wiki:Topics-2024-03-13

Basic info

  • Time: Wednesday 13 March 2024 at 13:00 CEST (11:00 UTC)
  • Place: #openvpn-meeting channel on LiberaChat IRC network

Topics

Current topics

  • New: topic from an openvpn inc contributor to community (illia)
    Would like to discuss the --inactive option, which disconnects a VPN when it has not been sending/receiving for more than the set timeout in seconds.
    One part of it is that openvpn2 only counts outgoing packets and openvpn3 counts incoming and outgoing. Which is correct?
    Another part is the type of packets to count; this is all not so clear.
    For now we are counting any packets, and ICMP spam from the router resets the inactive timeout very often for openvpn3, so it disconnects later than openvpn2.
    Current proposal: also count incoming packets for openvpn2, and do not reset the inactive timeout on ICMP packets for both openvpn3 and openvpn2.
    There was an argument made that "this is how it has been in openvpn2 forever and we had no complaints", but oddly the documentation claims incoming and outgoing is counted.
    After looking into this a bit, some screwiness was found with tracking the data in openvpn2 that could use fixing, and illia will work on it.
    There is also some voodoo happening in openvpn2 that skips inactive reset packets, and similar magic is missing in openvpn3, so illia will work on that too.
  • New: breaking DCO changes, how to approach?
    During the upstreaming process to the Linux kernel some alterations had to be made.
    This made the updated implementation different enough from ovpn-dco-v2 that OpenVPN 2.6 won't work with it anymore.
    The plan is to adjust OpenVPN 2.6 so it can support both ovpn-dco-v2, delivered as an out-of-tree kernel module, and the new in-tree kernel module.
    We can then update the out-of-tree kernel module to work in the new way and have a graceful transition period.
    So when it goes upstream and is in the Linux kernel, or DCO is installed out-of-tree, it will work the same.
    We can later decide when to drop support for the old ovpn-dco-v2 methods.
  • Updated: openvpn 2.6.10 release
    There are some Windows-related issues to be resolved in this release.
    Was planned for this week; pushed to the beginning of next week.
  • Updated: website release process
    A website release is planned for next week that will enable a new way of updating the Community Downloads page.
    The new way has a much faster release method separate from the rest of the website's release schedule.
  • server-side testing status and next meeting
    • mattock has created a PoC of --dev null "does a client connect" check
      • client config has "--dev null" and "ifconfig-noexec"
        • uses an "up" script to stop the parent (openvpn) process gracefully soon after connection initialization
        • the "up" script almost certainly includes some Linux-specifisms
        • example usage:
          • openvpn --config client.conf |grep "Initialization Sequence Completed"
        • integration with "make check", buildbot, etc. is still missing
        • next steps:
          • integrate the PoC with "make check"
          • make the script portable
          • buildbot integration (if required separately)
      We want to continue on this topic once a bit more progress has been made.
  • forums topics
    A new forum is under construction, but spammers have already found it.
    Suggestion is to give openvpn_inc user novaflash and Pippin_ full admin rights so they can help find a solution and help maintain the forums.
    To be discussed with ecrist.
    Layout and categories look ok?
    Access for Mod to delete users that put spam url in profile and never post a message, currently I cannot discover a way to delete those(1)
    Related to above, Access for Mod to edit user profiles (asks for AdminCP password)(1)
    Mod guide, hard or soft delete (chuck board?), what to do with GDPR, etc. (write it down and actually make it available to mods, maybe a hidden topic)
    Access for mods to logs so one can see what others did
    Email confirmation on register?
    Forgot password or user name? and Contact?
    Considering some existing platform to do discussions next to forum?
    (1) May not be necessary if enough admin available
  • Status of SBOM
    There was a discussion between MaxF and djpig and others.
    For OpenVPN2 / OpenVPN-NL, there is not much overlap, as OpenVPN2 doesn't ship much in terms of libraries, but OpenVPN-NL does.
    The interesting use-case for an SBOM is really the OpenVPN Windows GUI client.
  • Debian and Ubuntu snapshot packages and buildbot
    • Cloudfront + S3 + aptly PoC is complete and seems to work fine
    • Cloudfront caches need to be invalidated when new packages are added or removed, or the apt repository will end up in an inconsistent state almost immediately
    • If we use swupdate.openvpn.net to publish the snapshots we will have to deal with cloudfront + cloudflare.
    • We can choose to just publish snapshots on build.openvpn.net. This seems the preferred option.
    • Alternatively a new S3 bucket + cloudfront can be done. Whatever people like best.
    • Buildbot integration is missing, but should be fairly straightforward
    • This will probably have to wait until "--dev null" is done
  • status of trac/wiki
    No progress since last meeting.
    This will probably have to wait until "--dev null" is done
    Should have access controls so only approved members can edit.
  • Security mailing list procedure can stand improvement
    To be discussed in more detail later.
  • community funding
    ordex has an initiative he wants to bring up regarding dev resources to be added to community.
    This may tie into the donations topic.
    In short ordex convinced OTF (Open Tech Fund) to provide a "test FOSS funding scheme" to OpenVPN.
    This would, for example, allow paying for allocated hours for mattock and cron2 to work on OpenVPN community tasks.
    This is to be worked out more and in collaboration between OpenVPN Community, OpenVPN Inc., and OTF.
  • donation collection
    what are the options?
  • OpenVPN community meetup 2024
    Naming: We decided to rename from 'Hackathon' to 'OpenVPN community meetup'. This has a more open spirit to it, as we want to encourage developers and those interested in contributing to feel welcome.
    Where: Karlsruhe, Germany. It is a relatively central location in Europe and is fairly easily reachable by train. A meeting location is yet to be arranged.
    When: At the moment tentatively set to 20-22 September 2024.
    Who: We'll do an open invitation to openvpn-devel mailing list, but also CC: specifically past attendees and people of interest.
    Shirts: There is plenty of time still to prepare a shirt design.
  • OpenVPN 2.6 performance results.
    Tests should cover: gre, ipsec, userland, dco
    on linux, freebsd, windows.
    Requires time to be dedicated to doing this; will be done when time is available.
  • software code signing topic
    The company switched EV code signing to cloudhsm; this is the same cert type we use for driver signing and is also suitable for binary signing.
    In future we could possibly switch the community to that same key, which saves having to maintain 2 different keys.
    Depends on how hard/easy it is to access the company key signing thingee from community infrastructure.
    Also not a high priority at the moment; we have a working solution now.
  • Management interface documentation on main website will be updated with info from doc/management-notes.txt
    novaflash will pick this up at some point
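
Added example for the --inactive topic above (not OpenVPN code and not from the meeting): a small model that replays one packet trace under the three accounting policies named in the notes and shows how the disconnect time differs. The policy names, the trace and the simplification that any counted packet resets the timer are assumptions made for illustration.

```python
# Added illustration, not OpenVPN source. Policy names, the trace and the
# "any counted packet resets the timer" simplification are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: int          # seconds since the tunnel came up
    direction: str  # "in" or "out", as seen by the client
    proto: str      # "tcp", "udp" or "icmp"


# Which packets reset the inactivity timer under each policy from the notes.
POLICIES = {
    "ovpn2_current": lambda p: p.direction == "out",  # outgoing only
    "ovpn3_current": lambda p: True,                  # everything, both ways
    "proposal": lambda p: p.proto != "icmp",          # both ways, skip ICMP
}

# Constructed trace: a short TCP exchange, then only router ICMP every 20 s.
TRACE = [
    Packet(5, "out", "tcp"),
    Packet(6, "in", "tcp"),
    Packet(10, "out", "tcp"),
    Packet(30, "in", "tcp"),  # late reply from the server side
] + [Packet(t, "in", "icmp") for t in range(20, 201, 20)]


def disconnect_time(trace, timeout, policy):
    """Return the second at which the inactivity timer fires."""
    counts = POLICIES[policy]
    last_activity = 0
    for pkt in sorted(trace, key=lambda p: p.t):
        if pkt.t - last_activity >= timeout:
            break  # timer already fired before this packet arrived
        if counts(pkt):
            last_activity = pkt.t
    return last_activity + timeout


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:14s} disconnects at t={disconnect_time(TRACE, 60, name)}s")
```

With a 60 second timeout, the outgoing-only policy ignores the late incoming reply, the count-everything policy is kept alive by the ICMP traffic until it stops, and the proposal times out 60 seconds after the last non-ICMP packet in either direction.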
Last modified on 03/14/24 09:36:24