Basic info

• Time: Wed 14th April 2021 14:00 CET (12:30 UTC)
• Place: #openvpn-meeting channel on Freenode IRC network + ​https://demo.vct.spacenet.de/openvpn (Jitsi)

Topics

1. Sync up on OpenVPN 2.5 and 2.6
   • 2.5: next tuesday.
   • patches pending
     • route lookup
     • compress-restore-on-SIGUSR1
     • 1666+1667 (fix client with --bind)
   • 2.6
     • please get ACKed patches in!
     • configure.ac coming
     • DCOoooooh :-)
2. --key and --chroot (with and without --persist-key)
   • (Ordex, MaxF21, patches on the list)
   • key reloading on SIGUSR1 fails in chroot (it works with persist-key)
   • fix it? or make persist-key always-on? (consensus: we remove the "no-persist-key" path, make the feature always-on and the option a no-op)
3. Option to set http-proxy on Android
   • suggestion "dhcp-option HTTP-PROXY IP PORT" (this is for programs using the VPN, and they should use this proxy. Configured via the VPN API. Not "for OpenVPN" but "for everyone else". Check with 3 client on iOS what that one uses)
4. Lev: dco-win Driver in Windows installer
   • how do we want to do this?
   • msm package inside msi? (like for tap+wintun)
     • wintun created msm approach but uses different approach now
   • connect client brings tap binary + tapinstall.exe, no msm for tap-windows6
   • cron2 and mattock seem to recall "msm works better for driver upgrades than the old NSIS approach" but nobody knew for sure
   • mattock is talking to MS about arm64 support, we can ask the experts
   • ask Simon :-)
5. --cipher in 2.6

currently this always adds that likely non-AEAD cipher to the data-ciphers list. This is bad for DCO

We have to pick one:

• make DCO work without having user to reconfigure --cipher/--data-ciphers
  • Requires modifying config if you still want to connect to a 2.3 server, allow 2.3 clients

• keep configuration compatibility with non-NCP server/clients
  • Requires configuration changes to allow DCO
  • Windows OpenVPN 2.x with ovpn-dco-win will refuse to start with most configs
  • The complex interaction between data-ciphers, cipher and data-ciphers-fallback is still there.
  • need to add an option like 'occ-cipher' to avoid OCC warnings with 2.4/2.5 clients/server.

• make behaviour of OpenVPN dependent on selected driver
  • Only interims solution. With 2.7 we still have to decide if we want to go one of the other options
  • will create a lot of confusion.
  • Breaks opportunistic approach of allowing OpenVPN to automatically enable DCO if the config is DCO compatible

• Introduce "--compat-mode"
  • OpenVPN will behave like first option without option
  • Also increase tls min version to 1.2 by default
  • default to --nobind when --pull is active