Hi,

On Mon, Jun 29, 2026 at 07:50:00PM +0000, Sami Rusani via Openvpn-devel wrote:
> The --float option lets OpenVPN accept authenticated packets from a
> changed peer address. That only applies to UDP transports; TCP needs a
> new connection when the peer address changes.
> 
> Document the transport limitation in the man page and usage text.
> 
> Github: fixes OpenVPN/openvpn#358
> ---
> doc/man-sections/link-options.rst | 4 ++++
> src/openvpn/options.c | 5 +++--
> 2 files changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/doc/man-sections/link-options.rst 
> b/doc/man-sections/link-options.rst
> index edda1ca..60f098c 100644
> --- a/doc/man-sections/link-options.rst
> +++ b/doc/man-sections/link-options.rst
> @@ -13,6 +13,10 @@ the local and the remote host.
> --float
> Allow remote peer to change its IP address and/or port number, such as
> due to DHCP (this is the default if ``--remote`` is not used).
> + This option only applies to UDP transports (for example,
> + ``--proto udp``). TCP connections cannot float to a different peer
> + address because that requires establishing a new TCP connection.
> +
> ``--float`` when specified with ``--remote`` allows an OpenVPN session
> to initially connect to a peer at a known address, however if packets
> arrive from a new address and pass all authentication tests, the new
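Review bot: the new paragraph says ``--float`` only applies to UDP but does not say what happens when it is combined with a TCP ``--proto``, so a reader still cannot tell whether the option is rejected, warned about or silently ignored on TCP; one sentence stating the actual behaviour would make the limitation actionable. The parenthetical ``(for example, ``--proto udp``)`` adds little, since UDP is the only transport the sentence is about, and could be dropped in favour of something like ``This option only applies to UDP transports; a TCP connection cannot follow the peer to a new address because that requires a new TCP connection.``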

This feels a bit verbose.  Maybe something like

  ... such as due to DHCP or NAT mappings changing.  ``--float`` only 
  works when using UDP transport.

(and remove the part about "(... if --remote is not used)" because
the next paragraph explains that distinction anyway)


> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index f414024..0a95a81 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -175,8 +175,9 @@ static const char usage_message[] =
> "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
> " resolve for n seconds before failing (disabled by default).\n"
> " Set n=\"infinite\" to retry indefinitely.\n"
> - "--float : Allow remote to change its IP address/port, such as through\n"
> - " DHCP (this is the default if --remote is not used).\n"
> + "--float : Allow remote UDP peer to change its IP address/port,\n"
> + " such as through DHCP (default if --remote is not used).\n"
> + " Only applies to UDP transports.\n"
> "--ipchange cmd : Run command cmd on remote ip address initial\n"
> " setting or change -- execute as: cmd ip-address port#\n"
> "--port port : TCP/UDP port # for both local and remote.\n"
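Review bot: the replacement usage text states the limitation twice within three lines, first as ``Allow remote UDP peer to change its IP address/port,`` and again as ``Only applies to UDP transports.``; one mention is enough in a one-screen usage summary, so either keep the original first line plus the added third line, or keep ``UDP peer`` in the first line and drop the third. Dropping the third line also keeps the entry at two lines like the neighbouring ``--ipchange`` and ``--port`` entries, so the block's layout stays consistent.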

The usage message is not a full reference manual, so I would not put it
here.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             [email protected]

_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
