From patchwork Mon Jun 29 19:50:00 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sami Rusani X-Patchwork-Id: 5044 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:c319:b0:861:c897:cb9d with SMTP id jk25csp7146mab; Mon, 29 Jun 2026 12:50:23 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ+G5XmiRdcUnGyMbzil4XT9CI+3fUfWrjiDDyK3ohdeK5eXVXQSg42wIgwp0d3MEZ6TP+SU49qR5wM=@openvpn.net X-Received: by 2002:a05:6820:8119:b0:6a1:7af8:a048 with SMTP id 006d021491bc7-6a18a02450fmr449454eaf.33.1782762623085; Mon, 29 Jun 2026 12:50:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1782762623; cv=none; d=google.com; s=arc-20260327; b=khB4dclHVaFrvw83X/Ih/DM7xBunx2Dst3NbMJy7elOluZTdm8Ua/Tr7tzBX964zgs JkY24w4YGkpYF+pYJWYgnaWdHRQbTvV49vcZHF0bmkf2Fm9NntLJtjrfnRCuNhGf0REn TibayzMMrDnMafL5J3d7snetWIJJyv9dz8xtqZq4cHhsQwvaRmwjORRd4KZCc6DDVrKo asWfUstUIhRSlGDOX88eQA3oEwMCHtAr3irDsYK2/sh/TfoPLEhrUi5j90uJD1CmvxjY tPpMGK9iO8Gpv8W2WCOVgrv7Capg+kRw8gcSZffJcuvlyeR7Y7O9iCOSeQrsUvL2o1r5 bLFg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=errors-to:reply-to:from:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:feedback-id:message-id:to:date:dkim-signature :dkim-signature:dkim-signature:dkim-signature; bh=qxV5XS+Kxbr4/TyJt6dM27u2etP1NmUEcHiN4rWVcwI=; fh=I37vhZPGuICZbOiKJJ+210MDIMcPcV/kCIo1c3aMqKw=; b=ilbaogqU3Moh4j38hUzRvbtY3sVYQKlMjZtq+WT0BcAy7E/JPvVdctQgkovehaQy4h t82caGQAZYA0pbSm5lhKkeAEsLVdEB8SoAw/o4qKMQ8J/tQeoMmi/dNDgVcakzd8UvBK P/oXH/4dn2G0tVrUEOLrVuxOsYJAZ6fhxV/7Nhf+7lLZi8cpcbHIO+o9UKzdC/agoCqL aZ5sYCXFlYsKDjEZk8UXa7PyreDzTC6klSjgBVt/ZXlqXqXxWCB5jXi21qx5XWMvKoP/ 1DrQv7IALIoCSlm9w8PAiLammWg5BNhZhzPnuPe5vbGZ0UQy6da43GEz5su+oZdvIXkb 0lIA==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=Vs3w8tPk; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=mK68uxLK; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=AfSb75EX; dkim=neutral (body hash did not verify) header.i=@pm.me header.s=protonmail3 header.b=oMBnbgYe; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 586e51a60fabf-448dc272b7dsi547372fac.254.2026.06.29.12.50.22 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 29 Jun 2026 12:50:23 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=Vs3w8tPk; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=mK68uxLK; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=AfSb75EX; dkim=neutral (body hash did not verify) header.i=@pm.me header.s=protonmail3 header.b=oMBnbgYe; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=lists.sourceforge.net DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Type:Reply-To:From:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Subject: MIME-Version:Message-ID:To:Date:Sender:Cc:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=qxV5XS+Kxbr4/TyJt6dM27u2etP1NmUEcHiN4rWVcwI=; b=Vs3w8tPkinhoPvkbAmSYdjndI2 4KfECaM5nvoWb3Z4nZ8hZsgjtVthEu97ZtpBcnXlzHptm+T6FbZ1P2YQI7A+zHLGwwj01c8Svmdau d8r2s2YQykusb2j96wwUCwmK2UjXkwMDkHyf30QPmmcwjGCIJdBEKIuGfhqwGxmKKB+U=; Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1weHzi-0003mm-A8; Mon, 29 Jun 2026 19:50:15 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1weHzg-0003mf-PQ for openvpn-devel@lists.sourceforge.net; Mon, 29 Jun 2026 19:50:13 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:MIME-Version:Message-ID:Subject:From: To:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Q9Byg77w1LNGFtubX/zGHs0OsdsyzNTxtjGj/JsyMnQ=; b=mK68uxLKvMR981WY9TCqAst9Nf jX4wRfMixB7RAsvA6yPREHW+oTi7iq2nP+Bzr37Q1WNgdLajt0TPDNdNdHNUF9hVdqDz0CL+jpA1y /+DVfGOe3wmqAeNN+fuGHnFOImXdEIBDkxbt/Hz/M9gDhwooFrS7orFmKd/sW52csvzA=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:MIME-Version:Message-ID:Subject:From:To:Date:Sender:Reply-To :Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=Q9Byg77w1LNGFtubX/zGHs0OsdsyzNTxtjGj/JsyMnQ=; b=A fSb75EXyAcBV4ILURb35H7X+VycXIBABrpWZQa5juw8t4bZafs1CQJ8oVZB/fUP4wwn2ADDb2rosv 5vMFwvSwnsEv5w8O3jD+lJXE5vIu+KBSXDGPawhUZFJDo5xD+9sdl77SgwgqgX7MaSSCSBjLfvWN8 UwEncW40R5gQdIaw=; Received: from mail-10629.protonmail.ch ([79.135.106.29]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1weHzf-0004OE-B0 for openvpn-devel@lists.sourceforge.net; Mon, 29 Jun 2026 19:50:13 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pm.me; s=protonmail3; t=1782762604; x=1783021804; bh=Q9Byg77w1LNGFtubX/zGHs0OsdsyzNTxtjGj/JsyMnQ=; h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date: Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector; b=oMBnbgYeoRQfDM5CC2atCQEjrBcRyNc8jzn5ASfDNrO6T6uPSiS0wYErL92F2xm/T Ce3PPN8o4EpgFWDzBVtgQLzh8bzacG3d1e/zOpQNMj4ztftSH595Ca/WMrlsoGWXCR 5tCIbLaZnkxecMGomAH/tZA8JxuVlYkejXRYHSe1S46unIjIYXUaCXuDxzlXGRTDTi Tc4T+UsE8X7HM9Eo67WG7Y5DnKY1rnSyptTy9kf2VmtxJ50EsGToNe7cWps+4J6HLF GXq+7MZu+FaV0Tm6jv2EsroL2nD3DxZYggPvtgcuqxoSsDbo9a78T7MwcdmHB3SYIC 4nnw+f/VqC5fQ== Date: Mon, 29 Jun 2026 19:50:00 +0000 To: "openvpn-devel@lists.sourceforge.net" Message-ID: <_bJ1zZXmxAD6YHGNM2W5HBm8iTr9nSYO-a3PUY6guDPKD9ZNfmri_8fPnlnLBA984ahSqoMAdAcQeF4Xf_P5Ljk0mexlvZHXSOPGxGD5AEU=@pm.me> Feedback-ID: 192537181:user:proton X-Pm-Message-ID: bbe9c1e2a3185952b61b59f2a43b024162280cc6 MIME-Version: 1.0 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-2.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: The --float option lets OpenVPN accept authenticated packets from a changed peer address. That only applies to UDP transports; TCP needs a new connection when the peer address changes. Document the transport limitation in the man page and usage text. Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.0 HTML_MESSAGE BODY: HTML included in message 0.0 RCVD_IN_MSPIKE_H5 RBL: Excellent reputation (+5) [79.135.106.29 listed in wl.mailspike.net] 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders X-Headers-End: 1weHzf-0004OE-B0 Subject: [Openvpn-devel] [PATCH] doc: clarify that --float only applies to UDP X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Sami Rusani via Openvpn-devel From: Sami Rusani Reply-To: Sami Rusani Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: 1869362100178459429 X-GMAIL-MSGID: 1869362100178459429 The --float option lets OpenVPN accept authenticated packets from a changed peer address. That only applies to UDP transports; TCP needs a new connection when the peer address changes. Document the transport limitation in the man page and usage text. Github: fixes OpenVPN/openvpn#358 --- doc/man-sections/link-options.rst | 4 ++++ src/openvpn/options.c | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) -- 2.53.0 diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index edda1ca..60f098c 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -13,6 +13,10 @@ the local and the remote host. --float Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if ``--remote`` is not used). + This option only applies to UDP transports (for example, + ``--proto udp``). TCP connections cannot float to a different peer + address because that requires establishing a new TCP connection. + ``--float`` when specified with ``--remote`` allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f414024..0a95a81 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -175,8 +175,9 @@ static const char usage_message[] = "--resolv-retry n: If hostname resolve fails for --remote, retry\n" " resolve for n seconds before failing (disabled by default).\n" " Set n=\"infinite\" to retry indefinitely.\n" - "--float : Allow remote to change its IP address/port, such as through\n" - " DHCP (this is the default if --remote is not used).\n" + "--float : Allow remote UDP peer to change its IP address/port,\n" + " such as through DHCP (default if --remote is not used).\n" + " Only applies to UDP transports.\n" "--ipchange cmd : Run command cmd on remote ip address initial\n" " setting or change -- execute as: cmd ip-address port#\n" "--port port : TCP/UDP port # for both local and remote.\n"