Hi,
On 30/07/15 19:04, Rahul Arora wrote:
Hi
Thanks for the reply.
I am already using "--engine cryptodev" in the configuration file.
I am using "aes-128-cbc" cipher algorithm and it is supported in my
hardware as I am running "openssl speed test" using these ciphers only
and in case of "openssl speed test" throughput is increasing but with
openvpn it is not so.
This was reported by someone on the list a few days ago as well.
The problem is not with openvpn, but with the openssl speed command
used: the cryptodev engine (and kernel device) do not provide a factor
of 100+ speedup. It's the "openssl speed -evp aes-256-cbc" command that
reports erroneous results.
Try running this openssl command on your box:
date ; cat bigfile | openssl enc -e -aes-256-cbc -bufsize 8192 -pass pass:testing123 > /dev/null ; date
where 'bigfile' is some large file of > 2 GB in size.
Then rerun it using
date ; cat bigfile | openssl enc -engine cryptodev -e -aes-256-cbc -bufsize 8192 -pass pass:testing123 > /dev/null ; date
and compare the results. On my hardware I get zero difference whether I
use cryptodev or not, whereas 'openssl speed' reports a 100+ % improvement:
with cryptodev module loaded:
aes-256-cbc 286337.65k 1048423.31k 4589489.60k 19596646.40k 141238272.00k
without cryptodev:
aes-256-cbc 465276.57k 487043.33k 493990.87k 493776.90k 495720.11k
So, apart from the fact that openvpn's speed limitations are not
determined solely by encryption/decryption, this does prove to me that
the cryptodev device offers little if any performance improvement.
Hope this clears things up,
JJK
On Thu, Jul 30, 2015 at 5:18 PM, Gert Doering <g...@greenie.muc.de> wrote:
Hi,
On Thu, Jul 30, 2015 at 12:55:00PM +0530, Rahul Arora wrote:
> *Openvpn --version*
> OpenVPN 2.1.3 arm-fsl-linux-gnueabi [SSL] [LZO2] [EPOLL] built on Jul 29
> 2015
This is, uh, ancient. 2.3.7 is the current stable release.
(It might or might not be related, but we're certainly not going back
to 2.2 or even 2.1 releases to debug anything. OpenVPN *should* use the
crypto accelerator just fine, if OpenSSL can use it - if you need to use an
OpenSSL engine, tell OpenVPN with "--engine yourengine". It might not
make an overwhelming difference in speed if you use the wrong crypto
algorithms - like, your hardware accelerates 3DES and you use
--cipher blowfish...)
gert
--
USENET is *not* the non-clickable part of WWW!
http://www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de