Looking for a powerful Pi-like SoC with dual gigabit NICs and good openssl/openvpn performance (AES hardware acceleration ideally).

Anything, anyone?

[Boosts appreciated]

@gedvondur

I know, it's rather specific. I wouldn't be asking otherwise 😄

I need this thing as a mobile VPN router, ideally supporting up to gigabit speeds.

@gedvondur @fribbledom ASUS tinker board? I don't know of other ARM boards with dual-channel RAM.

@cyplo @fribbledom Turris has a Marvell Armada 38x SoC with AES acceleration
I just ran cryptsetup benchmark and it does
94 MiB/s AES-CBC with 128-bit key,
29 MiB/s AES-XTS with 512-bit key
(enc/dec throughput symmetrical)

@uint8_t @cyplo

Can you also try aes-256-gcm and aes-256-cbc, please?

crypto benchmark 

@fribbledom here you go:

The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc     30489.85k    32036.08k    33030.20k    33227.58k    33080.74k
aes-256-gcm     13082.96k    13656.00k    13708.76k    13809.17k    13772.46k

lol, these numbers compared to my i7-2640M

@uint8_t

Thank you so much! ❤️

Sadly I really need at least twice the performance there. Guess I'll have to look into x86 based machines, after all 😐

@fribbledom @uint8_t I wonder if you would get twice the perf with twice the threads.

@fribbledom it's a fair bit chomkier than the pi but: pcengines apu2 (low power amd embedded x86 based sbc with coreboot and no firmware blobs and ecc ram. aes-ni works)

@fribbledom you can even get it with 3 nics, and with a slot for an lte modem if you want :P

@haskal

I tried that, but never managed to get more than 200mbit/s throughput (over OpenVPN).

@fribbledom hmm
then you'll want something more high power
though i'd try benchmarking wireguard too tbh

@fribbledom You forgot budget. And you're implying Pi-like size too, true?

@trini

Budget: <$150. Can be bigger than a Pi, but shouldn't use _much_ more power than one.

@fribbledom You _may_ find something from the NXP Layerscape eval platforms then. SolidRun is taking one of those and making a desktop out of it, but it's out of your budget.

@fribbledom There's also the ClearFog platform from SolidRun as that also has enough real ethernet on it for your use case but you'd want to double check that crypto accel works/is available in the way you want it.

@fribbledom @trini hmm. if your budget could stretch a bit higher, you could go straight to an x86 industrial mini pc like newegg.com/p/2DS-0020-00001 - that example is a dual gige lan, and you get a quad core 'braswell' chip (that's intel's big cores, not atom) with aes-ni.

if you got down to your budget target, you tend to get atom cores without aes-ni :/

@kepstin @fribbledom Yeah, there's a few x86 examples I think. Personally my router/AP is pcengines.ch/apu2.htm which is probably a bit slower than that but does reasonable networking speeds (and isn't the bottleneck locally).

@fribbledom @trini correction: braswell *is not* the intel big cores, it is atom-based. But at least it does have aes-ni, and pretty high clocks.

@fribbledom This might do what you need it to, I am unsure of AES acceleration though.

grapeboard.com/

@fribbledom Something in the TI Sitara or NXP i.MX series ought to have what you're asking for.

@fribbledom I know for professional network use Alix APU2 is recommended quite often. It has higher prices compared to a Pi of course: pcengines.ch/apu2.htm

@fribbledom I would take a look at pc engines from Switzerland. Use them for some opnsense firewalls.

@fribbledom I’m using the beagleboard X15 which can most likely meet your needs. It’s very good but requires additional cooling or it overheats and dies frequently.

@fribbledom If you can find one, Soekris 6501s are adequate. Think they're 686 based machines though.

@fribbledom oops sorry, that one has one gigabit nic and one 100 megabit nic

@fribbledom Dual NIC is a difficult one. You might be able to use a network switch.

@kelbot

Lovely machines, but sadly I need roughly 50 times the OpenVPN throughput 🙈

@fribbledom Is 500 mbit/s OpenVPN throughput even realistic? community.openvpn.net/openvpn/
Ok, it is, but how can hardware chips for AES-NI differ that much? Would be nice if anyone knows a good post telling more about them.

@bionade24

It's possible, yeah. Even on older x86 hardware you get >1GB/s with AES acceleration.

The biggest problem here is that OpenVPN doesn't utilize multi-threading, and most SoCs lack single-core performance.

There's frivpn which is OpenVPN compatible and multi-threaded, but only supports a very specific server configuration currently:

github.com/znuh/frivpn

@fribbledom But why? Do ARM CPUs have worse IPC or are there different AES accelerations and even the latest ones from ARM are bad?

@bionade24 @fribbledom Yes, the IPC is very different. It depends on how complex each processor core is.
"Figure 6: SonicBOOM SPEC17 IPC compared to Intel Skylake and AWS Graviton cores." - see here: carrv.github.io/2020/papers/CA

AES implementations are also different. Check my responses on the root toot about the VIA CPUs.

And one find: github.com/ThomasKaiser/sbc-be
Small tool to get a rough idea of how capable a given SBC is. Most of the Chinese SoCs implement ARM AES instructions. The Broadcom CPUs in the Raspberry Pis don't. There is a very big difference for cryptography operations.

@fribbledom if wireguard would be an option pi4+ 5volt switch?

@Bobo_PK

I love the Pi, but even then the Pi4 only does 240MBit/s over its "gigabit" NIC.

Also, its AES-256-CBC performance is pretty miserable.

@Bobo_PK @fribbledom it could be that the 240 was the 3, where Ethernet also had to go through the USB controller

@Bobo_PK

*Scratches head*

Indeed, I seem to have forgotten that they tinkered with that on the Pi4.

@fribbledom odroid-h2+ fits perfectly, I think. Just discovered it on Golem.de

@Bobo_PK @fribbledom I find it hard to believe this benchmark

The last time I tried the Pi 4 it wasn't even able to play back high bitrate h264 from a luks encrypted USB hard drive, because it has no AES acceleration

@fribbledom There's the ROCKPRO from @PINE64, you'd need to bring a PCI-e NIC though.

@fribbledom Once upon a time VIA CPU boards were exceptionally good at encryption. Their Padlock engine is unmatched per MHz and low power consumption: airvpn.org/forums/topic/11827-

This seems quite good:
viatech.com/en/products/boards

But the price is well above your budget (250 euro without taxes and RAM):
eu.mouser.com/ProductDetail/VI

@fribbledom The other similar option 3,5" SBC with 1 GB RAM but 1 core only, but 5 ports at 1 Gbps:
viatech.com/en/products/boards
Price is 190 euro without VAT at Mouser.

@fribbledom hardkernel.com/shop/odroid-h2/
This seems your best bet. With some RAM and the other taxes/shipping it will be around your budget. But it should be fast enough.

@fribbledom A Pine RockPro64 has one GB NIC plus a PCIe slot. I've previously wondered if you could add another GB NIC or so on the PCIe?

@fribbledom it's not cheap, but it sounds like you're looking for a higher-end router or gateway. A lot of business-class gear would fit, just have to look for something that already runs an open firmware (pfSense is most likely in that hardware bracket) so you can customize it

@fribbledom Take a look at armbian.com. My Odroid HC1 runs flawlessly with it.
