IrcMeetings

Basic info

• Time: Wednesday 19 June 2024 at 14:00 CEST (12:00 UTC)
• Place: #openvpn-meeting channel on LiberaChat IRC network

Topics

Current topics

• Updated: release openvpn 2.6.11
  There is a security issue reported by reynir that is resolved, and we want to get that out in 2.6.11 tomorrow.
  The tunnelcrack mitigations for Windows are held back because we have had absolutely no response on the mailing lists for testing these and confirming that it doesn't break things.
  If someone can contribute to testing this we can follow up with a 2.6.12 release in a few weeks that contains the tunnelcrack mitigations for Windows.
  

• New: buildbot PRs need attention
  Getting these merged soonish would help avoid nasty merge conflicts down the line
  ​Allow skipping build types
  ​Add smoketest builds for openvpn3, openvpn3-linux and ovpn-dco
  ​https://github.com/OpenVPN/openvpn-buildbot/pull/48
  Developers have been pinged in the meeting about these, so they'll take a look when they can.
  

• New: fixing openvpn3-linux builds in Buildbot
  Mattock has this almost working. Some platforms will have to be skipped because openvpn3-linux / gdbuspp dependencies (Meson in particular) are too old or missing.
  As an aside, OpenVPN3 Linux v22 dev for Ubuntu 24.04 LTS and Fedora 39 and 40 are in the release process.
  Next step is a 'regular' OpenVPN3 Linux v23 release again.
  

• New: Linux arm64 buildbot workers
  Mattock has done initial research.
  Docker seems to support (QEMU) emulated non-native containers, but Buildbot might be missing the glue to make it work.
  Patching Buildbot should not be *that* difficult.
  External (arm64) Docker host might be a more performant alternative option.
  

• New: how to proceed with lzo2.pc
  pc file suggests "all includes should be done without lzo/ prefix" - which is generally not a bad idea, but needs code changes beyond configure (right?)
  There are some options to make changes here. For now we'll just keep working around this issue.'
  One thing seems clear; it would be too early to rip it out, it would most likely affect too many people still using it despite the fact that they shouldn't.
  An option we have is to use the OpenVPN3 implementation of lzo and port that to OpenVPN2, to solve this.
  This is a topic that will be moved to the OpenVPN community meetup 2024.
  

• New: run tests of 2.x against openvpn3? how?
  There is a 'null client' variant of ovpncli that allows to make VPN connections but not fully, for testing purposes.
  This is in the openvpn3 repository.
  

• Updated: community.openvpn.net trac wiki
  Wiki.js felt quite awkward and counterintuitive in practical tests done by mattock. It seems to focus on bling rather than usability.
  Xwiki felt quite bulky and enterprisey (a.k.a. full of "stuff") in the practical tests by mattock. It seems an overkill for our simple use-case.
  Mediawiki no longer feels as nasty as it once did :)
  Maybe some Git-based wiki-type solution would be ok?
  

• DCO and Linux upstreaming, API change
  Upstreaming DCO to Linux is proceeding, it is in review stage at the moment.
  ordex will send a patchset v4 based on feedback received over the past days.
  There will be an API change that makes it incompatible with the current implementation.
  A graceful solution to that was already discussed and in motion. giaan will be working on this.
  (in a nutshell, make OpenVPN understand old and new API, DKMS and kernel versions both will then use new API, then we drop old API)
  

• OpenVPN community meetup 2024
  There's a wiki page up now where we can coordinate: ​https://community.openvpn.net/openvpn/wiki/CommunityMeetup2024
  We're basically at the point where we can prepare a mailing and send out invites to people.
  Where: Karlsruhe, Germany. Exact details of meeting room to be determined.
  When: Set to 20-22 September 2024.
  Shirts: novaflash will talk to matt about this.
  

• forums topics
  rob0 and novaflash will work to get access and then find some time to look at solving the cloudflare related issue.
  Unfortunately the past weeks were difficult to find time - holidays and travel and such. Will find time and push this forward.
  Plan is to soon switch URLs so new forum is on forums.openvpn.net and old forums is on archive address.
  - email confirmation on registration was suggested.
  - mod permissions, guide, hard or soft delete (chuck board?), what to do with GDPR, etc. (write it down and actually make it available to mods, maybe a hidden topic)
  - access for mods to logs so one can see what others did
  

• Tunnelcrack progress TunnelCrack community wiki article
  Status update on TunnelCrack mitigations:
  Windows, openvpn2: ready to merge. openvpn3: in code review.
  Linux, openvpn2: in progress. openvpn3: in progress.
  macOS: to be determined.
  iOS: to be determined.
  Android: not vulnerable.
  

• donation collection
  From earlier exploration it is clear that setting up a legal entity is not worth the expense at this point. We're just starting out with donations.
  What we can do is start out with an existing company that can collect the money and puts it to good community use. ordex volunteers to take this on.
  There are some options to consider. There may be existing solutions that we want to consider.
  PayPal? seems overly expensive with all their fees.
  Stripe could be worth considering for credit card processing.
  GitHub? Sponsors was mentioned as a possible solution, this is worth investigating.
  Open Collective was also mentioned, that needs some investigating how that exactly would work for us.
  

• website release process
  Waiting for faster way to update community downloads and security advisories on main site.
  Again postponed due to issues. Now planned for this week. We'll see.
  

• Status of SBOM
  There was a discussion between MaxF and djpig and others.
  For OpenVPN2 / OpenVPN-NL, there is not much overlap, as OpenVPN2 doesn't ship much in terms of libraries, but OpenVPN-NL does.
  The interesting use-case for an SBOM is really the OpenVPN Windows GUI client.
  

• Security mailing list
  

• Static-key mini how-to is outdated.
  This page is outdated badly: https://openvpn.net/community-resources/static-key-mini-howto/
  company will send this to tech writer to redo based on ​https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/example-fingerprint.rst info
  and also retain a link to that github doc.
  having a simple guide online will help adoption
  

• OpenVPN 2.6 performance results.
  tests should cover: gre, ipsec, userland, dco
  linux, freebsd, windows
  requires time to be dedicated to doing this, when time available will do it
  

• What's going on with new taskbar icons?
  matt provided icons in ​https://github.com/OpenVPN/openvpn-gui/issues/595
  last update: will be picked up by selva when he has time
  

• software code signing topic
  company switched EV code signing to cloudhsm, this is same cert type we use for driver signing, is also suitable for binary signing.
  in future we could possibly switch community to that same key. saves having to maintain 2 different keys.
  depends on how hard/easy it is to access company key signing thingee from community infrastructure.
  also no high priority at the moment, we have a working solution now.