= Basic info =

 * Time: Wed 14th April 2021 14:00 CET (12:30 UTC)
 * Place: #openvpn-meeting channel on Freenode IRC network + https://demo.vct.spacenet.de/openvpn (Jitsi)

= Topics =

 1. Sync up on OpenVPN 2.5 and 2.6
   - 2.5: next Tuesday.
     - patches pending
       - route lookup
       - compress-restore-on-SIGUSR1
       - 1666+1667 (fix client with --bind)
   - 2.6
     - please get ACKed patches in!
     - configure.ac coming
     - DCOoooooh :-)
 1. --key and --chroot (with and without --persist-key)
   - (Ordex, MaxF21, patches on the list)
   - key reloading on SIGUSR1 fails in chroot (it works with persist-key)
   - fix it? or make persist-key always-on? (**consensus**: we remove the "no-persist-key" path, make the feature always-on and the option a no-op)
 1. Option to set http-proxy on Android
   - suggestion "dhcp-option HTTP-PROXY IP PORT" (this is for programs using the VPN, and they should use this proxy. Configured via the VPN API. Not "for OpenVPN" but "for everyone else". Check with 3 client on iOS what that one uses)
 1. Lev: dco-win Driver in Windows installer - how do we want to do this?
   - msm package inside msi? (like for tap+wintun)
     - wintun created msm approach but uses different approach now
     - connect client brings tap binary + tapinstall.exe, no msm for tap-windows6
   - cron2 and mattock seem to recall "msm works better for driver upgrades than the old NSIS approach" but nobody knew for sure
   - mattock is talking to MS about arm64 support, we can ask the experts
   - ask Simon :-)
 1. --cipher in 2.6

   Currently this always adds that likely non-AEAD cipher to the data-ciphers list. This is bad for DCO.

   We have to pick one:
   - make DCO work without having user to reconfigure --cipher/--data-ciphers
     - Requires modifying config if you still want to connect to a 2.3 server, allow 2.3 clients
   - keep configuration compatibility with non-NCP server/clients
     - Requires configuration changes to allow DCO
     - Windows OpenVPN 2.x with ovpn-dco-win will refuse to start with most configs
     - The complex interaction between data-ciphers, cipher and data-ciphers-fallback is still there.
     - need to add an option like 'occ-cipher' to avoid OCC warnings with 2.4/2.5 clients/server.
   - make behaviour of OpenVPN dependent on selected driver
     - Only interim solution. With 2.7 we still have to decide if we want to go one of the other options
     - will create a lot of confusion.
     - Breaks opportunistic approach of allowing OpenVPN to automatically enable DCO if the config is DCO compatible
   - Introduce "--compat-mode"
     - OpenVPN will behave like first option without option
     - Also increase tls min version to 1.2 by default
     - default to --nobind when --pull is active
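
The --cipher problem from the last topic, as an added example that is not part of the meeting notes or of OpenVPN's code: a small Python check that models the behaviour described above (--cipher always appended to the data-ciphers list) and reports the entries DCO could not use. The AEAD set, the default list used when --data-ciphers is absent, and the sample configs are assumptions constructed for illustration.

```python
# Ciphers treated as AEAD here (assumption: the GCM modes and ChaCha20-Poly1305).
AEAD = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
# Assumed list when --data-ciphers is not configured (the 2.5 default).
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]

# Constructed sample: client that still carries a --cipher line for a 2.3 server.
LEGACY_CLIENT = """
client
remote vpn.example.net 1194   # placeholder host
cipher AES-256-CBC
"""

# Constructed sample: client restricted to AEAD ciphers.
AEAD_CLIENT = """
client
remote vpn.example.net 1194
data-ciphers AES-256-GCM:CHACHA20-POLY1305
"""


def parse_options(config_text):
    """Return {option: first argument} for cipher and data-ciphers."""
    wanted = {"cipher", "data-ciphers"}
    found = {}
    for raw in config_text.splitlines():
        # '#' and ';' start a comment; options may be written with or without '--'.
        tokens = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(tokens) >= 2 and tokens[0].lstrip("-") in wanted:
            found[tokens[0].lstrip("-")] = tokens[1].upper()
    return found


def effective_data_ciphers(config_text):
    """Model the behaviour in the notes: --cipher is always added to the list."""
    opts = parse_options(config_text)
    if "data-ciphers" in opts:
        ciphers = opts["data-ciphers"].split(":")
    else:
        ciphers = list(DEFAULT_DATA_CIPHERS)
    legacy = opts.get("cipher")
    if legacy and legacy not in ciphers:
        ciphers.append(legacy)
    return ciphers


def dco_blockers(config_text):
    """Entries of the effective list that are not AEAD and so rule out DCO."""
    return [c for c in effective_data_ciphers(config_text) if c not in AEAD]


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CLIENT), ("aead-only", AEAD_CLIENT)):
        print(name, effective_data_ciphers(cfg), "blockers:", dco_blockers(cfg))
```

An empty result from `dco_blockers` means the config would pass this simplified check; a non-empty one lists what would have to leave --cipher/--data-ciphers first.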