ROCK64 as VPN Gateway - Talkabout - 11-30-2019
Hi guys,
I am searching a good VPN gateway board since some time. Currently I am using a Raspberry Pi 4 but am not really happy with the OpenVPN throughput (approx. 60 MBit/s, but 100 MBits/s connection). I guess this is related to the fact that the Raspberry does not have supported hardware acceleration for openssl/openvpn. I also tried some other boards (like an Odroid) but none of them provided a sufficient performance until now. I read about the ROCK64 and people are claiming that the crypto hardware is used by openssl, is this the case? What performance can I expect if using the board with OpenVPN? Maybe somebody already tested it and can provide some numbers?
Thanks in advance!
Bye
RE: ROCK64 as VPN Gateway - jsfrederick - 11-30-2019
I have a Rock64 as my Pi-Hole box and it's also running PiVPN. I'm very happy with the performance. Don't have any real numbers, but it's pretty comparable to the commercial VPN I used previously.
RE: ROCK64 as VPN Gateway - Talkabout - 12-01-2019
Hi @jsfrederick ,
thanks for your answer!
Can you do me a favor and execute the following command on your Rock64:
Code: :~ $ openssl speed -evp aes-128-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 11503672 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 3579215 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 967404 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 246825 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 30944 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 15543 aes-128-cbc's in 3.00s
OpenSSL 1.1.1c 28 May 2019
built on: Thu May 30 15:27:48 2019 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-hL5TK7/openssl-1.1.1c=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-cbc 61352.92k 76356.59k 82551.81k 84249.60k 84497.75k 84885.50k
This should show how slow/fast the openssl performance is.
Bye
RE: ROCK64 as VPN Gateway - evilbunny - 12-01-2019
Code: Rock64:
# openssl speed -evp aes-128-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 15650249 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 12464649 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 6646786 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 2423452 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 348775 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 175497 aes-128-cbc's in 3.00s
OpenSSL 1.1.1d 10 Sep 2019
built on: Sat Oct 12 19:56:43 2019 UTC
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-H2OJIf/openssl-1.1.1d=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-cbc 83467.99k 265912.51k 567192.41k 827204.95k 952388.27k 958447.62k
Code: RockPro64:
# openssl speed -evp aes-128-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 66070573 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 40764719 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 14919383 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 4125855 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 545375 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 274066 aes-128-cbc's in 3.00s
OpenSSL 1.1.1d 10 Sep 2019
built on: Sat Oct 12 19:56:43 2019 UTC
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-H2OJIf/openssl-1.1.1d=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-cbc 352376.39k 869647.34k 1273120.68k 1408291.84k 1489237.33k 1496765.78k
RE: ROCK64 as VPN Gateway - Talkabout - 12-01-2019
(12-01-2019, 05:30 AM)evilbunny Wrote: Code: Rock64:
# openssl speed -evp aes-128-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 15650249 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 12464649 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 6646786 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 2423452 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 348775 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 175497 aes-128-cbc's in 3.00s
OpenSSL 1.1.1d 10 Sep 2019
built on: Sat Oct 12 19:56:43 2019 UTC
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-H2OJIf/openssl-1.1.1d=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-cbc 83467.99k 265912.51k 567192.41k 827204.95k 952388.27k 958447.62k
Code: RockPro64:
# openssl speed -evp aes-128-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 66070573 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 40764719 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 14919383 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 4125855 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 545375 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 274066 aes-128-cbc's in 3.00s
OpenSSL 1.1.1d 10 Sep 2019
built on: Sat Oct 12 19:56:43 2019 UTC
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-H2OJIf/openssl-1.1.1d=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-cbc 352376.39k 869647.34k 1273120.68k 1408291.84k 1489237.33k 1496765.78k
Hi @evilbunny
these numbers look amazing (compared to the PI4). What operating system are you using?
I think that the Rock64 could be the solution for my performance problems... Am I correct that the size of the Rock64 is equal to the size of the RPI4? I have a small Rack for my PIs I would like to mount the Rock64 there.
Thanks!
Bye
RE: ROCK64 as VPN Gateway - tllim - 12-01-2019
(12-01-2019, 05:41 AM)Talkabout Wrote: (12-01-2019, 05:30 AM)evilbunny Wrote: Code: Rock64:
# openssl speed -evp aes-128-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 15650249 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 12464649 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 6646786 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 2423452 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 348775 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 175497 aes-128-cbc's in 3.00s
OpenSSL 1.1.1d 10 Sep 2019
built on: Sat Oct 12 19:56:43 2019 UTC
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-H2OJIf/openssl-1.1.1d=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-cbc 83467.99k 265912.51k 567192.41k 827204.95k 952388.27k 958447.62k
Code: RockPro64:
# openssl speed -evp aes-128-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 66070573 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 40764719 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 14919383 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 4125855 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 545375 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 274066 aes-128-cbc's in 3.00s
OpenSSL 1.1.1d 10 Sep 2019
built on: Sat Oct 12 19:56:43 2019 UTC
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-H2OJIf/openssl-1.1.1d=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-cbc 352376.39k 869647.34k 1273120.68k 1408291.84k 1489237.33k 1496765.78k
Hi @evilbunny
these numbers look amazing (compared to the PI4). What operating system are you using?
I think that the Rock64 could be the solution for my performance problems... Am I correct that the size of the Rock64 is equal to the size of the RPI4? I have a small Rack for my PIs I would like to mount the Rock64 there.
Thanks!
Bye Rock64 same size as RPi3, the only different is the power connect (DC jack vs microUSB).
RE: ROCK64 as VPN Gateway - Talkabout - 12-01-2019
Ok, thanks guys, sound good!
some more points to confirm:
- NFS root (file system on nfs share) possible?
- is Debian a recommended distro to use? I am using Raspbian on my other PIs, is it compatible with Rock64 also?
- my PI rack has a fan, what temperatures are expected from the CPU on load?
Thanks!
RE: ROCK64 as VPN Gateway - jsfrederick - 12-01-2019
My numbers are just about the same as Evilbunny's, see below.
I am using Armbian Stretch (www.armbian.com) for the Rock64, and PiVPN (www.pivpn.io).
I have a a case that has a fan so it runs pretty cool for me. I got my case from here: https://www.kksb-cases.us/
As TLLIM said, the Rock64 is the same size as the RPi, but i recommend that you get a Rock64 specific case since the connectors are slightly different.
Code: root@pihole:~# openssl speed -evp aes-128-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 16437665 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 13192876 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 6888083 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 2453359 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 352688 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 175202 aes-128-cbc's in 3.00s
OpenSSL 1.1.0l 10 Sep 2019
built on: reproducible build, date unspecified
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/aarch64-linux-gnu/engines-1.1\""
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-cbc 87667.55k 281448.02k 587783.08k 837413.21k 963073.37k 956836.52k
root@pihole:~#
RE: ROCK64 as VPN Gateway - evilbunny - 12-02-2019
(12-01-2019, 05:41 AM)Talkabout Wrote: these numbers look amazing (compared to the PI4). What operating system are you using?
Ayufan's Debian Minimal
(12-01-2019, 04:57 PM)Talkabout Wrote: - NFS root (file system on nfs share) possible?
you still need an emmc/sdcard for boot etc, once that finishes you can do nfs root, this is an OS/software config thing
Quote:- is Debian a recommended distro to use? I am using Raspbian on my other PIs, is it compatible with Rock64 also?
Raspbian is a debian fork, with arm there is no bios, hardware specific files get loaded at boot you need to use rock64 images.
Quote:- my PI rack has a fan, what temperatures are expected from the CPU on load?
Thermal limits start kicking in about 83C, I use a small fan and some small heatsinks on my r64's to stop them getting that high.
RE: ROCK64 as VPN Gateway - Talkabout - 12-02-2019
Thanks again guys!
This answers all my questions, I ordered a Rock64 and will give it a shot.
Bye
|