I basically end up using the same cipher suite as Wireguard, it works quite well on my Atom N2800, which does not have AES-NI. It is now 3 times as fast.
Cipher = chacha20-poly1305 Digest = blake2b512 On Sat, 2020-04-04 at 20:02 +0200, Jelle de Jong wrote: > Hello everybody, > > First a big thanks for tinc-vpn I am still using it next to > wireguard > and openvpn. > > I am having a setup where the tinc debian appliance is at 100% cpu > load > doing about 7.5MB/s. > > Compression = 9 > PMTU = 1400 > PMTUDiscovery = yes > Cipher = aes-128-cbc > > How can I pick a cipher that is the fasted for my CPU and don't > create a > CPU bottleneck at 100%. > > Kind regards, > > Jelle de Jong > > root@officelink01:~# lscpu > Architecture: x86_64 > CPU op-mode(s): 32-bit, 64-bit > Byte Order: Little Endian > Address sizes: 40 bits physical, 48 bits virtual > CPU(s): 4 > On-line CPU(s) list: 0-3 > Thread(s) per core: 1 > Core(s) per socket: 4 > Socket(s): 1 > NUMA node(s): 1 > Vendor ID: AuthenticAMD > CPU family: 22 > Model: 48 > Model name: AMD GX-412TC SOC > Stepping: 1 > CPU MHz: 775.729 > CPU max MHz: 1000.0000 > CPU min MHz: 600.0000 > BogoMIPS: 1996.08 > Virtualization: AMD-V > L1d cache: 32K > L1i cache: 32K > L2 cache: 2048K > NUMA node0 CPU(s): 0-3 > Flags: fpu vme de pse tsc msr pae mce cx8 apic sep > mtrr > pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx > mmxext > fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good acc_power nopl > nonstop_tsc cpuid extd_apicid aperfmperf pni pclmulqdq monitor ssse3 > cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c lahf_lm > cmp_legacy > svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs > skinit wdt topoext perfctr_nb bpext ptsc perfctr_llc cpb hw_pstate > ssbd > vmmcall bmi1 xsaveopt arat npt lbrv svm_lock nrip_save tsc_scale > flushbyasid decodeassists pausefilter pfthreshold overflow_recov > > root@officelink01:~# openssl help > Standard commands > asn1parse ca ciphers cms > crl crl2pkcs7 dgst dhparam > dsa dsaparam ec ecparam > enc engine errstr gendsa > genpkey genrsa help list > nseq ocsp passwd pkcs12 > pkcs7 pkcs8 pkey pkeyparam > pkeyutl prime rand rehash > req rsa rsautl s_client > s_server s_time sess_id smime > speed spkac srp storeutl > ts verify version x509 > > Message Digest commands (see the `dgst' command for more details) > blake2b512 blake2s256 gost md4 > md5 rmd160 sha1 sha224 > sha256 sha3-224 sha3-256 sha3-384 > sha3-512 sha384 sha512 sha512-224 > sha512-256 shake128 shake256 sm3 > > Cipher commands (see the `enc' command for more details) > aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb > aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb > aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb > aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1 > aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb > aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8 > aria-256-ctr aria-256-ecb aria-256-ofb base64 > bf bf-cbc bf-cfb bf-ecb > bf-ofb camellia-128-cbc camellia-128-ecb camellia-192- > cbc > camellia-192-ecb camellia-256-cbc camellia-256-ecb cast > cast-cbc cast5-cbc cast5-cfb cast5-ecb > cast5-ofb des des-cbc des-cfb > des-ecb des-ede des-ede-cbc des-ede-cfb > des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb > des-ede3-ofb des-ofb des3 desx > rc2 rc2-40-cbc rc2-64-cbc rc2-cbc > rc2-cfb rc2-ecb rc2-ofb rc4 > rc4-40 seed seed-cbc seed-cfb > seed-ecb seed-ofb sm4-cbc sm4-cfb > sm4-ctr sm4-ecb sm4-ofb > > root@officelink01:~# openssl speed -elapsed -evp aes-128-cbc > You have chosen to measure elapsed time instead of user CPU time. > Doing aes-128-cbc for 3s on 16 size blocks: 13905799 aes-128-cbc's in > 3.00s > Doing aes-128-cbc for 3s on 64 size blocks: 6572120 aes-128-cbc's in > 3.00s > Doing aes-128-cbc for 3s on 256 size blocks: 2254183 aes-128-cbc's in > 3.00s > Doing aes-128-cbc for 3s on 1024 size blocks: 623111 aes-128-cbc's in > 3.00s > Doing aes-128-cbc for 3s on 8192 size blocks: 80058 aes-128-cbc's in > 3.00s > Doing aes-128-cbc for 3s on 16384 size blocks: 40180 aes-128-cbc's in > 3.00s > OpenSSL 1.1.1d 10 Sep 2019 > built on: Sat Oct 12 19:56:43 2019 UTC > options:bn(64,64) rc4(8x,int) des(int) aes(partial) blowfish(ptr) > compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall > -Wa,--noexecstack -g -O2 > -fdebug-prefix-map=/build/openssl-YwazYa/openssl-1.1.1d=. > -fstack-protector-strong -Wformat -Werror=format-security > -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ > -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 > -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM > -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM > -DGHASH_ASM > -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time > -D_FORTIFY_SOURCE=2 > The 'numbers' are in 1000s of bytes per second processed. > type 16 bytes 64 bytes 256 bytes 1024 > bytes 8192 > bytes 16384 bytes > aes-128-cbc 74164.26k 140205.23k 192356.95k 212688.55k > 218611.71k 219436.37k > root@officelink01:~# openssl speed -elapsed -evp aes-256-cbc > You have chosen to measure elapsed time instead of user CPU time. > Doing aes-256-cbc for 3s on 16 size blocks: 12322268 aes-256-cbc's in > 3.00s > Doing aes-256-cbc for 3s on 64 size blocks: 5283431 aes-256-cbc's in > 3.00s > Doing aes-256-cbc for 3s on 256 size blocks: 1686231 aes-256-cbc's in > 3.00s > Doing aes-256-cbc for 3s on 1024 size blocks: 454425 aes-256-cbc's in > 3.00s > Doing aes-256-cbc for 3s on 8192 size blocks: 58092 aes-256-cbc's in > 3.00s > Doing aes-256-cbc for 3s on 16384 size blocks: 29035 aes-256-cbc's in > 3.00s > OpenSSL 1.1.1d 10 Sep 2019 > built on: Sat Oct 12 19:56:43 2019 UTC > options:bn(64,64) rc4(8x,int) des(int) aes(partial) blowfish(ptr) > compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall > -Wa,--noexecstack -g -O2 > -fdebug-prefix-map=/build/openssl-YwazYa/openssl-1.1.1d=. > -fstack-protector-strong -Wformat -Werror=format-security > -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ > -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 > -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM > -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM > -DGHASH_ASM > -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time > -D_FORTIFY_SOURCE=2 > The 'numbers' are in 1000s of bytes per second processed. > type 16 bytes 64 bytes 256 bytes 1024 > bytes 8192 > bytes 16384 bytes > aes-256-cbc 65718.76k 112713.19k 143891.71k 155110.40k > 158629.89k 158569.81k > root@officelink01:~# > _______________________________________________ > tinc mailing list > tinc@tinc-vpn.org > https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc _______________________________________________ tinc mailing list tinc@tinc-vpn.org https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc