I am not aware of any prepackaged build of any of these as most people prefer one of the conflicting cryptodev implementations.
In the end you could even use cryptodev in the container. There may be packages around for this.
I do not use any of the acceleration for anything in userspace because software is faster for the interesting packet sizes and the latency is lower. You may save at most 30% CPU time with big packets when using CESA. With small packages the CPU overhead for CESA may go well over 1000%.
Calculation assuming aes-128-cbc and rounded:
OpenSSL with CESA via AF_ALG:
730kbyte/s / 16byte = 45625/s
3000kbyte/s / 64byte = 46875/s
There can be at most about 45000 encryptions per second using AF_ALG and about 75% CPU usage.
OpenSSL without AF_ALG:
48Mbyte/s / 16byte = 3000000/s
55MByte/s / 64byte = 859375/s
We can get 859375 64byte packets per second encrypted using OpenSSL only. Restricting OpenSSL to 75% CPU usage gives the following:
859375/s / 100% * 75% = 644531.25/s
To get the same amount of data encoded as with AF_ALG you would need:
46875/s / 644531.25/s * 100% = 7.27% of the CPU time compared to hardware accelerated.
I took 64bytes as reference because there are quite some small packets like ICMP packets and TCP SYN/ACK that are around 64 bytes in size.
VPN is pretty easy to benchmark when you just connect another computer (e.g. VMware with a Linux distribution), create a VPN network and check the speed with iperf. I get around 45 Mbit with OpenVPN and 220 Mbit with WireGuard (should be around 350 with CONFIG_PADATA enabled).
I don’t have /dev/crypto. Does it mean that CESA is disabled?
kmod-crypto-ocf isn’t installed because it isn’t available. All other modules are installed.
in/out is in Mbit/s and as seen from the Omnia.
acceleration bs is the bitsliced implementation (aes-arm-bs, requires custom kernel).
Result: If you upload or download big files then CESA is faster, but it creates some problems if you have an upload and a download at the same time. Also CPU usage can be higher with CESA than without. And this is only valid for AES-256-CBC+HMAC(SHA256).
Why is there no tutorial for dummies on how to activate CESA and boost the VPN speed? I have been searching for a good solution for some days, but I don’t get it to run…
I think there are a lot of people who decided to buy the Omnia to use the nice VPN performance…