Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 2nd September 2020
Time: 11:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:

<https://community.openvpn.net/openvpn/wiki/Topics-2020-09-02>

Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

SUMMARY

janjust, lev, mattock and plaisthos participated in this meeting.

---

Talked about OpenVPN 2.5-beta3. There are two known issues in it. The first one is in the MSI installer:

<https://github.com/OpenVPN/openvpn-build/issues/187>

The second issue manifests itself in the GUI, but is actually tapctl.exe related (i.e. in the OpenVPN repo):

<https://github.com/OpenVPN/openvpn-gui/issues/359>

These need to be fixed.

--

Janjust noticed that (when using OpenVPN 2.5) Networkmanager is set to ignore any ipv6 settings yet the default ipv6 route is over the VPN. This seems like a Networkmanager bug, but janjust will investigate a bit more.

--

Noted that WolfSSL has not responded to our request to provide an easy fix and it has been 1.5 months now.

--

Plaisthos is working on implementing peer fingerprinting support. This will also allow a quick setup with self-signed certificates without a CA. Each VPN client will have a fingerprint on the server side, so you will need to restart the server when you add/remove a client.

--

Full chatlog attached
(12:30:56) mattock2: Hi!
(12:32:15) plaisthos: hey!
(12:33:49) janjust_ [~janjust@2001:610:120:e034::1001] è entrato nella stanza.
(12:34:23) janjust_ ha abbandonato la stanza (quit: Client Quit).
(12:34:54) mattock2: So: postpone 2.5.0 - thoughts?
(12:35:31) janjust [~janjust@2001:610:120:e034::1001] è entrato nella stanza.
(12:35:59) mattock2: There are a few major issues, in openvpn-gui and in MSI
(12:36:03) janjust: morning folks... and I immediately see a nicety of openvpn+networkmanager ;)
(12:36:43) mattock2: morning!
(12:36:43) lev__: what is GUI issue
(12:36:58) mattock2: second connection fails
(12:37:19) mattock2: can't recall the gui issue ID
(12:37:20) plaisthos: what is a GUI?
(12:37:24) lev__: ah I think this is not about GUI
(12:37:45) plaisthos: janjust: if we wait for good networkmanager support, we can wait another 4 years I guess ;P
(12:37:48) mattock2: yeah not really, but manifests itself in the gui
(12:37:53) lev__: it is just tap adapters created manually are missing registry key "allownonadmin"
(12:38:08) lev__: not sure why/how that regressed
(12:38:39) plaisthos: side note: WolfSSL has now been silent for 1,5 month for the quick fix for their OpenVPN support
(12:40:29) mattock2: yep, I recall we agree to not include wolfssl in 2.5 and if they continue silence then throw it out completely in 2.6
(12:40:36) lev__: mattock2: https://community.openvpn.net/openvpn/ticket/1321
(12:41:01) janjust: plaisthos yeah I know but I had not expected this: I told networkmanager to ignore any ipv6 settings yet my default ipv6 route is over the VPN
(12:41:51) lev__: I can look at it unless somebody fixes it first
(12:41:57) lev__: (allownonadmin)
(12:42:10) mattock2: go for it lev
(12:42:10) lev__: (after fixing/mitigating renaming issue)
(12:43:14) mattock2: +1
(12:46:01) mattock2: anyhow
(12:46:24) mattock2: postponing 2.5.0?
(12:46:28) janjust: just wondering about allownonadmin + openvpn interactive service etc... does the gui filter any options before passing them on to the iservice?
(12:50:00) lev__: IIRC certain options can only be used by users in Admin group or configs in special place
(12:50:51) janjust: ah good
(12:52:46) lev__: yeah, "/* Authorized group who can use any options and config locations */"
(12:53:33) plaisthos: janjust: that sounds more like a networkmanager bug than anything else
(12:54:31) janjust: plaisthos: I agree and I'll need to test it with the latest (git) version of networkmanager before I file a bug report
(12:59:56) plaisthos: short status update: I am working on implement a
(13:00:03) plaisthos: <peer-fingerprint>
(13:00:06) plaisthos: fp1
(13:00:07) plaisthos: fp2
(13:00:10) plaisthos: </...>
(13:00:20) plaisthos: option to pin certificates of the peer
(13:00:45) plaisthos: This will also allow to do quick setup with self-signed certificates without a CA
(13:05:20) janjust: oh sweet! more or less the "pre-shared public key" method
(13:06:35) plaisthos: yeah
(13:06:44) plaisthos: and also allows us to deprecate --secret/static keys
(13:06:57) plaisthos: since from a user perspective it is almost as easy to setup
(13:07:31) janjust: throw in TOFU and openvpn is behaving more and more the same as SSH ;)
(13:08:46) plaisthos: TOFU?
(13:08:53) plaisthos: ah trust on first usage
(13:09:04) plaisthos: you will still need to do that manually
(13:09:25) plaisthos: but I am making that easy for you since I print the fingerprint of the peer in the error message
(13:13:05) janjust: yeah and with SSH it's the client that needs to trust the server, not vice versa. Question is, does your update include server-side support?
(13:13:37) plaisthos: yeah
(13:13:44) plaisthos: the same option
(13:13:53) janjust: Nice...
(13:14:06) plaisthos: that is also the main reason to allow multiple fingerprint
(13:14:11) plaisthos: one for each client
(13:14:25) plaisthos: you will need to restart the server for adding/removing a client to that list
(13:14:38) plaisthos: but if you need a larger setup without that, you should just use a CA
(13:19:38) mattock2: mm
(13:21:29) mattock2: Anything else?
(13:25:22) janjust: don't think so....
(13:28:22) mattock2: Ok, let's end this thing
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel