TIMING

• Wk1 : 08.12 Planning and Scoping
• Wk2 - 10: 08.19 Dev
• Wk11: 10.14 Testing and release

RELEASES

Desktop client release: The upcoming release will be a maintenance/security release update of obfsvpn and a security fix. Plus, work on load balancing via initial geolocation dev and the invite system based on introducer implementation will be added for internal testing.. Release checklist: bitmask-vpn#893 (closed)

Android release The upcoming release will contain obf4 over kcp support. Integration of API v5 has been moved forward, but requires further work for full support of the new backend API. The new release contains an updated bitmask-core library with a added Java bindings to pass an invite code to the library. It's a public release and will contain all fixes and improvements developed of the beta releases 1.4.0RC1 and 1.4.0RC2, for example fixes for app crashes, memory leaks but also support for ed25519 private keys to setup VPN connections and updated translations. Release checklist: bitmask_android#9189 (closed)

Platform release The upcoming release will include several important updates. These include upgrading OpenVPN from version 2.5.1 to 2.6.3 and improving OpenVPN performance with a new flag to enable openvpn-dco. Additionally, we are switching the OpenVPN data cipher from AES-128-CBC to CHACHA20-POLY1305 for enhanced security. A new service , Introducer, will also be introduced, allowing connections to backend APIs from censored networks. Release checklist: leap/container-platform/lilypad#110 (closed)

Circumvention Tech There will be a refactor and release of obfsVPN to improve error handling for failing connections. This fix ensures that obfsvpn recovers from network failures and improves obfsvpn's overall robustness. Moreover obfsvpn in server mode now supports proxying TCP traffic, so that it can be used as an 'introducer' for the API. Moreover we developed and integrated QUIC as stream protocol into obfsVPN. It's a working proof of concept, which we will test in the field in our next test cycles. We finished field testing of port hopping via obfs4 and did the final preperations for use of obfs4+kcp via Bitmask. Release of obfs4+KCP checklist: obfsvpn#60

CIRCUMVENTION TECH

DELIVERABLES

• KCP+Obfs4: obfsvpn#60
• Port Hopping? obfsvpn#61
• Quic: obfsvpn#62
• DNSTT: obfsvpn#63

DEVELOPMENT

• refactoring and release ObfsVPN (max) obfsvpn@v1.1.0...v1.2.0
• QUIC as KCP-style stream protocol for obfs4 obfsvpn#53 (closed) (obfsvpn!65 (merged))
• Make adjustments to Hopping PT as needed
• KCP: documentation and explanation of results for the community
• Release Bitmask with obfs4+kcp

FIELD TESTING

• Finalize field testing and analysis of port hopping
• Deploy Plotly dashboard on monitoring machine
• Automated tests can be sent to infrastructure without user interaction
• start experimenting with new PT, e.g. DNSTT
• metrics documentation and write up

PROVIDER

• Release Bitmask (android) with obfs4+kcp bitmask_android!307 (merged)

INVITE SYSTEM

The Invite system will allow use of an invite code to establish connections with circumvention providers. It requires: 1) APIV5 implemented on the platform and clients, 2) The "Introducer", new proxy tech used for circumvention tech providers to protect the discovery process. In addition a Bucket system which creates resilency in the case of burnt bridges will be created, but is not neccessary to begin use. For desktop we will begin dev on the required bitmask multi-provider.

UX CHANGES

Create first run UX to include invite and implement it

• Create mocks. bitmask_android#9173 (closed)
• Implement UI in android:bitmask_android#9193 (closed)
• Desktop later.

UPGRADING to V5

ANDROID

• Android: implement code path for provider setup v5 using Bitmask-core bitmask_android#9185 (closed) (40hrs) ( bitmask_android!282 (closed))
• implement code path for provider setup v5 using Bitmask-core bitmask_android#9185 (closed) (40hrs) ( bitmask_android!282 (closed))
• add tests for v5 provider setup bitmask_android#9184 (16hrs)

BITMASK-CORE

• fetch and parse provider.json bitmask-core#9 (closed) (12h)
• fetch ca cert in API v5 menshen#53 (closed)

INTRODUCER

ANDROID

• setter for introducer config in mobile package (4h) bitmask-core!21 (merged)

BITMASK CORE

• Finalize client implementation of introducer (6h) bitmask-core#14 (closed)
• Re-Evaluate introducer feature/workflow/API bitmask-core#18 (closed) Add PoC for an Introducer (3h)
• (depends on bitmask-core#14 (closed)
• bitmask-core#18 (closed)) (4hr)
• bitmask-vpn#897 (closed)

DESKTOP

• Implement introducer flow for dev testing (env variable to set introducer)

LILYPAD

• Configure obfsvpn-server to point to a menshen backend: obfsvpn#38 (closed) (8hrs)
• Orchestration: deploy introducer within lilypad leap/container-platform/lilypad#90 (closed) (4hrs)
• Test deployment with obfsvpn-client and curl (4hrs)
• Stretch: make the API available to local network, only introducer speaks to api and close the public ports that expose the api and open vpn ports (6hrs)

BUCKET SYSTEM: work in progress, for next milestone.

LOAD BALANCING

Working to ease congestion of gateways is taking the following form:

GEO-LOCATION

CLIENTS

• Desktop: Add support for DoGeoLocationLookup (3h) bitmask-vpn#902 (closed) (DONE, NEEDS REVIEW)
• Android: Later

PLATFORM / MENSHEN

• implement menshen api endpoint to find nearest gateway

BITMASK CORE

• Update readme (1h) bitmask-core#10 (closed) (SMALL)
• IP resolution via stun server (8h) bitmask-core#12 (closed)
• Get country (code) for an ip address (6h) bitmask-core#15 (closed)
• Improve Config/API struct (support for STUN servers, Add config as a member to API) bitmask-core#17 (closed) bitmask-core!25 (merged)
• Create new repo with cli tools bitmask-core#19 (closed) (30m)

MENSHEN AGENT REPORTS CPU LOAD Next rounds

OPENVPNDCO AND OPENVPN OPTIMIZATION

• openvpn container upgrade
• openvpn-dco deployment and testing
• Optimizing openVPN to help with congestion (syam) (16hrs)

GENERAL LEAP VPN IMPROVEMENTS

ANDROID

• Fix language switching android issue bitmask_android#9156 (closed) (2h)

DESKTOP

• Handle error if Bitmaks.Init returns an error (2h) / Improve error/state handling in general bitmask-vpn#855 (closed) (Big Rabbit hole Topic)
• Add Makefile default target: clean + vendor + build bitmask-vpn#867 (closed)
• [Makefile] make build always builds a debug and a prod version bitmask-vpn#834 (closed)

---

• misc bug fixes (detection of udp supported by provider,etc.) (8h) bitmask-vpn#784 and bitmask-vpn#778 (closed)
• scope work for update system (windows and mac os) (12h) bitmask-vpn#895

PACKAGING

• [CI] build packages for debian and ubuntu in different docker images and in separate jobs (6h) bitmask-vpn#858 (closed)
• Sign and upload new version to ppa (0.24.8) (2h) bitmask-vpn#903 (closed)
• Sign and upload new version to ppa (0.24.9) (2h)

---

• documenting the macOS and windows signing steps (2h) bitmask-vpn#896 (closed)
• Release checklist/doc (tagging conventions, etc.) (4h) bitmask-vpn#789 (will work on this in the next milestone)

INFRASTRUCTURE IMPROVEMENTS

• Update sshd everywhere CVE-2024-6387 https://0xacab.org/leap/infrastructure/-/issues/26
• CVE-2023-45288 check https://0xacab.org/leap/infrastructure/-/issues/24
• Update Twitter info https://0xacab.org/leap/infrastructure/-/issues/22

PUBLIC FACE IMPROVEMENTS

• Bitmask.net determination and strategy (2h)

TUNNEL-TELEMETRY IMPROVEMENTS

• Segfault in FetchIPFromSTUNCall tunnel-telemetry#1 (closed)
• Add support for custom STUN servers, also custom CountryCodeLookupServer tunnel-telemetry#3 (closed)