15 files changed, 739 insertions, 0 deletions
diff --git a/net-misc/openvpn/Manifest b/net-misc/openvpn/Manifest
new file mode 100644
index 00000000..4c4ace65
--- /dev/null
+++ b/net-misc/openvpn/Manifest
@@ -0,0 +1,15 @@
+AUX 2.3.6-disable-compression.patch 579 SHA256 644068d1925a7b2866a4afaef15ebb27f5bbf1b55eed0894d34f7603c230bd9a SHA512 56acdd4716df4f6a0367fd583296718e30d3fa4b6b129159f61f913eba97769943a2354e9b51572314a206f68a20def091a89aec12bc942d94b05369128d3a97 WHIRLPOOL 1fb293d49f63a75cb772c262d9a55a6cb00be0f154387bf4fb3e9be1602038bd70348fad5f1a2b714fa7b45cbcd36a4db2c6f1441f3a00aff7d51732b3629708
+AUX 2.3.6-musl-compat.patch 433 SHA256 5837eef6d66b56ce9c0cb5fe93dac1a27900c085ab8a2e295c5a7b8fcae52e60 SHA512 ef002c1bff131924d8ca1ee41f10c3f274788c85fa122d2b9839bb571579fa836f1bcf865bcb8b825db21681ea7dd9290d796f7005690a2070f32439da105e0f WHIRLPOOL 482e1717c27b89ebd3d2294eea16d588a892ef984e947c0a06eb9c4924247af4a81f4877d6cd89d65840ff28ac8badd4bf5d7ee7b44889b4b8e465d3be1ca8fa
+AUX 2.3.6-null-cipher.patch 1531 SHA256 a3f8ac3630c9887d18d21e0ac9781d615cf8dff277c070306b36c5d0faa8a1ac SHA512 0aa288af3c0b43977bf84b099ea28dbf7ab9a1096d76e8f706989570984c70a4c298430eac35b0c80eab8bc05e6072d965c20a9e3689e7448e759abb92c93fb2 WHIRLPOOL cbefb2a1b6d63373890a76d3a6153335f8d05b07e4546893e7a8871c653d39f06941615181308fbf41a07cf702b2a730dfacc6a01840efdbfbeaf301a58362bb
+AUX 65openvpn 45 SHA256 d5758e39fdc75dcbb5a788b1afa743c3c1f08c63c535aa32c300b965474d765c SHA512 713345092b60d1322d3fa96fd72d69ed82dbfee5031a675114bc60acfdacaf0811f6bf4530cf937ca5a86b3f2665b28951b9087ec91c2c0faf75bdaf1e25bdbb WHIRLPOOL 534e7dcf2ac953e9ec5de05810022471cb26a16806cd036f25d02550e20f8aaa91410bd005bc7a5e4a549d8a40d01ae317be1d1e1e25d91ed989bbbea7ede9d2
+AUX down.sh 943 SHA256 39debebcd8c899f20e6d355cbc8eaab46e28b83a9f6c33a94c065688a4f3d2c7 SHA512 5defd61edf11cc63f3f8f60bef7fa730c4bcdd2545d664bd94666dd3aea80bd9d190263d8835a555e4287a594f6fce0f52426aed49c60233ff637a2a6164a997 WHIRLPOOL c66fd1e016656fe83d7f55b77bf232058397f9cd3054abe13ec006c227afe6746ee4ada310ff43761ec95510f736b8e542f136711d648642eecafe055975c57e
+AUX openvpn-2.1.conf 892 SHA256 330149a83684ddabe413d134d4c8efad4c88b18c2ab67165014deff5f7fffad2 SHA512 982ade883afbe2e656a9cbbe36c31c0e8b4f7bbbe5b63df9f7b834f02a9153032fb7445c85d3e91f62c68a7ddd13c3afbf420fb71cdd13d9c4b69f867bdd9f37 WHIRLPOOL 6ef644826e1e9e2a100e0fa20b5c9190e92c9e08a366dee28dccf3f70fa0593f3c4d271e42db3920630f03704aa2aef8e84d9efbb2b4b6a0d08e74bb340fb0a5
+AUX openvpn-2.1.init 4186 SHA256 d1b1f8a00935d77521bceb62535350444df3470fa45f4d33c3934051a1bb595b SHA512 7ecd0b4dc7341ea0df598752bec8ae6011bea7973ed9dbf17a12c308aed46362e1507fcb3a3bb26049619747f2f819deec1a42c6dce2c13d2a769f1e37735a2f WHIRLPOOL 9d34c438b7d9e45678e2aa48ab42a68b9e2801423688c6280cbb4934a8ef04cbf8a7953a061659f57fb02adf535596ac9313268c29e2dc18cffbf7315681da82
+AUX openvpn.init 1486 SHA256 c4b9e0899fa5ee0b90c5100da7711dc7a6a5658f10042b0feda9e7efb90a11cf SHA512 450595b9ec82ded74c26ed9f73182122e05f53655262a342b195dcedfe63a06a5d9927a3bbe50d0d04f810cc786ac3eb78843877f426c893e165b967bc8ac012 WHIRLPOOL e549221283b4b92c9ada312a746c4ad4c645493c1c844ddaddefecee4c31e17bd4bd8555618408e065c83143e157aaf7e75b44f01abe43f507835df2aa1149d3
+AUX openvpn.service 335 SHA256 a63a6e1505f2b3e20f2c82588dd0c23da9d8c750e1f36fec2ba20a8b5b0c9de1 SHA512 fbd41b80253aaae6750301ac95d8b3bf09e3a70556cc0513792c8e06faa70a716233d134d4928295f381f0f235fcde0eeac9cfa074924b6666a4b46ff7cf91a9 WHIRLPOOL 16f44d10ab03110a21a69716fbac2e64e5376426edd26783d7946d928dd0cc106810126436488843da8e16277d3aa83d208fe50c4aebd9cff86526ce1762b215
+AUX openvpn.tmpfile 39 SHA256 ef3453056a26487d27908d5ced124285403d8e88deb843fccdba9f6724966826 SHA512 659713b35eee340f2b6578796f4335dda391aa635892e802e3f2531f31c9470460b4e4b3be45457f81f3b08b7d60ce15d16f8d70b968fbf24f846ef5f8611a58 WHIRLPOOL 19e4611ffda68a99851921ccaf3a99d04350cd3e0d8833136da151119c267edc383ff96162aa47a2f77171ae908ad011e4119a7a18961ed0bddcbf38d997b976
+AUX up.sh 2865 SHA256 d887ee065261affd849227fa27e092cf66549d824a698f302312d15f787dd840 SHA512 35201b0e60ad20358080007e595eb4f96d186ba8e88f0485c55d164c28e3d78a12f3e09347ba3d76abb9b8b03fb4a53664bd74ab484be1548090022b956925fd WHIRLPOOL 8d25a66d192a6710466d149aec7a1719dfe91558205e8ba7e25b93e58869c8fedc96ba4ce2aedb0595b7e0b63299e6e41be1ba82c6b93ae6bbbb26d409c9bf51
+DIST openvpn-2.3.6.tar.gz 1213272 SHA256 7baed2ff39c12e1a1a289ec0b46fcc49ff094ca58b8d8d5f29b36ac649ee5b26 SHA512 70e0045ea41f6588769ab8b98d8f550b69148adbf7fedcdc36900e25950df43379950492652e243ec6e7965bf9c7dcc86a56ba5dfdc44523aaa81cfc508b1c6e WHIRLPOOL 737f2d1d69ee1c7700d5cd5a4e7d5d1b2f55d8b2229f7c2565fcb8c731ebb719ec8d6bad3b76f763f36e5c70c6e40a666db3508f3024f8e4637c0659061dba48
+EBUILD openvpn-2.3.6-r99.ebuild 4426 SHA256 3f1264eced8d351e4e179b1d7b7522e8c1e3d440b3a608d914d8fe99d4f2ab79 SHA512 0fa7ea5f00d81d83a26b88ff4e7a8944357c85d1df023b76857b53a4b486b926c51efe73082ecc0b0c9d4dd17ae90ebbe02798493f494db95458bf1021b681df WHIRLPOOL 47500eb883a0e077f4a249570c4ebaab0fa033d9051f1e56a0c0d36e97023320ef77f889a9ce81e7a81ca06a4ca7aca826433394c04181f22b19944c532f27b2
+EBUILD openvpn-9999.ebuild 3941 SHA256 ef975ee9157e25b16aa4c59144b1fc0814c67def458a71e5166c70e7c41e5081 SHA512 7030ee666c7372b86a198f3780797a4253baed6e61e4bbb3f1bb166b95268b4ee00992c770c689ab6bb9326eb2d66a6c52cec65739e887ef39e6da1da6ce49b6 WHIRLPOOL 174bee3dc113263b7ebc24048613cc3039cd49f52cee4c9eff55d80d9436cead408d3c09cb6dad1318a4812fb00f7eb22b286f329499346240db2f38a066b2ff
+MISC metadata.xml 937 SHA256 3dfcc28012f2c92f044882c39d56b6ef82bb80749ce688b75d526cc6c8836dd3 SHA512 ad3f218ccc64249fda19d87fe79494280eb880841f2d1e69757e7093e62b446f273fecd074ccac02c28894924b02d6a9c9fbbc1bd12ab13493f7f77e50e5b1ce WHIRLPOOL 65bf683e35f44c306c9ed3297cd954eb490f658f97a2d03af2cba0484030b1eccdf401fdc867a5c35a602bd67bf7052d555c2a48b7bebb4469158e26a530a742
diff --git a/net-misc/openvpn/files/2.3.6-disable-compression.patch b/net-misc/openvpn/files/2.3.6-disable-compression.patch
new file mode 100644
index 00000000..d9d1c764
--- /dev/null
+++ b/net-misc/openvpn/files/2.3.6-disable-compression.patch
@@ -0,0 +1,18 @@
+https://community.openvpn.net/openvpn/changeset/5d5233778868ddd568140c394adfcfc8e3453245/
+
+--- openvpn-2.3.6/src/openvpn/ssl_openssl.c.orig	2014-11-29 23:00:35.000000000 +0800
++++ openvpn-2.3.6/src/openvpn/ssl_openssl.c	2015-01-12 21:14:30.186993686 +0800
+@@ -238,6 +238,13 @@
+     if (tls_ver_min > TLS_VER_1_2 || tls_ver_max < TLS_VER_1_2)
+       sslopt |= SSL_OP_NO_TLSv1_2;
+ #endif
++
++#ifdef SSL_OP_NO_COMPRESSION
++    msg (M_WARN, "[Workaround] disable SSL compression");
++    sslopt |= SSL_OP_NO_COMPRESSION;
++#endif
++
++
+     SSL_CTX_set_options (ctx->ctx, sslopt);
+   }
+ 
diff --git a/net-misc/openvpn/files/2.3.6-musl-compat.patch b/net-misc/openvpn/files/2.3.6-musl-compat.patch
new file mode 100644
index 00000000..9b1289b8
--- /dev/null
+++ b/net-misc/openvpn/files/2.3.6-musl-compat.patch
@@ -0,0 +1,14 @@
+diff -Naur openvpn-2.3.6.orig/src/openvpn/syshead.h openvpn-2.3.6/src/openvpn/syshead.h
+--- openvpn-2.3.6.orig/src/openvpn/syshead.h	2014-11-29 16:00:35.000000000 +0100
++++ openvpn-2.3.6/src/openvpn/syshead.h	2015-05-08 00:42:34.171634884 +0200
+@@ -214,10 +214,6 @@
+ 
+ #ifdef TARGET_LINUX
+ 
+-#if defined(HAVE_NETINET_IF_ETHER_H)
+-#include <netinet/if_ether.h>
+-#endif
+-
+ #ifdef HAVE_LINUX_IF_TUN_H
+ #include <linux/if_tun.h>
+ #endif
diff --git a/net-misc/openvpn/files/2.3.6-null-cipher.patch b/net-misc/openvpn/files/2.3.6-null-cipher.patch
new file mode 100644
index 00000000..1e831cfa
--- /dev/null
+++ b/net-misc/openvpn/files/2.3.6-null-cipher.patch
@@ -0,0 +1,46 @@
+The "really fix cipher none" patch has been merged to release/2.3 and master:
+
+commit 785838614afc20d362b64907b0212e9a779e2287 (release/2.3)
+commit 98156e90e1e83133a6a6a020db8e7333ada6156b (master)
+
+diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
+index 8749878..4e45df0 100644
+--- a/src/openvpn/crypto_backend.h
++++ b/src/openvpn/crypto_backend.h
+@@ -237,8 +237,7 @@ int cipher_kt_mode (const cipher_kt_t *cipher_kt);
+  *
+  * @return		true iff the cipher is a CBC mode cipher.
+  */
+-bool cipher_kt_mode_cbc(const cipher_kt_t *cipher)
+-  __attribute__((nonnull));
++bool cipher_kt_mode_cbc(const cipher_kt_t *cipher);
+ 
+ /**
+  * Check if the supplied cipher is a supported OFB or CFB mode cipher.
+@@ -247,8 +246,7 @@ bool cipher_kt_mode_cbc(const cipher_kt_t *cipher)
+  *
+  * @return		true iff the cipher is a OFB or CFB mode cipher.
+  */
+-bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
+-  __attribute__((nonnull));
++bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher);
+ 
+ 
+ /**
+diff --git a/tests/t_lpback.sh b/tests/t_lpback.sh
+index 8f88ad9..d7792cd 100755
+--- a/tests/t_lpback.sh
++++ b/tests/t_lpback.sh
+@@ -35,6 +35,9 @@ CIPHERS=$(${top_builddir}/src/openvpn/openvpn --show-ciphers | \
+ # GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5)
+ CIPHERS=$(echo "$CIPHERS" | egrep -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)' )
+ 
++# Also test cipher 'none'
++CIPHERS=${CIPHERS}$(printf "\nnone")
++
+ "${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$
+ set +e
+ 
+-- 
+1.9.1
+
diff --git a/net-misc/openvpn/files/65openvpn b/net-misc/openvpn/files/65openvpn
new file mode 100644
index 00000000..4ddb0343
--- /dev/null
+++ b/net-misc/openvpn/files/65openvpn
@@ -0,0 +1 @@
+CONFIG_PROTECT="/usr/share/openvpn/easy-rsa"
diff --git a/net-misc/openvpn/files/down.sh b/net-misc/openvpn/files/down.sh
new file mode 100755
index 00000000..1c70db0e
--- /dev/null
+++ b/net-misc/openvpn/files/down.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+
+# If we have a service specific script, run this now
+if [ -x /etc/openvpn/"${SVCNAME}"-down.sh ] ; then
+	/etc/openvpn/"${SVCNAME}"-down.sh "$@"
+fi
+
+# Restore resolv.conf to how it was
+if [ "${PEER_DNS}" != "no" ]; then
+	if [ -x /sbin/resolvconf ] ; then
+		/sbin/resolvconf -d "${dev}"
+	elif [ -e /etc/resolv.conf-"${dev}".sv ] ; then
+		# Important that we copy instead of move incase resolv.conf is
+		# a symlink and not an actual file
+		cp /etc/resolv.conf-"${dev}".sv /etc/resolv.conf
+		rm -f /etc/resolv.conf-"${dev}".sv
+	fi
+fi
+
+if [ -n "${SVCNAME}" ]; then
+	# Re-enter the init script to start any dependant services
+	if /etc/init.d/"${SVCNAME}" --quiet status ; then
+		export IN_BACKGROUND=true
+		/etc/init.d/"${SVCNAME}" --quiet stop
+	fi
+fi
+
+exit 0
+
+# vim: ts=4 :
diff --git a/net-misc/openvpn/files/openvpn-2.1.conf b/net-misc/openvpn/files/openvpn-2.1.conf
new file mode 100644
index 00000000..72510c34
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn-2.1.conf
@@ -0,0 +1,18 @@
+# OpenVPN automatically creates an /etc/resolv.conf (or sends it to
+# resolvconf) if given DNS information by the OpenVPN server.
+# Set PEER_DNS="no" to stop this.
+PEER_DNS="yes"
+
+# OpenVPN can run in many modes. Most people will want the init script
+# to automatically detect the mode and try and apply a good default
+# configuration and setup scripts. However, there are cases where the
+# OpenVPN configuration looks like a client, but it's really a peer or
+# something else. DETECT_CLIENT controls this behaviour.
+DETECT_CLIENT="yes"
+
+# If DETECT_CLIENT is no and you have your own scripts to re-enter the openvpn
+# init script (ie, it first becomes "inactive" and the script then starts the
+# script again to make it "started") then you can state this below.
+# In other words, unless you understand service dependencies and are a
+# competent shell scripter, don't set this.
+RE_ENTER="no"
diff --git a/net-misc/openvpn/files/openvpn-2.1.init b/net-misc/openvpn/files/openvpn-2.1.init
new file mode 100755
index 00000000..d65e6f8b
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn-2.1.init
@@ -0,0 +1,133 @@
+#!/sbin/runscript
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+VPNDIR=${VPNDIR:-/etc/openvpn}
+VPN=${SVCNAME#*.}
+if [ -n "${VPN}" ] && [ ${SVCNAME} != "openvpn" ]; then
+	VPNPID="/var/run/openvpn.${VPN}.pid"
+else
+	VPNPID="/var/run/openvpn.pid"
+fi
+VPNCONF="${VPNDIR}/${VPN}.conf"
+
+depend() {
+	need localmount net
+	use dns
+	after bootmisc
+}
+
+checkconfig() {
+	# Linux has good dynamic tun/tap creation
+	if [ $(uname -s) = "Linux" ] ; then
+		if [ ! -e /dev/net/tun ]; then
+			if ! modprobe tun ; then
+				eerror "TUN/TAP support is not available" \
+					"in this kernel"
+				return 1
+			fi
+		fi
+		if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
+			ebegin "Detected broken /dev/net/tun symlink, fixing..."
+			rm -f /dev/net/tun
+			ln -s /dev/misc/net/tun /dev/net/tun
+			eend $?
+		fi
+		return 0
+	fi
+
+	# Other OS's don't, so we rely on a pre-configured interface
+	# per vpn instance
+	local ifname=$(sed -n -e 's/[[:space:]]*dev[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "${VPNCONF}")
+	if [ -z ${ifname} ] ; then
+		eerror "You need to specify the interface that this openvpn" \
+			"instance should use" \
+			"by using the dev option in ${VPNCONF}"
+		return 1
+	fi
+
+	if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then
+		# Try and create it
+		echo > /dev/"${ifname}" >/dev/null
+	fi
+	if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then
+		eerror "${VPNCONF} requires interface ${ifname}" \
+			"but that does not exist"
+		return 1
+	fi
+}
+
+start() {
+	# If we are re-called by the openvpn gentoo-up.sh script
+	# then we don't actually want to start openvpn
+	[ "${IN_BACKGROUND}" = "true" ] && return 0
+	
+	ebegin "Starting ${SVCNAME}"
+
+	checkconfig || return 1
+
+	local args="" reenter=${RE_ENTER:-no}
+	# If the config file does not specify the cd option, we do
+	# But if we specify it, we override the config option which we do not want
+	if ! grep -q "^[ 	]*cd[ 	].*" "${VPNCONF}" ; then
+		args="${args} --cd ${VPNDIR}"
+	fi
+	
+	# We mark the service as inactive and then start it.
+	# When we get an authenticated packet from the peer then we run our script
+	# which configures our DNS if any and marks us as up.
+	if [ "${DETECT_CLIENT:-yes}" = "yes" ] && \
+	grep -q "^[ 	]*remote[ 	].*" "${VPNCONF}" ; then
+		reenter="yes"
+		args="${args} --up-delay --up-restart"
+		args="${args} --script-security 2"
+		args="${args} --up /etc/openvpn/up.sh"
+		args="${args} --down-pre --down /etc/openvpn/down.sh"
+
+		# Warn about setting scripts as we override them
+		if grep -Eq "^[ 	]*(up|down)[ 	].*" "${VPNCONF}" ; then
+			ewarn "WARNING: You have defined your own up/down scripts"
+			ewarn "As you're running as a client, we now force Gentoo specific"
+			ewarn "scripts to be run for up and down events."
+			ewarn "These scripts will call /etc/openvpn/${SVCNAME}-{up,down}.sh"
+			ewarn "where you can put your own code."
+		fi
+
+		# Warn about the inability to change ip/route/dns information when
+		# dropping privs
+		if grep -q "^[ 	]*user[ 	].*" "${VPNCONF}" ; then
+			ewarn "WARNING: You are dropping root privileges!"
+			ewarn "As such openvpn may not be able to change ip, routing"
+			ewarn "or DNS configuration."
+		fi
+	else
+		# So we're a server. Run as openvpn unless otherwise specified
+		grep -q "^[ 	]*user[ 	].*" "${VPNCONF}" || args="${args} --user openvpn"
+		grep -q "^[ 	]*group[ 	].*" "${VPNCONF}" || args="${args} --group openvpn"
+	fi
+
+	# Ensure that our scripts get the PEER_DNS variable
+	[ -n "${PEER_DNS}" ] && args="${args} --setenv PEER_DNS ${PEER_DNS}"
+
+	[ "${reenter}" = "yes" ] && mark_service_inactive "${SVCNAME}"
+	start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \
+		-- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon \
+		--setenv SVCNAME "${SVCNAME}" ${args}
+	eend $? "Check your logs to see why startup failed"
+}
+
+stop() {
+	# If we are re-called by the openvpn gentoo-down.sh script
+	# then we don't actually want to stop openvpn
+	if [ "${IN_BACKGROUND}" = "true" ] ; then
+		mark_service_inactive "${SVCNAME}"
+		return 0
+	fi
+
+	ebegin "Stopping ${SVCNAME}"
+	start-stop-daemon --stop --quiet \
+		--exec /usr/sbin/openvpn --pidfile "${VPNPID}"
+	eend $?
+}
+
+# vim: set ts=4 :
diff --git a/net-misc/openvpn/files/openvpn.init b/net-misc/openvpn/files/openvpn.init
new file mode 100644
index 00000000..489ab497
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn.init
@@ -0,0 +1,63 @@
+#!/sbin/runscript
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+VPNDIR="/etc/openvpn"
+VPN="${SVCNAME#*.}"
+if [ -n "${VPN}" ] && [ "${SVCNAME}" != "openvpn" ]; then
+	VPNPID="/var/run/openvpn.${VPN}.pid"
+else
+	VPNPID="/var/run/openvpn.pid"
+fi
+VPNCONF="${VPNDIR}/${VPN}.conf"
+
+depend() {
+	need localmount net
+	before netmount
+	after bootmisc
+}
+
+checktundevice() {
+	if [ ! -e /dev/net/tun ]; then
+		if ! modprobe tun ; then
+			eerror "TUN/TAP support is not available in this kernel"
+			return 1
+		fi
+	fi
+	if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
+		ebegin "Detected broken /dev/net/tun symlink, fixing..."
+		rm -f /dev/net/tun
+		ln -s /dev/misc/net/tun /dev/net/tun
+		eend $?
+	fi
+}
+
+start() {
+	ebegin "Starting ${SVCNAME}"
+
+	checktundevice || return 1
+
+	if [ ! -e "${VPNCONF}" ]; then
+		eend 1 "${VPNCONF} does not exist"
+		return 1
+	fi
+
+	local args=""
+	# If the config file does not specify the cd option, we do
+	# But if we specify it, we override the config option which we do not want
+	if ! grep -q "^[ 	]*cd[ 	].*" "${VPNCONF}" ; then
+		args="${args} --cd ${VPNDIR}"
+	fi
+
+	start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \
+		-- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon ${args}
+	eend $? "Check your logs to see why startup failed"
+}
+
+stop() {
+	ebegin "Stopping ${SVCNAME}"
+	start-stop-daemon --stop --exec /usr/sbin/openvpn --pidfile "${VPNPID}"
+	eend $?
+}
+
+# vim: ts=4
diff --git a/net-misc/openvpn/files/openvpn.service b/net-misc/openvpn/files/openvpn.service
new file mode 100644
index 00000000..358dcb79
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
+After=syslog.target network.target
+
+[Service]
+PrivateTmp=true
+Type=forking
+PIDFile=/var/run/openvpn/%i.pid
+ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-misc/openvpn/files/openvpn.tmpfile b/net-misc/openvpn/files/openvpn.tmpfile
new file mode 100644
index 00000000..d5fca71a
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn.tmpfile
@@ -0,0 +1 @@
+D /var/run/openvpn 0710 root openvpn -
diff --git a/net-misc/openvpn/files/up.sh b/net-misc/openvpn/files/up.sh
new file mode 100755
index 00000000..6ce82d61
--- /dev/null
+++ b/net-misc/openvpn/files/up.sh
@@ -0,0 +1,100 @@
+#!/bin/sh
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+
+# Setup our resolv.conf
+# Vitally important that we use the domain entry in resolv.conf so we
+# can setup the nameservers are for the domain ONLY in resolvconf if
+# we're using a decent dns cache/forwarder like dnsmasq and NOT nscd/libc.
+# nscd/libc users will get the VPN nameservers before their other ones
+# and will use the first one that responds - maybe the LAN ones?
+# non resolvconf users just the the VPN resolv.conf
+
+# FIXME:- if we have >1 domain, then we have to use search :/
+# We need to add a flag to resolvconf to say
+# "these nameservers should only be used for the listed search domains
+#  if other global nameservers are present on other interfaces"
+# This however, will break compatibility with Debians resolvconf
+# A possible workaround would be to just list multiple domain lines
+# and try and let resolvconf handle it
+
+min_route() {
+	local n=1
+	local m
+	local r
+
+	eval m="\$route_metric_$n"
+	while [ -n "${m}" ]; do
+		if [ -z "$r" ] || [ "$r" -gt "$m" ]; then
+			r="$m"
+		fi
+		n="$(($n+1))"
+		eval m="\$route_metric_$n"
+	done
+
+	echo "$r"
+}
+
+if [ "${PEER_DNS}" != "no" ]; then
+	NS=
+	DOMAIN=
+	SEARCH=
+	i=1
+	while true ; do
+		eval opt=\$foreign_option_${i}
+		[ -z "${opt}" ] && break
+		if [ "${opt}" != "${opt#dhcp-option DOMAIN *}" ] ; then
+			if [ -z "${DOMAIN}" ] ; then
+				DOMAIN="${opt#dhcp-option DOMAIN *}"
+			else
+				SEARCH="${SEARCH}${SEARCH:+ }${opt#dhcp-option DOMAIN *}"
+			fi
+		elif [ "${opt}" != "${opt#dhcp-option DNS *}" ] ; then
+			NS="${NS}nameserver ${opt#dhcp-option DNS *}\n"
+		fi
+		i=$((${i} + 1))
+	done
+
+	if [ -n "${NS}" ] ; then
+		DNS="# Generated by openvpn for interface ${dev}\n"
+		if [ -n "${SEARCH}" ] ; then
+			DNS="${DNS}search ${DOMAIN} ${SEARCH}\n"
+		elif [ -n "${DOMAIN}" ]; then
+			DNS="${DNS}domain ${DOMAIN}\n"
+		fi
+		DNS="${DNS}${NS}"
+		if [ -x /sbin/resolvconf ] ; then
+			metric="$(min_route)"
+			printf "${DNS}" | /sbin/resolvconf -a "${dev}" ${metric:+-m ${metric}}
+		else
+			# Preserve the existing resolv.conf
+			if [ -e /etc/resolv.conf ] ; then
+				cp /etc/resolv.conf /etc/resolv.conf-"${dev}".sv
+			fi
+			printf "${DNS}" > /etc/resolv.conf
+			chmod 644 /etc/resolv.conf
+		fi
+	fi
+fi
+
+# Below section is Gentoo specific
+# Quick summary - our init scripts are re-entrant and set the SVCNAME env var
+# as we could have >1 openvpn service
+
+if [ -n "${SVCNAME}" ]; then
+	# If we have a service specific script, run this now
+	if [ -x /etc/openvpn/"${SVCNAME}"-up.sh ] ; then
+		/etc/openvpn/"${SVCNAME}"-up.sh "$@"
+	fi
+
+	# Re-enter the init script to start any dependant services
+	if ! /etc/init.d/"${SVCNAME}" --quiet status ; then
+		export IN_BACKGROUND=true
+		/etc/init.d/${SVCNAME} --quiet start
+	fi
+fi
+
+exit 0
+
+# vim: ts=4 :
diff --git a/net-misc/openvpn/metadata.xml b/net-misc/openvpn/metadata.xml
new file mode 100644
index 00000000..ef30850f
--- /dev/null
+++ b/net-misc/openvpn/metadata.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer>
+    <email>djc@gentoo.org</email>
+    <name>Dirkjan Ochtman</name>
+  </maintainer>
+  <longdescription>OpenVPN is an easy-to-use, robust and highly
+configurable VPN daemon which can be used to securely link two or more
+networks using an encrypted tunnel.</longdescription>
+  <use>
+    <flag name="down-root">Enable the down-root plugin</flag>
+    <flag name="iproute2">Enabled iproute2 support instead of net-tools</flag>
+    <flag name="passwordsave">Enables openvpn to save passwords</flag>
+    <flag name="polarssl">Use PolarSSL instead of OpenSSL</flag>
+    <flag name="pkcs11">Enable PKCS#11 smartcard support</flag>
+    <flag name="plugins">Enable the OpenVPN plugin system</flag>
+  </use>
+  <upstream>
+    <remote-id type="cpe">cpe:/a:openvpn:openvpn</remote-id>
+  </upstream>
+</pkgmetadata>
diff --git a/net-misc/openvpn/openvpn-2.3.6-r99.ebuild b/net-misc/openvpn/openvpn-2.3.6-r99.ebuild
new file mode 100644
index 00000000..ebb4c70a
--- /dev/null
+++ b/net-misc/openvpn/openvpn-2.3.6-r99.ebuild
@@ -0,0 +1,137 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openvpn/openvpn-2.3.6-r2.ebuild,v 1.1 2015/02/17 18:46:07 djc Exp $
+
+EAPI=4
+
+inherit multilib autotools flag-o-matic user systemd
+
+DESCRIPTION="Robust and highly flexible tunneling application compatible with many OSes"
+SRC_URI="http://swupdate.openvpn.net/community/releases/${P}.tar.gz"
+HOMEPAGE="http://openvpn.net/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm ~mips ppc x86"
+IUSE="examples down-root iproute2 pam passwordsave pkcs11 +plugins +polarssl selinux +ssl systemd +lzo static userland_BSD"
+
+REQUIRED_USE="static? ( !plugins !pkcs11 )
+			polarssl? ( ssl )
+			pkcs11? ( ssl )
+			!plugins? ( !pam !down-root )"
+
+DEPEND="
+	kernel_linux? (
+		iproute2? ( sys-apps/iproute2[-minimal] ) !iproute2? ( sys-apps/net-tools )
+	)
+	pam? ( virtual/pam )
+	ssl? (
+		!polarssl? ( >=dev-libs/openssl-0.9.7 ) polarssl? ( >=net-libs/polarssl-1.2.10 )
+	)
+	lzo? ( >=dev-libs/lzo-1.07 )
+	pkcs11? ( >=dev-libs/pkcs11-helper-1.11 )"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-openvpn )
+"
+
+src_prepare() {
+	# Set correct pass to systemd-ask-password binary
+	sed -i "s:\(/bin/systemd-ask-password\):/usr\1:" ./src/openvpn/console.c || die
+	epatch "${FILESDIR}/2.3.6-null-cipher.patch" || die
+	epatch "${FILESDIR}/2.3.6-disable-compression.patch" || die
+	epatch "${FILESDIR}/2.3.6-musl-compat.patch" || die
+	eautoreconf
+}
+
+src_configure() {
+	use static && LDFLAGS="${LDFLAGS} -Xcompiler -static"
+	local myconf
+	echo "DROPPY"
+	use polarssl && echo "FLOZZY"
+	use polarssl && myconf="--with-crypto-library=polarssl"
+	econf \
+		${myconf} \
+		--docdir="${EPREFIX}/usr/share/doc/${PF}" \
+		--with-plugindir="${ROOT}/usr/$(get_libdir)/$PN" \
+		$(use_enable passwordsave password-save) \
+		$(use_enable ssl) \
+		$(use_enable ssl crypto) \
+		$(use_enable lzo) \
+		$(use_enable pkcs11) \
+		$(use_enable plugins) \
+		$(use_enable iproute2) \
+		$(use_enable pam plugin-auth-pam) \
+		$(use_enable down-root plugin-down-root) \
+		$(use_enable systemd)
+}
+
+src_install() {
+	default
+	find "${ED}/usr" -name '*.la' -delete
+	# install documentation
+	dodoc AUTHORS ChangeLog PORTS README README.IPv6
+
+	# Install some helper scripts
+	keepdir /etc/openvpn
+	exeinto /etc/openvpn
+	doexe "${FILESDIR}/up.sh"
+	doexe "${FILESDIR}/down.sh"
+
+	# Install the init script and config file
+	newinitd "${FILESDIR}/${PN}-2.1.init" openvpn
+	newconfd "${FILESDIR}/${PN}-2.1.conf" openvpn
+
+	# install examples, controlled by the respective useflag
+	if use examples ; then
+		# dodoc does not supportly support directory traversal, #15193
+		insinto /usr/share/doc/${PF}/examples
+		doins -r sample contrib
+	fi
+
+	systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfile ${PN}.conf
+	systemd_newunit "${FILESDIR}"/${PN}.service 'openvpn@.service'
+}
+
+pkg_postinst() {
+	# Add openvpn user so openvpn servers can drop privs
+	# Clients should run as root so they can change ip addresses,
+	# dns information and other such things.
+	enewgroup openvpn
+	enewuser openvpn "" "" "" openvpn
+
+	if [ path_exists -o "${ROOT}/etc/openvpn/*/local.conf" ] ; then
+		ewarn "WARNING: The openvpn init script has changed"
+		ewarn ""
+	fi
+
+	elog "The openvpn init script expects to find the configuration file"
+	elog "openvpn.conf in /etc/openvpn along with any extra files it may need."
+	elog ""
+	elog "To create more VPNs, simply create a new .conf file for it and"
+	elog "then create a symlink to the openvpn init script from a link called"
+	elog "openvpn.newconfname - like so"
+	elog "   cd /etc/openvpn"
+	elog "   ${EDITOR##*/} foo.conf"
+	elog "   cd /etc/init.d"
+	elog "   ln -s openvpn openvpn.foo"
+	elog ""
+	elog "You can then treat openvpn.foo as any other service, so you can"
+	elog "stop one vpn and start another if you need to."
+
+	if grep -Eq "^[ \t]*(up|down)[ \t].*" "${ROOT}/etc/openvpn"/*.conf 2>/dev/null ; then
+		ewarn ""
+		ewarn "WARNING: If you use the remote keyword then you are deemed to be"
+		ewarn "a client by our init script and as such we force up,down scripts."
+		ewarn "These scripts call /etc/openvpn/\$SVCNAME-{up,down}.sh where you"
+		ewarn "can move your scripts to."
+	fi
+
+	if use plugins ; then
+		einfo ""
+		einfo "plugins have been installed into /usr/$(get_libdir)/${PN}"
+	fi
+
+	einfo ""
+	einfo "OpenVPN 2.3.x no longer includes the easy-rsa suite of utilities."
+	einfo "They can now be emerged via app-crypt/easy-rsa."
+}
diff --git a/net-misc/openvpn/openvpn-9999.ebuild b/net-misc/openvpn/openvpn-9999.ebuild
new file mode 100644
index 00000000..408b3956
--- /dev/null
+++ b/net-misc/openvpn/openvpn-9999.ebuild
@@ -0,0 +1,126 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openvpn/openvpn-9999.ebuild,v 1.8 2014/11/02 09:13:00 swift Exp $
+
+EAPI=4
+
+inherit multilib autotools flag-o-matic user git-2
+
+DESCRIPTION="Robust and highly flexible tunneling application compatible with many OSes"
+EGIT_REPO_URI="https://github.com/OpenVPN/${PN}.git"
+HOMEPAGE="http://openvpn.net/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS=""
+IUSE="examples down-root iproute2 pam passwordsave pkcs11 +plugins polarssl selinux +ssl +lzo static userland_BSD"
+
+REQUIRED_USE="static? ( !plugins !pkcs11 )
+			polarssl? ( ssl )
+			!plugins? ( !pam !down-root )"
+
+DEPEND="
+	kernel_linux? (
+		iproute2? ( sys-apps/iproute2[-minimal] ) !iproute2? ( sys-apps/net-tools )
+	)
+	pam? ( virtual/pam )
+	ssl? (
+		!polarssl? ( >=dev-libs/openssl-0.9.7 ) polarssl? ( >=net-libs/polarssl-1.1.0 )
+	)
+	lzo? ( >=dev-libs/lzo-1.07 )
+	pkcs11? ( >=dev-libs/pkcs11-helper-1.05 )"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-openvpn )
+"
+
+src_prepare() {
+	eautoreconf
+}
+
+src_configure() {
+	use static && LDFLAGS="${LDFLAGS} -Xcompiler -static"
+	local myconf
+	use polarssl && myconf="--with-crypto-library=polarssl"
+	econf \
+		${myconf} \
+		--docdir="${EPREFIX}/usr/share/doc/${PF}" \
+		--with-plugindir="${ROOT}/usr/$(get_libdir)/$PN" \
+		$(use_enable passwordsave password-save) \
+		$(use_enable ssl) \
+		$(use_enable ssl crypto) \
+		$(use_enable lzo) \
+		$(use_enable pkcs11) \
+		$(use_enable plugins) \
+		$(use_enable iproute2) \
+		$(use_enable pam plugin-auth-pam) \
+		$(use_enable down-root plugin-down-root)
+}
+
+src_install() {
+	default
+	find "${ED}/usr" -name '*.la' -delete
+	# install documentation
+	dodoc AUTHORS ChangeLog PORTS README README.IPv6
+
+	# Install some helper scripts
+	keepdir /etc/openvpn
+	exeinto /etc/openvpn
+	doexe "${FILESDIR}/up.sh"
+	doexe "${FILESDIR}/down.sh"
+
+	# Install the init script and config file
+	newinitd "${FILESDIR}/${PN}-2.1.init" openvpn
+	newconfd "${FILESDIR}/${PN}-2.1.conf" openvpn
+
+	# install examples, controlled by the respective useflag
+	if use examples ; then
+		# dodoc does not supportly support directory traversal, #15193
+		insinto /usr/share/doc/${PF}/examples
+		doins -r sample contrib
+	fi
+}
+
+pkg_postinst() {
+	# Add openvpn user so openvpn servers can drop privs
+	# Clients should run as root so they can change ip addresses,
+	# dns information and other such things.
+	enewgroup openvpn
+	enewuser openvpn "" "" "" openvpn
+
+	if [ path_exists -o "${ROOT}/etc/openvpn/*/local.conf" ] ; then
+		ewarn "WARNING: The openvpn init script has changed"
+		ewarn ""
+	fi
+
+	elog "The openvpn init script expects to find the configuration file"
+	elog "openvpn.conf in /etc/openvpn along with any extra files it may need."
+	elog ""
+	elog "To create more VPNs, simply create a new .conf file for it and"
+	elog "then create a symlink to the openvpn init script from a link called"
+	elog "openvpn.newconfname - like so"
+	elog "   cd /etc/openvpn"
+	elog "   ${EDITOR##*/} foo.conf"
+	elog "   cd /etc/init.d"
+	elog "   ln -s openvpn openvpn.foo"
+	elog ""
+	elog "You can then treat openvpn.foo as any other service, so you can"
+	elog "stop one vpn and start another if you need to."
+
+	if grep -Eq "^[ \t]*(up|down)[ \t].*" "${ROOT}/etc/openvpn"/*.conf 2>/dev/null ; then
+		ewarn ""
+		ewarn "WARNING: If you use the remote keyword then you are deemed to be"
+		ewarn "a client by our init script and as such we force up,down scripts."
+		ewarn "These scripts call /etc/openvpn/\$SVCNAME-{up,down}.sh where you"
+		ewarn "can move your scripts to."
+	fi
+
+	if use plugins ; then
+		einfo ""
+		einfo "plugins have been installed into /usr/$(get_libdir)/${PN}"
+	fi
+
+	ewarn ""
+	ewarn "You are using a live ebuild building from the sources of openvpn"
+	ewarn "repository from http://openvpn.git.sourceforge.net. For reporting"
+	ewarn "bugs please contact: openvpn-devel@lists.sourceforge.net."
+}