OpenVPN Hackathon 2017


This year's hackathon is organized by Heiko Hund (d12fk).

We will stick to the format of the previous years, which means attendance is in principle limited to "active developers that are also regularly contributing to #openvpn-devel or the mailing list". We should have enough space in the meeting room for 16 devs.

who is coming?

Name Topics Arrival Departure Hotel
Heiko Hund - Fri. 10am Sun. 20pm @home
Antonio Quartulli traffic manipulation API Thu noon Sun afternoon Der Blaue Reiter
Samuli Seppänen OpenVPN 3 development Thu late evening Sun mid-afternoon Der Blaue Reiter
Steffan Karger Post-quantum key exchange, performance Fri 13:16 (Bhf Durlach) Sun mid-afternoon Blaue Reiter
Gert Döring  branch maintenance - what goes where, and why? Fri noon-ish Sun late afternoon Blauer Reiter
Arne Schwabe  - Fri 12 am at HBF Sun late afternoon Blauer Reiter
David Sommerseth clean-ups, plug-ins, OpenVPN 3 client Thursday evening Sun afternoon Blaue Reiter
Lev Stipakov ovpn3 Thu late evening Sun mid-afternoon Der Blaue Reiter
Jan Just Keijser performance, EduVPN Friday early afternoon Sun late-afternoon Der Blaue Reiter
Gert van Dijk Post-quantum key exchange, documentation Fri 13:16 (Bhf Durlach) Sun mid-afternoon Blaue Reiter
Johan Draaisma Moral support Thu noon-ish Sun at noon Der Blaue Reiter
James Yonan Thursday   
Simon Rozman eduVPN, MSI packaging Thu late evening Sun mid-afternoon Der Blaue Reiter
François Kooman eduVPN, OAuth Thu afternoon Mon Der Blaue Reiter


The meeting is held at the Sophos office in Karlsruhe (Germany):

Karlsruhe is an one hour ICE train ride away from Frankfurt Airport.

If you have any questions or got lost - please contact Heiko at +49 172 74 911 92.


The hackathon will take place from Friday November 10th 2017 to Sunday November 12th.


So what is the goal of the Hackathon?

  • should we get rid of LZ4 as bundled library and always rely on what the system has installed?
  • plan clean up route.c and tun.c - which approach should we use? improve OS/distro modularization? settle on an improved API?
  • add more topics here!

We're all open for additions here - I think the meetings in Brussels (2011+2012), Munich (2013+2014), Delft (2015) and Helsinki (2016) have shown that "just being able to sit together and hack" is a useful exercise.


There will be drinks and snacks to get us through the day. We have a kitchen, so you can also make sandwiches or a bowl of cereals. Chance of BBQ if there's demand in November.


Free Wifi and wired network is available


The closest Hotel is the "Der Blaue Reiter" just across the street.
Cheapest accomodation is IBIS budget a good 10 minute walk away.


(informal notes on some of the discussions that benefit from writing down)

  • MSI (samuli, simon, steffan)
    • TAP-Windows driver:
      • MSI (and MSM) packages are to be built on Windows using WiX Toolset.
      • Test certificates are injected prior driver installation on all supported Windows versions.
      • Possible later improvements:
        • tapinstall.exe is to be eventually replaced with vanilla GPL-licenced utility.
        • add metadata to the driver .inf file to allow it to be installed from the file's context menu in explorer
    • OpenVPN:
      • MSI package creation is integrated into openvpn-build using either msitools (preferred) or by running WiX toolset with Mono
      • The initial installer will be a silent one and aimed for enterprises and advanced users
        • It will not include any GUI, so normal users may/will get confused
    • Simon prepares the initial sample, we discuss options when we have something to work on.
    • UI while installing is not required or kept to the minimum.
    • MSI packages are also to be packed into an EXE installer for end-users.
  • route.c / tun.c rehaul (ordex, dazo, cron2, jjk)
    • Linux support for ifconfig/route is dropped
    • we keep iproute2 support (because jjk brought up special cases where you really want to call out to external programs that can be wrapped to "do local things", and --up scripts are just much more effort)
    • we add direct netlink support
    • netlink support needs to come along with strong unit tests that verifies all setter/getter operations using explicit "ip ..." calls to verify that our abstraction layer is really doing what it's meant to (cron2 worried about binary representations being error-prone)
    • the netlink library needs to clearly print what it does to the log ("what it thinks it does", and the unit test needs to ensure that this is actually true)
    • we split route.c to route.c and route-platform.c, but we do not want route-{linux,freebsd,netbsd,solaris,..}.c as that would be mostly copy-paste code duplication of mostly identical code with "one line different" (the route call)
    • we look into splitting tun.c into tun-unix.c and tun-win32.c, but not tun-{linux,freebsd,netbsd,solaris,...].c, for the same reasons
    • tun.c needs to see all those nearly-identical tun_read()/tun_write() functions merged into one place, and then we see what else is copy-paste code reuse
  • Vagrant (dazo, mattock, cron2, lev, johan, antonio)
    • we have a few use-cases for Vagrant
      • allow any developer to (build)test their patches on other platforms (e.g. OpenBSD 6) to reduce communication overhead
      • allow developers to run local tests against variously configured
    • mattock has a very rudimentary Vagrant setup [here|]
    • next steps
      • add basic provisioning scripts for each platform to install build requirements for OpenVPN
      • setup a t_client style server setup that can be used for manual testing
      • integrate client and server parts together with more automation
  • block-ipv6 patch
    • considered good idea, arne will cleanup patch and resend patch
  • --tls-cert-profile
    • The OpenSSL 'custom security callbacks' are undocumented and not very well fit to implement an mbed TLS-like tls-cert-profile option.
    • So, instead of trying to mimic the mbed TLS behaviour, just go for the much simpler approach and set OpenSSL seclevels. We'll accept slightly different behaviour between openssl and mbed TLS, at least for now.
    • Steffan will send David his patches that attemp to reimplement tls-cert-profile for openssl, so he can give it a try too if he wants to.
    • Steffan will send a v2 of the mbed patch that will print a warning for openssl build, instead of refusing to start, if --tls-cert-profile is used.
    • Steffan will later send a patch to implement the seclevel approach for openssl.
  • argv processing clean-up (David, Heiko)
    • Heiko has some patches on the ML which have been awaiting some updates since last Hackathon; approximately half of the patch-set have been applied but the rest have been lingering since that time. David and Heiko reviewed these last outstanding patches and agreed to clean them up and rebase on master to complete these patches
    • One bug is discovered and will be fixed before sent to the ML
    • Considered if callers of the argv_*() functions should be enforced to provide a gc_arena. Decided such a change would be quite intrusive and not providing any clear gains. The argv_*() functions already have an internal gc_arena which is used for the argv arrays of string pointers and is handled properly there. Where memory is allocated by argv_*() functions to be returned to the calling function, a gc_arena pointer is already provided in that call; that allocation happens in the gc_arena owned by the caller. This provides a clear separation between internal processing and callers.
    • Will also try to add a bit more code comments to ensure the code is easier to understand in the future
  • Version life cycle
    • Agreed that our current approach is quite good, but poorly documented and communicated.
    • David and Steffan wrote a draft that should help change that, comments and contributions very welcome:
    • We will aim for having all 2.5 features in for the 2018 hackathon, and go into 'produce a release mode' afterwards.
      • tls-crypt-v2
      • transport plugin (primary use case: obfuscation)
      • netlink support (includes route.c / tun.c refactoring)
      • 'make VPN fast again!'
      • remove ENABLE_CRYPTO
      • purge NSIS installers (migrate to MSI installers)
      • VLAN patch set
      • support for multiple sockets (UDP/TCP/multi-port/multi-IP)
      • dynamic routes ('route in ccd-file'), depends on netlink support
      • improve control channel performance
      • update the PRF to ditch MD5/SHA1 (not because broken crypto (it is not!), but for simplicity and marketing)
      • maybe: add PRF plugin interface
      • maybe: add key exchange plugin interface (allows easily doing .e.g post quantum kex)
      • maybe: add data channel separation (or, move to ovpn3, which already has this?)
      • maybe: fix radius-plugin - plugin is useful but not maintained very well
  • Control channel optimization
    • Gert van Dijk and Steffan will be looking into optimizing the control channel the coming weeks.
    • Discussed with Arne that we probably would need some dynamic window size to increase performance.
    • We want to keep the OpenVPN implementation simple, and have a very strong preference to not change the wire format (ie, must be backward compatible).
    • Arne will look into good candidate window size algorithms, and make a suggestion about which to use.
Last modified 6 years ago Last modified on 11/12/17 14:03:06