Here's the summary of the IRC meeting.



Place: #openvpn-meeting on irc.freenode.net
Date: Thu 7th May 2020
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:


Your local meeting time is easy to check from services such as



cron2, dazo and mattock participated in this meeting.


Noted that cloudflare has now been disabled on community.openvpn.net
(again) to get IPv6 working. This is hopefully just a stop-gap measure
before we get IPv6 enabled in Cloudflare - for community.openvpn.net or
for whole openvpn.net domain.


Noted that most of OpenVPN Inc. has been working on CloudVPN which has
now been released:


It is not clear if CloudVPN supports IPv6 transport. IPv6 payload seems
to be supported. Mattock made some queries during the meeting.


Discussed OpenVPN 2.5. Noted that the high-level status has not changed


The recent activity was directed at cleaning up the backlog, Trac
tickets, etc. which was also needed.

The amount of effort required by most "must have" tasks seems fairly

- async-cc stuff
  - it's there, it works
  - needs polishing, some refactoring and review
  - a few days of focused work
- MSI installers
  - needs final integration + testing
  - 1-2 days of work assuming no major roadblocks
- asymmetric compression
  - just needs the final ACK

Effort required by man-page reformatting and IPv6-only server were not

Ordex is working on the OpenVPN kernel module which is why he's been
isolated from OpenVPN 2.5 tasks. However, dazo and lev have some
bandwidth for taking over tasks from ordex next week.

Mattock will start work on MSI a.s.a.p. so that if any issues are found
rozmansi will have some time to step in. Mattock will also try to locate
OpenVPN Inc. MSI experts, if any, to help with potential MSI issues.


Noted that syzzer's successor at OpenVPN-NL has been pretty quiet on the
community front. Also noted that syzzer said he might be able to do some
OpenVPN community work on his free time.


Full chatlog attached

(21:00:46) mattock: guten abend
(21:00:54) dazo: ciao!
(21:01:30) cron2: gr�ezi!
(21:04:22) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-05-07
(21:04:23) vpnHelper: Title: Topics-2020-05-07 – OpenVPN Community (at 
(21:05:25) mattock: IPv6 on community should work now or soon
(21:05:46) cron2: not now, so "soon" :)
(21:05:57) mattock: unfortunately the "IPv6 on all servers" thing had to be 
postponed - too much stuff going on
(21:06:17) cron2: yeah, it always is
(21:07:20) dazo: Most of the corp folks has been involved in this lately: 
https://openvpn.net/cloud-vpn/ .... first version finally released
(21:08:23) mattock: yeah, I got dragged into that too
(21:08:34) cron2: does it have IPv6?
(21:08:48) cron2: ah, yes, the web page says so \o/
(21:09:07) cron2: external *and* internal v6?
(21:09:52) dazo: You define all the internal IPs yourself, and I would be 
surprised if IPv6 was missing
(21:10:11) cron2: that's "internal", but what about IPv6 transport towards the 
(21:10:33) cron2: ("--proto udp6")
(21:11:10) dazo: right ... external should be supported, but the ops team knows 
which IPs has been deployed into production
(21:11:32) dazo: I've not been involved on the production servers, so I dunno
(21:11:41) cron2: mattock: do you know?
(21:14:15) mattock: no, not sure
(21:17:13) mattock: ok, distractions over
(21:17:49) mattock: I would not count on IPv6 transport - knowing that our 
Cloudflare has IPv6 disabled I would not count on it
(21:18:19) mattock: now, openvpn 2.5 anyone?
(21:18:38) cron2: this is why I'm asking.  We've had problems here in DE with 
client networks behind DS-Lite ("double natted IPv4" plus native IPv6) and 
"server has no v6" starts being a problem
(21:18:45) cron2: (for all that is not "tcp port 80/443")
(21:19:56) mattock: I asked about IPv6 transport on our ops channel
(21:20:00) mattock: maybe somebody knows
(21:21:45) mattock: as far as OpenVPN 2.5 is concerned - no progress yet on my 
end unfortunately on MSI
(21:22:00) cron2: not too much progress on my end here either
(21:22:03) mattock: the big internal project I talked about ended today finally
(21:22:15) cron2: I've been digging through patches, working my way through 
_inline v11 right now
(21:22:16) mattock: the next project is starting but it should not be as 
(21:22:32) cron2: good, so msi on you and v6-only on me :)
(21:22:59) cron2: (I had to do a quick patch to tcpdump yesterday, hah :-) )
(21:23:17) mattock: doorbell ...
(21:24:44) dazo: I got about 35 min until my next meeting starts
(21:25:17) cron2: dazo: so how's your time availability?  (and how's ordex'?)
(21:25:33) cron2: our major stumbling block is "working with plaisthos on 
(21:26:53) dazo: It is tight ... but it should be possible to squeeze in more 
community time now
(21:28:40) mattock: should we update the 2.5 status page? it is several months 
(21:28:56) mattock: I've lost track of the status way back when
(21:29:09) mattock: https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25
(21:29:11) vpnHelper: Title: StatusOfOpenvpn25 – OpenVPN Community (at 
(21:29:19) cron2: I do not think we have completed anything of those points... 
but let me look
(21:30:00) mattock: I'll make a minor change
(21:31:22) dazo: Do we know if there are any man page changes in the pipe among 
the last changes we're planning to pull in?  Otherwise I can get started on the 
man page stuff
(21:32:36) cron2: I am not aware of any, but lost track
(21:36:15) cron2: ok, so the "must have" are "unchanged"
(21:36:30) mattock: since months
(21:36:52) cron2: the "try to make it happen" is also unchanged :-(
(21:37:09) mattock: hmm
(21:37:28) mattock: there has been lots of activity recently - I wonder where 
it was directed then :P
(21:39:38) mattock: well, this is not nice
(21:39:54) cron2: this was in the "trac tickets, floating-around patches, clean 
up" section, but not one of the major blocks
(21:40:03) mattock: ok
(21:40:16) mattock: so we really need a final push which focuses on the must 
(21:40:25) mattock: before we start having a backlog of that other random stuff 
(21:41:05) cron2: corp needs to release ordex a bit more :)
(21:41:20) mattock: yep
(21:43:30) mattock: dazo: any idea on how to make the happen?
(21:43:43) mattock: also, any idea of the effort required by the "must haves"?
(21:43:50) mattock: are we speaking of hours, days or week of work?
(21:44:40) cron2: a few days of focused work for the async-cc stuff - it's 
there, it works, it "just" needs polishing, some refactoring, and review
(21:46:24) mattock: the MSI stuff is probably 1-2 days of work (including 
testing) assuming there are no major issues
(21:47:06) mattock: asymmetric compression?
(21:47:13) dazo: We have isolated ordex to be able to progress more rapidly on 
the kernel module ... which will also provide openvpn 2.x support as well .... 
we know it is not too good for the 2.5 release, but lets see if lev__ or I can 
try to help on the review side for the async-cc stuff
(21:47:15) cron2: needs a final ACK, I think
(21:47:30) cron2: (the asymm compression)
(21:47:44) dazo: review is tagged "syzzer/cron2" ... is that doable?
(21:47:48) cron2: lev__ could certainly do this, I think, as he found quite a 
few async bugs
(21:48:04) cron2: dazo: review fort aht?
(21:48:23) cron2: ah
(21:48:24) cron2: yes
(21:48:29) cron2: I'll bite
(21:48:32) dazo: :)
(21:49:28) dazo: lev__ is on some training courses this week ... so I hope we 
can figure out something for next week.
(21:49:50) cron2: I need him to figure out my win7 openvpn problems as well :)
(21:50:14) dazo: heh ... alright, I'll make some notes :)
(21:51:32) cron2: someone who understands crypto could have a look at the 
tls-groups patch...
(21:52:40) ***dazo got 3-4 minutes until needing to prepare for next meeting
(21:53:10) mattock: quick question: so what is syzzer's availability nowadays?
(21:53:16) cron2: spotty
(21:53:23) mattock: did he get a new job or something?
(21:53:54) cron2: changed department in fox-it
(21:54:23) mattock: where is the bright new guy then?
(21:54:37) cron2: seems to be a bit shy
(21:55:02) mattock: but there is such a thing?
(21:55:52) cron2: supposedly syzzer can now work in his spare time on openvpn, 
not being all burnt up by work exposure to openvpn :-)
(21:56:09) cron2: and a new guy works on openvpn-nl which we sort of have met 
before (Karlsruhe?)
(21:57:13) mattock: mkay
(21:57:20) mattock: but there is some hope on the crypto front
(21:57:32) dazo: Just asked lev__, he will try to allocate some time next week
(21:57:37) mattock: \o/
(21:57:48) cron2: nice
(21:58:06) mattock: I will also try to allocate time on MSI next week - at 
least to see if it is all smooth sailing or if rozmansi will need to work on 
(21:58:16) mattock: I will also try to locate any MSI guys we might have 
(21:58:27) mattock: forgot to do that last week
(21:59:06) ***dazo gotta go
(21:59:21) mattock: I think we can call this a day - we did manage to do 
something useful at least :D
(21:59:26) mattock: ok?
(21:59:36) cron2: yep... good night :)
(22:00:32) mattock: good night!
(22:02:04) mattock: IPv6 was missing the AAAA record
(22:02:08) mattock: should start working shortly
(22:02:45) cron2: community.openvpn.net has no AAAA record
(22:03:07) cron2: ah, now it's there
(22:03:12) mattock: yep
(22:03:14) cron2: local resolver still has the NXDOMAIN cached
(22:03:14) mattock: I just added it
(22:04:05) mattock: I will try to get IPv6 enabled across the board because on 
the next DoS (and those do happen occasionally) they will just turn on 
cloudflare and then IPv6 is broken again on community
(22:04:23) mattock: this is just duct tape to cover the problem
(22:12:18) cron2: so v6 is direct, not via cloudflare?
(22:20:12) mattock: yes, direct for now
(22:20:24) cron2: better than nothing and it will quiet my monitoring :)
(22:20:30) mattock: and mine
(22:20:42) mattock: I have IPv6 monitoring for community servers now
(22:21:04) mattock: technically it checks the certificate expiration, but as it 
does it via IPv6 tranport it will alert on broken IPv6 as well
(22:26:27) mattock: that could of course cause us to not catch IPv4 issues on 
those servers :D

Attachment: signature.asc
Description: OpenPGP digital signature

Openvpn-devel mailing list

Reply via email to