@@ -315,6 +315,26 @@ x_gc_free (struct gc_arena *a)

 }

 /*

+ * Transfer src arena to dest, resetting src to an empty arena.

+ */

+void

+gc_transfer (struct gc_arena *dest, struct gc_arena *src)

+{

+  if (dest && src)

+    {

+      struct gc_entry *e = src->list;

+      if (e)

+	{

+	  while (e->next != NULL)

+	    e = e->next;

+	  e->next = dest->list;

+	  dest->list = src->list;

+	  src->list = NULL;

+	}

+    }

+}

+

+/*

  * Hex dump -- Output a binary buffer to a hex string and return it.

  */

@@ -632,6 +632,8 @@ void character_class_debug (void);

  * char ptrs to malloced strings.

  */

+void gc_transfer (struct gc_arena *dest, struct gc_arena *src);

+

 void x_gc_free (struct gc_arena *a);

 static inline void

@@ -120,7 +120,7 @@

 #define D_MULTI_DEBUG        LOGLEV(7, 70, M_DEBUG)  /* show medium-freq multi debugging info */

 #define D_MSS                LOGLEV(7, 70, M_DEBUG)  /* show MSS adjustments */

 #define D_COMP_LOW           LOGLEV(7, 70, M_DEBUG)  /* show adaptive compression state changes */

-#define D_REMOTE_LIST        LOGLEV(7, 70, M_DEBUG)  /* show --remote list */

+#define D_CONNECTION_LIST    LOGLEV(7, 70, M_DEBUG)  /* show <connection> list info */

 #define D_SCRIPT             LOGLEV(7, 70, M_DEBUG)  /* show parms & env vars passed to scripts */

 #define D_SHOW_NET           LOGLEV(7, 70, M_DEBUG)  /* show routing table and adapter list */

 #define D_ROUTE_DEBUG        LOGLEV(7, 70, M_DEBUG)  /* show verbose route.[ch] output */

@@ -356,7 +356,7 @@ check_fragment_dowork (struct context *c)

   if (lsi->mtu_changed && c->c2.ipv4_tun)

     {

       frame_adjust_path_mtu (&c->c2.frame_fragment, c->c2.link_socket->mtu,

-			     c->options.proto);

+			     c->options.ce.proto);

       lsi->mtu_changed = false;

     }

@@ -1038,7 +1038,7 @@ process_outgoing_link (struct context *c)

 #ifdef HAVE_GETTIMEOFDAY

 	  if (c->options.shaper)

 	    shaper_wrote_bytes (&c->c2.shaper, BLEN (&c->c2.to_link)

-				+ datagram_overhead (c->options.proto));

+				+ datagram_overhead (c->options.ce.proto));

 #endif

 	  /*

 	   * Let the pinger know that we sent a packet.

@@ -281,9 +281,6 @@ helper_client_server (struct options *o)

 	  o->push_ifconfig_constraint_network = o->server_network;

 	  o->push_ifconfig_constraint_netmask = o->server_netmask;

 	}

-

-      if (o->proto == PROTO_TCPv4)

-	o->proto = PROTO_TCPv4_SERVER;

     }

   /*

@@ -325,9 +322,6 @@ helper_client_server (struct options *o)

       ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);

       o->ifconfig_pool_netmask = o->server_bridge_netmask;

       push_option (o, print_opt_route_gateway (o->server_bridge_ip, &o->gc), M_USAGE);

-

-      if (o->proto == PROTO_TCPv4)

-	o->proto = PROTO_TCPv4_SERVER;

     }

   else

 #endif /* P2MP_SERVER */

@@ -349,16 +343,10 @@ helper_client_server (struct options *o)

       o->pull = true;

       o->tls_client = true;

-

-      if (o->proto == PROTO_TCPv4)

-	o->proto = PROTO_TCPv4_CLIENT;

     }

 #endif /* P2MP */

-  if (o->proto == PROTO_TCPv4)

-    msg (M_USAGE, "--proto tcp is ambiguous in this context.  Please specify --proto tcp-server or --proto tcp-client");

-

   gc_free (&gc);

 }

@@ -78,23 +78,100 @@ context_clear_all_except_first_time (struct context *c)

 }

 /*

- * Initialize and possibly randomize remote list.

+ * Should be called after options->ce is modified at the top

+ * of a SIGUSR1 restart.

  */

 static void

-init_remote_list (struct context *c)

+update_options_ce_post (struct options *options)

 {

-  c->c1.remote_list = NULL;

+#if P2MP

+  /*

+   * In pull mode, we usually import --ping/--ping-restart parameters from

+   * the server.  However we should also set an initial default --ping-restart

+   * for the period of time before we pull the --ping-restart parameter

+   * from the server.

+   */

+  if (options->pull

+      && options->ping_rec_timeout_action == PING_UNDEF

+      && options->ce.proto == PROTO_UDPv4)

+    {

+      options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;

+      options->ping_rec_timeout_action = PING_RESTART;

+    }

+#endif

+#ifdef USE_CRYPTO

+  /* 

+   * Don't use replay window for TCP mode (i.e. require that packets be strictly in sequence).

+   */

+  if (link_socket_proto_connection_oriented (options->ce.proto))

+    options->replay_window = options->replay_time = 0;

+#endif

+}

-  if (c->options.remote_list)

+/*

+ * Initialize and possibly randomize connection list.

+ */

+static void

+init_connection_list (struct context *c)

+{

+#ifdef ENABLE_CONNECTION

+  struct connection_list *l = c->options.connection_list;

+  if (l)

     {

-      struct remote_list *l;

-      ALLOC_OBJ_GC (c->c1.remote_list, struct remote_list, &c->gc);

-      l = c->c1.remote_list;

-      *l = *c->options.remote_list;

       l->current = -1;

       if (c->options.remote_random)

-	remote_list_randomize (l);

+	{

+	  int i;

+	  for (i = 0; i < l->len; ++i)

+	    {

+	      const int j = get_random () % l->len;

+	      if (i != j)

+		{

+		  struct connection_entry *tmp;

+		  tmp = l->array[i];

+		  l->array[i] = l->array[j];

+		  l->array[j] = tmp;

+		}

+	    }

+	}

     }

+#endif

+}

+

+/*

+ * Increment to next connection entry

+ */

+static void

+next_connection_entry (struct context *c)

+{

+#ifdef ENABLE_CONNECTION

+  struct connection_list *l = c->options.connection_list;

+  if (l)

+    {

+      if (l->no_advance && l->current >= 0)

+	{

+	  l->no_advance = false;

+	}

+      else

+	{

+	  int i;

+	  if (++l->current >= l->len)

+	    l->current = 0;

+

+	  dmsg (D_CONNECTION_LIST, "CONNECTION_LIST len=%d current=%d",

+		l->len, l->current);

+	  for (i = 0; i < l->len; ++i)

+	    {

+	      dmsg (D_CONNECTION_LIST, "[%d] %s:%d",

+		    i,

+		    l->array[i]->remote,

+		    l->array[i]->remote_port);

+	    }

+	}

+      c->options.ce = *l->array[l->current];

+    }

+#endif

+  update_options_ce_post (&c->options);

 }

 /*

@@ -116,8 +193,41 @@ init_query_passwords (struct context *c)

 #endif

 }

-void

-context_init_1 (struct context *c)

+/*

+ * Initialize/Uninitialize HTTP or SOCKS proxy

+ */

+

+#ifdef GENERAL_PROXY_SUPPORT

+

+static int

+proxy_scope (struct context *c)

+{

+  return connection_list_defined (&c->options) ? 2 : 1;

+}

+

+static void

+uninit_proxy_dowork (struct context *c)

+{

+#ifdef ENABLE_HTTP_PROXY

+  if (c->c1.http_proxy_owned && c->c1.http_proxy)

+    {

+      http_proxy_close (c->c1.http_proxy);

+      c->c1.http_proxy = NULL;

+      c->c1.http_proxy_owned = false;

+    }

+#endif

+#ifdef ENABLE_SOCKS

+  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)

+    {

+      socks_proxy_close (c->c1.socks_proxy);

+      c->c1.socks_proxy = NULL;

+      c->c1.socks_proxy_owned = false;

+    }

+#endif

+}

+

+static void

+init_proxy_dowork (struct context *c)

 {

 #ifdef ENABLE_HTTP_PROXY

   bool did_http = false;

@@ -125,10 +235,73 @@ context_init_1 (struct context *c)

   const bool did_http = false;

 #endif

+  uninit_proxy_dowork (c);

+

+#ifdef ENABLE_HTTP_PROXY

+  if (c->options.ce.http_proxy_options || c->options.auto_proxy_info)

+    {

+      /* Possible HTTP proxy user/pass input */

+      c->c1.http_proxy = http_proxy_new (c->options.ce.http_proxy_options,

+					 c->options.auto_proxy_info);

+      if (c->c1.http_proxy)

+	{

+	  did_http = true;

+	  c->c1.http_proxy_owned = true;

+	}

+    }

+#endif

+

+#ifdef ENABLE_SOCKS

+  if (!did_http && (c->options.ce.socks_proxy_server || c->options.auto_proxy_info))

+    {

+      c->c1.socks_proxy = socks_proxy_new (c->options.ce.socks_proxy_server,

+					   c->options.ce.socks_proxy_port,

+					   c->options.ce.socks_proxy_retry,

+					   c->options.auto_proxy_info);

+      if (c->c1.socks_proxy)

+	{

+	  c->c1.socks_proxy_owned = true;

+	}

+    }

+#endif

+}

+

+static void

+init_proxy (struct context *c, const int scope)

+{

+  if (scope == proxy_scope (c))

+    init_proxy_dowork (c);

+}

+

+static void

+uninit_proxy (struct context *c)

+{

+  if (c->sig->signal_received != SIGUSR1 || proxy_scope (c) == 2)

+    uninit_proxy_dowork (c);

+}

+

+#else

+

+static inline void

+init_proxy (struct context *c, const int scope)

+{

+}

+

+static inline void

+uninit_proxy (struct context *c, const int scope)

+{

+}

+

+#endif

+

+void

+context_init_1 (struct context *c)

+{

   context_clear_1 (c);

   packet_id_persist_init (&c->c1.pid_persist);

-  init_remote_list (c);

+

+  init_connection_list (c);

   init_query_passwords (c);

@@ -156,28 +329,8 @@ context_init_1 (struct context *c)

  }

 #endif

-#ifdef ENABLE_HTTP_PROXY

-  if (c->options.http_proxy_options || c->options.auto_proxy_info)

-    {

-      /* Possible HTTP proxy user/pass input */

-      c->c1.http_proxy = new_http_proxy (c->options.http_proxy_options,

-					 c->options.auto_proxy_info,

-					 &c->gc);

-      if (c->c1.http_proxy)

-	did_http = true;

-    }

-#endif

-

-#ifdef ENABLE_SOCKS

-  if (!did_http && (c->options.socks_proxy_server || c->options.auto_proxy_info))

-    {

-      c->c1.socks_proxy = new_socks_proxy (c->options.socks_proxy_server,

-					   c->options.socks_proxy_port,

-					   c->options.socks_proxy_retry,

-					   c->options.auto_proxy_info,

-					   &c->gc);

-    }

-#endif

+  /* initialize HTTP or SOCKS proxy object at scope level 1 */

+  init_proxy (c, 1);

 }

 void

@@ -407,7 +560,7 @@ do_persist_tuntap (const struct options *options)

     {

       /* sanity check on options for --mktun or --rmtun */

       notnull (options->dev, "TUN/TAP device (--dev)");

-      if (options->remote_list || options->ifconfig_local

+      if (options->ce.remote || options->ifconfig_local

 	  || options->ifconfig_remote_netmask

 #ifdef USE_CRYPTO

 	  || options->shared_secret_file

@@ -684,9 +837,9 @@ initialization_sequence_completed (struct context *c, const unsigned int flags)

   else

     msg (M_INFO, "%s", message);

-  /* Flag remote_list that we initialized */

-  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0 && c->c1.remote_list && c->c1.remote_list->len > 1)

-    c->c1.remote_list->no_advance = true;

+  /* Flag connection_list that we initialized */

+  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0 && connection_list_defined (&c->options))

+    connection_list_set_no_advance (&c->options);

 #ifdef ENABLE_MANAGEMENT

   /* Tell management interface that we initialized */

@@ -1099,7 +1252,7 @@ do_deferred_options (struct context *c, const unsigned int found)

 #ifdef ENABLE_OCC

   if (found & OPT_P_EXPLICIT_NOTIFY)

     {

-      if (c->options.proto != PROTO_UDPv4 && c->options.explicit_exit_notification)

+      if (c->options.ce.proto != PROTO_UDPv4 && c->options.explicit_exit_notification)

 	{

 	  msg (D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");

 	  c->options.explicit_exit_notification = 0;

@@ -1183,25 +1336,25 @@ socket_restart_pause (struct context *c)

   int sec = 2;

 #ifdef ENABLE_HTTP_PROXY

-  if (c->options.http_proxy_options)

+  if (c->options.ce.http_proxy_options)

     proxy = true;

 #endif

 #ifdef ENABLE_SOCKS

-  if (c->options.socks_proxy_server)

+  if (c->options.ce.socks_proxy_server)

     proxy = true;

 #endif

-  switch (c->options.proto)

+  switch (c->options.ce.proto)

     {

     case PROTO_UDPv4:

       if (proxy)

-	sec = c->options.connect_retry_seconds;

+	sec = c->options.ce.connect_retry_seconds;

       break;

     case PROTO_TCPv4_SERVER:

       sec = 1;

       break;

     case PROTO_TCPv4_CLIENT:

-      sec = c->options.connect_retry_seconds;

+      sec = c->options.ce.connect_retry_seconds;

       break;

     }

@@ -1537,7 +1690,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)

   /* should we not xmit any packets until we get an initial

      response from client? */

-  if (to.server && options->proto == PROTO_TCPv4_SERVER)

+  if (to.server && options->ce.proto == PROTO_TCPv4_SERVER)

     to.xmit_hold = true;

 #ifdef ENABLE_OCC

@@ -1584,7 +1737,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)

   /* If we are running over TCP, allow for

      length prefix */

-  socket_adjust_frame_parameters (&to.frame, options->proto);

+  socket_adjust_frame_parameters (&to.frame, options->ce.proto);

   /*

    * Initialize OpenVPN's master TLS-mode object.

@@ -1682,8 +1835,8 @@ do_init_frame (struct context *c)

   /*

    * Adjust frame size for UDP Socks support.

    */

-  if (c->options.socks_proxy_server)

-    socks_adjust_frame_parameters (&c->c2.frame, c->options.proto);

+  if (c->options.ce.socks_proxy_server)

+    socks_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto);

 #endif

   /*

@@ -1697,7 +1850,7 @@ do_init_frame (struct context *c)

    * (Since TCP is a stream protocol, we need to insert

    * a packet length uint16_t in the buffer.)

    */

-  socket_adjust_frame_parameters (&c->c2.frame, c->options.proto);

+  socket_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto);

   /*

    * Fill in the blanks in the frame parameters structure,

@@ -1739,7 +1892,7 @@ do_option_warnings (struct context *c)

   const struct options *o = &c->options;

 #if 1 /* JYFIXME -- port warning */

-  if (!o->port_option_used && (o->local_port == OPENVPN_PORT && o->remote_port == OPENVPN_PORT))

+  if (!o->ce.port_option_used && (o->ce.local_port == OPENVPN_PORT && o->ce.remote_port == OPENVPN_PORT))

     msg (M_WARN, "IMPORTANT: OpenVPN's default port number is now %d, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.",

 	 OPENVPN_PORT);

 #endif

@@ -1793,7 +1946,7 @@ do_option_warnings (struct context *c)

 #endif

 #ifndef CONNECT_NONBLOCK

-  if (o->connect_timeout_defined)

+  if (o->ce.connect_timeout_defined)

     msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS");

 #endif

 }

@@ -1918,10 +2071,12 @@ do_init_socket_1 (struct context *c, const int mode)

 #endif

   link_socket_init_phase1 (c->c2.link_socket,

-			   c->options.local,

-			   c->c1.remote_list,

-			   c->options.local_port,

-			   c->options.proto,

+			   connection_list_defined (&c->options),

+			   c->options.ce.local,

+			   c->options.ce.local_port,

+			   c->options.ce.remote,

+			   c->options.ce.remote_port,

+			   c->options.ce.proto,

 			   mode,

 			   c->c2.accept_from,

 #ifdef ENABLE_HTTP_PROXY

@@ -1933,16 +2088,16 @@ do_init_socket_1 (struct context *c, const int mode)

 #ifdef ENABLE_DEBUG

 			   c->options.gremlin,

 #endif

-			   c->options.bind_local,

-			   c->options.remote_float,

+			   c->options.ce.bind_local,

+			   c->options.ce.remote_float,

 			   c->options.inetd,

 			   &c->c1.link_socket_addr,

 			   c->options.ipchange,

 			   c->plugins,

 			   c->options.resolve_retry_seconds,

-			   c->options.connect_retry_seconds,

-			   c->options.connect_timeout,

-			   c->options.connect_retry_max,

+			   c->options.ce.connect_retry_seconds,

+			   c->options.ce.connect_timeout,

+			   c->options.ce.connect_retry_max,

 			   c->options.mtu_discover_type,

 			   c->options.rcvbuf,

 			   c->options.sndbuf,

@@ -2302,7 +2457,7 @@ do_setup_fast_io (struct context *c)

 #ifdef WIN32

       msg (M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");

 #else

-      if (c->options.proto != PROTO_UDPv4)

+      if (c->options.ce.proto != PROTO_UDPv4)

 	msg (M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");

       else

 	{

@@ -2556,10 +2711,13 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int

   c->sig->signal_text = NULL;

   c->sig->hard = false;

+  /* map in current connection entry */

+  next_connection_entry (c);

+

   /* link_socket_mode allows CM_CHILD_TCP

      instances to inherit acceptable fds

      from a top-level parent */

-  if (c->options.proto == PROTO_TCPv4_SERVER)

+  if (c->options.ce.proto == PROTO_TCPv4_SERVER)

     {

       if (c->mode == CM_TOP)

 	link_socket_mode = LS_MODE_TCP_LISTEN;

@@ -2633,6 +2791,9 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int

   else if (c->mode == CM_CHILD_TCP)

     do_event_set_init (c, false);

+  /* initialize HTTP or SOCKS proxy object at scope level 2 */

+  init_proxy (c, 2);

+

   /* allocate our socket object */

   if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)

     do_link_socket_new (c);

@@ -2825,6 +2986,9 @@ close_instance (struct context *c)

 	/* free up environmental variable store */

 	do_env_set_destroy (c);

+	/* close HTTP or SOCKS proxy */

+	uninit_proxy (c);

+

 	/* garbage collect */

 	gc_free (&c->c2.gc);

       }

@@ -2836,7 +3000,7 @@ inherit_context_child (struct context *dest,

 {

   CLEAR (*dest);

-  switch (src->options.proto)

+  switch (src->options.ce.proto)

     {

     case PROTO_UDPv4:

       dest->mode = CM_CHILD_UDP;

@@ -2952,7 +3116,7 @@ inherit_context_top (struct context *dest,

   dest->c2.es_owned = false;

   dest->c2.event_set = NULL;

-  if (src->options.proto == PROTO_UDPv4)

+  if (src->options.ce.proto == PROTO_UDPv4)

     do_event_set_init (dest, false);

 }

@@ -940,6 +940,7 @@ setenv_str_ex (struct env_set *es,

 	{

 	  const char *str = construct_name_value (name_tmp, val_tmp, &gc);

 	  env_set_add (es, str);

+	  /*msg (M_INFO, "SETENV_ES '%s'", str);*/

 	}

       else

 	env_set_del (es, name_tmp);

@@ -975,6 +976,38 @@ setenv_str_ex (struct env_set *es,

 }

 /*

+ * Setenv functions that append an integer index to the name

+ */

+static const char *

+setenv_format_indexed_name (const char *name, const int i, struct gc_arena *gc)

+{

+  struct buffer out = alloc_buf_gc (strlen (name) + 16, gc);

+  if (i >= 0)

+    buf_printf (&out, "%s_%d", name, i);

+  else

+    buf_printf (&out, "%s", name);

+  return BSTR (&out);

+}

+

+void

+setenv_int_i (struct env_set *es, const char *name, const int value, const int i)

+{

+  struct gc_arena gc = gc_new ();

+  const char *name_str = setenv_format_indexed_name (name, i, &gc);

+  setenv_int (es, name_str, value);

+  gc_free (&gc);

+}

+

+void

+setenv_str_i (struct env_set *es, const char *name, const char *value, const int i)

+{

+  struct gc_arena gc = gc_new ();

+  const char *name_str = setenv_format_indexed_name (name, i, &gc);

+  setenv_str (es, name_str, value);

+  gc_free (&gc);

+}

+

+/*

  * taken from busybox networking/ifupdown.c

  */

 unsigned int

@@ -165,6 +165,9 @@ void setenv_str (struct env_set *es, const char *name, const char *value);

 void setenv_str_safe (struct env_set *es, const char *name, const char *value);

 void setenv_del (struct env_set *es, const char *name);

+void setenv_int_i (struct env_set *es, const char *name, const int value, const int i);

+void setenv_str_i (struct env_set *es, const char *name, const char *value, const int i);

+

 /* struct env_set functions */

 struct env_set *env_set_create (struct gc_arena *gc);

@@ -2619,7 +2619,7 @@ tunnel_server (struct context *top)

 {

   ASSERT (top->options.mode == MODE_SERVER);

-  switch (top->options.proto) {

+  switch (top->options.ce.proto) {

   case PROTO_UDPv4:

     tunnel_server_udp (top);

     break;

@@ -149,7 +149,7 @@ check_send_occ_req_dowork (struct context *c)

 {

   if (++c->c2.occ_n_tries >= OCC_N_TRIES)

     {

-      if (c->options.remote_list)

+      if (c->options.ce.remote)

 	/*

 	 * No OCC_REPLY from peer after repeated attempts.

 	 * Give up.

@@ -369,7 +369,7 @@ process_received_occ_msg (struct context *c)

 	       c->c2.max_send_size_remote,

 	       c->c2.max_recv_size_local);

 	  if (!c->options.fragment

-	      && c->options.proto == PROTO_UDPv4

+	      && c->options.ce.proto == PROTO_UDPv4

 	      && c->c2.max_send_size_local > TUN_MTU_MIN

 	      && (c->c2.max_recv_size_remote < c->c2.max_send_size_local

 		  || c->c2.max_recv_size_local < c->c2.max_send_size_remote))

@@ -466,11 +466,16 @@ If specified, OpenVPN will bind to this address only.

 If unspecified, OpenVPN will bind to all interfaces.

 .\"*********************************************************

 .TP

-.B --remote host [port]

+.B --remote host [port] [proto]

 Remote host name or IP address.  On the client, multiple

 .B --remote

 options may be specified for redundancy, each referring

-to a different OpenVPN server.

+to a different OpenVPN server.  Specifying multiple

+.B --remote

+options for this purpose is a special case of the more

+general connection-profile feature.  See the

+.B <connection>

+documentation below.

 The OpenVPN client will try to connect to a server at

 .B host:port

@@ -478,6 +483,10 @@ in the order specified by the list of

 .B --remote

 options.

+.B proto

+indicates the protocol to use when connecting with the

+remote, and may be "tcp" or "udp".

+

 The client will move on to the next host in the list,

 in the event of connection failure.

 Note that at any given time, the OpenVPN client

@@ -527,10 +536,124 @@ chosen, providing a sort of basic load-balancing and

 failover capability.

 .\"*********************************************************

 .TP

+.B <connection>

+Define a client connection

+profile.  Client connection profiles are groups of OpenVPN options that

+describe how to connect to a given OpenVPN server.  Client connection

+profiles are specified within an OpenVPN configuration file, and

+each profile is bracketed by

+.B <connection>

+and

+.B </connection>.

+

+An OpenVPN client will try each connection profile sequentially

+until it achieves a successful connection.  

+

+.B --remote-random

+can be used to initially "scramble" the connection

+list.

+

+Here is an example of connection profile usage:

+

+.RS

+.ft 3

+.nf

+.sp

+client

+dev tun

+

+<connection>

+remote 198.19.34.56 1194 udp

+</connection>

+

+<connection>

+remote 198.19.34.56 443 tcp

+</connection>

+

+<connection>

+remote 198.19.34.56 443 tcp

+http-proxy 192.168.0.8 8080

+http-proxy-retry

+</connection>

+

+<connection>

+remote 198.19.36.99 443 tcp

+http-proxy 192.168.0.8 8080

+http-proxy-retry

+</connection>

+

+persist-key

+persist-tun

+pkcs12 client.p12

+ns-cert-type server

+verb 3

+.ft

+.LP

+.RE

+.fi

+

+First we try to connect to a server at 198.19.34.56:1194 using UDP.

+If that fails, we then try to connect to 198.19.34.56:443 using TCP.

+If that also fails, then try connecting through an HTTP proxy at 

+192.168.0.8:8080 to 198.19.34.56:443 using TCP.  Finally, try to

+connect through the same proxy to a server at 198.19.36.99:443

+using TCP.

+

+The following OpenVPN options may be used inside of

+a

+.B <connection>

+block:

+

+.B bind,

+.B connect-retry,

+.B connect-retry-max,

+.B connect-timeout,

+.B float,

+.B http-proxy,

+.B http-proxy-option,

+.B http-proxy-retry,

+.B http-proxy-timeout,

+.B local,

+.B lport,

+.B nobind,

+.B port,

+.B proto,

+.B remote,

+.B rport,

+.B socks-proxy, and

+.B socks-proxy-retry.

+

+A defaulting mechanism exists for specifying options to apply to

+all

+.B <connection>

+profiles.  If any of the above options (with the exception of

+.B remote

+) appear outside of a

+.B <connection>

+block, but in a configuration file which has one or more

+.B <connection>

+blocks, the option setting will be used as a default for

+.B <connection>

+blocks which follow it in the configuration file.

+

+For example, suppose the

+.B nobind

+option were placed in the sample configuration file above, near

+the top of the file, before the first

+.B <connection>

+block.  The effect would be as if

+.B nobind

+were declared in all

+.B <connection>

+blocks below it.

+

+.\"*********************************************************

+.TP

 .B --remote-random

 When multiple

 .B --remote

-address/ports are specified, initially randomize the order of the list

+address/ports are specified, or if connection profiles are being

+used, initially randomize the order of the list

 as a kind of basic load-balancing measure.

 .\"*********************************************************

 .TP

@@ -138,7 +138,7 @@ main (int argc, char *argv[])

 #endif

 	  /* initialize options to default state */

-	  init_options (&c.options);

+	  init_options (&c.options, true);

 	  /* parse command line options, and read configuration file */

 	  parse_argv (&c.options, argc, argv, M_USAGE, OPT_P_DEFAULT, NULL, c.es);

@@ -169,7 +169,7 @@ main (int argc, char *argv[])

 	    break;

 	  /* sanity check on options */

-	  options_postprocess (&c.options, c.first_time);

+	  options_postprocess (&c.options);

 	  /* show all option settings */

 	  show_settings (&c.options);

@@ -158,9 +158,6 @@ struct context_1

   /* persist crypto sequence number to/from file */

   struct packet_id_persist pid_persist;

-  /* array of remote addresses */

-  struct remote_list *remote_list;

-

   /* TUN/TAP interface */

   struct tuntap *tuntap;

   bool tuntap_owned;

@@ -175,11 +172,13 @@ struct context_1

 #ifdef ENABLE_HTTP_PROXY

   /* HTTP proxy object */

   struct http_proxy_info *http_proxy;

+  bool http_proxy_owned;

 #endif

 #ifdef ENABLE_SOCKS

   /* SOCKS proxy object */

   struct socks_proxy_info *socks_proxy;

+  bool socks_proxy_owned;

 #endif

 #if P2MP

@@ -619,21 +619,25 @@ static const char usage_message[] =

  * will be set to 0.

  */

 void

-init_options (struct options *o)

+init_options (struct options *o, const bool init_gc)

 {

   CLEAR (*o);

-  gc_init (&o->gc);

+  if (init_gc)

+    {