Looking for a powerful Pi-like SoC with dual gigabit NICs and good openssl/openvpn performance (AES hardware acceleration ideally).
@fribbledom Heh, you don't ask for much do you?
I know, it's rather specific. I wouldn't be asking otherwise 😄
I need this thing as a mobile VPN router, ideally supporting up to gigabit speeds.
@fribbledom here you go:
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc     30489.85k    32036.08k    33030.20k    33227.58k    33080.74k
aes-256-gcm     13082.96k    13656.00k    13708.76k    13809.17k    13772.46k
@uint8_t eeks! OpenSSL 1.0.2...
@brnrd supposedly patched by the vendor
Thank you so much! ❤️
Sadly I really need at least twice the performance there. Guess I'll have to look into x86 based machines, after all 😐
@fribbledom it's a fair bit chomkier than the pi but: pcengines apu2 (low power amd embedded x86 based sbc with coreboot and no firmware blobs and ecc ram. aes-ni works)
@fribbledom you can even get it with 3 nics, and with a slot for an lte modem if you want :P
I tried that, but never managed to get more than 200mbit/s throughput (over OpenVPN).
then you'll want something more high power
though i'd try benchmarking wireguard too tbh
@fribbledom You forgot budget. And you're implying Pi-like size too, true?
Budget: <$150. Can be bigger than a Pi, but shouldn't use _much_ more power than one.
@fribbledom You _may_ find something from the NXP Layerscape eval platforms then. SolidRun is taking one of those and making a desktop out of it, but it is out of your budget.
@fribbledom There's also the ClearFog platform from SolidRun as that also has enough real ethernet on it for your use case but you'd want to double check that crypto accel works/is available in the way you want it.
@fribbledom @trini hmm. if your budget could stretch a bit higher, you could go straight to an x86 industrial mini pc like https://www.newegg.com/p/2DS-0020-00001 - that example is a dual gige lan, and you get a quad core 'braswell' chip (that's intel's big cores, not atom) with aes-ni.
if you got down to your budget target, you tend to get atom cores without aes-ni :/
@fribbledom Something in the TI Sitara or NXP i.MX series ought to have what you're asking for.
@fribbledom Wait, are you asking for a SoC or an SBC?
@fribbledom I would take a look at pc engines from Switzerland. Use them for some opnsense firewalls.
@fribbledom I’m using the beagleboard X15 which can most likely meet your needs. It’s very good but requires additional cooling or it overheats and dies frequently.
@fribbledom If you can find one, Soekris 6501s are adequate. Think they're 686 based machines though.
you can also get a USB-to-ethernet adapter
@fribbledom oops sorry, that one has one gigabit nic and one 100 megabit nic
@fribbledom Dual NIC is a difficult one. You might be able to use a network switch.
Lovely machines, but sadly I need roughly 50 times the OpenVPN throughput 🙈
@fribbledom Is 500 mbit/s OpenVPN throughput even realistic? https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
Ok, it is, but how can hardware chips for AES-NI differ that much? Would be nice if anyone knows a good post telling more about them.
It's possible, yeah. Even on older x86 hardware you get >1GB/s with AES acceleration.
The biggest problem here is that OpenVPN doesn't utilize multi-threading, and most SoCs lack single-core performance.
There's frivpn which is OpenVPN compatible and multi-threaded, but only supports a very specific server configuration currently:
@fribbledom But why? Do ARM CPUs have worse IPC, or are there different AES accelerations and even the latest ones from ARM are bad?
@bionade24 @fribbledom Yes, the IPC is very different. It depends on how complex each processor core is.
BOOM SPEC17 IPC compared to Intel Skylake and AWS Graviton cores." - see here: https://carrv.github.io/2020/papers/CARRV2020_paper_15_Zhao.pdf
AES implementations are also different. Check my responses on the root toot about the VIA CPUs.
And one find: https://github.com/ThomasKaiser/sbc-bench#openssl
Small tool to get a rough idea of how capable a given SBC is. Most of the Chinese SoCs implement ARM AES instructions. The Broadcom CPUs in the Raspberry Pis don't. There is a very big difference for cryptography operations.
@fribbledom if wireguard would be an option pi4+ 5volt switch?
I love the Pi, but even then the Pi4 only does 240MBit/s over its "gigabit" NIC.
Also, its AES-256-CBC performance is pretty miserable.
@fribbledom I have it running as a VPN at home. According to Reddit, 800 go through it
Indeed, I guess I forgot that they tinkered with the Pi4 there.
@fribbledom odroid-h2+ fits perfectly, I think. Just spotted it on Golem.de
@fribbledom Once upon a time VIA CPU boards were exceptionally good at encryption. Their Padlock engine is unmatched per MHz and low power consumption: https://airvpn.org/forums/topic/11827-routers-with-aes-256-cbc-acceleration/?tab=comments#comment-18780
This seems quite good:
But the price is well above your budget (250 euro without taxes and RAM):
@fribbledom The other similar option 3,5" SBC with 1 GB RAM but 1 core only, but 5 ports at 1 Gbps:
Price is 190 euro without VAT at Mouser.
@fribbledom A Pine RockPro64 has one GB NIC plus a PCIe slot. I've previously wondered if you could add another GB NIC or so on the PCIe?
@fribbledom it's not cheap, but it sounds like you're looking for a higher-end router or gateway. A lot of business-class gear would fit, just have to look for something that already runs an open firmware (pfSense is most likely in that hardware bracket) so you can customize it
@fribbledom Take a look at armbian.com. My Odroid HC1 runs flawlessly with it.