Thank you for your in-depth reply.
James Yonan wrote:
With default TLS options, the encapsualtion overhead is 41 bytes,
while the static key default is 44 bytes. Static key is somewhat less
efficient in this regard because even though it saves one byte used by TLS
to encode the key ID, it adds another 4 bytes because the sequence number
must increase from 32 bits to 64 bits in order to be secure with static
key usage (TLS gets away with the smaller sequence number because if it
ever gets close to wrapping around, we can just trigger a new TLS
handshake -- static keys need a large sequence number because they must
be robust for long-term usage). So the net result is that TLS saves 3
bytes per packet on the encapsulation overhead compared to TLS usage.
...and I suppose that the cost of renegotiation is lower than the one of
the "3 extra bytes" of every single packet, if there is high traffic
over the link.
Check out the --fast-io flag.
Wow, I just discovered a new flag.
Does the "Experimental" word in the man page perhaps mean that I should
fear some BIG trouble by using it?
Openvpn-users mailing list