Here's a diff that enables the support, new in 2.7.0, for configuring
on the client the nameservers that the server may send.
At first I disabled the default script because it interferes with
resolvd(8), but it turns out hacking up a script for handling the
resolvd(8) case was easy. If resolvd is running, use route(8)
nameserver, else let the default script do the resolv.conf mangling.
The idea is to use upstream defaults here. If you wish to ignore DNS
servers provided by the server, you can do so with:
--pull-filter ignore 'dhcp-option DNS '
Search domains support is left as an exercise for the reader, as far
as I'm concerned I'm perfectly happy without it!
Feedback? ok?
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/openvpn/Makefile,v
diff -u -p -r1.143 Makefile
--- Makefile 18 Feb 2026 21:17:24 -0000 1.143
+++ Makefile 27 Feb 2026 14:35:59 -0000
@@ -1,7 +1,7 @@
COMMENT= easy-to-use, robust, and highly configurable VPN
DISTNAME= openvpn-2.7.0
-REVISION= 0
+REVISION= 1
CATEGORIES= net security
@@ -31,8 +31,7 @@ CONFIGURE_STYLE= gnu
CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \
LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}" \
SOFTHSM2_UTIL=no
-CONFIGURE_ARGS+=--disable-dns-updown-by-default \
- --with-openssl-engine=no
+CONFIGURE_ARGS= --with-openssl-engine=no
DEBUG_PACKAGES= ${BUILD_PACKAGES}
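Review bot: Dropping `--disable-dns-updown-by-default` from `CONFIGURE_ARGS` means the package now applies server-pushed resolvers unless the user opts out, and nothing in the Makefile records that change of default. A comment above the assignment would help the next maintainer, for example `# dns-updown is on by default (upstream default); opt out with --pull-filter ignore 'dhcp-option DNS '`. The same information probably belongs in the package's user-facing notes, if the port has any (not visible in this diff), because existing configurations change behaviour on upgrade. The assignment also changes from `+=` to `=`, which would discard any value set earlier; the lines above this hunk are not shown, so confirm that nothing is lost.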
@@ -53,6 +52,9 @@ WANTLIB += crypto pkcs11-helper ssl
SAMPLES_DIR= ${PREFIX}/share/examples/openvpn
+pre-configure:
+ ${SUBST_CMD} ${WRKSRC}/distro/dns-scripts/resolvconf_file-dns-updown.sh
+
post-install:
cd ${WRKSRC}/sample/; \
find sample-config-files sample-keys sample-scripts -type d \
@@ -60,5 +62,7 @@ post-install:
find sample-config-files sample-keys sample-scripts -type f \
'(' ! -name '*.orig' -a ! -name '.gitignore' ')' \
-exec ${INSTALL_DATA} {} ${SAMPLES_DIR}/{} ';'
+ ${INSTALL_SCRIPT} ${FILESDIR}/resolvd-dns-updown.sh \
+ ${PREFIX}/libexec/openvpn/dns-updown.resolvd
.include <bsd.port.mk>
Index: files/resolvd-dns-updown.sh
===================================================================
RCS file: files/resolvd-dns-updown.sh
diff -N files/resolvd-dns-updown.sh
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/resolvd-dns-updown.sh 27 Feb 2026 14:03:49 -0000
@@ -0,0 +1,90 @@
+#!/bin/ksh
+#
+# Simple OpenVPN up/down script for resolvd(8) integration
+# Modified from the openresolv script shipped in OpenVPN 2.7.0
+# (C) Copyright 2016 Baptiste Daroussin
+# 2024 OpenVPN Inc <[email protected]>
+# 2026 Jeremie Courreges-Anglas <[email protected]>
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# Example env from openvpn (most are not applied):
+#
+# dns_vars_file /tmp/openvpn_dvf_58b95c0c97b2db43afb5d745f986c53c.tmp
+#
+# or
+#
+# dev tun0
+# script_type dns-up
+# dns_search_domain_1 mycorp.in
+# dns_search_domain_2 eu.mycorp.com
+# dns_server_1_address_1 192.168.99.254
+# dns_server_1_address_2 fd00::99:53
+# dns_server_1_port_1 53
+# dns_server_1_port_2 53
+# dns_server_1_resolve_domain_1 mycorp.in
+# dns_server_1_resolve_domain_2 eu.mycorp.com
+# dns_server_1_dnssec true
+# dns_server_1_transport DoH
+# dns_server_1_sni dns.mycorp.in
+#
+
+set -e +u
+
+only_standard_server_ports() {
+ i=1
+ while true; do
+ eval addr=\"\$dns_server_${n}_address_${i}\"
+ [ -n "$addr" ] || return 0
+
+ eval port=\"\$dns_server_${n}_port_${i}\"
+ [ -z "$port" -o "$port" = "53" ] || return 1
+
+ i=$((i + 1))
+ done
+}
+
+[ -z "${dns_vars_file}" ] || . "${dns_vars_file}"
+: ${script_type:=dns-down}
+case "${script_type}" in
+dns-up)
+ n=1
+ while :; do
+ eval addr=\"\$dns_server_${n}_address_1\"
+ [ -n "$addr" ] || {
+ echo "setting DNS failed, no compatible server profile"
+ exit 1
+ }
+
+ # Skip server profiles which require DNSSEC,
+ # secure transport or use a custom port
+ eval dnssec=\"\$dns_server_${n}_dnssec\"
+ eval transport=\"\$dns_server_${n}_transport\"
+ [ -z "$transport" -o "$transport" = "plain" ] \
+ && [ -z "$dnssec" -o "$dnssec" = "no" ] \
+ && only_standard_server_ports && break
+
+ n=$((n + 1))
+ done
+
+ i=1
+ maxns=5
+ nameservers=""
+ while :; do
+ maxns=$((maxns - 1))
+ [ $maxns -gt 0 ] || break
+ eval option=\"\$dns_server_${n}_address_${i}\" || break
+ [ "${option}" ] || break
+ if [ -n "$nameservers" ]; then
+ nameservers="${nameservers} ${option}"
+ else
+ nameservers="${option}"
+ fi
+ i=$((i + 1))
+ done
+ /sbin/route nameserver "${dev}" ${nameservers}
+ ;;
+dns-down)
+ /sbin/route nameserver "${dev}"
+ ;;
+esac
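Review bot: The collected addresses reach `/sbin/route nameserver "${dev}" ${nameservers}` through an unquoted expansion, so they undergo pathname expansion as well as the intended word splitting. These values originate from the remote server, and whether OpenVPN already restricts them to literal IP addresses is not visible here. Adding `set -f` next to `set -e +u` keeps the splitting and disables globbing. `dev` is used in both branches without a check, so `[ -n "${dev}" ] || exit 1` before the `case` would prevent calling route with an empty interface name. Separately, the loop decrements `maxns` before testing it, so `maxns=5` yields at most four addresses; if five is intended, the test should come before the decrement.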
Index: patches/patch-distro_dns-scripts_resolvconf_file-dns-updown_sh
===================================================================
RCS file: patches/patch-distro_dns-scripts_resolvconf_file-dns-updown_sh
diff -N patches/patch-distro_dns-scripts_resolvconf_file-dns-updown_sh
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-distro_dns-scripts_resolvconf_file-dns-updown_sh 27 Feb
2026 14:25:30 -0000
@@ -0,0 +1,15 @@
+Index: distro/dns-scripts/resolvconf_file-dns-updown.sh
+--- distro/dns-scripts/resolvconf_file-dns-updown.sh.orig
++++ distro/dns-scripts/resolvconf_file-dns-updown.sh
+@@ -41,6 +41,11 @@ only_standard_server_ports() {
+ done
+ }
+
++# If resolvd is running, don't touch /etc/resolv.conf
++if pgrep -q '^resolvd$'; then
++ exec ${PREFIX}/libexec/openvpn/dns-updown.resolvd "$@"
++fi
++
+ conf=/etc/resolv.conf
+ test -e "$conf" || exit 1
+ test -z "${dns_vars_file}" || . "${dns_vars_file}"
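Review bot: The added `pgrep -q '^resolvd$'` check matches any process with that name regardless of owner, and `pgrep` is resolved through `PATH` while the companion script calls `/sbin/route` by absolute path. Since this script runs with the privileges needed to change the resolver, an absolute path and a check restricted to the daemon's account would be tighter, for example `if /usr/bin/pgrep -q -x -u root resolvd; then` (assuming resolvd runs as root, which should be confirmed). The existing comment could also say why the name match is trusted. The rest of the upstream script lies outside this hunk.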
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/openvpn/pkg/PLIST,v
diff -u -p -r1.35 PLIST
--- pkg/PLIST 18 Feb 2026 21:06:32 -0000 1.35
+++ pkg/PLIST 27 Feb 2026 14:36:20 -0000
@@ -10,6 +10,7 @@ lib/openvpn/plugins/openvpn-plugin-down-
@so lib/openvpn/plugins/openvpn-plugin-down-root.so
libexec/openvpn/
libexec/openvpn/dns-updown
+libexec/openvpn/dns-updown.resolvd
@man man/man5/openvpn-examples.5
@man man/man8/openvpn.8
@bin sbin/openvpn
--
jca