
openvpn : Bump to 2.5.8

RISCi_ATOM 1 year ago
parent
commit
5d911f8acc

+ 1 - 5
package/network/services/openvpn/Config-mbedtls.in

@@ -2,16 +2,12 @@ if PACKAGE_openvpn-mbedtls
 
 config OPENVPN_mbedtls_ENABLE_LZO
 	bool "Enable LZO compression support"
-	default y
+	default n
 
 config OPENVPN_mbedtls_ENABLE_LZ4
 	bool "Enable LZ4 compression support"
 	default y
 
-config OPENVPN_mbedtls_ENABLE_SERVER
-	bool "Enable server support (otherwise only client mode is support)"
-	default y
-
 #config OPENVPN_mbedtls_ENABLE_EUREPHIA
 #	bool "Enable support for the eurephia plug-in"
 #	default n

+ 0 - 4
package/network/services/openvpn/Config-openssl.in

@@ -12,10 +12,6 @@ config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME
 	bool "Enable the --x509-username-field feature"
 	default n
 
-config OPENVPN_openssl_ENABLE_SERVER
-	bool "Enable server support (otherwise only client mode is support)"
-	default y
-
 #config OPENVPN_openssl_ENABLE_EUREPHIA
 #	bool "Enable support for the eurephia plug-in"
 #	default n

+ 63 - 0
package/network/services/openvpn/Config-wolfssl.in

@@ -0,0 +1,63 @@
+if PACKAGE_openvpn-wolfssl
+
+config OPENVPN_wolfssl
+	bool
+	default y
+	select WOLFSSL_HAS_OPENVPN
+
+config OPENVPN_wolfssl_ENABLE_LZO
+	bool "Enable LZO compression support"
+	default n
+
+config OPENVPN_wolfssl_ENABLE_LZ4
+	bool "Enable LZ4 compression support"
+	default y
+
+config OPENVPN_wolfssl_ENABLE_X509_ALT_USERNAME
+	bool "Enable the --x509-username-field feature"
+	default n
+
+#config OPENVPN_wolfssl_ENABLE_EUREPHIA
+#	bool "Enable support for the eurephia plug-in"
+#	default n
+
+config OPENVPN_wolfssl_ENABLE_MANAGEMENT
+	bool "Enable management server support"
+	default n
+
+#config OPENVPN_wolfssl_ENABLE_PKCS11
+#	bool "Enable pkcs11 support"
+#	default n
+
+config OPENVPN_wolfssl_ENABLE_FRAGMENT
+	bool "Enable internal fragmentation support (--fragment)"
+	default y
+
+config OPENVPN_wolfssl_ENABLE_MULTIHOME
+	bool "Enable multi-homed UDP server support (--multihome)"
+	default y
+
+config OPENVPN_wolfssl_ENABLE_PORT_SHARE
+	bool "Enable TCP server port-share support (--port-share)"
+	default y
+
+config OPENVPN_wolfssl_ENABLE_DEF_AUTH
+	bool "Enable deferred authentication"
+	default y
+
+config OPENVPN_wolfssl_ENABLE_PF
+	bool "Enable internal packet filter"
+	default y
+
+config OPENVPN_wolfssl_ENABLE_IPROUTE2
+	bool "Enable support for iproute2"
+	default n
+
+config OPENVPN_wolfssl_ENABLE_SMALL
+	bool "Enable size optimization"
+	default y
+	help
+	  enable smaller executable size (disable OCC, usage
+	  message, and verb 4 parm list)
+
+endif

+ 33 - 8
package/network/services/openvpn/Makefile

@@ -9,16 +9,16 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.4.12
+PKG_VERSION:=2.5.8
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=\
 	https://build.openvpn.net/downloads/releases/ \
 	https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=7426b99b2058b942552af2680ee58546fbf63712992557328bd0014093aa7da4
+PKG_HASH:=2bbd0026469902037ee6499b68283d5ab36c74e36cae3112082cfdf6c77a0c57
 
-PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
+PKG_MAINTAINER:=Magnus Kroken <mkroken@gmail.com>
 
 PKG_INSTALL:=1
 PKG_FIXUP:=autoreconf
@@ -42,6 +42,7 @@ endef
 
 Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
 Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
+Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL \(experimental\),+PACKAGE_openvpn-wolfssl:libwolfssl)
 
 define Package/openvpn/config/Default
 	source "$(SOURCE)/Config-$(1).in"
@@ -49,6 +50,7 @@ endef
 
 Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
 Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls)
+Package/openvpn-wolfssl/config=$(call Package/openvpn/config/Default,wolfssl)
 
 ifeq ($(BUILD_VARIANT),mbedtls)
 CONFIG_OPENVPN_MBEDTLS:=y
@@ -56,10 +58,11 @@ endif
 ifeq ($(BUILD_VARIANT),openssl)
 CONFIG_OPENVPN_OPENSSL:=y
 endif
+ifeq ($(BUILD_VARIANT),wolfssl)
+CONFIG_OPENVPN_WOLFSSL:=y
+endif
 
 CONFIGURE_VARS += \
-	IFCONFIG=/sbin/ifconfig \
-	ROUTE=/sbin/route \
 	IPROUTE=/sbin/ip \
 	NETSTAT=/sbin/netstat
 
@@ -77,7 +80,6 @@ define Build/Configure
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \
-		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
@@ -85,13 +87,15 @@ define Build/Configure
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \
-		$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \
+		$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl --with-openssl-engine=no) \
 		$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
+		$(if $(CONFIG_OPENVPN_WOLFSSL),--with-crypto-library=wolfssl) \
 	)
 endef
 
 define Package/openvpn-$(BUILD_VARIANT)/conffiles
 /etc/config/openvpn
+/etc/openvpn.user
 endef
 
 define Package/openvpn-$(BUILD_VARIANT)/install
@@ -101,7 +105,10 @@ define Package/openvpn-$(BUILD_VARIANT)/install
 		$(1)/etc/init.d \
 		$(1)/etc/config \
 		$(1)/etc/openvpn \
-		$(1)/lib/upgrade/keep.d
+		$(1)/lib/functions \
+		$(1)/lib/upgrade/keep.d \
+		$(1)/usr/libexec \
+		$(1)/etc/hotplug.d/openvpn
 
 	$(INSTALL_BIN) \
 		$(PKG_INSTALL_DIR)/usr/sbin/openvpn \
@@ -110,6 +117,23 @@ define Package/openvpn-$(BUILD_VARIANT)/install
 	$(INSTALL_BIN) \
 		files/openvpn.init \
 		$(1)/etc/init.d/openvpn
+
+	$(INSTALL_BIN) \
+		files/usr/libexec/openvpn-hotplug \
+		$(1)/usr/libexec/openvpn-hotplug
+
+	$(INSTALL_DATA) \
+		files/lib/functions/openvpn.sh \
+		$(1)/lib/functions/openvpn.sh
+
+	$(INSTALL_DATA) \
+		files/etc/hotplug.d/openvpn/01-user \
+		$(1)/etc/hotplug.d/openvpn/01-user
+
+	$(INSTALL_DATA) \
+		files/etc/openvpn.user \
+		$(1)/etc/openvpn.user
+
 	$(INSTALL_DATA) \
 		files/openvpn.options \
 		$(1)/usr/share/openvpn/openvpn.options
@@ -124,3 +148,4 @@ endef
 
 $(eval $(call BuildPackage,openvpn-openssl))
 $(eval $(call BuildPackage,openvpn-mbedtls))
+$(eval $(call BuildPackage,openvpn-wolfssl))

+ 22 - 0
package/network/services/openvpn/files/etc/hotplug.d/openvpn/01-user

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+[ -e "/etc/openvpn.user" ] && {
+	env -i ACTION="$ACTION" INSTANCE="$INSTANCE" \
+		/bin/sh \
+		/etc/openvpn.user \
+		$*
+}
+
+# Wrap user defined scripts on up/down events
+case "$ACTION" in
+	up) command=$user_up ;;
+	down) command=$user_down ;;
+	*) command= ;;
+esac
+
+if [ -n "$command" ]; then
+	shift
+	exec /bin/sh -c "$command $*"
+fi
+
+exit 0
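Review bot: Both invocations pass the hotplug arguments through an unquoted `$*`, so argument boundaries are lost: on the `env -i` line at the top and, more seriously, in `exec /bin/sh -c "$command $*"`, where the values are re-parsed by a second shell and any whitespace or shell metacharacter in them changes the command that runs. Use `"$@"` on the `env -i` line, and run the user command as `exec /bin/sh -c "$command \"\$@\"" sh "$@"` so the original arguments arrive as separate words while `$command` may still carry its own arguments. `user_up`/`user_down` appear to be set by openvpn.init via `--setenv` from the instance's own configuration, so this is about robustness of argument passing rather than a trust boundary; a one-line comment above the `case` saying where those two variables come from would help the next reader. `env -i` also drops PATH, so /etc/openvpn.user runs with whatever default the shell supplies; if that is intentional, the comment should say so.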

+ 11 - 0
package/network/services/openvpn/files/etc/openvpn.user

@@ -0,0 +1,11 @@
+#!/bin/sh
+#
+# This file is interpreted as shell script.
+# Put your custom openvpn action here, they will
+# be executed with each opevnp event.
+#
+# $ACTION
+#      <down>    down action is generated after the TUN/TAP device is closed
+#      <up>      up action is generated after the TUN/TAP device is opened
+# $INSTANCE  Name of the openvpn instance which went up or down
+
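Review bot: The header comment has a typo and a grammar slip: `# be executed with each opevnp event.` should read `# be executed on each openvpn event.`, and the preceding line `# Put your custom openvpn action here, they will` reads better as `# Put your custom openvpn actions here; they will`. Since 01-user appears to execute this file with `env -i` carrying only ACTION and INSTANCE, a sentence stating that the script runs with a clean environment would tell users why PATH and their other variables are not available.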

+ 16 - 0
package/network/services/openvpn/files/lib/functions/openvpn.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+get_openvpn_option() {
+	local config="$1"
+	local variable="$2"
+	local option="$3"
+
+	local value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+'"'([^']+)'"'[ \t]*$/\1/p' "$config" | tail -n1)"
+	[ -n "$value" ] || value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+"(([^"\\]|\\.)+)"[ \t]*$/\1/p' "$config" | tail -n1 | sed -re 's/\\(.)/\1/g')"
+	[ -n "$value" ] || value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+(([^ \t\\]|\\.)+)[ \t]*$/\1/p' "$config" | tail -n1 | sed -re 's/\\(.)/\1/g')"
+	[ -n "$value" ] || return 1
+
+	export -n "$variable=$value"
+	return 0
+}
+
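Review bot: `get_openvpn_option` has no header comment, and its contract is not obvious from the three sed pipelines: it extracts the value of `$option` from the OpenVPN config file `$config` (single-quoted, double-quoted or bare form, tried in that order, last occurrence of each form), stores it in the variable named by `$variable`, and returns 1 when nothing was found. Worth stating is that `$option` is spliced into the regular expression unescaped, so callers must pass a literal option name (the visible callers pass `up`, `down`, `dev`, `dev-type`). Because the quoted forms are tried before the bare form, a config that sets the same option twice in different quoting styles does not strictly pick the last line; a comment like `# precedence: single-quoted, then double-quoted, then bare; last match of each` would make that explicit. `export -n "$variable=$value"` appears to be used purely as a name-indirect assignment; a short comment saying so would save the reader from wondering why a shell helper exports anything.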

+ 120 - 21
package/network/services/openvpn/files/openvpn.config

@@ -9,6 +9,13 @@ config openvpn custom_config
 	# Set to 1 to enable this instance:
 	option enabled 0
 
+	# Credentials to login
+	#option username 'login'
+	#option password 'password'
+
+	# Password for client certificate
+	#option cert_password 'cert_password'
+
 	# Include OpenVPN configuration
 	option config /etc/openvpn/my-vpn.conf
 
@@ -77,10 +84,10 @@ config openvpn sample_server
 
 	# Diffie hellman parameters.
 	# Generate your own with:
-	#   openssl dhparam -out dh1024.pem 1024
+	#   openssl dhparam -out dh2048.pem 2048
 	# Substitute 2048 for 1024 if you are using
-	# 2048 bit keys.
-	option dh /etc/openvpn/dh1024.pem
+	# 1024 bit keys.
+	option dh /etc/openvpn/dh2048.pem
 
 	# Configure server mode and supply a VPN subnet
 	# for OpenVPN to draw client addresses from.
@@ -228,24 +235,84 @@ config openvpn sample_server
 	# This file is secret:
 #	option tls_auth "/etc/openvpn/ta.key 0"
 
-	# Select a cryptographic cipher.
-	# This config item must be copied to
-	# the client config file as well.
-	# Blowfish (default):
-#	option cipher BF-CBC
-	# AES:
-#	option cipher AES-128-CBC
-	# Triple-DES:
-#	option cipher DES-EDE3-CBC
+	# For additional privacy, a shared secret key
+	# can be used for both authentication (as in tls_auth)
+	# and encryption of the TLS control channel.
+	#
+	# Generate a shared secret with:
+	# openvpn --genkey --secret ta.key
+	#
+	# The server and each client must have
+	# a copy of this key.
+	#
+	# tls_auth and tls_crypt should NOT
+	# be combined, as tls_crypt implies tls_auth.
+	# Use EITHER tls_crypt, tls_auth, or neither option.
+#	option tls_crypt "/etc/openvpn/ta.key"
+
+	# Set the minimum required TLS protocol version
+	# for all connections.
+	#
+	# Require at least TLS 1.1
+#	option tls_version_min "1.1"
+	# Require at least TLS 1.2
+#	option tls_version_min "1.2"
+	# Require TLS 1.2, or the highest version supported
+	# on the system
+#	option tls_version_min "1.2 'or-highest'"
+
+	# List the preferred ciphers to use for the data channel.
+	# Run openvpn --show-ciphers to see all supported ciphers.
+#	list data_ciphers 'AES-256-GCM'
+#	list data_ciphers 'AES-128-GCM'
+#	list data_ciphers 'CHACHA20-POLY1305'
+
+	# Set a fallback cipher in order to be compatible with
+	# peers that do not support cipher negotiation.
+	#
+	# Use AES-256-CBC as fallback
+#	option data_ciphers_fallback 'AES-128-CBC'
+	# Use AES-128-CBC as fallback
+#	option data_ciphers_fallback 'AES-256-CBC'
+	# Use Triple-DES as fallback
+#	option data_ciphers_fallback 'DES-EDE3-CBC'
+	# Use BF-CBC as fallback
+#	option data_ciphers_fallback 'BF-CBC'
+
+	# OpenVPN versions 2.4 and later will attempt to
+	# automatically negotiate the most secure cipher
+	# between the client and server, regardless of a
+	# configured "option cipher" (see below).
+	# Automatic negotiation is recommended.
+	#
+	# Uncomment this option to disable this behavior,
+	# and force all OpenVPN peers to use the configured
+	# cipher option instead (not recommended).
+#	option ncp_disable
 
 	# Enable compression on the VPN link.
 	# If you enable it here, you must also
 	# enable it in the client config file.
+	#
+	# Compression is not recommended, as compression and
+	# encryption in combination can weaken the security
+	# of the connection.
+	#
 	# LZ4 requires OpenVPN 2.4+ client and server
 #	option compress lz4
+	# LZO is available by default only in openvpn-openssl variant
 	# LZO is compatible with most OpenVPN versions
-	# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
-	option compress lzo
+#	option compress lzo
+	
+	# Control how OpenVPN handles peers using compression
+	#
+	# Do not allow any connections using compression
+#	option allow_compression 'no'
+	# Allow incoming compressed packets, but do not send compressed packets to other peers
+	# This can be useful when migrating old configurations with compression activated
+#	option allow_compression 'asym'
+	# Both incoming and outgoing packets may be compressed
+#	option allow_compression 'yes'
 
 	# The maximum number of concurrently connected
 	# clients we want to allow.
@@ -371,7 +438,7 @@ config openvpn sample_client
 	option key /etc/openvpn/client.key
 
 	# Verify server certificate by checking
-	# that the certicate has the nsCertType
+	# that the certicate has the key usage
 	# field set to "server".  This is an
 	# important precaution to protect against
 	# a potential attack discussed here:
@@ -381,24 +448,56 @@ config openvpn sample_client
 	# your server certificates with the nsCertType
 	# field set to "server".  The build_key_server
 	# script in the easy_rsa folder will do this.
-#	option ns_cert_type server
+#	option remote_cert_tls server
 
 	# If a tls_auth key is used on the server
 	# then every client must also have the key.
 #	option tls_auth "/etc/openvpn/ta.key 1"
 
-	# Select a cryptographic cipher.
-	# If the cipher option is used on the server
-	# then you must also specify it here.
-#	option cipher x
+	# If a tls_crypt key is used on the server
+	# every client must also have the key.
+#	option tls_crypt "/etc/openvpn/ta.key"
+
+	# Set the minimum required TLS protocol version
+	# for all connections.
+	#
+	# Require at least TLS 1.1
+#	option tls_version_min "1.1"
+	# Require at least TLS 1.2
+#	option tls_version_min "1.2"
+	# Require TLS 1.2, or the highest version supported
+	# on the system
+#	option tls_version_min "1.2 'or-highest'"
+
+	# List the preferred ciphers for the data channel.
+#	list data_ciphers 'AES-256-GCM'
+#	list data_ciphers 'AES-128-GCM'
+#	list data_ciphers 'CHACHA20-POLY1305'
+
+	# Set a fallback cipher if you connect to a peer that does
+	# not support cipher negotiation.
+	# Use AES-256-CBC as fallback
+#	option data_ciphers_fallback 'AES-128-CBC'
+	# Use AES-128-CBC as fallback
+#	option data_ciphers_fallback 'AES-256-CBC'
+	# Use Triple-DES as fallback
+#	option data_ciphers_fallback 'DES-EDE3-CBC'
+	# Use BF-CBC as fallback
+#	option data_ciphers_fallback 'BF-CBC'
 
 	# Enable compression on the VPN link.
 	# Don't enable this unless it is also
 	# enabled in the server config file.
+	#
+	# Compression is not recommended, as compression and
+	# encryption in combination can weaken the security
+	# of the connection.
+	#
 	# LZ4 requires OpenVPN 2.4+ on server and client
 #	option compress lz4
+	# LZO is available by default only in openvpn-openssl variant
 	# LZO is compatible with most OpenVPN versions
-	option compress lzo
+#	option compress lzo
 
 	# Set log file verbosity.
 	option verb 3
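Review bot: The comment labels on the new `data_ciphers_fallback` examples are swapped: `# Use AES-256-CBC as fallback` sits above `option data_ciphers_fallback 'AES-128-CBC'` and `# Use AES-128-CBC as fallback` above `'AES-256-CBC'`, in both the sample_server and sample_client sections. The dhparam note has the same problem after the 2048 change: with the context line unchanged it now reads "Substitute 2048 for 1024 if you are using 1024 bit keys", and should become `# Substitute 1024 for 2048 if you are using` / `# 1024 bit keys.`. The typo `certicate` is carried into the rewritten `# that the certicate has the key usage` line, and the line after `#	option compress lzo` in the server section is whitespace-only. The sample also does not mention the new `up`, `down` and `script_security` options that the init script in this commit appears to read, so users of `custom_config` have no hint that their `--up`/`--down` scripts are wrapped; a short commented example next to the new credentials block would cover that.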

+ 95 - 8
package/network/services/openvpn/files/openvpn.init

@@ -42,8 +42,9 @@ append_params() {
 		config_get v "$s" "$p"
 		IFS="$LIST_SEP"
 		for v in $v; do
+			[ "$v" = "frames_only" ] && [ "$p" = "compress" ] && unset v && append_param "$s" "$p" && echo >> "/var/etc/openvpn-$s.conf"
 			[ -n "$v" ] && [ "$p" != "push" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf"
-			[ -n "$v" ] && [ "$p" == "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf"
+			[ -n "$v" ] && [ "$p" = "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf"
 		done
 		unset IFS
 	done
@@ -69,17 +70,94 @@ section_enabled() {
 	[ $enable -gt 0 ] || [ $enabled -gt 0 ]
 }
 
+create_temp_file() {
+	mkdir -p "$(dirname "$1")"
+	rm -f "$1"
+	touch "$1"
+	chown root "$1"
+	chmod 0600 "$1"
+}
+
+openvpn_get_dev() {
+	local dev dev_type
+	local name="$1"
+	local conf="$2"
+
+	# Do override only for configurations with config_file
+	config_get config_file "$name" config
+	[ -n "$config_file" ] || return
+
+	# Check there is someething to override
+	config_get dev "$name" dev
+	config_get dev_type "$name" dev_type
+	[ -n "$dev" ] || return
+
+	# If there is a no dev_type, try to guess it
+	if [ -z "$dev_type" ]; then
+		. /lib/functions/openvpn.sh
+
+		local odev odev_type
+		get_openvpn_option "$conf" odev dev
+		get_openvpn_option "$conf" odev_type dev-type
+		[ -n "$odev_type" ] || odev_type="$odev"
+
+		case "$odev_type" in
+			tun*) dev_type="tun" ;;
+			tap*) dev_type="tap" ;;
+			*) return;;
+		esac
+	fi
+
+	# Return overrides
+	echo "--dev-type $dev_type --dev $dev"
+}
+
+openvpn_get_credentials() {
+	local name="$1"
+	local ret=""
+
+	config_get cert_password "$name" cert_password
+	config_get password "$name" password
+	config_get username "$name" username
+
+	if [ -n "$cert_password" ]; then
+		create_temp_file /var/run/openvpn.$name.pass
+		echo "$cert_password" > /var/run/openvpn.$name.pass
+		ret=" --askpass /var/run/openvpn.$name.pass "
+	fi
+
+	if [ -n "$username" ]; then
+		create_temp_file /var/run/openvpn.$name.userpass
+		echo "$username" > /var/run/openvpn.$name.userpass
+		echo "$password" >> /var/run/openvpn.$name.userpass
+		ret=" --auth-user-pass /var/run/openvpn.$name.userpass "
+	fi
+
+	# Return overrides
+	echo "$ret"
+}
+
 openvpn_add_instance() {
 	local name="$1"
 	local dir="$2"
 	local conf="$3"
+	local security="$4"
+	local up="$5"
+	local down="$6"
 
 	procd_open_instance "$name"
 	procd_set_param command "$PROG"	\
 		--syslog "openvpn($name)" \
 		--status "/var/run/openvpn.$name.status" \
 		--cd "$dir" \
-		--config "$conf"
+		--config "$conf" \
+		--up "/usr/libexec/openvpn-hotplug up $name" \
+		--down "/usr/libexec/openvpn-hotplug down $name" \
+		${up:+--setenv user_up "$up"} \
+		${down:+--setenv user_down "$down"} \
+		--script-security "${security:-2}" \
+		$(openvpn_get_dev "$name" "$conf") \
+		$(openvpn_get_credentials "$name" "$conf")
 	procd_set_param file "$dir/$conf"
 	procd_set_param term_timeout 15
 	procd_set_param respawn
@@ -100,22 +178,28 @@ start_instance() {
 		return 1
 	}
 
+	local up down script_security
+	config_get up "$s" up
+	config_get down "$s" down
+	config_get script_security "$s" script_security
+
 	[ ! -d "/var/run" ] && mkdir -p "/var/run"
 
 	if [ ! -z "$config" ]; then
 		append UCI_STARTED "$config" "$LIST_SEP"
-		openvpn_add_instance "$s" "${config%/*}" "$config"
+		[ -n "$up" ] || get_openvpn_option "$config" up up
+		[ -n "$down" ] || get_openvpn_option "$config" down down
+		openvpn_add_instance "$s" "${config%/*}" "$config" "$script_security" "$up" "$down"
 		return
 	fi
 
-	[ ! -d "/var/etc" ] && mkdir -p "/var/etc"
-	[ -f "/var/etc/openvpn-$s.conf" ] && rm "/var/etc/openvpn-$s.conf"
+	create_temp_file "/var/etc/openvpn-$s.conf"
 
 	append_bools "$s" $OPENVPN_BOOLS
 	append_params "$s" $OPENVPN_PARAMS
 	append_list "$s" $OPENVPN_LIST
 
-	openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf"
+	openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf" "$script_security" "$up" "$down"
 }
 
 start_service() {
@@ -132,6 +216,7 @@ start_service() {
 		fi
 	}
 
+	. /lib/functions/openvpn.sh
 	. /usr/share/openvpn/openvpn.options
 	config_load 'openvpn'
 
@@ -141,7 +226,7 @@ start_service() {
 	else
 		config_foreach start_instance 'openvpn'
 
-		local path name
+		local path name up down
 		for path in /etc/openvpn/*.conf; do
 			if [ -f "$path" ]; then
 				name="${path##*/}"; name="${name%.conf}"
@@ -156,7 +241,9 @@ start_service() {
 					continue
 				fi
 
-				openvpn_add_instance "$name" "${path%/*}" "$path"
+				get_openvpn_option "$path" up up || up=""
+				get_openvpn_option "$path" down down || down=""
+				openvpn_add_instance "$name" "${path%/*}" "$path" "" "$up" "$down"
 			fi
 		done
 	fi
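Review bot: `openvpn_get_credentials` writes `cert_password`, `username` and `password` into /var/run files, and `create_temp_file` creates those files with `touch` under the process umask and only afterwards tightens them with `chmod 0600`; the content is written after the chmod, so nothing leaks through the window unless another process opens the still-empty file in between, but creating the file restrictively in the first place removes the question: `( umask 077; : > "$1" )` in place of `touch "$1"`. The secrets are emitted with `echo`, which on busybox interprets a leading `-n`/`-e` and backslash sequences; `printf '%s\n' "$cert_password" > "/var/run/openvpn.$name.pass"` (and likewise for username and password) writes the value verbatim. Nothing in this hunk removes the files when the instance stops, so the plaintext credentials stay in /var/run until reboot unless a stop path outside the hunk handles it. `--script-security "${security:-2}"` now applies to every instance because `--up`/`--down` are always set to the hotplug wrapper; a one-line comment stating that 2 is the minimum needed for those wrappers would explain the default. Separately, `config_file` in `openvpn_get_dev` is not declared `local`, and `openvpn_get_credentials` is called with a second argument it never reads.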

+ 14 - 5
package/network/services/openvpn/files/openvpn.options

@@ -1,10 +1,12 @@
 OPENVPN_PARAMS='
+allow_compression
 askpass
 auth
 auth_retry
 auth_user_pass
 auth_user_pass_verify
 bcast_buffers
+bind_dev
 ca
 capath
 cd
@@ -21,11 +23,11 @@ connect_retry
 connect_retry_max
 connect_timeout
 crl_verify
+data_ciphers_fallback
 dev
 dev_node
 dev_type
 dh
-down
 ecdh_curve
 echo
 engine
@@ -52,7 +54,6 @@ iroute_ipv6
 keepalive
 key
 key_direction
-key_method
 keysize
 learn_address
 link_mtu
@@ -70,7 +71,6 @@ mssfix
 mtu_disc
 mute
 nice
-ns_cert_type
 ping
 ping_exit
 ping_restart
@@ -103,11 +103,11 @@ route_metric
 route_pre_down
 route_up
 rport
-script_security
 secret
 server
 server_bridge
 server_ipv6
+server_poll_timeout
 setenv
 shaper
 sndbuf
@@ -118,6 +118,9 @@ syslog
 tcp_queue_limit
 tls_auth
 tls_crypt
+tls_crypt_v2
+tls_crypt_v2_verify
+tls_export_cert
 tls_timeout
 tls_verify
 tls_version_min
@@ -127,11 +130,12 @@ tran_window
 tun_mtu
 tun_mtu_extra
 txqueuelen
-up
 user
 verb
 verify_client_cert
 verify_x509_name
+vlan_accept
+vlan_pvid
 x509_username_field
 '
 
@@ -140,6 +144,7 @@ allow_recursive_routing
 auth_nocache
 auth_user_pass_optional
 bind
+block_ipv6
 ccd_exclusive
 client
 client_to_client
@@ -172,6 +177,7 @@ persist_remote_ip
 persist_tun
 ping_timer_rem
 pull
+push_peer_info
 push_reset
 remote_random
 rmtun
@@ -188,10 +194,13 @@ tls_server
 up_delay
 up_restart
 username_as_common_name
+vlan_tagging
 '
 
 OPENVPN_LIST='
+data_ciphers
 ncp_ciphers
 tls_cipher
 tls_ciphersuites
+tls_groups
 '

+ 10 - 0
package/network/services/openvpn/files/usr/libexec/openvpn-hotplug

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+ACTION=$1
+shift
+INSTANCE=$1
+shift
+
+export ACTION=$ACTION
+export INSTANCE=$INSTANCE
+exec /sbin/hotplug-call openvpn "$@"

+ 3 - 3
package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch

@@ -1,9 +1,9 @@
 --- a/src/openvpn/options.c
 +++ b/src/openvpn/options.c
-@@ -106,7 +106,6 @@ const char title_string[] =
- #ifdef HAVE_AEAD_CIPHER_MODES
-     " [AEAD]"
+@@ -105,7 +105,6 @@ const char title_string[] =
+ #endif
  #endif
+     " [AEAD]"
 -    " built on " __DATE__
  ;
  

+ 190 - 0
package/network/services/openvpn/patches/002-add-wolfssl-support.patch

@@ -0,0 +1,190 @@
+From: Gert Doering <gert@greenie.muc.de>
+
+Support for wolfSSL in OpenVPN
+
+This patch adds support for wolfSSL in OpenVPN. Support is added by using
+wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged
+and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is
+linked against the wolfSSL library. The wolfSSL installation directory is
+detected using pkg-config.
+
+As requested by OpenVPN maintainers, this patch does not include
+wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN
+in the configure script wolfSSL will include wolfssl/options.h on its own
+(change added in wolfSSL/wolfssl#2825). The patch
+adds an option '--disable-wolfssl-options-h' in case the user would like
+to supply their own settings file for wolfSSL.
+
+wolfSSL:
+Support added in: wolfSSL/wolfssl#2503
+
+git clone https://github.com/wolfSSL/wolfssl.git
+cd wolfssl
+./autogen.sh
+./configure --enable-openvpn
+make
+sudo make install
+
+OpenVPN:
+
+autoreconf -i -v -f
+./configure --with-crypto-library=wolfssl
+make
+make check
+sudo make install
+
+Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
+Acked-by: Arne Schwabe <arne@rfc2549.org>
+Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21686.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ configure.ac | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ src/openvpn/syshead.h | 3 ++-
+ 2 files changed, 110 insertions(+), 3 deletions(-)
+--- a/configure.ac
++++ b/configure.ac
+@@ -271,16 +271,23 @@ AC_ARG_WITH(
+ 
+ AC_ARG_WITH(
+ 	[crypto-library],
+-	[AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
++	[AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
+ 	[
+ 		case "${withval}" in
+-			openssl|mbedtls) ;;
++			openssl|mbedtls|wolfssl) ;;
+ 			*) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
+ 		esac
+ 	],
+ 	[with_crypto_library="openssl"]
+ )
+ 
++AC_ARG_ENABLE(
++	[wolfssl-options-h],
++	[AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])],
++	,
++	[enable_wolfssl_options_h="yes"]
++)
++
+ AC_ARG_WITH(
+ 	[openssl-engine],
+ 	[AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])],
+@@ -1054,6 +1061,105 @@ elif test "${with_crypto_library}" = "mb
+ 	AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
+ 	CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
+ 	CRYPTO_LIBS="${MBEDTLS_LIBS}"
++
++elif test "${with_crypto_library}" = "wolfssl"; then
++	AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should
++								  contain the regular wolfSSL header files but also the
++								  wolfSSL OpenSSL header files. Ex: -I/usr/local/include
++								  -I/usr/local/include/wolfssl])
++	AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
++
++	saved_CFLAGS="${CFLAGS}"
++	saved_LIBS="${LIBS}"
++
++	if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
++		# if the user did not explicitly specify flags, try to autodetect
++		PKG_CHECK_MODULES(
++			[WOLFSSL],
++			[wolfssl],
++			[],
++			[AC_MSG_ERROR([Could not find wolfSSL.])]
++		)
++		PKG_CHECK_VAR(
++			[WOLFSSL_INCLUDEDIR],
++			[wolfssl],
++			[includedir],
++			[],
++			[AC_MSG_ERROR([Could not find wolfSSL includedir variable.])]
++		)
++		WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl"
++	fi
++	saved_CFLAGS="${CFLAGS}"
++	saved_LIBS="${LIBS}"
++	CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}"
++	LIBS="${LIBS} ${WOLFSSL_LIBS}"
++
++	AC_CHECK_LIB(
++		[wolfssl],
++		[wolfSSL_Init],
++		[],
++		[AC_MSG_ERROR([Could not link wolfSSL library.])]
++	)
++	AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
++
++	# wolfSSL signal EKM support
++	have_export_keying_material="yes"
++
++	AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_X509_GET0_NOTBEFORE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_X509_GET0_NOTAFTER], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_SET_FLAGS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_GET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_SET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_DSA_GET0_PQG], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_DSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_METH_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_METH_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_METH_SET_PUB_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_METH_SET_PUB_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_METH_SET_INIT], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_METH_SET_SIGN], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_METH_SET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_RSA_METH_GET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++	AC_DEFINE([HAVE_EC_GROUP_ORDER_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++
++	if test "${enable_wolfssl_options_h}" = "yes"; then
++		AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library])
++	else
++		AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library])
++	fi
++
++	have_export_keying_material="yes"
++
++	CFLAGS="${saved_CFLAGS}"
++	LIBS="${saved_LIBS}"
++
++	AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library])
++	AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer])
++	CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}"
++	CRYPTO_LIBS="${WOLFSSL_LIBS}"
+ else
+ 	AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])
+ fi
+--- a/src/openvpn/syshead.h
++++ b/src/openvpn/syshead.h
+@@ -582,7 +582,8 @@ socket_defined(const socket_descriptor_t
+ /*
+  * Do we have CryptoAPI capability?
+  */
+-#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL)
++#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) && \
++	!defined(ENABLE_CRYPTO_WOLFSSL)
+ #define ENABLE_CRYPTOAPI
+ #endif
+ 

+ 1 - 1
package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch

@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_mbedtls.c
 +++ b/src/openvpn/ssl_mbedtls.c
-@@ -1415,7 +1415,7 @@ const char *
+@@ -1539,7 +1539,7 @@ const char *
  get_ssl_library_version(void)
  {
      static char mbedtls_version[30];

+ 1 - 1
package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch

@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1074,68 +1074,15 @@ dnl
+@@ -1211,68 +1211,15 @@ dnl
  AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
  AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
  if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then

+ 7 - 14
package/network/services/openvpn/patches/220-disable_des.patch

@@ -1,24 +1,17 @@
 --- a/src/openvpn/syshead.h
 +++ b/src/openvpn/syshead.h
-@@ -597,11 +597,11 @@ socket_defined(const socket_descriptor_t
+@@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t
  /*
   * Should we include NTLM proxy functionality
   */
--#if defined(ENABLE_CRYPTO)
 -#define NTLM 1
--#else
-+//#if defined(ENABLE_CRYPTO)
 +//#define NTLM 1
-+//#else
- #define NTLM 0
--#endif
-+//#endif
  
  /*
   * Should we include proxy digest auth functionality
 --- a/src/openvpn/crypto_mbedtls.c
 +++ b/src/openvpn/crypto_mbedtls.c
-@@ -319,6 +319,7 @@ int
+@@ -396,6 +396,7 @@ int
  key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
  {
      int ret = 0;
@@ -26,7 +19,7 @@
      if (kt->type == MBEDTLS_CIPHER_DES_CBC)
      {
          ret = 1;
-@@ -331,6 +332,7 @@ key_des_num_cblocks(const mbedtls_cipher
+@@ -408,6 +409,7 @@ key_des_num_cblocks(const mbedtls_cipher
      {
          ret = 3;
      }
@@ -34,7 +27,7 @@
  
      dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
      return ret;
-@@ -339,6 +341,7 @@ key_des_num_cblocks(const mbedtls_cipher
+@@ -416,6 +418,7 @@ key_des_num_cblocks(const mbedtls_cipher
  bool
  key_des_check(uint8_t *key, int key_len, int ndc)
  {
@@ -42,7 +35,7 @@
      int i;
      struct buffer b;
  
-@@ -367,11 +370,15 @@ key_des_check(uint8_t *key, int key_len,
+@@ -444,11 +447,15 @@ key_des_check(uint8_t *key, int key_len,
  
  err:
      return false;
@@ -58,7 +51,7 @@
      int i;
      struct buffer b;
  
-@@ -386,6 +393,7 @@ key_des_fixup(uint8_t *key, int key_len,
+@@ -463,6 +470,7 @@ key_des_fixup(uint8_t *key, int key_len,
          }
          mbedtls_des_key_set_parity(key);
      }
@@ -66,7 +59,7 @@
  }
  
  /*
-@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch
+@@ -783,10 +791,12 @@ cipher_des_encrypt_ecb(const unsigned ch
                         unsigned char *src,
                         unsigned char *dst)
  {

+ 10 - 0
package/network/services/openvpn/test.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+case "$1" in
+	"openvpn-mbedtls")
+		openvpn --version | grep "$2.*SSL (mbed TLS)"
+		;;
+	"openvpn-openssl"|"openvpn-wolfssl")
+		openvpn --version | grep "$2.*SSL (OpenSSL)"
+		;;
+esac
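Review bot: An unmatched `$1` falls out of the `case` and the script exits 0, so a variant without a test entry reports success; add `*) exit 1 ;;` before `esac`, and a header comment stating the contract (`$1` package name, `$2` expected version string, exit status taken from the final `grep`). The `"openvpn-wolfssl"` entry expects `SSL (OpenSSL)` in the banner, which is consistent with the bundled patch building through wolfSSL's OpenSSL compatibility layer; a comment on that branch would keep someone from "fixing" it later.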