Here's the summary of the IRC meeting.



Place: #openvpn-meeting on irc.freenode.net
Date: Wednesday 20th March 2019
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:


The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as



cron2, dazo, janjust, mattock, ordex, plaisthos and syzzer participated
in this meeting.


Discussed the OpenVPN T-shirts. Mattock has them but has
(unsurprisingly) been extremely slow in starting the shipping process.
Fortunately there's a deadline which mattock needs to meet [for a big
chunk of the shirts] and that deadline is quickly approaching.

If you've been promised a T-shirt and you have not sent your postal
address to mattock: please send it now.


Discussed the Windows MSI PR in openvpn-build:


Mattock will try out the cures to the tar.exe problem suggested by Selva
and report back. Once that problem is fixed everyone seems to feel
comfortable with merging the PR.


Discussed the Travis-CI base OS update PR:


No obvious problems were spotted in it and mattock merged it during the


Discussed tap-windows6 HLK testing / WHQL certification. Not much has
happened: we're close, but not there yet. Stephen said he'd be able to
pick up pace soon.

Some internal pressure is building up at OpenVPN Inc. because right now
we're prevented from building new tap-windows6 versions, even for
trivial reasons like changing the driver name as seen by Windows.

Mattock is leaning towards setting up a dedicated HLK testing
environment in-house, as outsourcing the testing would probably involve
considerable overhead (plus considerable fixed costs for each release/OS
combination). Also, we'd need to understand the test setup in order to
document it for the outsourcing company. Mattock will reopen discussions
about getting a Windows Server 2016 box for this purpose.


Discussed the current meeting schedule, which seems to be suboptimal for
some. Ordex will create a Doodle poll to understand what options we have.


Discussed our OpenVPN 2.5 patch backlog. People are trying to pick up
pace, but that has proven to be quite difficult.


Full chatlog attached.

(12:28:46) The topic of #openvpn-meeting is: Next meeting on 13/Feb/2019 at 
11:30CET. Agenda at https://community.openvpn.net/openvpn/wiki/Topics-2019-02-13
(12:28:46) The topic for #openvpn-meeting was set by 
ordex!~linux...@open-mesh.org/batman/ordex at 11:35:02 on 13/02/2019
(12:30:56) ordex: meeting ?
(12:31:00) mattock: yes
(12:31:06) ***syzzer present :)
(12:31:15) mattock: hi syzzer and ordex!
(12:32:17) janjust [~janjust@openvpn/community/support/janjust] has entered the 
(12:32:48) syzzer: hi mattock1 :)
(12:32:55) janjust: hi all
(12:33:06) ordex: hi
(12:33:11) ordex: dazo said will be a bit late
(12:33:44) mattock: do we have our leader, cron2? :P
(12:33:48) janjust: hi mattock1 , just a quick question before we start: I've 
not received the hackathon t shirt yet. did you send it already?
(12:34:27) mattock: no, I have been shamefully slow
(12:34:34) mattock: but I do have a deadline and it is almost here
(12:34:40) janjust: no problem :)
(12:34:56) janjust: I just wanted to know if I should start badgering some 
postal people 
(12:35:15) ordex: mattock1: does it mean you will send the first day after the 
deadline ?
(12:35:15) ordex: :D
(12:35:30) ordex: oh I have an address in EU if you want to send something to 
me too :-P
(12:35:36) janjust: hehe
(12:35:56) mattock: ordex: you're absolutely correct there! :D
(12:36:02) cron2_: ho
(12:36:03) cron2_: sorry
(12:36:06) mattock: I will postpone until I have to send the T-shirts with 
super-express-fast mail
(12:36:09) mattock: :P
(12:36:13) cron2_: got stuck in a meeting
(12:36:16) janjust: yo syzzer , btw: I am still digging into that 'auth token 
before payload' question. The *spec* might state that it is sent first, but I 
cannot find it in the *code*
(12:36:47) janjust: mattock1, just do a world tour to drop by each of us 
individually with a gift-wrapped shirt
(12:36:51) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2019-03-20
(12:36:52) vpnHelper: Title: Topics-2019-03-20 – OpenVPN Community (at 
(12:37:11) janjust: hiya cron2_ 
(12:37:16) mattock: janjust: that's an idea :)
(12:37:34) janjust: most expensive hackathon t shirt ever :)
(12:37:36) ***cron2_ sees syzzer and ordex - cool :)
(12:37:48) mattock: added one topic to the list
(12:37:55) mattock: anything to add to the topic list?
(12:38:30) janjust: I've got something I'd like to discuss, but could be done 
on the devel list also
(12:38:48) ordex: list looks good to me
(12:39:13) ordex: I just have an update on transport-api - will fit in #1
(12:39:21) syzzer: janjust: auth token is something david and arne know more 
about than me
(12:39:26) syzzer: I just reviewed the original patch
(12:39:44) janjust: syzzer, nah not *that* auth token, it's about the packet 
format question from Pieter
(12:39:57) syzzer: ah, the tag
(12:40:08) janjust: ah right, the auth *tag*
(12:40:39) ordex: :D
(12:40:56) syzzer: so, #1 ?
(12:40:58) mattock: yes
(12:41:05) mattock: https://github.com/OpenVPN/openvpn-build/pull/141
(12:41:08) mattock: MSI PR
(12:41:08) vpnHelper: Title: Windows MSI Packaging by rozmansi · Pull Request 
#141 · OpenVPN/openvpn-build · GitHub (at github.com)
(12:41:11) janjust: question/topic I'd like to add:   is there any way that an 
OpenVPN client can determine the version of the OpenVPN server it is connecting 
to?  If not, how easy is it to add?
(12:41:32) cron2_: it's a question on whether we want it
(12:41:46) cron2_: if you enable push-peer-info on the server, you get all the 
peer-info variables on the client
(12:41:53) cron2_: like IV_VER
(12:42:10) janjust: huh? I thought that was a one-way thing... client-> server 
only.  Let me test that
(12:42:18) cron2_: "back then" we decided that we want to send data 
client->server always, and server->client only on request
(12:42:32) janjust: ah okay... question answered for now :)
(12:42:36) janjust: thx cron2_ 
(12:42:41) cron2_: janjust: the actual handshake is symmetric in that regard 
(as it comes from the peer-to-peer mode times)...
(12:44:52) cron2_: reading the discussion in pr 141 now...
(12:46:55) mattock: I would be inclined to just merge PR#141 unless we can spot 
some obvious problems in the review comments - the tar.exe issue could be 
counted as one, though
(12:47:14) mattock: documenting or fixing it as Selva proposes would be good
(12:48:40) janjust: just reading it: if I understand correctly, we need GNU tar 
otherwise it breaks, right?
(12:49:12) mattock: yes, at the moment
(12:49:25) mattock: and in powershell tar.exe is some bsd tar variant
(12:49:32) janjust: how about requiring gtar.exe then  - that should always be 
gnu tar
(12:50:04) mattock: that's probably a good approach if we can't fix the problem
(12:50:04) janjust: plus, you can then probably do stuff like "gtar xzf ..." 
(12:50:25) mattock: what I can do is test the fix proposals and report back
(12:50:37) janjust: +1
(12:50:51) mattock: but besides that one problem: do you guys feel comfortable 
in merging that mega-PR?
(12:51:00) cron2_: yes
(12:51:00) mattock: I would, as it is well-isolated from the rest of the build
(12:51:03) mattock: ok good
(12:51:16) mattock: then we would have full MSI support in "master" (openvpn + 
(12:51:19) cron2_: the msi itself got quite a bit of testing from tincantech 
(thanks), and you tested building
(12:51:28) mattock: yeah
(12:51:38) mattock: enough of MSI then :P
(12:51:39) janjust: I tested earlier revs of the msi
(12:51:47) cron2_: of course we need to test more :-) - like "produce .msi from 
the buildslaves from now on", so we'll find the remaining warts
(12:51:50) janjust: and it seems the way forward for windows installs anyways
(12:52:25) mattock: I'm actually wondering if we should at some point switch to 
building OpenVPN for Windows on Windows... 
(12:53:04) mattock: the process with MSI is getting convoluted (cross-compile 
on linux, sign on linux or windows, package on windows)
(12:53:19) janjust: has advantages but definitely also disadvantages... "back 
then" openvpn on windows could be built only using visual studio, iirc
(12:53:21) mattock: plus linux code-signing is soon going to stop working
(12:53:23) cron2_: I hear you :-) - as long as I do not have to point and click 
somewhere and can get meaningful results out of a build failure, "works for 
(12:53:38) ordex: can we use a windows host from corp for that?
(12:54:03) cron2_: mingw right now is nice because I can ssh to it, run 
"build-snapshot" and have normal unixy error messages, git, ...
(12:54:04) mattock: I already have a Vagrant-based VM in openvpn-build 
("msibuilder"), but yes, we could have a more static node
(12:54:30) mattock: cron2: yeah, I'm not looking forward to the move to Windows 
 building, either
(12:54:40) ***dazo is here
(12:54:43) mattock: hi dazo!
(12:55:03) mattock: anyways, we don't need to make any decisions now - just 
something to keep in mind
(12:55:13) mattock: next topic?
(12:55:13) cron2_: yes
(12:55:29) mattock: https://github.com/OpenVPN/openvpn-build/pull/149
(12:55:30) vpnHelper: Title: travis-ci: switch to xenial image by chipitsine · 
Pull Request #149 · OpenVPN/openvpn-build · GitHub (at github.com)
(12:55:53) mattock: a similar thing was done for openvpn's travis, right?
(12:55:59) cron2_: I'm a bit confused about that - as in "I was not aware that 
we have travis-y things for openvpn-build"
(12:56:02) cron2_: what does that do?
(12:56:41) cron2_: (as a side note: syzzer, do we want to have the 3 
travis-related patches in release/2.4 as well?  your ACK :) )
(12:57:24) plaisthos: sorry, completely missed the meeting
(12:57:28) mattock: it runs openvpn-build (generic and windows-nsis)
(12:57:45) mattock: so similar to the old "windows buildslave", but does not 
produce any artefacts
(12:58:12) syzzer: cron2_: yeah, those can go into 2.4 too
(12:59:01) plaisthos: syzzer: davids want me to rename 
--auth-token-secret-genky to --genkey-auth-token-secret. I named it after 
--tls-crypt-v2-genkey. If we do that I would also rename that one to 
--genkey-tls-crypt-v2? Any opinions on that? (I don't care much either way as 
long as it is consistent)
(12:59:08) cron2_: mattock1: if you understand what that does, I'm fine with 
the patch :)
(12:59:18) cron2_: syzzer: ok, good
(12:59:20) ordex: mattock1: so it basically means that is just tests that the 
build still works
(12:59:23) cron2_: I'll merge that into one...
(12:59:29) ordex: seems good to have :)
(12:59:36) plaisthos: janjust: what's your question on auth token?
(12:59:41) syzzer: plaisthos: we had that discussion too when I introduced the 
(12:59:51) janjust: plaisthos, nah, is a question on auth *tag*
(12:59:59) ordex: if that travis-ci.yml has been tested, I think it makes sense 
to merge the PR
(13:00:01) mattock: cron2: I try not to understand Travis-CI, but I hear you :P
(13:00:03) syzzer: I strongly prefer namespacing per functionality. ie, group 
all tls-crypt stuff
(13:00:35) dazo: syzzer: the challenge comes with --auth-gen-token-genkey ... 
which gets a lot of gen
(13:00:40) janjust: syzzer +
(13:00:41) janjust: +1
(13:01:20) syzzer: dazo, then get rid of the extra gen?
(13:01:24) syzzer: why is it in there anyway
(13:01:34) dazo: because we have the function --auth-gen-token
(13:01:36) syzzer: --auth-token-genkey
(13:01:36) janjust: although --tls-crypt-v2-genkey is ugly IMHO with the v2 in 
there :)
(13:01:52) dazo: syzzer: and --auth-token is what the client receives via 
(13:01:56) mattock: merged https://github.com/OpenVPN/openvpn-build/pull/149
(13:01:57) vpnHelper: Title: travis-ci: switch to xenial image by chipitsine · 
Pull Request #149 · OpenVPN/openvpn-build · GitHub (at github.com)
(13:02:08) mattock: change of topic on the fly, but that's good :P
(13:03:52) syzzer: that whole group should have been --auth-token-* to prevent 
that, but that's too late :p
(13:03:52) dazo: syzzer: --auth-token goes back to v2.1 days .... 
--auth-gen-token is a new v2.4 feature, where openvpn server can generate 
tokens sent as --auth-token to the client
(13:03:52) plaisthos: janjust: oh then it is more for syzzer, syzzer answer 
that I would know more about it seems like it was auth-token
(13:03:53) janjust: plaisthos, yes my bad... auth tag, auth token... we are 
good at confusing ourselves with nomenclature, it seems :)
(13:04:00) plaisthos: but yes, I would agree that tag after encrypted is better 
for hw implementation
(13:04:26) dazo: syzzer: so since we have --genkey for the static secrets, we 
could have --genkey-tls-crypt-v2 and --genkey-auth-token ... which groups the 
usage .... all of these are also "single operations"
(13:05:02) syzzer: that
(13:05:36) syzzer: that's not really a group, just similar things for different 
(13:06:51) janjust: plaisthos, my suspicion is that that is exactly what we're 
doing for AEAD, regardless of what the spec says; I just need to prove it :)
(13:07:00) syzzer: janjust: no
(13:07:06) syzzer: we are putting the tag in front
(13:07:18) syzzer: I didn't like it, but it's what we're doing
(13:07:39) ordex: from the user perspective all the --genkey-* might be seen as 
"this is the group of things I can generate and put in the config" .. so it 
makes some sense, but I guess we have to deal with our legacy :)
(13:07:44) janjust: tag = HMAC key?
(13:07:52) ordex: should we go back to our agenda?
(13:07:58) janjust: ordex: yes
(13:08:23) ordex: I wanted to add to #1:
(13:08:30) syzzer: (janjust: no, the key should never be on the wire ;-) )
(13:09:00) ordex: Operator Foundation picked up plaisthos' reviews for the 
transport-api and dropped on me some *new* patches. I will integrate them with 
the original PR (some rebase and squash) and post a v2 of the patchset in a 
week or so
(13:09:11) dazo: syzzer: that's just a different view ... I see it as a group 
of "generate keys" when it starts with --genkey .... you want to group all 
operations of features, prefixed by the feature
(13:09:13) janjust: ah nomenclature again!!!  let's take that offline for now
(13:10:58) syzzer: let's move the name bikeshedding to the end of the meeting 
indeed :)
(13:11:06) janjust: dazo, I see your point, but in that case I would suggest to 
use --genkey  for all of them and add an option to that parameter to specify 
what you're generating, e.g.   --genkey   authtoken ,  --genkey  tls-crypt, 
--genkey tls-crypt-v2 etc
(13:13:11) ordex: #2 ?
(13:13:21) dazo: janjust: that's a good alternative as well
(13:16:25) mattock: so bikeshed outside of the meeting? :P
(13:16:34) mattock: and move to #2 as suggested by ordex?
(13:16:34) dazo: I'm fine with that
(13:16:37) dazo: yeah
(13:16:44) syzzer: :-#
(13:16:47) mattock: #2 is quick
(13:17:05) mattock: stephen expects to pick up the pace soon
(13:17:15) mattock: but no particular measurable progress
(13:18:50) mattock: I've started to get some pressure from the company about 
(13:19:16) mattock: basically there's the need to rename the tap-windows6 
driver but right now it is not possible because of the WHQL thingy 
(13:19:51) mattock: rename the driver as seen by Windows, that is
(13:20:51) mattock: I'm also thinking that the least bad solution would be to 
setup our own physical HLK test environment once Stephen has documented all the 
special knobs in his
(13:21:14) mattock: I was not particularly impressed by the HLK test 
outsourcing company tbh
(13:21:57) mattock: lots of overhead in getting even the basic things right
(13:21:57) cron2_: oops
(13:22:06) ***cron2_ got sucked away for 20 minutes... "I'm back"
(13:22:17) mattock: time for tap-windows6 updates
(13:22:21) mattock: anything to add to ^^^
(13:23:05) ordex: < mattock1> I was not particularly impressed by the HLK test 
outsourcing company tbh <<< didn't we quit this long time ago?
(13:23:43) mattock: I mean even the basic HLK testing part
(13:23:54) mattock: the bugs in tap-windows6 were way beyond their capability
(13:24:06) mattock: but assuming those are all fixed - they would probably 
still struggle with the testing
(13:24:14) mattock: setting up the environment etc.
(13:24:18) cron2_: mattock1: no news from my side, waiting for stephen.  He had 
some issues with bridging and timing, and I'm not sure what came out of that yet
(13:24:38) cron2_: and indeed, what mattock1 says - the test rig needed for 
tap-windows HLK testing is complicated
(13:25:28) cron2_: after we reach the "all tests pass!" bit we need to merge 
Stephen's enhancements and try to actually rebuild a test environment so we can 
reproduce the results...
(13:25:46) mattock: yeah, and at that point why would we need to outsource the 
work? :P
(13:25:51) cron2_: (of course if I say "we" it means "mattock does the work" 
(13:25:58) mattock: well that is the case obviously :D
(13:26:02) ordex: :D
(13:26:15) mattock: I worked a lot with HLK when I still tried to make it work 
myself, and the env setup is puppetized
(13:26:26) mattock: so that's perfectly acceptable, even though I'm not looking 
forward to it :D
(13:26:55) mattock: I'll send email about getting a Windows Server 2016 box 
(13:27:00) cron2_: right now the setup needs a modified openvpn server as 
bridge, so that needs quite a bit of documentation :)
(13:29:55) mattock: yep
(13:30:18) mattock: I can model the environment in Vagrant as usual, but for 
actual HLK tests we need real hardware
(13:30:28) mattock: ok one hour mark reached
(13:30:32) mattock: done for today?
(13:30:55) mattock: anything else to discuss?
(13:30:59) cron2_: two quick things
(13:31:02) mattock: ok
(13:31:13) cron2_: a) meeting schedule - shall we stick to this time slow, now 
that ordex is in europe again?
(13:31:29) ordex: *slot
(13:31:40) cron2_: I would *prefer* an evening time slot (8 pm local time), but 
I can live with what we have
(13:31:45) mattock: what does "ordex is in europe again" mean?
(13:31:47) syzzer: the current timeslot is suboptimal for me
(13:31:54) cron2_: mattock1: living in italy
(13:32:03) mattock: oh, I did not know that
(13:32:09) ordex: mattock1: it means that having the meeting in the evening is 
feasible again
(13:32:14) ordex: ah
(13:32:18) cron2_: right :)
(13:32:28) ordex: mattock1: sorry - not advertise that much :D
(13:32:31) ordex: *did not
(13:32:36) mattock: no problem!
(13:32:47) cron2_: dazo, plaisthos: what about you?
(13:32:59) mattock: I'm not sure if it is the time, but years ago our evening 
meetings seemed to have more people in them (in generla)
(13:33:01) mattock: general
(13:33:12) mattock: or maybe it was just the fact that we had regular meetings 
(13:33:51) janjust: I suppose we have a chance of seeing James if the time slot 
is 8 pm munich time ;)
(13:34:10) syzzer: that too
(13:34:20) syzzer: so, evening again?
(13:34:21) plaisthos: I am often away in the evening so no idea how often I can 
make it
(13:34:25) dazo: To be honest, James is focused on quite larger projects these 
days, which doesn't touch openvpn 2.x at all
(13:34:26) ordex: we could try to move it back to 8pm and see how it goes ?
(13:34:50) plaisthos: I also don't really expect James to join and really focus 
on our meetings
(13:34:53) ordex: plaisthos: you can drink your beer later :-P
(13:34:53) cron2_: +1 :) - which day?  monday, wednesday, thursday work for me
(13:35:03) ordex: stick to Wed?
(13:35:04) mattock: we haven't _needed_ james in many years in OpenVPN 2.x
(13:35:05) dazo: The company is pleased how the community develops and 
maintains OpenVPN 2.x so far ... plaisthos might come with features important 
for Access Server every now and then, but that's essentially it
(13:35:07) janjust: "quite larger projects" dazo?    sounds intriguing
(13:35:25) ordex: janjust: corp private/closed things..not much to play with :-P
(13:35:26) mattock: plus for some odd reasons we don't have any OpenVPN 2.x 
core developers from the U.S.
(13:35:29) plaisthos: I have fencing on monday and wednesday between 19:30 and 
22:00 CET
(13:35:38) cron2_: mattock1: actually we have - Selva
(13:35:45) mattock: oh yes forgot
(13:35:48) dazo: janjust: can't say too much ... but we're extending and making 
the Private Tunnel a lot, making it more suitable for the business market
(13:35:49) mattock: well Canada
(13:36:01) cron2_: "us-ish time zone" :)
(13:36:08) ordex: how about Tue or Thur then ?
(13:36:19) mattock: for me a meeting during daytime is better, but when exactly 
 - I don't care much
(13:36:22) cron2_: tue I won't be home before 20:30
(13:36:38) ordex: shall we do a doodle? it seems easier
(13:36:41) ***dazo double checks calendar
(13:36:49) syzzer: Mon doesn't work for me, so that leaves Wed or Thu
(13:37:09) ordex: Wed doesn't work for plaisthos 
(13:37:11) cron2_: we seem to be converging already... who can not make Thu 8pm?
(13:37:14) ordex: Thur then ?
(13:37:19) mattock: I can't
(13:37:20) syzzer: oh, no, plaisthos can't make Wed
(13:37:20) dazo: Monday is not possible for me either .... generally 
Tue-Wed-Thu are best ... but double checking
(13:37:32) ordex: :D
(13:37:36) ***ordex jumps
(13:38:01) cron2_: ordex: can you set up a doodle (with the "maybe" option 
enabled) and mail it around? ;-)
(13:38:08) syzzer: Thu 20:00 CE(S)T works for me
(13:38:13) mattock: let's do doodle
(13:38:16) dazo: I can manage Thu but would prefer Tue ... as that day is 
already typically a meeting day on my end
(13:38:28) ordex: cron2_: yeah will take care of that
(13:38:37) ordex: ok, let's stop the craziness here :D and stay tuned for a 
(13:38:39) dazo: I might not manage every Thu, but probably most
(13:38:47) dazo: thx ordex!
(13:38:49) cron2_: ordex: thanks
(13:38:51) ordex: np
(13:38:52) ordex: lunch time !
(13:39:00) syzzer: ordex++
(13:39:10) cron2_: ok, b) - how's your plans wrt moving forward with our heap 
of patches for 2.x?  Anyone with free time?
(13:39:46) syzzer: cron2_: not much free time on my end :(
(13:40:21) syzzer: I do try to pick it up again, but it's not been very 
successful yet...
(13:40:48) cron2_: syzzer: who do we need to bribe, threaten, ... to improve 
things? ;-)
(13:41:01) cron2_: (OTOH the snowboard season is over...)
(13:41:18) mattock: ordex: in your doodle poll: can you include european 
day-times as well?
(13:42:19) plaisthos: even our local ski resort is still open 
(13:42:25) plaisthos: (and filled with Dutch people)
(13:42:50) cron2_: we went boarding last sunday and it was Just Too Warm 
there... (though the snow was still nice)
(13:43:49) ***janjust sees that this meeting is now *definitely* over
(13:43:58) cron2_: janjust: enjoy lunch :)
(13:44:06) janjust: thx you too... until next time
(13:44:44) mattock: until next week - I won't be sending any invites
(13:44:57) mattock: we're schedule until 3rd Apr
(13:45:00) mattock: scheduled
(13:45:19) mattock: summary coming up soon
