Hi all,

On Sunday, 14 May 2023 21:12:08 CEST David Sommerseth wrote:
> We ended up only enabling this on the server config by default, as there
> were some good points (which I don't recall right now) about not
> restarting the client configs automatically. It might have been to
> avoid DDoSing the server in larger deployments, if a bad option would be
> pushed to all clients or something like that.
These are some good points.

For the server side it is currently RestartSec=5s, which I agree makes sense for the server. To avoid too aggressive connection spamming, can we not set the client restart interval to a much higher value?

If OpenVPN itself does not fatal-error/crash, the back-off interval mechanism is used for reconnecting with the --connect-retry option. The default maximum wait time after a bunch of attempts is 300 seconds (5 minutes). Knowing this is the worst-case scenario for all common setups, I think we can safely set RestartSec=300s without any risk of DDoS or similar, as this timeout matches the slowest reconnection interval of OpenVPN internally.

Personally I think RestartSec=60s or RestartSec=120s is also fine, but I understand being conservative with a change like this. In the end I don't really care if it takes "one" or "a few" minutes as long as the client does reconnect if something went wrong inside or outside the OpenVPN process.

Thoughts on this?

Thanks!

-- 
Melvin Vermeeren
Systems engineer
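The reasoning in the message above compares a systemd RestartSec value against the slowest gap OpenVPN's own --connect-retry back-off ever leaves between attempts. The model below is an added illustration, not code from this thread or from OpenVPN: it follows the documented shape of `--connect-retry n [max]` (wait n seconds between attempts, doubling after 5 unsuccessful attempts per remote, capped at max, 300 s by default) without reproducing OpenVPN's internal arithmetic. The starting value of 5 seconds used in the demo is a constructed sample, not a claim about the option's default.

```python
"""Model of OpenVPN's --connect-retry back-off against a systemd RestartSec.

Added illustration, not code from the openvpn-devel thread or from OpenVPN.
It reproduces only the documented behaviour of --connect-retry n [max]:
the wait starts at n seconds, doubles after 5 failed attempts per remote,
and is capped at max (300 s by default). OpenVPN's exact internal
arithmetic is an assumption here, not copied from its source.
"""


def retry_wait(attempt, retry_seconds, retry_max=300, remotes=1):
    """Seconds waited before connection attempt number `attempt` (1-based).

    remotes: number of --remote entries. The slow-down only starts after
    5 failed attempts *per remote*, so more remotes delay the doubling.
    """
    if attempt < 1:
        raise ValueError("attempt is 1-based")
    failed = attempt - 1                      # attempts that already failed
    backoff = failed // remotes - 4           # > 0 once 5 per remote failed
    wait = retry_seconds
    if backoff > 0:
        # Doubling per extra failure, shift bounded so it cannot overflow.
        wait = max(wait, 1) << min(backoff, 15)
    return min(wait, retry_max)               # never beyond the cap


def schedule(attempts, retry_seconds, retry_max=300, remotes=1):
    """List of waits for the first `attempts` connection attempts."""
    return [retry_wait(a, retry_seconds, retry_max, remotes)
            for a in range(1, attempts + 1)]


def worst_case_wait(retry_seconds, retry_max=300):
    """Longest gap OpenVPN itself leaves between attempts: the cap."""
    return max(schedule(64, retry_seconds, retry_max))


def restartsec_is_no_more_aggressive(restart_sec, retry_seconds, retry_max=300):
    """True when a unit's RestartSec reconnects no faster than OpenVPN's own
    slowest internal retry, which is the argument made for RestartSec=300s."""
    return restart_sec >= worst_case_wait(retry_seconds, retry_max)


if __name__ == "__main__":
    # Constructed sample: --connect-retry 5 (max 300), one remote.
    for attempt, wait in enumerate(schedule(12, 5), start=1):
        print(f"attempt {attempt:2d}: wait {wait:3d}s")
    for candidate in (5, 60, 120, 300):
        ok = restartsec_is_no_more_aggressive(candidate, 5)
        print(f"RestartSec={candidate}s no more aggressive than OpenVPN: {ok}")
```

The check maps directly to the proposal: RestartSec must be at least `worst_case_wait(...)`, which is the cap (300 s) for every starting value, so 300s satisfies it while 60s or 120s would restart faster than OpenVPN's slowest internal retry. In a deployment the value would go into a drop-in for the client template unit (for example `openvpn-client@.service.d/override.conf`, assuming the unit names OpenVPN ships).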
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel