
I am testing my OpenVPN server [Debian 10, 1 CPU core, 2 GB RAM] and I want to use stronger encryption, but throughput is slow with a stronger encryption cipher [SHA512, AES-256] and if I change the cipher [SHA256, AES-128], throughput is faster.

  • Do I have to upgrade my OpenVPN server with a higher spec for stronger encryption?
  • Are there any server config options for stronger encryption and higher throughput?
JW0914
Rabbit

2 Answers


First, you should split the ciphers by usage:

  • RSA-4096 is asymmetric crypto; it requires high computation power, which is why it is used only for key agreement (for symmetric crypto)
  • AES-256 - symmetric crypto for the established channel - most CPU goes here
  • SHA512 - HMAC for message authentication

The parameters you have chosen are pretty strong. If you can trade security for speed, using AES-128 with SHA256 is also acceptable.

If you are OK with upgrading the server spec, I would recommend AES-256-GCM.


...I want to use stronger encryption, but throughput is slow with a stronger encryption cipher [SHA512, AES-256] and if I change the cipher [SHA256, AES-128], throughput is faster.

Anything over AES128 is pointless since it will remain uncrackable until at least 2030 (similar math applies: all AES192 or AES256 will do is slow throughput without an AES-NI CPU, with no additional gain in security); instead, setting a low key re-negotiation value would be recommended to further harden security:

  • reneg-bytes <#>: Renegotiate data channel key after # bytes sent/received (Default: disabled)
  • reneg-pkts <#>: Renegotiate data channel key after # packets sent/received (Default: disabled)
  • reneg-sec <#>: Renegotiate data channel key after # seconds (Default: 3600)
    Can be used on both client/server: the lowest value will be the one to trigger renegotiation

Encryption/decryption is CPU intensive, so the stronger the cipher, the slower the throughput, and with a single-core CPU, throughput efficiency becomes vital:

  • TLS EC ciphers should be used over SSL, as they're more efficient:

    # Server config (see: openssl ciphers -v ; openssl ciphers -tls1_2)

    HMAC:
    auth              'SHA512'

    SSL:
    cipher            'AES-128-CBC'

    TLS (!: specifies disabled ciphers)
    tls-version-min   '1.2'
    tls-crypt         '/path/to//openvpn/tls-crypt.psk'
    tls-cipher        'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'

    Server's/client's certificate keyUsage determines what encryption algorithms can be used

Cipher speed examples:
openssl list -digest-commands | openssl list -cipher-commands

  • Router: WRT1900ACS (2C 1.6GHz CPU | 512MB RAM)
    openssl speed -elapsed aes-128-cbc aes-192-cbc aes-256-cbc
    # The 'numbers' are in 1000s of bytes per second processed.
      type                        16 bytes    64 bytes    256 bytes   1024 bytes  8192 bytes  16384 bytes
      aes-128 cbc                 50944.22k   55614.08k   57525.85k   58109.61k   58589.18k   59053.40k
      aes-192 cbc                 45287.47k   49316.10k   50979.41k   51186.35k   51503.10k   51478.53k
      aes-256 cbc                 39510.03k   42003.80k   43466.67k   43816.28k   43881.81k   43876.35k
    

    AES-NI CPUs:

    openssl speed -elapsed -evp <cipher>
      type                        16 bytes    64 bytes    256 bytes   1024 bytes  8192 bytes  16384 bytes
      aes-128 cbc                 43612.99k   54396.71k   58581.25k   59807.06k   60222.12k   60347.73k
      aes-192 cbc                 45327.42k   48932.03k   50659.75k   51033.09k   51112.62k   51030.70k
      aes-256 cbc                 39232.39k   41801.90k   43211.86k   43575.30k   43627.86k   43537.75k
      aes-128-gcm                 32829.30k   39914.79k   44297.47k   48705.19k   49851.05k   49728.98k
      aes-192-gcm                 29934.27k   35889.30k   39292.33k   43299.84k   44348.76k   44307.80k
      aes-256-gcm                 27591.53k   31829.29k   35027.46k   38921.56k   40135.34k   40042.50k

    openssl speed -elapsed rsa
      type                          sign        verify      sign/s      verify/s
      rsa  512 bits                 0.000419s   0.000034s   2387.4      29407.8
      rsa 1024 bits                 0.002078s   0.000091s   481.1       10943.3
      rsa 2048 bits                 0.012328s   0.000304s   81.1        3294.0
      rsa 3072 bits                 0.035587s   0.000638s   28.1        1566.2
      rsa 4096 bits                 0.077231s   0.001100s   12.9        908.8

    openssl speed -elapsed ecdsa
      type                          sign        verify      sign/s      verify/s
      192 bits ecdsa (nistp192)     0.0024s     0.0019s     419.6       519.6
      224 bits ecdsa (nistp224)     0.0033s     0.0026s     298.8       379.2
      256 bits ecdsa (nistp256)     0.0004s     0.0011s     2675.1      923.3
      384 bits ecdsa (nistp384)     0.0125s     0.0093s     80.3        108.1
      521 bits ecdsa (nistp521)     0.0307s     0.0223s     32.6        44.9

    openssl speed -elapsed ecdh
      type                          op          op/s
      192 bits ecdh (nistp192)      0.0023s     443.9
      224 bits ecdh (nistp224)      0.0031s     318.3
      256 bits ecdh (nistp256)      0.0008s     1328.1
      384 bits ecdh (nistp384)      0.0118s     84.8
      521 bits ecdh (nistp521)      0.0291s     34.4

    openssl speed -elapsed eddsa
      type                          sign        verify      sign/s      verify/s
      253 bits EdDSA (Ed25519)      0.0004s     0.0012s     2659.0      55.5


  • PC: Alienware 18 (4C/8T 3.2GHz CPU | 32GB RAM)
    openssl speed -elapsed aes-128-cbc aes-192-cbc aes-256-cbc
    # The 'numbers' are in 1000s of bytes per second processed.
      type                        16 bytes    64 bytes    256 bytes   1024 bytes  8192 bytes  16384 bytes
      aes-128 cbc                 201781.99k  204240.19k  205846.50k  204732.26k  198368.08k  192202.36k
      aes-192 cbc                 155320.50k  165649.08k  170799.59k  174669.13k  174455.52k  176713.92k
      aes-256 cbc                 148357.47k  151856.76k  139485.29k  139795.69k  147752.06k  146543.36k
    

    AES-NI CPUs:

    openssl speed -elapsed -evp <cipher>
      type                        16 bytes    64 bytes    256 bytes   1024 bytes  8192 bytes  16384 bytes
      aes-128 cbc                 594581.71k  704905.32k  727373.46k  734094.34k  735351.19k  728341.29k
      aes-192 cbc                 173568.45k  172797.10k  172932.76k  172692.18k  176029.76k  174697.20k
      aes-256 cbc                 151384.09k  149307.17k  153628.24k  154848.72k  154694.49k  154085.68k
      aes-128-gcm                 289326.68k  669727.86k  1691665.95k 2336267.43k 2923761.74k 2939784.87k
      aes-192-gcm                 280643.46k  789515.49k  1799382.17k 2161594.31k 2613359.92k 2599900.99k
      aes-256-gcm                 265146.87k  722269.03k  1588710.62k 1959085.67k 2308647.86k 2307122.45k

    TLS-like benchmark:

    openssl speed -elapsed -aead -evp aes-128-cbc-hmac-sha256
      type                        16 bytes    64 bytes    256 bytes   1024 bytes  8192 bytes    16384 bytes
      aes-128-cbc-hmac-sha256     25654.32k   271748.59k  1119811.51k 8298379.99k 66950407.39k  130586894.21k

    openssl speed -elapsed rsa
      type                          sign        verify      sign/s      verify/s
      rsa  512 bits                 0.000057s   0.000005s   17670.1     201324.8
      rsa 1024 bits                 0.000152s   0.000011s   6568.0      92138.0
      rsa 2048 bits                 0.000726s   0.000032s   1377.9      31147.1
      rsa 3072 bits                 0.003061s   0.000062s   326.7       16042.9
      rsa 4096 bits                 0.007236s   0.000111s   138.2       9015.5

    openssl speed -elapsed ecdsa
      type                          sign        verify      sign/s      verify/s
      192 bits ecdsa (nistp192)     0.0003s     0.0003s     3022.3      3221.8
      224 bits ecdsa (nistp224)     0.0005s     0.0004s     2159.8      2430.3
      256 bits ecdsa (nistp256)     0.0000s     0.0001s     29636.7     9640.2
      384 bits ecdsa (nistp384)     0.0011s     0.0009s     887.1       1053.4
      521 bits ecdsa (nistp521)     0.0026s     0.0021s     379.8       467.0

    openssl speed -elapsed ecdh
      type                          op          op/s
      192 bits ecdh (nistp192)      0.0003s     3190.5
      224 bits ecdh (nistp224)      0.0005s     2192.7
      256 bits ecdh (nistp256)      0.0001s     12309.3
      384 bits ecdh (nistp384)      0.0011s     892.2
      521 bits ecdh (nistp521)      0.0025s     402.1

    openssl speed -elapsed eddsa
      type                          sign        verify      sign/s      verify/s
      253 bits EdDSA (Ed25519)      0.0000s     0.0001s     25465.9     7878.0


Do I have to upgrade my OpenVPN server with a higher spec for stronger encryption?

While at least two CPU cores are ideal, AES128 on a single core is sufficient depending on your ISP's upload speed, as it's the upload speed that determines the max throughput possible with no encryption.

Are there any server config options for stronger encryption and higher throughput?

Tuning the server and client configs provides the highest throughput possible; however, it is a trial-and-error approach requiring time reading the OpenVPN man page and trying different tuning options to garner the highest throughput possible (tuned config examples).

JW0914
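As an added example (not code from either answer or from OpenVPN), here is a small Python script that parses the `openssl speed` cipher tables quoted in the second answer and relates one core's raw cipher rate to the ISP upload speed that the answer says bounds VPN throughput. The embedded sample is the router table from that answer; the 100 Mbit/s uplink and the "1024-byte blocks stand in for packets" rule are constructed assumptions.

```python
import re

# Constructed sample: the router table quoted in the answer above, embedded
# here so the script runs offline (openssl speed -elapsed aes-*-cbc output).
SAMPLE = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128 cbc      50944.22k    55614.08k    57525.85k    58109.61k    58589.18k    59053.40k
aes-192 cbc      45287.47k    49316.10k    50979.41k    51186.35k    51503.10k    51478.53k
aes-256 cbc      39510.03k    42003.80k    43466.67k    43816.28k    43881.81k    43876.35k
"""

# One data row: a cipher name (optionally "<name> <mode>") followed by "NNN.NNk" cells.
ROW_RE = re.compile(r"^(?P<name>[A-Za-z0-9_-]+(?: [a-z]+)?)\s+((?:[\d.]+k\s*)+)$")


def parse_speed_table(text):
    """Return {cipher: {block_size_bytes: bytes_per_second}} from openssl speed output."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header = next(ln for ln in lines if ln.startswith("type"))
    sizes = [int(n) for n in re.findall(r"(\d+) bytes", header)]
    table = {}
    for ln in lines:
        m = ROW_RE.match(ln)
        if not m:
            continue  # banner or header line, not a data row
        cells = [float(v.rstrip("k")) * 1000 for v in m.group(2).split()]
        if len(cells) != len(sizes):
            raise ValueError(f"column count mismatch in row: {ln!r}")
        table[m.group("name")] = dict(zip(sizes, cells))
    return table


def slowdown(table, strong, baseline, block_size=1024):
    """Fraction of raw cipher throughput lost by moving from baseline to strong."""
    return 1 - table[strong][block_size] / table[baseline][block_size]


def saturates_uplink(table, cipher, uplink_mbps, block_size=1024):
    """True if one core's raw cipher rate exceeds the uplink.  Assumption (mine,
    not the answer's): 1024-byte blocks stand in for VPN packets and HMAC and
    tun/tap overhead are ignored, so this is an optimistic upper bound."""
    return table[cipher][block_size] * 8 >= uplink_mbps * 1_000_000


if __name__ == "__main__":
    t = parse_speed_table(SAMPLE)
    print(f"AES-256-CBC costs {slowdown(t, 'aes-256 cbc', 'aes-128 cbc'):.0%} vs AES-128-CBC")
    print("AES-256-CBC on one core can cover a 100 Mbit/s uplink:",
          saturates_uplink(t, "aes-256 cbc", 100))
```

Feed it the output of `openssl speed -elapsed -evp <cipher>` from your own box to see whether the stronger cipher still clears your uplink before paying for more cores.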