= OpenVPN Hackathon 2018 =

[[TOC(inline, depth=1)]]

This year's hackathon is organized by Andriy Revin and David Sommerseth.

We will stick to the format of the previous years, which means attendance is in principle limited to "active developers that are also regularly contributing to #openvpn-devel or the mailing list". We should have enough space in the meeting room for 10-14 devs.

== Who is coming? ==

||= Name =||= Topics =||= Arrival =||= Departure =||= Hotel =||
|| Andriy Revin || - || || || @home ||
|| David Sommerseth || clean-ups, plug-ins, OpenVPN 3 client || Thu evening (LO482/LO763) || Tue (LO766/LO483) || Ibis ||
|| Antonio Quartulli || remaining IPv6-only work, VLAN patches, netlink, multi-socket/multi-protocol, transport API(?) || Fri || Tue || Ibis ||
|| Steffan Karger || Performance, clean ups, crypto stuff || Thu (OS381, ETA 15:20 @ airport) || Sun || Ibis ||
|| Gert Döring || VLAN Patches / Architecture, Challenge / Plugin stuff, Performance (Threading?) || Fri (LH2550, ETA 11:30 @airport) || Mon (LH2551) || Ibis ||
|| Samuli Seppänen || Packaging (MSI, DEB, RPM), !HackerOne tuning || Fri late evening || Mon early morning || Ibis ||
|| James Yonan || || || || ||
|| Arne Schwabe || random stuff || Thu (LO410/LO765) || Tue (LO766/LO407) || Ibis ||
|| Johan Draaisma || things || 3 oct || 8 oct || somewhere ||
|| Lev Stipakov || things || Fri evening (TK443) || Tue || Ibis ||

== Where? ==

The meeting is held at the OpenVPN office in Lviv (Ukraine): [https://www.openstreetmap.org/search?query=49.83826%2C24.03129#map=19/49.83826/24.03129&layers=N Shevchenka Ave 5].

Lviv Danylo Halytskyi International Airport is quite close to the city. The best transport option is Uber.

If you have any questions, please contact Andriy Revin (andriy @ openvpn.net).

== When? ==

The hackathon will take place from Friday October 5th 2018 to Sunday October 7th.

== What? ==

 1. What features do we want in 2.5? Set the timeline accordingly.
    (See [wiki:StatusOfOpenvpn25 the OpenVPN 2.5 status page]).
   * tls-crypt v2, sitnl, vlan patches, ipv6-only, transport plug-in?
   * MSI packaging?
   * EasyRSA 3 for Windows (NSIS/MSI) installers?
   * **conclusion:** [https://community.openvpn.net/openvpn/wiki/LvivHackathon2018#featuresin2.5thatwewant check here]
 1. Should OpenVPN be a "swiss army knife" or "secure vpn client for dummies"
   * Could the split between OpenVPN 2.x and 3.x reflect these two roles?
   * **conclusion:** making OpenVPN 2.x a simple client for dummies is not a priority, but devs will try to reduce complexity by removing as many ifdefs as possible and by reviewing options whenever it is possible.
 1. Feature changes
   * Do we need `--opt-verify`? Is this a feature strictly needed these days?
   * **conclusion:** check last item in the [https://community.openvpn.net/openvpn/wiki/LvivHackathon2018#featuresin2.5thatwewant 2.5 discussion section]
 1. MSI packaging
   * Available for testing for tap-windows6, but not yet for OpenVPN 2
   * **conclusion:** get MSI packaging working with 2.5 (NSIS will be dropped)

== Input ==

TBD

== Internet ==

Free wifi network is available at the office.

== Accommodation ==

There are many options with hotels and Airbnb alternatives within walking distance of the office (5-10 minutes). Most reasonably priced hotels are fairly small and availability varies a lot, but double check against hotels.com, booking.com, trivago.com or similar sites to ensure you get a good price.

Some hotels close by (4-8 minutes walk):

||=Hotel =||=URL =||=Comments =||
|| Ibis Styles Lviv Center || https://www.accorhotels.com/gb/hotel-9709-ibis-styles-lviv-center/index.shtml || Most likely one of the bigger ones, small rooms but decent ||
|| Swiss Hotel || http://swiss-hotel.lviv.ua/en/ || Reasonable hotel when getting good price offers ||
|| ANTARES Apart hotel || https://antares-apart.com.ua/en/ || - ||
|| Danylo Inn || http://www.danyloinn.com/ || - ||

== Results ==

(informal notes on some of the discussions that benefit from writing down)

=== 2.4.7 ===

 * we need to do a 2.4.7 release "soonish", to fix the {{{--opt-verify}}} issue Lev and Johan have encountered with NCP (patch has been merged in master+release/2.4)
 * we want the "asymmetric compression" change from Arne in there as well
   * The new `--allow-compression` option will be added which forcefully allows the local side to send compressed data. The current patch will be updated to **not** allow this new option to be pushable. We will require this to be explicitly set in the configuration file on both sides to enable compression.
 * 2.4.7 will be initially released with the old TAP6 driver, and then we can do a re-release with the new TAP6 driver after sufficient testing (when our new approach can get all testing/signing issues fixed, estimated ~4-6 weeks)
 * TLS1.3 related patches are acceptable for 2.4.7 if they do not change existing behaviour (unless you use {{{--tls-ciphersuite}}})

=== T-Shirts ===

 * are buggy
 * 30 day refund policy

=== features in 2.5 that we want ===

The following is what was discussed in terms of "2.5 release" during the hackathon, but for a more schematic status report about 2.5, please check [https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25 this link]

 * we have a page in the wiki so people can read up on this
 * MSI packaging (Simon, Samuli) //must have//
   * TAP6 changes -> TAP6 MSI installer
   * Samuli is reading books about MSI
   * possibly drop NSIS, or offer both options
 * tls-cryptv2 //must have//
   * Antonio is reviewing, goal: this weekend
 * IPv6-only //really nice to have//
   * client side is already finished(!)
   * server side needs brains to closely check disentanglement of ipv4/ipv6 server pools for unexpected side effects
   * Gert needs to finish review and test bed
 * netlink / sitnl refactoring of tun.c, route.c //must have//
   * Arne volunteers to review, but is entangled in ipv6-only changes (so might need rebasing) -> Antonio to check
   * code is there, but needs better coordination
   * blocker
 * transport plugin (obfuscation or others) //nice to have//
   * operator foundation, founded by google
   * coordinating with Antonio
   * patches based on 2.4 - asked to rebase on master
   * "nice to have"?
 * "make VPN fast again" (Antonio) - //nice to have//
   * split control/data channel -> separate threads
   * "client connect" activity will no longer interfere with "forwarding packets for other clients"
   * going from there to multiple workers for data channel
   * "all the complicated event handling" -> control thread
   * send/receive multi-messages
   * use tun driver more efficiently
   * tap6 on server 2016 - maybe slow because driver reports attributes wrongly?
   * initial connect speed of 2.x clients compared to 3.x clients
   * there is one "1 second" coarse timer left in the 2.x code base
   * Gert and Steffan did not dare to remove this one yet
   * OpenVPN3 offload API?
   * ongoing activity...
 * VLAN patchset //must have//
   * Antonio volunteers to rebase + adjust the code to master
   * Arne volunteers to review
   * Gert to build test infrastructure
   * David: suggest to checkout the code tree "right before the uncrustify changes", apply Fabian's v2 patch set, and proceed from there
 * asynchronous client-connect (?)
   patchset from Fabian Knittel - //must have//
   * Gert/Arne/Antonio
 * multi-listen / multi-port / multi-ip patch set
   * multi-port is done, with multi-ip (if same protocol) (first chunk) "in beta" //must have//
   * multi-protocol (TCP+UDP) "not even alpha" //postpone to 2.6, too early code//
   * Arne feels like he needs to review this
 * dynamic-route (routes in CCD/)
   * today: OpenVPN only adds route at startup
   * adding routes at client-connect time needs to be done "outside"
   * //nice to have(!!)// - it can be done with {{{--client-connect}}} or in plugin code - but easier debugged if "built in"
 * enable {{{--enable-async-push}}} by default
   * it is tested fairly well now
   * get rid of extra #ifdef
   * cross-platform - today this depends on inotify, which is not available on most platforms we support (Linux, maybe FreeBSD, nothing else)
   * David pushed out a new build enabling this by default for [https://koji.fedoraproject.org/koji/buildinfo?buildID=1150556 Fedora Rawhide] (future Fedora 30) and [https://bodhi.fedoraproject.org/updates/openvpn-2.4.6-3.fc29 Fedora 29]
 * OpenSolaris: fix fragment handling for IPv4 - ***done***
   * IPv6 fragments over tun work, IPv4 fragments not
   * not an OpenVPN problem, but combination of OpenSolaris, FreeBSD pf(4) and {{{scrub in all}}} without the {{{no-df}}} flag triggered this
 * AIX: tunnel emulation //nice to have//
   * AIX has no tun interface, only tap
   * to talk to "have no tap interface, only tun" peers, one side needs to emulate
   * AIX code nearly done, waiting for ICMPv6 generation code in OpenVPN 2.x code to show up (block-ipv6 v4)
   * Gert
 * {{{--opt-verify}}} handling
   * remove it from the AS config default ("it breaks clients")
   * the way it is now is not really needed anymore - most option mismatches can be pushed from the server, except for the caveats...
   * make all the {{{--*mtu*}}} things pushable (not easy: reallocation of buffers needed)
   * include "more sane ciphers" in the default NCP cipherlist (Arne, Steffan)
   * what else?

=== features we want in 2.6 ===

 * asynchronous netlink (= do not block waiting for kernel ACK)
 * performance enhancements on multi-CPU machines
 * multithreading? Do we want to just go for 3.0 here?