On 25/02/2021 17:56, tincanteksup wrote:
> How about ...
>
> On 25/02/2021 01:03, tincanteksup wrote:
>> Keeping up with the internet is hard:
>> https://squeeze.isobar.com/2019/04/11/the-sad-story-of-tcp-fast-open/
>>
>> I guess the bottom line is: Use UDP, if you are worried about TCP SYN
>> to your server.
>
> Instead of UDP..
> Use --port-share and have the other application drop all incoming
> packets anyway.
>
> Would that work? I have not tested ..

Not really. If you're worried about TCP SYN attacks .... this happens
before any application on the system. The whole TCP handshake is
handled in the kernel.
You need a stateless protocol layer (UDP) to battle the TCP SYN challenges.
And with --port-share, OpenVPN becomes a (MITM) proxy also for all the
traffic not identified as OpenVPN packets. --port-share needs a
destination port for the non-OpenVPN traffic.
--
kind regards,
David Sommerseth
OpenVPN Inc
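
What "handled in the kernel" means in practice, as an added example that is not part of the original message: a loopback TCP listener that never calls accept() still completes the handshake, while a UDP datagram is handed straight to the application. The loopback address, ephemeral ports and function names are assumptions chosen so it runs offline.

```python
import socket

def tcp_handshake_without_accept():
    """Return True if connect() succeeds although the server never calls accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # constructed endpoint: loopback, ephemeral port
    srv.listen(1)                # from here on the kernel answers SYNs by itself
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(2)
    try:
        cli.connect(srv.getsockname())  # SYN / SYN-ACK / ACK completed by the kernel
        cli.sendall(b"hello")           # queued in kernel buffers; the app never looked
        return True
    except OSError:
        return False
    finally:
        cli.close()
        srv.close()

def udp_first_packet_reaches_app():
    """Return the first datagram exactly as the application receives it (no handshake)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))   # constructed endpoint: loopback, ephemeral port
    srv.settimeout(2)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        cli.sendto(b"first-packet", srv.getsockname())
        data, _peer = srv.recvfrom(2048)  # the application decides to answer or drop
        return data
    finally:
        cli.close()
        srv.close()

if __name__ == "__main__":
    print("TCP connect completed with no accept():", tcp_handshake_without_accept())
    print("UDP first datagram seen by application:", udp_first_packet_reaches_app())
```

An application behind --port-share that drops everything only acts after this point, which is why it cannot influence how SYNs are handled.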