diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
index b2875639ce3e..8a202bca6b9a 100644
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@@ -2,8 +2,7 @@
 # $FreeBSD$
 PORTNAME= ocserv
-PORTVERSION= 0.12.4
-PORTREVISION= 2
+PORTVERSION= 1.0.0
 CATEGORIES= net net-vpn security
 MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
@@ -54,11 +53,12 @@ RADIUS_LIB_DEPENDS= libradcli.so:net/radcli
 RADIUS_CONFIGURE_OFF= --without-radius
 post-patch:
- @${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${LOCALBASE}/bin/ocserv-fw|g' \
+ @${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \
 ${WRKSRC}/src/main-user.c \
 ${WRKSRC}/doc/sample.config
- @${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${LOCALBASE}/bin/ocserv\\-fw|g' \
+ @${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
 ${WRKSRC}/doc/ocserv.8
+ @${REINPLACE_CMD} 's|%%PREFIX%%|${PREFIX}|g' ${WRKSRC}/src/config.c
 post-install:
 @${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv
diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo
index c14282c66ad5..c33db00e7d0d 100644
--- a/net/ocserv/distinfo
+++ b/net/ocserv/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1562531995
-SHA256 (ocserv-0.12.4.tar.xz) = 05c01effa8a7c2f022616fcb62bade4df51aa7f0035248671da12819d62cb185
-SIZE (ocserv-0.12.4.tar.xz) = 763540
+TIMESTAMP = 1585072635
+SHA256 (ocserv-1.0.0.tar.xz) = 17440e78aadc800836824adb17088534740ebdce3e0cbd3a615fdbbd326b9e91
+SIZE (ocserv-1.0.0.tar.xz) = 785020
diff --git a/net/ocserv/files/ocserv.conf b/net/ocserv/files/ocserv.conf
index cf0f1eebd140..490a6a81c9c4 100644
--- a/net/ocserv/files/ocserv.conf
+++ b/net/ocserv/files/ocserv.conf
@@ -26,7 +26,7 @@ # One entry must be listed per line, and 'ocpasswd' should be used # to generate password entries. The 'otp' suboption allows one to specify # an oath password file to be used for one time passwords; the format of -# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile +# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile # # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: # The radius option requires specifying freeradius-client configuration @@ -77,6 +77,10 @@ auth = "plain[passwd=./sample.passwd]" # hostname. #listen-host = [IP|HOSTNAME] +# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided +# hostname. if not set, listen-host will be used +#udp-listen-host = [IP|HOSTNAME] + # When the server has a dynamic DNS address (that may change), # should set that to true to ask the client to resolve again on # reconnects. @@ -172,6 +176,16 @@ ca-cert = ../tests/certs/ca.pem ### failures during the reloading time. +# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of +# system calls allowed to a worker process, in order to reduce damage from a +# bug in the worker process. It is available on Linux systems at a performance cost. +# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). +# Note however, that process isolation is restricted to the specific libc versions +# the isolation was tested at. If you get random failures on worker processes, try +# disabling that option and report the failures you, along with system and debugging +# information at: https://gitlab.com/ocserv/ocserv/issues +isolate-workers = true + # A banner to be displayed on clients #banner = "Welcome" 
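Review bot: The shipped sample now sets `isolate-workers = true` in the hunk at @@ -172, while the comment block added with it describes the feature as seccomp/Linux-namespace based and "available on Linux systems", so an operator reading this file on FreeBSD may assume worker sandboxing is in force when presumably it is not. How ocserv 1.0.0 handles the option on a platform without seccomp (ignored with a warning, or refused at startup) is not visible here and should be confirmed against src/config.c before the file is committed as-is. Suggest either shipping the line commented out, or keeping the upstream text and prefixing it with a port-specific line such as `# NOTE: seccomp-based worker isolation is a Linux feature; on FreeBSD this option is expected to have no effect — check the daemon's startup log.` The udp-listen-host and URL hunks earlier in this file raise nothing.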
@@ -391,7 +405,8 @@ rekey-method = ssl
 # client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
 # will contain a space separated list of routes or DNS servers. A version
 # of these variables with the 4 or 6 suffix will contain only the IPv4 or
-# IPv6 values.
+# IPv6 values. The connect script must return zero as exit code, or the
+# client connection will be refused.
 # The disconnect script will receive the additional values: STATS_BYTES_IN,
 # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
@@ -566,7 +581,7 @@ no-route = 192.168.5.0/255.255.255.0
 # keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
 # restrict-user-to-routes, user-profile, cgroup, stats-report-time,
 # mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
-# and session-timeout.
+# split-dns and session-timeout.
 #
 # Note that the 'iroute' option allows one to add routes on the server
 # based on a user or group. The syntax depends on the input accepted
diff --git a/net/ocserv/files/patch-src_config.c b/net/ocserv/files/patch-src_config.c
index 46cdb1798c5b..437e31de7504 100644
--- a/net/ocserv/files/patch-src_config.c
+++ b/net/ocserv/files/patch-src_config.c
@@ -5,7 +5,7 @@
 #define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"
 -#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf"
-+#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf"
++#define DEFAULT_CFG_FILE "%%PREFIX%%/etc/ocserv/conf"
 static void print_version(void);
diff --git a/net/ocserv/files/patch-src_main-ban.c b/net/ocserv/files/patch-src_main-ban.c
new file mode 100644
index 000000000000..1018d8b381a5
--- /dev/null
+++ b/net/ocserv/files/patch-src_main-ban.c
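Review bot: The new default `%%PREFIX%%/etc/ocserv/conf` in patch-src_config.c names a file called `conf`, while the sample this port carries is `files/ocserv.conf`; if the port installs it as `etc/ocserv/ocserv.conf` (post-install in the Makefile only shows the directory being created, so this is inferred), the compiled-in default will never match and the daemon would presumably fall through to `OLD_DEFAULT_CFG_FILE`, `/etc/ocserv.conf`, a path outside PREFIX that the package does not manage. Whether config.c actually falls back to the old path is not visible in this hunk, so confirm that before deciding whether the default should read `%%PREFIX%%/etc/ocserv/ocserv.conf`. The `%%PREFIX%%` token is a literal C string until post-patch rewrites it, so a header line in the patch file such as `The %%PREFIX%% placeholder is substituted by REINPLACE_CMD in the port Makefile's post-patch target.` would spare the next maintainer a false alarm. The two comment-only hunks in ocserv.conf on this line raise nothing.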
@@ -0,0 +1,19 @@
+Commit c1428689: ban log: only log once when adding, not when
+increasing score when already banned
+
+https://gitlab.com/openconnect/ocserv/-/commit/c142868909490e65acea22add83ff4e6237fb63a
+
+--- src/main-ban.c.orig 2020-03-24 20:04:58 UTC
++++ src/main-ban.c
+@@ -155,9 +155,9 @@ int add_ip_to_ban_list(main_server_st *s
+ * periodically polls the server */
+ if (e->score < GETCONFIG(s)->max_ban_score) {
+ e->expires = expiration;
+- print_msg = 0;
+- } else
+ print_msg = 1;
++ } else
++ print_msg = 0;
+
+ /* prevent overflow */
+ e->score = (e->score + score) > e->score ? (e->score + score) : (e->score);
diff --git a/net/ocserv/files/patch-src_tun.c b/net/ocserv/files/patch-src_tun.c
deleted file mode 100644
index 6fe5ed5e6246..000000000000
--- a/net/ocserv/files/patch-src_tun.c
+++ /dev/null
@@ -1,25 +0,0 @@
---- src/tun.c.orig 2018-04-14 07:52:35 UTC
-+++ src/tun.c
-@@ -895,3 +895,22 @@ ssize_t tun_read(int sockfd, void *buf, size_t len)
- return read(sockfd, buf, len);
- }
- #endif
-+
-+#ifndef __FreeBSD__
-+int tun_claim(int sockfd)
-+{
-+
-+ return (0);
-+}
-+#else
-+/*
-+ * FreeBSD has a mechanism by which a tunnel has a single controlling process,
-+ * and only that one process may close it. When the controlling process closes
-+ * the tunnel, the state is torn down.
-+ */
-+int tun_claim(int sockfd)
-+{
-+
-+ return (ioctl(sockfd, TUNSIFPID, 0));
-+}
-+#endif /* !__FreeBSD__ */
diff --git a/net/ocserv/files/patch-src_tun.h b/net/ocserv/files/patch-src_tun.h
deleted file mode 100644
index 0311177f3f78..000000000000
--- a/net/ocserv/files/patch-src_tun.h
+++ /dev/null
@@ -1,9 +0,0 @@
---- src/tun.h.orig 2018-01-13 18:43:41 UTC
-+++ src/tun.h
-@@ -35,5 +35,6 @@ struct tun_lease_st {
-
- ssize_t tun_write(int sockfd, const void *buf, size_t len);
- ssize_t tun_read(int sockfd, void *buf, size_t len);
-+int tun_claim(int sockfd);
-
- #endif
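Review bot: The header of patch-src_main-ban.c cites the upstream commit but not the condition for dropping the backport, which is the detail the next updater needs; a line after the URL such as `Drop this patch when updating to the first upstream release that contains the commit above.` would do. The inner hunk only swaps the two `print_msg` assignments, so after it a hit from an address whose score is already at or above `max_ban_score` takes the `else` branch and sets `print_msg = 0`, i.e. is no longer logged at this site; that presumably reduces log volume during a sustained attempt, but it also means any log-based alerting on repeated hits from banned addresses has to rely on whatever was logged when the entry was first added, and a sentence in the header saying this trade-off is intended would help whoever tunes detection on these logs. The enclosing function add_ip_to_ban_list starts and ends outside the quoted hunk.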
diff --git a/net/ocserv/files/patch-src_worker-auth.c b/net/ocserv/files/patch-src_worker-auth.c
deleted file mode 100644
index f7e01eeed392..000000000000
--- a/net/ocserv/files/patch-src_worker-auth.c
+++ /dev/null
@@ -1,14 +0,0 @@
---- src/worker-auth.c.orig 2019-01-19 18:47:47 UTC
-+++ src/worker-auth.c
-@@ -605,7 +605,10 @@ static int recv_cookie_auth_reply(worker_st * ws)
- case AUTH__REP__OK:
- if (socketfd != -1) {
- ws->tun_fd = socketfd;
--
-+ if (tun_claim(ws->tun_fd) != 0) {
-+ ret = ERR_AUTH_FAIL;
-+ goto cleanup;
-+ }
- if (msg->vname == NULL || msg->config == NULL || msg->user_name == NULL || msg->sid.len != sizeof(ws->sid)) {
- ret = ERR_AUTH_FAIL;
- goto cleanup;