From patchwork Tue Jan 13 12:15:05 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4702
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 13 Jan 2026 13:15:05 +0100
Message-ID: <20260113121512.12057-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v1] socket: Remove old "dynamic remote" feature

From: Frank Lichtenheld So apparently when using --proto tcp-server --tls-server --remote, AND the remote is not resolvable on startup then we would preserve the remote name and resolve it later on connect. Except that when the remote is not resolvable I never managed to get it to create a listening socket in the first place. Originally I looked into this code because ZeroPath claimed it was broken. I think that report was correct but I think it is much easier to declare this feature dead instead of trying to fix it. It is undocumented and if it is usable then only in very specific circumstances that are hard to figure out. Github: openvpn-private-issues#13 Change-Id: I0141945469dd11340bfb42ec37a3c5f90ed0ff52 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1468 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1468 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index e2c5844..093f822 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -867,12 +867,10 @@ static socket_descriptor_t socket_listen_accept(socket_descriptor_t sd, struct link_socket_actual *act, - const char *remote_dynamic, const struct addrinfo *local, bool do_listen, + const struct addrinfo *local, bool do_listen, bool nowait, volatile int *signal_received) { struct gc_arena gc = gc_new(); - /* struct openvpn_sockaddr *remote = &act->dest; */ - struct openvpn_sockaddr remote_verify = act->dest; socket_descriptor_t new_sd = SOCKET_UNDEFINED; CLEAR(*act); 
@@ -913,31 +911,7 @@ if (socket_defined(new_sd)) { - struct addrinfo *ai = NULL; - if (remote_dynamic) - { - openvpn_getaddrinfo(0, remote_dynamic, NULL, 1, NULL, - remote_verify.addr.sa.sa_family, &ai); - } - - if (ai && !addrlist_match(&remote_verify, ai)) - { - msg(M_WARN, "TCP NOTE: Rejected connection attempt from %s due to --remote setting", - print_link_socket_actual(act, &gc)); - if (openvpn_close_socket(new_sd)) - { - msg(M_ERR, "TCP: close socket failed (new_sd)"); - } - freeaddrinfo(ai); - } - else - { - if (ai) - { - freeaddrinfo(ai); - } - break; - } + break; } management_sleep(1); } @@ -1255,8 +1229,7 @@ } static void -resolve_remote(struct link_socket *sock, int phase, const char **remote_dynamic, - struct signal_info *sig_info) +resolve_remote(struct link_socket *sock, int phase, struct signal_info *sig_info) { volatile int *signal_received = sig_info ? &sig_info->signal_received : NULL; struct gc_arena gc = gc_new(); @@ -1351,10 +1324,6 @@ { msg(M_INFO, "TCP/UDP: Preserving recently used remote address: %s", print_link_socket_actual(&sock->info.lsa->actual, &gc)); - if (remote_dynamic) - { - *remote_dynamic = NULL; - } } else { @@ -1516,7 +1485,7 @@ { resolve_bind_local(sock, sock->info.af); } - resolve_remote(sock, 1, NULL, NULL); + resolve_remote(sock, 1, NULL); } } @@ -1577,8 +1546,7 @@ } static void -phase2_tcp_server(struct link_socket *sock, const char *remote_dynamic, - struct signal_info *sig_info) +phase2_tcp_server(struct link_socket *sock, struct signal_info *sig_info) { ASSERT(sig_info); volatile int *signal_received = &sig_info->signal_received; @@ -1586,8 +1554,9 @@ { case LS_MODE_DEFAULT: sock->sd = - socket_listen_accept(sock->sd, &sock->info.lsa->actual, remote_dynamic, - sock->info.lsa->bind_local, true, false, signal_received); + socket_listen_accept(sock->sd, &sock->info.lsa->actual, + sock->info.lsa->bind_local, true, false, + signal_received); break; case LS_MODE_TCP_LISTEN: 
@@ -1675,7 +1644,7 @@ sock->info.lsa->remote_list = NULL; } - resolve_remote(sock, 1, NULL, sig_info); + resolve_remote(sock, 1, sig_info); } #if defined(_WIN32) @@ -1733,7 +1702,6 @@ const struct frame *frame = &c->c2.frame; struct signal_info *sig_info = c->sig; - const char *remote_dynamic = NULL; struct signal_info sig_save = { 0 }; ASSERT(sock); @@ -1748,18 +1716,8 @@ /* initialize buffers */ socket_frame_init(frame, sock); - /* - * Pass a remote name to connect/accept so that - * they can test for dynamic IP address changes - * and throw a SIGUSR1 if appropriate. - */ - if (sock->resolve_retry_seconds) - { - remote_dynamic = sock->remote_host; - } - /* Second chance to resolv/create socket */ - resolve_remote(sock, 2, &remote_dynamic, sig_info); + resolve_remote(sock, 2, sig_info); /* If a valid remote has been found, create the socket with its addrinfo */ #if defined(_WIN32) @@ -1809,7 +1767,7 @@ if (sock->info.proto == PROTO_TCP_SERVER) { - phase2_tcp_server(sock, remote_dynamic, sig_info); + phase2_tcp_server(sock, sig_info); } else if (sock->info.proto == PROTO_TCP_CLIENT) {
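
Review bot: in the @@ -867,12 +867,10 @@ hunk of socket_listen_accept(), `struct gc_arena gc = gc_new();` is kept, but the only use of `gc` visible in this patch is `print_link_socket_actual(act, &gc)` inside the warning that the following hunk deletes. If nothing else in the function allocates from the arena, drop the gc_new() and its matching gc_free() as part of this change so the function does not carry an unused arena.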
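
Review bot: the @@ -913,31 +911,7 @@ hunk removes the only comparison in this patch between an accepted TCP peer and the --remote address (the addrlist_match() call and the "Rejected connection attempt from %s due to --remote setting" warning), so after it any peer that completes accept() leaves the loop via the bare `break;`. The commit message says the feature was probably unusable, but it does not say whether another check still restricts the peer address for --proto tcp-server with --remote. Please state that explicitly in the commit message, and add a release-notes line saying that --remote no longer filters incoming connections in this mode, so an operator who believed it did can replace it with a packet filter rule.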