From: Jeremie Courreges-Anglas
Subject: Re: openvpn: do not force --daemon as first argument
To: Klemens Nanni
Cc: Stuart Henderson, ports
Date: Sat, 6 Dec 2025 16:50:16 +0100

On Sat, Dec 06, 2025 at 11:48:26AM +0000, Klemens Nanni wrote:
> 06.12.2025 14:37, Stuart Henderson wrote:
> > then if someone doesn't set --daemon themselves (either on the command line or in config) the script won't work properly.

Which is a problem in itself that we're trying to avoid in other rc scripts.

> not sure I see the problem with specifying --config?

I didn't think that people could expect openvpn_flags=/etc/openvpn/server.conf to work, which wouldn't work because of the interaction with --daemon. I can see how that would confuse people, but it can be documented.

> Hence the sentence about MESSAGE or current.html.
> > Although this is more about --daemon not being usable inside a config file
> due to our rc.d script's assumption about it not taking arguments.

This I did envision, and it was more of a compromise than an assumption. But I've been lazy and didn't document the trick to set the name in syslog messages.

> > upstream supports multiple sockets in server mode now, btw.
> > Oh? I'll take another look, thanks.

That'll be only for openvpn-2.7.

> I don't think it's super critical, but I'd still like to rectify this;
> we have relatively few scripts forcing flags in `daemon' and for openvpn
> this is not strictly necessary.

The reason we force some flags in $daemon in other scripts is precisely to get these programs to daemonize by default, whatever the user specifies in the flags. See below,

[...]

> >> Existing setups need adjusting, but I'm not sure whether MESSAGE or
> >> current.html is the best way to signal that.

Your use case isn't niche, but as you noted it can already be achieved with the current script. Dropping --daemon would be the wrong move anyway, both in itself and because it would break currently working setups.

So what about just documenting the --config and --daemon quirks? I tried to make it reasonably concise but it can probably be improved. Index: Makefile =================================================================== RCS file: /cvs/ports/net/openvpn/Makefile,v diff -u -p -r1.138 Makefile --- Makefile 29 Nov 2025 15:43:27 -0000 1.138 +++ Makefile 6 Dec 2025 14:31:48 -0000 @@ -1,6 +1,7 @@ COMMENT= easy-to-use, robust, and highly configurable VPN DISTNAME= openvpn-2.6.17 +REVISION= 0 CATEGORIES= net security Index: pkg/README =================================================================== RCS file: /cvs/ports/net/openvpn/pkg/README,v diff -u -p -r1.9 README --- pkg/README 22 Feb 2023 18:04:27 -0000 1.9 +++ pkg/README 6 Dec 2025 15:35:46 -0000 @@ -14,7 +14,17 @@ Using the openvpn rc script # rcctl enable openvpn # rcctl set openvpn flags '--config /etc/openvpn/server.conf' +To avoid ambiguity in options handling, always explicitly +specify --config before the path to your configuration file. + To handle multiple openvpn instances see EXAMPLES in rcctl(8). + +The openvpn rc script always passes --daemon before the user-selectable +flags. This breaks the effets of 'daemon ' in +configuration files. To work around this, you can pass an optional + at the start of the user-selectable flags: + +# rcctl set openvpn flags 'openvpn-custom --config /etc/openvpn/custom.conf' Using an /etc/hostname.* file without persist-tun ------------------------------------------------- Index: pkg/openvpn.rc =================================================================== RCS file: /cvs/ports/net/openvpn/pkg/openvpn.rc,v diff -u -p -r1.2 openvpn.rc --- pkg/openvpn.rc 10 Mar 2022 00:04:07 -0000 1.2 +++ pkg/openvpn.rc 6 Dec 2025 14:31:48 -0000 @@ -1,5 +1,7 @@ #!/bin/ksh +# XXX "--daemon" must kept at the end of $daemon +# See pkg-readmes/openvpn daemon="${TRUEPREFIX}/sbin/openvpn --daemon" . /etc/rc.d/rc.subr -- jca
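
Review bot: In the pkg/README hunk, the added paragraph about --daemon has a typo ("effets" should be "effects"), and as it reads here both "'daemon '" and "an optional  at the start" are missing the name of the argument they refer to, so the reader cannot tell what 'openvpn-custom' in the example stands for. Name the argument in both places, and consider stating next to "always explicitly specify --config" what the ambiguity is: per the discussion above, flags set to a bare /etc/openvpn/server.conf do not work because of the interaction with --daemon.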
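
Review bot: In the pkg/openvpn.rc hunk, the new comment is missing a verb ("must kept" should be "must be kept") and states the constraint without the reason for it. Suggest saying that the workaround documented in the README relies on the user-selectable flags directly following --daemon, so that a later edit appending another option to daemon= does not silently break the documented flags form.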