Checking for AES-NI use in OpenVPN on RT-AX88U

Discussion in 'ASUS Wireless' started by ScottK83, Mar 25, 2020 at 3:46 PM.

  1. ScottK83

    Hey guys,

    First time poster here. Appreciate the valuable info I've found as I have been researching new routers for use with ExpressVPN. I wanted one specifically with hardware encryption/decryption capability and ended up with hardware v1.1 version of the Asus RT-AX88U router, which supports AES-NI.

    I followed the instructions on ExpressVPN for setting up OpenVPN with the native firmware and it worked perfectly out of the box. The range is also much, much better than the Linksys WRT 3200ACM router I had been using for ExpressVPN.

    I had read all about the great things that changing the firmware to Merlin could allow, so am now running 384.15 and have had no issues connecting to ExpressVPN.

    However, how can I tell if OpenVPN is using the AES-NI instructions?

    I ran this command:
    Code:
    openvpn --genkey --secret /tmp/secret
    time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
    AES-128-GCM: 3200/3.88 = 824 Mbps
    AES-256-CBC: 3200/4.00 = 800 Mbps

    According to the information on this website (https://x3mtek.com/openvpn-performance/), it seems like this is higher Mbps than just the processor would allow natively.

    My ISP only gets me up to 30ish Mbps so I can't judge download speed with or without the VPN running. To saturate the download I set up a download of a popular Linux distribution on BitTorrent: with VPN on, one of the cores occasionally got up to around 10%, and another core was maybe 1-2%. With VPN off, one of the cores was around 1-2%. Download speeds were the same.

    That test is very rudimentary and I can't tell based on CPU load if OpenVPN was simply using the CPU or was using the hardware encryption/decryption chipset.

    For the experts here, is there a definitive test I can run or something I can look for in the logs to tell me with certainty if that chipset is being used? The CPU is fast enough by itself that I probably don't need the built-in hardware support, but if it is there, it would be nice for it to be used.

    Thanks!
     
  2. RMerlin

    It's inherent to the code, not a feature of OpenVPN. OpenSSL compiled for this router's CPU will make use of AES operands, speeding up AES performance for anything that uses OpenSSL.

    The hardware crypto engine is a separate thing from the AES CPU operands. That engine is only used by IPSEC. OpenSSL/OpenVPN cannot use it to increase performance, because the context switch between the kernel driver and the user software results in a drop in performance.
     
    L&LD likes this.
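
Added example, not part of the thread or any poster's code: a shell check that follows the explanation above by looking for the CPU's `aes` flag and comparing OpenSSL's EVP AES throughput with and without the CPU capability bits. It assumes an ARM Linux router with an `openssl` binary whose build honours the `OPENSSL_armcap` environment variable; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an ARM Linux router whose
# OpenSSL build honours the OPENSSL_armcap environment variable.

# cpu_has_aes FILE: succeed if the cpuinfo text lists an "aes" CPU flag.
# ARM kernels print a "Features" line, x86 kernels a "flags" line.
cpu_has_aes() {
    awk -F: '
        $1 ~ /^(Features|flags)[ \t]*$/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { exit !found }
    ' "$1"
}

# evp_kbytes: read `openssl speed -evp ...` output on stdin and print the
# last column of the result line (throughput for the largest block size,
# in thousands of bytes per second), with the trailing "k" removed.
evp_kbytes() {
    awk '/^(aes|AES)-[0-9]+-/ { v = $NF; sub(/k$/, "", v); r = v }
         END { if (r != "") print r }'
}

# speedup_x100 FAST SLOW: ratio FAST/SLOW times 100, as an integer.
speedup_x100() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%d\n", (a * 100) / b }'
}

# live: run on the router itself. Benchmarks AES-256-CBC through the EVP
# interface twice, the second time with all ARM capability bits masked so
# OpenSSL falls back to its software AES code.
live() {
    if cpu_has_aes /proc/cpuinfo; then echo "CPU advertises AES instructions"
    else echo "no aes flag in /proc/cpuinfo"; fi
    hw=$(openssl speed -evp aes-256-cbc 2>/dev/null | evp_kbytes)
    sw=$(OPENSSL_armcap=0 openssl speed -evp aes-256-cbc 2>/dev/null | evp_kbytes)
    echo "default: ${hw}k  masked: ${sw}k  ratio x100: $(speedup_x100 "$hw" "$sw")"
}

if [ "${1:-}" = "live" ]; then live; fi
```

Run it as `sh script.sh live` on the router. A ratio well above 100 means the default run is using the AES instructions, while a ratio near 100 means they make no difference in that build.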
  3. ScottK83

    Thanks for the explanation, RMerlin! Makes sense.