Talked about the possible DoS attack on the forums a few days ago.
Investigation of what happened is still ongoing. It is possible that it
was just a misbehaving bot (happens occasionally on community/trac).

This possible DoS attack was mitigated by turning on CloudFlare
temporarily. This caused some bad blood in the community. We'll continue
the discussion once we know exactly what happened.


Discussed tap-windows6 HLK testing. Mattock will set up a physical HLK
environment in his office. Developers can experiment with trying to make
tap-windows6 appear as a virtual device, as described in last meeting


These two approaches ("make it virtual", "build physical HLK
environment") can and will go hand-in-hand. It is known that sgstair and
jamallx made all the (mandatory) tests pass using a physical HLK
environment, so that route is "guaranteed" to work, unlike the "make it
virtual" route.


Discussed dropping TAP support from Windows. Agreed that it can happen
in 2.6 at the earliest (if at all). Tons of people are probably using TAP.
It was also agreed that if TAP support were ever dropped, it would be
best to just migrate to wintun altogether.


Talked about wintun. Agreed that having wintun support as an option in
OpenVPN 2.5 makes perfect sense. Lev is adding wintun support to OpenVPN
2 right now.


The next mini-hackathon will be arranged on Friday next week (7th June),
starting in the European morning. As usual, it will focus on OpenVPN 2.5 work.


Dazo is soon going to announce the public availability of openvpn3-linux
client v6 apt repositories for Debian and Ubuntu.


(12:30:20) syzzer: meeting today?
(12:32:01) plaisthos: I think so but I got to go in 20 minutes
(12:32:33) ***dazo is here
(12:32:54) syzzer: https://community.openvpn.net/openvpn/wiki/Topics-2019-05-29
(12:32:56) vpnHelper: Title: Topics-2019-05-29 – OpenVPN Community (at 
(12:33:05) mattock: howdy!
(12:33:25) mattock: syzzer: if there was an invite, there will be a meeting, 
people present or no :)
(12:33:32) mattock: ok so
(12:33:45) mattock: let me start with something outside of the topic list, ok?
(12:33:55) dazo: sure
(12:34:25) mattock: so, forums was attacked a few days ago
(12:34:33) mattock: or maybe it was just a badly behaving bot
(12:34:41) dazo: yikes
(12:34:57) mattock: ecrist is investigating the root cause, but so far no 
(12:35:27) syzzer: attacked as in DoS, or compromise?
(12:35:34) mattock: DoS
(12:35:43) mattock: novaflash (one of our employees) turned on CloudFlare on 
forums temporarily to stop the attack, and on request of ecrist CloudFlare is 
disabled again now
(12:36:35) mattock: ecrist was strongly opposed to turning on CloudFlare
(12:36:41) syzzer: ah, sucks, but shit happens
(12:36:54) ordex: ay ay 
(12:37:45) lev__: hello
(12:38:03) mattock: the main result of this was that ecrist and novaflash 
rubbed each other the wrong way
(12:38:16) syzzer: I have no opinion on the cloudflare thing
(12:38:28) ordex: rubbed each other ?
(12:38:40) mattock: both were pissed at each other basically
(12:38:46) ordex: ah ok :D
(12:39:15) mattock: so, I suggest we wait for ecrist's analysis and then think 
about what to do in the long run
(12:39:31) mattock: if this was just a bot, then cloudflare would be kind of 
(12:40:05) mattock: I think that covers it
(12:40:25) mattock: tap-windows6 next? from 
(12:40:26) vpnHelper: Title: Topics-2019-05-29 – OpenVPN Community (at 
(12:40:57) plaisthos: From my side I don't have much. But I will post a patch 
set for OpenVPN 2.x to teach it the things needed for doing SSO via web and 
challenge/response without reconnect. Both features depend on using management. 
It is more an AS feature (or who else wants to implement it), client side is in 
OpenVPN for Android
(12:40:59) dazo: I fully and completely understand the resistance to CF (my 
Friday lost hours fighting it as well in a not related issue) ... it really can 
be a pain ... but also a life saver when shit hits the fan ... As long as our 
sites are properly secured and can tackle a storm, I don't care that much how 
we reach that goal.  But if the solution in use is painful to work with on a 
day-to-day basis, well, then we need something different
(12:41:53) dazo: tap-windows6 ... yes :)
(12:42:00) mattock: ok
(12:42:34) mattock: so, in last mini-hackathon rozmansi suggested that _maybe_ 
it would be possible to modify the driver's parameters so that we could skip 
the NDISTest suite (which requires support machine etc.)
(12:42:59) mattock: rozmansi is busy until end of this year, but he did say 
he'd take a quick stab at that to see if he gets lucky
(12:43:27) mattock: because there are no guarantees, I have assembled lots of 
stuff (computers, cables, switches) to build a physical HLK environment in my 
own office
(12:43:49) mattock: unfortunately getting that stuff from the company has 
historically been really painful, and I do want to get this thing done a.s.a.p.
(12:43:53) ordex: mattock1: I think lev__ proposed a patch along this direction?
(12:43:56) dazo: can we sync up with what wintun does?  I just feels like they 
managed to pull through this signing stuff incredibly quickly
(12:44:12) mattock: I don't mind if somebody researches that, but I'm not 
waiting any longer :P
(12:44:29) mattock: we know that tap-windows6 can pass the HLK test suite if 
HLK is running on physical computers
(12:44:56) mattock: if any of you guys (ping lev?) have spare time to 
experiment with this I welcome the help
(12:45:13) lev__: well wintun doesn't do tap
(12:45:30) dazo: but is TAP mode really relevant?
(12:45:37) mattock: rozmansi provided a patch to tap-windows6 that attempts to 
make HLK believe that tap-windows6 is a virtual network device
(12:45:48) ***dazo has no understanding of the low level windows driver layers, 
(12:45:49) ordex: dazo: well with openvpn2 people can do tap on windows 
server/client, no?
(12:45:49) mattock: that patch did not have the desired effect unfortunately, 
for HLK tests
(12:45:58) ordex: mattock1: oh ok
(12:46:13) mattock: worst case we need to talk to Microsoft (which probably 
takes ages) to get some exception for tap-windows6
(12:46:15) dazo: ordex: no, I mean ... for a software/virtual network adapter 
... does TAP mode really matter?
(12:46:28) mattock: dazo: remember, it is HLK that cares
(12:46:39) mattock: whether there is a difference in the driver is irrelevant
(12:46:44) lev__: and wintun defines itself as a virtual device
(12:46:55) dazo: yes, but again, tap-windows6 isn't a hardware driver, it's a 
driver for a virtual NIC
(12:47:19) mattock: yes, but we need to make HLK think that, too
(12:47:28) ordex: I guess the fact that it is capable of doing L2 transport 
makes it eligible for more tests, no?
(12:47:45) mattock: yes
(12:47:48) dazo: HLK requiring physical hardware makes sense when the driver is 
targeting a physical hardware ... but in this case, it is a virtual interface 
it drives
(12:47:51) lev__: can we make a tun-only tap-windows6
(12:48:13) dazo: meh ... then we should probably just move over to wintun alone
(12:48:28) mattock: yeah
(12:48:40) lev__: well I am working on wintun patch for openvpn2
(12:48:46) cron2: lev__: I think it would be easier to just use wintun then - 
tap6 is an ethernet driver with ethernet built-in into everything
(12:48:59) dazo: unless we think we can easily get tap-windows6 (being a tun 
only driver) at least as efficient as wintun .... not sure it's worth the 
effort though
(12:49:03) mattock: but anyways, I will build the physical HLK environment 
while anyone who can/wants can play with driver properties
(12:49:30) lev__: mattock1: it seems that tap support costs us a lot
(12:49:34) dazo: mattock1: sounds like a good plan 
(12:49:39) mattock: lev: that is very true
(12:49:47) mattock: in real $$$
(12:50:06) lev__: which brings the question, do we really need it
(12:50:15) mattock: who wants to volunteer to send email to openvpn-users and 
tell "we're dropping tap support on Windows" :D
(12:50:52) syzzer: there's probably a ton of people using it
(12:51:27) syzzer: and dropping support mid-life for 2.4 seems a bit harsh on 
our users
(12:51:32) syzzer: but we might consider this for 2.5
(12:51:33) mattock: agreed
(12:51:46) lev__: I would suggest to strip tap support, get HLK done and offer 
both tap and wintun options
(12:51:57) dazo: yeah, agreed ... I think even 2.5 is too early, unless we're 
ready for some flame wars on the mailing lists and forums
(12:52:03) lev__: like we do with SSL backend
(12:52:23) dazo: but we can announce with the 2.5 release that we're moving 
towards a tun-only OpenVPN on Windows
(12:52:25) syzzer: lev__: adding wintun support is definitely a good plan
(12:52:28) dazo: in 2.6, that is
(12:52:43) mattock: +1 for wintun in 2.5
(12:52:45) ordex: well, we can also "ask" for anybody being willing to maintain 
tap support at his/her own expenses since we can't do that anymore
(12:52:53) dazo: +1 for wintun in 2.5 too
(12:52:56) ordex: +1
(12:53:04) cron2: not sure why we're actually having this discussion.  We have 
paid a lot for having a working driver, so we just need to finally finish the 
HLK tests...
(12:53:16) mattock: yes, let us finish the HLK tests
(12:53:27) syzzer: that needs to happen anyway, yes
(12:53:33) dazo: agreed
(12:53:47) ordex: assuming we are really able to finish those :p
(12:53:49) mattock: it will take me two working days probably to set up the 
physical environment, unless there are some blockers (unlikely)
(12:53:55) cron2: and since these tests supposedly *do* pass, any talk about 
"drop tap support" seems to be activitionism
(12:54:01) mattock: we know that sgstair and jamallx finished HLK on real 
(12:54:08) ordex: ok
(12:54:19) ordex: I was under the impression "that we don't really know when 
we'll be done"
(12:54:19) mattock: hence my inclination to build the physical environment and 
be done with it
(12:54:24) ordex: ok
(12:54:44) mattock: plus my colleagues at the office inherit (from a client) a 
boatload of computers that fit the HLK testing roles perfectly
(12:54:58) mattock: which I can obtain for a reasonable amount of money (or 
maybe even lease)
(12:55:59) mattock: they're waiting for me to insert the Windows Server 2019 
installation medium :)
(12:56:04) mattock: tap-windows6 covered?
(12:57:36) ordex: I guess you know :D
(12:57:45) dazo: yeah
(12:59:26) mattock: ok so 2.5 next on topic list
(12:59:29) mattock: anything to add there?
(13:00:07) dazo: nothing new, I presume ... we're just trying to get things 
reviewed, ACKed and merged
(13:03:58) mattock: anything to add to dazo's analysis?
(13:04:41) syzzer: nope, "all we need is some focused dev/review time"
(13:06:23) cron2: yeah, basically that's it... I'm working on sitnl but the 
meeting last week in Reykjavik cost me more time than I expected (= nothing 
happened on my end).  But I'll resume today/tomorrow.
(13:06:50) mattock: ok, so mini-hackathon coming up again next Friday
(13:06:58) mattock: next week's friday I mean
(13:07:12) cron2: yep.  I'm @ home and should be able to find half a day
(13:07:18) mattock: \o/
(13:07:31) cron2: (returning from a meeting at midnight... - thursday's meeting 
will see me in a train :-) )
(13:09:26) mattock: ok
(13:09:30) mattock: anything else for today's meeting?
(13:13:46) dazo: Just a note that I'm in the final phase of having Debian and 
Ubuntu repos ready for the new openvpn3 client .... going to test the repos and 
announce them a bit later.
(13:14:23) dazo: The v6 beta release seems pretty solid now and should not 
be too scary to test, in regards to stability and bugs.
(13:14:59) mattock: \o/
(13:15:40) syzzer: nice :)
(13:15:53) syzzer: so, lunch then I guess
(13:16:07) mattock: if I can get a Linux client that does not suck at 
configuring the system resolver I will buy it immediately :P
(13:16:29) mattock: anyways, you guys get lunch, I already did
(13:17:07) ***dazo arrived at the office minutes before the meeting started :-P
(13:19:47) mattock: two minutes of silence -> end of meeting :)

