Hi,

It seems ocserv is considering connections over a UNIX socket as coming from "localhost". This causes some erroneous decisions later in the code, as seen in the logs:

    ...
    ocserv: added 1 points (total 1) for IP 'localhost' to ban list
    ocserv: localhost error in getting TCP_MAXSEG: Operation not supported
    ...

I think ocserv should look for an 'X-Forwarded-For' header, and use the left-most IP address for routing decisions, and the right-most IP address as the client's original IP address. This should be a configurable behavior that is off by default, as the header can be spoofed as long as the administrator does not take special precautions (i.e. protect ocserv from direct access).

Another issue with listen-clear-file is that the file-mode and permissions on the socket should be configurable. In my setup I see that both ocserv and haproxy strip their additional groups, making it impossible to tune group membership to solve this.

Regards,
Claudio