Modern versions of OpenSSL and OpenVPN support new ciphers based on ChaCha20-Poly1305.
Using them instead of AES-GCM dramatically improves performance especially on Raspberry Pis or other low-end CPU swhich do not have HW AES acceleration.
Supported from OpenVPN2.5+ and compatible SSL library needed so allowing such ciphers as optional should check if these are supported by the running system.
Below is a quick and dirty patch I used to test it and deploy on RPi (just overwriting the default parameters). Proper way would be of course new selectable option, checks if algos are supported on the particular system, etc.
diff ./original/openvpn-install.sh ./patched/openvpn-install.sh
393,394c393,394
< # Use default, sane and fast parameters
< CIPHER="AES-128-GCM"
---
> # Use modern ChaCha20-Poly1305 for faster operation on Raspberry Pi or other low-end HW
> CIPHER="CHACHA20-POLY1305"
397c397
< CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
---
> CC_CIPHER="TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"
Test comparion on RPi4 1GB RAM shows ChaCha20-Poly1305 is cca 4.5× faster than AES-128-GCM:
$ openssl speed -elapsed -evp aes-128-gcm
You have chosen to measure elapsed time instead of user CPU time.
Doing AES-128-GCM for 3s on 16 size blocks: 8399910 AES-128-GCM's in 3.00s
Doing AES-128-GCM for 3s on 64 size blocks: 2530334 AES-128-GCM's in 3.00s
Doing AES-128-GCM for 3s on 256 size blocks: 762014 AES-128-GCM's in 3.00s
Doing AES-128-GCM for 3s on 1024 size blocks: 200959 AES-128-GCM's in 3.00s
Doing AES-128-GCM for 3s on 8192 size blocks: 25868 AES-128-GCM's in 3.00s
Doing AES-128-GCM for 3s on 16384 size blocks: 12978 AES-128-GCM's in 3.00s
version: 3.0.13
built on: Mon Apr 29 14:39:02 2024 UTC
options: bn(64,64)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-928mA1/openssl-3.0.13=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
CPUINFO: OPENSSL_armcap=0x81
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
AES-128-GCM 44799.52k 53980.46k 65025.19k 68594.01k 70636.89k 70877.18k
$ openssl speed -elapsed -evp chacha20-poly1305
You have chosen to measure elapsed time instead of user CPU time.
Doing ChaCha20-Poly1305 for 3s on 16 size blocks: 15080966 ChaCha20-Poly1305's in 3.00s
Doing ChaCha20-Poly1305 for 3s on 64 size blocks: 6477209 ChaCha20-Poly1305's in 3.00s
Doing ChaCha20-Poly1305 for 3s on 256 size blocks: 2940868 ChaCha20-Poly1305's in 3.00s
Doing ChaCha20-Poly1305 for 3s on 1024 size blocks: 909247 ChaCha20-Poly1305's in 3.00s
Doing ChaCha20-Poly1305 for 3s on 8192 size blocks: 118162 ChaCha20-Poly1305's in 3.00s
Doing ChaCha20-Poly1305 for 3s on 16384 size blocks: 58899 ChaCha20-Poly1305's in 3.00s
version: 3.0.13
built on: Mon Apr 29 14:39:02 2024 UTC
options: bn(64,64)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-928mA1/openssl-3.0.13=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
CPUINFO: OPENSSL_armcap=0x81
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
ChaCha20-Poly1305 80431.82k 138180.46k 250954.07k 310356.31k 322661.03k 321667.07k
Modern versions of OpenSSL and OpenVPN support new ciphers based on ChaCha20-Poly1305.
Using them instead of AES-GCM dramatically improves performance especially on Raspberry Pis or other low-end CPU swhich do not have HW AES acceleration.
Supported from OpenVPN2.5+ and compatible SSL library needed so allowing such ciphers as optional should check if these are supported by the running system.
Below is a quick and dirty patch I used to test it and deploy on RPi (just overwriting the default parameters). Proper way would be of course new selectable option, checks if algos are supported on the particular system, etc.
Test comparion on RPi4 1GB RAM shows ChaCha20-Poly1305 is cca 4.5× faster than AES-128-GCM: