# Is it possible to fully disable DDoS protection that is triggered by a VPN connection?
59 messages · Page 1 of 1 (latest)
No
Use a TCP VPN or another tunneling protocol on top of your UDP VPN
VAC might cut some UDP VPNs when you are under attack if the connection speed exceeds X Mbps
And is it not possible to somehow whitelist clients?
You can whitelist with an allow rule, but VAC can likewise override your rules to protect the network.
If your VPN traffic looks similar enough to the attack, it can cut it.
You can use traffic control to limit each client to 30 Mbps during attacks if you must run a UDP VPN on a server that gets bombarded with DDoS
For UDP it shows "UDP"; for TCP + TLS it shows "FRAGMENT"
If your server is a dedicated one and your usage triggers our system, we can adjust our filter to better suit your needs.
But do not use a VPS as a VPN service.
^ Yeah, forgot this one
If it's a dedicated server, open a support ticket and ask for an adjustment
They can apply various levels of control over the backend anti-DDoS decisions
It is used as hosting and a dev box; all developers need to use the VPN
Why don't you run a TCP VPN though, if it's just dev access?
I understand, is it a dedicated server?
If yes, make a PCAP file and send it in a ticket to our support.
VPS
good point, as this will not trigger our system as much
Then our system will continue to block your server, as the threshold can't be changed on the VPS.
If you have a VPS, change the VPN protocol to TCP or limit your UDP VPN speeds during a DDoS attack
No way around it
But TCP is marked with "FRAGMENT"
Our filters are quite aggressive; if you are unable to rate limit your usage, I would recommend looking into a dedicated server.
It's UDP fragments that are being listed in your security center
Not TCP fragments
VPN is also fragmented UDP most of the time, so that's why it can also get filtered at certain thresholds
Your options are:
- Rate limit your VPN with traffic control to 20-30 Mbps per client if you must use a UDP VPN
- Change the VPN protocol to TCP
- Get a dedicated server instead which can be adjusted for you
I guess clients should be notified about this issue on the "order" page
Generally attackers use both TCP and UDP at the same time to attack. Hence you have various stuff showing up here.
But I still can't understand why DDoS protection is not optional
It's the same everywhere, assuming the service even stays up during an attack.
There is an optional alternative. It's called a null route
Would you prefer that? Plenty of people offer it during attacks for their customers.
xD
I'd prefer to disable it at all
The server would lose internet during attacks then, sir
As I remember, it was optional some time ago.
The DDoS protection is in place to protect you, but also our other clients on the same host and in our infrastructure.
In reality, we do mention the limitation in our terms and conditions.
The limitation is in place as your server shares the physical connection with other VPSs.
Generic UDP OpenVPN does not trigger VAC no matter how much traffic you push through
Same with WireGuard
You need to use some pretty custom stuff for VAC to get triggered if there are no attacks ongoing against you
The above limitations apply when you are under active attack
WireGuard works fine but is not available for some of the required devices
Which devices does WireGuard not work with?
Your setup is way too custom
You need to understand that you can't expect stuff like that to work out of the box in the cheapest hosting option of a third-party company
OVHCloud tests their stuff for various use cases, including VPNs
If you wish to make stuff like this work, there are going to be workarounds involved
This is not limited to OVHCloud
A client IP whitelist or a summary of the 1 Gb connection was expected, actually