Hi Adam,

On 10/11/17 11:18, Adam Wysocki via Openvpn-users wrote:
> [...]
> 
> David:
> > Port sharing is a feature for the server side to "hide" OpenVPN behind
> > an existing SSL/TLS based service (typically https).  So packets which
> > carry an OpenVPN signature will be processed by the OpenVPN process.
> > Anything else will be sent to the provided IP address and port and the
> > OpenVPN process will just act as a proxy.
> >
> > This happens on _all_ packets - OpenVPN packets and anything else, not
> > just some or just during the initial handshake.
> 
> Strange. Are you sure about it? What would be a reason for this with TCP?
> With UDP I perfectly see why (despite port-sharing being a TCP-only
> feature), but with TCP? Once a connection is established and it's known
> that it was an OpenVPN client that has connected?
> 
> This seems consistent with this code from socket.c (stream_buf_added()):
> 
> #if PORT_SHARE
>     if (sb->port_share_state == PS_ENABLED)
>       {
>         if (!is_openvpn_protocol (&sb->buf))
>           {
>             msg (D_STREAM_ERRORS, "Non-OpenVPN client protocol detected");
>             sb->port_share_state = PS_FOREIGN;
>             sb->error = true;
>             return false;
>           }
>         else
>           sb->port_share_state = PS_DISABLED;
>       }
> #endif
> 
> To summarize:
> 
> - if port sharing state is ENABLED
>    - if the protocol is not openvpn, we set state to FOREIGN
>    - if the protocol is openvpn, we set state to DISABLED
> 
> So it seems it works only on the first data packet, and I guess that the
> states are:
> 
> - ENABLED - we don't know yet if we're port-sharing, decision is to be made
> - FOREIGN - we know that the first packet wasn't an openvpn one, so from now
>   on we're forwarding
> - DISABLED - we know that the first packet was ours, so from now on we don't
>   forward


Now you've made me curious, so I've just checked it by adding a single line
  msg( M_INFO, "Is it OpenVPN?" );

to ps.c in the function 'is_openvpn_protocol' and indeed, that function is called only once, when the client first connects.
So, port-sharing does not make your problem any worse than it already is ;)

cheers,

JJK
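As an added illustration (not code from this thread or from OpenVPN) of the once-only decision Adam and JJK describe, here is a small C model of the PS_ENABLED / PS_FOREIGN / PS_DISABLED state machine. The is_openvpn_protocol() heuristic, the stream_buf struct and the sample packets are constructed assumptions, not OpenVPN's own code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* The three port-share states named in the thread (constructed mirror). */
enum ps_state { PS_ENABLED, PS_FOREIGN, PS_DISABLED };
enum ps_sink  { SINK_OPENVPN, SINK_PROXY };
struct stream_buf { enum ps_state port_share_state; };

/* Simplified stand-in for ps.c's is_openvpn_protocol() (an assumption, not a
 * copy).  TCP-framed OpenVPN starts with a 2-byte big-endian length and an
 * opcode byte; the first client packet is P_CONTROL_HARD_RESET_CLIENT_V2
 * (opcode 7 << 3 = 0x38, key-id 0).  A TLS ClientHello starts 0x16 0x03, so
 * its first byte is non-zero and never matches. */
static bool is_openvpn_protocol(const uint8_t *p, size_t len)
{
    if (len >= 3)
        return p[0] == 0 && p[1] >= 14 && p[2] == 0x38;
    if (len >= 2)
        return p[0] == 0 && p[1] >= 14;
    return true;               /* too short to judge: provisionally ours */
}

/* Route one packet.  Only while PS_ENABLED is the payload inspected; the
 * verdict is stored and every later packet follows it unexamined. */
static enum ps_sink stream_buf_route(struct stream_buf *sb,
                                     const uint8_t *pkt, size_t len)
{
    if (sb->port_share_state == PS_ENABLED)
        sb->port_share_state = is_openvpn_protocol(pkt, len)
                               ? PS_DISABLED   /* ours: stop inspecting */
                               : PS_FOREIGN;   /* foreign: proxy from now on */
    return sb->port_share_state == PS_FOREIGN ? SINK_PROXY : SINK_OPENVPN;
}

/* Constructed sample packets: an OpenVPN hard-reset header and a TLS record
 * header.  Feeding them in either order shows the once-only decision. */
static const uint8_t ovpn_reset[] = { 0x00, 0x0e, 0x38, 0x00, 0x00 };
static const uint8_t tls_hello[]  = { 0x16, 0x03, 0x01, 0x00, 0xc8 };
/* Runs a fresh connection through two packets; returns how many were proxied.
 * OpenVPN first -> 0 (TLS-looking bytes still go to OpenVPN);
 * TLS first     -> 2 (the connection is foreign for good). */
static int proxied_count(const uint8_t *first, size_t flen,
                         const uint8_t *second, size_t slen)
{
    struct stream_buf sb = { PS_ENABLED };
    int n = 0;
    n += stream_buf_route(&sb, first, flen) == SINK_PROXY;
    n += stream_buf_route(&sb, second, slen) == SINK_PROXY;
    return n;
}
```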


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
