On 16/11/17 06:59, Илья Шипицин wrote:
> hi,
> 
> I'm running vpn server since 2012, with comp-lzo enabled (on both client
> and server side)
> 
> in openvpn-2.4 comp-lzo is deprecated in favor of compress option.
> 
> also, I'm considering switching to lz4 from lzo.
> 
> any best practice how to switch lzo --> lz4 without operation interruption ?

First of all, I'd recommend you to do some performance testing on the
typical payload you're pushing through your tunnel.  You might find that
LZO can perform better than LZ4 in some scenarios with a lower CPU load.
 But it is hard to come with a generic recommendation; it depends a lot
on what you push through your tunnel and how compressible that data
stream is.  A bit more info can be found here: <https://github.com/lz4/lz4/>

Another detail is the security aspects related to compressing data
streams.  The CRIME attack [0] is now an ageing side-channel attack
vector which is made possible due to compression.  And there are other
compression oracle attacks [1] too, like BREACH [2].

[0] <https://en.wikipedia.org/wiki/CRIME>
[1] <https://en.wikipedia.org/wiki/Oracle_attack>
[2]
<https://threatpost.com/breach-compression-attack-steals-https-secrets-in-under-30-seconds/101579/>

--compress is pushable.  Not sure if you can mix lzo and lz4
compression, but I'd just add 'compression' in all the config files and
then only push 'compress {lzo,lz4}' to those clients that is reasonable
to use.  I would not, however, enable compression itself on by default -
just have the compression framing available.


--
kind regards,

David Sommerseth

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Reply via email to