Add experimental patch by Gert Döring to fix PR #194745.

Must be enabled through the options framework ("make config").

PR:		194745

2 files changed, 72 insertions, 2 deletions

diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index 94728a7d8371..ff4774b164bc 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -3,7 +3,7 @@
 
 PORTNAME=		openvpn
 DISTVERSION=		2.3.6
-PORTREVISION=		4
+PORTREVISION=		5
 CATEGORIES=		security net
 MASTER_SITES=		http://swupdate.openvpn.net/community/releases/ \
 			http://build.openvpn.net/downloads/releases/
@@ -28,7 +28,8 @@ LDFLAGS+=		-L${LOCALBASE}/lib
 # set PLUGIN_LIBDIR so that unqualified plugin paths are found:
 CPPFLAGS+=		-DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
 
-OPTIONS_DEFINE=		PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME ENGINEFIX2
+OPTIONS_DEFINE=		PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
+			ENGINEFIX2 SUBNETFIX
 OPTIONS_DEFAULT=	EASYRSA OPENSSL
 OPTIONS_SINGLE=		SSL
 OPTIONS_SINGLE_SSL=	OPENSSL POLARSSL
@@ -38,6 +39,7 @@ EASYRSA_DESC=		Install security/easy-rsa RSA helper package
 POLARSSL_DESC=		SSL/TLS support via PolarSSL
 X509ALTUSERNAME_DESC=	Enable --x509-username-field (only with OpenSSL)
 ENGINEFIX2_DESC=	New EXPERIMENTAL patchset for SSL engine use (OpenSSL)
+SUBNETFIX_DESC=		EXPERIMENTAL patch to fix subnet mode (tkt \#481)
 
 EASYRSA_RUN_DEPENDS=	easy-rsa>=0:${PORTSDIR}/security/easy-rsa
 
@@ -57,6 +59,11 @@ EXTRA_PATCHES+=		${FILESDIR}/EF1.patch:-p1 \
 			${FILESDIR}/EF3.patch:-p1
 .endif
 
+# patch to fix PR 194745, https://community.openvpn.net/openvpn/ticket/481
+.if ${PORT_OPTIONS:MSUBNETFIX}
+EXTRA_PATCHES+=		${FILESDIR}/EF-subnet.patch:-p1
+.endif
+
 .if ${PORT_OPTIONS:MPOLARSSL}
 . if ${PORT_OPTIONS:MX509ALTUSERNAME}
 BROKEN=	OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead
diff --git a/security/openvpn/files/EF-subnet.patch b/security/openvpn/files/EF-subnet.patch
new file mode 100644
index 000000000000..82b48c5081dc
--- /dev/null
+++ b/security/openvpn/files/EF-subnet.patch
@@ -0,0 +1,63 @@
+From b8f70b0f25c44e6d6a17b9f76756de87146a55d9 Mon Sep 17 00:00:00 2001
+From: Gert Doering <gert@greenie.muc.de>
+Date: Sun, 26 Apr 2015 18:16:39 +0200
+Subject: [PATCH] Fix FreeBSD ifconfig for topology subnet tunnels.
+
+For "topology subnet", we only pretend to have a subnet and keep
+using the tun if in point-to-point mode - but for that to fully
+work, the "remote" address needs to be different from the "local"
+address.  So just arbitrarily construct one from the on-link
+subnet - base+1, if "that is not us", base+2, otherwise.
+
+Fix trac #481
+
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ src/openvpn/tun.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
+index 11a6d71..aa7a9f0 100644
+--- a/src/openvpn/tun.c
++++ b/src/openvpn/tun.c
+@@ -626,6 +626,28 @@ void delete_route_connected_v6_net(struct tuntap * tt,
+ }
+ #endif
+ 
++#if defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
++/* we can't use true subnet mode on tun on all platforms, as that
++ * conflicts with IPv6 (wants to use ND then, which we don't do),
++ * but the OSes want "a remote address that is different from ours"
++ * - so we construct one, normally the first in the subnet, but if
++ * this is the same as ours, use the second one.
++ * The actual address does not matter at all, as the tun interface
++ * is still point to point and no layer 2 resolution is done...
++ */
++
++char *
++create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc )
++{
++  in_addr_t remote;
++
++  remote = (tt->local & tt->remote_netmask) +1;
++
++  if ( remote == tt->local ) remote ++;
++
++  return print_in_addr_t (remote, 0, &gc);
++}
++#endif
+ 
+ /* execute the ifconfig command through the shell */
+ void
+@@ -1150,7 +1172,7 @@ do_ifconfig (struct tuntap *tt,
+ 			  IFCONFIG_PATH,
+ 			  actual,
+ 			  ifconfig_local,
+-			  ifconfig_local,
++			  create_arbitrary_remote( tt, &gc ),
+ 			  tun_mtu,
+ 			  ifconfig_remote_netmask
+ 			  );
+-- 
+2.2.2
+