On Sat, Jan 17, 2026 at 05:53:21PM +0000, Klemens Nanni wrote:
> 06.12.2025 16:09, Klemens Nanni пишет:
> > 01.11.2025 14:21, Jeremie Courreges-Anglas пишет:
> >> On Sat, Nov 01, 2025 at 11:50:36AM +0100, Jeremie Courreges-Anglas wrote:
> >>>
> >>> If you depend on OpenVPN, better test this rc now. :)
> >>
> >> Requested by Landry:
> >> https://github.com/OpenVPN/openvpn/blob/v2.7_rc1/Changes.rst#new-features
> >>
> >> The automatic resolv.conf handling appears to work but doesn't know
> >> about resolvd.  I might tweak this at some point.
> >>
> >> The multiple sockets support should allow us to listen both on 0.0.0.0
> >> and :: using a single config and server instance.
> >>
> >> https://github.com/OpenVPN/openvpn/blob/v2.7_rc1/Changes.rst#user-visible-changes
> > 
> > Thanks for the hint, dual-socket works for me, simplifying my setup from
> > two rc.d instances, openvpn config-sharing glue and partially duplicated
> > pf.conf rules into one daemon with one file on one interface.
> > 
> >>
> >> Better check your server config!
> >>
> > 
> > Here's an rc3 diff plus a fix for crashes on bogus server-ipv6 arguments
> > that I've already sent upstream.
> 
> rc5 is out, fix got merged and our getaddrinfo handles NULL now,
> x509-alt-username got default-enabled, BSD tun code got an update
> and other small stuff;  works for me as server and client so far.

Here's the diff I have here, adding --disable-dns-updown-by-default,
as requested by landry@.

Thanks for the heads-up about the x509 username option, I'll drop it
when 2.7 actually is released (if said option really becomes the
default).


Index: Makefile
===================================================================
RCS file: /cvs/ports/net/openvpn/Makefile,v
diff -u -p -r1.139 Makefile
--- Makefile    7 Dec 2025 15:55:26 -0000       1.139
+++ Makefile    17 Jan 2026 18:43:53 -0000
@@ -1,7 +1,7 @@
 COMMENT=       easy-to-use, robust, and highly configurable VPN
 
-DISTNAME=      openvpn-2.6.17
-REVISION=      0
+DISTNAME=      openvpn-2.7_rc5
+PKGNAME=       openvpn-2.7rc5
 
 CATEGORIES=    net security
 
@@ -17,6 +17,10 @@ WANTLIB += c lz4 lzo2
 SITES=         https://swupdate.openvpn.org/community/releases/ \
                https://build.openvpn.net/downloads/releases/
 
+# Uses C11
+COMPILER=      base-clang ports-gcc
+COMPILER_LANGS=        c
+
 BUILD_DEPENDS= textproc/py-docutils
 LIB_DEPENDS=   archivers/lzo2 \
                archivers/lz4
@@ -25,8 +29,10 @@ TEST_DEPENDS=        devel/cmocka
 CONFIGURE_STYLE= gnu
 
 CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \
-               LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}"
-CONFIGURE_ARGS+=--with-openssl-engine=no
+               LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}" \
+               SOFTHSM2_UTIL=no
+CONFIGURE_ARGS+=--disable-dns-updown-by-default \
+               --with-openssl-engine=no
 
 DEBUG_PACKAGES=        ${BUILD_PACKAGES}
 
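Review bot: `SOFTHSM2_UTIL=no` and `--disable-dns-updown-by-default` are added in this hunk without a comment, unlike the `# Uses C11` and `# XXX drop when it becomes the default` notes elsewhere in this Makefile. The second flag matters to client users: the script is still packaged (pkg/PLIST gains `libexec/openvpn/dns-updown`), but going by the flag name it is not run unless the configuration opts in, so server-pushed DNS settings are presumably not applied by default and resolver traffic may stay outside the tunnel. I would add `# dns-updown does not know about resolvd(8); users must opt in` above the CONFIGURE_ARGS line and `# do not pick up softhsm2-util from the build host` next to SOFTHSM2_UTIL, assuming those are the actual reasons.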
@@ -41,8 +47,11 @@ WANTLIB += mbedcrypto mbedtls mbedx509 p
 # ensure 'pkcs11-providers .../p11-kit-proxy.so' as default
 BUILD_DEPENDS+=        security/p11-kit
 LIB_DEPENDS+=  security/pkcs11-helper
-CONFIGURE_ARGS+= --enable-pkcs11 \
-               --enable-x509-alt-username
+CONFIGURE_ARGS+= --enable-pkcs11
+
+# XXX drop when it becomes the default
+CONFIGURE_ARGS+= --enable-x509-alt-username
+
 WANTLIB += crypto pkcs11-helper ssl
 .endif
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/openvpn/distinfo,v
diff -u -p -r1.70 distinfo
--- distinfo    29 Nov 2025 15:43:27 -0000      1.70
+++ distinfo    16 Jan 2026 18:00:15 -0000
@@ -1,2 +1,2 @@
-SHA256 (openvpn-2.6.17.tar.gz) = TMjmP3ENMAFJOxPYoyzyKiFNXk9x3TfZODHi/TIIs3A=
-SIZE (openvpn-2.6.17.tar.gz) = 1934219
+SHA256 (openvpn-2.7_rc5.tar.gz) = 6Rp2ol+zMbW389215rni8tVpWm/2e5EaH+b90MW0CtI=
+SIZE (openvpn-2.7_rc5.tar.gz) = 2088032
Index: patches/patch-configure
===================================================================
RCS file: patches/patch-configure
diff -N patches/patch-configure
--- patches/patch-configure     18 Nov 2025 12:30:36 -0000      1.40
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: configure
---- configure.orig
-+++ configure
-@@ -20929,7 +20929,7 @@ else
- fi
- 
- 
--sampledir="\$(docdir)/sample"
-+sampledir="\$(docdir)"
- 
- 
- 
Index: patches/patch-include_Makefile_in
===================================================================
RCS file: patches/patch-include_Makefile_in
diff -N patches/patch-include_Makefile_in
--- patches/patch-include_Makefile_in   18 Nov 2025 12:30:36 -0000      1.24
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: include/Makefile.in
---- include/Makefile.in.orig
-+++ include/Makefile.in
-@@ -352,7 +352,7 @@ host_cpu = @host_cpu@
- host_os = @host_os@
- host_vendor = @host_vendor@
- htmldir = @htmldir@
--includedir = @includedir@
-+includedir = @includedir@/openvpn
- infodir = @infodir@
- install_sh = @install_sh@
- libdir = @libdir@
Index: patches/patch-sample_sample-config-files_client_conf
===================================================================
RCS file: 
/cvs/ports/net/openvpn/patches/patch-sample_sample-config-files_client_conf,v
diff -u -p -r1.3 patch-sample_sample-config-files_client_conf
--- patches/patch-sample_sample-config-files_client_conf        29 Jan 2023 
12:06:09 -0000      1.3
+++ patches/patch-sample_sample-config-files_client_conf        16 Jan 2026 
17:57:17 -0000
@@ -11,4 +11,4 @@ Index: sample/sample-config-files/client
 +group _openvpn
  
  # Try to preserve some state across restarts.
- persist-key
+ persist-tun
Index: patches/patch-sample_sample-config-files_server_conf
===================================================================
RCS file: 
/cvs/ports/net/openvpn/patches/patch-sample_sample-config-files_server_conf,v
diff -u -p -r1.8 patch-sample_sample-config-files_server_conf
--- patches/patch-sample_sample-config-files_server_conf        24 Sep 2025 
17:00:29 -0000      1.8
+++ patches/patch-sample_sample-config-files_server_conf        16 Jan 2026 
17:57:17 -0000
@@ -10,5 +10,5 @@ Index: sample/sample-config-files/server
 +user _openvpn
 +group _openvpn
  
- # The persist options will try to avoid
+ # The persist option will try to avoid
  # accessing certain resources on restart
Index: patches/patch-src_openvpn_route_c
===================================================================
RCS file: /cvs/ports/net/openvpn/patches/patch-src_openvpn_route_c,v
diff -u -p -r1.22 patch-src_openvpn_route_c
--- patches/patch-src_openvpn_route_c   16 Jan 2025 22:40:32 -0000      1.22
+++ patches/patch-src_openvpn_route_c   16 Jan 2026 17:57:17 -0000
@@ -3,7 +3,7 @@
 Index: src/openvpn/route.c
 --- src/openvpn/route.c.orig
 +++ src/openvpn/route.c
-@@ -1548,7 +1548,7 @@ local_route(in_addr_t network,
+@@ -1468,7 +1468,7 @@ local_route(in_addr_t network, in_addr_t netmask, in_a
  
  /* Return true if the "on-link" form of the route should be used.  This is 
when the gateway for
   * a route is specified as an interface rather than an address. */
@@ -12,15 +12,12 @@ Index: src/openvpn/route.c
  static inline bool
  is_on_link(const int is_local_route, const unsigned int flags, const struct 
route_gateway_info *rgi)
  {
-@@ -1820,12 +1820,17 @@ add_route(struct route_ipv4 *r,
+@@ -1713,9 +1713,15 @@ add_route(struct route_ipv4 *r, const struct tuntap *t
      }
  #endif
  
--    argv_printf_cat(&argv, "-net %s %s -netmask %s",
-+    argv_printf_cat (&argv, "-net %s -netmask %s",
-                     network,
--                    gateway,
-                     netmask);
+-    argv_printf_cat(&argv, "-net %s %s -netmask %s", network, gateway, 
netmask);
++    argv_printf_cat (&argv, "-net %s -netmask %s", network, netmask);
  
 -    /* FIXME -- add on-link support for OpenBSD/NetBSD */
 +    /* FIXME -- add on-link support for NetBSD */
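Review bot: The refreshed local line `argv_printf_cat (&argv, "-net %s -netmask %s", network, netmask);` keeps a space before the parenthesis, while the upstream line it replaces is now written `argv_printf_cat(&argv, ...)`. The same spelling appears in the next hunk's `argv_printf_cat (&argv, "%s", gateway);`. Matching the upstream formatting in both places would keep the local patch down to the real change, which makes future refreshes and any attempt to upstream the on-link handling easier to review. The body of add_route continues outside this hunk, so the rest of the OpenBSD branch is not visible here.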
@@ -32,4 +29,4 @@ Index: src/openvpn/route.c
 +        argv_printf_cat (&argv, "%s", gateway);
  
      argv_msg(D_ROUTE, &argv);
-     bool ret = openvpn_execve_check(&argv, es, 0,
+     bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD 
route add command failed");
Index: patches/patch-src_openvpn_tun_c
===================================================================
RCS file: /cvs/ports/net/openvpn/patches/patch-src_openvpn_tun_c,v
diff -u -p -r1.27 patch-src_openvpn_tun_c
--- patches/patch-src_openvpn_tun_c     24 Sep 2025 17:00:29 -0000      1.27
+++ patches/patch-src_openvpn_tun_c     16 Jan 2026 17:57:17 -0000
@@ -3,33 +3,31 @@
 Index: src/openvpn/tun.c
 --- src/openvpn/tun.c.orig
 +++ src/openvpn/tun.c
-@@ -1446,21 +1446,26 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname
-     if (tun)
+@@ -1353,19 +1353,24 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname
+     /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 
255.255.255.255 up */
+     if (tun_p2p)
      {
-         argv_printf(&argv,
--                    "%s %s %s %s mtu %d netmask 255.255.255.255 up -link0",
-+                    "%s %s %s %s mtu %d netmask 255.255.255.255 up",
-                     IFCONFIG_PATH, ifname, ifconfig_local,
-                     ifconfig_remote_netmask, tun_mtu);
+-        argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up 
-link0", IFCONFIG_PATH,
++        argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", 
IFCONFIG_PATH,
+                     ifname, ifconfig_local, ifconfig_remote_netmask, tun_mtu);
      }
-     else if (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
+     else if (tt->type == DEV_TYPE_TUN)
      {
-         remote_end = create_arbitrary_remote( tt );
--        argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up -link0",
-+        argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up",
-                     IFCONFIG_PATH, ifname, ifconfig_local,
-                     print_in_addr_t(remote_end, 0, &gc), tun_mtu,
+         remote_end = create_arbitrary_remote(tt);
+-        argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up -link0", 
IFCONFIG_PATH, ifname,
++        argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up", IFCONFIG_PATH, 
ifname,
+                     ifconfig_local, print_in_addr_t(remote_end, 0, &gc), 
tun_mtu,
                      ifconfig_remote_netmask);
      }
-     else
+     else /* tap */
      {
--        argv_printf(&argv, "%s %s %s netmask %s mtu %d link0",
+-        argv_printf(&argv, "%s %s %s netmask %s mtu %d link0", IFCONFIG_PATH, 
ifname,
 +        /*
 +         * OpenBSD has distinct tun and tap devices
 +         * so we don't need the "link0" extra parameter to specify we want to 
do
 +         * tunneling at the ethernet level
 +         */
-+        argv_printf(&argv, "%s %s %s netmask %s mtu %d",
-                     IFCONFIG_PATH, ifname, ifconfig_local,
-                     ifconfig_remote_netmask, tun_mtu);
++        argv_printf(&argv, "%s %s %s netmask %s mtu %d", IFCONFIG_PATH, 
ifname,
+                     ifconfig_local, ifconfig_remote_netmask, tun_mtu);
      }
+     argv_msg(M_INFO, &argv);
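Review bot: The only explanation for dropping the link flag is the comment inside the `else /* tap */` branch, yet the patch also removes `-link0` from both tun branches above it without any comment. A reader of the two tun branches has to infer that the same reasoning applies. I would move the explanation above the `if (tun_p2p)` chain as a single comment, for example `/* OpenBSD has separate tun(4) and tap(4) devices, so no link0 flag is passed to ifconfig */`, and drop the per-branch copy. do_ifconfig_ipv4 starts and ends outside this hunk, so the enclosing platform conditional is not visible here.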
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/openvpn/pkg/PLIST,v
diff -u -p -r1.34 PLIST
--- pkg/PLIST   24 Sep 2025 17:00:29 -0000      1.34
+++ pkg/PLIST   16 Jan 2026 17:57:17 -0000
@@ -1,14 +1,15 @@
 @newgroup _openvpn:577
 @newuser _openvpn:577:_openvpn::OpenVPN Daemon:/nonexistent:/sbin/nologin
 @rcscript ${RCDIR}/openvpn
-include/openvpn/
-include/openvpn/openvpn-msg.h
-include/openvpn/openvpn-plugin.h
+include/openvpn-msg.h
+include/openvpn-plugin.h
 lib/openvpn/
 lib/openvpn/plugins/
 lib/openvpn/plugins/openvpn-plugin-down-root.a
 lib/openvpn/plugins/openvpn-plugin-down-root.la
 @so lib/openvpn/plugins/openvpn-plugin-down-root.so
+libexec/openvpn/
+libexec/openvpn/dns-updown
 @man man/man5/openvpn-examples.5
 @man man/man8/openvpn.8
 @bin sbin/openvpn
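Review bot: The headers move from `include/openvpn/openvpn-plugin.h` and `include/openvpn/openvpn-msg.h` to the top level of `include/`, which follows from deleting patches/patch-include_Makefile_in in this diff. Anything that builds plugins against the old path will stop finding them, and the diff shows no change to consumers. If other ports in the tree include these headers, they would need a matching update in the same commit. If the move is intentional, a short note in the commit message would help. Otherwise keeping the include-dir patch preserves the old install location.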
@@ -44,6 +45,7 @@ share/examples/openvpn/sample-keys/clien
 share/examples/openvpn/sample-keys/client.crt
 share/examples/openvpn/sample-keys/client.key
 share/examples/openvpn/sample-keys/client.p12
+share/examples/openvpn/sample-keys/ffdhe2048.pem
 share/examples/openvpn/sample-keys/gen-sample-keys.sh
 share/examples/openvpn/sample-keys/openssl.cnf
 share/examples/openvpn/sample-keys/server-ec.crt

-- 
jca
