wiki:Topics-2021-04-14

Basic info

Topics

  1. Sync up on OpenVPN 2.5 and 2.6
    • 2.5: next Tuesday.
    • patches pending
      • route lookup
      • compress-restore-on-SIGUSR1
      • 1666+1667 (fix client with --bind)
    • 2.6
      • please get ACKed patches in!
      • configure.ac coming
      • DCOoooooh :-)
  2. --key and --chroot (with and without --persist-key)
    • (Ordex, MaxF21, patches on the list)
    • key reloading on SIGUSR1 fails in chroot (it works with persist-key)
    • fix it? or make persist-key always-on? (consensus: we remove the "no-persist-key" path, make the feature always-on and the option a no-op)
  3. Option to set http-proxy on Android
    • suggestion "dhcp-option HTTP-PROXY IP PORT" (this is for programs using the VPN, and they should use this proxy. Configured via the VPN API. Not "for OpenVPN" but "for everyone else". Check with 3 client on iOS what that one uses)
  4. Lev: dco-win Driver in Windows installer
    • how do we want to do this?
    • msm package inside msi? (like for tap+wintun)
      • wintun created the msm approach but uses a different approach now
    • connect client brings tap binary + tapinstall.exe, no msm for tap-windows6
    • cron2 and mattock seem to recall "msm works better for driver upgrades than the old NSIS approach" but nobody knew for sure
    • mattock is talking to MS about arm64 support, we can ask the experts
    • ask Simon :-)
  5. --cipher in 2.6

Currently, a --cipher setting always adds that (likely non-AEAD) cipher to the data-ciphers list. This is bad for DCO.

We have to pick one:

  • make DCO work without having user to reconfigure --cipher/--data-ciphers
    • Requires modifying the config if you still want to connect to a 2.3 server or allow 2.3 clients
  • keep configuration compatibility with non-NCP server/clients
    • Requires configuration changes to allow DCO
    • Windows OpenVPN 2.x with ovpn-dco-win will refuse to start with most configs
    • The complex interaction between data-ciphers, cipher and data-ciphers-fallback is still there.
    • need to add an option like 'occ-cipher' to avoid OCC warnings with 2.4/2.5 clients/server.
  • make behaviour of OpenVPN dependent on selected driver
    • Only an interim solution. With 2.7 we would still have to decide whether to go with one of the other options
    • will create a lot of confusion.
    • Breaks opportunistic approach of allowing OpenVPN to automatically enable DCO if the config is DCO compatible
  • Introduce "--compat-mode"
    • Without --compat-mode, OpenVPN behaves as in the first option above
    • Also increase tls min version to 1.2 by default
    • default to --nobind when --pull is active
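An added example (not OpenVPN's own code) modelling the --cipher / data-ciphers rule discussed under item 5: it computes the cipher list a 2.5-style client offers with and without the legacy append of --cipher, and flags ciphers a DCO driver cannot handle. The default list and the DCO cipher set are assumptions of the model, and the sample config is constructed.

```python
# Added example, not OpenVPN's own code: a model of the --cipher / data-ciphers
# interaction described in the notes, used to check a config fragment for DCO.

# Assumption: 2.5-style default data-ciphers list.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]

# Assumption: the AEAD ciphers a DCO driver is expected to handle.
DCO_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse_config(text):
    """Extract --cipher and --data-ciphers from a config fragment."""
    cipher, data_ciphers = None, None
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "cipher":
            cipher = parts[1].upper()
        elif len(parts) == 2 and parts[0] == "data-ciphers":
            data_ciphers = [c.upper() for c in parts[1].split(":")]
    return cipher, data_ciphers


def effective_data_ciphers(cipher, data_ciphers, legacy_cipher_append):
    """Cipher list offered in negotiation.  legacy_cipher_append=True models 2.5
    (a --cipher missing from the list is appended for non-NCP peers); False
    models the proposed default with no --compat-mode (--cipher is ignored)."""
    ciphers = list(data_ciphers or DEFAULT_DATA_CIPHERS)
    if legacy_cipher_append and cipher and cipher not in ciphers:
        ciphers.append(cipher)
    return ciphers


def dco_blockers(ciphers):
    """Ciphers in the negotiation list that a DCO driver cannot handle."""
    return [c for c in ciphers if c not in DCO_CIPHERS]


def check(text, legacy_cipher_append=True):
    """Return the effective list and the ciphers that rule out DCO."""
    cipher, data_ciphers = parse_config(text)
    ciphers = effective_data_ciphers(cipher, data_ciphers, legacy_cipher_append)
    return {"data_ciphers": ciphers, "dco_blockers": dco_blockers(ciphers)}


# Constructed sample: a 2.3-era client config carrying only --cipher.
SAMPLE_CONFIG = "client\nremote vpn.example.invalid 1194\ncipher AES-256-CBC\n"

if __name__ == "__main__":
    for legacy in (True, False):
        print("legacy append" if legacy else "compat-mode off", check(SAMPLE_CONFIG, legacy))
```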
Last modified on 04/21/21 12:06:08