From: Klemens Nanni Subject: openvpn: update to 2.7.0 To: ports , Jeremie Courreges-Anglas Date: Wed, 11 Feb 2026 23:43:30 +0000 https://github.com/OpenVPN/openvpn/releases/tag/v2.7.0 Servers keep working fine, just like they did with the RC diffs I tested. I'm happy to see the multi-socket support land, which is great for dual-stack. On OpenBSD clients I noticed it now messes with resolv.conf, i.e. duplicate lines show up. Easiest way seems to disable the hook by default (until someone makes it use route(8) nameserver, I guess). patches/ hunks are just churn. Feedback? OK? Index: Makefile =================================================================== RCS file: /cvs/ports/net/openvpn/Makefile,v diff -u -p -r1.140 Makefile --- Makefile 11 Feb 2026 17:57:54 -0000 1.140 +++ Makefile 11 Feb 2026 23:29:17 -0000 @@ -1,6 +1,6 @@ COMMENT= easy-to-use, robust, and highly configurable VPN -DISTNAME= openvpn-2.6.19 +DISTNAME= openvpn-2.7.0 CATEGORIES= net security @@ -25,7 +25,8 @@ CONFIGURE_STYLE= gnu CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \ LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}" -CONFIGURE_ARGS+=--with-openssl-engine=no +CONFIGURE_ARGS= --disable-dns-updown-by-default \ + --with-openssl-engine=no DEBUG_PACKAGES= ${BUILD_PACKAGES} Index: distinfo =================================================================== RCS file: /cvs/ports/net/openvpn/distinfo,v diff -u -p -r1.71 distinfo --- distinfo 11 Feb 2026 17:57:54 -0000 1.71 +++ distinfo 11 Feb 2026 23:29:17 -0000 
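Review bot: The second Makefile hunk adds `--disable-dns-updown-by-default` without a comment, so the reason for it (per the mail, the hook leaves duplicate lines in resolv.conf on OpenBSD clients) is recorded only in the mail. A comment above `CONFIGURE_ARGS`, e.g. `# dns-updown edits resolv.conf directly and duplicates entries; off by default until it uses route(8) nameserver`, would keep a later update from dropping the flag unknowingly. With the hook off, clients presumably keep their pre-tunnel resolvers even when the server pushes DNS settings. That deserves a line in the package README for users who rely on pushed DNS to keep lookups inside the tunnel, since pkg/PLIST still installs `libexec/openvpn/dns-updown`. The same hunk also changes `CONFIGURE_ARGS+=` to `CONFIGURE_ARGS=`, which would discard anything appended earlier; the preceding Makefile lines are not in the hunk, so confirm nothing sets it before this point.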
@@ -1,2 +1,2 @@ -SHA256 (openvpn-2.6.19.tar.gz) = E3AlJvaHwYslQMGj8uGJGHuqplIR7c9/9ncvpp8FNs8= -SIZE (openvpn-2.6.19.tar.gz) = 1926557 +SHA256 (openvpn-2.7.0.tar.gz) = Lw4Q6ycr5h6Psl/hz6IIdf8wrIV+8UGAAMAikL1t+kU= +SIZE (openvpn-2.7.0.tar.gz) = 2083303 Index: patches/patch-configure =================================================================== RCS file: /cvs/ports/net/openvpn/patches/patch-configure,v diff -u -p -r1.41 patch-configure --- patches/patch-configure 11 Feb 2026 17:57:54 -0000 1.41 +++ patches/patch-configure 11 Feb 2026 23:29:17 -0000 @@ -1,7 +1,7 @@ Index: configure --- configure.orig +++ configure -@@ -19784,7 +19784,7 @@ else +@@ -19946,7 +19946,7 @@ else fi Index: patches/patch-include_Makefile_in =================================================================== RCS file: /cvs/ports/net/openvpn/patches/patch-include_Makefile_in,v diff -u -p -r1.25 patch-include_Makefile_in --- patches/patch-include_Makefile_in 11 Feb 2026 17:57:54 -0000 1.25 +++ patches/patch-include_Makefile_in 11 Feb 2026 23:29:17 -0000 @@ -1,7 +1,7 @@ Index: include/Makefile.in --- include/Makefile.in.orig +++ include/Makefile.in -@@ -349,7 +349,7 @@ host_cpu = @host_cpu@ +@@ -359,7 +359,7 @@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ Index: patches/patch-sample_sample-config-files_client_conf =================================================================== RCS file: /cvs/ports/net/openvpn/patches/patch-sample_sample-config-files_client_conf,v diff -u -p -r1.3 patch-sample_sample-config-files_client_conf --- patches/patch-sample_sample-config-files_client_conf 29 Jan 2023 12:06:09 -0000 1.3 +++ patches/patch-sample_sample-config-files_client_conf 11 Feb 2026 23:29:17 -0000 
@@ -11,4 +11,4 @@ Index: sample/sample-config-files/client +group _openvpn # Try to preserve some state across restarts. - persist-key + persist-tun Index: patches/patch-sample_sample-config-files_server_conf =================================================================== RCS file: /cvs/ports/net/openvpn/patches/patch-sample_sample-config-files_server_conf,v diff -u -p -r1.8 patch-sample_sample-config-files_server_conf --- patches/patch-sample_sample-config-files_server_conf 24 Sep 2025 17:00:29 -0000 1.8 +++ patches/patch-sample_sample-config-files_server_conf 11 Feb 2026 23:29:17 -0000 @@ -10,5 +10,5 @@ Index: sample/sample-config-files/server +user _openvpn +group _openvpn - # The persist options will try to avoid + # The persist option will try to avoid # accessing certain resources on restart Index: patches/patch-src_openvpn_route_c =================================================================== RCS file: /cvs/ports/net/openvpn/patches/patch-src_openvpn_route_c,v diff -u -p -r1.22 patch-src_openvpn_route_c --- patches/patch-src_openvpn_route_c 16 Jan 2025 22:40:32 -0000 1.22 +++ patches/patch-src_openvpn_route_c 11 Feb 2026 23:29:17 -0000 @@ -3,7 +3,7 @@ Index: src/openvpn/route.c --- src/openvpn/route.c.orig +++ src/openvpn/route.c -@@ -1548,7 +1548,7 @@ local_route(in_addr_t network, +@@ -1468,7 +1468,7 @@ local_route(in_addr_t network, in_addr_t netmask, in_a /* Return true if the "on-link" form of the route should be used. This is when the gateway for * a route is specified as an interface rather than an address. */ 
@@ -12,24 +12,21 @@ Index: src/openvpn/route.c static inline bool is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi) { -@@ -1820,12 +1820,17 @@ add_route(struct route_ipv4 *r, +@@ -1713,9 +1713,15 @@ add_route(struct route_ipv4 *r, const struct tuntap *t } #endif -- argv_printf_cat(&argv, "-net %s %s -netmask %s", -+ argv_printf_cat (&argv, "-net %s -netmask %s", - network, -- gateway, - netmask); +- argv_printf_cat(&argv, "-net %s %s -netmask %s", network, gateway, netmask); ++ argv_printf_cat(&argv, "-net %s -netmask %s", network, netmask); - /* FIXME -- add on-link support for OpenBSD/NetBSD */ + /* FIXME -- add on-link support for NetBSD */ -+#ifdef TARGET_OPENBSD -+ if (is_on_link (is_local_route, flags, rgi)) -+ argv_printf_cat (&argv, "-link -iface %s", rgi->iface); ++#if defined(TARGET_OPENBSD) ++ if (is_on_link(is_local_route, flags, rgi)) ++ argv_printf_cat(&argv, "-link -iface %s", rgi->iface); + else +#endif -+ argv_printf_cat (&argv, "%s", gateway); ++ argv_printf_cat(&argv, "%s", gateway); argv_msg(D_ROUTE, &argv); - bool ret = openvpn_execve_check(&argv, es, 0, + bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed"); Index: patches/patch-src_openvpn_tun_c =================================================================== RCS file: /cvs/ports/net/openvpn/patches/patch-src_openvpn_tun_c,v diff -u -p -r1.27 patch-src_openvpn_tun_c --- patches/patch-src_openvpn_tun_c 24 Sep 2025 17:00:29 -0000 1.27 +++ patches/patch-src_openvpn_tun_c 11 Feb 2026 23:29:17 -0000 
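Review bot: In the refreshed add_route() hunk the unbraced `if (is_on_link(...)) ... else` straddles `#endif`, so `argv_printf_cat(&argv, "%s", gateway);` is the else-body on OpenBSD and an unconditional statement on other targets. Any statement later inserted between `#endif` and that call would silently become the else-body on OpenBSD only. Bracing both branches, with the `else` block opening after `#endif`, keeps the two builds equivalent and matches the braced style visible in the tun.c patch. `rgi->iface` is dereferenced whenever is_on_link() returns true; its body is outside this hunk, so confirm that it rejects a NULL `rgi` before this patch relies on it. add_route() itself starts and ends outside the hunk.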
@@ -3,33 +3,31 @@ Index: src/openvpn/tun.c --- src/openvpn/tun.c.orig +++ src/openvpn/tun.c -@@ -1446,21 +1446,26 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname - if (tun) +@@ -1353,19 +1353,24 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname + /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */ + if (tun_p2p) { - argv_printf(&argv, -- "%s %s %s %s mtu %d netmask 255.255.255.255 up -link0", -+ "%s %s %s %s mtu %d netmask 255.255.255.255 up", - IFCONFIG_PATH, ifname, ifconfig_local, - ifconfig_remote_netmask, tun_mtu); +- argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up -link0", IFCONFIG_PATH, ++ argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", IFCONFIG_PATH, + ifname, ifconfig_local, ifconfig_remote_netmask, tun_mtu); } - else if (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET) + else if (tt->type == DEV_TYPE_TUN) { - remote_end = create_arbitrary_remote( tt ); -- argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up -link0", -+ argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up", - IFCONFIG_PATH, ifname, ifconfig_local, - print_in_addr_t(remote_end, 0, &gc), tun_mtu, + remote_end = create_arbitrary_remote(tt); +- argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up -link0", IFCONFIG_PATH, ifname, ++ argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up", IFCONFIG_PATH, ifname, + ifconfig_local, print_in_addr_t(remote_end, 0, &gc), tun_mtu, ifconfig_remote_netmask); } - else + else /* tap */ { -- argv_printf(&argv, "%s %s %s netmask %s mtu %d link0", +- argv_printf(&argv, "%s %s %s netmask %s mtu %d link0", IFCONFIG_PATH, ifname, + /* + * OpenBSD has distinct tun and tap devices + * so we don't need the "link0" extra parameter to specify we want to do + * tunneling at the ethernet level + */ -+ argv_printf(&argv, "%s %s %s netmask %s mtu %d", - IFCONFIG_PATH, ifname, ifconfig_local, - ifconfig_remote_netmask, tun_mtu); ++ argv_printf(&argv, "%s %s %s netmask %s mtu %d", 
IFCONFIG_PATH, ifname, + ifconfig_local, ifconfig_remote_netmask, tun_mtu); } + argv_msg(M_INFO, &argv); Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/net/openvpn/pkg/PLIST,v diff -u -p -r1.34 PLIST --- pkg/PLIST 24 Sep 2025 17:00:29 -0000 1.34 +++ pkg/PLIST 11 Feb 2026 23:29:17 -0000 @@ -9,6 +9,8 @@ lib/openvpn/plugins/ lib/openvpn/plugins/openvpn-plugin-down-root.a lib/openvpn/plugins/openvpn-plugin-down-root.la @so lib/openvpn/plugins/openvpn-plugin-down-root.so +libexec/openvpn/ +libexec/openvpn/dns-updown @man man/man5/openvpn-examples.5 @man man/man8/openvpn.8 @bin sbin/openvpn @@ -44,6 +46,7 @@ share/examples/openvpn/sample-keys/clien share/examples/openvpn/sample-keys/client.crt share/examples/openvpn/sample-keys/client.key share/examples/openvpn/sample-keys/client.p12 +share/examples/openvpn/sample-keys/ffdhe2048.pem share/examples/openvpn/sample-keys/gen-sample-keys.sh share/examples/openvpn/sample-keys/openssl.cnf share/examples/openvpn/sample-keys/server-ec.crt
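Review bot: The comment explaining why `link0` is dropped sits only in the tap branch, while both tun branches of do_ifconfig_ipv4() also drop `-link0` from their ifconfig command lines with no explanation. Moving it above the `if (tun_p2p)` chain and wording it for all three calls, e.g. `/* OpenBSD has distinct tun and tap devices, so neither "link0" nor "-link0" is passed to ifconfig */`, would document every edit this patch makes. The function starts and ends outside the hunk.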