Does OpenVPN still allow use of SafeXcel Crypto for off boarding and acceleration? I can’t see the chip listed anymore on the latest version of OpenVPN on pfSense. I spoke with the Netgate community and they state that OpenVPN no longer supports offboarding to a hardware cryptography device. I am running ARM architecture. It works perfectly in my older OpenVPN versions.
SafeXcel Crypto
OpenVPN uses OpenSSL. OpenSSL supports hardware for cryptographic operations offloading and acceleration.
So if OpenSSL sees it and uses it, then so will OpenVPN.
There is nothing special you have to do inside of OpenVPN to support this. If OpenSSL sees it and uses it, it will 'just work'. For example the AES-NI encryption handling in modern computer processors works the same way. If OpenSSL sees it and uses it, then so does OpenVPN. There's really not much more to it.
So if there's trouble using it, check OpenSSL configuration and run tests with OpenSSL to see if it's using this acceleration device or not.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
pfSense 23.05.01 does see it as I was able to see logs with it connecting on the version prior. However in 23.09 and 24 it shows this error when I connect to the OpenVPN server in logs:

Code:
dco_update_peer_stat: invalid peer ID 0 returned by kernel

Code:
Shell Output - dmesg | grep safexcel
safexcel0: <SafeXcel EIP-97 crypto accelerator> mem 0x90000-0xaffff irq 18,19,20,21,22,23 on simplebus1

Code:
Shell Output - vmstat -i |grep safexcel
gic0,s20: safexcel0 16609 0
gic0,s21: safexcel0 18887 0

But with use of the new version and package I show no counters.
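Added example (not part of the thread, and not Netgate or OpenVPN code): one way to turn the `vmstat -i | grep safexcel` check above into a before/after comparison, so it is clear whether traffic through the tunnel actually reached the accelerator. The function names and the "after" snapshot are constructed for illustration, and the column layout is assumed from the output quoted above.

```shell
#!/bin/sh
# Decide from two `vmstat -i` snapshots whether safexcel took interrupts.
# Assumed line layout (from the quoted output): <source> <device> <total> <rate>

# Sum the "total" column of every safexcelN line read from stdin.
safexcel_irq_total() {
    awk '$2 ~ /^safexcel[0-9]+$/ { sum += $3 } END { printf "%.0f\n", sum }'
}

# Usage: safexcel_irq_delta BEFORE_FILE AFTER_FILE  ->  prints "<delta> <verdict>"
safexcel_irq_delta() {
    before=$(safexcel_irq_total < "$1")
    after=$(safexcel_irq_total < "$2")
    delta=$((after - before))
    if [ "$delta" -gt 0 ]; then
        verdict=active      # safexcel raised interrupts between the snapshots
    elif [ "$delta" -eq 0 ]; then
        verdict=idle        # counters did not move: no work reached the device
    else
        verdict=reset       # counters went backwards, e.g. a reboot in between
    fi
    echo "$delta $verdict"
}

# Constructed snapshots: "before" reuses the counters quoted in the thread,
# "after" is invented to show a transfer that did reach the chip.
tmp=$(mktemp -d)
cat > "$tmp/before" <<'EOF'
interrupt                          total       rate
gic0,s20: safexcel0                16609          0
gic0,s21: safexcel0                18887          0
EOF
cat > "$tmp/after" <<'EOF'
interrupt                          total       rate
gic0,s20: safexcel0                16921          0
gic0,s21: safexcel0                19240          0
EOF
safexcel_irq_delta "$tmp/before" "$tmp/after"    # 665 active
rm -rf "$tmp"

# On the firewall: vmstat -i > before; pass traffic through the tunnel;
# vmstat -i > after; safexcel_irq_delta before after
```

An "idle" result while the tunnel is moving data means the crypto ran on the CPU rather than on the SafeXcel device.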
Per Netgate ..."OpenSSL no longer supports the BSD cryptodev device as an 'engine'. Selecting it there does nothing so it was removed.
SafeXcel should still be used for kernel mode crypto though so if you have DCO enabled.
Steve"
Ref:
Hello fellow Netgate community members can you please help? My Hardware Crypto is no longer showing up under OpenVPN configuration. My Netgate appliance was...
If "OpenSSL no longer supports the BSD cryptodev device.." is there a way around this to utilize the chip again?