Kicksecure · raja-grewal · Jul 25, 2022 · Jul 25, 2022 · Jul 25, 2022 · Jul 25, 2022
diff --git a/README.md b/README.md
@@ -200,6 +200,22 @@ dropping RST packets for sockets in the time-wait state.
 * Reverse path filtering is enabled to prevent IP spoofing and mitigate
 vulnerabilities such as CVE-2019-14899.
 
+## Network optimisation
+
+* Increases the size of the receive queue and the number of maximum connections.
+
+* Increases memory dedicated to the network interfaces.
+
+* Raises the default UDP limits.
+
+* Enable TCP Fast Open to reduce network latency.
+
+* Raise the number of pending connections in order to be more resistant to simple DoS attack.
+
+* Disables TCP slow start after idle.
+
+* Reduces the TCP keepalive time.
+
 ## Entropy collection improvements
 
 * The `jitterentropy_rng` kernel module is loaded as early as possible

diff --git a/etc/sysctl.d/30_network-opt.conf b/etc/sysctl.d/30_network-opt.conf
@@ -0,0 +1,56 @@
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Improvements in networking performance largely based on Arch's recommendations
+## https://wiki.archlinux.org/title/sysctl#Improving_performance
+
+## Increasing the size of the receive queue
+net.core.netdev_max_backlog=16384
+
+## Increase the maximum number of connections
+net.core.somaxconn=8192
+
+## Increase memory dedicated to the network interfaces
+## Set max cache size (in bytes) to 16MB
+## These settings are for extremely fast connections and likely allocate excessive memory for typical networks
+## https://blog.cloudflare.com/the-story-of-one-latency-spike/
+## https://github.com/redhat-performance/tuned/blob/master/profiles/network-throughput/tuned.conf#L10
+## https://nateware.com/2013/04/06/linux-network-tuning-for-2013/
+net.core.rmem_default=1048576
+net.core.rmem_max=16777216
+net.core.wmem_default=1048576
+net.core.wmem_max=16777216
+net.core.optmem_max=65536
+net.ipv4.tcp_rmem=4096 1048576 2097152
+net.ipv4.tcp_wmem=4096 65536 16777216
+
+## Increase the default UDP limits
+net.ipv4.udp_rmem_min=8192
+net.ipv4.udp_wmem_min=8192
+
+## Enable TCP Fast Open for both incoming and outgoing connections
+## https://www.keycdn.com/support/tcp-fast-open
+net.ipv4.tcp_fastopen=3
+
+## Raise maximum queue length of pending connections
+net.ipv4.tcp_max_syn_backlog=8192
+
+## Raise maximum number of sockets in TIME_WAIT state
+net.ipv4.tcp_max_tw_buckets=2000000
+
+## Let TCP reuse an existing connection in the TIME-WAIT state
+net.ipv4.tcp_tw_reuse=1
+
+## Seconds to wait for a final FIN packet before the socket is forcibly closed
+net.ipv4.tcp_fin_timeout=10
+
+## Disable TCP slow start
+## https://en.wikipedia.org/wiki/TCP_congestion_control#Slow_start
+net.ipv4.tcp_slow_start_after_idle=0
+
+## Change TCP keepalive parameters
+## Reduces the TCP keepalive period from 2 hours to 2 minutes
+## https://en.wikipedia.org/wiki/Keepalive#TCP_keepalive
+net.ipv4.tcp_keepalive_time=60
+net.ipv4.tcp_keepalive_intvl=10
+net.ipv4.tcp_keepalive_probes=6