Checking for AES-NI use in OpenVPN on RT-AX88U

ScottK83

New Around Here
Hey guys,

First-time poster here. Appreciate the valuable info I've found as I have been researching new routers for use with ExpressVPN. I wanted one specifically with hardware encryption/decryption capability and ended up with the hardware v1.1 version of the Asus RT-AX88U router, which supports AES-NI.

I followed the instructions on ExpressVPN for setting up OpenVPN with the native firmware and it worked perfectly out of the box. The range is also much, much better than the Linksys WRT 3200ACM router I had been using for ExpressVPN.

I had read all about the great things that changing the firmware to Merlin could allow, so am now running 384.15 and have had no issues connecting to ExpressVPN.

However, how can I tell if OpenVPN is using the AES-NI instructions?

I ran this command:
Code:
openvpn --genkey --secret /tmp/secret
time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
AES-128-GCM: 3200/3.88 = 824 Mbps
AES-256-CBC: 3200/4.00 = 800 Mbps

According to the information on this website (https://x3mtek.com/openvpn-performance/), it seems like this is higher Mbps than just the processor would allow natively.

My ISP only gets me up to 30ish Mbps so I can't judge download speed with or without the VPN running. To saturate the download I set up a download of a popular Linux distribution on BitTorrent: With VPN on, one of the cores occasionally got up to around 10%, and another core was maybe 1-2%. With VPN off, one of the cores was around 1-2%. Download speeds were the same.

That test is very rudimentary and I can't tell based on CPU load if OpenVPN was simply using the CPU or was using the hardware encryption/decryption chipset.

For the experts here, is there a definitive test I can run or something I can look for in the logs to tell me with certainty if that chipset is being used? The CPU is fast enough by itself that I probably don't need the builtin hardware support, but if it is there, it would be nice for it to be used.

Thanks!
 

RMerlin

Asuswrt-Merlin dev
> However, how can I tell if OpenVPN is using the AES-NI instructions?
It's inherent to the code, not a feature of OpenVPN. OpenSSL compiled for this router's CPU will make use of AES operands, speeding up AES performance for anything that uses OpenSSL.

> or was using the hardware encryption/decryption chipset.
The hardware crypto engine is a separate thing from the AES CPU operands. That engine is only used by IPSEC. OpenSSL/OpenVPN cannot use it to increase performance, because the context switch between the kernel driver and the user software results in a drop in performance.
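
One way to check from the router's shell what the reply above describes, as an added example that is not part of the thread: it looks for the `aes` CPU feature flag and benchmarks OpenSSL with and without CPU feature detection. The function names are hypothetical, and it assumes an ARM build of OpenSSL that honours the `OPENSSL_armcap` environment variable.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Run with --run on the router.

# Succeed if the cpuinfo file $1 lists "aes" as a whole word on a
# "Features" (ARM) or "flags" (x86) line.
cpu_has_aes() {
    awk -F: '
        $1 ~ /^(Features|flags)[ \t]*$/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { exit !found }
    ' "$1"
}

# Read `openssl speed` output on stdin and print the largest-block
# throughput (last column, in thousands of bytes per second) for cipher $1.
speed_kbs() {
    awk -v c="$1" '
        tolower($1) == c { v = $NF; sub(/k$/, "", v); r = v }
        END { printf "%d\n", r }
    '
}

# Benchmark AES-256-CBC twice: once normally, once with OpenSSL's CPU
# feature detection masked off. Assumption: this is an ARM build of
# OpenSSL that honours the OPENSSL_armcap environment variable.
compare_aes() {
    c=aes-256-cbc
    hw=$(openssl speed -evp "$c" 2>/dev/null | speed_kbs "$c")
    sw=$(OPENSSL_armcap=0 openssl speed -evp "$c" 2>/dev/null | speed_kbs "$c")
    echo "AES instructions allowed: ${hw}k  masked: ${sw}k"
}

if [ "${1:-}" = "--run" ]; then
    if cpu_has_aes /proc/cpuinfo; then
        echo "CPU advertises AES instructions"
    else
        echo "CPU does not advertise AES instructions"
    fi
    compare_aes
fi
```

A large gap between the two figures indicates that the default OpenSSL code path is using the CPU's AES instructions; near-identical figures indicate it is not.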
 

ScottK83

New Around Here
> It's inherent to the code, not a feature of OpenVPN. OpenSSL compiled for this router's CPU will make use of AES operands, speeding up AES performance for anything that uses OpenSSL.

> The hardware crypto engine is a separate thing from the AES CPU operands. That engine is only used by IPSEC. OpenSSL/OpenVPN cannot use it to increase performance, because the context switch between the kernel driver and the user software results in a drop in performance.
Thanks for the explanation, RMerlin! Makes sense.
 
