IrcMeetings

Basic info

• Time: Wednesday 27 March 2024 at 13:00 CEST (11:00 UTC)
• Place: #openvpn-meeting channel on LiberaChat IRC network

Topics

Current topics

• New: when to deprecate weak ciphers
  Weak ciphers like 3DES and BF-CBC - what to do with them and when?
  Originally it looks like it was planned to remove in 2.7 but that may be too soon.
  For example OpenVPN Inc. still sees customers with 10+ year old installations fairly regularly.
  A proposal to consider may be to deprecate it when crypto libraries deprecate it.
  Weighing the expected complaints versus the low cost of just maintaining weak ciphers until crypto libraries deprecate them - the choice seems obvious.
  For now we'll stick with letting weak ciphers stay in unless there is some convincing reason to remove it.
  

• Closed: OpenVPN 2.6.10 release
  This was released 20th of March.
  

• Closed: OpenVPN 2.5.10 release
  This was released 21st of March, including new Windows installers.
  

• Closed: community funding initiative
  ordex convinced OTF (Open Tech Fund) to let OpenVPN join the "FOSS sustainability funding pilot run".
  This allows to pay for allocated hours for mattock and cron2 to work on OpenVPN community tasks.
  Some ongoing tasks are listed under 'Mattock Topics' in the meeting notes and have already been going on for a while.
  This topic is therefore considered closed for now.
  

• Closed: inactive setting data counter in openvpn2 and openvpn3
  It looks like openvpn2 and openvpn3 handle the counting of traffic for this differently.
  After some discussion it was decided illia will submit some suggested fixes.
  This will now follow standard procedure for patch submission and review. Closing topic.
  

• Closed: tunnelblick and sophos UTM
  Looks like Tunnelblick implemented a fix on their end.
  ​https://github.com/OpenVPN/openvpn/issues/525
  

• Updated: website release process
  Last week a website release was planned that would enable a new way for updating Community Downloads page.
  Postponed to this week. We'll see.
  

• Updated: forums topics
  ecrist still working on forums. admin access issue looks resolved. email issue looks resolved.
  Plan is to soon switch URLs so new forum is on forums.openvpn.net and old forums is on archive address.
  - email confirmation on registration was suggested.
  - we still need to work on having some other people with some admin or high mod access.
  - mod guide, hard or soft delete (chuck board?), what to do with GDPR, etc. (write it down and actually make it available to mods, maybe a hidden topic)
  - access for mods to logs so one can see what others did
  

• Updated: DCO and Linux upstreaming, API change
  Upstreaming DCO to Linux is proceeding, it is in review stage at the moment.
  ordex will prepare a v3 patchset soon based on feedback received.
  There will be an API change that makes it incompatible with the current implementation.
  A graceful solution to that was already discussed and in motion. giaan will be working on this.
  (in a nutshell, make OpenVPN understand old and new API, DKMS and kernel versions both will then use new API, then we drop old API)
  

• Updated: mattock topics
  Made it so --dev null tests can run arbitrary numbers of servers concurrently, and have arbitrary amount of clients run in parallel to these servers.
  Will probably look into separating the --dev null test data (test cases) from the test scripts.
  Also started on debian snapshot publishing but didn't get very far there yet.
  

• Security mailing list procedure can stand improvement
  dazo and novaflash will start discussing this internally in openvpn inc.
  Goal of discussions is to work out a better internal procedure to connect security mailing list better with company product responsible people.
  

• donation collection
  ordex consulted an expert and it looks like doing a legal entity does not make sense when you're just starting out.
  The tricky part here is that only if we get a lot of donations and a lot of money does it make sense to have that kind of overhead.
  What we can do is start out with a company that collects the money and puts it to good community use. ordex volunteers to take this on.
  We want the donations to be collected in one place, and expenses made from that one place, so we are accountable.
  We need to figure out how to deal with that legally, and what payment methods to accept and how.
  Probably credit card is a must. Maybe paypal as well. Bitcoin seems to encounter some resistance in the discussions.
  And a reminder; we definitely do not want the donation thing to be forced - have a mechanism to do it, but keep it out of the way.
  

• Status of SBOM
  There was a discussion between MaxF and djpig and others.
  For OpenVPN2 / OpenVPN-NL, there is not much overlap, as OpenVPN2 doesn't ship much in terms of libraries, but OpenVPN-NL does.
  The interesting use-case for an SBOM is really the OpenVPN Windows GUI client.
  

• status of trac/wiki
  No progress since last meeting.
  This will probably have to wait until "--dev null" is done
  Should have access controls so only approved members can edit.
  

• Tunnelcrack progress TunnelCrack community wiki article
  Current status: when mitigations start appearing we will mention them in meeting notes.
  

• OpenVPN community meetup 2024
  Naming: We decided to rename from 'Hackathon' to 'OpenVPN community meetup'. This has a more open spirit to it, as we want to encourage developers and those interested in contributing to feel welcome.
  Where: Karlsruhe, Germany. It is a relatively central location in Europe and is fairly easily reachable by train. A meeting location is yet to be arranged.
  When: At the moment tentatively set to 20-22 September 2024.
  Who: We'll do an open invitation to openvpn-devel mailing list, but also CC: specifically past attendees and people of interest.
  Shirts: There is plenty of time still to prepare a shirt design.
  

• Static-key mini how-to is outdated.
  This page is outdated badly: https://openvpn.net/community-resources/static-key-mini-howto/
  company will send this to tech writer to redo based on ​https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/example-fingerprint.rst info
  and also retain a link to that github doc.
  having a simple guide online will help adoption
  

• OpenVPN 2.6 performance results.
  tests should cover: gre, ipsec, userland, dco
  linux, freebsd, windows
  requires time to be dedicated to doing this, when time available will do it
  

• What's going on with new taskbar icons?
  matt provided icons in ​https://github.com/OpenVPN/openvpn-gui/issues/595
  last update: will be picked up by selva when he has time
  

• software code signing topic
  company switched EV code signing to cloudhsm, this is same cert type we use for driver signing, is also suitable for binary signing.
  in future we could possibly switch community to that same key. saves having to maintain 2 different keys.
  depends on how hard/easy it is to access company key signing thingee from community infrastructure.
  also no high priority at the moment, we have a working solution now.
  

• Management interface documentation on main website will be updated with info from doc/management-notes.txt
  novaflash will pick this up at some point

Mattock topics

--dev null server testing

Mattock has implemented the first version of the so-called "--dev null server testing" and integrated it with "make check". The features are:

• Does what it says on the tin (more on that later)
• Mostly operating-system agnostic
• Should be POSIX shell compliant
• Uses the sample certificates and keys
• Supports running directly as root and with sudo
• Supports using different OpenVPN client versions
  • The "current" (just compiled) version
  • Any other OpenVPN versions (must be present on the filesystem)
• Support testing for success as well as failure
• Server configuration is currently static (i.e. no support for multiple server configurations yet)
• How would we go about running OpenVPN 2.4, 2.5, 2.6, etc. clients against the "--dev null server"

Here's how it works:

1. make check
   1. t_server_null.sh
      1. t_server_null_server.sh
         • Launches the compiled OpenVPN as root (if necessary with sudo)
         • OpenVPN server exits when all clients have been disconnected for ten seconds, based on its status file
      2. t_server_null_client.sh
         • Launches each individual client test
         • Client kills itself after some delay using an "--up" script

Current PoC code is available in mattock's "dev_null" branch. A good starting point is ​t_server_null.sh.

What should be the next steps?

• Basic approach ok?
• Is starting with a single server configuration ok?
• Which server configuration(s) should we test against?
• Which client configurations should we test (success or failure)?
• Which operating systems do we want to support in this context? Linux and BSDs? Something more esoteric?
• Which OpenVPN client versions should we run?

Debian/Ubuntu snapshot publishing

• In the last meeting we agreed to publish snapshot Debian/Ubuntu packages on *build.openvpn.net*
• The tool to use to publish is ​aptly
• aptly does not have direct support for running commands (e.g. rsync, scp) after publishing packages, e.g. to a local filesystem on the buildmaster
  • Option 1 (hacky): use inotifywait with rsync or scp to copy the published repo to build.openvpn.net
  • Option 2 (less hacky): use NFS to publish "directly" to build.openvpn.net
  • Both options require a fair amount of tinkering