[nerdbert]

They're going to freeze the whole data center? It's rack after rack of machines that the traffic could have passed through, right? And if they're not logging IPs to RAM then they only have a fraction of a second to get the right one before the register is overwritten with the next user's info.

[mlyle]

You do need to know where to send the user's return traffic, so you'll need a table ultimately comprising mappings of network flows to end-user addresses. Of course, once the flows close you don't need to retain this information. In practice, you'll also need information about all currently-open VPN sessions.