From: Stuart Henderson
Subject: Re: openvpn: do not force --daemon as first argument
To: Klemens Nanni, ports
Date: Sat, 6 Dec 2025 16:14:22 +0000

I think that's fine.

On 2025/12/06 16:50, Jeremie Courreges-Anglas wrote:
> On Sat, Dec 06, 2025 at 11:48:26AM +0000, Klemens Nanni wrote:
> > 06.12.2025 14:37, Stuart Henderson wrote:
> > > then if someone doesn't set --daemon themselves (either on the command line or in config) the script won't work properly.
>
> Which is a problem in itself that we're trying to avoid in other rc
> scripts.
> > > not sure I see the problem with specifying --config?
>
> I didn't think that people could expect
>
>   openvpn_flags=/etc/openvpn/server.conf
>
> to work, which wouldn't work because of the interaction with --daemon.
> I can see how that would confuse people, but it can be documented.
>
> > Hence the sentence about MESSAGE or current.html.
> >
> > Although this is more about --daemon not being usable inside a config file
> > due to our rc.d script's assumption about it not taking arguments.
>
> This I did envision, and it was more of a compromise than an
> assumption. But I've been lazy and didn't document the trick to set
> the name in syslog messages.
>
> > > upstream supports multiple sockets in server mode now, btw.
> >
> > Oh? I'll take another look, thanks.
>
> That'll be only for openvpn-2.7.
>
> > I don't think it's super critical, but I'd still like to rectify this;
> > we have relatively few scripts forcing flags in `daemon' and for openvpn
> > this is not strictly necessary.
>
> The reason we force some flags in $daemon in other scripts is
> precisely to get these programs to daemonize by default, whatever the
> user specifies in the flags.
>
> See below,
>
> [...]
> > >> Existing setups need adjusting, but I'm not sure whether MESSAGE or
> > >> current.html is the best way to signal that.
>
> Your use case isn't niche, but as you noted it can already be achieved
> with the current script. Dropping --daemon would be the wrong move
> anyway, both in itself and because it would break currently working
> setups.
>
> So what about just documenting the --config and --daemon quirks?
> I tried to make it reasonably concise but it can probably be improved.
>
>
> Index: Makefile > =================================================================== > RCS file: /cvs/ports/net/openvpn/Makefile,v > diff -u -p -r1.138 Makefile > --- Makefile 29 Nov 2025 15:43:27 -0000 1.138 > +++ Makefile 6 Dec 2025 14:31:48 -0000 > @@ -1,6 +1,7 @@ > COMMENT= easy-to-use, robust, and highly configurable VPN > > DISTNAME= openvpn-2.6.17 > +REVISION= 0 > > CATEGORIES= net security > > Index: pkg/README > =================================================================== > RCS file: /cvs/ports/net/openvpn/pkg/README,v > diff -u -p -r1.9 README > --- pkg/README 22 Feb 2023 18:04:27 -0000 1.9 > +++ pkg/README 6 Dec 2025 15:35:46 -0000 > @@ -14,7 +14,17 @@ Using the openvpn rc script > # rcctl enable openvpn > # rcctl set openvpn flags '--config /etc/openvpn/server.conf' > > +To avoid ambiguity in options handling, always explicitly > +specify --config before the path to your configuration file. > + > To handle multiple openvpn instances see EXAMPLES in rcctl(8). > + > +The openvpn rc script always passes --daemon before the user-selectable > +flags. This breaks the effets of 'daemon ' in > +configuration files. To work around this, you can pass an optional > + at the start of the user-selectable flags: > + > +# rcctl set openvpn flags 'openvpn-custom --config /etc/openvpn/custom.conf' > > Using an /etc/hostname.* file without persist-tun > ------------------------------------------------- > Index: pkg/openvpn.rc > =================================================================== > RCS file: /cvs/ports/net/openvpn/pkg/openvpn.rc,v > diff -u -p -r1.2 openvpn.rc > --- pkg/openvpn.rc 10 Mar 2022 00:04:07 -0000 1.2 > +++ pkg/openvpn.rc 6 Dec 2025 14:31:48 -0000 
> @@ -1,5 +1,7 @@ > #!/bin/ksh > > +# XXX "--daemon" must kept at the end of $daemon > +# See pkg-readmes/openvpn > daemon="${TRUEPREFIX}/sbin/openvpn --daemon" > > . /etc/rc.d/rc.subr > > -- > jca
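
Review bot: in the pkg/README hunk, the paragraph added after the rcctl(8) line has a typo ("effets" should be "effects") and, as shown here, never names the argument it is about: it reads "'daemon '" and "pass an optional  at the start", so a reader cannot tell what the leading 'openvpn-custom' in the example is. Say in words that it is the optional name argument of --daemon (the name used in syslog messages, per the discussion above). The first added paragraph would also be stronger if it gave the reason for always writing --config: with --daemon forced immediately before the user flags, a bare path given as the first flag is consumed as that argument instead of being read as the configuration file.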
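
Review bot: in the pkg/openvpn.rc hunk, the new comment is missing a word ("must kept" should be "must be kept") and states the constraint without the reason for it. Add a line saying that the user flags follow $daemon directly, so the first user flag can serve as the optional argument of --daemon; without that, a later edit that appends another option to $daemon would quietly break the workaround the README describes.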