Re: [Openvpn-devel] [PATCH 2/2] When using UDP over SOCKS5, send the actual remote hostname (FQDN) to the proxy server in the first packet.

Sat, 24 Aug 2013 08:35:14 +0000 

Hi,

On Thu, Aug 22, 2013 at 07:49:42PM -0400, Jesse Glick wrote:
> On Thu, Aug 22, 2013 at 7:08 PM, Josh Cepek <josh.ce...@usa.net> wrote:
> >> akin to how HTTP reverse proxies commonly delegate to a physical server
> >> according to the HTTP 1.1 Host header???so that many hostnames can map
> >> to the same IP of the reverse proxy.
> >
> > There was some issue figuring out what this all means. Do you have an
> > example use-case where this is helpful?
> 
> To expand on my explanation as quoted above:

Thanks for the explanation.

I'm not convinced it makes sense to merge this right now.

Why?  HTTP/1.1 with Host: headers is extremely widespread, because there
are zillions of "lightweight" web servers that can easily share one
physical machine + IP address, because they hardly cause any load etc.

OTOH, I do not really see people sharing multiple OpenVPN services behind
one single "reverse proxy" - and if you really need that (multiple OpenVPN
services on a single IP address), you could run multiple OpenVPN services 
on different UDP ports already today (either on the same box, or using 
some sort of UDP forwarder).

With web browsers, using different ports is a pain.  OTOH, with OpenVPN
you usually specify the port anyway, it's just part of the .ovpn you
ship to your clients.


As you say yourself that there is no such service currently, as the server
side proxy has not been written yet, balancing "cool feature" vs. "amount
of special cases in the code we have to maintain" makes me tend to "let's
postpone this until some real-world experience shows it's really useful".

(OTOH, a patch that is based on Arne's dual-stack work and ensures that
SOCKS5 works nicely over IPv4 and IPv6, talking to IPv4 or IPv6 servers
via the proxy, that would be more immediately relevant...  and with IPv6,
you can run your OpenVPN server farm with "one IP address per OpenVPN
service" again, so this whole discussion becomes moot anyway :-) )

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

Attachment: pgpbpMGKkm44Z.pgp
Description: PGP signature

Reply via email to