On Wed, Feb 11, 2026 at 11:43:30PM +0000, Klemens Nanni wrote:
> https://github.com/OpenVPN/openvpn/releases/tag/v2.7.0
>
> Servers keep working fine, just like they did with the RC diffs I tested.
>
> I'm happy to see the multi-socket support land, which is great for dual-stack.
>
> On OpenBSD clients I noticed it now messes with resolv.conf, i.e. duplicate
> lines show up. Easiest way seems to disable the hook by default (until
> someone makes it use route(8) nameserver, I guess).
>
> patches/ hunks are just churn.
>
> Feedback? OK?
sigh
I don't understand why you're sending this on release day with no
communication whatsoever when I, the maintainer of the port, have sent
diffs for rc releases, asking for test results - diffs with content
and rationale that you have obviously ignored. Looks like pointless
commit stealing, a behavior at least one other developer has already
complained about in the past. I find it difficult working with you
under those terms.
I'll go with my diff and update the port in my own terms. Please
spend your energy in another part of the tree and rethink the way
you're contributing to ports actively maintained.
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/openvpn/Makefile,v
> diff -u -p -r1.140 Makefile
> --- Makefile 11 Feb 2026 17:57:54 -0000 1.140
> +++ Makefile 11 Feb 2026 23:29:17 -0000
> @@ -1,6 +1,6 @@
> COMMENT= easy-to-use, robust, and highly configurable VPN
>
> -DISTNAME= openvpn-2.6.19
> +DISTNAME= openvpn-2.7.0
>
> CATEGORIES= net security
>
> @@ -25,7 +25,8 @@ CONFIGURE_STYLE= gnu
>
> CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \
> LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}"
> -CONFIGURE_ARGS+=--with-openssl-engine=no
> +CONFIGURE_ARGS= --disable-dns-updown-by-default \
> + --with-openssl-engine=no
>
> DEBUG_PACKAGES= ${BUILD_PACKAGES}
>
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/net/openvpn/distinfo,v
> diff -u -p -r1.71 distinfo
> --- distinfo 11 Feb 2026 17:57:54 -0000 1.71
> +++ distinfo 11 Feb 2026 23:29:17 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (openvpn-2.6.19.tar.gz) = E3AlJvaHwYslQMGj8uGJGHuqplIR7c9/9ncvpp8FNs8=
> -SIZE (openvpn-2.6.19.tar.gz) = 1926557
> +SHA256 (openvpn-2.7.0.tar.gz) = Lw4Q6ycr5h6Psl/hz6IIdf8wrIV+8UGAAMAikL1t+kU=
> +SIZE (openvpn-2.7.0.tar.gz) = 2083303
> Index: patches/patch-configure
> ===================================================================
> RCS file: /cvs/ports/net/openvpn/patches/patch-configure,v
> diff -u -p -r1.41 patch-configure
> --- patches/patch-configure 11 Feb 2026 17:57:54 -0000 1.41
> +++ patches/patch-configure 11 Feb 2026 23:29:17 -0000
> @@ -1,7 +1,7 @@
> Index: configure
> --- configure.orig
> +++ configure
> -@@ -19784,7 +19784,7 @@ else
> +@@ -19946,7 +19946,7 @@ else
> fi
>
>
> Index: patches/patch-include_Makefile_in
> ===================================================================
> RCS file: /cvs/ports/net/openvpn/patches/patch-include_Makefile_in,v
> diff -u -p -r1.25 patch-include_Makefile_in
> --- patches/patch-include_Makefile_in 11 Feb 2026 17:57:54 -0000 1.25
> +++ patches/patch-include_Makefile_in 11 Feb 2026 23:29:17 -0000
> @@ -1,7 +1,7 @@
> Index: include/Makefile.in
> --- include/Makefile.in.orig
> +++ include/Makefile.in
> -@@ -349,7 +349,7 @@ host_cpu = @host_cpu@
> +@@ -359,7 +359,7 @@ host_cpu = @host_cpu@
> host_os = @host_os@
> host_vendor = @host_vendor@
> htmldir = @htmldir@
> Index: patches/patch-sample_sample-config-files_client_conf
> ===================================================================
> RCS file:
> /cvs/ports/net/openvpn/patches/patch-sample_sample-config-files_client_conf,v
> diff -u -p -r1.3 patch-sample_sample-config-files_client_conf
> --- patches/patch-sample_sample-config-files_client_conf 29 Jan 2023
> 12:06:09 -0000 1.3
> +++ patches/patch-sample_sample-config-files_client_conf 11 Feb 2026
> 23:29:17 -0000
> @@ -11,4 +11,4 @@ Index: sample/sample-config-files/client
> +group _openvpn
>
> # Try to preserve some state across restarts.
> - persist-key
> + persist-tun
> Index: patches/patch-sample_sample-config-files_server_conf
> ===================================================================
> RCS file:
> /cvs/ports/net/openvpn/patches/patch-sample_sample-config-files_server_conf,v
> diff -u -p -r1.8 patch-sample_sample-config-files_server_conf
> --- patches/patch-sample_sample-config-files_server_conf 24 Sep 2025
> 17:00:29 -0000 1.8
> +++ patches/patch-sample_sample-config-files_server_conf 11 Feb 2026
> 23:29:17 -0000
> @@ -10,5 +10,5 @@ Index: sample/sample-config-files/server
> +user _openvpn
> +group _openvpn
>
> - # The persist options will try to avoid
> + # The persist option will try to avoid
> # accessing certain resources on restart
> Index: patches/patch-src_openvpn_route_c
> ===================================================================
> RCS file: /cvs/ports/net/openvpn/patches/patch-src_openvpn_route_c,v
> diff -u -p -r1.22 patch-src_openvpn_route_c
> --- patches/patch-src_openvpn_route_c 16 Jan 2025 22:40:32 -0000 1.22
> +++ patches/patch-src_openvpn_route_c 11 Feb 2026 23:29:17 -0000
> @@ -3,7 +3,7 @@
> Index: src/openvpn/route.c
> --- src/openvpn/route.c.orig
> +++ src/openvpn/route.c
> -@@ -1548,7 +1548,7 @@ local_route(in_addr_t network,
> +@@ -1468,7 +1468,7 @@ local_route(in_addr_t network, in_addr_t netmask, in_a
>
> /* Return true if the "on-link" form of the route should be used. This is
> when the gateway for
> * a route is specified as an interface rather than an address. */
> @@ -12,24 +12,21 @@ Index: src/openvpn/route.c
> static inline bool
> is_on_link(const int is_local_route, const unsigned int flags, const struct
> route_gateway_info *rgi)
> {
> -@@ -1820,12 +1820,17 @@ add_route(struct route_ipv4 *r,
> +@@ -1713,9 +1713,15 @@ add_route(struct route_ipv4 *r, const struct tuntap *t
> }
> #endif
>
> -- argv_printf_cat(&argv, "-net %s %s -netmask %s",
> -+ argv_printf_cat (&argv, "-net %s -netmask %s",
> - network,
> -- gateway,
> - netmask);
> +- argv_printf_cat(&argv, "-net %s %s -netmask %s", network, gateway,
> netmask);
> ++ argv_printf_cat(&argv, "-net %s -netmask %s", network, netmask);
>
> - /* FIXME -- add on-link support for OpenBSD/NetBSD */
> + /* FIXME -- add on-link support for NetBSD */
> -+#ifdef TARGET_OPENBSD
> -+ if (is_on_link (is_local_route, flags, rgi))
> -+ argv_printf_cat (&argv, "-link -iface %s", rgi->iface);
> ++#if defined(TARGET_OPENBSD)
> ++ if (is_on_link(is_local_route, flags, rgi))
> ++ argv_printf_cat(&argv, "-link -iface %s", rgi->iface);
> + else
> +#endif
> -+ argv_printf_cat (&argv, "%s", gateway);
> ++ argv_printf_cat(&argv, "%s", gateway);
>
> argv_msg(D_ROUTE, &argv);
> - bool ret = openvpn_execve_check(&argv, es, 0,
> + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD
> route add command failed");
> Index: patches/patch-src_openvpn_tun_c
> ===================================================================
> RCS file: /cvs/ports/net/openvpn/patches/patch-src_openvpn_tun_c,v
> diff -u -p -r1.27 patch-src_openvpn_tun_c
> --- patches/patch-src_openvpn_tun_c 24 Sep 2025 17:00:29 -0000 1.27
> +++ patches/patch-src_openvpn_tun_c 11 Feb 2026 23:29:17 -0000
> @@ -3,33 +3,31 @@
> Index: src/openvpn/tun.c
> --- src/openvpn/tun.c.orig
> +++ src/openvpn/tun.c
> -@@ -1446,21 +1446,26 @@ do_ifconfig_ipv4(struct tuntap *tt, const char
> *ifname
> - if (tun)
> +@@ -1353,19 +1353,24 @@ do_ifconfig_ipv4(struct tuntap *tt, const char
> *ifname
> + /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask
> 255.255.255.255 up */
> + if (tun_p2p)
> {
> - argv_printf(&argv,
> -- "%s %s %s %s mtu %d netmask 255.255.255.255 up -link0",
> -+ "%s %s %s %s mtu %d netmask 255.255.255.255 up",
> - IFCONFIG_PATH, ifname, ifconfig_local,
> - ifconfig_remote_netmask, tun_mtu);
> +- argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up
> -link0", IFCONFIG_PATH,
> ++ argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up",
> IFCONFIG_PATH,
> + ifname, ifconfig_local, ifconfig_remote_netmask,
> tun_mtu);
> }
> - else if (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
> + else if (tt->type == DEV_TYPE_TUN)
> {
> - remote_end = create_arbitrary_remote( tt );
> -- argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up -link0",
> -+ argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up",
> - IFCONFIG_PATH, ifname, ifconfig_local,
> - print_in_addr_t(remote_end, 0, &gc), tun_mtu,
> + remote_end = create_arbitrary_remote(tt);
> +- argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up -link0",
> IFCONFIG_PATH, ifname,
> ++ argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up",
> IFCONFIG_PATH, ifname,
> + ifconfig_local, print_in_addr_t(remote_end, 0, &gc),
> tun_mtu,
> ifconfig_remote_netmask);
> }
> - else
> + else /* tap */
> {
> -- argv_printf(&argv, "%s %s %s netmask %s mtu %d link0",
> +- argv_printf(&argv, "%s %s %s netmask %s mtu %d link0",
> IFCONFIG_PATH, ifname,
> + /*
> + * OpenBSD has distinct tun and tap devices
> + * so we don't need the "link0" extra parameter to specify we want
> to do
> + * tunneling at the ethernet level
> + */
> -+ argv_printf(&argv, "%s %s %s netmask %s mtu %d",
> - IFCONFIG_PATH, ifname, ifconfig_local,
> - ifconfig_remote_netmask, tun_mtu);
> ++ argv_printf(&argv, "%s %s %s netmask %s mtu %d", IFCONFIG_PATH,
> ifname,
> + ifconfig_local, ifconfig_remote_netmask, tun_mtu);
> }
> + argv_msg(M_INFO, &argv);
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/net/openvpn/pkg/PLIST,v
> diff -u -p -r1.34 PLIST
> --- pkg/PLIST 24 Sep 2025 17:00:29 -0000 1.34
> +++ pkg/PLIST 11 Feb 2026 23:29:17 -0000
> @@ -9,6 +9,8 @@ lib/openvpn/plugins/
> lib/openvpn/plugins/openvpn-plugin-down-root.a
> lib/openvpn/plugins/openvpn-plugin-down-root.la
> @so lib/openvpn/plugins/openvpn-plugin-down-root.so
> +libexec/openvpn/
> +libexec/openvpn/dns-updown
> @man man/man5/openvpn-examples.5
> @man man/man8/openvpn.8
> @bin sbin/openvpn
> @@ -44,6 +46,7 @@ share/examples/openvpn/sample-keys/clien
> share/examples/openvpn/sample-keys/client.crt
> share/examples/openvpn/sample-keys/client.key
> share/examples/openvpn/sample-keys/client.p12
> +share/examples/openvpn/sample-keys/ffdhe2048.pem
> share/examples/openvpn/sample-keys/gen-sample-keys.sh
> share/examples/openvpn/sample-keys/openssl.cnf
> share/examples/openvpn/sample-keys/server-ec.crt
>
--
jca
