Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/auth-pam_libpam_so_filename.patch16
-rw-r--r--debian/patches/debian_nogroup_for_sample_files.patch81
-rw-r--r--debian/patches/kfreebsd_support.patch141
-rw-r--r--debian/patches/match-manpage-and-command-help.patch22
-rw-r--r--debian/patches/move_log_dir.patch41
-rw-r--r--debian/patches/openvpn-pkcs11warn.patch28
-rw-r--r--debian/patches/series6
7 files changed, 335 insertions, 0 deletions
diff --git a/debian/patches/auth-pam_libpam_so_filename.patch b/debian/patches/auth-pam_libpam_so_filename.patch
new file mode 100644
index 0000000..cfa9047
--- /dev/null
+++ b/debian/patches/auth-pam_libpam_so_filename.patch
@@ -0,0 +1,16 @@
+Description: Fix libpam.so filename to /lib/libpam.so.0 in pam plugin
+Author: Alberto Gonzalez Iniesta <agi@inittab.org>
+Bug-Debian: http://bugs.debian.org/306335
+Index: openvpn/src/plugins/auth-pam/auth-pam.c
+===================================================================
+--- openvpn.orig/src/plugins/auth-pam/auth-pam.c 2016-12-27 18:45:37.638198402 +0100
++++ openvpn/src/plugins/auth-pam/auth-pam.c 2016-12-27 18:45:37.638198402 +0100
+@@ -698,7 +698,7 @@
+ struct user_pass up;
+ int command;
+ #ifdef USE_PAM_DLOPEN
+- static const char pam_so[] = "libpam.so";
++ static const char pam_so[] = "libpam.so.0";
+ #endif
+
+ /*
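Review bot: The Description promises `/lib/libpam.so.0`, but the added line passes the bare soname `libpam.so.0`, so under `USE_PAM_DLOPEN` the library is still resolved through the dynamic loader's search path rather than from a fixed location. The header should say what the code does, for example `Description: Load libpam by its runtime soname (libpam.so.0) in the pam plugin`, or the string should be an absolute path if pinning the location was the intent. This matters because the plugin presumably loads PAM while still privileged. A `Forwarded:` field, as move_log_dir.patch carries, would also record whether upstream has seen this. The enclosing function starts and ends outside the hunk.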
diff --git a/debian/patches/debian_nogroup_for_sample_files.patch b/debian/patches/debian_nogroup_for_sample_files.patch
new file mode 100644
index 0000000..f7dcaaa
--- /dev/null
+++ b/debian/patches/debian_nogroup_for_sample_files.patch
@@ -0,0 +1,81 @@
+Description: Unpriviledged group in Debian is called nogroup instead of nobody
+Author: Alberto Gonzalez Iniesta <agi@inittab.org>
+Bug-Debian: http://bugs.debian.org/317987
+Index: openvpn/sample/sample-config-files/server.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/server.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/server.conf 2016-11-21 09:53:43.604863188 +0100
+@@ -272,7 +272,7 @@
+ # You can uncomment this out on
+ # non-Windows systems.
+ ;user nobody
+-;group nobody
++;group nogroup
+
+ # The persist options will try to avoid
+ # accessing certain resources on restart
+Index: openvpn/sample/sample-config-files/tls-home.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/tls-home.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/tls-home.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -51,7 +51,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
+Index: openvpn/sample/sample-config-files/static-home.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/static-home.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/static-home.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -43,7 +43,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
+Index: openvpn/sample/sample-config-files/static-office.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/static-office.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/static-office.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -40,7 +40,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
+Index: openvpn/sample/sample-config-files/client.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/client.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/client.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -59,7 +59,7 @@
+
+ # Downgrade privileges after initialization (non-Windows only)
+ ;user nobody
+-;group nobody
++;group nogroup
+
+ # Try to preserve some state across restarts.
+ persist-key
+Index: openvpn/sample/sample-config-files/tls-office.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/tls-office.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/tls-office.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -51,7 +51,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
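Review bot: All six sample files still suggest the shared `nobody`/`nogroup` identities. Other services on the same host may run under them too, so dropping to that identity does not isolate OpenVPN from those services. Consider a comment next to each `;group nogroup` line, such as `# Prefer a dedicated unprivileged user and group for OpenVPN where the system provides one.` The Description also misspells "Unprivileged" as "Unpriviledged".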
diff --git a/debian/patches/kfreebsd_support.patch b/debian/patches/kfreebsd_support.patch
new file mode 100644
index 0000000..4445e0d
--- /dev/null
+++ b/debian/patches/kfreebsd_support.patch
@@ -0,0 +1,141 @@
+Description: Improve kFreeBSD support
+Author: Gonéri Le Bouder <goneri@rulezlan.org>
+Bug-Debian: http://bugs.debian.org/626062
+Index: openvpn/src/openvpn/route.c
+===================================================================
+--- openvpn.orig/src/openvpn/route.c 2017-06-22 13:17:05.754630908 +0200
++++ openvpn/src/openvpn/route.c 2017-06-22 13:17:05.750630880 +0200
+@@ -1689,7 +1689,7 @@
+ argv_msg(D_ROUTE, &argv);
+ status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed");
+
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+
+ argv_printf(&argv, "%s add",
+ ROUTE_PATH);
+@@ -1875,7 +1875,7 @@
+ network = print_in6_addr( r6->network, 0, &gc);
+ gateway = print_in6_addr( r6->gateway, 0, &gc);
+
+-#if defined(TARGET_DARWIN) \
++#if defined(TARGET_DARWIN) || defined(__FreeBSD_kernel__) \
+ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
+ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
+
+@@ -2043,7 +2043,7 @@
+ argv_msg(D_ROUTE, &argv);
+ status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed");
+
+-#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
++#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(__FreeBSD_kernel__)
+
+ argv_printf(&argv, "%s add -inet6 %s/%d",
+ ROUTE_PATH,
+@@ -2227,7 +2227,7 @@
+ argv_msg(D_ROUTE, &argv);
+ openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed");
+
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+
+ argv_printf(&argv, "%s delete -net %s %s %s",
+ ROUTE_PATH,
+@@ -2334,7 +2334,7 @@
+ network = print_in6_addr( r6->network, 0, &gc);
+ gateway = print_in6_addr( r6->gateway, 0, &gc);
+
+-#if defined(TARGET_DARWIN) \
++#if defined(TARGET_DARWIN) || defined(__FreeBSD_kernel__) \
+ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
+ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
+
+@@ -2469,7 +2469,7 @@
+ argv_msg(D_ROUTE, &argv);
+ openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed");
+
+-#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
++#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(__FreeBSD_kernel__)
+
+ argv_printf(&argv, "%s delete -inet6 %s/%d",
+ ROUTE_PATH,
+@@ -3514,7 +3514,8 @@
+
+ #elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) \
+ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
+- || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
++ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) \
++ || defined(__FreeBSD_kernel__)
+
+ #include <sys/types.h>
+ #include <sys/socket.h>
+Index: openvpn/src/openvpn/tun.c
+===================================================================
+--- openvpn.orig/src/openvpn/tun.c 2017-06-22 13:17:05.754630908 +0200
++++ openvpn/src/openvpn/tun.c 2017-06-22 13:17:05.750630880 +0200
+@@ -843,7 +843,7 @@
+ #endif /* if defined(_WIN32) || defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) */
+
+ #if defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
+- || defined(TARGET_OPENBSD)
++ || defined(TARGET_OPENBSD) || defined(__FreeBSD_kernel__)
+ /* we can't use true subnet mode on tun on all platforms, as that
+ * conflicts with IPv6 (wants to use ND then, which we don't do),
+ * but the OSes want "a remote address that is different from ours"
+@@ -1412,7 +1412,7 @@
+ add_route_connected_v6_net(tt, es);
+ }
+
+-#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
++#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(__FreeBSD_kernel__)
+
+ in_addr_t remote_end; /* for "virtual" subnet topology */
+
+@@ -2770,7 +2770,7 @@
+ }
+ }
+
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD)||defined(__FreeBSD_kernel__)
+
+ static inline int
+ freebsd_modify_read_write_return(int len)
+Index: openvpn/src/openvpn/lladdr.c
+===================================================================
+--- openvpn.orig/src/openvpn/lladdr.c 2017-06-22 13:17:05.754630908 +0200
++++ openvpn/src/openvpn/lladdr.c 2017-06-22 13:17:05.750630880 +0200
+@@ -50,7 +50,7 @@
+ "%s %s lladdr %s",
+ IFCONFIG_PATH,
+ ifname, lladdr);
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+ argv_printf(&argv,
+ "%s %s ether %s",
+ IFCONFIG_PATH,
+Index: openvpn/src/openvpn/syshead.h
+===================================================================
+--- openvpn.orig/src/openvpn/syshead.h 2017-06-22 13:17:05.754630908 +0200
++++ openvpn/src/openvpn/syshead.h 2017-06-22 13:17:05.750630880 +0200
+@@ -297,7 +297,7 @@
+
+ #endif /* TARGET_OPENBSD */
+
+-#ifdef TARGET_FREEBSD
++#if defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+
+ #ifdef HAVE_SYS_UIO_H
+ #include <sys/uio.h>
+Index: openvpn/src/openvpn/ssl.c
+===================================================================
+--- openvpn.orig/src/openvpn/ssl.c 2017-06-22 13:17:05.754630908 +0200
++++ openvpn/src/openvpn/ssl.c 2017-06-22 13:17:05.750630880 +0200
+@@ -2269,7 +2269,7 @@
+ buf_printf(&out, "IV_PLAT=mac\n");
+ #elif defined(TARGET_NETBSD)
+ buf_printf(&out, "IV_PLAT=netbsd\n");
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+ buf_printf(&out, "IV_PLAT=freebsd\n");
+ #elif defined(TARGET_ANDROID)
+ buf_printf(&out, "IV_PLAT=android\n");
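Review bot: Appending `|| defined(__FreeBSD_kernel__)` at each `TARGET_FREEBSD` test means any FreeBSD branch this patch does not list, or that upstream adds later, is silently skipped on kFreeBSD and the build falls through to whatever branch follows. A single definition in syshead.h would be easier to keep in sync, e.g. `#if defined(__FreeBSD_kernel__) && !defined(TARGET_FREEBSD)` / `#define TARGET_FREEBSD 1` / `#endif`, provided every existing `TARGET_FREEBSD` branch is confirmed appropriate for kFreeBSD and the header is included before those tests. As a style point, the tun.c hunk at line 2770 writes `defined(TARGET_FREEBSD)||defined(__FreeBSD_kernel__)` without spaces around `||`, unlike the other sites. All of the patched conditionals sit inside functions that begin and end outside the hunks.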
diff --git a/debian/patches/match-manpage-and-command-help.patch b/debian/patches/match-manpage-and-command-help.patch
new file mode 100644
index 0000000..39b899c
--- /dev/null
+++ b/debian/patches/match-manpage-and-command-help.patch
@@ -0,0 +1,22 @@
+From a88d8ba3e81ca34fc2675805a273cd85875c8973 Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne@rfc2549.org>
+Date: Wed, 4 Jan 2017 19:18:46 +0100
+Subject: [PATCH] Change command help to match man page and implementation
+
+---
+ src/openvpn/options.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openvpn/src/openvpn/options.c
+===================================================================
+--- openvpn.orig/src/openvpn/options.c 2017-06-22 13:17:12.806680520 +0200
++++ openvpn/src/openvpn/options.c 2017-06-22 13:17:12.802680492 +0200
+@@ -197,7 +197,7 @@
+ " is established. Multiple routes can be specified.\n"
+ " netmask default: 255.255.255.255\n"
+ " gateway default: taken from --route-gateway or --ifconfig\n"
+- " Specify default by leaving blank or setting to \"nil\".\n"
++ " Specify default by leaving blank or setting to \"default\".\n"
+ "--route-ipv6 network/bits [gateway] [metric] :\n"
+ " Add IPv6 route to routing table after connection\n"
+ " is established. Multiple routes can be specified.\n"
diff --git a/debian/patches/move_log_dir.patch b/debian/patches/move_log_dir.patch
new file mode 100644
index 0000000..4518461
--- /dev/null
+++ b/debian/patches/move_log_dir.patch
@@ -0,0 +1,41 @@
+Description: Set default logdir to /var/log/openvpn
+Author: Jörg Frings-Fürst <debian@jff-webhosting.net>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444431
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553303
+Forwarded: not-needed
+Last-Update: 2017-10-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/sample/sample-config-files/server.conf
+===================================================================
+--- trunk.orig/sample/sample-config-files/server.conf
++++ trunk/sample/sample-config-files/server.conf
+@@ -105,7 +105,7 @@ server 10.8.0.0 255.255.255.0
+ # is restarted, reconnecting clients can be assigned
+ # the same virtual IP address from the pool that was
+ # previously assigned.
+-ifconfig-pool-persist ipp.txt
++ifconfig-pool-persist /var/log/openvpn/ipp.txt
+
+ # Configure server mode for ethernet bridging.
+ # You must first use your OS's bridging capability
+@@ -284,7 +284,7 @@ persist-tun
+ # Output a short status file showing
+ # current connections, truncated
+ # and rewritten every minute.
+-status openvpn-status.log
++status /var/log/openvpn/openvpn-status.log
+
+ # By default, log messages will go to the syslog (or
+ # on Windows, if running as a service, they will go to
+@@ -293,8 +293,8 @@ status openvpn-status.log
+ # "log" will truncate the log file on OpenVPN startup,
+ # while "log-append" will append to it. Use one
+ # or the other (but not both).
+-;log openvpn.log
+-;log-append openvpn.log
++;log /var/log/openvpn/openvpn.log
++;log-append /var/log/openvpn/openvpn.log
+
+ # Set the appropriate level of log
+ # file verbosity.
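Review bot: `ifconfig-pool-persist /var/log/openvpn/ipp.txt` puts persistent address-pool state in a log directory, where rotation or cleanup policies can remove it. A state directory would fit better, e.g. `ifconfig-pool-persist <STATE_DIR>/ipp.txt`, where `<STATE_DIR>` is a placeholder for whichever state directory the package owns. Nothing in this patch shows `/var/log/openvpn` being created or what its owner and mode are. The status file lists current connections, so the directory should exist before this sample is used and should not be readable by unrelated local users.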
diff --git a/debian/patches/openvpn-pkcs11warn.patch b/debian/patches/openvpn-pkcs11warn.patch
new file mode 100644
index 0000000..1fabddd
--- /dev/null
+++ b/debian/patches/openvpn-pkcs11warn.patch
@@ -0,0 +1,28 @@
+Description: Warn users about deprecated pkcs11 options
+Author: Florian Kulzer <florian.kulzer+debian@icfo.es>
+Bug-Debian: http://bugs.debian.org/475353
+Index: openvpn/src/openvpn/options.c
+===================================================================
+--- openvpn.orig/src/openvpn/options.c 2017-06-22 13:16:58.862582114 +0200
++++ openvpn/src/openvpn/options.c 2017-06-22 13:16:58.862582114 +0200
+@@ -6818,6 +6818,20 @@
+ options->port_share_port = p[2];
+ options->port_share_journal_dir = p[3];
+ }
++ else if (streq (p[0], "pkcs11-id-type") ||
++ streq (p[0], "pkcs11-sign-mode") ||
++ streq (p[0], "pkcs11-slot") ||
++ streq (p[0], "pkcs11-slot-type") ||
++ streq (p[0], "show-pkcs11-objects") ||
++ streq (p[0], "show-pkcs11-slots"))
++ {
++ if (file)
++ msg (msglevel, "You are using an obsolete parameter in %s:%d: %s (%s).\nPlease see /usr/share/doc/openvpn/NEWS.Debian.gz for details.",
++ file, line, p[0], PACKAGE_VERSION);
++ else
++ msg (msglevel, "You are using an obsolete parameter: --%s (%s).\nPlease see /usr/share/doc/openvpn/NEWS.Debian.gz for details.",
++ p[0], PACKAGE_VERSION);
++ }
+ #endif
+ else if (streq(p[0], "client-to-client") && !p[1])
+ {
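Review bot: The new `else if` branch is inserted above the `#endif` that, judging by the `port_share_*` context lines, closes the port-share conditional, so the obsolete-option warning is compiled only when that unrelated feature is enabled. In other builds these option names would reach the generic unrecognised-option handling instead. Moving the branch below the `#endif` would make it unconditional. The `if (file)` / `else` arms each hold a multi-line `msg (...)` call without braces; bracing them (`if (file) { ... } else { ... }`) avoids a later edit attaching a statement to the wrong arm. It is also worth confirming that `msglevel` is fatal on this path, since continuing after ignoring `pkcs11-slot` and similar options could leave token selection different from what the administrator configured. The enclosing function starts and ends outside the hunk.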
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..156ff6f
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,6 @@
+move_log_dir.patch
+auth-pam_libpam_so_filename.patch
+debian_nogroup_for_sample_files.patch
+openvpn-pkcs11warn.patch
+kfreebsd_support.patch
+match-manpage-and-command-help.patch