[Openvpn-devel] [PATCH v2] Add t_server_null test suite

2024-06-17 Thread Samuli Seppänen
Change-Id: I1b54da258c7d15551b6c3de7522a0d19afdb66de
Signed-off-by: Samuli Seppänen 
Acked-by: Frank Lichtenheld 
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/663
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld 


diff --git a/.gitignore b/.gitignore
index 92d65bf..db8bb73 100644
--- a/.gitignore
+++ b/.gitignore
@@ -55,6 +55,7 @@
 
 tests/t_client.sh
 tests/t_client-*-20??-??/
+tests/t_server_null.rc
 t_client.rc
 t_client_ips.rc
 tests/unit_tests/**/*_testdriver
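Review bot: the new `tests/t_server_null.rc` entry ignores only the local configuration file, while doc/t_server_null.rst in this same patch says results are checked "by parsing the client log files". If those logs, or any other per-run files the server and client scripts create, are written under tests/, add matching ignore patterns here so that a "make check" run does not leave untracked files in the tree.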
diff --git a/doc/t_server_null.rst b/doc/t_server_null.rst
new file mode 100644
index 000..e3a098a
--- /dev/null
+++ b/doc/t_server_null.rst
@@ -0,0 +1,147 @@
+Notes for the --dev null test suite
+===
+
+Introduction
+
+
+The *--dev null test suite* is primary targeted at testing client connections
+to the "just compiled" version of OpenVPN. The name is derived from "null"
+device type in OpenVPN. In particular, when *--dev null --ifconfig-noexec* is
+used in OpenVPN client configuration one does not need to run OpenVPN with root
+privileges because interface, routing, etc. configuration is not done at all.
+This is still enough to ensure that the OpenVPN client can connect to a server
+instance.
+
+The main features of the test suite:
+
+* Parallelized for fairly high performance
+* Mostly operating-system agnostic
+* Tested on Fedora Linux 38/39/40 and FreeBSD 14
+* POSIX-compliant
+* Tested and known to work with Bash, Dash, Ksh, Yash and FreeBSD's default 
/bin/sh
+* Uses the sample certificates and keys
+* Supports running multiple servers and clients
+* Supports running servers directly as root and with sudo
+* Supports using different OpenVPN client versions
+
+  * The "current" (just compiled) version
+  * Any other OpenVPN versions that is present on the filesystem
+
+* Support testing for success as well as failure
+* Test cases (client configurations) and server setups (server configurations) 
are stored in a configuration file, i.e. data and code have been separated
+* Configuration file format is nearly identical to t_client.rc configuration
+* Supports a set of default tests, overriding default test settings and adding 
local tests
+
+Prerequisites
+-
+
+Running the test suite requires the following:
+
+* *bash* for running the tests
+* root-level privileges for launching the servers
+
+  * run as root
+  * a privilege escalation tool (sudo, doas, su) and the permission to become 
root
+
+Technical implementation
+
+
+The test suite is completely parallelized to allow running a large number of
+server and client combinations quickly.
+
+A normal test run looks like this:
+
+#. Server instances start
+#. Brief wait
+#. Client instances start
+#. Tests run
+#. Client instances stop
+#. Brief wait
+#. Server instances stop
+
+The tests suite is launched via "make check":
+
+* make check
+
+  * t_server_null.sh
+
+* t_server_null_server.sh
+
+  * Launches the compiled OpenVPN server instances as root (if necessary 
with sudo or su) in the background. The servers are killed using their 
management interface once all clients have exited.
+
+* t_server_null_client.sh
+
+  * Waits until servers have launched. Then launch all clients, wait for 
them to exit and then check test results by parsing the client log files. Each 
client kills itself after some delay using an "--up" script.
+
+Note that "make check" moves on once *t_server_null_client.sh* has exited. At
+that point *t_server_null_server.sh* is still running, because it exists only
+after waiting a few seconds for more client connections to potentially appear.
+This is a feature and not a bug, but means that launching "make check" runs too
+quickly might cause test failures or unexpected behavior such as leftover
+OpenVPN server processes.
+
+Configuration
+-
+
+The test suite reads its configuration from two files:
+
+* *tests/t_server_null_defaults.rc:* default test configuration that should 
work on any system
+* *tests/t_server_null.rc:* a local configuration file; can be used to add 
additional tests or override settings from the default test configuration. Must 
be present or tests will be skipped, but can be an empty file.
+
+The configuration syntax is very similar to *t_client.rc*. New server 
instances can be
+defined like this::
+
+  SERVER_NAME_5="t_server_null_server-11195_udp"
+  SERVER_MGMT_PORT_5="11195"
+  SERVER_EXEC_5="${SERVER_EXEC}"
+  SERVER_CONF_5="${SERVER_CONF_BASE} --lport 11195 --proto udp --management 
127.0.0.1 ${SERVER_MGMT_PORT_5}"
+
+In this case the server instance identifier is **5**. Variables such as
+*SERVER_EXEC* and *SERVE
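Review bot: the server example in the Configuration section passes `--management 127.0.0.1 ${SERVER_MGMT_PORT_5}` with no password file, although the text above says the servers are launched as root and can be left behind as "leftover OpenVPN server processes" when "make check" is re-run too quickly; as written, any local user on the test host can connect to the management port of a root-owned process. Please either state in the Prerequisites that the suite is meant for single-user or throwaway hosts, or have the default server lines use the optional password-file argument of --management or a unix-socket management interface. Separately, the feature list says "POSIX-compliant" and names Dash, Ksh, Yash and FreeBSD's /bin/sh, but Prerequisites requires *bash* for running the tests; one of the two needs correcting. Typos to fix in the same file: "primary targeted" (primarily), "Any other OpenVPN versions that is present", "The tests suite", and "because it exists only after waiting" (exits).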

[Openvpn-devel] Summary of the community meeting (21st September 2022)

2022-09-21 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 21st September 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, djpig, lev, mattock, MaxF, novaflash, ordex and plaisthos 
participated in this meeting.


---

Talked about the hackathon. MaxF said that it is possible to use the 
meeting room also on Friday during office hours. Some people may arrive 
on Thursday evening. Novaflash promised to take the role of a taxi driver 
for other people. Agreed to go to the Westcord hotel just like the last 
time.


---

Noted that plaisthos is on vacation for two weeks, but he should have 
some time for OpenVPN 2.


---

Talked about automated testing. Noted that GitHub Actions has usage 
limits on the free GitHub tier. Not sure what those limits are exactly.


---

Talked about OpenVPN 2.6. Lev noted that the dco-win code has been 
merged and is now the default driver on Windows when possible.


--

Full chatlog attached
(11:29:08) mattock: hi
(11:29:10) mattock: anyone here?
(11:29:36) cron2__: actually I am :-) - doc sent me home again "we'll call you 
when $kid is ready", so I'm about to leave any minute...
(11:29:51) MaxF: hi!
(11:29:55) MaxF: I'm here!
(11:30:07) mattock: hi!
(11:30:23) plaisthos: I am on vacation and only semi present
(11:30:24) d12fk: hi
(11:30:52) cron2__: ho
(11:31:10) cron2__: plaisthos: how long are you on vaction?
(11:31:16) cron2__: vacation even
(11:31:20) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2022-09-21
(11:32:02) mattock: start from the top? #1 hackathon
(11:32:25) MaxF: yes! You can come on Friday
(11:32:35) d12fk: excellent
(11:33:05) mattock: anything else on hackathon?
(11:33:30) novaflash [~novafl...@185-227-75-241.dsl.cambrium.nl] è entrato 
nella stanza.
(11:33:38) novaflash: Boop?
(11:33:54) cron2__: MaxF: that is very nice :-) - so "Friday whenever planes 
land" (and/or night train)?
(11:34:24) MaxF: uh no, I can't let you in after office hours
(11:34:33) cron2__: "daytime"
(11:34:40) cron2__: of course :)
(11:34:47) cron2__: after office hours, beer
(11:35:08) MaxF: oh, I misread it, I thought you said arriving at night
(11:35:32) novaflash: I also have something else with 4 letters and ee in the 
middle
(11:35:39) cron2__: night train = leaves munich thursday evening, arrives in 
Amsterdam on Friday 9:30-ish, so I could take that one and be in Delft 
~11:00-ish
(11:35:58) plaisthos: cron2__: 2 weeks but probably have some time for openvpn 2
(11:36:05) cron2__: novaflash: beef! most welcome :-)
(11:36:13) djpig: moin
(11:36:49) cron2__: plaisthos: mmmh, ok.  Your patchsets are the ones that need 
resending, testing, questioning, and merging... and ordex' dco p2p could use 
some looking at
(11:37:18) novaflash: Yes... beef
(11:37:53) cron2__: ;)
(11:38:33) novaflash: Sorry I wasn't in the meeting last week. The forum topic 
was hot then. But I had some health issues.
(11:41:05) novaflash: So hackathon. I'll be in Delft on Friday. So can I meet 
up with you guys then at fox it? Not sure if you already just asked that.
(11:41:47) d12fk: Yes MaxF said Friday we can get the room as well
(11:41:52) cron2__: this is how I understood MaxF, "we can arrive on Friday"
(11:41:59) novaflash: Cool
(11:42:13) cron2__: yep
(11:42:25) novaflash: I have my car with me then so I can be taxi for arriving 
peeps if that's wanted
(11:43:57) d12fk: when will you arrive in Delft?
(11:44:20) d12fk: i.e. what time
(11:44:27) djpig: I will probably arrive on Thursday evening, then. Although it 
would also be an option to only go to Amsterdam Thursday and then go to Delft 
on Friday. Amsterdam might be more interesting on a  Thursday evening...
(11:45:13) novaflash: Well I could be there early if there's people to meet up 
with. 10am for example or even earlier. But if I'll be the unholy one there at 
10am that could be boring.
(11:45:25) novaflash: Only* ...autocorrect
(11:45:36) cron2__: you are always the unholy one
(11:45:43) novaflash: True
(11:45:54) novaflash: Oh someone is down to party on Thursday? Ok cool
(11:46:17) novaflash: I could be there on Thursday so there is party time
(11:46:57) novaflash: A drive from delft to Amsterdam is pretty short even by 
public transport
(11:48:14) lev__: Guten tag
(11:48:24) novaflash: Perkele
(11:49:22) plaisthos: cron~.~.
(11:49:32) plaisthos: argh
(11:49:33) mattock: we all good regarding hackathon scheduling for now?
(11:49:50) plaisthos: cron2__: I can probably go through my patches and resend 
the ones that need resending
(11:49:52) d12fk: have we decided on a hotel?
(11:49:55) cron2__: seems so... now find useful ways to travel there :)
(11:50:03) d12fk: shanghai looks good to me
(11:50:04) cron2__: d12fk: I'd go for the Ikea hotel again
(1

[Openvpn-devel] Summary of the community meeting (14th September 2022)

2022-09-14 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 14th September 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, dazo, djpig, lev, mattock, MaxF, ordex, plaisthos, rob0 
participated in this meeting.


---

The hackathon date has been set. Status of Friday is still unclear. We 
need to leave Fox-IT Premises by 19.00, but that's fine (pub time anyways).


---

Coordinated patches that are aimed at 2.6 and 2.7. Cron2 will start 
going through them now that his vacation is over.


---

Noted that Lev has a new, signed tap-windows6 driver ready with fixes. 
For unknown reasons building the arm64 version of tap-windows6 MSM 
failed. Once that is fixed mattock can push out a new 2.5 Windows installer.


Also noted that HP has sent a PR to tap-windows6 which will need some 
work and may even violate GPLv2.


---

Talked about data-channel offload. Lev is waiting on review + ack + 
merge of two Windows DCO patches. The FreeBSD DCO needs two fixes. The 
p2p mode needs to be fixed in both FreeBSD and Linux.


---

Talked about uncrustify. Noted that it is broken in some cases because 
it is not a real C parser. One alternative is clang-format. The 
challenge there is that clang-format may not be customizable enough to 
be able to adapt to our current uncrustify rules. Also, according to 
dazo, going the clang-format route is not trivial, either.


Agreed not to just use uncrustify as-is for now, in order to avoid 
time-consuming bikeshedding discussions.


---

Talked about automated Windows testing. Mattock's 
openvpn-windows-buildtest repository on GitHub should be a good starting 
point:




---

Talked about unacceptable, one could say "toxic", behavior of a certain 
forum moderator. This issue will be brought up with him in person.


--

Full chatlog attached
(11:27:27) cron2__: good morning maxf :)
(11:27:39) MaxF: good morning!
(11:29:08) plaisthos: moin moin
(11:30:37) rob0: zzZZZzz
(11:30:59) ***cron2__ wakes up rob0
(11:31:18) cron2__ ha scelto come argomento: 
https://community.openvpn.net/openvpn/wiki/Topics-2022-09-14
(11:31:31) cron2__: not much there
(11:32:01) mattock: hi!
(11:33:04) ordex: ding dang
(11:33:17) ***ordex pokes everybody with a pointy stick
(11:33:22) ***cron2__ jumps
(11:33:28) cron2__: I'm awake! I'm awake!
(11:34:36) ordex: sooo
(11:35:06) ordex: any imminent aspect to discuss?
(11:35:08) MaxF: hackathon: Date is confirmed. I added some hotels to the wiki 
page
(11:35:10) ordex: MaxF: u there?
(11:35:11) ordex: ah there!
(11:35:27) ordex: MaxF: thanks! did you get a response for friday as well?
(11:35:30) cron2__: cool.  So what's the status of "Friday"?
(11:35:33) cron2__: hah
(11:35:42) ordex: https://github.com/OpenVPN/tap-windows6/pull/150
(11:59:45) MaxF: wow
(11:59:51) dazo: ahh, it was closed
(12:00:10) cron2__: I closed it because "this is not something which can be 
amended"
(12:00:14) dazo: " Corrected the copyright info. "  I mean  wow 
(12:00:37) cron2__: *that* is the harmless patch of the two commits :)
(12:01:07) cron2__: it just changes some strings that the other one introduces
(12:01:22) dazo: yeah, I just saw the main patch summary ... and then that 
commit
(12:01:25) dazo: so yeah
(12:03:03) lev__: also I don't like that we would have to maintain #ifdef 
VENDOR_X code
(12:04:17) cron2__: the actual code change is nicely contained behind an 
ioctl()-settable value (even if I don't understand what it is for, it looks... 
like misunderstood ethernet or so)
(12:04:34) cron2__: but the "we want this to look like our product" changes can 
never go in
(12:05:16) dazo: agreed
(12:05:43) mattock2 [~ya...@mobile-access-bcee7d-214.dhcp.inet.fi] è entrato 
nella stanza.
(12:07:26) cron2__: anyway, we're detouring again
(12:07:40) cron2__: 2.5 -> so, MSM next, then openvpn-build updates, then new 
release ;-)
(12:07:42) cron2__: 2.6?
(12:08:01) cron2__: - lev__ is waiting on review+ack+merge of two window-dco 
patches
(12:08:11) mattock: so we need a new 2.5.x release, or just new installer?
(12:08:24) cron2__: mattock: new installer.  Sorry for wrong wording.
(12:08:27) mattock: ok
(12:08:31) mattock: I'm relieved :)
(12:08:42) mattock: I'll create a ticket for myself, so that I do not forget
(12:09:41) cron2__: more 2.6 -> FreeBSD DCO has 2 kernel side bugs to fix, but 
besides that, looks very good (= passes all my torture testing now).  Well, p2p 
renegotiation is broken the same way as Linux, so we'll see what ordex will come 
up with :-)
(12:10:50) cron2__: I'm back from vacation and will try to make sense of all 
open patches in patchwork "of this year, and some of last year", so I will come 
and ask for reviews, new 

[Openvpn-devel] Community meetings in September 2022

2022-09-13 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 14th September 2022 at 10:30 CEST
- Wed 21st August 2022 at 10:30 CEST
- Wed 28th August 2022 at 10:30 CEST

The place is #openvpn-meeting IRC channel at libera.chat. Meeting agendas
and summaries are in here:



Samuli


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] Summary of the community meeting (31st August 2022)

2022-08-31 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 31st August 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

d12fk, dazo, lev, mattock, MaxF, novaflash, ordex and plaisthos 
participated in this meeting.


---

The dco-win support has been merged to master and latest snapshot MSIs 
can be used to try it out:




---

Noted that there is some ongoing discussion on the Linux kernel mailing 
list about the ovpn-dco userspace API. If that discussion takes too 
long, we may have to postpone the 2.6-RC1 release so that


- 2.6.0 will still be "the DCO release"
- we don't have to make (major) feature changes in the middle of the RC 
cycle


---

Noted that the hackathon date is set to "the weekend of November 25".

--

Full chatlog attached
(11:30:47) lev__: guten tag
(11:31:11) MaxF: moin!
(11:35:15) novaflash: goedemorgen
(11:35:15) mattock: hi
(11:36:35) plaisthos: moin moin
(11:36:45) novaflash: good meeting.
(11:36:53) dazo: *yawn*
(11:38:20) d12fk: moin
(11:39:44) d12fk: silence
(11:41:09) lev__: I think ordex and cron2__ are on vacation
(11:41:59) mattock: just got out from a meeting
(11:42:18) mattock: can we discuss anything now that our benevolent project 
lead is gone?
(11:42:20) lev__: dco-win support has been merged to master and latest snapshot 
MSIs https://build.openvpn.net/downloads/snapshots/github-actions/openvpn2/ can 
be used to try it out
(11:42:21) vpnHelper: Title: Index of 
/downloads/snapshots/github-actions/openvpn2/ (at build.openvpn.net)
(11:43:09) lev__: there is a patch for persist-tun support waiting for review, 
otherwise I think it is ready for 2.6 RC
(11:43:35) dazo: We have a code freeze appearing in about 2 weeks  so lets 
focus on 2.6
(11:43:48) dazo: Is 
https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn26  up to date?
(11:45:04) dazo: "update auth-user-pass docs"   what is _really_ happening 
with this one?
(11:45:42) dazo: lev__: got a patchwork link?
(11:45:58) lev__: 
https://patchwork.openvpn.net/project/openvpn2/patch/20220830104958.91-1-lstipa...@gmail.com/
(11:45:59) vpnHelper: Title: [Openvpn-devel,v2] dco-win: support for 
--persist-tun - Patchwork (at patchwork.openvpn.net)
(11:46:09) ***ordex waves
(11:46:23) dazo: hey, ordex!
(11:46:30) lev__: bongiorno!
(11:46:34) ordex: something I wanted to mention: there is some ongoing 
discussion on the kernel ml about the ovpn-dco userspace API
(11:46:46) ordex: [kid is sleeping so I have some minutes :D]
(11:47:01) ordex: the API *may* change to reflect any upcoming decision
(11:47:18) ordex: at the same time it won't be nice to break existing userspace 
tools, especially openvpn2
(11:47:33) ordex: this said, the changes may still require some time, like till 
end of october
(11:47:40) ordex: how do we feel about this? :D
(11:47:50) dazo: ordex: what kind of changes is this?
(11:47:55) plaisthos: let's aim for a rc first 
(11:48:08) ordex: for example: how to create the new interface: rtnl vs genl
(11:48:23) ordex: or how to separate API enum attributes 
(11:48:32) plaisthos: got a link to the discussion?
(11:48:33) ordex: (which will trigger a attributes renumbering)
(11:48:41) ordex: plaisthos: nope, can fish it
(11:48:41) dazo: ordex: I'm not too concerned. But it might be we either want 
to extend todays implementation with a "API version" check from user-space; if 
that does not exists we presume it's the new one ... or vice versa
(11:48:58) ordex: but it is just a question somebody is rising and some points 
make sense, so things *may* change
(11:49:14) dazo: But that depends if we're able to manage OpenVPN 2.6 code 
freeze mid-september
(11:49:33) ordex: the problem with the version is that old openvpn won't be 
able to talk to the new ovpn-dco in any case
(11:50:08) ordex: but like plaisthos said, we should possibly aim at the RC in 
any case and maybe apply any of these changes before the release?
(11:50:19) ordex: that'd be the best case, imho
(11:50:27) dazo: yeah, that makes sense  RC is still not a full release
(11:51:23) ordex: maybe we could also remove the --enable-dco knob from 
configure until the API is decided and reactivate it in some 2.6.x ? (as 
extreme case)
(11:51:47) dazo: --enable-experimental-dco ;-)
(11:53:00) dazo: I'm not sure  2.6 is targeted to be the DCO release.  So 
we need to re-evaluate quite a bit then.
(11:54:23) dazo: It would be quite odd to release a 2.6.0 without DCO support 
when we've talked so much about 2.6 being a DCO release.
(11:58:51) plaisthos: or we have to name the netlink name of the ovpn-dco 
module something different for now
(11:58:54) plaisthos: or the kernel module later
(11:59:00) d12fk:

[Openvpn-devel] Summary of the community meeting (24th August 2022)

2022-08-24 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 24th August 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

d12fk, dazo, djpig, kp, lev, mattock, MaxF, ordex, Pippin and plaisthos 
participated in this meeting.


---

Agreed that community services migration tomorrow (Thursday) during EET 
working time (9-17) is ok. Mattock will take care of it.


---

Talked about the hackathon. It seems like November 26th is the best 
option right now.


---

Talked about OpenVPN 2.5. The next release, which is not urgent, should 
include an updated tap-windows6 driver.


---

Talked about OpenVPN 2.6. Lev had dco-win pretty comprehensively tested 
by OpenVPN Inc. internal QA. A report of the results has been sent to 
the mailing list. On the Linux dco side some changes were made which 
required simultaneous userspace (openvpn) and kernel-space (ovpn-dco) 
changes to maintain compatibility.


Set the tentative release schedule for first 2.6 RC to mid-September, 
which would make 2.6.0 November 1st a possibility.


--

Full chatlog attached
(11:30:44) ordex: ay
(11:30:52) MaxF: hi!
(11:30:57) mattock: hi!
(11:33:18) mattock: who do we have here today?
(11:33:41) dazo: o/
(11:33:46) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2022-08-24
(11:33:50) lev__: guten tag
(11:34:00) mattock: I have one topic I want to discuss before I head to my 
customary lunch
(11:34:23) mattock: "Community services migration tomorrow (Thursday) during 
EET working time (9-17) is ok?"
(11:34:32) mattock: more details on the topic page
(11:35:02) mattock: trac will be affected briefly tomorrow, otherwise you 
(=developers) should not notice anything
(11:35:06) mattock: will/would
(11:35:22) ordex: fine with me, as long as we have some time to double check 
that things are working before you disappear :D
(11:35:36) mattock: I've allocated a full day (plus Friday) for fixing any 
issues
(11:36:03) mattock: I can typically focus on Thursdays from morning to late 
evening
(11:36:10) dazo: LGTM; and I agree with ordex
(11:36:14) ordex: :-D
(11:36:16) mattock: +1
(11:36:52) mattock: hackathon?
(11:36:54) d12fk: ooh late, hi
(11:37:05) mattock: hi!
(11:37:28) MaxF: hackathon! Has everyone responded to the poll?
(11:37:36) mattock: I have not!
(11:37:38) mattock: forgot
(11:37:40) mattock: link?
(11:37:43) mattock: I'll do it now
(11:38:06) Pippin_: https://doodle.com/meeting/participate/id/dRgEwERe
(11:38:07) vpnHelper: Title: Doodle (at doodle.com)
(11:38:15) mattock: thanks!
(11:40:12) mattock: done
(11:40:41) MaxF: looks like nov 26 is the least worst
(11:40:58) mattock: that late we could all stay for Christmas :)
(11:41:38) dazo: yeah ... that date might mean I need to leave late on Saturday 
 I'll see what I can manage
(11:42:40) mattock: Sync up on OpenVPN 2.5 and 2.6? 
(11:42:42) MaxF: is this everyone? what about corp people?
(11:45:17) plaisthos: Hmpf I still don't see the overview
(11:45:59) dazo: MaxF: Charlie, James, Johan and Mark are the corp folks 
missing ... I'll follow up internally, but I'd say the community folks are more 
important in this context
(11:47:14) plaisthos: argh and now I removed my choices
(11:47:15) MaxF: the main point is, I need to have a list with everyone's name 
on it, and if you're not on it, I can't let you in
(11:47:43) ordex: by when is this required?
(11:48:17) MaxF: not sure, but if we settle on a date in November, I don't need 
it right now
(11:49:20) plaisthos: yeah I think we can get that very soon after we finalise 
the date
(11:49:26) d12fk: can we fix the date today?
(11:51:21) plaisthos: yeah I would say we should
(11:53:29) dazo: +1
(11:54:24) MaxF: nov 26 looks the best with one "cannot attend" and one "if 
need be" (dazo might leave on Saturday evening)
(11:54:40) MaxF: nov 12 has one "cannot attend" and two "if need be"
(11:55:07) dazo: yeah ... Just checked flights and trains, if I need to leave 
on Sat, I need to fetch a train 17:24 from Delft
(11:55:21) ordex: we don't have much choice then, unless we ask the "if need 
be" on the 12 if they can still make it to the whole meeting
(11:55:28) dazo: and arrive 12:00-12:30-ish
(11:55:29) ordex: then 12 would be better to we really have everybody for the 
whole meeting
(11:55:29) MaxF: that sounds pretty close to cannot attend
(11:55:52) dazo: (arrive on Friday)
(11:56:22) ordex: still stretched I'd say. what about asking cron2__ and kp 
their plan on Nov 12th? maybe they can still do it reasonably
(11:56:23) MaxF: I haven't heard from the "if need be"s on nov 12. If there's 
*two* people who have to leave at 17.00, that's worse
(11:56:38) dazo: 12th has 2 "need be", 26th has 1
(11:56:44) ordex: MaxF: it may be they don't favour that date, but still c

[Openvpn-devel] Summary of the community meeting (17th August 2022)

2022-08-17 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 17th August 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

berniv6, cron2, d12fk, dazo, djpig, lev, mattock, MaxF, ordex and 
plaisthos participated in this meeting.


---

Talked about hackathon. Noted that many people have not answered the 
Doodle poll yet. They should.


---

Talked about DCO and NetworkManager. After a long discussion the patch 
to be created boils down to "if we have no CAP_SETPCAP and --user, 
disable dco".


In other words the short-term fix is to disable DCO when CAP_SETPCAP is 
not available, and the long-term fix needs to be talked about with the 
NetworkManager team.


---

Talked about what OpenVPN version Debian should bundle. Cron2 and 
berniv6 agree that the plan is that we have 2.6.x ready at Debian 
release freeze so they can just ship it.


Unfortunately downstream distros like Ubuntu and Kali Linux used 
experimental OpenVPN code from Debian experimental/sid as a basis for 
their own OpenVPN packages. So our strategy is to address the bugs in 
Debian testing "ASAP" and then send a heads up to those distros so that 
they know to update their OpenVPN codebases.


Noted that OpenVPN 2.5 -> 2.6 upgrade combined with the OpenSSL 1.1.1 -> 
3.0.0 upgrade will break things. Debian users should be shown a 
notification when they're about to do such an upgrade.


---

Talked about OpenVPN 2.6 status:



Cron2's plan is to get FreeBSD DCO tested on the server side and then 
merge the 2/2 patch of that. Then stare at the Windows patches, get a 
working build environment then get that stuff merged. It seems possible 
to have all code in by mid/end October and to make the release on 
December 1st. For Debian project end of January is the "still get things 
into packages easily" -deadline.


---

Noted that there is a tap-windows6 fix, so a new MSM needs to be created 
and signed. We also want testable OpenVPN MSI installers that bundle the 
new MSM.


--

Full chatlog attached
(11:29:29) mattock3: Hi!
(11:29:37) cron2__: ho
(11:29:41) MaxF: hi!
(11:29:54) dazo: o/
(11:29:58) cron2__ ha scelto come argomento: 
https://community.openvpn.net/openvpn/wiki/Topics-2022-08-17
(11:29:58) lev__: hello
(11:30:19) ordex: goedentag
(11:30:59) berni [~berni@2a01:170:1181:0:6600:6aff:fe6a:9cf4] è entrato nella 
stanza.
(11:31:14) berni: hi
(11:31:27) ordex: hi berni 
(11:31:43) cron2__: hi, cool that you could make it
(11:31:57) cron2__: where did you leave your signature "v6"? :)
(11:32:05) berni: I'm still in a meeting, might delay my answers a bit
(11:32:08) berni è ora conosciuto come berniv6
(11:32:30) dazo: lost in a v6-in-v4-nat translation? :-P
(11:32:35) cron2__: this is the spirit :)
(11:32:37) ordex: :D
(11:32:58) cron2__: so, d12fk and djpig coming?  or on vacation?
(11:33:09) ordex: almost here
(11:33:22) dazo: fighting about rfc structures in a meeting room ;-)
(11:33:37) plaisthos [~arne@openvpn/developer/plaisthos] è entrato nella stanza.
(11:33:37) modalità (+o plaisthos) da ChanServ
(11:33:51) plaisthos: oh my client did not join here
(11:34:28) lev__: we're all in the same room
(11:35:12) cron2__: hackathon - missing feedback from (at least) dazo and d12fk
(11:35:19) cron2__: doodle, that is
(11:35:30) ordex: and me too
(11:35:31) ordex: darn
(11:35:52) ordex: anybody has the link at hand?
(11:35:55) dazo: yikes!
(11:36:12) cron2__: it might be this one 
https://doodle.com/meeting/participate/id/dRgEwERe
(11:36:14) vpnHelper: Title: Doodle (at doodle.com)
(11:36:37) L'account è disconnesso e non sei più in questa chat. Sarai 
reinserito in questa chat alla riconnessione dell'account.
(12:17:12) L'argomento di #openvpn-meeting è: 
https://community.openvpn.net/openvpn/wiki/Topics-2022-08-17
(12:17:12) L'argomento per #openvpn-meeting è stato impostato da 
cron2__!gert@openvpn/developer/cron2 a 11:29:58 su 17/08/2022
(12:17:12) berniv6: on the OpenVPN side with a big fat warning, I don't think 
that having nm-openvpn add --disable-dco is easier
(12:17:12) cron2__: the problem is that the code flow right now makes this 
extremely messy
(12:17:12) cron2__: openvpn connects, pulls options from the server, sets up 
tun or dco interface, *then* drops privileges
(12:17:12) cron2__: notices "damn, can't keep capabilities"
(12:17:12) cron2__: but that's way too late to disable DCO
(12:17:12) ordex: is there anyway to do a "pre-check" ?
(12:17:12) ordex: like a set_cap dry run
(12:17:12) berniv6: the problem is that NM removes the CAP_NET_ADMIN privilege 
before even starting the daemon, right? Can we somehow test this?
(12:17:12) berniv6: a stop, it has to have the privilege at this point, 
otherwise 

[Openvpn-devel] Summary of the community meeting (10th August 2022)

2022-08-10 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 10th August 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, dazo, djpig, lev, kp, mattock, MaxF and plaisthos 
participated in this meeting.


---

Talked about our Changelog in the OpenVPN Git repository. Agreed to have 
a dummy changelog in "master" branch where it is mostly useless and/or 
stale.


---

Talked about the hackathon. There's now a poll here:



---

Talked about OpenVPN 2.5. Nothing has happened on that front.

---

Talked about OpenVPN 2.6. The Linux DCO code is not merged. Windows DCO 
patches are expected soon. FreeBSD patches are waiting for review.


---

Noted that we need a new tap-windows6 release after this PR is merged:



--

Full chatlog attached
(11:25:46) mattock: hi
(11:25:51) cron2__: ho
(11:26:29) mattock: forgot to mention this earlier, but I have call at the same 
time as this meeting, so I probably won't be able to interact much - not sure 
how long the call will take though
(11:27:07) mattock: regardless: 
https://community.openvpn.net/openvpn/wiki/Topics-2022-08-10
(11:29:22) plaisthos: I put the Changelog there
(11:29:37) plaisthos: It is a file that stops somewhere at 2.3ish and is just 
confusing nowadays
(11:29:50) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] è entrato nella 
stanza.
(11:29:54) cron2__: it's maintained in the release versions
(11:30:01) lev__: hello
(11:30:07) cron2__: hi lev, maxf
(11:30:08) d12fk: hi
(11:30:14) MaxF: hi!
(11:30:18) dazo: o/
(11:30:42) cron2__: plaisthos: so when I do a numbered release, ChangeLog gets 
"git shortlog v2.5.6..v2.5.7" added, and commit as part of the "this is 2.5.7 
now!" release + tag
(11:30:58) cron2__: in master, it's not updated
(11:32:11) dazo: Maybe we should just have a dummy ChangeLog in master?
(11:32:51) dazo: ("This ChangeLog file is not used in the master branch, but is 
updated in the release branches")
(11:33:19) MaxF has left the room (quit: Client Quit).
(11:33:42) plaisthos: ah yeah the one in master is in a sorry state
(11:33:45) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] has entered the 
room.
(11:33:50) cron2__: if we want to generally keep ChangeLog (which I find a good 
thing), then this sounds like a plan
(11:34:32) dazo: I don't have any strong feelings either way for ChangeLog ... 
but it would make the intention of that file less confusing if we keep it.
(11:35:45) d12fk: don't we merge the release branch back into master?
(11:35:59) cron2__: no
(11:36:05) cron2__: all new commits go to master
(11:36:14) cron2__: bugfixes are cherrypicked to release/2.x (where applicable)
(11:36:20) cron2__: no merge commits
(11:36:22) dazo: release/* branches are forks of master
(11:36:56) cron2__: when we get close to 2.6 release, there will be a fork 
master -> release/2.6
(11:37:08) d12fk: yeah then either the burden of merging Changelog back, or 
dummy
(11:37:55) cron2__: having a ChangeLog in master that talks about "2.5.6->2.5.7 
changes" and "2.4.11->2.4.12 changes" does not sound *that* useful either
(11:38:09) dazo: agreed
(11:38:56) cron2__: I could do quarterly updates in Master, but then the 
changelog would still be "up to 90 days stale"... so maybe just not have it in 
master
(11:39:04) cron2__: as dazo suggested
(11:39:19) plaisthos: yeah, I asked for removal since it is just currently 
living in the distant past and seem not to be used
(11:39:28) plaisthos: so having a dummy Changelog would be fine with me
(11:39:43) cron2__: I'll send a patch
(11:39:48) plaisthos: thanks!
(11:39:55) d12fk: yeah, not worth the effort
(11:40:38) d12fk: ^ merging, not the patch =)
(11:43:21) cron2__: https://pastebin.com/Fj3iui95
(11:43:22) vpnHelper: Title: OpenVPN Change LogCopyright (C) 2002-2022 OpenVPN 
Inc T - Pastebin.com (at pastebin.com)
(11:44:20) d12fk: cron2__: 
(11:44:22) d12fk: individual ChangeLog
(11:44:23) d12fk: file
(11:44:28) d12fk: -> files
(11:44:31) cron2__: fixed
(11:44:55) d12fk: and maybe this branch instead of master branch, the it is 
reusable
(11:45:02) plaisthos: and use either Change Log or Changelog
(11:45:03) d12fk: *then
(11:45:12) plaisthos: both feels a bit odd
(11:45:33) cron2__: "this branch" amended, "ChangeLog" both
(11:45:42) d12fk: ACK
(11:45:48) dazo: ACK
(11:46:30) d12fk: next: hackathon
(11:46:44) MaxF: I made a poll!
(11:46:49) MaxF: let me search the link...
(11:47:36) MaxF: https://doodle.com/meeting/participate/id/dRgEwERe
(11:47:38) vpnHelper: Title: Doodle (at doodle.com)
(11:48:22) lev__: I see only my answers, is it intentional ?
(11:48:45) MaxF: you're the only one who answered so far
(11:48:

[Openvpn-devel] Summary of the community meeting (3rd August 2022)

2022-08-03 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 3rd August 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, dazo, djpig, lev, kp, mattock, MaxF and ordex participated 
in this meeting.


---

Talked about buildbot. After djpig's latest changes (including 
increasing number of CPU cores on the docker host) gitpoller seems to 
have become stable.


---

Noted that djpig needs t_client keys for his MacOS buildbot worker. 
Cron2 can grant him access, or mattock can get him the keys.


---

Noted that nothing important has been happening in OpenVPN's release/2.5 
branch.


---

Talked about the ifconfig-noexec patch. Noted that because buildbot was 
not operating properly the patch could not yet be tested properly. 
Agreed that ifconfig-noexec patch will be exposed to the now working 
buildbot after the DCO hassle is done.


---

kp will repost the FreeBSD DCO patches once the latest Linux DCO patches 
have landed.


---

Agreed to remove the --disable-management option.

--

Full chatlog attached
(11:30:04) dazo: o/
(11:30:13) cron2__: I am here
(11:30:16) cron2__: and I am not here...
(11:30:20) mattock: hi
(11:30:38) dazo: schrödingers cron2__ .
(11:30:39) cron2__: I just received a call that I need to leave *now* to pick 
up $kid at train station, at 11:15, and it takes me 30+ minutes to get there...
(11:30:59) dazo: no worries
(11:31:03) cron2__: I do not have anything that ordex or djpig couldn't report 
on
(11:31:31) djpig: hey, I'm punctual to a community meeting :)
(11:31:32) cron2__: dazo: something for you - this Ka Lok Wu person sent a mail 
to security@ that none of us can decrypt.  Maybe we need new security@ keys?
(11:31:40) cron2__: djpig: hi and ciao ;-)
(11:31:50) MaxF: hi!
(11:31:57) ***cron2__ waves and runs
(11:32:03) dazo: cron2__: I'll handle that ... I thought I had sent you the 
2022 keys for security list
(11:32:18) mattock: hi guys!
(11:32:27) cron2__: dazo: if you have, they haven't made it :-( - please re-send
(11:33:01) ***plaisthos is here
(11:33:29) d12fk: hi
(11:34:13) djpig: first topic seems to be for me to give a buildbot status 
update?
(11:34:23) mattock: I'm interested in that also
(11:34:35) mattock: also, thanks to djpig for saving what remained of my 
vacation! :)
(11:34:43) djpig: okay, I will get started
(11:35:18) djpig: - buildbot gitpoller works reliably since update to 3.5.0
(11:35:42) djpig: - I added workers for Ubuntu 22 and Fedora 36. If you have 
any workers you're missing let me know
(11:36:04) mattock: djpig: did you upgrade the EC2 instance also?
(11:36:11) mattock: and/or allocate more memory for the container?
(11:36:14) mattock: buildmaster container
(11:36:18) ordex: ay
(11:36:23) djpig: - I added a macOS worker yesterday which should be mostly 
functional now. Missing t_client setup
(11:36:45) djpig: mattock: yeah, upgraded from 2 vCPUs to 4 vCPUs
(11:36:50) mattock: +1
(11:37:14) djpig: memory is not a problem so far, so I used the m instance type 
for now.
(11:37:25) djpig: C builds really don't require a lot of memory
(11:38:00) mattock: current buildbot config uses locking to ensure that, at any 
given time, only two docker-based builds are running at the same time
(11:38:21) mattock: this prevents buildbot docker host from choking on trying 
to launch  containers at once
(11:38:35) mattock: this should ensure that memory consumption remains 
reasonable
(11:38:48) djpig: cron2__: mattock said for getting access to the t_client CA 
to generate a new client cert for the macOS worker I need your assistance?
(11:39:23) djpig: mattock: actually it is num of CPUs, not 2. But even with 
four builds memory is still plenty
(11:40:38) djpig: I think that's it as an update. Let me know if you have 
questions. Otherwise we can move on to the next topic, I guess
(11:40:49) mattock: ah ok
(11:42:15) mattock: djpig: I can also generate t_client keys for you, or cron2 
could grant you access to the openvpn test/ca server
(11:42:55) mattock: next topic: "Hackathon"
(11:43:04) mattock: any news from MaxF or lev?
(11:43:49) lev__: yeah we're welcomed in Hki, I haven't cancelled it yet
(11:44:27) lev__: apparently in Delft we need first aid guy
(11:45:08) MaxF: One of the people who are helping out had the BHV training. 
I'll try to look for one more in case they can't be there the whole time
(11:46:11) ordex: could we start a poll for the dates? or we need more pieces 
first?
(11:47:23) MaxF: I'll check today with the first aid person if there are some 
dates where they aren't available
(11:47:46) MaxF: then I can exclude those dates from the poll right away
(11:48:37) MaxF: first date September 24, last date November 26?
(11:49:02) becm_ [~Thunderbi@217.110.68.42] è en

[Openvpn-devel] Community meetings in August 2022

2022-08-03 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 3rd August 2022 at 10:30 CEST
- Wed 10th August 2022 at 10:30 CEST
- Wed 17th August 2022 at 10:30 CEST
- Wed 24th August 2022 at 10:30 CEST
- Wed 31st August 2022 at 10:30 CEST

The place is #openvpn-meeting IRC channel at libera.chat Meeting agendas
and summaries are in here:



Samuli


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] Summary of the community meeting (6th July 2022)

2022-07-06 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 6th July 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock, MaxF and ordex participated in this meeting.

---

Talked about OpenVPN 2.6.

The DCO patchset from ordex was split into smaller chunks. That 
has paid off by making review easier and thus helping getting it merged 
piece by piece.


The --ifconfig-noexec patch from MaxF is pending review by cron2.

---

Talked about the hackathon. MaxF should know next week if Fox-IT is ok 
with hosting the hackathon or not. Lev's queries to F-Secure have 
progressed, but there's no answer yet.


---

Mattock will be technically on vacation starting next Monday, but he'll 
probably be working a few days to get the community services migration 
in a good state, so that he can relax better.


---

Talked about --mktun. It is a linux-only feature to use openvpn as a 
vehicle to create persistent tun/tap devices (... that can then be added 
to bridge groups, even while openvpn is not running, etc.).


Part of its implementation is rather complex, and its functionality can 
be replaced with an "ip tuntap" command on Linux on modern Linux distros.


Agreed to make --mktun a no-op with a warning on OpenVPN 2.6, then rip 
it out in OpenVPN 2.7.


---

Talked about new Patchwork instance. Decided to try to migrate the 
database from the old Patchwork instance. If that fails, we can resend 
patches that are relevant to the new Patchwork, thus losing a bit of 
history in the process. Mattock will work on the database migration.


---

Talked about Trac. Mattock is making inquiries that will help determine 
if self-hosting Trac (or something else) is really a management 
requirement nowadays.


One migration option is codeberg.org, which is a SaaS service provided 
by a non-profit foundation and that runs on top of Gitea open source 
project. If self-hosting is a thing using self-hosted Gitea.


--

Full chatlog attached
(11:28:20) mattock: hello
(11:28:34) cron2__: early bird
(11:28:41) cron2__: :-)
(11:28:54) mattock: not that early
(11:28:56) mattock: :)
(11:29:01) cron2__: 2 minutes early
(11:30:37) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] has entered the 
room.
(11:30:53) cron2__: ooh, Hackathon
(11:31:13) cron2__: updated agenda :)
(11:33:04) d12fk: hi
(11:33:08) MaxF: hi
(11:34:30) ordex: hi!
(11:34:34) cron2__: ohi ;)
(11:35:00) mattock: sync up?
(11:35:16) ordex: yap
(11:35:27) cron2__: so, 2.5 -> nothing new from my end
(11:36:52) ordex: for 2.6 I got interesting reviews for the DCO patches
(11:37:05) ordex: some will have to be resent (working on them) and some got 
ACK'd
(11:37:17) cron2__: I like the activity that the "split patch into smaller 
hunks" has caused
(11:37:22) ordex: so ideally the ACK'd ones could be piped for final check&merge
(11:37:29) cron2__: so the plan worked (and thanks for your work)
(11:37:30) ordex: cron2__: +1 it worked pretty well
(11:37:41) ordex: although it was a bit painful :D but it's paying back
(11:37:52) ordex: (I also found issues while splitting, so all the better)
(11:37:55) cron2__: ordex: yes, I'll go through them one by one and if it has 
an ACK, I'll apply when that patch is due (or when it can be applied 
independently)
(11:38:20) ordex: yap yap, I think 2 or 3 can go in without waiting
(11:38:23) ordex: thanks
(11:38:44) becm [~b...@55d46585.access.ecotel.net] has entered the room.
(11:39:21) cron2__: this week, I won't get anything done, though - after this 
meeting, I'll be busy with paid work until end of business day, and then 4 days 
sandboarding trip with $kid - so, lots of real sand and friction, not much 
virtual ;-)
(11:39:44) cron2__: I do read IRC and reply to mail, but focused testing is 
very unlikely to happen
(11:40:12) cron2__: mattock: as a side note, can you find plaisthos and dazo on 
internal chat?
(11:40:21) mattock: yes
(11:40:24) mattock: I'll poke them
(11:40:27) cron2__: I really want their opinion on --mktun
(11:40:55) mattock: done
(11:42:00) cron2__: anything else on 2.6?
(11:42:56) djpig [~flicht...@lovelace.lichtenheld.com] has entered the room.
(11:43:06) cron2__: hi :)
(11:43:09) MaxF: I've still got the --ifconfig-noexec patch
(11:43:21) ordex: yap, on my list to review again
(11:43:30) cron2__: MaxF: I think the plan is to get it in after 05 v14
(11:43:32) ordex: --mktun got me busy for the past few days
(11:43:40) ordex: yeah
(11:43:43) cron2__: so we need to make 05 go to v14 first ;-)
(11:43:46) ordex: :D
(11:44:34) cron2__: (and then we need to decide if we want this in 2.5, because 
it's a bugfix - but the 2.5 patch would then look like one of the older 
versions without DCO getting in the way)
(11:44:55) cr

[Openvpn-devel] Community meetings in July 2022

2022-07-05 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 6th July 2022 at 10:30 CEST
- Wed 13th July 2022 at 10:30 CEST
- Wed 20th July 2022 at 10:30 CEST
- Wed 27th July 2022 at 10:30 CEST

The place is #openvpn-meeting IRC channel at libera.chat Meeting agendas
and summaries are in here:



Samuli






[Openvpn-devel] Summary of the community meeting (29th June 2022)

2022-06-29 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 29th June 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, dazo, djpig, lev, mattock, MaxF, ordex and plaisthos 
participated in this meeting.


---

Noted that nothing of importance has happened on the 2.5 front. As 
discussed in previous meeting the recent OpenSSL 1.1.1p release is not 
relevant for OpenVPN.


---

Talked about 2.6. Noted that the essential DNS changes are now in. Also, 
DCO review has progressed well.


---

Talked about the next hackathon. MaxF will request Fox-IT to provide an 
answer in two weeks to question "can OpenVPN hackathon be hosted at 
Fox-IT?" (in Delft, Netherlands). Privately we are prepared to wait 
until end of July for the answer.


The backup location would be Helsinki, Finland. Lev has asked F-Secure 
if they'd be willing to host the hackathon, but has not yet secured an 
answer.


---

Worked on getting cron2's buildbot workers to connect to the new 
buildmaster.


--

Full chatlog attached
(11:27:13) mattock2: hi
(11:27:59) djpig [~flicht...@lovelace.lichtenheld.com] has entered the room.
(11:28:41) djpig: yay, I remembered the meeting time ;)
(11:30:18) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] has entered the 
room.
(11:30:45) dazo: o/
(11:31:21) MaxF: \o
(11:31:41) mattock2: yes
(11:32:14) d12fk: hi
(11:32:31) djpig: moin
(11:33:41) cron2: yo
(11:35:02) cron2 has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2022-06-29
(11:36:27) mattock2: sync up?
(11:37:02) cron2: we have quite a few topics from -01 and from -22 that were 
not finished
(11:37:13) cron2: but anyway
(11:37:36) cron2: 2.5 -> nothing really interesting.  Ordex found a bug that 
looked bad but turned out "just a bug", so no need for a pressing release
(11:37:44) ordex: ay
(11:37:50) cron2: openssl released something new in 1.1.1*, which is also not 
relevant for us
(11:38:58) cron2: anything else on 2.5?
(11:40:22) dazo: Don't think so
(11:40:47) cron2: so, master
(11:41:04) cron2: "the DNS things" are done, I think (thanks, d12fk)
(11:41:24) d12fk: well, started
(11:41:43) cron2: well, the "must have bits for 2.6", at least ;-)
(11:41:54) ***d12fk add checkmark
(11:41:55) plaisthos: moin moin
(11:42:09) lev__: guten tag
(11:42:51) cron2: djpig has been enormously helpful with reviews (THANKS) - 
having a dangling ACK there really gets me moving :)
(11:43:30) ordex: wheee
(11:43:57) MaxF: I'm still waiting for a review on 
https://patchwork.openvpn.net/patch/2502/
(11:43:58) vpnHelper`: Title: [Openvpn-devel,v4] Don't "undo" ifconfig on exit 
if it wasn't done - Patchwork (at patchwork.openvpn.net)
(11:44:04) cron2: DCO is rolling again... now getting real in-depth reviews, 
since we have manageable chunks again
(11:46:10) dazo: MaxF: I started looking into it  and it requires a bit of 
deep dive as these are mostly new code paths for me.  But it's on my list 
unless someone else is quicker than me
(11:46:35) ordex: I am also a candidate reviewer for that patch - but won't get 
to it before we're done with dco, sorry
(11:46:41) dazo: I'm diving into more of the auth code path patches from 
plaisthos as well.  
https://patchwork.openvpn.net/project/openvpn2/list/?series=1580
(11:46:42) vpnHelper`: Title: OpenVPN 2 - Patchwork (at patchwork.openvpn.net)
(11:47:26) cron2: the MaxF patch is in ordex/cron2 land, I think, because we 
did the current code when untangling v4/v6 config
(11:47:46) cron2: I think it looks good, but wanted to verify all the platform 
interactions
(11:47:53) cron2: so I threw it to ordex :-)
(11:47:55) cron2: but anyway
(11:48:10) cron2: mattock2: can you verify that the build army is really 
looking at the right repo?
(11:49:00) cron2: nothing was built (e.g. on "netbsd-81-i386-stable-master") 
since May 31
(11:49:51) cron2: since the DCO and the "undo ifconfig" patch might possibly 
break non-linux/non-freebsd platforms, it would be important to have the 
builders back
(11:54:53) ordex: then?
(11:55:19) cron2: dunno, the mattock thing happened
(11:57:03) cron2: I intend to spend a few more hours on DCO this afternoon, and 
then close to no time on Thu, Fri, Sat - grandparent things, 
kid[1]->birthday_party(), that stuff
(11:57:16) mattock: cron2: you have not migrated your buildbot workers to the 
new master yet
(11:57:31) cron2: mattock: there are no instructions what I have to do
(11:57:44) mattock: you have the VPN configs for all of those?
(11:57:47) cron2: no
(11:57:58) cron2: I have a single VPN config for "me personally", I think
(11:58:04) mattock: let me check the VPN situation first
(11:58:30) cron2: so the old build master is dead now?
(11:59:03) mattock: no, it is not dead
(11:59:07

[Openvpn-devel] Summary of the community meeting (22nd June 2022)

2022-06-22 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 22nd June 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, lev, mattock, MaxF, ordex and plaisthos participated in 
this meeting.


---

Talked about OpenSSL 1.1.1p release. Agreed that none of the fixes are 
relevant for OpenVPN. As there's not much in the pipe for 2.5.8 it was 
decided not to make a new release, nor a new installer release just for 
1.1.1p.


---

Noted that cron2 was not yet able to push to the local openvpn.git repo 
hosted on buildbot-host. That was fixed soon after the meeting.


---

Talked about the next hackathon. MaxF was more hopeful regarding 
organizing it in Delft at Fox-IT. But it was agreed to look into backup 
options, Helsinki in Finland being the first and foremost. Mattock (and 
Lev) will make some inquiries to see if we could find a sponsor for the 
meeting space.


--

Full chatlog attached
(11:43:54) cron2: that sounds not relevant to us
(11:44:02) ordex: if it was, plaisthos would have screamed already
(11:45:36) mattock: so basically there is no point in releasing a new Windows 
_installer_
(11:45:54) mattock: except to avoid the "is OpenVPN affected by the 
vulnerabilities fixed in 1.1.1p" queries
(11:49:05) MaxF: sorry, version 1.1.1p of what?
(11:49:09) ordex: openssl
(11:53:24) plaisthos: yeah, c_rehash is just a script that we don't use
(11:53:27) plaisthos: so whatever :)
(11:54:05) plaisthos: For 2.6 I implemented 1420 as new default MTU and 
pushable MTU
(11:54:28) plaisthos: bringing my outstanding again over 20
(11:54:37) plaisthos: outstanding patches
(11:54:57) cron2: I started reviewing the patch set
(11:55:17) plaisthos: yay! :)
(11:55:21) cron2: but got sidetracked by corp account handling messes, unable 
to push to community repo
(11:55:37) cron2: s/messes/wonderful new technology/
(11:58:16) mattock: cron2: btw. you probably can SSH in to 
buildbot-host.openvpn.net now
(11:59:02) cron2: yay!
(11:59:09) cron2: so what was the issue?
(11:59:12) plaisthos: cron2: OT do you know what the best qemu/kvm driver for 
FreeBSD is? I want to check if kqueue at least helps FreeBSD if it doesn't help 
macOS...
(11:59:26) mattock: I assume it now works, so HBAC rules were incorrect, as I 
assumed
(11:59:48) cron2: plaisthos: sorry, no idea.  My FreeBSDs all run in vmware and 
that one presents e1000 NIC, not virtualized
(12:00:10) cron2: $ git push mattock
(12:00:10) cron2: fatal: '//var/lib/repos/openvpn.git' does not appear to be a 
git repository
(12:00:13) cron2: fatal: Could not read from remote repository.
(12:00:17) cron2: mattock: path changed as well?
(12:00:18) ***ordex runs
(12:00:25) plaisthos: cron2: no problem
(12:00:46) ordex: cron2: I have pushed a dco-wip branch to my personal repo. is 
that something you could pull and feed to the automated tests?
(12:01:45) cron2: ordex: https://gitlab.com/ordex986/openvpn <- this one
(12:01:47) vpnHelper`: Title: Antonio / openvpn · GitLab (at gitlab.com)
(12:01:59) cron2: and "dco" branch?
(12:02:04) ordex: "dco-wip"
(12:02:11) cron2: ah.  wait
(12:02:11) ordex: repo is correct
(12:02:22) ordex: (I mirror gitlab and github, so both are fine)
(12:02:30) cron2: Branch 'dco-wip' set up to track remote branch 'dco-wip' from 
'origin'.
(12:02:47) cron2: running...
(12:02:51) ordex: thanks!
(12:03:03) cron2: mattock: repo path?
(12:03:06) lev__: ordex: does it include windows support
(12:03:38) ordex: not yet
(12:03:42) ordex: will add it on top now
(12:03:47) ordex: this stops at linux for now
(12:04:07) ordex: 14 patches between general infra, linux and doc
(12:04:51) cron2: OpenVPN 2.6_git [git:dco-wip/e1a99ac1ed83139b] 
x86_64-pc-linux-gnu
(12:05:15) ordex: correct
(12:05:32) cron2: make check running... this will take like 20 minutes
(12:06:10) ordex: sure, thanks
(12:06:12) ordex: no rush
(12:06:13) lev__: ordex: please consider this 
https://patchwork.openvpn.net/patch/2492/ for inclusion
(12:06:15) vpnHelper`: Title: [Openvpn-devel] Set o->use_peer_id flag for p2p 
mode - Patchwork (at patchwork.openvpn.net)
(12:06:45) ordex: this should go to master as well, right?
(12:07:12) ordex: will review
(12:07:32) lev__: yeah, well dco also should go to master eventually
(12:08:18) mattock: cron2: /var/lib/repos/openvpn
(12:09:05) ordex: lev__: sure, but that patch is a fix for master, no? not for 
the dco branch alone
(12:09:20) cron2: error: remote unpack failed: unable to create temporary 
object directory
(12:09:23) cron2: To ssh://buildbot-host.openvpn.net/var/lib/repos/openvpn ! 
[remote rejected]   master -> master (unpacker error)
(12:09:59) cron2: mattock: smells like permission error (group etc)?
(12:10:26) lev__: ordex: yes, strictly speaking it is not related t

Re: [Openvpn-devel] [PATCH v2] GitHub Actions: trigger openvpn-build GHA on success

2022-06-16 Thread Samuli Seppänen

Acked-by: Samuli Seppänen 

On 05/06/22 03:40, Lev Stipakov wrote:

From: Lev Stipakov 

After successful builds on all platforms,
start openvpn-build GHA which produces
Windows MSI installers.

Signed-off-by: Lev Stipakov 
---
  v2:

   - bring pull_request trigger back
   - simplify trigger_openvpn_build run condition

  .github/workflows/build.yaml | 19 +--
  1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d34f4e9a..6c267a61 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,6 +1,8 @@
  # The name of our workflow
  name: Build
-on: [push, pull_request]
+on:
+  push:
+  pull_request:
  
  jobs:

checkuncrustify:
@@ -32,6 +34,7 @@ jobs:
- name: Set job status
  run: test ! -s uncrustify-changes.patch
  working-directory: openvpn
+
mingw:
  strategy:
fail-fast: false
@@ -250,7 +253,6 @@ jobs:
- name: make check
  run: make check
  
-

macos:
  runs-on: macos-latest
  strategy:
@@ -344,3 +346,16 @@ jobs:
  ${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.dll
  ${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.pdb
  doc/openvpn.8.html
+
+  trigger_openvpn_build:
+runs-on: windows-latest
+needs: [checkuncrustify, mingw, ubuntu, ubuntu-clang-asan, macos, msvc]
+if: ${{ github.event_name != 'pull_request' && github.repository == 
'openvpn/openvpn' && github.ref == 'refs/heads/master' }}
+
+steps:
+- name: Repository Dispatch
+  uses: peter-evans/repository-dispatch@v2
+  with:
+token: ${{ secrets.OPENVPN_BUILD_REPO_DISPATCH }}
+repository: openvpn/openvpn-build
+event-type: openvpn-commit
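
Review bot: `uses: peter-evans/repository-dispatch@v2` in the new trigger_openvpn_build job refers to a movable tag, and the same step passes it `secrets.OPENVPN_BUILD_REPO_DISPATCH`. Pinning the action to a full commit SHA would keep a retagged release from receiving a token that can start builds in openvpn/openvpn-build. The job only sends a single dispatch request, so `runs-on: ubuntu-latest` would also do in place of `windows-latest`.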





Re: [Openvpn-devel] [PATCH] GitHub Actions: trigger openvpn-build GHA on success

2022-06-15 Thread Samuli Seppänen

Hi,

On 03/06/22 11:03, Lev Stipakov wrote:

From: Lev Stipakov 

After successful builds on all platforms,
start openvpn-build GHA which produces
Windows MSI installers.

Signed-off-by: Lev Stipakov 
---
  .github/workflows/build.yaml | 21 +++--
  1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d34f4e9a..99968aae 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,6 +1,7 @@
  # The name of our workflow
  name: Build
-on: [push, pull_request]
+on:
+  push:


I've understood that this change has no effect, but this is a commonly 
used pattern. So ok with it.


  
  jobs:

checkuncrustify:
@@ -32,6 +33,7 @@ jobs:
- name: Set job status
  run: test ! -s uncrustify-changes.patch
  working-directory: openvpn
+
mingw:
  strategy:
fail-fast: false
@@ -250,7 +252,6 @@ jobs:
- name: make check
  run: make check
  
-

macos:
  runs-on: macos-latest
  strategy:
@@ -344,3 +345,19 @@ jobs:
  ${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.dll
  ${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.pdb
  doc/openvpn.8.html
+
+  trigger_openvpn_build:
+runs-on: windows-latest
+needs: [checkuncrustify, mingw, ubuntu, ubuntu-clang-asan, macos, msvc]
+if: github.ref == 'refs/heads/master'
+env:
+  REPO_DISPATCH: ${{ secrets.OPENVPN_BUILD_REPO_DISPATCH }}
+
+steps:
+- name: Repository Dispatch
+  if: "${{ env.REPO_DISPATCH != '' }}"
+  uses: peter-evans/repository-dispatch@v2
+  with:
+token: ${{ env.REPO_DISPATCH }}
+repository: openvpn/openvpn-build
+event-type: openvpn-commit
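
Review bot: the job-level condition on trigger_openvpn_build, `if: github.ref == 'refs/heads/master'`, does not check which repository the push happened in, so a push to master in any fork also schedules this job, and only the step-level test for an empty REPO_DISPATCH keeps it from dispatching. Adding `github.repository == 'openvpn/openvpn'` to the job's `if:` would skip the job outright outside the main repository and make the step-level `if:` and the job-level `env:` unnecessary.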


Not having done much with GHA I can't tell if this is correct. But we do 
want this feature and Lev has tested it, so ACK.


Samuli




Re: [Openvpn-devel] [PATCH] GitHub Actions: trigger openvpn-build GHA on success

2022-06-07 Thread Samuli Seppänen

Hi,

On 03/06/22 11:03, Lev Stipakov wrote:

From: Lev Stipakov 

After successful builds on all platforms,
start openvpn-build GHA which produces
Windows MSI installers.

Signed-off-by: Lev Stipakov 
---
  .github/workflows/build.yaml | 21 +++--
  1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d34f4e9a..99968aae 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,6 +1,7 @@
  # The name of our workflow
  name: Build
-on: [push, pull_request]
+on:
+  push:


So, does this disable GHA for pull requests? Asking because we allow PRs 
and testing those as well would be good.


  
  jobs:

checkuncrustify:
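
Review bot: the new `on:` mapping at the top of build.yaml lists only `push:`, where the removed line was `on: [push, pull_request]`, so as posted the workflow no longer runs for pull requests. If PR builds should stay, add `pull_request:` under `on:` next to `push:`.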
@@ -32,6 +33,7 @@ jobs:
- name: Set job status
  run: test ! -s uncrustify-changes.patch
  working-directory: openvpn
+
mingw:
  strategy:
fail-fast: false
@@ -250,7 +252,6 @@ jobs:
- name: make check
  run: make check
  
-

macos:
  runs-on: macos-latest
  strategy:
@@ -344,3 +345,19 @@ jobs:
  ${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.dll
  ${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.pdb
  doc/openvpn.8.html
+
+  trigger_openvpn_build:
+runs-on: windows-latest
+needs: [checkuncrustify, mingw, ubuntu, ubuntu-clang-asan, macos, msvc]
+if: github.ref == 'refs/heads/master'
+env:
+  REPO_DISPATCH: ${{ secrets.OPENVPN_BUILD_REPO_DISPATCH }}
+
+steps:
+- name: Repository Dispatch
+  if: "${{ env.REPO_DISPATCH != '' }}"
+  uses: peter-evans/repository-dispatch@v2
+  with:
+token: ${{ env.REPO_DISPATCH }}
+repository: openvpn/openvpn-build
+event-type: openvpn-commit


I have not really used GHA, but if this code works, I'm all for this 
feature.


Samuli




[Openvpn-devel] Summary of the community meeting (1st June 2022)

2022-06-01 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 1st June 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, MaxF and plaisthos participated in this meeting.

---

Talked about Windows snapshot building. Lev has implemented GitHub 
Actions that produce unsigned MSI installers on a daily schedule. The 
installers have signed kernel drivers so they're fully usable by normal 
people. Agreed that such installers are enough for most purposes, so we 
don't necessarily need the Windows Buildbot worker, which is quite an 
effort to maintain. That said, we still want to have a template for 
creating Windows build boxes, as well as the capability to do release 
builds, which means maintaining msibuilder / msibuilder25 in 
openvpn-vagrant.


Agreed that it would be nice to be able to push the MSI snapshots to 
build.openvpn.net. Mattock will first switch over to the new 
build.openvpn.net (DNS + some tweaks), then this automatic pushing can 
be implemented.


---

Talked about OpenVPN 2.5.7. It is now in testing repos of Fedora and 
EPEL and will eventually trickle down to the official repos.


Ubuntu 20.04 package maintainer has expressed interest in the OpenSSL 
3.0 support, but nothing concrete has happened yet.


Noted that OpenVPN 2.5.7 Windows installers still bundle EasyRSA 3.0.8 
and we should upgrade it in a separate Windows installer release.


---

Talked about the next hackathon. According to MaxF hosting it at Fox-IT 
_might_ be more difficult than previously because security on weekends 
has been tightened.


---

Cron2 has been whacking the DCO branch on an Ubuntu 20.04 test server, 
and found interesting and amazing things. For example:


- NCP cipher fail leads to server fatal error -> exit()
- Connect to a DCO enabled server with "--cipher 3DES" on the client, 
server aborts
- Connect in P2P mode, works exactly once, then the server will never 
again respond to new TLS packets coming in


These are being worked on.

--

Full chatlog attached
(11.29.35) dazo: hey!
(11.29.53) mattock: hi
(11.30.06) cron2: yo
(11.31.50) MaxF: hi!
(11.33.17) plaisthos: hey
(11.36.11) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2022-06-01
(11.36.35) mattock: I have about 30 minutes before lunch
(11.36.42) MaxF: go go go!
(11.36.47) mattock: let's get this thing going
(11.37.00) cron2: this is not a way to run a meeting
(11.37.08) cron2: when finally everyone has arrived, the first runs away
(11.37.27) mattock: not yet!
(11.37.56) mattock: Sync up on OpenVPN 2.5 and 2.6?
(11.38.04) cron2: not everyone has arrived... it would be very useful to have 
word from ordex...
(11.38.20) mattock: what if we start with the second topic
(11.38.25) cron2: go!
(11.38.31) mattock: snapshot building & publishing 
(11.38.38) cron2: want! :)
(11.38.42) plaisthos: he is on vacation iirc
(11.38.48) dazo: ordex is on holiday
(11.38.56) cron2: I thought only last week?
(11.39.34) dazo: a few days more
(11.39.42) mattock: so, we now have GitHub Actions configs that generate 
Windows installers on every commit and PR
(11.39.54) mattock: those MSI installers are unsigned, but the kernel-mode 
stuff (drivers) are signed
(11.40.06) mattock: so those are fully usable for testing/use by normal people
(11.40.36) mattock: the second part of this is that maintaining Windows 
automation (buildbot worker) is really time-consuming (for me)
(11.40.44) cron2: nice.  Can we get them published somewhere where people can 
find them, like, on build.openvpn.net, with a time stamp + commit id?
(11.41.21) mattock: having documentation might be enough, but it is probably 
possible to automatically sync those from github to somewhere else
(11.41.31) mattock: using some custom script
(11.41.50) cron2: sounds good (emphasis on "useful filename")
(11.43.04) mattock: there's one piece missing though: GHA only launches on 
commits to openvpn-build, not to openvpn
(11.43.14) mattock: lev might know if that can be fixed somehow
(11.43.57) cron2: we can add github actions to openvpn main repo
(11.44.07) mattock: yeah, true
(11.44.26) cron2: (we have all the test builds for ubuntu and everything, so 
adding windows is "just" a matter of adding the proper lines)
(11.44.55) mattock: related to this I would still like to keep the 
msibuilder/msibuilder25 in openvpn-vagrant, for two reasons:
(11.44.55) mattock: - release builds
(11.44.55) mattock: - for other people who may want to build on Windows
(11.45.05) lev__: we can add step to GHA to upload MSIs to somewhere
(11.45.21) cron2: mattock: yes, that is very useful to have
(11.45.34) mattock: so, we'd end up with
(11.45.34) mattock: - GHA building MSIs
(11.45.34) mattock: - msibuilder/msibuilder25 for build

[Openvpn-devel] Community meetings in June 2022

2022-05-31 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 1st June 2022 at 10:30 CEST
- Wed 8th June 2022 at 10:30 CEST
- Wed 15th June 2022 at 10:30 CEST
- Wed 22nd June 2022 at 10:30 CEST
- Wed 29th June 2022 at 10:30 CEST

The place is #openvpn-meeting IRC channel at libera.chat. Meeting agendas
and summaries are in here:



Samuli




___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] Debian 11 ("Bullseye") OpenVPN 2.5.7 packages also available

2022-05-31 Thread Samuli Seppänen

Hi,

OpenVPN 2.5.7 has been packaged for Debian 11 and is available in our 
Debian/Ubuntu apt repos:




If you have any issues, please let me know.

Ubuntu 22.04 package is also available for testing, but due to (current) 
technical limitations not available in the apt repository. If you want 
to give it a spin, let me know and I'll put it online somewhere.


Samuli




[Openvpn-devel] OpenVPN 2.5.7 released

2022-05-31 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.5.7. 
This is mostly a bugfix release, but adds limited support for OpenSSL 
3.0. Full support will arrive in OpenVPN 2.6.




Source code and Windows installers can be downloaded from our download page:



Debian and Ubuntu packages are available in the official apt repositories:



On Red Hat derivatives we recommend using the Fedora Copr repository.






[Openvpn-devel] Summary of the community meeting (18th May 2022)

2022-05-18 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 18th May 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, mattock, MaxF, ordex and plaisthos participated in 
this meeting.


---

Mattock has completed rebuild and modernization of build.openvpn.net, 
but the switch (old -> new) still needs to be done.


Mattock is almost done with rebuild and modernization of Patchwork in 
Vagrant. Once that is done deploying Patchwork in AWS EC2 will be fairly 
trivial.


After that mattock shall move to upgrading ldap, pwm and trac.

Cron2 will test the community VPN and set up new buildslaves, hopefully 
next week.


---

Talked about the private Git repository currently hosted on 
build.openvpn.net. It is mainly used for testing feature branches with 
buildbot and also for hosting sensitive code not yet releasable for the 
generic public (i.e. fixes to vulnerabilities).


Agreed that having such a local repository is preferable to having a 
private repo on a public cloud-based Git host (e.g. github.com or 
gitlab.com).


Mattock will see how such a repo could be integrated with the new buildbot.

---

Talked about the next hackathon. Agreed that it would be nice to have it 
in Delft. MaxF will ask around at Fox-IT if doing that would be feasible.


---

Noted that 2.5.6 + ossl3 does not work well. Therefore 2.5.7-to-be has 
the ossl3 backports, so we need a 2.5.7 release "soonish". Agreed that 
next Tuesday is doable.


Also noted that upstream (e.g. Ubuntu) needs to be notified of the 
issues so that they can backport the fixes.



--

Full chatlog attached
(11.23.34) mattock: almost meeting time
(11.23.44) ordex: lunch time you mean ?
(11.28.32) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] has entered the 
room.
(11.29.29) mattock: yes, also lunch time!
(11.30.02) MaxF: what, already? time zones are weird
(11.30.09) ordex: not i's just mattock
(11.30.12) ordex: *it
(11.30.42) MaxF: hello, anyway!
(11.31.06) mattock2 [~ya...@mobile-access-bcee3c-243.dhcp.inet.fi] has entered 
the room.
(11.31.57) d12fk: .fi is +3, right?
(11.32.13) mattock: yes, now it is
(11.32.36) d12fk: makes you early lunch explanation
(11.32.52) d12fk: it's LATE actually ;-)
(11.33.10) ***cron2 is here and is not here
(11.34.33) d12fk: omg cron2 is Heisenberg
(11.34.39) cron2: heisencron2
(11.35.12) mattock: let me give an update before I leave for lunch (faster 
typing than on mobile)
(11.35.29) mattock: I've completed rebuild and modernization of 
build.openvpn.net, but the switch needs to be done
(11.35.59) mattock: I'm almost done with rebuild and modernization of patchwork 
- still working in Vagrant, but once that's done deploying it in AWS EC2 will 
be almost trivial
(11.36.18) mattock: from there I shall move to ldap, pwm and trac
(11.36.24) cron2: yeah, now it's my time to do something... test the community 
VPN, set up new buildslave.  I hope I can get stuff done next week.
(11.36.31) ***plaisthos is here
(11.36.41) mattock: trac will be most effort, pwm and ldap should be easier 
(less moving parts)
(11.36.50) mattock: cron2: +1
(11.37.28) mattock: there's one topic related to build.openvpn.net we should 
discuss: there's a local Git repo there which is used to do feature branch 
tests against buildbot
(11.37.41) ***dazo is here
(11.37.56) mattock: could we replace that with a public repository (e.g. 
GitHub, GitLab)?
(11.38.24) cron2: I like the private repository, because it gives me the 
opportunity to share quarantined stuff with you
(11.38.28) mattock: so basically have a public place where you (developers) can 
push branches and then point buildbot at them
(11.38.38) mattock: how about a private public repository?
(11.38.47) cron2: like, prepare a release with CVE stuff, push to build, you 
can test stuff on it
(11.38.48) mattock: where we (developers) have access
(11.39.04) ***cron2 is not trusting github or gitlub to keep anything private
(11.39.11) mattock: I see where this is going :D
(11.39.19) cron2: so what is your reasoning for wanting to go away from build?
(11.39.20) dazo: yeah, I think we should have the internal git repo ... it's 
good to be able to test some builds "internally only" some times
(11.39.29) cron2: (I can do the quarantine stuff on my machine, we've done 
this before)
(11.39.37) mattock: cron2: nothing except to keep the complexity of the setup a 
bit lower
(11.40.32) ordex: +1 for keeping a really private repo - whether this is on 
build.o.n or somewhere else is not important, as long as we don't use gh or gl 
for that
(11.40.34) mattock: but I believe the setup of the private git repository on 
build.openvpn.in has been codified, so reimplementing it is doable as well
(11.40.43) cron2: I'd ke

[Openvpn-devel] Summary of the community meeting (11th May 2022)

2022-05-11 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 11th May 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, MaxF, ordex and plaisthos participated 
in this meeting.


---

Talked about OpenVPN 2.5.

Mattock will spin up a new Windows installer to fix some OpenVPN-GUI 
issues. Luckily OpenVPN was not affected by the OpenSSL issues fixed 
since our previous installer release.


---

Talked about OpenVPN 2.6.

D12fk will submit a patch this week which adds a --dns-support bit to 
IV_PROTO. It is mostly for servers to be able to not push --dns to 
non-compliant clients, to avoid warnings in log files, which reduces the 
potential of clueless support tickets.


The HMAC stuff is all in, thanks to djpig and ordex for lots of review 
rounds + testing.


The xkey patch is waiting for review (from Selva or someone else).

---

Talked about the fix to broken TCP connections on Windows Server 2022:



Lev will ask Simon to give his feedback in the PR, in addition to 
already having given it privately.


--

Full chatlog attached
(11.29.54) mattock: hi
(11.30.28) cron2: yo!
(11.31.08) d12fk: hello
(11.32.17) MaxF: hi!
(11.33.40) mattock: I have about 20 minutes, then I need to head to lunch - can 
follow the discussion with my mobile though
(11.33.53) cron2: you and your food desires... :-)
(11.34.06) cron2 has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2022-05-11
(11.34.27) d12fk: .fi food schedule is slightly shifted, both timezone and 
cultural reasons
(11.34.33) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2022-05-11
(11.36.39) cron2: so - 2.5 updates?
(11.36.51) plaisthos: moin moin
(11.36.59) dazo: moin
(11.37.09) d12fk: I'll submit a patch this week which adds a --dns-support bit to 
IV_PROTO
(11.37.11) mattock: 2.5 installer-vise no, but I'll do a build later today
(11.37.22) mattock: tested lev's new Windows build process and it seems to work
(11.37.34) mattock: installer + new build process are not strictly related 
though
(11.37.53) cron2: d12fk: why?
(11.38.24) cron2: (as in "the server can just push both, without doing harm")
(11.38.44) d12fk: yes, plaisthos requested it for AS
(11.39.03) cron2: so you want to avoid warnings if pushing to an "old" client?
(11.39.20) d12fk: concern is customers getting worried for no reason
(11.39.23) dazo: cron2: it's more for servers to be able to not push --dns to 
non-compliant clients, to avoid warnings in log files, which reduces the 
potential of clueless support tickets
(11.40.01) cron2: so, "yes" :)
(11.40.10) cron2: (not exactly a 2.5 topic, tho)
(11.40.20) d12fk: yeah, my fault
(11.41.16) cron2: but we seem to have nothing else on 2.5 anyway ;-) (except, 
for the minutes "we are not vulnerable to the new openssl security issues, but 
we still release a new installer due to our own bugs")
(11.41.22) cron2: so, 2.6
(11.41.33) cron2: "there will be an IV_PROTO bit for DNS" ;-)
(11.42.14) cron2: the HMAC stuff is all in (thanks, djpig and ordex, for lots 
of review rounds + testing)
(11.42.18) ordex: hi
(11.42.22) plaisthos: I made a patch for ed448/ed25519 for xkey_provider
(11.42.50) cron2: freebsd openvpn-devel port has been updated to master "as of 
last friday", so we might see bug reports
(11.43.14) ***cron2 hopes Selva finds the xkey patch interesting and tests & 
ACKs :-)
(11.43.22) plaisthos: I still need to do the mtu 1400 by default patch
(11.43.29) plaisthos: cron2: yeah it is not something urgent
(11.43.47) plaisthos: who you will currently be hardpressed to find something 
that already supports these certificates
(11.43.56) cron2: ah, plaisthos: does "--mtu-disc yes" work with the 
control-channel MTU patches?
(11.44.40) cron2: so, if I send a control-channel packet and get back a socket 
error "packet too big", will it influence both control+data channel MTU 
settings?
(11.44.54) plaisthos: mtu-disc is data channel iirc
(11.45.13) cron2: mtu-disc is "make the socket don't fragment and report 
errors", so that affects control packets as well
(11.45.13) plaisthos: but it won't change control channel settings
(11.45.20) mattock2 [~ya...@mobile-access-bcee25-0.dhcp.inet.fi] has entered 
the room.
(11.45.21) cron2: mtu-test is "DCO"
(11.45.49) plaisthos: and it never really worked
(11.46.07) cron2: which one?
(11.46.20) plaisthos: because it kicks in after the control channel has been 
already established and OpenVPN lacks the ability to resend and split packets
(11.46.27) plaisthos: (on a protocol level)
(11.47.07) plaisthos: TCP does ACK bytes instead of packets for a good reason, 
so you can try sending less without getting confused about packet id

[Openvpn-devel] Community meetings in May 2022

2022-05-10 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 11th May 2022 at 10:30 CEST
- Wed 18th May 2022 at 10:30 CEST
- Wed 25th May 2022 at 10:30 CEST

The place is #openvpn-meeting IRC channel at libera.chat. Meeting agendas
and summaries are in here:



Samuli






[Openvpn-devel] Summary of the community meeting (27th April 2022)

2022-04-27 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 27th April 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, djpig, lev, mattock, plaisthos participated in this 
meeting.


---

Merged two openvpn-build PRs:

- https://github.com/OpenVPN/openvpn-build/pull/242
- https://github.com/OpenVPN/openvpn-build/pull/243

---

Talked about Uncrustify and noted that we should use 0.72 which has fewer 
undesirable features (bugs) than 0.74. That said, even 0.72 needs some 
tweaks to fix array block initializations (see example in meeting agenda 
page).


We'd also need somebody to check if running uncrustify as part of "git 
am" and "git rebase" is possible.


Also noted that GitHub Actions uses Uncrustify 0.69, which is old. 
However, that will be solved when - hopefully in a few weeks - Ubuntu 
22.04 images are available.


---

Talked about OpenVPN 2.6. Plaisthos' 28 patch series is being reviewed 
by djpig and ordex. Good progress is being made.


--

Full chatlog attached
(11.27.36) mattock: almost meeting time
(11.27.58) ***dazo prepares
(11.28.52) plaisthos: moin moin
(11.29.48) cron2: hola
(11.30.14) cron2: mattock: your powershell script already got an ACK from lev
(11.31.17) mattock: +1, merged
(11.31.32) cron2: and the other one got approved and merged too
(11.31.38) mattock: yeah, great!
(11.31.41) cron2: very efficient meeting
(11.32.56) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2022-04-27
(11.33.28) mattock: uncrustify?
(11.33.55) plaisthos: as you have probably all seen the big patchset for hmac 
3way handshake/control channel improvement is on the mailing list
(11.34.15) cron2: wat, new patchset?
(11.34.21) ***cron2 hides
(11.34.31) cron2: where's dazo and d12fk...?
(11.34.48) ***dazo is here
(11.34.55) ***d12fk is here
(11.36.07) cron2: great
(11.36.09) dazo: I think plaisthos meant this one  
https://patchwork.openvpn.net/project/openvpn2/list/?series=1532
(11.36.11) vpnHelper: Title: OpenVPN 2 - Patchwork (at patchwork.openvpn.net)
(11.36.16) dazo: which is already on the way into master
(11.36.24) cron2: dazo: I noticed :)
(11.36.36) cron2: so, uncrustify.  I need dazo and d12fk's brains here :-)
(11.36.38) plaisthos: cron2: no, no new patchset yet
(11.37.16) cron2: we noticed that 0.72 does "what we have", and 0.74 introduces 
some changes that do not look right, and are not consistent with itself (some 
files get the changes, others not)
(11.37.20) cron2: so, 0.74 is buggy
(11.37.24) cron2: use 0.72
(11.38.14) cron2: that said, it still does "non-desirable" changes - dazo noted 
that in the last commit - on array block initializations
(11.38.25) cron2: see example in the meeting topic
(11.38.59) cron2: it will move these blocks all the way to the left, unless you 
move the opening bracket to "char foo[] = {"
(11.39.07) dazo: yupp
(11.39.10) cron2: but I do like the other style better, for this type of array 
inits
(11.39.36) cron2: so, looking for a volunteer to go through the 473 zillion 
options if there is something for "array initialization indent"...
(11.40.12) djpig [~flicht...@lovelace.lichtenheld.com] has entered the room.
(11.40.59) cron2: ... and then, another volunteer to see if there is a hook 
that fires on "git am" or "git rebase" that we could use... the normal 
pre-commit hook doesn't
(11.41.24) dazo: I believe our indent_brace is set to 0 by default.  But that 
needs to be tested.  There's quite some 'indent_braces' group of options
(11.41.44) dazo: (I just quickly looked at uncrustify --config 
dev-tools/uncrustify.conf --show-config)
(11.41.46) djpig: cron2: I can look into that
(11.42.21) lev__: hello
(11.43.14) cron2: dazo: for regular braces, that's what we want
(11.43.16) cron2: if(foo)
(11.43.17) cron2: {
(11.43.19) cron2:indent
(11.43.19) cron2: }
(11.43.28) dazo: yeah, true
(11.43.31) cron2: so some sort of other braces :-)
(11.43.37) ordex: aloha
(11.43.38) cron2: djpig: cool, thanks
(11.43.47) cron2: aloah lev__, ordex ;-)
(11.44.01) dazo: $ uncrustify --config dev-tools/uncrustify.conf --show-config 
| grep -E ^indent_brace
(11.44.02) dazo: indent_brace = 0 # unsigned number
(11.44.02) dazo: indent_braces = false # true/false
(11.44.02) dazo: indent_braces_no_func = false # true/false
(11.44.02) dazo: indent_braces_no_class = false # true/false
(11.44.02) dazo: indent_braces_no_struct = false # true/false
(11.44.04) dazo: indent_brace_parent = false # true/false
(11.44.06) dazo: that's what we have to play with
(11.44.22) cron2: oh
(11.44.27) dazo: unless there is a different set for "curly braces"
(11.44.50) cron2: so indent_brace = 4, indent_br

[Openvpn-devel] Summary of the community meeting (6th April 2022)

2022-04-06 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 6th April 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, MaxF, ordex and plaisthos participated 
in this meeting.


---

Talked about OpenVPN 2.6:



Noted that tls-cryptv2 will need client support and some tricks to do 
signalling there (packet id starts at magic number instead of 1). This is 
on the "must have" list for 2.6.


Lev has discovered an issue with tap-windows6 driver and Windows Server 
2022 / Windows 11 which in some cases breaks TCP streams. It manifests 
itself by, for example, iperf3 -R via VPN on Windows not working at all. 
Lev has a workaround (fix?) for it already, but he'll do some further 
looking into the problem to see if there's a cleaner solution. This also 
required changes to the build configuration to differentiate between 
Windows 10 and 11.


Noted that there's a Windows GUI bug that breaks escaping of ' in 
passwords. We need a new Windows installer release to fix this.


Noted that OpenSSL 3.0.1 Windows builds are working fine.

Mattock is fixing the auth-user-pass docs.

---

Noted that new production buildbot spams the hell out of us with "Build 
successful" emails. Mattock (hopefully) made it send mails only on failure.


--

Full chatlog attached
(11.27.16) dazo: w00t!?! topic URL is already correct!
(11.27.28) cron2: I got prepared :-)
(11.27.47) dazo: :)
(11.31.13) plaisthos: moin
(11.32.05) cron2: hi
(11.33.42) plaisthos: so on update for 2.6 
(11.34.01) plaisthos: syn cookie like 3way handshake works for 
tls-auth/tls-crypt/none
(11.34.34) ordex: here
(11.34.42) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] has entered the 
room.
(11.34.42) ordex: 2.6?
(11.34.44) plaisthos: tls-cryptv2 will need client support and I also doing 
some tricks to do signalling there (packet id starts at magic number instead 1)
(11.34.46) cron2: very nice
(11.34.51) ordex: isn't it a bit rushed to go in 2.6?
(11.34.59) cron2: it's much too late
(11.35.32) cron2: this is one of our weak spots, allowing reflection and state 
exhaustion attacks
(11.35.59) ordex: yap
(11.36.10) ordex: still in a limited manner though
(11.36.14) MaxF has left the room (quit: Client Quit).
(11.36.44) ordex: but regardless, isn't it late for such a big thing to go into 
2.6?
(11.36.56) cron2: ordex: it's on the MUST HAVE list
(11.37.08) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] has entered the 
room.
(11.37.21) cron2: and it should have been in 2.5 :-)
(11.37.55) ordex: oh
(11.38.10) plaisthos: ordex: what do you mean with lmited manner?
(11.38.39) plaisthos: I updated a few bits in the RFC that I touched during 
that stuff
(11.38.48) cron2: *like*
(11.38.54) ordex: plaisthos: that it's not like we can be used in a DDoS attack 
as amplifier
(11.39.07) ordex: (I think?)
(11.39.17) cron2: we can
(11.39.37) ordex: oh ok
(11.40.48) cron2: with tls-auth/tls-crypt, you need to have that key, of course 
- but if you have a big VPN provider, all clients have the same tls-* key, so 
if one of them is lazy or malicious, it's no perfect protection
(11.41.04) cron2: also, state exhaustion in the server, and attacks against 
ongoing sessions
(11.42.29) plaisthos: you don't need the key
(11.42.39) plaisthos: replay attacks work fine
(11.43.12) cron2: if you can sniff a packet, yes, but "to abuse a random 
openvpn server for reflection", you need to see at least one handshake packet
(11.45.05) mattock: hi
(11.45.07) mattock: time flew
(11.46.01) lev__: hello
(11.46.01) MaxF22 [~m...@27-73-177-143.ftth.glasoperator.nl] has entered the 
room.
(11.46.46) MaxF22: libera webchat really hates me today
(11.47.49) plaisthos: :P
(11.47.58) MaxF has left the room (quit: Ping timeout: 250 seconds).
(11.48.09) ordex: IT REALLY DOES
(11.48.11) ordex: ops
(11.48.25) dazo: !!
(11.48.26) vpnHelper: dazo: temper, temper!
(11.48.29) cron2: haha
(11.48.38) mattock: well somebody here has good manners
(11.48.59) plaisthos: vpnHelper in here, is new
(11.49.00) vpnHelper: plaisthos: Error: "in" is not a valid command.
(11.49.12) dazo: :-D
(11.49.14) cron2: mattock: MAKE IT STOP
(11.49.40) cron2: I am not pushing anything, and the buildbot keeps spamming me 
with "BUILD SUCCESS!" mails
(11.50.00) mattock: cron2: lol yes
(11.50.03) mattock: there are so many builds
(11.50.14) mattock: I'll make it stop for successful builds, just a sec
(11.50.19) lev__: I discovered an issue with tap-windows6 driver and windows 
server 2022 which in some cases breaks TCP streams, it manifests itself in 
iperf3 -R via vpn on windows not working at all
(11.50.24) plaisthos: anyway. Basically something I am doing to

Re: [Openvpn-devel] Community meetings in April 2022

2022-04-05 Thread Samuli Seppänen

In April, not in March as stated before. So

- Wed 6th April 2022 at 10:30 CEST
- Wed 13th April 2022 at 10:30 CEST
- Wed 20th April 2022 at 10:30 CEST
- Wed 27th April 2022 at 10:30 CEST

Samuli

On 5.4.2022 12.19, Samuli Seppänen wrote:

Hi,

Next community meetings have been scheduled to

- Wed 6th March 2022 at 10:30 CEST
- Wed 13th March 2022 at 10:30 CEST
- Wed 20th March 2022 at 10:30 CEST
- Wed 27th March 2022 at 10:30 CEST

The place is #openvpn-meeting IRC channel at libera.chat. Meeting agendas
and summaries are in here:

<https://community.openvpn.net/openvpn/wiki/IrcMeetings>

Samuli






[Openvpn-devel] Community meetings in April 2022

2022-04-05 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 6th March 2022 at 10:30 CEST
- Wed 13th March 2022 at 10:30 CEST
- Wed 20th March 2022 at 10:30 CEST
- Wed 27th March 2022 at 10:30 CEST

The place is #openvpn-meeting IRC channel at libera.chat. Meeting agendas
and summaries are in here:



Samuli






[Openvpn-devel] Summary of the community meeting (30th March 2022)

2022-03-30 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 30th March 2022
Time: 10:30 CEST (8:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, mattock, MaxF, novaflash, ordex and plaisthos 
participated in this meeting.


---

Cron2 noted that the hackathon T-shirts have not yet been sent to 
novaflash for further distribution.


--

Novaflash presented a workaround to the "no IPv6 on community servers" 
dilemma. The proposal is to create subdomains in Cloudflare for each 
community server and turn on IPv6 there without affecting the whole of 
openvpn.net domain. This seems the only reasonable way forward that can 
be done relatively quickly.


--

Talked about OpenVPN 2.6.

Plaisthos has HMAC based (syn cookies) three way handshake working for 
none/tls-auth/tls-crypt. Cron2 is fighting DCO and iroutes right now, 
but he has a path forward. Besides that the patch queue looks fairly 
decent. The big ones are done, there are a few small ones that want to 
be looked at (and old stuff that needs to be revived or closed). Some 
patches in the queue require more careful review before being merged.


--

Talked about community server upgrade. Mattock plans to migrate the 
current (somewhat outdated) community servers to the new VPC, then 
upgrade them one by one.


--

Talked about new production buildbot. It is now email notification 
capable. It was agreed to make it send build failures and other 
notifications to the openvpn-builds mailing list.


Potentially it could be configured to notify "project owners" as well 
if we wanted that.


--

Full chatlog attached
(11.24.21) mattock: meeting time almost here
(11.26.59) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] has entered the 
room.
(11.30.46) novaflash [~novafl...@185-227-75-241.dsl.cambrium.nl] has entered 
the room.
(11.32.45) mattock: anyone here?
(11.32.57) dazo: yupp!
(11.32.58) novaflash: no
(11.33.02) cron2: meow
(11.33.05) MaxF: not me!
(11.33.34) novaflash: hey cron2 - did i neglect to send you my address in 
regards to distribution of t-shirts?
(11.34.26) d12fk: also here mattock
(11.34.37) cron2: no, but after it took weeks to get the addresses, I got too 
busy otherwise... so sorry, t-shirts still sitting here.
(11.34.43) ***cron2 feeling embarrassed
(11.35.01) novaflash: ah okay. so it's not my fault.
(11.35.15) novaflash: we still didn't get ipv6
(11.35.16) cron2: *this* is all my fault.  Everything else can be your fault 
today :-)
(11.35.18) ***novaflash feeling embarrassed
(11.35.38) d12fk: btw, closed the --dns PR on github manually, didn't autoclose 
b/c of the formatting changes by cron2
(11.36.01) novaflash: okay, i already managed to deflect some blame onto dazo 
yesterday, so i'm ready to take on more today.
(11.36.08) cron2: github autodetects merged patches, even if no reference to 
the PR in the commit message?
(11.36.34) d12fk: git can do that
(11.36.55) d12fk: iff the sha is the same
(11.37.29) d12fk: this time it just showed conflicts with master way on the 
bottom
(11.37.48) cron2: well, yeah, that's the uncrustification
(11.38.01) cron2: d12fk: but that's good to know
(11.40.17) mattock: maybe novaflash can mention the potential workaround/fix to 
the IPv6 dilemma?
(11.40.28) novaflash: oh yeah
(11.40.37) novaflash: you can set a different nameserver per subdomain
(11.40.56) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2022-03-30
(11.41.03) novaflash: so we can run another nameserver for community stuff and 
assign the subdomains to that nameserver so it can do ipv4 and ipv6 without 
affecting the rest of the openvpn.net domain's dns settings
(11.41.15) cron2 has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2022-03-30
(11.41.23) novaflash: which, if i understand the situation correctly, can be a 
workaround/solution, at least until the time the company does ipv6 on the whole 
domain.
(11.41.56) cron2: that sounds like a way forward for community :-) - and way 
backward for corp ("we have solved what Gert is complaining about, so we do not 
need to fix the actual thing")
(11.42.01) mattock: "until the time" could be years from now, so I think this 
is a reasonable hack
(11.42.39) cron2: I'm fine if I have IPv6 on everything I want to access 
regularly...
(11.43.06) novaflash: does your fridge have ipv6?
(11.43.31) cron2: it has no network connection
(11.43.42) novaflash: but then how will you access it..
(11.43.46) mattock: I will get worried when they start selling axes that have 
IPv6
(11.44.12) mattock: anyhow
(11.44.22) mattock: novaflash: did you do a PoC about this subdomain thing?
(11.44.28) novaflash: no
(11.44.33) novaflash: but it's trivial to try one
(11.44.42) cron2: novaflash: I walk into the ki

[Openvpn-devel] OpenVPN 2.4.12 released

2022-03-23 Thread Samuli Seppänen
OpenVPN 2.4.12 was released last week. It will be the last release in 
the 2.4.x series, so we encourage you to migrate to latest 2.5.x release 
if you can.


Source code and Windows installers can be downloaded from our download page:



Linux packages are not provided for this release.




[Openvpn-devel] OpenVPN 2.5.6 released

2022-03-16 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.5.6. 
This is mostly a bugfix release including one security fix ("Disallow 
multiple deferred authentication plug-ins.", CVE: 2022-0547). More 
details are available in Changes.rst:




Source code and Windows installers can be downloaded from our download page:



Debian and Ubuntu packages are available in the official apt repositories:



On Red Hat derivatives we recommend using the Fedora Copr repository.






Re: [Openvpn-devel] [PATCH master+release/2.5] vcpkg-ports/pkcs11-helper: adapt to new upstream URL

2022-03-15 Thread Samuli Seppänen

Based on my testing this fixes the Windows build issues.

ACK.

On 14.3.2022 14.03, Lev Stipakov wrote:

From: Lev Stipakov 

Signed-off-by: Lev Stipakov 
---
  contrib/vcpkg-ports/pkcs11-helper/CONTROL| 2 +-
  contrib/vcpkg-ports/pkcs11-helper/portfile.cmake | 8 
  2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/contrib/vcpkg-ports/pkcs11-helper/CONTROL 
b/contrib/vcpkg-ports/pkcs11-helper/CONTROL
index 6a5077fd..ff116364 100644
--- a/contrib/vcpkg-ports/pkcs11-helper/CONTROL
+++ b/contrib/vcpkg-ports/pkcs11-helper/CONTROL
@@ -1,4 +1,4 @@
  Source: pkcs11-helper
-Version: 1.28-3
+Version: 1.28-4
  Homepage: https://github.com/OpenSC/pkcs11-helper
  Description: pkcs11-helper is a library that simplifies the interaction with 
PKCS#11 providers for end-user applications.
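Review bot: the `Version:` line only bumps the port revision and keeps the upstream part as 1.28, while portfile.cmake in the same patch moves to `set(VERSION 1.28.0)`. Consider using 1.28.0 here as well so both files name the same upstream release, or note in the commit message that the difference is deliberate.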
diff --git a/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake 
b/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake
index 0723344e..4a9cd20c 100644
--- a/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake
+++ b/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake
@@ -1,9 +1,9 @@
-set(VERSION 1.28)
+set(VERSION 1.28.0)
  
  vcpkg_download_distfile(ARCHIVE

-URLS 
"https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-${VERSION}/pkcs11-helper-${VERSION}.0.tar.bz2";
-FILENAME "pkcs11-helper-${VERSION}.tar.bz2"
-SHA512 
11b8e554d9223ab9305a3ad7e2b6a9bbece1c09ca8d49276618dec31eefdccf6a32b0db85a28a90334ea42fe809beec83514a31930b79bdbefa368ed4658945b
+URLS 
"https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-${VERSION}/pkcs11-helper-${VERSION}.tar.gz";
+FILENAME "pkcs11-helper-${VERSION}.tar.gz"
+SHA512 
1c1cc7f83ed360fabdcfa68d0eafa7d25be03e68c6a202e7ad2907feb472663bb34e12b9e162344ec221a4298abc02acdc75f0f45d9a89657aa7ac55e59badd5
  )
  
  vcpkg_extract_source_archive_ex(
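Review bot: the new `SHA512` value is the only integrity check on the downloaded archive, and the commit message has no body saying where that digest came from. Because the archive changes from .tar.bz2 to .tar.gz under a different release path, please add a line to the commit message stating how the digest was obtained, so that a reviewer can fetch the file named in `URLS` and reproduce it before acking.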





[Openvpn-devel] Summary of the community meeting (9th March 2022)

2022-03-09 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 9th March 2022
Time: 10:30 CET (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, mattock, MaxF, novaflash, plaisthos participated in 
this meeting.


---

Talked about the upcoming OpenSSL release (with security fixes) and 
agreed that'd be a good time to do an OpenVPN 2.5 release as well.


---

Talked about the multi-defer auth loophole. We have patches that fix the 
immediate problem, but "fix for good" needs a more massive rewrite of 
the deferred auth handling.


Agreed to fix the loophole now and do the proper fix later.

--

Full chatlog attached
(11.39.44) cron2: ah
(11.40.10) cron2: so, let's start
(11.40.53) cron2: a new openssl release is coming next tuesday (3.0.2 and 
1.1.1*) with a security thing.  So that would be a good time to do the upcoming 
2.5.x release
(11.41.38) mattock: +1
(11.41.39) dazo: +1 ... do we get the multi-defer auth stuff part of this?
(11.42.13) plaisthos: severity of the openssl release?
(11.42.43) cron2: dazo: we should - it's waiting for you
(11.44.08) cron2: there was a discussion on details and how to further improve 
the plugin for automated testing, and then it basically ended... but we have 
ACKs on the general patch ("it will fix the problem"), and we seem to agree 
that further improvement could be done (like, remove defer/simple.c)
(11.44.22) dazo: cron2: I might be at loss ... ordex acked it ... you had some 
concerns about the fatal behaviour, but that's what we agreed on was the right 
solution. For testing, lets not test that now in automated testing until we've 
done refinements
(11.45.09) dazo: kicking out defer/simple.c should not block this change.  
That's just another patch removing it, right?
(11.46.32) cron2: I'd remove it right away (so git can see "it got moved and 
then improved") but we can do this in two steps
(11.49.41) dazo: Okay, I see in the mail dialogue there were some complaints 
about NULL==var vs var==NULL ... I can fix those, rename multi-auth.c to 
defer.c and update testing doc?  Is that a plan to move forward?  I'll have 
that done today
(11.49.58) cron2: anyway, the other thing (ending openvpn instead of just 
returning AUTH FAILED) - I missed that part of the discussion, it seems.  Why 
end the process, instead of just fail auth (with a clear message)?
(11.50.09) cron2: the latter would enable automated testing
(11.50.25) cron2: which is something I do a lot, and it finds a lot of corner 
cases :-)
(11.51.02) dazo: Basically, because the behaviour was broken ... and to really 
lead admins into the right direction of trying to understand why auth failed.  
They would have to look at the log files for openvpn far more closely ("Why 
does openvpn stop running?")
(11.51.47) cron2: nah, not "rename multi-auth.c to defer.c" - the new name is 
good, but if you remove the old source in the same go, git will understand "ah, 
file has moved, and then was improved"
(11.51.52) dazo: and also to ensure we don't end up in other corner cases with 
various states which could lead to another circumvention of auth
(11.51.58) plaisthos: dazo: that feels like a very weak argument
(11.52.19) cron2: I think "the server always refuses login" is about as clear 
as "the server dies" - you need to look into the log
(11.52.21) plaisthos: the first part
(11.52.31) dazo: plaisthos: that was one of the arguments brought up, I don't 
recall from whom ... but it was to force admins to look into what's going on
(11.55.21) cron2: if the server always refuses login, don't you think the admin 
will look into it as well?
(11.56.10) dazo: many admins will start saying "have you reset your OTP tokens, 
have done this have you done that" to their users   and then they might 
start looking into logs.  that's my experience with a bit too many "admins"
(11.56.18) dazo: blame the user first
(11.57.34) dazo: And by stopping openvpn on an ill-configured authentication 
setup, from a security point of view, is safer than just kicking rejects.  It 
really ensures the misconfiguration is getting fixed properly.
(11.59.27) dazo: the only argument of not stopping, is automated testing ... 
which is understandable, but perhaps the test framework needs to be able to 
handle crashes of the processes as well?  Isn't that going to improve the 
testing possibilities better?
(12.00.05) cron2: given that systemd will restart openvpn right away, I wonder 
if that is really very useful - it will hide the error behind new startup 
messages
(12.00.40) dazo: systemd will not restart under any circumstances, only some 
 but let me check what happens with our current systemd unit
(12.00.47) cron2: under normal conditions, openvpn on the server *never* exits, 
so 

[Openvpn-devel] Summary of the community meeting (2nd March 2022)

2022-03-02 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 2nd March 2022
Time: 10:30 CET (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

d12fk, lev, mattock, ordex, plaisthos and rob0 participated in this meeting.

---

Noted that email sending in Trac does not work because the recipient 
(e.g. gmail) rejects the From address. Mattock will organize a meeting 
with somebody that has access to Sendgrid to resolve this. Then we can 
start adding Sendgrid-based email delivery to other places as well (Pwm, 
Trac).


---

Noted that buildbot Windows builds broke on several fronts due to change 
in OpenVPN build process (spectre mitigation, openssl3). Those are now 
fixed except for openvpn-gui build which still fails. Mattock will work 
on that.


---

Lev is working on dco-win and fixed a bug when connection stalls (found 
by plaisthos on his hardware). He's also working on adding mssfix 
support. We also now have chachapoly support on Windows 11.


Latest signed dco-win releases could be found here:



---

Talked about secur...@openvpn.net GPG keys. Noted that MaxF needs one 
and that the existing subkeys are soon expiring.


--

Full chatlog attached
(11.31.28) mattock: hi
(11.31.31) mattock: meeting time
(11.31.39) mattock: adding the meeting agenda pages
(11.32.13) MaxF: hi!
(11.32.22) plaisthos: hey
(11.32.28) dazo: hey!
(11.32.35) lev__: hello
(11.32.44) mattock: hi guys!
(11.35.37) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2022-03-02
(11.36.48) d12fk: moin
(11.36.53) mattock: will cron2 be here?
(11.38.40) ***d12fk added --dns to the agenda
(11.38.48) mattock: +1
(11.41.14) mattock: maybe sync-up first?
(11.41.27) mattock: cron2 is not here it seems, but maybe a small status report 
would be ok?
(11.42.11) dazo: yeah
(11.42.59) mattock: I'll start
(11.43.18) mattock: I'm fighting Sendgrid to understand why the emails (that 
get queued) get invalid "From" addresses
(11.43.38) mattock: without visibility at the sendgrid side fixing this is a 
bit challenging, so I may have to do a call with somebody who has that access
(11.44.08) dazo: could it be you need different sendgrid credentials per "from 
identity"?
(11.44.25) mattock: on buildbot side things have progressed, but I was set back 
by two things 1) introduction of spectre mitigation in the Windows build 
process (needed fixes) and 2) openssl3
(11.44.40) mattock: dazo: the credentials are ok
(11.45.22) mattock: the email gets dropped by the recipient email server due to 
malformed From address
(11.45.23) dazo: Or that the envelope sender is not the same as "from" ... and 
sendgrid prioritises (overwrites) "from" with the envelope address? (as an spam 
counter measure)
(11.45.33) dazo: ahh
(11.45.59) mattock: it is hard to tell what exactly is wrong without the 
visibility, so I think I need a session with a person with Sendgrid access to 
resolve it
(11.46.06) mattock: anyhow
(11.46.30) mattock: buildbot windows builds have only one final issue: 
openvpn-gui builds broke, and this seems also related to openssl3
(11.46.36) mattock: code signing etc. is working fine
(11.47.00) mattock: once windows build are working, I want to enable 
notifications (which is also blocked by sendgrid issues)
(11.47.09) mattock: then buildbot will be "in production"
(11.47.21) mattock: now it is, but nobody will know if the builds do not work
(11.47.30) mattock: that's all from my end
(11.50.50) d12fk: is it also the end of status updates?
(11.51.00) mattock: could very well be
(11.51.01) lev__: I am working on dco-win, fixed a bug when connection stalls 
which plaisthos discovered on his hardware. Working on adding mssfix support 
(11.51.16) mattock: we had a volunteer! :)
(11.52.44) lev__: and we also have chachapoly support on Windows 11
(11.53.10) lev__: latest signed dco-win releases could be found here 
https://github.com/OpenVPN/ovpn-dco-win/releases
(11.53.41) mattock: +1
(11.53.47) d12fk: do you know if they will bring chacha to windows 10 with an 
update?
(11.55.32) lev__: I don't know for sure but I doubt
(11.56.11) lev__: but if they do it will work for us, since we probe it in 
runtime
(11.56.56) d12fk: is it in cryptoapi?
(11.57.59) lev__: CNG
(11.58.40) lev__: 
https://docs.microsoft.com/en-us/windows/win32/seccng/cng-portal Cryptography 
API: Next Generation (CNG) is the long-term replacement for the CryptoAPI
(12.02.13) d12fk: Vista onwards, maybe the driver can just be backported, do 
you know if the algos are in a dedicated dll?
(12.03.35) lev__: must be BCrypt.dll
(12.06.22) plaisthos: isn't the driver framework itself that you are using 
win10+?
(12.06.41) lev__: but dco-win requires at least Windows 10 2004 (since that 
framework I 

[Openvpn-devel] Community meetings in March 2022

2022-03-02 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 2nd March 2022 at 10:30 CET
- Wed 9th March 2022 at 10:30 CET
- Wed 16th March 2022 at 10:30 CET
- Wed 23rd March 2022 at 10:30 CET
- Wed 30th March 2022 at 10:30 CET

The place is #openvpn-meeting IRC channel at libera.chat. Meeting agendas
and summaries are in here:



Samuli






[Openvpn-devel] Summary of the community meeting (23rd February 2021)

2022-02-23 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 23rd February 2022
Time: 10:30 CET (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, lev, mattock, ordex and plaisthos participated in this 
meeting.


---

Noted that both Trac and Pwm are unable to send emails right now, for 
unrelated reasons. Mattock will try to get Sendgrid SMTP credentials 
this week to resolve both of these issues (plus get credentials for 
Buildbot).


---

Talked about making --fragment pushable. Since we do not modify the 
actual buffers anymore, pushing --fragment should be possible now. We 
also can't kill --fragment as long as we support tap - people do use 
openvpn to link together ethernet segments.


---

Talked about --mtu-disc. It works for "over IPv4" now, and the missing 
code for "over IPv6" is on the list for review and ACK. That option 
seems rarely used as it has been broken at least since 2.4.3 and never 
worked for IPv6 [and we had not heard about it].


---

Talked about the OpenVPN control channel and noted it can't handle 
smaller MTU paths. At the moment openvpn assumes one control packet per 
TLS record and one TLS record per packet. This is the reason why TLS 
record splitting breaks OpenVPN.


---

Talked about --mtu-test, one of the other exotic OpenVPN --mtu-* 
options. It exchanges a number of packets of varying sizes over OCC, 
trying to figure out if "large packets" get eaten by gremlins on the way 
(like, fragmenting routers). The implementation was rewritten as part of 
the frame stuff, and lost the "varying sizes" part. So, that needs to be 
brought back.


---

Talked about --mssfix. The new 2.6 behaviour is "--mssfix defaults to 
'1492 mtu'" (good), and "if --tun-mtu != 1500" is configured, mssfix 
defaults to *off* (not good). Cron2 proposed that a good default might 
be "if tun-mtu != 1500, then use the inner MTU for mssfix".


--

Full chatlog attached
(11.28.49) mattock: hi
(11.29.01) mattock: my IRC blew up for no particular reason, but now it is fixed
(11.29.49) cron2: hah
(11.30.05) cron2: you were just hiding to avoid my questions about trac and 
e-mail sending...
(11.30.18) mattock: that's being pushed internally
(11.30.34) mattock: we're going to get a bunch of SMTP credentials that will 
send email through Sendgrid
(11.30.42) mattock: that will fix our email sending issues in Trac and pwm
(11.31.52) cron2: "we're going to get" sounds about as exciting as "one day, 
community might have IPv6"
(11.32.01) cron2: this is broken since over a week now
(11.32.43) cron2: anyway... meeting
(11.33.45) d12fk: hi
(11.34.04) cron2: hi :)
(11.34.35) lev__: guten tag
(11.34.50) ordex: sorry - had a thing to put to sleep
(11.35.04) plaisthos: hey all
(11.35.46) mattock: ordex: a small human?
(11.36.10) ordex: yeah
(11.36.11) ordex: quite small
(11.37.20) d12fk: very cooperative
(11.38.43) cron2: mattock: can you explain to the SMTP credential authorities 
that they broke a production service and some people are getting really really 
annoyed at Corp Ops?
(11.39.03) cron2: like "can we not just move this to someone competent" level 
annoyed
(11.39.31) mattock: I will relay your annoyance and bump up the priority of the 
ticket
(11.40.02) plaisthos: cron2: trust us, they are breaking not only community 
stuff :/
(11.40.17) ***ordex listens to Limp Bizkit - Breaking stuff
(11.40.20) plaisthos: we are as annoyed as you are
(11.40.25) mattock: breaking is one thing, getting things fixed quickly is 
another
(11.40.51) mattock: they only broke 50% of our email delivery, the rest was 
just legacy configuration that broke by itself
(11.40.52) cron2: plaisthos: meh :(
(11.42.23) cron2: anyway, shall we look at the agenda? :-)
(11.43.58) d12fk: yeah why not ;-)
(11.43.59) mattock: ok, there was a response from the sendgrid person
(11.44.12) mattock: I'm trying to schedule a meeting with her tomorrow or on 
Friday
(11.45.09) cron2: that is the right spirit, something as trivial as SMTP 
credentials must never be solved just by an e-mail (or corp wiki or whatnot), 
if a meeting is possible
(11.45.15) plaisthos: you need a meeting for credentials?
(11.45.43) cron2: plaisthos: OpenVPN Corp is practising for "We Will Be A 
MegaCorp One Day", I think
(11.46.21) cron2: one of my consulting customers is, indeed, a DAX company, and 
there is no way to get anything done without meetings with 10+ people in there 
that do not serve any other purpose than to agree who to invite for the next 
meeting
(11.46.26) plaisthos: I not yet have to fill out forms where I detail what 
expense goes into what cost object
(11.46.53) mattock: plaisthos: it seems I do need a meeting, yes
(11.47.11) cron2: that is the nicer part of working with a DAX company... "this 
is only

[Openvpn-devel] Summary of the community meeting (16th February 2021)

2022-02-16 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 16th February 2022
Time: 10:30 CET (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, MaxF and plaisthos participated in this meeting.

---

Talked about mbedTLS license incompatibility. MaxF asked about an 
"OpenVPN exception" on the mbedtls mailing list and they were not 
interested in granting one as they'd need to ask every contributor about it.


Decided to drop mbedTLS support from OpenVPN in 2.7. Meanwhile MaxF / 
Fox IT will keep the GPL-compatible version up-to-date with security 
fixes until then. We will point OpenVPN users to that repository and 
warn people about the license incompatibility.


---

Talked about the next 2.5 release. The only missing thing is the plugin 
fix, which is next on cron2's list.


---

Talked about 2.6. The big frame/buffer changes are in. Next in line are 
DCO and DNS. DNS patchset should be ready for final review.


---

Talked about the OpenSSL 3 PR in openvpn-build:



Agreed that having a separate branch for release/2.5 builds would be 
maintainable. Therefore the PR can be merged to master while retaining 
1.1.1 builds in 2.5 releases.


---

Talked about custom triplets in the MSVC build. Lev will check if there 
is another way to do static linking. If not, he'll just use lz4.dll and 
get rid of them to simplify the buildsystem.


---

Noted that Trac can't send notifications because SMTP authorization 
fails. Mattock will create an internal ticket about it.


--

Full chatlog attached
(11.26.02) mattock: hello
(11.26.26) lev__: guten tag
(11.30.13) dazo: hey!
(11.32.04) mattock: anyone else?
(11.33.58) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] entered the 
room.
(11.34.09) MaxF: hello!
(11.34.12) mattock: hi!
(11.37.40) plaisthos: hi
(11.37.58) plaisthos: MaxF: btw. I was never contacted by whoever was looking 
into the license
(11.38.44) cron2: ups
(11.38.47) cron2: I am here
(11.39.14) cron2: alarm clock set to 10:25, decided to "just finish that 
commit"... *g*
(11.39.48) MaxF: plaisthos I don't think they will then. We're using the last 
version of mbedtls that is GPL for OpenVPN-NL 2.5.x
(11.40.20) MaxF: so we'll have to backport any security fixes ourselves
(11.40.47) MaxF: and from 2.6 onward I guess we'll use OpenSSL
(11.44.40) dazo: so ... sync-up?
(11.45.17) novaflash [~novafl...@185-227-75-241.dsl.cambrium.nl] entered 
the room.
(11.46.07) cron2: so this sort of answered 2. "license issue?" already, no?  
We'll keep supporting GPL mbedTLS, and not Apache2 mbedTLS?
(11.47.08) cron2: have "you" (MaxF, plaisthos) mentioned this to mbedTLS folks?
(11.49.02) MaxF: I have asked on the mbedtls mailing list if it would be 
possible to make an exception for OpenVPN
(11.49.21) cron2: that would also work... so, any response?
(11.49.25) MaxF: they say they'd have to ask everyone who ever contributed 
code, so that's not possible
(11.49.52) cron2: but they already asked everybody for the GPL->Apache change...
(11.50.21) mattock: well, I can see the point about asking everyone for every 
single project that wants an exception
(11.50.24) cron2: but the signal is clear "they do not want OpenVPN to use 
mbedTLS anymore, then"
(11.50.25) dazo: maybe they forgot to do that when changing the license 
.
(11.51.09) plaisthos: might be also that they still had full rights when going 
to apache 2 and giving it to the contribution from the arm site
(11.51.21) plaisthos: but the foundation does not have that rights anymore
(11.51.22) cron2: effectively this means we'll have to rip out mbedTLS support 
at some point, maybe for 2.7 - having all this code in there for a backend that 
we can no longer use
(11.51.38) MaxF: cron2 They've been offering GPLv2 **or** Apache, I don't think 
they needed to ask anyone to drop GPL.
(11.53.24) dazo: right
(11.55.01) mattock: anyhow, we keep supporting GPL mbedTLS and drop it in 2.7?
(11.55.49) cron2: annoyance, but this is my reading of the situation
(11.56.46) mattock: should we fork mbedTLS on GitHub then?
(11.57.02) mattock: make it official
(11.57.12) mattock: maybe some other project is in the same situation
(11.58.40) MaxF: we could also wait and see if we need to make any changes. 
Maybe we're lucky and we don't need to do anything until 2.7
(11.58.53) plaisthos: mattock: no, nobody of us wants to maintain mbed TLS
(11.59.32) dazo: I'm not sure we should fork mbedTLS ... that means we need to 
keep up with security updates and follow-up with that maintenance.  I'm not 
sure I see the value of that with mbed TLS.
(11.59.44) mattock: I'm not speaking of a real fork
(11.59.59) novaflash: are we going into matrix territory no

[Openvpn-devel] Summary of community meeting (9th February 2022)

2022-02-09 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 9th February 2022
Time: 10:30 CET (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock and ordex participated in this meeting.

---

Noted that IPv6 on community has not progressed, despite poor excuses. 
Dazo promised to start pushing it internally to get this embarrassment 
fixed for good.


---

Noted that 2.6 is moving forward at slow but steady pace. The DNS and 
DCO patches can be reviewed and tested independently by different 
people, which can help speed things up.


---

Talked about a few patches being crafted on the security list. Agreed 
that we should do 2.4 and 2.5 releases soon after the patches are 
merged, even though there's no reason to rush.


---

Talked about missing 2.5/2.6 man pages on the main website:



Mattock opened an internal ticket for the website team to fix this.

---

Talked about buildbot. Production buildbot is running and mattock is 
finalizing the Windows Server 2019 buildbot worker. Enabling Spectre 
mitigation broke building some time ago and he's adding VS components to 
fix that breakage. Due to esoteric WinRM-related reasons code-signing 
might be broken in EC2, but that remains to be seen.


--

Full chatlog attached
(11.32.29) d12fk: morning
(11.33.08) cron2: meow
(11.33.22) dazo: ey!
(11.33.55) mattock: hi
(11.34.42) ordex: hi
(11.34.57) ordex: I may not be 100% present because the heater technician is 
coming anytime soon
(11.35.03) ordex: but will follow as I can
(11.36.54) lev__: guten tag
(11.37.04) d12fk: Page Topics-2022-02-09 not found
(11.37.25) dazo: ordex: https://youtu.be/sXyciR5oE8o?t=22
(11.37.29) cron2 has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2022-02-09
(11.37.54) mattock: oh yes, a new month again
(11.37.56) mattock: time flies
(11.38.07) mattock: let me fix that
(11.38.10) cron2: a new month, and still no IPv6...
(11.38.42) dazo: cron2: We're replanning internally, we'll be ready for IPv7 
when that arrives
(11.38.44) d12fk: it _is_ the future
(11.38.58) ordex: dazo: exactly
(11.39.30) cron2: not sure how often I've heard *that* excuse in the last 20 
years, but no, it's not a new one... ("IPv6 has so many shortcomings, let's 
just wait for the next thing, it will be much better")
(11.39.31) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2022-02-09
(11.40.22) dazo: Sync up!
(11.40.59) mattock: yep
(11.41.39) cron2: 2.6: not much has happened here... I've reviewed and tested 
most of the remaining frame patches, but got stuck at some point and need to 
discuss the way forward with plaisthos (who had more important priorities for 
the last days).  But, making progress.
(11.42.04) ordex: should we plan for those 2 patches on sec@ ?
(11.42.04) cron2: I've seen dazo+ordex' work on the plugin stuff, will look 
into that tomorrow-ish
(11.42.09) ordex: kk
(11.42.12) cron2: yes, soon
(11.42.23) cron2: "really soon", not "openvpn corp ipv6 soon"
(11.43.11) ordex: hehe
(11.44.52) ordex: moar?
(11.45.14) d12fk: the --dns option PR
(11.45.44) d12fk: I ported it to ovpn3 and it might be merged into master 
soonish
(11.45.58) ordex: I presume that will need to wait more available review cycles 
(?)
(11.46.02) ordex: wait for*
(11.46.07) dazo: Just wondering ... once we're ready to merge the seclist 
patches, should we plan for a 2.4 and 2.5 release related to that?
(11.46.20) ordex: maybe just 2.5 ?
(11.46.22) cron2: yes (but not "rushed")
(11.46.25) dazo: It's not that urgent, but once the cat is out of the bag 
(11.46.38) cron2: we had intended to do a 2.4.12 anyway, and then formally 
close that train
(11.46.43) dazo: yeah
(11.47.09) d12fk: ordex: sure, but it is time to start thinking about the way 
forward
(11.47.35) d12fk: thus, I want to start a rfc on -devel 
(11.48.04) cron2: d12fk: how big is the patchset?
(11.48.14) cron2: ("what granularity")
(11.48.33) d12fk: atm very overseeable
(11.48.40) ordex: let's not forget that after the frame patches we have the dco 
patchset waiting too
(11.49.34) cron2: understood
(11.53.20) dazo: so, frame patches, dco patches and DNS patches ... that's the 
plan, together with the seclist patches in-between where convenient
(11.54.02) cron2: as different people can do review/testing for DCO and DNS 
this can go somewhat in parallel
(11.54.02) dazo: anything burning for review on patchwork for 2.5 or 2.6?
(11.54.40) cron2: we have lev__'s "adjust build options to harden binaries" 
patches for windows build, which are sort of hanging in the cold
(11.54.51) cron2: nobody qualified to review them around, it seems
(11.55.03) cron2: 2207, 2209, 2210
(11.55.20) cron2: ah
(11.55.27) cron2: dazo: I 

[Openvpn-devel] Summary of the community meeting (2nd February 2022)

2022-02-02 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 2nd February 2022
Time: 10:30 CET (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, novaflash, ordex and plaisthos participated 
in this meeting.


---

Novaflash will have OpenVPN Inc ("corp") tickets in Trac reviewed.

---

Talked about OpenSSL 3 and easyrsa3. According to wiscii the changes 
required are minor, so we should be able to continue using easyrsa3. The 
fix could even be applied on the fly as a patch.


---

Agreed that we should release 2.4.12 after completing mattock's ongoing 
tasks. In particular:


- Windows EC2 buildbot worker (requires a small fix + buildbot glue)
- ovpn-dco packaging (not started)

---

Talked about OpenVPN 2.6 release. There are plenty of patches to review 
and test. For the gory details refer to the full chatlog.


---

Noted that OpenSSL 3.0.0 (bundled with Fedora 36 right now) should work 
with OpenVPN just fine, even though you might encounter some deprecation 
warnings if using it.


---

Note that there's no progress on the community IPv6 front.

---

The new community Buildbot is now in production and is tracking almost 
all openvpn projects worth building. The Windows EC2 buildbot worker is 
almost done. The new community VPN server is available for real people 
and buildbot workers alike. Cron2 will try to get one of this buildbot 
workers connected to buildmaster before the next meeting.


--

Full chatlog attached
(11.31.25) mattock: hello
(11.32.19) cron2: meow
(11.33.23) lev__: hellow
(11.33.42) dazo: Yo!
(11.36.21) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2022-02-02
(11.36.41) cron2 has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2022-02-02
(11.37.12) cron2: that agenda looks messy
(11.37.41) mattock: I cannot be blamed because it's not my doing!
(11.39.16) cron2: fixed
(11.39.32) novaflash [~novafl...@185-227-75-241.dsl.cambrium.nl] entered 
the room.
(11.39.58) cron2: updated
(11.40.56) dazo: lets kick off with 2 and throw novaflash under the bus! ;-)
(11.41.12) novaflash: that's where i belong
(11.43.29) cron2: so... #2 can be handled fairly quickly... can we revive the 
activities regarding corp products in community trac again, please?  thanks :-)
(11.44.08) dazo: novaflash: can you follow up on that? ^^^
(11.44.15) novaflash: yeah.. i'll see what can be done
(11.44.24) cron2: thanks!
(11.44.40) cron2: #1 is "what can we do about easyrsa3 with openssl3"
(11.45.01) cron2: wiscii says "it just works, with a small bugfix", if I 
understood that right (over in #openvpn-devel)
(11.47.12) cron2: consequence of that: we should be able to ship 2.6 with 3.0.1
(11.47.37) dazo: What does "small bugfix" imply?
(11.48.09) cron2: either it gets fixed upstream or we patch at build time 
("like we do for pkcs11-helper, etc.")
(11.48.37) dazo: fine ... but how small is that fix?
(11.49.14) novaflash: 2 inches
(11.49.35) cron2: he did not say... backlog in #openvpn-devel of today around 
2am
(11.54.53) dazo: If an updated easy-rsa could be made available soonish, we're 
all good.  That would also indicate how small and intrusive the change is.
(11.56.14) mattock: +1
(11.57.00) mattock: sync up?
(11.57.59) cron2: I can live with having the patch available just fine
(11.58.44) cron2: getting the patch merged could be complicated, if there is no 
active maintainer
(11.58.58) dazo: We should probably get 2.4 into that list  do we have 
anything in the pipe for 2.4?  Just to do the last release before switching to 
old-stable
(11.59.25) dazo: cron2: I'll try to reach out to ecrist and check the situation
(11.59.34) ordex: hi hi
(11.59.35) cron2: 2.4 has some minor bugfixes
(11.59.36) ordex: sorry for being late
(11.59.59) dazo: Does 2.4 have any unreviewed changes we want to include?
(12.00.08) cron2: not that I'm aware
(12.00.28) dazo: so, basically we can do a 2.4 release as soon as mattock is 
ready for it then ...
(12.00.59) mattock: I suggest "after windows EC2 buildbot worker and after 
ovpn-dco packaging"
(12.01.19) mattock: the former is lacking a small fix (authorization issue) + 
buildbot glue
(12.01.27) dazo: https://termbin.com/zcmq   shortlog 2.4.11 to release/2.4
(12.01.31) mattock: the latter I did not start doing, but ordex may be on it
(12.02.36) dazo: Agreed ... lets complete on-going tasks, then do the 2.4.12
(12.03.08) d12fk has left the room (quit: Remote host closed the 
connection).
(12.03.20) d12fk [~he...@exit0.net] has joined the room.
(12.04.55) mattock: 2.6?
(12.05.04) mattock: Windows builds + openssl?
(12.05.27) lev__: there are few patches waiting for review
(12.05.35) lev__: related to ossl3
(12.05.36) cron2: I managed to get one buffer pa

[Openvpn-devel] Community meetings in February 2022

2022-02-02 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 2nd February 2022 at 10:30 CET (ongoing)

- Wed 9th February 2022 at 10:30 CET

- Wed 16th February 2022 at 10:30 CET

- Wed 23rd February 2022 at 10:30 CET


The place is #openvpn-meeting IRC channel at libera.chat. Meeting agendas
and summaries are in here:



Samuli




___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] Summary of the community meeting (19th Jan 2022)

2022-01-19 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 19th January 2022
Time: 10:30 CET (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, MaxF, ordex and plaisthos participated in 
this meeting.


---

Ordex said that the DCO patchset is out as RFC, but will still take some 
time to run more tests and to possibly gather some more external feedback.


---

Dazo is ironing out some FIPS related issues in Git master, which 
impact the dco branch as well.


---

Lev has fixed pkcs11-helper for windows, which was lacking EC support.

---

Mattock is fixing some shared Puppet code to be able to use it for VMs 
in community VPC. After this he will move to setting up the OpenVPN 
server for buildbot use.


---

MaxF noted that one of their customers has a lawyer looking into the 
MbedTLS license incompatibility issue. Plaisthos will help in this 
process as well.


---

Plaisthos will review the latest version of the xkey patchset. The 
current version is already in use in OpenVPN for Android.


---

Agreed that nothing is holding back the final 2.4.x release.

--

Full chatlog attached

(11.30.08) cron2_: good morning sunshines
(11.30.26) plaisthos: moin moin
(11.30.42) dazo: 
(11.31.14) MaxF: hi! Now I finally put this meeting into my calendar
(11.31.55) cron2_: yeeha!
(11.32.55) MaxF: I would have forgotten it again otherwise
(11.34.06) dazo: I thought I had corrected it the few last two times  and 
came to an empty room :-P
(11.34.31) mattock: howdy
(11.36.09) dazo: https://community.openvpn.net/openvpn/wiki/Topics-2022-01-19
(11.36.35) ordex: morgen
(11.40.12) dazo: 10 minutes  and meeting not started  shall we?
(11.40.37) MaxF: I'm ready
(11.40.40) cron2_: I'm here
(11.40.51) mattock: we shall
(11.41.03) mattock: sync up
(11.41.18) ordex: yap
(11.41.30) ordex: for 2.6 we are a bit behind the schedule
(11.41.44) ordex: DCO patchset is out as RFC, but will still take some time to 
run more tests
(11.41.50) ordex: and possibly gather some more external feedback
(11.42.05) ordex: I have asked dazo and mattock to help me package the dco 
branch so that people can easily test on their distros
(11.42.24) ordex: hopefully this will lead to some additional feedback compared 
to what we got until now
(11.44.01) dazo: I'm ironing out some FIPS related issues we have in git 
master, which impacts the dco branch as well  Fedora + RHEL/CentOS has FIPS 
enabled OpenSSL libraries, so it explodes currently.  I can have patches for 
that out pretty soonish
(11.44.38) lev__: pkcs11-helper for windows was lacking EC support, this is now 
fixed and is waiting for review/test/merge
(11.44.50) lev__: but I don't know how to test it
(11.46.15) lev__: also I now have working HLK setup, just passed all required 
tests for Windows 10 x64 WHCP (ex-WHQL) certification
(11.46.46) lev__: WHCP certification is optional. but with that one could push 
driver into Windows Update
(11.48.30) mattock: I'm in the process of cleaning up some of Puppet code so 
that it can be reused for the new community AWS setup - it is a requirement for 
the actual production deployment
(11.48.56) mattock: that moves forward well, but requires some concentrated 
effort
(11.49.14) mattock: once the code works for community AWS I can start setting 
up an OpenVPN server for buildbot usage
(11.49.31) mattock: sorry, not really 2.5/2.6 related, though sync-up
(11.50.02) lev__: mattock: would it be possible to resurrect snapshot windows 
builds
(11.50.19) mattock: yes, it will be possible with new buildbot
(11.50.38) mattock: the Windows builder code is complete and supports building 
MSIs with signing and all
(11.50.40) cron2_: how's that song "wake me up when September ends"
(11.50.46) lev__: would be nice to have dco branch (or we just use ordex repo?) 
with all dco-related stuff there
(11.51.06) ordex: I have pushed the dco branch to the OpenVPN repo, so that we 
can build from there
(11.51.09) ordex: rather than my own repo
(11.51.11) cron2_: I've been waiting on that great new buildbot (to get rid of 
my python2 stuff) about as long as for ipv6 on community... so, I'm going to 
sleep a few more months...
(11.51.21) lev__: there is windows dco build, but it is very old
(11.51.31) mattock: cron2: yes, I know, all the delays
(11.51.32) lev__: build->installer
(11.51.51) mattock: I think it will be ready before next September though :)
(11.53.13) cron2_: let's hope for the best
(11.55.30) cron2_: more seriously: for 2.6 release it will be crucial to have 
windows build snapshots
(11.55.59) cron2_: so people can really test stuff
(11.56.26) mattock: yes, we shall have snapshots by then
(11.57.20) mattock: keep mounting the pressure on me! :)
(11.59.21) cron2_: nah, I've give

[Openvpn-devel] Summary of the community meeting (12th January 2022)

2022-01-12 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 12th January 2022
Time: 10:30 CET (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, mattock, ordex and plaisthos participated in this meeting.

---

D12fk said his DNS patch will be arriving as a GitHub PR shortly after 
the meeting. Plaisthos will take a look at the PR when it is ready.


---

Mattock now has new production buildmaster running in a new, shiny 
community VPC, but it is not accessible from the outside. The next step 
is to add OpenVPN server to the VPC to grant access to buildbot workers 
and people who need access. Mattock will provide new OpenVPN configs for 
cron2 and wiscii when the server is ready.


Noted that the Windows buildbot worker does not yet run connectivity 
tests for the MSI installers it creates and signs. Adding that support 
should be fairly straightforward however, given mattock semi-automated 
Windows-based testing with Powershell earlier.


---

Talked about IPv6 on community.openvpn.net. Nothing has happened on that 
front, but fortunately IPv6 is gaining traction globally and there might 
eventually be progress on this as well.


--

Full chatlog attached

(11.18.29) cron2: I'm fighting IPSEC VPN, so might be a tad late
(11.24.21) mattock: install OpenVPN instead
(11.31.15) mattock: hello
(11.31.45) mattock: any young and enthusiastic software developers here today?
(11.31.53) mattock: or if not young, at least enthusiastic?
(11.32.09) ordex: hi
(11.32.56) d12fk: hello
(11.33.15) d12fk: cron2: what are you fighting with?
(11.33.39) d12fk: mattock: can serve with being here at least ;-)
(11.33.50) mattock: d12fk: that is enough :)
(11.34.11) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2022-01-12
(11.34.18) mattock: pure copy and paste that agenda
(11.34.21) cron2: now!
(11.35.22) cron2: d12fk: migrating corporate customer VPN from "IKEv1 on 
Netscreen" to "IKEv2 on Fortigate", with all the possible crap out there, like 
"Cisco ASA" or "opnsense"...
(11.35.40) cron2: *this* episode was "a pre-shared key starting with 
0x"
(11.36.05) cron2: which netscreen and opnsense interpret as, well, "hex digits 
describing the key" and fortinet just takes verbatim as "it is a key that 
starts with 0, x, ..."
(11.36.41) d12fk: have not seem many binary PSKs
(11.36.50) d12fk: *seen
(11.37.02) cron2: neither have I, so that came unexpected...
(11.37.13) ordex: how was 'x' interpreted? o-o
(11.37.19) ordex: just ascii ?
(11.37.34) cron2: just ascii on the FG side, so "key mismatch"
(11.37.47) ordex: indeed
(11.38.35) cron2: so, agenda :-)
(11.39.04) d12fk: off agenda, I can announce that the --dns PR will appear 
shortly after this meeting
(11.39.10) cron2: nice
(11.39.30) cron2: my plate is full with buffers
(11.40.18) d12fk: yeah no rush
(11.40.34) mattock: update on my part: production buildbot exists in a new, 
shiny community VPC, but is still unreachable due to lack of openvpn server
(11.40.43) mattock: so openvpn server is the next step for me
(11.41.40) cron2: ok.  Will this be transparent to the build clients (same 
credentials, same hostname) or do they need new configs?
(11.42.09) plaisthos: I will take a look at the dns pr after I am done with xkey 
patch set
(11.43.01) mattock: cron2: I think I'll create a completely new openvpn + CA 
for that - otherwise I'd need to upgrade and migrate other stuff over to the 
new AWS first
(11.43.33) cron2: okay
(11.43.35) mattock: I can create new client configs for you
(11.44.03) cron2: yes, please (and for wiscii, don't think anyone else 
non-mattock runs a buildslave today)
(11.44.15) mattock: yep
(11.48.28) mattock: anything else for today or was this one the shortest 
meeting ever? :)
(11.49.17) d12fk: the ipv6 for community question needs to be answered
(11.49.21) cron2: I wonder how to proceed with Lev's windows build patches
(11.49.46) cron2: https://patchwork.openvpn.net/patch/2214/ and 
https://patchwork.openvpn.net/patch/2215/
(11.50.03) mattock: d12fk: yep, no progress on IPv6 front
(11.50.09) cron2: I can merge that ("it's not touching code, so I am not very 
concerned") but having an actual test would be good...
(11.51.30) d12fk: don't we run a windows buildslave?
(11.52.39) mattock: d12fk: not at the moment
(11.52.57) mattock: the new buildmaster will have a MSVC buildbot worker
(11.53.32) d12fk: ah the new one is not active, yet
(11.53.51) d12fk: my bad
(11.53.52) mattock: no
(11.54.07) cron2: will it also install the result and test it?
(11.54.20) mattock: at the moment it only produces signed msi packages
(11.54.39) mattock: but adding tests should not be too difficult
(11.55.36) mattock: I have powershell code (which broke some time ago, but 
should be easily fixable) for testing wi

[Openvpn-devel] Community meetings in January 2022

2022-01-03 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 5th January 2022 at 10:30 CET
- Wed 12th January 2022 at 10:30 CET
- Wed 19th January 2022 at 10:30 CET
- Wed 26th January 2022 at 10:30 CET

The place is #openvpn-meeting IRC channel at libera.chat. Meeting agendas
and summaries are in here:



Samuli





[Openvpn-devel] Summary of the community meeting (15th Dec 2021)

2021-12-17 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 15th December 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, MaxF, novaflash, ordex, plaisthos, 
rob0 and syzzer participated in this meeting.


---

Talked about the mbedtls dropping dual licensing (GPLv2 + Apache License 
2) in favor of Apache License 2. This will probably make OpenVPN, which 
is GPLv2 only, incompatible with mbedtls. The question here depends on 
whether mbedtls can  be considered a system library. If yes, our use of 
mbedtls would not trigger license incompatibility. Agreed that 
contacting an open source license lawyer about it might be a good idea.


---

Agreed to change meeting time to 10.30-11.30 CET/CEST. This works for 
everyone who attends the meetings regularly, except rob0 from the US, 
who was fine with the change nevertheless.


---

Talked about Google Titan and Yubikey giveaway. Agreed that community 
developers should get the free ones and OpenVPN Inc. developers can get 
ones from the company.


---

Talked about mssfix. Agreed to set default mssfix to 1492.

--

Full chatlog attached


(15.00.14) mattock: hello
(15.00.20) MaxF: hello!
(15.00.30) mattock: hi!
(15.02.12) lev__: hello
(15.02.38) d12fk: hihi
(15.02.44) mattock: hi all!
(15.03.01) mattock: cron2 said he will join but may be distracted
(15.03.48) plaisthos: hey!
(15.03.55) plaisthos: MaxF: have you seen the license mail?
(15.04.09) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-12-15
(15.04.12) MaxF: yes, and I did some googling
(15.04.29) MaxF: GPLv2 and Apache don't seem to be compatible :/
(15.04.47) cron2: I'm here, but we're having a heated discussion $overthere 
about VPN access to corp network...
(15.05.01) MaxF: http://www.gnu.org/licenses/license-list.html#apache2
(15.05.42) cron2: is dazo around?  he seems to understand licensing best (from 
the core team)
(15.05.46) cron2: can one of you wake him? :-)
(15.06.00) mattock: I tried already
(15.06.14) mattock: he woke up
(15.06.24) dazo: I'm here!
(15.08.22) dazo: So ... GPLv2 is incompatible with Apache License 2  
https://fedoraproject.org/wiki/Licensing:Main#Good_Licenses
(15.09.05) ordex: heya
(15.09.09) ordex: partly here too!
(15.10.42) plaisthos: MaxF: maybe Fox IT has still contacts with mbed TLS 
people and ask if there is any chance for our GPL2 only project to be able to 
continue to use mbed TLS
(15.11.25) MaxF: I don't think we still have contacts, but I'll ask around
(15.11.36) dazo: In regards to the LZO license exception  That is for 
OpenSSL only.  The question is if OpenSSL or LibreSSL can be considered a 
system library; likewise for mbed TLS.  But that is not something we can 
decide, that is the distro needing to define that.
(15.12.31) ordex: basically who builds the package?
(15.13.49) dazo: kinda ... both the SSL/TLS library packager but also the whole 
OS/distro project, I'd say
(15.14.26) MaxF: in OpenVPN-NL, we statically link with an mbedtls version that 
we check out, so I don't think we can claim it's a system library
(15.14.30) dazo: "We consider the SSL/TLS library a critical and important 
component of this OS. It cannot function without it"
(15.14.50) MaxF: or am I misunderstanding that term?
(15.14.54) dazo: MaxF: That is true, static linking breaks the system library 
part
(15.15.17) cron2: windows building also breaks it, as we ship the SSL library 
(OpenSSL, in that case)
(15.16.18) dazo: The OpenSSL 1.x and older license challenge is a bit 
different, so there *we* need to grant a linking exception.  While with the 
Apache license that is the reverse, I believe
(15.17.00) plaisthos: with apache it is the same for OpenVPN + OpenSSL 3.0
(15.17.15) dazo: Yeah, that is something which will bite us too
(15.18.34) plaisthos: You must obey the GNU General Public License in all 
respects for all of the code used other than OpenSSL. 
(15.18.39) plaisthos: is what we have in our COPYING
(15.18.57) dazo: MaxF: in regards to static linking ... if the OS you build on 
provides a static linkable version, linking against that would probably be fine 
and considered part of the system library.  But building your own mbed TLS and 
linking statically will not be a system library.
(15.19.04) plaisthos: so if something in the GPL would not hold true for the 
OpenSSL library then you still free to use
(15.19.40) MaxF: dazo Well, that's unfortunate
(15.20.34) mattock: perhaps this would be material for an open source license 
specialist
(15.20.44) dazo: Yes, I think so
(15.21.16) mattock: we want to avoid screwing this thing up, especially if we 
have to go through the relicensing process
(15.21.26) dazo: I see our OpenVPN 2 Copying even has a link

[Openvpn-devel] OpenVPN 2.5.5 released

2021-12-15 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.5.5. 
The most notable changes are Windows-related: use of CFG 
Spectre-mitigations in MSVC builds, bringing back of OpenSSL config 
loading and several build fixes. More details are available in Changes.rst:




Source code and Windows installers can be downloaded from our download page:



Debian and Ubuntu packages are available in the official apt repositories:



On Red Hat derivatives we recommend using the Fedora Copr repository.






[Openvpn-devel] Summary of the community meeting (8th December 2021)

2021-12-08 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 8th December 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, MaxF, novaflash, plaisthos, rob0 and 
syzzer participated in this meeting.


---

Talked about getting IPv6 to community.openvpn.net. There has been no 
progress on this front.


---

Talked about OpenVPN 2.5.5. MaxF found out that OpenVPN release/2.5 and 
master segfault if mbedtls is compiled without blowfish support. He'll 
provide a patch for this that will be included in 2.5.5.


Due to the above decided to postpone 2.5.5 release to Wednesday 15th 
December 2021.


---

Decided that cron2 will send the US-bound hackathon T-shirts to 
novaflash who can ship them to the US.


--

Full chatlog attached


(15.00.05) d12fk: hi
(15.00.35) rob0: it's That Time Again
(15.00.44) novaflash [~novafl...@185-227-75-241.dsl.cambrium.nl] has joined 
the room.
(15.02.18) mattock: hi!
(15.02.46) novaflash: ugh
(15.02.51) cron2: gu
(15.04.25) cron2 has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2021-12-08
(15.04.48) cron2: shall we start with something simple?  ipv6 to community?
(15.05.22) novaflash: that'll take a long time, we're still in the process of 
getting a community-only infrastructure. it's a slow process.
(15.05.55) cron2: not sure this is answering the same question
(15.06.10) novaflash: oh sorry. i thought it was about the community 
infrastructure like forums and such.
(15.06.18) mattock: ha
(15.06.23) cron2: "ipv6 to community" is as simple as checking the "[X] yes, 
ipv6" checkmark on cloudflare, for openvpn.net
(15.06.31) novaflash: okay. same thing.
(15.06.33) cron2: but The Company is afraid
(15.06.41) mattock: yes
(15.06.46) novaflash: ya hence we need to get our own community infrastructure
(15.06.51) cron2: forums.openvpn.net has IPv6 address 
2600:1f1c:702:ae00:57df:e63:fbd0:a360
(15.06.58) cron2: it's not an *infrastructure* issue
(15.07.08) novaflash: semantics
(15.07.09) cron2: it's Massive Corporate Silliness
(15.07.31) novaflash: i'll pass that along to andrew;-)
(15.07.37) plaisthos: yeah, fear of the "enable ipv6" button
(15.07.39) cron2: you could run community wherever you want, if Corp does not 
allow the checkbox item on cloudflare to be set, because We Have Doubts, 
community won't have ipv6
(15.08.02) lev__: hello
(15.08.02) cron2: novaflash: feel free to quote me on that :-)
(15.08.07) MaxF: hello!
(15.08.14) cron2: hi maxf, lev__
(15.08.17) mattock: hi
(15.09.41) mattock: ok, next topic?
(15.09.43) cron2: are ordex, dazo, d12fk joining?
(15.09.52) cron2: next topic would be 2.5, me thinks
(15.09.54) novaflash: i think ordex is on a public holiday
(15.10.25) ***rob0 is not a fan of cloudflare, at least not for everything
(15.11.12) d12fk: cron2: I was the first here ;-)
(15.11.41) ***cron2 polishes his glasses
(15.11.51) novaflash: i just pinged dazo, he'll be joining shortly
(15.11.55) d12fk: ordex: has a public holiday
(15.11.56) cron2: oh, yeah, a d12fk has appeared!  in a blinding flash of light!
(15.12.01) dazo: sorry, I'm here ... forgot about time
(15.12.30) novaflash: yes time is something that slips my mind too. space too 
sometimes. sometimes both at the same time and then the universe is gone.
(15.12.52) rob0: I hate it when that happens.
(15.12.57) cron2: tried to join a meeting today... first, wrong timezone (DE 
vs. UK).  Then, right time, still no meeting.  Meeting was yesterday...
(15.13.10) cron2: so yeah, I know what you mean
(15.14.16) cron2: 2.5?
(15.15.03) mattock: the famous upcoming 2.5.5
(15.16.45) lev__: yeah I guess we're ready for it
(15.17.09) lev__: there were quite a few changes/bugfixes in openvpn and gui 
since 2.5.4
(15.17.28) syzzer: cool. any new bugs too?
(15.17.29) mattock: yep
(15.19.42) cron2: not sure if anyone tested last week's installer, since it was 
not announced...
(15.19.58) mattock: I think wiscii tested it, but I could be wrong
(15.20.57) MaxF: I still have a patch that I would like to get into 2.5. The 
one where OpenVPN deletes IP addresses on exit even with --ifconfig-noexec
(15.21.16) cron2: yeah, sorry.  I got plaisthos'ed
(15.21.34) cron2: (to plaisthos someone = swamp in 20+ patches :-) )
(15.21.36) novaflash: that sounds uncomfortable
(15.21.41) MaxF: yeah, I saw that too
(15.22.23) cron2: turning that around - I saw you looking at 7/9 v2 of the 
"cipher" patchset.  Any good? :-)
(15.25.41) cron2: ok, back to 2.5 - so, either we do 2.5.5 soonish 
("tomorrow"), and merge MaxF's patch into 2.5.6, or we delay another week
(15.25.55) MaxF: looked good to me. Then I had a segfault while running the 
unit tests, then I found that that happens too with the latest master
(15.26.01

[Openvpn-devel] Summary of the community meeting (1st December 2021)

2021-12-01 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 1st December 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

dazo, d12fk, lev, mattock, plaisthos and rob0 participated in this meeting.


---

Talked about OpenVPN 2.5.5. Mattock provided preview installers with 
2.5.4 label for it last week:






These installers have not yet been thoroughly tested. Once they are, we 
can push out 2.5.5.


---

Talked about the status of OpenVPN 2.6:



D12fk started looking at the new dns option today.

Dazo's potential fix to the multiple auth-plugin mess is in internal 
review and once that's done it will go to the mailing list. Dazo will 
provide a similar fix for 2.5.


Plaisthos has two patchsets pending. The first one is changing cipher 
and auth from cipher_kt to const char and the second is the buffer 
overhaul, which will change the wacky and incorrect mssfix calculation.


Talked about split-dns in the context of 2.6. Agreed that full split-dns 
support is for 2.7, even if we happen to include some parts of it in 2.6.


---

Talked about extending t_client tests. This, in combination with the new 
buildbot infrastructure, will allow developers to test potentially 
breaking changes easily with good test coverage. Mattock can finally 
start creating the new buildbot production infrastructure (all blockers 
have been resolved).


---

Talked about moving 2.4 to oldstable. There have been no issues with 2.4 
since latest June, so it should be doable.


--


Full chatlog attached




(14.58.41) mattock: almost time
(15.00.26) d12fk: ready
(15.01.15) plaisthos: me too
(15.01.21) dazo: hoho!
(15.01.35) rob0: oyez
(15.02.08) lev__: hello
(15.03.27) mattock: hi!
(15.04.39) mattock: cron2?
(15.05.10) mattock: fact of today: "dwz: debian/openvpn/usr/sbin/openvpn: DWARF 
compression not beneficial - old size 1215239 new size 1244553"
(15.07.43) dazo: mattock: cron2 said yesterday he would miss the meeting today
(15.07.49) mattock: ah
(15.07.50) mattock: ok
(15.07.56) mattock: let's start then
(15.08.00) dazo: +1
(15.08.07) mattock: sync up for 2.5
(15.08.19) mattock: where are we at on that front?
(15.08.50) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-12-01
(15.11.07) dazo: lev__: ^^^ maybe you know a little bit, in cron2's absence?
(15.11.21) mattock: I only know that I provided "almost 2.5.5" installers last 
week
(15.11.37) mattock: basically "latest release/2.5" with 2.5.4 label
(15.12.04) dazo: It might just need some testing and then tagging the release 
and start the release machinery
(15.12.24) lev__: yeah I cannot add much, been reviewing/fixing some (minor) 
openvpn-gui issues and talking with MSFT about publishing openvpn to windows 
store
(15.12.25) mattock: that was my understanding as well
(15.12.49) dazo: Latest change to release/2.5 is Nov 24 ... so sounds the core 
part is essentially good to go, just the GUI and installer aspects left
(15.13.53) dazo: so next topic?
(15.14.01) mattock: fine by me
(15.14.02) mattock: 2.6
(15.14.36) d12fk: I started looking at the new dns option today
(15.14.37) dazo: https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn26
(15.15.07) d12fk: reminder: patches will come as github PRs
(15.15.46) plaisthos: why?
(15.15.55) plaisthos: for the first review?
(15.16.11) dazo: I've sent a potential fix the multiple auth-plugin mess to an 
internal review ... if that looks good, I'll send it to the public mailing 
lists together with a similar fix for at least 2.5
(15.16.29) d12fk: plaisthos: as a test if we live up to "you can contribute via 
github as well"
(15.17.18) mattock: yes, we've essentially allowed that for two years
(15.17.40) mattock: but never really tested it ourselves to see how it goes
(15.17.43) dazo: for initial reviews, GH pull-reqs are okay, but once all is 
settled and it needs to hit the mailing list for the official ACK ... otherwise 
all fine
(15.17.44) plaisthos: I have two patchsets pending that are not yet on the list 
since I want to test them some more
(15.18.09) plaisthos: the first one is changing cipher and auth from cipher_kt 
to const char
(15.18.18) plaisthos: and the second is the buffer overhaul
(15.20.20) dazo: the buffer overhauls is part of the "frame/buffer size 
handling" item?
(15.20.26) ***dazo looks at 
https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn26
(15.20.30) plaisthos: yes it is basically that
(15.20.38) plaisthos: it will change mssfix calculation
(1

[Openvpn-devel] Community meetings in December 2021

2021-12-01 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 1st December 2021 at 14:00 CET
- Wed 8th December 2021 at 14:00 CET
- Wed 15th December 2021 at 14:00 CET
- Wed 22nd December 2021 at 14:00 CET

The place is #openvpn-meeting IRC channel at libera.chat. Meeting agendas
and summaries are in here:



Samuli


[Openvpn-devel] Summary of the community meeting (17th November 2021)

2021-11-18 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 17th November 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, lev, mattock, MaxF, novaflash, ordex, Pippin and rob0 
participated in this meeting.


---

Talked about hackathon T-shirts. Cron2 will send them out both 
individually and in larger bunches for further distribution. Agreed that 
the T-shirts look good.


--

Full chatlog attached



(14:59:51) mattock: howdy
(15:00:04) dazo: yo!
(15:02:05) lev__: hallo
(15:02:16) d12fk: hi
(15:04:49) cron2: hoi
(15:04:55) cron2: had to feed the monsters first...
(15:05:01) ordex: hy
(15:05:04) novaflash: goedendag
(15:05:22) dazo: plaisthos is on a holiday, so I don't expect him here today
(15:05:35) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] has joined the 
room.
(15:05:47) MaxF: hi!
(15:06:03) cron2: yo!
(15:06:03) mattock: ok let's start
(15:06:24) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-11-17
(15:06:45) cron2: indeed
(15:07:20) cron2: so, T-Shirts.  I have received a box full of T-Shirts, and 
extracted an XL one for me
(15:07:27) mattock: do the T-shirt look ok?
(15:07:31) mattock: T-shirts
(15:07:34) cron2: yes
(15:07:35) cron2: wait
(15:07:38) mattock: \o/
(15:07:43) mattock: too bad they were so late
(15:08:13) cron2: https://demo.vct.spacenet.de/o
(15:08:28) cron2: I don't want to do a video meeting, just show the t-shirt :-)
(15:08:49) novaflash: sorry don't have any microphone or camera on this ancient 
thing!
(15:08:54) cron2: ah
(15:08:55) mattock: I'll join but keep the video off as I look like shit (flu, 
running nose, etc) :)
(15:09:04) novaflash: looks good!
(15:09:37) mattock: +1
(15:10:00) dazo: +1
(15:10:23) cron2: indeed, they are black :-) - wasn't my doing
(15:10:26) novaflash: thanks for showing
(15:10:33) novaflash: yeah i know, grey wasn't an option
(15:10:39) novaflash: or too light
(15:10:44) cron2: ah
(15:10:52) cron2: *I* am fine with black :-)
(15:11:08) dazo: :-D
(15:11:12) novaflash: tradition must not be broken!
(15:11:26) cron2: so - I can send around a few boxes to aggregation points, 
like "one box to syzzer, with T-Shirts and headphones", and "another to qaware"
(15:11:40) ***rob0 warms up as Tevye in Fiddler on the Roof
(15:11:40) cron2: mattock: how many T-Shirts have you planned for QA?
(15:11:54) mattock: QAware I assume - five
(15:11:59) mattock: five times XL
(15:12:15) MaxF: and then they can all fight over it?
(15:12:30) cron2: ok, so I take out 5x XL, send to qaware.  Then take out all 
the dutch T-Shirts and send to Syzzer (and you can sort this out locally).
(15:12:34) mattock: that's pretty much the plan MaxF :)
(15:13:01) cron2: but what to do with the rest?  I do not think I can manage 
"send individually to the world" in reasonable time
(15:14:06) MaxF: sending them to USA must be crazy expensive
(15:14:08) cron2: do you foresee a "corp people meeting" in the next few 
months?  So I could ship to plaisthos/d12fk, and he can bring it along
(15:14:18) cron2: MaxF: plus customs declarations and stuff...
(15:14:21) mattock: MaxF: sending to the USA is not that expensive
(15:14:23) novaflash: i think we probably will now that travel is somewhat 
possible again
(15:14:29) mattock: I can't recall getting a stroke when I did it the last time
(15:14:36) novaflash: but likely not with USA people
(15:16:07) ***cron2 suggests that corp people sort this out internally and let 
me know where to ship the "corp" part of the box :-)
(15:16:39) mattock: yeah, one corp box sounds reasonable
(15:16:50) mattock: we can ask around to figure out where that box should go
(15:16:58) cron2: let me know :-)
(15:17:22) cron2: for the non-hackathon-attendees - we have a few 
T-Shirt-Requests in the wiki.  Have these been part of the order?
(15:17:52) d12fk: I don't mind bringing the shirts, however if someone else 
want their shirt urgently, I'll pass, as I do not
(15:18:47) mattock: yes, there are shirts for the non-participants 
(15:20:01) cron2: ok... so maybe I can ship those direct (otherwise too much 
shipping and delay).  Can you e-mail me the addresses?
(15:20:56) mattock: I only have wiscii's address
(15:21:00) mattock: the rest will have to be dug out
(15:21:27) mattock: I'll send that address to you now
(15:21:49) cron2: thanks
(15:24:09) mattock: done
(15:24:41) Pippin_: @mattock you have my address too
(15:24:53) Pippin_: mattock: ^
(15:24:54) mattock: mm, let me try to find that one
(15:26:52) mattock: can't find it - care to send it again?
(15:28:21) mattock: or send it to cron2 rather
(15:28:30) mattock: if he's going to ship the T-shirt
(15:28:36) Pippin_: Ah just send it
(15:28:40) Pippin_: :)
(15:28:40) cron2: yeah
(15:29:49) Pippin_: done...

[Openvpn-devel] Summary of the community meeting (10th November 2021)

2021-11-10 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 10th November 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, lev, mattock, novaflash, ordex and plaisthos participated 
in this meeting.


---

Talked about the hackathon. Agreed that it went really well. Also noted 
that OpenVPN Inc. will send something nice to Qaware as a thanks.


---

Talked about the scope of 2.6:



It was suggested to move split DNS enhancements to 2.7, the motive being 
to speed up the 2.6 release cycle. This idea was rejected after a bit of 
discussion, which meant that the "must have" parts in 2.6 remained 
unchanged.


--

Full chatlog attached


(15:00:31) cron2: yo!
(15:02:02) mattock: only 1 minute late
(15:02:04) mattock: well, two
(15:03:28) ordex: https://community.openvpn.net/openvpn/wiki/Topics-2021-11-10
(15:06:49) d12fk: 1) hackathon was good
(15:07:03) lev__: hello
(15:07:07) mattock: +1
(15:08:20) mattock: anything to add for hackathon
(15:08:21) mattock: ?
(15:09:12) d12fk: I heard rumors that next one is in Oslo?!
(15:09:17) novaflash [~novafl...@185-227-75-241.dsl.cambrium.nl] has joined 
the room.
(15:10:23) mattock: better start building a buffer of money now!
(15:10:50) novaflash: well i just joined. guess i'm a little late.
(15:11:10) mattock: anything to add regarding hackathon?
(15:11:31) plaisthos: cron2 and I are in contact with qaware
(15:11:43) plaisthos: they want to know what we really liked about the location
(15:11:54) novaflash: it was fun. we're putting together a blog post. i also 
want to send them a gift. some t-shirts and a nintendo nes classic. (shh it's a 
surprise)
(15:12:10) novaflash: because their raspberry pi retro pie was shit
(15:12:15) d12fk: was there anything to dislike?
(15:13:20) ordex: maybe food? :-P
(15:13:22) lev__: it was not straightforward to turn VR on
(15:13:23) novaflash: it was spacious and clean, amply provided with food, 
drinks, entertainment - it had everything we'd ever want or need for a meeting 
room.
(15:13:41) cron2: this!
(15:14:00) lev__: also bottles of wine were hard to open
(15:14:15) novaflash: and we should give them something (i'm working on that) 
as a gift to keep them happy so hopefully in a future hackathon we can be there 
again
(15:14:43) mattock: +1
(15:14:47) novaflash: lev is right about the wine bottles and the VR. i'm 
deducting 2 stars because of that. 3 out of 5 stars because of that. just 
kidding
(15:15:22) ordex: btw, I was not there, but given the proven success, it may be 
meaningful to continue organizing hackathons as "guests" of some local 
community/company also in the future
(15:15:35) ordex: (just as a thought)
(15:15:47) novaflash: myeah but this was one pretty exceptional i'd have to 
say, probably not going to find that easily elsewhere
(15:15:48) mattock: yeah
(15:16:05) novaflash has left the room (quit: Quit: Client closed).
(15:16:18) novaflash [~novafl...@185-227-75-241.dsl.cambrium.nl] has joined 
the room.
(15:16:27) novaflash: harrumph. this web client is unstable.
(15:17:20) novaflash: since you guys are in contact with qaware, is there a 
particular address they'd like to receive stuff on, or is the meeting room 
address where we were THE address for them?
(15:18:36) novaflash has left the room (quit: Client Quit).
(15:18:50) novaflash [~novafl...@185-227-75-241.dsl.cambrium.nl] has joined 
the room.
(15:19:33) d12fk: there were offices on multiple floors of the building, so I 
think the answer is yes
(15:21:19) cron2: the primary office door is "on the left wing", so, yes
(15:21:41) novaflash: k
(15:22:53) mattock: move to sync up?
(15:22:55) novaflash: i have to go in a bit to pick up the xx chromosomed being 
attached to me
(15:23:24) mattock: systemd-chromosomed, right?
(15:24:12) ***d12fk shakes fist
(15:24:19) cron2: T-Shirts have not arrived yet... they say "Nov 10", so there 
is a few hours left...
(15:24:20) d12fk: now they implemented that too
(15:25:28) novaflash: did we get to 2.6.0 scope yet?
(15:25:41) ordex: no
(15:25:47) novaflash: gosh
(15:25:50) cron2 has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2021-11-10
(15:26:26) cron2: I think what we agreed upon (documented in the wiki) is still 
making sense
(15:27:14) cron2: and the tentative timeline is built on "DCO, alpha, beta, 
release candidates, release" :-) - other stuff might happen in between
(15:29:32) ordex: yesterday we had a discussion about already removing other 
non essential things from the list and already plan 2.7 (and possibly 2.8)
(15:29:48) mattock: https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn26
(15:29:50) ordex: m

[Openvpn-devel] Community meetings in November 2021

2021-11-10 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 10th November 2021 at 14:00 CET
- Wed 17th October 2021 at 14:00 CET
- Wed 24th October 2021 at 14:00 CET

The place is #openvpn-meeting IRC channel at libera.chat Meeting agendas
and summaries are in here:



Samuli


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] Summary of the community meeting (27th October 2021)

2021-10-27 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 27th October 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, mattock, MaxF, novaflash, plaisthos and rob0 
participated in this meeting.


---

Talked about hackathon T-shirt design. The top left design was chosen 
earlier:




Most people agreed that the grey color as shown in the design is 
preferable to black. So grey is what we'll have.


It was agreed that we'd like to have a list of hackathons at the back:

2011 Brussels
2012 Brussels
2013 Munich
2014 Munich
2015 Delft
2016 Helsinki
2017 Karlsruhe
2018 Lviv
2019 Trento
2021 Munich

---

Talked about the OpenSSL 3.0 patches aimed at 2.6. Plaisthos will make 
the requested modifications once the currently acked ones are merged.


---

Talked about 2.5.5 release. One significant bug has been fixed since 
2.5.4-I604. Agreed to wait a few weeks to make sure there are no more 
hidden corner-cases caused by the switch to MSVC builds, then do 2.5.5.


---

Talked about corp guys who are not active in the community yet they're 
joining the hackathon even on Friday-Sunday. Noted that this is ok, but 
we'd like to get them involved in community work as well. Also noted 
that Qaware guys were invited to join us on Friday.


--

Full chatlog attached

(15:03:05) mattock: hi
(15:03:17) novaflash [~novafl...@185-227-75-241.dsl.cambrium.nl] has joined 
the room.
(15:03:20) novaflash: boop
(15:03:21) dazo: hey!
(15:03:37) cron2: coming soon... got stuck in a meeting
(15:03:39) MaxF: hello
(15:03:55) mattock: this is the "fight over T-shirt color and what's on their 
backside" -meeting
(15:04:01) rob0: hi all, longer, larger, fart[her]
(15:04:13) mattock: cron2 has opinions, not sure if anyone else has them :)
(15:04:14) novaflash: top left dark gray ball of network cables woo
(15:04:30) mattock: not my preference, but I can live with it
(15:05:17) dazo: mattock: oh good!  So nice with a variation of the colour of 
the bike shed discussions . :-P
(15:06:11) ordex: I agree with cron2: wouldn't be bad to have the dates of the 
hackathons on the back
(15:06:14) ordex: :]
(15:06:21) ordex: assuming this is not too much effort for the designer
(15:06:37) novaflash: it's an american designer, you know how they are with 
dates
(15:06:42) plaisthos: just the dates!
(15:06:45) ordex: resending: "hey I am here just to say that time my on side is 
still not easily available, thus I have to confirm that I won't be able to join 
the hackathon physically"
(15:06:45) novaflash: better teach them the right way
(15:06:52) ordex: lol
(15:07:09) novaflash: but i assume if we just do  then it's hard for them 
to mess it up
(15:07:39) mattock: you still have to convert those years to pounds
(15:08:05) plaisthos: MMXI, MMXII, MMXIV, yeah should be doable ;)
(15:08:13) mattock: indeed
(15:08:29) mattock: that's actually fairly easy because we're not far away from 
2000
(15:08:36) mattock: anyhow
(15:08:41) mattock: we need a list of hackathons then
(15:08:57) mattock: I should have the old T-shirt designs which have the list
(15:10:48) mattock: 2011 Brussels, 2012 Brussels, 2013 Munich, 2014 Munich, 
2015 Delft, 2016 Helsinki, 2017 Karlsruhe, 2018 Lviv, 2019 Trento, 2021 Munich
(15:11:06) mattock: damn, year 10
(15:11:27) novaflash: munich is a lot in there
(15:11:30) mattock: everybody ok with having the dates on back
(15:11:32) mattock: ?
(15:11:35) novaflash: +1
(15:12:04) mattock: as for the color: I would personally prefer the gray one
(15:12:10) novaflash: it serves as a great reminder of the trauma experienced - 
but only when i see someone else wearing the shirt. so i'm not confronted with 
it every time when wearing it myself.
(15:12:13) novaflash: yes gray +1
(15:12:19) mattock: but it might be possible to just have black for cron2 and 
grey for everyone else
(15:12:20) mattock: :D
(15:12:31) dazo: gray++
(15:12:32) novaflash: just turn off the light for him
(15:12:42) rob0: I think plaisthos also wanted black
(15:12:54) mattock: I told the designer (let's call him Matt) to make design so 
that it will work on both grey and black
(15:13:10) mattock: rob0: I think plaisthos said he has too many black 
hackathon T-shirts
(15:13:11) mattock: :)
(15:13:18) rob0: haha
(15:13:24) plaisthos: yeah
(15:13:35) plaisthos: I would prefer a non-black colour
(15:13:53) mattock: I also have like 10 black openvpn hackathon T-shirts, so I 
welcome change
(15:14:33) novaflash: i have a backup design handy just in case, in pink
(15:15:03) d12fk: pink *would* be nice
(15:15:20) ***rob0 has to go afk, wishing all an excellent hackathon and a 
well-painted bikeshed
(15:15:27) rob0:

[Openvpn-devel] Summary of the community meeting (20th October 2021)

2021-10-20 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 20th October 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, MaxF, nariman, novaflash, plaisthos 
and rob0 participated in this meeting.


---

Noted that there are about fifty openvpn_inc tickets in Trac that should 
be cleaned up.


---

Talked about OpenVPN 2.5.4 I604 Windows installers. Mattock copied them 
to build.openvpn.in, cron2 tested arm64 version and lev will test amd64. 
If all is good mattock will push out this new installer release.


---

Talked about hackathon. COVID-19 situation in Munich seems reasonable so 
we should be able to make it happen.


---

Talked about hackathon T-shirt design. Agreed that we can give fairly 
free hands for the designer, with "OpenVPN 2021 hackathon in Munich at 
QAware" as guidance. Mattock will ask a couple of designs we can choose 
from. Cron2 will get the T-shirts printed in Munich to cut off the 
shipping time.


Those hackathon participants who want a T-shirt should add their size to 
the Hackathon attendee table in Trac:




---

Talked about the OpenSSL patch flood. Noted that ordex is on paternal 
leave and hence unable to ACK those. Agreed that ACKs and NACKs from 
MaxF are good, because he has to live with the results.


--

Full chatlog attached
(14:59:52) plaisthos: moin
(14:59:55) mattock: hi
(15:01:08) novaflash [~novafl...@185-227-75-241.dsl.cambrium.nl] has joined 
the room.
(15:02:34) cron2: so, good afternoon, gentlemen
(15:02:45) novaflash: hallo
(15:03:43) cron2: ah, the openvpn_inc guy :-)
(15:05:12) cron2: shall we start?
(15:05:19) d12fk: aint we all inc guys?! =)
(15:05:39) plaisthos: d12fk: there is a openvpn_inc account that novaflash 
manages
(15:05:43) cron2: d12fk: be careful what you are asking for :-) - this is the 
user account that gets to clean up Corp tickets from trac...
(15:05:53) mattock: yes
(15:06:09) lev__: Hello
(15:06:22) nariman: hi 
(15:06:25) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] has joined the 
room.
(15:06:30) mattock: let me check the status of windows installer build
(15:06:39) d12fk: cron2: how do I delete things from IRC? =)
(15:06:40) mattock: build was successful
(15:06:47) mattock: 2.5.4-I604
(15:06:48) novaflash: the openvpn_inc account is shared across company peeps - 
rob0 for example uses it
(15:06:54) rob0: yup
(15:07:14) novaflash: cron2: and yes we are terribly slow at cleaning up trac 
tickets but it's being processed slowly
(15:07:45) cron2: thanks
(15:07:48) dazo: so  we're slow because we're slow? :-P
(15:08:12) cron2: I just noticed because I had a cleaning spree yesterday, 
looking at the most recent 50-ish tickets, and noticed quite a few 
"openvpn_inc" ones...
(15:08:35) Pippin_ [Pippin_@openvpn/community/Pippin] has joined the room.
(15:08:44) cron2: now, the *rest* of "the openvpn community" (with a few 
notable exceptions) was even less active...
(15:08:47) lev__: mattock: do we use OpenSSL 1.1.1l with the latest installer?
(15:08:56) cron2: lev__: thanks. I forgot.
(15:09:06) cron2: (that was one of those tickets)
(15:09:56) mattock: lev: not sure, but openssl port gets updated
(15:10:12) mattock: I will scp over the MSI so that somebody can test
(15:11:02) cron2: lev__: ah, that might have been due to 2.5 still building 
with the "local openssl build" thingie
(15:11:12) lev__: Oh right
(15:13:00) mattock: copying
(15:14:14) cron2: nice, so we already covered two agenda items (trac hygiene 
and 2.5.4 I604 re-release) :-)
(15:14:52) mattock: lev: 
https://build.openvpn.net/downloads/releases/OpenVPN-2.5.4-I604-amd64.msi
(15:14:57) mattock: if you happen to have time to test it
(15:15:20) lev__: I will test Soininen
(15:15:25) lev__: Soonish
(15:17:09) mattock: testing Soini[nen] is also welcome
(15:17:30) mattock: if the installer works ok I will release it this evening
(15:18:45) mattock: I have an update on buildbot
(15:18:48) lev__: And if it doesn’t?
(15:18:52) mattock: then we do something
(15:18:53) mattock: :)
(15:19:16) dazo: do $magic
(15:19:19) cron2: testing arm64
(15:19:20) mattock: yep
(15:19:21) cron2: 1.1.1l
(15:19:21) cron2: good
(15:19:28) mattock: so the build is working well
(15:19:32) mattock: updates deps etc.
(15:20:12) mattock: as for buildbot: we're getting closer to being able to 
start migrating and upgrading the community services, buildbot included
(15:20:34) mattock: the new services will live in a fresh environment
(15:20:59) mattock: most of the work has been fighting policies and lack of 
policies
(15:21:08) mattock: technically it is not such a big deal
(15:23:07) cron2: so arm64 passed a few basic connects, tcp

[Openvpn-devel] Summary of the community meeting (13th October 2021)

2021-10-13 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 13th October 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, janjust, lev, mattock, MaxF, novaflash, plaisthos and rob0 
participated in this meeting.


---

Talked about hackathon, in particular swag and T-shirts. The official 
OpenVPN swag shop is in here:




Agreed that Qaware who will kindly host the meeting in Munich should get 
some nice swag for their efforts. It was agreed that hackathon T-shirts 
with "Qaware" logos in the would be a nice gesture. For the rest of the 
crowd plain hackathon T-shirts would suffice.


Mattock will make inquiries to locate a designer at OpenVPN Inc. who 
could design the shirts. The shirts can then be shipped to Munich to 
cron2, or printed there, and then given to the hackathon participants. 
OpenVPN Inc. should be able to sponsor the T-shirts.


---

Noted that OpenVPN 2.5.4 broke version numbering in Windows (2.5..4 
instead of 2.5.4). Lev is investigating this problem. Fortunately this 
does not seem to cause any major issues to people right now.


---

Noted that Windows 11 seems to break OpenVPN 2.5.* *and* Connect for 
some people, which is a bit weird. This hints more at "some security 
product getting in the way". There are no "verb 5" logs yet, but the 
errors were UDP write errors. The problems may be related to this:




---

Agreed that it is reasonable to add a "tls-cert-profile insecure" to 
allow setting OpenSSL security profile to 0 for better compatibility 
with "old crap":




Plaisthos will send a patch.

---

Agreed that splitting off buildbot from openvpn-vagrant to 
openvpn-buildbot is fine. It has grown too big to "fit in" already.


--

Full chatlog attached
(14:55:28) cron2 has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2021-10-13
(15:01:31) rob0: 2021-10-13 12:00 UTC is one minute ago!
(15:01:53) ***cron2 yawns
(15:01:59) mattock_: hi
(15:02:00) cron2: hullo, good people!
(15:03:38) d457k: rob0: so you are one minute late ;-)
(15:03:43) d457k is now known as d12fk
(15:04:15) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] has joined the 
room.
(15:04:19) MaxF: hi!
(15:04:29) cron2: d12fk is randomizing nicks again, for better IRC security
(15:04:44) plaisthos: hehe
(15:04:45) lev__: hello
(15:04:51) plaisthos: hello everybody
(15:04:58) plaisthos: I added a topic to the agenda
(15:05:02) d12fk: the beefy comments come from "someone" else
(15:06:03) mattock_: let's start
(15:06:11) cron2: $nick = substr(sha256(mood,time),8)... :-)
(15:06:23) mattock_: hackathon
(15:06:27) cron2: yes!
(15:07:19) plaisthos: yes
(15:07:20) cron2: I've checked with qaware again, and they are still happy with 
us coming (and it's still okay with covid requirements)
(15:07:43) cron2: plaisthos has established contacts and will be there to shake 
hands and receive key cards on tuesday morning
(15:07:47) cron2: (thanks)
(15:08:00) cron2: so for all corp people -> talk to plaisthos :-)
(15:08:10) cron2: I will show up Friday morning
(15:08:19) cron2: so for all non-corp people -> talk to me or plaisthos ;-)
(15:09:23) cron2: anything else?
(15:09:41) plaisthos: mattock_: are you getting some merch/goodies for qaware?
(15:09:50) plaisthos: or let our marketing people do that?
(15:10:00) cron2: oh yes please, and t-shirts
(15:10:05) MaxF: how do we talk to you or plaisthos? phone?
(15:10:11) janjust [~janj...@schrepel.nikhef.nl] has joined the room.
(15:10:18) cron2: phowat
(15:10:21) janjust: hey folks
(15:10:33) cron2: MaxF: will update web site with phone number
(15:10:41) d12fk: jjk! hi
(15:11:17) d12fk: beer outings at night are not a problem, are they?
(15:11:24) janjust: hi d12fk, long time no see. Just wanted to let you all know 
that I still intend to come to Munchen
(15:12:04) mattock_: plaisthos: no, I don't have access to any merchandize :)
(15:12:23) mattock_: if we want such a thing maybe we could ship it to cron2 
before the hackathon?
(15:12:33) mattock_: that said, I recall our web shop only ships to the US
(15:12:41) plaisthos: MaxF: I will send you my phone in private query
(15:12:45) d12fk: janjust: cool, see you there then
(15:12:46) mattock_: so we'd need 

[Openvpn-devel] Community meetings in October 2021

2021-10-12 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 13th October 2021 at 14:00 CET
- Wed 20th October 2021 at 14:00 CET
- Wed 27th October 2021 at 14:00 CET

The place is #openvpn-meeting IRC channel at libera.chat Meeting agendas
and summaries are in here:



Samuli




[Openvpn-devel] OpenVPN 2.5.4 released

2021-10-05 Thread Samuli Seppänen
Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net/>
Easy RSA 3 HOWTO:
<https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-devel] Summary of the community meeting (22nd September 2021)

2021-09-23 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 22nd September 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

dazo, mattock, lev, MaxF, ordex, plaisthos and rob0 participated in this 
meeting.


---

Talked about "master" / 2.6. Noted that the full compat-mode patchset 
has been merged. The next step is to start merging the DCO patches.


For 2.5 we have a sitnl bugfix and we need a rst2html if we wish to move 
to 2.5 Windows releases built with MSVC. Some other patches like the 
"Windows 11 fix" will be included in next 2.5 as well:




---

Noted that there is no particular reason to make "the last 2.4 release" 
anytime soon.


---

Talked about enabling IPv6 for the openvpn.net domain [in Cloudflare]. 
No progress has been seen, which probably equates with "no progress". We 
probably need a carrot, planning and some coordination to get this done.


---

Mattock gave an update on the new buildbot. It now works in both Vagrant 
and EC2:


- Linux builds (no packaging yet)
- Windows builds + signing [+ MSI packaging]

The next step is to create the new _production_ EC2 buildmaster. 
Mattock's related PRs have now been approved and merged, which makes 
this easier.


---

Noted that MaxF and in particular nariman are working on recreating 
their own internal OpenVPN CI/CD system. It was agreed to have a 
discussion about their requirements to see if we could co-operate there 
instead of implementing essentially the same thing twice.


--

Full chatlog attached


(15:02:08) MaxF: hi!
(15:02:21) lev__: Hello
(15:03:33) mattock: hi
(15:05:54) mattock: who else do we have here?
(15:06:01) plaisthos: me
(15:06:28) ordex: ay
(15:06:29) mattock: cron2 said he'd be late
(15:07:09) mattock: let's get on with this thing :)
(15:07:38) dazo: hey!
(15:08:12) mattock: hi!
(15:08:30) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-09-22
(15:10:52) mattock: sync up on 2.5/2.6
(15:10:56) ordex: regarding 2.6 we have managed to merge the full compat-mode 
patchset
(15:10:57) mattock: anything new on that front
(15:11:08) ordex: so now the focus will shift to dco support
(15:11:16) ordex: and cleaning up smaller things here and there
(15:11:34) ordex: for 2.5 we have a bugfix about sitnl, that is on the ml 
pending approval
(15:11:39) plaisthos: the only thing we might want to add to compat patchset is 
to have --nobind as default when --client/--pull is specified
(15:11:47) ordex: maybe we could issue a new release after merging that, unless 
we want to wait longer
(15:12:17) ordex: plaisthos: do you think that is really required for backwards 
compatibility?
(15:14:20) plaisthos: or we just change the default without adding it to compat
(15:14:20) plaisthos: :D
(15:14:45) plaisthos: I just thought falling back to old behaviour would be 
safer
(15:18:21) mattock: mm
(15:19:06) mattock: so maybe a new 2.5 release
(15:19:12) mattock: dco next
(15:19:15) mattock: anything else?
(15:20:48) lev__: for 2.5 we also have "windows 11" fix 
(15:21:22) lev__: https://community.openvpn.net/openvpn/ticket/1418
(15:21:56) rob0: fwiw (not much) I am here
(15:21:56) mattock: oh yes
(15:22:11) mattock: so at least two solid fixes
(15:22:46) ordex: yap
(15:22:56) mattock: I might try out the new msibuilder/buildbot setup to build 
2.5
(15:22:57) ordex: wasn't there something else which was already committed but 
not released for 2.5?
(15:23:09) mattock: it will fail in rst2html unless lev's patch was backported 
there
(15:23:58) mattock: maybe some other fixes as well
(15:24:09) lev__: mattock: didn't we agree to do Frankenstein releases for 2.5 
and switch to full Windows release in 2.6
(15:24:11) mattock: it would be nice to be able to build 2.5 and 2.6/master 
snapshots, plus releases
(15:24:22) mattock: possibly
(15:24:27) mattock: can't recall the details anymore
(15:24:49) lev__: basically we build arm64 on windows and rest on linux
(15:25:07) lev__: too bad we need to maintain 2 build systems
(15:25:34) lev__: or we can be brave enough and start producing 2.5 builds with 
msvc
(15:26:10) mattock: I think we could try full-windows builds on 2.5
(15:26:19) mattock: and if that backfires horribly we could backpedal
(15:26:33) mattock: it would simplify things at my end greatly
(15:27:50) mattock: when would we push out the next 2.5?
(15:27:52) mattock: roughly
(15:28:54) mattock: "some weeks from now"?
(15:29:12) ordex: maybe we need cron2's feedback for this question
(15:29:21) ordex: to see if he has something else in the pipe for 2.5
(15:30:12) mattock: +1
(15:30:22) mattock: ok, let's move forward shall we
(15:30:27) ordex: kk
(15:30:52) mattock: 2.4 -> oldstable : does the sitnl fix 

[Openvpn-devel] Summary of the community meeting (15th September 2021)

2021-09-15 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 15th September 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock, MaxF, ordex, plaisthos and rob0 participated in 
this meeting.


---

Plaisthos is preparing patches that drop support for the APIs that are 
deprecated in OpenSSL 3.0.


Agreed that the OpenSSL 3.0 patches should be master only, so only 2.6 
will have full OpenSSL 3.0 support with external key support and without 
compiler warnings. OpenVPN 2.4/2.5 would continue to work, but would 
have some missing features.


---

No news on "OpenVPN 2.4 to oldstable" transition, nor IPv6 for community.

---

Talked about the new buildbot. Mattock will spin up an EC2 buildmaster 
instance "somewhere" by Monday next week, if he does not have access to 
the "correct" place by then. The buildmaster instance can then be 
migrated to the "correct" place later.


Mattock will also implement the fixes to openvpn-build suggested by Lev:



What remains is merging the above PR and mattock's openvpn-vagrant 
dockerized buildbot work:




--

Full chatlog attached

(15:03:38) mattock: hi!
(15:03:45) MaxF: hi!
(15:04:54) dazo: hey!
(15:05:04) rob0: I'm here.  You may start. ;)
(15:05:11) dazo: hehehe
(15:05:55) plaisthos: From my side
(15:06:21) plaisthos: I am preparing patches to no longer use the APIs that are 
deprecated in OpenSSL 3.0
(15:06:36) plaisthos: that consists of a few small patches and one that will be 
very big
(15:07:05) cron2: do we expect openssl 3.0 to be a hard requirement soon?
(15:07:39) plaisthos: to still support external keys we will need to implement 
a provider (replaces engines and RSA_method/EC_method) and that provider is a 
lot of a code, mostly boilerplate code to get all things setup
(15:07:51) plaisthos: cron2: I expect Ubuntu 22.04 to ship with OpenSSL 3.0
(15:08:19) plaisthos: Current OpenVPN still compiles/works with OpenSSL 3.0 
with the exception of external key
(15:08:56) cron2: who (except the Android app) uses external key these days?
(15:10:18) plaisthos: Windows 
(15:10:53) plaisthos: cryptoapicert uses the same mechanism
(15:11:13) dazo: cron2: I also expect Fedora 36 to upgrade to openssl 3.0  
discussions already begun
(15:11:30) dazo: so in the timeline of 6-8 months, yes
(15:11:57) dazo: (sooner if we care about the Rawhide development version - 
which moves forward constantly)
(15:12:44) cron2: oh, I thought cryptoapicert would use "something windows", 
and be not a problem
(15:13:14) cron2: how long is the support cycle for 1.1.1?  aka "how long can 
we get away with just shipping windows binaries with 1.1.1"?
(15:13:23) plaisthos: yeah external-key bridges to management and cryptoapicert 
does the same for windows api
(15:13:36) plaisthos: cron2: 2023 or something like that
(15:14:00) plaisthos: but that is more a rhetorical question as I will have the 
patches for the external provider ready before that ;)
(15:14:35) cron2: understood.  I do wonder about our review/test/merge cycle 
and these patches competing with DCO for attention - this is why I'm asking
(15:14:52) cron2: but maybe we can get Fox crypto folks interested again :-)
(15:16:17) plaisthos: But for a more practical answer
(15:17:06) plaisthos: We can merge the OSSL 3.0 patches to master only, so only 
2.6 will have full OpenSSL 3.0 support with external key support and without 
compiler warnings and OpenVPN 2.4/2.5 just work with those known caveats
(15:17:27) MaxF: > but maybe we can get Fox crypto folks interested again
(15:17:38) MaxF: interested in dco for Linux or Windows?
(15:17:50) MaxF: or in OpenSSL?
(15:17:58) nariman [~nari...@cust-95-128-91-242.breedbanddelft.nl] has joined 
the room.
(15:18:42) dazo: openssl, I'd say
(15:20:23) MaxF: hm, I don't think we'll be migrating OpenVPN-NL to OpenSSL 
anytime soon, but I can read the patches and test
(15:21:28) cron2: plaisthos: yep, let's see we can get 2.6 out before Ubuntu 
22.04 :-)
(15:21:34) dazo: I'm fine with the approach plaisthos suggests, openssl 3.0 
only for master/2.6
(15:22:39) plaisthos: MaxF: do you guys have any insights if mbed TLS gets TLS 
1.3 anytime soon?
(15:23:05) MaxF: don't know, sorry
(15:23:26) MaxF: maybe I can convince our customer to switch if not ;)
(15:24:46) plaisthos: yeah no problem
(15:24:53) plaisthos: or to wolfSSL *ducks*
(15:24:59) mattock: :)
(15:25:38) cron2: *howl*
(15:26:48) mattock: anything else on this topic?
(15:27:34) cron2 has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2021-09-15
(15:28:09) mattock: the topic being "2.5/2.6 sync up"
(15:28:19) cron2: nothing 

[Openvpn-devel] Summary of the community meeting (8th September 2021)

2021-09-08 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 8th September 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, MaxF, ordex, plaisthos and rob0 participated 
in this meeting.


---

Plaisthos is fixing the Ubuntu GitHub Actions.

---

Mattock got distracted by some Access Server packer work and is still 
waiting for access to the Terraform repo he needs to spin up an updated 
buildmaster. Agreed to start discussions with OpenVPN Inc. ops team to 
facilitate quicker infrastructure deployments. Right now waiting time is 
very long for the core team and community.


---

The compat mode patches are being reviewed. They're quite important to 
get the review of dco going.


Ordex is reviewing dco patches from plaisthos so that he can start 
sending them to the mailing list.


---

Lev implemented zerocopy for Tx datapath in dco-win. He's now working on 
Rx datapath. This won't affect the driver API.


---

Noted that there is no progress on the IPv6 front.

---

Talked about the issue with Red Hat / CentOS 8 in FIPS mode:



Agreed that the code is good enough for now. When OpenSSL 3.0.0 becomes 
a thing the code paths can be changed again.


Dazo will look into the patch on a fresh Red Hat 8 box.

--

Full chatlog attached
(15:01:47) mattock: hello
(15:02:32) MaxF: hi!
(15:02:47) ordex: hi!
(15:02:49) lev__: hello
(15:02:56) ordex: **buurp**
(15:03:07) ***ordex summons cron2 
(15:03:37) ordex: **buuurp**
(15:03:39) ***ordex summons cron2 !!
(15:04:06) ordex: ECONNREFUSED
(15:04:21) cron2: wat
(15:04:35) ordex: there you go
(15:04:55) ordex: I guess dazo won't be able to join
(15:05:01) ordex: plaisthos should be in the surroundings
(15:05:06) ordex: maybe hiding in the bushes
(15:05:23) plaisthos: moin 
(15:06:01) rob0: s I was trying to sleep
(15:06:23) mattock: hi all
(15:06:45) plaisthos: I am doing a patch to fix the Ubuntu github action 
thingy ...
(15:09:04) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-09-08
(15:09:42) ordex: regarding 2.5 - do we have anything in the pipe?
(15:11:33) dazo: hey!
(15:11:35) dazo: sorry ... just forgot about time today
(15:13:20) cron2: good morning, sir :-)
(15:13:44) dazo: :)
(15:13:47) mattock: I don't have anything about 2.5 or 2.6, got distracted by 
some AS packer work and still waiting for access to the terraform repo I'd need 
to spin up updated buildmaster
(15:14:01) ***cron2 has nothing on 2.5 either
(15:14:24) plaisthos: nothing for 2.5 on my side
(15:14:30) dazo: mattock: lets bring that terraform issue up internally  
this is being delayed too long now
(15:14:35) mattock: yes
(15:14:48) MaxF: what's that?
(15:15:04) mattock: I think this has to do with the more generic problem of ops 
team not being able to provision infrastructure for the core team in a timely 
manner
(15:15:15) dazo: +1
(15:15:28) mattock: MaxF: I need access to an operations' repository in order 
to be able to create the new production buildmaster
(15:18:32) ordex: ok
(15:18:40) ordex: for 2.6 I think some progress can be seen on the mailing list
(15:18:58) ordex: compat mode is being reviewed - that is quite important to 
get the review of dco going
(15:19:09) ordex: (that is the next thing on the radar)
(15:19:21) ordex: I am checking arne's dco patches before he can start sending 
them to the ml
(15:21:09) lev__: on dco-win I implemented zerocopy for Tx datapath, now 
working on Rx datapath
(15:21:52) lev__: this is obviously internal change, doesn't affect driver API
(15:23:01) MaxF: faster drivers are good!
(15:23:26) cron2: +1
(15:24:12) MaxF: I guess I should check now and then if reproducible builds 
still work in dco-win
(15:25:02) lev__: I haven't committed anything to master yet, although there is 
"zerocopy" branch in my fork
(15:28:27) mattock: anything else noteworthy?
(15:28:38) cron2: ipv6?
(15:28:47) mattock: no progress
(15:30:38) ordex: :(
(15:30:50) mattock: can we conclude the meeting?
(15:31:05) cron2: wait :-)
(15:31:30) cron2: dazo, ordex: how shall we proceed with the FIPS thing?  Maybe 
dazo has a CentOS 8 test environment ready?
(15:31:44) cron2: https://patchwork.openvpn.net/patch/1915/
(15:31:45) cron2: this one
(15:32:01) ordex: I was just commenting
(15:32:05) ordex: I don't like this patch
(15:32:14) dazo: cron2: it's already on my todo-list ... just need to clear 
some time getting a testbox configured with FIPS and test it.  Code looks 
reasonable, just wanted to test it before ACK
(15:32:21) ordex: FIPS_mode() exists only in openssl-1.0.2, that is even dead 
for upstream
(15:32:26) plaisthos: I can spawn an AWS instance for whoever wants to test that
(15:32:39) plaisthos: ord

[Openvpn-devel] Summary of the community meeting (1st September 2021)

2021-09-01 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 1st September 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, lev, mattock, plaisthos, rob0 and syzzer participated in 
this meeting.


---

Mattock is done with buildbot/windows packaging except for some small 
documentation fixes and some work on the msibuilder vm in 
openvpn-vagrant. The next step after those is to setup the production 
buildmaster.


---

Plaisthos is working on DCO again.

---

Ordex is chopping the compat-mode patch and will send a small series to 
replace it.


---

Lev is working on zerocopy dco-win, which is much faster in comparison to 
the existing implementation (which is already fast enough).


---

Plaisthos noted that normal Linux tun sends at 400MBit/s, but 
receives 1.5GBit/s. In Windows with Wintun he gets 1.2GBit/s in both 
directions. So, there is a major performance issue somewhere, probably in 
our *magic* select/poll/epoll maze. Windows/wintun avoids that maze 
because it has a different implementation that uses windows specific 
functions.


---

Noted that the forums board rethinking forum post has not been responded 
to. We probably need to contact some key people directly about it. 
Mattock will check the forums database to locate the key contributors 
and contact them.


--

Full chatlog attached
(14:59:59) lev_: guten tag
(15:00:29) ordex: hoi hoi
(15:02:12) d12fk: gday
(15:03:14) plaisthos: hey
(15:04:22) mattock: hi
(15:07:44) rob0: the /topic would seem a bit out of date ;)
(15:08:22) plaisthos: :D
(15:08:39) ordex: not much
(15:08:40) d12fk: its still good
(15:09:03) mattock: it is always the same
(15:10:59) d12fk: kommst du nachher mit dem westwagen zum deppenlager?
(15:11:14) plaisthos: d12fk: wrong channel?
(15:11:21) d12fk: indeed =)
(15:12:11) d12fk: guess it is encrypted enough to go public ;-)
(15:12:21) d12fk: so, anything here?
(15:13:00) ordex: .oO
(15:13:10) mattock: I don't have much, I tried almost all the loose ends in 
buildbot/windows packaging
(15:13:31) mattock: just small documentation fixes and some work on the 
msibuilder vm in openvpn-vagrant
(15:13:38) cron2: yo
(15:13:39) mattock: then of course the production buildbot setup
(15:13:48) mattock: that's something for next week it seems
(15:13:57) mattock: I'll probably work on those on Friday as well
(15:14:17) cron2: next week is good.  This week I'm still mostly afk
(15:14:42) rob0: dazo's out this week too
(15:14:58) plaisthos: I finally got enough time to work on dco again
(15:15:19) syzzer [~syz...@77-9-88-45.connected.by.freedominter.net] has entered 
the room.
(15:15:22) ordex: \o/
(15:15:33) ordex: I am chopping the compat-mode patch
(15:15:46) ordex: will send a small series on the list that substitutes it
(15:16:01) cron2: okay
(15:17:12) ***lev_ working on zerocopy dco-win, which is much faster comparison 
to existing implementation (which is fast enough)
(15:17:20) cron2: nice
(15:18:07) plaisthos: at some point we *really* need to figure out why linux 
with tun is slow when receiving
(15:18:16) plaisthos: I get 1,2 GBit/s in both directions with wintun
(15:18:38) lev_: windows has much better network stack
(15:18:39) plaisthos: and normal Linux tun is 400 MBit/s sending but 1,5 GBit/s 
receiving
(15:18:44) ***lev_ runs away
(15:19:17) syzzer: Well, having a kernel/user context switch for each packet 
doesn't help
(15:19:33) plaisthos: syzzer: sure, but it must be something else. 
(15:19:41) plaisthos: since one direction works and the other one doesn't
(15:20:07) lev_: do we get multiple packets with one syscall on rx path ?
(15:20:10) plaisthos: and the number of context switches *should* be similar in 
one direction and the other 
(15:20:20) plaisthos: lev_: no
(15:20:26) cron2: lev_: not today.  syzzer started on multi-packet, but that 
never got traction
(15:20:29) syzzer: yeah, that's definitely strange
(15:20:34) cron2: (and, btw, nice seeing you :-) )
(15:20:44) plaisthos: but we might do something like trying to do read() again 
to see if something is ready again or something like that
(15:20:58) syzzer: (thanks cron2 :-) )
(15:21:08) plaisthos: yeah good to see you
(15:21:13) mattock: +1
(15:23:05) syzzer: It's been years since I attempted to do performance profiling
(15:25:39) plaisthos: yeah, I was just getting some dco numbers and that was 
really odd
(15:26:02) plaisthos: I suspect some of our *magic* select/poll/epoll maze is 
broken
(15:26:33) plaisthos: windows/wintun uses a different implementation that uses 
windows specific functions
(15:26:35) ordex: could be
(15:29:15) mattock: somebody needs to take a deep dive
(15:29:39) mattock: need to sync more on 2.5/2.6?
(15:30:41) ordex: not here
(15:31:31) mattock: a small u

[Openvpn-devel] Community meetings in September 2021

2021-08-31 Thread Samuli Seppänen



Hi,

Next community meetings have been scheduled to

- Wed 1st September 2021 at 14:00 CET
- Wed 8th September 2021 at 14:00 CET
- Wed 15th September 2021 at 14:00 CET
- Wed 22nd September 2021 at 14:00 CET
- Wed 29th September 2021 at 14:00 CET

The place is #openvpn-meeting IRC channel at libera.chat. Meeting agendas
and summaries are in here:



Samuli


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH v4] Add building man page on Windows

2021-08-26 Thread Samuli Seppänen

On 25/08/21 19:47, Lev Stipakov wrote:

From: Lev Stipakov 

Use rst2html to build html from rst. Ignore errors,
this is not fatal and affects only MSI build.

Modify MSVC GitHub Actions to install python3/rst2html
and add html man page to artifacts.

Signed-off-by: Lev Stipakov 
---

  v4:
   - really replace "python3" with "python"

  v3:
   - replace "python3" with "python"

  v2:
   - change implementation to support GitHub Actions

  .github/workflows/build.yaml  | 9 +
  build/msvc/msvc-generate/Makefile.mak | 9 -
  2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 5d7dd37b..4cb2f4cc 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -206,6 +206,14 @@ jobs:
- name: Add MSBuild to PATH
  uses: microsoft/setup-msbuild@v1
  
+  - name: Set up Python

+uses: actions/setup-python@v2
+with:
+  python-version: '3.x'
+
+  - name: Install rst2html
+run: python -m pip install --upgrade pip rst2html
+
- name: Restore artifacts, or run vcpkg, build and cache artifacts
  uses: lukka/run-vcpkg@main
  with:
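Review bot: the added "Install rst2html" step runs "python -m pip install --upgrade pip rst2html" with no version constraint, and "Set up Python" asks for python-version '3.x', so the tool that generates a file shipped in the build artifacts is whatever PyPI serves on the day of the run. Pin rst2html to an exact version (ideally installed with hashes from a requirements file) so the MSVC job is reproducible and a changed or compromised upstream release cannot alter the output unnoticed. The same reasoning applies to "actions/setup-python@v2", which is a movable tag; a full commit SHA is the stricter reference.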
@@ -227,3 +235,4 @@ jobs:
path: |
  ${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.exe
  ${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.dll
+doc/openvpn.8.html
diff --git a/build/msvc/msvc-generate/Makefile.mak 
b/build/msvc/msvc-generate/Makefile.mak
index 59fc9f0e..6da859e3 100644
--- a/build/msvc/msvc-generate/Makefile.mak
+++ b/build/msvc/msvc-generate/Makefile.mak
@@ -11,7 +11,10 @@ OUTPUT_PLUGIN=$(SOURCEBASE)/include/openvpn-plugin.h
  INPUT_PLUGIN_CONFIG=version.m4.in
  OUTPUT_PLUGIN_CONFIG=version.m4
  
-all:	$(OUTPUT_MSVC_VER) $(OUTPUT_PLUGIN)

+INPUT_MAN=$(SOURCEBASE)/doc/openvpn.8.rst
+OUTPUT_MAN=$(SOURCEBASE)/doc/openvpn.8.html
+
+all:   $(OUTPUT_MSVC_VER) $(OUTPUT_PLUGIN) $(OUTPUT_MAN)
  
  $(OUTPUT_MSVC_VER): $(INPUT_MSVC_VER) $(CONFIG)

cscript //nologo msvc-generate.js --config="$(CONFIG)" 
--input="$(INPUT_MSVC_VER)" --output="$(OUTPUT_MSVC_VER)"
@@ -22,7 +25,11 @@ $(OUTPUT_PLUGIN_CONFIG): $(INPUT_PLUGIN_CONFIG)
  $(OUTPUT_PLUGIN): $(INPUT_PLUGIN) $(OUTPUT_PLUGIN_CONFIG)
cscript //nologo msvc-generate.js --config="$(OUTPUT_PLUGIN_CONFIG)" 
--input="$(INPUT_PLUGIN)" --output="$(OUTPUT_PLUGIN)"
  
+$(OUTPUT_MAN): $(INPUT_MAN)

+-FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" 
"$(OUTPUT_MAN)"
+
  clean:
-del "$(OUTPUT_MSVC_VER)"
-del "$(OUTPUT_PLUGIN)"
-del "$(OUTPUT_PLUGIN_CONFIG)"
+   -del "$(OUTPUT_MAN)"
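Review bot: in the new $(OUTPUT_MAN) rule, FOR /F runs with its default options, which split each line printed by 'where rst2html.py' on spaces and tabs and hand only the first token to %i. If rst2html.py sits under a directory with a space in its name, python receives a truncated path, the command fails, and the leading '-' hides the failure, so the man page is silently missing. Use FOR /F "delims=" and quote the variable (python "%i") so the whole path is passed. Note also that 'where' can print more than one match, in which case the conversion runs once per match.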



Works. ACK.

Samuli




Re: [Openvpn-devel] [PATCH v2] Add building man page on Windows

2021-08-26 Thread Samuli Seppänen

Hi,

I smoke-tested this on Linux and it does not break anything (docutils 
installed or not). Results of Windows testing below.


On 24/08/21 16:46, Lev Stipakov wrote:

From: Lev Stipakov 

Use rst2html to build html from rst. Ignore errors,
this is not fatal and affects only MSI build.

Modify MSVC GitHub Actions to install python3/rst2html
and add html man page to artifacts.

Signed-off-by: Lev Stipakov 
---
  v2:
   - change implementation to support GitHub Actions

  .github/workflows/build.yaml  | 9 +
  build/msvc/msvc-generate/Makefile.mak | 9 -
  2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 5d7dd37b..4cb2f4cc 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -206,6 +206,14 @@ jobs:
- name: Add MSBuild to PATH
  uses: microsoft/setup-msbuild@v1
  
+  - name: Set up Python

+uses: actions/setup-python@v2
+with:
+  python-version: '3.x'
+
+  - name: Install rst2html
+run: python -m pip install --upgrade pip rst2html
+
- name: Restore artifacts, or run vcpkg, build and cache artifacts
  uses: lukka/run-vcpkg@main
  with:
@@ -227,3 +235,4 @@ jobs:
path: |
  ${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.exe
  ${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.dll
+doc/openvpn.8.html
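Review bot: doc/openvpn.8.html is added to the uploaded paths, but the Makefile.mak rule that produces it is prefixed with '-' and the commit message says errors are ignored, so the job stays green and publishes artifacts without the man page whenever rst2html fails. Since the commit message says the MSI build is what consumes this file, add a step after the build that checks the file exists and fails, or at least warns, when it is missing.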
diff --git a/build/msvc/msvc-generate/Makefile.mak 
b/build/msvc/msvc-generate/Makefile.mak
index 59fc9f0e..4924a6ce 100644
--- a/build/msvc/msvc-generate/Makefile.mak
+++ b/build/msvc/msvc-generate/Makefile.mak
@@ -11,7 +11,10 @@ OUTPUT_PLUGIN=$(SOURCEBASE)/include/openvpn-plugin.h
  INPUT_PLUGIN_CONFIG=version.m4.in
  OUTPUT_PLUGIN_CONFIG=version.m4
  
-all:	$(OUTPUT_MSVC_VER) $(OUTPUT_PLUGIN)

+INPUT_MAN=$(SOURCEBASE)/doc/openvpn.8.rst
+OUTPUT_MAN=$(SOURCEBASE)/doc/openvpn.8.html
+
+all:   $(OUTPUT_MSVC_VER) $(OUTPUT_PLUGIN) $(OUTPUT_MAN)
  
  $(OUTPUT_MSVC_VER): $(INPUT_MSVC_VER) $(CONFIG)

cscript //nologo msvc-generate.js --config="$(CONFIG)" 
--input="$(INPUT_MSVC_VER)" --output="$(OUTPUT_MSVC_VER)"
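Review bot: adding $(OUTPUT_MAN) to the prerequisites of "all" makes python and rst2html part of every MSVC build, yet nothing next to INPUT_MAN/OUTPUT_MAN says the tool is optional. Add a comment above the two variables stating that the HTML man page is only built when rst2html.py is found in PATH and that the build continues without it, so a missing doc/openvpn.8.html is not mistaken for a broken build. The file is also generated inside the source tree under doc/, and the diffstat shows no .gitignore change, so check that it is already ignored.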
@@ -22,7 +25,11 @@ $(OUTPUT_PLUGIN_CONFIG): $(INPUT_PLUGIN_CONFIG)
  $(OUTPUT_PLUGIN): $(INPUT_PLUGIN) $(OUTPUT_PLUGIN_CONFIG)
cscript //nologo msvc-generate.js --config="$(OUTPUT_PLUGIN_CONFIG)" 
--input="$(INPUT_PLUGIN)" --output="$(OUTPUT_PLUGIN)"
  
+$(OUTPUT_MAN): $(INPUT_MAN)

+-FOR /F %i IN ('where rst2html.py') DO python3 %i "$(INPUT_MAN)" 
"$(OUTPUT_MAN)"


This line breaks at least if Python 3 was installed with Chocolatey[1]:

   choco install python

The problem is that there's no "python3" binary in PATH. There is a 
"python" binary though. If I change the line above to say "python" I get 
an HTML man-page out.


Maybe "python3" is gone from the latest Python packages? If not, I can 
have a look at what Chocolatey is doing when installing the Python package.



+
  clean:
-del "$(OUTPUT_MSVC_VER)"
-del "$(OUTPUT_PLUGIN)"
-del "$(OUTPUT_PLUGIN_CONFIG)"
+   -del "$(OUTPUT_MAN)"




[1] 




[Openvpn-devel] Summary of the community meeting (25th August 2021)

2021-08-25 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 25th August 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, mattock, Pippin and plaisthos participated in this 
meeting.


---

Talked about the recent SM2 cipher security issue in OpenSSL. Noted that 
OpenVPN does not use the SM2 cipher normally, nor does it construct asn1 
strings by itself. So OpenVPN is not vulnerable.


---

Talked about the layout of the forum boards. In particular some sort of 
"open source client" forum board is missing. Pippin had designed a new 
forum board layout a while back, so a more major layout, or at least a 
discussion about it, is in order.


---

Talked about getting IPv6 to the openvpn.net domain by flipping a switch 
in Cloudflare. Mattock heard from reliable sources that there's nothing 
really blocking the flipping of the switch anymore. So from now on it's 
all about pressure and coordination.


---

Noted that plaisthos has added openvpn://import-profile/https://some/url 
support to his OpenVPN for Android client. This allows triggering a 
profile import by clicking a URL from a server without the user 
having to choose "open with this app".


---

Mattock has refactored openvpn-build/windows-msi packaging system to be 
independent of openvpn-build/generic (the cross-compile buildsystem). 
This means fully native OpenVPN building and packaging on Windows. 
Signing with signtool is done except for signing of the MSI package.


Mattock is still blocked from upgrading the production buildmaster due 
to lack of repository access. Mattock will continue bugging ops team 
about it.


---

Noted that Daynix (HCR/HLK-CI people) want to test dco-win driver as 
well. Tap-windows6 testing is already in place.


---

Talked about COVID-19 and the 2021 hackathon. Noted that it makes sense 
to avoid buying any plane tickets or booking accommodation that can't be 
cancelled. The recent rise of COVID-19 infections in Europe may give 
rise to more restrictions and thus ruin the hackathon.


--

Full chatlog attached
(15:01:35) mattock: hello
(15:01:37) plaisthos: hey all
(15:02:26) ordex: hi!
(15:03:21) d12fk: hey
(15:03:23) plaisthos: I am releasing a new version of my client with the new 
OpenSSL
(15:03:39) plaisthos: just because I wanted to do a release soon anyway
(15:03:43) ordex: plaisthos: do you know if OpenVPN by itself is affected?
(15:04:08) d12fk: plaisthos: have you looked into how exactly the ASN.1 issue 
is exploitable?
(15:04:08) plaisthos: SM2 is a cipher we don't use by default. You could 
configure it to use it but normally we don't
(15:04:38) ***ordex hasn't read the advisory 
(15:05:55) d12fk: SM2 is a Chinese cipher. likely that ppl will have 
reservations using it, much like with GOST
(15:06:16) plaisthos: I don't think we are affected by the asn.1 issue as we 
don't construct asn1 strings ourselves
(15:06:40) d12fk: ah it is C-string -> ASN.1 string
(15:06:53) cron2_: oh, meeting
(15:07:05) d12fk: the cron2_ is here!
(15:07:19) d12fk: thought you are on vacation
(15:07:20) mattock: hi!
(15:07:22) cron2_: I am
(15:07:44) cron2_: we just finished a very luxurious lunch, and I am entitled 
to use the laptop between "lunch is done" and "15:00"
(15:07:47) cron2_: so, just in time
(15:07:57) cron2_: family vacation rules :-)
(15:08:00) ordex: :D
(15:08:14) d12fk: checks out with me =)
(15:08:17) ordex: "cleared for openvpn meeting. copy"
(15:10:35) cron2_: so, please meet on!
(15:11:40) dazo: oh, meeting started
(15:11:45) d12fk: is there much to meet on?
(15:11:55) mattock: two topics
(15:12:14) mattock: selva wanted to open a discussion about having a dedicated 
forum board for client topics
(15:12:29) mattock: as most of us know, the forum boards we have now are a bit 
wonky in that regard
(15:12:35) mattock: client questions don't belong anywhere
(15:12:55) cron2_: sounds like a good idea to me
(15:13:00) dazo: +1
(15:13:02) d12fk: general client or GUI?
(15:13:02) mattock: yes, agreed
(15:13:08) plaisthos: I have no idea about forums
(15:13:11) mattock: I guess general client would be better
(15:13:20) mattock: any client-related questions
(15:13:21) plaisthos: I never go there, so I have no opinion
(15:13:30) mattock: that kind of naturally leans towards users as opposed to 
admins
(15:13:40) d12fk: hm, makes sense if the client authors stick around there, 
thinking of the tunnelblick guy
(15:14:01) d12fk: or is it a first level support kind of thing
(15:14:05) dazo: Perhaps we should have a closer look at all the sub-forums we 
have ... and consider consolidating some of them?  to make them more "target 
audience" focused than product/project focused?
(15:14:06) mattock: I think they might, and there

[Openvpn-devel] Summary of the community meeting (18th August 2021)

2021-08-18 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 18th August 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

dazo, d12fk, lev, mattock, MaxF and plaisthos participated in this meeting.

---

Noted that lev merged the reproducible-build commits in ovpn-dco-win. He 
is also working on eliminating excessive copying in ovpn-dco-win, which 
should make performance even better.


---

Mattock is progressively changing the Windows MSI installer (WiX) code 
to use files from the new OpenVPN msbuild build process:




It should not take many hours to complete the transition as it is moving 
forward nicely.


---

Plaisthos wants to add chachapoly to data-ciphers by default if it is 
available as lowest priority algorithm. So, clients will just report one 
more cipher in data-ciphers and the server will accept clients that only 
offer chacha but not aes instead of rejecting them.


Agreed that this approach makes sense.

---

Mattock is still waiting for access to a (Terraform) repository which would 
enable him to create the new production buildmaster.


---

Talked about IPv6 support for community.openvpn.net. Dazo had raised the 
issue in an internal meeting. No visible progress on that front.


---

Talked about moving OpenVPN 2.4 to "oldstable" support:



Right now we're collecting patches for the final (2.4.12) release.

--

Full chatlog attached
(14:58:23) mattock: hello!
(14:58:44) d12fk: good day!
(15:00:10) dazo: Hey!
(15:00:39) mattock: it seems I'm feeling more ill (normal flu) than yesterday, 
but I think I can endure this meeting
(15:01:55) mattock: well, flu + kid at home and not at kindergarten is not 
exactly a winning combination :)
(15:02:04) mattock: + having to work
(15:02:29) mattock: who else do we have here today?
(15:02:34) lev_: hello
(15:03:50) dazo: mattock: feel your pain  that's an impossible fight, just 
surrender and have fun with the kids instead and let the rest go
(15:04:44) mattock: we take shifts, which would be "ok", but the flu makes it 
all the more annoying
(15:04:58) mattock: anyhow, I think tomorrow I'll be in near-ok condition
(15:05:01) plaisthos [~arne@openvpn/developer/plaisthos] has entered the room.
(15:05:02) mode (+o plaisthos) by ChanServ
(15:06:31) mattock: cron2 here today?
(15:07:29) cron2_: no, sorry
(15:07:45) cron2_: just came up to say "won't make it", feed the family now, 
then pack stuff
(15:07:51) MaxF: hi!
(15:08:25) mattock: hi and ok :)
(15:08:33) mattock: let's move on then
(15:09:04) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-08-18
(15:09:06) mattock: sync up
(15:09:14) dazo: Is plaisthos around?
(15:09:18) plaisthos: yes
(15:09:39) dazo: you are probably most up-to-date 2.6 stuff right now
(15:09:41) dazo: :)
(15:10:08) plaisthos: Yeah, but I basically took a few days off work since last 
meeting and so status has not really changed
(15:10:19) plaisthos: at least from my side
(15:10:20) dazo: fair enough
(15:10:45) dazo: so, slowly moving progress but not too much happened since 
last week,
(15:12:03) MaxF: @lev_ merged the reproducible-build commits in ovpn-dco-win
(15:14:00) mattock: at my end the Windows WiX packaging changes are 
progressing: https://github.com/OpenVPN/openvpn-build/pull/224
(15:14:14) dazo: great!
(15:14:24) ***lev_ also works on eliminating excessive copying in ovpn-dco-win, 
which should make performance even better 
(15:14:33) mattock: I'm going through files going to the MSI installer, 
hardcoding the paths (at first), and regression testing after a few changes
(15:14:55) mattock: so right now the build script has the "old style" 
(generated by "generic" buildsystem") files
(15:15:12) mattock: and I'm migrating it over to the new files from vcpkg and 
openvpn msbuild progressively
(15:15:29) mattock: the process seems to work very well, so it should not take 
that many hours to complete
(15:16:54) mattock: any other updates on 2.5/2.6?
(15:17:31) plaisthos: I want to add chachapoly to data-ciphers by default if it is 
available as lowest priority algorithm
(15:17:45) ***lev_ is discussing "Import from URL" feature with Selva to make 
it more community-friendly
(15:18:15) plaisthos: rationale is that it is more user friendly if someone wants 
to use chacha, they only need to touch client or server
(15:19:23) dazo: I think that makes sense ... the signalling should be in place 
for this to be handled gracefully, right?
(15:19:36) plaisthos: sure
(15:19:55) plaisthos: clients will just report one more cipher in data-ciphers
(15:20:05) dazo: exactly, so lets do that
(15:20:27) plaisthos: and for the server if will 

[Openvpn-devel] Summary of the community meeting (11th August 2021)

2021-08-11 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 11th August 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, MaxF, ordex, plaisthos and zx2c4 participated 
in this meeting.


---

Ordex has sent a patch to get rid of PF support in openvpn 2.6.

---

Talked about the pluggable transport patchset that was funded by Google 
and implemented by Operator Foundation. Ordex is still in discussion 
with the involved parties.


---

Talked about the new buildbot setup. Mattock attempted to start setting 
up the production dockerized buildmaster, but lacked permissions to 
create the EC2 instance (not being in ops anymore). He created an 
internal ticket about this to get things moving forward.


Mattock also published the buildbot work as a PR to openvpn-vagrant:



He also started adapting the MSI installer WiX source files to take the 
results of new built-in msbuild buildsystem in OpenVPN as their source.


---

Talked about AutoHCR also known as HLK-CI. It is now testing 
tap-windows6 pull requests automatically. Permissions are handled by a 
separate "openvpn-ci" GitHub user created by mattock who has write 
permissions to tap-windows6. Those permissions are, however, narrowed 
down by providing the HLK-CI guys openvpn-ci's GitHub PAT ("personal 
access token") that only grants "repo:status" permission. Test results 
are uploaded automatically to a Dropbox share.


Also noted that attempting to resolve all the issues found by HLK(-CI) 
is probably not worth the effort, given that there are already better 
drivers to replace it.


---

Lev gave an update on dco-win. He plans to look into doing crypto 
directly on network buffers without copying, which should make it even 
faster.


---

Talked about Wintun. Zx2c4 mentioned that many people would like to have 
an updated version of Wintun included in OpenVPN. Wintun will continue 
to be maintained despite the fact that a new driver will replace it in 
Wireguard.


---

Talked about profile import functionality for openvpn-gui:



Noted that while this approach is quite brutal, it is the only one that 
seems to work reliably across all platforms.


--

Full chatlog attached
(15:01:14) MaxF: Hi!
(15:01:19) mattock: hi!
(15:03:37) lev___: hello
(15:05:35) ordex: hi!
(15:05:43) ordex: cron2_: dazo: plaisthos: 
(15:06:00) ordex: cron2_ will be a bit late
(15:08:52) dazo: Hey!
(15:09:00) cron2_: hy
(15:09:16) ordex has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2021-08-11
(15:09:58) ordex: please be quiet !
(15:10:11) ordex: it seems we're too much into summer mode
(15:10:16) ordex: mattock: do something! :D
(15:10:48) mattock: hi
(15:10:51) mattock: sorry, got distracted
(15:11:01) mattock: anyhow
(15:11:24) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-08-11
(15:11:28) mattock: sync up
(15:11:51) ordex: more patches went in
(15:12:02) ordex: I sent a patch to get rid of PF support in openvpn 2.6
(15:12:06) ordex: as discussed
(15:12:21) cron2_: yes!
(15:13:08) ordex: https://znc.in).
(15:17:24) d12fk [~he...@exit0.net] has entered the room.
(15:18:32) ordex: not much else to add to this topic for now
(15:18:35) ordex: will keep you posted
(15:19:58) mattock: ok
(15:20:23) mattock: I can give a brief update as well
(15:20:28) cron2_: 1
(15:20:30) cron2_: +
(15:21:09) mattock: I tried to start setting up the new production buildmaster
(15:21:29) cron2_: I saw your PR, but had no time to look more closely
(15:21:33) mattock: however, I was immediately blocked by the fact that I did 
not have access to the terraform repository in which I should have added the 
EC2 instance
(15:21:46) mattock: so, I filed a ticket asking for permission to the repository
(15:21:53) mattock: did not yet check if I got an answer
(15:22:03) mattock: meanwhile I created a PR for the dockerized buildbot work
(15:22:24) mattock: and started working on adapting WiX to consume the results 
of the new msbuild buildsystem
(15:22:44) cron2_: that sounds pretty cool
(15:22:46) mattock: the PR is in a good shape afaics, but WiX is fighting back 
and does not provide much debugging info to figure out what is wrong
(15:23:06) mattock: in theory adapting the WiX source files is easy, there's 
probably just some small glitch somewhere
(15:23:41) mattock: anyhow, that's what I'll continue doing
(15:23:54) ordex: may I dare to ask what is WiX?
(15:24:14) mattock: yes, it is the tool that is used to compile WiX XML files 
into MSI installer packages
(15:24:27) mattock: so XML is the source and WiX makes it into an installer
(15:24:42) ordex: oh I see
(

[Openvpn-devel] Summary of the community meeting (4th August 2021)

2021-08-04 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 4th August 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, mattock, MaxF, ordex and plaisthos participated in 
this meeting.


---

Plaisthos and ordex want to pick up DCO again and work on it again to 
have it integrated soon.


---

Talked about the OpenVPN 2021 hackathon:



The company hosting the meeting wanted to publish a blog post about the 
hackathon, which sounded very acceptable, especially if we can have a 
say on the content of the blog post before it gets published. Mattock 
will compile an executive summary of the hackathon for the CEO of 
OpenVPN Inc. to see if it all looks good.


---

Talked about the pluggable transport patchset that was funded by Google 
and implemented by Operator Foundation. Ordex has been talking to the 
Google PM responsible for it and it is unclear if the patchset will have 
a maintainer should we decide to merge it. The patchset is fairly 
intertwined with the rest of codebase, so we do not want to merge it 
without somebody taking responsibility over it. As far as we know the 
patches are not used by anyone (outside of Google).


Ordex will make more inquiries to gauge the interest in the patchset 
from Google / Operator Foundation.


---

Talked about the new buildbot setup. It is already a drop-in replacement 
for the old one. The only part not fully implemented yet is building of MSIs.
As cron2's FreeBSD buildslaves are unupgradeable because of Buildbot 
0.7/0.8's dependency on Python 2, it was decided to expedite moving the 
new buildbot to production.


--

Full chatlog attached
(14:57:47) mattock_: hello
(14:58:23) MaxF: hello!
(14:59:31) plaisthos: moin
(15:00:15) lev___: hello
(15:00:18) cron2_: oi
(15:00:19) dazo: hey!
(15:01:44) mattock_: we have dazo here as well! \o/
(15:02:49) dazo: well, somewhat physically at least :-P
(15:03:34) ***cron2_ looks
(15:03:39) cron2_: no, just virtual dazo
(15:03:40) mattock_: as long as your brain and fingers work a bit that's enough 
:)
(15:03:50) dazo: lets see! :-D
(15:04:20) cron2_ has set the topic to:
https://community.openvpn.net/openvpn/wiki/Topics-2021-08-04
(15:05:12) mattock_: let's start, five minutes past
(15:06:23) plaisthos: ordex and I want to pick up DCO again and work on it 
again to have it integrated soon
(15:06:40) d12fk: has the hackathon (venue) been discussed last week already?
(15:06:41) mattock_: I recall most of the prerequisites are in now
(15:06:54) plaisthos: I still have to finish a few other tasks this week but 
will be working DCO again next week
(15:07:15) ordex: hi there!
(15:07:26) mattock_: hi ordex!
(15:07:45) ordex: what plaisthos says
(15:08:33) cron2_: d12fk: no, because dazo was missing, and my appointment with 
qaware was only thursday
(15:08:42) cron2_: so, let's get the hackathon done :-)
(15:09:20) dazo: the qaware site looks really nice, and a really generous offer 
from them
(15:09:24) cron2_: I spoke with qaware last week, explained about "corp" and 
"community", and they are all happy.  The room is huge (ordex shared the 
pictures internally, I hope) and even with corona we can fit 20 persons in
(15:09:29) d12fk: I've updated the wiki with the best (imho) Hotel option
(15:10:02) ordex: well, it seems we converged on to qaware already :)
(15:10:08) cron2_: they noticed that they actually do use openvpn for their 
corp VPN :-) - so the boss is totally happy now, and some of the tech geeks 
that saw me with the OpenVPN T-Shirt were like "oh, openvpn, cool!"
(15:10:48) cron2_: what they want is to do a bit of PR with us ("look, qaware 
is a totally great place to work, we do all these nice things together with the 
open source community") and I think this is a good thing
(15:11:04) ordex: agreed
(15:11:05) mattock_: +1
(15:11:11) dazo: sounds reasonable
(15:11:17) ordex: they can feature the hackathon on any pr material they should 
do?
(15:11:18) cron2_: they actually do a lot of open source integration work, 
organize meetups here in munich, etc.
(15:11:28) ordex: cool
(15:11:34) cron2_: ordex: yep
(15:11:34) ordex: sounds like a very good fit :)
(15:12:01) cron2_: they also seem to have a few people interested in looking 
into openvpn - I said "Fri-Sun they are very welcome"
(15:12:08) dazo: +1
(15:13:02) mattock_: +1
(15:13:15) cron2_: the only drawback I could find is that there are not too 
many exciting-looking restaurants in very close distance, so for lunch it might 
end up "going to their cantina" (we'd have to pay for this ourselves :-) ) or 
"order something"
(15:14:24) dazo: I don't see that as an issue
(15:14:28) mattock_: is it close enough to good res

[Openvpn-devel] Community meetings in August 2021

2021-08-03 Thread Samuli Seppänen



Hi,

Next community meetings have been scheduled to

- Wed 4th August 2021 at 14:00 CET
- Wed 11th August 2021 at 14:00 CET
- Wed 18th August 2021 at 14:00 CET
- Wed 25th August 2021 at 14:00 CET

The place is #openvpn-meeting IRC channel at libera.chat. Meeting agendas
and summaries are in here:



Samuli


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] Summary of the community meeting (14th July 2021)

2021-07-14 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 14th July 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, mattock, MaxF, ordex and plaisthos participated in this 
meeting.


---

Talked about the OpenVPN 2021 hackathon. Nothing concrete was decided, 
but a few options for accommodation and for the meeting room were 
discussed. Noted that being fully vaccinated will probably help 
participants avoid quarantines.


Invited Jan and Simon (who have joined the hackathon in the past) to 
join this year as well.


---

Gave a brief development status update:

- OpenVPN 2.4: nothing has happened
- OpenVPN 2.5: nothing has happened
- OpenVPN 2.6: ordex and cron are working on plaisthos' TLS magic patches

---

Noted that mattock will be on vacation for two weeks starting next week. 
Also noted that dazo is currently on vacation.


--

Full chatlog attached

(14:06:06) mattock: ok
(14:59:43) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] has entered the
room.
(14:59:59) MaxF: Hi!
(15:01:23) mattock: hi!
(15:01:27) mattock: who do we have here today?
(15:01:43) ***cron2_ is halfway there
(15:04:33) ***d12fk is here now
(15:05:22) mattock: welcome!
(15:07:44) cron2_: ordex excused himself, on a mission
(15:07:48) cron2_: what about dazo?
(15:08:13) d12fk: dazo is on vacation
(15:09:07) cron2_: hrmph, does not help with hackathon planning
(15:09:32) d12fk: reminds me of that I wanted to contact the NH near main 
station
(15:09:59) plaisthos: yeah
(15:10:10) d12fk: they have meeting rooms, place looks reasonably nice and is
central
(15:11:04) cron2_: I might have an interesting other option here - we got 
offered to use rooms of a local company that a friend of mine knows well enough 
to ask
(15:11:17) mattock: ah that would be nice!
(15:11:23) cron2_: it's more in the south of munich, but still public transport
(15:11:25) d12fk: this one 
https://www.google.com/travel/hotels/Munich/entity/CgsI_oKyrfuS-NuJARAB
(15:11:40) cron2_: https://www.qaware.de/kontakt/
(15:12:41) cron2_: d12fk: looks nice and is really central ("right at the 
central station")
(15:13:44) d12fk: I'm in favor of the meeting room at qaware. that is only for 
the hackathon and not company meeting I suppose?
(15:13:59) cron2_: I asked for "Tuesday to Sunday" and they agreed
(15:14:12) d12fk: oh splendid
(15:14:20) plaisthos: d12fk: more space for the company part is not wrong
(15:14:32) cron2_: I called it a 6-day hackathon, though... but the difference 
is somewhat marginal, if it's "just me and maybe syzzer"
(15:14:50) plaisthos: and MaxF 
(15:15:03) cron2_: I do not have all details, I only received that e-mail ~1 
hour ago, with "yes, we can do that, let's discuss the details"
(15:16:00) d12fk: I think we can make it work any way
(15:16:47) d12fk: maybe the room availability might be an issue
(15:18:10) cron2_: d12fk: can you check with the hotel, I check with qaware, 
and then we finalize something when dazo is back?
(15:18:45) MaxF: Was the plan to have the hackathon for the whole time span 
shown in the doodle poll? I thought that was just to check when everyone has 
time
(15:18:46) d12fk: sounds good
(15:19:21) d12fk: Hotel close to qaware: 
https://www.google.com/travel/hotels/Munich/entity/ChkIir_a5-vRyaLlARoML2cvMTJxNHRsZzkyEAE
(15:19:32) cron2_: MaxF: hackathon is Fri-Sat Nov 5-Nov 7
(15:19:59) cron2_: Corp people meet Tuesday-Friday before the "community 
hackathon weekend", so Nov 2-Nov 4
(15:20:35) cron2_: d12fk: BOLDly go where no hacker has been before? :-)
(15:20:35) d12fk: fri-sun, no?
(15:21:06) d12fk: ordex: sorry it is not the italics hotel
(15:21:28) cron2_: uh, yes.  3 days.
(15:21:36) cron2_: the date was correct, the weekday not
(15:21:56) MaxF: Corp people are OpenVPN Inc.?
(15:22:23) cron2_: yes
(15:22:37) d12fk: eye-to-eye team meeting
(15:27:53) cron2_: okay
(15:28:01) cron2_: more questions related to hackathon?
(15:28:16) d12fk: # of ppl I should ask the room for?
(15:28:41) cron2_: 10-11 is the current guesstimate
(15:28:42) d12fk: is the doodle list complete?
(15:29:23) cron2_: no idea.  Is James on it?
(15:29:28) d12fk: yeah
(15:30:39) cron2_: so how many on the doodle (I lost the URL)?
(15:30:48) d12fk: https://doodle.com/poll/ac9dbsqwd8ftkqup
(15:31:07) d12fk: 11 (with Antonio questionable)
(15:31:08) mattock: the list looks correct
(15:31:40) d12fk: kk, going to ask for a room for 11/12 and 10/11 rooms then
(15:31:54) cron2_: all the usual suspects are on it, except Simon
(15:32:03) mattock: did someone ask Simon?
(15:32:41) d12fk: MaxF: is it okay to book you on the NH, if we decide to go 
there? or do you guys want to stay somewhere else?
(15:33:37) cron2_: mattock: not that I'm aware of
(15:33:42) mattock: c

[Openvpn-devel] Community meetings in July 2021

2021-07-06 Thread Samuli Seppänen



Hi,

Next community meetings have been scheduled to

- Wed 7th July 2021 at 14:00 CET
- Wed 14th July 2021 at 14:00 CET
- Wed 21st July 2021 at 14:00 CET
- Wed 28th July 2021 at 14:00 CET

The place is #openvpn-meeting IRC channel at libera.chat. Meeting agendas
and summaries are in here:



Samuli




[Openvpn-devel] Summary of the community meeting (30th June 2021)

2021-06-30 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 30th June 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, MaxF, novaflash, ordex and plaisthos 
participated in this meeting.


---

Finished the CVE text for OpenVPN 2.5.3:

"OpenVPN before version 2.5.3 on Windows allows local users to load 
arbitrary dynamic loadable libraries via an OpenSSL configuration file 
if present, which allows the user to run code with the same privilege 
level as the main OpenVPN process (openvpn.exe)."


---

Noted that rob0 from IRC was hired as support person for OpenVPN Inc. 
He'll be working mostly on the commercial support side.


There are other open positions as well, so OpenVPN Inc encourages 
interested people to send in applications, or to notify people who might 
be interested:




---

Noted that the console fixes for Windows are now merged. They work on 
the most recent Windows Insider build (tested on ARM64).


---

Lev is working on AS support for openvpn-gui and will send the first PR
soonish. There will be an "Import from Access Server..." menu item, which
opens a host/user/pwd dialog, which then imports the profile from AS.


Talked about the option for making this work on non-AS profile download 
portals as well. The "application/x-openvpn-profile" MIME type used by 
AS could be converted into a de facto standard.


---

Talked about OpenVPN 2.6. Noted that ordex and cron2 need to busy 
themselves with "what we have on the list" to free space for the new 
patch wave. Agreed to work on this the upcoming Friday.


---

Agreed to have the OpenVPN 2021 hackathon on 5.-7.11.2021. That way 
everyone except ordex will be able to join. Also, ordex might be able to 
join as well, if he's lucky.


Talked about the meeting space options (Regus, ImpactHub, etc). Dazo 
made an inquiry to Regus, cron2 will look around a bit more.


Novaflash will ask the OpenVPN Inc. accountant how to handle the 
finances part of booking the meeting space.


--

Full chatlog attached
(15:00:48) mattock_: howdy
(15:00:52) plaisthos: moin moin
(15:01:07) MaxF: hi
(15:01:07) novaflash: hallo daar generaal kenobi
(15:01:39) d12fk: no funny speak novaflash =)
(15:01:49) novaflash: okay, humor removed
(15:02:21) d12fk: was targeting dutch rather ;-)
(15:02:31) novaflash: i know ;-)  
(15:02:44) novaflash: so topic still points to last week's agenda
(15:02:49) ordex: hi
(15:03:01) lev___: hello
(15:03:05) dazo: hey!
(15:03:07) plaisthos: that is an improvement, last week the topic was 3 weeks 
old
(15:03:13) novaflash: so we're catching up
(15:03:51) dazo: we probably need vpnHelper here to get the right privs
(15:04:29) cron2: howdy
(15:04:42) plaisthos: are we doing text or video based meeting this week?
(15:05:56) cron2: do we have a security topic?  Otherwise I'd stick to text
(15:06:49) dazo: +1
(15:07:06) novaflash: good. i hadn't put on my makeup or my wig yet
(15:07:18) dazo: I don't think we have any security topics  maybe we can 
quickly just have a look at the CVE description of the last release we did
(15:07:33) mattock_: text is good
(15:07:46) dazo: OpenVPN before version 2.5.3 on Windows allows local users to 
load arbitrary dynamic loadable libraries via an OpenSSL configuration file if 
present, which allows the user to run code with a different privilege level.
(15:08:42) novaflash: seems okay to me. the description, not the bug.
(15:08:52) cron2: maybe not, as openvpn runs with the privileges of the user 
normally
(15:08:53) dazo: I know lev___ had some thoughts around specifying "different 
privilege levels" ... But we don't need to be too specific in these notes
(15:10:14) cron2: ... which in certain deployment scenarios might allow running 
code with different privileges
(15:10:32) dazo: yeah, that's what I'm accounting for
(15:10:52) cron2: you either need to run openvpn gui as admin (in which case 
you have root already) or have different users on the same machine, and drop a 
.cnf for the *other* user to find
(15:11:06) dazo: yupp
(15:11:14) lev___: I was wondering if we need to state that it is not running 
as, say, SYSTEM
(15:11:45) cron2: if someone runs openvpn from regular service, and a .cnf can 
be dropped, that would give you admin
(15:12:47) lev___: well yeah, but that's not how ppl usually run openvpn I guess
(15:13:10) cron2: some do, so "there is an attack angle", but it needs specific 
setups
(15:13:12) dazo: lev___: we generally don't really need to specify what is not
possible, the text should focus on the possibilities ... running a code 
"unexpectedly" with a different privilege level is the issue which can be abused
(15:14:10) cron2: I find it relevant on whether thi

[Openvpn-devel] Summary of the community meeting (23rd June 2021)

2021-06-23 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 23rd June 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, MaxF, novaflash, plaisthos and zx2c4 
participated in this meeting.


---

Talked about OpenVPN 2.5.3. It is in the queue of getting through the 
community testing in Fedora 34. Fedora Copr repos (F33, EPEL-7, EPEL-8) 
are already out and published in the openvpn-release copr repo.


---

Noted that "magic code" was found in windows stderr handling, which 
breaks MSVC compiled binaries on latest Win10 insider builds. So we 
might need a 2.5.4 eventually. Cron2, selvanair and lev are pulling 
their hair to fix it.


---

Noted that latest OpenVPN GUI has the SSO patches. Also noted that 
OpenVPN GUI in OpenVPN 2.5.3 Windows installer has those as well, as it 
includes the latest GUI available at release time.


---

Noted that 2.6 will probably move forward a bit slower as ordex is on 
his vacation.


---

Plaisthos will probably post a patch in next few days/weeks to remove 
__DATE__ and __TIME__ from the version to make builds reproducible iff 
the git tree is clean. The goal is to enable reproducible builds.


---

MaxF (from Fox-IT) gave an update on OpenVPN-NL. They're almost ready to 
release the first 2.5-based OpenVPN built on top of 2.5.3.


---

Talked about building Wintun and having reproducible builds. According 
to zx2c4 wintun builds might be reproducible, but he's not 100% sure. 
While we currently distribute (old) Wintun MSMs as-is, we'd like to 
build as many of our dependencies as possible to reduce the likelihood 
of supply chain attacks.


--

Full chatlog attached
(14:58:30) plaisthos: breedbanddelft.nl sounds like Fox IT :P
(14:59:22) MaxF: Dark Fiber!
(14:59:25) mattock_: hello!
(14:59:53) MaxF: hello!
(15:01:06) dazo: hehe
(15:01:10) dazo: hi!
(15:01:18) lev__: hi
(15:02:37) cron2: yo!
(15:04:40) plaisthos: the topics in the topics are from 3 weeks ago %)
(15:04:53) mattock_: they're always the same topics anyways?
(15:04:55) mattock_: :)
(15:05:55) d12fk: hi
(15:07:30) ***cron2 has added moar topics
(15:07:54) plaisthos: to the agenda of the 2nd june? :)
(15:08:07) cron2: no, to 06-23
(15:08:18) cron2 has set the topic to:
https://community.openvpn.net/openvpn/wiki/Topics-2021-06-23
(15:08:28) cron2: now I get that part of the joke :)
(15:09:30) ***d12fk doesn't
(15:10:06) cron2: well, the first 2 items never change, but if the /topic 
points to the agenda of 3 weeks ago, it's not surprising that the agenda does 
not change at all...
(15:11:14) cron2: shall we start?
(15:11:20) plaisthos: sure
(15:11:29) dazo: to get #2 done quickly  we have gotten some new people to 
push and annoy internally to attempt to move forward on IPv6 ... so it's 
"moving" forward, somehow
(15:11:40) cron2: dazo: thanks
(15:13:15) cron2: so, #1 - anything on 2.5.x?
(15:14:24) dazo: 2.5.3 is in the queue of getting through the community testing 
in Fedora 34.  Fedora Copr repos (F33, EPEL-7, EPEL-8) are already out and 
published in the openvpn-release copr repo
(15:17:33) lev__: mattock_: is 2.5.3 using gui with crtext support
(15:17:58) lev__: it was merged into master before 2.5.3 was built
(15:20:16) mattock_: 2.5.3 uses whatever was in openvpn-gui "master" at release 
time
(15:21:24) mattock_: so the answer is "yes"
(15:22:19) lev__: danke shon
(15:23:12) MaxF: Since this is my first meeting, I'm not sure if you're 
interested in hearing about OpenVPN-NL ;)
(15:23:31) cron2: MaxF: we are :-) - let's do a quick round on 2.5/2.6 status 
first, then NL
(15:23:45) plaisthos: I am interested what happens there even if it just out of 
curiosity
(15:24:12) mattock_: +1
(15:24:32) cron2: so, from my side on 2.5 - there is a... "magic code" in the 
windows stderr handling, which breaks MSVC compiled binaries on latest Win10 
insider builds (arm64 *and* amd64).  So we might need a 2.5.4 eventually... lev 
is working on it, selva and I are pulling our hair on the code
(15:24:46) cron2: plus, we need to followup on the CVE documentation for 3606
(15:24:47) novaflash [~novafl...@185-227-75-241.dsl.cambrium.nl] has entered
the room.
(15:24:51) cron2: whichever century
(15:25:20) novaflash: i feel so liberated
(15:25:27) lev__: cron2: I've sent a patch already
(15:25:30) cron2: (in case you missed it, the 2021- morphed to 2121- at some 
point)
(15:25:42) cron2: lev__: I've seen the patch, but want to understand better if 
this is what we want
(15:25:57) cron2: "just drop stuff" is tempting, but I'd expect it to be there 
for a reason...
(15:26:13) cron2: like, you can run "openvpn --log file.txt --config my.ovpn" 
and still see the prompts...
(15:26:24) novaflash: wish i could drop tha

[Openvpn-devel] OpenVPN 2.5.3 released

2021-06-17 Thread Samuli Seppänen
//community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-devel] Summary of the community meeting (9th June 2021)

2021-06-09 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 9th June 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, plaisthos and syzzer participated in 
this meeting.


---

Talked about patches aimed at OpenVPN 2.6. Ordex plans on reviewing nine 
patches from plaisthos this week. Cron2 will test and merge a few 
pending auth patches.


---

Agreed to try to release new OpenVPN 2.5.2 installers with ARM64 MSI 
support next Wednesday. Possibly this could become 2.5.3 release as well
as there's a crash bug in 2.5.2.


The main blocker is that mattock's vagrantized MSVC build VM (=the 
upcoming buildbot worker) does not work now because Microsoft's download 
servers seem to be borked, preventing some Visual Studio components from 
downloading. So, mattock is unable to build things with MSVC at the 
moment. It used to work last Monday or so.


Lev will try to build the MSVC build VM independently to rule out local 
issues caused by mattock's laptop/internet connection (e.g. IPv6 blocked 
at MS end).


---

Noted that copyright notices should be upgraded (to 2021). We have a 
script to do it.


---

Noted that there's no IPv6 on openvpn.net domain yet. Invented some 
novel ideas on how to make IPv6 a reality.


---

Mattock gave an update on Buildbot. The buildbot worker part is working 
on the Windows Server 2019 VM now, but Visual Studio component 
installation issues are blocking things (see above).


---

Mattock will create a Doodle poll for the hackathon (November 2021).
(14:58:39) mattock: hi
(14:59:03) ordex: hoi
(14:59:11) dazo: yeh!
(14:59:26) lev__: hello
(14:59:30) cron2: hey, you're all early
(14:59:37) ***cron2 is still digesting
(15:00:29) ordex: same here
(15:00:50) lev__: video or chat?
(15:00:51) dazo: Just a heads-up, I have another meeting at 15:00, so need to 
part around 14:45
(15:01:04) ***cron2 feels like chat today
(15:01:09) ordex: chat chat
(15:01:42) dazo: +1
(15:02:22) d12fk: hi
(15:02:42) mattock: chatchat
(15:03:23) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-06-09
(15:03:40) mattock: #1 sync up
(15:04:03) syzzer_: hi!
(15:04:24) cron2: yo!
(15:05:21) cron2: I haven't seen much activity in "master/2.6" related 
patches... ordex: what is your time planning?
(15:05:41) ***cron2 is able to focus on things again: KIDS ARE IN SCHOOL.  
BOTH.  On the SAME DAY.
(15:06:16) mattock: that's EXCELLENT news cron2! :D
(15:07:47) ordex: cron2: this week I have the 9 patches v2 from plaisthos 
(15:07:57) ordex: planning to et those reviewed within this week
(15:08:00) ordex: *get
(15:08:33) cron2: ordex: ok, that's a lot :-) - let's see how it works out
(15:08:43) cron2: I have one of the "pending auth" still on my test-and-merge 
list
(15:08:47) cron2: (3, actually)
(15:09:32) ordex: cron2: yeah it is, goal is to get them all checked, but let's 
see where we get :)
(15:09:52) cron2: cool.  (Any word on where plaisthos is hiding?)
(15:12:22) ordex: (somewhere)
(15:12:55) plaisthos: here!
(15:13:06) mattock: welcome!
(15:13:09) ***d12fk waves vigorously
(15:14:01) cron2: plaisthos: your agreement on the msg() patch is missing ("in 
here" is good enough)
(15:14:11) plaisthos: Yeah, just apply it
(15:14:22) plaisthos: I was just annoyed that my build failed because of -Werror
(15:14:57) ***ordex waves fist against lev__ 
(15:15:26) lev__: well, I made it better - at last it compiles with msvc
(15:15:30) lev__: *at least
(15:16:04) ordex: hehe
(15:16:05) plaisthos: not if you use msvc+clang
(15:16:15) ordex: not sure -Werror is enabled by default
(15:16:18) ordex: :p
(15:18:14) ordex: anything else for the sync up /
(15:18:15) ordex: ?
(15:18:47) cron2: you can use msvc+clang?
(15:18:56) lev__: lets to 2.5.2/3 arm64
(15:18:59) lev__: *do
(15:19:55) cron2: mattock, lev__: next week wednesday?
(15:20:10) mattock: sounds doable
(15:20:52) lev__: I would love to see a few patches (msvc standalone, 
pkcs11-helper + arm64 in openvpn-build) merged
(15:20:54) mattock: if there are not pending, important 2.5 changes then 2.5.2 
installer release might be sufficient
(15:21:05) cron2: there's a crashbug in 2.5.2 :-)
(15:21:32) lev__: there are also some 2fa improvements in openvpn-gui
(15:21:43) mattock: my main challenge now is that Visual Studio components fail 
to install because of upstream (Microsoft server) issues, so I don't have a 
build environment for MSVC
(15:22:09) cron2: lev__: yeah, one of these build patches is on my radar.  I'll 
ping you tomorrow/friday on what else is missing.
(15:22:12) ***lev__ shrugs
(15:22:20) lev__: cron2: sure, thanks
(15:23:14) lev__: mattock: we could have AMI in ec2 under inc account for msvc 
release building
(15:24:07) mattock: yeah, but t

[Openvpn-devel] Summary of the community meeting (2nd June 2021)

2021-06-02 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: Jitsi / #openvpn-meeting on irc.freenode.net
Date: Wed 2nd June 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, plaisthos and syzzer participated in 
this meeting.


---

Talked about organizing a hackathon in November 2021, probably in Munich 
which is fairly easily reachable from around the world.


Cron2 will check out if there are meeting spaces that could be rented 
for about a week. The first part of the week (e.g. Tue-Thu) would be 
allocated for OpenVPN Inc. core team and the latter part (e.g. Fri-Sun) 
for the community hackathon.


The hackathon after the 2021 one could be organized in Oslo or 
Amsterdam, for example. For optimal weather the Oslo hackathon would 
have to be in the late spring or summer.





[Openvpn-devel] Community meetings in June 2021

2021-06-02 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 2nd June 2021 at 14:00 CET
- Wed 9th June 2021 at 14:00 CET
- Wed 16th June 2021 at 14:00 CET
- Wed 23rd June 2021 at 14:00 CET
- Wed 30th June 2021 at 14:00 CET

The place is #openvpn-meeting IRC channel at libera.chat. Meeting agendas
and summaries are in here:



Samuli




[Openvpn-devel] Summary of the community meeting (26th May 2021)

2021-05-26 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 26th May 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, ecrist, lev, mattock, ordex, plaisthos and syzzer 
participated in this meeting.


---

Talked about the "Add detailed man page section to setup a OpenVPN setup 
with peer-fingerprint" patch:




Agreed that we should be consistent in what certificate and key file 
extensions we use in our documentation. Also agreed that this patch 
should be considered as-is, without thinking about all the other cases 
where our usage of file extensions might be inconsistent.


--

Talked about OpenVPN 2.5.2 and Windows ARM64. Once a few patches and PRs 
related to MSVC/MSI/building are merged we could release 2.5.2 for ARM64.


--

Talked about the Freenode vs. Libera controversy. Agreed to keep the 
bridge between these networks active until things possibly blow over. 
We'll revisit this topic next week.


--

Mattock gave an update on the dockerized Buildbot environment. It is now 
fully functional (in Vagrant) with buildmaster and about 11 latent 
(on-demand) containerized workers. T_client tests are working on a basic 
level, but for reasons unknown there's a lot of packet loss, which
apparently makes t_client tests fail. This could be a local problem so 
mattock won't debug it further.


The next step is to upgrade openvpn-vagrant's "msibuilder" VM to Windows 
Server 2019 to support WiX toolset 3.14, then use the same automation 
code to spin up on-demand (latent) EC2 Windows worker for buildbot. This 
allows us to get MSI snapshots as well.


---

Full chatlog attached


(12:50:37) cron2: I might be late for the meeting today, a few minutes
(12:53:33) cron2: meeting right now seems to overrun, and what I need to get 
done "in between" is tight
(12:55:03) cron2: I do not have any specific points anyway (except IPv6!)
(15:00:19) mattock: hi
(15:01:24) lev__: Hello
(15:01:46) dazo: hey!
(15:03:59) cron2: hi
(15:03:59) ***d12fk waves hello
(15:04:45) cron2: i am actually not here.. stuck in the woods, 35 min home by
bike and rain
(15:04:57) cron2: so just nexus7
(15:05:13) d12fk: at least you got net in the woods
(15:07:25) ***ordex is here
(15:07:26) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-05-26
(15:07:28) ***ordex waves fist
(15:08:31) plaisthos: I want to ask about the key/crt vs pem thing
(15:10:10) cron2: i think selva makes good points
(15:10:30) ordex: yeah
(15:10:32) ordex: think so too
(15:11:10) dazo: anyone got a pointer to his points?
(15:11:11) plaisthos: so I change that to key/crt that is used on the server 
side
(15:11:34) plaisthos: we still also use conf instead of ovpn on linux so it is 
not consistent anyway
(15:11:54) plaisthos: but I don't have a strong enough feeling to fight for pem 
file extensions
(15:12:00) ordex: right, but that's less problematic imho
(15:12:13) ordex: key/crt/pem are really black boxes for most users, so easier 
to mess up
(15:12:30) ordex: dazo: there is some mail on the -devel ml - plaisthos what
was the subject ?
(15:12:54) dazo: I vaguely recall seeing it, but I can't find it
(15:13:26) plaisthos: the tutorial of the peer-fingerprint v2 patch
(15:13:33) ordex: Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page 
section to setup a OpenVPN setup with peer-fingerprint
(15:14:25) dazo: found it! thx!
(15:15:03) ordex: np
(15:16:23) dazo: I don't have any strong opinions either way.  I commonly use 
$(prefix)-{cert,key}.pem ... as there are a few times it's been easier to 
search for files that way and some tools have picked up the files only with 
.pem extension; but I acknowledge that Windows might prefer .crt instead.
(15:17:42) cron2: personally i do not care much either way. we must be
consistent, but this can be done either way
(15:17:59) dazo: This is essentially just a color of bikeshed variant  and 
it relates to whether we see the file extension as the "content" or "format" of 
the file
(15:18:11) dazo: cron2++
(15:18:48) ***dazo votes for consistency, whatever extension is preferred
(15:18:50) d12fk: Windows display nice icons if you have the file extension 
right. it is all about that
(15:19:04) cron2: as well
(15:19:31) ordex: I also have no strong opinion, but vote for consistency
(15:19:33) d12fk: thou shalt shall inline 
(15:19:47) dazo: :-D
(15:19:50) ordex: but it seems that .key/.crt is what has been out there longer 
(regarding openvpn files)
(15:20:14) plaisthos: the tutorial uses inline for clients but not for the server
(15:20:30) plaisthos: also what section is right one for the openvpn-example 
man page
(15:20:31) cron2: ok, swimming home now... afk
(15:20:35) p

[Openvpn-devel] Summary of the community meeting (19th May 2021)

2021-05-19 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 19th May 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, ordex, plaisthos and syzzer 
participated in this meeting.


---

Noted that native OpenVPN 2.5 on ARM64 (OpenVPN build, MSI, 
dependencies, etc) is progressing very nicely. We could build an 
ARM64-compatible 2.5.2 installer with fairly small amount of manual 
tinkering now. Only Wintun support would be missing. The msibuilder VM 
in openvpn-vagrant may need to be upgraded to install WiX 3.14 (that has 
ARM64 support).


---

Noted that openvpn.net domain is still missing IPv6. No changes since 
last week as far as we know.


---

Talked about removing --no-replay option. Noted that it was to be 
removed in 2.5, but we backpedaled on that decision and forgot to change 
our documentation. It was also noted that that option changes the wire 
format.


Noted that --cipher none --auth none and --no-replay are quite 
intertwined. Getting rid of these options would be good from security 
perspective, but it was also noted that plain-text OpenVPN tunnels do 
have some advantages over the alternatives like GRE tunnels.


Summarizing the discussion:

1) OpenVPN 2.6: reject configs where --no-replay is used without --auth 
none.

2) OpenVPN 2.7: remove --no-replay
3) Add clear warnings to 2.5 and 2.6 about 1) and 2)

---

Noted that mattock buildbot setup is shaping up nicely. There are a ton 
of workers and code and data are quite well separated. Mattock is now 
working on limiting concurrent builds on the docker host, then moving on 
to t_client tests.


---

Full chatlog attached

(14:57:15) ordex: heya
(14:59:19) plaisthos: hey
(14:59:25) dazo: hey!
(14:59:33) d12fk: hi
(15:00:25) mattock: hi
(15:01:12) lev__: Hi
(15:03:25) cron2: ohaiu
(15:03:43) ordex has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2021-05-19
(15:04:07) ordex: added point 3
(15:05:37) mattock: all ready?
(15:05:42) cron2: this cloudflare shitshow with the URL massacring is annoying
(15:05:43) plaisthos: yeah
(15:05:46) dazo: yeah
(15:06:40) cron2: booting FreeBSD/Arm64 right now... $something is insanely 
slow...
(15:06:57) mattock: ah, I got the topic page now :)
(15:07:00) mattock: sync up
(15:07:21) plaisthos: cron2: on your m1 mac?
(15:07:23) cron2: yep
(15:07:29) cron2: (in parallels)
(15:08:02) cron2: might just be the virtual CD rom, will see after installation
(15:08:10) cron2: win10 sort of felt normal
(15:10:21) cron2: so, meeting? :)
(15:10:55) ***dazo is ready
(15:11:07) mattock: yes, sync up
(15:11:45) cron2: I have not much to report... I broke one of the patches, and 
the other did not apply anymore (*selfslap*), but a v3 is there which I haven't 
looked at yet...
(15:12:34) cron2: today and tomorrow is RIPE meeting, so busy.  Friday+weekend 
looking good.
(15:14:06) cron2: lev__, d12fk and selva seem to do a great job on the ARM64 
installer
(15:14:29) ordex: plaisthos you should be sending rebased patches soon, right? 
(for the x/7 patchset)
(15:14:40) d12fk: mostly the other two
(15:14:47) plaisthos: yeah
(15:14:57) lev__: yeah after openvpn-build PR is merged, arm64 should be done 
(except wintun)
(15:14:58) plaisthos: I need to fixup the connect patch to work with p2p first 
:/
(15:15:03) syzzer: hi :)
(15:15:16) d12fk: hi syzzer
(15:15:24) lev__: hi syzzer!
(15:15:24) mattock: hi!
(15:15:44) ordex: !
(15:15:52) ordex: plaisthos: ah right
(15:17:45) plaisthos: I am probably opting for a hacky solution as the whole 
code block gets removed eventually by the p2p ncp and S_GENERATED_KEY anyway
(15:17:53) cron2: syzzer! welcome back :-)
(15:18:38) ordex: plaisthos: if that code gets removed, might it make sense to 
merge the two patches back2back ?
(15:18:55) ordex: rather than fixing a case that is broken for one commit only?
(15:18:57) cron2: that was my idea as well
(15:19:20) ordex: it feels like "it's a needed step towards salvation", so 
probably acceptable
(15:19:26) cron2: if we have two ACKed and "together everything passes" 
patches, we could do that
(15:19:33) plaisthos: if that is okay I can do that too
(15:19:36) cron2: (if the patch in between only breaks a corner case)
(15:19:42) ordex: yeah
(15:20:07) ordex: implementing "a hacky transient solution" doesn't sound any 
better after all, something might still be broken
(15:20:41) plaisthos: basically non-ncp code paths are broken in the patch
(15:20:49) plaisthos: cron2: did you have tests with ncp-disable?
(15:20:56) plaisthos: they *might* be broken too
(15:20:58) ordex: the patch breaking tls/p2p is 1788 ?
(15:21:00) cron2: wait
(15:21:21) cron2: plaisthos: not on the server
(15:21:37) cron2: there are a few 

[Openvpn-devel] Summary of the community meeting (12th May 2021)

2021-05-12 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 12th May 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, ordex and plaisthos participated in 
this meeting.


---

Talked about OpenVPN 2.6 patches that are a requirement for the upcoming 
DCO patches:


- Two patches are related to refactoring the TLS state machine
- The p2p ncp/remove ncp-disable pair is a fairly large change
- cmake build/autoconf patches
- a few other patches

---

Talked about ARM64 support in MSI installer. Lev was able to work around 
the various problems and thinks the next OpenVPN 2.5 MSI installer could 
have arm64 support. No code changes were required for OpenVPN, but the 
build system did require some work.


Current limitations of MSI + ARM64 are

1) no pkcs11
2) no wintun
3) no multiline and non-english strings in openvpn-gui

The first two may be solvable fairly easily if they can be built natively 
for arm64.


The third is because openvpn-gui resources are not compatible with msvc 
resource compiler (which doesn't recognize multiline strings). So right 
now arm64 version uses a special msvc-compatible resource file created 
from the english original with all multiline strings trimmed.


D12fk volunteered to have a look at the multi-line issue tomorrow. Lev 
will look into wintun and pkcs11.


---

Noted that there are various ways to run Windows 10 on ARM64:

- Raspberry PI4 (apparently "proof of concept"-slow)
- Amazon Linux ARM64 instance with QEMU on top
- Apple M1 arm64 laptops with virtualization
- Linux x86 with qemu and arm64 VM

---

Noted that openvpn.net domain is still missing IPv6. No changes since 
last week as far as we know.


---

Full chatlog attached

(14:59:33) d12fk: good day
(14:59:33) cron2: mahlzeit :)
(14:59:33) d12fk: ah another early bird
(14:59:33) d12fk: i thought I heard an echo
(14:59:33) ***: Playback Complete.
(14:59:37) mattock: hi
(14:59:45) lev__: hyvää päivää
(14:59:51) cron2 has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2021-05-12
(15:00:12) dazo: Hey!
(15:01:38) ordex: hi hi
(15:03:42) mattock: short topic list
(15:04:13) ordex: something is missing from last week
(15:04:59) ordex: please refresh
(15:05:00) ordex: :)
(15:06:17) d12fk: can someone check my email addr in trac pls
(15:06:22) mattock: +1
(15:06:30) d12fk: thinking it might point to my old employer
(15:06:46) d12fk: was: refresh =)
(15:06:47) mattock: you have to change it from the "account" menu
(15:06:51) mattock: d12fk
(15:06:56) d12fk: not without a password
(15:07:04) mattock: mkay
(15:07:08) ordex: he is chickened
(15:07:09) cron2: wait
(15:07:12) mattock: chickened and egged
(15:07:13) plaisthos: moin moin
(15:07:16) ordex: needs an egg
(15:07:19) ordex: moin
(15:07:32) mattock: I need to play some ldap games then
(15:07:37) d12fk: start with a mcnugget
(15:07:38) mattock: I will start mentally preparing for it
(15:07:44) cron2: can't you change that in the admin interface?
(15:08:10) mattock: pwm does have an admin interface but that's disabled
(15:08:30) mattock: the ldap server has an admin interface which does not work 
for me and I have not bothered to look into it :D
(15:08:42) cron2: I thought you could do that in the trac admin interface, but 
no, that's all nonclickable
(15:08:43) mattock: though I can check if trac maintains its own email address 
setting
(15:08:52) cron2: (and indeed, it's the old address)
(15:09:14) ordex: d12fk: squeeze your brains and remember that password!
(15:09:15) ordex: :D
(15:09:20) d12fk: not a pressing issue anyways
(15:09:47) d12fk: will try a few passwords until i'm locked out
(15:10:00) mattock: ok
(15:11:12) ordex: so
(15:11:15) ordex: we go with #1 ?
(15:12:11) ordex: for 2.6 we have two more patches that were ACK'd (still about 
refactoring the TLS state machine) - the rest will have to be rebased by 
plaisthos and resent because new changes were introduced in the middle
(15:12:15) ordex: due to review
(15:12:33) ordex: plaisthos: how many pre-dco patches do we have after this 
batch is merged?
(15:12:57) plaisthos: lets see
(15:14:34) plaisthos: the p2p ncp/remove ncp-disable pair is another bigger 
patch
(15:14:51) d12fk: found password, ldap also has the private email, probably 
still graylisted, that's why I didn't get anything
(15:15:04) d12fk: \o/
(15:15:08) plaisthos: then 3-5 smaller ones
(15:15:50) plaisthos: there is also some patches that are unrelated to DCO 
still in my tree, like all the patches belonging to the whole cmake 
build/autoconf
(15:16:04) ordex: ok
(15:16:08) lev__: yay, cmake
(15:16:13) ordex: but they can be done in parallel
(15:16:23) ordex: or in any order we like
(15:16:31) ordex: plaisthos: ab

[Openvpn-devel] Summary of the community meeting (5th May 2021)

2021-05-05 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 5th May 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, ordex and plaisthos participated in 
this meeting.


--

Lev is working on arm64 support in dco-win. So far he has managed to 
produce MSI which runs on arm64, but installation fails because his 
customactions.dll runs on .net framework which is not available for 
arm64, so he is rewriting it to C++ (shouldn’t be a big task).


---

Talked about backporting the "Fix build with mbedtls w/o SSL 
renegotiation support" patch to 2.5. Agreed that this should be merged 
because the patch that breaks the build is also there.


---

Ordex is working on the few remaining patches from Arne - they touch the 
TLS state machine so further digging is required, hence more time to 
stamp with ACK.


---

Talked about DCO for Linux. There has not been much feedback on it, so 
either it is not being used much, or it works perfectly. Agreed that to 
know for sure it needs to be released to the mainstream in 2.6. After we 
have enough real users we can consider upstreaming the Linux kernel patches.


---

Talked about the CRL extractor script:



Agreed to merge this. Noted that we could have a "openvpn-contrib" repo 
for this kind of thing, but did not move forward with the idea. Also 
noted that "contrib" directory in openvpn repo is fairly unmaintained.


---

Talked about compat mode introduced by plaisthos:



Basically it allows more easily configuring default options of OpenVPN to 
be compatible with old OpenVPN versions. This allows changing the 
defaults without affecting users too much. Agreed that it would make 
sense to make this compat-mode feature client-only.


---

Mattock is figuring out the technical details regarding GitHub + HCK-CI 
with the Daynix guys.


---

Mattock now has dockerized buildbot + two workers that are actually able to 
build openvpn2 correctly. This is all in Vagrant for now. The main 
challenge is keeping the configuration clean given all special builders 
and build parameters we have.


Noted that the two buildbot setups can co-exist peacefully so there's no 
particular hurry in migrating the buildslaves.


---

Full chatlog attached
(14:48:03) plaisthos: I am probably semi-afk in the meeting since I have 
another meeting in parallel :/
(14:57:58) ***ordex waves fist
(14:58:33) mattock: hello
(14:58:39) cron2: who schedules such!
(14:59:02) mattock: I blame the ukrainians as the americans are sleeping
(15:01:31) lev__: Hello
(15:02:11) dazo: hey
(15:02:35) d12fk: howdy
(15:02:46) cron2: I think corp meetings need to be refused unless they have IPv6
(15:02:59) dazo: :-D
(15:03:06) ordex: agreed!!
(15:03:12) d12fk: or only held in black and white
(15:03:14) ordex: or they shuld be held only on ipv6-only servers
(15:03:18) ordex: *should
(15:03:29) cron2: we have a correct topic! and an agenda page!
(15:03:35) ***cron2 congratulates mattock :-)
(15:04:27) ordex: wooo
(15:04:35) ordex: "Topic set by ordex"
(15:04:39) ordex: :-P
(15:05:36) dazo: ordex++
(15:05:44) ordex: \o/
(15:06:07) ordex: so, anything for the sync up ?
(15:07:05) ***lev__ prepared ovpn-dco-win enabled client in the form of MSI 
installer
(15:07:06) ordex: I think for 2.5 not much has happened since the last meeting?
(15:07:25) cron2: yeah, that's easy.  Nothing on my plate.
(15:07:31) ordex: lev__: what is that based on? master + dco patches from arne 
+ ?
(15:07:55) mattock: topic is not my doing, but agenda pages are mostly
(15:07:56) cron2: well, there's this mbedtls patch where someone on the list 
requested 2.5 pull-up, but I haven't looked more closely yet (= if needed, I'll 
do, but I think the prerequisite patch isn't even in)
(15:08:36) ordex: mbedtls patch ?
(15:09:00) lev__: Now working on arm64 support. So far I managed to produce MSI 
which runs on arm64, but installation fails because my customactions.dll runs 
on .net framework which is not available for arm64, so I am rewriting it to C++ 
(shouldn’t be a big task)
(15:09:31) lev__: Based on Arne's DCO branch
(15:09:48) cron2: ordex: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22178.html
(15:09:50) vpnHelper: Title: Re: [Openvpn-devel] [PATCH applied] Re: Fix build 
with mbedtls w/o SSL renegotiation support (at www.mail-archive.com)
(15:09:59) cron2: lev__: cool
(15:10:18) ordex: lev__: oky
(15:10:56) ordex: cron2: yeah, that makes sense
(15:11:04) mattock: lev: there's the risk that Microsoft will get off the hook 
if you 

[Openvpn-devel] Community meetings in May 2021

2021-04-29 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 5th May 2021 at 14:00 CET
- Wed 12th May 2021 at 14:00 CET
- Wed 19th May 2021 at 14:00 CET
- Wed 26th May 2021 at 14:00 CET

Please note the change of time (11:30 -> 14:00).

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] Summary of the community meeting (29th April 2021)

2021-04-29 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 29th April 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, ordex and plaisthos participated in 
this meeting.


--

Talked about 2.5.2 and 2.4.11 releases. Noted that the RPM packages are 
moving towards the stable repos for Fedora and EPEL repositories. No 
major complaints have been heard from users so far.


Some distros like Gentoo and Debian have not yet updated their packages 
with the security fixes. We poked them during the meeting.


---

Lev has working MSI installer for ovpn-dco. No MSM's, just small update 
to WiX XML and installer script. Script downloads zip with driver 
(inf/cat/sys) and CustomActions.DLL (which is C# DLL, part of  ovpn-dco 
repo). Lev is now testing various (un)install scenarios.


A fully working installer should be available by the end of this week.

---

Talked about 2.6 patches. Cron2 is working hard to merge the patches 
plaisthos and ordex are pushing his way. Right now plaisthos' backlog is 
about 30 patches.


There has been no progress at the FreeBSD end regarding a FreeBSD kernel 
DCO module.


---

Noted that an issue was found in the peer fingerprint code by cron2's 
new test instance. It's a particularly silly bug: you tell openvpn "try 
once!", and it will try twice, then report "oh, my (1) try failed!"


---

Had a long discussion about deprecating features and maintaining 
compatibility with old clients, in particular in the context of OpenVPN 
2.6 and DCO. Plaisthos is now using a compatibility mode option which 
sets some configuration defaults to make it easier to fix older clients 
to work with newer servers. There was some opposition to this strategy, 
but nobody could present any better solutions given our unwritten 
policy of "we must not break old clients".


---

Mattock gave an update on the new Buildbot setup. His plan (which will 
be published shortly on Trac) includes consolidating several things 
into the new Buildbot environment:


- Current Buildbot system (CI/CD)
- Release packaging (Windows, Debian/Ubuntu)
- Parts of internal OpenVPN Inc. QA which is done manually now

The new setup is being built publicly in

https://github.com/mattock/openvpn-vagrant

and

https://github.com/OpenVPN/openvpn-vagrant

which allows anyone to spin up a Buildbot setup for OpenVPN and 
contribute tests and fixes to it.


---

Full chatlog attached
(14:59:26) ordex: hallo!
(14:59:29) plaisthos: hey
(14:59:36) dazo: hepp hepp!
(14:59:38) cron2: *burp*
(14:59:48) plaisthos: video call or text today?
(15:00:39) novaflash [b9e34...@185-227-75-241.dsl.cambrium.nl] has entered the 
room.
(15:00:58) cron2: no preferences
(15:01:25) ordex: I think mattock prefers text, for easier reporting
(15:01:30) cron2 has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2021-04-28
(15:01:38) ordex: the call was more to discuss things that should not be 
written :D
(15:01:39) d457k is now known as d12fk
(15:01:48) mattock: text is better for me definitely :)
(15:01:58) mode (+o d12fk) set by ChanServ
(15:02:47) ***d12fk is happy with anything
(15:03:07) lev__: guten tag
(15:03:08) dazo: lets chat ... that works :)
(15:03:21) d12fk: lev__: daag
(15:03:23) dazo: text, I meant
(15:04:18) mattock: ok, so let us move on
(15:04:37) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-04-28
(15:04:39) dazo: #1 ... sync up on 2.5/2.6
(15:04:41) mattock: sync-ups
(15:05:05) ordex: # emerge --sync
(15:05:29) ***cron2 fills all disk
(15:05:36) dazo: 2.5.2/2.4.11 releases are moving towards the stable repos for 
Fedora and EPEL repositories
(15:06:07) ordex: cool
(15:06:20) cron2: freebsd got moved to 2.5.2 right away :-)
(15:06:22) dazo: No real complaints (a packaging challenge with systemd not 
properly restarting openvpn on upgrade on newer Fedoras only - nothing critical 
for OpenVPN community)
(15:07:01) cron2: haven't heard from debian yet... poking berniv6 as we speak
(15:07:02) dazo: I announced the upgrade on fedora-devel  and people 
started testing the upgrade quite soon after, so I'm grateful for that
(15:08:14) lev__: I have working MSI installer for ovpn-dco. No MSM's, just 
small update to WiX XML and installer script. Script downloads zip with driver 
(inf/cat/sys) and CustomActions.DLL (which is C# DLL, part of  ovpn-dco repo). 
Now testing various (un)install scenarios.
(15:08:27) ordex: gentoo has no 2.5.2 in list yet
(15:08:44) cron2: complain!
(15:08:49) dazo: soo the bleeding edge source distros are falling behind!?!?
(15:08:54) ordex: hehe
(15:08:55) dazo: :-P
(15:09:46) ordex: I can open a bug with them
(15:09:53) ordex: and mention the CVE
(15:09:55) or

[Openvpn-devel] Summary of the community meeting (21st April 2021)

2021-04-21 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 21st April 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, ordex and plaisthos participated in 
this meeting.


--

Noted that OpenVPN 2.5.2 and 2.4.11 are out and include important 
security fixes. Fixes to "master" and release/2.3 branch will follow soon.


Also wrote our security announcement for those releases:



--

Noted that Lev is working on the ovpn-dco MSI installer.

--

Discussed AWS MacOS instances in context of Buildbot. Noted that they're 
essentially dedicated Mac Minis and the minimum billing is one day. So, 
not really disposable virtual machines you could use for five minutes 
and get rid of. The daily price is around $25.


There is an internal OpenVPN Inc. ticket for providing a virtualized 
MacOS VM for use by the community. So we don't need the overpriced AWS 
Mac Minis for this.


--

Noted that mattock is 90% free from OpenVPN ops work now. [This means 
the Buildbot environment upgrade can start soon].


---

Full chatlog attached
(15:01:58) mattock: hi
(15:02:00) plaisthos: hey
(15:02:15) ordex: we stic to the chat?
(15:02:19) cron2: *burb*
(15:02:19) ordex: *stick
(15:02:50) ordex: *prot*
(15:03:18) mattock: chat is fine for me, easier to summarize :)
(15:04:10) ordex: kk
(15:04:15) mattock: I'll add the agenda page
(15:05:48) mattock: I stripped out pretty much everything: 
https://community.openvpn.net/openvpn/wiki/Topics-2021-04-21
(15:05:55) mattock: the previous meeting agenda was also a summary
(15:06:05) ordex: 2.5.2 is out - congrats!!!
(15:06:18) ordex: our palindrome release
(15:06:39) dazo: heh :)
(15:06:58) mattock: added back some stuff
(15:07:18) mattock: also known as "The Plaisthos Release"
(15:07:49) dazo: Plaisthos Pandora Box Release
(15:08:12) mattock: "State machine release"
(15:08:12) dazo: but  so ... topics?
(15:08:15) plaisthos: why my release?
(15:08:20) mattock: 10 patches from you
(15:08:25) mattock: and your Pandora's box
(15:08:27) mattock: :)
(15:08:38) ordex: anything specific to discuss about 2.5 at the moment ?
(15:08:46) mattock: no
(15:08:50) ***cron2 is annoyed about 2.4.11
(15:08:58) ordex: cron2: because of the patch?
(15:09:01) cron2: yes
(15:09:11) dazo: I'm finalizing the Fedora, EPEL and Copr builds for 2.4 and 2.5
(15:09:19) ordex: you could change the commit and repush and retag
(15:09:24) ordex: not sure anybody has pulled yet
(15:09:28) ordex: but might be ugl
(15:09:29) ordex: y
(15:09:40) dazo: what about .11?
(15:09:50) mattock: rewriting history should be reserved for kings, emperors 
and bishops
(15:10:10) cron2: ordex: no, never
(15:10:24) ordex: cron2: I agree - but wanted to see if you could feel a little 
better :p
(15:10:25) cron2: dazo: the commit message for "the CVE patch" is... lacking
(15:10:36) dazo: As the emperor, I announce cron2 as a king :-P
(15:11:04) cron2: yeah, but rewriting *public* history needs lots of "burning 
books" and I'm not going to do that :-)
(15:11:09) ordex: we could/should come up with a wikipage about this security 
situation maybe? and there we could add links to the commits? this way the 
2.4.11 commit would somewhat be logically extended
(15:11:32) cron2: we have a wiki page and refer to it from Changes.rst
(15:11:33) cron2: 
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
(15:11:38) dazo: cron2: force-push of an amended commit message might be 
acceptable, if it's just the last commit needing changes  otherwise there 
is the 'git note', which is a bit annoying to push and fetch
(15:11:41) dazo: but!
(15:11:43) cron2: so that should now be maintained
(15:11:47) dazo: we could use tags here as well 
(15:12:09) cron2: dazo: well, it's the commit before that... and the release 
has a signed tag... nothing good will come out of this
(15:12:11) dazo: tag the release with cve/2020-  and a signed tag can 
have the appropriate message
(15:12:53) plaisthos: is this really a big deal?
(15:12:55) cron2: we've never used CVE IDs as tags, and it won't trivially work 
anyway as the CVE is fixed in 2.4, 2.5 and master (eventually)...
(15:13:10) dazo: oh, true
(15:13:18) cron2: plaisthos: it totally annoys *me*, but in the grand scheme, 
it's probably not that important
(15:13:21) ordex: honestly, I think we can live with this. I don't think it's a 
big deal
(15:13:29) mattock: my hope is that whatever we do does not require 2.4.12
(15:13:41) ordex: I presume 3 or 4 people in total will look at the release/2.4 
branch
(15:13:46) ordex: mattock: nope
(15:14:36) mattock: anyways, do we have the text for 
https://community.openvpn.net/openvpn/wiki/

[Openvpn-devel] OpenVPN 2.4.11 released

2021-04-21 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.11. 
It fixes two related security vulnerabilities (CVE-2020-15078) which 
under very specific circumstances allow tricking a server using delayed 
authentication (plugin or management) into returning a PUSH_REPLY before 
the AUTH_FAILED message, which can possibly be used to gather 
information about a VPN setup. This release also includes other bug 
fixes and improvements. Updated OpenSSL and OpenVPN GUI are included in 
Windows installers.


Source code and Windows installers can be downloaded from our download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-devel] OpenVPN 2.5.2 released

2021-04-21 Thread Samuli Seppänen

---

Linux packages are available from

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/>

Useful resources

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net/>
Easy RSA 3 HOWTO:
<https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-devel] Summary of the community meeting (7th April 2021)

2021-04-07 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 7th April 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, novaflash, ordex and plaisthos 
participated in this meeting.


--

Decided to postpone OpenVPN 2.5.2 and 2.4.11 releases to April 20th / 
21st due to Access Server-related challenges.


--

Decided not to release OpenVPN Windows installers before 2.5.2 and 
2.4.11 as the latest OpenSSL issues affect only Windows acting as an 
OpenVPN server and because there are ways to mitigate the issue while 
waiting for the new releases.


--

Noted that mattock will be able to start working on upgrading buildbots 
after 19th April once he's off the hook from ops work.


Also noted that MacOS buildslave is shown "offline". Mattock restarted 
the buildmaster as the slave had been restarted several times already.


--

Decided to reschedule the meetings to 14:00 CET/CEST. Everyone agreed 
that works better as it does not conflict with lunch time. It won't 
affect Americans as they're all asleep and generally not present in the 
meetings anyways.


--

Talked about removing OCC warnings completely. It was agreed that the 
feature is partially broken in modern client<->server setups. In p2p 
static key context it works better, but we're getting rid of that, so 
that point is moot. Did not decide anything on this topic, but noted 
that cleanups are needed before we can move forward with this.


--

Talked about LibreSSL support. We can perhaps drop support for older 
OpenBSDs if needed, but in general we want to avoid breaking LibreSSL 
support in OpenVPN.


---

Full chatlog attached
(12:26:22) cron2: I am here!
(12:26:30) cron2: EARLIER THAN NEEDED! HAH!
(12:27:49) mattock: hi
(12:30:17) cron2: we have no topic and no agenda...
(12:30:47) mattock: of course, turn of the month catches mattock by surprise 
every month :)
(12:30:54) mattock: let's make something up then
(12:31:19) cron2: damn cloudflare messing up my links again
(12:31:54) lev__: hello
(12:32:39) cron2: ah, call interferes
(12:32:41) cron2: 5 min
(12:32:44) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-04-07
(12:33:46) d12fk: hi and back in 3 -> coffee
(12:34:40) mattock: I have 26 minutes then I'll have to start multitasking due 
to a meeting
(12:37:35) cron2: let's go :)
(12:37:41) mattock: +1
(12:37:43) mattock: 2.5.2?
(12:38:32) dazo: so  yet another delay due to the Easter eggs ...
(12:38:48) cron2: I have updated the agenda page
(12:39:08) novaflash [b9e34...@185-227-75-241.dsl.cambrium.nl] has entered the 
room.
(12:39:23) cron2: AS has arm-twisted us into not releasing today, and I am very 
busy next week... so we compromised on a joint release in 2 weeks (April 20, 
April 21)
(12:39:36) cron2: we'll do a 2.5.2 and 2.4.11 release
(12:39:53) mattock: +1
(12:40:09) novaflash: so sorry about that :-)  but it's not good to do a 
release on a friday and that's what it would have amounted to. so thanks for 
agreeing to delay it.
(12:40:36) cron2: in corona times, all the days blur...
(12:40:57) d12fk: not if you have a wine cellar =)
(12:41:08) novaflash: with a wine cellar, EVERYTHING blurs
(12:41:11) cron2: the 2.5.2 release is actually all finished and in mattock's 
repo :-) - but will be overwritten when I push the next change to 2.5
(12:41:18) cron2: novaflash: I was about to say that
(12:41:37) novaflash: but yeah i would like to try to keep the weekend, well, 
the weekend
(12:41:47) cron2: but I have the 3+1 patches all ready, so for me it's not very 
much work to do
(12:41:48) plaisthos: With wine cellar I am surprised you are still alive 
during Covid
(12:41:53) novaflash: haha
(12:41:55) cron2: (unless plaisthos discovers new easter eggs)
(12:42:01) dazo: yeah, keeping releases to mon-wed is reasonable
(12:42:13) novaflash: oh is that what we're calling this vulnerability? the 
easter egg?
(12:42:34) dazo: it seems plaisthos and ordex were bored this easter :-P
(12:42:48) cron2: I think the last patch needed to fix all avenues is now 
called "the easter egg" because it came to novaflash as a surprise :)
(12:43:02) dazo: :-D
(12:43:20) dazo: So, anything else blocking the 2.5.2/2.4.11 releases?
(12:43:34) cron2: so - there remains the question whether "we" (*cough* 
mattock) wants to do a 2.5.1-I602 with updated OpenSSL interim...
(12:44:34) cron2: dazo: no blockers from my side.  My test infra needs a bit 
work to do a full server side test for 2.4 (because all the instances test 
"something of the new 2.5 stuff" nowadays, so 2.4 doesn't even start with these 
configs...)
(12:44:50) dazo: plaisthos: how critical would you classify the latest OpenSSL 
CVEs in OpenVPN context?
(12:45:07) plaisthos: c

[Openvpn-devel] Community meetings in April 2021

2021-04-07 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 14th April 2021 at 14:00 CET
- Wed 21st April 2021 at 14:00 CET
- Wed 28th April 2021 at 14:00 CET

Please note the change of time (11:30 -> 14:00).

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] Summary of the community meeting (31st March 2021)

2021-03-31 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net / Jitsi
Date: Wed 31st March 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock and plaisthos participated in this meeting.

---

Noted that plaisthos is about sixty patches ahead of "master" in 
Patchwork. He also has additional local patches that will be published 
later. Antonio has reviewed many of these which helps cron2 a lot as 
he's only able to review on weekends. Sending DCO patches makes little 
sense before plaisthos' work is merged.


--

Discussed the OpenVPN 2.5.2 release:

- Agreed to make the release next Wednesday (7th April 2021)
- It will also include the latest OpenSSL with security fixes

--

Talked about the OpenVPN security issue for which we have a CVE. Agreed 
that we may need to release 2.4.11 too as 2.4 is fully supported until 
May 2022.


--

Discussed the dco-win MSI installer. Noted that the current code 
originates from Wintun. As Wintun license is not compatible with OpenVPN 
Connect (proprietary) we should write our own MSI installer that could 
be shared between OpenVPN (community versions) and OpenVPN Connect 
(proprietary). The OpenVPN Connect team can probably build a replacement 
MSI installer in a way that is compatible on code and license level with 
community OpenVPN.


--

Discussed kicking out Wintun from OpenVPN 2.6. Noted that the new Wintun 
versions do not support the API we're currently using in OpenVPN's 
Wintun integration. So, if security issues are found in Wintun we would 
have to backport them to our old Wintun version. Also, the new driver is 
only available as a DLL and we prefer to build our dependencies 
ourselves. Also, because we have tap-windows6 (slower, but supports all 
use-cases) and dco-win (faster, but more limited use-cases) available, 
having a third driver makes little sense. One motive to keep Wintun is 
that dco-win will only work on Windows 10 20H1, so Windows Server is 
unable to use it yet.


--

Noted that the "remove LZ4 from openvpn-build" PR failed Travis tests:



Mattock will trigger a new build to see if that helps.

--

Agreed that Travis CI's new open source policies are unclear enough to 
force us to move to GitHub Actions. Mattock agreed to ask chipitsine if 
he wants to add GitHub actions support to our GitHub repos.


--

Lev will build an installer that includes Selva's patch that rips out 
OpenVPNServiceLegacy from openvpnserv.exe. The 2.5.x MSIs do not install 
OpenVPNServiceLegacy so no MSI changes are needed.


--

Played with the idea of using IPSec as the data channel for OpenVPN. On 
some high-end NICs this would allow reaching wire speeds.


---

This was a video meeting so there's no chat backlog.




[Openvpn-devel] Summary of the community meeting (24th March 2021)

2021-03-24 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 24th March 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, ordex and plaisthos participated in 
this meeting.


---

Noted that community.openvpn.in still does not support IPv6 (at 
Cloudflare). The main blocker seems to be .net and .com split, which is 
still work in progress.


---

Gave updates on OpenVPN 2.6. Cron2 is working his way through the open 
patch sets and ordex and plaisthos are reviewing and revising patches. On 
the OpenVPN Inc. side there's a clear focus on getting the OpenVPN 2.6 
patches in.


Lev is about to announce dco-win and provide a link to the OpenVPN 2 + 
openvpn-gui installer which has the driver bundled. The driver source will 
be published on OpenVPN's GitHub. On the OpenVPN 3 side the dco-win is 
still work in progress.


Mattock will test Lev's installer on Windows ARM64.

---

Noted that OpenVPN 2.5.2 release will need a bit more time.

---

Talked about building OpenVPN for/on Windows with MSVC. Agreed that 
going from our custom buildsystem (openvpn-build/msvc) to standard CMake 
located in the OpenVPN 2 repository is the right way forward. It seems 
necessary to build a vcpkg for libpkcs11-helper for this to work.


The CMake work would not replace autotools on non-Windows platforms. Nor 
would it replace cross-compiling using openvpn-build/generic.


---

Talked about deprecating --secret mode in 2.6 and removing in 2.7. 
Nobody was opposed. Plus peer-fingerprint should be almost as easy to set up.


---

Talked about "Containerized buildmaster and mattock's buildslaves". 
There's no progress, but mattock will officially leave the ops team on 
15th April 2021, so after that he can finally focus on that task.


---

Talked about "Bridged Windows 10 Causes Sporadic Crashes":



Hopefully we can get OpenVPN Inc. QA to replicate the environment and then 
get the data to reproduce the issue and fix it. Mattock has detailed 
information from the bug reporter (mpfrench) that can be used here.


---

Noted that FIPS support is now present in Git "master" branch. It can 
finally be removed from the meeting agendas.


---

Talked about the option of having video calls every now and then. Nobody 
was opposed to the idea. [Also agreed to have Jitsi call next week.]


---

Full chatlog attached
(12:26:32) ordex: 
(12:26:38) ordex: |o|
(12:26:42) ordex:  /o\
(12:29:22) mattock: howdy!
(12:29:41) lev__: hello
(12:29:45) cron2: hullo
(12:29:58) ordex: hi
(12:30:33) d12fk: hi
(12:31:01) mode (+o d12fk) by ChanServ
(12:32:18) cron2: so, is plaisthos already awake?
(12:32:33) cron2: ordex: what did you torture him with, yesterday night?
(12:33:00) ordex: some more v6-mapped v4 addresses. but he survived
(12:33:34) ordex: found out that the UDP tunnelling in the linux kernel does 
not work exactly as we have in userspace. but a patch was merged and since 5.12 
we will have the same behaviour
(12:33:42) ordex: I spare you the details, unless you care :)
(12:33:59) cron2: I care, but maybe not in the meeting time
(12:34:34) ordex: okok
(12:34:49) ordex: plaisthos: dazo: ?
(12:35:02) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-03-24
(12:36:40) cron2: mattock: can we spend the time to hear about ipv6 on 
community?
(12:37:01) mattock: sure, no news on that front
(12:37:16) ordex: that was a fast discussion
(12:37:27) ordex: I guess we are waiting for the .net vs .com split?
(12:37:56) cron2: can you (for some value of you) push this a bit?
(12:38:23) ordex: last time I did I was told there is a plan and we just have 
to wait for $things to happen
(12:38:27) ordex: lots of $things
(12:38:31) ordex: but can try again
(12:39:25) plaisthos: Yeah, awake
(12:39:49) cron2: ordex: thanks
(12:40:21) ordex: I threw some message to see what the plan is
(12:40:23) cron2: (I *did* mention that none of this makes any sense... but 
just feel the need to say it again)
(12:40:32) cron2: anyway... let's start
(12:40:44) ordex: cron2: I guess when tech needs hit business priorities 
nothing makes sense anymore
(12:40:45) ordex: :D
(12:40:49) cron2: 2.6 news...
(12:40:55) ordex: yeah
(12:41:19) cron2:  - I am working my way through the open patch sets (thanks to 
ordex for all the reviews, thanks to plaisthos for sending new versions quickly 
while the momentum is there)
(12:41:50) cron2: - found new "config not reset after SIGUSR1" bugs at it (now 
that I have a testbed... testing is *BAD* because you always find stuff you 
didn't want to hear about)
(12:41:56) ordex: internally (corp side) we are trying to dedicate more time on 
reviewing openvpn2 patches and I made this my high prio

Re: [Openvpn-devel] Visual Studio building for master/2.6 and LZ4

2021-03-23 Thread Samuli Seppänen

On 22/03/21 11:55, Gert Doering wrote:

Hi,

(I have changed the Subject: line to make clear that this is a bigger
topic now)

On Mon, Mar 22, 2021 at 11:51:46AM +0200, Lev Stipakov wrote:

For 2.6, I think we should drop openvpn-build for Windows (VS)
building and switch to vcpkg for dependencies (openssl, lz4 etc) and
cmake as a project file (also supported by VS).


I'm not opposed as this sounds more standard than what we have now 
(openvpn-build/msvc). We can still cross-compile using 
openvpn-build/generic if we wish.


This could potentially simplify the automated Windows MSI build process. 
Right now with Linux + Windows in the mix things are very confusing and 
fragile.



I have no opinion there whatsoever...  please send patches & trac
documentation :-)

gert




[Openvpn-devel] Summary of the community meeting (17th March 2021)

2021-03-17 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 17th March 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:


https://community.openvpn.net/openvpn/wiki/Topics-2021-03-17


Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, dazo, lev, mattock, ordex and plaisthos participated in this 
meeting.

---

Noted that OpenVPN 2.5.2 release has been postponed to next week.

---

Patch v2 to fix the "mbedTLS 2.25.0 crash bug / patch " is on the list, but 
review is still lacking.

---

Mattock mentioned that there is no progress on the buildslave refactoring due 
to lack of focus and time.

---

Agreed that we should try to let OpenVPN Inc. QA replicate the "Bridged Windows 
10 Causes Sporadic Crashes" issue:



Mattock will contact the person who reported this and QA will replicate the 
environment. Then the problem can be reproduced and fixed eventually.

---

Talked about the review culture. Everyone agreed that whitespace and formatting 
issues are important, but those should preferably be detected automatically before 
any human even looks at the patch. It is possible that we could do this with 
Patchwork and uncrustify, but that would require some effort. 

Agreed that as a first step we should move the code formatting instructions in 
the CONTRIBUTING file up.

---

Talked about the technical details regarding kicking out the embedded lz4 
library. Did not find a perfect solution yet. 

---

Full chatlog attached
(12:28:33) mattock: almost time
(12:30:29) cron2: I'll be a few minutes late for the meeting (still in a call)
(12:31:41) mattock: ok
(12:31:44) mattock: who else do we have here?
(12:32:22) ***d457k <-
(12:32:44) d457k: weird nick
(12:33:22) mattock: indeed :)
(12:34:25) d457k is now known as d12fk
(12:34:54) mode (+o d12fk) by ChanServ
(12:35:13) mattock: I pinged the guys on internal chat
(12:36:32) ***dazo is here
(12:36:40) lev__: hello
(12:36:46) mattock: hi!
(12:37:53) ***plaisthos is here
(12:38:52) dazo has set the topic to: Agenda 
https://community.openvpn.net/openvpn/wiki/Topics-2021-03-17
(12:39:27) lev__: Page Topics-2021-03-17 not found
(12:39:58) ***dazo is s tempted to update the topic url  once more, to 
include the ?__cf_chl_jschl_tk__={blob} part .
(12:40:28) dazo: https://community.openvpn.net/openvpn/wiki/Topics-2021-03-10 
... so probably catch-up from here then
(12:41:40) plaisthos: for 2 that is postponed
(12:41:46) mattock: let's see
(12:42:05) dazo: yeah, 2 is postponed one more week
(12:42:54) plaisthos: btw. our mail server is down
(12:42:57) plaisthos: :/
(12:43:17) lev__: Use Outlook web access :)
(12:43:34) dazo: Then living without e-mail is better
(12:43:50) dazo: OWA is webmail done in the 90s
(12:44:57) d12fk: are we waiting for cron2?
(12:45:02) mattock: yes I think so
(12:45:17) mattock: well, any news on "mbedTLS 2.25.0 crash bug / patch "?
(12:45:42) plaisthos: v2 is on the list
(12:45:47) plaisthos: no review yet
(12:46:38) mattock: ok
(12:46:55) mattock: so the question on "how to deal with it" has probably been 
resolved
(12:47:16) plaisthos: interestingly Mail.app still works
(12:47:17) mattock: regarding buildslaves - no progress, no point in me trying 
to 30 minutes here and 30 minutes there, needs focus
(12:47:22) plaisthos: probably uses the exchange interface
(12:47:49) plaisthos: but I am not looking into Mail.app+gpg
(12:48:42) dazo: :-D
(12:50:31) mattock: I have some updates on "Bridged Windows 10 Causes Sporadic 
Crashes" (https://community.openvpn.net/openvpn/ticket/1385)
(12:50:49) mattock: so, the person was willing to grant access to a Windows 
instance with this problem
(12:51:16) mattock: I recall lev almost volunteered to have a look at this
(12:52:04) cron2: ok, now I'm fully here
(12:52:25) mattock: welcome!
(12:52:46) lev__: I asked for a stack trace from the driver
(12:53:52) lev__: but I've never done bridging on windows
(12:54:22) mattock: lev: what if I connect you with the guy directly?
(12:54:45) mattock: he seemed reluctant to start meddling with stack traces, 
but maybe creating that would be quite easy
(12:54:49) cron2: it seems to be "a supported feature", but a) for some people 
it bluescreens, and b) for other people it stopped working with the last Win10 
update
(12:54:49) mattock: you could instruct him
(12:57:24) mattock: lev: I take silence as a "yes" :D
(12:57:32) lev__: well wait
(12:57:54) lev__: how much this case is important comparison to dco-win I am 
working on
(12:58:13) mattock: probably quite unimportant
(12:58:44) mattock: at least for most people, but might be really important for 
a small subset of users
(12:59:01) cron2: lev__: way less important
(12:59:18) lev__: maybe we should ask our QA to test bringing first
(12:59:26) dazo: Any b0rken feature is 

[Openvpn-devel] Summary of the community meeting (10th March 2021)

2021-03-10 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 10th March 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock, ordex and plaisthos participated in this meeting.

---

Plaisthos is working on the Windows side of DCO. The Linux part is 
waiting for the patch backlog to clear. Besides that the Linux part is 
ready except that some fringe cases might still not work and some 
cleanups would be in order.


Once plaisthos gets DCO integrated with the Access Server then OpenVPN 
Inc. QA will start testing it. This will also help on the 
community side.


---

Noted that FIPS support is now ready.

---

Agreed that Wednesday 17th March 2021 is a reasonable release date for 
OpenVPN 2.5.2. The CVE numbers are in the works and GPG signing key 
renewal has been completed. FreeBSD and Debian package maintainers have 
been given a heads up.


---

Noted that community.openvpn.in does not support IPv6.

---

Agreed that the fix to the mbedTLS 2.25.0 crashbug is reasonable. We'd 
like to get syzzer's approval, though.


---

Full chatlog attached
(12:29:25) mattock: hi
(12:30:17) cron2: ho!
(12:31:26) plaisthos: moin moin
(12:31:43) dazo: hey!
(12:32:29) cron2 has set the topic to: Agenda 
https://community.openvpn.net/openvpn/wiki/Topics-2021-03-10
(12:33:47) Pippin_ [~Pippin_@193.173.218.243] has entered the room.
(12:34:56) mattock: ok are we ready?
(12:35:16) cron2: ordex and lev__ are missing...
(12:35:30) ordex: here here
(12:35:31) ordex: sorry
(12:35:54) cron2: then let's start :-)
(12:36:22) notafile has left the room (quit: Quit: Bridge terminating on 
SIGTERM).
(12:36:47) mattock: yes
(12:36:52) mattock: sync up
(12:37:07) mattock: lev is on vacation btw
(12:37:09) dazo: lev__ is on holiday
(12:37:15) mattock: haha, I was faster
(12:37:18) mattock: :)
(12:37:21) dazo: :-P
(12:37:24) cron2: okay, so...
(12:37:27) cron2: 2.6/master
(12:37:42) cron2: I'm working my way through the "delayed auth" patchset, and 
might eventually get there :-)
(12:38:44) cron2: then, SRV, and possibly "OOM handling revisit"
(12:39:53) dazo: OOM?
(12:40:22) ordex: the M_FATAL on alloc failure ?
(12:40:25) cron2: when we hit out of memory, and memory is really short, it's 
possible that we hit OOM again on our way towards an "orderly cleanup"
(12:40:35) cron2: and then we start looping and filling syslogs
(12:40:59) cron2: https://community.openvpn.net/openvpn/ticket/1390
(12:41:27) dazo: thx!
(12:42:08) cron2: so any news from the DCO side?  or anything else related to 
2.6/master?
(12:42:34) ordex: plaisthos is working on the windows part now
(12:42:50) ordex: the linux part is kind of "on-hold" but I don't know what's 
required to get it "done"
(12:43:02) cron2: who is holding it?
(12:43:05) ordex: plaisthos is also worried that sending more patches to the ml 
will just not look good
(12:43:29) ordex: so he was hoping that our backlog could be cleaned up before 
sending the dco patches
(12:43:48) cron2: yeah, we need to get patchwork into a proper state again.  
There's the fingerprint patchset, and I think some sort of "cleanup/refactor" 
of TLS stuff
(12:44:13) cron2: volunteers on this one?  
https://patchwork.openvpn.net/project/openvpn2/list/?series=907
(12:44:15) vpnHelper: Title: OpenVPN 2 - Patchwork (at patchwork.openvpn.net)
(12:44:21) cron2: (that's the fingerprint stuff)
(12:44:35) ordex: for FIPS we are done, right ?
(12:44:44) plaisthos: cron2: I am fighting against windows overlapped i/o on 
the dco side
(12:44:45) cron2: it's a bit political ("do we want to go there?") and lots of 
"is the implementation sane"
(12:45:16) cron2: ordex: I think so, yes.  The "what to do with mbedTLS 
debugging?" is pending a decision and/or feedback from them
(12:45:25) plaisthos: For the linux parts there is basically more testing 
required and some more fringe features might be broken but otherwise it is kind 
of done
(12:45:37) cron2: very nice
(12:46:12) notafile [notafilema@gateway/shell/matrix.org/x-cnbxilqmymxgdwvb] has 
entered the room.
(12:46:16) plaisthos: it is still rough in some parts and might require some 
clean up but all the code is there
(12:46:20) dazo: I can also spin up some Fedora Copr builds on the openvpn-git 
repo, giving installable packages for daring users
(12:46:52) plaisthos: dazo: doesn't make sense yet
(12:47:02) plaisthos: either user can compile it themselves or they can't
(12:47:21) dazo: okay, more time for me to do other things in the mean time :-P
(12:47:28) plaisthos: and unless we also package ovpn-dco there is no sense in 
prebuilding just openvpn+dco
(12:48:20) cron2: has there been feedback from the "Linux Kernel" people?  or 
have you not submitted it yet?
(12:48:34)

[Openvpn-devel] Summary of the community meeting (3rd March 2021)

2021-03-03 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 3rd March 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, novaflash and ordex participated in this meeting.

---

Mattock is planning to automate agenda wiki page creation [and
invitation email sending] as he forgets to do that almost every month.

--

Noted that Access Server needs IPv6 support, but Python 3 port needs to
go in first.

--

Lev has finished IPv6 and TCP support for ovpn-dco-win. TCP is a bit slower
in comparison to UDP but still good enough. Server-side support is missing,
but that is not the primary goal anyways. Installer (MSI) support is
also missing.

The goal is to have both Linux and Windows DCO in 2.6.

--

Mattock reopened discussion with Microsoft (and Simon and Lev) about
Windows ARM64 support in OpenVPN 2.5 MSI installers. No progress yet on
that front. Agreed that Microsoft should put the effort to patch the
MSIs to work on ARM64. For now we have the legacy NSIS snapshot
installers for 2.5 which ARM64 people can use if they wish.

--

Mattock will start work on the buildbot upgrade and refactoring with
krzee soon. The test coverage will also be increased a lot [by adding
some internal OpenVPN Inc. test scenarios to the mix].

--

Agreed to try to release OpenVPN 2.5.2 next Wednesday (10th Mar). If we
fail to do that, we postpone the release by one week. This release will have
a security fix.

--

Noted that novaflash is training an OpenVPN Inc. support guy to answer
forum posts that are related to OpenVPN Inc. products. Novaflash is also
slowly moving product tickets from Trac to internal developers to solve.

---

Full chatlog attached
(12:32:32) lev__: guten tag
(12:32:45) novaflash: tag cloud
(12:33:34) novaflash: why is topic linking to wed 3rd feb meeting
(12:34:03) cron2_: our meeting organizer seems distracted...
(12:34:06) mattock: yellow
(12:34:31) mattock: I trust that somebody else remembers to change the topic 
here :D
(12:34:33) cron2_ has set the topic to: Agenda 
https://community.openvpn.net/openvpn/wiki/Topics-2021-03-03
(12:34:40) cron2_: (but that page is not yet existing...)
(12:34:42) mattock: and it worked!
(12:34:49) mattock: oh shit, the months go by
(12:34:54) dazo: hey!
(12:34:58) mattock: well, at least these meetings are 100% predictable now
(12:35:05) mattock: let me create that page now
(12:36:05) dazo: cron2_: did you see the link to the analogue terminal bell on 
#openvpn-devel?  could probably arrange that for you! :-D
(12:37:27) cron2_: dazo: yes, this what I'm referring to :)
(12:38:58) dazo: :)
(12:39:59) mattock: I think I'll look into the Trac API and see if I could 
create meeting pages from now to 2025 
(https://www.edgewall.org/docs/branches-1.2-stable/html/api/index.html)
(12:40:02) vpnHelper: Title: API Reference Trac branches-1.2-stable-r17480 
documentation (at www.edgewall.org)
(12:40:49) dazo: mattock: make something which writes the minutes automatically 
from our meeting discussions and creates real topics for the next meeting 
automatically ;-)
(12:40:52) novaflash: yes it would be excellent if you could just plan the next 
few years of topics for us, that would give us some insight in what needs to be 
developed next hehe
(12:41:06) ordex: do we have any topic for today? :D
(12:41:07) cron2_: novaflash: AS needs IPv6
(12:41:14) ordex: other than the usual suspect ?
(12:41:18) novaflash: yeah i agree cron2_
(12:41:18) cron2_: well, we wanted to reopen the topics from 2 weeks ago
(12:41:26) mattock: dazo: should I also write something that will have the 
meetings on our behalf?
(12:41:31) ***cron2_ goes copypaasta
(12:41:47) novaflash: we're getting to python3 first and then we'll look at ipv7
(12:41:50) novaflash: ipv6
(12:41:56) dazo: mattock: h ... lets call that version 2 ;-)
(12:41:58) novaflash: oops. man i'm in the future already.
(12:42:01) mattock: dazo: ok
(12:42:08) mattock: :)
(12:42:18) lev__: I have finished IPv6 and TCP support for ovpn-dco-win, now 
instrumenting driver with trace framework
(12:42:33) cron2_: so, topics
(12:42:42) cron2_: lev__: wohoo!
(12:43:15) lev__: TCP is a bit slower comparison to UDP but still good enough
(12:43:41) cron2_: so what is missing from dco-win?  this is client-only or 
client+server?
(12:43:58) lev__: server support is missing
(12:44:28) ordex: i think the idea is to get client-only out first, no lev? as 
window server is not really a high priority
(12:44:46) lev__: and installer (openvpn-build/msi) has to be changed to add 
new driver there
(12:45:02) ordex: cron2_: ideally it will be published along with some basic 
ovpn3 support, so that people can test it, instead of staring at it only
(12:45:09) cron2_: I just wanted to kno

[Openvpn-devel] Community meetings in March 2021

2021-03-03 Thread Samuli Seppänen
Hi,

Next community meetings have been scheduled to

- Wed 3rd March 2021 at 11:30 CET
- Wed 10th March 2021 at 11:30 CET
- Wed 17th March 2021 at 11:30 CET
- Wed 24th March 2021 at 11:30 CET
- Wed 31st March 2021 at 11:30 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli




[Openvpn-devel] Summary of the community meeting (24th February 2021)

2021-02-24 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 24th February 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock and plaisthos participated in this meeting.

---

Talked about OpenVPN 2.5.1 release. The release was tagged today
morning. Packages were being built during the meeting and the release
was pushed out after the meeting.

--

Plaisthos is planning on writing an email announcing the alpha version of
openvpn2+dco. It was noted that we need to pick up slack on "master/2.6"
stuff or merging these DCO bits will become extremely painful.

--

Lev is working on ovpn-dco-win stability - added missing locks, SAL
annotations, running under driver verifier / KMDF verifier etc. Right
now he's adding IPv6 support.

--

Decided to move the rest of the discussion topics to next week as cron2
needed to split early and mattock wanted to push out the 2.5.1 release.

---

Full chatlog attached


(12:30:04) cron2_: hah!
(12:30:05) cron2_: made it!
(12:31:19) d12fk: hiho
(12:31:56) ***plaisthos hides under a rock
(12:32:09) d12fk: you hide too loud
(12:32:29) cron2_: hiho d12fk :)
(12:35:25) lev__: hello
(12:35:25) dazo: hey!
(12:35:28) mattock: hi
(12:37:13) mattock: msi builds just finished
(12:37:16) cron2_: so.  I do not have very much time today.  My wife needs milk 
for her coffee... I will be pained otherwise... :-)
(12:37:18) mattock: so, topics for today?
(12:37:23) cron2_: 2.5.1 release!
(12:37:29) mattock: it is ongoing, end of story :D
(12:37:37) mattock: the less we babble here, the faster :D
(12:37:52) mattock: I'm about to push the windows msi packages for testing
(12:37:53) mattock: then testing
(12:37:54) cron2_: yeah.  For the others: 2.5.1 has been tagged and pushed this 
morning.
(12:37:56) mattock: then release notes etc.
(12:38:00) dazo: I'm running test builds of 2.5.1 for Fedora 34 now ... kicking 
of the Copr builds soon after that
(12:38:20) cron2_: cool.
(12:38:52) plaisthos: I will probably write a email announcing the alpha 
version of openvpn2+dco
(12:39:02) plaisthos: this week or early next week
(12:39:06) cron2_: cool!
(12:39:37) cron2_: we need to pick up slack on "master/2.6" stuff, otherwise 
merging these bits will be extremely painful
(12:39:41) plaisthos: draft for the announcement so far: 
https://github.com/schwabe/openvpn/blob/dco/Readme.dco.md
(12:40:18) plaisthos: relax, it is only 51 commits ahead of master ;)
(12:40:36) dazo: :-D
(12:40:46) cron2_: I'm worried about the SRV patch from themiron, which I 
assume to be conflict prone
(12:40:58) plaisthos: should be too bad
(12:41:05) plaisthos: I barely touch that part
(12:41:16) cron2_: "not" missing, I hope :-)
(12:41:29) dazo: "shouldn't be too bad" ... or ... "would be too bad"  ;-(
(12:41:30) dazo: ;-)
(12:41:34) mattock: fyi: 
https://build.openvpn.net/downloads/releases/OpenVPN-2.5.1-I601-amd64.msi
(12:41:37) mattock: I'll smoke-test that one
(12:41:43) cron2_: and I want to get rid of the heap of half-acked delayed-auth 
patches :-)
(12:42:21) plaisthos: yeah, there is also the patch that fixed a bug for jjk 
but I never heard back from him
(12:43:01) lev__: I was working on ovpn-dco-win stability - added missing 
locks, SAL annotations, running under driver verifier / KMDF verifier etc
(12:43:05) dazo: plaisthos: If you get the last outstanding bits of the 4 last 
delayed-auth patches updated, I can have a quick look at those
(12:43:08) lev__: now adding IPv6 support
(12:43:18) cron2_: the announcement sounds good.  I wonder about the "IPv6 
mapped IPv4 addresses", but this is maybe better discussed this afternoon, 
outside the meeting
(12:43:28) cron2_: lev__: cool
(12:43:55) plaisthos: cron2_: currently bug/limitation in ovpn-dco itself.
(12:44:51) cron2_: plaisthos: but what is the limitation?  "receiving an IPv4 
connection on an IPv6 socket, and passing the v4-mapped v6 socket to the 
kernel"?
(12:45:02) cron2_: or "inside"?
(12:45:30) cron2_: payload should never ever see v4-mapped addresses - they are 
illegal to be "put on the wire"
(12:45:46) plaisthos: cron2_: the first thing
(12:46:18) plaisthos: for inside the the tunnel that is something we leave to 
the linux kernel :)
(12:46:26) cron2_: okay.  These ugly code paths... - but as long as we have no 
dual-listen-sockets, we'll have to make this work
(12:46:51) cron2_: I would be totally OK with "we have no dual-stack sockets 
anymore", but that requires "dual listen sockets"
(12:46:52) plaisthos: Yeah multiple sockets might came later since I understand 
those code paths better now but one step at a time
(12:47:21) cron2_: whatever is the more sane path forward for dual-stacked 
servers
(12:47:35) plaisthos: the other strange multi ip option 

[Openvpn-devel] OpenVPN 2.5.1 released

2021-02-24 Thread Samuli Seppänen
mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-devel] Summary of the community meeting (17th February 2021)

2021-02-17 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 17th February 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, novaflash, ordex, plaisthos and Pippin
participated in this meeting.

---

Noted that mattock will containerize the to-be upgraded buildmaster and
his own buildslaves. This helps cut through the (generally) crappy OS
packaging that needs to be dealt with on real VMs. [OpenVPN connectivity
tests (t_client) could complicate this on Docker, though].

---

Talked about potentially becoming a Linux Foundation project. This would
give us a number of benefits:



However, this seems to be an "all or nothing" package. In our (OpenVPN Inc)
case trademarks is the big question. Other requirements look quite
reasonable.

This needs to be discussed in more detail later.

---

Agreed to release 2.5.1 next Tuesday (23rd Feb).

---

Noted that there is a new shared trac/forums account "openvpn_inc".
Novaflash will reassign tickets from "denys" (an old support guy) to
this new account which will be manned by four people.

---

Talked about the current layout on the community forums:



Agreed that it is confusing and that it should be improved. Completely
archiving the old forums is an option, but (important) articles would
need to be migrated and traffic redirected to the new URLs. So just
improving what we have would be easiest and safest. This needs to be
discussed in more detail later.

There are also plans to set up a GDPR plugin to the forums.

Also noted that PhpBB is behind three versions and should be upgraded.

---

Lev will take over the "Bridged Windows 10 Causes Sporadic Crashes" issue:



It would still be good to know if this is a tap driver bug, or general
windows fubar.

---

Lev has been working on Windows version of OpenVPN-DCO recently. It is
WDF and NetAdapterCx based so no more NDIS. Results are promising.

Lev and d12fk will start working together on getting the OpenVPN 3
reference client up-to-shape for this new DCO driver on Windows.

---

Plaisthos' Linux OpenVPN + DCO seems to be quite stable now. He is also
doing the openvpn2 side of things for ovpn-dco on Linux, including
server support.

---

Full chatlog attached

(13:03:09) mattock: hi
(13:04:11) mattock: cron2: you here already?
(13:04:13) cron2_: soon
(13:06:29) mattock: ok
(13:06:34) dazo: hey!
(13:07:28) cron2_: nearly there
(13:08:23) cron2_: so!
(13:09:13) cron2_: sorry for messing up your scheduling... the 11:30-12:30 time 
slot is very conflict prone if I get to do some actual work (as opposed to 
"sitting on IRC and ranting all day")
(13:09:33) cron2_: where's ordex and plaisthos and lev? :)
(13:09:54) mattock: hi!
(13:10:07) ordex: hi!
(13:10:50) lev__: guten tag
(13:10:51) novaflash [b9e34...@185-227-75-241.dsl.cambrium.nl] has entered the 
room.
(13:11:02) cron2_: oh, nice, lots of updates in the agenda page already :)
(13:11:20) cron2_: hi lev, novaflash
(13:11:25) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-02-17
(13:11:34) novaflash: i bring news
(13:11:49) mattock: tell them quickly
(13:11:52) mattock: we have 19 minutes
(13:11:55) novaflash: oh. it's in the meeting notes already. damnit.
(13:11:56) mattock: total :D
(13:12:03) novaflash: okay go go hurry hurry
(13:12:10) mattock: may I start with some quick updates
(13:13:05) cron2_: go
(13:13:07) mattock: "Containerized buildmaster and mattock's buildslaves": 
buildbot and the slaves are easiest to manage as containers, so that's my plan 
when going about upgrading them - this will not have any effect on any other 
buildslave providers
(13:13:18) mattock: cuts through the poor OS packaging
(13:13:47) mattock: then something I did not actually put on the topic list: I 
looked at Linux Foundation project support thingies (hinted by dazo)
(13:13:51) cron2_: won't help me much on non-linux, but as I only have one 
buildslave per VM, "the VM is the container".  So you just tell me what I want
(13:14:30) mattock: it seems like we could not in practice become a linux 
foundation project because of trademarks (we want to keep them), but otherwise 
there were no really major blockers
(13:15:02) mattock: that said, the Linux Foundation Project approach seems to 
be suited better for large projects with multiple (large) vendors co-operating 
on the same piece of software
(13:15:04) cron2_: what was the intention?  funding, or prestige?
(13:15:05) mattock: openstack or such
(13:15:17) mattock: just to research if we could  benefit from their programs
(13:15:19) cron2_: or manpower / project management?
(13:15:22)

[Openvpn-devel] Summary of the community meeting (10th February 2021)

2021-02-10 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 10th February 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

dazo, d12fk, gcox, lev, mattock, ordex and plaisthos participated in
this meeting.

---

Noted that plaisthos' "Pending authentication improvements" patchset:



Noted that some of them still need some (easy) fixes.

---

Talked about "Remove --no-replay" patch:



It had managed to slip through the cracks because we have not decided
whether to support "--cipher none" or not - a thing that affects the
implementation of the above patch.

---

Talked about "--cipher none" and whether we should remove it. When
plaisthos accidentally broke it lots of users complained. That's why we
can't remove it right now, but removing it is our long-term goal. For
example ovpn-dco will not support "--cipher none".

---

Noted that wiscii's buildslaves have issues connecting to the
buildmaster. Mattock will investigate.

---

Full chatlog attached
(12:29:53) lev__: guten tag
(12:30:30) plaisthos: moin
(12:31:16) d12fk: huhu
(12:31:41) ordex: oi oi
(12:31:59) mattock: hi!
(12:35:45) mattock: mkay let's start shall we?
(12:36:07) dazo: Hey!
(12:36:16) mattock: hi!
(12:36:23) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-02-10
(12:36:34) mattock: it looks like our topic list is fairly short
(12:36:44) mattock: but I'm sure there's some syncing up to do :)
(12:37:26) mattock: cron2 mentioned that he's bound in a meeting
(12:37:30) mattock: not sure if he'll make it
(12:37:56) dazo: "Checking your browser before accessing openvpn.net." ... 40+ 
sec now
(12:38:04) mattock: try reload
(12:38:13) d12fk: they know who to check thoroughly
(12:38:15) mattock: or maybe you're just too suspicious to let you in
(12:38:15) dazo: yeah
(12:38:48) dazo: $rant_about_cloudflare
(12:39:38) dazo: so, lets catch up on the patches from plaisthos  what is 
missing there?
(12:40:35) lev__: from 1-7 I've reviewed, 3 and 5
(12:40:47) lev__: (but it should be easy to fix)
(12:40:58) plaisthos: Yeah I need to resend some patches
(12:41:00) dazo: I did 8-11, was a few simple fixes there as well
(12:41:03) lev__: talking about "Pending authentication improvements" series
(12:42:52) dazo: plaisthos: btw, the if() statement I complained about, 
proposing a macro where you swapped to 2 bool vars  that was a very nice 
change; I liked that  much more readable
(12:43:40) plaisthos: yeah I didn't like the idea of a macro
(12:44:29) dazo: yeah, and it's a fair point on it hiding things  it's just 
the old openvpn habit stuck in me :-P
(12:48:06) dazo: anything else than this patch-set and the one ordex is looking 
at in the patch queue needing attention?
(12:49:54) ordex: plaisthos: did you resend 3/3 as one patch already?
(12:50:00) ordex: I haven't dug in the mailbox yet
(12:53:04) gcox: Maybe not "needs" attention, but 
https://patchwork.openvpn.net/patch/1297/ is a 6month old ack'ed patch that 
seems like it's held up pending a discussion + decision that hasn't happened.  
Not saying y'all need to do it right now, but it looks like low-hanging fruit.
(12:53:05) vpnHelper: Title: [Openvpn-devel] Remove --no-replay - Patchwork (at 
patchwork.openvpn.net)
(12:56:53) dazo: gcox: oh, good catch ... that might have fallen through our 
cracks
(12:58:03) plaisthos: ordex: no, not yet
(12:58:36) ordex: okyz
(12:58:47) plaisthos: for none cipher no-replay is still useful
(12:59:10) plaisthos: but maybe we don't enough about none cipher and can still 
commit it
(12:59:13) dazo: so the question is then ... are we ready to decide whether to 
remove --cipher none support?
(12:59:44) plaisthos: we are not ready to remove none
(12:59:52) plaisthos: I accidentally did that
(13:00:11) dazo: I can pull up that patch again (probably needs a rebase 
anyhow) ... but would like to know if we should make the --cipher none 
exception or not
(13:00:32) dazo: what happened when you removed --cipher none, plaisthos?
(13:00:44) plaisthos: a lot of users complained about it not working anymore
(13:00:53) dazo: h
(13:01:04) dazo: which users?  why can't they use GRE tunnels instead?
(13:01:16) ordex: because they may still like other openvpn features
(13:01:25) plaisthos: exactly that
(13:01:25) ordex: like the authentication method
(13:01:32) ordex: or other stuff
(13:01:36) plaisthos: unencrypted tunnel but from a dynamic IP
(13:01:39) plaisthos: like to your streambox
(13:01:42) plaisthos: or something like that
(13:02:25) ordex: I also believe that using openvpn with no encryption is 
kinda...weird, but apparently all the knobs we have managed to create

[Openvpn-devel] Summary of the community meeting (3rd Feb 2021)

2021-02-03 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 3rd February 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, ordex and plaisthos participated in
this meeting.

---

Noted that OpenVPN DCO ("Data Channel Offload") is progressing well. UDP
server works, including client disconnect. Client support is broken, but
once that is fixed an official announcement can be made. A lot of the
work still needs to be merged into "master", though.

On plaisthos' test system (Hyper-V with Ubuntu VMs) he was able to, with
iperf, get 550 Mbit for openvpn2 w/o DCO, 11 GBit/s raw, gre tunnel 4,5
GBit/s, 3,2 GBit/s with DCO+aes-gcm, 2,4 GBit/s for DCO+Chachapoly1305.

---

Discussed OpenVPN 2.5.1. Noted that there is client-side stuff (echo
msg, Windows fixes, and important auth-token improvements) already in.

On server-side there are server-side auth-token fixes, which should go
into 2.5 at some point. These are all "good and reasonable
improvements", but nothing truly critical.

It was agreed to make a decision about the 2.5.1 release schedule next week.

---

Discussed "possible DoS vector with non-successful auth for the same
client cert as for an existing session". This is related to the fact
that OpenVPN ties reauth TLS session to the original session only by
IP/port, so if a different cert comes in from the same IP+port, and 2.5
would "reauth fail, go away" while master does "reauth fail, unauth all
keys, you all go away"?

---

Full chatlog attached

(12:30:32) dazo: Meeting time?
(12:30:32) ***: Playback Complete.
(12:30:33) cron2_: yes
(12:30:35) mattock: yes
(12:31:08) mattock: who else is present?
(12:31:23) d12fk: here
(12:31:32) dazo has set the topic to: Agenda 
https://community.openvpn.net/openvpn/wiki/Topics-2021-02-03
(12:31:50) dazo: d12fk: cool!
(12:31:58) cron2_: \o/
(12:32:03) mattock: hi!
(12:32:30) dazo: I know plaisthos and lev__ are alive 
(12:32:52) dazo: (and I've pinged them)
(12:32:56) cron2_: ordex was complaining about doas yesterday, so yesterday he 
was alive, too :)
(12:33:41) dazo: hehehe
(12:33:57) becm [~b...@port-92-196-77-196.dynamic.as20676.net] has entered the 
room.
(12:33:58) dazo: he might have been up hacking ovpn-dco last night
(12:34:03) lev__: hi
(12:34:13) mattock: hi!
(12:34:14) plaisthos: hehe
(12:34:14) dazo: o/
(12:35:01) ordex: here here !
(12:35:06) ordex: sorry
(12:35:36) dazo: surfaced from a km long kernel stacktrace  .. :-P
(12:35:47) ordex: LOL
(12:35:58) ordex: those activities are secret !
(12:36:02) dazo: :-D
(12:36:05) dazo: sorry!
(12:37:05) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-02-03
(12:37:12) mattock: let's get on with it :D
(12:37:29) mattock: "Sync up on OpenVPN 2.5 and 2.6" first?
(12:37:44) ***plaisthos checks
(12:38:01) plaisthos: currently 54 commits ahead of master
(12:38:02) plaisthos: :P
(12:38:29) mattock: 2.6 I presume
(12:38:29) cron2_: working my way through those bits that are on the list 
already... (and I have some questions about 02/11 v2, will ask later)
(12:39:01) cron2_: 2.6 is sort of "what's happening in DCO land", since this is 
"the!" feature for 2.6, I think...
(12:39:17) cron2_: any exciting news you're willing to share?
(12:39:29) plaisthos: UDP server works
(12:39:34) ***ordex cheers
(12:39:45) cron2_: including client disconnect?
(12:39:49) plaisthos: yes
(12:39:50) ordex: yap
(12:39:51) cron2_: cool
(12:40:23) plaisthos: it is still work in progress and I want to fix client to 
work again before we publish it with an announcement on the mailing list
(12:40:39) cron2_: ah, so we have a server-only implementation now :)
(12:40:42) ordex: :D
(12:40:43) cron2_: something for a change
(12:40:57) ordex: I am working on the ovpn-dco support (APIs have changed since 
last release)
(12:41:07) ordex: so we can do ovpn3 to ovpn2-server soon :D
(12:41:17) plaisthos: but if you checkout the experimental branch of ovpn-dco 
and the dco branch of my repo you can get a working version
(12:41:41) cron2_: exciting news indeed!
(12:42:17) ordex: yap yap they are!
(12:43:36) cron2_: on my side, I am working my way through the (already-ACKed) 
patches on the list - sorting what belongs where, if I can add more testing, 
... - but progress has been slow.  Too many distractions ("MAMA I DO NOT 
UNDERSTAND THIS HOMEWORK QUESTION?")
(12:44:24) mattock: does not help focus for sure
(12:44:24) cron2_: gcox is keeping us busy with sample plugin improvements :-)  
(and they are sort of "small and one-shot" so they are much easier to "just 
merge and get out of the way" than bigger stuff)
(12:45:41) plaisthos: on my hyper-v ubuntu vms and using iperf I get 550 Mbit 
for openvpn2 w/o DCO, 11 GBit/s raw,

[Openvpn-devel] Community meetings in February 2021

2021-02-03 Thread Samuli Seppänen
Hi,

Next community meetings have been scheduled to

- Wed 3rd February 2021 at 11:30 CET
- Wed 10th February 2021 at 11:30 CET
- Wed 17th February 2021 at 11:30 CET
- Wed 24th February 2021 at 11:30 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli

NOTE: we decided not to have the European late-evening meetings on
Thursdays. They did not seem to serve their original purpose, which was
getting more people from the Americas to participate.

