From: Klemens Nanni
Subject: Re: openvpn: do not force --daemon as first argument
To: Stuart Henderson , ports
Date: Sat, 06 Dec 2025 19:05:27 +0000

06.12.2025 18:50, Jeremie Courreges-Anglas writes:
> On Sat, Dec 06, 2025 at 11:48:26AM +0000, Klemens Nanni wrote:
>> 06.12.2025 14:37, Stuart Henderson writes:
>>> then if someone doesn't set --daemon themselves (either on the command line or in config) the script won't work properly.
>
> Which is a problem in itself that we're trying to avoid in other rc
> scripts.

If whatever you set for flags doesn't work, the first thing should be to check the rc.d script's defaults, the package's README/MESSAGE, etc.
OpenVPN isn't as trivial as, say, tftpd(8), so I'd expect users to have already read the manual and know how to deal with our service scripts before starting them.

>
>> not sure I see the problem with specifying --config?
>
> I didn't think that people could expect
>
> openvpn_flags=/etc/openvpn/server.conf
>
> to work, which wouldn't work because of the interaction with --daemon.
> I can see how that would confuse people, but it can be documented.

Sure, documenting works here and causes less friction, but not mandating usage by hardcoding flags in `daemon' would be straightforward and allow users to use the simplest form wrt. rc.conf.local: a single file argument with everything else being in there - all without README/MESSAGE bits.

>
>> Hence the sentence about MESSAGE or current.html.
>>
>> Although this is more about --daemon not being usable inside a config file
>> due to our rc.d script's assumption about it not taking arguments.
>
> This I did envision, and it was more of a compromise than an
> assumption. But I've been lazy and didn't document the trick to set
> the name in syslog messages.
>
>>> upstream supports multiple sockets in server mode now, btw.
>>
>> Oh? I'll take another look, thanks.
>
> That'll be only for openvpn-2.7.
>
>> I don't think it's super critical, but I'd still like to rectify this;
>> we have relatively few scripts forcing flags in `daemon' and for openvpn
>> this is not strictly necessary.
>
> The reason we force some flags in $daemon in other scripts is
> precisely to get these programs to daemonize by default, whatever the
> user specifies in the flags.

Right, but here it has more impact than that:

[...]
The syslog redirection occurs immediately at the point that --daemon is parsed on the command line even though the daemonization point occurs later. If one of the --log options is present, it will supersede syslog redirection.

This renders -d to debug service startups useless, because everything is syslog'd immediately, which is bad, imho:

# rcctl enable openvpn
# rcctl set openvpn flags --ops
# rcctl -d start openvpn
doing _rc_parse_conf
openvpn_flags >--oops<
doing rc_check
openvpn
doing rc_start
doing _rc_wait_for_start
doing rc_check
doing _rc_rm_runfile
(failed)

Without a hardcoded flag, careful readers of the manual can defer their `daemon' option in flags or their config file.
It's just another minor issue, but we can fix it, so why not?

>
> See below,
>
> [...]
>>>> Existing setups need adjusting, but I'm not sure whether MESSAGE or
>>>> current.html is the best way to signal that.
>
> Your use case isn't niche, but as you noted it can already be achieved
> with the current script. Dropping --daemon would be the wrong move
> anyway, both in itself and because it would break currently working
> setups.
>
> So what about just documenting the --config and --daemon quirks?
> I tried to make it reasonably concise but it can probably be improved.
>
>
> Index: Makefile > =================================================================== > RCS file: /cvs/ports/net/openvpn/Makefile,v > diff -u -p -r1.138 Makefile > --- Makefile 29 Nov 2025 15:43:27 -0000 1.138 > +++ Makefile 6 Dec 2025 14:31:48 -0000 
> @@ -1,6 +1,7 @@ > COMMENT= easy-to-use, robust, and highly configurable VPN > > DISTNAME= openvpn-2.6.17 > +REVISION= 0 > > CATEGORIES= net security > > Index: pkg/README > =================================================================== > RCS file: /cvs/ports/net/openvpn/pkg/README,v > diff -u -p -r1.9 README > --- pkg/README 22 Feb 2023 18:04:27 -0000 1.9 > +++ pkg/README 6 Dec 2025 15:35:46 -0000 > @@ -14,7 +14,17 @@ Using the openvpn rc script > # rcctl enable openvpn > # rcctl set openvpn flags '--config /etc/openvpn/server.conf' > > +To avoid ambiguity in options handling, always explicitly > +specify --config before the path to your configuration file. > + openvpn(8) itself explains the details and it only doesn't work because of what is now explained below, so I'd drop that sentence. > To handle multiple openvpn instances see EXAMPLES in rcctl(8). > + > +The openvpn rc script always passes --daemon before the user-selectable > +flags. This breaks the effets of 'daemon ' in > +configuration files. To work around this, you can pass an optional > + at the start of the user-selectable flags: > + > +# rcctl set openvpn flags 'openvpn-custom --config /etc/openvpn/custom.conf' If we go that way, this seems good enough, although I'd say just "progname" to match openvpn(8) wording and use ... instead of --config /file for brevity. > > Using an /etc/hostname.* file without persist-tun > ------------------------------------------------- > Index: pkg/openvpn.rc > =================================================================== > RCS file: /cvs/ports/net/openvpn/pkg/openvpn.rc,v > diff -u -p -r1.2 openvpn.rc > --- pkg/openvpn.rc 10 Mar 2022 00:04:07 -0000 1.2 > +++ pkg/openvpn.rc 6 Dec 2025 14:31:48 -0000 > @@ -1,5 +1,7 @@ > #!/bin/ksh > > +# XXX "--daemon" must kept at the end of $daemon > +# See pkg-readmes/openvpn > daemon="${TRUEPREFIX}/sbin/openvpn --daemon" > > . /etc/rc.d/rc.subr >
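Review bot: in the pkg/README hunk, "effets" in the second added paragraph should read "effects". That paragraph would also be clearer if it said why the leading word works: openvpn(8) takes it as the optional progname argument of --daemon, which is the reason it has to be the very first token of the user-selectable flags, and the reason a bare configuration path in that position (the `openvpn_flags=/etc/openvpn/server.conf` case raised earlier in the thread) is consumed by --daemon instead of being read as a configuration file.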
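Review bot: the comment added to pkg/openvpn.rc is missing a word: "must kept at the end of $daemon" should be "must be kept at the end of $daemon". Since pkg-readmes is the only place the constraint is explained, consider giving the one-line reason in the script itself (the first user-selectable flag may be --daemon's optional progname), so that a later edit of $daemon does not reorder the flags without reading the README.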
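One way to make the --daemon/--config interaction discussed in this thread checkable before a service is started, as an added example that is not part of the thread or of the openvpn port: a POSIX sh lint for the openvpn_flags value. It assumes the rc script runs "$daemon $daemon_flags" with the --daemon prefix shown in the patch, that openvpn(8) takes the token following --daemon as its optional progname unless that token begins with "--", and that TRUEPREFIX is /usr/local.

```shell
#!/bin/sh
# Added example (not from the thread or the openvpn port): lint the value of
# openvpn_flags in rc.conf.local for the --daemon/--config quirk.
# Assumptions: pkg/openvpn.rc runs "$daemon $daemon_flags" with
# daemon="${TRUEPREFIX}/sbin/openvpn --daemon" (TRUEPREFIX taken as
# /usr/local here), and openvpn(8) takes the token following --daemon as its
# optional progname unless that token begins with "--".

daemon="/usr/local/sbin/openvpn --daemon"

# Show the command line the rc script would end up executing.
openvpn_cmdline() {
    printf '%s %s\n' "$daemon" "$1"
}

# Classify an openvpn_flags value; prints exactly one word:
#   ok        first token is an option, so --daemon gets no progname
#   progname  first token becomes --daemon's progname (custom syslog name)
#             and a --config follows: the trick documented in the README
#   swallowed first token becomes --daemon's progname and nothing names a
#             config file, so e.g. a bare path is never read as one
#   empty     no flags at all, openvpn is started with only --daemon
classify_openvpn_flags() {
    set -- $1                       # split on whitespace like the shell does
    [ $# -eq 0 ] && { echo empty; return 0; }
    case $1 in
    --*) echo ok; return 0 ;;
    esac
    shift                           # drop the would-be progname
    for tok in "$@"; do
        [ "$tok" = "--config" ] && { echo progname; return 0; }
    done
    echo swallowed
}

# Constructed sample values, walking through the cases from the thread.
for flags in '--config /etc/openvpn/server.conf' \
             '/etc/openvpn/server.conf' \
             'openvpn-custom --config /etc/openvpn/custom.conf' \
             ''; do
    printf '%-10s %s\n' "$(classify_openvpn_flags "$flags")" \
        "$(openvpn_cmdline "$flags")"
done
```

Run it against the output of `rcctl get openvpn flags` to see which of the four cases a given rc.conf.local ends up in.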