Merge tag 'debian/2.4.7-1' into stretch-backports

openvpn Debian release 2.4.7-1

18 files changed, 562 insertions, 126 deletions

diff --git a/debian/README.source b/debian/README.source
new file mode 100644
index 0000000..b286c8f
--- /dev/null
+++ b/debian/README.source
@@ -0,0 +1,18 @@
+Hello,
+
+now I use the branching model from Vincent Driessen[1].
+
+I use the gitflow-avh[2]. with the Documentation[3].
+The Debian package can be found here[4].
+
+Please upload unattended uploads use a branch feature/<your title>.
+
+
+Many thanks.
+
+ -- Jörg Frings-Fürst <debian@jff.email>  Sun, 29 Jul 2018 13:59:15 +0200
+
+[1] http://nvie.com/posts/a-successful-git-branching-model/
+[2] https://github.com/petervanderdoes/gitflow-avh
+[3] https://github.com/petervanderdoes/gitflow-avh/wiki
+[4] https://tracker.debian.org/pkg/git-flow
diff --git a/debian/changelog b/debian/changelog
index 91bcf9e..f676f8d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,14 +1,68 @@
-openvpn (2.4.4-2~bpo9+1) stretch-backports; urgency=medium
+openvpn (2.4.7-1) unstable; urgency=medium
 
-  * Rebuild for stretch-backports.
-    - Revert to OpenSSL 1.0.2, libpkcs11-helper1-dev is not compatible
-      with OpenSSL 1.1.0 in stretch
+  [ Bernhard Schmidt ]
+  * New upstream version 2.4.7
+    - improvements regarding TLSv1.3
+    - Add CAP_AUDIT_WRITE for auth_pam for upstream units (Closes: #868806)
+  * adjust kfreebsd_support.patch for new upstream version
+  * Also Add CAP_AUDIT_WRITE for auth_pam for openvpn@.service (Closes: #868806)
+  * openvpn@.service: Bump LimitNPROC to 100, see #861923
+
+  [ Simon Deziel ]
+  * d/control: suggests openvpn-systemd-resolved (Closes: #913265)
+
+  [ Hilko Bengen ]
+  * Avoid hangs when spawning child processes by not setting pkcs11-helper
+    "safe fork mode" (Closes: #772812, #900805, #907452)
 
- -- Bernhard Schmidt <berni@debian.org>  Sat, 30 Dec 2017 22:21:24 +0100
+ -- Bernhard Schmidt <berni@debian.org>  Wed, 20 Feb 2019 14:50:03 +0100
+
+openvpn (2.4.6-1) unstable; urgency=medium
+
+  [ Jörg Frings-Fürst ]
+  * New upstream release.
+    - Refresh patches.
+    - Fix "does not start if link-mtu is too low" (Closes: #867113).
+    - Fix "auth-tokens are purged if auth-nocache is set" (Closes: #883601).
+  * Migrate to debhelper 11:
+    - Change debian/compat to 11.
+    - Bump minimum debhelper version in debian/control to >= 11.
+  * Declare compliance with Debian Policy 4.1.5 (No changes needed).
+  * New debian/patches/spelling_errors.patch to correct spelling errors.
+  * New debian/patches/systemd.patch to remove obsolete syslog.target.
+  * debian/changelog:
+    - Rewrite to DEP5 copyright format.
+  * debian/control:
+    - Change to my new email address.
+    - Remove trailing whitespaces.
+  * debian/rules:
+    - Remove trailing whitespaces.
+    - Replace outdated dh_installsystemd with dh_systemd_start.
+    - Remove usr/share/doc/openvpn/COPYING.
+    - Replace rm -f with $(RM).
+  * debian/update-resolv-conf:
+    - Fix "preserve order of pushed parameters" (Closes: #807808).
+      Thanks to Thibaut Chèze.
+    - Add syslog message if used without binary resolvconf (Closes: #895135).
+      Thanks to Roger Price <debian@rogerprice.org>.
+  * debian/watch:
+    - Use secure URI.
+  * Remove obsolete debian/openvpn.lintian-overrides.
+  * New README.source to explain the branching model used.
+
+ -- Jörg Frings-Fürst <debian@jff.email>  Mon, 30 Jul 2018 14:08:13 +0200
+
+openvpn (2.4.5-1) unstable; urgency=medium
+
+  * New upstream version 2.4.5 (Closes: #873302)
+  * Fix wrong Bug# in previous changelog
+  * Change Vcs-* to salsa (gitlab)
+
+ -- Bernhard Schmidt <berni@debian.org>  Sun, 04 Mar 2018 22:23:47 +0100
 
 openvpn (2.4.4-2) unstable; urgency=medium
 
-  * Build against OpenSSL 1.1.0 (Closes: #828447)
+  * Build against OpenSSL 1.1.0 (Closes: #828477)
   * Bump Standards-Version to 4.1.2, no changes necessary
 
  -- Bernhard Schmidt <berni@debian.org>  Mon, 11 Dec 2017 00:22:11 +0100
@@ -97,7 +151,7 @@ openvpn (2.4.3-1) unstable; urgency=high
     - CVE-2017-7521
     - CVE-2017-7522
   * Plugin libs have been moved to /usr/lib/ARCH/openvpn/plugins
-  * debian/rules: 
+  * debian/rules:
     - Remove obsolete options to configure script (enable-password-save,
       with-plugindir (now in ENV_VARS))
     - No need to install upstream's systemd unit files from debian/rules
@@ -270,7 +324,7 @@ openvpn (2.3.7-1) unstable; urgency=medium
 openvpn (2.3.5-1) unstable; urgency=medium
 
   * New upstream release. Removed patches applied upstream:
-    client_connect_tmp_files.patch 
+    client_connect_tmp_files.patch
     better_systemd_detection.patch
   * Add Build-Depends on libsystemd-daemon-dev.
 
@@ -519,7 +573,7 @@ openvpn (2.2.0-2) unstable; urgency=low
 openvpn (2.2.0-1) experimental; urgency=low
 
   * New upstream release (Closes: #625281)
-  * Removed Depends on open(ssl|vpn)-blacklist, since 
+  * Removed Depends on open(ssl|vpn)-blacklist, since
     debian_openssl_vulnkeys.patch is no longer used.
     Removed templates referring it too.
   * Removed manpage_dash_escaping.patch, applied upstream
@@ -812,7 +866,7 @@ openvpn (2.1~rc7-2) unstable; urgency=high
   * init.c: Warn of use of known vulnerable weak SSL/TLS
     and shared secret keys caused by Debian openssl bug.
     Patch taken from Ubuntu. CVE-2008-0166
-  * debian/(templates|postinst): Add warning on vulnerable 
+  * debian/(templates|postinst): Add warning on vulnerable
     secrect/key files.
   * debian/control: Add dependencies on openssl-blacklist and
     openvpn-blacklist. Bumped dependency on libssl version.
@@ -902,7 +956,7 @@ openvpn (2.0.9-6) unstable; urgency=low
     /etc/network/interfaces integration. (Closes: #413732)
   * Also included joeyh's suggestion on the previous subject.
     (Closes: 419797)
-  * Avoid restarting a vpn instead of reloading it due to wrong 
+  * Avoid restarting a vpn instead of reloading it due to wrong
     detection of 'user' option in init.d script. Thanks Josip Rodin.
     (Closes: 403503)
   * Added Russian debconf translation. (Closes: #414088)
@@ -980,7 +1034,7 @@ openvpn (2.0.6-2) unstable; urgency=low
     a fresh install or stop2upgrade=true. (Closes: #366085, #338956)
   * Updated Czech debconf translation (Closes: #333989)
     Thanks Miroslav Kure.
-  * Bumped Standards-Version to 3.7.2.0, no change. 
+  * Bumped Standards-Version to 3.7.2.0, no change.
   * debian/rules: Avoid compressing 'pkitool' (Closes: #354478)
   * debian/templates: Corrected typo on init scripts order change.
     (Closes: #351664)
@@ -1024,9 +1078,9 @@ openvpn (2.0.2-1) unstable; urgency=low
   * The [VAC] upload. Thanks Vorbis Gdynia for the free internet access :)
   * New upstream release (Closes: #323594)
   * Fixed use of backslash in username authentication. (Closes: #309787)
-  * Fixes several DoS vulnerabilities: CAN-2005-2531 CAN-2005-2532 
+  * Fixes several DoS vulnerabilities: CAN-2005-2531 CAN-2005-2532
     CAN-2005-2533 CAN-2005-2534. (Closes: #324167)
-  * Changed group option from 'nobody' to 'nogroup' in all the 
+  * Changed group option from 'nobody' to 'nogroup' in all the
     *example* files... (Closes: #317987)
   * Included openvpn-plugin.h to allow building third party plugins.
     (Closes: #316139)
@@ -1079,7 +1133,7 @@ openvpn (2.0-1) unstable; urgency=low
     Thanks Thomas Hood for the patch.
   * debian/control. Rewrote Description: field.
     Now it's more useful and complete. (Closes: #304895)
-  * init.d script: 
+  * init.d script:
      - Fixed restarting of multiple VPNs
      - Fixed TAB converted to spaces.
      - Remove status file on VPN stop
@@ -1122,7 +1176,7 @@ openvpn (1.99+2.rc12-1) unstable; urgency=low
 
 openvpn (1.99+2.rc11-2) unstable; urgency=low
 
-  * Added --enable-password-save to configure call to allow 
+  * Added --enable-password-save to configure call to allow
     --askpass and --auth-user-pass passwords to be read from a file.
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu,  3 Feb 2005 18:19:28 +0100
@@ -1192,7 +1246,7 @@ openvpn (1.99+2.beta17-1) unstable; urgency=low
 
 openvpn (1.99+2.beta16-2) unstable; urgency=low
 
-  * Patched ssl.c to fix bug in --key-method 1, that prevented 
+  * Patched ssl.c to fix bug in --key-method 1, that prevented
     OpenVPN 2.x from working with 1.x using that method.
     Thanks James for the prompt answer & patch.
     Thanks weasel for finding it out.
@@ -1242,7 +1296,7 @@ openvpn (1.99+2.beta15-1) unstable; urgency=low
     and not tell the maintainer directly.
   * Added Brazilian Portuguese debconf templates. (Closes: #279351)
   * Modified init.d script so that specifying a daemon option in a
-    VPN configuration won't make it fail. 
+    VPN configuration won't make it fail.
     Thanks Christoph Biedl for the patch. (Closes: #278302)
   * Added scripts to allow specifying 'openvpn name' in
     /etc/network/interfaces to have the tunnel created and destroyed with
@@ -1356,7 +1410,7 @@ openvpn (1.4.3-2) unstable; urgency=low
   * Moved initscripts sequence number to S16 from S20. This will make
     openvpn start earlier and be ready for other services. (Closes: #209225)
   * Added Depends: on debconf, it's used in the maintainer's scripts now.
-  * Added debconf template to ask for the creation of the TUN/TAP device 
+  * Added debconf template to ask for the creation of the TUN/TAP device
     node. (Closes: #211198)
 
  -- Alberto Gonzalez Iniesta <agi@agi.as>  Thu,  2 Oct 2003 21:39:46 +0200
@@ -1364,7 +1418,7 @@ openvpn (1.4.3-2) unstable; urgency=low
 openvpn (1.4.3-1) unstable; urgency=low
 
   * New upstream release
-  * Bumped Standards-Version to 3.6.1.0, no change. 
+  * Bumped Standards-Version to 3.6.1.0, no change.
   * Patched init.d script to support single vpn stop/start/restart.
     Thanks to Richard Mueller and Norbert Tretkowski (Closes: #204100)
 
@@ -1395,7 +1449,7 @@ openvpn (1.4.0-2) unstable; urgency=low
 openvpn (1.4.0-1) unstable; urgency=low
 
   * New upstream release (Closes: #179551)
-  * Re-enabled liblzo support. LZO's author made an exception in LZO's 
+  * Re-enabled liblzo support. LZO's author made an exception in LZO's
     license that permits OpenVPN to use LZO and OpenSSL. See copyright
     file.
 
@@ -1410,9 +1464,9 @@ openvpn (1.3.2-3) unstable; urgency=low
 
 openvpn (1.3.2-2) unstable; urgency=low
 
-  * Disabled liblzo1 support to fix license issues with Openssl. 
+  * Disabled liblzo1 support to fix license issues with Openssl.
     (Closes: #177497)
-  * Bumped Standards-Version to 3.5.8, no change. 
+  * Bumped Standards-Version to 3.5.8, no change.
 
  -- Alberto Gonzalez Iniesta <agi@agi.as>  Mon, 20 Jan 2003 16:09:16 +0100
 
@@ -1453,4 +1507,3 @@ openvpn (1.2.0-1) unstable; urgency=low
   * Initial Release. (Closes: #140463)
 
  -- Alberto Gonzalez Iniesta <agi@agi.as>  Thu, 23 May 2002 11:00:37 +0200
-
diff --git a/debian/compat b/debian/compat
index f599e28..b4de394 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-10
+11
diff --git a/debian/control b/debian/control
index 223ddc8..8f48a74 100644
--- a/debian/control
+++ b/debian/control
@@ -2,9 +2,9 @@ Source: openvpn
 Section: net
 Priority: optional
 Maintainer: Bernhard Schmidt <berni@debian.org>
-Uploaders: Jörg Frings-Fürst <debian@jff-webhosting.net>
+Uploaders: Jörg Frings-Fürst <debian@jff.email>
 Build-Depends:
- debhelper (>= 10),
+ debhelper (>= 11),
  dpkg-dev (>= 1.16.1),
  iproute2 [linux-any],
  liblz4-dev,
@@ -16,14 +16,14 @@ Build-Depends:
  net-tools [!linux-any],
  pkg-config,
  systemd [linux-any]
-Standards-Version: 4.1.2
+Standards-Version: 4.1.5
 Homepage: https://openvpn.net/
-Vcs-Git: https://anonscm.debian.org/git/collab-maint/openvpn.git
-Vcs-Browser: https://anonscm.debian.org/git/collab-maint/openvpn.git
+Vcs-Git: https://salsa.debian.org/debian/openvpn.git
+Vcs-Browser: https://salsa.debian.org/debian/openvpn
 
 Package: openvpn
 Architecture: any
-Depends: 
+Depends:
  debconf | debconf-2.0,
  ${shlibs:Depends},
  ${misc:Depends},
@@ -32,7 +32,8 @@ Depends:
  lsb-base (>= 3.0-6)
 Suggests:
  openssl,
- resolvconf
+ resolvconf,
+ openvpn-systemd-resolved
 Recommends: easy-rsa
 Description: virtual private network daemon
  OpenVPN is an application to securely tunnel IP networks over a
@@ -46,4 +47,3 @@ Description: virtual private network daemon
  OpenVPN may use static, pre-shared keys or TLS-based dynamic key exchange. It
  also supports VPNs with dynamic endpoints (DHCP or dial-up clients), tunnels
  over NAT or connection-oriented stateful firewalls (such as Linux's iptables).
-
diff --git a/debian/copyright b/debian/copyright
index bb0313c..a87a863 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,47 +1,321 @@
-This package was debianized by Alberto Gonzalez Iniesta <agi@agi.as> on
-Tue,  2 Apr 2002 12:24:50 +0200.
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: OpenVPN
+Upstream-Contact: OpenVPN Solutions LLC <info@openvpn.net>
+Source: https://openvpn.net/
 
-It was downloaded from http://www.openvpn.net
+Files: *
+Copyright: 2002-2018 OpenVPN Inc <sales@openvpn.net>
+License: GPL-2 with OpenSSL exception
 
-Upstream Author: James Yonan <jim@yonan.net>
+Files: aclocal.m4
+       compile
+       config.guess
+       config.sub
+       configure
+       depcomp
+       ltmain.sh
+       missing
+       m4/libtool.m4
+       m4/ltversion.m4
+Copyright: 1994-2015 Free Software Foundation, Inc.
+License: GPL-2+
 
-Copyright: (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
+Files: */Makefile.*
+Copyright: 1994-2015 Free Software Foundation, Inc.
+           2002-2018 OpenVPN Inc <sales@openvpn.net>
+           2006-2012 Alon Bar-Lev <alon.barlev@gmail.com>
+License: GPL-2
 
-   This package is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
+Files: src/openvpn/crypto.*
+       src/openvpn/crypto_*.*
+       src/openvpn/pkcs11_*.*
+       src/openvpn/ssl*
+       src/openvpn/tls_*
+       src/openvpn/openssl_compat.h
+       tests/unit_tests/openvpn/*
+Copyright: 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
+License: GPL-2
 
-   This package is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
+Files: build/ltrc.inc
+       build/msvc/msvc-generate/Makefile.mak
+Copyright: 2008-2012 Alon Bar-Lev <alon.barlev@gmail.com>
+License: GPL-2
 
-   You should have received a copy of the GNU General Public License
-   along with this package; if not, write to the Free Software 
-   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
-   MA 02110-1301, USA.
+Files: build/msvc/msvc-generate/msvc-generate.js
+Copyright: 2008-2012 Alon Bar-Lev <alon.barlev@gmail.com>
+License: BSD-3
 
-On Debian GNU/Linux systems, the complete text of the GNU General
-Public License can be found in `/usr/share/common-licenses/GPL-2'.
+Files: sample/sample-plugins/log/log_v3.c
+       src/compat/compat-basename.c
+       src/compat/compat-daemon.c
+       src/compat/compat-dirname.c
+       src/compat/compat-inet_ntop.c
+       src/compat/compat-inet_pton.c
+       src/compat/compat.h
+       src/openvpn/console.c
+       src/openvpn/console.h
+       src/openvpn/console_builtin.c
+       src/openvpn/console_systemd.c
+       src/openvpn/console_systemd.c
+       src/openvpn/misc.c
+       src/openvpn/options.c
+       src/openvpn/ssl.c
+       src/plugins/down-root/down-root.c
+Copyright: 2010-2016 David Sommerseth <davids@redhat.com>
+License: GPL-2
 
-    In addition, as a special exception, James Yonan gives
-    permission to link the code of this program with the OpenSSL
-    library (or with modified versions of OpenSSL that use the same
-    license as OpenSSL), and distribute linked combinations including
-    the two.  You must obey the GNU General Public License in all
-    respects for all of the code used other than OpenSSL.  If you modify
-    this file, you may extend this exception to your version of the
-    file, but you are not obligated to do so.  If you do not wish to
-    do so, delete this exception statement from your version.
+Files: src/compat/compat-lz4.c
+       src/compat/compat-lz4.h
+Copyright: 2011-2016 Yann Collet
+License: BSD-2
 
-Markus F.X.J. Oberhumer <markus@oberhumer.com> made the following 
-exception in LZO's license to make possible the use of LZO with OpenSSL
-in OpenVPN:
+Files: src/openvpn/base64.c
+       src/openvpn/base64.h
+Copyright: 1995 -2001 Kungliga Tekniska Högskolan
+License: BSD-3
 
-  Hereby I grant a special exception to the OpenVPN project
-  (http://openvpn.sourceforge.net) to link the LZO library with
-  the OpenSSL library (http://www.openssl.org).
+Files: include/openvpn-msg.h
+       src/openvpnserv/common.c
+       src/openvpnserv/service.h
+       src/openvpnserv/interactive.c
+Copyright: 2011-2018 Heiko Hund <heiko.hund@sophos.com>
+License: GPL-2
 
-        Markus F.X.J. Oberhumer
+Files: src/openvpn/block_dns.c
+Copyright: 2002-2018 OpenVPN Inc <sales@openvpn.net>
+           2015-2016  <iam@valdikss.org.ru>
+           2016 Selva Nair <selva.nair@gmail.com>
+License: GPL-2
 
+Files: src/openvpn/block_dns.h
+       src/openvpnserv/validate.h
+       src/openvpnserv/validate.c
+Copyright: 2016 Selva Nair <selva.nair@gmail.com>
+License: GPL-2
 
+Files: src/openvpn/comp-lz4.c
+       src/openvpn/comp-lz4.h
+Copyright: 2002-2018 OpenVPN Inc <sales@openvpn.net>
+           2013-2018 Gert Doering <gert@greenie.muc.de>
+License: GPL-2
+
+Files: src/openvpn/cryptoapi.c
+Copyright: 2004      Peter 'Luna' Runestig <peter@runestig.com>
+License: BSD-3
+
+Files: src/openvpn/ntlm.c
+Copyright: 2004      William Preston
+License: GPL-2
+
+Files: src/openvpn/ssl_mbedtls.c
+Copyright: 2002-2018 OpenVPN Inc <sales@openvpn.net>
+           2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
+           2006-2010 Brainspark B.V.
+License: GPL-2
+
+Files: src/openvpn/ssl_mbedtls.h
+Copyright: 2002-2018 OpenVPN Inc <sales@openvpn.net>
+           2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
+License: GPL-2
+
+Files: src/openvpnserv/service.c
+Copyright: 1993-2000 Microsoft Corporation
+           2013      Heiko Hund <heiko.hund@sophos.com>
+License: other
+
+Files: sample/sample-keys/gen-sample-keys.sh
+Copyright: 2014      Steffan Karger <steffan@karger.me>
+License: GPL-2
+
+Files: m4/pkg.m4
+Copyright: 2004      Scott James Remnant <scott@netsplit.com>.
+License: GPL-2+
+
+Files: install-sh
+Copyright: 1994      X Consortium
+License: MIT
+
+Files: tests/t_cltsrv.sh
+Copyright: 2005-2008  Matthias Andree
+License: GPL-2+
+
+Files: tests/t_lpback.sh
+Copyright: 2005       Matthias Andree
+           2014       Steffan Karger
+License: GPL-2+
+
+Files: debian/*
+Copyright: 2002-2017 Alberto Gonzalez Iniesta <agi@inittab.org>
+           2017-2018 Bernhard Schmidt <berni@debian.org>
+           2017-2018 Jörg Frings-Fürst <debian@jff.email>
+License: GPL-3+
+
+License: BSD-2
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+ .
+     * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+     * Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following disclaimer
+ in the documentation and/or other materials provided with the
+ distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ 
+License: BSD-3
+ All rights reserved.
+ .
+ Redistribution and use in source and binary forms, with or without 
+ modification, are permitted provided that the following conditions are met:
+ .
+ 1. Redistributions of source code must retain the above copyright notice, 
+    this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright notice, 
+    this list of conditions and the following disclaimer in the documentation 
+    and/or other materials provided with the distribution.
+ .
+ 3. Neither the name of the copyright holder nor the names of its contributors
+    may be used to endorse or promote products derived from this software 
+    without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
+ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+ POSSIBILITY OF SUCH DAMAGE.
+
+License: GPL-2
+ This program is free software; you can redistribute it
+ and/or modify it under the terms of the GNU General Public
+ License as published by the Free Software Foundation version
+ 2 of the License.
+ .
+ This program is distributed in the hope that it will be
+ useful, but WITHOUT ANY WARRANTY; without even the implied
+ warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE.  See the GNU General Public License for more
+ details.
+ .
+ You should have received a copy of the GNU General Public
+ License along with this package; if not, write to the Free
+ Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+ Boston, MA  02110-1301 USA
+ .
+ On Debian systems, the full text of the GNU General Public
+ License version 2 can be found in the file
+ `/usr/share/common-licenses/GPL-2'.
+
+License: GPL-2 with OpenSSL exception
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as
+ published by the Free Software Foundation; either version 2 of the
+ License.
+ .
+ This program is distributed in the hope that it will be useful, but
+ is provided AS IS, WITHOUT ANY WARRANTY; without even the implied
+ warranty of MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, and
+ NON-INFRINGEMENT.  See the GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ .
+ The complete text of the GNU General Public License
+ can be found in /usr/share/common-licenses/GPL-2 file.
+ .
+ In addition, as a special exception, the copyright holders give
+ permission to link the code of portions of this program with the
+ OpenSSL library under certain conditions as described in each
+ individual source file, and distribute linked combinations
+ including the two.
+ You must obey the GNU General Public License in all respects
+ for all of the code used other than OpenSSL.  If you modify
+ file(s) with this exception, you may extend this exception to your
+ version of the file(s), but you are not obligated to do so.  If you
+ do not wish to do so, delete this exception statement from your
+ version.  If you delete this exception statement from all source
+ files in the program, then also delete it here.
+
+License: GPL-2+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ .
+ The complete text of the GNU General Public License
+ can be found in /usr/share/common-licenses/GPL-2 file.
+
+License: GPL-3+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".
+
+License: MIT
+ All rights reserved.  No part of this source code may be reproduced,
+ stored in a retrieval system, or transmitted, in any form or by any
+ means, electronic, mechanical, photocopying, recording or otherwise,
+ except as stated in the end-user licence agreement, without the prior
+ permission of the copyright owners.
+ .
+ Permission to use, copy, modify, and distribute this software and its
+ documentation for any purpose and without fee is hereby granted, provided
+ that the above copyright notice appear in all copies and that both that
+ copyright notice and this permission notice appear in supporting
+ documentation, and that the name of OSF, UI or X/Open not be used in 
+ advertising or publicity pertaining to distribution of the software 
+ without specific, written prior permission.  OSF, UI and X/Open make 
+ no representations about the suitability of this software for any purpose.  
+ It is provided "as is" without express or implied warranty.
+ .
+ OSF, UI and X/Open DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 
+ INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 
+ EVENT SHALL OSF, UI or X/Open BE LIABLE FOR ANY SPECIAL, INDIRECT OR 
+ CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF 
+ USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR 
+ OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 
+ PERFORMANCE OF THIS SOFTWARE.
+
+License: other
+ THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+ ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+ TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+ PARTICULAR PURPOSE.
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..cec628c
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+pristine-tar = True
diff --git a/debian/openvpn.lintian-overrides b/debian/openvpn.lintian-overrides
deleted file mode 100644
index 91ae65a..0000000
--- a/debian/openvpn.lintian-overrides
+++ /dev/null
@@ -1,4 +0,0 @@
-# ChangeLog and Changes.rst are not the same.
-# ChangeLog contains the source changes and Changes.rst describes 
-# the program development.
-duplicate-changelog-files
diff --git a/debian/openvpn@.service b/debian/openvpn@.service
index 7f0134b..da7adc7 100644
--- a/debian/openvpn@.service
+++ b/debian/openvpn@.service
@@ -17,8 +17,8 @@ ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10
 PIDFile=/run/openvpn/%i.pid
 KillMode=process
 ExecReload=/bin/kill -HUP $MAINPID
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+LimitNPROC=100
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
 ProtectSystem=true
diff --git a/debian/patches/auth-pam_libpam_so_filename.patch b/debian/patches/auth-pam_libpam_so_filename.patch
index cfa9047..2e7e5c4 100644
--- a/debian/patches/auth-pam_libpam_so_filename.patch
+++ b/debian/patches/auth-pam_libpam_so_filename.patch
@@ -1,11 +1,11 @@
 Description: Fix libpam.so filename to /lib/libpam.so.0 in pam plugin
 Author: Alberto Gonzalez Iniesta <agi@inittab.org>
 Bug-Debian: http://bugs.debian.org/306335
-Index: openvpn/src/plugins/auth-pam/auth-pam.c
+Index: trunk/src/plugins/auth-pam/auth-pam.c
 ===================================================================
---- openvpn.orig/src/plugins/auth-pam/auth-pam.c	2016-12-27 18:45:37.638198402 +0100
-+++ openvpn/src/plugins/auth-pam/auth-pam.c	2016-12-27 18:45:37.638198402 +0100
-@@ -698,7 +698,7 @@
+--- trunk.orig/src/plugins/auth-pam/auth-pam.c
++++ trunk/src/plugins/auth-pam/auth-pam.c
+@@ -716,7 +716,7 @@ pam_server(int fd, const char *service,
      struct user_pass up;
      int command;
  #ifdef USE_PAM_DLOPEN
diff --git a/debian/patches/fix-pkcs11-helper-hang.patch b/debian/patches/fix-pkcs11-helper-hang.patch
new file mode 100644
index 0000000..41d9be1
--- /dev/null
+++ b/debian/patches/fix-pkcs11-helper-hang.patch
@@ -0,0 +1,13 @@
+Index: openvpn/src/openvpn/pkcs11.c
+===================================================================
+--- openvpn.orig/src/openvpn/pkcs11.c
++++ openvpn/src/openvpn/pkcs11.c
+@@ -312,7 +312,7 @@ pkcs11_initialize(
+ 
+     pkcs11h_setLogLevel(_pkcs11_msg_openvpn2pkcs11(get_debug_level()));
+ 
+-    if ((rv = pkcs11h_setForkMode(TRUE)) != CKR_OK)
++    if ((rv = pkcs11h_setForkMode(FALSE)) != CKR_OK)
+     {
+         msg(M_FATAL, "PKCS#11: Cannot set fork mode %ld-'%s'", rv, pkcs11h_getMessage(rv));
+         goto cleanup;
diff --git a/debian/patches/kfreebsd_support.patch b/debian/patches/kfreebsd_support.patch
index 4445e0d..4e89f32 100644
--- a/debian/patches/kfreebsd_support.patch
+++ b/debian/patches/kfreebsd_support.patch
@@ -1,11 +1,9 @@
 Description: Improve kFreeBSD support
 Author: Gonéri Le Bouder <goneri@rulezlan.org>
 Bug-Debian: http://bugs.debian.org/626062
-Index: openvpn/src/openvpn/route.c
-===================================================================
---- openvpn.orig/src/openvpn/route.c	2017-06-22 13:17:05.754630908 +0200
-+++ openvpn/src/openvpn/route.c	2017-06-22 13:17:05.750630880 +0200
-@@ -1689,7 +1689,7 @@
+--- a/src/openvpn/route.c
++++ b/src/openvpn/route.c
+@@ -1693,7 +1693,7 @@
      argv_msg(D_ROUTE, &argv);
      status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed");
  
@@ -14,7 +12,7 @@ Index: openvpn/src/openvpn/route.c
  
      argv_printf(&argv, "%s add",
                  ROUTE_PATH);
-@@ -1875,7 +1875,7 @@
+@@ -1879,7 +1879,7 @@
      network = print_in6_addr( r6->network, 0, &gc);
      gateway = print_in6_addr( r6->gateway, 0, &gc);
  
@@ -23,7 +21,7 @@ Index: openvpn/src/openvpn/route.c
      || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)    \
      || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
  
-@@ -2043,7 +2043,7 @@
+@@ -2047,7 +2047,7 @@
      argv_msg(D_ROUTE, &argv);
      status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed");
  
@@ -32,7 +30,7 @@ Index: openvpn/src/openvpn/route.c
  
      argv_printf(&argv, "%s add -inet6 %s/%d",
                  ROUTE_PATH,
-@@ -2227,7 +2227,7 @@
+@@ -2239,7 +2239,7 @@
      argv_msg(D_ROUTE, &argv);
      openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed");
  
@@ -41,7 +39,7 @@ Index: openvpn/src/openvpn/route.c
  
      argv_printf(&argv, "%s delete -net %s %s %s",
                  ROUTE_PATH,
-@@ -2334,7 +2334,7 @@
+@@ -2346,7 +2346,7 @@
      network = print_in6_addr( r6->network, 0, &gc);
      gateway = print_in6_addr( r6->gateway, 0, &gc);
  
@@ -50,7 +48,7 @@ Index: openvpn/src/openvpn/route.c
      || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)    \
      || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
  
-@@ -2469,7 +2469,7 @@
+@@ -2481,7 +2481,7 @@
      argv_msg(D_ROUTE, &argv);
      openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed");
  
@@ -59,7 +57,7 @@ Index: openvpn/src/openvpn/route.c
  
      argv_printf(&argv, "%s delete -inet6 %s/%d",
                  ROUTE_PATH,
-@@ -3514,7 +3514,8 @@
+@@ -3532,7 +3532,8 @@
  
  #elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS)    \
      || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)    \
@@ -69,20 +67,18 @@ Index: openvpn/src/openvpn/route.c
  
  #include <sys/types.h>
  #include <sys/socket.h>
-Index: openvpn/src/openvpn/tun.c
-===================================================================
---- openvpn.orig/src/openvpn/tun.c	2017-06-22 13:17:05.754630908 +0200
-+++ openvpn/src/openvpn/tun.c	2017-06-22 13:17:05.750630880 +0200
-@@ -843,7 +843,7 @@
+--- a/src/openvpn/tun.c
++++ b/src/openvpn/tun.c
+@@ -845,7 +845,7 @@
  #endif /* if defined(_WIN32) || defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) */
  
  #if defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)  \
--    || defined(TARGET_OPENBSD)
-+    || defined(TARGET_OPENBSD) || defined(__FreeBSD_kernel__)
+-    || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD)
++    || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) || defined(__FreeBSD_kernel__)
  /* we can't use true subnet mode on tun on all platforms, as that
   * conflicts with IPv6 (wants to use ND then, which we don't do),
   * but the OSes want "a remote address that is different from ours"
-@@ -1412,7 +1412,7 @@
+@@ -1429,7 +1429,7 @@
              add_route_connected_v6_net(tt, es);
          }
  
@@ -91,7 +87,7 @@ Index: openvpn/src/openvpn/tun.c
  
          in_addr_t remote_end;           /* for "virtual" subnet topology */
  
-@@ -2770,7 +2770,7 @@
+@@ -2785,7 +2785,7 @@
      }
  }
  
@@ -100,10 +96,8 @@ Index: openvpn/src/openvpn/tun.c
  
  static inline int
  freebsd_modify_read_write_return(int len)
-Index: openvpn/src/openvpn/lladdr.c
-===================================================================
---- openvpn.orig/src/openvpn/lladdr.c	2017-06-22 13:17:05.754630908 +0200
-+++ openvpn/src/openvpn/lladdr.c	2017-06-22 13:17:05.750630880 +0200
+--- a/src/openvpn/lladdr.c
++++ b/src/openvpn/lladdr.c
 @@ -50,7 +50,7 @@
                  "%s %s lladdr %s",
                  IFCONFIG_PATH,
@@ -113,10 +107,8 @@ Index: openvpn/src/openvpn/lladdr.c
      argv_printf(&argv,
                  "%s %s ether %s",
                  IFCONFIG_PATH,
-Index: openvpn/src/openvpn/syshead.h
-===================================================================
---- openvpn.orig/src/openvpn/syshead.h	2017-06-22 13:17:05.754630908 +0200
-+++ openvpn/src/openvpn/syshead.h	2017-06-22 13:17:05.750630880 +0200
+--- a/src/openvpn/syshead.h
++++ b/src/openvpn/syshead.h
 @@ -297,7 +297,7 @@
  
  #endif /* TARGET_OPENBSD */
@@ -126,11 +118,9 @@ Index: openvpn/src/openvpn/syshead.h
  
  #ifdef HAVE_SYS_UIO_H
  #include <sys/uio.h>
-Index: openvpn/src/openvpn/ssl.c
-===================================================================
---- openvpn.orig/src/openvpn/ssl.c	2017-06-22 13:17:05.754630908 +0200
-+++ openvpn/src/openvpn/ssl.c	2017-06-22 13:17:05.750630880 +0200
-@@ -2269,7 +2269,7 @@
+--- a/src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -2270,7 +2270,7 @@
          buf_printf(&out, "IV_PLAT=mac\n");
  #elif defined(TARGET_NETBSD)
          buf_printf(&out, "IV_PLAT=netbsd\n");
diff --git a/debian/patches/openvpn-pkcs11warn.patch b/debian/patches/openvpn-pkcs11warn.patch
index 1fabddd..71b2ac8 100644
--- a/debian/patches/openvpn-pkcs11warn.patch
+++ b/debian/patches/openvpn-pkcs11warn.patch
@@ -1,11 +1,11 @@
 Description: Warn users about deprecated pkcs11 options
 Author: Florian Kulzer <florian.kulzer+debian@icfo.es>
 Bug-Debian: http://bugs.debian.org/475353
-Index: openvpn/src/openvpn/options.c
+Index: trunk/src/openvpn/options.c
 ===================================================================
---- openvpn.orig/src/openvpn/options.c	2017-06-22 13:16:58.862582114 +0200
-+++ openvpn/src/openvpn/options.c	2017-06-22 13:16:58.862582114 +0200
-@@ -6818,6 +6818,20 @@
+--- trunk.orig/src/openvpn/options.c
++++ trunk/src/openvpn/options.c
+@@ -6861,6 +6861,20 @@ add_option(struct options *options,
          options->port_share_port = p[2];
          options->port_share_journal_dir = p[3];
      }
diff --git a/debian/patches/series b/debian/patches/series
index 156ff6f..8b19c3d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,6 @@ debian_nogroup_for_sample_files.patch
 openvpn-pkcs11warn.patch
 kfreebsd_support.patch
 match-manpage-and-command-help.patch
+spelling_errors.patch
+systemd.patch
+fix-pkcs11-helper-hang.patch
diff --git a/debian/patches/spelling_errors.patch b/debian/patches/spelling_errors.patch
new file mode 100644
index 0000000..cac36d3
--- /dev/null
+++ b/debian/patches/spelling_errors.patch
@@ -0,0 +1,53 @@
+Description: correct tspelling errors
+Author: Jörg Frings-Fürst <debian@jff.email>
+Last-Update: 2018-07-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/src/openvpn/buffer.c
+===================================================================
+--- trunk.orig/src/openvpn/buffer.c
++++ trunk/src/openvpn/buffer.c
+@@ -44,7 +44,7 @@ array_mult_safe(const size_t m1, const s
+     unsigned long long res = (unsigned long long)m1 * (unsigned long long)m2 + (unsigned long long)extra;
+     if (unlikely(m1 > limit) || unlikely(m2 > limit) || unlikely(extra > limit) || unlikely(res > (unsigned long long)limit))
+     {
+-        msg(M_FATAL, "attemped allocation of excessively large array");
++        msg(M_FATAL, "attempted allocation of excessively large array");
+     }
+     return (size_t) res;
+ }
+Index: trunk/src/openvpn/options.c
+===================================================================
+--- trunk.orig/src/openvpn/options.c
++++ trunk/src/openvpn/options.c
+@@ -448,7 +448,7 @@ static const char usage_message[] =
+     "                  user/pass via environment, if method='via-file', pass\n"
+     "                  user/pass via temporary file.\n"
+     "--auth-gen-token  [lifetime] Generate a random authentication token which is pushed\n"
+-    "                  to each client, replacing the password.  Usefull when\n"
++    "                  to each client, replacing the password.  Useful when\n"
+     "                  OTP based two-factor auth mechanisms are in use and\n"
+     "                  --reneg-* options are enabled. Optionally a lifetime in seconds\n"
+     "                  for generated tokens can be set.\n"
+Index: trunk/doc/openvpn.8
+===================================================================
+--- trunk.orig/doc/openvpn.8
++++ trunk/doc/openvpn.8
+@@ -2181,7 +2181,7 @@ that
+ is parsed on the command line even though
+ the daemonization point occurs later.  If one of the
+ .B \-\-log
+-options is present, it will supercede syslog
++options is present, it will supersede syslog
+ redirection.
+ 
+ The optional
+@@ -2292,7 +2292,7 @@ If
+ already exists it will be truncated.
+ This option takes effect
+ immediately when it is parsed in the command line
+-and will supercede syslog output if
++and will supersede syslog output if
+ .B \-\-daemon
+ or
+ .B \-\-inetd
diff --git a/debian/patches/systemd.patch b/debian/patches/systemd.patch
new file mode 100644
index 0000000..ccbecfd
--- /dev/null
+++ b/debian/patches/systemd.patch
@@ -0,0 +1,29 @@
+Description: remove syslog.target
+Author: Jörg Frings-Fürst <debian@jff.email>
+Last-Update: 2018-07-29 
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/distro/systemd/openvpn-client@.service.in
+===================================================================
+--- trunk.orig/distro/systemd/openvpn-client@.service.in
++++ trunk/distro/systemd/openvpn-client@.service.in
+@@ -1,6 +1,6 @@
+ [Unit]
+ Description=OpenVPN tunnel for %I
+-After=syslog.target network-online.target
++After=network-online.target
+ Wants=network-online.target
+ Documentation=man:openvpn(8)
+ Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Index: trunk/distro/systemd/openvpn-server@.service.in
+===================================================================
+--- trunk.orig/distro/systemd/openvpn-server@.service.in
++++ trunk/distro/systemd/openvpn-server@.service.in
+@@ -1,6 +1,6 @@
+ [Unit]
+ Description=OpenVPN service for %I
+-After=syslog.target network-online.target
++After=network-online.target
+ Wants=network-online.target
+ Documentation=man:openvpn(8)
+ Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
diff --git a/debian/rules b/debian/rules
index 603d9a0..7bec9d2 100755
--- a/debian/rules
+++ b/debian/rules
@@ -3,7 +3,7 @@
 ifeq ($(DEB_HOST_ARCH_OS), kfreebsd)
 # Avoid the /sbin/route wrapper which doesn't provide FreeBSD CLI as expected
 ENV_VARS	:= IFCONFIG=/sbin/ifconfig ROUTE=/lib/freebsd/route
-EXTRA_ARGS	:= 
+EXTRA_ARGS	:=
 else
 ENV_VARS	:= SYSTEMD_ASK_PASSWORD=/bin/systemd-ask-password IFCONFIG=/sbin/ifconfig ROUTE=/sbin/route IPROUTE=/sbin/ip SYSTEMD_UNIT_DIR=/lib/systemd/system TMPFILES_DIR=/usr/lib/tmpfiles.d
 EXTRA_ARGS	:= --enable-systemd --enable-iproute2
@@ -52,7 +52,7 @@ override_dh_auto_install:
 	install -m 755 debian/openvpn.if-up.d $(CURDIR)/debian/openvpn/etc/network/if-up.d/openvpn
 	install -m 755 debian/openvpn.if-down.d $(CURDIR)/debian/openvpn/etc/network/if-down.d/openvpn
 	# remove unwanted plugin files
-	rm -f $(CURDIR)/debian/openvpn/usr/lib/$(DEB_HOST_GNU_TYPE)/openvpn/plugins/*.la
+	$(RM) $(CURDIR)/debian/openvpn/usr/lib/$(DEB_HOST_GNU_TYPE)/openvpn/plugins/*.la
 	# resolvconf script
 	install -m 755 debian/update-resolv-conf $(CURDIR)/debian/openvpn/etc/openvpn/update-resolv-conf
 	# bash completion
@@ -61,14 +61,15 @@ override_dh_auto_install:
 ifeq ($(DEB_HOST_ARCH_OS), linux)
 	cat debian/openvpn.conf >> $(CURDIR)/debian/openvpn/usr/lib/tmpfiles.d/openvpn.conf
 endif
+	$(RM) $(CURDIR)/debian/openvpn/usr/share/doc/openvpn/COPYING
 
 override_dh_installexamples:
 	dh_installexamples
 	## remove windoze stuff
-	rm -rf $(CURDIR)/debian/openvpn/usr/share/doc/openvpn/examples/easy-rsa/Windows
-	rm -rf $(CURDIR)/debian/openvpn/usr/share/doc/openvpn/sample
+	$(RM) -r $(CURDIR)/debian/openvpn/usr/share/doc/openvpn/examples/easy-rsa/Windows
+	$(RM) -r $(CURDIR)/debian/openvpn/usr/share/doc/openvpn/sample
 	# remove gitignore file from samples
-	rm -f $(CURDIR)/debian/openvpn/usr/share/doc/openvpn/examples/sample-keys/.gitignore
+	$(RM) $(CURDIR)/debian/openvpn/usr/share/doc/openvpn/examples/sample-keys/.gitignore
 
 override_dh_installinit:
 	dh_installinit --no-start -- defaults 16 80
@@ -76,6 +77,5 @@ override_dh_installinit:
 override_dh_compress:
 	dh_compress --exclude=.cnf --exclude=pkitool
 
-override_dh_systemd_start:
-	dh_systemd_start --restart-after-upgrade
-
+override_dh_installsystemd:
+	dh_installsystemd --restart-after-upgrade
diff --git a/debian/update-resolv-conf b/debian/update-resolv-conf
index fc2f031..61b15d9 100644
--- a/debian/update-resolv-conf
+++ b/debian/update-resolv-conf
@@ -15,7 +15,11 @@
 #     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
 #
 
-[ -x /sbin/resolvconf ] || exit 0
+if [ ! -x /sbin/resolvconf ] ; then
+    logger "[OpenVPN:update-resolve-conf] missing binary /sbin/resolvconf";
+    exit 0;
+fi
+
 [ "$script_type" ] || exit 0
 [ "$dev" ] || exit 0
 
@@ -30,7 +34,8 @@ case "$script_type" in
   up)
 	NMSRVRS=""
 	SRCHS=""
-	for optionvarname in ${!foreign_option_*} ; do
+	foreign_options=$(printf '%s\n' ${!foreign_option_*} | sort -t _ -k 3 -g)
+	for optionvarname in ${foreign_options} ; do
 		option="${!optionvarname}"
 		echo "$option"
 		split_into_parts $option
diff --git a/debian/watch b/debian/watch
index bffdf20..cda3cd9 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,3 +1,3 @@
-version=3
-http://openvpn.net/index.php/open-source/downloads.html \
+version=4
+https://openvpn.net/index.php/open-source/downloads.html \
 (?:|.*/)openvpn(?:[_\-]v?|)(\d[^\s/]*)\.(?:tar\.xz|txz|tar\.bz2|tbz2|tar\.gz|tgz)