Commit openvpn 2.2.1 with ipv6 support.

Signed-off-by: Vladimir Smirnov <civil.over@gmail.com>
alphallc · Jan 22, 2012 · 8cbd727 · 8cbd727
1 parent 8b2bcfc
commit 8cbd727
Show file tree

Hide file tree

Showing 12 changed files with 1,478 additions and 0 deletions.
diff --git a/net-misc/openvpn/ChangeLog b/net-misc/openvpn/ChangeLog
diff --git a/net-misc/openvpn/Manifest b/net-misc/openvpn/Manifest
@@ -0,0 +1,13 @@
+AUX 65openvpn 45 RMD160 580e7f52f0c5ba91d3bc91f1155afc43fb153a96 SHA1 0d58cc3a3093e8df4b6e423934e93691722739b3 SHA256 d5758e39fdc75dcbb5a788b1afa743c3c1f08c63c535aa32c300b965474d765c
+AUX down.sh 943 RMD160 db43a525c9eb2ccb538e938e0b7f4359af22e4de SHA1 261acc68a24108526345a7d117bba15dbcebaa6e SHA256 39debebcd8c899f20e6d355cbc8eaab46e28b83a9f6c33a94c065688a4f3d2c7
+AUX openvpn-2.1.conf 892 RMD160 687a747ed2f801b051438d02da8fcd44c6954484 SHA1 e65db7d972483c9391ef92d2931d9db7b69e4329 SHA256 330149a83684ddabe413d134d4c8efad4c88b18c2ab67165014deff5f7fffad2
+AUX openvpn-2.1.init 4186 RMD160 e71c8cb5abee5d1b7c6485fc910f35822330a853 SHA1 a25b319834208d7ac65b090f85ee500f5e752cdc SHA256 d1b1f8a00935d77521bceb62535350444df3470fa45f4d33c3934051a1bb595b
+AUX openvpn-2.1_rc13-peercred.patch 251 RMD160 26123eedc9b685fb01de93c1141588f8008562f5 SHA1 8132510ebbd891ec55ef36d0cb8a86cb64a0145f SHA256 e7c2025ec49d3a5c2d95d80ee3c26ed9ccd0587d1664860b3a1eceb2bb7c778f
+AUX openvpn-2.2.1-pkcs11.patch 1080 RMD160 1ed385f7137e75a085ae59a98ea32c7430347b66 SHA1 c09bb78d9b2312f198fb7ce2363d07179976a932 SHA256 20247a5f5962ca1f6c09209ff07d7dfbc34899ad420b2f658cc5071e46ec1942
+AUX openvpn.init 1486 RMD160 7005230b0dc3ea400aa22c9a01c2aa034d8baace SHA1 1670c08a2bec65c2e3529aec8d377bad6cb2e0e5 SHA256 c4b9e0899fa5ee0b90c5100da7711dc7a6a5658f10042b0feda9e7efb90a11cf
+AUX up.sh 2594 RMD160 17576f73e6de08828aeda2a8776b4a36331fa855 SHA1 4eb4d1e857053f86ea886dec8e8e6f45174df774 SHA256 848da0929c37b2112769232fbbdf61961b6107c6726d4b74d1ceb034b39ad5dd
+DIST openvpn-2.2.1-ipv6-20110825-1.patch.gz 34877 RMD160 dbefda0f86a39046d8ad333d80b740d6aa5c0999 SHA1 6522312cb78adef12d1c0ffff56f7e48bff22456 SHA256 431f463c5230477b7c99b6be586843f2a1b64251b0a341c59bdb19db6268c7aa
+DIST openvpn-2.2.1.tar.gz 911472 RMD160 115ff6ac548014d38da9e21bbb91103bcbb0cd09 SHA1 d5a8e9c635aa330eae8e66e1ccbe2b98e4c3047b SHA256 a860858cc92d4573399bb2ff17ac62d9b4b8939e6af0b8cc69150ba39d6e94e0
+EBUILD openvpn-2.2.1.ebuild 5297 RMD160 5b391272210fb9f149671715537e566101d57633 SHA1 1b51aa2d40c080b2d21ce86c18391727f0ddb5ed SHA256 675c0f8c7fb7608ebd59205ce3078664c5caa6694c8303689e99d8e3e0ceec24
+MISC ChangeLog 31866 RMD160 483e2a7e215d13361f2e1fa0fa3be19fe3b083d4 SHA1 704e915e263fea454454b2cf55524fba7c328842 SHA256 322465f769690d3e78c1faa278c44b24bcdff1589d38d7e37bc5778542558ba2
+MISC metadata.xml 808 RMD160 40e1ada3063edc2ae986c33b1ad78d150bcb4523 SHA1 5a8edc3cf4a935ebc255b71327c4e5cc8362f0ed SHA256 06fb4ae72a9389520966db3f497088b9d23de0ef0b1e74d5c2066980bef221a1
diff --git a/net-misc/openvpn/files/65openvpn b/net-misc/openvpn/files/65openvpn
@@ -0,0 +1 @@
+CONFIG_PROTECT="/usr/share/openvpn/easy-rsa"
diff --git a/net-misc/openvpn/files/down.sh b/net-misc/openvpn/files/down.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+
+# If we have a service specific script, run this now
+if [ -x /etc/openvpn/"${SVCNAME}"-down.sh ] ; then
+	/etc/openvpn/"${SVCNAME}"-down.sh "$@"
+fi
+
+# Restore resolv.conf to how it was
+if [ "${PEER_DNS}" != "no" ]; then
+	if [ -x /sbin/resolvconf ] ; then
+		/sbin/resolvconf -d "${dev}"
+	elif [ -e /etc/resolv.conf-"${dev}".sv ] ; then
+		# Important that we copy instead of move incase resolv.conf is
+		# a symlink and not an actual file
+		cp /etc/resolv.conf-"${dev}".sv /etc/resolv.conf
+		rm -f /etc/resolv.conf-"${dev}".sv
+	fi
+fi
+
+if [ -n "${SVCNAME}" ]; then
+	# Re-enter the init script to start any dependant services
+	if /etc/init.d/"${SVCNAME}" --quiet status ; then
+		export IN_BACKGROUND=true
+		/etc/init.d/"${SVCNAME}" --quiet stop
+	fi
+fi
+
+exit 0
+
+# vim: ts=4 :
diff --git a/net-misc/openvpn/files/openvpn-2.1.conf b/net-misc/openvpn/files/openvpn-2.1.conf
@@ -0,0 +1,18 @@
+# OpenVPN automatically creates an /etc/resolv.conf (or sends it to
+# resolvconf) if given DNS information by the OpenVPN server.
+# Set PEER_DNS="no" to stop this.
+PEER_DNS="yes"
+
+# OpenVPN can run in many modes. Most people will want the init script
+# to automatically detect the mode and try and apply a good default
+# configuration and setup scripts. However, there are cases where the
+# OpenVPN configuration looks like a client, but it's really a peer or
+# something else. DETECT_CLIENT controls this behaviour.
+DETECT_CLIENT="yes"
+
+# If DETECT_CLIENT is no and you have your own scripts to re-enter the openvpn
+# init script (ie, it first becomes "inactive" and the script then starts the
+# script again to make it "started") then you can state this below.
+# In other words, unless you understand service dependencies and are a
+# competent shell scripter, don't set this.
+RE_ENTER="no"
diff --git a/net-misc/openvpn/files/openvpn-2.1.init b/net-misc/openvpn/files/openvpn-2.1.init
@@ -0,0 +1,133 @@
+#!/sbin/runscript
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+VPNDIR=${VPNDIR:-/etc/openvpn}
+VPN=${SVCNAME#*.}
+if [ -n "${VPN}" ] && [ ${SVCNAME} != "openvpn" ]; then
+	VPNPID="/var/run/openvpn.${VPN}.pid"
+else
+	VPNPID="/var/run/openvpn.pid"
+fi
+VPNCONF="${VPNDIR}/${VPN}.conf"
+
+depend() {
+	need localmount net
+	use dns
+	after bootmisc
+}
+
+checkconfig() {
+	# Linux has good dynamic tun/tap creation
+	if [ $(uname -s) = "Linux" ] ; then
+		if [ ! -e /dev/net/tun ]; then
+			if ! modprobe tun ; then
+				eerror "TUN/TAP support is not available" \
+					"in this kernel"
+				return 1
+			fi
+		fi
+		if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
+			ebegin "Detected broken /dev/net/tun symlink, fixing..."
+			rm -f /dev/net/tun
+			ln -s /dev/misc/net/tun /dev/net/tun
+			eend $?
+		fi
+		return 0
+	fi
+
+	# Other OS's don't, so we rely on a pre-configured interface
+	# per vpn instance
+	local ifname=$(sed -n -e 's/[[:space:]]*dev[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "${VPNCONF}")
+	if [ -z ${ifname} ] ; then
+		eerror "You need to specify the interface that this openvpn" \
+			"instance should use" \
+			"by using the dev option in ${VPNCONF}"
+		return 1
+	fi
+
+	if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then
+		# Try and create it
+		echo > /dev/"${ifname}" >/dev/null
+	fi
+	if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then
+		eerror "${VPNCONF} requires interface ${ifname}" \
+			"but that does not exist"
+		return 1
+	fi
+}
+
+start() {
+	# If we are re-called by the openvpn gentoo-up.sh script
+	# then we don't actually want to start openvpn
+	[ "${IN_BACKGROUND}" = "true" ] && return 0
+
+	ebegin "Starting ${SVCNAME}"
+
+	checkconfig || return 1
+
+	local args="" reenter=${RE_ENTER:-no}
+	# If the config file does not specify the cd option, we do
+	# But if we specify it, we override the config option which we do not want
+	if ! grep -q "^[ 	]*cd[ 	].*" "${VPNCONF}" ; then
+		args="${args} --cd ${VPNDIR}"
+	fi
+
+	# We mark the service as inactive and then start it.
+	# When we get an authenticated packet from the peer then we run our script
+	# which configures our DNS if any and marks us as up.
+	if [ "${DETECT_CLIENT:-yes}" = "yes" ] && \
+	grep -q "^[ 	]*remote[ 	].*" "${VPNCONF}" ; then
+		reenter="yes"
+		args="${args} --up-delay --up-restart"
+		args="${args} --script-security 2"
+		args="${args} --up /etc/openvpn/up.sh"
+		args="${args} --down-pre --down /etc/openvpn/down.sh"
+
+		# Warn about setting scripts as we override them
+		if grep -Eq "^[ 	]*(up|down)[ 	].*" "${VPNCONF}" ; then
+			ewarn "WARNING: You have defined your own up/down scripts"
+			ewarn "As you're running as a client, we now force Gentoo specific"
+			ewarn "scripts to be run for up and down events."
+			ewarn "These scripts will call /etc/openvpn/${SVCNAME}-{up,down}.sh"
+			ewarn "where you can put your own code."
+		fi
+
+		# Warn about the inability to change ip/route/dns information when
+		# dropping privs
+		if grep -q "^[ 	]*user[ 	].*" "${VPNCONF}" ; then
+			ewarn "WARNING: You are dropping root privileges!"
+			ewarn "As such openvpn may not be able to change ip, routing"
+			ewarn "or DNS configuration."
+		fi
+	else
+		# So we're a server. Run as openvpn unless otherwise specified
+		grep -q "^[ 	]*user[ 	].*" "${VPNCONF}" || args="${args} --user openvpn"
+		grep -q "^[ 	]*group[ 	].*" "${VPNCONF}" || args="${args} --group openvpn"
+	fi
+
+	# Ensure that our scripts get the PEER_DNS variable
+	[ -n "${PEER_DNS}" ] && args="${args} --setenv PEER_DNS ${PEER_DNS}"
+
+	[ "${reenter}" = "yes" ] && mark_service_inactive "${SVCNAME}"
+	start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \
+		-- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon \
+		--setenv SVCNAME "${SVCNAME}" ${args}
+	eend $? "Check your logs to see why startup failed"
+}
+
+stop() {
+	# If we are re-called by the openvpn gentoo-down.sh script
+	# then we don't actually want to stop openvpn
+	if [ "${IN_BACKGROUND}" = "true" ] ; then
+		mark_service_inactive "${SVCNAME}"
+		return 0
+	fi
+
+	ebegin "Stopping ${SVCNAME}"
+	start-stop-daemon --stop --quiet \
+		--exec /usr/sbin/openvpn --pidfile "${VPNPID}"
+	eend $?
+}
+
+# vim: set ts=4 :
diff --git a/net-misc/openvpn/files/openvpn-2.1_rc13-peercred.patch b/net-misc/openvpn/files/openvpn-2.1_rc13-peercred.patch
@@ -0,0 +1,10 @@
+--- socket.c~	2008-11-02 01:39:00.406009999 +0100
++++ socket.c	2008-11-02 01:39:00.406009999 +0100
+@@ -22,6 +22,7 @@
+  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+  */
+
++#define _GNU_SOURCE
+ #include "syshead.h"
+
+ #include "socket.h"
diff --git a/net-misc/openvpn/files/openvpn-2.2.1-pkcs11.patch b/net-misc/openvpn/files/openvpn-2.2.1-pkcs11.patch
@@ -0,0 +1,32 @@
+--- openvpn-2.1_rc20~/easy-rsa/2.0/openssl-0.9.8.cnf~	2011-10-10 15:10:33.027120093 +0400
++++ openvpn-2.1_rc20~/easy-rsa/2.0/openssl-0.9.8.cnf	2011-10-10 15:11:07.447120924 +0400
+@@ -283,8 +283,8 @@
+ #pkcs11 = pkcs11_section
+
+ [ pkcs11_section ]
+-engine_id = pkcs11
+-dynamic_path = /usr/lib/engines/engine_pkcs11.so
+-MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+-PIN = $ENV::PKCS11_PIN
+-init = 0
++#engine_id = pkcs11
++#dynamic_path = /usr/lib/engines/engine_pkcs11.so
++#MODULE_PATH = $ENV::PKCS11_MODULE_PATH
++#PIN = $ENV::PKCS11_PIN
++#init = 0
+--- openvpn-2.1_rc20~/easy-rsa/2.0/openssl-1.0.0.cnf~	2011-10-10 15:10:36.257120163 +0400
++++ openvpn-2.1_rc20~/easy-rsa/2.0/openssl-1.0.0.cnf	2011-10-10 15:11:20.296121202 +0400
+@@ -278,8 +278,8 @@
+ #pkcs11 = pkcs11_section
+
+ [ pkcs11_section ]
+-engine_id = pkcs11
+-dynamic_path = /usr/lib/engines/engine_pkcs11.so
+-MODULE_PATH = $ENV::PKCS11_MODULE_PATH
+-PIN = $ENV::PKCS11_PIN
+-init = 0
++#engine_id = pkcs11
++#dynamic_path = /usr/lib/engines/engine_pkcs11.so
++#MODULE_PATH = $ENV::PKCS11_MODULE_PATH
++#PIN = $ENV::PKCS11_PIN
++#init = 0
diff --git a/net-misc/openvpn/files/openvpn.init b/net-misc/openvpn/files/openvpn.init
@@ -0,0 +1,63 @@
+#!/sbin/runscript
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+VPNDIR="/etc/openvpn"
+VPN="${SVCNAME#*.}"
+if [ -n "${VPN}" ] && [ "${SVCNAME}" != "openvpn" ]; then
+	VPNPID="/var/run/openvpn.${VPN}.pid"
+else
+	VPNPID="/var/run/openvpn.pid"
+fi
+VPNCONF="${VPNDIR}/${VPN}.conf"
+
+depend() {
+	need localmount net
+	before netmount
+	after bootmisc
+}
+
+checktundevice() {
+	if [ ! -e /dev/net/tun ]; then
+		if ! modprobe tun ; then
+			eerror "TUN/TAP support is not available in this kernel"
+			return 1
+		fi
+	fi
+	if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
+		ebegin "Detected broken /dev/net/tun symlink, fixing..."
+		rm -f /dev/net/tun
+		ln -s /dev/misc/net/tun /dev/net/tun
+		eend $?
+	fi
+}
+
+start() {
+	ebegin "Starting ${SVCNAME}"
+
+	checktundevice || return 1
+
+	if [ ! -e "${VPNCONF}" ]; then
+		eend 1 "${VPNCONF} does not exist"
+		return 1
+	fi
+
+	local args=""
+	# If the config file does not specify the cd option, we do
+	# But if we specify it, we override the config option which we do not want
+	if ! grep -q "^[ 	]*cd[ 	].*" "${VPNCONF}" ; then
+		args="${args} --cd ${VPNDIR}"
+	fi
+
+	start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \
+		-- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon ${args}
+	eend $? "Check your logs to see why startup failed"
+}
+
+stop() {
+	ebegin "Stopping ${SVCNAME}"
+	start-stop-daemon --stop --exec /usr/sbin/openvpn --pidfile "${VPNPID}"
+	eend $?
+}
+
+# vim: ts=4
diff --git a/net-misc/openvpn/files/up.sh b/net-misc/openvpn/files/up.sh
@@ -0,0 +1,82 @@
+#!/bin/sh
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+
+# Setup our resolv.conf
+# Vitally important that we use the domain entry in resolv.conf so we
+# can setup the nameservers are for the domain ONLY in resolvconf if
+# we're using a decent dns cache/forwarder like dnsmasq and NOT nscd/libc.
+# nscd/libc users will get the VPN nameservers before their other ones
+# and will use the first one that responds - maybe the LAN ones?
+# non resolvconf users just the the VPN resolv.conf
+
+# FIXME:- if we have >1 domain, then we have to use search :/
+# We need to add a flag to resolvconf to say
+# "these nameservers should only be used for the listed search domains
+#  if other global nameservers are present on other interfaces"
+# This however, will break compatibility with Debians resolvconf
+# A possible workaround would be to just list multiple domain lines
+# and try and let resolvconf handle it
+
+if [ "${PEER_DNS}" != "no" ]; then
+	NS=
+	DOMAIN=
+	SEARCH=
+	i=1
+	while true ; do
+		eval opt=\$foreign_option_${i}
+		[ -z "${opt}" ] && break
+		if [ "${opt}" != "${opt#dhcp-option DOMAIN *}" ] ; then
+			if [ -z "${DOMAIN}" ] ; then
+				DOMAIN="${opt#dhcp-option DOMAIN *}"
+			else
+				SEARCH="${SEARCH}${SEARCH:+ }${opt#dhcp-option DOMAIN *}"
+			fi
+		elif [ "${opt}" != "${opt#dhcp-option DNS *}" ] ; then
+			NS="${NS}nameserver ${opt#dhcp-option DNS *}\n"
+		fi
+		i=$((${i} + 1))
+	done
+
+	if [ -n "${NS}" ] ; then
+		DNS="# Generated by openvpn for interface ${dev}\n"
+		if [ -n "${SEARCH}" ] ; then
+			DNS="${DNS}search ${DOMAIN} ${SEARCH}\n"
+		elif [ -n "${DOMAIN}" ]; then
+			DNS="${DNS}domain ${DOMAIN}\n"
+		fi
+		DNS="${DNS}${NS}"
+		if [ -x /sbin/resolvconf ] ; then
+			printf "${DNS}" | /sbin/resolvconf -a "${dev}"
+		else
+			# Preserve the existing resolv.conf
+			if [ -e /etc/resolv.conf ] ; then
+				cp /etc/resolv.conf /etc/resolv.conf-"${dev}".sv
+			fi
+			printf "${DNS}" > /etc/resolv.conf
+			chmod 644 /etc/resolv.conf
+		fi
+	fi
+fi
+
+# Below section is Gentoo specific
+# Quick summary - our init scripts are re-entrant and set the SVCNAME env var
+# as we could have >1 openvpn service
+
+if [ -n "${SVCNAME}" ]; then
+	# If we have a service specific script, run this now
+	if [ -x /etc/openvpn/"${SVCNAME}"-up.sh ] ; then
+		/etc/openvpn/"${SVCNAME}"-up.sh "$@"
+	fi
+
+	# Re-enter the init script to start any dependant services
+	if ! /etc/init.d/"${SVCNAME}" --quiet status ; then
+		export IN_BACKGROUND=true
+		/etc/init.d/${SVCNAME} --quiet start
+	fi
+fi
+
+exit 0
+
+# vim: ts=4 :