wiki:OpenVPN2.4

Version 13 (modified by David Sommerseth, 7 years ago)

Introduction

In the IRC meeting on 26th Apr 2012 the following was agreed upon (from summary):

Agreed that focusing the 2.4 release cycle on cleaning up, refactoring and
modularizing the codebase makes sense and addresses many of the concerns
pointed out regarding the project's long-term viability. This cleanup and
simplification work would also help bring in new contributors, i.e.
lower the barriers to entry due to a simpler and more understandable codebase.

This page intends to outline the changes that will be needed in 2.4 to reach those goals.

Tasks

These tasks were originally from an IRC meeting agenda:

  • Android patchsets done
  • Dual stack client patches done*
  • Dual stack server and --inetd cleanup
  • --preresolve patch
  • utun on mac os x done*
    • native tun, no need for extra tun.kext
    • Supported for all OS X >= 10.6.8 (latest PPC version)
      • Unfortunately requires root
      • Real question: drop tun.kext support and support only utun, or "try utun first, fall back to tun.kext if it fails"?
  • svn 2.1 patchset (snappy support, push-peer-info changes, see trac#268-273) cancelled (LZ4 support came instead, which is slicker and faster)
  • management interface changes (status 2/3) done*
  • Formatting and whitespace fixes (just before 2.4 release) done
  • --version to include git commit id and branch? yes, done
  • OpenVPN-GUI installer from mattock

Cleaning up IPv4/IPv6 split

  • what is this?

Android/iPhone/Windows Phone 7 support

  • what is this?

Windows Interactive Service

  • d12fk's new Windows privilege separation scheme, permitting fully unprivileged users to safely run OpenVPN (described and agreed upon at the MunichHackathon2013) done

new frame format for data packets

  • fix alignment performance penalty (byte-swap control byte with last byte of payload) done (the DATA_V2 packet format is in v2.4)
  • enable DoS-safe --float in TLS mode by transmitting the session ID in data frames "every so often" (e.g. "when not having seen a packet from the server for more than 500 milliseconds", or similar) done (--peer-id support)
  • agreed upon at the MunichHackathon2013 (last section), nothing implemented yet

cipher negotiation for data packets

  • make cipher a per-client setting in the server, and pushable on the client (right now it's a "global" thing, set once and valid forever) done (--ncp-cipher with negotiation implemented in v2.4, and a simpler approach, "poor man's NCP", implemented in v2.3)
  • then add dynamic negotiation based on client/server capabilities

the grand compression cleanup

  • have the server select the "best" compression algorithm the client supports (lz4/snappy/lzo/none), based on pushed peer-info and server capabilities (can be done by a client-connect script, but "built-in" would be less error-prone)
  • rework the whole "compress" and "comp-lzo" section of the openvpn.8 man page
  • get rid of --enable-comp-stub; always include that, so a well-defined fallback exists (to be discussed)

IPv6 payload / routing integration

  • implement "redirect-gateway ipv6" in 2.x code base as well (3 has it) done
  • add --block-ipv6
  • handle ipv6 payload over ipv6 transport, when the VPN server is inside the pushed IPv6 routes
    • discover IPv6 default gateway
    • install IPv6 route to VPN server via gateway
    • cleanup afterwards
  • handle iroute-ipv6 and pushed route-ipv6 consistently with IPv4: do not send pushed routes to the very client that the iroute-ipv6 points to (local route confusion at the client); see also trac#354.
  • have a way to signal IPv6 DNS (and other "DHCP") information to the client, as currently "dhcp-option DNS ..." is IPv4-only (as is using DHCPv4 to signal this). See trac#243. In progress, partially implemented.