[Openvpn-devel] Summary of the community meeting (21st April 2021)

2021-04-21 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 21st April 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, ordex and plaisthos participated in 
this meeting.


--

Noted that OpenVPN 2.5.2 and 2.4.11 are out and include important 
security fixes. Fixes to "master" and release/2.3 branch will follow soon.


Also wrote our security announcement for those releases:



--

Noted that Lev is working on the ovpn-dco MSI installer.

--

Discussed AWS MacOS instances in context of Buildbot. Noted that they're 
essentially dedicated Mac Minis and the minimum billing is one day. So, 
not really disposable virtual machines you could use for five minutes 
and get rid of. The daily price is around $25.


There is an internal OpenVPN Inc. ticket for providing a virtualized 
MacOS VM for use by the community. So we don't need the overpriced AWS 
Mac Minis for this.


--

Noted that mattock is 90% free from OpenVPN ops work now. [This means 
the Buildbot environment upgrade can start soon].


---

Full chatlog attached
(15:01:58) mattock: hi
(15:02:00) plaisthos: hey
(15:02:15) ordex: we stic to the chat?
(15:02:19) cron2: *burb*
(15:02:19) ordex: *stick
(15:02:50) ordex: *prot*
(15:03:18) mattock: chat is fine for me, easier to summarize :)
(15:04:10) ordex: kk
(15:04:15) mattock: I'll add the agenda page
(15:05:48) mattock: I stripped out pretty much everything: 
https://community.openvpn.net/openvpn/wiki/Topics-2021-04-21
(15:05:55) mattock: the previous meeting agenda was also a summary
(15:06:05) ordex: 2.5.2 is out - congrats!!!
(15:06:18) ordex: our palindrome release
(15:06:39) dazo: heh :)
(15:06:58) mattock: added back some stuff
(15:07:18) mattock: also known as "The Plaishos Release"
(15:07:49) dazo: Plaisthos Pandora Box Release
(15:08:12) mattock: "State machine release"
(15:08:12) dazo: but  so ... topics?
(15:08:15) plaisthos: why my release?
(15:08:20) mattock: 10 patches from you
(15:08:25) mattock: and your Pandora's box
(15:08:27) mattock: :)
(15:08:38) ordex: anything specific to discuss about 2.5 at the moment ?
(15:08:46) mattock: no
(15:08:50) ***cron2 is annoyed about 2.4.11
(15:08:58) ordex: cron2: because of the patch?
(15:09:01) cron2: yes
(15:09:11) dazo: I'm finalizing the Fedora, EPEL and Copr builds for 2.4 and 2.5
(15:09:19) ordex: you could change the commit and repush and retag
(15:09:24) ordex: not sure anybody has pulled yet
(15:09:28) ordex: but might be ugl
(15:09:29) ordex: y
(15:09:40) dazo: what about .11?
(15:09:50) mattock: rewriting history should be reserved for kings, emperors 
and bishops
(15:10:10) cron2: ordex: no, never
(15:10:24) ordex: cron2: I agree - but wanted to see if you could feel a little 
better :p
(15:10:25) cron2: dazo: the commit message for "the CVE patch" is... lacking
(15:10:36) dazo: As the emperor, I announce cron2 as a king :-P
(15:11:04) cron2: yeah, but rewriting *public* history needs lots of "burning 
books" and I'm not going to do that :-)
(15:11:09) ordex: we could/should come up with a wikipage about this security 
situation maybe? and there we could add links to the commits? this way the 
2.4.11 commit would somewhat be logically extended
(15:11:32) cron2: we have a wiki page and refer to it from Changes.rst
(15:11:33) cron2: 
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
(15:11:38) dazo: cron2: force-push of an amended commit message might be 
acceptable, if it's just the last commit needing changes  otherwise there 
is the 'git note', which is a bit annoying to push and fetch
(15:11:41) dazo: but!
(15:11:43) cron2: so that should now be maintained
(15:11:47) dazo: we could use tags here as well 
(15:12:09) cron2: dazo: well, it's the commit before that... and the release 
has a signed tag... nothing good will come out of this
(15:12:11) dazo: tag the release with cve/2020-  and a signed tag can 
have the appropriate message
(15:12:53) plaisthos: is this really a big deal?
(15:12:55) cron2: we've never used CVE IDs as tags, and it won't trivially work 
anyway as the CVE is fixed in 2.4, 2.5 and master (eventually)...
(15:13:10) dazo: oh, true
(15:13:18) cron2: plaisthos: it totally annoys *me*, but in the grand scheme, 
it's probably not that important
(15:13:21) ordex: honestly, I think we can live with this. I don't think it's a 
big deal
(15:13:29) mattock: my hope is that whatever we do does not require 2.4.12
(15:13:41) ordex: I presume 3 or 4 people in total will look at the release/2.4 
branch
(15:13:46) ordex: mattock: nope
(15:14:36) mattock: anyways, do we have the text for 

[Openvpn-devel] OpenVPN 2.4.11 released

2021-04-21 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.11. 
It fixes two related security vulnerabilities (CVE-2020-15078) which 
under very specific circumstances allow tricking a server using delayed 
authentication (plugin or management) into returning a PUSH_REPLY before 
the AUTH_FAILED message, which can possibly be used to gather 
information about a VPN setup. This release also includes other bug 
fixes and improvements. Updated OpenSSL and OpenVPN GUI are included in 
Windows installers.


Source code and Windows installers can be downloaded from our download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] OpenVPN 2.5.2 released

2021-04-21 Thread Samuli Seppänen

---

Linux packages are available from

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/>

Useful resources

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net/>
Easy RSA 3 HOWTO:
<https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-devel] Summary of the community meeting (7th April 2021)

2021-04-07 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 7th April 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, novaflash, ordex and plaisthos 
participated in this meeting.


--

Decided to postpone OpenVPN 2.5.2 and 2.4.11 releases to April 20th / 
21st due to Access Server-related challenges.


--

Decided not to release OpenVPN Windows installers before 2.5.2 and 
2.4.11 as the latest OpenSSL issues affect only Windows acting as an 
OpenVPN server and because there are ways to mitigate the issue while 
waiting for the new releases.


--

Noted that mattock will be able to start working on upgrading buildbots 
after 19th April once he's off the hook from ops work.


Also noted that MacOS buildslave is shown "offline". Mattock restarted 
the buildmaster as the slave had been restarted several times already.


--

Decided to reschedule the meetings to 14:00 CET/CEST. Everyone agreed 
that works better as it does not conflict with lunch time. It won't 
affect Americans as they're all asleep and generally not present in the 
meetings anyways.


--

Talked about removing OCC warnings completely. It was agreed that the 
feature is partially broken in modern client<->server setups. In p2p 
static key context it works better, but we're getting rid of that, so 
that point is moot. Did not decide anything on this topic, but noted 
that cleanups are needed before we can move forward with this.


--

Talked about LibreSSL support. We can perhaps drop support for older 
OpenBSDs if needed, but in general we want to avoid breaking LibreSSL 
support in OpenVPN.


---

Full chatlog attached
(12:26:22) cron2: I am here!
(12:26:30) cron2: EARLIER THAN NEEDED! HAH!
(12:27:49) mattock: hi
(12:30:17) cron2: we have no topic and no agenda...
(12:30:47) mattock: of course, turn of the month catches mattock by surprise 
every month :)
(12:30:54) mattock: let's make something up then
(12:31:19) cron2: damn cloudflare messing up my links again
(12:31:54) lev__: hello
(12:32:39) cron2: ah, call interferes
(12:32:41) cron2: 5 min
(12:32:44) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-04-07
(12:33:46) d12fk: hi and back in 3 -> coffee
(12:34:40) mattock: I have 26 minutes then I'll have to start multitasking due 
to a meeting
(12:37:35) cron2: let's go :)
(12:37:41) mattock: +1
(12:37:43) mattock: 2.5.2?
(12:38:32) dazo: so  yet another delay due to the Easter eggs ...
(12:38:48) cron2: I have updated the agenda page
(12:39:08) novaflash [b9e34...@185-227-75-241.dsl.cambrium.nl] è entrato nella 
stanza.
(12:39:23) cron2: AS has arm-twisted us into not releasing today, and I am very 
busy next week... so we compromised on a joint release in 2 weeks (April 20, 
April 21)
(12:39:36) cron2: we'll do a 2.5.2 and 2.4.11 release
(12:39:53) mattock: +1
(12:40:09) novaflash: so sorry about that :-)  but it's not good to do a 
release on a friday and that's what it would have amounted to. so thanks for 
agreeing to delay it.
(12:40:36) cron2: in corona times, all the days blur...
(12:40:57) d12fk: not if you have a wine cellar =)
(12:41:08) novaflash: with a wine cellar, EVERYTHING blurs
(12:41:11) cron2: the 2.5.2 release is actually all finished and in mattock's 
repo :-) - but will be overwritten when I push the next change to 2.5
(12:41:18) cron2: novaflash: I was about to say that
(12:41:37) novaflash: but yeah i would like to try to keep the weekend, well, 
the weekend
(12:41:47) cron2: but I have the 3+1 patches all ready, so for me it's not very 
much work to do
(12:41:48) plaisthos: With wine cellar I am surprised you are still alive 
during Covid
(12:41:53) novaflash: haha
(12:41:55) cron2: (unless plaisthos discovers new easter eggs)
(12:42:01) dazo: yeah, keeping releases to mon-wed is reasonable
(12:42:13) novaflash: oh is that what we're calling this vulnerability? the 
easter egg?
(12:42:34) dazo: it seems plaisthos and ordex was bored this easter :-P
(12:42:48) cron2: I think the last patch needed to fix all avenues is now 
called "the easter egg" because it came to novaflash as a surprise :)
(12:43:02) dazo: :-D
(12:43:20) dazo: So, anything else blocking the 2.5.2/2.4.11 releases?
(12:43:34) cron2: so - there remains the question whether "we" (*cough* 
mattock) wants to do a 2.5.1-I602 with updated OpenSSL interim...
(12:44:34) cron2: dazo: no blockers from my side.  My test infra needs a bit 
work to do a full server side test for 2.4 (because all the instances test 
"something of the new 2.5 stuff" nowadays, so 2.4 doesn't even start with these 
configs...)
(12:44:50) dazo: plaisthos: how critical would you classify the latest OpenSSL 
CVEs in OpenVPN context?
(12:45:07) plaisthos: 

[Openvpn-devel] Community meetings in April 2021

2021-04-07 Thread Samuli Seppänen

Hi,

Next community meetings have been scheduled to

- Wed 14th April 2021 at 14:00 CET
- Wed 21st April 2021 at 14:00 CET
- Wed 28th April 2021 at 14:00 CET

Please note the change of time (11:30 -> 14:00).

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli




[Openvpn-devel] Summary of the community meeting (31st March 2021)

2021-03-31 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net / Jitsi
Date: Wed 31st March 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock and plaisthos participated in this meeting.

---

Noted that plaisthos is about sixty patches ahead of "master" in 
Patchwork. He also has additional local patches that will be published 
later. Antonio has reviewed many of these which helps cron2 a lot as 
he's only able to review on weekends. Sending DCO patches makes little 
sense before plaisthos' work is merged.


--

Discussed the OpenVPN 2.5.2 release:

- Agreed to make the release next Wednesday (7th April 2021)
- It will also include the latest OpenSSL with security fixes

--

Talked about the OpenVPN security issue for which we have a CVE. Agreed 
that we may need to release 2.4.11 too as 2.4 is fully supported until 
May 2022.


--

Discussed the dco-win MSI installer. Noted that the current code 
originates from Wintun. As Wintun license is not compatible with OpenVPN 
Connect (proprietary) we should write our own MSI installer that could 
be shared between OpenVPN (community versions) and OpenVPN Connect 
(proprietary). The OpenVPN Connect team can probably build a replacement 
MSI installer in a way that is compatible on code and license level with 
community OpenVPN.


--

Discussed kicking out Wintun from OpenVPN 2.6. Noted that the new Wintun 
versions do not support the API we're currently using in OpenVPN's 
Wintun integration. So, if security issues are found in Wintun we would 
have to backport them to our old Wintun version. Also, the new driver is 
only available as a DLL and we prefer to build our dependencies 
ourselves. Also, because we have tap-windows6 (slower, but supports all 
use-cases) and dco-win (faster, but more limited use-cases) available, 
having a third driver makes little sense. One motive to keep Wintun is 
that dco-win will only work on Windows 10 20H1, so Windows Server is 
unable to use it yet.


--

Noted that the "remove LZ4 from openvpn-build" PR failed Travis tests:



Mattock will trigger a new build to see if that helps.

--

Agreed that Travis CI's new open source policies are unclear enough to 
force us to move to GitHub Actions. Mattock agreed to ask chipitsine if 
he wants to add GitHub actions support to our GitHub repos.


--

Lev will build an installer that includes Selva's patch that rips out 
OpenVPNServiceLegacy from openvpnserv.exe. The 2.5.x MSIs do not install 
OpenVPNServiceLegacy so no MSI changes are needed.


--

Played with the idea of using IPSec as the data channel for OpenVPN. On 
some high-end NICs this would allow reaching wire speeds.


---

This was a video meeting so there's no chat backlog.




[Openvpn-devel] Summary of the community meeting (24th March 2021)

2021-03-24 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 24th March 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, ordex and plaisthos participated in 
this meeting.


---

Noted that community.openvpn.in still does not support IPv6 (at 
Cloudflare). The main blocker seems to be .net and .com split, which is 
still work in progress.


---

Gave updates on OpenVPN 2.6. Cron2 is working his way through the open 
patch sets and ordex and plaisthos are reviewing and revising patches. On 
the OpenVPN Inc. side there's a clear focus on getting the OpenVPN 2.6 
patches in.


Lev is about to announce dco-win and provide link to OpenVPN 2 + 
openvpn-gui installer which has driver bundled. The driver source will 
be published on OpenVPN's GitHub. On the OpenVPN 3 side the dco-win is 
still work in progress.


Mattock will test Lev's installer on Windows ARM64.

---

Noted that OpenVPN 2.5.2 release will need a bit more time.

---

Talked about building OpenVPN for/on Windows with MSVC. Agreed that 
going from our custom buildsystem (openvpn-build/msvc) to standard CMake 
located in the OpenVPN 2 repository is the right way forward. It seems 
necessary to build a vcpkg for libpkcs11-helper for this to work.


The CMake work would not replace autotools on non-Windows platforms. Nor 
would it replace cross-compiling using openvpn-build/generic.


---

Talked about deprecating --secret mode in 2.6 and removing in 2.7. 
Nobody was opposed. Plus peer-fingerprint should be almost as easy to set up.


---

Talked about "Containerized buildmaster and mattock's buildslaves". 
There's no progress, but mattock will officially leave the ops team on 
15th April 2021, so after that he can finally focus on that task.


---

Talked about "Bridged Windows 10 Causes Sporadic Crashes":



Hopefully we can get OpenVPN Inc. QA to replicate the environment and then 
get the data to reproduce the issue and fix it. Mattock has detailed 
information from the bug reporter (mpfrench) that can be used here.


---

Noted that FIPS support is now present in Git "master" branch. It can 
finally be removed from the meeting agendas.


---

Talked about the option of having video calls every now and then. Nobody 
was opposed to the idea. [Also agreed to have Jitsi call next week.]


---

Full chatlog attached
(12:26:32) ordex: 
(12:26:38) ordex: |o|
(12:26:42) ordex:  /o\
(12:29:22) mattock: howdy!
(12:29:41) lev__: hello
(12:29:45) cron2: hullo
(12:29:58) ordex: hi
(12:30:33) d12fk: hi
(12:31:01) modalità (+o d12fk) da ChanServ
(12:32:18) cron2: so, is plaisthos already awake?
(12:32:33) cron2: ordex: what did you torture him with, yesterday night?
(12:33:00) ordex: some more v6-mapped v4 addresses. but he survived
(12:33:34) ordex: found out that the UDP tunnelling in the linux kernel does 
not work exactly as we have in userspace. but a patch was merged and since 5.12 
we will have the same behaviour
(12:33:42) ordex: I spare you the details, unless you care :)
(12:33:59) cron2: I care, but maybe not in the meeting time
(12:34:34) ordex: okok
(12:34:49) ordex: plaisthos: dazo: ?
(12:35:02) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-03-24
(12:36:40) cron2: mattock: can we spend the time to hear about ipv6 on 
community?
(12:37:01) mattock: sure, no news on that front
(12:37:16) ordex: that was a fast discussion
(12:37:27) ordex: I guess we are waiting for the .net vs .com split?
(12:37:56) cron2: can you (for some value of you) push this a bit?
(12:38:23) ordex: last time I did I was told there is a plan and we just have 
to wait for $things to happen
(12:38:27) ordex: lots of $things
(12:38:31) ordex: but can try again
(12:39:25) plaisthos: Yeah, awake
(12:39:49) cron2: ordex: thanks
(12:40:21) ordex: I threw some message to see what the plan is
(12:40:23) cron2: (I *did* mention that none of this makes any sense... but 
just feel the need to say it again)
(12:40:32) cron2: anyway... let's start
(12:40:44) ordex: cron2: I guess when tech needs hit business priorities 
nothing makes sense anymore
(12:40:45) ordex: :D
(12:40:49) cron2: 2.6 news...
(12:40:55) ordex: yeah
(12:41:19) cron2:  - I am working my way through the open patch sets (thanks to 
ordex for all the reviews, thanks to plaisthos for sending new versions quickly 
while the momentum is there)
(12:41:50) cron2: - found new "config not reset after SIGUSR1" bugs at it (now 
that I have a testbed... testing is *BAD* because you always find stuff you 
didn't want to hear about)
(12:41:56) ordex: internally (corp side) we are trying to dedicate more time on 
reviewing openvpn2 patches and I made this my high 

Re: [Openvpn-devel] Visual Studio building for master/2.6 and LZ4

2021-03-23 Thread Samuli Seppänen

On 22/03/21 11:55, Gert Doering wrote:

Hi,

(I have changed the Subject: line to make clear that this is a bigger
topic now)

On Mon, Mar 22, 2021 at 11:51:46AM +0200, Lev Stipakov wrote:

For 2.6, I think we should drop openvpn-build for Windows (VS)
building and switch to vcpkg for dependencies (openssl, lz4 etc) and
cmake as a project file (also supported by VS).


I'm not opposed as this sounds more standard than what we have now 
(openvpn-build/msvc). We can still cross-compile using 
openvpn-build/generic if we wish.


This could potentially simplify the automated Windows MSI build process. 
Right now with Linux + Windows in the mix things are very confusing and 
fragile.



I have no opinion there whatsoever...  please send patches & trac
documentation :-)

gert





[Openvpn-devel] Summary of the community meeting (17th March 2021)

2021-03-17 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 17th March 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:


https://community.openvpn.net/openvpn/wiki/Topics-2021-03-17


Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, dazo, lev, mattock, ordex and plaisthos participated in this 
meeting.

---

Noted that OpenVPN 2.5.2 release has been postponed to next week.

---

Patch v2 to fix the "mbedTLS 2.25.0 crash bug / patch " is on the list, but 
review is still lacking.

---

Mattock mentioned that there is no progress on the buildslave refactoring due 
to lack of focus and time.

---

Agreed that we should try to let OpenVPN Inc. QA replicate the "Bridged Windows 
10 Causes Sporadic Crashes" issue:



Mattock will contact the person who reported this and QA will replicate the 
environment. Then the problem can be reproduced and fixed eventually.

---

Talked about the review culture. Everyone agreed that whitespace and formatting 
issues are important, but those should preferably be detected automatically before 
any human even looks at the patch. It is possible that we could do this with 
Patchwork and uncrustify, but that would require some effort. 

Agreed that as a first step we should move the code formatting instructions in 
the CONTRIBUTING file up.

---

Talked about the technical details regarding kicking out the embedded lz4 
library. Did not find a perfect solution yet. 

---

Full chatlog attached
(12:28:33) mattock: almost time
(12:30:29) cron2: I'll be a few minutes late for the meeting (still in a call)
(12:31:41) mattock: ok
(12:31:44) mattock: who else do we have here?
(12:32:22) ***d457k <-
(12:32:44) d457k: weird nick
(12:33:22) mattock: indeed :)
(12:34:25) d457k è ora conosciuto come d12fk
(12:34:54) modalità (+o d12fk) da ChanServ
(12:35:13) mattock: I pinged the guys on internal chat
(12:36:32) ***dazo is here
(12:36:40) lev__: hello
(12:36:46) mattock: hi!
(12:37:53) ***plaisthos is here
(12:38:52) dazo ha scelto come argomento: Agenda 
https://community.openvpn.net/openvpn/wiki/Topics-2021-03-17
(12:39:27) lev__: Page Topics-2021-03-17 not found
(12:39:58) ***dazo is s tempted to update the topic url  once more, to 
include the ?__cf_chl_jschl_tk__={blob} part .
(12:40:28) dazo: https://community.openvpn.net/openvpn/wiki/Topics-2021-03-10 
... so probably catch-up from here then
(12:41:40) plaisthos: for 2 that is postponed
(12:41:46) mattock: let's see
(12:42:05) dazo: yeah, 2 is postponed one more week
(12:42:54) plaisthos: btw. our mail server is down
(12:42:57) plaisthos: :/
(12:43:17) lev__: Use Outlook web access :)
(12:43:34) dazo: Then living without e-mail is better
(12:43:50) dazo: OWA is webmail done in the 90s
(12:44:57) d12fk: are we waiting for cron2?
(12:45:02) mattock: yes I think so
(12:45:17) mattock: well, any news on "mbedTLS 2.25.0 crash bug / patch "?
(12:45:42) plaisthos: v2 is on the list
(12:45:47) plaisthos: no review yet
(12:46:38) mattock: ok
(12:46:55) mattock: so the question on "how to deal with it" has probably been 
resolved
(12:47:16) plaisthos: interestingly Mail.app still works
(12:47:17) mattock: regarding buildslaves - no progress, no point in me trying 
to 30 minutes here and 30 minutes there, needs focus
(12:47:22) plaisthos: probably uses the exchange interface
(12:47:49) plaisthos: but I am not looking into Mail.app+gpg
(12:48:42) dazo: :-D
(12:50:31) mattock: I have some updates on "Bridged Windows 10 Causes Sporadic 
Crashes" (https://community.openvpn.net/openvpn/ticket/1385)
(12:50:49) mattock: so, the person was willing to grant access to a Windows 
instance with this problem
(12:51:16) mattock: I recall lev almost volunteered to have a look at this
(12:52:04) cron2: ok, now I'm fully here
(12:52:25) mattock: welcome!
(12:52:46) lev__: I asked for a stack trace from the driver
(12:53:52) lev__: but I've never done bridging on windows
(12:54:22) mattock: lev: what if I connect you with the guy directly?
(12:54:45) mattock: he seemed reluctant to start meddling with stack traces, 
but maybe creating that would be quite easy
(12:54:49) cron2: it seems to be "a supported feature", but a) for some people 
it bluescreens, and b) for other people it stopped working with the last Win10 
update
(12:54:49) mattock: you could instruct him
(12:57:24) mattock: lev: I take silence as a "yes" :D
(12:57:32) lev__: well wait
(12:57:54) lev__: how much this case is important comparison to dco-win I am 
working on
(12:58:13) mattock: probably quite unimportant
(12:58:44) mattock: at least for most people, but might be really important for 
a small subset of users
(12:59:01) cron2: lev__: way less important
(12:59:18) lev__: maybe we should ask our QA to test bringing first
(12:59:26) dazo: Any b0rken feature is 

[Openvpn-devel] Summary of the community meeting (10th March 2021)

2021-03-10 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 10th March 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock, ordex and plaisthos participated in this meeting.

---

Plaisthos is working on the Windows side of DCO. The Linux part is 
waiting for the patch backlog to clear. Besides that the Linux part is 
ready except that some fringe cases might still not work and some 
cleanups would be in order.


Once plaisthos gets DCO integrated with the Access Server then OpenVPN 
Inc. QA will start testing it. This will also help on the 
community side.


---

Noted that FIPS support is now ready.

---

Agreed that Wednesday 17th March 2021 is a reasonable release date for 
OpenVPN 2.5.2. The CVE numbers are in the works and GPG signing key 
renewal has been completed. FreeBSD and Debian package maintainers have 
been given a heads up.


---

Noted that community.openvpn.in does not support IPv6.

---

Agreed that the fix to the mbedTLS 2.25.0 crashbug is reasonable. We'd 
like to get syzzer's approval, though.


---

Full chatlog attached
(12:29:25) mattock: hi
(12:30:17) cron2: ho!
(12:31:26) plaisthos: moin moin
(12:31:43) dazo: hey!
(12:32:29) cron2 ha scelto come argomento: Agenda 
https://community.openvpn.net/openvpn/wiki/Topics-2021-03-10
(12:33:47) Pippin_ [~Pippin_@193.173.218.243] è entrato nella stanza.
(12:34:56) mattock: ok are we ready?
(12:35:16) cron2: ordex and lev__ are missing...
(12:35:30) ordex: here here
(12:35:31) ordex: sorry
(12:35:54) cron2: then let's start :-)
(12:36:22) notafile ha abbandonato la stanza (quit: Quit: Bridge terminating on 
SIGTERM).
(12:36:47) mattock: yes
(12:36:52) mattock: sync up
(12:37:07) mattock: lev is on vacation btw
(12:37:09) dazo: lev__ is on holiday
(12:37:15) mattock: haha, I was faster
(12:37:18) mattock: :)
(12:37:21) dazo: :-P
(12:37:24) cron2: okay, so...
(12:37:27) cron2: 2.6/master
(12:37:42) cron2: I'm working my way through the "delayed auth" patchset, and 
might eventually get there :-)
(12:38:44) cron2: then, SRV, and possibly "OOM handling revisit"
(12:39:53) dazo: OOM?
(12:40:22) ordex: the M_FATAL on alloc failure ?
(12:40:25) cron2: when we hit out of memory, and memory is really short, it's 
possible that we hit OOM again on our way towards an "orderly cleanup"
(12:40:35) cron2: and then we start looping and filling syslogs
(12:40:59) cron2: https://community.openvpn.net/openvpn/ticket/1390
(12:41:27) dazo: thx!
(12:42:08) cron2: so any news from the DCO side?  or anything else related to 
2.6/master?
(12:42:34) ordex: plaisthos is working on the windows part now
(12:42:50) ordex: the linux part is kind of "on-hold" but I don't know what's 
required to get it "done"
(12:43:02) cron2: who is holding it?
(12:43:05) ordex: plaisthos is also worried that sending more patches to the ml 
will just not look good
(12:43:29) ordex: so he was hoping that our backlog could be cleaned up before 
sending the dco patches
(12:43:48) cron2: yeah, we need to get patchwork into a proper state again.  
There's the fingerprint patchset, and I think some sort of "cleanup/refactor" 
of TLS stuff
(12:44:13) cron2: volunteers on this one?  
https://patchwork.openvpn.net/project/openvpn2/list/?series=907
(12:44:15) vpnHelper: Title: OpenVPN 2 - Patchwork (at patchwork.openvpn.net)
(12:44:21) cron2: (that's the fingerprint stuff)
(12:44:35) ordex: for FIPS we are done, right ?
(12:44:44) plaisthos: cron2: I am fighting against windows overlapped i/o on 
the dco side
(12:44:45) cron2: it's a bit political ("do we want to go there?") and lots of 
"is the implementation sane"
(12:45:16) cron2: ordex: I think so, yes.  The "what to do with mbedTLS 
debugging?" is pending a decision and/or feedback from them
(12:45:25) plaisthos: For the linux parts there is basically more testing 
required and some more fringe features might be broken but otherwise it is kind 
of done
(12:45:37) cron2: very nice
(12:46:12) notafile [notafilema@gateway/shell/matrix.org/x-cnbxilqmymxgdwvb] è 
entrato nella stanza.
(12:46:16) plaisthos: it is still rough in some parts and might require some 
clean up but all the code is there
(12:46:20) dazo: I can also spin up some Fedora Copr builds on the openvpn-git 
repo, giving installable packages for daring users
(12:46:52) plaisthos: dazo: doesn't make sense yet
(12:47:02) plaisthos: either user can compile it themselves or they can't
(12:47:21) dazo: okay, more time for me to do other things in the mean time :-P
(12:47:28) plaisthos: and unless we also package ovpn-dco there is no sense in 
prebuilding just openvpn+dco
(12:48:20) cron2: has there been feedback from the "Linux Kernel" people?  or 
have you not submitted it yet?

[Openvpn-devel] Summary of the community meeting (3rd March 2021)

2021-03-03 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 3rd March 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, novaflash and ordex participated in this meeting.

---

Mattock is planning to automate agenda wiki page creation [and
invitation email sending] as he forgets to do that almost every month.

--

Noted that Access Server needs IPv6 support, but Python 3 port needs to
go in first.

--

Lev has finished IPv6 and TCP support for ovpn-dco-win. TCP is a bit slower
in comparison to UDP but still good enough. Server-side support is missing,
but that is not the primary goal anyways. Installer (MSI) support is
also missing.

The goal is to have both Linux and Windows DCO in 2.6.

--

Mattock reopened discussion with Microsoft (and Simon and Lev) about
Windows ARM64 support in OpenVPN 2.5 MSI installers. No progress yet on
that front. Agreed that Microsoft should put the effort to patch the
MSIs to work on ARM64. For now we have the legacy NSIS snapshot
installers for 2.5 which ARM64 people can use if they wish.

--

Mattock will start work on the buildbot upgrade and refactoring with
krzee soon. The test coverage will also be increased a lot [by adding
some internal OpenVPN Inc. test scenarios to the mix].

--

Agreed to try to release OpenVPN 2.5.2 next Wednesday (10th Mar). If we
fail to do that, we postpone the release by one week. This release will have
a security fix.

--

Noted that novaflash is training an OpenVPN Inc. support guy to answer
forum posts that are related to OpenVPN Inc. products. Novaflash is also
slowly moving product tickets from Trac to internal developers to solve.

---

Full chatlog attached
(12:32:32) lev__: guten tag
(12:32:45) novaflash: tag cloud
(12:33:34) novaflash: why is topic linking to wed 3rd feb meeting
(12:34:03) cron2_: our meeting organizer seems distracted...
(12:34:06) mattock: yellow
(12:34:31) mattock: I trust that somebody else remembers to change the topic 
here :D
(12:34:33) cron2_ ha scelto come argomento: Agenda 
https://community.openvpn.net/openvpn/wiki/Topics-2021-03-03
(12:34:40) cron2_: (but that page is not yet existing...)
(12:34:42) mattock: and it worked!
(12:34:49) mattock: oh shit, the months go by
(12:34:54) dazo: hey!
(12:34:58) mattock: well, at least these meetings are 100% predictable now
(12:35:05) mattock: let me create that page now
(12:36:05) dazo: cron2_: did you see the link to the analogue terminal bell on 
#openvpn-devel?  could probably arrange that for you! :-D
(12:37:27) cron2_: dazo: yes, this what I'm referring to :)
(12:38:58) dazo: :)
(12:39:59) mattock: I think I'll look into the Trac API and see if I could 
create meeting pages from now to 2025 
(https://www.edgewall.org/docs/branches-1.2-stable/html/api/index.html)
(12:40:02) vpnHelper: Title: API Reference Trac branches-1.2-stable-r17480 
documentation (at www.edgewall.org)
(12:40:49) dazo: mattock: make something which writes the minutes automatically 
from our meeting discussions and creates real topics for the next meeting 
automatically ;-)
(12:40:52) novaflash: yes it would be excellent if you could just plan the next 
few years of topics for us, that would give us some insight in what needs to be 
developed next hehe
(12:41:06) ordex: do we have any topic for today? :D
(12:41:07) cron2_: novaflash: AS needs IPv6
(12:41:14) ordex: other than the usual suspect ?
(12:41:18) novaflash: yeah i agree cron2_
(12:41:18) cron2_: well, we wanted to reopen the topics from 2 weeks ago
(12:41:26) mattock: dazo: should I also write something that will have the 
meetings on our behalf?
(12:41:31) ***cron2_ goes copypaasta
(12:41:47) novaflash: we're getting to python3 first and then we'll look at ipv7
(12:41:50) novaflash: ipv6
(12:41:56) dazo: mattock: h ... lets call that version 2 ;-)
(12:41:58) novaflash: oops. man i'm in the future already.
(12:42:01) mattock: dazo: ok
(12:42:08) mattock: :)
(12:42:18) lev__: I have finished IPv6 and TCP support for ovpn-dco-win, now 
instrumenting driver with trace framework
(12:42:33) cron2_: so, topics
(12:42:42) cron2_: lev__: wohoo!
(12:43:15) lev__: TCP is a bit slower in comparison to UDP but still good enough
(12:43:41) cron2_: so what is missing from dco-win?  this is client-only or 
client+server?
(12:43:58) lev__: server support is missing
(12:44:28) ordex: i think the idea is to get client-only out first, no lev? as 
window server is not really a high priority
(12:44:46) lev__: and installer (openvpn-build/msi) has to be changed to add 
new driver there
(12:45:02) ordex: cron2_: ideally it will be published along with some basic 
ovpn3 support, so that people can test it, instead of staring at it only
(12:45:09) cron2_: I just wanted to 

[Openvpn-devel] Community meetings in March 2021

2021-03-03 Thread Samuli Seppänen
Hi,

Next community meetings have been scheduled to

- Wed 3rd March 2021 at 11:30 CET
- Wed 10th March 2021 at 11:30 CET
- Wed 17th March 2021 at 11:30 CET
- Wed 24th March 2021 at 11:30 CET
- Wed 31st March 2021 at 11:30 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] Summary of the community meeting (24th February 2021)

2021-02-24 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 24th February 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock and plaisthos participated in this meeting.

---

Talked about OpenVPN 2.5.1 release. The release was tagged this
morning. Packages were being built during the meeting and the release
was pushed out after the meeting.

--

Plaisthos is planning on writing an email announcing the alpha version of
openvpn2+dco. It was noted that we need to pick up slack on "master/2.6"
stuff or merging these DCO bits will become extremely painful.

--

Lev is working on ovpn-dco-win stability - added missing locks, SAL
annotations, running under driver verifier / KMDF verifier etc. Right
now he's adding IPv6 support.

--

Decided to move the rest of the discussion topics to next week as cron2
needed to split early and mattock wanted to push out the 2.5.1 release.

---

Full chatlog attached


(12:30:04) cron2_: hah!
(12:30:05) cron2_: made it!
(12:31:19) d12fk: hiho
(12:31:56) ***plaisthos hides under a rock
(12:32:09) d12fk: you hide too loud
(12:32:29) cron2_: hiho d12fk :)
(12:35:25) lev__: hello
(12:35:25) dazo: hey!
(12:35:28) mattock: hi
(12:37:13) mattock: msi builds just finished
(12:37:16) cron2_: so.  I do not have very much time today.  My wife needs milk 
for her coffee... I will be pained otherwise... :-)
(12:37:18) mattock: so, topics for today?
(12:37:23) cron2_: 2.5.1 release!
(12:37:29) mattock: it is ongoing, end of story :D
(12:37:37) mattock: the less we babble here, the faster :D
(12:37:52) mattock: I'm about to push the windows msi packages for testing
(12:37:53) mattock: then testing
(12:37:54) cron2_: yeah.  For the others: 2.5.1 has been tagged and pushed this 
morning.
(12:37:56) mattock: then release notes etc.
(12:38:00) dazo: I'm running test builds of 2.5.1 for Fedora 34 now ... kicking 
off the Copr builds soon after that
(12:38:20) cron2_: cool.
(12:38:52) plaisthos: I will probably write a email announcing the alpha 
version of openvpn2+dco
(12:39:02) plaisthos: this week or early next week
(12:39:06) cron2_: cool!
(12:39:37) cron2_: we need to pick up slack on "master/2.6" stuff, otherwise 
merging these bits will be extremely painful
(12:39:41) plaisthos: draft for the announcement so far: 
https://github.com/schwabe/openvpn/blob/dco/Readme.dco.md
(12:40:18) plaisthos: relax, it is only 51 commits ahead of master ;)
(12:40:36) dazo: :-D
(12:40:46) cron2_: I'm worried about the SRV patch from themiron, which I 
assume to be conflict prone
(12:40:58) plaisthos: should be too bad
(12:41:05) plaisthos: I barely touch that part
(12:41:16) cron2_: "not" missing, I hope :-)
(12:41:29) dazo: "shouldn't be too bad" ... or ... "would be too bad"  ;-(
(12:41:30) dazo: ;-)
(12:41:34) mattock: fyi: 
https://build.openvpn.net/downloads/releases/OpenVPN-2.5.1-I601-amd64.msi
(12:41:37) mattock: I'll smoke-test that one
(12:41:43) cron2_: and I want to get rid of the heap of half-acked delayed-auth 
patches :-)
(12:42:21) plaisthos: yeah, there is also the patch that fixed a bug for jjk 
but I never heard back from him
(12:43:01) lev__: I was working on ovpn-dco-win stability - added missing 
locks, SAL annotations, running under driver verifier / KMDF verifier etc
(12:43:05) dazo: plaisthos: If you get the last outstanding bits of the 4 last 
delayed-auth patches updated, I can have a quick look at those
(12:43:08) lev__: now adding IPv6 support
(12:43:18) cron2_: the announcement sounds good.  I wonder about the "IPv6 
mapped IPv4 addresses", but this is maybe better discussed this afternoon, 
outside the meeting
(12:43:28) cron2_: lev__: cool
(12:43:55) plaisthos: cron2_: currently bug/limitation in ovpn-dco itself.
(12:44:51) cron2_: plaisthos: but what is the limitation?  "receiving an IPv4 
connection on an IPv6 socket, and passing the v4-mapped v6 socket to the 
kernel"?
(12:45:02) cron2_: or "inside"?
(12:45:30) cron2_: payload should never ever see v4-mapped addresses - they are 
illegal to be "put on the wire"
(12:45:46) plaisthos: cron2_: the first thing
(12:46:18) plaisthos: for inside the tunnel that is something we leave to 
the linux kernel :)
(12:46:26) cron2_: okay.  These ugly code paths... - but as long as we have no 
dual-listen-sockets, we'll have to make this work
(12:46:51) cron2_: I would be totally OK with "we have no dual-stack sockets 
anymore", but that requires "dual listen sockets"
(12:46:52) plaisthos: Yeah multiple sockets might come later since I understand 
those code paths better now but one step at a time
(12:47:21) cron2_: whatever is the more sane path forward for dual-stacked 
servers
(12:47:35) plaisthos: the other strange multi ip option 

[Openvpn-devel] OpenVPN 2.5.1 released

2021-02-24 Thread Samuli Seppänen
mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-devel] Summary of the community meeting (17th February 2021)

2021-02-17 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 17th February 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, novaflash, ordex, plaisthos and Pippin
participated in this meeting.

---

Noted that mattock will containerize the to-be upgraded buildmaster and
his own buildslaves. This helps cut through the (generally) crappy OS
packaging that needs to be dealt with on real VMs. [OpenVPN connectivity
tests (t_client) could complicate this on Docker, though].

---

Talked about potentially becoming a Linux Foundation project. This would
give us a number of benefits:



However, this seems to be an "all or nothing" package. In our (OpenVPN Inc)
case trademarks are the big question. Other requirements look quite
reasonable.

This needs to be discussed in more detail later.

---

Agreed to release 2.5.1 next Tuesday (23rd Feb).

---

Noted that there is a new shared trac/forums account "openvpn_inc".
Novaflash will reassign tickets from "denys" (an old support guy) to
this new account which will be manned by four people.

---

Talked about the current layout on the community forums:



Agreed that it is confusing and that it should be improved. Completely
archiving the old forums is an option, but (important) articles would
need to be migrated and traffic redirected to the new URLs. So just
improving what we have would be easiest and safest. This needs to be
discussed in more detail later.

There are also plans to set up a GDPR plugin for the forums.

Also noted that PhpBB is behind three versions and should be upgraded.

---

Lev will take over the "Bridged Windows 10 Causes Sporadic Crashes" issue:



It would still be good to know if this is a tap driver bug, or general
windows fubar.

---

Lev has been working on Windows version of OpenVPN-DCO recently. It is
WDF and NetAdapterCx based so no more NDIS. Results are promising.

Lev and d12fk will start working together on getting the OpenVPN 3
reference client up-to-shape for this new DCO driver on Windows.

---

Plaisthos' Linux OpenVPN + DCO seems to be quite stable now. He is also
doing the openvpn2 side of things for ovpn-dco on Linux, including
server support.

---

Full chatlog attached

(13:03:09) mattock: hi
(13:04:11) mattock: cron2: you here already?
(13:04:13) cron2_: soon
(13:06:29) mattock: ok
(13:06:34) dazo: hey!
(13:07:28) cron2_: nearly there
(13:08:23) cron2_: so!
(13:09:13) cron2_: sorry for messing up your scheduling... the 11:30-12:30 time 
slot is very conflict prone if I get to do some actual work (as opposed to 
"sitting on IRC and ranting all day")
(13:09:33) cron2_: where's ordex and plaisthos and lev? :)
(13:09:54) mattock: hi!
(13:10:07) ordex: hi!
(13:10:50) lev__: guten tag
(13:10:51) novaflash [b9e34...@185-227-75-241.dsl.cambrium.nl] è entrato nella 
stanza.
(13:11:02) cron2_: oh, nice, lots of updates in the agenda page already :)
(13:11:20) cron2_: hi lev, novaflash
(13:11:25) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-02-17
(13:11:34) novaflash: i bring news
(13:11:49) mattock: tell them quickly
(13:11:52) mattock: we have 19 minutes
(13:11:55) novaflash: oh. it's in the meeting notes already. damnit.
(13:11:56) mattock: total :D
(13:12:03) novaflash: okay go go hurry hurry
(13:12:10) mattock: may I start with some quick updates
(13:13:05) cron2_: go
(13:13:07) mattock: "Containerized buildmaster and mattock's buildslaves": 
buildbot and the slaves are easiest to manage as containers, so that's my plan 
when going about upgrading them - this will not have any effect on any other 
buildslave providers
(13:13:18) mattock: cuts through the poor OS packaging
(13:13:47) mattock: then something I did not actually put on the topic list: I 
looked at Linux Foundation project support thingies (hinted by dazo)
(13:13:51) cron2_: won't help me much on non-linux, but as I only have one 
buildslave per VM, "the VM is the container".  So you just tell me what I want
(13:14:30) mattock: it seems like we could not in practice become a linux 
foundation project because of trademarks (we want to keep them), but otherwise 
there were no really major blockers
(13:15:02) mattock: that said, the Linux Foundation Project approach seems to 
be suited better for large projects with multiple (large) vendors co-operating 
on the same piece of software
(13:15:04) cron2_: what was the intention?  funding, or prestige?
(13:15:05) mattock: openstack or such
(13:15:17) mattock: just to research if we could  benefit from their programs
(13:15:19) cron2_: or manpower / project management?

[Openvpn-devel] Summary of the community meeting (10th February 2021)

2021-02-10 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 10th February 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

dazo, d12fk, gcox, lev, mattock, ordex and plaisthos participated in
this meeting.

---

Noted that plaisthos' "Pending authentication improvements" patchset:



Noted that some of them still need some (easy) fixes.

---

Talked about "Remove --no-replay" patch:



It had managed to slip through the cracks because we have not decided
whether to support "--cipher none" or not - a thing that affects the
implementation of the above patch.

---

Talked about "--cipher none" and whether we should remove it. When
plaisthos accidentally broke it lots of users complained. That's why we
can't remove it right now, but removing it is our long-term goal. For
example ovpn-dco will not support "--cipher none".

---

Noted that wiscii's buildslaves have issues connecting to the
buildmaster. Mattock will investigate.

---

Full chatlog attached
(12:29:53) lev__: guten tag
(12:30:30) plaisthos: moin
(12:31:16) d12fk: huhu
(12:31:41) ordex: oi oi
(12:31:59) mattock: hi!
(12:35:45) mattock: mkay let's start shall we?
(12:36:07) dazo: Hey!
(12:36:16) mattock: hi!
(12:36:23) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-02-10
(12:36:34) mattock: it looks like our topic list is fairly short
(12:36:44) mattock: but I'm sure there's some syncing up to do :)
(12:37:26) mattock: cron2 mentioned that he's bound in a meeting
(12:37:30) mattock: not sure if he'll make it
(12:37:56) dazo: "Checking your browser before accessing openvpn.net." ... 40+ 
sec now
(12:38:04) mattock: try reload
(12:38:13) d12fk: they know who to check thoroughly
(12:38:15) mattock: or maybe you're just too suspicious to let you in
(12:38:15) dazo: yeah
(12:38:48) dazo: $rant_about_cloudflare
(12:39:38) dazo: so, lets catch up on the patches from plaisthos  what is 
missing there?
(12:40:35) lev__: from 1-7 I've reviewed, 3 and 5
(12:40:47) lev__: (but it should be easy to fix)
(12:40:58) plaisthos: Yeah I need to resend some patches
(12:41:00) dazo: I did 8-11, was a few simple fixes there as well
(12:41:03) lev__: talking about "Pending authentication improvements" series
(12:42:52) dazo: plaisthos: btw, the if() statement I complained about, 
proposing a macro where you swapped to 2 bool vars  that was a very nice 
change; I liked that  much more readable
(12:43:40) plaisthos: yeah I didn't like the idea of a macro
(12:44:29) dazo: yeah, and it's a fair point on it hiding things  it's just 
the old openvpn habit stuck in me :-P
(12:48:06) dazo: anything else than this patch-set and the one ordex is looking 
at in the patch queue needing attention?
(12:49:54) ordex: plaisthos: did you resend 3/3 as one patch already?
(12:50:00) ordex: I haven't dug in the mailbox yet
(12:53:04) gcox: Maybe not "needs" attention, but 
https://patchwork.openvpn.net/patch/1297/ is a 6month old ack'ed patch that 
seems like it's held up pending a discussion + decision that hasn't happened.  
Not saying y'all need to do it right now, but it looks like low-hanging fruit.
(12:53:05) vpnHelper: Title: [Openvpn-devel] Remove --no-replay - Patchwork (at 
patchwork.openvpn.net)
(12:56:53) dazo: gcox: oh, good catch ... that might have fallen through our 
cracks
(12:58:03) plaisthos: ordex: no, not yet
(12:58:36) ordex: okyz
(12:58:47) plaisthos: for none cipher no-replay is still useful
(12:59:10) plaisthos: but maybe we don't enough about none cipher and can still 
commit it
(12:59:13) dazo: so the question is then ... are we ready to decide whether to 
remove --cipher none support?
(12:59:44) plaisthos: we not ready to remove none
(12:59:52) plaisthos: I accidentally did that
(13:00:11) dazo: I can pull up that patch again (probably needs a rebase 
anyhow) ... but would like to know if we should make the --cipher none 
exception or not
(13:00:32) dazo: what happened when you removed --cipher none, plaisthos?
(13:00:44) plaisthos: a lot of users complained about it not working anymore
(13:00:53) dazo: h
(13:01:04) dazo: which users?  why can't they use GRE tunnels instead?
(13:01:16) ordex: because they may still like other openvpn features
(13:01:25) plaisthos: exactly that
(13:01:25) ordex: like the authentication method
(13:01:32) ordex: or other stuff
(13:01:36) plaisthos: unencrypted tunnel but from a dynamic IP
(13:01:39) plaisthos: like to your streambox
(13:01:42) plaisthos: or something like that
(13:02:25) ordex: I also believe that using openvpn with no encryption is 
kinda...weird, but apparently all the knobs we have managed to 

[Openvpn-devel] Summary of the community meeting (3rd Feb 2021)

2021-02-03 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 3rd February 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, lev, mattock, ordex and plaisthos participated in
this meeting.

---

Noted that OpenVPN DCO ("Data Channel Offload") is progressing well. UDP
server works, including client disconnect. Client support is broken, but
once that is fixed an official announcement can be made. A lot of the
work still needs to be merged into "master", though.

On plaisthos' test system (Hyper-V with Ubuntu VMs) he was able to, with
iperf, get 550 Mbit for openvpn2 w/o DCO, 11 GBit/s raw, gre tunnel 4,5
GBit/s, 3,2 GBit/s with DCO+aes-gcm, 2,4 GBit/s for DCO+Chachapoly1305.

---

Discussed OpenVPN 2.5.1. Noted that there is client-side stuff (echo
msg, windows fixes, and important auth-token improvements) already in.

On server-side there are server-side auth-token fixes, which should go
into 2.5 at some point. These are all "good and reasonable
improvements", but nothing truly critical.

It was agreed to make a decision about the 2.5.1 release schedule next week.

--

Discussed "possible DoS vector with non-successful auth for the same
client cert as for an existing session". This is related to the fact
that OpenVPN ties reauth TLS session to the original session only by
IP/port, so if a different cert comes in from the same IP+port, and 2.5
would "reauth fail, go away" while master does "reauth fail, unauth all
keys, you all go away"?

---

Full chatlog attached

(12:30:32) dazo: Meeting time?
(12:30:32) ***: Playback Complete.
(12:30:33) cron2_: yes
(12:30:35) mattock: yes
(12:31:08) mattock: who else is present?
(12:31:23) d12fk: here
(12:31:32) dazo ha scelto come argomento: Agenda 
https://community.openvpn.net/openvpn/wiki/Topics-2021-02-03
(12:31:50) dazo: d12fk: cool!
(12:31:58) cron2_: \o/
(12:32:03) mattock: hi!
(12:32:30) dazo: I know plaisthos and lev__ are alive 
(12:32:52) dazo: (and I've pinged them)
(12:32:56) cron2_: ordex was complaining about doas yesterday, so yesterday he 
was alive, too :)
(12:33:41) dazo: hehehe
(12:33:57) becm [~b...@port-92-196-77-196.dynamic.as20676.net] è entrato nella 
stanza.
(12:33:58) dazo: he might have been up hacking ovpn-dco last night
(12:34:03) lev__: hi
(12:34:13) mattock: hi!
(12:34:14) plaisthos: hehe
(12:34:14) dazo: o/
(12:35:01) ordex: here here !
(12:35:06) ordex: sorry
(12:35:36) dazo: surfaced from a km long kernel stacktrace  .. :-P
(12:35:47) ordex: LOL
(12:35:58) ordex: those activities are secret !
(12:36:02) dazo: :-D
(12:36:05) dazo: sorry!
(12:37:05) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-02-03
(12:37:12) mattock: let's get on with it :D
(12:37:29) mattock: "Sync up on OpenVPN 2.5 and 2.6" first?
(12:37:44) ***plaisthos checks
(12:38:01) plaisthos: currently 54 commits ahead of master
(12:38:02) plaisthos: :P
(12:38:29) mattock: 2.6 I presume
(12:38:29) cron2_: working my way through those bits that are on the list 
already... (and I have some questions about 02/11 v2, will ask later)
(12:39:01) cron2_: 2.6 is sort of "what's happening in DCO land", since this is 
"the!" feature for 2.6, I think...
(12:39:17) cron2_: any exciting news you're willing to share?
(12:39:29) plaisthos: UDP server works
(12:39:34) ***ordex cheers
(12:39:45) cron2_: including client disconnect?
(12:39:49) plaisthos: yes
(12:39:50) ordex: yap
(12:39:51) cron2_: cool
(12:40:23) plaisthos: it is still work in progress and I want to fix client to 
work again before we publish it with an announcement on the mailing list
(12:40:39) cron2_: ah, so we have a server-only implementation now :)
(12:40:42) ordex: :D
(12:40:43) cron2_: something for a change
(12:40:57) ordex: I am working on the ovpn-dco support (APIs have changed since 
last release)
(12:41:07) ordex: so we can do ovpn3 to ovpn2-server soon :D
(12:41:17) plaisthos: but if you checkout the experimental branch of ovpn-dco 
and the dco branch of my repo you can get a working version
(12:41:41) cron2_: exciting news indeed!
(12:42:17) ordex: yap yap they are!
(12:43:36) cron2_: on my side, I am working my way through the (already-ACKed) 
patches on the list - sorting what belongs where, if I can add more testing, 
... - but progress has been slow.  Too many distractions ("MAMA I DO NOT 
UNDERSTAND THIS HOMEWORK QUESTION?")
(12:44:24) mattock: does not help focus for sure
(12:44:24) cron2_: gcox is keeping us busy with sample plugin improvements :-)  
(and they are sort of "small and one-shot" so they are much easier to "just 
merge and get out of the way" than bigger stuff)
(12:45:41) plaisthos: on my hyper-v ubuntu vms and using iperf I get 550 Mbit 
for openvpn2 w/o DCO, 11 GBit/s 

[Openvpn-devel] Community meetings in February 2021

2021-02-03 Thread Samuli Seppänen
Hi,

Next community meetings have been scheduled to

- Wed 3rd February 2021 at 11:30 CET
- Wed 10th February 2021 at 11:30 CET
- Wed 17th February 2021 at 11:30 CET
- Wed 24th February 2021 at 11:30 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli

NOTE: we decided not to have the European late-evening meetings on
Thursdays. They did not seem to serve their original purpose, which was
getting more people from the Americas to participate.




[Openvpn-devel] Summary of the community meeting (27th January 2021)

2021-01-27 Thread Samuli Seppänen


Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 27th January 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, mattock, novaflash, ordex and plaisthos participated in this meeting.

---

Noted that the patch that rips away --inetd is on the list and will be
merged soon to "master". It will not be removed from 2.5 as --inetd
support is not actively broken.

---

Noted that some weeks ago FreeBSD and Pfsense were given green light to
use the OpenVPN DCO (Data Channel Offload) code. Nothing has happened on
that front apparently.

---

Noted that the current way of managing Changes.rst across different
branches is cumbersome. Agreed that it would be better to add the
changes to commit messages and add them to Changes.rst at release time.

---

Talked about upgrading Trac and Buildbot. These are among the first
things for mattock once he clears his [operations] backlog [and is able
to focus on community work].

---

Full chatlog attached


(12:31:21) mattock: hello
(12:31:23) cron2: good morning
(12:32:07) cron2 ha scelto come argomento: Agenda 
https://community.openvpn.net/openvpn/wiki/Topics-2021-01-27
(12:32:28) cron2: I have put a bit of stuff on the agenda :-)
(12:33:26) ***cron2 rings the bell
(12:34:15) ordex: aloha
(12:35:56) cron2: mattock, ordex: can you ring the internal corp bell, please?
(12:36:47) mattock: yes
(12:37:03) mattock: did so
(12:37:52) mattock: let's see if the rest of the good folks there wake up
(12:38:07) plaisthos: no I am still asleep
(12:38:11) ordex: :D
(12:38:12) ordex: good
(12:38:29) cron2: plaisthos: haha, I was just typing "plaisthos is busy 
updating sudo" :-)
(12:39:15) ordex: :D
(12:39:35) novaflash [b9e34...@185-227-75-241.dsl.cambrium.nl] è entrato nella 
stanza.
(12:39:52) cron2: hey novaflash :-) - long time no see
(12:40:10) novaflash: i know right! it's been so long my registration on 
nickserv expired and i lost my privileges. boohoo.
(12:40:41) mattock: oh wow
(12:40:45) ordex: :D
(12:40:48) novaflash: yeah didn't know that could happen
(12:40:51) ordex: is that even possible?
(12:40:52) ordex: yeah
(12:40:56) novaflash: apparently so!
(12:40:58) ordex: but you hadn't been offline for so long
(12:41:01) ordex: anyway
(12:41:01) mattock: in a flash he went, in a flash he returned
(12:41:18) ordex: we don't wanna know where, though
(12:41:20) ordex: so topic #1 ?
(12:41:36) mattock: let's start with something, and #1 is always a good first 
guess
(12:41:47) ordex: yap
(12:41:49) mattock: "Sync up on OpenVPN 2.5 and 2.6"
(12:42:03) ordex: does it mean "master and release/2.5"?
(12:43:09) cron2: yes
(12:43:26) cron2: and "can we keep the 2.6 release date dazo has asked for" :-)
(12:43:26) ordex: what are we exactly missing?
(12:43:40) cron2: for 2.6? dco :-)
(12:44:00) ordex: no, I mean, about the sync up
(12:44:12) ordex: ah, it's all about us syncing up
(12:44:13) ***plaisthos looks at his tree, 50 commits ahead of openvpn/master
(12:44:14) ***ordex hides
(12:44:28) ordex: corp has allocated one day to do more patch review
(12:44:30) ordex: like last week
(12:44:36) cron2: well, the intention of #1 is "find out who is working on 
what, what are timelines, what is noteable to report"
(12:44:41) ordex: ideally we will find ways to reject all plaisthos' patches
(12:45:15) ordex: it's happening this friday
(12:45:19) cron2: nah, ideally you all do code that is so great that plaisthos 
never has to refactor it :-))
(12:45:26) ordex: so hopefully more progress on plaisthos' patches will happen 
then
(12:45:32) ordex: :-)
(12:45:33) cron2: that is great
(12:45:51) cron2: I'm happy to merge, but on some features I do not have a use 
case = no test bed = hard to test
(12:46:20) ordex: yap
(12:46:28) cron2: how's DCO coming along?
(12:46:30) ordex: at the same time plaisthos is making progress with dco support
(12:46:44) cron2: cool
(12:46:58) cron2: and kernel side? any feedback from "the linux community"?
(12:47:24) plaisthos: heard anything about from the FreeBSD guys?
(12:47:29) cron2: not me
(12:47:51) cron2: but I'll send a mail and ask
(12:48:42) cron2: so where's dazo hiding?
(12:49:13) plaisthos: maintaining kids since the kid maintaining factory 
(kindergarten) has closed in .no
(12:49:18) plaisthos: I guess
(12:50:28) mattock: here that factory is still producing childcare services
(12:50:31) cron2: yeah, tell me about the juggling of laptops & rooms to get 3 
concurrent teams / zoom meeting sorted out
(12:50:33) mattock: which is very good
(12:52:45) cron2: anyway. I think #1 is covered on status and updates - #2, #3 
are quick updates with your chance to shout "NO!! I WANT THIS!" now
(12:52:50) cron2: #2 -> --inetd
(12:53:15) cron2: we think this is really not used 

[Openvpn-devel] Summary of the community meeting (20th January 2021)

2021-01-20 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 20th January 2021
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, ordex and plaisthos participated in this meeting.

---

Closed down the remaining HackerOne reports and set the awards.
Requested HackerOne to close down our project.

--

Noted that enabling IPv6 on the openvpn.net domain in CloudFlare is
progressing slowly. Some of the critical services that OpenVPN Inc. ops
were worried about have already moved to .com.

---

Full chatlog attached




[Openvpn-devel] Community meetings in January 2021

2021-01-19 Thread Samuli Seppänen
Hi,

Next community meetings have been scheduled to

- Wed 20th January 2021 at 11:30 CET
- Wed 27th January 2021 at 11:30 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli

NOTE: we decided not to have the European late-evening meetings on
Thursdays. They did not seem to serve their original purpose, which was
getting more people from the Americas to participate.




[Openvpn-devel] Summary of the community meeting (17th Dec 2020)

2020-12-17 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 17th December 2020
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

becm, cron2, dazo, lev, mattock, plaisthos and Pippin participated in
this meeting.

---

We have received some bug reports and patches related to OpenVPN 2.5.
Some of them are minor, some are "strange corner cases", a few are "the
default is no longer iproute2, so my --iproute $script setup fails" and
"and all my systemd unit files look different". The
windows-register-dns-crash looks bad, but it only happens if you're not
using the iservice.

So nothing major or urgent has surfaced yet.

---

Noted that OpenVPN 2.4.10 release has been solid. Nothing to report.

---

For 2.6/master we have quite a few patches from plaisthos in patchwork
(#1549/1550, #1545/1544/1546). We also have the "pending authentication
improvements" patchset:



These would need review from someone who understands crypto.

---

Noted that it would be good to have community download numbers viewable
by community members. Mattock will relocate the page and see if the
metrics could be exposed publicly.

---

Talked about openvpn3-linux client. While it would be possible to port
it to FreeBSD most of those are servers, and openvpn3-linux really
targets the client (GUI) experience. So, the network-manager
improvements that are being worked on will make more people happy than a
FreeBSD port.

---

Cron2 announced a bounty of a "few pounds of chocolate" for having a
working NM OpenVPN client with tokens that survive suspend/resume and
network changes.

---

Planned the 2.5.1 release. There are a few bugfixes wrt auth-token and
TLS session handling that need to go into 2.5.

A release in mid-January seems reasonable.

---

Talked about migrating to the new Wintun API. That is perfect material
for OpenVPN 2.6. If we're not forced by, say, a Wintun 0.8 security
issue, we should keep OpenVPN 2.5 at Wintun 0.8 to ensure stability.

That said, Lev will check if we could use WinTun 0.10 in OpenVPN 2.5
without changing the API.

---

Talked about officially deprecating OpenVPNServiceLegacy. We dropped it
silently in OpenVPN 2.5 and then somebody noticed:



There is no reason (as far as we know) for using OpenVPNServiceLegacy in
this day and age. However, we should clearly document that it is gone
and will never come back. This documentation effort would include

- The Windows README that gets installed by the MSI
- Changes.rst
- Some articles in Trac

These should be done by OpenVPN 2.5.1 release time.

---

Noted that OpenVPN Connect tickets in Trac have been assigned to "yuriy"
but there has not been any visible movement there. Somebody will poke
him internally and ask what's up. In the worst case we can automatically
close OpenVPN Connect tickets with a message like "Open tickets for
OpenVPNConnect here: $URL".

---

Talked about OpenVPN exploding with "unknown option" if it encounters
an option in the configuration file that is not supported by the
platform (Windows, Linux, etc). We need to think about how to solve this
nicely.

---

Noted that

https://community.openvpn.net/openvpn/ticket/1345

requires a test installer. Potentially one of the NSIS-based 2.6
installers could be used:



If not, lev or mattock can do a custom build.

We don't yet have MSI snapshot automation.

---

Next meeting is scheduled for January 6th 2021 (Wed) at the usual time.

---

Happy Holidays everyone!

--

Full chatlog attached


(20:59:28) mattock: hi
(20:59:36) cron2: ho!
(20:59:37) mattock: not me
(21:00:15) dazo: Blame me!
(21:00:28) cron2: !blame
(21:00:43) cron2: (this certainly needs updating, over in the other channel)
(21:02:51) dazo: hehe
(21:04:22) cron2: are lev__ and ordex somewhere around?
(21:04:30) cron2: plaisthos already said he couldn't make it
(21:05:43) mattock: internal meeting ended, now I'm really here
(21:06:10) cron2: I've used the time to add stuff to the agenda :)
(21:06:28) mattock: shall we start?
(21:06:29) dazo: I'll ping them
(21:07:40) plaisthos: i am semi around actually
(21:08:15) dazo: Nice! I've pinged lev__ and ordex in our internal chat and 
privately  warning them cron2 is looking for them :-P
(21:08:32) cron2: with every minute they are late, I will assign a trac ticket!
(21:08:59) mattock: you're making them an offer they can't refuse, basically :D
(21:09:08) cron2: which is actually somewhat starting the "updates on 2.5" 
section :-)
(21:09:46) dazo: hahaha
(21:10:07) cron2: so, people *are* using this, and we are receiving bug reports 
(and patches!).  Some 

Re: [Openvpn-devel] Community meetings in December 2020

2020-12-15 Thread Samuli Seppänen
On 11/12/20 01:48, tincanteksup wrote:
> Please discuss and resolve the fate of the OpenVPN-Legacy-Service for
> Windows.
> 
> Ref: https://community.openvpn.net/openvpn/ticket/1344
> 
> Official status of deprecation/removal requested.
> 
> 
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Added to the agenda for Thursday:

https://community.openvpn.net/openvpn/wiki/Topics-2020-12-17




[Openvpn-devel] Summary of the community meeting (9th December 2020)

2020-12-09 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 9th December 2020
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock, ordex and plaisthos participated in
this meeting.

---

Noted that plaisthos has implemented AES-CCM.

---

Cron2 had tagged 2.4.10 before the meeting. It was released later the
same day.

---

Discussed the data-channel offload module (DCO) in context of OpenVPN
2.5. The current ovpn-dco only works with p2p but the current p2p model
is not easily extendable to p2mp. Therefore plaisthos and ordex agreed
that they will switch to a newer model in ovpn-dco that will also
support p2mp before they continue with DCO and 2.5.

---

Discussed the OpenSSL bug fixed in OpenSSL 1.1.1i (CVE-2020-1971):



There seemed to be agreement that this does not really affect OpenVPN.
Basically somebody would have to be able to place a messed-up CRL on
your OpenVPN server, in which case you have bigger problems than a
vulnerable OpenSSL version. OpenVPN also does not download CRLs
dynamically, which reduces the impact.

Moreover, this problem is only a problem with OpenVPN running as server
on Windows. It is also possible, even if not very convenient, to replace
the OpenSSL library inside the OpenVPN installation directory
(C:\Program Files\OpenVPN) to patch this vulnerability.

Due to the above, the consensus (for the most part) was that we can wait
until 2.5.1 that is due in a few weeks before fixing this. If needed, we
can backpedal and do a separate OpenVPN 2.5.0 Windows installer release
before 2.5.1.

OpenVPN 2.4.10 has now been released - it has the fixed OpenSSL version
(1.1.1i).

---

Full chatlog attached

(12:28:52) ordex: hi
(12:31:35) plaisthos: moin
(12:32:59) dazo: Hey!
(12:33:29) cron2: I am sort of here
(12:33:38) cron2: have the window open but focus is elsewhere sorry
(12:33:50) dazo: "sort of" is still better than not at all :)
(12:36:03) cron2: seems mattock got lost in the 2.4.10 windows build fight
(12:36:12) dazo: yeah ...
(12:36:17) dazo has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2020-12-09
(12:42:28) cron2: internal chat?
(12:42:39) dazo: trying
(12:43:51) plaisthos: So I implemented AES-CCM :P
(12:46:44) cron2: that sounds like a 2.6 update :-)
(12:46:50) cron2: any news on dco? 2.5?
(12:47:02) plaisthos: But on a more serious note, I am considering introducing 
XOR-ing our packet id with a shared secret
(12:47:13) cron2: on the 2.4 front - I have tagged and pushed 2.4.10 this 
morning, and mattock is working on release building
(12:47:48) plaisthos: so an observer doesn't know how many packets have already 
been sent by looking at a single packet
(12:48:23) plaisthos: and also avoids a purely theoretical precomputation 
attack ;)
(12:49:31) dazo: cron2: nice!  I'll kick off the Fedora/EPEL builds once the 
tarball + sigs are in place
(12:49:51) plaisthos: I think I will look into the client with --bind bug next
(12:50:34) dazo: what's that bug?
(12:51:56) dazo: cron2: DCO ... I'm about to push out an updated openvpn3-linux 
client ... with TCP and IPv6 transport support implemented, just waiting for 
some regression testing to complete ... ordex might have more details on what 
else on his roadmap now :)
(12:52:20) plaisthos: new client connection reuses old context on the server 
and since we don't run the new connect logic we don't generate a key since the 
ncp code assumes that key_id==0 is always a new session
(12:52:32) dazo: ahh
(12:52:53) mattock: damn
(12:52:59) mattock: meeting slipped my mind completely
(12:53:20) ordex: *boom*
(12:53:27) mattock: anyhow, I will start the release machinery now, a surprise 
lunch interrupted that one
(12:54:07) ordex: not a bad surprise
(12:54:31) cron2: plaisthos: sounds good
(12:55:11) plaisthos: For DCO and 2.5, the current ovpn-dco only works with p2p 
but the current p2p model is not easily extendable to p2mp
(12:55:50) plaisthos: So ordex and I agree that we switch to a newer model in 
ovpn-dco that will also support p2mp before I continue with dco and 2.5
(12:56:02) ordex: things are undergoing big changes on the kernel side, to 
accommodate p2mp
(12:56:07) ordex: yap
(12:56:11) ordex: that's where I am right now
(12:56:20) ordex: (which also simplifies the code, in a sense)
(12:56:29) cron2: good to know
(12:56:46) cron2: plaisthos: have you shared your repo with bz?
(12:56:53) cron2: (the RFC repo)
(12:57:07) plaisthos: I sent an invite
(12:58:29) plaisthos: https://bfy.tw/Psjf
(12:58:30) vpnHelper: Title: LMGTFY (at bfy.tw)
(12:58:33) plaisthos: https://bfy.tw/Psjf
(12:58:35) plaisthos: https://bfy.tw/Psjf
(12:58:37) plaisthos: https://bfy.tw/Psjf

[Openvpn-devel] OpenVPN 2.4.10 released

2020-12-09 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.10
which is primarily a maintenance release with bugfixes and small
improvements. Windows installers include the latest OpenSSL version
(1.1.1i) which includes security fixes.

A summary of the changes is available here:



and a full list of changes is available here:



Source code and Windows installers can be downloaded from our download page:



Debian and Ubuntu packages are available in the official apt repositories:



If you need help with this release please refer to our Getting Help Wiki
article:






[Openvpn-devel] Summary of the community meeting (3rd December 2020)

2020-12-03 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 3rd December 2020
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

becm, cron2, dazo, mattock, ordex, plaisthos and syzzer participated in
this meeting.

---

Agreed to release OpenVPN 2.4.10 early next week, assuming OpenSSL has
made their pre-announced (=important) release before that.

---

Agreed to bundle libpkcs11-helper 1.27 with 2.4.10. We're at 1.26 now,
and the changes between the versions look safe.

---

Noted that some of the auth-token fixes from Git "master" could and
should be backported to release/2.5. The refactorings done in "master"
could be omitted. It seems like at the moment there's no real need to
push out 2.5.1.

---

Agreed to not have meeting on Dec 23rd or 31st. The last meeting this
month will be on 17th.

--

Talked about HackerOne bounties. Agreed to go through the current
HackerOne reports and set awards (bounties) and close all reports down
(if possible) in the next meeting. Then we can close our HackerOne
project for good.

---

Noted that "IPv6 to community.openvpn.net" has not moved forward. But
OpenVPN Inc. ops team manager is aware that cron2 needs to be kept happy
and that IPv6 will have to arrive eventually.

---

Talked about the buildbot upgrade. It will need a couple of days of
concentrated effort from mattock's part. Doing the upgrade around
Christmas time sounds realistic.

---

Full chatlog attached
(21:01:32) ordex: aloha!
(21:01:57) syzzer_: hi!
(21:02:10) mattock: hi
(21:02:28) becm: hi
(21:02:47) ordex: cron2: dazo: plaisthos: ?
(21:02:53) ***cron2 hides
(21:03:16) cron2 has set the topic to: 
https://community.openvpn.net/openvpn/wiki/Topics-2020-12-03
(21:03:35) dazo: Hey!
(21:03:41) cron2: yo!
(21:04:43) plaisthos: I am only semi here
(21:04:52) ordex: which part is here exactly?
(21:05:00) cron2: which is half more than usual on thursday evenings
(21:05:05) ordex: :D
(21:05:53) cron2: whoa, 4 ACKs on the list
(21:06:20) ordex: amazzing
(21:06:33) ordex: are we aiming at doing another 2.4.x release?
(21:07:26) cron2: yes
(21:08:00) cron2: a number of bugfixes have accumulated in release/2.4, so we 
agreed (2-3 weeks ago) to do a 2.4.10
(21:08:04) cron2: eventually
(21:08:18) mattock: internal meeting goes on and goes on...
(21:08:36) cron2: tell them you do not care until the IPv6 crisis is solved :)
(21:08:44) mattock: :)
(21:08:57) ordex: :D
(21:09:02) ordex: cron2: ok
(21:09:12) mattock: so 2.4.10 when?
(21:09:47) cron2: I want the line number fix to be in, but have not written the 
second version yet... so maybe early next week?  What works for you?
(21:10:31) mattock: early next week would be ok
(21:11:07) cron2: good.  I'll see that I can get the patch done tomorrow-ish, 
so ordex can review it ("he ACKed the other one but wanted to see a variant")
(21:11:39) ordex: yup, can do
(21:12:28) becm: will the 2.4.10 for Windows ship with the brand new 
pkcs11-helper 1.27?
(21:12:28) cron2: 25 patches in tree since 2.4.9
(21:13:05) cron2: do we have feedback about pkcs11-helper in 2.5.0?
(21:13:30) cron2: like, "works!" or "breaks :-("?  I haven't seen *any* 
feedback on 2.5.0 yet, which is sort of... "what does that mean?"
(21:13:31) mattock: becm: it looks like we have 1.26 now in generic/build.vars
(21:13:50) mattock: cron2: I think it means it is stable and boring
(21:14:17) cron2: this is how I like my software :)
(21:14:20) mattock: which is somewhat surprising given how much stuff went to it
(21:14:31) mattock: perhaps we're doing something right :D
(21:14:37) ordex: :D
(21:14:38) ordex: it happens
(21:14:44) ***cron2 pats his test rig :)
(21:15:22) mattock: so, libpkcs11-helper 1.26 -> 1.27 in 2.4.10 and 2.5.1?
(21:15:28) mattock: any reason not to?
(21:15:35) cron2: becm: what is in there?
(21:16:08) dazo: https://github.com/OpenSC/pkcs11-helper/releases
(21:16:19) becm: looks like 2 bugfixes to me?
(21:16:59) dazo: "thanks to Tunnelblick" ... smells like it has been tested ;-)
(21:17:20) mattock: at least in tunnelblick
(21:17:37) mattock: also looks like your libpkcs11-helper patch should apply ok
(21:17:46) mattock: I say "why not"
(21:17:53) cron2: yea
(21:17:54) cron2: h
(21:18:28) dazo: agreed
(21:19:17) ordex: looks good to me too
(21:20:47) cron2: anything else on 2.4?
(21:21:38) dazo: Don't think so
(21:21:44) cron2: good :-)
(21:21:48) cron2: 2.5 status, then
(21:22:05) mattock: I think we need to update all the other dependencies as 
well - build-complete.vars has not been updated since 2.4.9, but that's the 
normal procedure anyways
(21:22:23) cron2: 4 patches in tree since 2.5.0, 1 "make install" patch, 2 
"client side fixup for auth-token + auth-nocache" patches
(21:22:34) dazo: oh, OpenSSL is about to 

[Openvpn-devel] Community meetings in December 2020

2020-12-03 Thread Samuli Seppänen
Hi,

Our community meetings will alternate between Wed 11:30 CET and Thu
20:00 CET.

Next meetings have been scheduled to

- Thu 3rd December 20:00 CET (ongoing)
- Wed 9th December 11:30 CET
- Thu 17th December 20:00 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli




[Openvpn-devel] Summary of the community meeting (25th November 2020)

2020-11-25 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 25th November 2020
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, mattock, ordex and plaisthos participated in this meeting.

---

Talked about the 80 character limit in the OpenVPN codebase and agreed 
to set the soft limit to 80 chars and the hard limit to 120 characters. 
This was because sometimes trying to stay below 80 characters for the 
sake of it makes the code uglier, not prettier. For example, when you 
have to use temporary variables with short names just to accomplish it. 
Plus on modern terminals 80 characters is quite little.


---

Talked about the data channel offload (DCO) kernel module work in 
OpenVPN 2 by plaisthos and ordex. The current code/status is hacky and 
works with only one peer and renegotiation does not work yet. A cleaner 
integration is probably coming when ovpn-dco gets p2mp support: this 
avoids having to refactor twice.


Lev is checking if DCO could reasonably be done within the 
tap-windows6 driver as well. There is also the possibility that Linux 
version of OpenVPN 2 + DCO could be used as-is on WSL2 (Windows 
Subsystem for Linux) which basically runs a Linux kernel on top of Hyper-V.


The DCO changes will require us to improve our automated testing to 
ensure things do not break too badly.


--

Noted that OpenVPN 2.4.10 release is on schedule. That is, it will be 
released "next week".


--

Noted that mattock is now able to resume the Buildmaster upgrade work. 
This will require upgrading all buildslaves to Python 3, including our 
zombie from the dinosaur age, OpenSolaris. Our codebase still supports 
that platform so we should not stop testing it, either.


---

Full chatlog attached
(12:29:45) cron2: meeting calling...
(12:30:44) mattock: hello
(12:31:18) cron2: hi!
(12:32:58) mattock: anyone else?
(12:33:10) cron2: so, while we wait for dazo, plaisthos, ordex to find their 
way... any news on IPv6?
(12:34:08) ordex: here here
(12:34:26) ordex: dazo most likely won't join
(12:34:34) ordex: he's out at least until the end of the month I believe
(12:34:45) cron2: :(
(12:35:29) mattock: nothing on ipv6, it all depends on the migration to 
openvpn.com domain which I can keep asking about (no meeting this week though, 
Thanksgiving and all)
(12:35:54) cron2: yeah... *sigh*
(12:37:38) mattock: such an empty topic list: 
https://community.openvpn.net/openvpn/wiki/Topics-2020-11-25
(12:37:42) cron2: so, where is plaisthos hiding :-)
(12:38:02) mattock: ordex?
(12:38:59) ordex: I don't really have much on my side
(12:39:00) plaisthos: since even Linux kernel allows now 100 chars wide code, 
can we also allow a bit longer lines? *makes dog's eyes*
(12:39:07) ***ordex agrees
(12:40:27) cron2: I think a general 80 character "soft limit" is still 
reasonable, with flexibility if the alternatives are just plain ugly... so 100 
or 120 "flex margin" would work for me
(12:41:02) cron2: I am tempted often enough to just make something 83 
characters, because wrapping looks more ugly...
(12:41:36) ordex: yeah
(12:41:39) ordex: that makes sense
(12:43:30) cron2: since you two are the ones who wrote most of the code in the 
last years, I think we can just decide this here and now...
(12:43:44) cron2: (and not wait for dazo or syzzer or james to show up and 
agree :-) )
(12:45:05) Pippin_ [Pippin_@gateway/vpn/protonvpn/pippin/x-75792076] has 
entered the room.
(12:45:23) plaisthos: a lot of times I am wrapping functions to two lines 
instead of one because of the 80 char limit or introduce temporary variables to 
shorten the names
(12:45:29) plaisthos: I would like to reduce that
(12:45:41) plaisthos: because I don't think that improves overall readability
(12:45:45) mattock: I'll add this decision to the meeting summary and anyone 
who wants to complain can complain :)
(12:45:51) cron2: understood.  Would you be fine with a "general 80 character 
limit, as a goal, with flexibility to go to 100/120"?
(12:46:01) cron2: (the last sentence was intended for plaisthos)
(12:46:24) plaisthos: unless you are really on a machine or terminal that 
cannot be made 100 or 120
(12:46:54) plaisthos: let's keep a 120 hard limit
(12:47:10) cron2: I personally find code that has "all very long lines" (or 
extremely deeply nested) harder to read, that's why "soft/hard"
(12:47:17) plaisthos: yeah
(12:47:19) cron2: okay, so "soft 80, hard 120"?  Everyone ok with that?
(12:47:24) plaisthos: okay
(12:47:52) cron2: ordex went for lunch, it seems :)
(12:47:55) ordex: nono
(12:47:58) ordex: still thinking :D
(12:48:08) ordex: soft 80, hard 120 sounds good though
(12:48:27) ordex: I was just thinking that also moving the soft to 80 would be 
ok imho. 80 is just very 

[Openvpn-devel] Summary of the community meeting (11th Nov 2020)

2020-11-11 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 11th November 2020
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

becm, cron2, dazo, lev, mattock, ordex, plaisthos and zx2c4 participated 
in this meeting.


---

Talked about updating the Wintun driver (0.8.1) we bundle in OpenVPN 2.5 
installers to something more recent. Lev will take care of updating 
openvpn2 code to use userspace API. Zx2c4 will assist if lev hits any 
snags with the API.


---

Discussed a potential Wintun GPLv2 violation in OpenVPN Connect: it 
turns out that the Wintun MSM is embedded into OpenVPN Connect MSI.


Due to this zx2c4 is requesting OpenVPN Inc. to release the source code 
of OpenVPN Connect. We need to investigate this and do whatever actions 
are needed to ensure GPLv2 compliance.


Zx2c4 is also open to relicensing Wintun at some point.

--

Full chatlog attached

(12:29:11) mattock: hello
(12:32:00) plaisthos: hey
(12:32:13) mattock: hi!
(12:33:39) ordex: hi!
(12:34:29) lev__: hello
(12:34:43) mattock: cron2, dazo?
(12:35:10) dazo: hey!
(12:35:38) becm: hi
(12:36:42) mattock: shall we?
(12:37:26) plaisthos: yes
(12:37:31) plaisthos: before I need to run for lunch
(12:37:33) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-11-11
(12:37:37) mattock: the agenda is quite boring
(12:37:43) mattock: anything on 2.5 or 2.6?
(12:37:52) mattock: any other topics to bring up?
(12:38:28) plaisthos: WolfSSL still has not gotten us a version that actually 
works
(12:39:07) mattock: looks like it will get buried before 2.6 then
(12:39:19) plaisthos: yeah
(12:39:19) becm: possible WINTUN driver update?
(12:39:21) dazo: well, that was exactly our concern when they first approached 
us
(12:40:09) eworm [~eworm@archlinux/developer/eworm] has entered the room.
(12:40:55) mattock: becm: any particular issues that wintun update would 
address?
(12:41:35) plaisthos: well if we release a 2.5.1 it would be good to have the 
newest driver included
(12:41:42) cron2: uh
(12:41:44) becm: mattock: not to my knowledge.
(12:41:49) cron2: I'm stuck in a phone call, will be with you soon
(12:41:53) dazo: mattock: which version do we ship?
(12:41:57) mattock: plaisthos: agreed, that is not a problem
(12:42:04) lev__: 0.8.1 IIRC
(12:42:28) mattock: 
https://github.com/OpenVPN/openvpn-build/blob/master/windows-msi/version.m4
(12:42:37) mattock: lev is correct
(12:42:44) becm: effectively 0.8 (0.8.1 was installer-only update)
(12:43:27) cron2: now
(12:43:51) becm: this will be the first *update* of Wintun shipped with OpenVPN
(12:43:53) lev__: there is now 0.9 with at least  userspace API
(12:43:55) dazo: I see that there's some API changes by simon  seems to be 
lots of clean-up and minor fixes, but we should ensure our implementation is 
up-to-date
(12:44:07) cron2: what is a "userspace API"?
(12:44:41) lev__: instead of using Device IOControl calls, there is now 
wintun.dll with exported functions like CreateDevice, RegisterBuffer etc
(12:45:15) becm: the whole installation process seems to have changed as well.
(12:45:19) lev__: https://git.zx2c4.com/wintun/about/
(12:45:20) vpnHelper: Title: wintun - Layer 3 TUN Driver for Windows (at 
git.zx2c4.com)
(12:45:57) zx2c4: dazo: "some api changes by simon"?
(12:46:14) zx2c4: from the perspective of kernel api, those changes are mine
(12:46:20) zx2c4: and it's also not just "some api changes"
(12:46:36) dazo: zx2c4: I just skimmed the first commit page 
https://git.zx2c4.com/wintun/log/  and I see that it was far more 
comprehensive
(12:46:37) vpnHelper: Title: wintun - Layer 3 TUN Driver for Windows (at 
git.zx2c4.com)
(12:46:38) zx2c4: wintun.dll from simon and i is totally different
(12:46:47) dazo: I didn't mean to be condescending
(12:46:49) lev__: zx2c4: will DeviceIOControl approach still work?
(12:47:26) zx2c4: dazo: even skimming, thats ridiculous. you're a well known 
asshole when it comes to this stuff. i'd appreciate it if you stay out of this, 
if you want there to be any cooperation at all.
(12:47:49) zx2c4: lev__: maybe. but we're not going to guarantee it
(12:48:10) zx2c4: the interface now has moved to the userspace dll
(12:48:12) ordex: language please
(12:48:26) zx2c4: ordex: fuck off
(12:48:40) ordex: zx2c4: we are having an open meeting, what's wrong with you?
(12:48:52) zx2c4: ordex: you want my help or not? if so, please fuck off
(12:48:58) zx2c4: lev__: so the way forward is to migrate to wintun.dll
(12:49:09) zx2c4: there's a hook for the uninstaller to hit that should be 
pretty basic
(12:49:14) zx2c4: and overall deployment should be simplified
(12:49:24) zx2c4: also -- this will allow openvpn to work in "administrator 
mode" with wintun
(12:49:28) plaisthos: zx2c4: hm, what 

[Openvpn-devel] Summary of the community meeting (5th Nov 2020)

2020-11-05 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 5th November 2020
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo and mattock participated in this meeting.

---

Noted that OpenVPN 2.5.0 has been very stable with no confirmed issues 
so far.


---

Agreed that having a final 2.4.x release at some point would be good.

---

Started planning OpenVPN 2.6:



Also updated the SupportVersions page:



---

Talked about Debian packaging. It would be good to get OpenVPN 2.6 into 
Debian 11 before the freeze date which is around February-March 2020.


Decided to start talks with the current Debian OpenVPN package 
maintainer about packaging ovpn3-linux and ovpn-dco packages. Dazo is 
willing to help author those packages.


---

Noted that DCO support with server support will require quite a bit of 
refactoring in the main OpenVPN 2 codebase as well.


--

Full chatlog attached




[Openvpn-devel] Community meetings in November 2020

2020-11-05 Thread Samuli Seppänen

Hi,

Our community meetings will alternate between Wed 11:30 CET and Thu
20:00 CET.

Next meetings have been scheduled to

- Thu 5th November 20:00 CET
- Wed 11th November 11:30 CET
- Thu 19th November 20:00 CET
- Wed 25th November 11:30 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli






[Openvpn-devel] OpenVPN 2.5.0 released

2020-10-28 Thread Samuli Seppänen
st: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-devel] Summary of the community meeting (28th October 2020)

2020-10-28 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 28th October 2020
Time: 11:30 CEST (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, plaisthos and syzzer participated in this 
meeting.


---

Crafted the release announcement for OpenVPN 2.5.0.

--

Full chatlog attached
(12:29:46) dazo: hey!
(12:30:14) mattock: hello, release meeting
(12:30:24) dazo: mattock: so ... have you pushed?
(12:30:25) mattock: dazo: the release files are on swupdate
(12:30:32) cron2: ho
(12:30:34) mattock: depends on what "push" means
(12:30:40) cron2: working on the release announcement text
(12:30:41) dazo: yes, to s3
(12:30:43) mattock: yes
(12:30:46) cron2: https://etherpad.mit.edu/p/sjdhfksdhk
(12:30:47) vpnHelper: Title: Etherpad@MIT (at etherpad.mit.edu)
(12:33:23) dazo: Hmm ... we might have been just too late to put 2.5 into the 
main Fedora 33 repositories; it got released yesterday :/
(12:33:50) dazo: Fedora 34 will be the first shipping it in distro packages 
 but I'll add Copr repos for the other
(12:34:01) ***dazo need to create a new Copr repo for releases
(12:34:57) mattock: +1
(12:35:09) cron2: dazo: argh, how annoying... Monday would have been easily 
doable if we had known
(12:35:26) dazo: yeah, well, Fedora releases arrive every 6 months
(12:35:31) ***plaisthos is here 
(12:35:37) mattock: hi
(12:35:41) plaisthos: But I will leave in about 20 minutes for lunch
(12:35:55) mattock: I mean, we could have _tagged_ the release a few days ago 
easily
(12:36:30) cron2: plaisthos: can you have a look at the etherpad and see if 
that makes sense?
(12:36:58) dazo: well, there's no point at grieving over the past now
(12:39:30) mattock: dazo: +1 :)
(12:39:57) dazo: mattock: 
https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/    this 
is where I will put the packages; preparing for the builds now
(12:39:58) vpnHelper: Title: dsommers/openvpn-release Copr (at 
copr.fedorainfracloud.org)
(12:40:13) mattock: +1 again
(12:40:42) mattock: so does the release announcement look good to all?
(12:40:49) lev__: mattock: will you remove 2.5beta1 -> 2.5rc3 from 
https://openvpn.net/community-downloads/ ?
(12:40:50) vpnHelper: Title: Community Downloads | OpenVPN (at openvpn.net)
(12:41:32) mattock: lev: yes, I shall now
(12:43:59) cron2: mattock: we do seem to have MSI twice in the new feature list 
"we support building it, and we have it"
(12:44:16) mattock: yep, let's get rid of one
(12:44:53) plaisthos: cron2: I edited the etherpad
(12:45:05) plaisthos: and added the note that PIA always generated warning in 
the logs
(12:45:10) plaisthos: so it is not really a new problem
(12:45:55) cron2: yeah
(12:50:45) syzzer: hi :)
(12:50:47) mattock: nothing is happening in the pad
(12:50:52) cron2: wohoo
(12:50:54) mattock: is the announcement good now?
(12:50:56) mattock: hi syzzer!
(12:50:58) cron2: I just added something :-)
(12:51:01) plaisthos: the FAQ text in my app is less nice:
(12:51:03) plaisthos: Last but not least, there is a popular VPN provider that 
has a broken server that always says it is using \'BF-CBC\' because its 
developer thought it would be a good idea to create a proprietary cipher 
negotiation patch that is incompatible with standard OpenVPN.
(12:51:32) cron2: I am good with the announcement, but maybe it would be good 
to have syzzer have a look, with fresh eyes
(12:52:52) dazo: cron2: VLAN support  I'm fuzzy on the details, is that for 
TAP only, or also TUN?
(12:53:08) cron2: tap only
(12:53:55) plaisthos: need to go for lunch now, sorry :(
(12:54:59) syzzer: "Debian and Ubuntu packages are available in the official 
apt repositories." sounds like the debian and ubuntu repos, but you mean the 
openvpn apt repos right?
(12:55:25) dazo: "but if you need to keep a 2.3 (or even older) OpenVPN 
around, and need to stay on BF-CBC, the 2.5 end of that session needs a config 
file change to add the formerly-default cipher"  <<< this sounds odd
(12:55:40) dazo: syzzer: yeah, that apt repo sentence needs to be clarified
(12:56:58) mattock: please note that copying the text broke the links
(12:57:01) mattock: that's why it is confusing
(12:57:07) mattock: but we can also reword it a bit
(12:57:11) mattock: that is, I can
(12:57:41) mattock: done and somebody else was there before me :)
(13:00:06) mattock: pippin on #openvpn-devel suggests adding a link to the 
easy-rsa 3 howto 
(https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto)
(13:00:08) cron2: anything else on the announcement text?
(13:00:13) mattock: ^^^
(13:00:16) mattock: I would not mind
(13:00:20) dazo: do we require FreeNode registration to access #openvpn these 
days?
(13:00:20) mattock: it's new to most
(13:00:32) mattock: 

[Openvpn-devel] Summary of the community meeting (22nd October 2020)

2020-10-22 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 22nd October 2020
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

becm, cron2, dazo, mattock and plaisthos participated in this meeting.

---

Talked about turning on IPv6 on the openvpn.net domain, in particular 
community.openvpn.net. As turning on IPv6 in Cloudflare is per-domain, 
the current plan from OpenVPN Inc. operations' team is to finish a 
migration of some critical servers/services to the openvpn.com domain 
(which has IPv6 enabled), then try turning on IPv6 on openvpn.net 
domain. This will happen in November (optimistic estimate) or this 
quarter (realistic estimate).


---

Mattock has started the long overdue buildbot upgrade by setting up a 
PoC buildmaster (2.x). The initial targets for the new buildbot setup are:


- Building tap-windows6 (to get automated HLK testing running)
- Building MSI snapshot installers

The existing buildslaves and master.cfg can be migrated later.

---

Noted that there are no known issues in OpenVPN 2.5-rc3. This gives 
confidence that we can release 2.5.0 soon.


---

Planned the OpenVPN 2.5.0 release.

Agreed that we should invest some time in the release announcement text 
(pointing out surprises with BF-CBC using setups and 2.3 servers), and 
maybe have a thorough look at Changes.rst as well.


Changes.rst change could be drafted in a public Etherpad such as this:



It allows GitHub logins among other things.

We will aim to have the release announcement and tag ready next Tuesday 
so that the release can be made on Wednesday.


---

Dazo is wrapping up the openvpn3-linux v11 beta release and has ovpn-dco 
packages for Ubuntu 20.04 and Fedora 31, 32 and 33 ready.


--

Full chatlog attached

(21:00:10) mattock: good evening people!
(21:01:20) mattock: I believe it is meeting time
(21:01:44) cron2: yo
(21:01:46) mattock: hi!
(21:02:00) mattock: while waiting let's start with cron2's favorite topic
(21:02:14) cron2: haha :)
(21:02:25) cron2: so, any well-tasting cakes today?
(21:02:36) mattock: so, the proposal from the ops team/manager regarding IPv6 
on openvpn.net domain
(21:02:40) mattock: no cakes
(21:02:52) cron2: "no cake" is not one of my favourite topics
(21:03:22) mattock: there is a large number of critical servers getting moved 
away from openvpn.net to openvpn.com
(21:03:30) mattock: servers/services
(21:03:51) mattock: that will optimistically happen in November, and 
realistically by the end of the year
(21:03:56) dazo: Hey!
(21:04:12) mattock: after that the risks of turning on IPv6 would be way smaller
(21:04:18) cron2: well, I do not think this is a strategy worth of a technology 
company... "AVOID IPV6 AT ALL COSTS!".  But if it brings back IPv6 to the 
rest...
(21:04:44) cron2: I could sell some IPv6 consulting... :-)
(21:04:50) mattock: so basically: migrate the critical stuff over to .com 
(which has IPv6 enabled, btw), then switch on IPv6 on openvpn.net
(21:05:00) cron2: wat
(21:05:10) mattock: yes
(21:05:22) cron2: watever :)
(21:05:38) dazo: there are more voices internally which also question these 
worries about IPv6
(21:05:56) mattock: the problem with those voices is that it's not their head 
on the plate if money stops flowing
(21:06:13) mattock: it's not even my head on the plate
(21:06:40) dazo: well, let's not dive into that here :)
(21:06:46) mattock: yep
(21:07:18) mattock: anyways, the only alternative I can offer is turning off 
cloudflare on community.openvpn.net and then trying to figure out some way to 
prevent DoS which tends to happen soon after CF is off
(21:07:29) mattock: I'd like not to go that route, too much stuff to do anyways
(21:07:44) mattock: well, that's all
(21:07:55) mattock: I do have some unrelated news though
(21:08:22) mattock: due to various circumstances which included HCR/HLK-CI I 
decided to start the buildmaster upgrade process
(21:08:32) cron2: like, "python 3"?
(21:08:43) mattock: among other things
(21:08:57) mattock: but if that is an issue we can have the old buildmaster 
running for a long while still
(21:09:10) cron2: nah, it is great news
(21:09:11) mattock: the main goal now is:
(21:09:11) mattock: - tap-windows6 builds
(21:09:11) mattock: - automated openvpn MSIs
(21:09:34) mattock: tap-windows6 first and foremost, as HLK-CI guys need build 
artefacts to test
(21:09:39) cron2: my FreeBSDs are sending me lengthy mails every day that 43 
py27-xxx modules are now considered deprecated
(21:09:55) cron2: so while the conversion will be some work, I think it is a 
useful thing to do
(21:09:59) mattock: yep
(21:10:12) mattock: it should not be too bad
(21:10:45) mattock: I did a PoC master setup already - the setup has not 

[Openvpn-devel] OpenVPN 2.5-rc3 released

2020-10-19 Thread Samuli Seppänen

The OpenVPN community project team is proud to release OpenVPN
2.5-rc3. Source code and Windows installers can be downloaded from our
download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>

On Red Hat derivatives we recommend using the Fedora Copr repository:

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-beta/>

This release includes a number of fixes to OpenVPN.

OpenVPN 2.5 is a new major release with many new features:

- Client-specific tls-crypt keys (--tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN
  data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in --cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
- MSI installer (Windows)
- The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA
  management

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:

<https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst>

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net/>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Community bug tracker: <https://community.openvpn.net/>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] Summary of the community meeting (14th Oct 2020)

2020-10-14 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 14th October 2020
Time: 11:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

becm, cron2, dazo, lev, mattock and ordex participated in this meeting.

---

The OpenVPN website is under maintenance now. This has prevented us from 
releasing 2.5-rc3. The maintenance should be finished today California time.


--

Agreed that we tag 2.5-rc3 today and release it tomorrow, if possible. 
Then in the next community meeting (Thu 22nd) we decide when to push out 
2.5.0.


--

Noted that some pages on https://openvpn.net are empty and look silly:



There is an internal OpenVPN Inc. ticket for this issue already.

--

Noted that OpenVPN 3 Linux client 11 beta will be out this week. Its 
main feature is the inclusion of kernel acceleration (DCO). A recent OS 
like Ubuntu 20.04 or Fedora 32 is required to use it.


Also noted that the DCO API is not yet properly documented and that it 
should be. That way kernel acceleration could be implemented more easily 
on non-Linux kernels.


--

Noted that IPv6 is still not enabled on the openvpn.net domain in 
Cloudflare. Mattock and ordex will keep pressure on the correct people 
at OpenVPN Inc. to get this fixed.


--

Full chatlog attached

(12:30:33) cron2: hullo!
(12:32:24) ordex: hillo!
(12:34:16) lev__: hello
(12:35:28) dazo: yay!
(12:37:07) cron2: so
(12:37:18) cron2: where is mattock?
(12:38:18) cron2: it's not a "shit meeting", we're not corp :-)
(12:39:07) ordex: :p
(12:39:08) dazo: :-P
(12:39:14) ordex: he must be hiding
(12:39:16) ordex: mattock: !!
(12:39:32) dazo: he appeared in the wrong channel :-P
(12:39:45) cron2: he is in here, he's just ignoring us
(12:39:54) cron2: 11:39 -!-  ircname  : Samuli Seppänen
(12:39:54) cron2: 11:39 -!-  channels : @#openvpn-meeting @#openvpn-devel
(12:40:07) cron2: anyway
(12:40:15) cron2: this is either a short or a very long meeting...
(12:40:23) mattock: hello
(12:40:35) dazo: 2.5 status
(12:40:39) mattock: sorry, was distracted by "real work" :D
(12:40:44) cron2: from the "openvpn repo" side of things, RC3 looks good - 
there are a few bugfixes in, so "having RC3 this week, 2.5.0 next week" sounds 
reasonable
(12:41:00) cron2: I am not sure about the windows installer / TAP driver status
(12:41:04) dazo: mattock: nono ... you got it reversed  *this* is _real_ 
work ;-)
(12:41:27) mattock: the main blocker is that the website is being updated, so 
it does not make sense to release anything until that is done
(12:41:45) dazo: cron2: I'll have a look at your argv patch  quick glance 
looks good, just want to stare a bit more on the code
(12:41:49) mattock: because the download page would get wiped and things would 
probably end up in 404 hell with cloudflare etc
(12:42:10) mattock: hopefully the rc3 release can be made tomorrow so that it 
sticks on the dl page
(12:42:48) lev__: mattock: can you make sure those pages are removed or filled 
with content https://openvpn.net/download/openvpn-2-5-rc2/
(12:42:49) vpnHelper: Title: OpenVPN 2.5-rc2 | OpenVPN (at openvpn.net)
(12:42:55) dazo: mattock: krzee has been pretty good at beating up the 
cloudflare/aws cloudfront caching  he's done wonders with some scripts
(12:43:27) mattock: lev: sure, I can scrap the betas and older rc releases when 
making rc3 release
(12:43:30) dazo: lev__: I believe they're looking at doing a 304 redirect or so
(12:43:52) mattock: lev: oh, I misunderstood
(12:44:02) mattock: I believe there is a ticket about those "empty pages"
(12:44:04) mattock: let me check
(12:44:52) eworm [~eworm@archlinux/developer/eworm] entered the room.
(12:45:08) mattock: lev: you created a ticket: 
https://openvpn.atlassian.net/browse/OW-382
(12:45:09) vpnHelper: Title: Log in with Atlassian account (at 
openvpn.atlassian.net)
(12:46:30) lev__: yes, but it has been 3 weeks and pages are still there
(12:47:06) mattock: I don't have a magic bullet
(12:47:39) mattock: one way to convince them to fix it is to show that google 
spits those stupid URLs to people
(12:47:40) dazo: lev__: Matt and Doug are on it ... so let's let them tackle that
(12:47:54) mattock: I was unable to get a link from Google to those broken pages
(12:47:56) dazo: "We will also no-index these pages and inform Search Console 
about this as well. "
(12:48:08) dazo: back to 2.5 release, shall we?
(12:48:13) mattock: yes
(12:50:14) cron2: so, how's the windows installer/tap side looking?
(12:50:27) mattock: well, I don't see any blockers there
(12:50:39) mattock: I did not start the process yet as this website thing made 
it kind of unnecessary
(12:50:57) mattock: I built new tap-windows6 some days ago
(12:51:04) cron2: so... if we 

[Openvpn-devel] Summary of the community meeting (8th October 2020)

2020-10-08 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 8th October 2020
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock and yanv participated in this meeting.

---

Daynix Computing LTD has developed an automation framework (hck-ci) for
running Windows HCK/HLK certification tests with sponsoring for Red Hat
to get virtio-win HCK/HLK tested:



Daynix is offering to let the OpenVPN project use their hck-ci
installation to test tap-windows6. This would allow them to generalize
their CI to work with drivers other than virtio-win as well and the OpenVPN
project would benefit from getting proper Windows driver testing.
Potentially the OpenVPN project could run its own test setup, but there's
not much need for it.

What we would have to do is create the base Windows images that will be
used in the test runs:



Some older documentation is here:



The provisioning of the base Windows images could use some improvement.
At the moment the base images "go sour" when the evaluation licenses
expire. Building them from scratch would solve this problem.

Mattock will take a closer look at this next week.

The Daynix guys will start hanging out at #openvpn-devel to help us out
with any issues that may arise.

--

Noted that the https://openvpn.net website can't be modified until
Monday or Tuesday as the Wordpress instances are being upgraded. This
postpones the next 2.5 release slightly.

--

Full chatlog attached
(21:02:20) mattock: hello
(21:02:49) mattock: meeting time
(21:02:53) mattock: anyone else? :)
(21:03:20) yanv: hello
(21:04:34) mattock: hi!
(21:08:53) yanv: I was invited by Samuli Seppänen to discuss possibility for 
automation of HLK\HCK tests of the OpenVPN drivers. We developed automation 
framework for the certification https://github.com/hck-ci and run it virtio-win 
drivers: https://github.com/virtio-win/kvm-guest-drivers-windows/pull/502.
(21:08:53) yanv: I wanted to see if it can be useful for your project as well.
(21:08:54) vpnHelper: Title: HCK-CI · GitHub (at github.com)
(21:09:30) mattock: that's me
(21:09:41) yanv: :)
(21:09:51) mattock: it is surprisingly quiet today
(21:10:07) mattock: anyhow, I will write a summary so even if nobody else pops 
in here they can see all this
(21:10:39) mattock: yanv: what kind of test rigs do you have?
(21:10:42) mattock: all virtual?
(21:10:50) yanv: Yes
(21:10:56) mattock: ok
(21:11:04) yanv: We are working to enable it to run on the physical machines as 
well
(21:11:20) yanv: in general the part that automates the test runs can do it 
already today
(21:11:20) mattock: in our case it seemed necessary to use real hardware to be 
able to pass all the tests
(21:11:46) mattock: but we're not at this point really interested in HLK except 
for actual (regression) test purposes
(21:11:55) yanv: but we don't have the part that will re-provision the machines 
before the test execution (it is better to run on the clean machines and not 
ones that executed tests before)
(21:12:26) mattock: on what are the test VMs running on? VMWare, EC2, Azure?
(21:12:27) Pippin_ [Pippin_@gateway/vpn/protonvpn/pippin/x-75792076] entered 
the room.
(21:12:35) yanv: QEMU\KVM
(21:12:41) mattock: ok, that should work as well
(21:12:45) yanv: Because we developed it to test virtio drivers
(21:12:59) mattock: is there any provisioning code in place?
(21:13:03) yanv: But then we changed it to be generic
(21:13:04) mattock: or just manually installed KVM hosts
(21:13:14) mattock: +1 for the generic part :)
(21:13:18) yanv: The hosts are manually installed
(21:13:44) mattock: I've done my share of Windows automation with Puppet and 
Powershell DSC
(21:13:55) mattock: I actually do have some Puppet code that sets up HLK nodes
(21:14:05) yanv: also the initial preparation of the images is out of the scope 
now (the installation of the test kit).
(21:14:31) mattock: here: https://github.com/Puppet-Finland/puppet-hlk
(21:14:33) vpnHelper: Title: GitHub - Puppet-Finland/puppet-hlk: A Puppet 
module for setting up Windows Hardware Lab Kit (HLK) controllers and clients 
(at github.com)
(21:14:51) yanv: +1 > here: https://github.com/Puppet-Finland/puppet-hlk
(21:14:52) vpnHelper: Title: GitHub - Puppet-Finland/puppet-hlk: A Puppet 
module for setting up Windows Hardware Lab Kit (HLK) controllers and clients 
(at github.com)
(21:15:12) yanv: I saw it, can be a great idea to integrate it together.
(21:15:42) mattock: yeah, I think reprovisioning the test nodes makes perfect 
sense
(21:15:46) mattock: HLK beats them to death
(21:16:03) yanv: In any case, we use snapshots during the tests. So there are 

[Openvpn-devel] Community meetings in October 2020

2020-10-06 Thread Samuli Seppänen
Hi,

Our community meetings will alternate between Wed 11:30 CET and Thu
20:00 CET.

Next meetings have been scheduled to

- Thu 8th October 20:00 CET
- Wed 14th October 11:30 CET
- Thu 22nd October 20:00 CET
- Wed 28th October 11:30 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli






[Openvpn-devel] Summary of the community meeting (30th September 2020)

2020-09-30 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 30th September 2020
Time: 11:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

becm, cron2, dazo, lev, mattock, plaisthos and zx2c4 participated in
this meeting.

---

OpenVPN 2.5-rc2 was tagged before the meeting started. It was released
later, just before this summary was sent. Packages for Red Hat were also
made available via Copr.

Noted that we may need to do an RC3 because of various Windows-related
issues and patches.

Discussed the possibility of moving the openvpnmsica (MSI custom
actions) and tapctl.exe source code away from openvpn.git. That way we would
not have to do a full release if the changes only affect Windows installers.

Talked about the "MSM: Incomplete old driver removal" tap-windows6 issue:



We (possibly) leave behind driver files in System32\drivers and "break"
some registry entries. If that is not an issue then we're "ok". Lev
suggested giving this issue to OpenVPN Inc. QA for testing. It was
agreed that plan makes sense.

---

Zx2c4 mentioned that he plans on moving away from MSM distribution for
Wintun to make it more difficult for different consumers of Wintun to
step on each other's toes. He'll keep the OpenVPN project posted about it.

---

Talked about OpenVPN 2, 3 and NetworkManager. There is hope that
NetworkManager could integrate more easily with OpenVPN 3 than OpenVPN
2. What really happens remains to be seen.

---

Noted that right now the OpenVPN 2.5-rc2 MSI installer does not upgrade
the tap-windows6 driver properly. This is being looked into and a fix
will follow soon.

--

Full chatlog attached
(12:30:58) ***plaisthos whistles
(12:31:42) cron2: oh, indeed
(12:32:05) mattock: hello
(12:33:43) lev__: hi
(12:33:53) ordex: hi
(12:36:03) becm: hi
(12:36:05) cron2: s
(12:36:07) cron2: oops
(12:36:35) mattock: ok let's start
(12:36:45) mattock: I'll try to inch the release forward while the meeting is 
ongoing
(12:37:16) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-09-30
(12:37:39) mattock: then we have 
https://github.com/OpenVPN/tap-windows6/issues/129
(12:37:41) vpnHelper: Title: MSM: Incomplete old driver removal · Issue #129 · 
OpenVPN/tap-windows6 · GitHub (at github.com)
(12:39:23) mattock: so, who wants to start?
(12:39:45) ordex: I guess we go with a recap of the 2.5 status first ?
(12:39:52) ordex: as far as I understood rc2 was just tagged, right ?
(12:40:07) cron2: yes
(12:40:18) cron2: tagged and pushed, and installers are building
(12:40:28) dazo: hey!
(12:40:46) ordex: cool
(12:40:58) ordex: is there anything pending that we already know should go in a 
potential rc3?
(12:40:58) dazo: I'll get the Copr (RPM) builds running too
(12:41:12) ordex: or we have to get rc2 out and see what comes back?
(12:41:21) plaisthos: from my tree only the cipher none patch
(12:41:39) ordex: ok
(12:41:40) cron2: I was about to say "need to go through the plaisthos 
patches", and "none" was high on my list
(12:41:50) cron2: nothing else I'm aware of right now
(12:41:54) dazo: plaisthos: does that require another RC round from your point 
of view?  Or is it ready for final release?
(12:43:31) plaisthos: it is a fairly small patch. I have tested it and some 
users of my app screaming at me also seem to be happy with it
(12:43:53) dazo: then I'm leaning towards release ready
(12:44:11) plaisthos: and unless you have cipher none in use it doesn't change 
the code
(12:44:21) cron2: I am a bit more careful with the windows installer issues
(12:44:37) plaisthos: the biggest change of it is that remote_cipher becomes 
'none' instead
(12:44:44) plaisthos: of [null-cipher]
(12:44:48) cron2: there is a patch from rozmansi regarding win7/msica that 
nobody understands, and the tap-windows6 issue above
(12:45:05) dazo: cron2: but are the windows installer issues related to the 
openvpn codebase itself now?
(12:45:12) cron2: sometimes :)
(12:45:22) cron2: openvpnmsica lives in the openvpn git repo
(12:45:28) cron2: msm lives in the tap-windows6 git repo
(12:45:38) cron2: other stuff lives in the openvpn-build repo
(12:46:01) cron2: so, depending on *where* we need to fix the driver stuff, it 
might affect the openvpn git repo, or "just a new installer"
(12:46:10) mattock: yep
(12:46:16) lev__: I can ping rozmansi and ask for clarification regarding that 
patch
(12:46:19) cron2: as for "openvpn git repo -> src/openvpn/" I think we're 
fairly release ready
(12:46:45) lev__: I gave my comments but haven't got a reply yet
(12:46:54) cron2: yeah, seen that
(12:48:14) lev__: and tap-windows6 is not a regression, it has been there 
"forever", it should not stop us from releasing
(12:48:25) lev__: I can have a 

[Openvpn-devel] OpenVPN 2.5-rc2 released

2020-09-30 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN
2.5-rc2. Source code and Windows installers can be downloaded from our
download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>

On Red Hat derivatives we recommend using the Fedora Copr repository:

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-beta/>

This release includes a number of fixes to OpenVPN, most of which affect
Windows only.

OpenVPN 2.5 is a new major release with many new features:

- Client-specific tls-crypt keys (--tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN
  data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in --cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
- MSI installer (Windows)
- The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA
  management

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:

<https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst>

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net/>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Community bug tracker: <https://community.openvpn.net/>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


Gert Doering (1):
  Preparing release 2.5_rc2

Lev Stipakov (1):
  Alias ADAPTER_DOMAIN_SUFFIX to DOMAIN

Selva Nair (2):
  Set DNS Domain using iservice
  Improve documentation of --username-as-common-name

Simon Rozman via Openvpn-devel (4):
  netsh: Specify interfaces by index rather than name
  netsh: Clear existing IPv6 DNS servers before configuring new ones
  netsh: Delete WINS servers on TUN close
  openvpnmsica: Simplify find_adapters() to void return

Vladislav Grishenko (1):
  Fix update_time() and openvpn_gettimeofday() coexistence





[Openvpn-devel] Summary of the community meeting (24th September 2020)

2020-09-24 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 24th September 2020
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

becm, cron2, dazo, lev and mattock participated in this meeting.

---

Talked about OpenVPN 2.5. Noted that MSI is getting into a nice shape,
though we have some fixes pending for it. We also have a new
tap-windows6 release in the pipe.

Agreed that we want to do an RC2 release for 2.5, mainly because there
is a fair amount of changes related to Windows.

Set the release date for 2.5-rc2 to "mid next week". This gives mattock
some time to build a new tap-windows6 driver as well as get his other
urgent stuff out of the way.

---

Noted that Trac tickets related to OpenVPN Connect should be assigned to
denys.babets. He will take them from there.

--

Full chatlog attached
(21:00:08) mattock: hello
(21:01:41) dazo: hey!
(21:01:45) dazo has set the topic: Agenda at 
https://community.openvpn.net/openvpn/wiki/Topics-2020-09-24
(21:01:46) lev__: guten nacht
(21:01:59) dazo: lev__: that's when the day starts!
(21:02:20) lev__: then guten abend
(21:02:33) dazo: :-P
(21:03:50) dazo: Btw ... how's the MSI stuff going?
(21:04:12) lev__: I think it is in a good shape
(21:04:41) dazo: Great!
(21:05:19) lev__: there is one issue which could be fixed, though, but I 
wouldn't call it showstopper (support for modify/repair)
(21:05:39) dazo: so that's more a feature than a bug?
(21:05:57) cron2: now!
(21:06:01) mattock: hi
(21:06:25) lev__: both
(21:06:45) mattock: there is also some activity on tap-windows6
(21:06:51) lev__: unprivileged user may break VPN connection of administrator
(21:07:13) lev__: but we have the same problem with Connect
(21:07:22) mattock: btw. 2.0 had 18 release candidates
(21:07:31) mattock: we can do a few before breaking the record
(21:07:35) mattock: https://build.openvpn.net/downloads/releases/
(21:07:37) vpnHelper: Title: Index of /downloads/releases/ (at 
build.openvpn.net)
(21:09:57) cron2: working on it :-)
(21:10:07) cron2: mattock: have you seen that we need a new tap driver?
(21:11:52) mattock: yes, and selva said "wait"
(21:11:57) mattock: did not check later today
(21:13:09) lev__: cron2: what is the thing with new tap driver ?
(21:14:31) cron2: changing the MAC address via control panel was doubly broken
(21:14:43) cron2: .inf file was broken, setting the wrong key - that was fixed 
yesterday
(21:14:54) cron2: driver was using the wrong variable for ARP and ND - that was 
fixed today
(21:15:04) cron2: so, now things should be fixed for good
(21:16:45) lev__: cool, we should update Connect client as well
(21:19:16) mattock: what about the next rc?
(21:19:19) mattock: what, when?
(21:19:56) cron2: you tell me :-) - it should come with the new tap driver.
(21:20:01) cron2: I can do the RC2 any time
(21:20:29) lev__: I would like to add dhcp-option DOMAIN support for wintun
(21:20:31) dazo: Do we need another RC?
(21:20:52) dazo: $ git shortlog v2.5_rc1..release/2.5
(21:20:52) dazo: Simon Rozman via Openvpn-devel (4):
(21:20:52) dazo:   netsh: Specify interfaces by index rather than name
(21:20:52) dazo:   netsh: Clear existing IPv6 DNS servers before 
configuring new ones
(21:20:52) dazo:   netsh: Delete WINS servers on TUN close
(21:20:52) dazo:   openvpnmsica: Simplify find_adapters() to void return
(21:21:09) dazo: These are bugfixes ... doesn't look that scary even
(21:21:32) cron2: dazo: not on the unix side, but windows with the new driver 
and "netsh config fixes" might need another round of testing
(21:21:53) cron2: also, we are aiming to beat 2.1, which made 2.1_rc22 (not to 
forget having an rc21b!)
(21:22:07) dazo: hahahaha  oh dear!
(21:22:09) mattock: 2.0 actually
(21:22:16) mattock: 2.1.4 was the last 2.1
(21:22:18) dazo: no, 2.1_rc22 was a thing
(21:22:31) cron2: mattock: release candidates come before 2.1.0 :-)
(21:22:33) dazo: 2.1.4 was the last release
(21:22:50) cron2: commit 1852709cd5093995f97ba4860d1a6083c6df6d6c (tag: 
v2.1_rc22)
(21:23:10) cron2: anyway
(21:23:13) mattock: yes of course, but 2.0-rc18 was the biggest achievement in 
RCs so far
(21:23:23) mattock: but yeah
(21:23:30) mattock: I propose "mid next week" for rc2
(21:23:31) cron2: mattock: uh - no?  2.1_rc22 is more than 2.0_rc18?
(21:23:35) dazo: mattock: you're awake?  22 comes after 18 ;-)
(21:23:44) mattock: where do you guys see 2.1_Rc22?
(21:23:49) mattock: not on build.openvpn.net?
(21:23:55) dazo:  git tag -l | grep v2.1_rc
(21:23:58) mattock: ok
(21:24:00) cron2: in the commit quoted above
(21:24:03) mattock: I withdraw my objections
(21:24:10) mattock: that's pretty incredible
(21:24:13) cron2: not sure what release had the most versions actually built 
and published :-)

[Openvpn-devel] OpenVPN 2.5-rc1 released

2020-09-22 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN
2.5-rc1. Source code and Windows installers can be downloaded from our
download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>

On Red Hat derivatives we recommend using the Fedora Copr repository:

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-beta/>

This release includes a number of fixes to OpenVPN. On the Windows side
there are several changes:

- The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA
management

- OpenVPN GUI can now be run as admin without breaking Wintun with the
"Always use interactive service by default" checkbox.

- Windows performance is increased by enabling compile-time
optimizations for OpenVPN and OpenSSL.

OpenVPN 2.5 is a new major release with many new features:

- Client-specific tls-crypt keys (--tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN
data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in --cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option --block-ipv6 to reject all IPv6 packets (ICMPv6)

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:

<https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst>

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net/>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Community bug tracker: <https://community.openvpn.net/>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

David Sommerseth (4):
  man: Add missing --server-ipv6
  man: Improve --remote entry
  sample-plugins: Partially autotoolize the sample-plugins build
  build: Fix make distclean/distcheck

Gert Doering (11):
  Fix handling of 'route remote_host' for IPv6 transport case.
  Replace 'echo -n' with 'printf' in tests/t_lpback.sh
  Fix description of --client-disconnect calling convention in manpage.
  Handle NULL returns from calloc() in sample plugins.
  Fix --show-gateway for IPv6 on NetBSD/i386.
  socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes
  Fix netbits setting (in TAP mode) for IPv6 on Windows.
  If IPv6 pool specification sets pool start to ::0 address, increment.
  Add demo plugin that excercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" 
paths
  Fix combination of --dev tap and --topology subnet across multiple 
platforms.
  Preparing release 2.5_rc1

Lev Stipakov (1):
  msvc: better support for 32bit architecture

Selva Nair (2):
  Add a remark on dropping privileges when --mlock is used
  Allow --dhcp-option in config file when windows-driver is wintun

Vladislav Grishenko (1):
  Fix fatal error at switching remotes (#629)



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] Summary of the community meeting (16th September 2020)

2020-09-16 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 16th September 2020
Time: 11:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev and mattock participated in this meeting.

---

Went through patches in Patchwork and tickets in Trac and assigned them
to people and milestones.

--

Agreed that the next release should be OpenVPN 2.5-rc1. Beta4 has been
really stable as far as we can see.

It was also agreed that EasyRSA 3 should go into rc1. This will require
some documentation fixes on the EasyRSA 3 side and hopefully only minor
changes to the MSI installer code. The rc1 install will not include
EasyRSA 2.

Noted that OpenVPN 3 support in OpenVPN GUI can't make it to 2.5-rc1,
but it can also be introduced later in a Windows installer release.

Noted that the Debian 10 packaging fix should go into 2.5-rc1:



Set the release date for OpenVPN 2.5-rc1 to Monday 21st September 2020.

-- 

Full chatlog attached
(12:31:47) cron2: meeting time!
(12:31:55) lev__: yes
(12:34:54) dazo: Hey!
(12:39:22) cron2: mattock around?
(12:39:39) ***dazo pings him internally
(12:43:06) dazo: so should we just start somehow and while we wait for more 
people to arrive?
(12:43:34) cron2: yeah
(12:43:57) cron2: I have put stuff on the agenda
(12:44:16) dazo has set the topic: Agenda at 
https://community.openvpn.net/openvpn/wiki/Topics-2020-09-16
(12:44:21) cron2: right :)
(12:45:34) cron2: so.  I have a few patches in trac that are relevant for 2.5, 
and of course I'd love to see an ACK :-) - but none of these are crucial for 
2.5.0
(12:46:15) cron2: I intended to merge the plugin build patch from dazo today 
("it looks good"), but got distracted by a power outage... so it will take me 
some time to get my infra back up.
(12:46:27) cron2: "patches in patchwork", that is
(12:46:47) dazo: Could we just list the patchwork IDs here ... so we can 
quickly see what we can manage this week?
(12:47:33) cron2: #1454 (dazo v3), #1446 (FreeBSD/tap+subnet), #1441 
(client-connect plugin), #1439 (ipv6 pool +1)
(12:48:16) cron2: #1446+#1439 are easy for ordex
(12:48:29) dazo: I can follow up with ordex on those two
(12:48:35) cron2: #1441 is easy for dazo (v4 coming, as soon as #1454 is merged)
(12:48:50) dazo: perfect, that's a simple one then
(12:49:06) dazo: As soon as v4 hits pw/ml, I'll dive into it
(12:49:06) cron2: #1454 is easy for me (as soon as I have power... the openvpn 
infra is on "real" computers, not on the laptops)
(12:49:20) dazo: fair enough
(12:50:19) cron2: then we have a number of bugs in trac tagged as "milestone: 
release/2.5"
(12:50:22) cron2: https://community.openvpn.net/openvpn/report/3?asc=1=2
(12:50:26) cron2: (scroll down)
(12:51:36) cron2: some have patches in trac already, some will most certainly 
not make it ("feature wish" style), but we need to go through them and see 
"which category is it?  fix for 2.5, close because already fixed, bump to 2.6"
(12:52:43) dazo: isn't there a patch on the ML already for ticket #1085?
(12:53:16) cron2: yes, #1446
(12:53:23) cron2: review, merge, close :)
(12:53:36) dazo: okay, so that's fine
(12:53:45) dazo: #399 can probably be closed
(12:53:49) cron2: (or actually, in that case, review, merge, document, and 
upgrade to "release 2.6" for a proper rewrite)
(12:54:39) cron2: yeah
(12:55:13) dazo: #439 ... I think that one can be moved to a 2.5.1 target ... 
test using a script deemed to fail, if this is no longer an issue, close it
(12:55:51) cron2: yeah
(12:55:55) dazo: #538 is kinda out of our hands, it requires an updated 
pkcs11-helper lib
(12:56:32) dazo: I'd say it can be closed, we can't do much more about it from 
our end
(12:57:01) cron2: can we push other maintainers?
(12:57:24) dazo: you mean alonbl?
(12:57:45) cron2: no, the package maintainers on RH
(12:58:10) cron2: umm
(12:58:30) cron2: I'm confused.  This talks about Debian and CentOS.
(12:59:08) cron2: if I understand this right, "our side" is fixed.  Your last 
comment is "CentOS 6 and 7".  So maybe talk to the pkcs11-helper maintainers 
there to get it patched?
(13:00:09) dazo: In this case, pkcs11-helper comes from the Fedora EPEL repo, 
which CentOS can use  but the policy is to not upgrade package versions 
mid-releases ... and for some reason, it seems the package maintainer has 
settled with version 1.22, even on latest Fedora releases ...
(13:00:24) cron2: maybe backport the bugfix?
(13:00:30) cron2: or is it bigger?
(13:00:38) dazo: I fear it might be too big, but I'll investigate
(13:01:05) cron2: (definitely not "2.5", though... maybe just remove the 
milestone as not coupled to a particular openvpn release at all)
(13:01:23) dazo: Yeah, makes sense

[Openvpn-devel] OpenVPN 2.5-beta4 released

2020-09-11 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN
2.5-beta4. Source code and Windows installers can be downloaded from our
download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>

On Red Hat derivatives we recommend using the Fedora Copr repository:

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-beta/>

The 2.5-beta4 release includes important fixes to the Windows MSI
installers, plus some smaller fixes to OpenVPN itself.

OpenVPN 2.5 is a new major release with many new features:

- Client-specific tls-crypt keys (--tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN
data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in --cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option --block-ipv6 to reject all IPv6 packets (ICMPv6)

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:

<https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst>

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net/>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Community bug tracker: <https://community.openvpn.net/>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-devel] Summary of the community meeting (2nd September 2020)

2020-09-02 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 2nd September 2020
Time: 11:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

janjust, lev, mattock and plaisthos participated in this meeting.

---

Talked about OpenVPN 2.5-beta3. There are two known issues in it. The
first one is in the MSI installer:



The second issue manifests itself in the GUI, but is actually tapctl.exe
related (i.e. in the OpenVPN repo):



These need to be fixed.

--

Janjust noticed that (when using OpenVPN 2.5) Networkmanager is set to
ignore any ipv6 settings yet the default ipv6 route is over the VPN.
This seems like a Networkmanager bug, but janjust will investigate a bit
more.

--

Noted that WolfSSL has not responded to our request to provide an easy
fix and it has been 1.5 months now.

--

Plaisthos is working on implementing peer fingerprinting support. This
will also allow doing a quick setup with self-signed certificates without
a CA. Each VPN client will have a fingerprint on the server side, so you
will need to restart the server when you add/remove a client.

--

Full chatlog attached
(12:30:56) mattock2: Hi!
(12:32:15) plaisthos: hey!
(12:33:49) janjust_ [~janjust@2001:610:120:e034::1001] has entered the room.
(12:34:23) janjust_ has left the room (quit: Client Quit).
(12:34:54) mattock2: So: postpone 2.5.0 - thoughts?
(12:35:31) janjust [~janjust@2001:610:120:e034::1001] has entered the room.
(12:35:59) mattock2: There are a few major issues, in openvpn-gui and in MSI
(12:36:03) janjust: morning folks... and I immediately see a nicety of 
openvpn+networkmanager ;)
(12:36:43) mattock2: morning!
(12:36:43) lev__: what is GUI issue
(12:36:58) mattock2: second connection fails
(12:37:19) mattock2: can't recall the gui issue ID
(12:37:20) plaisthos: what is a GUI?
(12:37:24) lev__: ah I think this is not about GUI
(12:37:45) plaisthos: janjust: if we wait for good networkmanager support, we 
can wait another 4 years I guess ;P
(12:37:48) mattock2: yeah  not really, but manifests itself in the gui
(12:37:53) lev__: it is just tap adapters created manually are missing registry 
key "allownonadmin"
(12:38:08) lev__: not sure why/how that regressed
(12:38:39) plaisthos: side note: WolfSSL has now been silent for 1,5 month for 
the quick fix for their OpenVPN support
(12:40:29) mattock2: yep, I recall we agree to not include wolfssl in 2.5 and 
if they continue silence then throw it out completely in 2.6
(12:40:36) lev__: mattock2: https://community.openvpn.net/openvpn/ticket/1321
(12:41:01) janjust: plaisthos yeah I know but I had not expected this: I told 
networkmanager to ignore any ipv6 settings yet my default ipv6 route is over 
the VPN
(12:41:51) lev__: I can look at it unless somebody fixes it first
(12:41:57) lev__: (allownonadmin)
(12:42:10) mattock2: go for it lev
(12:42:10) lev__: (after fixing/mitigating renaming issue)
(12:43:14) mattock2: +1
(12:46:01) mattock2: anyhow
(12:46:24) mattock2: postponing 2.5.0?
(12:46:28) janjust: just wondering about allownonadmin + openvpn interactive 
service etc...  does the gui filter any options before passing them on to the 
iservice?
(12:50:00) lev__: IIRC certain options can only be used by users in Admin group 
or configs in special place
(12:50:51) janjust: ah good
(12:52:46) lev__: yeah, "/* Authorized group who can use any options and config 
locations */"
(12:53:33) plaisthos: janjust: that sounds more like a networkmanager bug than 
anything else
(12:54:31) janjust: plaisthos: I agree and I'll need to test it with the latest 
(git) version of networkmanager before I file a bug report
(12:59:56) plaisthos: short status update: I am working on implementing a 
(13:00:03) plaisthos: 
(13:00:06) plaisthos: fp1
(13:00:07) plaisthos: fp2
(13:00:10) plaisthos: 
(13:00:20) plaisthos: option to pin certificates of the peer
(13:00:45) plaisthos: This will also allow doing a quick setup with self-signed 
certificates without a CA
(13:05:20) janjust: oh sweet! more or less the "pre-shared public key" method
(13:06:35) plaisthos: yeah
(13:06:44) plaisthos: and also allows us to deprecate --secret/static keys
(13:06:57) plaisthos: since from a user perspective it is almost as easy to 
set up
(13:07:31) janjust: throw in TOFU and openvpn is behaving more and more the 
same as SSH ;)
(13:08:46) plaisthos: TOFU?
(13:08:53) plaisthos: ah trust on first usage
(13:09:04) plaisthos: you will still need to do that manually
(13:09:25) plaisthos: but I am making that easy for you since I print the 
fingerprint of the peer in the error message
(13:13:05) janjust: yeah and with SSH it's the client that needs to 

Re: [Openvpn-devel] OpenVPN 2.5-beta3 released

2020-09-02 Thread Samuli Seppänen
Argh yes. Copy-and-paste from the 2.5-beta1 release notes which had that
typo :).

Samuli

On 01/09/20 21:07, Thomas Schäfer wrote:
>> - IPv4-only VPN
> 
> Typo?





[Openvpn-devel] Community meetings in September 2020

2020-09-01 Thread Samuli Seppänen
---

Hi,

Our community meetings will alternate between Wed 11:30 CET and Thu
20:00 CET.

Next meetings have been scheduled to

- Wed 2nd September 11:30 CET
- Thu 10th September 20:00 CET
- Wed 16th September 11:30 CET
- Thu 24th September 20:00 CET
- Wed 30th September 11:30 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli


[Openvpn-devel] OpenVPN 2.5-beta3 released

2020-09-01 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN
2.5-beta3. Source code and Windows installers can be downloaded from



Debian and Ubuntu packages are available in the official apt repositories:



On RedHat derivatives we recommend using the Fedora Copr repository:



This release includes fixes to MSI packaging and client NCP OCP fallback
behavior.

OpenVPN 2.5 is a new major release with many new features:

- Client-specific tls-crypt keys (--tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the
OpenVPN data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in --cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
- IPv4-only VPN

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:



For generic help use these support channels:

Official documentation:

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)





[Openvpn-devel] Help testing OpenVPN 2.5-beta2 driver installation?

2020-08-28 Thread Samuli Seppänen
Hi,

It would be great if somebody would find time to test the following
installer:

https://build.openvpn.net/downloads/releases/OpenVPN-2.5-beta2-I601-amd64.msi

In particular I'd like to know if anyone else has problems installing
Wintun or Tap-windows6. My exact issue is described here:

https://github.com/OpenVPN/openvpn-build/issues/187

At the moment two people have successfully run that installer and one
(me) has failed.

Samuli


PS. The installer has a known, upgrade-related issue as well, but we
already have plans on how to tackle that:

https://github.com/OpenVPN/openvpn-build/issues/188





[Openvpn-devel] Summary of the community meeting (27th August 2020)

2020-08-27 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 27th August 2020
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

becm, cron2, dazo, lev and mattock participated in this meeting.

---

Discussed libpkcs11-helper bundled with the current 2.5-beta1 Windows
installers. The updated patch that was supposedly included in 2.5-beta1
was actually not included at all as file renaming broke patch
auto-detection logic. That is now fixed in the (upcoming) 2.5-beta2
installers.

It was agreed to upgrade pkcs11-helper from version 1.22 to 1.26.0 while
we're at it.

--

OpenVPN 2.5-beta2 was tagged in Git yesterday. Mattock has been working
mostly on tap-windows6 build improvements today, and will wrap up the
OpenVPN 2.5-beta2 release tomorrow. There have been two issues so far:

- Windows MSI EXE wrapper build fails for reasons (yet) unknown
- Ubuntu 20.04 32-bit packages fail to build due to Ubuntu repo issues

Mattock will try to get these resolved, but they're not strictly release
blockers.

--

Noted that the MSI installers have received several improvements since
beta1. Unfortunately it is still possible to mount a sort of local,
unprivileged DoS using "msiexec /fu", even with the recent fixes.

--

Dazo will push out 2.5-beta2 to Fedora Copr as soon as mattock has the
GPG signatures on build.openvpn.net.

--

Agreed that advertising pkcs11-helper fixes/features makes sense to get
wider testing. There have been improvements in several areas such as RSA
padding, RFC7512 fixes and Elliptic Curve support.

--

Discussed enabling IPv6 on community. Noted that part of the hesitation
from the OpenVPN Inc. ops team is related to the fact that Cloudflare
does not allow turning off IPv6 if you turn it on, and the switch is
always domain-wide (openvpn.net).

That said, the ops team will contact Cloudflare and ask if they would
allow testing IPv6 support safely, that is, grant us a backpedaling
option if things go awfully bad.

While waiting, Cloudflare has been turned off on community.openvpn.net.

--

Talked about discontinuing 32-bit Windows installer support. Decided to
get some download numbers for our installers to figure out if that is
realistic.

--

Full chatlog attached
(20:58:25) mattock: hello
(20:58:33) cron2: hiya
(21:00:21) lev__: good evening
(21:00:22) dazo: hey!
(21:00:59) becm: evening
(21:01:42) cron2: do we have an agenda?
(21:02:03) mattock: I have one topic
(21:02:11) cron2 has set the topic: Agenda at 
https://community.openvpn.net/openvpn/wiki/Topics-2020-08-27
(21:02:35) mattock: libpkcs11-helper -> 1.22.6 upgrade is fine to all?
(21:02:41) mattock: sorry
(21:02:44) mattock: 1.26.0
(21:02:44) cron2: wfm
(21:02:51) mattock: in windows installers
(21:03:02) mattock: 1.22 -> 1.26.0
(21:04:39) becm: can do tests if a binary is available (sample size: 1 token)
(21:04:52) dazo: I don't see anything worrying, as long as the patch we need 
applies
(21:05:29) cron2: becm: test reports of beta2 with that change would be very 
much appreciated (as soon as the installer is out)
(21:06:12) becm: mattock: was the "patch fix" the revert of the patch rename?
(21:06:45) mattock: yes
(21:06:52) mattock: the patch applied with some offset
(21:07:02) becm: as expected.
(21:08:00) becm: only way to avoid this would be to use the current pull 
request in pkcs11-helper
(21:09:18) becm: or wait until Fedora gets 1.26 into "official" state 
(https://bugzilla.redhat.com/show_bug.cgi?id=1849259)
(21:09:19) vpnHelper: Title: 1849259 pkcs11-helper-1.26 is available (at 
bugzilla.redhat.com)
(21:10:41) dazo: I expect it might take a little time before 1.26 is upgraded 
in Fedora; I suspect that to first go into the next major release (unless the 
upgrade does not break ABI) ... and there's lots of focus on F33 currently, it 
got branched out some weeks ago
(21:13:08) mattock: ok so what is the conclusion?
(21:13:14) mattock: I do have MSIs with 1.26.0
(21:13:24) mattock: I can rebuild them with 1.22 if we wish so
(21:13:26) cron2: not sure what Fedora has to do with windows release
(21:13:32) cron2: go for 1.26 :)
(21:13:39) mattock: I guess "some extra testing"
(21:13:42) mattock: fine by me
(21:13:47) mattock: this is a beta release anyways
(21:13:55) mattock: :D
(21:14:02) cron2: yep.  get this out to testers, and then we can see
(21:14:05) dazo: cron2: we pick a patch fixing some pkcs11-helper issues from 
Fedora (it's not strictly Fedora related) which we patch for the Windows build
(21:14:32) cron2: o-kay
(21:14:43) dazo: cron2: there's some resistance from the pkcs11-helper to add 
that particular fix, but no alternative has been applied
(21:16:53) mattock: mkay
(21:16:56) mattock: 1.26 it is
(21:17:17) mattock: I was trying out the EXE 

[Openvpn-devel] Summary of the community meeting (19th Aug 2020)

2020-08-19 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 19th August 2020
Time: 11:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

becm, cron2, dazo, lev, mattock, ordex and plaisthos participated in
this meeting.

---

Talked about WolfSSL. Agreed that we cannot merge the WolfSSL patches to
release/2.5 branch with their current commitment level. We will merge
them to "master" and if they keep maintaining their patches actively
they will get merged into release/2.6 when the time comes. If not, we
will just have to throw out the patchset before the 2.6 release.

--

Talked about OpenVPN 2.5-beta2. Set the release date to next Wednesday
(26th Aug). It should include the following fixes:

tun.c: enable using wintun driver under SYSTEM
- https://patchwork.openvpn.net/patch/1395/

Fix client's poor man NCP fallback
- https://patchwork.openvpn.net/patch/1386/

Upgrade pkcs11-helper in MSI installers to 1.26.

Fix MSI behavior:  apparently current installer is programmed to invoke
"msiexec /repair" first time when user logs in, and it doesn't really
work well with drivers installations as it results in connection
interruption and installation prompts. Lev is discussing this with rozmansi.

Fix tap-windows6 installation on Windows 10 ARM64. It does not seem to
work. Mattock will provide install logs to rozmansi for debugging.

--

Discussed enabling IPv6 on community. Noted that krzee has spent
considerable time trying to reproduce the issue that raidz claimed had
happened "the last time" IPv6 was enabled in Cloudflare. As memories of
the original incident are very vague it is impossible to figure out if
the problem persists, or is not present/relevant anymore. Moreover,
Cloudflare only allows turning IPv6 on/off on a per-domain basis (e.g.
openvpn.net), which makes the switch scary as completely unrelated
infrastructure could break or start misbehaving. Mattock and krzee will
bring this up again in the internal ops meetings.

--

Full chatlog attached
(12:37:32) dazo: Meeting time?
(12:37:32) plaisthos: yes!
(12:37:32) lev__: hello
(12:37:32) dazo: if ordex and mattock appears now  then the whole company 
is gathered before the community :-P
(12:37:32) ***ordex is here
(12:37:32) ordex: will try to stick around for the whole hour
(12:37:32) ***: Playback Complete.
(12:37:36) mattock: hello!
(12:37:51) plaisthos: company meeting in the open :P
(12:38:59) dazo: oh, there you are, mattock!
(12:39:20) dazo: anyone heard from cron2 or syzzer?
(12:39:37) dazo: or syzzer colleague?
(12:39:49) mattock: nope
(12:40:55) becm [~b...@port-92-196-115-87.dynamic.as20676.net] has entered the 
room.
(12:41:06) dazo: cron2 is usually quite reliable to arrive at these meetings, 
so I expect something might have come up distracting him
(12:41:10) mattock: yep
(12:41:19) mattock: so, shall we talk about 2.5-beta1?
(12:41:25) dazo: yeah ... 
(12:41:33) dazo: any feedback so far?
(12:41:52) mattock: not really, which is a "good thing"(tm)
(12:42:02) dazo: I've seen some windows/wintun discussions  ... but not much 
more
(12:42:04) lev__: MSI issues on Win7, but!
(12:42:06) mattock: yeah
(12:42:23) plaisthos: there is the one NCP issue that wiscii reported
(12:42:30) plaisthos: and that has a fix on the ML
(12:42:38) lev__: I collected logs and contacted rozmansi, he said he knows 
what is wrong and will release a fix
(12:43:49) lev__: apparently current installer is programmed to invoke "msiexec 
/repair" first time when user logs in, and it doesn't really work well with 
drivers installations
(12:44:12) lev__: which results in connection interruption and installation 
prompts
(12:45:11) dazo: I do see the Copr repository gets some attention too ... 
mostly EPEL users and F32 ... I announced the beta in the Fedora devel mailing 
list too, but no response to that mail (other than increased Copr numbers)
(12:45:30) mattock: lev: there is also probably a problem with tap-windows6 + 
arm64
(12:45:36) becm: mattock: any plans to get the pkcs11-helper version bump into 
Win-releases so we can blame beta testers if it breaks something?
(12:45:38) mattock: I did not have time to really look into it
(12:45:50) lev__: also I managed to break running openvpn under SYSTEM without 
iservice (just removed the code together with elevation hack), but fix is 
already on ML 
(12:46:23) mattock: becm: to what version?
(12:46:31) dazo: Can we manage to get these changes reviewed and have a beta2 
out on Friday?
(12:46:39) dazo: or should we aim for rc1?
(12:47:40) mattock: mmm
(12:48:12) becm: mattock: as far as i can tell, we'd want 1.26 to include the 
"PSS padding fix"
(12:48:39) lev__: I think we need MSI fix for beta2
(12:49:19) mattock: yeah, I'd like to minimize the number of 

[Openvpn-devel] OpenVPN 2.5-beta1 released

2020-08-14 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN
2.5-beta1. Source code and Windows installers can be downloaded from



Debian and Ubuntu packages are available in the official apt repositories:



On RedHat derivatives we recommend using the Fedora Copr repository:



This is a new major release with many new features:

- Client-specific tls-crypt keys (--tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the
  OpenVPN data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in --cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
- IPv4-only VPN

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:



For generic help use these support channels:

Official documentation:

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)




signature.asc
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] Summary of the community meeting (13th August 2020)

2020-08-13 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 13th August 2020
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock and wiscii participated in this meeting.

---

Talked about OpenVPN 2.5-beta1.

Mattock is inching the release forward. Debian and Ubuntu packages have
already been built and they're in the apt repos.

Agreed that the pkcs11-helper Fedora patch should go into the Windows
installers:




Mattock will make a static copy of it (to avoid refactoring openvpn-build).

Tentative OpenVPN 2.5-beta1 release time (for tarballs and Windows
installers) is tomorrow (Friday) around lunch time.

---

Noted that we now have Ubuntu 20.04 packages of OpenVPN 2.5-beta1
available. Also noted that we will no longer provide OpenVPN packages
for Ubuntu 14.04 and Debian 8 due to OpenSSL incompatibility. The former
is EOL and the latter does not have mainstream support anymore.

---

Talked about buildslaves. Noted that the Ubuntu 14.04 buildslave was
taken out (EOL). Also agreed that we can drop the CentOS 6 buildslave as
its EOL is only a few months away and supporting it in Buildbot would be
quite hard for a number of reasons.

Agreed that we should (soon) start building three branches in Buildbot:

- release/2.4 (present already)
- release/2.5 (not present yet)
- master (present already)

Agreed to drop "release/2.4" builds once 2.4 is "unsupported", which is
about 18 months from the time of 2.5.0 release. If there are major
issues in keeping "release/2.4" builds going then we can reconsider that
choice.

--

Full chatlog attached
(21:00:22) cron2: yay, meeting
(21:02:30) mattock: hello!
(21:04:26) wiscii [~tct@unaffiliated/slypknot] entered the room.
(21:05:56) mattock: anyone else?
(21:06:03) dazo: hey!
(21:06:06) cron2: ho!
(21:06:27) mattock: hi!
(21:06:42) wiscii: hi
(21:07:41) mattock: let me give a quick update on 2.5-beta1 release status
(21:07:49) mattock: so, I'm inching the release forward
(21:07:49) cron2: wohoo, 2.5!
(21:08:23) mattock: "inching" because $child is home because she has had 
running nose since last Thursday -> no kindergarten -> childcare shifts -> ~3 
hours of effective working time per day
(21:08:34) mattock: Debian / Ubuntu packages are done and in the repo
(21:08:47) mattock: Windows installers are work in progress
(21:08:55) mattock: but the process was tested earlier, so it "should work"
(21:09:03) mattock: meaning "release tomorrow before lunch" is reasonable
(21:11:01) dazo: I can spin up a new beta RPM/YUM/DNF repo tonight/tomorrow for 
beta releases
(21:11:42) mattock: oh, minor update: we also have Ubuntu 20.04 packages now 
which wiscii kindly tested
(21:12:04) wiscii: also works on 2010 groovy gorilla !
(21:13:02) cron2: sounds good
(21:13:36) mattock: \o/
(21:14:26) mattock: one related note
(21:14:38) mattock: I dropped Debian 8 and Ubuntu 14.04 packages (OpenSSL 
issues)
(21:15:00) cron2: is debian 8 still supported?
(21:15:09) mattock: to some degree possibly
(21:15:39) mattock: but if the target machine does not have openssl 1.0.2 
(unlikely) then having an openvpn package for would possibly be pointless
(21:15:41) cron2: The Debian Long Term Support (LTS) Team hereby announces that 
Debian 8 jessie support has reached its end-of-life on June 30, 2020, five 
years after its initial release on April 26, 2015.
(21:15:42) mattock: we're at debian 10 now
(21:15:52) wiscii: my deb8 VM won't work right under vbox so i hoofed it out
(21:16:04) wiscii: yep deb10 is good
(21:17:03) dazo: Debian 8 is in extended LTS  which is a commercial 
offering only
(21:17:06) dazo: https://wiki.debian.org/LTS/Extended
(21:17:07) vpnHelper: Title: LTS/Extended - Debian Wiki (at wiki.debian.org)
(21:17:30) mattock: yep I saw something along those lines
(21:17:45) dazo: I'd say we can drop Debian 8 ... The standard EOL was reached 
in June
(21:17:53) mattock: +1
(21:18:11) mattock: and people who really need openvpn on debian 8 can still 
compile it
(21:18:20) mattock: it should not be too horrible to do
(21:18:24) mattock: though I could be wrong :)
(21:19:05) dazo: Ubuntu 16.04 is supported, until April next year; I'd say that 
can be on 2.4 ... 14.04 is EOL
(21:19:41) dazo: For RHEL, we have put EL-6 on the 2.4 only; 2.5 will be for 
EL-7 and EL-8
(21:20:01) dazo: (EL-6 goes EOL in November this year)
(21:21:05) dazo: mattock: well, for Debian 8 ... it might be challenging if the 
openssl library is too old
(21:21:26) mattock: if it is anything like ubuntu 14.04 then I agree :D
(21:21:28) mattock: such a pita
(21:21:45) mattock: while 

[Openvpn-devel] Community meetings in August 2020

2020-08-13 Thread Samuli Seppänen
Better late than never, I suppose :).

---

Hi,

Our community meetings will alternate between Wed 11:30 CET and Thu
20:00 CET.

Next meetings have been scheduled to

- Thu 13th August 20:00 CET (forgot to send the invite)
- Wed 19th August 11:30 CET
- Thu 27th August 20:00 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli


Re: [Openvpn-devel] MSI Installer: Add .ovpn file

2020-08-03 Thread Samuli Seppänen
Hi,

I have not developed the MSI installer and know only the basics about
MSI. Simon Rozman (rozmansi) is the right person to ask about this.

That said, I think using a "Merge Module" might be the way forward. The
tap-windows6 "installer" is implemented as such (MSM).

Samuli

On 30/07/20 11:21, Robert Grätz wrote:
> Hello,
> 
> I am very happy that 2.5 will be hopefully soon released.
> 
> I want to integrate my config file inside the msi installer. I think
> that romansi mentioned that there will be a proper solution for this
> issue. Are there any news or documentation yet? I tried something with
> Microsoft Orca [1], but it doesn't work yet.
> 
> Best regards
> 
> Robert
> 
> 


[Openvpn-devel] Updated GPG key for OpenVPN 2.x apt repositories

2020-07-28 Thread Samuli Seppänen
Hi,

Many of you may have noticed that the GPG key that was used for signing
our apt repositories had expired a few days ago. I updated the keys and
pushed them to our download server.

Instructions for renewing the GPG key are available here:



Best regards,

Samuli




Re: [Openvpn-devel] summary of the community meeting @ 2020-07-22

2020-07-27 Thread Samuli Seppänen
Wow, a summary that was not written by me :).

Thanks Gert!

On 22/07/20 13:44, Gert Doering wrote:
> Good morning,
> 
> we had a nice meeting today, and here's the summary and chatlog:
> 
>  - 2.5 release is nicely taking shape, most features are in, and the
>    code in master is very well tested already
> 
>  - we agree on renaming --ncp-ciphers to --data-ciphers, to make clear
>    that this is not a debugging aid anymore but "the!" control switch
>    to set (to-be-negotiated) data channel ciphers in the future.
> 
>  - we broke WolfSSL with the "nonconditional AEAD" patch, which was
>    unintended but "we really require AEAD in 2.5 to be always available"
> 
>  - remaining bugs/warts for "must be in 2.5.0!" are to be tracked in TRAC
>    with "milestone 2.5.0"
> 
>    - warts that are slightly annoying but not as urgent get set to
>      "milestone 2.5.1" ("fix after initial release")
> 
> 
>  - tentative release schedule (which looks doable)
> 
>    * 2.5_beta1 on August 05
>    * 2.5.0 on September 10
> 
> 
> 
> Slightly redacted chatlog:
> 
> 11:31 < ordex> aloha
> 11:32 < dazo> \o/
> 11:33 -!- dazo changed the topic of #openvpn-meeting to: Agenda at https://community.openvpn.net/openvpn/wiki/Topics-2020-07-22
> 11:35 < cron2> and indeed there it is :-)
> 11:36 < cron2> I've put a few things on the agenda so we can decide how to move onwards
> 11:36 < dazo> lets start on the top :)
> 11:36 < cron2> first, thank you all for amazing work in the last weeks - we're in pretty good shape for the release (though some odd corners remain)
> 11:36 < ordex> yeehaaa!
> 11:37 < cron2> I totally love my newfound understanding of the plugin APIs :-)
> 11:37 < cron2> next thing: decided on "do we want to rename ncp-ciphers to data-ciphers" - this is a bit more than "just code review", which is why I put it here
> 11:38 < cron2> the patch is fine, and it also accepts the old option as compat alias, so it won't break anything
> 11:38 < ordex> imho, it makes the real goal of the directive more clear
> 11:38 < ordex> to the users and to us
> 11:38 < cron2> "the new real goal" :-) - but yes, I agree
> 11:38 < plaisthos> ncp-ciphers was a good and fitting name when it was introduced and --cipher was still king of the hill
> 11:39 < dazo> yeah, I agree to the renaming --ncp-ciphers ... NCP itself is more a technical detail which users don't really need to care about ... --data-ciphers describes better what it does
> 11:39 < ordex> yap yap, what dazo says
> 11:39 < ordex> ncp is really an "under the hood detail"
> 11:39 < plaisthos> but moving forward (esp. when my ncp v2.5 patch gets in), data-ciphers is only thing that remains
> 11:40 < cron2> good :-) - nobody objects, make it so (I'll review, ACK, merge later)
> 11:40 < dazo> I would probably prefer to see a INFO (or WARNING?) when --ncp-ciphers is used, educate them to move to --data-ciphers so we in can remove --ncp-ciphers in the future and only have --data-ciphers
> 11:40 < cron2> you need to excuse me for ~10 minutes - family business (collision, unavoidable)
> 11:42 < plaisthos> dazo: I don't think we should remove ncp-ciphers
> 11:42 < dazo> why?
> 11:43 < plaisthos> it is an alias that does not complicate code and giving people the opportunity to have config that are also compatible with 2.4 is more important than forcing people to a bit nicer sounding option
> 11:43 < ordex> true, but we also don't want to carry legacy things for decades, no ? I think it would be nice to get rid of it at some point? like any other deprecated option
> 11:43 < dazo> Right, I'm not saying removing NOW ... But more in line of 2.8 or something like that ... but that we already now just add a INFO/WARN to tell users to switch to --data-ciphers whenever --ncp-ciphers is spotted
> 11:44 < plaisthos> dazo: as compromise, we can keep it around as long as we kept udp-mtu as an alias for tun-mtu ;)
> 11:44 < ordex> from the user perspective, there is no difference between ncp-cipher and any other option we deprecate, I think >
> 11:44 < ordex> ?
> 11:44 < ordex> :D
> 11:44 < plaisthos> udp-mtu is an alias for link-mtu, sorry
> 11:44 < dazo> I was not aware of udp-mtu at all
> 11:45 < plaisthos> see
> 11:45 < plaisthos> ncp-cipher will fall out of use eventually anyway
> 11:45 < ordex> hehe
> 11:45 < plaisthos> and both data-ciphers and ncp-ciphers are not as necessary as --cipher
> 11:45 < plaisthos> since they will always have good defaults
> 11:46 < 

[Openvpn-devel] Summary of the community meeting (2nd July 2020)

2020-07-02 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 2nd July 2020
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, krzee, lev, mattock and plaisthos participated in this meeting.

---

Talked about the status of OpenVPN 2.5:



OpenVPN 2.5 MSI installers are available for wider testing now:



They seem to work on all platforms except Windows 10 ARM64 which has
driver installation issues. These issues may be caused by bad packaging,
or be genuine issues in the MSI installer code. Mattock will look into
it. Agreed that we should underline the fact that Wintun driver is
present in the MSI installers.

Talked about async-cc. Much of the code is in multi.c, which is a
tangled mess of magic. Plaisthos is not sure that his patches are
correct, so it will be looked into by him, cron2 and/or ordex. It was
noted that the band-aid fixes made by lev work ok, but regardless may
not be correct.

The man-page patch also still needs some work.

Besides the above there's not really any work left for OpenVPN 2.5

That said, due to vacations and all that we may have to postpone the
first release post mid-August.

---

Talked about automating MSI installer generation. Mattock will try to
get it done tomorrow.

--

Talked about having krzee participate in the maintenance of community
servers. Nobody was opposed, but we want to talk to ecrist as well.

Krzee is also working on fixing the IPv6 issues with community atm.

---

Agreed to follow our usual meeting schedule in July. Mattock will send
out the invites and setup the topic pages, even though he won't be
attending the meetings due to his vacation.

--

Full chatlog attached


(21:00:29) cron2: so!
(21:00:37) lev__: guten aben
(21:02:59) krzee: moinmoin
(21:03:00) mattock: hi!
(21:04:17) plaisthos: moin
(21:05:06) cron2: mattock: we need an agenda page!
(21:05:32) mattock: scheisse
(21:05:34) mattock: just a sec
(21:05:37) krzee: cron2, ive never used ipv6 really but i understand our domain 
being on CF is not favored because no ipv6 on there yet, i plan on looking in 
to fixing stuff to work properly when ipv6 is enabled there. are there any 
issues with us using CF on openvpn.net when ipv6 is working?
(21:05:43) lev__: schneller!
(21:06:15) cron2: krzee: I have no issue with CF... I totally fail to 
understand why someone went to the effort to turn *off* IPv6 on CF, which is 
now on-by-default
(21:06:50) ***plaisthos knows some of the ops team people and better keeps 
silent
(21:06:56) krzee: it broke some stuff, but that will be fixable
(21:07:12) krzee: i plan on fixing it
(21:07:13) cron2: I do not care too much about the corp web sites, but I am 
fully convinced that all community web sites MUST have IPv4 and IPv6
(21:07:16) cron2: thanks :-)
(21:07:36) cron2: and yes, enabling IPv6 used to break things, which is why you 
enable it, and then fix what is broken
(21:07:49) krzee: np, just wanted to be sure that my fix isnt pissing in the 
wind, that we're ok with CF once ipv6 is good on it
(21:08:20) cron2: mattock had some issues with CF and caching when we had to 
re-upload an installer file with a changed checksum - but I understand that 
this is "under control" now
(21:08:57) krzee: the double cache is annoying, for swupdate i made a jenkins 
script that corp people can run
(21:09:15) cron2: (if you ask me "would you put your personal web page on CF", 
the answer is no, because I have issues with the whole anti-ddos mafia - but I 
will not object or complain about openvpn stuff using CF)
(21:09:22) krzee: dazo def knows about the job, not sure if samuli does tho
(21:09:55) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-07-02
(21:10:15) krzee: also if there was private data going to openvpn.net i would 
be able to agree with CF being an issue, but we google index it all anyways so 
:shrug: there
(21:10:47) cron2: krzee: thanks for caring, and working on it.
(21:10:57) mattock: another meeting ended, now I have focus
(21:11:21) cron2: is dazo coming?
(21:11:54) mattock: I do not know
(21:11:57) lev__: he is on vacation, but let's see
(21:12:08) cron2: mmmh.
(21:12:14) krzee: yw :)
(21:12:15) mattock: so, shall we go through 2.5 status or what?
(21:12:41) cron2: I would say "quick update" (like 1-2 lines), and then big 
discussion on the way forward with async-cc
(21:13:00) mattock: MSI: works, except that arm64 seems to have tap-windows6 
problems
(21:13:17) cron2: "my" things are in :-) - and I want to work a bit on 
windows/netmask issues and help dazo with the manpage.  Plus, merge what comes 
up.
(21:13:18) mattock: not sure what the issue is - is it the 

[Openvpn-devel] Community meetings in July 2020

2020-07-02 Thread Samuli Seppänen
Hi,

Our community meetings will alternate between Wed 11:30 CET and Thu
20:00 CET.

Next meetings have been scheduled to

- Thu 2nd June 20:00 CET (forgot to send the invite)
- Wed 8th July 11:30 CET
- Thu 16th June 20:00 CET
- Wed 22nd June 11:30 CET
- Thu 30th June 20:00 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli


[Openvpn-devel] OpenVPN 2.5 MSI installers for Windows available

2020-07-02 Thread Samuli Seppänen
Hi,

For anyone who is interested: here are MSI installers for OpenVPN 2.5:




They have been lightly tested and "seem to work" on Windows 7, Windows
10 and Windows Server 2016. Windows 10 on ARM64 fails in driver
installation, but we're looking into it.

OpenVPN comes with a number of big and small changes. Probably the most
authoritative list is the "Must have" section here:



The MSI installers bundle both tap-windows6 and wintun[1] drivers. If
you want to try out wintun add

  windows-driver wintun

to your config file. As the name implies wintun will only work in tun mode.

If you encounter any issues with the installer please let us know!

Samuli

[1] 





[Openvpn-devel] Summary of the community meeting (24th June 2020)

2020-06-24 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 24th June 2020
Time: 11:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, plaisthos and uip participated in this meeting.

---

Talked about the status of OpenVPN 2.5:



Ordex promised to have a look at the async-cc patches this week.
Plaisthos, dazo and cron2 will follow-up on the review comments to get
them resolved quickly.

OpenVPN 2.5 MSI looks surprisingly good. Mattock was able to produce
tap-windows6 MSM ("merge module") which he then used to produce OpenVPN
2.5-based MSI installer. The only significant challenge is adding
code-signing support to openvpn-build/generic.

Automating MSI builds also seems easier than expected, given that the
existing openvpn-build buildslave can perform the actual build and push
the artifacts to the Windows packager, which can then build and push the
results to build.openvpn.net.

Code-wise 2.5-alpha1 is in a good shape, mainly missing

- compression
- async cc
- VRF (which is quite trivial)

The auth-token fixes are corner-cases and it was agreed that that can be
resolved between 2.5-alpha1 and 2.5-beta1.

---

Talked about moving 2.3 into "oldstable" support mode. Previously we had
agreed to do that when 2.3.19 was released. However, 2.3.18 was released
a long while ago and there's nothing queued for 2.3.19. So it was
decided to move 2.3 to "oldstable" now instead of later.

---

Talked about starting the deprecation of "--ncp-disable". The idea is
that --ncp-disable has been mostly a debug feature and as we move
forward and want to be able to manage VPN security more from server
side, we want to abandon the possibility to ignore NCP.

This is tied with deprecation of --cipher for everything except p2p:

https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20062.html

Uip will bring these topics up with syzzer a.s.a.p.

---

Talked about OpenVPN 2.6. There are several things that are 2.6 material:

- Kernel acceleration module (client-side only beta ~next week)
- Work related to "making DNS handling nice"

It is possible that we'd also need to postpone the --ncp-disable and
--cipher changes.

However, it was agreed that doing a "quick" 2.6 release in, say, early
2021 is doable. It was also agreed that supporting both 2.5 and 2.6 as
"stable" for a while would be acceptable, as the changes would be mostly
in OpenVPN and the same release and automation tooling could be used for
both.

---

Talked about our use of IV_*. Agreed that rather than having tons of
IV_FOO=1 options IV_PROTO should be considered a wire-protocol-only
64-bit mask field and IV_FEAT would be a new 64-bit mask field
indicating which features the local side supports.

OpenVPN will need to handle a remote side not providing IV_FEAT.
Default behaviour when this field is missing must be documented.
IV_FEAT should be sent by OpenVPN 2.6 and newer. This approach allows
easier deprecation of features as well.

--

Full chatlog attached
(12:29:37) cron2: oh, a rare guest :-) - good morning uipko
(12:30:10) uip: morning
(12:30:21) dazo: hey!
(12:30:46) uip: trying to join the meetings more often
(12:31:59) dazo: that's great!
(12:32:34) plaisthos: hey
(12:32:39) lev__: hello
(12:32:52) uip: probably mainly reading/listening most of the time ;)
(12:33:56) cron2: oh, feel free to take over and tell us what to do :-)  
(poking ordex and looking for lev__ ever so often starts to get boring)
(12:34:46) cron2: where is ordex anyway? :)
(12:35:09) dazo: Good question! :)
(12:35:36) mattock: hi!
(12:36:39) mattock: 2.5 updates first?
(12:37:11) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-06-24
(12:37:13) vpnHelper: Title: Topics-2020-06-24 – OpenVPN Community (at 
community.openvpn.net)
(12:37:32) cron2: first things first, and that's topic #1 :-)
(12:37:54) dazo: :)
(12:38:07) lev__: I will reply to plaisthos mail about optional compression, 
rebase my "fix some warnings" patch and write a test script/suite for testing 
async-cc (with the help of openvpn inc qa guy)
(12:38:24) dazo: So #1 means 
https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25  :)
(12:38:25) vpnHelper: Title: StatusOfOpenvpn25 – OpenVPN Community (at 
community.openvpn.net)
(12:38:32) lev__: sorry, was busy lately with corp stuff and midsommer 
celebration
(12:38:58) dazo: corp/kernel module stuff ;-)
(12:39:25) cron2: lev__: happy dance :-)
(12:40:32) dazo: ordex promised to have a look at the async-cc patches this 
week.  plaisthos and I can follow-up on review comments, to get them resolved 
quickly
(12:41:20) cron2: I expect that this will be somewhat more work than "just 
review comments" 

[Openvpn-devel] Summary of the community meeting (18th June 2020)

2020-06-18 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 18th June 2020
Time: 20:00 CEST (19:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

becm, cron2, dazo and mattock participated in this meeting.

---

Talked about the status of OpenVPN 2.5:



Cron2 will continue merging plaisthos' patches, then look at
tap-and-netmask-and-IPv6 issues on windows and then the VRF patch.

No progress was made on reviewing the man-page patches. Dazo has some
additions in the pipeline for it already.

Mattock was able to produce a tap-windows6 MSM (~installer) today, so he
will move forward by creating the OpenVPN MSI installers.

---

Talked about automating OpenVPN MSI builds. The current Vagrant setup
has a linux VM for producing the build artifacts (with openvpn-build).
Those artifacts are then shared via Samba on the Windows packaging host,
which then produces the MSI packages. So the automation difficulty
factor is bigger than with our current "cross-compile on Linux with
openvpn-build" approach.

Mattock will gauge the difficulty of automating the MSI build process
after he has a good grasp of the process.

---

Froze the feature set of OpenVPN 2.5. The ones on "must have" list now
will be delivered, everything else will be postponed:



---

Talked about pkcs11-helper patching and upgrade for Windows installers:




One option is to upgrade from 1.22 to 1.23 and use the latest Fedora
patch. We could also move directly to 1.26 - the patch does apply with
some offset warnings and building pkcs11-helper still works.

Dazo sent email to fedora-devel mailing list and ask why Fedora is still
using / is stuck on pkcs11-helper 1.22. Meanwhile mattock will produce
OpenVPN 2.5 Windows installers that bundle 1.26 with the latest Fedora
patch.

Also noted that we can release updated pkcs11-helper in a 2.4.x Windows
installer release if the new version looks solid.

--

Full chatlog attached
(21:07:36) mattock: did everyone fall asleep already? :)
(21:08:04) cron2: 2.5 first :-)
(21:08:10) dazo: Perhaps tie this with 
https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25
(21:08:12) vpnHelper: Title: StatusOfOpenvpn25 – OpenVPN Community (at 
community.openvpn.net)
(21:08:20) mattock: I can start
(21:08:23) cron2: I've merged 3 of 5 from the plaisthos patchset, and then got 
distracted by workers in the house (finished now)
(21:08:27) mattock: ok go ahead
(21:09:02) cron2: so, merge the remaining two, then go and look for 
tap-and-netmask-and-IPv6 issues on windows, and the VRF patch
(21:09:17) cron2: ordex is moving to a new flat this week, so, busy
(21:09:23) dazo: yeah
(21:09:41) cron2: lev__ is still missing
(21:09:45) dazo: cron2: did you have a chance to look at the man page stuff?  
Or should I just start to send patches to the ML?
(21:10:18) cron2: dazo: only the look from last week, no thorough review yet
(21:11:06) dazo: I see there might be some man page updates in the queue as 
well ... so this needs some careful coordination to ensure those additions 
doesn't get lost
(21:12:18) cron2: I won't merge any man-page related stuff
(21:14:08) cron2: anything from wiscii yet?
(21:14:15) dazo: nope
(21:14:48) dazo: Only that he forgot to checkout the right git branch ;-)
(21:15:17) cron2: oh, and that gitlab kicked him, right :)
(21:16:56) cron2: so, mattock, how's 2.5 coming along?
(21:17:02) dazo: ahh, right ... for the pull-req ... well, I'm willing to grab 
patches sent to the mailing list
(21:17:06) mattock: quick update from me: I was able to produce a tap-windows6 
MSM (~installer) today, so I will continue with the MSI installer
(21:17:35) cron2: can you - if it succeeds - integrate it into buildbot so we 
can get msi snapshots of "master"?
(21:17:44) dazo: +1
(21:17:55) mattock: good luck with that
(21:18:09) mattock: might be possible, assuming the Microsoft signing service 
has an API
(21:18:16) mattock: well
(21:18:20) mattock: for openvpn, maybe
(21:18:35) cron2: oh, .msi needs to be signed by microsoft?
(21:18:38) mattock: it will be tricky because MSI packaging will happen on a 
Windows host
(21:18:52) ***cron2 trusts mattock's insane windows python scripting abilities
(21:19:07) cron2: (talking about openvpn.msi, not tap6.msm, yes)
(21:19:12) dazo: hmmm pity
(21:19:17) mattock: I mean, I would love to automate it, but it will be even 
more challenging the openvpn-build/windows-nsis
(21:19:27) mattock: s/the/than
(21:19:48) cron2: I am full of trust that you will do this excellently!
(21:19:50) mattock: doable, but I would 

[Openvpn-devel] Summary of the community meeting (10th June 2020)

2020-06-10 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 10th June 2020
Time: 11:30 CEST (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock, ordex, plaisthos and uip participated in this meeting.

---

Talked about deprecating net30 topology. Agreed that in 2.5 we should
print a deprecation and warning:

"Topology net30 support will be removed in a future release. Please
migrate to topology subnet as soon as possible"

The client-side code is less harmful, so it can stay a bit longer than
the server-side code.

Noted that there are ways to work around lack of net30. Also agreed that
we should document those workarounds.

---

Had a lengthy discussion about deprecation/removal of obsolete options.
An option that was brought up was having "config levels" which would set
reasonable, modern defaults for several settings. The config level would
have to be defined explicitly by the user and the actual defaults would
not be touched.

Nobody was opposed to cron2's suggestion, which was "write up a list,
agree on what the goal should be, and whether we can get there with
negotiations or not".

---

Talked about the release schedule for OpenVPN 2.5. Agreed that given how
far we are now releasing 2.5-beta1 on 30th June is doable, followed by
2.5-rc1 on 3rd August. The 2.5.0 release would happen around 15th August.

---

Talked about dazo's man-page patches. The man-page is now split into
multiple sections:



Options in each section are currently sorted alphabetically. As the next
step we need to get people to review the section contents and the order
of the items to make sure they make sense.

---

Noted that the IPv6-only patchset is now merged.

Also noted that cron2 will merge the non-SSO patches "really soon now".

--

Full chatlog attached
(12:28:01) ***uip says hi!
(12:29:09) dazo: hey!
(12:29:47) cron2: ho
(12:31:05) ordex: hi
(12:31:18) mattock: hi!
(12:32:39) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-06-10
(12:32:41) vpnHelper: Title: Topics-2020-06-10 – OpenVPN Community (at 
community.openvpn.net)
(12:33:17) ordex: revised timeline!
(12:33:43) cron2: I have updated the StatusOf25 (or how it is called) page with 
a new proposed timeline
(12:33:51) cron2: discuss and agree or not :-)
(12:33:58) plaisthos: hey
(12:34:33) plaisthos: net30 deprecation, no problem for me
(12:34:54) plaisthos: It is hack anyway
(12:34:58) mattock: https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25
(12:34:59) vpnHelper: Title: StatusOfOpenvpn25 – OpenVPN Community (at 
community.openvpn.net)
(12:35:27) dazo: I don't think we can remove net30 ... it will break an 
incredible amount of configs, as that has been the default since at least 2.0
(12:35:53) cron2: my idea was
(12:35:56) dazo: I agree to deprecate it, maybe even switch to subnet as 
default ... but I don't think we can remove it easily
(12:36:04) cron2:  - announce depreciation for 2.6 now
(12:36:18) cron2:  - but leave it "as it is" in 2.5, except for a warning 
message
(12:36:53) cron2: changing the default alone won't really do much good, as we'd 
still have to maintain all the special cases
(12:37:14) ordex: I agree with this plan
(12:37:34) dazo: Don't get me wrong, it would be good to see it gone.  I'm even 
open to accept that certain features won't work with net30 ... but I fear 2.6 
might be too early to see it gone
(12:37:40) cron2: we might decide to only depreciate it - and only remove it - 
for the server side initially
(12:38:07) ordex: if we add the warning now..we give people at least another 
year before it will break
(12:38:09) plaisthos: we have to deprecate it if we want to remove it 
(12:38:09) dazo: what is the challenge with net30 today?
(12:38:20) plaisthos: messy 
(12:38:27) dazo: yes, deprecate should be done
(12:38:27) ordex: legacy stuff that has no real reason to exist ? :D
(12:38:34) cron2: switch (pool->ipv4.type)
(12:38:37) cron2: case IFCONFIG_POOL_30NET:
(12:38:39) cron2: case IFCONFIG_POOL_INDIV:
(12:38:41) plaisthos: we also need something that sets better defaults
(12:38:57) plaisthos: we have a lot defaults that do not make sense today 
anymore
(12:39:07) cron2: dazo: it affects how pools are handled, and that is quite a 
bit of senseless code in pool.c
(12:39:17) cron2: plaisthos: yeah
(12:40:13) cron2: tun.c is actually fairly harmless, so we can keep the client 
side of net30 around for longer
(12:41:05) plaisthos: even with pool code gone you can do it manually with 
client-conn
(12:41:22) dazo: If removing net30 is mainly code cleanup in pool.c ... I'm not 
sure we're in such a hurry.  But I agree, add 

[Openvpn-devel] Summary of the community meeting (4th June 2020)

2020-06-04 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 4th June 2020
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock, ordex and plaisthos participated in this meeting.

---

Noted that mattock had forgotten to send out the meeting invite and to
create the topic pages. He fixed that at the beginning of this meeting.

--

The "not-SSO" patchset is now ready to be merged. Cron2 will do it when
he has a bit of time.

--

Noted that the IPv6-only patchset should be ready to merge now and it
passes t_server tests already. Cron2 shall eyeball it one more time,
just in case.

Also noted that the planned hacking session between ordex and cron2
worked out great in "I'm in a meeting, you may go away"-sense.

--

There is now a TestCoverage wiki page:



--

The two big things missing from 2.5 now are async client-connect and
MSI. Mattock will allocate a full day for MSI next week, as the flow of
infrastructure tasks to him shows no sign of stopping.

--

Talked about dazo's man-page reformatting patch. Dazo is wondering if
splitting the to-be man-page into several .rst files instead of one
would make sense. Cron2 will try his luck building a man-page with
dazo's new code.

--

Talked about HackerOne. Mattock was in a meeting with OSTIF and heard
that OpenSSL project has had similar low-quality HackerOne reports
mostly about website issues. Nobody in this OpenVPN community meeting
would feel sorry if we'd lose our HackerOne project.

--

Noted that some community people have complaints about the openvpn.net
website. It just so happens that dazo and mattock now do monthly
meetings with the corporate website people. So, if anyone has
feedback/rants about OpenVPN website(s) just let dazo or mattock know
and they'll do their best to make things suck less.

--

Full chatlog attached
(21:01:48) cron2: topic fixed! :)
(21:02:22) mattock: hello
(21:02:24) mattock: thanks!
(21:02:38) mattock: who else?
(21:02:55) cron2: I'm not here
(21:03:29) dazo: I'm here, I hope :-P
(21:03:30) mattock: ok good, then it is just me
(21:03:32) mattock: :D
(21:03:33) mattock: ok
(21:03:43) cron2: mass meeting!
(21:04:55) mattock: dazo: do you know if plaisthos, lev or ordex might be 
joining?
(21:05:04) dazo: Just sent them a message
(21:05:20) cron2: since the topic page is not yet existing, shall we just do 
the usual round of "working on it! for real!"? :-)
(21:06:14) dazo: hehe ... yeah
(21:06:33) cron2: but you actually got stuff done, so you can't speak in this 
round :-))
(21:07:01) dazo: I'm still on the man-page project ... it's ready to get some 
quick reviews and tests before I send the patches to the ML
(21:07:50) mattock: wow, I forgot to add the topic pages
(21:07:55) cron2: I saw your ACKs on the "not-SSO" patchset.  It's on my plate 
to be merged, and was planned for "last Sunday/Monday", right after 
ipv6-only...  *that* one turned out to be a bit more stubborn and needed a v5, 
and then I ran out of time
(21:07:59) mattock: I hope I did not forget to send the invites... :P
(21:08:04) cron2: I think I should be able to do this tomorrow
(21:08:18) dazo: I've been through lots of the openvpn.8.rst file ... and there 
is some duplicated info, and some things which could use some cleanups ... I'm 
pondering on splitting the file into multiple file which is put together as a 
single man page ... to make it easier to see which section to put options into
(21:08:20) cron2: mattock: well, maybe you didn't send them on purpose? :)
(21:08:27) mattock: could be :)
(21:08:45) mattock: well, I've been bogged down - my infrastructure-related 
workload increased, not reduced this week
(21:09:06) mattock: I'll send the invites out now for the upcoming meetings
(21:10:52) mattock: sent
(21:11:02) mattock: creating topic lists while you discuss other stuff
(21:11:05) mattock: :)
(21:11:44) dazo: some encouragements to have people look at the openvpn.8.rst 
file and come with suggestions for improvements would be great
(21:13:00) plaisthos: not really here ...
(21:14:57) cron2: but anyway, on the positive side, the ipv6-only patchset has 
been reviewed and reworked last week, and is now "ready for merge".  I intend 
to review and review each patch again (to be sure that no rebase/rework 
accidents happened), but that should be easy.  Passed the t_server test already 
:-)
(21:15:52) cron2: on the "testing coverage", I've started a bit on 
https://community.openvpn.net/openvpn/wiki/TestCoverage but this needs way more 
input (and possibly even a different format)...
(21:15:54) vpnHelper: Title: TestCoverage – OpenVPN Community (at 
community.openvpn.net)
(21:16:01) dazo: nice ... so ... the 

[Openvpn-devel] Community meetings in June 2020

2020-06-04 Thread Samuli Seppänen
Hi,

Our community meetings will alternate between Wed 11:30 CET and Thu
20:00 CET.

Next meetings have been scheduled to

- Thu 4th June 20:00 CET
- Wed 10th June 11:30 CET
- Thu 18th June 20:00 CET
- Wed 24th June 11:30 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli









___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] Summary of the community meeting (27th May 2020)

2020-05-27 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 27th May 2020
Time: 11:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, ordex and syzzer participated in this meeting.

---

Talked about OpenVPN testing. We have a server-side testing setup which
is focused on testing the network side. However, the setup is currently
private and not easily reproducible. We agreed that allowing "anyone" to
setup server-side testing would be beneficial.

Fox-IT has a bunch of test tools they could possibly share:

- TLS test setup with loopback-like configuration files running on a
single node
- A C client to test management-external-key
- Python-based test framework that does regexp matching on OpenVPN
connection test logs

Syzzer will make inquiries to see if these tools could be open sourced
fully or partially. In the worst case they would provide "inspiration"
for the OpenVPN community.

Agreed that tests that are easy and quick to run locally by normal
users/developers should be part of our standard "make check" test suite.

Created a new repository in GitHub called "openvpn-tests":



This repository will contain server-side tests and other things that do
not fit into "make check". Existing test suites like
"openvpn-windows-buildtest" may be integrated with it later.

Also created a TestCoverage page in the Wiki:



--

Talked about man-page reformatting. In a nutshell it is looking pretty
good but will need some work to make it perfect.

--

Syzzer promised to review



--

Talked about OpenVPN 2.5.

Dazo will review and ACK plaisthos' INFO_PRE/AUTH patches today.

Cron2 and ordex will try to get the IPv6-only patchset sorted out
15:00-17:00 tomorrow (Thursday).

Mattock has not been able to continue the MSI work but hopes to be able
to do that next week.

--

Full chatlog attached
(12:30:01) mattock: hello
(12:31:36) lev__: hi
(12:32:50) cron2: yo!
(12:32:59) mattock: this looks promising now! :)
(12:34:28) ordex: hi!
(12:35:39) mattock: ok let's do it
(12:35:52) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-05-27
(12:35:54) vpnHelper: Title: Topics-2020-05-27 – OpenVPN Community (at 
community.openvpn.net)
(12:36:09) mattock: I believe dazo is responsible for some of those topics
(12:37:18) cron2: !blame
(12:37:21) dazo: \o/
(12:37:23) mattock: hi
(12:38:03) eworm [~eworm@archlinux/developer/eworm] has entered the room.
(12:38:23) mattock: topic #1?
(12:39:55) dazo: I think we can all agree this is a great idea to have.  But 
who has something ready?  Who will pick up these tasks?
(12:40:36) mattock: krzee was interested in doing this and he should have the 
bandwidth
(12:40:43) cron2: I do have server side testing, with fairly good "network 
side" coverage
(12:40:53) cron2: (tun, tap, ipv6, ipv4, ...)
(12:41:10) cron2: it's lacking any sort of management interaction or plugins
(12:41:17) dazo: After having looked at plaisthos' auth related patches, I do 
have some kind of ideas how to do some simple automated management based auth 
testing ... but, the annoying part there is to write some reliable code which 
does the management interface interaction
(12:41:44) syzzer_: hi
(12:41:49) mattock: \o/
(12:41:50) cron2: syzzer! \o/
(12:41:55) dazo: hey! long time, syzzer_!
(12:42:04) syzzer_: Running TLS tests can easily be done on a single host
(12:42:25) syzzer_: Just use loopback-like configs
(12:42:37) dazo: yeah
(12:42:47) cron2: t_lpback.sh and t_cltsrv.sh come to mind :-) 
(12:42:48) syzzer_: This is how we do this for OpenVPN-NL too
(12:43:16) dazo: TLS tests are kind of the lowest hanging fruits
(12:43:30) syzzer_: Yeah, but preferably with less timeouts than t_cltsrv.sh :)
(12:43:55) dazo: and I think krzee would be perfect candidate for those tests, 
if he got a chance and time for it
(12:43:56) syzzer_: cron2 has reasonable coverage for the network side
(12:44:00) dazo: syzzer_: agreed!
(12:44:42) syzzer_: but having server-side tests that are easier to run "for 
everyone" would be really nice
(12:44:51) dazo: I did look into reducing those timeouts, the annoying part of 
that test is testing timeouts  so that kind of makes it odd to reduce 
timeouts when testing timeouts
(12:45:23) syzzer_: yeah, but for the other tests, you'd want a flag like "exit 
with 0 status if connection setting succeeds" or so.
(12:45:49) syzzer_: Oh, end "immediately exit with exit code non-zero when TLS 
connection fails"
(12:45:53) syzzer_: *and
(12:46:00) cron2: yep, when adding tests run in the normal "make check" 
sequence, these should be "a few seconds each", not "2 

[Openvpn-devel] Summary of community meeting (13th May 2020)

2020-05-13 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 13th May 2020
Time: 11:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

dazo, krzee, lev, mattock, ordex and plaisthos participated in this meeting.

---

Talked about MSI/MSM for OpenVPN and tap-windows6. Mattock is now
fighting his way through the MSI/MSM jungle.

---

Talked about improving the buildbot configuration. Agreed that it makes
sense to:

1) Upgrade buildbot to a more modern version (better webui etc)
2) Migrate lots of semi-manual testing that is currently internal to
OpenVPN Inc. to buildbot
3) Start building openvpn3 on buildbot
4) Testing latest server code through buildbot

After the meeting cron2 reminded us that he has t_server testing
framework already - it is just running outside of buildbot.

Krzee and mattock will work together on these buildbot improvements.

---

Discussed OpenVPN 2.5 patches. This week dazo will review plaisthos'
three patches and start the epic "man page struggle".

--

Full chatlog attached

(12:28:46) mattock: hello!
(12:28:56) dazo: hey!
(12:30:12) mattock: cron2 said he could not make it
(12:30:26) mattock: it would be nice if rozmansi was here by accident :)
(12:30:42) mattock: I'm working on tap-windows6 MSM and unsurprisingly there 
have been a number of issues I've had to resolve
(12:30:48) krzee [be50baf1@openvpn/corp/krzee] has entered the room.
(12:30:53) mattock: probably related to the build environment, but problems 
nevertheless
(12:31:59) ordex: ué
(12:32:25) lev__: hello
(12:33:29) plaisthos: hello
(12:34:03) krzee: heyhey
(12:35:21) mattock: hi all
(12:35:23) mattock: so
(12:35:38) mattock: I pretty much reported what I've been up to :)
(12:35:48) mattock: any topics besides openvpn 2.5?
(12:36:16) dazo: plaisthos: what's the status now on the auth-token patches?
(12:36:35) dazo: Lets have a look here: 
https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25
(12:36:37) vpnHelper: Title: StatusOfOpenvpn25 – OpenVPN Community (at 
community.openvpn.net)
(12:37:15) dazo: I'm planning to start playing with the man page challenge this 
week
(12:37:32) mattock: \o/
(12:37:39) plaisthos: dazo: err check patchwork
(12:37:44) mattock: sounds like e-sports
(12:38:51) krzee: id like to understand a little more about our unit tests 
(using buildbot as i understand), specifically because i think ovpn3 should be 
added to it when possible and i think that maybe corp and community could use 
the same tests so that efforts are not duplicated
(12:41:19) mattock: +1
(12:42:17) mattock: basically we'd just add openvpn3 build dependencies to a 
subset of our buildslaves and add a few builders to build openvpn3
(12:42:55) dazo: plaisthos: ahh, found it ... alright, 3 patches missing formal 
acks ... I'll try to complete that this week then
(12:44:57) dazo: mattock: Hmmm ... can we also please upgrade our buildbot to 
something more up-to-date?  So that it is simpler to get an overview what is 
being run/tested, split out build errors from test errors, etc
(12:46:23) mattock: yes that is the plan
(12:46:30) mattock: after MSI stuff
(12:46:50) dazo: good!  Then I'll keep quite for a bit more :-P
(12:46:51) plaisthos: like jenkins?
(12:46:55) dazo: *quiet
(12:47:06) plaisthos: or newer buildbot?
(12:47:10) mattock: no jenkinses
(12:47:14) mattock: update buildbot
(12:47:16) mattock: :)
(12:47:20) krzee: how many tests are already implemented in buildbot?
(12:47:22) dazo: plaisthos: hehe 
(12:47:35) dazo: krzee: Only `make check`
(12:47:36) mattock: not sure as those are created programmatically
(12:47:47) plaisthos: no was a serious question. People might have more 
experience with jenkins
(12:48:12) mattock: yes, and it is still a piece of crap especially from 
management perspective
(12:48:37) ordex: :D
(12:48:51) krzee: dazo, i dont understand the answer
(12:49:44) ordex: tests are defined in t_client
(12:49:44) dazo: krzee: buildbot runs 'make check' ... so what is being run is 
defined in tests/Makefile.am via the TESTS variable
(12:50:04) ordex: the buildbot just runs make check (which executes the unit 
tests and the various t_* scripts)
(12:50:07) dazo: t_client.sh is one of the defined tests in TESTS
(12:50:31) ordex: right
(12:51:07) mattock: krzee and I also talked about extending t_client to include 
server-side tests (i.e. connect clients to a server instance built from HEAD)
(12:51:28) mattock: at the moment our servers are static (version  of 
openvpn)
(12:51:36) dazo: 
https://github.com/OpenVPN/openvpn/blob/master/tests/Makefile.am#L17   oh 
and beware of SUBDIRS too ... so this is also evaluated, recursively
(12:51:38) vpnHelper: Title: openvpn/Makefile.am at master · OpenVPN/openvpn · 
GitHub (at github.com)

[Openvpn-devel] Summary of the community meeting (7th May 2020)

2020-05-07 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 7th May 2020
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo and mattock participated in this meeting.

---

Noted that cloudflare has now been disabled on community.openvpn.net
(again) to get IPv6 working. This is hopefully just a stop-gap measure
before we get IPv6 enabled in Cloudflare - for community.openvpn.net or
for whole openvpn.net domain.

--

Noted that most of OpenVPN Inc. has been working on CloudVPN which has
now been released:



It is not clear if CloudVPN supports IPv6 transport. IPv6 payload seems
to be supported. Mattock made some queries during the meeting.

--

Discussed OpenVPN 2.5. Noted that the high-level status has not changed
recently:



The recent activity was directed at cleaning up the backlog, Trac
tickets, etc. which was also needed.

The amount of effort required by most "must have" tasks seems fairly
reasonable:

- async-cc stuff
  - it's there, it works
  - needs polishing, some refactoring and review
  - a few days of focused work
- MSI installers
  - needs final integration + testing
  - 1-2 days of work assuming no major roadblocks
- asymmetric compression
  - just needs the final ACK

Effort required by man-page reformatting and IPv6-only server were not
discussed.

Ordex is working on the OpenVPN kernel module which is why he's been
isolated from OpenVPN 2.5 tasks. However, dazo and lev have some
bandwidth for taking over tasks from ordex next week.

Mattock will start work on MSI a.s.a.p. so that if any issues are found
rozmansi will have some time to step in. Mattock will also try to locate
OpenVPN Inc. MSI experts, if any, to help with potential MSI issues.

--

Noted that syzzer's successor at OpenVPN-NL has been pretty quiet on the
community front. Also noted that syzzer said he might be able to do some
OpenVPN community work in his free time.

--

Full chatlog attached

(21:00:46) mattock: guten abend
(21:00:54) dazo: ciao!
(21:01:30) cron2: grüezi!
(21:04:22) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-05-07
(21:04:23) vpnHelper: Title: Topics-2020-05-07 – OpenVPN Community (at 
community.openvpn.net)
(21:05:25) mattock: IPv6 on community should work now or soon
(21:05:46) cron2: not now, so "soon" :)
(21:05:57) mattock: unfortunately the "IPv6 on all servers" thing had to be 
postponed - too much stuff going on
(21:06:17) cron2: yeah, it always is
(21:07:20) dazo: Most of the corp folks has been involved in this lately: 
https://openvpn.net/cloud-vpn/  first version finally released
(21:08:23) mattock: yeah, I got dragged into that too
(21:08:34) cron2: does it have IPv6?
(21:08:48) cron2: ah, yes, the web page says so \o/
(21:09:07) cron2: external *and* internal v6?
(21:09:52) dazo: You define all the internal IPs yourself, and I would be 
surprised if IPv6 was missing
(21:10:11) cron2: that's "internal", but what about IPv6 transport towards the 
"cloud"?
(21:10:33) cron2: ("--proto udp6")
(21:11:10) dazo: right ... external should be supported, but the ops team knows 
which IPs has been deployed into production
(21:11:32) dazo: I've not been involved on the production servers, so I dunno
(21:11:41) cron2: mattock: do you know?
(21:14:15) mattock: no, not sure
(21:17:13) mattock: ok, distractions over
(21:17:49) mattock: I would not count on IPv6 transport - knowing that our 
Cloudflare has IPv6 disabled I would not count on it
(21:18:19) mattock: now, openvpn 2.5 anyone?
(21:18:38) cron2: this is why I'm asking.  We've had problems here in DE with 
client networks behind DS-Lite ("double natted IPv4" plus native IPv6) and 
"server has no v6" starts being a problem
(21:18:45) cron2: (for all that is not "tcp port 80/443")
(21:19:56) mattock: I asked about IPv6 transport on our ops channel
(21:20:00) mattock: maybe somebody knows
(21:21:45) mattock: as far as OpenVPN 2.5 is concerned - no progress yet on my 
end unfortunately on MSI
(21:22:00) cron2: not too much progress on my end here either
(21:22:03) mattock: the big internal project I talked about ended today finally
(21:22:15) cron2: I've been digging through patches, working my way through 
_inline v11 right now
(21:22:16) mattock: the next project is starting but it should not be as 
involved
(21:22:32) cron2: good, so msi on you and v6-only on me :)
(21:22:59) cron2: (I had to do a quick patch to tcpdump yesterday, hah :-) )
(21:23:17) mattock: doorbell ...
(21:24:44) dazo: I got about 35 min until my next meeting starts
(21:25:17) cron2: dazo: so how's your time availability?  (and how's ordex'?)
(21:25:33) cron2: our major stumbling block 

[Openvpn-devel] Community meetings in May 2020

2020-05-06 Thread Samuli Seppänen
Hi,

Our community meetings will alternate between Wed 11:30 CET and Thu
20:00 CET.

Next meetings have been scheduled to

- Thu 7th May 20:00 CET
- Wed 13th May 11:30 CET
- Thu 21st May 20:00 CET
- Wed 27th May 11:30 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli









Re: [Openvpn-devel] is anybody running tests on Fedora ?

2020-05-05 Thread Samuli Seppänen
On 04/05/20 15:14, Илья Шипицин wrote:
> 
> 
> Mon, 4 May 2020 at 16:41, Samuli Seppänen  <mailto:sam...@openvpn.net>>:
> 
> Hi,
> 
> We do have a Fedora 30 buildslave and run fping tests there. It also
> seems to run t_client IPv6 ping tests.
> 
> 
> can you please run the following
> 
> 
> dnf whatprovides fping6
> 
> ?

On Fedora 30 as well as 31:

$ dnf whatprovides fping6
Error: No Matches found


$ dnf whatprovides fping
fping-4.2-1.fc30.x86_64 : Scriptable, parallelized ping-like utility
Repo: @System
Matched from:
Provide: fping = 4.2-1.fc30

fping-4.2-1.fc30.x86_64 : Scriptable, parallelized ping-like utility
Repo: fedora
Matched from:
Provide: fping = 4.2-1.fc30




>  
> 
> 
> Samuli
> 
> On 03/05/20 23:02, Илья Шипицин wrote:
> > Hello,
> >
> >
> > t_client.sh requires "fping6" binary, which is not available on
> Fedora.
> > on Fedora "fping" is capable of running ipv6 pings.
> >
> >
> > shall we adopt test ?
> >
> >
> > Cheers,
> > Ilya Shipitcin
> >
> >
> >
> 





Re: [Openvpn-devel] is anybody running tests on Fedora ?

2020-05-04 Thread Samuli Seppänen
Hi,

We do have a Fedora 30 buildslave and run fping tests there. It also
seems to run t_client IPv6 ping tests.

Samuli

On 03/05/20 23:02, Илья Шипицин wrote:
> Hello,
> 
> 
> t_client.sh requires "fping6" binary, which is not available on Fedora.
> on Fedora "fping" is capable of running ipv6 pings.
> 
> 
> shall we adopt test ?
> 
> 
> Cheers,
> Ilya Shipitcin
> 
> 
> 





[Openvpn-devel] Summary of the community meeting (29th April 2020)

2020-04-29 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 29th April 2020
Time: 11:30 CEST (09:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, lev, mattock, ordex and plaisthos participated in this meeting.

---

Talked about broken IPv6 connectivity to community.openvpn.net. This is
caused by Cloudflare, where IPv6 is turned off, apparently for the whole
openvpn.net domain. It apparently can't be selectively turned on for
just community.openvpn.net.

Mattock and plaisthos will try to convince the ops team to turn on IPv6
across the board, or otherwise resolve this issue.

--

Noted that right now it is still possible to amend the coding style for
the future. Nobody had any strong opinions on it.

--

Ordex sent the "ipv6-only" patch to OpenVPN Inc's QA team for testing.
This will pave the way for approval. Ordex will check at the end of this
week to see what progress QA has made.

--

Mattock will try to reach the person who is responsible for corporate
(e.g. OpenVPN Connect) MSI packaging and recruit him/her to help with
OpenVPN 2.5 MSI installers.

--

Talked about the remaining 2.5 patches:

- client-connect (requires review)
- auth-token breakage when server is restarted and explicit-exit-notify
is set

--

Full chatlog attached

(12:31:32) ***plaisthos is here
(12:31:36) cron2: barely made it
(12:32:39) mattock: hi!
(12:33:33) lev__: hello
(12:34:00) cron2: good
(12:34:52) mattock: seems like we have a fair number of participants today
(12:36:28) mattock: ok let's start
(12:37:04) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-04-29
(12:37:18) mattock: I can give an update on the IPv6 situation on 
community.openvpn.net
(12:37:24) mattock: before we even start
(12:37:42) mattock: so, as I assumed, it is cloudflare that's breaking IPv6 
there
(12:38:12) cron2: why, and what can we do about it?
(12:38:28) mattock: basically IPv6 is turned off at the cloudflare end 
site-wide (*.openvpn.net I presume) and turning it on for community.openvpn.net 
was not trivially possible 
(12:39:05) cron2: why is turned off for *.openvpn.net?
(12:39:12) mattock: it may be possible, but if not, then there are two options:
(12:39:12) mattock: - take community.openvpn.net off off cloudflare (DoS 
becomes way more likely)
(12:39:12) mattock: - enable IPv6 site-wide
(12:39:16) mattock: I have no clue
(12:39:17) cron2: and why can it not be turned on for community?
(12:39:40) mattock: usually overrides are done with "page rules" and there did 
not seem to be an option for enabling IPv6 selectively
(12:39:55) mattock: but I did not look myself and I won't dare touch stuff 
there because everything could break if I did
(12:40:22) mattock: I will put pressure on raidz who is responsible for this to 
get this resolved somehow
(12:41:14) mattock: anyways, that's all about it
(12:41:37) cron2: just break stuff, again and again, so they get aware of the 
consequences of not having IPv6! :-)
(12:41:52) cron2: 11:41 -!- There is no such nick raidz
(12:41:59) cron2: mmmh, smart man, hiding from me
(12:42:04) mattock: yes I guess so :P
(12:42:44) mattock: I think disabling IPv6 must be some "security" thing, 
though I don't see the point myself
(12:43:25) plaisthos: Yeah not supporting IPv6 in 2020 is really stupid
(12:43:47) cron2: if it's cloudflared, having IPv6 enabled on the outside is 
totally decoupled from IPv6 "between cloudflare and the origin servers", so 
there is no security argument whatsoever
(12:43:47) mattock: plaisthos: maybe you can also help convince the ops team to 
agree on that
(12:44:00) plaisthos: mattock: sure
(12:44:30) mattock: I will bring this up again in tomorrow's meeting on a more 
"enable IPv6 across the board" level
(12:44:32) cron2: not having IPv6 inside is sort of "typical enterprise IT 
thinking" (this is new stuff, we do not know new stuff, we never want new 
stuff).  Seems OpenVPN has become quite a big success :-)
(12:44:47) cron2: plaisthos, mattock: thanks!
(12:45:22) mattock: np!
(12:45:26) mattock: shall we move on?
(12:45:42) cron2: yes
(12:45:54) mattock: any topics besides "2.5"?
(12:46:11) ordex: ops
(12:46:24) mattock: oops or ops? :)
(12:46:34) ordex: both
(12:46:36) cron2: I had planned on discussing uncrustify style for 
tests/unit_tests/ today, but events overtook it
(12:46:49) cron2: syzzer decided "we want a uniform coding style!" and so we did
(12:46:59) ordex: agreed
(12:47:03) ordex: better have it uniform
(12:47:13) ordex: having two styles in the same project can easily become .. 
annoying
(12:47:49) cron2: right (just for completeness: my argument was "test code is 
different shape anyway, so we *could* agree on a more compact style") - but I 
am perfectly fine with this
(12:48:06) plaisthos: yeah if we 

[Openvpn-devel] Summary of the community meeting (23rd April 2020)

2020-04-23 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 23rd April 2020
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock, ordex and Pippin participated in this meeting.

---

Talked about the proposed update to our patch to pkcs11-helper:



It was agreed that using the patch version from Fedora Rawhide would
make more sense, as that is more widely tested. Plus the patch does not
seem to have any Linux-specifisms that could break on Windows (=our
target system here).

---

Mattock mentioned that OSTIF.org is currently waiting for 2.5.0 before
launching their security audit.

--

Discussed the OpenVPN 2.5 release.

Ordex and cron2 revived the ipv6-only patchset. Wiscii has tested it
already and has reported that it works. OpenVPN Inc. will provide
additional QA resources to test it as well.

Cron2 has a couple of Windows-specific patches on his plate (tun-mtu,
IPv6 netbits in netsh / iService) which need some focused review effort.

There are also a couple of patches from plaisthos which could be merged
easily once there's a bit of time for a review.

The async-cc patchset is waiting for testing, but we have a volunteer
who is willing to test the rebased code.

Ordex will review the tls-group patch in the upcoming days.

Mattock should have time to focus on the MSI work starting next week
after wrapping up a rather big internal project.

---

Noted that  record seems to be missing for community.openvpn.net.
Mattock will fix that. Also, he will add monitoring of the IPv6
addresses of the community services to OpenVPN Inc's monitoring system.

--

Full chatlog attached
(21:00:55) cron2: yeaaha
(21:01:02) mattock: hi
(21:01:09) ***cron2 complains about topic
(21:03:33) mattock: ok complain
(21:03:40) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-04-23
(21:06:37) ***dazo is here
(21:06:51) mattock: hi!
(21:09:35) cron2: hi dazo!
(21:09:40) cron2: how's madness?
(21:12:20) dazo: mad :-P
(21:13:47) cron2: you're all so talkative today... :)
(21:14:40) dazo: hehe ... looked at the #1 topic ... surprised to see a red hat 
bz reference in a project used for Windows builds  
(21:15:05) mattock: ok now distractions are over
(21:15:26) mattock: so, I wanted to bring up the pkcs11 patch because I don't 
want to decide by myself whether it is acceptable or not
(21:15:30) mattock: thoughts?
(21:16:03) cron2: I have no idea what he's talking about
(21:16:20) cron2: ah
(21:16:46) cron2: so we import the pkcs11 patch from redhat (or a common 
source), and that patch has issues.  So it ended up in RH's BZ and they now let 
us know
(21:17:52) cron2: 2017
(21:18:55) dazo: okay ... so  there is a patch in the opensc project (where 
pkcs11-helper comes from, managed by alonb) ... which is not being accepted 
because it is "too complex", and it has been an open pull-req for 2 years.  And 
the patch we have in our build repo is based on that.  What I don't understand 
yet is how we have a "faulty" patch in our repo
(21:19:08) cron2: that patch has a bug
(21:19:15) cron2: which is explained in the RH BZ
(21:19:27) cron2: so we get a patch for the patch now :)
(21:20:18) cron2: and we actually have an open trac ticket (1075) related to 
"long IDs do not work"
(21:20:22) dazo: yeah ... I would probably look into what dwm2's git repo has 
and compare that patch/commit with our patch
(21:20:50) mattock: I would = I will?
(21:20:52) mattock: :P
(21:21:02) dazo: I suggest! :-P
(21:21:11) mattock: I thought so!
(21:22:09) ordex: are we doomed ?
(21:22:15) cron2: ordex: yes
(21:23:05) dazo: from a quick look ... the first change (token[1] -> token[0]) 
that looks fine and sane
(21:23:44) dazo: the second change I don't see in dwm2's repo during my quick 
glance  from a style perspective it looks odd too
(21:24:07) dazo: (but that style seems to be common in that repo)
(21:27:00) dazo: This is what Fedora ships in Rawhide ... and I would presume 
prior release has the same patch though ... 
https://src.fedoraproject.org/rpms/pkcs11-helper/blob/master/f/pkcs11-helper-rfc7512.patch
(21:27:01) vpnHelper: Title: Tree - rpms/pkcs11-helper - src.fedoraproject.org 
(at src.fedoraproject.org)
(21:27:12) dazo: (and that is related to that rh bz)
(21:27:51) dazo: Rawhide ships with pkcs11-helper-1.22
(21:28:51) dazo: the patch was introduced Nov 2017 and seems to have been 
unmodified since then
(21:32:14) mattock: well
(21:32:15) mattock: https://github.com/OpenSC/pkcs11-helper
(21:32:17) vpnHelper: Title: GitHub - OpenSC/pkcs11-helper: Library that 
simplifies the interaction with PKCS#11 providers for end-user applications 
using a simple API and optional OpenSSL engine (at 

Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-20 Thread Samuli Seppänen
Hi,

On 19/04/20 13:03, Gert Doering wrote:
> Hi,
> 
> On Sat, Apr 18, 2020 at 02:30:46PM +0200, Simon Matter wrote:
>> A long time ago I was asking them to also show MD5/SHAXXX checksums so I
>> can easily verify the downloads. My request was turned down for reasons I
>> still don't understand. At least it could give us some peace of mind when
>> downloading OpenVPN and the PGP stuff doesn't work or is not used by the
>> person downloading it.
> 
> True... Samuli, are you listening?  Adding SHA256s to the release
> announcement might not be so hard to integrate into your process, and
> help in case GPG acts up again.

> (Mostly because "the mail on the list is signed, the other openvpn
> developers see it, and if someone tries to play games, we'll notice")

Having SHA256 sum in the _release announcement_ is good, because it
can't be forged easily. But I would also have it on the download
page. I just need to ask our webmaster to add that field. If the website
is tampered then we still have the release announcement to refer to.

On a related note: I think we should consider stopping the distribution
of the security list's public key from our webservers and just instruct
people to fetch the key from the keyservers and refresh it if they have
trouble.

Meaning: I don't see the extra value distributing the key from our
webserver gives anyone. But please correct me if I'm missing something.

> 
> gert
> 




signature.asc
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
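
The reasoning in the reply above, that the SHA256 in the signed list announcement stays the reference even if the download page is tampered with, as an added example (not OpenVPN project code). The function names, verdict strings and sample data are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _norm(digest):
    """Normalise a published digest and refuse anything that is not SHA-256 hex."""
    d = digest.strip().lower()
    if len(d) != 64 or any(c not in "0123456789abcdef" for c in d):
        raise ValueError("not a SHA-256 hex digest: %r" % digest)
    return d


def check_release(path, announced, website=None):
    """Compare a download against the digest from the release announcement.

    The announcement digest is the trust anchor. The download page digest,
    if given, is only cross-checked against it and never overrides it.
    Returns one of these (hypothetical) verdict strings:
      ok                          file matches the announcement
      ok-but-website-differs      file is fine, download page lists another sum
      reject-website-matches-file file and download page agree with each
                                  other but not with the announcement
      reject                      file matches nothing that was published
    """
    announced = _norm(announced)
    if website is not None:
        website = _norm(website)
    actual = sha256_file(path)
    file_ok = hmac.compare_digest(actual, announced)
    if website is None:
        return "ok" if file_ok else "reject"
    if file_ok:
        if hmac.compare_digest(website, announced):
            return "ok"
        return "ok-but-website-differs"
    if hmac.compare_digest(actual, website):
        return "reject-website-matches-file"
    return "reject"


def demo():
    """Run the four cases on constructed files; nothing is downloaded."""
    genuine = b"constructed stand-in for a release tarball\n"
    altered = genuine + b"bytes added by whoever changed the download\n"
    good = hashlib.sha256(genuine).hexdigest()
    bad = hashlib.sha256(altered).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        genuine_path = os.path.join(tmp, "release.tar.gz")
        altered_path = os.path.join(tmp, "release-altered.tar.gz")
        with open(genuine_path, "wb") as fh:
            fh.write(genuine)
        with open(altered_path, "wb") as fh:
            fh.write(altered)
        # Announcement and download page agree, file is intact.
        results["clean"] = check_release(genuine_path, good, good)
        # Only the checksum field on the download page was changed.
        results["page_edited"] = check_release(genuine_path, good, bad)
        # File and page checksum were both replaced on the web server.
        results["both_swapped"] = check_release(altered_path, good, bad)
        # File damaged or replaced, both published sums still genuine.
        results["corrupt"] = check_release(altered_path, good, good)
        # No checksum on the page yet; pasted digest has case/newline noise.
        results["announcement_only"] = check_release(
            genuine_path, good.upper() + "\n")
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-18s %s" % (case, verdict))
```
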


[Openvpn-devel] OpenVPN 2.4.9 released

2020-04-17 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.9. It
can be downloaded from here:



This is primarily a maintenance release with bugfixes and improvements.
This release also fixes a security issue (CVE-2020-11810, trac #1272)
which allows disrupting service of a freshly connected client that has
not yet negotiated session keys. The vulnerability cannot be used to
inject or steal VPN traffic.

A summary of all included changes is available here:



A full list of changes is available here:



Please note that LibreSSL is not a supported crypto backend. We accept
patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if
newer versions of LibreSSL break API compatibility we do not take
responsibility to fix that.

Also note that Windows installers have been built with an NSIS version
that has been patched against several NSIS installer code execution and
privilege escalation problems:



Based on our testing, though, older Windows versions such as Windows 7
might not benefit from these fixes. We thus strongly encourage you to
always move NSIS installers to a non-user-writeable location before
running them. Our long-term plan is to migrate to using MSI installers
instead.

Compared to OpenVPN 2.3 this is a major update with a large number of
new features, improvements and fixes. Some of the major features are
AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved
IPv4/IPv6 dual stack support and more seamless connection migration when
client's IP address changes (Peer-ID). Also, the new --tls-crypt feature
can be used to increase users' connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of major
features is the ability to run OpenVPN GUI without administrator privileges.

For full details, look here:



The new OpenVPN GUI features are documented here:



Please note that OpenVPN 2.4 installers will not work on Windows XP.

For generic help use these support channels:

Official documentation:

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)


Samuli

Antonio Quartulli (1):
  socks: use the right function when printing struct openvpn_sockaddr

Arne Schwabe (3):
  Fetch OpenSSL versions via source/old links
  Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
  Fix OpenSSL 1.1.1 not using auto elliptic curve selection

Gert Doering (1):
  Preparing release v2.4.9 (ChangeLog, version.m4, Changes.rst)

Lev Stipakov (4):
  Fix broken fragmentation logic when using NCP
  Fix building with --enable-async-push in FreeBSD
  Fix broken async push with NCP is used
  Fix illegal client float (CVE-2020-11810)

Maxim Plotnikov (1):
  OpenSSL: Fix --crl-verify not loading multiple CRLs in one file

Santtu Lakkala (1):
  Fix OpenSSL private key passphrase notices

Selva Nair (7):
  Swap the order of checks for validating interactive service user
  Move querying username/password from management interface to a function
  When auth-user-pass file has no password query the management interface (if available).
  Fix possibly uninitialized return value in GetOpenvpnSettings()
  Fix possible access of uninitialized pipe handles
  Skip expired certificates in Windows certificate store
  Allow unicode search string in --cryptoapicert option

Tom van Leeuwen (1):
  mbedTLS: Make sure TLS session survives move

WGH (1):
  docs: Add reference to X509_LOOKUP_hash_dir(3)





[Openvpn-devel] Summary of the community meeting (15th April 2020)

2020-04-15 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 15th April 2020
Time: 11:30 CEST (09:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, lev, mattock, ordex and plaisthos participated in this meeting.

---

Talked about the WolfSSL patches. Agreed that they're much less invasive
and hence more acceptable now than previously. Some changes were
requested earlier and we're waiting for WolfSSL's response.

---

Talked about the upcoming OpenVPN 2.4.9 release. It will include an
important security fix and a few other things we wish to get in:

- NCP async fix from lev
- two patches from Selva
- the elliptic curve patch (1/3)

Agreed that we should have a CVE for the security issue. Dazo had
promised to resurface at 14:00 CEST today, which means he can probably
handle the CVE generation as usual.

Our goal is to release 2.4.9 tomorrow, if possible.

---

Mattock will check if it would be possible to give unique identifiers to
Windows 7 and Windows 10 flavors of tap-windows6. This would prevent
situations where an existing, cached Windows 7 driver is preferred over
a Windows 10 (attestation signed) version, hence causing driver
installation failures.

Mattock will also check if we could, with a reasonable effort, provide
users with an easy way to clean up old tap-windows6 drivers in the NSIS
installer. The process is already known and can be done with external
scripts, but integration / reimplementation in NSIS is missing.

These changes would be nice to have in 2.4.9-I601, but we can postpone
them to another Windows installer release if needed.

--

Full chatlog attached
(12:31:17) mattock: meeting time
(12:31:21) cron2: hooray
(12:31:25) lev__: hello
(12:31:54) mattock: hi guys!
(12:32:27) plaisthos: hey!
(12:34:27) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-04-15
(12:34:51) plaisthos: Okay I will just start with one topic, the quality of the 
WolfSSL patch approaches a level that might consider it for inclusion
(12:35:36) plaisthos: but I would put a note there that it is in the not 
actively supported by the community project and bugs/problem with it that 
cannot be replicated with OpenSSL need to be reported to WolfSSL
(12:35:40) ordex: hi
(12:35:46) plaisthos: hey ordex 
(12:36:18) ordex: well, issues will be reported to our mailing list in any case
(12:36:33) ordex: we just have to ensure that wolfssl will stick to the list
(12:37:05) cron2: I am fine with merging the patch, as it has nearly no code 
changes anymore, just pushing autoconf towards "yes, this function is there, 
even if it's a macro and you can't see it"
(12:37:32) ordex: yup
(12:37:35) ordex: much better
(12:37:36) cron2: and yes, documentation needs to be clear "this is not 
something we test, so if there are problems, talk to WolfSSL"
(12:38:24) ordex: can't the cryptoapi check be performed at configure time ?
(12:38:29) ordex: why an #error in the code ?
(12:39:38) cron2: ENABLE_CRYPTOAPI is not coming "from configure" but from 
syshead.h
(12:39:44) plaisthos: it basically breaks the build on win32
(12:39:48) cron2: but I think the #error is more an extra safeguard, because
(12:39:53) cron2: #if defined(_WIN32) && defined(ENABLE_CRYPTO) && 
defined(ENABLE_CRYPTO_OPENSSL)
(12:39:56) cron2: #define ENABLE_CRYPTOAPI
(12:39:59) cron2: #endif
(12:39:59) cron2: oh
(12:40:06) ordex: ah, so it's a windows thing only
(12:40:21) plaisthos: yeah cryptoapi is the windows key store
(12:40:23) ordex: but it needs ENABLE_CRYPTO_OPENSSL
(12:40:30) ordex: which won't be the case with WOLFSSL, no ?
(12:40:48) cron2: mmmh, now if WolfSSL enables ENABLE_CRYPTO_OPENSSL, which I 
think it needs to do (otherwise, we won't compile the openssl stuff...), it 
will break windows builds
(12:40:51) plaisthos: ah yes
(12:41:12) ordex: ah
(12:41:19) cron2: ssl_openssl.c is guarded by "#if defined(ENABLE_CRYPTO) && 
defined(ENABLE_CRYPTO_OPENSSL)"
(12:41:26) cron2: and WolfSSL provides "openssl compat" headers + API
(12:41:45) plaisthos: yeah basically wolfssl is not working on win32
(12:41:51) ordex: yeah
(12:41:56) plaisthos: something that I can live with
(12:41:58) cron2: I think that #error is not good.  They should adjust 
syshead.h instead, and have an extra WolfSSL check there
(12:42:03) ordex: right
(12:42:15) ordex: like: #if defined(_WIN32) && defined(ENABLE_CRYPTO) && 
defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_WOLFSSL)
(12:42:17) ordex: no ?
(12:42:20) plaisthos: cron2: I think the cryptoapi stuff might be called in 
more places
(12:42:37) plaisthos: that might have the wrong ifdef or so
(12:42:38) cron2: plaisthos: it should all be wrapped with ENABLE_CRYPTOAPI
(12:42:51) cron2: so if we just not define it ("like when building with 
mbedtls")...
(12:43:05) 

[Openvpn-devel] Summary of the community meeting (9th April 2020)

2020-04-09 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 9th April 2020
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

krzee, lev and mattock participated in this meeting.

---

Talked about having mod_cloudflare installed on Trac and Phpbb. This
would affect logging and not do any man in the middle stuff:



Nobody was opposed to this, but many key people were missing so no
decision could be reached.

---

Talked about OpenVPN 2.5 MSI work. The OpenVPN patches are now all in,
so it is possible to (more easily) move to testing the MSI packaging,
see bottom of this page:



The last time mattock touched MSI he created a vagrantied build
environment/process



It has not been touched in a while so testing is needed to see if it
still works.

Mattock and lev will have a session next week about Vagrant and this
environment in particular, so that lev can also participate in the MSI work.

---

Discussed the option of having OpenVPN 2.5 packages in the same apt
repository as OpenVPN 3 packages. Nobody was against this.

--

Talked about "python3-openvpn-connector-setup". It was originally
designed for an OpenVPN Inc product, but it is a fairly general-purpose
tool which other projects and people could use.

What it does is set up a connector - essentially an OpenVPN 3 client
- which could be a VPN traffic exit node or, for example, used for
sharing an AWS VPC. It was agreed that it makes sense to have such code
open source. This is the case today, but the code has not been
officially released except in the form of a Debian package as far as we
know.

Dazo could fill in the blanks here, including giving URLs to any Git
repositories there might be.

--

Full chatlog attached

(20:56:37) mattock: almost meeting time
(20:56:49) krzee: \o/
(20:59:41) lev__: guten aben
(21:00:44) mattock: guten abend herr lev
(21:01:23) lev__: gutt gutt
(21:01:50) krzee: hyavaa illta
(21:02:02) mattock: hyvää iltaa!
(21:02:15) mattock: I guess we can have this meeting in Finnish
(21:02:21) krzee: :D
(21:02:32) lev__: joo, anna mennä vaan
(21:02:33) mattock: krzee knows several words
(21:02:36) mattock: tehdään niin
(21:02:42) krzee: perkele!
(21:02:48) mattock: aamen!
(21:03:10) mattock: poronkusema is another one he knows
(21:03:14) mattock: very useful
(21:03:24) krzee: that is the best word ever btw
(21:03:56) mattock: btw. "best" is probably the only word in english that is 
pronounced as it is written
(21:04:05) mattock: just occurred to me
(21:04:24) mattock: well, "is" is another :D
(21:04:33) krzee: and "well"
(21:04:40) mattock: +1
(21:05:14) mattock: seriously - do we have any other participants?
(21:05:15) krzee: english will throw a few softballs and then come with the 
"tough" curveball out of nowhere
(21:06:11) mattock: inglish will throu a fjuu softbools änd then kam with tö 
"taf" köörvbool aut of noveer?
(21:06:44) krzee: "tuf"
(21:06:50) krzee: haha
(21:07:16) mattock: ok maybe we can try to have a meeting of sorts
(21:07:21) mattock: if somebody joins that's good
(21:07:24) mattock: so I have one topic
(21:08:04) mattock: we (the ops team at openvpn) would like to install 
mod_cloudflare on Trac and forums - that would allow blocking DDoS attacks more 
effectively
(21:08:24) mattock: all it does is affect the logging format - there is no MITM 
stuff going on there
(21:08:43) krzee: prolly no fair if the only people here to talk about it is 
you me and lev :D
(21:08:58) mattock: well it will end up in meeting minutes so people can 
complain
(21:09:00) mattock: :)
(21:09:11) krzee: nice
(21:09:24) mattock: lev: anything on 2.5?
(21:12:24) mattock: I don't have any updates on my part there
(21:12:30) lev__: well, msi-installer related code has been merged to openvpn 
repo
(21:12:36) mattock: good!
(21:12:47) mattock: I will need to find time to start the MSI build tests again
(21:13:03) lev__: so we could start testing openvpn-build msi branch
(21:13:10) mattock: yeah, we should definitely do that
(21:13:22) mattock: I have a Vagrant VM in a feature branch of openvpn-vagrant 
which can be used
(21:13:28) mattock: getting link
(21:14:06) mattock: https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25
(21:14:09) mattock: at the bottom
(21:14:18) mattock: https://github.com/OpenVPN/openvpn-vagrant/pull/7
(21:14:19) vpnHelper: Title: Add MSI build support by mattock · Pull Request #7 
· OpenVPN/openvpn-vagrant · GitHub (at github.com)
(21:14:29) mattock: that's what I used the "last time" for testing MSI 

[Openvpn-devel] Community meetings in April 2020

2020-04-02 Thread Samuli Seppänen
Hi,

Our community meetings will alternate between Wed 11:30 CET and Thu
20:00 CET.

Next meetings have been scheduled to

- Thu 9th April 20:00 CET
- Wed 15th April 11:30 CET
- Thu 23rd April 20:00 CET
- Wed 29th April 11:30 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli







[Openvpn-devel] Summary of the community meeting (1st April 2020)

2020-04-01 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 1st April 2020
Time: 11:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock and plaisthos participated in this meeting.

---

Talked about issues in the current OpenVPN 2.x development model. It was
agreed that large patch series on the mailing list can be quite
problematic, in particular when review takes too much time and the
patches no longer apply cleanly to latest "master".

Nobody seemed to be opposed to reviewing such large patchsets in an
external Git branch and, as the final step, rebasing the branch against
master and sending the emails to the mailing list for a formal ACK. This
way the ACK process would not be as likely to take too long to cause issues.

It was also noted that there is no technical substitute for spending
enough time on patch review, though we could always make use of more
automation for testing and merging.

Also noted that despite some disagreement on how to speed up our
development process the OpenVPN 2.5 release is moving forward nicely due
to the work put into it by the core developers.

Noticed that the Windows buildslave does not work for OpenVPN 2.4
builds. This should be fixed (by mattock).

---

Full chatlog attached
(12:25:33) cron2: hurr, no agenda page
(12:30:13) dazo: From last week:  the topic pages is not there, will 
need to create it soonish
(12:30:14) dazo: :-P
(12:30:27) dazo: soonish wasn't soon enough :-P
(12:30:58) dazo: mattock: do we still need CF to mangle the URLs?
(12:31:13) mattock: hello
(12:31:28) mattock: oh yes
(12:31:29) mattock: well
(12:31:48) mattock: I copy-and-paste a topic page during the meeting
(12:31:57) mattock: you guys start talking :P
(12:32:14) dazo: butbutbut we don't what to talk about! :-P
(12:32:22) dazo: don't *know
(12:32:23) mattock: we do, 2.5 :D
(12:32:39) cron2: plus "commit/review rules"
(12:32:49) dazo: :)
(12:34:27) dazo: so ... commit/review stuff?
(12:34:30) mattock: ok now you can start: 
https://community.openvpn.net/openvpn/wiki/Topics-2020-04-01
(12:35:33) cron2: dazo: basically, a continuation of the discussion on the ML
(12:36:15) cron2: what are the rules that govern the mailing list / ACK / merge 
process
(12:36:28) cron2: (and how can we speed it up without compromising transparency)
(12:36:58) cron2: "we have a patch on the list", "i review a patch somewhere 
else, which might or might not be the same patch", "ACK on the list", "merge of 
something else?" is certainly not the best approach
(12:37:05) dazo: Background: The challenge we currently have is that we do have 
a bit of stuff for review which exists in git repos (mostly by active core 
community devs)  and the submit patchset to mailing list, watch it age and 
get behind master, rinse and repeat 1-2 times ... it gets a bit annoying when 
reviewing and committing acked patches
(12:37:49) cron2: I have no issue with you working in private to get a patch 
set into a good shape, then one dev sends it to the list, and we get an ACK 
from the colleague *on the patches on the list*
(12:37:54) cron2: this is perfectly fine
(12:38:14) cron2: but "sending the ACK for a patch which is not what was 
reviewed" is not
(12:38:34) dazo: Agreed ... and we should build on that
(12:39:00) cron2: (not only "perfectly fine" but for larger patch set maybe the 
only way to get the time delay and merge conflicts handled better)
(12:39:33) cron2: OTOH, this won't really help with lingering patch sets that 
cannot find an interested reviewer - if we do not post, we don't even *know* 
that review is needed...
(12:40:00) dazo: So I do suggest that we make more active use of the 
merge-request git feature, which depends on stuff being pushed to a public git 
repo ... but a URL to the repo is added to a cover-mail generated by the git 
command line.
(12:40:22) dazo: Btw ... this is NOT for single patches
(12:40:31) dazo: this is useful for patch series
(12:40:37) cron2: Mmmh, not sure why this is an improvement
(12:41:04) cron2: if you are convinced that plaisthos' patch set is fine (for 
example), plaisthos can send-email, you can ACK on the list, I can merge
(12:41:34) cron2: full transparency, without having to rely on the continuous 
existence of some other git repo which might go away
(12:41:46) dazo: My idea, which is not completely figured out yet, is to make 
more use of merge requests and that we do 'git merge' from external repos, 
while keeping the review history
(12:41:57) dazo: which will ease the review and commit process
(12:42:42) dazo: review process knows where to fetch stuff from a git repo, 
reviewer can document "I've reviewed these commit refs from this git repo" ... 
committer can fetch the git repo, verify the 

[Openvpn-devel] Summary of the community meeting (26th March 2020)

2020-03-26 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 26th March 2020
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev and mattock participated in this meeting.

---

Discussed OpenVPN 2.5 status.

There is now a status section for MSI-related work:



All openvpn patches except for 11/12 have been merged which is very good
progress. Work on openvpn-build (MSI packaging) and tap-windows6 (MSM)
can really start once all of the openvpn work is in:




--

Noted that the "client-connect: split multi_connection_established into
separate functions" patch has a merge conflict in multi.c that somebody
needs to look at:



--

Noted that while --auth-token and --auth-gen-token are one of the nicest
new features in 2.5, they do not work right if combined with
--explicit-exit-notify on the server. This has to be fixed. Gory details
are available in the full chatlog.

--

Noted that the combination of a username-only --auth-user-pass and
--management-query-passwords does not work. Dazo will take a stab at
fixing the actual problem. There is already a
GET_USER_PASS_PASSWORD_ONLY flag which just needs to be processed
correctly when the management interface is in action.

An attempt to document the limitation plus related discussion is here:



Further discussion of the issue is available here:



--

Noted that removal of --disable-server needs review:



---

Full chatlog attached
(20:57:36) mattock: drum roll
(20:58:26) lev__: guten aben
(20:59:34) cron2: meow
(20:59:35) dazo: Hey!
(21:00:26) mattock: hi!
(21:01:52) dazo: mattock: can you put on your "checklist" after meetings to 
update /topic?  we always forget to update it 
(21:02:10) mattock: if somebody tells me how to do that
(21:02:14) mattock: I've never done it
(21:02:59) dazo: In (he)xchat it is just to modify the topic in the topic field 
and hit [enter]
(21:03:12) dazo: otherwise there is the /topic command
(21:03:34) mattock: ok, I'll check that out
(21:03:57) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-03-26
(21:04:17) mattock: https://patchwork.openvpn.net/patch/1045/ seems to be 
accepted already
(21:04:18) vpnHelper: Title: [Openvpn-devel,v3] travis-ci: add arm64, s390x 
builds. - Patchwork (at patchwork.openvpn.net)
(21:04:46) mattock: shall we move on to missing pieces in 2.5?
(21:05:21) dazo: Good idea
(21:05:43) mattock: I have the MSI/MSM status tracking in here now: 
https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25#MissingpiecesfromMSI
(21:05:50) cron2: I am mostly waiting for an 11/12 v2 from rozmansi, and a patch 
set from plaisthos...
(21:05:52) mattock: it seems that most of the openvpn patches are in
(21:05:58) mattock: not so earlier this week
(21:06:02) mattock: \o/
(21:06:05) cron2: lev has acked 01-10 + 12v2
(21:06:08) lev__: well, client connect isn't
(21:06:23) cron2: for MSM, most is in, for client-connect, waiting for the 
patch set
(21:06:48) mattock: once openvpn has all the pieces I think we can move to 
openvpn-build (MSI packaging) and tap-windows6 (MSM)
(21:08:52) mattock: the MSI PR in openvpn-build 
(https://github.com/OpenVPN/openvpn-build/pull/141) seems to have new commits 
to add the MSM stuff
(21:08:56) vpnHelper: Title: Windows MSI Packaging by rozmansi · Pull Request 
#141 · OpenVPN/openvpn-build · GitHub (at github.com)
(21:09:07) mattock: so I guess I just have to start experimenting with it once 
11/12 is in
(21:09:24) cron2: yes :)
(21:09:57) mattock: besides this MSI stuff: anything else in 2.5 that needs 
coordination?
(21:10:20) cron2: there's patches from plaisthos related to auth-gen-token
(21:10:27) cron2: which want a review :)
(21:11:31) dazo: It is still on my todo list ... I will try once again to dig 
it up once again ... I'm so sorry for these things falling through the cracks 
so often
(21:12:16) lev__: client-connect doesn't apply on latest master
(21:12:38) dazo: lev__: did you have a look on how complicated the conflict is?
(21:12:51) dazo: (using patch -p1 instead of git apply/am)
(21:13:15) lev__: no, I didn't
(21:13:24) lev__: something in multi.c
(21:18:02) dazo: lev__: do you have the patchwork link for it?  We should link 
to it on our status page
(21:18:56) cron2: 
https://patchwork.openvpn.net/project/openvpn2/list/?series=413
(21:18:57) vpnHelper: Title: OpenVPN 2 - Patchwork 

Re: [Openvpn-devel] OpenVPN git master builds for Fedora/RHEL/CentOS

2020-03-23 Thread Samuli Seppänen
On 22/03/20 16:38, David Sommerseth wrote:
> 
> Hi,
> 
> I've put together a Fedora Copr repository which contains builds of the
> OpenVPN 2.x git master; which will contain what will arrive in the next major
> release.
> 
> 
> 
> Instructions are pretty simple when using yum copr.  If you are on
> RHEL/CentOS/Scientific Linux, ensure you have the 'yum-plugin-copr' package
> installed first.
> 
> Then you can just do:
> 
> # yum copr enable dsommers/openvpn-git
> # yum clean all
> 
> If the copr plugin is not available, see the URL above for direct access to
> the repository files.
> 
> If you already have openvpn installed:
> 
>   # yum update openvpn
> 
> Or replace 'update' with 'install' if this is a fresh openvpn install.
> 
> I will on some semi-regular intervals update these builds when I see git
> master has been updated.   If you have any issues, you can easily downgrade to
> the previous version by doing 'yum downgrade openvpn'.
> 
> If you have automated updates enabled on your system, you might want to
> consider to blacklist the openvpn package - as the openvpn git master might
> not be as stable yet as the released versions.
> 

Excellent work! I will enable this on my laptop.

Samuli





[Openvpn-devel] Summary of the community meeting (18th March 2020)

2020-03-18 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 18th March 2020
Time: 11:30 CET (12:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2 and mattock participated in this meeting.

---

Mattock is on vacation this week so not much will happen at his end. He
will resume the MSI review/testing work next week.

Cron2 has done some patch merging but there is more to be done.

Agreed that the current Covid-19 situation which forces $kids to stay at
home is not optimal for productivity.

---

Full chatlog attached

(12:30:29) cron2: so
(12:30:32) cron2: good morning
(12:31:39) mattock: hello!
(12:33:24) cron2: so how's family life in .fi?
(12:33:44) cron2: .de is strange, but not too bad yet...
(12:37:10) mattock: everything is closed soon
(12:37:17) mattock: cabin fever is building up
(12:37:50) mattock: I mean, who would not love to spend 24/7 with one's $wife 
and $child(s)? :)
(12:37:52) cron2: $kid[1] is screaming at her mother right now... "something 
about correcting homeworks"... *sigh*
(12:38:33) mattock: maybe one hour walk every day would be a good practice
(12:38:41) cron2: now, if I had a) time (= no work to be done), and b) could 
actually go out and do something (museum, climbing gym, ...) I might enjoy 
having "no school for 5 weeks".  But mostly locked down...?
(12:38:57) mattock: yep
(12:39:43) mattock: anyone else here btw? dazo, plaisthos, lev, ordex, syzzer?
(12:39:58) mattock: oh, I probably forgot to mention, but I'm technically on 
vacation this week
(12:40:15) mattock: back to "normal" next week
(12:40:35) mattock: e.g. reviewing and testing rozmansi's MSI work
(12:41:04) cron2: indeed, lev__, rozmansi, dazo, plaisthos... *look around* 
*wave* *jump up and down*
(12:41:26) mattock: mentioned on #openvpn-devel
(12:43:25) mattock: seems silent
(12:43:37) mattock: shall we just skip this week and try again next week?
(12:44:19) cron2: you could do some reporting for the minutes ("I have not done 
anything, I had vacation! and kids!"), then I do some reporting ("I have not 
done much, some patches merged, more to do! kids!") and then we're done :-)
(12:44:48) mattock: ok, sounds good
(12:45:40) mattock: let's conclude the meeting, I'm already crafting the 
summary :)
(12:46:17) cron2: enjoy your vacation, with wife and kids all at home :-)
(12:46:21) cron2: (sorry)
(12:46:31) mattock: :D




[Openvpn-devel] Summary of the community meeting (12th March 2020)

2020-03-12 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 12th March 2020
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, plaisthos and rozmansi participated in this
meeting.

---

Mattock mentioned that he fixed the "unable to register [to community
services] due to plus sign in the mail address" issue today:



--

Talked about the OpenVPN MSI installer. Rozmansi's work consists of
several PRs and patches:




Mattock will review the PRs. It would be good if Windows-capable
developers such as lev or selvanair would do the same. The MSM code is
from the Wireguard project and modified only minimally.

Rozmansi has tested the MSI installers pretty thoroughly. Still it would
be good to get external testing as well. Rozmansi will provide test
installers for now and lev will put them on staging.openvpn.net.

It was agreed that we should only publish the EXE installer (will pick
32 or 64-bit MSI embedded). We will instruct IT admins to run
"openvpn-install.exe /extract" to get the MSI packages, e.g. for GPO
deployments.

--

Discussed the "disable DNS testing" patch. It was agreed that it is
still useful and should be merged.

--

Noted that the following things still need work before we can release 2.5:



- Purge NSIS installers
- Review and test of MSI changes (rozmansi, mattock, lev, selvanair)
- sync client-connect support (lev, plaisthos, dazo)
- async compress patch (plaisthos)
- man page formatting change

On top of that we should

- go through what we have on the list / in patchwork
- go through trac and see what's broken (a few tickets are important)

---

Full chatlog attached
(20:59:11) mattock: evening
(21:00:09) lev__: hello
(21:00:30) rozmansi [sid334387@gateway/web/irccloud.com/x-nzmdtcodbfqmjyci] has 
entered the room.
(21:00:38) rozmansi: 'evening
(21:02:13) cron2: hullo
(21:02:19) plaisthos: moin
(21:02:55) mattock: it seems we have a crowd here
(21:03:15) cron2: indeed... any word from dazo?
(21:03:28) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-03-12
(21:03:30) vpnHelper: Title: Topics-2020-03-12 – OpenVPN Community (at 
community.openvpn.net)
(21:04:16) mattock: checking
(21:06:05) mattock: nothing in my inbox from dazo
(21:06:11) dazo: hey!
(21:06:14) mattock: hi!
(21:06:37) dazo: sorry!  Just deep into coding ... and time flies 
(21:07:50) mattock: btw. I resolved this today: 
https://community.openvpn.net/openvpn/ticket/1171 ("unable to register due to 
plus sign in the mail address")
(21:07:52) vpnHelper: Title: #1171 (unable to register due to plus sign in the 
mail address) – OpenVPN Community (at community.openvpn.net)
(21:08:08) mattock: long-standing issue which some people really wanted
(21:08:11) mattock: to get fixed
(21:08:19) cron2: mattock: this is nice.  A friend of mine ran into this and 
then complained to me just the other day :)
(21:08:31) mattock: yep, and people complained on twitter which triggered this 
fix
(21:08:43) mattock: fortunately the fix did not require a Pwm upgrade (that 
would have been a big job)
(21:09:18) mattock: anyhow
(21:09:20) mattock: 2.5?
(21:09:38) mattock: MSI maybe? :P
(21:09:49) cron2: I've done a bit of merge-ACKed and also reviewed some of 
rozmansi's new work
(21:10:03) cron2: it would be good to have reviews and test on the 
openvpn-build and the msi work
(21:10:44) cron2: I am happy to merge everything that looks like "it does not 
introduce broken code" and "rozmansi knows what he's doing", though - so all 
the openvpnmsica stuff is his code anyway
(21:10:50) rozmansi: sure... I have tested it myself as much as I could... But 
still, everything is very fresh.
(21:10:57) lev__: are new MSI installers available somewhere
(21:11:10) rozmansi: I can build and post them...
(21:11:39) rozmansi: mind it's a set of three:
(21:11:40) rozmansi: https://github.com/OpenVPN/tap-windows6/pull/106
(21:11:41) vpnHelper: Title: MSM packaging by rozmansi · Pull Request #106 · 
OpenVPN/tap-windows6 · GitHub (at github.com)
(21:11:45) lev__: maybe upload them to 
https://build.openvpn.net/downloads/snapshots/
(21:11:47) vpnHelper: Title: Index of /downloads/snapshots/ (at 
build.openvpn.net)
(21:11:50) rozmansi: patches on mailing list (patchwork)
(21:12:10) cron2: it's not an openvpn patch
(21:12:13) rozmansi: and  https://github.com/OpenVPN/openvpn-build/pull/141
(21:12:15) vpnHelper: Title: Windows MSI Packaging by rozmansi · Pull Request 
#141 · OpenVPN/openvpn-build · GitHub (at github.com)
(21:12:31) cron2: lev__: 

[Openvpn-devel] Summary of the community meeting (4th March 2020)

2020-03-04 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 4th March 2020
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock, plaisthos and rozmansi participated in this meeting.

---

Talked about the OpenVPN MSI installer. Rozmansi took a week off from
work to wrap up the OpenVPN MSI installer. The original driver
installation approach that used WiX diffx extension had issues, so
rozmansi chose to reuse wintun's reliable and proven MSM (Merge module)
code, packing both wintun and tap-windows6 in it. This was preferable to
reinventing the wheel, and there was no license incompatibility either.
If any changes to the installer code are required we do want to get them
merged upstream in the wintun project.

--

Noted that the following things still need work before we can release 2.5:



The "must have" things that still need some work:

- Purge NSIS installers
- Implement asymmetric compression
- async client-connect support
- man page formatting change

On top of that we should

- go through what we have on the list / in patchwork
- go through trac and see what's broken (a few tickets are important)

--

Agreed that dazo should spend some time getting a Fedora Copr repo
running with openvpn git master to give Fedora and EPEL users
(RHEL/CentOS) a chance to test it out.

--

Agreed that it would be good if ecrist would update freebsd's
openvpn-current on a weekly basis until the release.

--

Mattock will work on the auth-user-pass documentation thing (see status
page above) which he had forgotten about.

--

Rozmansi has some more openvpn/src/tap.c Windows-specific commits
pending, but he's hoping to get the existing patches through first.

--

Cron2 will review networking/routing related things before they are merged.

--

Noted that lzo 2.10 breaks comp-lzo when built with GCC 10. This may
become a problem on operating systems that ship both (e.g. Fedora 32).

Agreed that this is not our battle. Either operating system vendors
build with the workaround (-fno-strict-aliasing) or lzo project fixes
their software. We already quit with a good error message ("Cannot
initialize LZO compression library").

--

Discussed the release schedule for OpenVPN 2.5. Agreed that moving the
tentative deadline for 2.5_beta1 to late March is actually doable given
our current resources.

---

Full chatlog attached

(12:34:20) rozmansi: hi
(12:34:20) cron2: ho!
(12:34:20) dazo: hey!
(12:34:20) dazo: mattock: We need to get better at updating /topic 
(12:34:20) cron2: not sure if mattock had enough coffee yet
(12:34:20) ***: Playback Complete.
(12:34:26) mattock: hi
(12:34:37) mattock: I do not drink anything with caffeine except on Thursdays
(12:35:40) dazo: heh
(12:36:44) cron2: what is special about thursday?
(12:37:03) dazo: So shall we take a look at 
https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25 and try to get a 
path forward again?
(12:37:04) vpnHelper: Title: StatusOfOpenvpn25 – OpenVPN Community (at 
community.openvpn.net)
(12:38:17) mattock: nothing special about Thursday, except that I'm at the 
office on Thursdays so I want to drink some cola then :)
(12:38:47) cron2: dazo: yes.  From my end of things, March looks much brighter 
now - as in: my DC move is nearly done
(12:38:49) mattock: when I got a 24 hour headache when going to Trento (plane 
was delayed, no coffee or tea to drink) I decided to stop caffeine misuse
(12:38:51) cron2: one more "midnight"
(12:39:04) mattock: let's have a look at the status
(12:39:15) mattock: rozmansi has been working on the MSI installer recently
(12:39:24) mattock: any news on that front?
(12:39:53) rozmansi: i made a tap-windows6.msm
(12:40:33) cron2: what I wanted to say was "I have more time for things after 
tomorrow", so we can get stuff tested and ACKed
(12:40:37) cron2: merged
(12:40:38) rozmansi: as discussed a lot of times: wix's diffx extension to 
install drivers has issues... so I decided to reuse the wintun reliable and 
tested approach.
(12:41:04) cron2: sounds good
(12:41:07) dazo: +1
(12:41:25) rozmansi: I am updating MSI packaging now to use it. Actually, it'll 
pack both wintun.msm and tap-windows6.msm.
(12:41:34) mattock: \o/
(12:42:07) rozmansi: I have taken a week off at work, so I can finally devote 
to openvpn msi packaging
(12:43:08) dazo: that's generous and awesome!
(12:43:22) rozmansi: dazo: thanks
(12:43:38) mattock: +1
(12:43:52) cron2: +1
(12:43:58) rozmansi: I may reuse existing wintun msm installer in tap-windows6, 
right? It is GPL v2.
(12:44:09) mattock: tap-windows6 is GPLv2 as well
(12:45:24) rozmansi: just double checking, since the copyright holder is not on 
very good 

[Openvpn-devel] Community meetings in March 2020

2020-03-03 Thread Samuli Seppänen
Hi,

Our community meetings will alternate between Wed 11:30 CET and Thu
20:00 CET.

Next meetings have been scheduled to

- Wed 4th  March 11:30 CET
- Thu 12th March 20:00 CET
- Wed 18th March 11:30 CET
- Thu 26th March 20:00 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli





[Openvpn-devel] Summary of the community meetings (27th February 2020)

2020-02-27 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 27th February 2020
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev and mattock participated in this meeting.

---

Discussed OpenVPN 2.5 status.

Noted that we're reaching a point where MSI installer is becoming "the"
blocker for 2.5. Everyone would like to drop NSIS in favor of MSI, if
possible. Mattock sent email to rozmansi asking about MSI status.

On top of that we have "asymmetric compression support" and "async
client-connect" and some isolated patches which lack ACKs or need work.

Selvanair volunteered to backport some of the patches from "master" to
"release/2.5". This was ok for everyone.

--

Decided to remove the --disable-server compile-time option from OpenVPN
2.5. We asked about doing that on our mailing lists and only one person
was against it, and the arguments were not particularly compelling.

---

Full chatlog attached
(21:00:20) mattock: good evening
(21:00:51) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-02-27
(21:02:24) lev__: hello
(21:02:44) mattock: hi!
(21:04:00) dazo: Hey!
(21:04:07) dazo: \o/ I remembered today!
(21:04:18) mattock: good
(21:04:20) mattock: :)
(21:05:49) mattock: cron2 said he'd be a bit late
(21:08:06) mattock: I see removing --disable-server
(21:08:28) mattock: is that for 2.5 as well?
(21:09:14) dazo: That's a ./configure option ... so I think that's reasonable 
for 2.5
(21:10:18) mattock: where are we at 2.5-wise in general?
(21:12:07) dazo: I've tried to update this status page ... 
https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25
(21:12:33) lev__: mattock: in what state msi installer is?
(21:13:00) mattock: it is in the same state as rozmansi left it
(21:13:07) lev__: it is marked as "done", but I don't think this is the case
(21:13:27) mattock: definitely not "done" in the sense that I would know what 
to do when the release comes
(21:13:31) mattock: I will email rozmansi now
(21:14:59) dazo: We have "Purge NSIS installers" in "todo", "MSI testing" in 
work needed ... and "MSI packaging" in done ... almost like a Schrödingers cat 
experiment ... we might know when we do the release :-P
(21:15:13) mattock: sent email to rozmansi
(21:15:22) mattock: he knows the answer
(21:15:41) mattock: there were complications with WiX toolkits driver 
installation thing
(21:16:02) mattock: can't recall the exact details since hackathon is already 
months away
(21:16:33) ***cron2 is here
(21:17:33) dazo: other than that  in the "must have" section, it's not much 
left  "asymmetric compression support" and "async client-connect" is the 
key main tasks left ... plus we have a few more ACKs on the mailing list which 
needs to be processed
(21:17:42) mattock: hi cron2!
(21:18:01) cron2: I'm on vacation, but will be back home on Saturday.  So, 
there is hope for these lonely ACKs :)
(21:18:43) dazo: I'll see what I can manage tomorrow too ... selva also wanted 
a few of the master patches to release/2.4, which is a reasonable request - 
just haven't had enough time to tackle them yet
(21:19:29) cron2: yes. I brought this up for one of the patches related to 
iservice, and he volunteered to rebase and send a 2.4 version - which makes 
lots of sense, I just had no time either
(21:20:24) dazo: on a not related note ... mattock, can we please  get rid of 
the cf ddos redirect thing by now?  This is how my URL to the status page looks 
like now: 
https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25?__cf_chl_jschl_tk__=32aa6ae7384606c6261e1081beedbf9a3b8c6c23-1582830709-0-ARvSxh8A4NhRY37f6YR06pLu8t936dtaEU4nC_9T84GXsI1RrYok6xG9wIC8u-6maiR3x7nYJORAK2NsHbuKK-xYpbmvTTlOxf-vvzaRWf0-ooRzsIbvVkTpH2AHDIC6lTFYoaZ-11mF08tNhmEt-
(21:20:24) dazo: 
y8WY6cSLUCwKvBw-oxkWqbtk9cDmcULvQLFO8A8riRgvgXfMORqMihsxxOxBuU49cuoo7U7qbYDuOBrTtIhRmBn3-aQT5R8nRq5g4vDtgvPfEPoQDCQeMXEZ3F4-f1AIm866cfoPnwkRs7Fg9-gXndRBkSV0udRhWvXqok8Ux3lcw
(21:20:37) cron2: ewww
(21:20:37) mattock: oh yes, I will ask andrew
(21:20:44) mattock: it hit me like 10 minutes ago
(21:20:45) cron2: haven't noticed, but looking at my browser, indeed
(21:21:16) mattock: done
(21:21:51) dazo: (and the other day ... these "shouldn't take more than 5 
seconds" took over 2 minutes ... )
(21:23:14) dazo: sorry for the de-rail
(21:23:30) dazo: anything else on the 2.5 release?
(21:24:37) mattock: not from my end
(21:25:11) cron2: not from my end, the last weeks have been too busy
(21:25:41) mattock: in any case we need MSI soon
(21:25:56) dazo: yes :)
(21:26:11) mattock: it would be a shame to have to continue with NSIS with so 
much effort gone into MSI...
(21:26:19) dazo: yeah
(21:26:19) cron2: yes :)
(21:26:26) dazo: so ... topic #2?
(21:26:35) 

[Openvpn-devel] Summary of the community meeting (19th Feb 2020)

2020-02-19 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 19th February 2020
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

dazo, lev, mattock, plaisthos and syzzer participated in this meeting.

---

Dazo will try to get the ACKed (2.5) patches applied this week.

--

Syzzer will review the "Warn about insecure ciphers also in
init_key_type" patch from plaisthos.

--

Discussed moving people away from --cipher bf-cbc. One option is to make
--ncp-ciphers and --cipher aes-256-cbc the default via the
openvpn-server@.service unit file, but that would break static key
configurations unless we make an exception for them.

--

Agreed that deprecating current static key implementation in OpenVPN 2.5
would be a reasonable thing to do. Later, in 2.6 or later it would
probably be replaced by a new "static key" mode where certificates are
used as static keys. This would allow a high degree of code reuse.

--

Full chatlog attached
(12:35:02) lev__: meeting?
(12:35:08) lev__: ping mattock 
(12:35:43) mattock: hi!
(12:35:44) dazo: w00t!  Even I managed to appear here in time :-P
(12:36:07) mattock: I almost forgot, but fortunately I received a friendly beep 
from Pidgin :D
(12:36:17) mattock: thanks to lev!
(12:36:35) lev__: I am the one who beeps
(12:36:35) mattock: so, cron2 probably won't make it today
(12:36:39) mattock: indeed you are
(12:38:34) mattock: so
(12:38:38) syzzer: Short agenda today
(12:38:48) syzzer: morning all :)
(12:39:05) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-02-19
(12:39:08) mattock: yes, a short one
(12:39:30) mattock: topic #1: "OpenVPN 2.5. updates/planning"
(12:39:35) mattock: I've seen tons of patches fly by
(12:39:49) mattock: generally that indicates progress :)
(12:40:45) mattock: anyone else besides cron2 who knows what is still missing?
(12:41:15) dazo: plaisthos: you around?
(12:41:45) dazo: I know plaisthos has been going through the devel-ml and 
picked up some missing patches as well
(12:42:07) plaisthos: yepp
(12:42:15) dazo: the struct argv patches are all ACKed, iirc
(12:42:38) plaisthos: yeah and I think you also have the rights to commit them 
right?
(12:43:25) dazo: Yeah, technically I do ... but since it's a long time since 
I've done it  I don't know what else I'll break in the process  (like 
an elephant in a glass store)
(12:44:21) plaisthos: Was more thinking to get load off cron2
(12:44:41) dazo: I know ... I can try to take a stab at it this week
(12:44:50) dazo: look at all acked patches and get them applied
(12:45:32) plaisthos: syzzer: to make all the hyper active kids happy, I also 
implemented chacha poly in openvpn3 ;)
(12:45:49) syzzer: plaisthos: ah, nice!
(12:45:55) mattock: :)
(12:48:47) mattock: so dazo will attempt to get patches applied
(12:48:58) mattock: anything else on 2.5? any blockers?
(12:49:17) plaisthos: there is a still a few of my patches pending iirc
(12:49:32) plaisthos: the async compress, warn if blowfish-cbc is in --cipher
(12:50:14) mattock: pending as in "needs review"?
(12:50:20) plaisthos: yes
(12:50:22) syzzer: I'll check that last one
(12:50:46) plaisthos: [Openvpn-devel] [PATCH] Warn about insecure ciphers also 
in init_key_type
(12:52:18) plaisthos: but we also need some plan forward to get rid of --cipher 
bf-cbc without forcing everyone to add cipher aes-256-gcm to their configs
(12:54:53) dazo: Since Fedora 27-ish, I applied some --ncp-ciphers and --cipher 
aes-256-cbc (iirc) as the default via the openvpn-server@.service unit file ... 
no one has complained about that
(12:55:12) dazo: 
https://fedoraproject.org/wiki/Changes/New_default_cipher_in_OpenVPN
(12:55:13) vpnHelper: Title: Changes/New default cipher in OpenVPN - Fedora 
Project Wiki (at fedoraproject.org)
(12:55:46) dazo: oh, aes-256-gcm is the "default" with some more ciphers in 
ncp-ciphers
(12:58:56) syzzer: dazo: thanks only works for tls-client / tls-server, not for 
static keys
(12:59:10) syzzer: how do you handle configs with --secret ?
(13:00:40) dazo: syzzer: right, you need a tls setup for this to work, indeed
(13:02:20) syzzer: but I like this approach, we might just make 2.5 act like 
this by default
(13:03:12) syzzer: that will break --secret configs. So we should consider 
whether we care enough to make an exception for --secret (fallback to BF-CBC, 
or use AES-256-CBC)
(13:03:30) dazo: perhaps it's about time to deprecate static key tunnels?  ... 
or that we "fix" the --secret key approach by deriving a pubkey out of it, and 
switch to TLS mode regardless?
(13:05:07) syzzer: dazo: I think that last approach is too much magic, and hard 
to get right in a backwards-compatible way
(13:05:16) dazo: yeah
(13:05:28) dazo: and I do see some pitfalls 

[Openvpn-devel] Summary of the community meeting (13th February 2020)

2020-02-13 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 13th February 2020
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, lev, mattock, plaisthos and wiscii participated in this meeting.

---

Lev and plaisthos got the ok from OpenVPN Inc. to spend as much time on
OpenVPN 2.5 as needed to get it out. One of the big motivations was the
upcoming OSTIF.org audit.

Noted that, despite that, meeting the "end of February" deadline might be
challenging as cron2 will be on vacation next week (so merging will
be slow).

The main missing pieces from 2.5 are client-connect and joint (MSI)
installer with Wintun and tap-windows6. Plus plowing through the open
trac tickets and patchwork to see what needs to be fixed.

--

Noted that MSI installers will need - and were planned to - be
architecture specific, with a shim installer that is able to select the
correct installer based on architecture.

--

Full chatlog attached
(21:05:05) cron2: I am sort of here
(21:05:15) lev__: okay, so plaisthos and me got an approval from inc to spend 
as much time as needed to get 2.5 out soon
(21:06:04) cron2: wut
(21:06:16) cron2: this is great
(21:06:32) mattock: yep, I  brought this up in a meeting with CEO and others
(21:06:43) mattock: one of the big motivations was the upcoming OSTIF.org audit
(21:06:55) cron2: I have been crazily busy for the last few weeks (like, 
charging 14.5 hours to $customer yesterday... starting work at 8, finishing at 
midnight)
(21:07:26) cron2: the next 3 days I go snowboarding with the kids, but will see 
that I can get a few things merged in the evenings :)
(21:07:59) mattock: good, because we need a merger :)
(21:08:02) cron2: we won't make "end of february", though, as that hits my 
vacation week...
(21:08:10) lev__: why not ski? :)
(21:08:37) cron2: did ski for ~35 years, decided it's too much effort and 
somewhat boring, started something new, liked snowboarding more
(21:08:42) cron2: fits my hairstyle better
(21:08:48) mattock: :D
(21:09:00) mattock: anyhow
(21:09:06) cron2: will do my best
(21:09:55) mattock: should we do some 2.5 coordination here? or just let lev 
and plaisthos plow through the patches?
(21:10:14) cron2: what about ordex?  that secret project keeping him busy?
(21:10:43) lev__: not sure how secret is it, but yes
(21:10:50) mattock: I was about to say exactly the same
(21:11:23) lev__: what critical things we are missing? client-connect, what 
else?
(21:11:44) cron2: client-connect and joint installer with wintun, I think
(21:12:15) cron2: and plowing through the open trac list which of those are 
real bugs and should be fixed :)
(21:12:25) lev__: current nsis installer already supports wintun
(21:13:01) lev__: but it won't be bad to have msi
(21:13:15) mattock: but I guess ordex could be detached for stuff nobody else 
can do
(21:14:17) mattock: MSI is at the mercy of rozmansi
(21:14:37) mattock: I won't have time to learn MSI well enough to take his 
place or even help him out except in testing
(21:16:11) lev__: by the way, our (inc) apps team told that they had to produce 
separate installers for x86 and x64, since wintun provides separates installer 
modules and apparently they cannot be used together
(21:16:39) mattock: this is about MSI, correct?
(21:16:49) lev__: yes
(21:17:20) mattock: rozmansi did plan on having separate installers anyways, 
and having a "shim" that is able to select which one to use, depending on the 
architecture
(21:17:25) mattock: so I guess that is covered
(21:17:43) lev__: wg also provides two separate installers
(21:22:12) cron2: yep
(21:22:40) mattock: anything else we should discuss?
(21:24:31) cron2: working my way through the ACK queue
(21:24:37) mattock: ok
(21:24:59) cron2: it's really nice to see so much activity (though I had 
preferred to have this in less busy times, like "last month", but anyway, ACKs 
and reviews are good)
(21:26:09) mattock: I will also dare open my INBOX - I've been avoiding for a 
day or so that I get work done :D
(21:29:48) plaisthos: hey, I am semi afk but yeah, I am trying to go through 
all patches in patchworks
(21:29:51) plaisthos: and I started with the oldest
(21:31:13) mattock: which year is that from? :P
(21:32:02) plaisthos: 2018
(21:32:59) mattock: well not that bad
(21:33:18) cron2: you have set NAKed patches to "changes wanted" (etc) already?
(21:33:29) cron2: like, the "alternative names support" patch?
(21:37:28) plaisthos: yeah
(21:37:43) plaisthos: I might have forgotten some but will do that eventually
(21:37:54) plaisthos: to what status do I set acked but not yet merged patches?
(21:41:20) cron2: if there is an ACK, I will hopefully pick em up by my own
(21:41:30) cron2: but you can delegate to me (if you 

[Openvpn-devel] Summary of the community meeting (5th February 2020)

2020-02-05 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 5th February 2020
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, mattock and syzzer participated in this meeting.

---

Cron2 tried to do the argv patchset, but it needs a rebase + tun.c
adjustments from dazo.

---

Decided to start signing tags in tap-windows6 repository as suggested here:



Mattock will use his personal key for signing.

Also noted that it might be a good idea to sign our personal GPG keys
with the security mailing list key.

---

Noted that OSTIF wants to do an audit of "changes between 2.4.0 and
2.5.0". They were fine with postponing the audit until 2.5.0 is ready -
the original tentative deadline for first 2.5 alpha - "end of January
2020" - was not met.

---

Decided to ask dazo, ordex and plaisthos what their suggestion for
the new tentative deadline for the first 2.5 alpha is. Much of the remaining
work depends on them.

Also noted that MSI installers are not a hard dependency for the 2.5
release, but not having them would mean having to support NSIS for the
entire lifetime of 2.5, which is not nice. We'll revisit this topic if
the other missing pieces are completed before MSI and MSI starts
blocking the release.

--

Full chatlog attached

(12:30:34) mattock: ok, meeting time it is
(12:30:37) mattock: I have 30 minutes to spare
(12:30:54) mattock: who has joined our merry group today?
(12:31:16) ***cron2 !
(12:33:03) mattock: lev__, ordex, plaisthos, syzzer, rozmansi?
(12:33:07) cron2: not much to report, though... I tried to do the argv 
patchset, but it needs a rebase + tun.c adjustments, and dazo went into 
hiding...
(12:33:09) mattock: dazo said he can't make it
(12:33:26) mattock: I have a couple of small topics
(12:33:37) cron2: nice, useful meeting then :)
(12:33:54) mattock: #2 Signing tap-windows6 tags 
(12:33:59) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-02-05
(12:34:00) vpnHelper: Title: Topics-2020-02-05 – OpenVPN Community (at 
community.openvpn.net)
(12:34:04) mattock: https://github.com/OpenVPN/tap-windows6/issues/101
(12:34:05) vpnHelper: Title: Not able to verify source code. Push signed git 
tags? · Issue #101 · OpenVPN/tap-windows6 · GitHub (at github.com)
(12:34:22) mattock: I believe we do sign the tags for openvpn.git
(12:34:23) cron2: I've seen the issue and I would agree that this is useful
(12:34:25) cron2: yes
(12:34:32) mattock: which key do we use for signing?
(12:34:38) mattock: security key or somebody's own key?
(12:34:41) cron2: my personal key
(12:34:45) mattock: ok
(12:34:51) cron2: because it's *me* who attests that this is what I pushed
(12:34:55) mattock: yes
(12:35:16) mattock: I can make signing the tags a part of the tap-windows6 
release process, i.e. sign with my key
(12:35:44) mattock: I think that covers that topic
(12:35:46) cron2: my key is signed by "all of you", but it might be an idea to 
use the security@ key to sign the personal keys
(12:36:08) mattock: yep, would not hurt
(12:36:15) cron2: so the link "this personal key indeed belongs to someone who 
is trusted by 'the organization'" is there
(12:36:32) mattock: indeed
(12:37:14) mattock: so I shall start signing tap-windows6 tags and we can 
improve the web of trust of our keys by signing our respective personal keys
(12:37:22) mattock: another topic I forgot to add to the topic list
(12:38:31) mattock: OSTIF wants to do an audit of "changes between 2.4.0 and 
2.5.0"
(12:38:53) mattock: I probably gave them our original estimate ("first alpha at 
the end of January")
(12:39:12) mattock: they were ok with postponing the audit until 2.5.0 is ready
(12:39:26) cron2: nice
(12:39:58) mattock: not much more on that, except that we'd need to make 2.5.0 
ready :D
(12:42:24) mattock: anything else today?
(12:42:41) mattock: oh
(12:42:49) cron2: missing plaisthos, dazo, syzzer, lev__, rozmansi...
(12:42:52) cron2: how's msi coming along?
(12:43:04) mattock: community.openvpn.net is no longer a "PenVPN" site
(12:43:11) mattock: https://community.openvpn.net/
(12:43:13) vpnHelper: Title: OpenVPN Community (at community.openvpn.net)
(12:43:15) mattock: logo changed
(12:43:33) mattock: I have no knowledge of the progress of the MSI
(12:43:45) mattock: we'd need to activate rozmansi for that
(12:43:59) mattock: he has been busy with lev, but on the MSI front probably not
(12:44:52) mattock: that said, we don't _need_ to make MSI a blocker - there's 
no reason we can't push MSI installers out after the initial release... but 
that would mean living with NSIS for the 2.5 lifetime, which is not nice
(12:45:41) syzzer: hi :)
(12:45:49) cron2: when we have everything else and MSI is not 

[Openvpn-devel] Community meetings in February 2020

2020-02-03 Thread Samuli Seppänen
Hi,

Our community meetings will alternate between Wed 11:30 CET and Thu
20:00 CET.

Next meetings have been scheduled to

- Wed 5th  February 11:30 CET
- Thu 13th February 20:00 CET
- Wed 19th February 11:30 CET
- Thu 27th February 20:00 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli


[Openvpn-devel] Summary of the community meeting (22nd January 2020)

2020-01-22 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 22nd January 2020
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2 and mattock participated in this meeting.

---

Noted that the new openvpn-build buildslave is now building Windows
installers on every commit and publishing them here:



The branch name is included in the installer names now.

--

Cron2 has merged work from lev/simon and tried his luck with the argv
patch set (but noticed a conflict with lev/simon's tun.c work). The rest
of the patches are waiting for dazo, plaisthos and ordex.

--

Full chatlog attached
(12:38:29) mattock: hello
(12:38:54) cron2: hello.  I did make it \o/ :)
(12:42:19) mattock: did anyone else make it?
(12:42:21) mattock: :P
(12:42:37) mattock2 ha abbandonato la stanza (quit: Quit: IRC for Sailfish 0.9).
(12:43:34) mattock: let's wait for a while and see if somebody appears
(12:46:52) cron2: mattock2 got lost
(12:47:17) cron2: I've already seen half of the good news - the 
windows-buildslave is back, and does uploads \o/
(12:47:59) mattock: yes, it is now building and hopefully the installer name 
will include the branch name
(12:48:43) mattock: so we'd get "feature installers" as well
(12:49:10) mattock: anyways, it looks like it's just the two of us
(12:49:18) mattock: shall we skip this meeting?
(12:50:17) cron2: we made 1/3rd already :)
(12:50:57) cron2: but anyway... not much to report from my side either... 
merged lev/simon so far, tried my luck with the argv patch set (conflict with 
lev/simon's tun.c work), waiting for dazo...
(12:51:08) cron2: and for the rest, waiting for dazo, plaisthos, ordex :(
(12:51:16) mattock: ok
(12:51:42) cron2: (and gentoo folks are having fun with mbedtls version.h 
f*ups... :-) - https://bugs.gentoo.org/show_bug.cgi?id=705864
(12:51:45) vpnHelper: Title: 705864 net-libs/mbedtls-2.19.1 installs 
mbedtls/version.h which claims 2.17.0 (at bugs.gentoo.org)
(12:53:49) mattock: uh, interesting
(12:54:27) cron2: spent quite a bit of time on this, trying to figure out why 
my gentoo builds broke in such weird ways..
(12:56:23) mattock: do they just bundle a wrong header file?
(12:57:12) cron2: mbedtls*.tar.gz needs a second package mbedcrypto*.tar.gz 
nowadays, and the second one *also* packs an mbedtls/version.h, which - for 
mbedcrypto 2.0.0 - claims "mbedtls 2.17.0"
(12:57:26) cron2: mbedcrypto should not bundle mbedtls-version-claiming things
(12:57:29) mattock: ok
(12:57:34) cron2: or it should fail building if incompatible
(12:57:36) cron2: or whatever
(12:58:37) mattock: anyhow, I'll summarize this very brief discussion if 
there's nothing else we think is worth mentioning
(12:58:58) cron2: nothing here, except some amount of loneliness
(13:00:48) mattock: ok, summary shall be sent soon




[Openvpn-devel] Summary of the community meeting (16th January 2020)

2020-01-16 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thu 16th January 2020
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev and mattock participated in this meeting.

---

Discussed status of OpenVPN 2.5 and tomorrow's mini-hackathon:



Agreed that we should have easy-rsa 3 in the OpenVPN 2.5 Windows MSI
installers. We probably had made this decision earlier as well.

Lev and rozmansi have been working on the wintun patches. Lev will
review the latest of rozmansi's patches tomorrow.

Mattock has a new buildslave that he will configure to build Windows
installers with openvpn-build in tomorrow's hackathon. Buildmaster will
need some restarts in the process. Later Debian/Ubuntu package building
can be added to buildbot as well.

Cron2 will merge what has already been ACKed tomorrow and will do some
other stuff as well.

Dazo has lots of deadlines at the moment but will do his best to
allocate time for the mini-hackathon.

Noted that two of plaisthos' patchsets require review: "2FA thing" and
async-cc. Also noted that the struct argv stuff could be reviewed by anyone.

--

Full chatlog attached
(20:59:29) lev__: hello
(21:00:09) dazo: hey!
(21:00:18) mattock: hello!
(21:01:46) lev__: guten aben
(21:02:03) lev__: *d
(21:02:20) mattock: anyone else here?
(21:03:15) dazo: hmm
(21:03:26) cron2: oh, meeting time
(21:03:31) mattock: yep!
(21:03:49) cron2: *and* people here :)
(21:04:04) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-01-16
(21:04:06) vpnHelper: Title: Topics-2020-01-16 – OpenVPN Community (at 
community.openvpn.net)
(21:04:13) mattock: anything to add to the topic list?
(21:04:20) mattock: #1 is probably enough though :D
(21:05:20) lev__: me and Simon are reviewing each other's wintun patches, 
mostly prettifying code
(21:06:04) mattock: I've setup a new buildslave which will soon start building 
stuff with openvpn-build
(21:06:48) mattock: it won't build any of the normal stuff, just run 
openvpn-build on each commit
(21:07:08) mattock: should be fairly straightforward
(21:07:10) cron2: nice
(21:07:33) lev__: speaking of 2.5, shall we switch to easyrsa3 in new msi 
installer?
(21:07:34) mattock: I'd _like_ to also automate creation of Debian/Ubuntu 
packages but that is slightly more involved
(21:07:50) mattock: lev: that would probably make sense
(21:07:57) mattock: not sure if we actually decided to do that or not
(21:08:53) mattock: also, as the MSI installer is still work in progress 
(afaik) there's little point in adding easy-rsa 2 to it
(21:09:01) mattock: why not just go directly to easy-rsa 3 that is
(21:09:48) cron2: lev__: I've seen ACKs, will go merge tomorrow
(21:10:39) dazo ha scelto come argomento: Next meeting 22/Jan/2020 at 11:30 
CET.  Agenda at https://community.openvpn.net/openvpn/wiki/Topics-2020-01-22
(21:11:39) dazo: I think the easyrsa3 move was depending on some easyrsa-2 
support ... so you could use existing easyrsa-2 or upgrade it to easyrsa-3
(21:11:51) dazo: ecrist should know, I think
(21:12:18) dazo: if that's already resolved (agreed, fixed, whatever), then all 
is fine to ship easyrsa 3
(21:12:29) cron2: I would say "ship easyrsa-3 and have a note in the README 
displayed at install time what to do when you have easyrsa 2 in active use"
(21:12:40) mattock: +1
(21:12:49) cron2: or better, make it a seamless replacement :)
(21:13:04) dazo: yeah, I think they were working the seamless approach :)
(21:16:54) mattock: ok, easy-rsa done
(21:17:15) mattock: more on 2.5 that needs coordination/updates?
(21:18:08) cron2: "get work done" :)
(21:18:32) mattock: :D
(21:18:39) dazo: :)
(21:18:54) mattock: speaking of which
(21:18:58) mattock: tomorrow's mini-hackathon
(21:19:05) cron2: yes!#
(21:19:05) mattock: who will join? what shall we do there?
(21:19:23) cron2: I'll merge what is ACKed and have a look at other stuff
(21:19:51) mattock: I will try to get openvpn-build running via buildbot
(21:21:19) cron2: dazo?
(21:21:21) dazo: Core team is pretty much loaded these days (lots of releases 
we're involved in + preparations for a bigger launch of a new service) ... but 
I'll try to see what we can manage.  ordex is also pretty much tied up with the 
kernel module work, so I don't want him to lose that focus anytime soon (where 
openvpn 2.x support is planned too)
(21:21:44) lev__: I'll review latest patch(es) from rozmansi
(21:23:04) dazo: I have a couple of releases I'll try to complete today, then I 
have more time for stuff tomorrow ... but due to unexpected things I'm involved 
in on the personal side, I soon need to schedule sleep in my calendar too :-/
(21:24:15) dazo: and everything I'm involved in 

[Openvpn-devel] Summary of the community meeting (8th Jan 2020)

2020-01-08 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 8th January 2020
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, lev, mattock, plaisthos and rozmansi participated in this meeting.

---

Discussed status of OpenVPN 2.5:



Identified the missing parts and their current owners:

win buildslave: mattock
wintun:         rozmansi, lev, mattock
do NCP right:   syzzer, cron
2FA patch set:  dazo, plaisthos
async-cc:       ordex, plaisthos
ipv6-only:      cron
argv:           plaisthos
msi:            rozmansi, mattock

Mattock decided to put the Windows buildslave on the top of his queue.

Agreed that with the current level of involvement there is no way we can
make the January 31st 2020 deadline. Decided to try to get dazo more
actively involved in 2.5 release process - he can then pull the strings
to get OpenVPN 3 core team involved in completing the remaining pieces
of 2.5.

--

Full chatlog attached
(12:33:41) mattock: howdy
(12:37:13) mattock: quiet today?
(12:37:22) rozmansi: cron2: I have a v3 version of 
https://patchwork.openvpn.net/patch/960/, but forgot to send it...
(12:37:24) cron2: you joined late :)
(12:38:08) cron2: rozmansi: please re-send so lev__ can ACK :)
(12:38:10) mattock: hi guys!
(12:38:36) rozmansi: hi
(12:39:20) cron2: everyone else still on vacation?
(12:39:31) mattock: don't know
(12:39:44) mattock: dazo does not seem to be as he's been sending internal 
emails
(12:40:08) cron2: I've seen plaisthos in #openvpn-devel yesterday
(12:42:07) mattock: I've actually been sick for a week and doing only the bare 
minimum amount of work I have to
(12:42:17) mattock: throat infection if you're wondering
(12:42:38) mattock: the current horse medicine seems to be working through, 
which is very nice
(12:43:19) cron2: eww... 
(12:44:54) mattock: anyways, so what are the blockers for 2.5 now?
(12:45:05) mattock: "where are we at?"
(12:45:15) cron2: nothing has happened since last meeting
(12:45:49) mattock: let me poke at dazo et al internally and see if he could 
join
(12:46:31) mattock: done
(12:47:17) cron2: async-cc, msi, wintun, ipv6-only, argv, ...
(12:47:51) mattock: ordex was active about an hour ago
(12:47:57) mattock: no other discussion from the other guys
(12:51:09) mattock: who is responsible for what? if nobody else appears soon 
the best we can do is compile a list of "who should do what" and start putting 
some pressure on people :)
(12:51:13) lev__: hello
(12:51:22) mattock: hi lev!
(12:51:25) cron2: hi lev
(12:51:29) rozmansi: hi
(12:51:36) mattock: good to have at least one from the openvpn3 team here :)
(12:51:37) cron2: msi is on rozmansi and mattock, it seems :-)
(12:51:42) lev__: yes, please send V3 and I'll ack it
(12:51:49) cron2: wintun is on lev and rozmansi
(12:51:54) plaisthos: mattock: get well soon
(12:51:55) rozmansi: msi is on me
(12:52:02) cron2: windows buildslave / snapshot builder is on mattock
(12:52:09) lev__: also maybe rozmansi can look at 
https://patchwork.openvpn.net/patch/946/
(12:52:10) vpnHelper: Title: [Openvpn-devel] options.c: do not force route 
delay when not using DHCP - Patchwork (at patchwork.openvpn.net)
(12:52:12) mattock: plaisthos: I'm doing my best :)
(12:52:17) plaisthos: argv review is on me
(12:52:52) mattock: cron2: yep, that is high up my queue - actually I could put 
it on the top now, just finished something else
(12:52:53) cron2: the "do NCP right" stuff is not on the list, but needs to go 
in - syzzer/dazo/me?
(12:53:35) plaisthos: syzzer reviewed the first patch of the series and that 
got almost an ACK
(12:53:48) cron2: saw that :)
(12:54:34) cron2: ISTR the "2FA patch set" is on dazo
(12:55:18) plaisthos: the ncp v2 sounds  like crypto but is actually not :D
(12:55:27) plaisthos: it is more comparing lists etc.
(12:55:46) cron2: I can certainly have a look on that
(12:56:18) plaisthos: okay 4/4 is a bit crypto related (normalising of cipher 
names)
(12:57:02) cron2: "two step authentication methods" is the name of the patchset
(12:57:27) cron2: v1 is on the list, and dazo agreed to work on a v2 
that is "ready for merge", if I recall...
(12:57:57) cron2: given work load, I assume it's sitting on dazo's queue
(13:04:35) mattock: async-cc, ipv6-only, argv?
(13:05:04) cron2: ipv6-only is on me, argv is on plaisthos ("he just said so"), 
async-cc on plaisthos+ordex
(13:05:41) mattock: ok, so here's the current list - looks good?
(13:05:47) mattock: win buildslave: mattock
(13:05:47) mattock: wintun: rozmansi, lev, mattock
(13:05:47) mattock: do NCP right:   syzzer  
(13:05:47) mattock: 2FA patch set:  dazo, plaisthos
(13:05:47) mattock: async-cc:   ordex, plaisthos

[Openvpn-devel] Community meetings in January 2020

2020-01-06 Thread Samuli Seppänen
Hi,

Our community meetings will alternate between Wed 11:30 CET and Thu
20:00 CET.

Next meetings have been scheduled to

- Wed 8th  January 11:30 CET
- Thu 16th January 20:00 CET
- Wed 22nd January 11:30 CET
- Thu 30th January 20:00 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli


[Openvpn-devel] Summary of the community meeting (19th December 2019)

2019-12-19 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thursday 19th December 2019
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, lev, mattock and rozmansi participated in this meeting.

---

Discussed the status of wintun patches. The original patches have been
merged, with some improvements like support for multiple tunnels. What
remains is refactoring and improvements.

The OpenVPN 2.5 MSI installer code needs to be updated to include wintun
support. Rozmansi is working on it.

--

Discussed moving from netsh to ipapi on Windows. And, by default, using
ipapi via iService. While netsh is easier to debug, using ipapi is much
faster, which has a big effect with a large number of routes. Also noted
that netsh set/add can use "validate=no" to speed up DNS provisioning.

--

Agreed on having, in the short term, a thin command-line launcher that
allows running OpenVPN with iService from the command line. The iService
is required to use Wintun with OpenVPN.

--

Noted that IPv6 on forums was still unreachable. Cron2 and mattock
debugged and fixed this during the meeting.

--

Full chatlog attached

(20:54:28) mattock: almost time
(20:55:23) rozmansi [sid334387@gateway/web/irccloud.com/x-wjeamthsozplmfwu] è 
entrato nella stanza.
(20:55:35) rozmansi: hi
(20:58:24) mattock: hi!
(20:58:33) lev__: hello
(20:58:57) mattock: selvanair said he won't make it, but promised to check the 
chatlog
(20:59:04) mattock: cron2 said he'd be a bit late
(20:59:19) mattock: maybe we can start with wintun, if there is anything left 
to be discussed there :)
(21:00:43) lev__: original wintun patch series is merged
(21:00:59) lev__: next we have refactorings and improvements
(21:01:08) rozmansi: exactly
(21:01:17) lev__: some are acked, some are sent but not acked, some are not yet 
sent
(21:01:29) rozmansi: nothing drastic. just bits and odds (I suppose)
(21:01:46) lev__: IMO the most important is support of multiple tunnels
(21:01:58) lev__: functionality-wise
(21:02:02) rozmansi: oh, I can ack one right now. Tested it on my hardware 
today before I left for home...
(21:02:44) lev__: that's your patch :) 
(21:02:58) mattock: btw. "official" topic list is here: 
https://community.openvpn.net/openvpn/wiki/Topics-2019-12-19
(21:03:00) vpnHelper: Title: Topics-2019-12-19 – OpenVPN Community (at 
community.openvpn.net)
(21:03:04) lev__: the one with --dev-node support
(21:03:20) cron2: eww
(21:03:21) cron2: I'm here
(21:04:45) rozmansi: hi
(21:05:06) lev__: about installer - so far wintun support is in patch to 
openvpn-build, but that's NSIS installer 
(21:05:20) mattock: hi cron2!
(21:05:21) lev__: is it so that we plan to use MSI for 2.5
(21:05:27) mattock: yes
(21:05:29) lev__: guten aben
(21:05:33) rozmansi: lev__: yes
(21:06:09) lev__: so maybe we need wintun support there, too
(21:06:45) rozmansi: I have a PR to add MSI packaging on openvpn-build open a 
loong time now. But it's dusty and a lot of things changed in the meanwhile. I 
plan to get it in shape for 2.5
(21:07:41) rozmansi: That PR dates long before Wintun was created. So it has 
TAP-Windows6 driver install only.
(21:07:47) cron2: we want all the goodness in 2.5 :-)
(21:08:24) rozmansi: Adding Wintun to the MSI is easy, as Wintun is shipped as 
ready-to-use MSI merge module...
(21:09:24) rozmansi: What needs more work is to make something similar for the 
TAP-Windows6. The Wix's plugin used to install drivers (Difx) didn't perform 
very well on upgrades the last time I tested it.
(21:09:40) lev__: I've sent a patch today which removes 5s route-delay for 
non-dhcp IP set method. By default we use DHCP (expected wintun) and I was 
wondering, cannot we switch to IPAPI as a default to make connection 5 seconds 
faster
(21:10:18) rozmansi: Wintun should work with ipapi - WireGuard is using 
winipcfg to configure it.
(21:10:36) cron2: yes, we should be using ipapi via iservice by default
(21:10:41) lev__: as I mentioned in -devel, openvpn3 uses netsh and doesn't 
have that delay
(21:10:47) cron2: Selva has been talking about this for a long time
(21:11:06) cron2: netsh is easier to debug than ipapi ("because you can run the 
commands by hand") but ipapi is faster
(21:11:17) cron2: which makes a difference if you're installing like 10.000 
routes
(21:11:24) cron2: valdikss does this
(21:12:03) lev__: but that is relevant when you don't use iservice
(21:12:09) rozmansi: another delay, I fixed (but not sent a patch yet) with 
netsh is that netsh ipv4 dns set/add should have validate=no (as per IPv6). 
This speeds DNS provisioning considerably. I reckon that's because routes are 
not set _before_ the DNS.
(21:12:25) cron2: we can use IPAPI without iservice
(21:12:52) cron2: and ACK to rozmansi :)

[Openvpn-devel] Summary of the community meeting (11th December 2019)

2019-12-11 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 11th December 2019
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

dazo, lev, mattock and plaisthos participated in this meeting.

---

Discussed status of OpenVPN 2.5:



Added the "agreed upon in Trento hackathon" code freeze date (January
31st 2020) to that page.

Noted that even though wintun-enabled installers are available on the
official download pages we have not really received much feedback on
them. The wintun patches have been ACKed for the most part, but patch 4/7
will require special treatment. Mattock will ask rozmansi and selvanair
to join next Thursday's meeting (19:00 UTC):



Their review would be very valuable as they know Windows quite well.

--

Full chatlog attached
(12:32:30) mattock: hello
(12:32:44) plaisthos: hello mattock1 and mattock2
(12:33:39) mattock: I will kill one of my duplicates
(12:33:48) mattock2 ha abbandonato la stanza (quit: Quit: IRC for Sailfish 0.9).
(12:33:53) mattock: and there it goes
(12:34:46) mattock: who do we have here today?
(12:36:12) dazo: I'm here
(12:36:24) dazo: cron2 announced on -devel he couldn't make it
(12:37:45) dazo ha scelto come argomento: Next meeting 19/Dec/2019 at 20:00 
CET.  Agenda at https://community.openvpn.net/openvpn/wiki/Topics-2019-12-19
(12:38:02) mattock: ok
(12:38:18) mattock: once the bouncer I'm working on now works I may notice such 
messages :)
(12:38:22) mattock: so, topic
(12:38:23) mattock: s
(12:38:29) dazo: anyone heard from rozmansi lately?
(12:38:51) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2019-12-11
(12:38:52) vpnHelper: Title: Topics-2019-12-11 – OpenVPN Community (at 
community.openvpn.net)
(12:38:53) mattock: I have not
(12:39:15) mattock: he is known to appear if his name is mentioned
(12:40:33) mattock: so, 2.5?
(12:41:36) mattock: https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25
(12:41:38) vpnHelper: Title: StatusOfOpenvpn25 – OpenVPN Community (at 
community.openvpn.net)
(12:41:39) lev__: what is the code freeze date for 2.5 ?
(12:41:53) mattock: we don't have that afaik
(12:41:59) mattock: "Current tentative planning is "2.5 release on April 1st, 
2020". "
(12:42:05) mattock: that is 2.5.0
(12:42:21) mattock: we may want to set a freeze date to get things moving
(12:42:38) dazo: We discussed it briefly in Trento, IIRC we wanted all code to 
be applied by end of January
(12:42:50) ***lev__ looks for syzzer 
(12:43:11) dazo: then have stabilization process (rolling beta releases)  until 
release time
(12:44:18) lev__: we've added wintun-enabled client to download page and made 
an announcement to -users and -devel, but haven't got much feedback
(12:44:54) dazo: lev__: is everything you wanted merged in regards to wintun?
(12:44:58) mattock: I'll mention the January deadline on the planning page
(12:45:31) lev__: dazo: of course not :)
(12:45:49) lev__: 3 out of 7 is merged
(12:46:18) mattock: we may get more lucky with wintun testing during the 
stabilization phase
(12:46:21) lev__: 4 is most intrusive one, current version is v5
(12:46:44) lev__: mattock1: but that requires it to be merged into master
(12:46:44) mattock: while wintun installers are available on the download page 
"normal users" would just get the topmost release that opens up directly in 
their browsers
(12:46:49) plaisthos: client connect is waiting
(12:47:22) dazo: lev__: what are the risks of merging those patches to 
non-wintun users?
(12:50:00) lev__: good question
(12:51:01) lev__: while default option is tap-windows6 and users _should not_ 
be affected unless they explicitly set --windows-driver wintun, I have changed 
certain code paths
(12:52:21) lev__: I would say the goal of review is to make sure that overall 
code quality hasn't been made (much) worse
(12:54:29) lev__: but well, wintun bumps performance from 390 to 730 mbit/s, so 
I would say that is a huge step forward for Windows users
(12:55:43) dazo: I'm looking for a risk assessment, if we should consider 
applying the lazy-ack policy on these patches ... but then we need to have a 
better understanding of the risks associated with it
(12:58:01) lev__: the follow-up patches (5-7, or most of them) have been acked 
by Simon, they're mostly about interactive service
(13:01:35) dazo: I've updated the status page as well with a few more 
corrections etc
(13:01:56) mattock: so the follow-up stuff could be merged?
(13:02:53) dazo: well, patch 5-7 might depend on changes from 1-4 ;-)
(13:03:44) lev__: 5-6 are acked (just checked)
(13:04:47) lev__: I can ask Simon to have a look at 7/7 and ack it

[Openvpn-devel] Summary of the community meeting (5th December 2019)

2019-12-05 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thursday 5th December 2019
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock and Pippin participated in this meeting.

---

Lev now has access to the Windows 10 ARM64 laptop. Mattock will have to
do one more check to ensure that the VPN connection will remain alive at
all times.

---

Noted that HTTP to forums is broken. This may have something to do with
the forum upgrade by ecrist:



---

Reviewed and updated OpenVPN 2.5 status:



No updates on the OpenVPN 2.5 MSI installer (since the hackathon). As
that starts to be the last remaining "must have" for the release we need
to start poking rozmansi now.

---

Discussed tomorrow's mini-hackathon. Cron2 will be able to join in the
afternoon. Mattock will take a stab at configuring the IRC bouncer
(finally).

--

Full chatlog attached
(21:00:50) mattock: hi
(21:02:51) dazo: Hey!
(21:04:58) mattock: anyone else?
(21:07:19) dazo: hmm
(21:08:01) cron2: ho
(21:09:31) mattock: hi!
(21:09:49) cron2: who broke http to forums.openvpn.net?
(21:09:54) mattock: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19196.html
(21:09:56) vpnHelper: Title: [Openvpn-devel] Summary of the community meeting 
(27th November 2019) (at www.mail-archive.com)
(21:09:59) mattock: lollis
(21:10:02) mattock: sorry, wrong link
(21:10:08) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2019-12-05
(21:10:53) mattock: cron2: I did not know it even worked
(21:11:05) cron2: I have monitoring on it, so it worked until a few days ago
(21:11:30) cron2: if it has a v6 address, all services need to work.  Otherwise 
user experience sucks if a poor user happens to have a v6-enabled client
(21:12:27) mattock: I have not touched forums in a long while
(21:12:50) cron2: I think ecrist did updates a few days ago, including a 
freebsd update... this might have caused firewall changes
(21:12:59) mattock: yeah, sounds likely
(21:13:21) Pippin_: Hi, see: 
https://forums.openvpn.net/viewtopic.php?f=20=29291
(21:13:33) vpnHelper: Title: Server Upgrades December 3, 2019 - OpenVPN Support 
Forum (at forums.openvpn.net)
(21:13:48) cron2: takes me a while to get there... v6 is not working :)
(21:15:03) cron2: anyway, posted there, let's see :)
(21:16:28) mattock: so, what else shall we discuss today?
(21:16:46) mattock: arm64 "seems stable" and lev has access
(21:17:03) mattock: need to check one more thing to make sure it stays connected
(21:17:18) mattock: IRC bouncer is probably the next on my list
(21:17:40) mattock: I fixed an email delivery issue to gmail from trac, related 
to urlwatch
(21:17:54) mattock: internal PR is pending
(21:21:37) cron2: nice
(21:21:46) mattock: anything anyone else wants to bring up?
(21:21:50) mattock: tomorrow's mini-hackathon?
(21:22:02) cron2: I have no particulars, except "moar ACKs and speedier 
discussions needed"
(21:22:17) cron2: my TODO list has argv and ipv6-only
(21:22:31) dazo: Should we have a quick look at the status page?  
https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25
(21:22:32) vpnHelper: Title: StatusOfOpenvpn25 – OpenVPN Community (at 
community.openvpn.net)
(21:22:37) mattock: yes we probably should
(21:22:40) cron2: but I've been down with flu (or a bad cold) the last week so 
I didn't get much done :(
(21:23:17) dazo: I know ordex has been discussing ipv6only testing with krzee 
internally ... krzee will help out testing and provide test env
(21:23:42) cron2: nie
(21:23:44) cron2: c
(21:25:51) dazo: The "auth-gen-token: Inform client why auth-token was 
rejected" is replaced with plaisthos patches which should already be merged 
(the auth-gen-token patches we fiddled with for some time)
(21:26:18) dazo: struct argv overhaul is still in review  can move the 
responsibility for that one over to me
(21:26:42) dazo: (well, plaisthos volunteered to review it, but I'm following 
up the development of these patches now)
(21:27:30) cron2: dazo: well, since you did the last round of fixes, someone 
else can now do the review
(21:27:37) dazo: yeah
(21:27:41) cron2: has been sitting around too long, starts annoying me :)
(21:28:04) cron2: dazo: was the 2fa patchset fully ACKed?
(21:28:33) dazo: Need to double check the status of that 
(21:28:38) cron2: patchwork says "no ACK received on v2 of the patch set"
(21:29:14) cron2: on v1, only one ACK on 3/5 ("implement support for signalling 
IV_SSO")
(21:30:43) dazo: I dunno if there's been an updated set of patches sent to the 
ML ... I proposed to plaisthos to push out his stuff for review in a git 
branch, and we'll 

[Openvpn-devel] Community meetings in December 2019

2019-12-03 Thread Samuli Seppänen
Hi,

Our community meetings will alternate between Wed 11:30 CET and Thu
20:00 CET.

Next meetings have been scheduled to

- Thu 5th December 20:00 CET
- Wed 11th December 11:30 CET
- Thu 19th December 20:00 CET

The place is #openvpn-meeting IRC channel at Freenode. Meeting agendas
and summaries are in here:



Samuli


[Openvpn-devel] Summary of the community meeting (27th November 2019)

2019-11-27 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wednesday 27th November 2019
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, lev, mattock, ordex and syzzer participated in this meeting.

---

The Windows 10 ARM64 laptop seems to now stay connected reliably.
Mattock will wrap up the firewalls for it and create users for those who
need to access it, then the task is done.

---

Mattock will test an OpenVPN executable with wintun support with the
OpenVPN Windows test scripts:



It was agreed that integrating these scripts with Buildbot is a good
goal. So far mattock has run these scripts at release time only.

---

Noted that the conversion of the OpenVPN 2 man-page to RST format is
best done at 2.5 beta time, because some manual changes are necessary
after the automatic conversion process.

--

Full chatlog attached

(12:26:27) mattock: hello
(12:27:08) cron2: meow
(12:30:01) mattock: I have 30 mins today btw
(12:30:13) mattock: who do we have here besides cron2?
(12:30:18) ***syzzer present
(12:30:22) mattock: hi!
(12:30:27) syzzer: hello all :)
(12:31:44) lev__: hello
(12:31:50) mattock: hi lev!
(12:33:40) mattock: let's start this thing
(12:33:46) cron2: wooosh
(12:34:06) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2019-11-27
(12:34:08) vpnHelper: Title: Topics-2019-11-27 – OpenVPN Community (at 
community.openvpn.net)
(12:34:46) mattock: quick arm64 update
(12:35:03) mattock: connection to it "seems stable", as in: "windows update and 
reboots have not been able to kill it"
(12:35:10) mattock: nor has the thing completely shut down (yet)
(12:35:16) cron2: nice
(12:35:21) lev__: gutt
(12:35:56) mattock: firewall rules to isolate it from the rest of my network 
are in place, _but_ don't yet work as expected (-> need debugging)
(12:36:11) mattock: then it's just about creating user accounts for those who 
need it (lev primarily)
(12:36:36) mattock: next topic
(12:36:37) mattock: :)
(12:37:52) lev__: wintun!
(12:38:07) ***lev__ looks around
(12:38:16) ***syzzer hides
(12:38:24) cron2: haha :)
(12:38:30) syzzer: Didn't find time yet...
(12:40:02) lev__: yeah that one is most invasive, touches event handling in 
OpenVPN
(12:41:00) syzzer: anyone actually *testing* that commit would be very welcome 
btw
(12:41:24) syzzer: I can do stare-at-code, but don't expect to find time to 
perform any decent testing
(12:44:03) cron2: mattock1: you have this windows testing framework...
(12:44:13) cron2: kind of t_client tests for windows
(12:44:26) lev__: it probably makes sense to test the whole thing, including 
interactive service support in follow-up commits. The signed installer is here 
http://staging.openvpn.net/openvpn2/
(12:44:50) cron2: can we hook this into the buildbot repo, so we can push stuff 
at it and see if it explodes? With configs for "--dev-type tap6" and "wintun"?
(12:44:51) ***dazo is here ... almost forgot again :-$
(12:45:19) mattock: yes I do have Powershell-based Windows smoke-testing
(12:45:40) lev__: sounds like a plan
(12:45:45) mattock: basically it can test openvpn.exe (directly), openvpn-gui 
and even openvpnservice
(12:45:56) mattock: I do run it prior to doing releases
(12:46:34) mattock: if somebody can give an openvpn.exe plus libs I can run 
some basic tests
(12:46:59) ***lev__ raises hand
(12:47:02) mattock: https://github.com/OpenVPN/openvpn-windows-test
(12:47:03) vpnHelper: Title: GitHub - OpenVPN/openvpn-windows-test: Powershells 
scripts for automating testing of OpenVPN on Windows (at github.com)
(12:47:34) mattock: I believe openvpn-gui nowadays supports --disconnect which 
that PS script does not yet use (but would be nice if it did)
(12:47:36) syzzer: cool
(12:47:44) lev__: or you could just install the client from the link above
(12:47:51) mattock: that works as well
(12:48:37) lev__: BTW, GUI now supports development with Visual Studio - Selva 
has merged my PR recently
(12:48:57) mattock: yep
(12:49:03) lev__: we are making msvc dev great again
(12:49:08) cron2: yep (thanks to Selva, in absence :) )
(12:49:19) cron2: lots of PRs that "just happened" without me having to do 
anything
(12:49:34) ordex: hi
(12:49:45) lev__: bongiorno
(12:50:03) mattock: hi
(12:50:31) mattock: ok, move on?
(12:50:33) mattock: I have 10 minutes
(12:51:21) cron2: mattock1: can you hook this smoke-framework into buildbot?
(12:51:35) syzzer: sure, what's next?
(12:51:50) mattock: cron2: I probably could
(12:52:05) mattock: not sure what kind of mess that would end up as, but it's a 
good goal
(12:52:48) mattock: I primarily connect to the t_client servers with it 
anyways...
(12:53:19) ***cron2 puts that on mattocks1 TODO shortlist :))

[Openvpn-devel] Summary of the community meeting (21st November 2019)

2019-11-21 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Thursday 21st November 2019
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, mattock and ordex participated in this meeting.

---

Tomorrow mattock will resume work on "trying to make the Windows 10
ARM64 laptop connected to the VPN server at all times". The Powershell
script that does it (plus Puppet scheduled task glue) was finished and
tested during the hackathon.

---

Ordex resumed his async-cc patch review this week. He wants to get it
off his plate before it starts needing rebase again.

---

Cron2 would love if syzzer would find time to do the review of the v5
patch. He has had prior exposure.

--

Full chatlog attached
(21:00:48) mattock: hello
(21:03:08) cron2: hollo
(21:04:47) mattock: anybody else here?
(21:06:13) cron2: lots of folks idling in here...
(21:06:27) cron2: dazo, syzzer, ordex, plaistos: hello, good morning, how are 
you? *sing*
(21:08:09) ordex: unz unz
(21:08:18) mattock: oh we have somebody else! \o/
(21:08:20) cron2: ah, the rhythm appears
(21:08:27) ordex: anything to talk about? o-o
(21:08:46) cron2: 2.5 plannings?  or patch review? :-)
(21:09:13) mattock: I can tell that I will resume work on the "keep ARM64 
laptop connected" task tomorrow
(21:09:18) cron2: there has been lots of activity around the wintun patch 
set... one is cleanup (and I'll tackle that tomorrow) but for the rest I'm 
hoping for syzzer
(21:09:26) cron2: mattock1: so what happened to it, when it decided to die?
(21:13:00) mattock: cron2: did not check yet, but it seemed to be "alive" at 
least
(21:13:12) mattock: probably the VPN connection just died (e.g. reboot) and for 
some reason did not come up
(21:13:24) cron2: yeah, win10 likes reboots...
(21:13:56) mattock: but I finished the monitoring/recovery powershell script 
during the hackathon so I can just make that run there and test reboots etc.
(21:14:08) mattock: so, soonish, lev will get his arm64 test rig
(21:14:14) cron2: nice
(21:14:25) ordex: cool
(21:15:00) cron2: ordex: how's your time planning wrt async-cc review?  busy 
with that other secret project?
(21:15:30) cron2: (or still recovering from the invasion of too many hairy 
geeks into peaceful trento? :) )
(21:19:14) ordex: cron2: no, that's the current thing on my list
(21:19:20) ordex: re-started that this week
(21:19:22) cron2: recovering?
(21:19:27) ordex: haha
(21:19:30) ordex: no, the review
(21:19:32) ordex: :p
(21:19:41) cron2: how's the secret project going on?
(21:20:15) cron2: but async-cc review is certainly welcome
(21:20:40) ordex: yeah, better shoot that down as soon as possible
(21:20:49) ordex: otherwise it will just idle in the todo list over and over..
(21:21:01) ordex: i really want to get over it
(21:21:03) cron2: and age, and require rebase, and break, ... :))
(21:21:08) ordex: yes
(21:21:09) ordex: :D
(21:21:21) ordex: plaisthos already rebased that recently (after a poke)
(21:21:26) cron2: ah, good
(21:21:31) ordex: so it is up to date at the moment
(21:25:52) mattock: mkay
(21:28:52) mattock: anything else?
(21:29:13) cron2: I have nothing in particular.  Will look a few hours at the 
explosion in my mailbox and patchwork.
(21:29:30) mattock: sarcasm at work
(21:29:43) cron2: I'd really really love if syzzer would find time to do the 
review of the v5 patch... "prior exposure"
(21:30:03) cron2: well, that was "tomorrow, I'll look..." :-)
(21:30:06) mattock: syzzer: "You're our only hope" ^^^
(21:31:00) mattock: now, if there is nothing else, let's end this thing
(21:31:43) cron2: good night :-)
(21:31:53) mattock: likevise!
(21:31:55) cron2: next week wednesday, with hopefully lots of motivated working 
folks around
(21:31:58) mattock: yes!
(21:32:14) mattock: and an ARM64 laptop that refuses to stay offline!
(21:32:28) mattock: and is always available, despite microsoft update and all 
that
(21:32:30) mattock: :D

