= OpenVPN Hackathon 2017 = [[TOC(inline, depth=1)]] == who == This year's hackathon is organized by Heiko Hund (d12fk). We will stick to the format of the previous years, which means attendance is in principle limited to "active developers that are also regularly contributing to #openvpn-devel or the mailing list". We should have enough space in the meeting room for 16 devs. == who is coming? == ||= Name =||= Topics =||= Arrival =||= Departure =||= Hotel =|| || Heiko Hund || - || Fri. 10am || Sun. 20pm || @home || || Antonio Quartulli || traffic manipulation API || Thu noon || Sun afternoon || Der Blaue Reiter || || Samuli Seppänen || OpenVPN 3 development || Thu late evening || Sun mid-afternoon || Der Blaue Reiter || || Steffan Karger || Post-quantum key exchange, performance || Fri 13:16 (Bhf Durlach) || Sun mid-afternoon || Blaue Reiter || || Gert Döring || branch maintenance - what goes where, and why? || Fri noon-ish || Sun late afternoon || Blauer Reiter || || Arne Schwabe || - || Fri 12 am at HBF || Sun late afternoon || Blauer Reiter || || David Sommerseth || clean-ups, plug-ins, OpenVPN 3 client || Thursday evening || Sun afternoon || Blaue Reiter || || Lev Stipakov || ovpn3 || Thu late evening || Sun mid-afternoon || Der Blaue Reiter || || Jan Just Keijser || performance, EduVPN || Friday early afternoon || Sun late-afternoon || Der Blaue Reiter || || Gert van Dijk || Post-quantum key exchange, documentation || Fri 13:16 (Bhf Durlach) || Sun mid-afternoon || Blaue Reiter || || Johan Draaisma || Moral support || Thu noon-ish || Sun at noon || Der Blaue Reiter || || James Yonan || || Thursday || || || || Simon Rozman || eduVPN, MSI packaging || Thu late evening || Sun mid-afternoon || Der Blaue Reiter || || François Kooman || eduVPN, OAuth || Thu afternoon || Mon || Der Blaue Reiter || == where? == The meeting is held at the Sophos office in Karlsruhe (Germany): [https://osm.org/go/0DlEda7Ld?m=&node=2127345937]. Karlsruhe is an one hour ICE train ride away from Frankfurt Airport. If you have any questions or got lost - please contact Heiko at +49 172 74 911 92. == when? == The hackathon will take place from Friday November 10th 2017 to Sunday November 12th. == what? == So what is the goal of the Hackathon? * should we get rid of LZ4 as bundled library and always rely on what the system has installed? * plan clean up route.c and tun.c - which approach should we use? improve OS/distro modularization? settle on an improved API? * add more topics here! We're all open for additions here - I think the meetings in Brussels (2011+2012), Munich (2013+2014), Delft (2015) and Helsinki (2016) have shown that "just being able to sit together and hack" is a useful exercise. == input == There will be drinks and snacks to get us through the day. We have a kitchen, so you can also [https://xkcd.com/149/ make sandwiches] or a bowl of cereals. Chance of BBQ if there's demand in November. == internet == Free Wifi and wired network is available == accommodation == The closest Hotel is the "Der Blaue Reiter" just across the street.[[BR]] Cheapest accomodation is [http://www.ibis.com/gb/hotel-3179-ibis-budget-karlsruhe/index.shtml IBIS budget] a good 10 minute walk away. == results == (informal notes on some of the discussions that benefit from writing down) * MSI (samuli, simon, steffan) * TAP-Windows driver: * MSI (and MSM) packages are to be built on Windows using WiX Toolset. * Test certificates are injected prior driver installation on all supported Windows versions. * Possible later improvements: * tapinstall.exe is to be eventually replaced with vanilla GPL-licenced utility. * add metadata to the driver .inf file to allow it to be installed from the file's context menu in explorer * OpenVPN: * MSI package creation is integrated into openvpn-build using either msitools (preferred) or by running WiX toolset with Mono * The initial installer will be a silent one and aimed for enterprises and advanced users * It will not include any GUI, so normal users may/will get confused * Simon prepares the initial sample, we discuss options when we have something to work on. * UI while installing is not required or kept to the minimum. * MSI packages are also to be packed into an EXE installer for end-users. * route.c / tun.c rehaul (ordex, dazo, cron2, jjk) * Linux support for ifconfig/route is dropped * we keep iproute2 support (because jjk brought up special cases where you really want to call out to external programs that can be wrapped to "do local things", and --up scripts are just much more effort) * we add direct netlink support * netlink support needs to come along with strong unit tests that verifies all setter/getter operations using explicit "ip ..." calls to verify that our abstraction layer is really doing what it's meant to (cron2 worried about binary representations being error-prone) * the netlink library needs to clearly print what it does to the log ("what it thinks it does", and the unit test needs to ensure that this is actually true) * we split route.c to route.c and route-platform.c, but we do not want route-{linux,freebsd,netbsd,solaris,..}.c as that would be mostly copy-paste code duplication of mostly identical code with "one line different" (the route call) * we look into splitting tun.c into tun-unix.c and tun-win32.c, but not tun-{linux,freebsd,netbsd,solaris,...].c, for the same reasons * tun.c needs to see all those nearly-identical tun_read()/tun_write() functions merged into one place, and then we see what else is copy-paste code reuse * Vagrant (dazo, mattock, cron2, lev, johan, antonio) * we have a few use-cases for Vagrant * allow any developer to (build)test their patches on other platforms (e.g. OpenBSD 6) to reduce communication overhead * allow developers to run local tests against variously configured * mattock has a very rudimentary Vagrant setup [here|https://github.com/mattock/openvpn-vagrant] * next steps * add basic provisioning scripts for each platform to install build requirements for OpenVPN * setup a t_client style server setup that can be used for manual testing * integrate client and server parts together with more automation * block-ipv6 patch * considered good idea, arne will cleanup patch and resend patch * `--tls-cert-profile` * The OpenSSL 'custom security callbacks' are undocumented and not very well fit to implement an mbed TLS-like tls-cert-profile option. * So, instead of trying to mimic the mbed TLS behaviour, just go for the much simpler approach and set OpenSSL seclevels. We'll accept slightly different behaviour between openssl and mbed TLS, at least for now. * Steffan will send David his patches that attemp to reimplement tls-cert-profile for openssl, so he can give it a try too if he wants to. * Steffan will send a v2 of the mbed patch that will print a warning for openssl build, instead of refusing to start, if --tls-cert-profile is used. * Steffan will later send a patch to implement the seclevel approach for openssl. * argv processing clean-up (David, Heiko) * Heiko has some patches on the ML which have been awaiting some updates since last Hackathon; approximately half of the patch-set have been applied but the rest have been lingering since that time. David and Heiko reviewed these last outstanding patches and agreed to clean them up and rebase on master to complete these patches * One bug is discovered and will be fixed before sent to the ML * Considered if callers of the argv_*() functions should be enforced to provide a gc_arena. Decided such a change would be quite intrusive and not providing any clear gains. The argv_*() functions already have an internal gc_arena which is used for the argv arrays of string pointers and is handled properly there. Where memory is allocated by argv_*() functions to be returned to the calling function, a gc_arena pointer is already provided in that call; that allocation happens in the gc_arena owned by the caller. This provides a clear separation between internal processing and callers. * Will also try to add a bit more code comments to ensure the code is easier to understand in the future