Opened 7 years ago
Last modified 4 years ago
#1037 assigned Feature Wish
client-connect or similar does not fire when OpenVPN client floated
Reported by: | mcp | Owned by: | stipa |
---|---|---|---|
Priority: | minor | Milestone: | release 2.6 |
Component: | Management | Version: | OpenVPN 2.4.4 (Community Ed) |
Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
Cc: |
Description
Hello,
I'm using a client-connect script to export all env variables from the connecting clients to temporary files so my management GUI can use them. This works pretty well but not for floating clients.
When I look into the man page I see the ipchange cmd. I thought to use that but there's a hint "Don't use --ipchange in --mode server mode. Use a --client-connect script instead." but I tried it anyway w/o success because OpenVPN does not start anymore with that parameter active in an OpenVPN server config.
The problem is, when a client floats, --client-connect is not fired, nothing is fired so a new IP or a new port is not known from any env variable because it's not there so the temp file cannot get updated so my management GUI does not see the changes.
I think this is a bug, at least something should fire when a client floats. I mean these events:
Float requested for peer 40 to 1.2.3.4:62487
peer 40 (Common.Name) floated from 1.2.3.4:62487 to [AF_INET]5.6.7.8:62487
Float requested for peer 7 to 2.4.6.8:1025
peer 7 (Other.CommonName?) floated from 2.4.6.8:62018 to [AF_INET]2.4.6.8:1025
I'm using OpenvPN 2.4.4 on Debian Linux.
Thank you!
Change History (5)
comment:1 Changed 7 years ago by
Type: | Bug / Defect → Feature Wish |
---|
comment:2 Changed 7 years ago by
well OK, but the management interface / status file do not have detailed info's about the connected clients, or do I miss something? Like all the IV variables for example.
Another question: can one disable floating on the server side so clients have to reconnect, i.e. new full handshake?
comment:3 Changed 7 years ago by
It has also bothered me as to why --float can not be disabled on a --server
--float
Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used).
comment:4 Changed 7 years ago by
The management interface will give you the IV_ set on connect, and the active client IP at the moment you query it. Status file has no IV_, so it won't replace your --client-connect
scripts, but it can nicely complement it - IV_s are not going to change on floating, so no new information there.
As for why --float
cannot be turned off - because it does not make sense to do so, in all cases where it can fire, it's beneficial for the users, and we already have way too many options that create new alternative paths in the code that need to be tested and maintained, etc. (and too many options as well).
The main reason why we still have a --float
option at all is for peer-to-peer mode which works sufficiently different from client-to-server mode that it make some sense to keep the existing code and options around. Otherwise it could just go completely.
comment:5 Changed 4 years ago by
Component: | Community services → Management |
---|---|
Milestone: | → release 2.6 |
Owner: | changed from Samuli Seppänen to stipa |
Status: | new → assigned |
No idea why this was assigned to mattock. Must be some trac automatism because "Community Services" was selected...
Anyway - to @stipa, as feature wish for 2.6 - make --ipchange
work in server mode, and report if a client floated. If it can be done in a nice way without major surgery.
More a feature wish.
The whole point of floating is that it's not a full new handshake - so, no authentication, IP address change, PUSH/PUSH_REPLY, no part of the machinery that would involve
--client-connect
.OTOH, extending
--ipchange
to work in server mode might be a good plan, and do that job ("update whoever needs that information with the new peer address for the instance}}}.Besides this, you can always query the management interface or look at the
--status
file which have the current client IP address for you.