Changing VPN server CPU to one with hardware AES

Posted: Thu Oct 12, 2017 8:28 am
by doman
In our company we have an HP Z400 with a Xeon W3520 on board. I've set up OpenVPN there. Two users who connect to our network through their tunnels complain about very low transfer speeds. I found that this CPU doesn't have AES support. I want to change it to a Xeon E5620, which is dirt cheap (below 10$).

1. Will such a change improve speeds? Both VPN clients' CPUs already have hardware AES support.
2. Will I have to change anything in the server setup/config files to force hardware AES support?

$ openvpn --version
OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 26 2017
library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_ifconfig_path=/sbin/ifconfig with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_route_path=/sbin/route with_sysroot=no

Re: Changing VPN server CPU to one with hardware AES

Posted: Thu Oct 12, 2017 10:45 am
by TinCanTech
If you are using AES for the data channel (which you probably are) then AES hardware support will improve things, don't know how much. More likely a network problem if only a few clients experience problems.

Also, see --engine in The Manual v24x

Re: Changing VPN server CPU to one with hardware AES

Posted: Thu Oct 12, 2017 4:49 pm
by Pippin
AFAIK, --engine not needed if CPU supports AES-NI.
OpenSSL will autodetect AES-NI support and use it since version 1.0.0.
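
A way to check the two conditions the replies above depend on, as an added example that is not part of the original thread: whether the CPU exposes AES-NI, and whether the OpenVPN 2.3.x data channel is actually AES (with no `cipher` directive, 2.3.x uses BF-CBC). The function names and the paths in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: does AES-NI matter for this OpenVPN 2.3.x server?
# Usage (paths are assumptions): aesni_relevant /proc/cpuinfo /etc/openvpn/server.conf

# cpu_has_aesni FILE: succeed if the first "flags" line of a /proc/cpuinfo-style
# file lists the "aes" feature as a whole word (so "vaes" alone does not count).
cpu_has_aesni() {
    sed -n '/^flags/{p;q;}' "$1" | tr ' \t' '\n\n' | grep -qx 'aes'
}

# data_cipher FILE: print the data-channel cipher an OpenVPN 2.3.x config selects.
# Commented-out lines are ignored; if "cipher" appears more than once the last
# one is reported. With no directive, 2.3.x uses BF-CBC, which AES-NI cannot
# accelerate (cipher negotiation only arrived in 2.4).
data_cipher() {
    c=$(awk '$1 == "cipher" { v = $2 } END { print v }' "$1" | tr 'a-z' 'A-Z')
    echo "${c:-BF-CBC}"
}

# aesni_relevant CPUINFO CONF: succeed only if the CPU has AES-NI and the
# configured data cipher is an AES variant.
aesni_relevant() {
    cpu_has_aesni "$1" || return 1
    case "$(data_cipher "$2")" in
        AES-*) return 0 ;;
        *)     return 1 ;;
    esac
}

# bench_aes: print OpenSSL's AES-128-CBC throughput twice, first with AES-NI
# autodetected, then with the AES-NI and PCLMULQDQ capability bits masked off
# through OPENSSL_ia32cap (x86 only). A large gap means AES-NI is in use.
bench_aes() {
    openssl speed -evp aes-128-cbc 2>/dev/null | tail -n 1
    OPENSSL_ia32cap="~0x200000200000000" \
        openssl speed -evp aes-128-cbc 2>/dev/null | tail -n 1
}
```

Run `bench_aes` on the server itself; the `-evp` form is the code path that picks up AES-NI automatically, so no `--engine` setting is involved.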