+ Update patch set for crypto engine fix [1].

Change option name so it is presented anew, default disabled.

+ Add openvpn-client wrapper script and up/down scripts to trigger
  resolvconf, with minor edits. [2]

+ Set proper PLUGIN_LIBDIR so that plugins in the default directory can
  be found with relative paths.

+ Compile shipped plugins with -fPIC.

PR:		195004 [1]
PR:		199529 [2]
Submitted by:	yuri@rawbw.com [2]
Obtained from:	https://community.openvpn.net/openvpn/ticket/480#comment:21

security/openvpn/Makefile

@@ -3,7 +3,7 @@
 
 PORTNAME=		openvpn
 DISTVERSION=		2.3.6
-PORTREVISION=		3
+PORTREVISION=		4
 CATEGORIES=		security net
 MASTER_SITES=		http://swupdate.openvpn.net/community/releases/ \
 			http://build.openvpn.net/downloads/releases/
@@ -25,7 +25,10 @@ SHEBANG_FILES=		sample/sample-scripts/verify-cn \
 CPPFLAGS+=		-I${LOCALBASE}/include
 LDFLAGS+=		-L${LOCALBASE}/lib
 
-OPTIONS_DEFINE=		PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME ENGINEFIX
+# set PLUGIN_LIBDIR so that unqualified plugin paths are found:
+CPPFLAGS+=		-DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
+
+OPTIONS_DEFINE=		PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME ENGINEFIX2
 OPTIONS_DEFAULT=	EASYRSA OPENSSL
 OPTIONS_SINGLE=		SSL
 OPTIONS_SINGLE_SSL=	OPENSSL POLARSSL
@@ -34,7 +37,7 @@ PKCS11_DESC=		Use security/pkcs11-helper
 EASYRSA_DESC=		Install security/easy-rsa RSA helper package
 POLARSSL_DESC=		SSL/TLS support via PolarSSL
 X509ALTUSERNAME_DESC=	Enable --x509-username-field (only with OpenSSL)
-ENGINEFIX_DESC=		EXPERIMENTAL patch to fix SSL engine use
+ENGINEFIX2_DESC=	New EXPERIMENTAL patchset for SSL engine use (OpenSSL)
 
 EASYRSA_RUN_DEPENDS=	easy-rsa>=0:${PORTSDIR}/security/easy-rsa
 
@@ -47,15 +50,18 @@ X509ALTUSERNAME_CONFIGURE_ENABLE=	x509-alt-username
 
 .include <bsd.port.options.mk>
 
-.if ${PORT_OPTIONS:MENGINEFIX}
+# patches to fix PR 195004, https://community.openvpn.net/openvpn/ticket/480
-EXTRA_PATCHES+=		${FILESDIR}/150322-Reload-OpenSSL-engines-after-forking.patch:-p1
+.if ${PORT_OPTIONS:MENGINEFIX2}
+EXTRA_PATCHES+=		${FILESDIR}/EF1.patch:-p1 \
+			${FILESDIR}/EF2.patch:-p1 \
+			${FILESDIR}/EF3.patch:-p1
 .endif
 
 .if ${PORT_OPTIONS:MPOLARSSL}
 . if ${PORT_OPTIONS:MX509ALTUSERNAME}
 BROKEN=	OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead
 . else
-LIB_DEPENDS+=		libpolarssl.so.5:${PORTSDIR}/security/polarssl
+LIB_DEPENDS+=		libpolarssl.so:${PORTSDIR}/security/polarssl
 CONFIGURE_ARGS+=	--with-crypto-library=polarssl
 . endif
 .else
@@ -66,7 +72,7 @@ CONFIGURE_ARGS+=	--with-crypto-library=openssl
 USE_RC_SUBR=		openvpn
 USE_LDCONFIG=		${PREFIX}/lib
 
-SUB_FILES=		pkg-message
+SUB_FILES=		pkg-message openvpn-client
 
 .include <bsd.port.pre.mk>
 
@@ -91,6 +97,11 @@ pre-configure:
 	@${ECHO} ""
 .endif
 
+post-configure:
+	${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \
+	    ${WRKSRC}/src/plugins/auth-pam/Makefile \
+	    ${WRKSRC}/src/plugins/down-root/Makefile
+
 post-build:
 	@# self-tests here
 .if !defined(WITHOUT_CHECK)
@@ -101,6 +112,10 @@ post-build:
 post-install:
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
+	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
+	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down
+	@${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
+	${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
 	${MKDIR} ${STAGEDIR}${PREFIX}/include
 .if ${PORT_OPTIONS:MDOCS}
 	${MKDIR} ${STAGEDIR}${DOCSDIR}/

security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch

@@ -1,171 +0,0 @@
-From 37816d2fbb3e66fa1eb09d0e8f4dadd3f376324f Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan@karger.me>
-Date: Sun, 22 Mar 2015 19:51:25 +0100
-Subject: [PATCH] Reload OpenSSL engines after forking
-
-As reported in trac ticket #480, the cryptodev OpenSSL engine opens
-/dev/crypto on load, but runs into trouble when the pid changes due to a
-call to daemon().  We cannot simply call daemon() before intilializing,
-because that will change the interpretation of relative paths in the config
-file.  To work around that, not only fixup the PKCS#11 state after calling
-daemon(), but also reload the OpenSSL engines.
-
-Signed-off-by: Steffan Karger <steffan@karger.me>
----
- src/openvpn/crypto.c          | 17 +++++++++++++++++
- src/openvpn/crypto.h          |  7 +++++++
- src/openvpn/crypto_backend.h  |  8 +++++++-
- src/openvpn/crypto_openssl.c  | 21 +++++++++++++--------
- src/openvpn/crypto_polarssl.c |  5 +++++
- src/openvpn/init.c            |  4 +---
- 6 files changed, 50 insertions(+), 12 deletions(-)
-
-diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
-index c1b9df3..5353479 100644
---- a/src/openvpn/crypto.c
-+++ b/src/openvpn/crypto.c
-@@ -36,6 +36,7 @@
- #include "crypto.h"
- #include "error.h"
- #include "misc.h"
-+#include "pkcs11.h"
- 
- #include "memdbg.h"
- 
-@@ -426,6 +427,22 @@ crypto_adjust_frame_parameters(struct frame *frame,
-       __func__, crypto_overhead);
- }
- 
-+void
-+crypto_fork_fixup(const char *crypto_engine)
-+{
-+#if defined(ENABLE_PKCS11)
-+  pkcs11_forkFixup ();
-+#endif
-+
-+  if (crypto_engine)
-+    {
-+      /* Reload crypto engines, because a cryptodev engine opens file
-+       * descriptors, which might no longer be usable after forking. */
-+      crypto_uninit_lib_engine();
-+      crypto_init_lib_engine(crypto_engine);
-+    }
-+}
-+
- /*
-  * Build a struct key_type.
-  */
-diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
-index 82158f9..2e57765 100644
---- a/src/openvpn/crypto.h
-+++ b/src/openvpn/crypto.h
-@@ -354,6 +354,13 @@ void crypto_adjust_frame_parameters(struct frame *frame,
- 				    bool packet_id,
- 				    bool packet_id_long_form);
- 
-+/**
-+ * Try to fixup crypto stuff that breaks after forking.
-+ *
-+ * @param crypto_engine		Name of the crypto engine to reload.
-+ */
-+void crypto_fork_fixup(const char *crypto_engine);
-+
- 
- /* Minimum length of the nonce used by the PRNG */
- #define NONCE_SECRET_LEN_MIN 16
-diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
-index 4e45df0..db6421a 100644
---- a/src/openvpn/crypto_backend.h
-+++ b/src/openvpn/crypto_backend.h
-@@ -49,11 +49,17 @@ void crypto_uninit_lib (void);
- 
- void crypto_clear_error (void);
- 
--/*
-+/**
-  * Initialise the given named crypto engine.
-  */
- void crypto_init_lib_engine (const char *engine_name);
- 
-+/**
-+ * Uninitialise previously loaded crypto engines.
-+ */
-+void crypto_uninit_lib_engine (void);
-+
-+
- #ifdef DMALLOC
- /*
-  * OpenSSL memory debugging.  If dmalloc debugging is enabled, tell
-diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
-index 2d81a6d..5e91752 100644
---- a/src/openvpn/crypto_openssl.c
-+++ b/src/openvpn/crypto_openssl.c
-@@ -138,6 +138,18 @@ crypto_init_lib_engine (const char *engine_name)
- #endif
- }
- 
-+void
-+crypto_uninit_lib_engine (void) {
-+#if HAVE_OPENSSL_ENGINE
-+  if (engine_initialized)
-+    {
-+      ENGINE_cleanup ();
-+      engine_persist = NULL;
-+      engine_initialized = false;
-+    }
-+#endif
-+}
-+
- /*
-  *
-  * Functions related to the core crypto library
-@@ -168,14 +180,7 @@ crypto_uninit_lib (void)
-   fclose (fp);
- #endif
- 
--#if HAVE_OPENSSL_ENGINE
--  if (engine_initialized)
--    {
--      ENGINE_cleanup ();
--      engine_persist = NULL;
--      engine_initialized = false;
--    }
--#endif
-+  crypto_uninit_lib_engine();
- }
- 
- void
-diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
-index c038f8e..900a98a 100644
---- a/src/openvpn/crypto_polarssl.c
-+++ b/src/openvpn/crypto_polarssl.c
-@@ -66,6 +66,11 @@ crypto_init_lib_engine (const char *engine_name)
-       "available");
- }
- 
-+void
-+crypto_uninit_lib_engine (void)
-+{
-+}
-+
- /*
-  *
-  * Functions related to the core crypto library
-diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index b97d2da..2680c59 100644
---- a/src/openvpn/init.c
-+++ b/src/openvpn/init.c
-@@ -929,9 +929,7 @@ possibly_become_daemon (const struct options *options)
-       if (options->log)
- 	set_std_files_to_null (true);
- 
--#if defined(ENABLE_PKCS11)
--      pkcs11_forkFixup ();
--#endif
-+      crypto_fork_fixup (options->engine);
- 
-       ret = true;
-     }
--- 
-2.1.0
-

security/openvpn/files/EF1.patch

@@ -0,0 +1,43 @@
+commit c7f3fd9c603bfd9cef600316d5e76210e6cf54a7
+Author: Steffan Karger <steffan@karger.me>
+Date:   Thu Mar 26 01:01:29 2015 +0100
+
+    Remove unneeded parameter 'first_time' from possibly_become_daemon()
+    
+    The static helper function possibly_become_daemon() is called only once,
+    by do_init_first_time(), which checks 'first_time' to be true before
+    calling possibly_become_daemon().  This makes the parameter useless.
+    
+    Signed-off-by: Steffan Karger <steffan@karger.me>
+    Acked-by: Gert Doering <gert@greenie.muc.de>
+    Message-Id: <1427328089-886-1-git-send-email-steffan@karger.me>
+    URL: http://article.gmane.org/gmane.network.openvpn.devel/9555
+    Signed-off-by: Gert Doering <gert@greenie.muc.de>
+    (cherry picked from commit 857c04ef06cd13d59c5b45332f07996e71372576)
+
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index 48b28fc..3a67a50 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -942,10 +942,10 @@ do_persist_tuntap (const struct options *options)
+  * Return true if we did it.
+  */
+ static bool
+-possibly_become_daemon (const struct options *options, const bool first_time)
++possibly_become_daemon (const struct options *options)
+ {
+   bool ret = false;
+-  if (first_time && options->daemon)
++  if (options->daemon)
+     {
+       ASSERT (!options->inetd);
+       if (daemon (options->cd_dir != NULL, options->log) < 0)
+@@ -2776,7 +2776,7 @@ do_init_first_time (struct context *c)
+       get_pid_file (c->options.writepid, &c0->pid_state);
+ 
+       /* become a daemon if --daemon */
+-      c->did_we_daemonize = possibly_become_daemon (&c->options, c->first_time);
++      c->did_we_daemonize = possibly_become_daemon (&c->options);
+ 
+       /* should we disable paging? */
+       if (c->options.mlock && c->did_we_daemonize)

security/openvpn/files/EF2.patch

@@ -0,0 +1,186 @@
+
+[Openvpn-devel] [PATCH] Call daemon() before initializing crypto library
+From: Steffan Karger <steffan@ka...> - 2015-04-27 14:29:09
+
+But keep the chdir to / at the place where deamon() was before, to preserve
+the current behaviour wrt relative paths in the config.
+
+This should fix the issue reported in trac #480, without changing the
+behaviour visible to the end user.
+
+Note that by moving the daemon() call to an earlier stage of the init
+process, we no longer have to call platform_mlockall() again, or do a
+pkcs11_forkFixup().
+
+Signed-off-by: Steffan Karger <steffan@...>
+---
+ src/openvpn/init.c    | 32 +++++++++++---------------------
+ src/openvpn/init.h    |  2 ++
+ src/openvpn/openvpn.c |  4 ++++
+ src/openvpn/pkcs11.c  |  5 -----
+ src/openvpn/pkcs11.h  |  3 ---
+ 5 files changed, 17 insertions(+), 29 deletions(-)
+
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index 73c6aff..5b22c38 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -916,23 +916,20 @@ do_persist_tuntap (const struct options *options)
+  * Should we become a daemon?
+  * Return true if we did it.
+  */
+-static bool
++bool
+ possibly_become_daemon (const struct options *options)
+ {
+   bool ret = false;
+   if (options->daemon)
+     {
+       ASSERT (!options->inetd);
+-      if (daemon (options->cd_dir != NULL, options->log) < 0)
++      /* Don't chdir immediately, but the end of the init sequence, if needed */
++      if (daemon (1, options->log) < 0)
+ 	msg (M_ERR, "daemon() failed or unsupported");
+       restore_signal_state ();
+       if (options->log)
+ 	set_std_files_to_null (true);
+ 
+-#if defined(ENABLE_PKCS11)
+-      pkcs11_forkFixup ();
+-#endif
+-
+       ret = true;
+     }
+   return ret;
+@@ -1809,15 +1806,11 @@ do_deferred_options (struct context *c, const unsigned int found)
+  * Possible hold on initialization
+  */
+ static bool
+-do_hold (struct context *c)
++do_hold (void)
+ {
+ #ifdef ENABLE_MANAGEMENT
+   if (management)
+     {
+-      /* if c is defined, daemonize before hold */
+-      if (c && c->options.daemon && management_should_daemonize (management))
+-	do_init_first_time (c);
+-
+       /* block until management hold is released */
+       if (management_hold (management))
+ 	return true;
+@@ -1867,7 +1860,7 @@ socket_restart_pause (struct context *c)
+   c->persist.restart_sleep_seconds = 0;
+ 
+   /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
+-  if (do_hold (NULL))
++  if (do_hold ())
+     sec = 0;
+ 
+   if (sec)
+@@ -1886,7 +1879,7 @@ do_startup_pause (struct context *c)
+   if (!c->first_time)
+     socket_restart_pause (c);
+   else
+-    do_hold (NULL); /* do management hold on first context initialization */
++    do_hold (); /* do management hold on first context initialization */
+ }
+ 
+ /*
+@@ -2743,7 +2736,7 @@ do_compute_occ_strings (struct context *c)
+ static void
+ do_init_first_time (struct context *c)
+ {
+-  if (c->first_time && !c->did_we_daemonize && !c->c0)
++  if (c->first_time && !c->c0)
+     {
+       struct context_0 *c0;
+ 
+@@ -2758,12 +2751,9 @@ do_init_first_time (struct context *c)
+       /* get --writepid file descriptor */
+       get_pid_file (c->options.writepid, &c0->pid_state);
+ 
+-      /* become a daemon if --daemon */
+-      c->did_we_daemonize = possibly_become_daemon (&c->options);
+-
+-      /* should we disable paging? */
+-      if (c->options.mlock && c->did_we_daemonize)
+-	platform_mlockall (true);	/* call again in case we daemonized */
++      /* perform postponed chdir if --daemon */
++      if (c->did_we_daemonize && c->options.cd_dir == NULL)
++	platform_chdir("/");
+ 
+       /* save process ID in a file */
+       write_pid (&c0->pid_state);
+@@ -3221,7 +3211,7 @@ open_management (struct context *c)
+ 	    }
+ 
+ 	  /* initial management hold, called early, before first context initialization */
+-	  do_hold (c);
++	  do_hold ();
+ 	  if (IS_SIG (c))
+ 	    {
+ 	      msg (M_WARN, "Signal received from management interface, exiting");
+diff --git a/src/openvpn/init.h b/src/openvpn/init.h
+index 5a1d1dc..d1908ed 100644
+--- a/src/openvpn/init.h
++++ b/src/openvpn/init.h
+@@ -55,6 +55,8 @@ bool do_genkey (const struct options *options);
+ 
+ bool do_persist_tuntap (const struct options *options);
+ 
++bool possibly_become_daemon (const struct options *options);
++
+ void pre_setup (const struct options *options);
+ 
+ void init_instance_handle_signals (struct context *c, const struct env_set *env, const unsigned int flags);
+diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
+index fd87fc1..2f327f3 100644
+--- a/src/openvpn/openvpn.c
++++ b/src/openvpn/openvpn.c
+@@ -229,6 +229,10 @@ openvpn_main (int argc, char *argv[])
+ 	  if (do_test_crypto (&c.options))
+ 	    break;
+ 	  
++	  /* become a daemon if --daemon */
++	  if (c.first_time)
++	    c.did_we_daemonize = possibly_become_daemon (&c.options);
++
+ #ifdef ENABLE_MANAGEMENT
+ 	  /* open management subsystem */
+ 	  if (!open_management (&c))
+diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
+index 3a15ef6..a1f13c5 100644
+--- a/src/openvpn/pkcs11.c
++++ b/src/openvpn/pkcs11.c
+@@ -336,11 +336,6 @@ pkcs11_terminate () {
+ 	);
+ }
+ 
+-void
+-pkcs11_forkFixup () {
+-	pkcs11h_forkFixup ();
+-}
+-
+ bool
+ pkcs11_addProvider (
+ 	const char * const provider,
+diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h
+index 4261871..b49401c 100644
+--- a/src/openvpn/pkcs11.h
++++ b/src/openvpn/pkcs11.h
+@@ -38,9 +38,6 @@ pkcs11_initialize (
+ void
+ pkcs11_terminate ();
+ 
+-void
+-pkcs11_forkFixup ();
+-
+ bool
+ pkcs11_addProvider (
+ 	const char * const provider,
+-- 
+2.1.4
+
+
+

security/openvpn/files/EF3.patch

@@ -0,0 +1,38 @@
+commit ac1c2f259b44d1229a65a3e639b09d57a4e2a53b
+Author: Arne Schwabe <arne@rfc2549.org>
+Date:   Fri Mar 21 14:18:35 2014 +0100
+
+    Move the initialization of the environment to the top so c2.es is initialized
+    
+    Acked-by: Gert Doering <gert@greenie.muc.de>
+    Message-Id: <1395407925-25518-3-git-send-email-arne@rfc2549.org>
+    URL: http://article.gmane.org/gmane.network.openvpn.devel/8372
+    
+    Signed-off-by: Gert Doering <gert@greenie.muc.de>
+
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index 3b72b96..c50b5c2 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -3339,6 +3339,10 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int
+   /* init garbage collection level */
+   gc_init (&c->c2.gc);
+ 
++  /* inherit environmental variables */
++  if (env)
++     do_inherit_env (c, env);
++
+   /* signals caught here will abort */
+   c->sig->signal_received = 0;
+   c->sig->signal_text = NULL;
+@@ -3390,10 +3394,6 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int
+   if (c->mode == CM_P2P || c->mode == CM_TOP)
+     do_option_warnings (c);
+ 
+-  /* inherit environmental variables */
+-  if (env)
+-    do_inherit_env (c, env);
+-
+ #ifdef ENABLE_PLUGIN
+   /* initialize plugins */
+   if (c->mode == CM_P2P || c->mode == CM_TOP)

security/openvpn/files/openvpn-client.in

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+exec %%PREFIX%%/sbin/openvpn --script-security 2 \
+    --up %%PREFIX%%/libexec/openvpn-client.up \
+    --plugin openvpn-plugin-down-root.so %%PREFIX%%/libexec/openvpn-client.down \
+    --config "$@"

security/openvpn/files/patch-sample__sample-config-files__loopback-client

@@ -1,5 +1,5 @@
---- ./sample/sample-config-files/loopback-client.orig	2012-09-10 17:01:08.000000000 +0200
+--- sample/sample-config-files/loopback-client.orig	2014-11-29 14:59:45 UTC
-+++ ./sample/sample-config-files/loopback-client	2013-01-11 21:30:07.000000000 +0100
++++ sample/sample-config-files/loopback-client
 @@ -9,8 +9,8 @@
  #  ./openvpn --config sample-config-files/loopback-client  (In one window) 
  #  ./openvpn --config sample-config-files/loopback-server  (Simultaneously in another window) 

security/openvpn/files/patch-sample__sample-config-files__loopback-server

@@ -1,5 +1,5 @@
---- ./sample/sample-config-files/loopback-server.orig	2012-09-10 17:01:08.000000000 +0200
+--- sample/sample-config-files/loopback-server.orig	2014-11-29 14:59:45 UTC
-+++ ./sample/sample-config-files/loopback-server	2013-01-11 21:30:07.000000000 +0100
++++ sample/sample-config-files/loopback-server
 @@ -9,8 +9,8 @@
  #  ./openvpn --config sample-config-files/loopback-client  (In one window) 
  #  ./openvpn --config sample-config-files/loopback-server  (Simultaneously in another window) 

security/openvpn/files/patch-tests__t_cltsrv.sh

@@ -1,5 +1,5 @@
---- ./tests/t_cltsrv.sh.orig	2013-05-31 14:00:07.000000000 +0200
+--- tests/t_cltsrv.sh.orig	2014-11-29 14:59:46 UTC
-+++ ./tests/t_cltsrv.sh	2014-01-27 18:51:13.000000000 +0100
++++ tests/t_cltsrv.sh
 @@ -1,7 +1,7 @@
  #! /bin/sh
  #
@@ -9,7 +9,7 @@
  #
  # This program is free software; you can redistribute it and/or
  # modify it under the terms of the GNU General Public License
-@@ -22,8 +22,9 @@
+@@ -22,8 +22,9 @@ set -e
  srcdir="${srcdir:-.}"
  top_srcdir="${top_srcdir:-..}"
  top_builddir="${top_builddir:-..}"
@@ -21,7 +21,7 @@
  addopts=
  case `uname -s` in
      FreeBSD)
-@@ -45,18 +46,38 @@
+@@ -45,18 +46,38 @@ esac
  # make sure that the --down script is executable -- fail (rather than
  # skip) test if it isn't.
  downscript="../tests/t_cltsrv-down.sh"

security/openvpn/files/pkg-message.in

@@ -2,6 +2,10 @@
 ###  Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
 ###  startup. See %%PREFIX%%/etc/rc.d/openvpn for details.
 ### ------------------------------------------------------------------------
+###  Connect to VPN server as a client with this command to include
+###  the client.up/down scripts in the initialization:
+###  openvpn-client <spec>.ovpn
+### ------------------------------------------------------------------------
 ###  For compatibility notes when interoperating with older OpenVPN
 ###  versions, please, see <http://openvpn.net/relnotes.html>
 ### ------------------------------------------------------------------------

security/openvpn/pkg-plist

@@ -3,3 +3,6 @@ lib/openvpn/plugins/openvpn-plugin-auth-pam.so
 lib/openvpn/plugins/openvpn-plugin-down-root.so
 man/man8/openvpn.8.gz
 sbin/openvpn
+sbin/openvpn-client
+libexec/openvpn-client.up
+libexec/openvpn-client.down