wiki:Topics-2024-03-20


Basic info

  • Time: Wednesday 20 March 2024 at 13:00 CEST (11:00 UTC)
  • Place: #openvpn-meeting channel on LiberaChat IRC network

Topics

Current topics

  • Updated: openvpn 2.6.10 release
    This release should go out today.
    It contains a number of security fixes focused on Windows.
  • OpenVPN 2.5.10 release
    According to our SupportedVersions guidelines we should do a release with the CVE fixes from 2.6.
    We don't promise Windows installers for 2.5, but since these issues are all Windows-focused we will make a best-effort attempt to deliver one anyway.
    This is something we'll pick up right after 2.6.10.
  • New: tunnelblick and sophos UTM
    Need to investigate this issue. Possibly a client-side fix.
  • Updated: website release process
    This week a website release is planned that will enable a new way for updating Community Downloads page.
    The new way has a much faster release method separate from the rest of the website's release schedule.
    For today's release however the usual annoying method will be used to get it published on the main site.
  • Updated: forums topics
    ecrist has gone ahead and launched the new forums and locked the old forums.
    The idea is that people and conversations migrate over to the new forums.
    There are still some issues with the new forums that should be resolved.
    The current situation is that the old forums are locked for new topics, and the new forums have issues.
    Discussed and agreed to ask ecrist to either fix new forums quickly or unlock new topics on old forums until we fix things.
    - Email delivery seems not to be working; email confirmation on registration was suggested.
    - Spammers found the new forums, but an anti-spam module was installed, so that should solve this in theory.
    - Access to the admin interface seems broken; we have to find out where exactly the problem is and solve it.
    - We still need to work on giving some other people admin or high-level moderator access.
    - Mod guide: hard or soft delete (chuck board?), what to do with GDPR, etc. (write it down and actually make it available to mods, maybe as a hidden topic).
    - Access for mods to logs, so one can see what others did.
  • Updated: Security mailing list procedure can stand improvement
    dazo and novaflash will start discussing this internally in OpenVPN Inc.
    The goal is to work out a better internal procedure for connecting the security mailing list with the people responsible for the company's products.
  • Updated: mattock topics
    Talked about mattock's --dev null server testing implementation.
    Agreed that testing TCP and UDP servers and matching clients is a good start.
    Mattock will also check if t_client.sh could be used and/or adapted to do the client-side of this equation.
  • community funding
    ordex has an initiative he wants to bring up regarding dev resources to be added to the community.
    This may tie into the donations topic.
    In short, ordex convinced OTF (Open Tech Fund) to provide a "test FOSS funding scheme" to OpenVPN.
    This would, for example, allow paying for allocated hours for mattock and cron2 to work on OpenVPN community tasks.
    This is to be worked out more and in collaboration between OpenVPN Community, OpenVPN Inc., and OTF.
  • Updated: donation collection
    ordex consulted an expert and it looks like setting up a legal entity does not make sense when you're just starting out.
    The tricky part here is that only if we get a lot of donations and a lot of money does it make sense to have that kind of overhead.
    What we can do is start out with a company that collects the money and puts it to good community use. ordex volunteers to take this on.
    We want the donations to be collected in one place, and expenses made from that one place, so we are accountable.
    We need to figure out how to deal with that legally, and what payment methods to accept and how.
    Probably credit card is a must. Maybe paypal as well. Bitcoin seems to encounter some resistance in the discussions.
    And a reminder: we definitely do not want the donation thing to be forced. Have a mechanism to do it, but keep it out of the way.
  • inactive setting data counter in openvpn2 and openvpn3
    It looks like openvpn2 and openvpn3 handle the counting of traffic for this differently.
    After some discussion it was decided illia will submit some suggested fixes.
  • Status of SBOM
    There was a discussion between MaxF and djpig and others.
    For OpenVPN2 / OpenVPN-NL, there is not much overlap, as OpenVPN2 doesn't ship much in terms of libraries, but OpenVPN-NL does.
    The interesting use-case for an SBOM is really the OpenVPN Windows GUI client.
  • status of trac/wiki
    No progress since last meeting.
    This will probably have to wait until "--dev null" is done.
    Should have access controls so only approved members can edit.
  • OpenVPN community meetup 2024
    Naming: We decided to rename from 'Hackathon' to 'OpenVPN community meetup'. This has a more open spirit to it, as we want to encourage developers and those interested in contributing to feel welcome.
    Where: Karlsruhe, Germany. It is a relatively central location in Europe and is fairly easily reachable by train. A meeting location is yet to be arranged.
    When: At the moment tentatively set to 20-22 September 2024.
    Who: We'll do an open invitation to openvpn-devel mailing list, but also CC: specifically past attendees and people of interest.
    Shirts: There is plenty of time still to prepare a shirt design.
  • OpenVPN 2.6 performance results.
    Tests should cover GRE, IPsec, userland and DCO on Linux, FreeBSD and Windows.
    This requires dedicated time; it will be done when time is available.
  • software code signing topic
    The company switched EV code signing to cloudhsm; this is the same certificate type we use for driver signing, and it is also suitable for binary signing.
    In future we could possibly switch the community to that same key, which saves having to maintain two different keys.
    This depends on how hard or easy it is to access the company's key signing service from community infrastructure.
    It is also not a high priority at the moment, as we have a working solution now.
  • Management interface documentation on main website will be updated with info from doc/management-notes.txt
    novaflash will pick this up at some point

Mattock topics

--dev null server testing

Mattock has implemented the first version of the so-called "--dev null server testing" and integrated it with "make check". The features are:

  • Does what it says on the tin (more on that later)
  • Mostly operating-system agnostic
  • Should be POSIX shell compliant
  • Uses the sample certificates and keys
  • Supports running directly as root and with sudo
  • Supports using different OpenVPN client versions
    • The "current" (just compiled) version
    • Any other OpenVPN versions (must be present on the filesystem)
  • Supports testing for success as well as failure
  • Server configuration is currently static (i.e. no support for multiple server configurations yet)
  • Open question: how would we go about running OpenVPN 2.4, 2.5, 2.6, etc. clients against the "--dev null server"?

Here's how it works:

  1. make check
    1. t_server_null.sh
      1. t_server_null_server.sh
        • Launches the compiled OpenVPN as root (if necessary with sudo)
        • OpenVPN server exits when all clients have been disconnected for ten seconds, based on its status file
      2. t_server_null_client.sh
        • Launches each individual client test
        • Client kills itself after some delay using an "--up" script

Current PoC code is available in mattock's "dev_null" branch. A good starting point is t_server_null.sh.
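The server-side exit rule in step 1.1 above (the server stops once its status file has shown no clients for ten seconds), as an added POSIX shell example that is not code from mattock's dev_null branch: count_clients and wait_for_idle are hypothetical helper names, the parsing assumes the layouts written by --status-version 1 and 2/3, and the sample status file is constructed.

```shell
#!/bin/sh
# Added example (not mattock's harness code): the server-side exit rule of the
# --dev null test: stop the OpenVPN server once its --status file has shown no
# connected client for N seconds. Assumes --status-version 1 (default) or 2/3.

# Print the number of connected clients listed in an OpenVPN status file.
# A missing file (server not up yet) counts as zero clients.
count_clients() {
    [ -r "$1" ] || { echo 0; return; }
    awk '
        /^CLIENT_LIST/ { n++; next }                      # status-version 2/3
        /^Common Name,Real Address/ { inlist = 1; next }  # status-version 1
        /^ROUTING TABLE/ { inlist = 0 }
        inlist && NF { n++ }
        END { print n + 0 }
    ' "$1"
}

# Poll the status file once a second and kill the server pid after it has
# shown zero clients for idle_secs polls in a row (the harness uses ten).
# Returns 0 if we stopped the server, 1 if it exited on its own first.
wait_for_idle() {
    _status=$1; _idle_secs=$2; _pid=$3; _idle=0
    while kill -0 "$_pid" 2>/dev/null; do
        if [ "$(count_clients "$_status")" -eq 0 ]; then
            _idle=$((_idle + 1))
        else
            _idle=0
        fi
        if [ "$_idle" -ge "$_idle_secs" ]; then
            kill "$_pid"
            return 0
        fi
        sleep 1
    done
    return 1
}

# Constructed status-version 1 file with two clients, for trying this offline.
sample_status_v1() {
    cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Wed Mar 20 13:05:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.0.2.10:51234,1024,2048,Wed Mar 20 13:00:00 2024
client2,192.0.2.11:51235,512,768,Wed Mar 20 13:01:00 2024
ROUTING TABLE
END
EOF
}
```

In the real harness the pid would be that of the openvpn server started with "--status <file> 1" and the idle count would be 10.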

What should be the next steps?

  • Basic approach ok?
  • Is starting with a single server configuration ok?
  • Which server configuration(s) should we test against?
  • Which client configurations should we test (success or failure)?
  • Which operating systems do we want to support in this context? Linux and BSDs? Something more esoteric?
  • Which OpenVPN client versions should we run?

Debian/Ubuntu snapshot publishing

  • In the last meeting we agreed to publish snapshot Debian/Ubuntu packages on *build.openvpn.net*
  • The tool to use to publish is aptly
  • aptly does not have direct support for running commands (e.g. rsync, scp) after publishing packages, e.g. to a local filesystem on the buildmaster
    • Option 1 (hacky): use inotifywait with rsync or scp to copy the published repo to build.openvpn.net
    • Option 2 (less hacky): use NFS to publish "directly" to build.openvpn.net
    • Both options require a fair amount of tinkering
Last modified on 03/20/24 16:05:07