9 files changed, 423 insertions, 0 deletions
diff --git a/README.html b/README.html
new file mode 100644
index 0000000..ffd1b46
--- /dev/null
+++ b/README.html
@@ -0,0 +1,75 @@
+ This is an overlay voor the Gentoo Linux distribution, it provides ebuilds for
+ <a href="https://openvpn.fox-it.com">OpenVPN-NL</a>.
+<h2>Why this overlay?</h2>
+ When i was experimenting with hardware security tokens and OpenVPN i got
+ really bad performance, tunnel setup took multiple minutes. When i found
+ OpenVPN-NL and tried it, it worked a lot better. So i initually
+ created this overlay for personal use, and now hope it will be useful for
+ others too. My forum topic on this subject can be found
+ <a href="https://forums.gentoo.org/viewtopic-t-1114346.html">here</a>.
+<h2>What is in this overlay?</h2>
+ This overlay carries a single package: net-vpn/openvpn-nl. OpenVPN-NL is
+ modified version of OpenVPN made by and for the Dutch government (hence the
+ -NL). The modifications to both mbed TLS and OpenVPN include disabling of
+ insecure configurations and ciphers. I did a full diff on the packages and
+ their originals and there's no backdoor-ish stuff. Of course you don't have
+ to beleve me, all the source is out there.
+ The package has a single USE flag: the use-expanded CPU_FLAGS_X86 flag aes.
+ The official way of using OpenVPN-NL prohibits using hardware accelerated
+ crypto, for private use you can of course change that. If this flag is set it
+ will enable AES-NI support in mbet TLS, allowing hardware acceleration.
+ All files and directories with &quot;openvpn&quot; in their names have been
+ renamed to &quot;openvpn-nl&quot;, this ensures the OpenVPN and OpenVPN-NL
+ can both be installed at the same time.
+ You might notice that the package does not specify any dependencies, this is
+ because they are not specified and we'll have to find out while we're going.
+ On my system I also have OpenVPN installed which will take care of most
+ dependencies.
+<h2>How to use this overlay?</h2>
+ First you'll have to clone this overlay on a place you like, a common place
+ these days is <b>/var/db/repos</b>. So cd into that directory and use
+ <b>git clone https://code.pa4wdh.nl.eu.org/gentoo/openvpn-nl</b>, this will
+ create a directory called openvpn-nl with the overlay in it.
+ Next you have to make portage aware of the repo, for that you'll have to
+ create a config file under <b>/etc/portage/repos.conf</b>. Create a file
+ called <b>openvpn-nl.conf</b> and give it these contents:
+location = /var/db/repos/openvpn-nl
+sync-type = git
+sync-uri = https://code.pa4wdh.nl.eu.org/gentoo/openvpn-nl
+ If you placed the overlay on a different place than <b>/var/db/repos</b> make
+ sure to adapt the <b>location</b> line to your needs.
+<h2>What can i do with this?</h2>
+ For me this is the best way to get OpenVPN running with hardware crypto
+ tokens. If that's what you like, or if you'd simply like to run OpenVPN-NL
+ instead of OpenVPN on Gentoo, this is the easiest way.
+ If you have any feedback on this overlay, you're quite likely to find me on
+ the <a href="https://forums.gentoo.org">Gentoo forums</a>.
+ Have fun!
diff --git a/metadata/layout.conf b/metadata/layout.conf
new file mode 100644
index 0000000..c673a95
--- /dev/null
+++ b/metadata/layout.conf
@@ -0,0 +1,2 @@
+masters = gentoo
+auto-sync = false
diff --git a/net-vpn/openvpn-nl/Manifest b/net-vpn/openvpn-nl/Manifest
new file mode 100644
index 0000000..bc9b2e9
--- /dev/null
+++ b/net-vpn/openvpn-nl/Manifest
@@ -0,0 +1,6 @@
+AUX down.sh 949 BLAKE2B 1598e2e876ca52423166ee71872723c5736b1a6625e74d8c41d20bb177e3c73f83cbbb2d6f301b527dec779a55b4c7212a658602433baedaa0b0bd6bd511da93 SHA512 49e1f6819a3ad2291e93bbea3e528e46a7ae28bfa587e53b71f3305492600526fbe73ad235338c99fc0506451832b7d2e5f4dc24b613e8eec9ce348a7c000c32
+AUX openvpn-nl.conf 898 BLAKE2B 6679d8cbde00665d439c88dc0db41ec7e445ff3ccf301209247807e12b95220422755cae94baf662ec1867d789ce8316e7895b45685f95317e61c6671f6480ba SHA512 672c9c9450b841b5d3828a0523b25692e7221af2ef00e78205c7e21d909bc590ef18073c6312d1cc310f54cec08c3465066d0d5032198467aacde3f38de05668
+AUX openvpn-nl.init 4235 BLAKE2B a74e34cc21f109c4fbb917d47a297eebf824a0c2a05d4ef75219741fa9d00d97eee6e2bf5187229c2146c7c1b2b91208275ecb87b69ccb313c3b405cba286dbc SHA512 0d40f1a751349a1eb24a41609f0cb452ef0ac376615ef0a976c01c1bb28b0dfe971f228b14f6d678257be92c3c069bd1847fb0dadf29b1f07ce7ca64eabadc0d
+AUX up.sh 2877 BLAKE2B c11d4f5eee8e416bd05e40566377f75ccf23290e071558f6bd8cb5654452ed385ab2fe22a67bf5166a272f014a78a0da269ac9266244699f19b364b66e079848 SHA512 d8ce50421d1b5e218c60da1c3a948648b2df851e2a395bc96690d07e7bb3d625a4e5f7c02717bcaab28f0c417047829f3fd71b24e4c47a97fe9b26448578c52f
+DIST openvpn-nl-src-2.4.9-nl1.tar.gz 4721730 BLAKE2B fb3840d5cdf9c69e981b8e09ab2614ad852cc3fb949a63f4887b41fac77fcbe1a051768dd76049651421c8c500e65463e6c84fd45f3573ef3b763b4b9a553642 SHA512 1569e97ce6f60a3302815d28512c0b2acd2e7c7716b797400de1ce5f46f4d415a3035ba91c792c36507e1c511559c9bcc8f5d1c35a96b452e12169ec89553ffe
+EBUILD openvpn-nl-2.4.9.ebuild 1194 BLAKE2B 89f55e8e661f47792ec9488fd5f566f2872a3eac552775eec6fe3f425b5b54535cbe25150812aff8c0d8920527e900100cbe4102e3bc1d4de55109cd0ac04f72 SHA512 92a49c99adbcc3bd9f7e53531299879ab76ad7e3e70f138af90a1633fdc61d19571f188088936532ca7eae6a9b62f02e263a748ca43020d663cf4c5372151f13
diff --git a/net-vpn/openvpn-nl/files/down.sh b/net-vpn/openvpn-nl/files/down.sh
new file mode 100644
index 0000000..afd7330
--- /dev/null
+++ b/net-vpn/openvpn-nl/files/down.sh
@@ -0,0 +1,33 @@
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+# If we have a service specific script, run this now
+if [ -x /etc/openvpn-nl/"${SVCNAME}"-down.sh ] ; then
+ /etc/openvpn-nl/"${SVCNAME}"-down.sh "$@"
+# Restore resolv.conf to how it was
+if [ "${PEER_DNS}" != "no" ]; then
+ if [ -x /sbin/resolvconf ] ; then
+ /sbin/resolvconf -d "${dev}"
+ elif [ -e /etc/resolv.conf-"${dev}".sv ] ; then
+ # Important that we copy instead of move incase resolv.conf is
+ # a symlink and not an actual file
+ cp /etc/resolv.conf-"${dev}".sv /etc/resolv.conf
+ rm -f /etc/resolv.conf-"${dev}".sv
+ fi
+if [ -n "${SVCNAME}" ]; then
+ # Re-enter the init script to start any dependant services
+ if /etc/init.d/"${SVCNAME}" --quiet status ; then
+ export IN_BACKGROUND=true
+ /etc/init.d/"${SVCNAME}" --quiet stop
+ fi
+exit 0
+# vim: ts=4 :
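Review bot: The service-specific hook at the top of the script (`if [ -x /etc/openvpn-nl/"${SVCNAME}"-down.sh ]`) runs before anything checks that `SVCNAME` is set, whereas the matching up.sh in this commit wraps the same call inside `if [ -n "${SVCNAME}" ]`, and the re-entry block further down in this file does too. With an empty `SVCNAME` the path degenerates to `/etc/openvpn-nl/-down.sh`, which `-x` rejects, so the behaviour is harmless today, but moving the hook inside the existing `[ -n "${SVCNAME}" ]` block would make the two scripts read the same way and keep the guard explicit. Some closing `fi` lines appear to be missing from this rendering of the hunk, so the block structure here is inferred from indentation.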
diff --git a/net-vpn/openvpn-nl/files/openvpn-nl.conf b/net-vpn/openvpn-nl/files/openvpn-nl.conf
new file mode 100644
index 0000000..b928895
--- /dev/null
+++ b/net-vpn/openvpn-nl/files/openvpn-nl.conf
@@ -0,0 +1,18 @@
+# OpenVPN-NL automatically creates an /etc/resolv.conf (or sends it to
+# resolvconf) if given DNS information by the OpenVPN server.
+# Set PEER_DNS="no" to stop this.
+# OpenVPN-NL can run in many modes. Most people will want the init script
+# to automatically detect the mode and try and apply a good default
+# configuration and setup scripts. However, there are cases where the
+# OpenVPN configuration looks like a client, but it's really a peer or
+# something else. DETECT_CLIENT controls this behaviour.
+# If DETECT_CLIENT is no and you have your own scripts to re-enter the openvpn
+# init script (ie, it first becomes "inactive" and the script then starts the
+# script again to make it "started") then you can state this below.
+# In other words, unless you understand service dependencies and are a
+# competent shell scripter, don't set this.
diff --git a/net-vpn/openvpn-nl/files/openvpn-nl.init b/net-vpn/openvpn-nl/files/openvpn-nl.init
new file mode 100644
index 0000000..4b59b9d
--- /dev/null
+++ b/net-vpn/openvpn-nl/files/openvpn-nl.init
@@ -0,0 +1,133 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+if [ -n "${VPN}" ] && [ ${SVCNAME} != "openvpn-nl" ]; then
+ VPNPID="/var/run/openvpn-nl.${VPN}.pid"
+ VPNPID="/var/run/openvpn-nl.pid"
+depend() {
+ need localmount net
+ use dns
+ after bootmisc
+checkconfig() {
+ # Linux has good dynamic tun/tap creation
+ if [ $(uname -s) = "Linux" ] ; then
+ if [ ! -e /dev/net/tun ]; then
+ if ! modprobe tun ; then
+ eerror "TUN/TAP support is not available" \
+ "in this kernel"
+ return 1
+ fi
+ fi
+ if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
+ ebegin "Detected broken /dev/net/tun symlink, fixing..."
+ rm -f /dev/net/tun
+ ln -s /dev/misc/net/tun /dev/net/tun
+ eend $?
+ fi
+ return 0
+ fi
+ # Other OS's don't, so we rely on a pre-configured interface
+ # per vpn instance
+ local ifname=$(sed -n -e 's/[[:space:]]*dev[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "${VPNCONF}")
+ if [ -z ${ifname} ] ; then
+ eerror "You need to specify the interface that this openvpn-nl" \
+ "instance should use" \
+ "by using the dev option in ${VPNCONF}"
+ return 1
+ fi
+ if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then
+ # Try and create it
+ echo > /dev/"${ifname}" >/dev/null
+ fi
+ if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then
+ eerror "${VPNCONF} requires interface ${ifname}" \
+ "but that does not exist"
+ return 1
+ fi
+start() {
+ # If we are re-called by the openvpn-nl gentoo-up.sh script
+ # then we don't actually want to start openvpn-nl
+ [ "${IN_BACKGROUND}" = "true" ] && return 0
+ ebegin "Starting ${SVCNAME}"
+ checkconfig || return 1
+ local args="" reenter=${RE_ENTER:-no}
+ # If the config file does not specify the cd option, we do
+ # But if we specify it, we override the config option which we do not want
+ if ! grep -q "^[ ]*cd[ ].*" "${VPNCONF}" ; then
+ args="${args} --cd ${VPNDIR}"
+ fi
+ # We mark the service as inactive and then start it.
+ # When we get an authenticated packet from the peer then we run our script
+ # which configures our DNS if any and marks us as up.
+ if [ "${DETECT_CLIENT:-yes}" = "yes" ] && \
+ grep -q "^[ ]*remote[ ].*" "${VPNCONF}" ; then
+ reenter="yes"
+ args="${args} --up-delay --up-restart"
+ args="${args} --script-security 2"
+ args="${args} --up /etc/openvpn-nl/up.sh"
+ args="${args} --down-pre --down /etc/openvpn-nl/down.sh"
+ # Warn about setting scripts as we override them
+ if grep -Eq "^[ ]*(up|down)[ ].*" "${VPNCONF}" ; then
+ ewarn "WARNING: You have defined your own up/down scripts"
+ ewarn "As you're running as a client, we now force Gentoo specific"
+ ewarn "scripts to be run for up and down events."
+ ewarn "These scripts will call /etc/openvpn-nl/${SVCNAME}-{up,down}.sh"
+ ewarn "where you can put your own code."
+ fi
+ # Warn about the inability to change ip/route/dns information when
+ # dropping privs
+ if grep -q "^[ ]*user[ ].*" "${VPNCONF}" ; then
+ ewarn "WARNING: You are dropping root privileges!"
+ ewarn "As such openvpn-nl may not be able to change ip, routing"
+ ewarn "or DNS configuration."
+ fi
+ else
+ # So we're a server. Run as openvpn-nl unless otherwise specified
+ grep -q "^[ ]*user[ ].*" "${VPNCONF}" || args="${args} --user openvpn"
+ grep -q "^[ ]*group[ ].*" "${VPNCONF}" || args="${args} --group openvpn"
+ fi
+ # Ensure that our scripts get the PEER_DNS variable
+ [ -n "${PEER_DNS}" ] && args="${args} --setenv PEER_DNS ${PEER_DNS}"
+ [ "${reenter}" = "yes" ] && mark_service_inactive "${SVCNAME}"
+ start-stop-daemon --start --exec /usr/sbin/openvpn-nl --pidfile "${VPNPID}" \
+ -- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon \
+ --setenv SVCNAME "${SVCNAME}" ${args}
+ eend $? "Check your logs to see why startup failed"
+stop() {
+ # If we are re-called by the openvpn-nl gentoo-down.sh script
+ # then we don't actually want to stop openvpn-nl
+ if [ "${IN_BACKGROUND}" = "true" ] ; then
+ mark_service_inactive "${SVCNAME}"
+ return 0
+ fi
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop --quiet \
+ --exec /usr/sbin/openvpn-nl --pidfile "${VPNPID}"
+ eend $?
+# vim: set ts=4 :
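Review bot: In `start()` the server branch appends `--user openvpn` and `--group openvpn`, while the comment directly above it says the daemon runs as openvpn-nl, and nothing visible in this commit (in particular the ebuild hunk) provisions either account, so on a host without the stock OpenVPN package the daemon is started with a user it cannot switch to. Either correct the comment and declare the account dependency in the ebuild (`acct-user/openvpn` and `acct-group/openvpn` in RDEPEND), or create a dedicated account and reference it here. Separately, the top-level pidfile selection `[ ${SVCNAME} != "openvpn-nl" ]` leaves `${SVCNAME}` unquoted, so an empty value turns the test into a syntax error; `[ "${SVCNAME}" != "openvpn-nl" ]` is the safe form. The closing `fi`/`}` lines and the script header do not appear in this rendering of the hunk, so I cannot confirm exactly where each function ends.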
diff --git a/net-vpn/openvpn-nl/files/up.sh b/net-vpn/openvpn-nl/files/up.sh
new file mode 100644
index 0000000..186ba71
--- /dev/null
+++ b/net-vpn/openvpn-nl/files/up.sh
@@ -0,0 +1,100 @@
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+# Setup our resolv.conf
+# Vitally important that we use the domain entry in resolv.conf so we
+# can setup the nameservers are for the domain ONLY in resolvconf if
+# we're using a decent dns cache/forwarder like dnsmasq and NOT nscd/libc.
+# nscd/libc users will get the VPN nameservers before their other ones
+# and will use the first one that responds - maybe the LAN ones?
+# non resolvconf users just the the VPN resolv.conf
+# FIXME:- if we have >1 domain, then we have to use search :/
+# We need to add a flag to resolvconf to say
+# "these nameservers should only be used for the listed search domains
+# if other global nameservers are present on other interfaces"
+# This however, will break compatibility with Debians resolvconf
+# A possible workaround would be to just list multiple domain lines
+# and try and let resolvconf handle it
+min_route() {
+ local n=1
+ local m
+ local r
+ eval m="\$route_metric_$n"
+ while [ -n "${m}" ]; do
+ if [ -z "$r" ] || [ "$r" -gt "$m" ]; then
+ r="$m"
+ fi
+ n="$(($n+1))"
+ eval m="\$route_metric_$n"
+ done
+ echo "$r"
+if [ "${PEER_DNS}" != "no" ]; then
+ NS=
+ i=1
+ while true ; do
+ eval opt=\$foreign_option_${i}
+ [ -z "${opt}" ] && break
+ if [ "${opt}" != "${opt#dhcp-option DOMAIN *}" ] ; then
+ if [ -z "${DOMAIN}" ] ; then
+ DOMAIN="${opt#dhcp-option DOMAIN *}"
+ else
+ SEARCH="${SEARCH}${SEARCH:+ }${opt#dhcp-option DOMAIN *}"
+ fi
+ elif [ "${opt}" != "${opt#dhcp-option DNS *}" ] ; then
+ NS="${NS}nameserver ${opt#dhcp-option DNS *}\n"
+ fi
+ i=$((${i} + 1))
+ done
+ if [ -n "${NS}" ] ; then
+ DNS="# Generated by openvpn-nl for interface ${dev}\n"
+ if [ -n "${SEARCH}" ] ; then
+ DNS="${DNS}search ${DOMAIN} ${SEARCH}\n"
+ elif [ -n "${DOMAIN}" ]; then
+ DNS="${DNS}domain ${DOMAIN}\n"
+ fi
+ DNS="${DNS}${NS}"
+ if [ -x /sbin/resolvconf ] ; then
+ metric="$(min_route)"
+ printf "${DNS}" | /sbin/resolvconf -a "${dev}" ${metric:+-m ${metric}}
+ else
+ # Preserve the existing resolv.conf
+ if [ -e /etc/resolv.conf ] ; then
+ cp /etc/resolv.conf /etc/resolv.conf-"${dev}".sv
+ fi
+ printf "${DNS}" > /etc/resolv.conf
+ chmod 644 /etc/resolv.conf
+ fi
+ fi
+# Below section is Gentoo specific
+# Quick summary - our init scripts are re-entrant and set the SVCNAME env var
+# as we could have >1 openvpn-nl service
+if [ -n "${SVCNAME}" ]; then
+ # If we have a service specific script, run this now
+ if [ -x /etc/openvpn-nl/"${SVCNAME}"-up.sh ] ; then
+ /etc/openvpn-nl/"${SVCNAME}"-up.sh "$@"
+ fi
+ # Re-enter the init script to start any dependant services
+ if ! /etc/init.d/"${SVCNAME}" --quiet status ; then
+ export IN_BACKGROUND=true
+ /etc/init.d/${SVCNAME} --quiet start
+ fi
+exit 0
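Review bot: `printf "${DNS}"` (both the resolvconf pipe and the redirect into /etc/resolv.conf) uses peer-supplied text as the printf format string: `DNS` is assembled from the `foreign_option_*` values pushed by the VPN server, so a `%` sequence inside a pushed DOMAIN or DNS option is interpreted by printf instead of being written literally, and the `\n` escapes are the only reason a format is needed at all. Use a fixed format and pass the data as an argument: `printf '%b' "${DNS}" | /sbin/resolvconf -a "${dev}" ${metric:+-m ${metric}}` and `printf '%b' "${DNS}" > /etc/resolv.conf`. The pushed nameserver and domain strings are also written into resolv.conf without any shape check; rejecting a DNS value that does not look like an address before appending it to `NS` would keep a misbehaving peer from placing arbitrary resolver directives in the file. Several closing `fi`/`}` lines appear to be missing from this rendering, so the structure of `min_route` and the PEER_DNS block is read from indentation.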
+# vim: ts=4 :
diff --git a/net-vpn/openvpn-nl/openvpn-nl-2.4.9.ebuild b/net-vpn/openvpn-nl/openvpn-nl-2.4.9.ebuild
new file mode 100644
index 0000000..a28bb7e
--- /dev/null
+++ b/net-vpn/openvpn-nl/openvpn-nl-2.4.9.ebuild
@@ -0,0 +1,55 @@
+# Copyright 2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+DESCRIPTION="Modified version of OpenVPN with mbedtls and pkcs11 support"
+SRC_URI="https://openvpn.fox-it.com/repos/source/${PV}-nl1/${PN}-src-${PV}-nl1.tar.gz https://code.pa4wdh.nl.eu.org/distfiles/${PN}-src-${PV}-nl1.tar.gz"
+KEYWORDS="amd64 x86"
+src_unpack() {
+ unpack ${A}
+ mv openvpn-nl ${P}
+src_prepare() {
+ eapply_user
+src_configure() {
+ if use cpu_flags_x86_aes; then
+ einfo "Enabling AES-NI support"
+ cd ${WORKDIR}/${P}/mbedtls
+ scripts/config.pl set MBEDTLS_AESNI_C
+ else
+ einfo "Not enabling AES-NI support"
+ fi
+src_compile() {
+ cd ${WORKDIR}/${P}
+ ./build-openvpn-nl.sh
+src_install() {
+ newsbin ${WORKDIR}/${P}/build-openvpn-nl/src/openvpn/openvpn openvpn-nl
+ newinitd "${FILESDIR}/openvpn-nl.init" openvpn-nl
+ newconfd "${FILESDIR}/openvpn-nl.conf" openvpn-nl
+ exeinto /etc/openvpn-nl
+ doexe "${FILESDIR}/up.sh"
+ doexe "${FILESDIR}/down.sh"
+ newman ${WORKDIR}/${P}/openvpn/doc/openvpn.8 openvpn-nl.8
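Review bot: None of the commands that shape the build check their exit status: `mv openvpn-nl ${P}` in src_unpack, the `cd` and `scripts/config.pl set MBEDTLS_AESNI_C` in src_configure, and the `cd` and `./build-openvpn-nl.sh` in src_compile all run without `|| die`, so a failed config edit silently yields a build without AES-NI and a failed build script falls through to src_install. Append `|| die` to each and quote the `${WORKDIR}/${P}` paths, as in the excerpt below. The bundled `build-openvpn-nl.sh` presumably runs its own configure step, so whatever it does with CFLAGS/LDFLAGS is what the package gets — a comment in src_compile stating that portage's toolchain flags are not applied here would save the next maintainer a surprise. The EAPI, LICENSE, SLOT and IUSE assignments and the function closing braces do not appear in this rendering of the hunk, so I cannot confirm the declared EAPI; the `|| die` idiom applies under any of them.
```shell
src_unpack() {
	unpack ${A}
	mv openvpn-nl "${P}" || die "renaming unpacked source to ${P} failed"
# … unchanged: closing brace …
src_configure() {
	if use cpu_flags_x86_aes; then
		einfo "Enabling AES-NI support"
		cd "${WORKDIR}/${P}/mbedtls" || die
		scripts/config.pl set MBEDTLS_AESNI_C || die "enabling MBEDTLS_AESNI_C failed"
	# … unchanged: else branch …
src_compile() {
	# NOTE: the bundled script drives its own configure; portage CFLAGS/LDFLAGS are not applied here
	cd "${WORKDIR}/${P}" || die
	./build-openvpn-nl.sh || die "build-openvpn-nl.sh failed"
```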
diff --git a/profiles/repo_name b/profiles/repo_name
new file mode 100644
index 0000000..0e4adec
--- /dev/null
+++ b/profiles/repo_name
@@ -0,0 +1 @@