On 16/11/17 06:59, Илья Шипицин wrote:
> hi,
>
> I've been running a VPN server since 2012, with comp-lzo enabled (on both
> client and server side).
>
> In openvpn-2.4 comp-lzo is deprecated in favor of the compress option.
>
> Also, I'm considering switching to lz4 from lzo.
>
> Any best practice on how to switch lzo --> lz4 without interrupting
> operation?
First of all, I'd recommend you do some performance testing on the typical payload you're pushing through your tunnel. You might find that LZO performs better than LZ4 in some scenarios, with a lower CPU load. But it is hard to come up with a generic recommendation; it depends a lot on what you push through your tunnel and how compressible that data stream is. A bit more info can be found here: <https://github.com/lz4/lz4/>

Another detail is the security aspects related to compressing data streams. The CRIME attack [0] is now an ageing side-channel attack vector which is made possible by compression. And there are other compression oracle attacks [1] too, like BREACH [2].

[0] <https://en.wikipedia.org/wiki/CRIME>
[1] <https://en.wikipedia.org/wiki/Oracle_attack>
[2] <https://threatpost.com/breach-compression-attack-steals-https-secrets-in-under-30-seconds/101579/>

--compress is pushable. Not sure if you can mix lzo and lz4 compression, but I'd just add 'compress' in all the config files and then only push 'compress {lzo,lz4}' to those clients where it is reasonable to use. I would not, however, enable compression itself by default - just have the compression framing available.

-- 
kind regards,

David Sommerseth
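As an added illustration of the approach described in the reply above (written for this page; not configuration from the thread, the original poster, or the OpenVPN project), here is how the "framing everywhere, algorithm only where pushed" layout looks in OpenVPN 2.4 syntax. The paths, the client common names laptop-a and laptop-b, and the decision to also set the unpushed `compress <alg>` line in each ccd file (so the server's side of that client's instance uses the same algorithm rather than relying on the push alone) are my assumptions. Clients with no ccd file keep framing only, i.e. no compression.

```conf
# /etc/openvpn/server.conf  (OpenVPN 2.4)
# Compression framing with no algorithm: packets carry the compression
# header, but nothing is compressed until a client is told otherwise.
compress
# Per-client overrides, one file per certificate common name.
client-config-dir /etc/openvpn/ccd

# client.conf on every client (replaces the old "comp-lzo" line):
# framing only, so the server can push an algorithm later.
compress

# /etc/openvpn/ccd/laptop-a  (client you have benchmarked and want on LZ4)
compress lz4
push "compress lz4"

# /etc/openvpn/ccd/laptop-b  (client kept on LZO for now, same mechanism)
compress lzo
push "compress lzo"

# Clients without a ccd file: no push, so they stay at framing only.
```

Roll-out order matters for "no interruption": switch the client configs from `comp-lzo` to the bare `compress` line first, keep the server at `compress lzo` (or `comp-lzo`) until every client reconnects with framing, then drop the server to framing only and add ccd pushes per client. Because `compress` is pushed at connect time, a client picks up a changed ccd file at its next reconnect without any server restart.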
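As an added illustration of the compression-oracle point in the reply above (example code written for this page, not part of the thread or of OpenVPN): a toy greedy LZ77 coder with an LZ4-like sequence layout stands in for LZO/LZ4, and a CRIME-style guesser recovers a constructed secret from nothing but observed packet lengths. It also shows that the same guesses leak nothing when the coder is the identity, which is the practical argument for leaving compression off by default. The secret value, the stream layout, the per-packet overhead constant, and every function name are assumptions.

```python
"""Compression-oracle demonstration (CRIME/BREACH style).

Added example for this page, not OpenVPN code. The coder below is a toy
LZ77 parser with an LZ4-like sequence layout (token byte, literal run,
2-byte offset); it is neither LZO nor LZ4, but it shares the property the
attack relies on: a longer back-reference means a shorter output.
"""
from typing import Callable, List, Tuple

MIN_MATCH = 4          # LZ4 also needs at least 4 matching bytes
WINDOW = 65535         # 16-bit offsets
CRYPTO_OVERHEAD = 28   # assumed fixed per-packet cost (IV + auth tag)


def lz_parse(data: bytes) -> List[Tuple[bytes, int, int]]:
    """Greedy LZ77 parse into (literals, match_len, match_offset) sequences.

    The final sequence always has match_len == 0 (trailing literals).
    """
    seqs: List[Tuple[bytes, int, int]] = []
    lits = bytearray()
    i, n = 0, len(data)
    while i < n:
        best_len, best_off = 0, 0
        for j in range(max(0, i - WINDOW), i):
            length = 0
            # overlapping matches (j + length >= i) are allowed, as in LZ4
            while (i + length < n and data[j + length] == data[i + length]
                   and length < 255):
                length += 1
            if length > best_len:
                best_len, best_off = length, i - j
        if best_len >= MIN_MATCH:
            seqs.append((bytes(lits), best_len, best_off))
            lits = bytearray()
            i += best_len
        else:
            lits.append(data[i])
            i += 1
    seqs.append((bytes(lits), 0, 0))
    return seqs


def compressed_size(data: bytes) -> int:
    """Bytes on the wire: 1 token + literals (+ 2-byte offset for a match)."""
    return sum(1 + len(lits) + (2 if mlen else 0)
               for lits, mlen, _ in lz_parse(data))


def tunnel_packet_len(plaintext: bytes) -> int:
    """What a passive observer sees after compress-then-encrypt:
    encryption hides the bytes, not the length."""
    return compressed_size(plaintext) + CRYPTO_OVERHEAD


# Constructed victim traffic: a secret the tunnel carries, followed by bytes
# the attacker can influence (e.g. a URL the victim was lured into fetching).
SECRET = b"session=3f9a1c7e"
HEX = b"0123456789abcdef"


def victim_stream(attacker_bytes: bytes) -> bytes:
    return b"Cookie: " + SECRET + b"\r\nq=" + attacker_bytes


def recover_secret(oracle: Callable[[bytes], int], prefix: bytes = b"session=",
                   alphabet: bytes = HEX, nbytes: int = 8) -> bytes:
    """Guess the secret one byte at a time: the guess that extends the
    back-reference into the real secret yields the shortest packet."""
    known = b""
    for _ in range(nbytes):
        sizes = {c: oracle(victim_stream(prefix + known + bytes([c])))
                 for c in alphabet}
        ranked = sorted(sizes.items(), key=lambda kv: kv[1])
        if ranked[0][1] == ranked[1][1]:
            raise RuntimeError("oracle ambiguous at byte %d; a real attacker "
                               "would lengthen the known prefix" % len(known))
        known += bytes([ranked[0][0]])
    return known


def length_varies(oracle: Callable[[bytes], int],
                  prefix: bytes = b"session=") -> bool:
    """True if the observed length depends on the guessed byte at all.
    With compression off (identity coder) every guess costs the same."""
    return len({oracle(victim_stream(prefix + bytes([c]))) for c in HEX}) > 1


if __name__ == "__main__":
    print("compression on, recovered:", recover_secret(tunnel_packet_len))
    print("compression off, length leaks:",
          length_varies(lambda p: len(p) + CRYPTO_OVERHEAD))
```

The guesser needs a known prefix at least MIN_MATCH bytes long before the first unknown byte, which is exactly the situation with a fixed cookie or header name; with a real coder the single-byte difference can be masked by entropy coding or block boundaries, which is why published attacks add padding tricks, but the mechanism is the one shown here.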
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users