On 25.03.21 at 23:37, Antonio Quartulli wrote:
> Hi,
>
> On 15/12/2020 17:42, Arne Schwabe wrote:
>> For --nobind clients OpenVPN reuses the context and tls_multi structs
>> of the previous clients and does not rerun the connect scripts on
>> connect. But since it is a new client connection, the key_id is 0 and
>> we postpone the key generation but it will never happen.
>
> Can you explain how the --nobind on the client is related to the server
> behaviour?
>
> Are you saying that a client connecting from the same IP of another
> client will share its session and tls_multi object?

(I will also copy that explanation to a v2 of the patch)

When OpenVPN sees a new (SSL) connection via HARD or SOFT_RESET with the same port/ip as an existing session, it will give it the slot of the renegotiation session (TM_UNTRUSTED). And when the authentication succeeds it will replace the current session. Since we already have gone through connect stages and set context_auth to CAS_SUCCEEDED, we don't call all the connect stages again, and therefore also never call multi_client_generate_tls_keys for this session.

Arne
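
The flow described in the reply above, as an added toy model in C that is not part of the original message and is not OpenVPN source. Only TM_UNTRUSTED, CAS_SUCCEEDED, key_id, context_auth and the name multi_client_generate_tls_keys come from the thread; the struct layouts, TM_ACTIVE, CAS_PENDING and the helper functions are assumptions made for the model.

```c
/* Toy model of the server-side flow in the thread; not OpenVPN source. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { TM_ACTIVE, TM_UNTRUSTED, TM_SIZE };   /* session slots in the model */
enum cas { CAS_PENDING, CAS_SUCCEEDED };     /* connect-stage state */

struct session { int key_id; bool data_keys; };
struct client { enum cas context_auth; int connect_runs; struct session slot[TM_SIZE]; };

/* Stand-in for multi_client_generate_tls_keys(): do the postponed keygen. */
static void generate_tls_keys(struct session *s) { s->data_keys = true; }

/* Connect stages run once per client context, then context_auth sticks. */
static void run_connect_stages(struct client *c)
{
    if (c->context_auth == CAS_SUCCEEDED)
        return;                              /* already done: skipped */
    c->connect_runs++;
    generate_tls_keys(&c->slot[TM_ACTIVE]);
    c->context_auth = CAS_SUCCEEDED;
}

/* HARD/SOFT_RESET from a known ip/port, followed by successful auth. */
static void reconnect_same_addr(struct client *c)
{
    memset(&c->slot[TM_UNTRUSTED], 0, sizeof(struct session)); /* key_id 0 */
    c->slot[TM_ACTIVE] = c->slot[TM_UNTRUSTED];  /* replaces current session */
    run_connect_stages(c);                       /* no-op on this path */
}

/* First connection, then `reconnects` new connections from the same ip/port. */
struct client model_run(int reconnects)
{
    struct client c;
    memset(&c, 0, sizeof c);                 /* CAS_PENDING, key_id 0 */
    run_connect_stages(&c);
    while (reconnects-- > 0)
        reconnect_same_addr(&c);
    return c;
}

int main(void)
{
    printf("first connect: keys=%d\n", model_run(0).slot[TM_ACTIVE].data_keys);
    printf("after reconnect: keys=%d\n", model_run(1).slot[TM_ACTIVE].data_keys);
    return 0;
}
```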