Hi,
Here's the summary of previous IRC meeting.
---
COMMUNITY MEETING
Place: #openvpn-devel on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Monday 26th Oct 2015
Time: 20:00 CET (19:00 UTC)
Planned meeting topics for this meeting were here:
<https://community.openvpn.net/openvpn/wiki/Topics-2015-10-26>
The next meeting has not been scheduled yet, but is probably arranged
two weeks from now.
Your local meeting time is easy to check from services such as
<http://www.timeanddate.com/worldclock>
SUMMARY
cron2, jamesyonan, janjust, lev, mattock, plai, ValdikSS and syzzer
participated in this meeting.
---
Discussed the Windows team ideas:
<http://thread.gmane.org/gmane.network.openvpn.devel/10292/focus=10319>
All people present were fine with creating a new #openvpn-windows IRC
channel and Windows-specific forum board. Samuli will discuss both of
these ideas with the people who are actually affected by them (i.e.
people on #openvpn and on forums) before moving forward.
It was also agreed to make OpenVPN-GUI a subproject in GitHub, and to
allow pull requests in the general case. Mattock will take care of the
technical side and co-maintain the repo with d12fk.
--
Talked about the OpenVPN T-shirts. All were in favor of the band T-shirt
style, with a logo and a list of OpenVPN hackathon years and locations.
The names of the locations will follow the English conventions (e.g.
"Munich" instead of "Mũnchen"). We'll wait until we know the location of
the next hackathon (2016) before printing the T-shirts.
--
Talked about the format of Changes.rst:
<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>
All were fine with the format. However, there is no Changes.rst in
release/2.3 branch, which needs to be fixed. Mattock will create the 2.3
Changes.rst and send in a patch.
--
Discussed the "Add Windows DNS Leak fix using WFP
('block-outside-dns')" patch:
<https://github.com/ValdikSS/openvpn-with-patches/commit/3bd4d503d21aa34636e4f97b3e32ae0acca407f0>
ValdikSS sent an improved version of the patch after the meeting:
<http://thread.gmane.org/gmane.network.openvpn.devel/10419>
There seems to be no way to merge this patch without building separate
installers for Windows XP and Windows Vista (and later). It was decided
to have three different binaries in the future:
1) Windows XP / 32-bit / NDIS5 tap-driver
2) Windows Vista+ / 32-bit / NDIS6 tap-driver / DNS leak fix
3) Windows Vista+ / 64-bit / NDIS6 tap-driver / DNS leak fix
Mattock will take a stab at modifying openvpn-build to support this setup.
---
Full chatlog has been attached to this email.
--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock
(21:02:03) mattock: ok meeting time
(21:02:31) mattock: so lev, valdikss and cron2 are already here
(21:02:33) mattock: who else?
(21:02:37) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2015-10-26
(21:02:38) vpnHelper: Title: Topics-2015-10-26 – OpenVPN Community (at
community.openvpn.net)
(21:03:09) ***syzzer here too
(21:03:22) ***cron2_ is sort-of here, need to finish something first
(21:03:28) cron2_: but looks at the channel
(21:03:29) noko [pa...@gate6.zhovner.com] è entrato nella stanza.
(21:03:50) mattock: hi syzzer!
(21:04:04) syzzer: hi :)
(21:04:05) mattock: I emailed James, just in case he's interested in reviewing
the DNS leak fix
(21:05:35) syzzer: makes sense
(21:05:49) janjust [~janjust@openvpn/community/support/janjust] è entrato nella
stanza.
(21:05:49) modalità (+v janjust) da ChanServ
(21:06:07) janjust: g'evening folks
(21:06:18) syzzer: hi janjust :)
(21:06:25) ValdikSS: cześć!
(21:07:30) mattock: hi janjust!
(21:07:39) cron2_: h
(21:07:41) cron2_: i
(21:07:43) janjust: hi syzzer , mattock1
(21:07:43) cron2_: argh :)
(21:07:45) janjust: and cron2_
(21:07:50) lev__: begroeting!
(21:07:57) janjust: lol
(21:08:16) mattock: we have so many people today
(21:08:22) mattock: a good day for bikeshedding :)
(21:08:32) mattock: I suggest we start from the top while waiting for cron2
(21:08:47) mattock: #1 Windows team ideas
(21:08:52) janjust: the topic of utmost importance is, of course, what to print
on the t shirts
(21:09:01) mattock: yes, agreed :P
(21:09:08) syzzer: janjust, now you're here let me just hijack you ;) did you
find time to look at or test my polarssl counterpart of the
--client-cert-verify patch?
(21:09:14) janjust: it's been keeping me awake at night for days now ;)
(21:09:21) mattock: janjust: :D
(21:09:42) janjust: oops, syzzer , no not yet - I saw your patch but did not
look at the code just yet. will apply patch to my git tree later tonight
(21:10:15) syzzer: ah, ok, interested to hear your comments :)
(21:10:28) syzzer: good, back to the t-shirts then!
(21:10:43) janjust: but, for the windows team idea: I like the idea, feel like
I should spend time on it , perhaps just as tester, but am afraid that I will
not have the time for it that the team deserves
(21:10:57) mattock: well, none of us really do have the time
(21:11:06) mattock: but hopefully some Windows volunteers emerge
(21:11:14) janjust: yup
(21:11:23) janjust: I'll be team mascotte then ;)
(21:11:28) janjust: nah we need a woman for that :P
(21:11:41) ***janjust kicks himself for sexist remark #1
(21:12:21) mattock: so in a nutshell the basic approach is:
(21:12:21) mattock: 1. Separate IRC channel, but #openvpn remains the primary
support channel
(21:12:21) mattock: 2. Separate forum board
(21:12:21) mattock: 3. Put openvpn-gui to GitHub as a subproject (Heiko
suggested this himself)
(21:12:34) mattock: and then we sit back and see if something happens
(21:13:02) mattock: of course I will have to talk about this proposal on forums
and #openvpn before making any moves
(21:13:05) cron2_: no objections from me
(21:13:19) cron2_: it might work, or not, but I'm fairly sure it will not do
*harm*
(21:13:28) janjust: agreed
(21:13:29) mattock: yeah, my thoughts exactly :)
(21:14:00) mattock: if nobody is opposed, we can probably move on to the real
topic of today: T-shirts
(21:14:17) ValdikSS: openvpn-gui should really be on github and mattock1
already has a repo
(21:14:49) mattock: yeah, I can add the openvpn-gui repo myself
(21:14:55) syzzer: that is the easy part, the harder part is, who is going to
maintain that repo/
(21:15:03) mattock: yes
(21:15:35) janjust: not me - I haven't finished git 101 yet ;)
(21:15:43) syzzer: maybe d12fk + mattock1 makes sense
(21:15:46) mattock: I can merge some pull requests / patches, but if actual
code contribution come in, somebody else needs to take a look
(21:16:09) janjust: mattock1, +1
(21:16:40) cron2_: well, I'll give a look, and might see stupid (obviously
stupid) things...
(21:16:58) syzzer: ^^ yeah, I can do that too
(21:17:07) mattock: most excellent!
(21:17:39) mattock: and we might even get somebody interested in co-maintaining
the project in the long run
(21:17:53) mattock: someone new, you never know
(21:18:20) mattock: a guy did some pretty good job with NSIS in openvpn and
openvpn-gui a while back, coming out of nowhere
(21:18:32) mattock: anyways, T-shirts?
(21:18:36) ValdikSS: We should allow github pull-requests and not to force
patches via maillist then
(21:18:46) lev__: totally agree
(21:18:46) mattock: I tend to agree with that
(21:19:45) syzzer: I like the mailinglist actually, but won't object
(21:19:52) mattock: we could do thorough review if the patch in question looks
like it needs one
(21:20:08) mattock: many of the patches are language fixes and such
(21:20:35) ValdikSS: I don't like malilists. I'm not against it, but it's not
really convenient for 2015.
(21:20:52) janjust: #t-shirts: just read the idea of putting the list of
OpenVPN hackathons on the back : great idea!
(21:21:12) cron2_: +1
(21:21:19) janjust: #mailinglists: I'm old fashioned so I prefer mailinglists.
And come guys, we're here using IRC - that's sooooo 80s
(21:21:46) mattock: so many hooks for starting a bikeshedding discussion here :D
(21:22:00) cron2_: valdikss: what the windows team does is up to the windows
team, but dazo and I are very mailing list centric workers, so everything else
is making our workflow much more complex
(21:22:35) mattock: I think the mailing lists are fine, once you've subscribed
(21:22:35) cron2_: like, a github pull request is really "I have to download
the patch to my local machine, test it, merge, it, push it out again" as github
is not the primary repository but only pushed into
(21:22:47) mattock: they're a bit of a hurdle for "I just want to contribute
this one small patch"
(21:23:59) mattock: but having per-subproject contribution rules is fine
(21:24:13) syzzer: sure
(21:24:18) mattock: I think OpenVPN (core) needs more strict rules for what
goes in and how
(21:24:42) mattock: than most of the other subprojects
(21:25:14) syzzer: so, matttock will create the repo, and grant d12fk
superpowers?
(21:25:20) mattock: sounds good to me
(21:25:38) mattock: once d12fk tells me his GitHub account name
(21:25:49) mattock: I can probably guess it, but better safe than sorry
(21:27:16) mattock: so back to the T-shirts
(21:27:26) mattock: is the band T-shirt style ok?
(21:27:43) syzzer: I like it
(21:28:02) syzzer: even though I missed the two Brussels meetings
(21:28:31) cron2_: I like it too :)
(21:28:41) mattock: logo on the front and the "tour list" on the back?
(21:29:01) janjust: perhaps make the list go back to 1966 ;)
(21:29:19) syzzer: just make sure to put the extra e in Muenchen instead of
Brussels ;)
(21:29:57) janjust: but yeah I like the tour list idea. Muenchen? Can't we
add an umlaut? or do it fully in english?
(21:30:57) syzzer: hahaa, the bikeshedding has started! but yes, all in English
is probably better :) I just notice the extra e in Bruessels
(21:31:26) mattock: (james is trying to join, but he has nickserv identify
issues)
(21:31:27) cron2_: English is oK for me, but then "Munich" and "Brussels" :)
(21:31:55) mattock: fully english, no mutants please :P
(21:32:40) mattock: and the idea of converting umlauts in ae, oe and ue is a
horrible convention
(21:33:48) mattock: we can order the T-shirts before the next meetup
(21:33:57) mattock: so that we know the place for 2016
(21:34:11) syzzer: and you don't have to send them ;)
(21:34:35) mattock: yes, although there are probably a few guys who deserve a
shirt and can't make it
(21:34:39) janjust: errr, have we decided on the place for 2016? I'm fine with
Delft again, but I just wasn't aware that we had decided that
(21:34:49) mattock: no, no decisions
(21:34:50) lev__: Helsinki ?
(21:34:54) mattock: that is one option
(21:35:01) mattock: would be quite convenient for me and lev
(21:35:03) cron2_: lev__: so you have the OK from your boss? :)
(21:35:06) syzzer: lev__: you might know this by heart: what will a 2.3 client
do when it gets a P_DATA_V2 packet from a server?
(21:35:09) cron2_: MUC->Helsinki works out
(21:35:26) cron2_: syzzer: I think it should work fine
(21:35:34) lev__: not yet, but I see no reason to get NACK
(21:35:56) cron2_: syzzer: 0e1fd33247460bdfa65d306e8bcdd3cbafed8b73
(21:36:04) mattock: good, openvpn-speak spreading into real life
(21:36:23) cron2_: (if more recent than 2.3.6 or so, older versions will not
advertise IV_PROTO=2)
(21:36:39) cron2_: ((and "not understand the packet, and throw a tantrum", or
so))
(21:37:37) syzzer: ah, thanks. Looks like they will process it just fine
indeed :)
(21:37:43) cron2_: Acked-by: Steffan Karger <steffan.kar...@fox-it.com>
(21:37:46) cron2_: :)
(21:37:58) syzzer: I was wondering whether they would just be able to send or
could also receive
(21:38:22) syzzer: (thinking about what to do with all the mixed modes wrt AEAD)
(21:39:00) cron2_: well, they won't support these bits... only peer-id, no
AEAD, no COMP_V2
(21:39:24) syzzer: re location: Helsinki works for me too, and if it's not
possible, I'm happy to receive you once more in Delft
(21:40:03) cron2_: jftr, another year in Munich would be fine for me ("much
easier on the traveling" :) ) and I think Heiko also offered to host
(21:40:18) cron2_: Delft was nice, so I'm fine going there again... many optiosn
(21:40:19) mattock: yeah, heiko did that
(21:40:27) syzzer: no, but for AEAD mode it might make sense to make the server
always send V2 packets if the client supports it
(21:40:28) mattock: we can throw the dice if we can't decide
(21:40:37) mattock: plus we don't have to decide _now_
(21:40:39) mattock: :)
(21:40:47) janjust: exactly
(21:41:40) lev__: I try to get an ACK before spring 2016
(21:42:15) mattock: sounds good
(21:42:38) lev__: it is still 2015, isn't it?
(21:42:53) syzzer: I hope so...
(21:43:01) janjust: we just switched to winter time so it's 2016 :P
(21:43:04) cron2_: "date" agrees with me
(21:43:07) cron2_: 2015!
(21:44:16) mattock: yep, in /bin/date we trust
(21:44:36) mattock: shall we move on to topic #3, "Changes.rst"?
(21:45:30) cron2_: ok
(21:45:30) syzzer: it's in, right?
(21:45:54) cron2_: I think the question is "are we fine with what we have for
2.4 now, and what should be in changes.rst for 2.3"
(21:46:54) mattock: I have not actually had a look, but will do now
(21:47:07) syzzer: https://github.com/OpenVPN/openvpn/blob/master/Changes.rst
(21:47:08) vpnHelper: Title: openvpn/Changes.rst at master · OpenVPN/openvpn ·
GitHub (at github.com)
(21:48:16) syzzer: it would be nice to maintain one for 2.3 too, but that would
also mean synchronising between 2.3 and master I think?
(21:48:47) cron2_: yeah, that puts a bit of burden on dazo and me
(21:49:06) syzzer: yes
(21:49:13) cron2_: "stuff that goes into 2.3 *and* has user-visible effects
needs to be hand-fitted to Changes.rst"
(21:49:21) cron2_: (because a patch wont apply)
(21:50:03) mattock: yep, it would get nasty
(21:50:17) mattock: another reason to release 2.4 a.s.a.p. so that we can ditch
2.3 :)
(21:50:18) cron2_: but I'm fine to do that - part of the release process
("ChangeLog, Changes.rst, version.m4, tag, ship")
(21:50:33) cron2_: mattock1: it will be the same for 2.5/master vs. 2.4 after
that :)
(21:50:56) mattock: oh yes, so there's no pot of gold at the end of the 2.4
rainbow
(21:51:12) cron2_: a small one :)
(21:51:16) mattock: :)
(21:51:55) mattock: ok so are we going to make a Changes.rst for 2.3?
(21:51:57) cron2_: as I'm a bit busy these days I would welcome a Changes.rst
for 2.3 based on the actual changes in there
(21:52:00) cron2_: yes!
(21:52:37) mattock: hmm, I believe the original 2.3 release announcement(s)
might have a crude list we could start from
(21:52:37) cron2_: I'm happy to maintain it, just the initial "go through
changelog and find report-worthy changes" would benefit from someone else
getting this started
(21:53:21) mattock: this is a good resource, very little noise:
http://news.gmane.org/gmane.network.openvpn.announce
(21:53:22) vpnHelper: Title: Gmane Loom (at news.gmane.org)
(21:53:28) methamp [m...@greyhat.pw] è entrato nella stanza.
(21:53:31) mattock: I can compile a proposal list
(21:53:46) syzzer: just send a patch ;)
(21:53:51) cron2_: I was about to say that :)
(21:54:01) mattock: well, I can do that
(21:54:09) syzzer: gets you one more commit in the repo :p
(21:54:41) syzzer: other than that, I think the format is fine like this
(21:54:42) mattock: then I can brag about it in a bar
(21:54:45) mattock: sounds good
(21:54:47) cron2_: :)
(21:55:12) mattock: so next topic: patch review?
(21:55:32) ValdikSS: By the way, there is another serious topic to discuss:
should OpenVPN drop Windows XP support?
(21:55:42) cron2_: we already did
(21:55:47) ValdikSS: Oh
(21:55:49) cron2_: 2.4 will no longer run on XP
(21:56:02) cron2_: 2.3 will continue to support XP as long as we can
(21:56:28) cron2_: (the problem is that some of the IPv6 API calls -
GetIpRoute2() and friends - are not supported on XP, and working around that is
more painful than we could be bothered, for an end-of-life os)
(21:56:35) mattock: =until supporting Windows XP would require significant work
on our part
(21:58:46) ValdikSS: Should we review my patch then?
(21:58:56) cron2_: is it on the list?
(21:59:12) ValdikSS: on the topic list but not on the maillist
(21:59:29) mattock: it was linked to this channel yesterday I believe
(21:59:52) mattock:
https://github.com/ValdikSS/openvpn-with-patches/commit/3bd4d503d21aa34636e4f97b3e32ae0acca407f0
(22:00:09) ValdikSS: Currently it won't work if server doesn't push dhcp-option
DNS or user doesn't set it in the config. As lev__ mentioned, user can set DNS
on the interface statically and I'm in doubt how should OpenVPN handle this —
ignore block-outside-dns as it does right now, block outside dns always even
without DNS or check it somehow.
(22:00:42) cron2_: I think it should do what it's told: "block DNS if
block-outside-dns is requested"
(22:01:49) cron2_: meh, if this is vista and up, it can't go into 2.3
(22:02:11) ValdikSS: Windows XP doesn't support WFP
(22:02:50) janjust: the patch only really applies to 8.1 and higher anyway,
right?
(22:02:56) ValdikSS: Yes.
(22:03:01) mattock: yeah
(22:03:10) ValdikSS: More to 10, as in 8.1 you can disable Smart DNS.
(22:03:11) cron2_: but that implies "building two different installers for 2.3,
at least"
(22:04:08) methamp: Maybe I should've posted this to -devel and not the main
channel. Is OpenVPN Connect still broken on iOS 9?
(22:04:14) mattock: no more 2.3 installers please... there are already NDIS 5
and NDIS 6 tap-driver versions
(22:04:21) methamp: I'm on what I believe is the latest version and while the
VPN looks like it's connected, no traffic is actually routed through it. Been
flipping through forum threads all day.
(22:04:29) ValdikSS: methamp: I believe it is.
(22:04:36) cron2_: methamp: just look into trac before spamming an ongoing
discussion
(22:04:38) mattock: methamp: we're having a meeting, but valdikss is probably
right
(22:04:42) ValdikSS: methamp: https://community.openvpn.net/openvpn/ticket/614
here's a workaround
(22:04:43) vpnHelper: Title: #614 (Connect on iOS 9: IPv4 routing doesn't work
with dual-stack) – OpenVPN Community (at community.openvpn.net)
(22:05:04) ValdikSS: methamp: just push 2 routes instead of redirect-gateway.
(22:06:17) cron2_: ValdikSS: well, the patch on the openvpn side of things
looks reasonable. win32.h definitely needs explanations what these magic
DEFINE_GUID things are good for
(22:06:57) cron2_: I wonder why you're not passing the adapter index right
away, and call win_adapter_index_to_luid() inside...
(22:07:01) ValdikSS: cron2_: actually, I'm not sure if this is only my mingw
which doesn't include that GUIDs or just mingw doesn't have them at all.
(22:07:29) methamp: If I understand this correctly, it's an OpenVPN server fix?
(22:07:37) methamp: Meaning, as an end-user of someone else's VPN I can do
nothing?
(22:07:49) cron2_: methamp: complain to the server operator and point to this
trac ticket
(22:08:07) methamp: Oh, jesus.... I might as well look for an alternative
OpenVPN client if one exists. My provider will not fix this anytime soon.
(22:08:18) ValdikSS: cron2_: hrmm, you're right, I should move luid to the
existing function.
(22:08:18) methamp: And I just left a provider that had their own custom client
:-x
(22:08:35) ValdikSS: methamp: add to your config: route-nopull route 0.0.0.0/1
route 128.0.0.0/1
(22:09:42) cron2_: mattock1: since methamp has so politely interrupted the
conversation anyway - have you heard anything from James about #614? He should
be argueing with Apple about this...
(22:10:35) ValdikSS: cron2_: just FYI, replacing redirect-gateway with routes
works perfectly fine with dual-stack.
(22:11:02) janjust: ValdikSS, those 2 routes just mean "redirect-gateway def1"
right?
(22:11:16) mattock: cron2: I only know that Aplle should fix it, and that we
have no clue when / if that happens
(22:11:18) methamp: cron2_: I apologize for chatting here as a basic user --
unfortunately, the main channel seemed fairly dead and this isn't a firewall
issue.
(22:11:22) methamp: Thank you for your time.
(22:11:26) ValdikSS: janjust: they technically work as redirect-gateway def1,
but works on apple.
(22:11:31) mattock: methamp: take care!
(22:11:39) cron2_: methamp: it's not the "chatting as user" but "interrupting
an ongoing discussion"
(22:11:46) mattock: =a community meeting
(22:11:54) mattock: scheduled one to be exact
(22:12:12) methamp: I didn't get the memo. I'll stop typing now.
(22:12:12) cron2_: mattock1: so he already raised the issue - this is important
to know :)
(22:12:32) mattock: methamp: np
(22:12:41) cron2_: methamp: it's basic well-behaviour: before starting to type,
look what's happening. If this looks like a discussion, maybe wait for it to
end?
(22:12:43) ValdikSS: Well, I don't think that's an issue. We should use another
channel if we don't want to get interruped.
(22:12:47) mattock: ok so back to the WIndows 10 DNS fix
(22:12:55) cron2_: it was really impolite and inconsiderate
(22:13:04) ValdikSS: I don't think so. Whatever.
(22:13:22) cron2_: well, I completely lost track of my review, so thanks a lot
(22:13:25) ***cron2_ goes fetch a beer now
(22:13:27) mattock: let's not sabotage our own discussion any further
(22:13:34) mattock: now there's an idea :)
(22:13:52) mattock: it seems jamesyonan is unable to join, nickserv is playing
tricks with him
(22:14:40) ValdikSS: Should block-outside-dns use OPT_P_IPWIN32 to make it
possible to ignore server push with route-nopull?
(22:15:33) ValdikSS: Should it always block outside DNS even if no DNS is
assigned?
(22:15:46) ValdikSS: no DNS inside tunnel*
(22:16:58) syzzer: ValdikSS: yes, I think it should. I the user doesn't want
to block, (s)he should simply not push or enable the option
(22:17:21) janjust: mattock1, I've created a channel #openvpn-meeting, can
james connect to that?
(22:17:30) mattock: janjust: I'll ask
(22:17:43) ValdikSS: Well, it should be blocked with route-nopull then
(22:18:19) ValdikSS: I just think about it from a point of view of VPN service.
User may want to do route-nopull and not to have blocked DNS.
(22:19:21) syzzer: makes sense to me (but, I'm not really the networking
authority here...)
(22:19:48) mattock: cron2: thoughts?
(22:20:12) mattock: guys: jamesyonan joined #openvpn-meeting channel
(22:20:14) cron2_: IPWIN32 is good
(22:20:16) janjust: all: I've created a channel #openvpn-meeting where james
could join
(22:20:19) mattock: let's move over there
(22:20:29) mattock: he has vested interested in ValdikSS's patch
(switched to #openvpn-meeting channel)
(22:18:17) janjust: hiya, there should be no restrictions on this channel AFAIK
(22:18:27) mattock: hi, I asked james to join this one
(22:19:37) jamesyonan [~jamesy...@c-67-166-32-18.hsd1.co.comcast.net] è entrato
nella stanza.
(22:19:42) syzzer: ah, there we go!
(22:19:44) janjust: hi james!
(22:19:50) janjust: let's get the rest into this channel
(22:19:54) jamesyonan: hi guys
(22:19:59) mattock: hi jamesyonan!
(22:20:00) ValdikSS [~valdikss@95.215.45.33] è entrato nella stanza.
(22:20:24) cron2_ [~gert@openvpn/community/developer/cron2] è entrato nella
stanza.
(22:20:27) cron2_: hey
(22:20:37) mattock: hi all
(22:20:44) ValdikSS: hello
(22:20:45) mattock: jamesyonan:
https://community.openvpn.net/openvpn/wiki/Topics-2015-10-26
(22:20:57) mattock: we just started discussing this patch:
https://github.com/ValdikSS/openvpn-with-patches/commit/3bd4d503d21aa34636e4f97b3e32ae0acca407f0
(22:21:21) lev__ [~l...@stipakov.fi] è entrato nella stanza.
(22:21:28) lev__: hello
(22:22:59) janjust: perhaps we should always use a channel like this for
meetings - keeps out the riff raff ;)
(22:24:20) jamesyonan: so does this patch work by simply firewalling off the
non-tap interfaces for DNS traffic?
(22:24:34) mattock: janjust: that would work for me
(22:24:34) ValdikSS: yes
(22:25:05) ValdikSS: it filters only exactly that tap interface that openvpn
instance uses.
(22:25:38) mattock: will this work on multiple simultaneous OpenVPN connections?
(22:25:42) ValdikSS: yes.
(22:25:55) jamesyonan: is this the main issue with OpenVPN DNS on Win 10 or
other there other DNS issues as well?
(22:26:35) ValdikSS: I don't know of any other issues regarding DNS on 10.
(22:29:23) jamesyonan: ValdikSS: this is great, thanks for figuring this out
(22:29:36) mattock: any issues with the patch itself?
(22:29:47) ValdikSS: So I should 1. drop win_adapter_index_to_luid and move
it's code to win_wfp_block_dns, 2. always block DNS even if it's not set
(22:30:05) lev__: well, I'd like to test it more
(22:30:06) jamesyonan: what about building on pre-Vista -- will this code
#ifdef itself out?
(22:30:28) ValdikSS: I'm afraid it won't
(22:30:39) ValdikSS: Are there any defines for Windows XP only?
(22:33:03) ValdikSS: And regarding merging it into 2.3 — this is really needed
only on Windows 8.1 and higher and not really on XP.
(22:33:13) jamesyonan: well if you were building for XP, you'd be using a lower
platform SDK version (7.1A I believe)
(22:33:21) ValdikSS: Or it's a rule that all the functions should work with any
Windows versions?
(22:33:22) cron2_: there's NTDDI_VERSION which is >= NTDDI_VISTA if you have,
well, vista and up
(22:33:47) cron2_: ValdikSS: the rule is "we only build a single openvpn.exe
which should work on XP, since we still support XP"... which is a bit
problematic here
(22:34:32) cron2_: so to get this in, you'd need to convince mattock1 to start
building "XP-only" and "vista and up" installers now
(22:34:34) ValdikSS: cron2_: Oh, I though that Windows XP and Vista+ packages
have different openvpn.exes. Do they have only different tap adapter drivers?
(22:34:49) cron2_: only different TAP driver (plus 32/64 bit bundles)
(22:34:59) ValdikSS: I see.
(22:35:10) jamesyonan: I've been finding with my recent work porting OpenVPN 3
to windows, that's its often more convenient to build separate versions of
binaries for XP and Vista+
(22:35:44) mattock: yeah, and having eight different flavors of openvpn
installers (bitness/tap-driver/this patch) does not make sense
(22:35:47) mattock: we have four already
(22:36:19) syzzer: can we drop the NDIS5 by now?
(22:36:25) mattock: not if we want to support XP
(22:36:32) mattock: it only supports NDIS5
(22:36:51) cron2_: I could see an "XP+NDIS5" and "Vista+NDIS6" bundle (and both
in 32/64)
(22:37:03) syzzer: ^^ yes, that
(22:37:18) mattock: that would make sense
(22:37:22) jamesyonan: with openvpn 3, we're supporting XP, and it looks like
we'll have three binaries in the installer : XP 32-bit, Vista+ 32 and 64 bits
(22:37:48) mattock: yeah, only some random guy is using XP 64-bit
(22:37:50) ValdikSS: I have 7,35% visitors with Windows XP on my Russian
website.
(22:38:18) ValdikSS: AFAIK Windows XP is still huge in China.
(22:38:27) mattock: yep, pirated versions
(22:38:44) ValdikSS: In Russia, too.
(22:39:18) ValdikSS: I even have 2 users from Windows 2000.
(22:39:19) mattock: so there is no way to merge the DNS fix without producing
different binaries for XP and Vista?
(22:39:22) ValdikSS: with*
(22:39:23) mattock: :)
(22:39:41) ValdikSS: mattock1: I'm afraid you're right.
(22:40:00) jamesyonan: well we would already need to have 32 vs. 64 bits, so
adding a third option shouldn't be a big deal
(22:40:06) ValdikSS: But I don't think that's a huge problem since we have
different installers anyway.
(22:40:11) mattock: that might require quite heavy amending of openvpn-build,
but it should be doable
(22:40:36) mattock: openvpn-build works in a bit straightforward fashion, but
I'll have a look
(22:40:58) mattock: so there are a few changes that have to be made, and lev
wants to test this patch a bit more
(22:41:10) mattock: and I'll have a look at what needs to be done at the
installer / build end
(22:41:22) mattock: anything else about this patch?
(22:42:04) ValdikSS: It's not very efficient since it adds additional rules if
there is another openvpn instance is running, but I don't know how to solve it
(22:42:51) ValdikSS: Well, I know how to solve it, with all filters
enumeration, but that would add additional code.
(22:42:57) mattock: but adding the rules in one-time task at connection time?
(22:43:39) ValdikSS: Right now it add rules to block svchost.exe every time.
(22:44:00) syzzer: when will the rules get removed?
(22:44:42) ValdikSS: I mean, if you run 2 openvpns in parallel, it would add 2
firewall subclasses, each of them blocks svchost and allows tap adapter
(22:44:48) jamesyonan: are there any performance issues? such as time to add
and remove the rules?
(22:44:56) lev__: it also missing library references to vcxproj file but that's
not a showstopper
(22:45:09) ValdikSS: Ideally it should detect another running openvpn and add
only permit rule for another tap
(22:45:30) ValdikSS: I don't think this is a performance issue, more like a
"not ideal code" issue.
(22:45:49) ValdikSS: I mean, you definitely won't spot any performance
differences
(22:45:59) ValdikSS: Maybe on 10gbit+ links only
(22:46:01) mattock: is the rule-adding function (or rather, the firewall thing)
reliable?
(22:46:07) jamesyonan: I don't think very many people run concurrent tunnels
(22:46:08) mattock: or could it, say, hang and block openvpn
(22:46:22) ValdikSS: No, all the functions are non-blocking
(22:46:30) mattock: ok
(22:46:42) mattock: so in the worst case DNS leakage does not get fixed
(22:46:46) ValdikSS: I checked some cases like when the internet connection
suddenly drops and it works fine.
(22:46:59) ValdikSS: Doesn't block openvpn from reconnecting
(22:47:22) ValdikSS: Oh, another important thing. This code is written in a way
that all the errors are non-fatal
(22:47:25) ValdikSS: Is this correct?
(22:47:35) jamesyonan: do the firewall rules automatically disappear when TAP
interface goes down, or do they need to be manually removed?
(22:47:40) ValdikSS: Like, if we can't block outside DNS, it would produce only
warning.
(22:48:04) ValdikSS: jamesyonan: They disappear on disconnect or crash.
(22:48:16) ValdikSS: jamesyonan: If openvpn.exe crashes, firewall rules are
cleared.
(22:49:00) ValdikSS: jamesyonan: didn't test it when tap interface suddenly
does down.
(22:49:06) jamesyonan: ValdikSS: I tend to use this to bracket Vista+ code: #if
_WIN32_WINNT >= 0x0600
(22:49:48) jamesyonan: MS headers don't set this automatically though, because
they want you to tell them what is the minimum Windows version being targetted
(22:50:08) jamesyonan:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa383745(v=vs.85).aspx
(22:51:25) ValdikSS: jamesyonan: thanks for the hint, i'll try to use it
(22:52:09) ValdikSS: I need someone to test if their mingw versions have that
GUIDs defined or it's only my (probably outdated) mingw version
(22:52:47) mattock: valdikss: just let me know what needs to be done
(22:52:57) cron2_: the mingw64 version shipped with ubuntu 14 seems to be
fairly up to date
(22:53:19) ValdikSS: mattock1: remove all DEFINE_GUID in win32.h and try to
compile
(22:53:37) mattock: ok
(22:54:22) mattock: so I suppose we can't really give a (preliminary) ACK at
this point, right?
(22:54:37) mattock: we're approaching the two-hour limit
(22:55:13) jamesyonan: ValdikSS: what did you mean when you said "I know how to
solve it, with all filters enumeration, but that would add additional code"
(22:55:46) ValdikSS: jamesyonan: there is no api call to search sublayer by name
(22:56:09) jamesyonan: is this for detecting other tap instances?
(22:56:40) ValdikSS: jamesyonan: well, the proper way is to add only one
sublayer for all running openvpn instances
(22:56:57) ValdikSS: jamesyonan: it should block svchost.exe only once and add
all allowed tap adapters
(22:57:23) ValdikSS: jamesyonan: right now every instance adds its own sublayer
which blocks svchost.exe
(22:57:37) ValdikSS: jamesyonan: so it's just a duplicate of firewall rules
(22:58:17) jamesyonan: so it's only an issue with multiple tap instances?
(22:58:39) ValdikSS: I still not sure if it's really an issue. What all of you
think?
(23:00:36) jamesyonan: I would tend to think your current approach is okay
(23:01:03) mattock: so the additional code would be to list all filters, parse
the list and see if the rules that are about to be added already exist?
(23:01:18) mattock: and if the exist, not add them
(23:01:51) mattock: if so, just adding possibly redundant rules (in case there
are multiple openvpn instances) is probably not any worse
(23:02:14) ValdikSS: mattock1: yes.
(23:02:40) ValdikSS: mattock1: and it should delete or not delete that rules on
termination
(23:02:52) jamesyonan: doesn't it seem cleaner though to have each tap
interface have its own separate rules?
(23:03:33) jamesyonan: if different tap interfaces were sharing the same rules,
might that introduce race conditions for creation/deletion?
(23:03:38) ValdikSS: I just understood another problem. If we have more than
one openvpn instance, another instance could have problems with reconnecting
(23:04:24) ValdikSS: One instance would block svchost.exe and another instance
would have problem resolving domain name
(23:05:34) ValdikSS: Not sure how to solve this problem without shared bus with
multiple openvpn instances
(23:06:24) jamesyonan: well I think if you were running multiple tunnels, that
certain options could only make sense on one of the tunnels, such as
redirect-gateway and DNS forwarding
(23:07:39) jamesyonan: which is one of the reasons why I suspect multiple
concurrent tunnels is a rare use case
(23:09:11) jamesyonan: I assume this code requires admin privileges?
(23:09:34) ValdikSS: jamesyonan: yes.
(23:10:09) ValdikSS: So, should this code fail with a non-fatal error or should
it terminate openvpn?
(23:11:51) jamesyonan: maybe block-outside-dns should have a parameter for
optional or required?
(23:12:05) jamesyonan: to control whether failure is fatal
(23:13:24) ValdikSS: And another question: should this code be ansi-compatible,
or unicode only?
(23:13:39) jamesyonan: are those GUIDs unique to your code, or are they
well-known GUIDs from Windows?
(23:14:10) jamesyonan: what sort of strings are you dealing with?
(23:15:08) ValdikSS: jamesyonan: that one from win32.h? They are well-known
GUIDs, I got it from visual studio.
(23:15:38) ValdikSS: jamesyonan: functions like GetSystemDirectoryA/W, TCHAR vs
wchar_t
(23:15:51) jamesyonan: so they should be #ifdefed out when building with visual
studio?
(23:17:16) jamesyonan: Unicode is probably better.
(23:17:32) ValdikSS: jamesyonan: probably yes.
(23:17:40) ValdikSS: I didn't test with visual studio
(23:18:08) mattock: I have to split, it's getting late
(23:18:23) mattock: feel free to go on, though
(23:18:31) jamesyonan: ok, thanks guys
(23:18:55) ValdikSS: we should leave this patch and continue
(23:18:57) jamesyonan: I will probably be able to test this in the context of
openvpn 3
(23:18:59) lev__: I compiled that patch with Visual Studio
(23:19:09) plai [~arne@openvpn/community/developer/plaisthos] è entrato nella
stanza.
(23:19:16) ***plai is back from Sports!
(23:19:18) mattock: oh plaisthos
(23:19:21) mattock: hi plai!
(23:19:25) plai: but meeting is probably over ;)
(23:19:27) ValdikSS: lev__: without commenting guids in win32.h?
(23:19:33) mattock: yeah, almost at least
(23:19:34) janjust: hi arne, nope still going strong
(23:19:51) mattock: those who have the endurance are still here
(23:20:04) lev__: ValdikSS: yeah, MSVS 2013
(23:20:12) mattock: I will split now, but I'll check what happened here
tomorrow morning and send the summary
(23:20:13) mattock: buy!
(23:20:15) mattock: sorry
(23:20:19) mattock: bye! :)
(23:20:19) jamesyonan: or those on western hemisphere time
(23:20:25) mattock: yeah
(23:20:45) ***syzzer still lurking...
(23:23:45) lev__: cron2_: are you planning to merge server restart notification
patch
(23:24:11) cron2_: you keep asking and I will continue to give the same answer
(23:24:42) cron2_: "yes, as time permits, unless i find something that plai
overlooked in reviewing" (which is unlikely, though)
(23:25:05) cron2_: what about plai's remark about a followup patch to not
accept new connections after "GO AWAY, CLIENT!" has been sent?
(23:25:50) lev__: I agree that it makes sence
(23:25:53) lev__: sense
(23:26:45) lev__: will implement, just have to find a correct way of doing it
(23:30:41) lev__: it is a bit more than one flag in multi_context (or whatever
it is called which holds all multi_instances) "i am shutting down"
(23:59:39) ValdikSS: Is the meeting over?
(23:59:57) syzzer: usually mattock1 is the one to call the meeting over
(27/10/2015 00:00:39) syzzer: but I think it is, yes...
(00:01:26) syzzer: must be really late in Moscow by now
(00:01:30) janjust: I'm out... I need to install a new version of OpenVPN for
Android ;)
(00:01:39) ValdikSS: Just made v2 of block-outside-dns, if anyone interested
https://github.com/ValdikSS/openvpn-with-patches/commit/ce580f983345dfbb8d900df2fb1b1300569c1f17
(00:01:56) syzzer: you should probably send it to the list
(00:03:24) ValdikSS: syzzer: ok I will
(00:07:33) syzzer: ok, I'm out too :)
(00:07:35) syzzer: good night!
(00:08:32) plai: good night
