What's new

Checking for AES-NI use in OpenVPN on RT-AX88U

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

ScottK83

New Around Here
Hey guys,

First time poster here. Appreciate the valuable info I've found as I have been researching new routers for use with ExpressVPN. I wanted one specifically with hardware encryption/decryption capability and ended up with hardware v1.1 version of the Asus RT-AX88U router, which supports AES-NI.

I followed the instructions on ExpressVPN for setting up OpenVPN with the native firmware and it worked perfectly out of the box. The range is also much, much better than the Linksys WRT 3200ACM router I had been using for ExpressVPN.

I had read all about the great things that changing the firmware to Merlin could allow, so am now running 384.15 and have had no issues connecting to ExpressVPN.

However, how can I tell if OpenVPN is using the AES-NI instructions?

I ran this command:
Code:
openvpn --genkey --secret /tmp/secret
time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc

AES-128-GCM: 3200/3.88 = 824 Mbps
AES-256-CBC: 3200/4.00 = 800 Mbps

According to the information on this website (https://x3mtek.com/openvpn-performance/), it seems like this is higher Mbps than just the processor would allow natively.

My ISP only gets me up to 30ish Mbps so I can't judge download speed with or without the VPN running. To saturate the download I set up a download of a popular linux distribution on bittorrent: With VPN on of the cores occasionally got up to around 10%, and another core was maybe 1-2%. With VPN off, one of the cores was around 1-2%. Download speeds were the same.

That test is very rudimentary and I can't tell based on CPU load if OpenVPN was simply using the CPU or was using the hardware encryption/decryption chipset.

For the experts here, is there a definitive test I can run or something I can look for in the logs to tell me with certainty if that chipset is being used? The CPU is fast enough by itself that I probably don't need the builtin hardware support, but if it is there, it would be nice for it to be used.

Thanks!
 
However, how can I tell if OpenVPN is using the AES-NI instructions?

It's inherent to the code, not a feature of OpenVPN. OpenSSL compiled for this router's CPU will make use of AES operands, speeding up AES performance for anything that uses OpenSSL.

or was using the hardware encryption/decryption chipset.

The hardware crypto engine is a separate thing from the AES CPU operands. That engine is only used by IPSEC. OpenSSL/OpenVPN cannot use it to increase performance, because the context switch between the kernel driver and the user software results in a drop in performance.
 
It's inherent to the code, not a feature of OpenVPN. OpenSSL compiled for this router's CPU will make use of AES operands, speeding up AES performance for anything that uses OpenSSL.



The hardware crypto engine is a separate thing from the AES CPU operands. That engine is only used by IPSEC. OpenSSL/OpenVPN cannot use it to increase performance, because the context switch between the kernel driver and the user software results in a drop in performance.

Thanks for the explanation, RMerlin! Makes sense.
 
Yes, the RT-AX88U has AES optimized CPU operands.
 
ARMv8 CPU's support set of AES instructions.

Not all ARMv8's support the AES extensions, which is an extra cost licensed feature from ARM.

B53 provided by HND for the AX88U is obviously licensed... but not all Broadcom SoC's have the extensions (RPi's for example, both the A53's as well as the A72's). Should also note that fixed function HW accelerator blocks are not all faster than running on the cores directly - some are more for offload so that the application cores can get other work done.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top