Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/auth-pam_libpam_so_filename.patch16
-rw-r--r--debian/patches/debian_nogroup_for_sample_files.patch81
-rw-r--r--debian/patches/kfreebsd_support.patch141
-rw-r--r--debian/patches/match-manpage-and-command-help.patch22
-rw-r--r--debian/patches/move_log_dir.patch41
-rw-r--r--debian/patches/openvpn-pkcs11warn.patch28
-rw-r--r--debian/patches/series8
-rw-r--r--debian/patches/spelling_errors.patch53
-rw-r--r--debian/patches/systemd.patch29
9 files changed, 419 insertions, 0 deletions
diff --git a/debian/patches/auth-pam_libpam_so_filename.patch b/debian/patches/auth-pam_libpam_so_filename.patch
new file mode 100644
index 0000000..2e7e5c4
--- /dev/null
+++ b/debian/patches/auth-pam_libpam_so_filename.patch
@@ -0,0 +1,16 @@
+Description: Fix libpam.so filename to /lib/libpam.so.0 in pam plugin
+Author: Alberto Gonzalez Iniesta <agi@inittab.org>
+Bug-Debian: http://bugs.debian.org/306335
+Index: trunk/src/plugins/auth-pam/auth-pam.c
+===================================================================
+--- trunk.orig/src/plugins/auth-pam/auth-pam.c
++++ trunk/src/plugins/auth-pam/auth-pam.c
+@@ -716,7 +716,7 @@ pam_server(int fd, const char *service,
+ struct user_pass up;
+ int command;
+ #ifdef USE_PAM_DLOPEN
+- static const char pam_so[] = "libpam.so";
++ static const char pam_so[] = "libpam.so.0";
+ #endif
+
+ /*
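Review bot: The Description header promises `/lib/libpam.so.0`, but the new `pam_so[]` value is the bare soname `libpam.so.0`, so the library is located through the dynamic loader's search path rather than at a fixed location. This string is presumably what the plugin loads under `USE_PAM_DLOPEN` in a process that handles credentials, so the header should say what the code does, e.g. `Description: Load libpam by soname (libpam.so.0) in the pam plugin`. A `Forwarded:` field, as carried by move_log_dir.patch, would also record whether upstream has seen this. pam_server() starts and ends outside the hunk, so the use of `pam_so` is not visible here.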
diff --git a/debian/patches/debian_nogroup_for_sample_files.patch b/debian/patches/debian_nogroup_for_sample_files.patch
new file mode 100644
index 0000000..f7dcaaa
--- /dev/null
+++ b/debian/patches/debian_nogroup_for_sample_files.patch
@@ -0,0 +1,81 @@
+Description: Unpriviledged group in Debian is called nogroup instead of nobody
+Author: Alberto Gonzalez Iniesta <agi@inittab.org>
+Bug-Debian: http://bugs.debian.org/317987
+Index: openvpn/sample/sample-config-files/server.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/server.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/server.conf 2016-11-21 09:53:43.604863188 +0100
+@@ -272,7 +272,7 @@
+ # You can uncomment this out on
+ # non-Windows systems.
+ ;user nobody
+-;group nobody
++;group nogroup
+
+ # The persist options will try to avoid
+ # accessing certain resources on restart
+Index: openvpn/sample/sample-config-files/tls-home.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/tls-home.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/tls-home.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -51,7 +51,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
+Index: openvpn/sample/sample-config-files/static-home.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/static-home.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/static-home.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -43,7 +43,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
+Index: openvpn/sample/sample-config-files/static-office.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/static-office.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/static-office.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -40,7 +40,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
+Index: openvpn/sample/sample-config-files/client.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/client.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/client.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -59,7 +59,7 @@
+
+ # Downgrade privileges after initialization (non-Windows only)
+ ;user nobody
+-;group nobody
++;group nogroup
+
+ # Try to preserve some state across restarts.
+ persist-key
+Index: openvpn/sample/sample-config-files/tls-office.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/tls-office.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/tls-office.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -51,7 +51,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
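Review bot: All six sample files still point the privilege drop at the shared `nobody`/`nogroup` identities and leave both lines commented out, so a configuration copied from them keeps its start-up privileges unless the admin edits it. An account shared with other daemons isolates less than a dedicated one; a comment beside the changed lines such as `# Prefer a dedicated unprivileged user/group for OpenVPN where one exists.` would make that explicit. The Description also misspells "Unprivileged" as "Unpriviledged".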
diff --git a/debian/patches/kfreebsd_support.patch b/debian/patches/kfreebsd_support.patch
new file mode 100644
index 0000000..7780e0d
--- /dev/null
+++ b/debian/patches/kfreebsd_support.patch
@@ -0,0 +1,141 @@
+Description: Improve kFreeBSD support
+Author: Gonéri Le Bouder <goneri@rulezlan.org>
+Bug-Debian: http://bugs.debian.org/626062
+Index: trunk/src/openvpn/route.c
+===================================================================
+--- trunk.orig/src/openvpn/route.c
++++ trunk/src/openvpn/route.c
+@@ -1693,7 +1693,7 @@ add_route(struct route_ipv4 *r,
+ argv_msg(D_ROUTE, &argv);
+ status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed");
+
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+
+ argv_printf(&argv, "%s add",
+ ROUTE_PATH);
+@@ -1879,7 +1879,7 @@ add_route_ipv6(struct route_ipv6 *r6, co
+ network = print_in6_addr( r6->network, 0, &gc);
+ gateway = print_in6_addr( r6->gateway, 0, &gc);
+
+-#if defined(TARGET_DARWIN) \
++#if defined(TARGET_DARWIN) || defined(__FreeBSD_kernel__) \
+ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
+ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
+
+@@ -2047,7 +2047,7 @@ add_route_ipv6(struct route_ipv6 *r6, co
+ argv_msg(D_ROUTE, &argv);
+ status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed");
+
+-#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
++#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(__FreeBSD_kernel__)
+
+ argv_printf(&argv, "%s add -inet6 %s/%d",
+ ROUTE_PATH,
+@@ -2239,7 +2239,7 @@ delete_route(struct route_ipv4 *r,
+ argv_msg(D_ROUTE, &argv);
+ openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed");
+
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+
+ argv_printf(&argv, "%s delete -net %s %s %s",
+ ROUTE_PATH,
+@@ -2346,7 +2346,7 @@ delete_route_ipv6(const struct route_ipv
+ network = print_in6_addr( r6->network, 0, &gc);
+ gateway = print_in6_addr( r6->gateway, 0, &gc);
+
+-#if defined(TARGET_DARWIN) \
++#if defined(TARGET_DARWIN) || defined(__FreeBSD_kernel__) \
+ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
+ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
+
+@@ -2481,7 +2481,7 @@ delete_route_ipv6(const struct route_ipv
+ argv_msg(D_ROUTE, &argv);
+ openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed");
+
+-#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
++#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(__FreeBSD_kernel__)
+
+ argv_printf(&argv, "%s delete -inet6 %s/%d",
+ ROUTE_PATH,
+@@ -3532,7 +3532,8 @@ done:
+
+ #elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) \
+ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
+- || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
++ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) \
++ || defined(__FreeBSD_kernel__)
+
+ #include <sys/types.h>
+ #include <sys/socket.h>
+Index: trunk/src/openvpn/tun.c
+===================================================================
+--- trunk.orig/src/openvpn/tun.c
++++ trunk/src/openvpn/tun.c
+@@ -845,7 +845,7 @@ delete_route_connected_v6_net(struct tun
+ #endif /* if defined(_WIN32) || defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) */
+
+ #if defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
+- || defined(TARGET_OPENBSD)
++ || defined(TARGET_OPENBSD) || defined(__FreeBSD_kernel__)
+ /* we can't use true subnet mode on tun on all platforms, as that
+ * conflicts with IPv6 (wants to use ND then, which we don't do),
+ * but the OSes want "a remote address that is different from ours"
+@@ -1414,7 +1414,7 @@ do_ifconfig(struct tuntap *tt,
+ add_route_connected_v6_net(tt, es);
+ }
+
+-#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
++#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(__FreeBSD_kernel__)
+
+ in_addr_t remote_end; /* for "virtual" subnet topology */
+
+@@ -2770,7 +2770,7 @@ read_tun(struct tuntap *tt, uint8_t *buf
+ }
+ }
+
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD)||defined(__FreeBSD_kernel__)
+
+ static inline int
+ freebsd_modify_read_write_return(int len)
+Index: trunk/src/openvpn/lladdr.c
+===================================================================
+--- trunk.orig/src/openvpn/lladdr.c
++++ trunk/src/openvpn/lladdr.c
+@@ -50,7 +50,7 @@ set_lladdr(const char *ifname, const cha
+ "%s %s lladdr %s",
+ IFCONFIG_PATH,
+ ifname, lladdr);
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+ argv_printf(&argv,
+ "%s %s ether %s",
+ IFCONFIG_PATH,
+Index: trunk/src/openvpn/syshead.h
+===================================================================
+--- trunk.orig/src/openvpn/syshead.h
++++ trunk/src/openvpn/syshead.h
+@@ -297,7 +297,7 @@
+
+ #endif /* TARGET_OPENBSD */
+
+-#ifdef TARGET_FREEBSD
++#if defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+
+ #ifdef HAVE_SYS_UIO_H
+ #include <sys/uio.h>
+Index: trunk/src/openvpn/ssl.c
+===================================================================
+--- trunk.orig/src/openvpn/ssl.c
++++ trunk/src/openvpn/ssl.c
+@@ -2265,7 +2265,7 @@ push_peer_info(struct buffer *buf, struc
+ buf_printf(&out, "IV_PLAT=mac\n");
+ #elif defined(TARGET_NETBSD)
+ buf_printf(&out, "IV_PLAT=netbsd\n");
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+ buf_printf(&out, "IV_PLAT=freebsd\n");
+ #elif defined(TARGET_ANDROID)
+ buf_printf(&out, "IV_PLAT=android\n");
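Review bot: Repeating `|| defined(__FreeBSD_kernel__)` at each `TARGET_FREEBSD` test in route.c, tun.c, lladdr.c, syshead.h and ssl.c is fragile: any FreeBSD branch that upstream adds later, or one this patch missed, silently falls through to another platform's code on kFreeBSD. Mapping the macro once, for example `#if defined(__FreeBSD_kernel__) && !defined(TARGET_FREEBSD)` / `#define TARGET_FREEBSD 1` / `#endif` near the top of syshead.h, would cover every site, assuming syshead.h is included before the first test. The read_tun hunk in tun.c also writes the condition without spaces around `||`, unlike the other sites. Note too that the ssl.c change makes kFreeBSD peers report `IV_PLAT=freebsd`; if that is intended, a one-line comment there would say so. All enclosing functions start and end outside these hunks.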
diff --git a/debian/patches/match-manpage-and-command-help.patch b/debian/patches/match-manpage-and-command-help.patch
new file mode 100644
index 0000000..39b899c
--- /dev/null
+++ b/debian/patches/match-manpage-and-command-help.patch
@@ -0,0 +1,22 @@
+From a88d8ba3e81ca34fc2675805a273cd85875c8973 Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne@rfc2549.org>
+Date: Wed, 4 Jan 2017 19:18:46 +0100
+Subject: [PATCH] Change command help to match man page and implementation
+
+---
+ src/openvpn/options.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openvpn/src/openvpn/options.c
+===================================================================
+--- openvpn.orig/src/openvpn/options.c 2017-06-22 13:17:12.806680520 +0200
++++ openvpn/src/openvpn/options.c 2017-06-22 13:17:12.802680492 +0200
+@@ -197,7 +197,7 @@
+ " is established. Multiple routes can be specified.\n"
+ " netmask default: 255.255.255.255\n"
+ " gateway default: taken from --route-gateway or --ifconfig\n"
+- " Specify default by leaving blank or setting to \"nil\".\n"
++ " Specify default by leaving blank or setting to \"default\".\n"
+ "--route-ipv6 network/bits [gateway] [metric] :\n"
+ " Add IPv6 route to routing table after connection\n"
+ " is established. Multiple routes can be specified.\n"
diff --git a/debian/patches/move_log_dir.patch b/debian/patches/move_log_dir.patch
new file mode 100644
index 0000000..4518461
--- /dev/null
+++ b/debian/patches/move_log_dir.patch
@@ -0,0 +1,41 @@
+Description: Set default logdir to /var/log/openvpn
+Author: Jörg Frings-Fürst <debian@jff-webhosting.net>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444431
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553303
+Forwarded: not-needed
+Last-Update: 2017-10-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/sample/sample-config-files/server.conf
+===================================================================
+--- trunk.orig/sample/sample-config-files/server.conf
++++ trunk/sample/sample-config-files/server.conf
+@@ -105,7 +105,7 @@ server 10.8.0.0 255.255.255.0
+ # is restarted, reconnecting clients can be assigned
+ # the same virtual IP address from the pool that was
+ # previously assigned.
+-ifconfig-pool-persist ipp.txt
++ifconfig-pool-persist /var/log/openvpn/ipp.txt
+
+ # Configure server mode for ethernet bridging.
+ # You must first use your OS's bridging capability
+@@ -284,7 +284,7 @@ persist-tun
+ # Output a short status file showing
+ # current connections, truncated
+ # and rewritten every minute.
+-status openvpn-status.log
++status /var/log/openvpn/openvpn-status.log
+
+ # By default, log messages will go to the syslog (or
+ # on Windows, if running as a service, they will go to
+@@ -293,8 +293,8 @@ status openvpn-status.log
+ # "log" will truncate the log file on OpenVPN startup,
+ # while "log-append" will append to it. Use one
+ # or the other (but not both).
+-;log openvpn.log
+-;log-append openvpn.log
++;log /var/log/openvpn/openvpn.log
++;log-append /var/log/openvpn/openvpn.log
+
+ # Set the appropriate level of log
+ # file verbosity.
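Review bot: `ifconfig-pool-persist /var/log/openvpn/ipp.txt` puts persistent address-pool state in a log directory, where log cleanup or rotation may remove it; a state directory would suit that one line better than `/var/log/openvpn`. The status file and logs moved to the same directory record client connections, so the directory has to exist before start-up and its read access should be restricted. Nothing in this patch shows where it is created or with what mode. If the package's maintainer scripts handle that, a comment in the sample such as `# /var/log/openvpn is created by the package with restricted permissions.` would tell admins what to expect.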
diff --git a/debian/patches/openvpn-pkcs11warn.patch b/debian/patches/openvpn-pkcs11warn.patch
new file mode 100644
index 0000000..71b2ac8
--- /dev/null
+++ b/debian/patches/openvpn-pkcs11warn.patch
@@ -0,0 +1,28 @@
+Description: Warn users about deprecated pkcs11 options
+Author: Florian Kulzer <florian.kulzer+debian@icfo.es>
+Bug-Debian: http://bugs.debian.org/475353
+Index: trunk/src/openvpn/options.c
+===================================================================
+--- trunk.orig/src/openvpn/options.c
++++ trunk/src/openvpn/options.c
+@@ -6861,6 +6861,20 @@ add_option(struct options *options,
+ options->port_share_port = p[2];
+ options->port_share_journal_dir = p[3];
+ }
++ else if (streq (p[0], "pkcs11-id-type") ||
++ streq (p[0], "pkcs11-sign-mode") ||
++ streq (p[0], "pkcs11-slot") ||
++ streq (p[0], "pkcs11-slot-type") ||
++ streq (p[0], "show-pkcs11-objects") ||
++ streq (p[0], "show-pkcs11-slots"))
++ {
++ if (file)
++ msg (msglevel, "You are using an obsolete parameter in %s:%d: %s (%s).\nPlease see /usr/share/doc/openvpn/NEWS.Debian.gz for details.",
++ file, line, p[0], PACKAGE_VERSION);
++ else
++ msg (msglevel, "You are using an obsolete parameter: --%s (%s).\nPlease see /usr/share/doc/openvpn/NEWS.Debian.gz for details.",
++ p[0], PACKAGE_VERSION);
++ }
+ #endif
+ else if (streq(p[0], "client-to-client") && !p[1])
+ {
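Review bot: The new `else if (streq (p[0], "pkcs11-id-type") || ...)` branch is inserted above the `#endif`, so it is compiled only when the conditional block that ends there is enabled; the opening `#if` is outside the hunk, but the preceding context sets `port_share_*` fields, which suggests an unrelated feature guard. On builds without that feature the deprecation warning would vanish and these options would reach whatever handles unknown options instead. Moving the whole branch below `#endif` avoids that. The `if (file)`/`else` arms are also unbraced and written as `msg (` and `streq (` with a space, unlike the braced `streq(` style of the surrounding context, and the embedded `\n` splits one log record across two lines.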
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..a903d3d
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,8 @@
+move_log_dir.patch
+auth-pam_libpam_so_filename.patch
+debian_nogroup_for_sample_files.patch
+openvpn-pkcs11warn.patch
+kfreebsd_support.patch
+match-manpage-and-command-help.patch
+spelling_errors.patch
+systemd.patch
diff --git a/debian/patches/spelling_errors.patch b/debian/patches/spelling_errors.patch
new file mode 100644
index 0000000..cac36d3
--- /dev/null
+++ b/debian/patches/spelling_errors.patch
@@ -0,0 +1,53 @@
+Description: correct tspelling errors
+Author: Jörg Frings-Fürst <debian@jff.email>
+Last-Update: 2018-07-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/src/openvpn/buffer.c
+===================================================================
+--- trunk.orig/src/openvpn/buffer.c
++++ trunk/src/openvpn/buffer.c
+@@ -44,7 +44,7 @@ array_mult_safe(const size_t m1, const s
+ unsigned long long res = (unsigned long long)m1 * (unsigned long long)m2 + (unsigned long long)extra;
+ if (unlikely(m1 > limit) || unlikely(m2 > limit) || unlikely(extra > limit) || unlikely(res > (unsigned long long)limit))
+ {
+- msg(M_FATAL, "attemped allocation of excessively large array");
++ msg(M_FATAL, "attempted allocation of excessively large array");
+ }
+ return (size_t) res;
+ }
+Index: trunk/src/openvpn/options.c
+===================================================================
+--- trunk.orig/src/openvpn/options.c
++++ trunk/src/openvpn/options.c
+@@ -448,7 +448,7 @@ static const char usage_message[] =
+ " user/pass via environment, if method='via-file', pass\n"
+ " user/pass via temporary file.\n"
+ "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
+- " to each client, replacing the password. Usefull when\n"
++ " to each client, replacing the password. Useful when\n"
+ " OTP based two-factor auth mechanisms are in use and\n"
+ " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
+ " for generated tokens can be set.\n"
+Index: trunk/doc/openvpn.8
+===================================================================
+--- trunk.orig/doc/openvpn.8
++++ trunk/doc/openvpn.8
+@@ -2181,7 +2181,7 @@ that
+ is parsed on the command line even though
+ the daemonization point occurs later. If one of the
+ .B \-\-log
+-options is present, it will supercede syslog
++options is present, it will supersede syslog
+ redirection.
+
+ The optional
+@@ -2292,7 +2292,7 @@ If
+ already exists it will be truncated.
+ This option takes effect
+ immediately when it is parsed in the command line
+-and will supercede syslog output if
++and will supersede syslog output if
+ .B \-\-daemon
+ or
+ .B \-\-inetd
diff --git a/debian/patches/systemd.patch b/debian/patches/systemd.patch
new file mode 100644
index 0000000..ccbecfd
--- /dev/null
+++ b/debian/patches/systemd.patch
@@ -0,0 +1,29 @@
+Description: remove syslog.target
+Author: Jörg Frings-Fürst <debian@jff.email>
+Last-Update: 2018-07-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/distro/systemd/openvpn-client@.service.in
+===================================================================
+--- trunk.orig/distro/systemd/openvpn-client@.service.in
++++ trunk/distro/systemd/openvpn-client@.service.in
+@@ -1,6 +1,6 @@
+ [Unit]
+ Description=OpenVPN tunnel for %I
+-After=syslog.target network-online.target
++After=network-online.target
+ Wants=network-online.target
+ Documentation=man:openvpn(8)
+ Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Index: trunk/distro/systemd/openvpn-server@.service.in
+===================================================================
+--- trunk.orig/distro/systemd/openvpn-server@.service.in
++++ trunk/distro/systemd/openvpn-server@.service.in
+@@ -1,6 +1,6 @@
+ [Unit]
+ Description=OpenVPN service for %I
+-After=syslog.target network-online.target
++After=network-online.target
+ Wants=network-online.target
+ Documentation=man:openvpn(8)
+ Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage