Basic info
- Time: Wed 14th April 2021 14:00 CET (12:30 UTC)
- Place: #openvpn-meeting channel on Freenode IRC network + https://demo.vct.spacenet.de/openvpn (Jitsi)
Topics
- Sync up on OpenVPN 2.5 and 2.6
  - 2.5: next Tuesday.
    - patches pending
      - route lookup
      - compress-restore-on-SIGUSR1
      - 1666+1667 (fix client with --bind)
  - 2.6
    - please get ACKed patches in!
    - configure.ac coming
    - DCOoooooh :-)
- --key and --chroot (with and without --persist-key)
  - (Ordex, MaxF21, patches on the list)
  - key reloading on SIGUSR1 fails in chroot (it works with persist-key)
  - fix it? or make persist-key always-on? (consensus: we remove the "no-persist-key" path, make the feature always-on and the option a no-op)
- Option to set http-proxy on Android
  - suggestion: "dhcp-option HTTP-PROXY IP PORT" (this is for programs using the VPN, which should use this proxy. It is configured via the VPN API. Not "for OpenVPN" but "for everyone else". Check what the 3 client on iOS uses)
- Lev: dco-win driver in Windows installer
  - how do we want to do this?
  - msm package inside msi? (like for tap+wintun)
  - wintun created the msm approach but uses a different approach now
  - connect client brings tap binary + tapinstall.exe, no msm for tap-windows6
  - cron2 and mattock seem to recall "msm works better for driver upgrades than the old NSIS approach" but nobody knew for sure
  - mattock is talking to MS about arm64 support, we can ask the experts
  - ask Simon :-)
- --cipher in 2.6
  Currently this always adds that likely non-AEAD cipher to the data-ciphers list. This is bad for DCO.
  We have to pick one:
  - make DCO work without requiring the user to reconfigure --cipher/--data-ciphers
    - Requires modifying the config if you still want to connect to a 2.3 server or allow 2.3 clients
  - keep configuration compatibility with non-NCP servers/clients
    - Requires configuration changes to allow DCO
    - Windows OpenVPN 2.x with ovpn-dco-win will refuse to start with most configs
    - The complex interaction between data-ciphers, cipher and data-ciphers-fallback is still there.
    - need to add an option like 'occ-cipher' to avoid OCC warnings with 2.4/2.5 clients/servers.
  - make behaviour of OpenVPN dependent on selected driver
    - Only an interim solution. With 2.7 we still have to decide if we want to go with one of the other options
    - will create a lot of confusion.
    - Breaks the opportunistic approach of allowing OpenVPN to automatically enable DCO if the config is DCO compatible
  - Introduce "--compat-mode"
    - Without the option, OpenVPN will behave like the first option
    - Also increase TLS min version to 1.2 by default
    - default to --nobind when --pull is active
Last modified on 04/21/21 12:06:08