Accepting request 1297937 from network:vpn

OBS-URL: https://build.opensuse.org/request/show/1297937
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=121

0001-Handle-missing-DCO-peer-by-restarting-the-session.patch

@@ -0,0 +1,285 @@
+From: Ralf Lici <ralf@mandelbit.com>
+Date: Wed, 5 Mar 2025 18:17:30 +0100
+Subject: Handle missing DCO peer by restarting the session
+References: bsc#1239783
+Git-repo: https://github.com/OpenVPN/openvpn.git
+Git-commit: 6f9ba8bfd259742ee19b173898a9bfd20e22fcf3
+Patch-mainline: v2.7
+
+Occasionally, CMD_DEL_PEER is not delivered to userspace, preventing the
+openvpn process from registering the event. To handle this case, we
+check if calls to the Linux DCO module return an error, and, if so, send
+a SIGUSR1 signal to reset the session.
+
+Most DCO commands that return an error already trigger a SIGUSR1 signal
+or even call _exit(1). This commit extends that behavior to include
+dco_get_peer_stats_multi() and dco_get_peer_stats().
+
+Change-Id: Ib118426c5a69256894040c69856a4003d9f4637c
+Signed-off-by: Ralf Lici <ralf@mandelbit.com>
+Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
+Message-Id: <20250305171730.250444-1-frank@lichtenheld.com>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31022.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ src/openvpn/dco.h         | 18 +++++++++++-------
+ src/openvpn/dco_freebsd.c |  5 +++--
+ src/openvpn/dco_linux.c   | 28 +++++++++++++++++++++++++---
+ src/openvpn/dco_win.c     |  5 +++--
+ src/openvpn/forward.c     |  3 +--
+ src/openvpn/manage.c      | 10 ++++++++--
+ src/openvpn/multi.c       | 10 ++++++++--
+ src/openvpn/sig.c         |  5 ++++-
+ 8 files changed, 63 insertions(+), 21 deletions(-)
+
+diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h
+index 35ceace3aac5..ed194cc5017c 100644
+--- a/src/openvpn/dco.h
++++ b/src/openvpn/dco.h
+@@ -231,17 +231,20 @@ void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi);
+ /**
+  * Update traffic statistics for all peers
+  *
+- * @param dco   DCO device context
+- * @param m     the server context
++ * @param dco                   DCO device context
++ * @param m                     the server context
++ * @param raise_sigusr1_on_err  whether to raise SIGUSR1 on error
+  **/
+-int dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m);
++int dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m,
++                             const bool raise_sigusr1_on_err);
+ 
+ /**
+  * Update traffic statistics for single peer
+  *
+- * @param c   instance context of the peer
++ * @param c                     instance context of the peer
++ * @param raise_sigusr1_on_err  whether to raise SIGUSR1 on error
+  **/
+-int dco_get_peer_stats(struct context *c);
++int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err);
+ 
+ /**
+  * Retrieve the list of ciphers supported by the current platform
+@@ -373,13 +376,14 @@ dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
+ }
+ 
+ static inline int
+-dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m)
++dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m,
++                         const bool raise_sigusr1_on_err)
+ {
+     return 0;
+ }
+ 
+ static inline int
+-dco_get_peer_stats(struct context *c)
++dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
+ {
+     return 0;
+ }
+diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
+index 0e536de80500..b8816c63bd43 100644
+--- a/src/openvpn/dco_freebsd.c
++++ b/src/openvpn/dco_freebsd.c
+@@ -713,7 +713,8 @@ dco_update_peer_stat(struct multi_context *m, uint32_t peerid, const nvlist_t *n
+ }
+ 
+ int
+-dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m)
++dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m,
++                         const bool raise_sigusr1_on_err)
+ {
+ 
+     struct ifdrv drv;
+@@ -781,7 +782,7 @@ retry:
+ }
+ 
+ int
+-dco_get_peer_stats(struct context *c)
++dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
+ {
+     /* Not implemented. */
+     return 0;
+diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
+index 68c1a8d3271a..b0a85fdaf365 100644
+--- a/src/openvpn/dco_linux.c
++++ b/src/openvpn/dco_linux.c
+@@ -952,7 +952,8 @@ dco_parse_peer_multi(struct nl_msg *msg, void *arg)
+ }
+ 
+ int
+-dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m)
++dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m,
++                         const bool raise_sigusr1_on_err)
+ {
+     msg(D_DCO_DEBUG, "%s", __func__);
+ 
+@@ -963,6 +964,14 @@ dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m)
+     int ret = ovpn_nl_msg_send(dco, nl_msg, dco_parse_peer_multi, m, __func__);
+ 
+     nlmsg_free(nl_msg);
++
++    if (raise_sigusr1_on_err && ret < 0)
++    {
++        msg(M_WARN, "Error retrieving DCO peer stats: the underlying DCO peer"
++            "may have been deleted from the kernel without notifying "
++            "userspace. Restarting the session");
++        register_signal(m->top.sig, SIGUSR1, "dco peer stats error");
++    }
+     return ret;
+ }
+ 
+@@ -1008,9 +1017,14 @@ dco_parse_peer(struct nl_msg *msg, void *arg)
+ }
+ 
+ int
+-dco_get_peer_stats(struct context *c)
++dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
+ {
+-    uint32_t peer_id = c->c2.tls_multi->dco_peer_id;
++    int peer_id = c->c2.tls_multi->dco_peer_id;
++    if (peer_id == -1)
++    {
++        return 0;
++    }
++
+     msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peer_id);
+ 
+     if (!c->c1.tuntap)
+@@ -1030,6 +1044,14 @@ dco_get_peer_stats(struct context *c)
+ 
+ nla_put_failure:
+     nlmsg_free(nl_msg);
++
++    if (raise_sigusr1_on_err && ret < 0)
++    {
++        msg(M_WARN, "Error retrieving DCO peer stats: the underlying DCO peer"
++            "may have been deleted from the kernel without notifying "
++            "userspace. Restarting the session");
++        register_signal(c->sig, SIGUSR1, "dco peer stats error");
++    }
+     return ret;
+ }
+ 
+diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c
+index 45cb919277c6..8b47124631bf 100644
+--- a/src/openvpn/dco_win.c
++++ b/src/openvpn/dco_win.c
+@@ -712,14 +712,15 @@ dco_do_read(dco_context_t *dco)
+ }
+ 
+ int
+-dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m)
++dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m,
++                         const bool raise_sigusr1_on_err)
+ {
+     /* Not implemented. */
+     return 0;
+ }
+ 
+ int
+-dco_get_peer_stats(struct context *c)
++dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
+ {
+     struct tuntap *tt = c->c1.tuntap;
+ 
+diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
+index b0253443aa3a..fce7ac8bb5ee 100644
+--- a/src/openvpn/forward.c
++++ b/src/openvpn/forward.c
+@@ -488,7 +488,7 @@ check_add_routes(struct context *c)
+ static void
+ check_inactivity_timeout(struct context *c)
+ {
+-    if (dco_enabled(&c->options) && dco_get_peer_stats(c) == 0)
++    if (dco_enabled(&c->options) && dco_get_peer_stats(c, true) == 0)
+     {
+         int64_t tot_bytes = c->c2.tun_read_bytes + c->c2.tun_write_bytes;
+         int64_t new_bytes = tot_bytes - c->c2.inactivity_bytes;
+@@ -497,7 +497,6 @@ check_inactivity_timeout(struct context *c)
+         {
+             c->c2.inactivity_bytes = tot_bytes;
+             event_timeout_reset(&c->c2.inactivity_interval);
+-
+             return;
+         }
+     }
+diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
+index 484042ada70e..0e73942762af 100644
+--- a/src/openvpn/manage.c
++++ b/src/openvpn/manage.c
+@@ -4146,8 +4146,13 @@ management_check_bytecount(struct context *c, struct management *man, struct tim
+         counter_type dco_read_bytes = 0;
+         counter_type dco_write_bytes = 0;
+ 
+-        if (dco_enabled(&c->options) && (dco_get_peer_stats(c) == 0))
++        if (dco_enabled(&c->options))
+         {
++            if (dco_get_peer_stats(c, true) < 0)
++            {
++                return;
++            }
++
+             dco_read_bytes = c->c2.dco_read_bytes;
+             dco_write_bytes = c->c2.dco_write_bytes;
+         }
+@@ -4166,7 +4171,8 @@ management_check_bytecount(struct context *c, struct management *man, struct tim
+ void
+ man_persist_client_stats(struct management *man, struct context *c)
+ {
+-    if (dco_enabled(&c->options) && (dco_get_peer_stats(c) == 0))
++    /* no need to raise SIGUSR1 since we are already closing the instance */
++    if (dco_enabled(&c->options) && (dco_get_peer_stats(c, false) == 0))
+     {
+         management_bytes_client(man, c->c2.dco_read_bytes, c->c2.dco_write_bytes);
+     }
+diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
+index 85a1712e2334..9d244be6d794 100644
+--- a/src/openvpn/multi.c
++++ b/src/openvpn/multi.c
+@@ -548,7 +548,10 @@ setenv_stats(struct multi_context *m, struct context *c)
+ {
+     if (dco_enabled(&m->top.options))
+     {
+-        dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m);
++        if (dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m, false) < 0)
++        {
++            return;
++        }
+     }
+ 
+     setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes + c->c2.dco_read_bytes);
+@@ -856,7 +859,10 @@ multi_print_status(struct multi_context *m, struct status_output *so, const int
+ 
+         if (dco_enabled(&m->top.options))
+         {
+-            dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m);
++            if (dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m, true) < 0)
++            {
++                return;
++            }
+         }
+ 
+         if (version == 1)
+diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c
+index 8323f0d97f21..b0f8935d4302 100644
+--- a/src/openvpn/sig.c
++++ b/src/openvpn/sig.c
+@@ -489,7 +489,10 @@ print_status(struct context *c, struct status_output *so)
+ 
+     if (dco_enabled(&c->options))
+     {
+-        dco_get_peer_stats(c);
++        if (dco_get_peer_stats(c, true) < 0)
++        {
++            return;
++        }
+     }
+ 
+     status_printf(so, "OpenVPN STATISTICS");
+-- 
+2.49.0
+

0001-Implement-ovpn-version-detection.patch

@@ -0,0 +1,105 @@
+From: Ralf Lici <ralf@mandelbit.com>
+Date: Thu, 15 May 2025 17:00:31 +0200
+Subject: Implement ovpn version detection
+References: bsc#1239783
+Git-repo: https://github.com/OpenVPN/openvpn.git
+Git-commit: f6c95ac2ffa69a1caaf2785859c48295a3bea199
+Patch-mainline: v2.7.0
+
+Add detection of the ovpn kernel module type: if a backported
+(out-of-tree) version is loaded, the MODULE_VERSION string is read from
+sysfs; otherwise, for the in-tree module, the function reports the
+kernel release and version.
+
+Change-Id: I7fc033a7ffee73045316763356a95d75ef23f5ad
+Signed-off-by: Ralf Lici <ralf@mandelbit.com>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <20250515150038.30097-1-gert@greenie.muc.de>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31652.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ src/openvpn/dco_linux.c |   69 +++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 68 insertions(+), 1 deletion(-)
+
+--- a/src/openvpn/dco_linux.c
++++ b/src/openvpn/dco_linux.c
+@@ -1117,10 +1117,77 @@ dco_available(int msglevel)
+     return true;
+ }
+ 
++/**
++ * There's no version indicator in the ovpn in-tree module, so we return a
++ * string containing info about the kernel version and release.
++ */
++static const char *
++dco_version_string_in_tree(struct gc_arena *gc)
++{
++    struct buffer buf = alloc_buf_gc(256, gc);
++    struct utsname system;
++
++    if (uname(&system))
++    {
++        return "ERR";
++    }
++
++    buf_puts(&buf, system.release);
++    buf_puts(&buf, " ");
++    buf_puts(&buf, system.version);
++    return BSTR(&buf);
++}
++
++/**
++ * When the module is loaded, the backports version of ovpn has a version file
++ * in sysfs. Read it and return the string.
++ *
++ * The caller is responsible for closing the file pointer.
++ */
++static const char *
++dco_version_string_backports(FILE *fp, struct gc_arena *gc)
++{
++    char *str = gc_malloc(PATH_MAX, false, gc);
++
++    if (!fgets(str, PATH_MAX, fp))
++    {
++        return "ERR";
++    }
++
++    /* remove potential newline at the end of the string */
++    char *nl = strchr(str, '\n');
++    if (nl)
++    {
++        *nl = '\0';
++    }
++
++    return str;
++}
++
+ const char *
+ dco_version_string(struct gc_arena *gc)
+ {
+-    return "Unknown";
++    const char *version;
++    struct stat sb;
++    FILE *fp;
++
++    if (stat("/sys/module/ovpn", &sb) != 0 || !S_ISDIR(sb.st_mode))
++    {
++        return "N/A";
++    }
++
++    /* now that we know for sure that the module is loaded, if there's no
++     * version file it means we're dealing with the in-tree version, otherwise
++     * it's backports */
++    fp = fopen("/sys/module/ovpn/version", "r");
++    if (!fp)
++    {
++        return dco_version_string_in_tree(gc);
++    }
++    version = dco_version_string_backports(fp, gc);
++
++    fclose(fp);
++    return version;
+ }
+ 
+ void

0001-dco-better-naming-for-function-parameters.patch

@@ -0,0 +1,121 @@
+From: Lev Stipakov <lev@openvpn.net>
+Date: Fri, 27 Sep 2024 11:30:45 +0200
+Subject: dco: better naming for function parameters
+References: bsc#1239783
+Git-repo: https://github.com/OpenVPN/openvpn.git
+Git-commit: 95e5a0b4f0f0f45d29a5a995f151677b760ddf76
+Patch-mainline: v2.7
+
+Current naming (remote_in4/6) is confusing, since
+those are in fact VPN IPv4/v6 addresses and not
+related to remote at all.
+
+Change-Id: I101bbc9f682375ec733bca10b52da82f0abfec27
+Signed-off-by: Lev Stipakov <lev@openvpn.net>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+Message-Id: <20240927093045.22753-1-frank@lichtenheld.com>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29460.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ src/openvpn/dco_freebsd.c  | 12 ++++++------
+ src/openvpn/dco_internal.h |  2 +-
+ src/openvpn/dco_linux.c    | 10 +++++-----
+ src/openvpn/dco_win.c      |  2 +-
+ 4 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
+index 2bfbda1243c8..d2b8092cb27d 100644
+--- a/src/openvpn/dco_freebsd.c
++++ b/src/openvpn/dco_freebsd.c
+@@ -75,7 +75,7 @@ sockaddr_to_nvlist(const struct sockaddr *sa)
+ int
+ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
+              struct sockaddr *localaddr, struct sockaddr *remoteaddr,
+-             struct in_addr *remote_in4, struct in6_addr *remote_in6)
++             struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
+ {
+     struct ifdrv drv;
+     nvlist_t *nvl, *local_nvl, *remote_nvl;
+@@ -97,15 +97,15 @@ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
+         nvlist_add_nvlist(nvl, "remote", remote_nvl);
+     }
+ 
+-    if (remote_in4)
++    if (vpn_ipv4)
+     {
+-        nvlist_add_binary(nvl, "vpn_ipv4", &remote_in4->s_addr,
+-                          sizeof(remote_in4->s_addr));
++        nvlist_add_binary(nvl, "vpn_ipv4", &vpn_ipv4->s_addr,
++                          sizeof(vpn_ipv4->s_addr));
+     }
+ 
+-    if (remote_in6)
++    if (vpn_ipv6)
+     {
+-        nvlist_add_binary(nvl, "vpn_ipv6", remote_in6, sizeof(*remote_in6));
++        nvlist_add_binary(nvl, "vpn_ipv6", vpn_ipv6, sizeof(*vpn_ipv6));
+     }
+ 
+     nvlist_add_number(nvl, "fd", sd);
+diff --git a/src/openvpn/dco_internal.h b/src/openvpn/dco_internal.h
+index 624c11050c04..4bbcc82bbb14 100644
+--- a/src/openvpn/dco_internal.h
++++ b/src/openvpn/dco_internal.h
+@@ -62,7 +62,7 @@ dco_get_cipher(const char *cipher)
+ 
+ int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
+                  struct sockaddr *localaddr, struct sockaddr *remoteaddr,
+-                 struct in_addr *remote_in4, struct in6_addr *remote_in6);
++                 struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6);
+ 
+ int dco_del_peer(dco_context_t *dco, unsigned int peerid);
+ 
+diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
+index 1f1907ef830c..9f3c4ca05408 100644
+--- a/src/openvpn/dco_linux.c
++++ b/src/openvpn/dco_linux.c
+@@ -220,7 +220,7 @@ mapped_v4_to_v6(struct sockaddr *sock, struct gc_arena *gc)
+ int
+ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
+              struct sockaddr *localaddr, struct sockaddr *remoteaddr,
+-             struct in_addr *remote_in4, struct in6_addr *remote_in6)
++             struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
+ {
+     struct gc_arena gc = gc_new();
+     const char *remotestr = "[undefined]";
+@@ -263,14 +263,14 @@ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
+     }
+ 
+     /* Set the primary VPN IP addresses of the peer */
+-    if (remote_in4)
++    if (vpn_ipv4)
+     {
+-        NLA_PUT_U32(nl_msg, OVPN_NEW_PEER_ATTR_IPV4, remote_in4->s_addr);
++        NLA_PUT_U32(nl_msg, OVPN_NEW_PEER_ATTR_IPV4, vpn_ipv4->s_addr);
+     }
+-    if (remote_in6)
++    if (vpn_ipv6)
+     {
+         NLA_PUT(nl_msg, OVPN_NEW_PEER_ATTR_IPV6, sizeof(struct in6_addr),
+-                remote_in6);
++                vpn_ipv6);
+     }
+     nla_nest_end(nl_msg, attr);
+ 
+diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c
+index b0b13592cdbe..42df1cc5acbe 100644
+--- a/src/openvpn/dco_win.c
++++ b/src/openvpn/dco_win.c
+@@ -247,7 +247,7 @@ dco_create_socket(HANDLE handle, struct addrinfo *remoteaddr, bool bind_local,
+ int
+ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
+              struct sockaddr *localaddr, struct sockaddr *remoteaddr,
+-             struct in_addr *remote_in4, struct in6_addr *remote_in6)
++             struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
+ {
+     msg(D_DCO_DEBUG, "%s: peer-id %d, fd %d", __func__, peerid, sd);
+     return 0;
+-- 
+2.49.0
+

0001-dco-linux-avoid-redefining-ovpn-enums.patch

@@ -0,0 +1,58 @@
+From: Ralf Lici <ralf@mandelbit.com>
+Date: Mon, 23 Jun 2025 16:07:43 +0200
+Subject: dco linux: avoid redefining ovpn enums
+References: bsc#1239783
+Git-repo: https://github.com/OpenVPN/openvpn.git
+Git-commit: 1d3c2b67a73a0aa011c13e62f876d24e49d41df0
+Patch-mainline: 2.7
+
+Starting with Linux kernel version 6.16, a couple of ovpn-related enum
+definitions were introduced in the `include/uapi/linux/if_link.h`
+header. Redefining them in openvpn when they are already present in the
+system headers can lead to conflicts or build issues.
+
+This commit ensures that enum redefinitions are avoided by conditionally
+using the existing definitions from the system header when available.
+
+Change-Id: I4fa2d578f9c0a5a8aa24ca1d396102ef2ed9a425
+Signed-off-by: Ralf Lici <ralf@mandelbit.com>
+Message-Id: <20250623140748.13960-1-gert@greenie.muc.de>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31961.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ src/openvpn/dco_linux.h | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h
+index 273a6ada1291..4e441ec77490 100644
+--- a/src/openvpn/dco_linux.h
++++ b/src/openvpn/dco_linux.h
+@@ -40,6 +40,8 @@ typedef enum ovpn_cipher_alg dco_cipher_t;
+ 
+ /* OVPN section */
+ 
++#ifndef IFLA_OVPN_MAX
++
+ enum ovpn_mode {
+     OVPN_MODE_P2P,
+     OVPN_MODE_MP,
+@@ -49,10 +51,13 @@ enum ovpn_ifla_attrs {
+     IFLA_OVPN_UNSPEC = 0,
+     IFLA_OVPN_MODE,
+ 
+-    __IFLA_OVPN_AFTER_LAST,
+-    IFLA_OVPN_MAX = __IFLA_OVPN_AFTER_LAST - 1,
++    __IFLA_OVPN_MAX,
+ };
+ 
++#define IFLA_OVPN_MAX (__IFLA_OVPN_MAX - 1)
++
++#endif /* ifndef IFLA_OVPN_MAX */
++
+ typedef struct
+ {
+     struct nl_sock *nl_sock;
+-- 
+2.50.1
+

0001-dco_linux-avoid-bogus-text-when-netlink-message-is-n.patch

@@ -0,0 +1,53 @@
+From: Antonio Quartulli <antonio@mandelbit.com>
+Date: Fri, 23 May 2025 09:38:41 +0200
+Subject: dco_linux: avoid bogus text when netlink message is not parsed
+References: bsc#1239783
+Git-repo: https://github.com/OpenVPN/openvpn.git
+Git-commit: 4a48841da2d4179a96348994f841661ec9e5ce1d
+Patch-mainline: v2.7.0
+
+We may bail out parsing an incoming DCO message because it may
+concern a different interface.
+In that case we print the following debug messages:
+
+    dco_do_read
+    ovpn-dco: ignoring message (type=5) for foreign ifindex 313
+    process_incoming_dco: received message of type 0 - ignoring
+
+However, the last message is confusing, because there is no message
+of type 0 being received, but the message_type was simply not
+initialized.
+
+Bail out parsing earlier and avoid printing any bogus text.
+
+Change-Id: I568faa12a5960e8b69de23c2df413b70b231592c
+Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <20250523073848.20848-1-gert@greenie.muc.de>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31763.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ src/openvpn/forward.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
+index 022afdb929a3..a83b2582e7ac 100644
+--- a/src/openvpn/forward.c
++++ b/src/openvpn/forward.c
+@@ -1251,6 +1251,12 @@ process_incoming_dco(struct context *c)
+ 
+     dco_do_read(dco);
+ 
++    /* no message for us to handle - platform specific code has logged details */
++    if (dco->dco_message_type == 0)
++    {
++        return;
++    }
++
+     /* FreeBSD currently sends us removal notifcation with the old peer-id in
+      * p2p mode with the ping timeout reason, so ignore that one to not shoot
+      * ourselves in the foot and removing the just established session */
+-- 
+2.49.0
+

0001-dco_linux-extend-netlink-error-cb-with-extra-info.patch

@@ -0,0 +1,100 @@
+From: Antonio Quartulli <antonio@mandelbit.com>
+Date: Tue, 28 Jan 2025 14:44:54 +0100
+Subject: dco_linux: extend netlink error cb with extra info
+References: bsc#1239783
+Git-repo: https://github.com/OpenVPN/openvpn.git
+Git-commit: edad5fa42bff2f291d7d416ccb90f4e7cd5b3f39
+Patch-mainline: v2.7
+
+A netlink error may contain more specific attributes: i.e.
+missing attributes or missing neted objects.
+
+Parse and print this information too.
+
+Note that we are re-defining some enum entries that exist
+in netlink.h starting with linux-6.1.
+Since we do support distros not shipping an up-to-date
+netlink.h, we had to re-define the entries we need for
+this patch.
+
+Change-Id: I9e27ff335d892429334137d028f8503da4e4ca5b
+Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
+Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
+Message-Id: <20250128134454.2888-1-gert@greenie.muc.de>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30658.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ src/openvpn/dco_linux.c | 35 +++++++++++++++++++++++++++++++++--
+ 1 file changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
+index b03838281a33..fa7abd3fa3c4 100644
+--- a/src/openvpn/dco_linux.c
++++ b/src/openvpn/dco_linux.c
+@@ -291,6 +291,25 @@ ovpn_nl_cb_finish(struct nl_msg (*msg) __attribute__ ((unused)), void *arg)
+     return NL_SKIP;
+ }
+ 
++/* The following enum members exist in netlink.h since linux-6.1.
++ * However, some distro we support still ship an old header, thus
++ * failing the OpenVPN compilation.
++ *
++ * For the time being we add the needed defines manually.
++ * We will drop this definition once we stop supporting those old
++ * distros.
++ *
++ * @NLMSGERR_ATTR_MISS_TYPE: type of a missing required attribute,
++ *  %NLMSGERR_ATTR_MISS_NEST will not be present if the attribute was
++ *  missing at the message level
++ * @NLMSGERR_ATTR_MISS_NEST: offset of the nest where attribute was missing
++ */
++enum ovpn_nlmsgerr_attrs {
++    OVPN_NLMSGERR_ATTR_MISS_TYPE = 5,
++    OVPN_NLMSGERR_ATTR_MISS_NEST = 6,
++    OVPN_NLMSGERR_ATTR_MAX = 6,
++};
++
+ /* This function is used as error callback on the netlink socket.
+  * When something goes wrong and the kernel returns an error, this function is
+  * invoked.
+@@ -304,7 +323,7 @@ ovpn_nl_cb_error(struct sockaddr_nl (*nla) __attribute__ ((unused)),
+                  struct nlmsgerr *err, void *arg)
+ {
+     struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1;
+-    struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1];
++    struct nlattr *tb_msg[OVPN_NLMSGERR_ATTR_MAX + 1];
+     int len = nlh->nlmsg_len;
+     struct nlattr *attrs;
+     int *ret = arg;
+@@ -330,7 +349,7 @@ ovpn_nl_cb_error(struct sockaddr_nl (*nla) __attribute__ ((unused)),
+     attrs = (void *)((unsigned char *)nlh + ack_len);
+     len -= ack_len;
+ 
+-    nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL);
++    nla_parse(tb_msg, OVPN_NLMSGERR_ATTR_MAX, attrs, len, NULL);
+     if (tb_msg[NLMSGERR_ATTR_MSG])
+     {
+         len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]),
+@@ -339,6 +358,18 @@ ovpn_nl_cb_error(struct sockaddr_nl (*nla) __attribute__ ((unused)),
+             (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]));
+     }
+ 
++    if (tb_msg[OVPN_NLMSGERR_ATTR_MISS_NEST])
++    {
++        msg(M_WARN, "kernel error: missing required nesting type %u\n",
++            nla_get_u32(tb_msg[OVPN_NLMSGERR_ATTR_MISS_NEST]));
++    }
++
++    if (tb_msg[OVPN_NLMSGERR_ATTR_MISS_TYPE])
++    {
++        msg(M_WARN, "kernel error: missing required attribute type %u\n",
++            nla_get_u32(tb_msg[OVPN_NLMSGERR_ATTR_MISS_TYPE]));
++    }
++
+     return NL_STOP;
+ }
+ 
+-- 
+2.49.0
+

0001-dco_linux-fix-peer-stats-parsing-with-new-ovpn-kerne.patch

@@ -0,0 +1,124 @@
+From: Antonio Quartulli <antonio@mandelbit.com>
+Date: Sat, 17 May 2025 10:32:23 +0200
+Subject: dco_linux: fix peer stats parsing with new ovpn kernel module
+References: bsc#1239783
+Git-repo: https://github.com/OpenVPN/openvpn.git
+Git-commit: 6c33e3761ecb476d047bc14e7948ffddba800915
+Patch-mainline: v2.7.0
+
+The new ovpn kernel module has changed the netlink attribute
+type of the fields containing the pkt/bytes counters in the
+peer stats.
+
+We moved from uint64 to uint (a dynamic type can be either
+32 or 64 bits), therefore the parsing code must be adapted
+accordingly.
+
+While at it, also fix the peer object parsing in the P2P code path.
+
+The fix can be verified by enabling --status with verb 6 and
+watching the counters increasing:
+
+	2025-05-16 22:23:56 us=649488 dco_get_peer_stats_multi
+	2025-05-16 22:23:56 us=651008 dco_parse_peer_multi: parsing message...
+	2025-05-16 22:23:56 us=651734 dco_update_peer_stat / dco_read_bytes: 116280
+	2025-05-16 22:23:56 us=652682 dco_update_peer_stat / dco_write_bytes: 115776
+	2025-05-16 22:23:56 us=653467 dco_update_peer_stat / tun_read_bytes: 90048
+	2025-05-16 22:23:56 us=654110 dco_update_peer_stat / tun_write_bytes: 90048
+
+Change-Id: I104b4adeb9f65cce3487b82f35470174acba92bc
+Github: closes OpenVPN/openvpn#746
+Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <20250517083231.27977-1-gert@greenie.muc.de>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31666.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ src/openvpn/dco_linux.c |   31 +++++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+--- a/src/openvpn/dco_linux.c
++++ b/src/openvpn/dco_linux.c
+@@ -908,12 +908,26 @@ dco_do_read(dco_context_t *dco)
+     return ovpn_nl_recvmsgs(dco, __func__);
+ }
+ 
++/* libnl < 3.11.0 does not implement nla_get_uint() */
++static uint64_t
++ovpn_nla_get_uint(struct nlattr *attr)
++{
++    if (nla_len(attr) == sizeof(uint32_t))
++    {
++        return nla_get_u32(attr);
++    }
++    else
++    {
++        return nla_get_u64(attr);
++    }
++}
++
+ static void
+ dco_update_peer_stat(struct context_2 *c2, struct nlattr *tb[], uint32_t id)
+ {
+     if (tb[OVPN_A_PEER_LINK_RX_BYTES])
+     {
+-        c2->dco_read_bytes = nla_get_u64(tb[OVPN_A_PEER_LINK_RX_BYTES]);
++        c2->dco_read_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_LINK_RX_BYTES]);
+         msg(D_DCO_DEBUG, "%s / dco_read_bytes: " counter_format, __func__,
+             c2->dco_read_bytes);
+     }
+@@ -925,7 +939,7 @@ dco_update_peer_stat(struct context_2 *c
+ 
+     if (tb[OVPN_A_PEER_LINK_TX_BYTES])
+     {
+-        c2->dco_write_bytes = nla_get_u64(tb[OVPN_A_PEER_LINK_TX_BYTES]);
++        c2->dco_write_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_LINK_TX_BYTES]);
+         msg(D_DCO_DEBUG, "%s / dco_write_bytes: " counter_format, __func__,
+             c2->dco_write_bytes);
+     }
+@@ -937,7 +951,7 @@ dco_update_peer_stat(struct context_2 *c
+ 
+     if (tb[OVPN_A_PEER_VPN_RX_BYTES])
+     {
+-        c2->tun_read_bytes = nla_get_u64(tb[OVPN_A_PEER_VPN_RX_BYTES]);
++        c2->tun_read_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_VPN_RX_BYTES]);
+         msg(D_DCO_DEBUG, "%s / tun_read_bytes: " counter_format, __func__,
+             c2->tun_read_bytes);
+     }
+@@ -949,7 +963,7 @@ dco_update_peer_stat(struct context_2 *c
+ 
+     if (tb[OVPN_A_PEER_VPN_TX_BYTES])
+     {
+-        c2->tun_write_bytes = nla_get_u64(tb[OVPN_A_PEER_VPN_TX_BYTES]);
++        c2->tun_write_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_VPN_TX_BYTES]);
+         msg(D_DCO_DEBUG, "%s / tun_write_bytes: " counter_format, __func__,
+             c2->tun_write_bytes);
+     }
+@@ -1028,12 +1042,12 @@ static int
+ dco_parse_peer(struct nl_msg *msg, void *arg)
+ {
+     struct context *c = arg;
+-    struct nlattr *tb[OVPN_A_MAX];
++    struct nlattr *tb[OVPN_A_MAX + 1];
+     struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
+ 
+     msg(D_DCO_DEBUG, "%s: parsing message...", __func__);
+ 
+-    nla_parse(tb, OVPN_A_PEER_MAX, genlmsg_attrdata(gnlh, 0),
++    nla_parse(tb, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
+               genlmsg_attrlen(gnlh, 0), NULL);
+ 
+     if (!tb[OVPN_A_PEER])
+@@ -1043,10 +1057,7 @@ dco_parse_peer(struct nl_msg *msg, void
+     }
+ 
+     struct nlattr *tb_peer[OVPN_A_PEER_MAX + 1];
+-
+-    nla_parse(tb_peer, OVPN_A_PEER,
+-              nla_data(tb[OVPN_A_PEER]),
+-              nla_len(tb[OVPN_A_PEER]), NULL);
++    nla_parse_nested(tb_peer, OVPN_A_PEER_MAX, tb[OVPN_A_PEER], NULL);
+ 
+     if (!tb_peer[OVPN_A_PEER_ID])
+     {

openvpn-2.3-plugin-man.dif

@@ -1,7 +1,7 @@
 Index: doc/openvpn.8
 ===================================================================
---- doc/openvpn.8.orig
+--- a/doc/openvpn.8.orig
-+++ doc/openvpn.8
++++ b/doc/openvpn.8
 @@ -6690,9 +6690,9 @@ For more information and examples on how
  modules, see the README file in the \fBplugin\fP folder of the OpenVPN
  source distribution.

openvpn-2.6.10.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEvlj1OdBZuAYxwSlKQdIJZcLoLccFAmX6sakACgkQQdIJZcLo
-LcemTxAA5fwUDLHWQjE9Mf86NZbRup6aSo5S751pou/bcVYWQVbYqjFJIgdJEY7r
-HS4cKlOmJ74S5SqALwqmD4lqUP1LfGocvHUR1ACXppm/rtebWa3upRRI3/svBhp2
-6IqQjW0gkiDib56mKn2RFkyLkUiWpBOW15gqe/NgRjoVlIaCCQuvZhii8fAHMHzS
-HeJrTmdmbINTyVr6Ag4hZS+rKivVXR3j8z2YTuTwH1NPmCuclyoODRSv7rL3A1tU
-wiol0go/aLaDXx1EEnGtHrPtWjA6Gti1pDbteQBKn4Q9v2svuhFncyeux0R9a2Jk
-FLWXLZGI5JOQOTvuIrRnGBuUCpbhJalHQHtgKgNzhIqfToHfIYgc+2gQYSh4pDYi
-rZVMdws9lNqWctSLAeyCyojpYGiL3YU4tnORGzsqypszzznk/JtlkTb6rjGxrh3w
-Ejg5rE7cwgNstGqEaHihJaHG7mnnazZ9US3J1DFcg9NgpDD2Y7Gate6E2GEtmSFg
-BoLUK1tRRl9GayEc8mKN+ThzcW9U1YOzMdZTIRQX9ToaqHdMdpeOGV1+dwYqMT+e
-dYrmEO1COqvfp5Qxk+Q+fFBvUluMM7PQ1w0ncyTRn7jdlxdDu4XB9CfBP5fvXvwl
-teabifAm0iglOeCEYdUWtgYSkvebu1FaIhh1w3I1uQwrKOF7ZXM=
-=6sO3
------END PGP SIGNATURE-----

openvpn-2.6.14.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEV+lQSddqo5p0Q5YDUzpoYFKfI8UFAmftKAQACgkQUzpoYFKf
+I8U6jBAAkE9eRWgXki+826vZtyGNR1WgFrtX6dd3mBd9A9fv+ygWRkuNhDo3OHYj
+XGHcgAYjNI+ueOgS0UlVnJE+1P8YCcqNjhakyWO2XhwJwAIydgsMjDrSkefwY4zC
+k1OqGK+DAueaAMISFh91MON1HSOAfa4zPB2PvqZ1u5uIFHL+f4Hh2hHj74YV7X+I
+rr7jED5XGjvWy2H60JEeZlpNj+jzydz2yWvoZCab4Ae71CDE5GU2q2qt+HsQpdlo
+7tzlic97X9pqXN540MDb2pZoxmt+8uTtZn9UOAJ02IbjZRaNf2hmpgfJd6Xh1Wke
+m9loEuhjjVDZfO78Tx9a9uLloEQgxYmhftunc7gZbXcBhCrgtrhPNawff7XIA2Qw
+fVmJxJejaSG9YL0ecVI4Ef2GY5yxB11gOVIjQMuNLeBRsvd7r3n/Mn0J+3qtobyT
+Wr1A4auv+HpeCRwias+OeMmYezCjTsrkq3VLy85r7+KW5kb82b4IjEZkRqJhVxbn
+KXvHNhUBNnZ8SfYp5Fb1r+458bZ5nBG/KXexqS0Twe+VQGe70x/p/FarfrBP+NVe
+0DXA9RpPY0RQscmqWJK1EZhD3YOtZ8x0RUnRkQKH74JIxElxdUcmKR0kwJcdj0aq
+HFit6eAlRzhZukmEa9A0TshBcrNlmQ3BjPg8diIrYB60f5ZW9g8=
+=qqV2
+-----END PGP SIGNATURE-----

openvpn.changes

@@ -1,3 +1,92 @@
+-------------------------------------------------------------------
+Wed Aug  6 10:49:15 UTC 2025 - Jiri Slaby <jslaby@suse.cz>
+
+- add (bsc#1239783) -- fix build against 6.16
+  * 0001-dco-linux-avoid-redefining-ovpn-enums.patch
+
+-------------------------------------------------------------------
+Fri May 30 07:03:28 UTC 2025 - Jiri Slaby <jslaby@suse.cz>
+
+- Don't recommend ovpn-dco-kmp if it is in the kernel already (newer and
+  safer version):
+  https://build.opensuse.org/requests/1255536
+- add (bsc#1239783)
+  * 0001-dco-better-naming-for-function-parameters.patch
+  * 0001-dco_linux-extend-netlink-error-cb-with-extra-info.patch
+  * 0001-Handle-missing-DCO-peer-by-restarting-the-session.patch
+  * 0001-dco_linux-Introduce-new-uAPIs.patch
+  * 0001-Implement-ovpn-version-detection.patch
+  * 0001-dco_linux-fix-peer-stats-parsing-with-new-ovpn-kerne.patch
+  * 0001-dco_linux-avoid-bogus-text-when-netlink-message-is-n.patch
+
+-------------------------------------------------------------------
+Fri Apr  4 20:24:19 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 2.6.14:
+  * CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
+  * Linux DCO: repair source IP selection for --multihome
+- update to 2.6.13:
+  * on non-windows clients (MacOS, Linux, Unix) send "release" string from
+    uname() call as IV_PLAT_VER to server
+  * Linux: pass --timeout=0 argument to systemd-ask-password, to avoid default
+    timeout of 90 seconds
+  * improve server-side handling of clients sending usernames or passwords
+    longer than USER_PASS_LEN
+  * purge proxy authentication credentials from memory after use
+- update to 2.6.12:
+  * the fix for CVE-2024-5594 (refuse control channel messages with
+    nonprintable characters) was too strict, breaking user configurations
+  * Http-proxy: fix bug preventing proxy credentials caching
+- update to 2.6.11:
+  * CVE-2024-5594: control channel: refuse control channel messages with
+    nonprintable characters in them. Security scope: a malicious openvpn
+    peer can send garbage to openvpn log, or cause high CPU load.
+  * CVE-2024-28882: only call schedule_exit() once (on a given peer).
+    Security scope: an authenticated client can make the server "keep the
+    session" even when the server has been told to disconnect this client
+  * Fix connect timeout when using SOCKS proxies
+  * Add bracket in fingerprint message and do not warn about missing
+    verification
+  * Remove "experimental" denotation for --fast-io
+  * Correctly document ifconfig_* variables passed to scripts
+  * Documentation: make section levels consistent
+  * Samples: Update sample configurations (remove compression & old cipher
+    settings, add more informative comments)
+- update keyring, as the old one doesn't verify anymore (and attach an url)
+- remove openvpn-CVE-2024-28882.patch and openvpn-CVE-2024-5594.patch, as
+  the latest version include fixes for the CVEs
+
+-------------------------------------------------------------------
+Wed Jan 22 16:35:27 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Drop rcFOO symlinks for CODE16 (PED-266).
+
+-------------------------------------------------------------------
+Wed Jan 22 08:55:44 UTC 2025 - Rahul Jain <rahul.jain@suse.com>
+
+- FIX:VUL-0 CVE-2024-5594: openvpn: properly handle null bytes and 
+  invalid characters in control messages(bsc#1235147 CVE-2024-5594)
+  Patchname:openvpn-CVE-2024-5594.patch
+
+-------------------------------------------------------------------
+Fri Dec 20 08:13:18 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- Set %_buildshell because of bashisms in build recipe
+- Replace over-the-top `find -exec rm` by just -delete
+
+-------------------------------------------------------------------
+Thu Oct 10 08:13:54 UTC 2024 - Rahul Jain <rahul.jain@suse.com>
+
+- Fix multiple exit notifications from authenticated clients will
+  extend the validity of a closing session (bsc#1227546 CVE-2024-28882)
+  Patchname:openvpn-CVE-2024-28882.patch
+
+-------------------------------------------------------------------
+Thu May 16 06:42:54 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Enable Data-Channel-Offloading (DCO) for better performance (jsc#PED-8305)
+  if libnl >= 3.4 is available
+
 -------------------------------------------------------------------
 Thu Mar 21 08:33:45 UTC 2024 - Mohd Saquib <mohd.saquib@suse.com>
 

openvpn.spec

@@ -1,7 +1,8 @@
 #
 # spec file for package openvpn
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,11 +17,12 @@
 #
 
 
+%define _buildshell /bin/bash
 %if ! %{defined _rundir}
 %define _rundir %{_localstatedir}/run
 %endif
 Name:           openvpn
-Version:        2.6.10
+Version:        2.6.14
 Release:        0
 Summary:        Full-featured SSL VPN solution using a TUN/TAP Interface
 License:        GPL-2.0-only WITH openvpn-openssl-exception
@@ -31,12 +33,20 @@ Source1:        https://swupdate.openvpn.org/community/releases/openvpn-%{versio
 Source3:        %{name}.README.SUSE
 Source4:        client-netconfig.up
 Source5:        client-netconfig.down
-Source7:        %{name}.keyring
+Source7:        https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xf554a3687412cffebdefe0a312f5f7b42f2b01e7#/%{name}.keyring
 Source8:        %{name}.service
 Source9:        %{name}.target
 Source10:       %{name}-tmpfile.conf
 Source11:       rc%{name}
 Patch1:         %{name}-2.3-plugin-man.dif
+Patch2:         0001-dco-better-naming-for-function-parameters.patch
+Patch3:         0001-dco_linux-extend-netlink-error-cb-with-extra-info.patch
+Patch4:         0001-Handle-missing-DCO-peer-by-restarting-the-session.patch
+Patch5:         0001-dco_linux-Introduce-new-uAPIs.patch
+Patch6:         0001-Implement-ovpn-version-detection.patch
+Patch7:         0001-dco_linux-fix-peer-stats-parsing-with-new-ovpn-kerne.patch
+Patch8:         0001-dco_linux-avoid-bogus-text-when-netlink-message-is-n.patch
+Patch9:         0001-dco-linux-avoid-redefining-ovpn-enums.patch
 BuildRequires:  iproute2
 BuildRequires:  libcap-ng-devel
 BuildRequires:  liblz4-devel
@@ -49,10 +59,13 @@ BuildRequires:  pam-devel
 BuildRequires:  pkcs11-helper-devel >= 1.11
 BuildRequires:  pkgconfig
 BuildRequires:  xz
+BuildRequires:  pkgconfig(libnl-genl-3.0)
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(systemd)
 Requires:       iproute2
 Requires:       pkcs11-helper >= 1.11
+# the former is KMP (for older distros), the latter is kernel-default
+Recommends:     (kmod(ovpn_dco_v2.ko) or kmod(ovpn.ko))
 %systemd_ordering
 
 %description
@@ -116,7 +129,7 @@ Requires:       %{name} = %{version}
 This package provides the header file to build external plugins.
 
 %prep
-%autosetup -p0
+%autosetup -p1
 
 sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
     -i src/openvpn/options.c
@@ -135,8 +148,14 @@ export LDFLAGS
 # usrmerge
 export IPROUTE="%{_sbindir}/ip"
 %endif
+libnlversion=$(rpm -q --qf "%%{version}" libnl3-devel)
+if [[ $libnlversion == 3.[0-3].* ]] ; then
+  confopt=--enable-iproute2
+else
+  confopt=--enable-dco
+fi
 %configure \
-	--enable-iproute2		\
+	$confopt			\
 	--enable-x509-alt-username	\
 	--enable-pkcs11			\
 	--enable-systemd		\
@@ -149,7 +168,7 @@ export IPROUTE="%{_sbindir}/ip"
 
 %install
 %make_install
-find %{buildroot} -type f -name "*.la" -print -exec rm -f {} +
+find %{buildroot} -type f -name "*.la" -print -delete
 mkdir -p %{buildroot}/%{_sysconfdir}/openvpn
 mkdir -p %{buildroot}/%{_rundir}/openvpn
 mkdir -p %{buildroot}/%{_datadir}/openvpn
@@ -159,7 +178,9 @@ rm %{buildroot}%{_libdir}/systemd/system/openvpn-server@.service
 rm %{buildroot}%{_libdir}/tmpfiles.d/openvpn.conf
 install -D -m 644 %{name}.service %{buildroot}/%{_unitdir}/%{name}@.service
 install -D -m 644 %{SOURCE9} %{buildroot}/%{_unitdir}/%{name}.target
+%if 0%{?suse_version} < 1600
 install -D -m 755 %{SOURCE11} %{buildroot}%{_sbindir}/rc%{name}
+%endif
 # tmpfiles.d
 mkdir -p %{buildroot}%{_tmpfilesdir}
 install -m 0644 %{SOURCE10} %{buildroot}%{_tmpfilesdir}/%{name}.conf
@@ -169,7 +190,7 @@ install -m 755 %{SOURCE5} sample/sample-scripts/client-netconfig.down
 
 # we install docs via spec into _defaultdocdir/name/management-notes.txt
 rm -rf %{buildroot}%{_datadir}/doc/{OpenVPN,%{name}}
-find sample -name .gitignore -exec rm -f {} +
+find sample -name .gitignore -delete
 
 %pre
 %service_add_pre %{name}.target
@@ -202,7 +223,9 @@ find sample -name .gitignore -exec rm -f {} +
 %{_unitdir}/%{name}.target
 %{_tmpfilesdir}/%{name}.conf
 %dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/
+%if 0%{?suse_version} < 1600
 %{_sbindir}/rcopenvpn
+%endif
 %{_sbindir}/openvpn
 
 %files down-root-plugin