James Yonan wrote:
> No, --float only applies to the IP address, not the port.

Sadly, yes.

> You can't really float on the port efficiently because a UDP socket
> needs to bind to some port number (either static or dynamic). To do
> port floating, you would need to bind to every possible port that a
> packet might come in on -- fairly impractical.

No. Using the same logic the openvpn server would need to listen on all
4,294,967,296 IP addresses.
It is the *client* port that changes, which can be detected just as easily
as a change in the client IP address. The only problem is that it is not
checked.
Please re-visit my original post to see under what circumstances the IP
address can stay the same while the client port number changes *from the
server's point of view*.
I think I found the portions of the code that would need modification:
- In mroute.h, struct mroute_addr would need an unsigned short port to
store the port number. Also, mroute_addr_equal() would need to return
false if the port numbers don't match.
- In mroute.c, mroute_extract_addr_from_packet() would need to get the
port number from the packet. This is the part where I'm not too sure. Is
it safe to assume that the UDP header starts just after the IP header?
To be honest, I never understood the concept of IP header options... :)
HTH,
Kosta
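
On the question above of whether the UDP header starts just after the IP header: an IPv4 header is variable-length (its IHL field counts 32-bit words, so 20 to 60 bytes), and only the first fragment of a datagram carries the UDP header. The following is an added example, not part of the original message and not OpenVPN code; the function names and the sample packets are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample packets (documentation addresses, checksums left zero).
 * Both carry UDP source port 50000 (0xc350) and destination port 1194. */
static const uint8_t pkt_plain[] = {            /* IHL = 5: no options */
    0x45,0x00,0x00,0x1c, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,
    192,0,2,1, 192,0,2,2,
    0xc3,0x50,0x04,0xaa, 0x00,0x08,0x00,0x00 };
static const uint8_t pkt_opts[] = {             /* IHL = 6: 4 option bytes */
    0x46,0x00,0x00,0x20, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,
    192,0,2,1, 192,0,2,2,
    0x01,0x01,0x01,0x00,                        /* NOP, NOP, NOP, EOL */
    0xc3,0x50,0x04,0xaa, 0x00,0x08,0x00,0x00 };

/* Assumes a fixed 20-byte IP header: wrong as soon as options are present. */
static int naive_src_port(const uint8_t *p, size_t len)
{
    return len < 22 ? -1 : (p[20] << 8) | p[21];
}

/* Returns the UDP source port, or -1 if the buffer is not an IPv4 packet
 * that carries a complete UDP header. */
static int udp_src_port(const uint8_t *p, size_t len)
{
    if (len < 20 || (p[0] >> 4) != 4)
        return -1;                              /* too short or not IPv4 */
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;     /* header length in bytes */
    if (ihl < 20 || len < ihl + 8)
        return -1;                              /* bad IHL or truncated */
    if (p[9] != 17)
        return -1;                              /* protocol is not UDP */
    if ((((p[6] & 0x1f) << 8) | p[7]) != 0)
        return -1;                              /* later fragment: no UDP header */
    return (p[ihl] << 8) | p[ihl + 1];
}

int main(void)
{
    printf("no options: naive=%d ihl-aware=%d\n",
           naive_src_port(pkt_plain, sizeof pkt_plain),
           udp_src_port(pkt_plain, sizeof pkt_plain));
    printf("with options: naive=%d ihl-aware=%d\n",
           naive_src_port(pkt_opts, sizeof pkt_opts),
           udp_src_port(pkt_opts, sizeof pkt_opts));
    return 0;
}
```

With the options packet, the fixed-offset read returns bytes from the options area instead of the port, which is why the offset has to come from IHL.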