gonzopancho
OpenVPN DCO is significantly faster than without.
It's also faster than Wireguard (even keeping the transform the same.)
That's probably because CPUs specialized operands can accelerate AES cipher operations, but not Chacha20.
Oh, and CPU instructions can accelerate ChaCha20, too. That's why we did the IIMB work for pfSense, and extended it to ARM64 platforms.
In addition to AES-GCM, DCO can run ChaCha20/Poly1305
Jim,
Which instructions are you asserting to regarding ChaCha20-Poly1305 acceleration and on which architecture classes?
On x86 - even without AES-NI, Intel did a lot of good work using SSE to speed up the AES family...
ChaCha20 does run quite nicely on MIPS32 along with 32-bit ARM (and ARM64 cores that didn't license the crypto extensions like Broadcom's older Pi chips...)
Go up in the thread - it's been discussed that DCO supports the AEAD ciphers for AES-128-GCM and ChaCha20-Poly1305 - that's old news...
Anyways nice to see that pfSense is implementing DCO - with the BSD stack, should perform well...
Realizing of course, that DCO is still work in progress, obviously...
At this point, it’s essentially done.
I did some iperf testing today with and without DCO on pfSense with an OpenVPN Windows client (seems DCO is enabled by default on the app), so far I didn't see much difference.
I'm taking a risk here by reviving a dead thread... but has anyone tried out DCO + QAT on Linux? I took this for a spin and have some head-scratching results, curious if anyone else here has attempted.
Test setup: iperf on two devices on different LANs, both connected to a Linux-based router instance running Intel C3858. Linux 6.6.40, OpenVPN 2.6.3, QAT Linux Driver 4.24.
Device A running built-in macOS ipsec client, Viscosity for OpenVPN. Device B just a standard Ethernet client on the LAN. Both devices are connected to the router using 2.5 GbE NICs.
Scenario | Device A Receiving | Device A Sending |
---|---|---|
LAN to LAN (forwarding only) | 2.35 Gbits/sec | 2.35 Gbits/sec |
OpenVPN (userspace) | 188 Mbits/sec | 188 Mbits/sec |
OpenVPN (DCO, no QAT) | 929 Mbits/sec | 318 Mbits/sec |
OpenVPN (DCO with QAT) | 19.5 Mbits/sec | 18.4 Mbits/sec |
IPSec (AES-CBC with QAT) | 1.13 Gbits/sec | 411 Mbits/sec (presumably because macOS is slow) |
Meanwhile props to the pfSense folks who seem to have it working quite nicely with their BSD-based implementation.
Alternatively, ….. Once upon a time I remember reading something about if the appropriate driver isn’t installed, QAT may still technically work, but its performance may be worse than if you hadn’t enabled QAT at all… but I can’t find the source anymore… (?)
But maybe I’m misremembering?