From: James Y. <ji...@yo...> - 2005-02-23 20:06:33
On Wed, 23 Feb 2005, Doncho N. Gunchev wrote:

> On 2005 02 23 (Wednesday) 12:01, Charles Duffy wrote:
> > On Wed, 23 Feb 2005 11:46:06 +0200, Doncho N. Gunchev wrote:
> > ...
> > > Is it possible to bind openvpn (maybe 2.1) to multiple addresses like
> > > BIND, SQUID, Apache and many others can?
> >
> > Sure you can bind to multiple addresses, but in UDP mode you don't have a
> > guarantee that the answer will be on the same IP as the source.
>
> How does bind do so?
> ... netstat -unap | grep '[0-9]/named'
> udp 0 0 127.0.0.1:53 0.0.0.0:* 6481/named
> udp 0 0 10.0.0.1:53 0.0.0.0:* 6481/named
> udp 0 0 192.168.1.1:53 0.0.0.0:* 6481/named
> udp 0 0 172.30.255.200:53 0.0.0.0:* 6481/named
> ...
>
> It is one process. If I guess this right it binds to many sockets and
> sends replies via the socket it got the query from, just like when you
> bind to only one interface (IP) you get replies fine (but I'm only guessing).
> Is my guess right? Will in this case source be guaranteed?

Exactly -- we need to bind to multiple sockets, rather than to a single
socket using the wildcard address INADDR_ANY as OpenVPN is doing right now.

I didn't do it this way in the first place because I didn't realize that
INADDR_ANY + UDP is broken due to the way that the standard sockets API
doesn't give you a source IP argument for the recvfrom and sendto syscalls.

Listening on multiple sockets is also bad from a performance perspective
unless you are using a modern polling API such as epoll on Linux 2.6.

James
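The two approaches contrasted in the thread, as an added example that is not part of the original message or of OpenVPN's code: a single UDP socket on INADDR_ANY lets the kernel choose the reply's source address, while one socket per address (the BIND layout shown in the netstat output) answers from the socket the datagram arrived on, so the source matches the destination the client used. It assumes a Linux loopback where 127.0.0.2 is reachable without extra configuration; the addresses and the select() loop are constructed for the demo.

```python
import select
import socket

# Constructed local addresses (assumption: Linux treats all of 127.0.0.0/8 as loopback).
ADDRS = ["127.0.0.1", "127.0.0.2"]


def _roundtrip(server_socks, dst_addr):
    """Send one datagram to dst_addr, answer it server-side, return the reply's source IP."""
    port = server_socks[0].getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    try:
        client.sendto(b"query", (dst_addr, port))
        # Multiple sockets need a readiness API (select here; epoll in production).
        ready, _, _ = select.select(server_socks, [], [], 2)
        if not ready:
            raise TimeoutError("server saw no datagram")
        srv = ready[0]
        data, peer = srv.recvfrom(512)
        # Reply through the socket the query arrived on. sendto() has no source-IP
        # argument: a wildcard socket lets the kernel pick, a per-address socket
        # is pinned to its bound address.
        srv.sendto(b"reply:" + data, peer)
        _, reply_src = client.recvfrom(512)
        return reply_src[0]
    finally:
        client.close()


def wildcard_reply_source(dst_addr):
    """Single socket bound to INADDR_ANY: source of the reply is the kernel's choice."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("0.0.0.0", 0))
    try:
        return _roundtrip([s], dst_addr)
    finally:
        s.close()


def per_address_reply_source(dst_addr, addrs=ADDRS):
    """One socket per address on a shared port: reply source equals the address queried."""
    socks, port = [], 0
    try:
        for a in addrs:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind((a, port))
            port = s.getsockname()[1]  # reuse the first socket's ephemeral port
            socks.append(s)
        return _roundtrip(socks, dst_addr)
    finally:
        for s in socks:
            s.close()


if __name__ == "__main__":
    print("wildcard socket replied from   ", wildcard_reply_source("127.0.0.2"))
    print("per-address socket replied from", per_address_reply_source("127.0.0.2"))
```

On a stock Linux loopback the wildcard variant answers a query sent to 127.0.0.2 from 127.0.0.1, which is exactly the mismatch a client using address-filtering or a stateful firewall would drop; the per-address variant always answers from 127.0.0.2.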