I am trying to tweak a VPN server to use the Xeon processor (and its AES crypto support) it possesses for a speed boost. I have checked that the processor supports it, but it doesn't seem to be listed as an engine in my OpenSSL version. When the OpenVPN server tries to start I get:
[code]
Sun Mar 27 01:57:47 2016 us=522532 library versions: OpenSSL 1.0.1f 6 Jan 2014, LZO 2.06
Sun Mar 27 01:57:47 2016 us=523118 OpenSSL error: cannot load engine 'aesni'
Sun Mar 27 01:57:47 2016 us=523135 Exiting due to fatal error
[/code]
[code]
sort -u /proc/crypto | grep module
[/code]
returns:
[code]
module : aesni_intel
[/code]
So I know the processor is capable, but how do I instruct OpenVPN to utilize this? Or does it already, without any additional server config?
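The check below is added here and is not part of the post or of OpenVPN's or OpenSSL's own code: it assumes a Linux host with /proc/cpuinfo and the openssl CLI on PATH, and it uses OpenSSL's documented OPENSSL_ia32cap capability override to hide AES-NI from the library so the EVP AES-256-CBC throughput can be compared with and without the instructions. Since OpenSSL 1.0.1 the EVP interface (which OpenVPN uses for its data channel) picks up AES-NI automatically, so a large speed-up here means the library is already using it and no "engine" directive is needed.

```shell
#!/bin/sh
# Constructed example: confirm whether the OpenSSL library behind OpenVPN
# actually uses AES-NI, without loading any engine.

# 1. Does the CPU advertise the AES-NI instruction set? (exit 0 = yes)
cpu_has_aesni() {
    grep -q -w aes /proc/cpuinfo 2>/dev/null
}

# 2. Parse "openssl speed" output on stdin and print the last (8192-byte
#    block) throughput column, in kB/s, for one cipher name.
speed_rate_kb() {
    # $1 = cipher name exactly as openssl speed prints it, e.g. aes-256-cbc
    awk -v c="$1" '$1 == c { v = $NF; sub(/k$/, "", v); print v; exit }'
}

# 3. Throughput of the EVP AES-256-CBC path, with AES-NI on or masked off.
#    "off" clears bit 57 (AES-NI) and bit 33 (PCLMULQDQ) of the CPUID
#    vector OpenSSL consults, forcing the portable C implementation.
evp_aes256_rate() {
    if [ "$1" = "off" ]; then
        OPENSSL_ia32cap="~0x200000200000000" openssl speed -evp aes-256-cbc 2>/dev/null
    else
        openssl speed -evp aes-256-cbc 2>/dev/null
    fi | speed_rate_kb aes-256-cbc
}

# 4. Integer speed-up factor: rate with AES-NI divided by rate without it.
#    Well above 1 = the library already uses AES-NI; near 1 = this build or
#    CPU does not, and no server.conf directive will change that.
speedup_factor() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b + 0 == 0) print 0; else printf "%d\n", a / b }'
}

main() {
    if cpu_has_aesni; then echo "CPU flag: aes present"; else echo "CPU flag: aes absent"; fi
    command -v openssl >/dev/null || { echo "openssl CLI not found"; return 1; }
    on=$(evp_aes256_rate on); off=$(evp_aes256_rate off)
    echo "EVP aes-256-cbc: ${on} kB/s with AES-NI, ${off} kB/s without, x$(speedup_factor "$on" "$off")"
}

# AESNI_CHECK_RUN is an assumed opt-in variable so sourcing the file does
# not trigger two multi-second benchmark runs.
if [ "${AESNI_CHECK_RUN:-0}" = 1 ]; then main; fi
```

Run it with `AESNI_CHECK_RUN=1 sh aesni-check.sh`; each `openssl speed` pass takes roughly fifteen seconds on OpenSSL 1.0.x.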
Like I said in the post, the server fails to start, saying this is an unknown engine. Typing the openssl commands in the post you referenced works. I have added this in lower case, and OpenVPN still fails to start, saying unknown engine.
[code]
local x.x.x.x
port 1194
;proto tcp
proto udp
;dev tap
dev tun
## start OpenVPN Process inside of chroot jail at /etc/openvpn/jail
chroot /etc/openvpn/jail
## Server Cert and Key Info for inside of Jail
ca /etc/openvpn/jail/keys/ca.crt
cert /etc/openvpn/jail/keys/GeekVPNServer.crt
key /etc/openvpn/jail/keys/GeekVPNServer.key # This file should be kept secret
tls-auth /etc/openvpn/jail/keys/ta.key
key-direction 0
# Require SHA-2 For message authentication
auth SHA256
## PAM plugin for Shadow password auth and linux /etc/passwd file with limited privs
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
# Enforce TLS ciphers that provide forward secrecy
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
## Enforce minimum of TLS 1.2
tls-version-min 1.2
## Check the Extended key Usage on certs
remote-cert-eku "TLS Web Client Authentication"
## Server Virtual IP and Subnet masking
server 10.8.0.0 255.255.255.0
## Speed Boost? (could never get a handle on this either)
## tun-mtu 6000
## mssfix 0
## Boost Speed by utilizing AES-NI CPU Support
# engine aesni
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
# ifconfig-pool-persist ipp.txt
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
push block-outside-dns
keepalive 10 120
# Crypto Ciphers Supported
cipher AES-256-CBC
# LZO Compression
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
max-clients 40
user nobody
group nogroup
persist-key
persist-tun
[/code]
I've commented out the line with the "engine" reference, as it fails to start with it in server.conf.
I am willing to also post client logs, but as I said, OpenVPN doesn't even start with that line in the config, as it says unknown engine. From what I am reading, possibly it already utilizes the AES-NI instructions automatically in OpenSSL and they are not loaded as an engine? I've also read, in something linked from the post you linked, that this can actually cause a speed dip?
Looking at OpenSSL.org's page, it seems their latest supported LTS version is 1.0.2. Is there a way to upgrade this without removing the old OpenSSL? I've downloaded openssl-1.0.2g.tar.gz; is it as simple as: