-rw-r--r--security/openvpn/Makefile8
-rw-r--r--security/openvpn/files/extra-patch-fix-subnet90
2 files changed, 96 insertions, 2 deletions
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index 3368a096b68a..b16360401078 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -3,6 +3,7 @@
PORTNAME= openvpn
DISTVERSION= 2.3.13
+PORTREVISION= 1
CATEGORIES= security net
MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \
http://build.openvpn.net/downloads/releases/
@@ -31,8 +32,8 @@ LDFLAGS+= -L${LOCALBASE}/lib
CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
- TUNNELBLICK TEST
-OPTIONS_DEFAULT= EASYRSA OPENSSL TEST
+ TUNNELBLICK TEST FIXSUBNET
+OPTIONS_DEFAULT= EASYRSA OPENSSL TEST FIXSUBNET
OPTIONS_SINGLE= SSL
OPTIONS_SINGLE_SSL= OPENSSL POLARSSL
# The following feature is always enabled since 2.3.9 and no longer optional.
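Review bot: FIXSUBNET is added to OPTIONS_DEFAULT here while its description in the next hunk labels it "(experimental)", so every default build ships the cherry-picked tun.c change without the user opting in, and the two statements contradict each other. Either the description should say the fix is considered safe for the default package (e.g. `FIXSUBNET_DESC= Fix 'topology subnet' routing on FreeBSD 11 (upstream 446ef5b)`), or the option should be left out of OPTIONS_DEFAULT until it has had wider testing. The PORTREVISION bump in the first hunk does correctly cover the changed default package either way.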
@@ -42,6 +43,7 @@ EASYRSA_DESC= Install security/easy-rsa RSA helper package
POLARSSL_DESC= SSL/TLS via mbedTLS 1.3.X (not 2.x)
TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!)
X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only)
+FIXSUBNET_DESC= Enable 'topology subnet' fix (experimental)
EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa
@@ -50,6 +52,8 @@ PKCS11_CONFIGURE_ENABLE= pkcs11
TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch
+FIXSUBNET_EXTRA_PATCHES= ${FILESDIR}/extra-patch-fix-subnet
+
X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
X509ALTUSERNAME_PREVENTS= POLARSSL
diff --git a/security/openvpn/files/extra-patch-fix-subnet b/security/openvpn/files/extra-patch-fix-subnet
new file mode 100644
index 000000000000..4f95dac692f2
--- /dev/null
+++ b/security/openvpn/files/extra-patch-fix-subnet
@@ -0,0 +1,90 @@
+commit 446ef5bda4cdc75d4cb955e274846faff0181fd3
+Author: Gert Doering <gert@greenie.muc.de>
+Date: Tue Nov 8 13:45:06 2016 +0100
+
+ Repair topology subnet on FreeBSD 11
+
+ We used to add "route for this subnet" by using our own address as
+ the gateway address, which used to mean "connected to the interface,
+ no gateway". FreeBSD commit 293159 changed the kernel side of that
+ assumption so "my address" is now always bound to "lo0" - thus, our
+ subnet route also ended up pointing to "lo0", breaking connectivity
+ for all hosts in the subnet except the one we used as "remote".
+
+ commit 60fd44e501f200 already introduced a "remote address" we use
+ for the "ifconfig tunX <us> <remote>" part - extend that to be used
+ as gateway address for the "tunX subnet" as well, and things will
+ work more robustly.
+
+ Tested on FreeBSD 11.0-RELEASE and 7.4-RELEASE (client and server)
+ (this particular issue is not present before 11.0, but "adding the
+ subnet route" never worked right, not even in 7.4 - 11.0 just made
+ the problem manifest more clearly)
+
+ Trac #425
+ URL: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207831
+
+ Signed-off-by: Gert Doering <gert@greenie.muc.de>
+ Acked-by: Steffan Karger <steffan.karger@fox-it.com>
+ Message-Id: <20161108124506.32559-1-gert@greenie.muc.de>
+ URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12950.html
+ Signed-off-by: Gert Doering <gert@greenie.muc.de>
+ (cherry picked from commit a433b3813d8c38b491d2baa7b433973f2d6cd7c6)
+
+diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
+index 11027dd..9bb586d 100644
+--- ./src/openvpn/tun.c
++++ ./src/openvpn/tun.c
+@@ -635,8 +635,8 @@ void delete_route_connected_v6_net(struct tuntap * tt,
+ * is still point to point and no layer 2 resolution is done...
+ */
+
+-const char *
+-create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc )
++in_addr_t
++create_arbitrary_remote( struct tuntap *tt )
+ {
+ in_addr_t remote;
+
+@@ -644,7 +644,7 @@ create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc )
+
+ if ( remote == tt->local ) remote ++;
+
+- return print_in_addr_t (remote, 0, gc);
++ return remote;
+ }
+ #endif
+
+@@ -1126,6 +1126,8 @@ do_ifconfig (struct tuntap *tt,
+
+ #elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
+
++ in_addr_t remote_end; /* for "virtual" subnet topology */
++
+ /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
+ if (tun)
+ argv_printf (&argv,
+@@ -1138,12 +1140,13 @@ do_ifconfig (struct tuntap *tt,
+ );
+ else if ( tt->topology == TOP_SUBNET )
+ {
++ remote_end = create_arbitrary_remote( tt );
+ argv_printf (&argv,
+ "%s %s %s %s mtu %d netmask %s up",
+ IFCONFIG_PATH,
+ actual,
+ ifconfig_local,
+- create_arbitrary_remote( tt, &gc ),
++ print_in_addr_t (remote_end, 0, &gc),
+ tun_mtu,
+ ifconfig_remote_netmask
+ );
+@@ -1170,7 +1173,7 @@ do_ifconfig (struct tuntap *tt,
+ r.flags = RT_DEFINED;
+ r.network = tt->local & tt->remote_netmask;
+ r.netmask = tt->remote_netmask;
+- r.gateway = tt->local;
++ r.gateway = remote_end;
+ add_route (&r, tt, 0, NULL, es);
+ }
+
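Review bot: `remote_end` is declared without an initializer at the top of the FreeBSD/DragonFly branch of do_ifconfig and is assigned only inside the `tt->topology == TOP_SUBNET` ifconfig branch, yet the last hunk reads it for `r.gateway`; whether that read sits under the same topology check is not visible here, since the route block's enclosing condition and do_ifconfig itself start and end outside the hunk. If the guard is present the code is correct but still likely to trip -Wmaybe-uninitialized, so initializing at the declaration, `in_addr_t remote_end = 0; /* for "virtual" subnet topology */`, makes the intent explicit at no cost. The change of create_arbitrary_remote from `const char *` to `in_addr_t` also drops the gc parameter, and no header change appears in this patch, so confirm there is no separate prototype or other caller that still expects the string form. As this file is a cherry-pick of an upstream commit, any such adjustment is better carried upstream than kept only in the port's local patch.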