Re: [Openvpn-devel] Listen on multiple interfaces but not all

2017-04-06 Thread David Sommerseth
On 06/04/17 17:11, Илья Шипицин wrote:
> Usually, you can bind to a certain interface and forward packets by
> firewall from other interfaces
>
> On 6 Apr 2017 19:41, "Kor Korrd" <mailto:kor.korrd%2bopen...@gmail.com> wrote:
>
> Hi,
>
> is it possible for the Server part

Re: [Openvpn-devel] Listen on multiple interfaces but not all

2017-04-06 Thread Илья Шипицин
Usually, you can bind to a certain interface and forward packets by firewall from other interfaces

On 6 Apr 2017 19:41, "Kor Korrd" wrote:
> Hi,
>
> is it possible for the Server part to listen on more than one specific
> interface but not on all interfaces?
>
> e.g.
> One Debian Se

[Openvpn-devel] Listen on multiple interfaces but not all

2017-04-06 Thread Kor Korrd
Hi,

is it possible for the Server part to listen on more than one specific interface but not on all interfaces?

e.g.
One Debian Server with several IPv4 and IPv6 addresses. Run the OpenVPN Server on one specific v4 and v6 address (local + local ), so that I can use the remaining addresses for ot

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread debbie10t
On 06/04/17 14:49, David Sommerseth wrote:
> On 06/04/17 15:37, debbie10t wrote:
>> Company A has 1,000 vpn users and (for whatever reason) they reboot
>> the server every 24 hours. They experience the slowdown because all
>> their vpn users are permanently connected. They all connect at once

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread David Sommerseth
On 06/04/17 15:37, debbie10t wrote:
> Company A has 1,000 vpn users and (for whatever reason) they reboot
> the server every 24 hours. They experience the slowdown because all
> their vpn users are permanently connected. They all connect at once.
> This patch is not trying to address the initia

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread Simon Matter
>
>
> On 06/04/17 12:52, Steffan Karger wrote:
>> Hi,
>>
>> On 6 April 2017 at 12:26, David Sommerseth
>> wrote:
>>> On 06/04/17 11:45, Simon Matter wrote:
> I like Arne's and David's suggestion - the existing option "as is"
> will
> enable X% jitter, while a second parameter can

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread debbie10t
On 06/04/17 14:05, Gert Doering wrote:
> Hi,
>
> On Thu, Apr 06, 2017 at 01:49:04PM +0100, debbie10t wrote:
>> As you can see, the current proposal does not allow for first random,
>> followed by expected/normal/regular renegs. It is either *always* random
>> or *never* random .. I believe this i

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread Simon Matter
> Web servers these days are also multi-threaded (or "multi-forked"), so
> they can utilize multiple cores more efficiently. OpenVPN is *single
> threaded*. So when one client starts a TLS renegotiation, it blocks all
> the other connected clients until the renegotiation has completed.
> When yo

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread David Sommerseth
On 06/04/17 14:49, debbie10t wrote:
>
> As you can see, the current proposal does not allow for first random,
> followed by expected/normal/regular renegs. It is either *always* random
> or *never* random .. I believe this is a poor decision.

Even though I see arguments for first-only, I have no

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread Gert Doering
Hi,

On Thu, Apr 06, 2017 at 01:49:04PM +0100, debbie10t wrote:
> As you can see, the current proposal does not allow for first random,
> followed by expected/normal/regular renegs. It is either *always* random
> or *never* random .. I believe this is a poor decision.

Your voice has been heard, an

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread debbie10t
On 06/04/17 12:52, Steffan Karger wrote:
> Hi,
>
> On 6 April 2017 at 12:26, David Sommerseth
> wrote:
>> On 06/04/17 11:45, Simon Matter wrote:
>>> I like Arne's and David's suggestion - the existing option "as is" will enable X% jitter, while a second parameter can specify a more spe

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread Steffan Karger
Hi,

On 6 April 2017 at 12:26, David Sommerseth wrote:
> On 06/04/17 11:45, Simon Matter wrote:
>>
>>> I like Arne's and David's suggestion - the existing option "as is" will
>>> enable X% jitter, while a second parameter can specify a more specific
>>> range. Following Arne's argument about user

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread debbie10t
On 06/04/17 11:26, David Sommerseth wrote:
> With the 1 hour default, not setting --reneg-sec gives a time window of
> 6 minutes with 10%. That is a reasonable default unless explicitly
> overridden by either --reneg-sec 3600 (no randomness) or --reneg-sec
> 3000 4000 (with a 1000 seconds large
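The effect the thread is arguing about can be made concrete with a small simulation: Simon Matter's quoted text above explains that the single-threaded server serialises every TLS renegotiation, and the message above quotes David Sommerseth's proposed semantics (10% of the 1-hour default giving a 6-minute window, `--reneg-sec 3600` for no randomness, `--reneg-sec 3000 4000` for an explicit range). The code below is an added example and is not part of the thread or of the OpenVPN patch under review. It assumes that the percentage jitter only shortens the interval (window = [reneg_sec - 10%, reneg_sec], which reproduces the 6-minute figure), that all 1,000 clients connect at t=0 as in debbie10t's "Company A" scenario, and that "renegotiations starting in the same second" is a usable proxy for how many sessions queue behind one another on the single-threaded server; all function names are mine.

```python
"""Added simulation of --reneg-sec scheduling with and without randomness.

Assumptions made for this example (not OpenVPN's own code or semantics):
  fixed:       interval = reneg_sec                         (`3600 3600`)
  percentage:  interval = uniform(reneg_sec - jitter*reneg_sec, reneg_sec)
  range:       interval = uniform(min_sec, max_sec)        (`3000 4000`)
and the draw is made either once per session (first interval random,
later ones regular) or on every renegotiation.
"""
import random
from collections import Counter

DEFAULT_RENEG_SEC = 3600   # OpenVPN's default --reneg-sec (1 hour)
DEFAULT_JITTER = 0.10      # the 10 % discussed in the thread


def window_seconds(reneg_sec, jitter):
    """Width of the randomisation window; jitter is a fraction of reneg_sec."""
    if not 0.0 <= jitter < 1.0:
        raise ValueError("jitter must be a fraction in [0, 1)")
    return reneg_sec * jitter


def jittered_interval(rng, reneg_sec=DEFAULT_RENEG_SEC, jitter=DEFAULT_JITTER):
    """Interval drawn uniformly from [reneg_sec - window, reneg_sec].

    Assumption: jitter only shortens the interval, so reneg_sec remains the
    upper bound on key lifetime that the option has always expressed."""
    return rng.uniform(reneg_sec - window_seconds(reneg_sec, jitter), reneg_sec)


def ranged_interval(rng, min_sec, max_sec):
    """Interval drawn uniformly from an explicit range (the `3000 4000` form)."""
    if not 0 < min_sec <= max_sec:
        raise ValueError("need 0 < min_sec <= max_sec")
    return rng.uniform(min_sec, max_sec)


def fixed_interval(rng, reneg_sec=DEFAULT_RENEG_SEC):
    """No randomness at all (the `3600 3600` form)."""
    return float(reneg_sec)


def simulate(n_clients, draw, horizon, first_only=False,
             regular=DEFAULT_RENEG_SEC, seed=1):
    """Schedule renegotiations for n_clients that all connect at t=0.

    draw(rng) returns the next interval in seconds.  With first_only=True
    only the first interval is drawn and later ones use `regular`, which is
    the "first random, then regular" variant debated in the thread.
    Returns Counter{second: number of renegotiations starting in it}.
    """
    rng = random.Random(seed)           # seeded so runs are reproducible
    buckets = Counter()
    for _ in range(n_clients):
        t = draw(rng)
        while t < horizon:
            buckets[int(t)] += 1
            t += regular if first_only else draw(rng)
    return buckets


def worst_second(buckets):
    """Most renegotiations starting in any single second: on a
    single-threaded server these are the ones that queue behind each other."""
    return max(buckets.values(), default=0)


if __name__ == "__main__":
    horizon = 4 * 3600
    cases = {
        "fixed 3600":           lambda rng: fixed_interval(rng),
        "3600 with 10% jitter": lambda rng: jittered_interval(rng),
        "range 3000..4000":     lambda rng: ranged_interval(rng, 3000, 4000),
    }
    for name, draw in cases.items():
        b = simulate(1000, draw, horizon)
        print(f"{name:24s} worst second: {worst_second(b):5d} "
              f"({len(b)} distinct seconds used)")
    b = simulate(1000, cases["3600 with 10% jitter"], horizon, first_only=True)
    print(f"{'first random, then fixed':24s} worst second: {worst_second(b):5d}")
```

With a fixed interval every one of the 1,000 sessions lands in the same second at t=3600, 7200 and 10800, so the server serialises all of them each time; with either random form the worst second holds only a handful of sessions, and drawing only the first interval at random keeps that spread on later rounds because each client just keeps its initial offset.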

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread David Sommerseth
On 06/04/17 11:45, Simon Matter wrote:
>
>> I like Arne's and David's suggestion - the existing option "as is" will
>> enable X% jitter, while a second parameter can specify a more specific
>> range. Following Arne's argument about users and percent math, it might
>> indeed be better to have "min

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread David Sommerseth
On 06/04/17 06:08, Илья Шипицин wrote:
>
>
> 2017-04-06 3:26 GMT+05:00 David Sommerseth:
>
> On 05/04/17 23:43, Илья Шипицин wrote:
> > hello!
> >
> > just curious how renegotiation is handled in "https" ?
> > is it "an abbrevate

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread Simon Matter
> Hi,
>
> On Wed, Apr 05, 2017 at 07:00:54PM +0100, debbie10t wrote:
>> > Optional option does not mean that it is disabled by default. If you
>> > don't want the randomness you would need to do:
>> >
>> > reneg-sec 3600 3600
>> >
>> > the optional argument also allows it to fine tune it to your needs.