Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane

From: Jan Just Keijser <janjust <at> nikhef.nl>
Subject: Re: Using AES-NI in OpenVPN with OpenSSL 1.0.1
Newsgroups: gmane.network.openvpn.user
Date: Sunday 15th April 2012 00:55:56 UTC (over 6 years ago)
Hi,

Martin Beck wrote:
> Hi all,
>
> I just upgraded from OpenSSL 0.9.8o to 1.0.1 hoping to get AES-NI 
> support for OpenVPN that way. But using 'openssl speed' I found that 
> AES-128-CBC throughput dropped from 242 MB/s to 102 MB/s. After some 
> searching I found that AES-NI support was moved from an engine to the 
> EVP layer and on console i could get speed up to 603 MB/s by calling 
> 'openssl speed -evp aes-128-cbc'.
>
> Does anyone know how to enable that using OpenVPN? Or does OpenVPN 
> already use OpenSSL's EVP API by default?
>
>   
EVP stands voor Envelope here and is, AFAIK , the only layer to support 
AESNI.
OpenVPN uses EVP encryption by default, so if 'openssl speed -evp' shows 
the right improvement then openvpn will also benefit from it; you 
*might* have to add
  engine aes-ni
to the openvpn config file. but this depends a bit on the way your 
openssl lib is built.

Don't expect tremendous speed boosts however (not beyond 300 Mbps) - the 
bottleneck in openvpn is not in the encryption/decryption part but in 
the way packets are passed from kernelspace to userspace and back.

Read my wiki
  https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
on this for more details.

HTH,

JJK



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
 
CD: 17ms