On Saturday 12 December 2009, James Yonan wrote:

> Using nobind on the client for UDP client connections generates a socket
> with a dynamic source port number.  This is key because it means that
> when the client reconnects, it does so with a new source port number,
> and this allows OpenVPN to detect that the initial UDP packet represents
> a new connection, and is not part of the old connection.
> 
> The problem is that when nobind is not used, the source port on the new
> connection is recycled -- it's the same as the old connection.  So when
> OpenVPN sees the connection-initiating packet, after the client switches
> over to the secondary server address, it gets confused because it
> doesn't expect sessions from a given source address to change its
> destination address mid-session.

Quite subtle, but makes sense indeed. 
If I can make a suggestion, I'd add a note in the documentation about this 
particular interaction between the use of "multihome" on the server and not 
using "nobind" on the client (though it should be rare to see clients without 
"nobind", agreed), so other people won't be puzzled as I was when trying to 
debug it.

Thanks again!

-- 
D.
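For readers who hit the same puzzle, here is a pair of OpenVPN configuration fragments illustrating the interaction discussed above. This is an added example, not a configuration posted in the thread; the hostnames and the tunnel subnet are placeholders, and the server assumptions (one OpenVPN process answering on several addresses) are the scenario James describes.

```conf
# --- client.conf: UDP client that fails over between two server addresses ---
# Added example, not from the thread. Hostnames are placeholders.
client
dev tun
proto udp
remote vpn1.example.com 1194
remote vpn2.example.com 1194
# 'nobind' makes the client use a dynamic (ephemeral) source port. On each
# reconnect the client comes from a new source port, so the server sees a new
# (address, port) tuple and treats the first packet as a fresh session.
nobind

# Problem variant (do NOT combine with a multihome server):
# leaving out 'nobind', or binding explicitly as below, reuses the same local
# port on reconnect. When the client then switches from vpn1 to vpn2, the server
# sees the same source address and port now talking to a different destination
# address mid-session and gets confused.
# lport 1194

# --- server.conf: one process listening on several local addresses ---
# Added example, not from the thread. Subnet is a placeholder.
proto udp
port 1194
dev tun
server 10.8.0.0 255.255.255.0
# With UDP and several local addresses, 'multihome' makes OpenVPN reply from
# the address the client sent to, which is what lets a single process serve
# both vpn1 and vpn2; it is also the setting that exposes the source-port
# reuse problem when clients are not using 'nobind'.
multihome
```

The two client variants differ only in whether the local port is fixed; keeping `nobind` (the usual choice for roadwarrior clients) is what lets the server tell a failover reconnect apart from the old session.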
