authormandree <mandree@FreeBSD.org>2013-01-12 07:09:37 +0800
committermandree <mandree@FreeBSD.org>2013-01-12 07:09:37 +0800
commitba547216ffdbd19863248282085789880c33f179 (patch)
tree5b6711e0f4cc89a423ea6559a20d4d19cab2939b
parentef27293a67f3ce44005a3c369d4bf4c874b3a99d (diff)
downloadfreebsd-ports-gnome-ba547216ffdbd19863248282085789880c33f179.tar.gz
freebsd-ports-gnome-ba547216ffdbd19863248282085789880c33f179.tar.zst
freebsd-ports-gnome-ba547216ffdbd19863248282085789880c33f179.zip
OpenVPN changes, upgrades and fixes:
- Upgrade security/openvpn to v2.3.0 (changes installed layout a bit), splitting and re-diffing patches. - Retain v2.2.2 as security/openvpn22 - Mark security/openvpn20 as deprecated and to expire 6 months from now - Fix TCP_NODELAY option (openvpn 2.3, 2.2), see <http://community.openvpn.net/openvpn/ticket/158> - Fix PassTOS option (openvpn 2.2, 2.0), see http://community.openvpn.net/openvpn/ticket/135
-rw-r--r--security/Makefile1
-rw-r--r--security/openvpn/Makefile31
-rw-r--r--security/openvpn/distinfo4
-rw-r--r--security/openvpn/files/patch-sample__sample-config-files__loopback-client13
-rw-r--r--security/openvpn/files/patch-sample__sample-config-files__loopback-server13
-rw-r--r--security/openvpn/files/patch-src__openvpn__syshead.h16
-rw-r--r--security/openvpn/pkg-plist110
-rw-r--r--security/openvpn20/Makefile5
-rw-r--r--security/openvpn20/files/patch-socket.h11
-rw-r--r--security/openvpn22/Makefile122
-rw-r--r--security/openvpn22/distinfo2
-rw-r--r--security/openvpn22/files/openvpn.in125
-rw-r--r--security/openvpn22/files/patch-selftest-ports (renamed from security/openvpn/files/patch-selftest-ports)0
-rw-r--r--security/openvpn22/files/patch-socket.h11
-rw-r--r--security/openvpn22/files/patch-syshead.h16
-rw-r--r--security/openvpn22/files/patch-t_cltsrv.sh (renamed from security/openvpn/files/patch-t_cltsrv.sh)0
-rw-r--r--security/openvpn22/files/pkg-message.in7
-rw-r--r--security/openvpn22/pkg-descr7
-rw-r--r--security/openvpn22/pkg-plist81
19 files changed, 478 insertions, 97 deletions
diff --git a/security/Makefile b/security/Makefile
index 018dd87c3f7b..f7a6dba49ce3 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -363,6 +363,7 @@
SUBDIR += openvpn-beta
SUBDIR += openvpn-devel
SUBDIR += openvpn20
+ SUBDIR += openvpn22
SUBDIR += ophcrack
SUBDIR += opieprint
SUBDIR += osiris
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index 516ccf0e902a..dfcf0d0f2fff 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= openvpn
-DISTVERSION= 2.2.2
+DISTVERSION= 2.3.0
CATEGORIES= security net
# MASTER_SITES points to hosts in distinct data centers,
# so just one MASTER_SITES entry should be OK.
@@ -14,15 +14,17 @@ COMMENT= Secure IP/Ethernet tunnel daemon
LICENSE= GPLv2
-CONFLICTS_INSTALL= openvpn-devel-[0-9]* openvpn-2.0* openvpn-beta-[0-9]*
+CONFLICTS_INSTALL= openvpn-2.[!3].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]*
GNU_CONFIGURE= yes
USE_OPENSSL= yes
USE_XZ= yes
-CONFIGURE_ARGS= --with-lzo-lib=${LOCALBASE}/lib \
- --with-lzo-headers=${LOCALBASE}/include
+# let OpenVPN's configure script pick up the libraries
+CPPFLAGS+= -I${LOCALBASE}/include
+LDFLAGS+= -L${LOCALBASE}/lib
-OPTIONS_DEFINE= PW_SAVE PKCS11
+# PolarSSL missing: OpenVPN does not currently compile with PolarSSL 1.2.0+
+OPTIONS_DEFINE= PW_SAVE PKCS11
PW_SAVE_DESC= Interactive passwords may be read from a file
PKCS11_DESC= Use security/pkcs11-helper
@@ -63,14 +65,6 @@ LIB_DEPENDS+= pkcs11-helper:${PORTSDIR}/security/pkcs11-helper
CONFIGURE_ARGS+= --disable-pkcs11
.endif
-post-patch:
- @${FIND} ${WRKSRC}/easy-rsa/?.0 -type f \
- -exec ${REINPLACE_CMD} -e 's;#!/bin/bash;#!/bin/sh;' \
- -e 's,source ./vars,. ./vars,' \{\} +
- @${FIND} ${WRKSRC}/plugin -name Makefile \
- -exec ${REINPLACE_CMD} -e 's;gcc;${CC};g' '{}' +
- @${FIND} ${WRKSRC} \( -name \*.orig -o -name \*.bak \) -delete
-
pre-configure:
.ifdef (LOG_OPENVPN)
@${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
@@ -84,8 +78,6 @@ pre-configure:
.endif
post-build:
- cd ${WRKSRC}/plugin/down-root && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${_MAKE_JOBS} ${MAKE_ARGS}
- cd ${WRKSRC}/plugin/auth-pam && ${CC} ${CPPFLAGS} -I../.. -DDLOPEN_PAM=0 ${CFLAGS} -fPIC -shared -Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.c pamdl.c -lc -lpam
@# self-tests here
.if !defined(WITHOUT_CHECK)
@${ECHO} ; ${ECHO} "### Note that you can skip these lengthy selftests with WITHOUT_CHECK=yes ###" ; ${ECHO}
@@ -94,21 +86,18 @@ post-build:
post-install:
${MKDIR} ${PREFIX}/lib
- ${INSTALL_PROGRAM} ${WRKSRC}/plugin/down-root/openvpn-down-root.so ${PREFIX}/lib/
- ${INSTALL_PROGRAM} ${WRKSRC}/plugin/auth-pam/openvpn-auth-pam.so ${PREFIX}/lib/
.if ${PORT_OPTIONS:MDOCS}
${MKDIR} ${DOCSDIR}
- ${INSTALL_DATA} ${WRKSRC}/plugin/down-root/README ${DOCSDIR}/README.openvpn-down-root
- ${INSTALL_DATA} ${WRKSRC}/plugin/auth-pam/README ${DOCSDIR}/README.openvpn-auth-pam
.for docs in AUTHORS COPYING COPYRIGHT.GPL ChangeLog INSTALL \
PORTS README
${INSTALL_DATA} ${WRKSRC}/${docs} ${DOCSDIR}/
.endfor
-.for dir in easy-rsa easy-rsa/1.0 easy-rsa/2.0 sample-config-files
+.for dir in sample/sample-config-files
+ ${RM} -f ${WRKSRC}/${dir}/*.orig
${MKDIR} ${DOCSDIR}/${dir}
${FIND} ${WRKSRC}/${dir}/ -maxdepth 1 -type f -exec ${INSTALL_DATA} \{\} ${DOCSDIR}/${dir} \;
.endfor
-.for dir in sample-scripts
+.for dir in sample/sample-scripts
${MKDIR} ${DOCSDIR}/${dir}
${FIND} ${WRKSRC}/${dir}/ -maxdepth 1 -type f -exec ${INSTALL_SCRIPT} \{\} ${DOCSDIR}/${dir} \;
.endfor
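Review bot: The `${RM} -f ${WRKSRC}/${dir}/*.orig` line added to the `sample/sample-config-files` loop modifies the work tree during post-install, a phase that normally runs with elevated privileges. It also covers only `.orig` files in that one directory, while the `${FIND} ... -type f -exec ${INSTALL_DATA}` line after it installs every regular file it finds. Since this commit drops the post-patch step that removed `*.orig` and `*.bak` tree-wide, I would keep the cleanup in the patch phase, e.g. a `post-patch:` target with `@${FIND} ${WRKSRC}/sample \( -name \*.orig -o -name \*.bak \) -delete`, so that the install step only copies. `${RM}` in the ports framework already carries `-f`, so the extra flag is redundant. The post-install target continues past the end of this hunk.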
diff --git a/security/openvpn/distinfo b/security/openvpn/distinfo
index a9bca63e4151..0a0ff0d9b6fe 100644
--- a/security/openvpn/distinfo
+++ b/security/openvpn/distinfo
@@ -1,2 +1,2 @@
-SHA256 (openvpn-2.2.2.tar.xz) = a694b9f661a0db30c048c94a4b4fc63d1460aea4dbc504a4f233f3c15997f4cd
-SIZE (openvpn-2.2.2.tar.xz) = 649356
+SHA256 (openvpn-2.3.0.tar.xz) = a9fcf7bc1c1cd88cd8867ff567e8f8df5e695f0e983bd0aed3a3e1f6ae14d107
+SIZE (openvpn-2.3.0.tar.xz) = 762052
diff --git a/security/openvpn/files/patch-sample__sample-config-files__loopback-client b/security/openvpn/files/patch-sample__sample-config-files__loopback-client
new file mode 100644
index 000000000000..47cac942e0b9
--- /dev/null
+++ b/security/openvpn/files/patch-sample__sample-config-files__loopback-client
@@ -0,0 +1,13 @@
+--- ./sample/sample-config-files/loopback-client.orig 2012-09-10 17:01:08.000000000 +0200
++++ ./sample/sample-config-files/loopback-client 2013-01-11 21:30:07.000000000 +0100
+@@ -9,8 +9,8 @@
+ # ./openvpn --config sample-config-files/loopback-client (In one window)
+ # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
+
+-rport 16000
+-lport 16001
++rport 16100
++lport 16101
+ remote localhost
+ local localhost
+ dev null
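Review bot: This patch file has no header line saying why the loopback ports move from 16000/16001 to 16100/16101, unlike patch-src__openvpn__syshead.h in the same commit, which states its purpose and origin. A one-line preamble before the `---` line, such as `Move the loopback self-test configs to ports 16100/16101 (FreeBSD-local change)`, would let the next maintainer decide whether to keep the patch on upgrade; that wording is a guess at the intent and should be corrected by the author. The same applies to patch-sample__sample-config-files__loopback-server.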
diff --git a/security/openvpn/files/patch-sample__sample-config-files__loopback-server b/security/openvpn/files/patch-sample__sample-config-files__loopback-server
new file mode 100644
index 000000000000..cd55ac640678
--- /dev/null
+++ b/security/openvpn/files/patch-sample__sample-config-files__loopback-server
@@ -0,0 +1,13 @@
+--- ./sample/sample-config-files/loopback-server.orig 2012-09-10 17:01:08.000000000 +0200
++++ ./sample/sample-config-files/loopback-server 2013-01-11 21:30:07.000000000 +0100
+@@ -9,8 +9,8 @@
+ # ./openvpn --config sample-config-files/loopback-client (In one window)
+ # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
+
+-rport 16001
+-lport 16000
++rport 16101
++lport 16100
+ remote localhost
+ local localhost
+ dev null
diff --git a/security/openvpn/files/patch-src__openvpn__syshead.h b/security/openvpn/files/patch-src__openvpn__syshead.h
new file mode 100644
index 000000000000..a30a7c95765f
--- /dev/null
+++ b/security/openvpn/files/patch-src__openvpn__syshead.h
@@ -0,0 +1,16 @@
+Work around "missing" TCP_NODELAY,
+obtained from: http://community.openvpn.net/openvpn/ticket/158
+
+--- ./src/openvpn/syshead.h.orig 2012-11-22 13:07:51.000000000 +0100
++++ ./src/openvpn/syshead.h 2013-01-11 21:30:07.000000000 +0100
+@@ -307,6 +307,10 @@
+ #include <netinet/ip.h>
+ #endif
+
++#ifdef HAVE_NETINET_TCP_H
++#include <netinet/tcp.h>
++#endif
++
+ #ifdef HAVE_NET_IF_TUN_H
+ #include <net/if_tun.h>
+ #endif
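Review bot: The added `#include <netinet/tcp.h>` only takes effect if configure defines `HAVE_NETINET_TCP_H`, and nothing in this commit shows that it does. If the macro is absent from config.h, the patch still applies cleanly but TCP_NODELAY stays undefined and the fix silently does nothing. This is worth confirming in the generated config.h for 2.3.0, and separately for security/openvpn22/files/patch-syshead.h. That patch's header timestamps are identical to this one while its hunk offset differs, which suggests it was adapted by hand rather than regenerated against the 2.2.2 tree.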
diff --git a/security/openvpn/pkg-plist b/security/openvpn/pkg-plist
index 7200816ad93e..1e13653e3e26 100644
--- a/security/openvpn/pkg-plist
+++ b/security/openvpn/pkg-plist
@@ -1,81 +1,45 @@
+include/openvpn-plugin.h
+lib/openvpn/plugins/openvpn-plugin-auth-pam.la
+lib/openvpn/plugins/openvpn-plugin-auth-pam.so
+lib/openvpn/plugins/openvpn-plugin-down-root.la
+lib/openvpn/plugins/openvpn-plugin-down-root.so
sbin/openvpn
-lib/openvpn-auth-pam.so
-lib/openvpn-down-root.so
%%PORTDOCS%%%%DOCSDIR%%/AUTHORS
+%%PORTDOCS%%%%DOCSDIR%%/ChangeLog
%%PORTDOCS%%%%DOCSDIR%%/COPYING
%%PORTDOCS%%%%DOCSDIR%%/COPYRIGHT.GPL
-%%PORTDOCS%%%%DOCSDIR%%/ChangeLog
%%PORTDOCS%%%%DOCSDIR%%/INSTALL
+%%PORTDOCS%%%%DOCSDIR%%/management-notes.txt
%%PORTDOCS%%%%DOCSDIR%%/PORTS
%%PORTDOCS%%%%DOCSDIR%%/README
-%%PORTDOCS%%%%DOCSDIR%%/README.openvpn-auth-pam
-%%PORTDOCS%%%%DOCSDIR%%/README.openvpn-down-root
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/README
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-ca
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-dh
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-inter
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-key
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-key-pass
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-key-pkcs12
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-key-server
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-req
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-req-pass
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/clean-all
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/list-crl
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/make-crl
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/openssl.cnf
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/revoke-crt
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/revoke-full
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/sign-req
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/vars
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/Makefile
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/README
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-ca
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-dh
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-inter
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-pass
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-pkcs12
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-server
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-req
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-req-pass
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/clean-all
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/inherit-inter
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/list-crl
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/openssl-0.9.6.cnf
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/openssl-0.9.8.cnf
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/openssl-1.0.0.cnf
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/pkitool
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/revoke-full
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/sign-req
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/vars
-%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/whichopensslcnf
-%%PORTDOCS%%%%DOCSDIR%%/management-notes.txt
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/README
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/client.conf
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/firewall.sh
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/home.up
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/loopback-client
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/loopback-server
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/office.up
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/openvpn-shutdown.sh
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/openvpn-startup.sh
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/server.conf
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/static-home.conf
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/static-office.conf
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/tls-home.conf
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/tls-office.conf
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/xinetd-client-config
-%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/xinetd-server-config
-%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/auth-pam.pl
-%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/bridge-start
-%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/bridge-stop
-%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/openvpn.init
-%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/ucn.pl
-%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/verify-cn
-%%PORTDOCS%%@dirrm %%DOCSDIR%%/sample-scripts
-%%PORTDOCS%%@dirrm %%DOCSDIR%%/sample-config-files
-%%PORTDOCS%%@dirrm %%DOCSDIR%%/easy-rsa/2.0
-%%PORTDOCS%%@dirrm %%DOCSDIR%%/easy-rsa/1.0
-%%PORTDOCS%%@dirrm %%DOCSDIR%%/easy-rsa
+%%PORTDOCS%%%%DOCSDIR%%/README.auth-pam
+%%PORTDOCS%%%%DOCSDIR%%/README.down-root
+%%PORTDOCS%%%%DOCSDIR%%/README.IPv6
+%%PORTDOCS%%%%DOCSDIR%%/README.polarssl
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/README
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/client.conf
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/firewall.sh
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/home.up
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/loopback-client
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/loopback-server
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/office.up
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/openvpn-shutdown.sh
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/openvpn-startup.sh
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/server.conf
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/static-home.conf
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/static-office.conf
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/tls-home.conf
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/tls-office.conf
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/xinetd-client-config
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-config-files/xinetd-server-config
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-scripts/auth-pam.pl
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-scripts/bridge-start
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-scripts/bridge-stop
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-scripts/ucn.pl
+%%PORTDOCS%%%%DOCSDIR%%/sample/sample-scripts/verify-cn
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/sample/sample-scripts
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/sample/sample-config-files
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/sample
%%PORTDOCS%%@dirrm %%DOCSDIR%%
+@dirrm lib/openvpn/plugins
+@dirrm lib/openvpn
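Review bot: The plugins move from `lib/openvpn-auth-pam.so` and `lib/openvpn-down-root.so` to `lib/openvpn/plugins/openvpn-plugin-*.so`, so an existing configuration that names the old path in a `plugin` directive will no longer find the PAM authentication or down-root module after the upgrade. The file list of this commit shows no UPDATING entry or pkg-message change announcing the new location. A short notice giving the old and new paths would let administrators fix their configs before restarting the daemon.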
diff --git a/security/openvpn20/Makefile b/security/openvpn20/Makefile
index 9a75381a1b8d..6d3b0cdcb587 100644
--- a/security/openvpn20/Makefile
+++ b/security/openvpn20/Makefile
@@ -3,7 +3,7 @@
PORTNAME= openvpn
PORTVERSION= 2.0.9
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= security net
# MASTER_SITES points to hosts in distinct data centers,
# so just one MASTER_SITES entry should be OK.
@@ -12,6 +12,9 @@ MASTER_SITES= http://openvpn.net/release/
MAINTAINER= mandree@FreeBSD.org
COMMENT= Secure IP/Ethernet tunnel daemon
+DEPRECATED= Please migrate to a newer OpenVPN version
+EXPIRATION_DATE= 2013-07-11
+
LATEST_LINK= openvpn20
CONFLICTS_INSTALL= openvpn-2.[!0]* openvpn-beta-[0-9]* openvpn-devel-[0-9]*
diff --git a/security/openvpn20/files/patch-socket.h b/security/openvpn20/files/patch-socket.h
new file mode 100644
index 000000000000..3030077c8ca2
--- /dev/null
+++ b/security/openvpn20/files/patch-socket.h
@@ -0,0 +1,11 @@
+--- ./socket.h.orig 2005-11-01 12:06:11.000000000 +0100
++++ ./socket.h 2013-01-11 21:51:45.000000000 +0100
+@@ -204,7 +204,7 @@
+
+ #if PASSTOS_CAPABILITY
+ /* used to get/set TOS. */
+- uint8_t ptos;
++ int ptos;
+ bool ptos_defined;
+ #endif
+
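Review bot: The patch gives no rationale for widening `ptos` from `uint8_t` to `int`. The commit message ties it to the PassTOS fix in ticket 135, and that reference belongs in the patch header, e.g. `Fix PassTOS option, see http://community.openvpn.net/openvpn/ticket/135`. The struct this member lives in starts and ends outside the hunk, so uses of `ptos` that assume a one-byte field (a `sizeof`, a copy into a packet header) cannot be checked from here and should be reviewed. security/openvpn22/files/patch-socket.h makes the same change and needs the same header.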
diff --git a/security/openvpn22/Makefile b/security/openvpn22/Makefile
new file mode 100644
index 000000000000..291440df6901
--- /dev/null
+++ b/security/openvpn22/Makefile
@@ -0,0 +1,122 @@
+# Created by: Matthias Andree <matthias.andree@gmx.de>
+# $FreeBSD$
+
+PORTNAME= openvpn
+DISTVERSION= 2.2.2
+PORTREVISION= 1
+CATEGORIES= security net
+# MASTER_SITES points to hosts in distinct data centers,
+# so just one MASTER_SITES entry should be OK.
+MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \
+ ${MASTER_SITE_LOCAL:S,$,mandree/,}
+
+MAINTAINER= mandree@FreeBSD.org
+COMMENT= Secure IP/Ethernet tunnel daemon
+
+LICENSE= GPLv2
+
+LATEST_LINK= openvpn22
+CONFLICTS_INSTALL= openvpn-devel-[0-9]* openvpn-2.[!2]* openvpn-beta-[0-9]*
+
+GNU_CONFIGURE= yes
+USE_OPENSSL= yes
+USE_XZ= yes
+CONFIGURE_ARGS= --with-lzo-lib=${LOCALBASE}/lib \
+ --with-lzo-headers=${LOCALBASE}/include
+
+OPTIONS_DEFINE= PW_SAVE PKCS11
+PW_SAVE_DESC= Interactive passwords may be read from a file
+PKCS11_DESC= Use security/pkcs11-helper
+
+.include <bsd.port.options.mk>
+
+.if ${PORT_OPTIONS:MDOCS}
+INSTALL_TARGET= install
+.else
+INSTALL_TARGET= install-exec install-man
+.endif
+
+INSTALL_TARGET+= mandir=${MANPREFIX}/man
+MAN8= openvpn.8
+
+USE_RC_SUBR= openvpn
+USE_LDCONFIG= ${PREFIX}/lib
+
+SUB_FILES= pkg-message
+SUB_LIST+= OSVERSION=${OSVERSION}
+
+.include <bsd.port.pre.mk>
+
+.ifdef (LOG_OPENVPN)
+CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN}
+.endif
+
+LIB_DEPENDS+= lzo2:${PORTSDIR}/archivers/lzo2
+
+.if ${PORT_OPTIONS:MPW_SAVE}
+CONFIGURE_ARGS+= --enable-password-save
+.else
+CONFIGURE_ARGS+= --disable-password-save
+.endif
+
+.if ${PORT_OPTIONS:MPKCS11}
+LIB_DEPENDS+= pkcs11-helper:${PORTSDIR}/security/pkcs11-helper
+.else
+CONFIGURE_ARGS+= --disable-pkcs11
+.endif
+
+post-patch:
+ @${FIND} ${WRKSRC}/easy-rsa/?.0 -type f \
+ -exec ${REINPLACE_CMD} -e 's;#!/bin/bash;#!/bin/sh;' \
+ -e 's,source ./vars,. ./vars,' \{\} +
+ @${FIND} ${WRKSRC}/plugin -name Makefile \
+ -exec ${REINPLACE_CMD} -e 's;gcc;${CC};g' '{}' +
+ @${FIND} ${WRKSRC} \( -name \*.orig -o -name \*.bak \) -delete
+
+pre-configure:
+.ifdef (LOG_OPENVPN)
+ @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
+.else
+ @${ECHO} ""
+ @${ECHO} "You may use the following build options:"
+ @${ECHO} ""
+ @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
+ @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_DAEMON"
+ @${ECHO} ""
+.endif
+
+post-build:
+ cd ${WRKSRC}/plugin/down-root && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${_MAKE_JOBS} ${MAKE_ARGS}
+ cd ${WRKSRC}/plugin/auth-pam && ${CC} ${CPPFLAGS} -I../.. -DDLOPEN_PAM=0 ${CFLAGS} -fPIC -shared -Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.c pamdl.c -lc -lpam
+ @# self-tests here
+.if !defined(WITHOUT_CHECK)
+ @${ECHO} ; ${ECHO} "### Note that you can skip these lengthy selftests with WITHOUT_CHECK=yes ###" ; ${ECHO}
+ cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${_MAKE_JOBS} ${MAKE_ARGS} check
+.endif
+
+post-install:
+ ${MKDIR} ${PREFIX}/lib
+ ${INSTALL_PROGRAM} ${WRKSRC}/plugin/down-root/openvpn-down-root.so ${PREFIX}/lib/
+ ${INSTALL_PROGRAM} ${WRKSRC}/plugin/auth-pam/openvpn-auth-pam.so ${PREFIX}/lib/
+.if ${PORT_OPTIONS:MDOCS}
+ ${MKDIR} ${DOCSDIR}
+ ${INSTALL_DATA} ${WRKSRC}/plugin/down-root/README ${DOCSDIR}/README.openvpn-down-root
+ ${INSTALL_DATA} ${WRKSRC}/plugin/auth-pam/README ${DOCSDIR}/README.openvpn-auth-pam
+.for docs in AUTHORS COPYING COPYRIGHT.GPL ChangeLog INSTALL \
+ PORTS README
+ ${INSTALL_DATA} ${WRKSRC}/${docs} ${DOCSDIR}/
+.endfor
+.for dir in easy-rsa easy-rsa/1.0 easy-rsa/2.0 sample-config-files
+ ${MKDIR} ${DOCSDIR}/${dir}
+ ${FIND} ${WRKSRC}/${dir}/ -maxdepth 1 -type f -exec ${INSTALL_DATA} \{\} ${DOCSDIR}/${dir} \;
+.endfor
+.for dir in sample-scripts
+ ${MKDIR} ${DOCSDIR}/${dir}
+ ${FIND} ${WRKSRC}/${dir}/ -maxdepth 1 -type f -exec ${INSTALL_SCRIPT} \{\} ${DOCSDIR}/${dir} \;
+.endfor
+.else
+ -@${RMDIR} ${DOCSDIR}
+.endif
+ @${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
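Review bot: Nothing in this new Makefile says that it is the 2.2.2 state of security/openvpn kept alongside the 2.3.0 port, or why it starts at `PORTREVISION= 1`. A short comment under the header would record that, such as `# OpenVPN 2.2.x, retained for users who cannot move to security/openvpn (2.3) yet; PORTREVISION bumped for patch-socket.h and patch-syshead.h`. The stated reason for the bump is inferred from the files this commit adds and should be confirmed. The `-@${RMDIR} ${DOCSDIR}` line in post-install also deserves a comment on why its failure is ignored.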
diff --git a/security/openvpn22/distinfo b/security/openvpn22/distinfo
new file mode 100644
index 000000000000..a9bca63e4151
--- /dev/null
+++ b/security/openvpn22/distinfo
@@ -0,0 +1,2 @@
+SHA256 (openvpn-2.2.2.tar.xz) = a694b9f661a0db30c048c94a4b4fc63d1460aea4dbc504a4f233f3c15997f4cd
+SIZE (openvpn-2.2.2.tar.xz) = 649356
diff --git a/security/openvpn22/files/openvpn.in b/security/openvpn22/files/openvpn.in
new file mode 100644
index 000000000000..f4f1dbdbb7ad
--- /dev/null
+++ b/security/openvpn22/files/openvpn.in
@@ -0,0 +1,125 @@
+#!/bin/sh
+#
+# openvpn.sh - load tun/tap driver and start OpenVPN daemon
+#
+# (C) Copyright 2005 - 2008, 2010 by Matthias Andree
+# based on suggestions by Matthias Grimm and Dirk Gouders
+# with multi-instance contribution from Denis Shaposhnikov, Gleb Kozyrev
+# and Vasil Dimov
+# softrestart feature suggested by Nick Hibma
+#
+# $FreeBSD$
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, write to the Free Software Foundation, Inc., 51 Franklin
+# Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# PROVIDE: openvpn
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+
+# -----------------------------------------------------------------------------
+#
+# This script supports running multiple instances of openvpn.
+# To run additional instances link this script to something like
+# % ln -s openvpn openvpn_foo
+# and define additional openvpn_foo_* variables in one of
+# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/openvpn_foo
+#
+# Below NAME should be substituted with the name of this script. By default
+# it is openvpn, so read as openvpn_enable. If you linked the script to
+# openvpn_foo, then read as openvpn_foo_enable etc.
+#
+# The following variables are supported (defaults are shown).
+# You can place them in any of
+# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/NAME
+#
+# NAME_enable="NO" # set to YES to enable openvpn
+# NAME_if= # driver(s) to load, set to "tun", "tap" or "tun tap"
+# # it is OK to specify the if_ prefix.
+#
+# # optional:
+# NAME_flags= # additional command line arguments
+# NAME_configfile="%%PREFIX%%/etc/openvpn/NAME.conf" # --config file
+# NAME_dir="%%PREFIX%%/etc/openvpn" # --cd directory
+#
+# You also need to set NAME_configfile and NAME_dir, if the configuration
+# file and directory where keys and certificates reside differ from the above
+# settings.
+#
+# Note that we deliberately refrain from unloading drivers.
+#
+# For further documentation, please see openvpn(8).
+#
+
+. /etc/rc.subr
+
+case "$0" in
+/etc/rc*)
+ # during boot (shutdown) $0 is /etc/rc (/etc/rc.shutdown),
+ # so get the name of the script from $_file
+ name="$_file"
+ ;;
+*)
+ name="$0"
+ ;;
+esac
+
+name="${name##*/}"
+rcvar=${name}_enable
+
+stop_postcmd()
+{
+ rm -f "$pidfile" || warn "Could not remove $pidfile."
+}
+
+softrestart()
+{
+ sig_reload=USR1 run_rc_command reload
+ exit $?
+}
+
+# reload: support SIGHUP to reparse configuration file
+# softrestart: support SIGUSR1 to reconnect without superuser privileges
+extra_commands="reload softrestart"
+softrestart_cmd="softrestart"
+
+# pidfile
+pidfile="/var/run/${name}.pid"
+
+# command and arguments
+command="%%PREFIX%%/sbin/openvpn"
+
+# run this last
+stop_postcmd="stop_postcmd"
+
+load_rc_config ${name}
+
+eval ": \${${name}_enable:=\"NO\"}"
+eval ": \${${name}_configfile:=\"%%PREFIX%%/etc/openvpn/${name}.conf\"}"
+eval ": \${${name}_dir:=\"%%PREFIX%%/etc/openvpn\"}"
+
+configfile="$(eval echo \${${name}_configfile})"
+dir="$(eval echo \${${name}_dir})"
+interfaces="$(eval echo \${${name}_if})"
+
+required_modules=
+for i in $interfaces ; do
+ required_modules="$required_modules${required_modules:+" "}if_${i#if_}"
+done
+
+required_files=${configfile}
+
+command_args="--cd ${dir} --daemon ${name} --config ${configfile} --writepid ${pidfile}"
+
+run_rc_command "$1"
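Review bot: `name` is taken from `$0` or `$_file` and then expanded inside several `eval` strings (`eval ": \${${name}_enable:=\"NO\"}"` and the three `eval echo` lines) without any check on its characters. The multi-instance setup relies on symlinks such as `openvpn_foo`, so a link name containing anything other than letters, digits and underscores yields an invalid variable name at best and is evaluated by a root shell at worst. A guard right after `name="${name##*/}"`, for example `case "$name" in *[!A-Za-z0-9_]*) err 1 "unsupported script name: $name" ;; esac`, keeps the eval input well-formed. `command_args` also expands `${dir}` and `${configfile}` unquoted, so paths containing whitespace will be split into separate arguments.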
diff --git a/security/openvpn/files/patch-selftest-ports b/security/openvpn22/files/patch-selftest-ports
index 5e195261eecb..5e195261eecb 100644
--- a/security/openvpn/files/patch-selftest-ports
+++ b/security/openvpn22/files/patch-selftest-ports
diff --git a/security/openvpn22/files/patch-socket.h b/security/openvpn22/files/patch-socket.h
new file mode 100644
index 000000000000..657069e17c3c
--- /dev/null
+++ b/security/openvpn22/files/patch-socket.h
@@ -0,0 +1,11 @@
+--- ./socket.h.orig 2011-12-13 17:58:56.000000000 +0100
++++ ./socket.h 2013-01-11 21:50:11.000000000 +0100
+@@ -225,7 +225,7 @@
+
+ #if PASSTOS_CAPABILITY
+ /* used to get/set TOS. */
+- uint8_t ptos;
++ int ptos;
+ bool ptos_defined;
+ #endif
+
diff --git a/security/openvpn22/files/patch-syshead.h b/security/openvpn22/files/patch-syshead.h
new file mode 100644
index 000000000000..8f050287569f
--- /dev/null
+++ b/security/openvpn22/files/patch-syshead.h
@@ -0,0 +1,16 @@
+Work around "missing" TCP_NODELAY,
+obtained from: http://community.openvpn.net/openvpn/ticket/158
+
+--- ./syshead.h.orig 2012-11-22 13:07:51.000000000 +0100
++++ ./syshead.h 2013-01-11 21:30:07.000000000 +0100
+@@ -298,6 +298,10 @@
+ #include <netinet/ip.h>
+ #endif
+
++#ifdef HAVE_NETINET_TCP_H
++#include <netinet/tcp.h>
++#endif
++
+ #ifdef HAVE_NET_IF_TUN_H
+ #include <net/if_tun.h>
+ #endif
diff --git a/security/openvpn/files/patch-t_cltsrv.sh b/security/openvpn22/files/patch-t_cltsrv.sh
index fbb05b3bd162..fbb05b3bd162 100644
--- a/security/openvpn/files/patch-t_cltsrv.sh
+++ b/security/openvpn22/files/patch-t_cltsrv.sh
diff --git a/security/openvpn22/files/pkg-message.in b/security/openvpn22/files/pkg-message.in
new file mode 100644
index 000000000000..57da107dbe67
--- /dev/null
+++ b/security/openvpn22/files/pkg-message.in
@@ -0,0 +1,7 @@
+### ------------------------------------------------------------------------
+### Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
+### startup. See %%PREFIX%%/etc/rc.d/openvpn for details.
+### ------------------------------------------------------------------------
+### For compatibility notes when interoperating with older OpenVPN
+### versions, please, see <http://openvpn.net/relnotes.html>
+### ------------------------------------------------------------------------
diff --git a/security/openvpn22/pkg-descr b/security/openvpn22/pkg-descr
new file mode 100644
index 000000000000..751e62d362d1
--- /dev/null
+++ b/security/openvpn22/pkg-descr
@@ -0,0 +1,7 @@
+OpenVPN is a robust, scalable and highly configurable VPN (Virtual Private
+Network) daemon which can be used to securely link two or more private networks
+using an encrypted tunnel over the internet. It can operate over UDP or TCP,
+can use SSL or a pre-shared secret to authenticate peers, and in SSL mode, one
+server can handle many clients.
+
+WWW: http://openvpn.net/index.php/open-source.html
diff --git a/security/openvpn22/pkg-plist b/security/openvpn22/pkg-plist
new file mode 100644
index 000000000000..7200816ad93e
--- /dev/null
+++ b/security/openvpn22/pkg-plist
@@ -0,0 +1,81 @@
+sbin/openvpn
+lib/openvpn-auth-pam.so
+lib/openvpn-down-root.so
+%%PORTDOCS%%%%DOCSDIR%%/AUTHORS
+%%PORTDOCS%%%%DOCSDIR%%/COPYING
+%%PORTDOCS%%%%DOCSDIR%%/COPYRIGHT.GPL
+%%PORTDOCS%%%%DOCSDIR%%/ChangeLog
+%%PORTDOCS%%%%DOCSDIR%%/INSTALL
+%%PORTDOCS%%%%DOCSDIR%%/PORTS
+%%PORTDOCS%%%%DOCSDIR%%/README
+%%PORTDOCS%%%%DOCSDIR%%/README.openvpn-auth-pam
+%%PORTDOCS%%%%DOCSDIR%%/README.openvpn-down-root
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/README
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-ca
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-dh
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-inter
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-key
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-key-pass
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-key-pkcs12
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-key-server
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-req
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/build-req-pass
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/clean-all
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/list-crl
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/make-crl
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/openssl.cnf
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/revoke-crt
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/revoke-full
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/sign-req
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/1.0/vars
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/Makefile
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/README
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-ca
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-dh
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-inter
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-pass
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-pkcs12
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-server
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-req
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-req-pass
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/clean-all
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/inherit-inter
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/list-crl
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/openssl-0.9.6.cnf
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/openssl-0.9.8.cnf
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/openssl-1.0.0.cnf
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/pkitool
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/revoke-full
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/sign-req
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/vars
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/whichopensslcnf
+%%PORTDOCS%%%%DOCSDIR%%/management-notes.txt
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/README
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/client.conf
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/firewall.sh
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/home.up
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/loopback-client
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/loopback-server
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/office.up
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/openvpn-shutdown.sh
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/openvpn-startup.sh
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/server.conf
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/static-home.conf
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/static-office.conf
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/tls-home.conf
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/tls-office.conf
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/xinetd-client-config
+%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/xinetd-server-config
+%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/auth-pam.pl
+%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/bridge-start
+%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/bridge-stop
+%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/openvpn.init
+%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/ucn.pl
+%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/verify-cn
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/sample-scripts
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/sample-config-files
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/easy-rsa/2.0
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/easy-rsa/1.0
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/easy-rsa
+%%PORTDOCS%%@dirrm %%DOCSDIR%%