From: Klemens Nanni Subject: Re: [pretest] openvpn-2.7_rc1 To: ports@openbsd.org Date: Sat, 06 Dec 2025 13:09:54 +0000 01.11.2025 14:21, Jeremie Courreges-Anglas пишет: > On Sat, Nov 01, 2025 at 11:50:36AM +0100, Jeremie Courreges-Anglas wrote: >> >> If you depend on OpenVPN, better test this rc now. :) > > Requested by Landry: > https://github.com/OpenVPN/openvpn/blob/v2.7_rc1/Changes.rst#new-features > > The automatic resolv.conf handling appears to work but doesn't know > about resolvd. I might tweak this at some point. > > The multiple sockets support should allow us to listen both on 0.0.0.0 > and :: using a single config and server instance. > > https://github.com/OpenVPN/openvpn/blob/v2.7_rc1/Changes.rst#user-visible-changes Thanks for the hint, dual-socket works for me, simplifying my setup from two rc.d instances, openvpn config-sharing glue and partially duplicated pf.conf rules into one daemon with one file on one interface. > > Better check your server config! > Here's an rc3 diff plus a fix for crashes on bogus server-ipv6 arguments that I've already sent upstream. diff --git net/openvpn/Makefile net/openvpn/Makefile index e22f74ce0f8..5cca175fc9b 100644 --- net/openvpn/Makefile +++ net/openvpn/Makefile @@ -1,6 +1,7 @@ COMMENT= easy-to-use, robust, and highly configurable VPN -DISTNAME= openvpn-2.6.17 +DISTNAME= openvpn-2.7_rc3 +PKGNAME= openvpn-2.7rc3 CATEGORIES= net security @@ -16,6 +17,10 @@ WANTLIB += c lz4 lzo2 SITES= https://swupdate.openvpn.org/community/releases/ \ https://build.openvpn.net/downloads/releases/ +# Uses C11 +COMPILER= base-clang ports-gcc +COMPILER_LANGS= c + BUILD_DEPENDS= textproc/py-docutils LIB_DEPENDS= archivers/lzo2 \ archivers/lz4 @@ -24,7 +29,8 @@ TEST_DEPENDS= devel/cmocka CONFIGURE_STYLE= gnu CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \ - LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}" + LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}" \ + SOFTHSM2_UTIL=no CONFIGURE_ARGS+=--with-openssl-engine=no DEBUG_PACKAGES= ${BUILD_PACKAGES} 
diff --git net/openvpn/distinfo net/openvpn/distinfo index d47b5bd6c09..579de8eb854 100644 --- net/openvpn/distinfo +++ net/openvpn/distinfo @@ -1,2 +1,2 @@ -SHA256 (openvpn-2.6.17.tar.gz) = TMjmP3ENMAFJOxPYoyzyKiFNXk9x3TfZODHi/TIIs3A= -SIZE (openvpn-2.6.17.tar.gz) = 1934219 +SHA256 (openvpn-2.7_rc3.tar.gz) = PH9e8mtJ7JUGM4UQ2jcg1GtAoYKDpJPFIjUBeh3stTE= +SIZE (openvpn-2.7_rc3.tar.gz) = 2078992 diff --git net/openvpn/patches/patch-configure net/openvpn/patches/patch-configure index d8689841fbd..bd27515bd9f 100644 --- net/openvpn/patches/patch-configure +++ net/openvpn/patches/patch-configure @@ -1,7 +1,7 @@ Index: configure --- configure.orig +++ configure -@@ -20929,7 +20929,7 @@ else +@@ -21415,7 +21415,7 @@ else fi diff --git net/openvpn/patches/patch-include_Makefile_in net/openvpn/patches/patch-include_Makefile_in index 3a62a108b6a..005f274d34f 100644 --- net/openvpn/patches/patch-include_Makefile_in +++ net/openvpn/patches/patch-include_Makefile_in @@ -1,7 +1,7 @@ Index: include/Makefile.in --- include/Makefile.in.orig +++ include/Makefile.in -@@ -352,7 +352,7 @@ host_cpu = @host_cpu@ +@@ -361,7 +361,7 @@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ diff --git net/openvpn/patches/patch-sample_sample-config-files_client_conf net/openvpn/patches/patch-sample_sample-config-files_client_conf index 2c01ae1c9e3..c5db6092ffa 100644 --- net/openvpn/patches/patch-sample_sample-config-files_client_conf +++ net/openvpn/patches/patch-sample_sample-config-files_client_conf @@ -11,4 +11,4 @@ Index: sample/sample-config-files/client.conf +group _openvpn # Try to preserve some state across restarts. - persist-key + persist-tun 
diff --git net/openvpn/patches/patch-sample_sample-config-files_server_conf net/openvpn/patches/patch-sample_sample-config-files_server_conf index e3063898c82..6036b9495a4 100644 --- net/openvpn/patches/patch-sample_sample-config-files_server_conf +++ net/openvpn/patches/patch-sample_sample-config-files_server_conf @@ -10,5 +10,5 @@ Index: sample/sample-config-files/server.conf +user _openvpn +group _openvpn - # The persist options will try to avoid + # The persist option will try to avoid # accessing certain resources on restart diff --git net/openvpn/patches/patch-src_openvpn_route_c net/openvpn/patches/patch-src_openvpn_route_c index 65e1334084c..08b03e55f20 100644 --- net/openvpn/patches/patch-src_openvpn_route_c +++ net/openvpn/patches/patch-src_openvpn_route_c @@ -3,7 +3,7 @@ Index: src/openvpn/route.c --- src/openvpn/route.c.orig +++ src/openvpn/route.c -@@ -1548,7 +1548,7 @@ local_route(in_addr_t network, +@@ -1466,7 +1466,7 @@ local_route(in_addr_t network, in_addr_t netmask, in_a /* Return true if the "on-link" form of the route should be used. This is when the gateway for * a route is specified as an interface rather than an address. */ @@ -12,15 +12,12 @@ Index: src/openvpn/route.c static inline bool is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi) { -@@ -1820,12 +1820,17 @@ add_route(struct route_ipv4 *r, +@@ -1711,9 +1711,15 @@ add_route(struct route_ipv4 *r, const struct tuntap *t } #endif -- argv_printf_cat(&argv, "-net %s %s -netmask %s", -+ argv_printf_cat (&argv, "-net %s -netmask %s", - network, -- gateway, - netmask); +- argv_printf_cat(&argv, "-net %s %s -netmask %s", network, gateway, netmask); ++ argv_printf_cat (&argv, "-net %s -netmask %s", network, netmask); - /* FIXME -- add on-link support for OpenBSD/NetBSD */ + /* FIXME -- add on-link support for NetBSD */ 
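Review bot: The rewritten line `argv_printf_cat (&argv, "-net %s -netmask %s", network, netmask);` keeps a space before the opening parenthesis, while the upstream line it replaces (visible as the removed `argv_printf_cat(&argv, "-net %s %s -netmask %s", network, gateway, netmask);`) uses none; the same spacing appears in `argv_printf_cat (&argv, "%s", gateway);` in the following hunk of this patch file. Dropping the space, `argv_printf_cat(&argv, "-net %s -netmask %s", network, netmask);`, keeps the local patch from standing out under upstream's formatter and makes the next rebase smaller. The behaviour of the patch itself, omitting the gateway here and appending it after the on-link handling, looks unchanged from the previous revision, and add_route's body continues outside the hunk.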
@@ -32,4 +29,4 @@ Index: src/openvpn/route.c + argv_printf_cat (&argv, "%s", gateway); argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed"); diff --git net/openvpn/patches/patch-src_openvpn_socket_c net/openvpn/patches/patch-src_openvpn_socket_c new file mode 100644 index 00000000000..a679edf59bf --- /dev/null +++ net/openvpn/patches/patch-src_openvpn_socket_c @@ -0,0 +1,17 @@ +pending https://github.com/OpenVPN/openvpn/pull/930 + +Index: src/openvpn/socket.c +--- src/openvpn/socket.c.orig ++++ src/openvpn/socket.c +@@ -189,7 +189,10 @@ get_addr_generic(sa_family_t af, unsigned int flags, c + *sep = '/'; + } + out: +- freeaddrinfo(ai); ++ if (ai) ++ { ++ freeaddrinfo(ai); ++ } + free(var_host); + + return ret; diff --git net/openvpn/patches/patch-src_openvpn_tun_c net/openvpn/patches/patch-src_openvpn_tun_c index 9c6cb8d8343..64c3aa3be52 100644 --- net/openvpn/patches/patch-src_openvpn_tun_c +++ net/openvpn/patches/patch-src_openvpn_tun_c 
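Review bot: The new guard around `freeaddrinfo(ai)` at `out:` only helps if `ai` is initialised to NULL before the first path that jumps to `out:`; the declaration of `ai` and the early-exit paths of get_addr_generic are outside this hunk, so confirm that `struct addrinfo *ai = NULL;` (or equivalent) is present, otherwise the guard tests an indeterminate pointer. Unlike `free(NULL)`, `freeaddrinfo(NULL)` is not guaranteed safe, which is presumably how the bogus server-ipv6 argument mentioned in the mail reaches a crash here, so the guard is the right shape for the fix. The braced single-statement form matches upstream's style and the `pending https://github.com/OpenVPN/openvpn/pull/930` header keeps the upstream reference, so nothing else is needed in this file.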
@@ -3,33 +3,31 @@ Index: src/openvpn/tun.c --- src/openvpn/tun.c.orig +++ src/openvpn/tun.c -@@ -1446,21 +1446,26 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname - if (tun) +@@ -1353,19 +1353,24 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname + /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */ + if (tun_p2p) { - argv_printf(&argv, -- "%s %s %s %s mtu %d netmask 255.255.255.255 up -link0", -+ "%s %s %s %s mtu %d netmask 255.255.255.255 up", - IFCONFIG_PATH, ifname, ifconfig_local, - ifconfig_remote_netmask, tun_mtu); +- argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up -link0", IFCONFIG_PATH, ++ argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", IFCONFIG_PATH, + ifname, ifconfig_local, ifconfig_remote_netmask, tun_mtu); } - else if (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET) + else if (tt->type == DEV_TYPE_TUN) { - remote_end = create_arbitrary_remote( tt ); -- argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up -link0", -+ argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up", - IFCONFIG_PATH, ifname, ifconfig_local, - print_in_addr_t(remote_end, 0, &gc), tun_mtu, + remote_end = create_arbitrary_remote(tt); +- argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up -link0", IFCONFIG_PATH, ifname, ++ argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up", IFCONFIG_PATH, ifname, + ifconfig_local, print_in_addr_t(remote_end, 0, &gc), tun_mtu, ifconfig_remote_netmask); } - else + else /* tap */ { -- argv_printf(&argv, "%s %s %s netmask %s mtu %d link0", +- argv_printf(&argv, "%s %s %s netmask %s mtu %d link0", IFCONFIG_PATH, ifname, + /* + * OpenBSD has distinct tun and tap devices + * so we don't need the "link0" extra parameter to specify we want to do + * tunneling at the ethernet level + */ -+ argv_printf(&argv, "%s %s %s netmask %s mtu %d", - IFCONFIG_PATH, ifname, ifconfig_local, - ifconfig_remote_netmask, tun_mtu); ++ argv_printf(&argv, "%s %s %s netmask %s mtu %d", 
IFCONFIG_PATH, ifname, + ifconfig_local, ifconfig_remote_netmask, tun_mtu); } + argv_msg(M_INFO, &argv); diff --git net/openvpn/pkg/PLIST net/openvpn/pkg/PLIST index 928c4de1392..308a686adca 100644 --- net/openvpn/pkg/PLIST +++ net/openvpn/pkg/PLIST @@ -9,6 +9,8 @@ lib/openvpn/plugins/ lib/openvpn/plugins/openvpn-plugin-down-root.a lib/openvpn/plugins/openvpn-plugin-down-root.la @so lib/openvpn/plugins/openvpn-plugin-down-root.so +libexec/openvpn/ +libexec/openvpn/dns-updown @man man/man5/openvpn-examples.5 @man man/man8/openvpn.8 @bin sbin/openvpn @@ -44,6 +46,7 @@ share/examples/openvpn/sample-keys/client-pass.key share/examples/openvpn/sample-keys/client.crt share/examples/openvpn/sample-keys/client.key share/examples/openvpn/sample-keys/client.p12 +share/examples/openvpn/sample-keys/ffdhe2048.pem share/examples/openvpn/sample-keys/gen-sample-keys.sh share/examples/openvpn/sample-keys/openssl.cnf share/examples/openvpn/sample-keys/server-ec.crt
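Review bot: `libexec/openvpn/dns-updown` is now packaged, and the quoted reply earlier in the thread says the automatic resolv.conf handling does not know about resolvd; if that script is what implements the handling (inferred from its name, not verified here), a line in pkg/README or a MESSAGE saying that it edits resolv.conf independently of resolvd would spare users a surprise on a default OpenBSD install where resolvd also manages that file. The `ffdhe2048.pem` addition under sample-keys looks fine as a shipped example.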