From: Jeremie Courreges-Anglas <jca@wxcvbn.org>
Subject: Re: openvpn: do not force --daemon as first argument
To: Klemens Nanni <kn@openbsd.org>
Cc: Stuart Henderson <stu@spacehopper.org>, ports <ports@openbsd.org>
Date: Sat, 6 Dec 2025 16:50:16 +0100

On Sat, Dec 06, 2025 at 11:48:26AM +0000, Klemens Nanni wrote:
> 06.12.2025 14:37, Stuart Henderson writes:
> > then if someone doesn't set --daemon themselves (either on the command line or in config) the script won't work properly.

Which is a problem in itself that we're trying to avoid in other rc
scripts.

> not sure I see the problem with specifying --config?

I didn't think that people could expect

  openvpn_flags=/etc/openvpn/server.conf

to work, which wouldn't work because of the interaction with --daemon.
I can see how that would confuse people, but it can be documented.

> Hence the sentence about MESSAGE or current.html.
>
> Although this is more about --daemon not being usable inside a config file
> due to our rc.d script's assumption about it not taking arguments.

This I did envision, and it was more of a compromise than an
assumption.  But I've been lazy and didn't document the trick to set
the name in syslog messages.

> > upstream supports multiple sockets in server mode now, btw.
> 
> Oh?  I'll take another look, thanks.

That'll be only for openvpn-2.7.

> I don't think it's super critical, but I'd still like to rectify this;
> we have relatively few scripts forcing flags in `daemon' and for openvpn
> this is not strictly necessary.

The reason we force some flags in $daemon in other scripts is
precisely to get these programs to daemonize by default, whatever the
user specifies in the flags.

See below,

[...]
> >> Existing setups need adjusting, but I'm not sure whether MESSAGE or
> >> current.html is the best way to signal that.

Your use case isn't niche, but as you noted it can already be achieved
with the current script.  Dropping --daemon would be the wrong move
anyway, both in itself and because it would break currently working
setups.

So what about just documenting the --config and --daemon quirks?
I tried to make it reasonably concise but it can probably be improved.


Index: Makefile
===================================================================
RCS file: /cvs/ports/net/openvpn/Makefile,v
diff -u -p -r1.138 Makefile
--- Makefile	29 Nov 2025 15:43:27 -0000	1.138
+++ Makefile	6 Dec 2025 14:31:48 -0000
@@ -1,6 +1,7 @@
 COMMENT=	easy-to-use, robust, and highly configurable VPN
 
 DISTNAME=	openvpn-2.6.17
+REVISION=	0
 
 CATEGORIES=	net security
 
Index: pkg/README
===================================================================
RCS file: /cvs/ports/net/openvpn/pkg/README,v
diff -u -p -r1.9 README
--- pkg/README	22 Feb 2023 18:04:27 -0000	1.9
+++ pkg/README	6 Dec 2025 15:35:46 -0000
@@ -14,7 +14,17 @@ Using the openvpn rc script
 # rcctl enable openvpn
 # rcctl set openvpn flags '--config /etc/openvpn/server.conf'
 
+To avoid ambiguity in options handling, always explicitly
+specify --config before the path to your configuration file.
+
 To handle multiple openvpn instances see EXAMPLES in rcctl(8).
+
+The openvpn rc script always passes --daemon before the user-selectable
+flags.  This breaks the effets of 'daemon <custom-progname>' in
+configuration files.  To work around this, you can pass an optional
+<custom-progname> at the start of the user-selectable flags:
+
+# rcctl set openvpn flags 'openvpn-custom --config /etc/openvpn/custom.conf'
 
 Using an /etc/hostname.* file without persist-tun
 -------------------------------------------------
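Review bot: typo in the new README paragraph, "This breaks the effets of 'daemon <custom-progname>'" should read "This breaks the effects of 'daemon <custom-progname>'". The paragraph would also be clearer if it stated why the workaround works: --daemon accepts an optional progname argument, so the first word of the user-selectable flags is consumed as that name. That same fact explains the earlier advice to always write --config before the path, since a bare path would be swallowed as the progname; tying the two paragraphs together with one sentence such as "Because --daemon takes an optional progname, the first flag word is taken as that name" would spare readers from working this out themselves.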
Index: pkg/openvpn.rc
===================================================================
RCS file: /cvs/ports/net/openvpn/pkg/openvpn.rc,v
diff -u -p -r1.2 openvpn.rc
--- pkg/openvpn.rc	10 Mar 2022 00:04:07 -0000	1.2
+++ pkg/openvpn.rc	6 Dec 2025 14:31:48 -0000
@@ -1,5 +1,7 @@
 #!/bin/ksh
 
+# XXX "--daemon" must kept at the end of $daemon
+# See pkg-readmes/openvpn
 daemon="${TRUEPREFIX}/sbin/openvpn --daemon"
 
 . /etc/rc.d/rc.subr
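Review bot: grammar in the new comment, '# XXX "--daemon" must kept at the end of $daemon' should read '# XXX "--daemon" must be kept at the end of $daemon'. Consider also stating the reason in the comment itself (its optional progname argument is what lets users prefix their flags with a custom name, as documented in pkg-readmes/openvpn), so that a future editor who reorders or drops --daemon knows which documented setups would break.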

-- 
jca
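The quirk discussed in this thread, shown as an added example that is not part of the thread, the openvpn port or openvpn itself: a small POSIX sh function that assembles the command line the way an rc script built on a fixed `daemon="... --daemon"` prefix plus user-selectable flags would, then applies a deliberately simplified model of openvpn's option parsing (an assumption, not openvpn's real parser) in which `--daemon` consumes a following non-option word as its optional progname. Running it over the three flag strings from the README (a bare path, `--config` plus path, and a custom progname in front) shows why the bare path silently becomes the syslog name instead of the configuration file.

```sh
#!/bin/sh
# Added example, not code from the openvpn port or from OpenBSD's rc.subr.
# classify_flags FLAGS: given the user-selectable openvpn_flags string, print
# "progname=<word> config=<path>" as a simplified option parser would see them.
classify_flags() {
    # Fixed prefix, as in the port's rc script: --daemon is the last word.
    daemon="/usr/local/sbin/openvpn --daemon"

    # Unquoted expansion reproduces shell word splitting of "$daemon $flags";
    # ASSUMPTION: this mirrors how the rc framework hands the words to the
    # binary, it is not a copy of rc.subr's own code.
    set -- $daemon $1
    shift                                   # drop the binary path itself

    progname=""
    config=""
    while [ $# -gt 0 ]; do
        case "$1" in
        --daemon)
            # ASSUMPTION (simplified model of openvpn's parser): --daemon takes
            # an optional progname, so a following word that does not start
            # with "--" is consumed as the syslog program name.
            if [ $# -gt 1 ] && [ "${2#--}" = "$2" ]; then
                progname=$2
                shift
            fi
            ;;
        --config)
            # --config takes a mandatory path argument.
            if [ $# -gt 1 ]; then
                config=$2
                shift
            fi
            ;;
        esac
        shift
    done
    printf 'progname=%s config=%s\n' "$progname" "$config"
}

# The three flag strings mentioned in the README / thread (constructed sample input).
classify_flags '--config /etc/openvpn/server.conf'                  # progname empty, config set
classify_flags '/etc/openvpn/server.conf'                           # path swallowed as progname
classify_flags 'openvpn-custom --config /etc/openvpn/custom.conf'   # documented workaround
```

The second call is the failure mode the thread describes: nothing errors out, the path just ends up as the progname and no configuration file is loaded, which is why the README insists on an explicit `--config` and why the rc script's comment pins `--daemon` to the end of `$daemon`.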