OpenWrt Forum Archive

Topic: Best hardware for openvpn

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I'm looking for a hardware router with an encryption chip.
Which one do you use with openvpn? Does it work stably?

hardwarecrypto and openvpn have some specific problems.
IPSec and hardware-crypto normally makes more sense than openvpn and hardware-crypto, because IPSec runs completely in kernelspace.
With openvpn it might be the case that the memory bandwidth is the limiting factor, not the cpu, especially if you use hardware-crypto. (This was the case with some older Broadcom chips; I tried it with an asus wl-500gp and the hardware-crypto was quite fast, 200Mbit/s or something like that for aes-256-cbc, but in combination with openvpn it was slower than software crypto.)

So what are your performance needs?
there are some atheros-cpus around with 680MHz; you will get 20-25Mbit/s with software crypto (aes-256-cbc+sha1).
the amd geode cpus on the alix boards from pc engines have a hardwarecrypto-engine (for aes-128-cbc) but I don't know anything about the performance with openvpn.

the via-cpus have quite fast hardwarecrypto; I had one a few years ago, and ran it with debian and harddisk-encryption and it was really fast (the bottleneck was the hdd-speed, not the encryption), so you could get an itx or nano-itx board.

but if you only need 20-25Mbit/s I wouldn't bother with hardwarecrypto-engines

(Last edited by eleon216 on 20 Mar 2012, 08:34)

20-25Mbit/s should be enough. I'm using the openvpn-routers only as clients.

Which router to use in this case?

In the past I used the WRT54GL but I think there are much better ones available yet.

with a wrt54gl you will get 5Mbit/s max

these are some devices with an atheros-cpu with 680Mhz:

http://wiki.openwrt.org/toh/d-link/dir-825
http://wiki.openwrt.org/toh/netgear/wndr3800
http://wiki.openwrt.org/toh/buffalo/wzr-hp-ag300h
http://wiki.openwrt.org/toh/ubiquiti/routerstation
http://wiki.openwrt.org/toh/ubiquiti/routerstation.pro

they cost between 60 and 100euro.

If 10-15Mbit/s are enough, you can get some devices with a 400MHz Atheros-CPU, there are many around and they are really cheap (20-50euros)

eleon216 wrote:

hardwarecrypto and openvpn have some specific problems.
IPSec and hardware-crypto normally makes more sense than openvpn and hardware-crypto, because IPSec runs completely in kernelspace.
With openvpn it might be the case that the memory bandwidth is the limiting factor, not the cpu, especially if you use hardware-crypto. (This was the case with some older Broadcom chips; I tried it with an asus wl-500gp and the hardware-crypto was quite fast, 200Mbit/s or something like that for aes-256-cbc, but in combination with openvpn it was slower than software crypto.)

So what are your performance needs?
there are some atheros-cpus around with 680MHz; you will get 20-25Mbit/s with software crypto (aes-256-cbc+sha1).
the amd geode cpus on the alix boards from pc engines have a hardwarecrypto-engine (for aes-128-cbc) but I don't know anything about the performance with openvpn.

the via-cpus have quite fast hardwarecrypto; I had one a few years ago, and ran it with debian and harddisk-encryption and it was really fast (the bottleneck was the hdd-speed, not the encryption), so you could get an itx or nano-itx board.

but if you only need 20-25Mbit/s I wouldn't bother with hardwarecrypto-engines

Very interested in hearing how did you use hardware crypto in wl500gP in combination with OpenVPN.

you need kmod-ocf-ubsec-ssb (support for the hardware crypto chip), kernel 2.6/3.x and cryptodev support (but I think this is already selected by kmod-ocf-ubsec-ssb).
And then you only have to specify the engine cryptodev in the openvpn-config. If you get good results let me know, but I doubt it.

I have a firmware based on Linux 2.6.22.19 (new oleg's firmware, not openwrt); could you point me to exactly which module I need?

I have already compiled aes.ko support, but not sure if it uses hardware encryption.

Interesting, is there an OpenWRT build based on a 3.x kernel for ASUS WL-500gP v1?

here is an image:
http://i.imgur.com/Cd3Tx.jpg

NOTE: the hardware crypto devices list is empty for me for some reason.

EDIT: I think it's not bundled with this kernel, I found it here - https://dev.openwrt.org/browser/trunk/p … ?rev=15242

probably need to try to compile it within my kernel.

(Last edited by toolame on 27 Jul 2012, 19:02)

My favorite routers are the TP-Link TL-WDR4300 and the D-Link DIR-825.  Both have plenty of CPU horsepower and RAM (128MB and 64MB respectively).  They should handle 25 Mbit/s or better.  They are easy to flash from the factory GUI and support concurrent 2.4Ghz and 5Ghz traffic.

The DIR-825 is supported in the stable branch (Backfire).  The TL-WDR4300 has better specs but is only supported on the main trunk currently.  I have both and they both work great.

@toolame: kmod-ocf-ubsec-ssb (the driver for the broadcom hardware crypto chip) is not part of the mainline kernel, it's a patch included in openwrt, so I don't think you would find it in oleg. Why not just try openwrt? It's a lot easier than patching the oleg-sources with openwrt-modifications. You will need the driver, the ocf-framework, you need to compile openssl and openvpn with hardware crypto support,... or you just use openwrt smile

@Gideon7: one idea behind openwrt is to make the most out of your device, so getting hardwarecrypto running on the wl-500gp is an interesting project. Sure you can always buy newer/faster hardware, but that's really not the point here!

(Last edited by eleon216 on 28 Jul 2012, 07:39)

eleon216 wrote:

@toolame: kmod-ocf-ubsec-ssb (the driver for the broadcom hardware crypto chip) is not part of the mainline kernel, it's a patch included in openwrt, so I don't think you would find it in oleg. Why not just try openwrt? It's a lot easier than patching the oleg-sources with openwrt-modifications. You will need the driver, the ocf-framework, you need to compile openssl and openvpn with hardware crypto support,... or you just use openwrt smile

well, the problem is I'm using the WL500gP with a BCM43222 card as wireless (to have 802.11n) on it.

it works only within new oleg's firmware with the closed source driver; I tried backfire 10.3 but wireless didn't work for me with the b43 driver.

I'm mostly interested in a recent kernel build because wireless might work there.

also there is another problem with high sirq usage on 2.6.x kernels (both on OpenWRT and Oleg's-rtn) (I think it's due to the et driver's implementation).

OpenWRT lacks Broadcom's fast_nat implementation and a few things which are present in Oleg's firmware. Basically, if I'm gonna switch I'd need to configure everything from scratch, writing scripts etc., not convenient at all and a lot of time, whilst on the other side OpenWRT is a bit slower than Oleg's. (tested through the ethernet - max I could get on a 100 mbit/sec line was around 40 mbit/sec, on rtn Oleg - 50-54 mbit/sec).

But I'd like to use this hardware crypto advantage because I'm running multiple OpenVPN instances. Will probably give it a shot, thanks for the info.

eleon216 wrote:

@Gideon7: one idea behind openwrt is to make the most out of your device, so getting hardwarecrypto running on the wl-500gp is an interesting project. Sure you can always buy newer/faster hardware, but that's really not the point here!

exactly! this is what I'm trying to achieve... already made it 802.11n wireless capable for about 10$ bucks smile

Gideon7 wrote:

My favorite routers are the TP-Link TL-WDR4300 and the D-Link DIR-825.  Both have plenty of CPU horsepower and RAM (128MB and 64MB respectively).  They should handle 25 Mbit/s or better.  They are easy to flash from the factory GUI and support concurrent 2.4Ghz and 5Ghz traffic.

The DIR-825 is supported in the stable branch (Backfire).  The TL-WDR4300 has better specs but is only supported on the main trunk currently.  I have both and they both work great.

If I had some money for a new router - I'd go for Netgear's recent models. Never liked D-Link or TP-Link, both always have problems (DIR-620 had WAN and LAN ports fucked up, heard lots of negative comments about TP-Link).

(Last edited by toolame on 28 Jul 2012, 14:01)

Gideon7 wrote:

My favorite routers are the TP-Link TL-WDR4300 and the D-Link DIR-825.  Both have plenty of CPU horsepower and RAM (128MB and 64MB respectively).  They should handle 25 Mbit/s or better.  They are easy to flash from the factory GUI and support concurrent 2.4Ghz and 5Ghz traffic.

The DIR-825 is supported in the stable branch (Backfire).  The TL-WDR4300 has better specs but is only supported on the main trunk currently.  I have both and they both work great.

Not all DIR-825 revisions are fully supported in Backfire.

See the wiki for this: "Newer revisions (FW 2.05EU) store mac-addresses differently, which leads to non-working wlan0/1. Working with trunk as of r29119"

I've got one of these, they seem to do fine with latest trunk though.

(Last edited by freezer2k on 28 Jul 2012, 20:07)

As I wrote earlier, when I tested it 2 years ago, I got hardwarecrypto working, and openssl-speedtests were really fast, and I got openvpn using the hardware, but openvpn didn't perform well; it was even slower than with software crypto. So maybe you should test the performance with openwrt before you try to port it to oleg's firmware.

did you patch openssl as well? or was it 'inside the box' already?

OK, I will try to test it; I'm also interested in using this module for filesystem encryption, maybe it will give some speed.

(Last edited by toolame on 28 Jul 2012, 20:48)

when I tested it 3 years ago, I got everything from here: http://danm.de/index.php?action=source (ubsec_ssb) but it should be in openwrt now, and I think openssl has support out of the box, too.
But you should really test it before you spend too much time on getting it working with oleg's firmware. The context switches userspace->kernelspace and kernelspace->userspace might still be a problem. So I guess you will only be able to use hardwarecrypto with a VPN solution running in kernelspace (e.g. IPsec).

hey eleon216.

I've recently bought a Netgear WNDR3800 (680Mhz CPU+128mb memory), but the speeds over OpenVPN are around ~6.4 mbit/sec (~800kbytes/sec) (lzo+aes256 enabled over UDP); you've said speeds should be around 20-25mbit/sec (~2.5-3mbytes/sec), but I do not see such speeds here.

Here is my client configuration:

dev tun13
client
remote x.x.x.x
proto udp
port 25500
daemon

key main/me.key
cert main/me.crt
ca main/ca.crt

comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
ns-cert-type server
resolv-retry infinite
mssfix 1430

;log main.log
verb 0
daemon
#mute 20
pull

I also have a rule to fix MSS for tun+ interfaces in mangle chain of iptables:

   1    60 TCPMSS     tcp  --  *      tun+    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU

do you think it's worth trying hardware crypto ?

(Last edited by toolame on 4 Feb 2013, 11:18)

toolame wrote:

(lzo+aes256 enabled over UDP)
do you think it's worth trying hardware crypto ?

I would try disabling compression. Using it with encryption decreases the throughput, because CPU is the limiting factor in this case. To my knowledge, wndr3800 does not have any hardware crypto.
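As an added example (not code from the thread or from the OpenVPN project), here is a small Python script that parses the client config posted above, honouring OpenVPN's `;` and `#` comment leaders, and flags the throughput-related settings this thread discusses: the `comp-lzo` line (the reply suggests benchmarking with compression disabled), the absence of an `engine` line (the `engine cryptodev` step mentioned earlier for the OCF hardware path), `verb 0`, the duplicated `daemon` line, and whether a server-certificate role check (`ns-cert-type server` or `remote-cert-tls server`) is present. The sample config is embedded as constructed input copied from the post, and the advice strings are this example's own wording, not OpenVPN output.

```python
"""Parse an OpenVPN client config and report throughput/diagnostic findings.

Added example for the thread above; not code from the forum or from OpenVPN.
"""

# Constructed sample input: the client config posted in the thread, verbatim.
SAMPLE_CONFIG = """\
dev tun13
client
remote x.x.x.x
proto udp
port 25500
daemon

key main/me.key
cert main/me.crt
ca main/ca.crt

comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
ns-cert-type server
resolv-retry infinite
mssfix 1430

;log main.log
verb 0
daemon
#mute 20
pull
"""


def parse_openvpn_config(text):
    """Return a list of (directive, [args]) pairs, skipping blanks and comments.

    OpenVPN treats both ';' and '#' as comment leaders, so ';log main.log'
    and '#mute 20' in the sample are inactive and must not be reported.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def analyse(entries):
    """Produce findings, following the advice given in the thread."""
    findings = []
    directives = {}
    for name, args in entries:
        directives.setdefault(name, []).append(args)

    # Compression competes with the cipher for CPU time on a small router.
    if "comp-lzo" in directives:
        findings.append("comp-lzo enabled: compression costs CPU on top of the "
                        "cipher; benchmark with it disabled")

    # The hardware crypto path discussed in the thread needs an engine line
    # (the thread names 'engine cryptodev'); without it OpenSSL runs in software.
    if "engine" not in directives:
        findings.append("no engine directive: OpenSSL software crypto is used")

    # No explicit cipher line: the cipher in use is OpenVPN's build default
    # unless the server negotiates one, so confirm it before judging speed.
    if "cipher" not in directives:
        findings.append("no cipher directive: confirm which cipher is actually "
                        "negotiated before comparing throughput")

    # verb 0 silences the log lines that would show link statistics and errors.
    if directives.get("verb") == [["0"]]:
        findings.append("verb 0 hides diagnostics; raise verb while benchmarking")

    # Duplicated directives are harmless here but usually a copy/paste slip.
    for name, occurrences in directives.items():
        if len(occurrences) > 1:
            findings.append("duplicate directive '%s' (%d occurrences)"
                            % (name, len(occurrences)))

    # Either directive makes the client verify the server certificate's role.
    if "ns-cert-type" not in directives and "remote-cert-tls" not in directives:
        findings.append("no ns-cert-type/remote-cert-tls: server certificate "
                        "role is not checked")
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_openvpn_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run it against a real client config by reading the file into `parse_openvpn_config` instead of `SAMPLE_CONFIG`; the findings are a checklist to work through before reaching for hardware crypto, not a verdict on the link speed.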

The discussion might have continued from here.