Address PR feedback: remove outbound rate limit, improve config docs

Remove rate limiting from StartHandshake (outbound) since DoS protection only needs to limit inbound handshakes. This also avoids returning nil from StartHandshake which historically always returned non-nil. Update config comment to note openssl speed is single-core and suggest scaling by routines. Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>
2026-05-16 04:47:38 +02:00 · 2026-04-10 14:36:32 -04:00
parent 3df60ae195
commit 7794e93762
3 changed files with 12 additions and 37 deletions
--- a/examples/config.yml
+++ b/examples/config.yml
@@ -342,12 +342,12 @@ logging:
  # after receiving the response for lighthouse queries
  #trigger_buffer: 64

-  # max_rate limits the number of new handshakes per second. Both incoming and outgoing new
-  # handshakes count against this limit. Once the limit is reached, new handshakes are dropped
-  # until the next second. A value of 0 means unlimited (default).
+  # max_rate limits the number of new inbound handshakes per second. Once the limit is reached,
+  # new handshakes are dropped until the next second. A value of 0 means unlimited (default).
  # This is useful for preventing DoS attacks that attempt to exhaust CPU with handshake crypto.
  # Running `openssl speed ecdhp256` on your hardware can be a good rule of thumb for choosing
-  # a max, as each handshake performs similar DH operations.
+  # a max, as each handshake performs similar DH operations. Note that this benchmarks a single
+  # core, so you may wish to scale the value by the number of `routines` configured.
  #max_rate: 0

 # Tunnel manager settings