[Openvpn-devel] doc: clarify that --float only applies to UDP

Message ID _bJ1zZXmxAD6YHGNM2W5HBm8iTr9nSYO-a3PUY6guDPKD9ZNfmri_8fPnlnLBA984ahSqoMAdAcQeF4Xf_P5Ljk0mexlvZHXSOPGxGD5AEU=@pm.me
State New
Series [Openvpn-devel] doc: clarify that --float only applies to UDP

Commit Message

Sami Rusani June 29, 2026, 7:50 p.m. UTC
The --float option lets OpenVPN accept authenticated packets from a
changed peer address. That only applies to UDP transports; TCP needs a
new connection when the peer address changes.

Document the transport limitation in the man page and usage text.

Github: fixes OpenVPN/openvpn#358
---
doc/man-sections/link-options.rst | 4 ++++
src/openvpn/options.c | 5 +++--
2 files changed, 7 insertions(+), 2 deletions(-)

--
2.53.0
  
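To make the security property behind this change concrete, here is an added illustration (not OpenVPN's code and not part of the patch) of what "accept authenticated packets from a changed peer address" means in practice: a toy session table that rebinds the peer address only when a packet passes an HMAC check under the session's key, and only for a UDP session with float enabled. The packet layout, the HMAC-SHA256 tag, the session ids, the `receive`/`build_packet` helpers and the addresses are all constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed toy format: 4-byte session id | 16-byte truncated HMAC-SHA256 | payload.
# The peer address comes from the datagram's source, never from the packet body,
# and is rebound only after the packet authenticates under the session key.
TAG_LEN = 16


class Session:
    def __init__(self, key: bytes, peer, proto: str, allow_float: bool):
        self.key = key
        self.peer = peer                # (ip, port) the session is currently bound to
        self.proto = proto              # "udp" or "tcp"
        self.allow_float = allow_float  # models --float being set for this session
        self.accepted = 0
        self.dropped = 0


def build_packet(key: bytes, session_id: int, payload: bytes) -> bytes:
    header = struct.pack("!I", session_id)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag + payload


def receive(sessions: dict, src_addr, pkt: bytes) -> str:
    """Process one datagram; returns a short verdict string for the caller."""
    if len(pkt) < 4 + TAG_LEN:
        return "drop:malformed"
    sid = struct.unpack("!I", pkt[:4])[0]
    tag, payload = pkt[4:4 + TAG_LEN], pkt[4 + TAG_LEN:]
    sess = sessions.get(sid)
    if sess is None:
        return "drop:unknown-session"
    # Authenticate before looking at the source address: an unauthenticated
    # packet must never be able to move the session to a new peer.
    expected = hmac.new(sess.key, pkt[:4] + payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        sess.dropped += 1
        return "drop:bad-auth"
    if src_addr != sess.peer:
        if sess.proto != "udp":
            # A TCP session is tied to one connection; a peer at a new address
            # has to open a new connection, so there is nothing to float.
            sess.dropped += 1
            return "drop:new-connection-required"
        if not sess.allow_float:
            sess.dropped += 1
            return "drop:address-mismatch"
        sess.peer = src_addr
        sess.accepted += 1
        return "accept:floated"
    sess.accepted += 1
    return "accept"


def run_demo():
    """Walk through the cases the man page text describes; returns the verdicts."""
    key = hashlib.sha256(b"constructed demo key").digest()
    original = ("198.51.100.10", 1194)   # constructed documentation addresses
    moved = ("203.0.113.7", 40000)
    sessions = {
        1: Session(key, original, "udp", allow_float=True),
        2: Session(key, original, "udp", allow_float=False),
        3: Session(key, original, "tcp", allow_float=True),
    }
    results = []
    results.append(receive(sessions, original, build_packet(key, 1, b"data")))
    # NAT mapping changed: authenticated packet from a new address floats.
    results.append(receive(sessions, moved, build_packet(key, 1, b"data")))
    # Forged packet from a third address: wrong key, must not move the peer.
    results.append(receive(sessions, ("192.0.2.99", 5555), build_packet(b"wrong key", 1, b"data")))
    results.append(sessions[1].peer)
    # UDP without --float: authenticated, but the new address is refused.
    results.append(receive(sessions, moved, build_packet(key, 2, b"data")))
    # TCP: --float has no effect, a new address means a new connection.
    results.append(receive(sessions, moved, build_packet(key, 3, b"data")))
    return results


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The ordering in `receive` is the whole point: the HMAC check runs before the address comparison, so a packet from an unexpected source can only rebind the session if it was produced with the session's key, which is what makes floating safe for UDP in the first place.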

Comments

Gert Doering June 29, 2026, 9:19 p.m. UTC | #1
Hi,

On Mon, Jun 29, 2026 at 07:50:00PM +0000, Sami Rusani via Openvpn-devel wrote:
> The --float option lets OpenVPN accept authenticated packets from a
> changed peer address. That only applies to UDP transports; TCP needs a
> new connection when the peer address changes.
> 
> Document the transport limitation in the man page and usage text.
> 
> Github: fixes OpenVPN/openvpn#358
> ---
> doc/man-sections/link-options.rst | 4 ++++
> src/openvpn/options.c | 5 +++--
> 2 files changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst
> index edda1ca..60f098c 100644
> --- a/doc/man-sections/link-options.rst
> +++ b/doc/man-sections/link-options.rst
> @@ -13,6 +13,10 @@ the local and the remote host.
> --float
> Allow remote peer to change its IP address and/or port number, such as
> due to DHCP (this is the default if ``--remote`` is not used).
> + This option only applies to UDP transports (for example,
> + ``--proto udp``). TCP connections cannot float to a different peer
> + address because that requires establishing a new TCP connection.
> +
> ``--float`` when specified with ``--remote`` allows an OpenVPN session
> to initially connect to a peer at a known address, however if packets
> arrive from a new address and pass all authentication tests, the new

This feels a bit verbose.  Maybe something like

  ... such as due to DHCP or NAT mappings changing.  ``--float`` only 
  works when using UDP transport.

(and remove the part about "(... if --remote is not used)" because
the next paragraph explains that distinction anyway)


> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index f414024..0a95a81 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -175,8 +175,9 @@ static const char usage_message[] =
> "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
> " resolve for n seconds before failing (disabled by default).\n"
> " Set n=\"infinite\" to retry indefinitely.\n"
> - "--float : Allow remote to change its IP address/port, such as through\n"
> - " DHCP (this is the default if --remote is not used).\n"
> + "--float : Allow remote UDP peer to change its IP address/port,\n"
> + " such as through DHCP (default if --remote is not used).\n"
> + " Only applies to UDP transports.\n"
> "--ipchange cmd : Run command cmd on remote ip address initial\n"
> " setting or change -- execute as: cmd ip-address port#\n"
> "--port port : TCP/UDP port # for both local and remote.\n"

The usage message is not a full reference manual, so I would not put it
here.

gert
  

Patch

diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst
index edda1ca..60f098c 100644
--- a/doc/man-sections/link-options.rst
+++ b/doc/man-sections/link-options.rst
@@ -13,6 +13,10 @@  the local and the remote host.
--float
Allow remote peer to change its IP address and/or port number, such as
due to DHCP (this is the default if ``--remote`` is not used).
+ This option only applies to UDP transports (for example,
+ ``--proto udp``). TCP connections cannot float to a different peer
+ address because that requires establishing a new TCP connection.
+
``--float`` when specified with ``--remote`` allows an OpenVPN session
to initially connect to a peer at a known address, however if packets
arrive from a new address and pass all authentication tests, the new
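Review bot: the three added lines state the restriction twice ("only applies to UDP transports" and "TCP connections cannot float") while the parenthetical "(this is the default if ``--remote`` is not used)" still sits above them even though the next paragraph already explains the ``--remote`` distinction; suggest one sentence in the first paragraph, for example "``--float`` only works with UDP transport (``--proto udp``); a TCP peer whose address changes has to establish a new connection.", and dropping the parenthetical so the paragraph reads in one pass.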
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index f414024..0a95a81 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -175,8 +175,9 @@  static const char usage_message[] =
"--resolv-retry n: If hostname resolve fails for --remote, retry\n"
" resolve for n seconds before failing (disabled by default).\n"
" Set n=\"infinite\" to retry indefinitely.\n"
- "--float : Allow remote to change its IP address/port, such as through\n"
- " DHCP (this is the default if --remote is not used).\n"
+ "--float : Allow remote UDP peer to change its IP address/port,\n"
+ " such as through DHCP (default if --remote is not used).\n"
+ " Only applies to UDP transports.\n"
"--ipchange cmd : Run command cmd on remote ip address initial\n"
" setting or change -- execute as: cmd ip-address port#\n"
"--port port : TCP/UDP port # for both local and remote.\n"
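Review bot: the new first line already reads "Allow remote UDP peer", so the added third line "Only applies to UDP transports.\n" repeats it and grows the entry from two lines to three in a usage message that is meant to stay terse; suggest keeping the two-line form ("--float : Allow remote UDP peer to change its IP address/port,\n" / " such as through DHCP (default if --remote is not used).\n") and leaving the TCP explanation to the man page hunk above.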