Seems that only IPQ807x and IPQ60xx support OpenVPN DCA in QSDK. No support for IPQ806x for now.
I will test this on IPQ807x when I borrow one. Hope this information helps and you can port these patches to IPQ806x.
@quarky - What do I need to run Crypto NSS?
I have nss-cfi and nss-crypto modules installed and it doesn't work.
When I try openssl benchmark I have an error like below. What am I missing?
Yeah, the qvpn NSS interfaces seem to be available for Hawkeye SoCs only. From what I read from the QSDK sources, it looks like the qvpn NSS interfaces do the encryption/decryption directly on the received packets. If that's the case, it would mean that OpenVPN has to be patched to work with it, otherwise it will not work.
I was kind of excited to be able to try out later QSDK firmware initially as it has OpenVPN support, but was disappointed when I found out that it's only for Hawkeye SoCs.
Anyway, I'm currently trying to figure out how to use the ipq806x NSS crypto for AEAD encryption. From what I can piece together, if OpenVPN is patched to call the NSS crypto engine directly using the cryptodev APIs (i.e. bypassing OpenSSL) and using an AEAD (i.e. hmac-sha1/sha256-aes-cbc) cipher, performance may improve, or it may not. In any case, it's an interesting project for me to try.
I would like to share with you the IPQ807x OpenVPN performance. It's at least 790Mbps. It's more, because I see my PC is the bottleneck when testing the performance.
How to set up?
The IPQ807x is the server; my PC is the client. Run iperf on the IPQ807x and my PC.
root@OpenWrt:/tmp/etc# Fri Jul 3 09:37:01 2020 DCA: Received PING packet:0x55b7895700
root@OpenWrt:/tmp/etc# cat openvpn-sample_server.conf
persist-key
persist-tun
enable-dca
auth SHA1
ca /lib/uci/upload/cbid.openvpn.sample_server.ca
cert /lib/uci/upload/cbid.openvpn.sample_server.cert
cipher AES-128-CBC
#comp-lzo no
dev tun
dh /lib/uci/upload/cbid.openvpn.sample_server.dh
ifconfig-pool-persist /tmp/ipp.txt
keepalive 10 120
key /lib/uci/upload/cbid.openvpn.sample_server.key
port 1194
proto udp
server 10.8.0.0 255.255.255.0
status /tmp/openvpn-status.log
user nobody
verb 3
root@OpenWrt:/tmp/etc# iperf -c 10.8.0.6 -t 30 -P 2
Fri Jul 3 09:36:20 2020 DCA: Received PING packet:0x55b7895700
------------------------------------------------------------
Client connecting to 10.8.0.6, TCP port 5001
TCP window size: 45.0 KByte (default)
------------------------------------------------------------
[ 4] local 10.8.0.1 port 37954 connected with 10.8.0.6 port 5001
[ 3] local 10.8.0.1 port 37952 connected with 10.8.0.6 port 5001
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-30.0 sec 1.37 GBytes 393 Mbits/sec
[ 3] 0.0-30.0 sec 1.40 GBytes 401 Mbits/sec
[SUM] 0.0-30.0 sec 2.77 GBytes **793 Mbits/sec**
If he tested on the QSDK, OpenVPN should be offloaded to NSS there.
But Quad A53 cores are beastly though. It looks like my AX3600 will finally arrive after 2 months.
Very good performance. In fact I would say it’s excellent for a consumer router. The boost most likely comes from the crypto as well as the in kernel routing of network packets. Would you mind trying with WireGuard as well?
Well, they are relatively affordable.
Around 100EUR, but it's the IPQ8071A, so the weakest model, and it does not come with 2.5 or 10G ethernet like the 3-4 more expensive models come with.
The only issue with the AX3600 is that it only has 4 ports, inclusive of WAN. ipq8071 is probably a massive step up from what I have owned, so it’ll be a lot of SoC for me to mess with.
I think I can still wring more juice out of the ipq806x SoC. So let’s see how it goes.
Previously this simple config compiled without issue. Anything new in the build or am I selecting the wrong package combo for basic router + wifi acceleration?
I had the same problem with the latest changes on @ansuel's github. I'm compiling right now, for the second time, to check if it goes through this time. I'll let you know the outcome.