Kosta Welke wrote:
James Yonan wrote:
No, --float only applies to the IP address, not the port.
Sadly, yes.
You can't really float on the port efficiently because a UDP socket
needs to bind to some port number (either static or dynamic). To do
port floating, you would need to bind to every possible port that a
packet might come in on -- fairly impractical.
No. Using the same logic, the OpenVPN server would need to listen on
all 4,294,967,296 IP addresses.
It is the *client* port that changes, which can be detected just as
easily as a change in the client IP address. The only problem is that
it is not checked.
Please re-visit my original post to see under what circumstances the
IP address can stay the same while the client port number changes
*from the server's point of view*.
I think I found the portions of the code that would need modification:
- In mroute.h, struct mroute_addr would need an unsigned short port to
store the port number. Also, mroute_addr_equal() would need to return
false if the port numbers don't match
- In mroute.c, mroute_extract_addr_from_packet() would need to get the
port number from the packet. This is the part where I'm not too sure.
Is it safe to assume that the UDP header starts just after the IP
header? To be honest, I never understood the concept of IP header
options... :)
HTH,
Kosta
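The question above about whether the UDP header starts right after the IP header is the crux of extracting a port from a raw packet. The following is an added example, not OpenVPN code and not Kosta's proposed patch: it shows a small address-plus-port record with an equality check, and an IPv4 parser that honours the IHL field (header length in 32-bit words, 5 or more), so that IP options are skipped before the UDP source port is read. A naive read at offset 20 is included to show what goes wrong when options are present. The struct name `peer_addr`, the function names, and the two sample packets are all constructed for this illustration. Note that a UDP server normally learns the peer's address and port from the socket layer (recvfrom) rather than by parsing raw IP bytes; header parsing like this is only needed when the packet is handled as a raw IP datagram.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical peer record: IPv4 address plus UDP port, both host byte order.
 * Treating the port as part of the identity makes a port change look like
 * a new peer, which is the check the thread says is currently missing. */
struct peer_addr {
    uint32_t ip;
    uint16_t port;
};

static int peer_addr_equal(const struct peer_addr *a, const struct peer_addr *b)
{
    return a->ip == b->ip && a->port == b->port;
}

/* Extract the IPv4 source address and UDP source port from a raw IPv4 packet.
 * Returns 1 on success, 0 if the packet is not well-formed IPv4/UDP.
 * The UDP header does NOT always start 20 bytes in: the low nibble of the
 * first byte (IHL) gives the header length in 32-bit words, and anything
 * beyond 5 words is IP options that have to be skipped. */
static int extract_src_addr_port(const uint8_t *pkt, size_t len, struct peer_addr *out)
{
    if (len < 20) return 0;
    if ((pkt[0] >> 4) != 4) return 0;                  /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;          /* header length in bytes */
    if (ihl < 20 || ihl > len) return 0;               /* IHL must be >= 5 words */
    size_t total_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (total_len < ihl + 8 || total_len > len) return 0; /* need a full UDP header */
    if (pkt[9] != 17) return 0;                        /* protocol must be UDP */
    const uint8_t *udp = pkt + ihl;                    /* UDP header follows any options */
    out->ip = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16)
            | ((uint32_t)pkt[14] << 8) | pkt[15];
    out->port = (uint16_t)((udp[0] << 8) | udp[1]);
    return 1;
}

/* The mistake the question hints at: assume the UDP header is always at offset 20. */
static int naive_src_port(const uint8_t *pkt)
{
    return (pkt[20] << 8) | pkt[21];
}

/* Constructed sample packets (not real captures). Both are from 10.0.0.2 to
 * 192.0.2.1:1194 with an empty UDP payload; checksums are left as zero. */
static const uint8_t PKT_NO_OPTS[] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 2,            /* source 10.0.0.2 */
    192, 0, 2, 1,           /* destination 192.0.2.1 */
    0xc0, 0x00,             /* UDP source port 49152 */
    0x04, 0xaa,             /* UDP destination port 1194 */
    0x00, 0x08, 0x00, 0x00  /* UDP length 8, checksum 0 */
};

static const uint8_t PKT_WITH_OPTS[] = {
    0x46, 0x00, 0x00, 0x20, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00, /* IHL = 6 */
    10, 0, 0, 2,
    192, 0, 2, 1,
    0x01, 0x01, 0x01, 0x00, /* 4 bytes of IP options: NOP NOP NOP EOL */
    0xc0, 0x01,             /* UDP source port 49153: same IP, new port */
    0x04, 0xaa,
    0x00, 0x08, 0x00, 0x00
};

/* Source port seen in a packet, or -1 if the parser rejects it. */
static int sample_src_port(const uint8_t *pkt, size_t len)
{
    struct peer_addr a;
    return extract_src_addr_port(pkt, len, &a) ? (int)a.port : -1;
}

/* 1 if the two samples parse to the same IP but different ports and the
 * port-aware comparison therefore reports them as different peers. */
static int samples_differ_only_by_port(void)
{
    struct peer_addr a, b;
    if (!extract_src_addr_port(PKT_NO_OPTS, sizeof PKT_NO_OPTS, &a)) return 0;
    if (!extract_src_addr_port(PKT_WITH_OPTS, sizeof PKT_WITH_OPTS, &b)) return 0;
    return a.ip == b.ip && a.port != b.port && !peer_addr_equal(&a, &b);
}

int main(void)
{
    printf("no options:   port %d\n", sample_src_port(PKT_NO_OPTS, sizeof PKT_NO_OPTS));
    printf("with options: port %d (naive offset-20 read gives %d)\n",
           sample_src_port(PKT_WITH_OPTS, sizeof PKT_WITH_OPTS),
           naive_src_port(PKT_WITH_OPTS));
    printf("port change detected: %d\n", samples_differ_only_by_port());
    return 0;
}
```

The length checks matter as much as the IHL arithmetic: a packet that claims IHL=6 but is only 20 bytes long must be rejected rather than read past its end. This example is IPv4 only; IPv6 has a fixed 40-byte base header followed by a chain of extension headers, which is a different walk entirely.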
Okay, I understand what you are asking for -- If you were using static
key mode (which is stateless), you would get the behavior you are
looking for. In TLS mode, however, OpenVPN doesn't allow a port or IP
change within a given TLS session (for security/DoS reasons). The
behavior you should be seeing is that the new port and IP address are
only accepted by the server after a fresh TLS renegotiation.
James