[arch-dev-public] Preparing OpenVPN 2.4.x - possible incompatible changes

Fri Dec 2 12:40:51 UTC 2016

Christian Hesse <list at eworm.de> on Sat, 2016/11/26 13:38:
> Hello everybody,
> 
> a new OpenVPN stable release is being prepared, namely version 2.4.0.
> Currently we have 2.4_beta2. I think about making changes to our package
> that require user intervention.

We have 2.4_rc1 as of today.

> We shipped a systemd unit file before OpenVPN upstream had one. Upstream now
> has unit files, but two (for server and client) instead of just one. I did
> backport some security features for our unit, but refused to migrate to the
> upstream solution within the 2.3.x branch.
> 
> That could change with 2.4.0. Instead of openvpn at .service we would have
> openvpn-server at .service and openvpn-client at .service. Additionally the
> 'daemon' option is no longer allowed with the upstream units.

Some news about this... I prepared patched for proper systemd support which
already have been committed to the upstream repository. So we have:

* proper error handling (and service ordering)
* option "daemon" is just ignored when started from systemd unit - so no more
  limitations here

We will see the shiny new systemd units in our package.

> Stumbled about another fact... We define PLUGIN_LIBDIR, that allows to use
> relative paths from that directory in configuration to call the plugins.
> This path is '/usr/lib/openvpn' - plugins are installed to
> '/usr/lib/openvpn/plugins', though. Any reason for that?

This will change... So extra 'plugins/' has to be removed from relative paths
in configuration.

I built packages for 2.4_rc1 to give a preview... Feel free to test! ;)

http://pkgbuild.com/~eworm/openvpn/openvpn-2.4_rc1-1-i686.pkg.tar.xz
http://pkgbuild.com/~eworm/openvpn/openvpn-2.4_rc1-1-x86_64.pkg.tar.xz

The news post will look something like this:

<snip>
The upgrade to openvpn 2.4.0 makes changes that are incompatible with
previous configurations. Take special care if you depend on VPN
connectivity for remote access! Administrative interaction is required:

* Configuration is expected in sub directories now. Move your files
  from `/etc/openvpn/` to `/etc/openvpn/server/` or `/etc/openvpn/client/`.
* The plugin lookup path changed, remove extra `plugins/` from relative
  paths.
* The systemd unit `openvpn at .service` was replaced with
  `openvpn-client at .service` and `openvpn-server at .service`. Restart and
  reenable accordingly.

This does not affect the functionality of `networkmanager`, `connman`
or `qopenvpn`.
</snip>
-- 
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20161202/c43dd22d/attachment.asc>