Changing VPN server CPU to one with hardware AES

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 20, 2017 2:51 pm

Changing VPN server CPU to one with hardware AES

Post by doman » Thu Oct 12, 2017 8:28 am

In company we HP Z400 with Xeon W3520 on board. Ive setup OpenVPN there. Two users which connect to our network trough their tunnels complain about very low transfer speeds. I found that this CPU doesnt have AES support. I want to change it to Xeon E5620 which is dirty cheap (below 10$).

1. Will such change improve speeds - both VPN clients CPUs already have hardware AES support
2. Will i have to change anything in server setup/config files to force hardware AES support?

Code: Select all

$ openvpn --version
OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 26 2017
library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_ifconfig_path=/sbin/ifconfig with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_route_path=/sbin/route with_sysroot=no

User avatar
OpenVPN Protagonist
Posts: 4804
Joined: Fri Jun 03, 2016 1:17 pm

Re: Changing VPN server CPU to one with hardware AES

Post by TinCanTech » Thu Oct 12, 2017 10:45 am

If you are using AES for the data channel (which you probably are) then AES hardware support will improve things, don't know how much. More likely a network problem if only a few clients experience problems.

Also, See --engine in The Manual v24x

User avatar
OpenVPN Expert
Posts: 342
Joined: Wed Jul 01, 2015 8:03 am

Re: Changing VPN server CPU to one with hardware AES

Post by Pippin » Thu Oct 12, 2017 4:49 pm

AFAIK, --engine not needed if CPU supports AES-NI.
OpenSSL will autodetect AES-NI support and use it since version 1.0.0.

Post Reply