OpenVPN Support Forum

Hello all,

What is the difference between proto tcp/tcp-server/tcp-client?

Cheers,
Andrew

im surprised to find this is not really covered in the manual...
my understanding of it is that tcp-server/tcp-client are for ptp operation (in openvpn 1 ptp was the only mode available)
of course they can be used still in client/server mode, but also proto tcp can be used there, because each side already knows who should act as the server/client for the tcp session.

from the manual:
For TCP operation, one peer must use --proto tcp-server and the other must use --proto tcp-client. A peer started with tcp-server will wait indefinitely for an incoming connection.

notice it says peer... as in ptp mode there is no server or client, only peers.

looks like you found something that should be explained better in the manual, I will show this thread to those with permissions to update the manual

Thank you for your reply. It seems that the reason why manual is silent about the "tcp" option is because it's not really an option. If you try and use it you'll get a error that you should specify tcp-client or tcp-server instead.

I've checked the code path for the sanity check of --proto {tcp,tcp-server,tcp-client}. It is correct that normally --proto tcp will not be accepted at all. Even the source code is a bit vauge on what it expects or should allow. It looks like OpenVPN once allowed --proto tcp to be used in conjunction with --inetd. However, there's now a pretty explicit check before the more forgiving code which now will block this. So with --inetd you now must use --proto tcp-server. And in all other scenarios you need to use either --proto tcp-server or --proto tcp-client.

To briefly explain the reason why a --proto tcp implementation won't work while --proto udp does, is related to how TCP and UDP connections are established. TCP connections requires listen() to be called on the server side, while UDP connections do not need that at all. On the client side, TCP clients need to use connect() while UDP does not. This makes it necessarily to distinguish between TCP client and server - to know how to establish the network socket. While the UDP client/server on the other hand are much more similar when creating the network socket.

Having that said, it should theoretically be possible to distinguish the server/client mode based on other options used in conjunction with a --proto tcp option. But to make that logic work out will require some effort.

An update: I forgot to mention that while I've done this code review based on traditional client/server with multiple clients to one server ... there are other code paths related to --mode p2p, which changes some of the code path. So that might give quite a different challenge to automatic client/server detection for a TCP mode.

Thank you for your research, this is most useful information.

Andrew.