From: Selva N. <sel...@gm...> - 2015-10-21 21:10:32
Hi,
On Wed, Oct 21, 2015 at 4:48 PM, Gert Doering <ge...@gr...> wrote:
> Hi,
>
> On Wed, Oct 21, 2015 at 04:37:57PM -0400, Selva Nair wrote:
> > If I'm not mistaken, persist-remote-ip pre-dates connection-list support.
> > With multiple options conditionally depending on each other, such seemingly
> > unexpected behaviour is no surprise.. Call it feature or a bug. The user
> > asked for persist-remote-ip which the manual says will persist both IP and
> > port, so why expect something else.
>
> If the documentation says so, it's not a bug. Just a weird feature, which
> we might want to eventually print a warning about...
>
The manpage says

    --persist-remote-ip
        Preserve most recently authenticated remote IP address
        and port number across SIGUSR1 or --ping-restart restarts.

Which is not totally correct -- the IP persists even when it's not a
previously authenticated one. Even if that is fixed, many users may not
realize all the implications. So, yes, it would be useful to add a warning
not to use it with multiple remotes or connection lists. The strange
thing is that it will most likely use the same IP even after a SIGHUP
restart or SIGKILL + manual restart, unless the multiple IPs are obtained
by name resolution or random is also specified.

That's why I say it's worth considering getting rid of that option.

Selva
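
An added example, not part of the original message and not OpenVPN's own code: a small config check that raises the kind of warning discussed above when persist-remote-ip appears together with more than one remote entry. The function name, the message wording and the sample config (hostnames included) are constructed for illustration.

```python
# Constructed sample config: two remotes in <connection> blocks plus persist-remote-ip.
SAMPLE = """\
client
persist-remote-ip
<connection>
remote vpn1.example.net 1194 udp
</connection>
<connection>
remote vpn2.example.net 443 tcp
</connection>
<ca>
remote-looking PEM data is skipped, not parsed
</ca>
"""

def lint_persist_remote_ip(config_text):
    """Return warnings when persist-remote-ip is combined with several remotes."""
    persist = randomized = False
    remotes = 0
    skip_until = None  # closing tag of an inline data block (<ca>, <key>, ...)
    for raw in config_text.splitlines():
        line = raw.strip()
        if skip_until:
            if line == skip_until:
                skip_until = None
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("<"):
            tag = line.strip("</>")
            # <connection> holds directives; every other inline block is opaque data
            if tag != "connection" and not line.startswith("</"):
                skip_until = "</%s>" % tag
            continue
        option = line.split()[0].lstrip("-")  # accept "remote" and "--remote"
        if option == "persist-remote-ip":
            persist = True
        elif option == "remote-random":
            randomized = True
        elif option == "remote":
            remotes += 1
    if not (persist and remotes > 1):
        return []
    msg = ("persist-remote-ip set with %d remote entries: the remote IP and "
           "port are kept across SIGUSR1/--ping-restart restarts" % remotes)
    if randomized:
        msg += " (remote-random is also set)"
    return [msg]

if __name__ == "__main__":
    print("\n".join(lint_persist_remote_ip(SAMPLE)) or "no warnings")
```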