Created attachment 156792 [details] option + patch as flat diff against head via: https://code.google.com/p/tunnelblick/wiki/cOpenvpn_xorpatch
Created attachment 157330 [details] option + patch as git diff
Created attachment 157331 [details] portlint output
Created attachment 157332 [details] poudriere build log
Comment on attachment 157330 [details] option + patch as git diff
This is hard to judge for me without further context. What is the patch supposed to do?
The history and controversy of the patch are explained in detail on the following wiki page: https://code.google.com/p/tunnelblick/wiki/cOpenvpn_xorpatch The patch obfuscates the OpenVPN header to make it harder for layer 7 inspection to identify such traffic, which may come with blocking or recording actions in certain territories of the world. This patch, in a nutshell, increases privacy and range of communication for some users. The patch made its way into OPNsense's ports; I am providing this PR in order to enable FreeBSD to pull in an off-by-default option of this patch. Thanks, Franco
Any new thoughts on this?
What does upstream say? If at all, this could be an experimental patch, disabled by default.
Citing the wiki page provided says upstream won't have this, but multiple OpenVPN clients including Tunnelblick have this patch included. It is *not* a default option. I can mark it as experimental if you want.
I would suggest adding at least a comment above the TXP_EXTRA_PATCHES line providing references/URLs to the Tunnelblick wiki. That way there is information that users can use to make an informed decision. Franco, if you could update your patch accordingly that would be great. Resetting timeout for MAINTAINER feedback.
Franco, can you add a note with URL references to the Tunnelblick Wiki to the patch?
Matthias, sure thing. Where do you want the note to appear exactly?
Franco, please see comment #9 by Kubilay Kocak.
Ah, got it, thanks. Patch tonight. :)
Created attachment 162012 [details] option + annotated patch as git diff
Annotated the patch with a description and the latest wiki URL. Reworded it slightly to make sure that this remains opt-in even when compiled into OpenVPN. :)
@franco, no further testing required for the updated version?
We've shipped this particular version in OPNsense in August: https://forum.opnsense.org/index.php?topic=1247 I don't know of any problems. https://forum.opnsense.org/index.php?topic=398.0 Cheers mate :)
Created attachment 162270 [details] option + annotated patch as git diff
New diff to adapt to current HEAD
Comment on attachment 162270 [details] option + annotated patch as git diff
Thanks Franco!
Anything missing here? Please let me know. :)
A commit references this bug:

Author: mandree
Date: Fri Nov 20 18:41:16 UTC 2015
New revision: 402095
URL: https://svnweb.freebsd.org/changeset/ports/402095

Log:
  Add optional extra patch for Tunnelblick obfuscation.

  Adds a --scramble method to the executable but not documentation.
  Requires careful review of implications before enabling, and has not been accepted upstream.

  https://tunnelblick.net/cOpenvpn_xorpatch.html

  PR: 200215
  Submitted by: Franco Fichtner

Changes:
  head/security/openvpn/Makefile
  head/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch
  head/security/openvpn/pkg-help
Thank you, Matthias! Closing ticket. :)