Hi,

On Sat, Nov 16, 2019 at 09:07:43PM +0100, Boris wrote:
> > Generally speaking: use tls-auth.  This will stop all packets from
> > unauthorized sources from generating state and eating memory in the
> > openvpn server process (it will still eat up some CPU, but if that is
> > enough to crash the server, you need a faster CPU - or move the openvpn
> > service to another port).
> 
> thanks a lot for your statement.
> 
> Yes, the openvpn daemon is dying from all those requests.
> 
> Is it that section, that you suggest to be enabled?
> :
> 
> # For extra security beyond that provided
> # by SSL/TLS, create an "HMAC firewall"
> # to help block DoS attacks and UDP port flooding.

Yes.  But this needs to be included in all client configs as well, so
if you "just change the server", things will no longer work.

So, generate the ta.key on the server, distribute it to all the clients,
enable it in all client configs and then enable it in the server config.

(the "ta.key" file needs to be identical everywhere)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
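The rollout order Gert describes (generate ta.key on the server, get it into every client config, and only then switch the server) as an added example that is not part of the thread. The script below is not OpenVPN project code; file names such as ta.key, server.conf and client1.conf are illustrative, the `openvpn --genkey --secret` spelling is the OpenVPN 2.4 form (2.5 and later also accept `openvpn --genkey secret ta.key`), and the random-bytes fallback used when no openvpn binary is installed exists only so the script can be exercised in a sandbox. The pre-flight check is the part worth keeping: it refuses to report "OK" unless every listed client config carries a tls-auth line with key-direction 1 and a key file byte-identical to the server's, which is exactly the failure mode of "just changing the server".

```shell
#!/bin/sh
# Added example, not from this thread: automate the tls-auth rollout order
# Gert describes (key on server -> every client config -> server config) and
# check it before restarting the server.  File names are illustrative.
set -u

# Step 1: generate ta.key on the server.  OpenVPN 2.4 spelling; 2.5+ also
# accepts "openvpn --genkey secret ta.key".  If no openvpn binary is present
# (a test sandbox), write 256 random bytes in the same static-key layout so the
# rest of the script can be exercised; that fallback is for testing only.
gen_ta_key() {
    out=$1
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey --secret "$out"
    else
        {
            echo "-----BEGIN OpenVPN Static key V1-----"
            i=0
            while [ "$i" -lt 16 ]; do          # 16 lines x 16 bytes = 2048 bits
                od -An -tx1 -N 16 /dev/urandom | tr -d ' \n'
                echo
                i=$((i + 1))
            done
            echo "-----END OpenVPN Static key V1-----"
        } > "$out"
    fi
    chmod 600 "$out"                         # the key is a shared secret
}

# Step 2: every client config gets the directive (key-direction 1 on clients).
enable_tls_auth_client() {                   # $1 = client.conf, $2 = key file
    grep -q '^tls-auth ' "$1" || printf 'tls-auth %s 1\n' "$2" >> "$1"
}

# Step 3: only once all clients carry it, the server config (direction 0).
enable_tls_auth_server() {                   # $1 = server.conf, $2 = key file
    grep -q '^tls-auth ' "$1" || printf 'tls-auth %s 0\n' "$2" >> "$1"
}

tls_auth_field() {                           # $1 = conf, $2 = 2 (file) or 3 (dir)
    grep '^tls-auth ' "$1" | head -n 1 | awk -v f="$2" '{ print $f }'
}

resolve_key() {                              # key path relative to its config
    case $2 in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
    esac
}

# Pre-flight check before the server is restarted with tls-auth: the server
# line exists with direction 0, every client line exists with direction 1, and
# every client's key file is byte-identical to the server's ("identical
# everywhere").  Returns 0 only when switching the server will not lock
# any listed client out.
verify_tls_auth_rollout() {                  # $1 = server.conf, rest = clients
    server_conf=$1; shift
    skey=$(tls_auth_field "$server_conf" 2)
    [ -n "$skey" ] || { echo "FAIL: $server_conf has no tls-auth line"; return 1; }
    [ "$(tls_auth_field "$server_conf" 3)" = 0 ] ||
        { echo "FAIL: $server_conf must use key-direction 0"; return 1; }
    skey=$(resolve_key "$server_conf" "$skey")
    [ -f "$skey" ] || { echo "FAIL: server key $skey is missing"; return 1; }
    rc=0
    for c in "$@"; do
        ckey=$(tls_auth_field "$c" 2)
        if [ -z "$ckey" ]; then
            echo "FAIL: $c has no tls-auth line (it would be locked out)"; rc=1; continue
        fi
        [ "$(tls_auth_field "$c" 3)" = 1 ] || { echo "FAIL: $c must use key-direction 1"; rc=1; }
        ckey=$(resolve_key "$c" "$ckey")
        cmp -s "$skey" "$ckey" || { echo "FAIL: $c key $ckey missing or differs"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: $# client config(s) carry the server's ta.key"
    return "$rc"
}

# Demo in a scratch directory with constructed configs (not a real deployment).
demo_rollout() {
    scratch=$(mktemp -d) && cd "$scratch" || return 1
    printf 'port 1194\nproto udp\n' > server.conf
    printf 'client\nremote vpn.example.net 1194\n' > client1.conf
    gen_ta_key ta.key
    enable_tls_auth_client client1.conf ta.key
    enable_tls_auth_server server.conf ta.key
    verify_tls_auth_rollout server.conf client1.conf
}
demo_rollout
```

Run the check from the server against a copy of every client config before restarting openvpn with the new server.conf; a client that was missed, or that received a key generated separately on its own side, shows up as a FAIL line instead of a silently broken tunnel.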


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users