It seems that openvpn in "subnet" topology has been half-broken for some time already.

Thu Nov 17 05:27:42 2016 us=851072 /sbin/route add -net 0.0.0.0 -netmask 128.0.0.0 <redacted>
add net 0.0.0.0: gateway <redacted>: Too many levels of symbolic links
Thu Nov 17 05:27:42 2016 us=853123 ERROR: OpenBSD/NetBSD route add command failed: external program exited with error status: 1
Thu Nov 17 05:27:42 2016 us=853286 /sbin/route add -net 128.0.0.0 -netmask 128.0.0.0 <redacted>
add net 128.0.0.0: gateway <redacted>: Too many levels of symbolic links
Thu Nov 17 05:27:42 2016 us=855262 ERROR: OpenBSD/NetBSD route add command failed: external program exited with error status: 1

IIUC the kernel used to support indirect route gateways. Now we have to work around this. On Linux, ''ip address add $addr peer $prefix'' is used to set up the route, which automatically adds a local route to $prefix. Maybe we could amend base to support a similar syntax and automatically add a network route, but in the meantime here's a fix.

The diff also includes unrelated bits.
- the previous HOMEPAGE wasn't particularly helpful
- add support for on-link routes (TBH I'm not sure yet if it is useful at all)
- kill gcc2 patch

Those changes would be committed separately.

Test reports / feedback / oks welcome.

Index: Makefile =================================================================== RCS file: /d/cvs/ports/net/openvpn/Makefile,v retrieving revision 1.65 diff -u -p -r1.65 Makefile --- Makefile 14 May 2016 13:14:46 -0000 1.65 +++ Makefile 17 Nov 2016 06:53:48 -0000 @@ -3,9 +3,10 @@ COMMENT= easy-to-use, robust, and highly configurable VPN DISTNAME= openvpn-2.3.11 +REVISION= 0 CATEGORIES= net security -HOMEPAGE= http://openvpn.net/ +HOMEPAGE= https://openvpn.net/index.php/open-source/ # GPLv2 only PERMIT_PACKAGE_CDROM= Yes Index: patches/patch-src_openvpn_route_c =================================================================== RCS file: patches/patch-src_openvpn_route_c diff -N patches/patch-src_openvpn_route_c 
--- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_openvpn_route_c 17 Nov 2016 09:34:09 -0000 @@ -0,0 +1,24 @@ +$OpenBSD$ + +- add support for on-link routes + +--- src/openvpn/route.c.orig Tue May 10 08:02:33 2016 ++++ src/openvpn/route.c Thu Nov 17 07:15:54 2016 +@@ -1501,12 +1501,14 @@ add_route (struct route_ipv4 *r, + argv_printf_cat (&argv, "-rtt %d", r->metric); + #endif + +- argv_printf_cat (&argv, "-net %s %s -netmask %s", ++ argv_printf_cat (&argv, "-net %s -netmask %s", + network, +- gateway, + netmask); + +- /* FIXME -- add on-link support for OpenBSD/NetBSD */ ++ if (is_on_link (is_local_route, flags, rgi)) ++ argv_printf_cat (&argv, "-link -iface %s", rgi->iface); ++ else ++ argv_printf_cat (&argv, "%s", gateway); + + argv_msg (D_ROUTE, &argv); + status = openvpn_execve_check (&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed"); Index: patches/patch-src_openvpn_syshead_h =================================================================== RCS file: patches/patch-src_openvpn_syshead_h diff -N patches/patch-src_openvpn_syshead_h --- patches/patch-src_openvpn_syshead_h 20 Apr 2013 16:22:55 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,12 +0,0 @@ -$OpenBSD: patch-src_openvpn_syshead_h,v 1.1 2013/04/20 16:22:55 sthen Exp $ ---- src/openvpn/syshead.h.orig Thu Nov 22 13:07:51 2012 -+++ src/openvpn/syshead.h Thu Mar 7 14:02:35 2013 -@@ -29,7 +29,7 @@ - #include "compat-stdbool.h" - - /* branch prediction hints */ --#if defined(__GNUC__) -+#if defined(__GNUC__) && __GNUC__ >= 3 - # define likely(x) __builtin_expect((x),1) - # define unlikely(x) __builtin_expect((x),0) - #else Index: patches/patch-src_openvpn_tun_c =================================================================== RCS file: /d/cvs/ports/net/openvpn/patches/patch-src_openvpn_tun_c,v retrieving revision 1.8 diff -u -p -r1.8 patch-src_openvpn_tun_c --- patches/patch-src_openvpn_tun_c 18 Dec 2015 02:17:45 -0000 1.8 +++ patches/patch-src_openvpn_tun_c 17 Nov 2016 09:45:22 -0000 @@ -1,6 +1,12 @@ $OpenBSD: patch-src_openvpn_tun_c,v 1.8 2015/12/18 02:17:45 sthen Exp $ ---- src/openvpn/tun.c.orig Wed Dec 16 11:39:07 2015 -+++ src/openvpn/tun.c Fri Dec 18 01:24:47 2015 + +- no need for link0 any more, we have separate tap interfaces +- our ifconfig doesn't support passing a prefix as point-to-point dest + address. In subnet topology, use the local address as a fake dest addr, and + manually add a route for the prefix on the interface. + +--- src/openvpn/tun.c.orig Tue May 10 08:02:33 2016 ++++ src/openvpn/tun.c Thu Nov 17 10:42:55 2016 @@ -914,8 +914,17 @@ do_ifconfig (struct tuntap *tt, tt->did_ifconfig = true; 
@@ -134,13 +140,13 @@ $OpenBSD: patch-src_openvpn_tun_c,v 1.8 + /* On OpenBSD, add a network route for the local tun interface */ + if (!tun && tt->topology == TOP_SUBNET) + { -+ struct route_ipv4 r; -+ CLEAR (r); -+ r.flags = RT_DEFINED; -+ r.network = tt->local & tt->remote_netmask; -+ r.netmask = tt->remote_netmask; -+ r.gateway = tt->local; -+ add_route (&r, tt, 0, NULL, es); ++ char *ifconfig_remote_network = ++ print_in_addr_t (tt->local & tt->remote_netmask, 0, &gc); ++ argv_printf(&argv, "%s add %s -netmask %s -link -iface %s", ++ ROUTE_PATH, ifconfig_remote_network, ifconfig_remote_netmask, ++ actual); ++ argv_msg (M_INFO, &argv); ++ openvpn_execve_check (&argv, es, S_FATAL, "OpenBSD route failed"); + } +#endif #elif defined(TARGET_DARWIN) -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
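
Review bot: In the new patches/patch-src_openvpn_route_c hunk, the on-link branch dereferences rgi->iface, and nothing in the visible lines shows that rgi is non-NULL at that point. If is_on_link() does not already return false for a NULL rgi, add an explicit check before emitting "-link -iface %s", since add_route() can be called with a NULL rgi, as the earlier tun.c revision did with add_route (&r, tt, 0, NULL, es).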
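
Review bot: In the patch-src_openvpn_tun_c change, the replacement route command is run through openvpn_execve_check with S_FATAL, so a failed route add now aborts openvpn, whereas the add_route() call it replaces went through the route.c path that passes 0 and only logs "ERROR: OpenBSD/NetBSD route add command failed". Say in the patch comment that the hard failure is intended, or pass 0 to keep the previous behaviour. Style nit: argv_printf( is missing the space before the parenthesis that the surrounding calls use.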
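
Review bot: Deleting patches/patch-src_openvpn_syshead_h drops the "__GNUC__ >= 3" condition on the likely()/unlikely() definitions, so the build goes back to the plain defined(__GNUC__) test and uses __builtin_expect with any GCC. The mail only says "kill gcc2 patch"; the commit message should state that no platform still builds this port with a GCC older than 3.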