On 09/03/2021 20:53, David Sommerseth wrote:
On 09/03/2021 21:04, tincanteksup wrote:
>
I have swapping issues all the time and I can't add more RAM.
I don't want system wide disk encryption.
And I don't want an SSD either.
I do not have the money to keep up with modern hardware.
Having openvpn --mlock is exactly the right choice for my home
system.
Please, do not remove --mlock from openvpn.
How much memory does your OpenVPN process consume? And if the process
(or task in kernel lingo) is active (not idling), it generally will not
be swapped out. If it does, you are already running way too much on your
host. So you need to prioritize what that host should really run.
OpenVPN's --mlock does not save you.
And in fact, the kernel may as well swap out the memory pages containing
the program itself and just keep the data pages allocated by the program
in memory. Which will result in a sluggish OpenVPN performance regardless.
This gives a brief overview which might help you see what happens:
<https://scoutapm.com/blog/understanding-page-faults-and-memory-swap-in-outs-when-should-you-worry>
And even though you don't want SSD. At least consider if you can get
hold of a reasonably performing SSD with not too many GB and activate
that device as a swap device on your host. It will not be optimal, but
at least the general swapping can go faster if you have a decent
SATA/SAS controller.
> Please try to put yourselves in the place of the average user,
> for once.
The average users I know do not push their hardware beyond its limits
so much it hurts the overall performance. Those I know would start
planning for an upgrade. Or get an RPi4 and run OpenVPN on it, as it
got a reasonable network performance:
<https://notenoughtech.com/raspberry-pi/2019-raspberry-pi-network-speed-test/>
But openvpn --mlock is never the solution to performance and swapping.
Never ever.
As I initially clarified, there *may* be a small performance tweak by
using --mlock.
The problem here is that by removing --mlock you shift the
burden of securing ephemeral key data to the underlying OS.
You may as well print the full private keys in the log (again)
and expect the user to delete them all and shred their disk.
As for how I must spend my money, that is no business of yours.
my2c
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
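
The disagreement above comes down to whether memory of the OpenVPN process, and any key material in it, ends up on the swap device. The following is an added example, not part of the thread or of OpenVPN: it reads the `VmLck` and `VmSwap` fields that Linux reports in `/proc/<pid>/status`. The sample dump is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of /proc/<pid>/status for a process running without
# locked memory on a host under memory pressure (values are illustrative).
SAMPLE_STATUS = (
    "Name:\topenvpn\n"
    "Pid:\t1234\n"
    "VmSize:\t   12480 kB\n"
    "VmLck:\t       0 kB\n"
    "VmRSS:\t    3120 kB\n"
    "VmSwap:\t    1844 kB\n"
)

FIELDS = ("VmSize", "VmLck", "VmRSS", "VmSwap")


def parse_status(text):
    """Return the selected Vm* fields of a status dump, in kB."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"(\w+):\s+(\d+)\s+kB", line)
        if m and m.group(1) in FIELDS:
            out[m.group(1)] = int(m.group(2))
    return out


def assess(text):
    """Classify the swap exposure of a process from its status dump."""
    vm = parse_status(text)  # kernel threads have no Vm* lines: defaults apply
    locked, swapped = vm.get("VmLck", 0), vm.get("VmSwap", 0)
    if swapped > 0:
        verdict = "swapped"   # some pages of this process are in swap right now
    elif locked > 0:
        verdict = "locked"    # memory is pinned; VmLck does not say which pages
    else:
        verdict = "unlocked"  # nothing swapped yet, but nothing prevents it
    return verdict, vm


def read_status(pid):
    """Read the live status file for a PID (Linux only)."""
    with open(f"/proc/{pid}/status") as fh:
        return fh.read()


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))
```

On a live host, `assess(read_status(pid))` gives the same classification for a running process; a "swapped" verdict says process pages are in swap, not which pages they are.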