UBNT-cmb wrote:
robokaren wrote: Updated OpenVPN with hardware acceleration for AES would be so fantastic.
Hardware acceleration can't help much if at all with OpenVPN. Its primary overhead is in tun/tap, which can't be hardware-accelerated. OpenVPN's only minimally faster (single digit percent) with a null cipher than it is with crypto last I tried it (which was last year, on x86, with pfSense before I was here, but it's not OS-specific). It's something we briefly discussed internally earlier today, it's worth another test, but short of a significantly faster CPU, or a huge revamp in OpenVPN itself which is unlikely, it's not possible to significantly accelerate OpenVPN. Its design is poor for performance purposes.
Hmmm. Yeah, I had my concerns with that as well. It'd be nice if it could possibly support it, but it doesn't use anything kernel-provided at all either, as it lives totally in userspace to my knowledge anyway.
For me, though, OpenVPN does run at the same network level speeds as IPsec does, even with hardware acceleration enabled, and tuning OpenVPN to run optimally without packet loss or dropped connections is far easier than IPsec is. Its MSS Clamping techniques are a bit more reliable at least, and the way it pushes and receives routes makes it versatile. For those reasons I use OpenVPN today.
Eric Renfro