git: 6853ab171eff - main - security/openvpn*: update to 2.6.0, keep openvpn25

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Fri, 27 Jan 2023 21:32:25 UTC
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6853ab171eff406db8b2451117bae397f926f4d2

commit 6853ab171eff406db8b2451117bae397f926f4d2
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2023-01-25 22:29:50 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-01-27 21:32:22 +0000

    security/openvpn*: update to 2.6.0, keep openvpn25
    
    - copy openvpn to openvpn25, mark as deprecated and to expire March 31
    
    - update openvpn to openvpn 2.6.0, highlights from Frank Lichtenheld's
      release announcement e-mail, slightly edited:
    
     * Data Channel Offload (DCO) kernel acceleration support for Windows,
       Linux, and FreeBSD [14].
     * OpenSSL 3 support
     * Improved handling of tunnel MTU, including support for pushable MTU.
     * Outdated cryptographic algorithms disabled by default, but there are
       options to override if necessary.
     * Reworked TLS handshake, making OpenVPN immune to replay-packet state
       exhaustion attacks.
     * Added --peer-fingerprint mode for a simpler certificate setup
       and verification.
     * Improved protocol negotiation, leading to faster connection setup.
    
    ChangeLog: https://github.com/OpenVPN/openvpn/blob/v2.6.0/Changes.rst
---
 UPDATING                                           |  10 ++
 security/Makefile                                  |   1 +
 security/openvpn/Makefile                          |  30 ++--
 security/openvpn/distinfo                          |   6 +-
 security/openvpn/files/ovpn_dco_freebsd.h          |  71 +++++++++
 .../patch-doc_man-sections_generic-options.rst     |  11 ++
 security/openvpn25/Makefile                        | 164 +++++++++++++++++++++
 security/openvpn25/distinfo                        |   3 +
 security/openvpn25/files/openvpn-client.in         |   6 +
 security/openvpn25/files/openvpn.in                | 144 ++++++++++++++++++
 .../files/patch-doc_openvpn.8                      |   0
 .../files/patch-doc_openvpn.8.html                 |   0
 ...ch-sample__sample-config-files__loopback-client |  13 ++
 ...ch-sample__sample-config-files__loopback-server |  13 ++
 .../files/patch-src_openvpn_openssl__compat.h      |   0
 .../files/patch-src_plugins_auth-pam_auth-pam.c    |  10 ++
 security/openvpn25/files/patch-tests__t_cltsrv.sh  |  65 ++++++++
 security/openvpn25/files/pkg-message.in            |  34 +++++
 security/openvpn25/files/up-script.sample          |  27 ++++
 security/openvpn25/pkg-descr                       |   5 +
 security/openvpn25/pkg-plist                       |  10 ++
 21 files changed, 610 insertions(+), 13 deletions(-)

diff --git a/UPDATING b/UPDATING
index 5a3589afcb62..da07f5911da4 100644
--- a/UPDATING
+++ b/UPDATING
@@ -5,6 +5,16 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.
 
+20230127:
+  AFFECTS: users of security/openvpn
+  AUTHOR: mandree@freebsd.org
+
+  OpenVPN has been updated to the new upstream release v2.6.0, which
+  is quite compatible with v2.5 versions.
+
+  A copy of the latest v2.5.8 port is being kept as security/openvpn25 (or
+  openvpn25 package) until end of March 2023.
+
 20230116:
   AFFECTS: users of sysutils/nut and sysutils/nut-devel
   AUTHOR: cy@freebsd.org
diff --git a/security/Makefile b/security/Makefile
index a45295338dd3..9024548d290a 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -419,6 +419,7 @@
     SUBDIR += openvpn-auth-radius
     SUBDIR += openvpn-auth-script
     SUBDIR += openvpn-devel
+    SUBDIR += openvpn25
     SUBDIR += opie
     SUBDIR += ophcrack
     SUBDIR += ossec-hids
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index e14df3d594dc..409693652e0b 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=		openvpn
-DISTVERSION=		2.5.8
+DISTVERSION=		2.6.0
 PORTREVISION?=		0
 CATEGORIES=		security net net-vpn
 MASTER_SITES=		https://swupdate.openvpn.org/community/releases/ \
@@ -8,24 +8,28 @@ MASTER_SITES=		https://swupdate.openvpn.org/community/releases/ \
 
 MAINTAINER=		mandree@FreeBSD.org
 COMMENT?=		Secure IP/Ethernet tunnel daemon
-WWW=		https://openvpn.net/community/
+WWW=			https://openvpn.net/community/
 
 LICENSE=		GPLv2
 LICENSE_FILE=		${WRKSRC}/COPYRIGHT.GPL
 
-USES=			cpe libtool localbase:ldflags pkgconfig shebangfix ssl tar:xz
+BUILD_DEPENDS+=		cmocka>=0:sysutils/cmocka \
+			rst2man:textproc/py-docutils@${PY_FLAVOR}
+
+USES=			cpe libtool localbase:ldflags pkgconfig python:build shebangfix ssl
 USE_RC_SUBR=		openvpn
 
-SHEBANG_FILES=		sample/sample-scripts/verify-cn \
-			sample/sample-scripts/auth-pam.pl \
-			sample/sample-scripts/ucn.pl
+SHEBANG_FILES=		sample/sample-scripts/auth-pam.pl \
+			sample/sample-scripts/totpauth.py \
+			sample/sample-scripts/ucn.pl \
+			sample/sample-scripts/verify-cn
 
 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS+=	--enable-strict --with-crypto-library=openssl
 # set PLUGIN_LIBDIR so that unqualified plugin paths are found:
 CONFIGURE_ENV+=		PLUGINDIR="${PREFIX}/lib/openvpn/plugins"
 
-CONFLICTS_INSTALL?=	openvpn-2.[!5].* openvpn-devel openvpn-mbedtls
+CONFLICTS_INSTALL?=	openvpn-2* openvpn-devel openvpn-mbedtls
 
 SUB_FILES=		pkg-message openvpn-client
 
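Review bot: cmocka becomes an unconditional build dependency at L114 while the port keeps its UNITTESTS option (L144), and the 2.5.8 copy taken from this same file still carries `UNITTESTS_BUILD_DEPENDS= cmocka>=0:sysutils/cmocka` (L364); if that line survives here the two overlap, and if 2.6.0 really needs cmocka for every build a comment on L114 such as `# 2.6.0 needs cmocka even with UNITTESTS off` would stop the next maintainer from folding it back into the option. `CONFLICTS_INSTALL` at L134 now also matches this port's own package name (openvpn-2.6.0), where the old `openvpn-2.[!5].*` pattern deliberately did not; that is harmless only if the framework skips the port's own PKGBASE, which current bsd.port.mk appears to do but is worth confirming rather than relying on.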
@@ -35,10 +39,14 @@ GROUPS=			openvpn
 PORTDOCS=		*
 PORTEXAMPLES=		*
 
-OPTIONS_DEFINE=		ASYNC_PUSH DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \
+OPTIONS_DEFINE=		ASYNC_PUSH DCO DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \
 			TEST UNITTESTS X509ALTUSERNAME
 OPTIONS_DEFAULT=	EASYRSA LZ4 LZO PKCS11 TEST
+OPTIONS_EXCLUDE_FreeBSD_12=	DCO # FreeBSD 14 only
+OPTIONS_EXCLUDE_FreeBSD_13=	DCO # FreeBSD 14 only
+
 ASYNC_PUSH_DESC=	Enable async-push support
+DCO_DESC=			Build with Data Channel Offload (ovpn(4)) support
 EASYRSA_DESC=		Install security/easy-rsa RSA helper package
 LZO_DESC=		LZO compression (incompatible with LibreSSL)
 PKCS11_DESC=		Use security/pkcs11-helper, needs same SSL lib!
@@ -49,6 +57,8 @@ X509ALTUSERNAME_DESC=	Enable --x509-username-field
 ASYNC_PUSH_LIB_DEPENDS=	libinotify.so:devel/libinotify
 ASYNC_PUSH_CONFIGURE_ENABLE=	async-push
 
+DCO_CONFIGURE_ENABLE=	dco
+
 EASYRSA_RUN_DEPENDS=	easy-rsa>=0:security/easy-rsa
 
 LZ4_LIB_DEPENDS+=	liblz4.so:archivers/liblz4
@@ -98,8 +108,9 @@ post-patch:
 	${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \
 		-e 's/"nobody"( after init)/"openvpn" \1/' \
 		${WRKSRC}/sample/sample-config-files/*.conf \
-		${WRKSRC}/sample/sample-config-files/xinetd-*-config \
 		${WRKSRC}/doc/man-sections/generic-options.rst
+	# this header file was missed from the 2.6.0 tarball
+	${CP} ${FILESDIR}/ovpn_dco_freebsd.h ${WRKSRC}/src/openvpn/ # FIXME remove for 2.6.1
 
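Review bot: the `${CP}` at L170 runs on every build, with the DCO option on or off and for any future DISTVERSION, so the `FIXME remove for 2.6.1` depends on someone remembering it, and once a later tarball ships its own `src/openvpn/ovpn_dco_freebsd.h` the unconditional copy would overwrite it with this older snapshot. Wrapping L169-L170 in `.if ${DISTVERSION} == 2.6.0` / `.endif` makes the workaround retire itself on the next update; the file already uses `.if` inside recipes (pre-configure), so the form is established. The copied file is a kernel ABI header (ovpn(4) ioctl numbers), which is one more reason to keep it only as long as the tarball lacks it. The tab-indented `#` comment on L169 is passed to the shell and echoed during the build, matching the existing pre-configure style, so no change is needed there.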
 pre-configure:
 	# just too many of sign-compare; bitwise-instead-of-logical was audited and is intentional,
@@ -142,7 +153,6 @@ post-install:
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
 	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
 	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down
-	@${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
 	${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
 	${MKDIR} ${STAGEDIR}${PREFIX}/include
 
diff --git a/security/openvpn/distinfo b/security/openvpn/distinfo
index b411c3f73145..7ba3f3c977d1 100644
--- a/security/openvpn/distinfo
+++ b/security/openvpn/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1666977762
-SHA256 (openvpn-2.5.8.tar.xz) = 2bbd0026469902037ee6499b68283d5ab36c74e36cae3112082cfdf6c77a0c57
-SIZE (openvpn-2.5.8.tar.xz) = 1161288
+TIMESTAMP = 1674848325
+SHA256 (openvpn-2.6.0.tar.gz) = ebec933263c9850ef6f7ce125e2f22214be60b1cbb8ccff18892643fe083ae8f
+SIZE (openvpn-2.6.0.tar.gz) = 1840792
diff --git a/security/openvpn/files/ovpn_dco_freebsd.h b/security/openvpn/files/ovpn_dco_freebsd.h
new file mode 100644
index 000000000000..fec33835f007
--- /dev/null
+++ b/security/openvpn/files/ovpn_dco_freebsd.h
@@ -0,0 +1,71 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+ *
+ * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _NET_IF_OVPN_H_
+#define _NET_IF_OVPN_H_
+
+#include <sys/types.h>
+#include <netinet/in.h>
+
+/* Maximum size of an ioctl request. */
+#define OVPN_MAX_REQUEST_SIZE   4096
+
+enum ovpn_notif_type {
+    OVPN_NOTIF_DEL_PEER,
+};
+
+enum ovpn_del_reason {
+    OVPN_DEL_REASON_REQUESTED       = 0,
+    OVPN_DEL_REASON_TIMEOUT         = 1
+};
+
+enum ovpn_key_slot {
+    OVPN_KEY_SLOT_PRIMARY   = 0,
+    OVPN_KEY_SLOT_SECONDARY = 1
+};
+
+enum ovpn_key_cipher {
+    OVPN_CIPHER_ALG_NONE                    = 0,
+    OVPN_CIPHER_ALG_AES_GCM                 = 1,
+    OVPN_CIPHER_ALG_CHACHA20_POLY1305       = 2
+};
+
+#define OVPN_NEW_PEER           _IO('D', 1)
+#define OVPN_DEL_PEER           _IO('D', 2)
+#define OVPN_GET_STATS          _IO('D', 3)
+#define OVPN_NEW_KEY            _IO('D', 4)
+#define OVPN_SWAP_KEYS          _IO('D', 5)
+#define OVPN_DEL_KEY            _IO('D', 6)
+#define OVPN_SET_PEER           _IO('D', 7)
+#define OVPN_START_VPN          _IO('D', 8)
+#define OVPN_SEND_PKT           _IO('D', 9)
+#define OVPN_POLL_PKT           _IO('D', 10)
+#define OVPN_GET_PKT            _IO('D', 11)
+#define OVPN_SET_IFMODE         _IO('D', 12)
+#define OVPN_GET_PEER_STATS     _IO('D', 13)
+
+#endif /* ifndef _NET_IF_OVPN_H_ */
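Review bot: this vendored kernel ABI header carries no note of where it was copied from or why it is in the ports tree, and the only tracking comment lives in the Makefile's post-patch recipe; a short comment under the license block naming the upstream file it stands in for (the Makefile copies it to `src/openvpn/`) and stating that it should be dropped once the tarball includes it keeps the provenance with the file. The guard `_NET_IF_OVPN_H_` looks like the kernel header's own include guard, so if both are ever included the second is silently skipped and the ioctl numbers come from whichever was seen first — fine while the contents are identical, but worth recording. `_IO()` is defined in `<sys/ioccom.h>`, which neither `<sys/types.h>` nor `<netinet/in.h>` pulls in, so the header only compiles when the includer has already included `<sys/ioctl.h>`; adding `#include <sys/ioccom.h>` after L230 makes it self-contained.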
diff --git a/security/openvpn/files/patch-doc_man-sections_generic-options.rst b/security/openvpn/files/patch-doc_man-sections_generic-options.rst
new file mode 100644
index 000000000000..295f20cd7f1f
--- /dev/null
+++ b/security/openvpn/files/patch-doc_man-sections_generic-options.rst
@@ -0,0 +1,11 @@
+--- doc/man-sections/generic-options.rst.orig	2023-01-25 10:00:58 UTC
++++ doc/man-sections/generic-options.rst
+@@ -507,5 +507,8 @@ which mode OpenVPN is configured as.
+   since it is usually used by other system services already. Always
+   create a dedicated user for openvpn.
+ 
++  The FreeBSD port creates a group and user named :code:`openvpn`
++  for this purpose.
++
+ --writepid file
+   Write OpenVPN's main process ID to ``file``.
diff --git a/security/openvpn25/Makefile b/security/openvpn25/Makefile
new file mode 100644
index 000000000000..565e30bd381c
--- /dev/null
+++ b/security/openvpn25/Makefile
@@ -0,0 +1,164 @@
+PORTNAME=		openvpn
+DISTVERSION=		2.5.8
+PORTREVISION?=		0
+CATEGORIES=		security net net-vpn
+MASTER_SITES=		https://swupdate.openvpn.org/community/releases/ \
+			https://build.openvpn.net/downloads/releases/ \
+			LOCAL/mandree
+PKGNAMESUFFIX=		25
+
+MAINTAINER=		mandree@FreeBSD.org
+COMMENT?=		Secure IP/Ethernet tunnel daemon
+WWW=		https://openvpn.net/community/
+
+LICENSE=		GPLv2
+LICENSE_FILE=		${WRKSRC}/COPYRIGHT.GPL
+
+DEPRECATED=		replaced by new upstream release 2.6.0
+EXPIRATION_DATE=	2023-03-31
+
+USES=			cpe libtool localbase:ldflags pkgconfig shebangfix ssl tar:xz
+USE_RC_SUBR=		openvpn
+
+SHEBANG_FILES=		sample/sample-scripts/verify-cn \
+			sample/sample-scripts/auth-pam.pl \
+			sample/sample-scripts/ucn.pl
+
+GNU_CONFIGURE=		yes
+CONFIGURE_ARGS+=	--enable-strict --with-crypto-library=openssl
+# set PLUGIN_LIBDIR so that unqualified plugin paths are found:
+CONFIGURE_ENV+=		PLUGINDIR="${PREFIX}/lib/openvpn/plugins"
+
+CONFLICTS_INSTALL?=	openvpn-2* openvpn-devel openvpn-mbedtls
+
+SUB_FILES=		pkg-message openvpn-client
+
+USERS=			openvpn
+GROUPS=			openvpn
+
+PORTDOCS=		*
+PORTEXAMPLES=		*
+
+OPTIONS_DEFINE=		ASYNC_PUSH DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \
+			TEST UNITTESTS X509ALTUSERNAME
+OPTIONS_DEFAULT=	EASYRSA LZ4 LZO PKCS11 TEST
+ASYNC_PUSH_DESC=	Enable async-push support
+EASYRSA_DESC=		Install security/easy-rsa RSA helper package
+LZO_DESC=		LZO compression (incompatible with LibreSSL)
+PKCS11_DESC=		Use security/pkcs11-helper, needs same SSL lib!
+SMALL_DESC=		Build a smaller executable with fewer features
+UNITTESTS_DESC=		Enable unit tests
+X509ALTUSERNAME_DESC=	Enable --x509-username-field
+
+ASYNC_PUSH_LIB_DEPENDS=	libinotify.so:devel/libinotify
+ASYNC_PUSH_CONFIGURE_ENABLE=	async-push
+
+EASYRSA_RUN_DEPENDS=	easy-rsa>=0:security/easy-rsa
+
+LZ4_LIB_DEPENDS+=	liblz4.so:archivers/liblz4
+LZ4_CONFIGURE_ENABLE=	lz4
+
+LZO_LIB_DEPENDS+=	liblzo2.so:archivers/lzo2
+LZO_CONFIGURE_ENABLE=	lzo
+
+PKCS11_LIB_DEPENDS=	libpkcs11-helper.so:security/pkcs11-helper
+PKCS11_CONFIGURE_ENABLE=	pkcs11
+
+SMALL_CONFIGURE_ENABLE=	small
+
+TEST_ALL_TARGET=	check
+TEST_TEST_TARGET_OFF=	check
+
+UNITTESTS_BUILD_DEPENDS=	cmocka>=0:sysutils/cmocka
+UNITTESTS_CONFIGURE_ENABLE=	unit-tests
+
+X509ALTUSERNAME_CONFIGURE_ENABLE=	x509-alt-username
+
+.ifdef (LOG_OPENVPN)
+CFLAGS+=		-DLOG_OPENVPN=${LOG_OPENVPN}
+.endif
+
+.include <bsd.port.options.mk>
+
+.if ${PORT_OPTIONS:MLZO}
+IGNORE_SSL=libressl libressl-devel
+IGNORE_SSL_REASON=OpenVPN does not have permission to include LZO with LibreSSL. Compile against OpenSSL, or if your setups support it, disable LZO support
+.endif
+
+.if ! ${PORT_OPTIONS:MLZ4} && ! ${PORT_OPTIONS:MLZO}
+CONFIGURE_ARGS+=	--enable-comp-stub
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if !empty(PORT_OPTIONS:MLZO) && !empty(SSL_DEFAULT:Nbase:Nopenssl*)
+# in-depth security net if Mk/Uses/ssl.mk changes
+pre-everything::
+	@${ECHO_CMD} >&2 "ERROR: OpenVPN is not licensed to combine LZO with other OpenSSL-licensed libraries than OpenSSL. Compile against OpenSSL, or if your setups support it, disable LZO support."
+	@${SHELL} -c 'exit 1'
+.endif
+
+post-patch:
+	${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \
+		-e 's/"nobody"( after init)/"openvpn" \1/' \
+		${WRKSRC}/sample/sample-config-files/*.conf \
+		${WRKSRC}/sample/sample-config-files/xinetd-*-config \
+		${WRKSRC}/doc/man-sections/generic-options.rst
+
+pre-configure:
+	# just too many of sign-compare; bitwise-instead-of-logical was audited and is intentional,
+	# and unused-function affects test---these are developer-side warnings, not relevant on end systems
+	${REINPLACE_CMD} 's/-Wsign-compare/-Wno-unknown-warning-option -Wno-sign-compare -Wno-bitwise-instead-of-logical -Wno-unused-function/' ${WRKSRC}/configure
+.ifdef (LOG_OPENVPN)
+	@${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
+.else
+	@${ECHO} ""
+	@${ECHO} "You may use the following build options:"
+	@${ECHO} ""
+	@${ECHO} "      LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
+	@${ECHO} "      EXAMPLE:  make LOG_OPENVPN=LOG_LOCAL6"
+	@${ECHO} ""
+.endif
+.if !empty(SSL_DEFAULT:Mlibressl*)
+	@${ECHO} "### --------------------------------------------------------- ###"
+	@${ECHO} "### NOTE that libressl is not primarily supported by OpenVPN  ###"
+	@${ECHO} "### Do not report bugs without fixes/patches unless the issue ###"
+	@${ECHO} "### can be reproduced with a released OpenSSL version.        ###"
+	@${ECHO} "### --------------------------------------------------------- ###"
+	@sleep 10
+.endif
+
+post-configure:
+	${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \
+	 	${WRKSRC}/src/plugins/auth-pam/Makefile \
+	 	${WRKSRC}/src/plugins/down-root/Makefile
+
+# sanity check that we don't inherit incompatible SSL libs through,
+# for instance, pkcs11-helper:
+_tlslibs=libssl libcrypto
+post-build:
+	@a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \
+	|	${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\
+	if test "$$*" != "1" ; then ( set -x ; ldd -a ${WRKSRC}/src/openvpn/openvpn ) ; ${PRINTF} '%s\n' "$$a" ; ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi
+
+post-install:
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
+	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
+	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down
+	@${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
+	${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
+	${MKDIR} ${STAGEDIR}${PREFIX}/include
+
+post-install-DOCS-on:
+	${MKDIR} ${STAGEDIR}${DOCSDIR}/
+.for i in AUTHORS ChangeLog PORTS
+	${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
+.endfor
+
+post-install-EXAMPLES-on:
+	(cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/)
+	${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/*
+	${RM} ${STAGEDIR}${EXAMPLESDIR}/sample-config-files/*.orig
+
+.include <bsd.port.post.mk>
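Review bot: `DEPRECATED=` at L309 names the upstream release but not the port that replaces this one, and pkg shows this string to users, so `DEPRECATED= replaced by security/openvpn (upstream release 2.6.0)` tells them where to migrate. The `WWW=` line at L304 keeps the single-tab misalignment that the main port's hunk corrects (L107-L108); since this file is otherwise a verbatim copy it should match. The post-build sanity check at L432-L434 calls bare `wc` while the neighbouring tools go through `${SORT}`, `${GREP}` and `${PRINTF}`; the framework provides `${WC}` for the same purpose.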
diff --git a/security/openvpn25/distinfo b/security/openvpn25/distinfo
new file mode 100644
index 000000000000..b411c3f73145
--- /dev/null
+++ b/security/openvpn25/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1666977762
+SHA256 (openvpn-2.5.8.tar.xz) = 2bbd0026469902037ee6499b68283d5ab36c74e36cae3112082cfdf6c77a0c57
+SIZE (openvpn-2.5.8.tar.xz) = 1161288
diff --git a/security/openvpn25/files/openvpn-client.in b/security/openvpn25/files/openvpn-client.in
new file mode 100644
index 000000000000..471757811795
--- /dev/null
+++ b/security/openvpn25/files/openvpn-client.in
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+exec %%PREFIX%%/sbin/openvpn --script-security 2 \
+    --up %%PREFIX%%/libexec/openvpn-client.up \
+    --plugin openvpn-plugin-down-root.so %%PREFIX%%/libexec/openvpn-client.down \
+    --config "$@"
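Review bot: the wrapper has no argument check, so running it with no arguments hands openvpn a bare `--config`, and every argument after the first is forwarded verbatim as further openvpn options, which nothing in the script documents. A guard before the `exec`, `[ $# -ge 1 ] || { echo "usage: ${0##*/} config.ovpn [openvpn-options...]" >&2; exit 64; }`, plus a one-line comment stating that extra arguments are passed through, makes the contract explicit. `--script-security 2` is the level required for the `--up` hook, so that part is as it should be.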
diff --git a/security/openvpn25/files/openvpn.in b/security/openvpn25/files/openvpn.in
new file mode 100644
index 000000000000..9a59ed6f011e
--- /dev/null
+++ b/security/openvpn25/files/openvpn.in
@@ -0,0 +1,144 @@
+#!/bin/sh
+#
+# openvpn.sh - load tun/tap driver and start OpenVPN daemon
+#
+# (C) Copyright 2005 - 2008, 2010 by Matthias Andree
+# based on suggestions by Matthias Grimm and Dirk Gouders
+# with multi-instance contribution from Denis Shaposhnikov, Gleb Kozyrev
+# and Vasil Dimov
+# softrestart feature suggested by Nick Hibma
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, write to the Free Software Foundation, Inc., 51 Franklin
+# Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# PROVIDE: openvpn
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+
+# -----------------------------------------------------------------------------
+#
+# This script supports running multiple instances of openvpn.
+# To run additional instances link this script to something like
+# % ln -s openvpn openvpn_foo
+# and define additional openvpn_foo_* variables in one of
+# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/openvpn_foo
+#
+# Below NAME should be substituted with the name of this script. By default
+# it is openvpn, so read as openvpn_enable. If you linked the script to
+# openvpn_foo, then read as openvpn_foo_enable etc.
+#
+# The following variables are supported (defaults are shown).
+# You can place them in any of
+# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/NAME
+#
+# NAME_enable="NO"	# set to YES to enable openvpn
+# NAME_if=		# driver(s) to load, set to "tun", "tap" or "tun tap"
+#			# it is OK to specify the if_ prefix.
+#
+# # optional:
+# NAME_flags=				# additional command line arguments
+# NAME_configfile="%%PREFIX%%/etc/openvpn/NAME.conf"	# --config file
+# NAME_dir="%%PREFIX%%/etc/openvpn"	# --cd directory
+#
+# You also need to set NAME_configfile and NAME_dir, if the configuration
+# file and directory where keys and certificates reside differ from the above
+# settings.
+#
+# Note that we deliberately refrain from unloading drivers.
+#
+# For further documentation, please see openvpn(8).
+#
+
+. /etc/rc.subr
+
+# service(8) does not create an authentic environment, try to guess,
+# and as of 10.3-RELEASE-p0, it will not find the indented name=
+# assignments below. So give it a default.
+# Trailing semicolon also for service(8)'s benefit:
+name="$file" ;
+
+case "$0" in
+/etc/rc*)
+	# during boot (shutdown) $0 is /etc/rc (/etc/rc.shutdown),
+	# so get the name of the script from $_file
+	name="$_file"
+	;;
+*/service)
+	# do not use this as $0
+	;;
+*)
+	name="$0"
+	;;
+esac
+
+# default name to "openvpn" if guessing failed
+# Trailing semicolon also for service(8)'s benefit:
+name="${name:-openvpn}" ;
+name="${name##*/}"
+rcvar=${name}_enable
+
+stop_postcmd()
+{
+	rm -f "$pidfile" || warn "Could not remove $pidfile."
+}
+
+softrestart()
+{
+    sig_reload=USR1 run_rc_command reload
+    exit $?
+}
+
+openvpn_stats()
+{
+	sig_reload=USR2
+	run_rc_command ${rc_prefix}reload $rc_extra_args
+}
+
+# reload: support SIGHUP to reparse configuration file
+# softrestart: support SIGUSR1 to reconnect without superuser privileges
+# stats: support SIGUSR2 to write statistics to the syslog
+extra_commands="reload softrestart stats"
+softrestart_cmd="softrestart"
+stats_cmd="openvpn_stats"
+
+# pidfile
+pidfile="/var/run/${name}.pid"
+
+# command and arguments
+command="%%PREFIX%%/sbin/openvpn"
+
+# run this last
+stop_postcmd="stop_postcmd"
+
+load_rc_config ${name}
+
+eval ": \${${name}_enable:=\"NO\"}"
+eval ": \${${name}_configfile:=\"%%PREFIX%%/etc/openvpn/${name}.conf\"}"
+eval ": \${${name}_dir:=\"%%PREFIX%%/etc/openvpn\"}"
+
+configfile="$(eval echo \${${name}_configfile})"
+dir="$(eval echo \${${name}_dir})"
+interfaces="$(eval echo \${${name}_if})"
+flags="$(eval echo \${${name}_flags})"
+
+required_modules=
+for i in $interfaces ; do
+    required_modules="$required_modules${required_modules:+" "}if_${i#if_}"
+done
+
+required_files=${configfile}
+
+command_args="--cd ${dir} --daemon ${name} --config ${configfile} --writepid ${pidfile} ${flags}"
+
+run_rc_command "$1"
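Review bot: `command_args` at L625 expands `${dir}`, `${configfile}` and `${pidfile}` unquoted, so an rc.conf value containing whitespace is split into separate openvpn arguments; rc.subr builds the final command line through eval, so writing `--cd '${dir}' --config '${configfile}'` inside the string should carry the quoting through to the daemon (confirm against rc.subr on the supported releases). `required_files=${configfile}` on L623 has the same splitting behaviour. As a point of style, `softrestart()` (L579-L583) is indented with four spaces while the neighbouring functions use tabs.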
diff --git a/security/openvpn/files/patch-doc_openvpn.8 b/security/openvpn25/files/patch-doc_openvpn.8
similarity index 100%
rename from security/openvpn/files/patch-doc_openvpn.8
rename to security/openvpn25/files/patch-doc_openvpn.8
diff --git a/security/openvpn/files/patch-doc_openvpn.8.html b/security/openvpn25/files/patch-doc_openvpn.8.html
similarity index 100%
rename from security/openvpn/files/patch-doc_openvpn.8.html
rename to security/openvpn25/files/patch-doc_openvpn.8.html
diff --git a/security/openvpn25/files/patch-sample__sample-config-files__loopback-client b/security/openvpn25/files/patch-sample__sample-config-files__loopback-client
new file mode 100644
index 000000000000..0b485a641d8a
--- /dev/null
+++ b/security/openvpn25/files/patch-sample__sample-config-files__loopback-client
@@ -0,0 +1,13 @@
+--- sample/sample-config-files/loopback-client.orig	2016-08-23 14:16:22 UTC
++++ sample/sample-config-files/loopback-client
+@@ -9,8 +9,8 @@
+ #  ./openvpn --config sample-config-files/loopback-client  (In one window) 
+ #  ./openvpn --config sample-config-files/loopback-server  (Simultaneously in another window) 
+ 
+-rport 16000
+-lport 16001
++rport 16100
++lport 16101
+ remote localhost
+ local localhost
+ dev null
diff --git a/security/openvpn25/files/patch-sample__sample-config-files__loopback-server b/security/openvpn25/files/patch-sample__sample-config-files__loopback-server
new file mode 100644
index 000000000000..58691b133de7
--- /dev/null
+++ b/security/openvpn25/files/patch-sample__sample-config-files__loopback-server
@@ -0,0 +1,13 @@
+--- sample/sample-config-files/loopback-server.orig	2016-08-23 14:16:22 UTC
++++ sample/sample-config-files/loopback-server
+@@ -9,8 +9,8 @@
+ #  ./openvpn --config sample-config-files/loopback-client  (In one window) 
+ #  ./openvpn --config sample-config-files/loopback-server  (Simultaneously in another window) 
+ 
+-rport 16001
+-lport 16000
++rport 16101
++lport 16100
+ remote localhost
+ local localhost
+ dev null
diff --git a/security/openvpn/files/patch-src_openvpn_openssl__compat.h b/security/openvpn25/files/patch-src_openvpn_openssl__compat.h
similarity index 100%
rename from security/openvpn/files/patch-src_openvpn_openssl__compat.h
rename to security/openvpn25/files/patch-src_openvpn_openssl__compat.h
diff --git a/security/openvpn25/files/patch-src_plugins_auth-pam_auth-pam.c b/security/openvpn25/files/patch-src_plugins_auth-pam_auth-pam.c
new file mode 100644
index 000000000000..633bc0f0204d
--- /dev/null
+++ b/security/openvpn25/files/patch-src_plugins_auth-pam_auth-pam.c
@@ -0,0 +1,10 @@
+--- src/plugins/auth-pam/auth-pam.c.orig	2021-06-21 04:44:39 UTC
++++ src/plugins/auth-pam/auth-pam.c
+@@ -39,6 +39,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <limits.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <sys/types.h>
diff --git a/security/openvpn25/files/patch-tests__t_cltsrv.sh b/security/openvpn25/files/patch-tests__t_cltsrv.sh
new file mode 100644
index 000000000000..9d0af3691c87
--- /dev/null
+++ b/security/openvpn25/files/patch-tests__t_cltsrv.sh
@@ -0,0 +1,65 @@
+--- tests/t_cltsrv.sh.orig	2016-08-23 13:10:22 UTC
++++ tests/t_cltsrv.sh
+@@ -1,7 +1,7 @@
+ #! /bin/sh
+ #
+ # t_cltsrv.sh - script to test OpenVPN's crypto loopback
+-# Copyright (C) 2005, 2006, 2008  Matthias Andree
++# Copyright (C) 2005 - 2014  Matthias Andree
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -22,8 +22,9 @@ set -e
+ srcdir="${srcdir:-.}"
+ top_srcdir="${top_srcdir:-..}"
+ top_builddir="${top_builddir:-..}"
+-trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
+-trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3
++root="${top_srcdir}/sample"
++trap "rm -f ${root}/sample-config-files/loopback-*.test log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
++trap "a=\$? ; rm -f ${root}/sample-config-files/loopback-*.test log.$$ log.$$.signal ; test \$a = 0 && exit 1 || exit \$a" 0 3
+ addopts=
+ case `uname -s` in
+     FreeBSD)
+@@ -45,18 +46,38 @@ esac
+ # make sure that the --down script is executable -- fail (rather than
+ # skip) test if it isn't.
+ downscript="../tests/t_cltsrv-down.sh"
+-root="${top_srcdir}/sample"
+ test -x "${root}/${downscript}" || chmod +x "${root}/${downscript}" || { echo >&2 "${root}/${downscript} is not executable, failing." ; exit 1 ; }
+ echo "The following test will take about two minutes." >&2
+ echo "If the addresses are in use, this test will retry up to two times." >&2
+ 
++set -- $(ifconfig lo0 | grep -E '\<inet' | head -n1)
++add=
++if [ "x$1$2" = "x" ] ; then
++    echo >&2 "### NO ADDRESSES ON LOOPBACK INTERFACE lo0, SKIPPING TEST ###"
++    exit 77
++fi
++if [ "inet6" = "$1" ] ; then
++    add='proto udp6 '
++fi
++for i in server client ; do
++    sed -e "s|localhost|${2%/*}|" -e "/^remote /a\\
++$add" ${root}/sample-config-files/loopback-$i \
++    >${root}/sample-config-files/loopback-$i.test
++done
++
+ # go
+ success=0
+ for i in 1 2 3 ; do
+   set +e
+   (
+-  "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${root}" ${addopts} --setenv role srv --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-server" &
+-  "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${top_srcdir}/sample" ${addopts} --setenv role clt --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-client"
++  "${top_builddir}/src/openvpn/openvpn" --script-security 2 \
++      --cd "${root}" ${addopts} --setenv role srv \
++      --down "${downscript}" --tls-exit --ping-exit 180 \
++      --config "sample-config-files/loopback-server.test" &
++  "${top_builddir}/src/openvpn/openvpn" --script-security 2 \
++      --cd "${top_srcdir}/sample" ${addopts} --setenv role clt \
++      --down "${downscript}" --tls-exit --ping-exit 180 \
++      --config "sample-config-files/loopback-client.test"
+   ) 3>log.$$.signal >log.$$ 2>&1
+   e1=$?
+   wait $!
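Review bot: `grep -E '\<inet'` at L732 relies on the `\<` word-boundary escape, which is a GNU/BSD extension rather than POSIX ERE; `grep -E '^[[:space:]]*inet6?[[:space:]]'` matches the same ifconfig lines without it. The chosen address goes straight into `sed -e "s|localhost|${2%/*}|"` (L742), so if the first matching line were a scoped link-local inet6 address the generated `.test` configs would carry a `%lo0` suffix; on FreeBSD `::1` normally lists first, so this is a caveat rather than a known failure, but a comment stating the assumption would help. The rest of t_cltsrv.sh continues past the end of this hunk.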
diff --git a/security/openvpn25/files/pkg-message.in b/security/openvpn25/files/pkg-message.in
new file mode 100644
index 000000000000..c527aec28683
--- /dev/null
+++ b/security/openvpn25/files/pkg-message.in
@@ -0,0 +1,34 @@
+[
+{ type: install
+  message: <<EOM
+Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
+startup. See %%PREFIX%%/etc/rc.d/openvpn for details.
+
+Connect to VPN server as a client with this command to include
+the client.up/down scripts in the initialization:
+openvpn-client <spec>.ovpn
+
+For compatibility notes when interoperating with older OpenVPN
+versions, please see <http://openvpn.net/relnotes.html>
+
+Note that OpenVPN does not officially support LibreSSL.
+
+Note that OpenVPN configures a separate user and group "openvpn",
+which should be used instead of the NFS user "nobody"
+when an unprivileged user account is desired.
+
+You may want to add user openvpn and group openvpn when creating your
+configuration files, the example configuration shows this only as comments.
+EOM
+}
+{ type: upgrade
+  message: <<EOM
+Note that OpenVPN now configures a separate user and group "openvpn",
+which should be used instead of the NFS user "nobody"
+when an unprivileged user account is desired.
+
+It is advisable to review existing configuration files and
+to consider adding/changing user openvpn and group openvpn.
+EOM
+}
+]
diff --git a/security/openvpn25/files/up-script.sample b/security/openvpn25/files/up-script.sample
new file mode 100644
index 000000000000..2b9acee3dc85
--- /dev/null
+++ b/security/openvpn25/files/up-script.sample
@@ -0,0 +1,27 @@
+#!/bin/sh
+# OpenVPN simple up/down script for openresolvconf integration.
+# (C) Copyright 2016 Baptiste Daroussin
+# BSD 2-clause license.
+
+set -e +u
+: ${script_type:=down}
+case "${script_type}" in
+up)
+        i=1
+        while :; do
+                eval option=\"\$foreign_option_${i}\" || break
+                [ "${option}" ] || break
+                set -- ${option}
+                i=$((i + 1))
+                [ "$1" = "dhcp-option" ] || continue
+                case "$2" in
+                DNS)           echo "nameserver ${3}" ;;
+                DOMAIN)        echo "domain ${3}" ;;
+                DOMAIN-SEARCH) echo "search ${3}" ;;
+                esac
+        done | /sbin/resolvconf -a "${dev}"
+        ;;
+down)
+        /sbin/resolvconf -d "${dev}" -f
+        ;;
+esac
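Review bot: `set -- ${option}` at L824 word-splits a value pushed by the remote VPN server without disabling pathname expansion, so a token such as `*` is replaced by file names from the current directory before the `dhcp-option` check runs; adding `-f` to the `set -e +u` on L816 keeps the split purely on whitespace. With `+u` in effect an unset `dev` reaches `resolvconf -a ""` silently on L832 and L835; `: "${dev:?dev is not set}"` after L817 turns that into a clear failure. This file is not referenced by the openvpn25 Makefile or pkg-plist in this commit, so it appears to ship only as an unused sample under files/.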
diff --git a/security/openvpn25/pkg-descr b/security/openvpn25/pkg-descr
new file mode 100644
index 000000000000..716b69051b64
--- /dev/null
+++ b/security/openvpn25/pkg-descr
@@ -0,0 +1,5 @@
+OpenVPN is a robust, scalable and highly configurable VPN (Virtual Private
+Network) daemon which can be used to securely link two or more private networks
+using an encrypted tunnel over the internet. It can operate over UDP or TCP,
+can use SSL or a pre-shared secret to authenticate peers, and in SSL mode, one
+server can handle many clients.
diff --git a/security/openvpn25/pkg-plist b/security/openvpn25/pkg-plist
new file mode 100644
index 000000000000..d247b39c1eed
--- /dev/null
+++ b/security/openvpn25/pkg-plist
@@ -0,0 +1,10 @@
+include/openvpn-msg.h
+include/openvpn-plugin.h
+lib/openvpn/plugins/openvpn-plugin-auth-pam.so
+lib/openvpn/plugins/openvpn-plugin-down-root.so
+libexec/openvpn-client.down
+libexec/openvpn-client.up
+man/man5/openvpn-examples.5.gz
+man/man8/openvpn.8.gz
+sbin/openvpn
+sbin/openvpn-client