On 09/03/2021 20:53, David Sommerseth wrote:
> On 09/03/2021 21:04, tincanteksup wrote:
> >
> > I have swapping issues all the time and I can't add more RAM.
> > I don't want system-wide disk encryption.
> > And I don't want an SSD either.
> >
> > I do not have the money to keep up with modern hardware.
> >
> > Having openvpn --mlock is exactly the right choice for my home
> > system.
> >
> > Please, do not remove --mlock from openvpn.
>
>
> How much memory does your OpenVPN process consume?  And if the process (or task in kernel lingo) is active (not idling), it generally will not be swapped out.  If it does, you are already running way too much on your host.  So you need to prioritize what that host should really run.
>
> OpenVPN's --mlock does not save you.
>
> And in fact, the kernel may as well swap out the memory pages containing the program itself and just keep the data pages allocated by the program in memory.  Which will result in a sluggish OpenVPN performance regardless.
>
> This gives a brief overview which might help you see what happens:
> <https://scoutapm.com/blog/understanding-page-faults-and-memory-swap-in-outs-when-should-you-worry>
>
> And even though you don't want SSD.  At least consider if you can get hold of a reasonably performing SSD with not too many GB and activate that device as a swap device on your host.  It will not be optimal, but at least the general swapping can go faster if you have a decent SATA/SAS controller.
>
> > Please try to put yourselves in the place of the average user,
> > for once.
>
> The average users I know do not push their hardware beyond its limits so much it hurts the overall performance.  Those I know would start planning for an upgrade.  Or get an RPi4 and run OpenVPN on it, as it got a reasonable network performance: <https://notenoughtech.com/raspberry-pi/2019-raspberry-pi-network-speed-test/>
>
> But openvpn --mlock is never the solution to performance and swapping. Never ever.



As I initially clarified, there *may* be a small performance tweak by using --mlock.

The problem here is that by removing --mlock you shift the
burden of securing ephemeral key data to the underlying OS.

You may as well print the full private keys in the log (again)
and expect the user to delete them all and shred their disk.

As for how I must spend my money, that is no business of yours.

my2c


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
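
Added example, not part of the thread and not OpenVPN's code: a C check that reads VmLck and VmSwap from /proc/<pid>/status to tell whether a process has locked pages and whether any of its anonymous memory is currently swapped out, the property the --mlock discussion above turns on. The sample status text and the helper names `status_kb` and `secrets_pinned` are constructed for illustration; `main()` calls `mlockall`, the POSIX call that OpenVPN's manual names for --mlock, and then inspects its own status.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Constructed sample of /proc/<pid>/status for a process running without
 * locked memory on a host under memory pressure (values are made up). */
static const char SAMPLE_UNLOCKED[] =
    "Name:\topenvpn\nVmLck:\t       0 kB\n"
    "VmRSS:\t    5120 kB\nVmSwap:\t    1288 kB\n";

/* Return the kB value of `field` (e.g. "VmLck") from status text,
 * or -1 if no line starts with that field name. */
long status_kb(const char *status, const char *field)
{
    size_t n = strlen(field);
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, field, n) == 0 && p[n] == ':')
            return strtol(p + n + 1, NULL, 10);
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* 1: pages are locked and none are swapped out right now;
 * 0: memory is unlocked or partly swapped out; -1: fields missing. */
int secrets_pinned(const char *status)
{
    long lck = status_kb(status, "VmLck"), swp = status_kb(status, "VmSwap");
    if (lck < 0 || swp < 0) return -1;
    return lck > 0 && swp == 0;
}

int main(void)
{
    static char live[8192];
    printf("sample: pinned=%d\n", secrets_pinned(SAMPLE_UNLOCKED));
    /* Pin current and future pages; fails without enough RLIMIT_MEMLOCK. */
    if (mlockall(MCL_CURRENT | MCL_FUTURE) != 0)
        perror("mlockall");
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    live[fread(live, 1, sizeof live - 1, f)] = '\0';
    fclose(f);
    printf("self: VmLck=%ld kB VmSwap=%ld kB pinned=%d\n",
           status_kb(live, "VmLck"), status_kb(live, "VmSwap"), secrets_pinned(live));
    return 0;
}
```

The result is a snapshot: VmSwap reports only the anonymous pages that are swapped out at the moment the file is read.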
