Context Navigation

Basic info

Updated: forums topics
novaflash got access just last week, will look into the forums situation and set up a new PoC server.

Updated: OpenVPN community meetup 2024
Determined that venue will be at SteamWork?, Karlsruhe. Details will be added to the wiki.
Wiki coordination page: https://community.openvpn.net/openvpn/wiki/CommunityMeetup2024
Where: Karlsruhe, Germany. Meeting room found, need to find out how many participants roughly.
When: Set to 20-22 September 2024.
Shirts: novaflash spoke to matt - he will get us some design in august.

Updated: community.openvpn.net trac wiki
novaflash tried out a few things and updated: https://community.openvpn.net/openvpn/wiki/NewWiki
the search continues.
the security level on community.openvpn.net was lowered by one notch. immediately attacks happened again.
turns out trac has a reflection attack vulnerability and this was mitigated. let's see how it runs now.
we know we need to replace this but need to find a solution that fits our needs first.

Updated: release openvpn 2.6.12
This should address the slightly-too-aggressive security fix in 2.6.11 that could affect people sending custom messages with trailing newline characters.
Tentatively we will release this version next week.

Tunnelcrack progress TunnelCrack community wiki article
Status update on TunnelCrack mitigations:
The tunnelcrack mitigation for Windows has gone in master, which will go to 2.7 release. There is the possibility for it to go to 2.6.x if we can find testers for this.
Windows, openvpn2: merged to master, not to 2.6.x. openvpn3: in code review.
Linux, openvpn2: in progress. openvpn3: in progress.
macOS: to be determined.
iOS: to be determined.
Android: not vulnerable.

DCO and Linux upstreaming, API change
Upstreaming DCO to Linux is proceeding, it is in review stage at the moment.
ordex has sent in patchset version 5.
There will be an API change that makes it incompatible with the current implementation.
A graceful solution to that was already discussed and in motion. giaan will be working on this.
(in a nutshell, make OpenVPN understand old and new API, DKMS and kernel versions both will then use new API, then we drop old API)

fixing openvpn3-linux builds in Buildbot
Mattock has this almost working. Some platforms will have to be skipped because openvpn3-linux / gdbuspp dependencies (Meson in particular) are too old or missing.
As an aside, OpenVPN3 Linux v22 dev for Ubuntu 24.04 LTS and Fedora 39 and 40 are in the release process.
Next step is a 'regular' OpenVPN3 Linux v23 release again.

Linux arm64 buildbot workers
Mattock has done initial research.
Docker seems to support (QEMU) emulated non-native containers, but Buildbot might be missing the glue to make it work.
Patching Buildbot should not be *that* difficult.
External (arm64) Docker host might be a more performant alternative option.

how to proceed with lzo2.pc
pc file suggests "all includes should be done without lzo/ prefix" - which is generally not a bad idea, but needs code changes beyond configure (right?)
There are some options to make changes here. For now we'll just keep working around this issue.'
One thing seems clear; it would be too early to rip it out, it would most likely affect too many people still using it despite the fact that they shouldn't.
An option we have is to use the OpenVPN3 implementation of lzo and port that to OpenVPN2, to solve this.
This is a topic that will be moved to the OpenVPN community meetup 2024.

run tests of 2.x against openvpn3? how?
There is a 'null client' variant of ovpncli that allows to make VPN connections but not fully, for testing purposes.
This is in the openvpn3 repository.

donation collection
From earlier exploration it is clear that setting up a legal entity is not worth the expense at this point. We're just starting out with donations.
What we can do is start out with an existing company that can collect the money and puts it to good community use. ordex volunteers to take this on.
There are some options to consider. There may be existing solutions that we want to consider.
PayPal? seems overly expensive with all their fees.
Stripe could be worth considering for credit card processing.
GitHub? Sponsors was mentioned as a possible solution, this is worth investigating.
Open Collective was also mentioned, that needs some investigating how that exactly would work for us.

website release process
Waiting for faster way to update community downloads and security advisories on main site.
Again postponed due to issues. Now planned for this week. We'll see.

Status of SBOM
There was a discussion between MaxF and djpig and others.
For OpenVPN2 / OpenVPN-NL, there is not much overlap, as OpenVPN2 doesn't ship much in terms of libraries, but OpenVPN-NL does.
The interesting use-case for an SBOM is really the OpenVPN Windows GUI client.

Static-key mini how-to is outdated.
This page is outdated badly: https://openvpn.net/community-resources/static-key-mini-howto/
company will send this to tech writer to redo based on https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/example-fingerprint.rst info
and also retain a link to that github doc.
having a simple guide online will help adoption

OpenVPN 2.6 performance results.
tests should cover: gre, ipsec, userland, dco
linux, freebsd, windows
requires time to be dedicated to doing this, when time available will do it

What's going on with new taskbar icons?
matt provided icons in https://github.com/OpenVPN/openvpn-gui/issues/595
last update: will be picked up by selva when he has time

software code signing topic
company switched EV code signing to cloudhsm, this is same cert type we use for driver signing, is also suitable for binary signing.
in future we could possibly switch community to that same key. saves having to maintain 2 different keys.
depends on how hard/easy it is to access company key signing thingee from community infrastructure.
also no high priority at the moment, we have a working solution now.

Last modified 2 months ago Last modified on 07/10/24 12:42:09