On 25.06.25 at 15:30, Walter Doekes wrote:
> Good. I backported the patch so it ran against the culprit version
> (b3647114).
> I got these messages:
> SENT CONTROL [mycommonname]: 'PUSH_REPLY,route ... 255.255.255.255
> net_gateway,route-gateway 10.x.x.1,topology subnet,ping 15,ping-restart
> 55,route 10.x.x.0 255.255.0.0 vpn_gateway,ifconfig 10.x.x.3
> 255.255.255.0,peer-id 4,cipher AES-256-GCM' (status=1)
> Packet with invalid or missing SID from [AF_INET]HOME_IP:33567
> Float requested for peer 4 to HOME_IP:33567
> peer 4 (mycommonname) floated from VPN_IP:33567 to [AF_INET]HOME_IP:33567
> The "Packet with invalid or missing SID" is new to me. But other than
> that, it works.
Thanks for testing and confirming that it works.
> I also tried it against 2.6-latest (0169b4ad). Also works. There the
> message is:
> Packet (P_ACK_V1) with invalid or missing SID from [AF_INET]HOME_IP:46088
> I can't tell if this new message is problematic or not. It doesn't
> negatively impact my connection setup. And I (now) know when to expect it.
> As for your patch: there's a minor typo in your patch at ssl_pkt.h in the
> signature:
> "bool check_session_id_hmac" should be "bool pkt_is_ack"
Thanks will fix in the next revision.
> Further, I would prefer if the commit message itself mentioned something
> about "floating IPs and 60 second timeout after connect" instead of "rare
> circumstances" which are not rare in 100% of my use cases. That might be
> beneficial to the next person who runs into this.
You need a connection that
- starts on IP A
- successfully floats to IP B by data packet
- then has a control packet from IP A before any data packet can trigger
the float back to IP A
In this scenario we would previously trigger a new connection, while now
we detect that this should not trigger a new connection as it is not a
new connection attempt. So instead of creating a new connection, you see
(at verb 4 or higher) the message
Packet (P_ACK_V1) with invalid or missing SID
instead with the patch.
I will update the commit message when the patch is no longer in draft
mode. I wanted to confirm that this is actually the problem/scenario we
are fixing before finishing the patch.
Arne
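The three-step scenario Arne lays out above (connect from IP A, float to IP B by data packet, stale control packet from IP A) can be walked through in a small model. The code below is an added, constructed illustration and is not OpenVPN code or the patch under discussion: the server keeps a peer table keyed by peer-id, floats a peer when a data packet arrives from a new address, and treats control packets from an address not bound to any peer either as a new connection (pre-patch behaviour) or, when the packet is not a hard reset, drops it with the log message quoted in the thread (patched behaviour). The opcode constants are real OpenVPN opcode names; the `patched` flag, the `Server`/`Peer` classes and the modelling of the SID check as "only a hard reset counts as a new connection attempt" are assumptions made for the model, since the thread does not describe the real HMAC-based check.

```python
"""Toy model of the peer-float scenario from the openvpn-devel thread.

Constructed example, not OpenVPN code. The SID check is modelled as
"a control packet from an unbound address is a new connection only if it
is a hard reset" (assumption); the real code validates the SID by HMAC.
"""
from dataclasses import dataclass, field

P_DATA = "P_DATA_V2"
P_ACK = "P_ACK_V1"
P_HARD_RESET = "P_CONTROL_HARD_RESET_CLIENT_V2"


@dataclass
class Peer:
    peer_id: int
    session_id: bytes   # SID established at connect time
    addr: tuple         # (ip, port) the peer is currently bound to


@dataclass
class Server:
    patched: bool       # False: pre-patch behaviour, True: behaviour described in the thread
    peers: dict = field(default_factory=dict)
    log: list = field(default_factory=list)
    new_connections: int = 0

    def add_peer(self, peer):
        self.peers[peer.peer_id] = peer

    def _peer_at(self, addr):
        return next((p for p in self.peers.values() if p.addr == addr), None)

    def handle(self, opcode, src, peer_id=None, sid=None):
        if opcode == P_DATA:
            return self._data(peer_id, src)
        return self._control(opcode, src, sid)

    def _data(self, peer_id, src):
        # Data packets carry the peer-id, which is what lets the server float
        # the peer to a new source address.
        peer = self.peers[peer_id]
        if peer.addr != src:
            self.log.append(f"peer {peer_id} floated from {peer.addr} to {src}")
            peer.addr = src
        return "data"

    def _control(self, opcode, src, sid):
        peer = self._peer_at(src)
        if peer is not None and peer.session_id == sid:
            return "control"  # control packet from the address the peer is bound to
        if opcode == P_HARD_RESET or not self.patched:
            # Pre-patch: any control packet from an unbound address started a
            # new connection. Patched: only a hard reset does (model assumption).
            self.new_connections += 1
            self.log.append(f"new connection from {src}")
            return "new-connection"
        # Patched: a non-reset control packet from an unbound address is not a
        # new connection attempt; log and drop it instead.
        self.log.append(f"Packet ({opcode}) with invalid or missing SID from {src}")
        return "dropped"


def run_scenario(patched):
    """Replay the thread's three steps and return what happened to the stale control packet."""
    server = Server(patched=patched)
    ip_a, ip_b = ("IP_A", 33567), ("IP_B", 33567)  # constructed addresses
    # Step 1: the connection was established from IP A, so peer 4 is bound there.
    server.add_peer(Peer(peer_id=4, session_id=b"sid-4", addr=ip_a))
    # Step 2: a data packet from IP B floats the peer.
    server.handle(P_DATA, ip_b, peer_id=4)
    # Step 3: a control packet from IP A arrives before any data packet floats it back.
    stale_control = server.handle(P_ACK, ip_a, sid=b"sid-4")
    # Later a data packet from IP A floats the peer back and control traffic is accepted again.
    server.handle(P_DATA, ip_a, peer_id=4)
    recovered = server.handle(P_ACK, ip_a, sid=b"sid-4")
    return {"stale_control": stale_control, "recovered": recovered,
            "new_connections": server.new_connections, "log": server.log}


if __name__ == "__main__":
    for patched in (False, True):
        result = run_scenario(patched)
        print("patched" if patched else "unpatched", result["stale_control"])
        for line in result["log"]:
            print("  ", line)
```

Running it shows the difference the patch makes in this one path: unpatched, the stale P_ACK_V1 from IP A is counted as a new connection; patched, it is logged as "invalid or missing SID" and dropped, and the existing session continues once a data packet from IP A floats the peer back.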
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel