OpenSSL performance questionnaire

Aloha all, since I use pfSense in multiple locations in a 4 node IPSec vpn setup, I got curious as to what kind of performance I could potentially be getting if I wasn’t hamstrung by the 20 Mbps uplink each site has.

Apparently, I’d need a multi gigbit uplink to let most of CPU’s I have on hand really stretch their encryption performance legs.

You can view my results here: https://docs.google.com/spreadsheets/d/1zKgIaRF5noy9znNdrYkpRtoy1sZbTCwZy8o_RdDuL6w/edit?usp=sharing

What I’d like from everyone that wishes to contribute is for you to fill out this form I threw together to collate data: https://forms.gle/3yLVxj5c8nbgpaEw8

Entering your username is optional if you want to be anonymous.

When you run the test (the form tells you what command to run), you should get output similar to this:

Basically, you’re going to run 2 tests:

  • AES-NI on: openssl speed -elapsed -evp aes-256-cbc
  • AES-NI off: openssl speed -elapsed aes-256-cbc

If your version of OpenSSL includes 16384 bytes results, don’t use those. I’m only collecting the "8192 bytes" results. Also, if you install OpenSSL for Windows, you can get the results from your Windows based builds as well (desktop, server, laptop, etc).

And finally, the disclaimer: these results do not mean you WILL get this kind of performance across 2 encrypted points.

It’s merely giving you an idea of the potential.

1 Like

I ran it on one of my VM’s hosted off unraid with dual Intel Xeon E5-2650v1 CPU’s.
VM was Ubuntu Server 18.04.3 had 4 CPU’s passed into it.

Just a note, the value you have marked as Bps is actually KBps. Your conversion to Mbps/MBps is correct for KBps though.

I’d also suggest having the non-AES accelerated results on the same sheet for easier comparisons. Maybe some different coloration for VM vs baremetal, as well as OS.
Also, having the passmark in there would be a nice comparison (could automatically pull it with a script).
And, if you’re up for it, you could make your form automatically add entries to the sheet, just need a trigger with a script.

Nonetheless, I like it! Thanks for posting this.

Thanks for the suggestions, those are really good ideas :stuck_out_tongue:

Working on them now.