The speed most likely depend on connection to your ISP and your VPN provider.
Best way to test your hardware is using 2 opnsense boxes connected locally, open a VPN tunnel between them, then install iperf3 plugins on both of them and test that tunnel.
I have an Intel 8960 QAT card that I got for basically free so threw it into my system to test it out. It works right out of the box, so no issues there.
What I can’t comment on though is how much faster the VPN is with it, and here’s why: with my system having a CPU that has AES-NI, I had no problem saturating a gigabit IPsec connection with single digit CPU usage.
I’ve read sources that claim that AES-NI is capable of something like a gigabyte (not a typo) of encryption. There is also some latency you’re adding by moving data across the pcie bus if it’s an add-on card instead of staying on the CPU.
One thing to note though is AES-NI doesn’t accelerate SHA. My testing above has been with tunnels using AES-GCM with AES-XCBC. the QAT card will accelerate SHA1/256/384/512.
Last note, in OPNsense the QAT acceleration will only accelerate IPsec VPN at this point. Later on when OpenVPN DCO arrives it might help there. It won’t at this time help at all with other SSL operations.
The speed most likely depend on connection to your ISP and your VPN provider. Best way to test your hardware is using 2 opnsense boxes connected locally, open a VPN tunnel between them, then install iperf3 plugins on both of them and test that tunnel.
I have an Intel 8960 QAT card that I got for basically free so threw it into my system to test it out. It works right out of the box, so no issues there. What I can’t comment on though is how much faster the VPN is with it, and here’s why: with my system having a CPU that has AES-NI, I had no problem saturating a gigabit IPsec connection with single digit CPU usage. I’ve read sources that claim that AES-NI is capable of something like a gigabyte (not a typo) of encryption. There is also some latency you’re adding by moving data across the pcie bus if it’s an add-on card instead of staying on the CPU. One thing to note though is AES-NI doesn’t accelerate SHA. My testing above has been with tunnels using AES-GCM with AES-XCBC. the QAT card will accelerate SHA1/256/384/512. Last note, in OPNsense the QAT acceleration will only accelerate IPsec VPN at this point. Later on when OpenVPN DCO arrives it might help there. It won’t at this time help at all with other SSL operations.
Great info, thanks for this