Re: [Openvpn-users] RE: Scalability?


  • Subject: Re: [Openvpn-users] RE: Scalability?
  • From: "Martijn Lievaart" <m@xxxxxxx>
  • Date: Thu, 3 Mar 2005 17:45:58 +0100 (CET)
  • Importance: Normal

Eugen Leitl said:
> On Thu, Mar 03, 2005 at 11:38:50AM +0100, Martijn Lievaart wrote:
>> Jamie Lokier wrote:
>>
>> >I've read that the VIA CPUs have instructions which help implementing
>> >symmetric crypto like AES, but are not much use for asymmetric
>> >public-key crypto such as the slowest part of certificate verification,
>> >and session key generation.
>>
>> True, AFAIK.
>
> True, currently. Does this bite for OpenVPN with static keys, too, though?
>
[ snip ]
>
> in a VServer-customer, and force AES-256 a cipher, will lack of RSA
> acceleration be an issue at all?

I cannot comment on this. Anyone else? I *think* it will work OK (that is
all accelerated).

> Speaking about certificates, does anyone use OpenVPN tunnels with secrets
> stored on pkcs15 smartcards? (This isn't high-performance, being USB 1.1
> token, and 2048 bit keys will probably make it even slower, but it will
> protect the secret in case of a remote compromise of the machine).

No, but I'm very interested in any actual results, both on Linux and Windows.

>> Running a low-end via board on a server myself, I can state it should be
>> fine for most uses (my OpenVPN links terminate on a lowly P90 just
>
> How much server can you buy for 600 EUR? Moderately useful systems begin
> at twice the price. It will depend on the application, but for what I'm
> trying to do, 4x low-end servers in 2U rackspace total for the price of one
> Intel or AMD box is a much superior solution.

That obviously greatly depends on what you want to do, but two clustered
1U machines with redundant power supplies should be just as reliable and
give much more performance. And probably cost double, that too.

My servers cost much less than E600, but then I have to pay for them
myself. Still, as long as you don't have hundreds of users (I have 5) you
can provide professional quality service. Only the Internet link will
remain a SPOF, the rest will be redundant before long. At a fraction of
the cost others pay. It's a hobby I guess. I would not recommend it to
anyone doing serious business. OTOH, I recently installed a squid for 100
users on a dual Xeon, 36G raid-5 + 9G raid-1 with 4GB memory. It was the
smallest model they ordered. A Via based machine would have handled that
pretty decently and for that price they probably could have bought a dozen
or so. I would have gladly pocketed the difference!

>> fine, the via is low-end, but /much/ more powerful than a P90). But it
>> /is/ underpowered compared to even the cheapest desktop today and I
>> would be hesitant to run a lot of tunnels on it without first testing if
>> it can handle the load.
>
> I think this issue will go away with the Esther core, but even now nothing
> prevents you from racking several machines, and letting DNS take care of
> the load.

Even then, I would first test it. As I would with a high end machine.

>> OTOH, the cheapest Via board would make a fine embedded OpenVPN
>> appliance, but that's completely something else.
>
> As long as you restrict yourself to one system, yes. A cluster, no.
> Especially, on a budget.

Building an appliance is /always/ on a budget, per definition! :-)

M4
