Active Configuration

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Webstrucs
OpenVpn Newbie
Posts: 2
Joined: Mon Jul 19, 2021 8:05 pm

Active Configuration

Post by Webstrucs » Mon Jul 19, 2021 8:17 pm

Warning: AES instruction set support has not been detected on this host. This may cause performance degradation. Consult your virtualization solution and/or BIOS/UEFI setting to enable AES instructions.

How do I solve this problem? See the attached screenshot:

https://photos.app.goo.gl/amCtjsvddkYpHZKg6

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: Active Configuration

Post by chilinux » Mon Jul 19, 2021 8:58 pm

Actually, the solution is this last part: "Consult your virtualization solution and/or BIOS/UEFI setting to enable AES instructions."

Are you running this on bare metal hardware or inside a virtual machine?

Try running this:

Code:

egrep "model name" /proc/cpuinfo

You can then research if the processor model supports AES-NI processor extensions. If it doesn't, then the only way to remove the warning is to switch to hardware that does support AES-NI. If it does support AES-NI but OpenVPN AS is not detecting it, then it is either not being passed through to the VM by the hypervisor or is being hidden by a BIOS/EFI setting.

If you are happy with the current performance you are getting (maximum bandwidth, network latency, etc) then you don't need to solve this warning. It will not impact security and will have minimal impact on reliability to not use AES-NI processor extensions for encryption. It is strictly a performance *warning*.

Webstrucs
OpenVpn Newbie
Posts: 2
Joined: Mon Jul 19, 2021 8:05 pm

Re: Active Configuration

Post by Webstrucs » Tue Jul 20, 2021 1:48 am

I'm using a Linux VPS (Debian 10 64-bit), and after the command ( egrep "model name" /proc/cpuinfo ), I got the result: model name : QEMU Virtual CPU version (cpu64-rhel6)

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: Active Configuration

Post by chilinux » Tue Jul 20, 2021 6:45 am

The "cpu64-rhel6" is kind of revealing. My guess is this is a cheap cloud hosting provider that is still using CentOS 6 as a hypervisor. It seems likely the hardware from such a provider also has no support for AES-NI.

Again, not having AES-NI is not a big deal if you are getting the performance you desire. OpenVPN AS is providing this only as a warning.

The bigger issue would be if the hypervisor is CentOS 6. The end of life date for CentOS 6 was November 30, 2020. There have been a number of updates of QEMU since then to address security/reliability issues. However, CentOS is no longer issuing those updates to CentOS 6. I don't recommend using VPN software in such an environment.

To be clear, even if the Debian 10 guest OS is being kept up to date, if something is compromised at the hypervisor level then the security of the guest/VPS is also compromised.

You may want to contact your VPS provider to confirm they are using CentOS 6 for the hypervisor and, if they are, then consider using a different provider.
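
A more direct check than looking up the model name, added here as an example and not part of the original thread: on x86 Linux the `flags` line of /proc/cpuinfo lists `aes` when AES-NI is visible to the OS and `hypervisor` when running as a guest. The function names and the sample input (modelled on the guest reported above) are constructed for illustration.

```shell
#!/bin/sh
# Report whether the CPU seen by this Linux system exposes AES-NI.
# Usage: sh aesni_check.sh [cpuinfo-file]   (e.g. /proc/cpuinfo)

sample_cpuinfo() {  # constructed sample, modelled on the guest in this thread
    cat <<'EOF'
processor : 0
model name : QEMU Virtual CPU version (cpu64-rhel6)
flags : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 syscall nx lm pni cx16 hypervisor
EOF
}

cpu_flags() {  # cpu_flags <cpuinfo-file>: flags of the first CPU, one per line
    sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1 | tr ' ' '\n'
}

has_flag() {  # has_flag <flag> <cpuinfo-file>: exact match, so "vaes" is not "aes"
    cpu_flags "$2" | grep -qx "$1"
}

model_name() {  # model_name <cpuinfo-file>
    sed -n 's/^model name[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1
}

aesni_status() {  # aesni_status <cpuinfo-file>
    if has_flag aes "$1"; then
        echo aes-present
    elif has_flag hypervisor "$1"; then
        # Guest: the virtual CPU model hides AES-NI or the host hardware lacks it.
        echo guest-no-aes
    else
        # Bare metal: CPU lacks AES-NI or a BIOS/UEFI setting disables it.
        echo host-no-aes
    fi
}

# With no argument, run on the constructed sample above.
src=${1:-}
if [ -z "$src" ]; then
    src=$(mktemp)
    sample_cpuinfo > "$src"
fi
printf '%s => %s\n' "$(model_name "$src")" "$(aesni_status "$src")"
```

Run it inside the VPS with /proc/cpuinfo as the argument. A `guest-no-aes` result cannot tell a hidden flag from missing hardware, so that question still goes to the hosting provider.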
