Hi, On Mon, Jun 29, 2026 at 07:50:00PM +0000, Sami Rusani via Openvpn-devel wrote: > The --float option lets OpenVPN accept authenticated packets from a > changed peer address. That only applies to UDP transports; TCP needs a > new connection when the peer address changes. > > Document the transport limitation in the man page and usage text. > > Github: fixes OpenVPN/openvpn#358 > --- > doc/man-sections/link-options.rst | 4 ++++ > src/openvpn/options.c | 5 +++-- > 2 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/doc/man-sections/link-options.rst > b/doc/man-sections/link-options.rst > index edda1ca..60f098c 100644 > --- a/doc/man-sections/link-options.rst > +++ b/doc/man-sections/link-options.rst > @@ -13,6 +13,10 @@ the local and the remote host. > --float > Allow remote peer to change its IP address and/or port number, such as > due to DHCP (this is the default if ``--remote`` is not used). > + This option only applies to UDP transports (for example, > + ``--proto udp``). TCP connections cannot float to a different peer > + address because that requires establishing a new TCP connection. > + > ``--float`` when specified with ``--remote`` allows an OpenVPN session > to initially connect to a peer at a known address, however if packets > arrive from a new address and pass all authentication tests, the new
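Review bot: the sentence added to the --float entry says TCP connections cannot float, but it does not say what happens when --float is given together with a TCP transport. State whether the option is ignored or rejected in that case, so a reader knows whether a configuration carrying both is valid. The parenthetical "(for example, ``--proto udp``)" adds little after "UDP transports" and could be dropped to shorten the paragraph.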
This feels a bit verbose.  Maybe something like

   ... such as due to DHCP or NAT mappings changing.  ``--float`` only
   works when using UDP transport.

(and remove the part about "(... if --remote is not used)" because
the next paragraph explains that distinction anyway)

> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index f414024..0a95a81 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -175,8 +175,9 @@ static const char usage_message[] =
> "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
> " resolve for n seconds before failing (disabled by default).\n"
> " Set n=\"infinite\" to retry indefinitely.\n"
> - "--float : Allow remote to change its IP address/port, such as through\n"
> - " DHCP (this is the default if --remote is not used).\n"
> + "--float : Allow remote UDP peer to change its IP address/port,\n"
> + " such as through DHCP (default if --remote is not used).\n"
> + " Only applies to UDP transports.\n"
> "--ipchange cmd : Run command cmd on remote ip address initial\n"
> " setting or change -- execute as: cmd ip-address port#\n"
> "--port port : TCP/UDP port # for both local and remote.\n"
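Review bot: the new usage text for --float states the UDP restriction twice, once as "Allow remote UDP peer" on the first added line and again as "Only applies to UDP transports." on the third. Keep one of the two so the entry stays at its original two lines, and leave the longer explanation to the man page.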
The usage message is not a full reference manual, so I would not put it
here.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
