On 16.11.19 at 21:29, Gert Doering wrote:
> Hi,
>
> On Sat, Nov 16, 2019 at 09:07:43PM +0100, Boris wrote:
>>> Generally speaking: use tls-auth. This will stop all packets from
>>> unauthorized sources from generating state and eating memory in the
>>> openvpn server process (it will still eat up some CPU, but if that is
>>> enough to crash the server, you need a faster CPU - or move the openvpn
>>> service to another port).
>>
>> thanks a lot for your statement.
>>
>> Yes, the openvpn daemon is dying from all those requests.
>>
>> Is it that section, that you suggest to be enabled?
>> :
>>
>> # For extra security beyond that provided
>> # by SSL/TLS, create an "HMAC firewall"
>> # to help block DoS attacks and UDP port flooding.
>
> Yes. But this needs to be included in all client configs as well, so
> if you "just change the server", things will no longer work.
>
> So, generate the ta.key on the server, distribute it to all the clients,
> enable it in all client configs and then enable it in the server config.
>
> (the "ta.key" file needs to be identical everywhere)
>
Got it, thank you very much!!

First step is to upgrade the box.

Boris
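
The rollout order described in the thread (same ta.key on every client, tls-auth enabled in every client config, server last) can be checked before the final step. The following is an added example, not part of the original thread: a shell pre-flight check run against constructed sample files. The function names are hypothetical, the key contents are placeholders, and resolving relative key paths against the config's directory is an assumption of this sketch.

```shell
# Pre-flight check to run before enabling tls-auth in the server config.

# Print "<keyfile> <direction>" from the active tls-auth line of a config;
# direction is "-" when omitted. Lines commented out with # or ; never match.
tls_auth_of() {
    awk '$1 == "tls-auth" { d = ($3 ~ /^[01]$/) ? $3 : "-"; print $2, d; exit }' "$1"
}

# check_client SERVER_KEY SERVER_DIRECTION CLIENT_CONF
# SERVER_DIRECTION is 0, 1 or "-" (no direction parameter on the server).
check_client() {
    skey=$1; sdir=$2; conf=$3
    set -- $(tls_auth_of "$conf")
    [ $# -gt 0 ] || { echo "FAIL $conf: tls-auth not enabled"; return 1; }
    ckey=$1; cdir=$2
    # Assumption: relative key paths are resolved against the config's directory.
    case $ckey in /*) ;; *) ckey=$(dirname "$conf")/$ckey ;; esac
    cmp -s "$skey" "$ckey" ||
        { echo "FAIL $conf: $ckey differs from the server key or is missing"; return 1; }
    # Directions must be complementary (0/1), or omitted on both sides.
    case "$sdir$cdir" in
        01|10|--) echo "OK   $conf" ;;
        *) echo "FAIL $conf: direction '$cdir' does not pair with server '$sdir'"; return 1 ;;
    esac
}

# check_rollout SERVER_KEY SERVER_DIRECTION CLIENT_CONF...
# Returns 0 only when every client passes.
check_rollout() {
    skey_all=$1; sdir_all=$2; shift 2; bad=0
    for conf in "$@"; do
        check_client "$skey_all" "$sdir_all" "$conf" || bad=1
    done
    return $bad
}

# Constructed sample: client a is ready, b still has the directive commented
# out, c holds a different key. Key bytes are placeholders, not real keys.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/server" "$d/a" "$d/b" "$d/c"
    echo "placeholder-static-key-1" > "$d/server/ta.key"
    cp "$d/server/ta.key" "$d/a/ta.key"; echo "tls-auth ta.key 1" > "$d/a/client.conf"
    cp "$d/server/ta.key" "$d/b/ta.key"; echo ";tls-auth ta.key 1" > "$d/b/client.conf"
    echo "placeholder-static-key-2" > "$d/c/ta.key"; echo "tls-auth ta.key 1" > "$d/c/client.conf"
    echo "$d"
}

s=$(make_sample)
check_rollout "$s/server/ta.key" 0 "$s"/*/client.conf || echo "do not enable tls-auth on the server yet"
rm -rf "$s"
```

In a real deployment the client configs live on the clients, so the check would run over collected copies or per client during distribution.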