OpenVPN Hackathon 2018

This year's hackathon is organized by Andriy Revin and David Sommerseth.

We will stick to the format of the previous years, which means attendance is in principle limited to "active developers that are also regularly contributing to #openvpn-devel or the mailing list". We should have enough space in the meeting room for 10-14 devs.

Who is coming?

| Name | Topics | Arrival | Departure | Hotel |
|---|---|---|---|---|
| Andriy Revin | - | | | @home |
| David Sommerseth | clean-ups, plug-ins, OpenVPN 3 client | Thu evening (LO482/LO763) | Tue (LO766/LO483) | Ibis |
| Antonio Quartulli | remaining IPv6-only work, VLAN patches, netlink, multi-socket/multi-protocol, transport API(?) | Fri | Tue | Ibis |
| Steffan Karger | Performance, clean ups, crypto stuff | Thu (OS381, ETA 15:20 @ airport) | Sun | Ibis |
| Gert Döring | VLAN Patches / Architecture, Challenge / Plugin stuff, Performance (Threading?) | Fri (LH2550, ETA 11:30 @airport) | Mon (LH2551) | Ibis |
| Samuli Seppänen | Packaging (MSI, DEB, RPM), HackerOne tuning | Fri late evening | Mon early morning | Ibis |
| James Yonan | | | | |
| Arne Schwabe | random stuff | Thu (LO410/LO765) | Tue (LO766/LO407) | Ibis |
| Johan Draaisma | things | 3 oct | 8 oct | somewhere |
| Lev Stipakov | things | Fri evening (TK443) | Tue | Ibis |


The meeting is held at the OpenVPN office in Lviv (Ukraine): Shevchenka Ave 5.

Lviv Danylo Halytskyi International Airport is quite close to the city. The best transport option from there is Uber.

If you have any questions - please contact Andriy Revin (andriy @


The hackathon will take place from Friday October 5th 2018 to Sunday October 7th.


  1. What features do we want in 2.5? Set the timeline accordingly. (See the OpenVPN 2.5 status page).
    • tls-crypt v2, sitnl, vlan patches, ipv6-only, transport plug-in?
    • MSI packaging?
    • EasyRSA 3 for Windows (NSIS/MSI) installers?
    • conclusion: check here
  2. Should OpenVPN be a "swiss army knife" or a "secure VPN client for dummies"?
    • Could the split between OpenVPN 2.x and 3.x reflect these two roles?
    • conclusion: making OpenVPN 2.x a simple client for dummies is not a priority, but devs will try to reduce complexity by removing as many ifdefs as possible and by reviewing options whenever it is possible.
  3. Feature changes
    • Do we need --opt-verify? Is this a feature strictly needed these days?
    • conclusion: check last item in the 2.5 discussion section
  4. MSI packaging
    • Available for testing for tap-windows6, but not yet for OpenVPN 2
    • conclusion: get MSI packaging working with 2.5 (NSIS will be dropped)




Free wifi network is available at the office


There are many hotel and Airbnb options within walking distance of the office (5-10 minutes). Most reasonably priced hotels are fairly small and availability varies a lot, but double check against,, or similar sites to ensure you get a good price.

Some hotels close by (4-8 minutes walk):

| Hotel | URL | Comments |
|---|---|---|
| Ibis Styles Lviv Center | | Most likely one of the bigger ones, small rooms but decent |
| Swiss Hotel | | Reasonable hotel when getting good price offers |
| ANTARES Apart hotel | | - |
| Danylo Inn | | - |


(informal notes on some of the discussions that benefit from writing down)


  • we need to do a 2.4.7 release "soonish", to fix the --opt-verify issue Lev and Johan have encountered with NCP (patch has been merged in master+release/2.4)
  • we want the "asymmetric compression" change from Arne in there as well
    • The new --allow-compression option will be added which forcefully allows the local side to send compressed data. The current patch will be updated to not allow this new option to be pushable. We will require this to be explicitly set in the configuration file on both sides to enable compression.
  • 2.4.7 will be initially released with the old TAP6 driver, and then we can do a re-release with the new TAP6 driver after sufficient testing (when our new approach can get all testing/signing issues fixed, estimated ~4-6 weeks)
  • TLS1.3 related patches are acceptable for 2.4.7 if they do not change existing behaviour (unless you use --tls-ciphersuite


  • are buggy
  • 30 day refund policy

features in 2.5 that we want

The following is what was discussed in terms of "2.5 release" during the hackathon, but for a more schematic status report about 2.5, please check this link

  • we have a page in the wiki so people can read up on this
  • MSI packaging (Simon, Samuli) must have
    • TAP6 changes -> TAP6 MSI installer
    • Samuli is reading books about MSI
    • possibly drop NSIS, or offer both options
  • tls-cryptv2 must have
    • Antonio is reviewing, goal: this weekend
  • IPv6-only really nice to have
    • client side is already finished(!)
    • server side needs brains to closely check disentanglement of ipv4/ipv6 server pools for unexpected side effects
    • Gert needs to finish review and test bed
  • netlink / sitnl refactoring of tun.c, route.c must have
    • Arne volunteers to review, but is entangled in ipv6-only changes (so might need rebasing) -> Antonio to check
    • code is there, but needs better coordination
    • blocker
  • transport plugin (obfuscation or others) nice to have
    • operator foundation, founded by google
    • coordinating with Antonio
    • patches based on 2.4 - asked to rebase on master
    • "nice to have"?
  • "make VPN fast again" (Antonio) - nice to have
    • split control/data channel -> separate threads
      • "client connect" activity will no longer interfere with "forwarding packets for other clients"
      • going from there to multiple workers for data channel
      • "all the complicated event handling" -> control thread
    • send/receive multi-messages
    • use tun driver more efficiently
    • tap6 on server 2016 - maybe slow because driver reports attributes wrongly?
    • initial connect speed of 2.x clients compared to 3.x clients
      • there is one "1 second" coarse timer left in the 2.x code base
      • Gert and Steffan did not dare to remove this one yet
    • OpenVPN3 offload API?
    • ongoing activity...
  • VLAN patchset must have
    • Antonio volunteers to rebase + adjust the code to master
    • Arne volunteers to review
    • Gert to build test infrastructure
    • David: suggest to checkout the code tree "right before the uncrustify changes", apply Fabian's v2 patch set, and proceed from there
  • asynchronous client-connect (?) patchset from Fabian Kittel - must have
  • multi-listen / multi-port / multi-ip patch set
    • multi-port is done, with multi-ip (if same protocol) (first chunk) "in beta" must have
    • multi-protocol (TCP+UDP) "not even alpha" postpone to 2.6, too early code
    • Arne feels like he needs to review this
  • dynamic-route (routes in CCD/)
    • today: OpenVPN only adds route at startup
    • adding routes at client-connect time needs to be done "outside"
    • nice to have(!!) - it can be done with --client-connect or in plugin code - but easier debugged if "built in"
  • enable --enable-async-push by default
    • it is tested fairly well now
    • get rid of extra #ifdef
    • cross-platform - today this depends on inotify, which is not available on most platforms we support (Linux, maybe FreeBSD, nothing else)
    • David pushed out a new build enabling this by default for Fedora Rawhide (future Fedora 30) and Fedora 29
  • OpenSolaris: fix fragment handling for IPv4 - *done*
    • IPv6 fragments over tun work, IPv4 fragments not
    • not an OpenVPN problem, but the combination of OpenSolaris, FreeBSD pf(4) and "scrub in all" without the no-df flag triggered this
  • AIX: tunnel emulation nice to have
    • AIX has no tun interface, only tap
    • to talk to "have no tap interface, only tun" peers, one side needs to emulate
    • AIX code nearly done, waiting for ICMPv6 generation code in OpenVPN 2.x code to show up (block-ipv6 v4)
    • Gert
  • --opt-verify handling
    • remove it from the AS config default ("it breaks clients")
    • the way it is now is not really needed anymore - most option mismatches can be pushed from the server, except for the caveats...
    • make all the --*mtu* things pushable (not easy: reallocation of buffers needed)
    • include "more sane ciphers" in the default NCP cipherlist (Arne, Steffan)
    • what else?

features we want in 2.6

  • asynchronous netlink (= do not block waiting for kernel ACK)
  • performance enhancements on multi-CPU machines
    • multithreading? Do we want to just go for 3.0 here?
Last modified on 10/07/18 08:13:59