proj/gentoo: Initial commit

This commit represents a new era for Gentoo:
Storing the gentoo-x86 tree in Git, as converted from CVS.

This commit is the start of the NEW history.
Any historical data is intended to be grafted onto this point.

Creation process:
1. Take final CVS checkout snapshot
2. Remove ALL ChangeLog* files
3. Transform all Manifests to thin
4. Remove empty Manifests
5. Convert all stale $Header$/$Id$ CVS keywords to non-expanded Git $Id$
5.1. Do not touch files with -kb/-ko keyword flags.

Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
X-Thanks: Alec Warner <antarus@gentoo.org> - did the GSoC 2006 migration tests
X-Thanks: Robin H. Johnson <robbat2@gentoo.org> - infra guy, herding this project
X-Thanks: Nguyen Thai Ngoc Duy <pclouds@gentoo.org> - Former Gentoo developer, wrote Git features for the migration
X-Thanks: Brian Harring <ferringb@gentoo.org> - wrote much python to improve cvs2svn
X-Thanks: Rich Freeman <rich0@gentoo.org> - validation scripts
X-Thanks: Patrick Lauer <patrick@gentoo.org> - Gentoo dev, running new 2014 work in migration
X-Thanks: Michał Górny <mgorny@gentoo.org> - scripts, QA, nagging
X-Thanks: All of other Gentoo developers - many ideas and lots of paint on the bikeshed

18 files changed, 1241 insertions, 0 deletions

diff --git a/net-misc/openvpn/Manifest b/net-misc/openvpn/Manifest
new file mode 100644
index 00000000000..64a2bbbc8dd
--- /dev/null
+++ b/net-misc/openvpn/Manifest
@@ -0,0 +1,3 @@
+DIST openvpn-2.3.6.tar.gz 1213272 SHA256 7baed2ff39c12e1a1a289ec0b46fcc49ff094ca58b8d8d5f29b36ac649ee5b26 SHA512 70e0045ea41f6588769ab8b98d8f550b69148adbf7fedcdc36900e25950df43379950492652e243ec6e7965bf9c7dcc86a56ba5dfdc44523aaa81cfc508b1c6e WHIRLPOOL 737f2d1d69ee1c7700d5cd5a4e7d5d1b2f55d8b2229f7c2565fcb8c731ebb719ec8d6bad3b76f763f36e5c70c6e40a666db3508f3024f8e4637c0659061dba48
+DIST openvpn-2.3.7.tar.gz 1199706 SHA256 1f02a4cd6aeb6250ca9311560875b10ce8957a3c9101a8005bd1e17e5b03146e SHA512 35030eb432568e954d7d9543565c3c7d1268ff323e1a2da81047c497f3eeb6f4061d9cfc360aa98fe7c413282ee6d0eb70957d6d4a38d928348c706f20cb66df WHIRLPOOL 31b1cbdde3db8060f81b4b3fdc604dd357ad413ad18fcb7dae07c6bb4939f92d02271e6ecb677b5f3d80e305676c769232e9d114c667b85fab45125be10f49a4
+DIST openvpn-2.3.8.tar.gz 1214843 SHA256 532435eff61c14b44a583f27b72f93e7864e96c95fe51134ec0ad4b1b1107c51 SHA512 b619283d87eea2e47a2f0dfdbf0ffd1d10388fbdaadb33b43c7a2743748a4814f869fad6215d32fab156664d554ae94af456e7bf496890c68e6729b153d76db9 WHIRLPOOL 4868c735ca5e65b34f477457ea38eb6db45fae80563490d1e39ece9bf29b13976dd82d50d054da70c4ee146cb2e88e847bafc3f7ff47112d4494fa0f408d65d0
diff --git a/net-misc/openvpn/files/2.3.6-disable-compression.patch b/net-misc/openvpn/files/2.3.6-disable-compression.patch
new file mode 100644
index 00000000000..d9d1c764e90
--- /dev/null
+++ b/net-misc/openvpn/files/2.3.6-disable-compression.patch
@@ -0,0 +1,18 @@
+https://community.openvpn.net/openvpn/changeset/5d5233778868ddd568140c394adfcfc8e3453245/
+
+--- openvpn-2.3.6/src/openvpn/ssl_openssl.c.orig	2014-11-29 23:00:35.000000000 +0800
++++ openvpn-2.3.6/src/openvpn/ssl_openssl.c	2015-01-12 21:14:30.186993686 +0800
+@@ -238,6 +238,13 @@
+     if (tls_ver_min > TLS_VER_1_2 || tls_ver_max < TLS_VER_1_2)
+       sslopt |= SSL_OP_NO_TLSv1_2;
+ #endif
++
++#ifdef SSL_OP_NO_COMPRESSION
++    msg (M_WARN, "[Workaround] disable SSL compression");
++    sslopt |= SSL_OP_NO_COMPRESSION;
++#endif
++
++
+     SSL_CTX_set_options (ctx->ctx, sslopt);
+   }
+ 
diff --git a/net-misc/openvpn/files/2.3.6-null-cipher.patch b/net-misc/openvpn/files/2.3.6-null-cipher.patch
new file mode 100644
index 00000000000..1e831cfa213
--- /dev/null
+++ b/net-misc/openvpn/files/2.3.6-null-cipher.patch
@@ -0,0 +1,46 @@
+The "really fix cipher none" patch has been merged to release/2.3 and master:
+
+commit 785838614afc20d362b64907b0212e9a779e2287 (release/2.3)
+commit 98156e90e1e83133a6a6a020db8e7333ada6156b (master)
+
+diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
+index 8749878..4e45df0 100644
+--- a/src/openvpn/crypto_backend.h
++++ b/src/openvpn/crypto_backend.h
+@@ -237,8 +237,7 @@ int cipher_kt_mode (const cipher_kt_t *cipher_kt);
+  *
+  * @return		true iff the cipher is a CBC mode cipher.
+  */
+-bool cipher_kt_mode_cbc(const cipher_kt_t *cipher)
+-  __attribute__((nonnull));
++bool cipher_kt_mode_cbc(const cipher_kt_t *cipher);
+ 
+ /**
+  * Check if the supplied cipher is a supported OFB or CFB mode cipher.
+@@ -247,8 +246,7 @@ bool cipher_kt_mode_cbc(const cipher_kt_t *cipher)
+  *
+  * @return		true iff the cipher is a OFB or CFB mode cipher.
+  */
+-bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
+-  __attribute__((nonnull));
++bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher);
+ 
+ 
+ /**
+diff --git a/tests/t_lpback.sh b/tests/t_lpback.sh
+index 8f88ad9..d7792cd 100755
+--- a/tests/t_lpback.sh
++++ b/tests/t_lpback.sh
+@@ -35,6 +35,9 @@ CIPHERS=$(${top_builddir}/src/openvpn/openvpn --show-ciphers | \
+ # GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5)
+ CIPHERS=$(echo "$CIPHERS" | egrep -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)' )
+ 
++# Also test cipher 'none'
++CIPHERS=${CIPHERS}$(printf "\nnone")
++
+ "${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$
+ set +e
+ 
+-- 
+1.9.1
+
diff --git a/net-misc/openvpn/files/65openvpn b/net-misc/openvpn/files/65openvpn
new file mode 100644
index 00000000000..4ddb0343030
--- /dev/null
+++ b/net-misc/openvpn/files/65openvpn
@@ -0,0 +1 @@
+CONFIG_PROTECT="/usr/share/openvpn/easy-rsa"
diff --git a/net-misc/openvpn/files/down.sh b/net-misc/openvpn/files/down.sh
new file mode 100755
index 00000000000..1c70db0ec65
--- /dev/null
+++ b/net-misc/openvpn/files/down.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+
+# If we have a service specific script, run this now
+if [ -x /etc/openvpn/"${SVCNAME}"-down.sh ] ; then
+	/etc/openvpn/"${SVCNAME}"-down.sh "$@"
+fi
+
+# Restore resolv.conf to how it was
+if [ "${PEER_DNS}" != "no" ]; then
+	if [ -x /sbin/resolvconf ] ; then
+		/sbin/resolvconf -d "${dev}"
+	elif [ -e /etc/resolv.conf-"${dev}".sv ] ; then
+		# Important that we copy instead of move incase resolv.conf is
+		# a symlink and not an actual file
+		cp /etc/resolv.conf-"${dev}".sv /etc/resolv.conf
+		rm -f /etc/resolv.conf-"${dev}".sv
+	fi
+fi
+
+if [ -n "${SVCNAME}" ]; then
+	# Re-enter the init script to start any dependant services
+	if /etc/init.d/"${SVCNAME}" --quiet status ; then
+		export IN_BACKGROUND=true
+		/etc/init.d/"${SVCNAME}" --quiet stop
+	fi
+fi
+
+exit 0
+
+# vim: ts=4 :
diff --git a/net-misc/openvpn/files/openvpn-2.1.conf b/net-misc/openvpn/files/openvpn-2.1.conf
new file mode 100644
index 00000000000..72510c34aed
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn-2.1.conf
@@ -0,0 +1,18 @@
+# OpenVPN automatically creates an /etc/resolv.conf (or sends it to
+# resolvconf) if given DNS information by the OpenVPN server.
+# Set PEER_DNS="no" to stop this.
+PEER_DNS="yes"
+
+# OpenVPN can run in many modes. Most people will want the init script
+# to automatically detect the mode and try and apply a good default
+# configuration and setup scripts. However, there are cases where the
+# OpenVPN configuration looks like a client, but it's really a peer or
+# something else. DETECT_CLIENT controls this behaviour.
+DETECT_CLIENT="yes"
+
+# If DETECT_CLIENT is no and you have your own scripts to re-enter the openvpn
+# init script (ie, it first becomes "inactive" and the script then starts the
+# script again to make it "started") then you can state this below.
+# In other words, unless you understand service dependencies and are a
+# competent shell scripter, don't set this.
+RE_ENTER="no"
diff --git a/net-misc/openvpn/files/openvpn-2.1.init b/net-misc/openvpn/files/openvpn-2.1.init
new file mode 100755
index 00000000000..d65e6f8bd7c
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn-2.1.init
@@ -0,0 +1,133 @@
+#!/sbin/runscript
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+VPNDIR=${VPNDIR:-/etc/openvpn}
+VPN=${SVCNAME#*.}
+if [ -n "${VPN}" ] && [ ${SVCNAME} != "openvpn" ]; then
+	VPNPID="/var/run/openvpn.${VPN}.pid"
+else
+	VPNPID="/var/run/openvpn.pid"
+fi
+VPNCONF="${VPNDIR}/${VPN}.conf"
+
+depend() {
+	need localmount net
+	use dns
+	after bootmisc
+}
+
+checkconfig() {
+	# Linux has good dynamic tun/tap creation
+	if [ $(uname -s) = "Linux" ] ; then
+		if [ ! -e /dev/net/tun ]; then
+			if ! modprobe tun ; then
+				eerror "TUN/TAP support is not available" \
+					"in this kernel"
+				return 1
+			fi
+		fi
+		if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
+			ebegin "Detected broken /dev/net/tun symlink, fixing..."
+			rm -f /dev/net/tun
+			ln -s /dev/misc/net/tun /dev/net/tun
+			eend $?
+		fi
+		return 0
+	fi
+
+	# Other OS's don't, so we rely on a pre-configured interface
+	# per vpn instance
+	local ifname=$(sed -n -e 's/[[:space:]]*dev[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "${VPNCONF}")
+	if [ -z ${ifname} ] ; then
+		eerror "You need to specify the interface that this openvpn" \
+			"instance should use" \
+			"by using the dev option in ${VPNCONF}"
+		return 1
+	fi
+
+	if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then
+		# Try and create it
+		echo > /dev/"${ifname}" >/dev/null
+	fi
+	if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then
+		eerror "${VPNCONF} requires interface ${ifname}" \
+			"but that does not exist"
+		return 1
+	fi
+}
+
+start() {
+	# If we are re-called by the openvpn gentoo-up.sh script
+	# then we don't actually want to start openvpn
+	[ "${IN_BACKGROUND}" = "true" ] && return 0
+	
+	ebegin "Starting ${SVCNAME}"
+
+	checkconfig || return 1
+
+	local args="" reenter=${RE_ENTER:-no}
+	# If the config file does not specify the cd option, we do
+	# But if we specify it, we override the config option which we do not want
+	if ! grep -q "^[ 	]*cd[ 	].*" "${VPNCONF}" ; then
+		args="${args} --cd ${VPNDIR}"
+	fi
+	
+	# We mark the service as inactive and then start it.
+	# When we get an authenticated packet from the peer then we run our script
+	# which configures our DNS if any and marks us as up.
+	if [ "${DETECT_CLIENT:-yes}" = "yes" ] && \
+	grep -q "^[ 	]*remote[ 	].*" "${VPNCONF}" ; then
+		reenter="yes"
+		args="${args} --up-delay --up-restart"
+		args="${args} --script-security 2"
+		args="${args} --up /etc/openvpn/up.sh"
+		args="${args} --down-pre --down /etc/openvpn/down.sh"
+
+		# Warn about setting scripts as we override them
+		if grep -Eq "^[ 	]*(up|down)[ 	].*" "${VPNCONF}" ; then
+			ewarn "WARNING: You have defined your own up/down scripts"
+			ewarn "As you're running as a client, we now force Gentoo specific"
+			ewarn "scripts to be run for up and down events."
+			ewarn "These scripts will call /etc/openvpn/${SVCNAME}-{up,down}.sh"
+			ewarn "where you can put your own code."
+		fi
+
+		# Warn about the inability to change ip/route/dns information when
+		# dropping privs
+		if grep -q "^[ 	]*user[ 	].*" "${VPNCONF}" ; then
+			ewarn "WARNING: You are dropping root privileges!"
+			ewarn "As such openvpn may not be able to change ip, routing"
+			ewarn "or DNS configuration."
+		fi
+	else
+		# So we're a server. Run as openvpn unless otherwise specified
+		grep -q "^[ 	]*user[ 	].*" "${VPNCONF}" || args="${args} --user openvpn"
+		grep -q "^[ 	]*group[ 	].*" "${VPNCONF}" || args="${args} --group openvpn"
+	fi
+
+	# Ensure that our scripts get the PEER_DNS variable
+	[ -n "${PEER_DNS}" ] && args="${args} --setenv PEER_DNS ${PEER_DNS}"
+
+	[ "${reenter}" = "yes" ] && mark_service_inactive "${SVCNAME}"
+	start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \
+		-- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon \
+		--setenv SVCNAME "${SVCNAME}" ${args}
+	eend $? "Check your logs to see why startup failed"
+}
+
+stop() {
+	# If we are re-called by the openvpn gentoo-down.sh script
+	# then we don't actually want to stop openvpn
+	if [ "${IN_BACKGROUND}" = "true" ] ; then
+		mark_service_inactive "${SVCNAME}"
+		return 0
+	fi
+
+	ebegin "Stopping ${SVCNAME}"
+	start-stop-daemon --stop --quiet \
+		--exec /usr/sbin/openvpn --pidfile "${VPNPID}"
+	eend $?
+}
+
+# vim: set ts=4 :
diff --git a/net-misc/openvpn/files/openvpn.init b/net-misc/openvpn/files/openvpn.init
new file mode 100644
index 00000000000..489ab497dce
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn.init
@@ -0,0 +1,63 @@
+#!/sbin/runscript
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+VPNDIR="/etc/openvpn"
+VPN="${SVCNAME#*.}"
+if [ -n "${VPN}" ] && [ "${SVCNAME}" != "openvpn" ]; then
+	VPNPID="/var/run/openvpn.${VPN}.pid"
+else
+	VPNPID="/var/run/openvpn.pid"
+fi
+VPNCONF="${VPNDIR}/${VPN}.conf"
+
+depend() {
+	need localmount net
+	before netmount
+	after bootmisc
+}
+
+checktundevice() {
+	if [ ! -e /dev/net/tun ]; then
+		if ! modprobe tun ; then
+			eerror "TUN/TAP support is not available in this kernel"
+			return 1
+		fi
+	fi
+	if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
+		ebegin "Detected broken /dev/net/tun symlink, fixing..."
+		rm -f /dev/net/tun
+		ln -s /dev/misc/net/tun /dev/net/tun
+		eend $?
+	fi
+}
+
+start() {
+	ebegin "Starting ${SVCNAME}"
+
+	checktundevice || return 1
+
+	if [ ! -e "${VPNCONF}" ]; then
+		eend 1 "${VPNCONF} does not exist"
+		return 1
+	fi
+
+	local args=""
+	# If the config file does not specify the cd option, we do
+	# But if we specify it, we override the config option which we do not want
+	if ! grep -q "^[ 	]*cd[ 	].*" "${VPNCONF}" ; then
+		args="${args} --cd ${VPNDIR}"
+	fi
+
+	start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \
+		-- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon ${args}
+	eend $? "Check your logs to see why startup failed"
+}
+
+stop() {
+	ebegin "Stopping ${SVCNAME}"
+	start-stop-daemon --stop --exec /usr/sbin/openvpn --pidfile "${VPNPID}"
+	eend $?
+}
+
+# vim: ts=4
diff --git a/net-misc/openvpn/files/openvpn.service b/net-misc/openvpn/files/openvpn.service
new file mode 100644
index 00000000000..358dcb791a3
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
+After=syslog.target network.target
+
+[Service]
+PrivateTmp=true
+Type=forking
+PIDFile=/var/run/openvpn/%i.pid
+ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-misc/openvpn/files/openvpn.tmpfile b/net-misc/openvpn/files/openvpn.tmpfile
new file mode 100644
index 00000000000..d5fca71a00a
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn.tmpfile
@@ -0,0 +1 @@
+D /var/run/openvpn 0710 root openvpn -
diff --git a/net-misc/openvpn/files/up.sh b/net-misc/openvpn/files/up.sh
new file mode 100755
index 00000000000..6ce82d6113c
--- /dev/null
+++ b/net-misc/openvpn/files/up.sh
@@ -0,0 +1,100 @@
+#!/bin/sh
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+
+# Setup our resolv.conf
+# Vitally important that we use the domain entry in resolv.conf so we
+# can setup the nameservers are for the domain ONLY in resolvconf if
+# we're using a decent dns cache/forwarder like dnsmasq and NOT nscd/libc.
+# nscd/libc users will get the VPN nameservers before their other ones
+# and will use the first one that responds - maybe the LAN ones?
+# non resolvconf users just the the VPN resolv.conf
+
+# FIXME:- if we have >1 domain, then we have to use search :/
+# We need to add a flag to resolvconf to say
+# "these nameservers should only be used for the listed search domains
+#  if other global nameservers are present on other interfaces"
+# This however, will break compatibility with Debians resolvconf
+# A possible workaround would be to just list multiple domain lines
+# and try and let resolvconf handle it
+
+min_route() {
+	local n=1
+	local m
+	local r
+
+	eval m="\$route_metric_$n"
+	while [ -n "${m}" ]; do
+		if [ -z "$r" ] || [ "$r" -gt "$m" ]; then
+			r="$m"
+		fi
+		n="$(($n+1))"
+		eval m="\$route_metric_$n"
+	done
+
+	echo "$r"
+}
+
+if [ "${PEER_DNS}" != "no" ]; then
+	NS=
+	DOMAIN=
+	SEARCH=
+	i=1
+	while true ; do
+		eval opt=\$foreign_option_${i}
+		[ -z "${opt}" ] && break
+		if [ "${opt}" != "${opt#dhcp-option DOMAIN *}" ] ; then
+			if [ -z "${DOMAIN}" ] ; then
+				DOMAIN="${opt#dhcp-option DOMAIN *}"
+			else
+				SEARCH="${SEARCH}${SEARCH:+ }${opt#dhcp-option DOMAIN *}"
+			fi
+		elif [ "${opt}" != "${opt#dhcp-option DNS *}" ] ; then
+			NS="${NS}nameserver ${opt#dhcp-option DNS *}\n"
+		fi
+		i=$((${i} + 1))
+	done
+
+	if [ -n "${NS}" ] ; then
+		DNS="# Generated by openvpn for interface ${dev}\n"
+		if [ -n "${SEARCH}" ] ; then
+			DNS="${DNS}search ${DOMAIN} ${SEARCH}\n"
+		elif [ -n "${DOMAIN}" ]; then
+			DNS="${DNS}domain ${DOMAIN}\n"
+		fi
+		DNS="${DNS}${NS}"
+		if [ -x /sbin/resolvconf ] ; then
+			metric="$(min_route)"
+			printf "${DNS}" | /sbin/resolvconf -a "${dev}" ${metric:+-m ${metric}}
+		else
+			# Preserve the existing resolv.conf
+			if [ -e /etc/resolv.conf ] ; then
+				cp /etc/resolv.conf /etc/resolv.conf-"${dev}".sv
+			fi
+			printf "${DNS}" > /etc/resolv.conf
+			chmod 644 /etc/resolv.conf
+		fi
+	fi
+fi
+
+# Below section is Gentoo specific
+# Quick summary - our init scripts are re-entrant and set the SVCNAME env var
+# as we could have >1 openvpn service
+
+if [ -n "${SVCNAME}" ]; then
+	# If we have a service specific script, run this now
+	if [ -x /etc/openvpn/"${SVCNAME}"-up.sh ] ; then
+		/etc/openvpn/"${SVCNAME}"-up.sh "$@"
+	fi
+
+	# Re-enter the init script to start any dependant services
+	if ! /etc/init.d/"${SVCNAME}" --quiet status ; then
+		export IN_BACKGROUND=true
+		/etc/init.d/${SVCNAME} --quiet start
+	fi
+fi
+
+exit 0
+
+# vim: ts=4 :
diff --git a/net-misc/openvpn/metadata.xml b/net-misc/openvpn/metadata.xml
new file mode 100644
index 00000000000..7f3d1f95164
--- /dev/null
+++ b/net-misc/openvpn/metadata.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer>
+    <email>djc@gentoo.org</email>
+    <name>Dirkjan Ochtman</name>
+  </maintainer>
+  <longdescription>OpenVPN is an easy-to-use, robust and highly
+configurable VPN daemon which can be used to securely link two or more
+networks using an encrypted tunnel.</longdescription>
+  <use>
+    <flag name="down-root">Enable the down-root plugin</flag>
+    <flag name="iproute2">Enabled iproute2 support instead of net-tools</flag>
+    <flag name="passwordsave">Enables openvpn to save passwords</flag>
+    <flag name="polarssl">Use PolarSSL instead of OpenSSL</flag>
+    <flag name="pkcs11">Enable PKCS#11 smartcard support</flag>
+    <flag name="plugins">Enable the OpenVPN plugin system</flag>
+    <flag name="socks">Enable socks support</flag>
+  </use>
+  <upstream>
+    <remote-id type="cpe">cpe:/a:openvpn:openvpn</remote-id>
+  </upstream>
+</pkgmetadata>
diff --git a/net-misc/openvpn/openvpn-2.3.6-r1.ebuild b/net-misc/openvpn/openvpn-2.3.6-r1.ebuild
new file mode 100644
index 00000000000..8ad5a7ba268
--- /dev/null
+++ b/net-misc/openvpn/openvpn-2.3.6-r1.ebuild
@@ -0,0 +1,133 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=4
+
+inherit multilib autotools flag-o-matic user systemd
+
+DESCRIPTION="Robust and highly flexible tunneling application compatible with many OSes"
+SRC_URI="http://swupdate.openvpn.net/community/releases/${P}.tar.gz"
+HOMEPAGE="http://openvpn.net/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux"
+IUSE="examples down-root iproute2 pam passwordsave pkcs11 +plugins polarssl selinux +ssl systemd +lzo static userland_BSD"
+
+REQUIRED_USE="static? ( !plugins !pkcs11 )
+			polarssl? ( ssl )
+			pkcs11? ( ssl )
+			!plugins? ( !pam !down-root )"
+
+DEPEND="
+	kernel_linux? (
+		iproute2? ( sys-apps/iproute2[-minimal] ) !iproute2? ( sys-apps/net-tools )
+	)
+	pam? ( virtual/pam )
+	ssl? (
+		!polarssl? ( >=dev-libs/openssl-0.9.7 ) polarssl? ( >=net-libs/polarssl-1.2.10 )
+	)
+	lzo? ( >=dev-libs/lzo-1.07 )
+	pkcs11? ( >=dev-libs/pkcs11-helper-1.11 )"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-openvpn )
+"
+
+src_prepare() {
+	# Set correct pass to systemd-ask-password binary
+	sed -i "s:\(/bin/systemd-ask-password\):/usr\1:" ./src/openvpn/console.c || die
+	epatch "${FILESDIR}/2.3.6-null-cipher.patch" || die
+	eautoreconf
+}
+
+src_configure() {
+	use static && LDFLAGS="${LDFLAGS} -Xcompiler -static"
+	local myconf
+	use polarssl && myconf="--with-crypto-library=polarssl"
+	econf \
+		${myconf} \
+		--docdir="${EPREFIX}/usr/share/doc/${PF}" \
+		--with-plugindir="${ROOT}/usr/$(get_libdir)/$PN" \
+		$(use_enable passwordsave password-save) \
+		$(use_enable ssl) \
+		$(use_enable ssl crypto) \
+		$(use_enable lzo) \
+		$(use_enable pkcs11) \
+		$(use_enable plugins) \
+		$(use_enable iproute2) \
+		$(use_enable pam plugin-auth-pam) \
+		$(use_enable down-root plugin-down-root) \
+		$(use_enable systemd)
+}
+
+src_install() {
+	default
+	find "${ED}/usr" -name '*.la' -delete
+	# install documentation
+	dodoc AUTHORS ChangeLog PORTS README README.IPv6
+
+	# Install some helper scripts
+	keepdir /etc/openvpn
+	exeinto /etc/openvpn
+	doexe "${FILESDIR}/up.sh"
+	doexe "${FILESDIR}/down.sh"
+
+	# Install the init script and config file
+	newinitd "${FILESDIR}/${PN}-2.1.init" openvpn
+	newconfd "${FILESDIR}/${PN}-2.1.conf" openvpn
+
+	# install examples, controlled by the respective useflag
+	if use examples ; then
+		# dodoc does not supportly support directory traversal, #15193
+		insinto /usr/share/doc/${PF}/examples
+		doins -r sample contrib
+	fi
+
+	systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfile ${PN}.conf
+	systemd_newunit "${FILESDIR}"/${PN}.service 'openvpn@.service'
+}
+
+pkg_postinst() {
+	# Add openvpn user so openvpn servers can drop privs
+	# Clients should run as root so they can change ip addresses,
+	# dns information and other such things.
+	enewgroup openvpn
+	enewuser openvpn "" "" "" openvpn
+
+	if [ path_exists -o "${ROOT}/etc/openvpn/*/local.conf" ] ; then
+		ewarn "WARNING: The openvpn init script has changed"
+		ewarn ""
+	fi
+
+	elog "The openvpn init script expects to find the configuration file"
+	elog "openvpn.conf in /etc/openvpn along with any extra files it may need."
+	elog ""
+	elog "To create more VPNs, simply create a new .conf file for it and"
+	elog "then create a symlink to the openvpn init script from a link called"
+	elog "openvpn.newconfname - like so"
+	elog "   cd /etc/openvpn"
+	elog "   ${EDITOR##*/} foo.conf"
+	elog "   cd /etc/init.d"
+	elog "   ln -s openvpn openvpn.foo"
+	elog ""
+	elog "You can then treat openvpn.foo as any other service, so you can"
+	elog "stop one vpn and start another if you need to."
+
+	if grep -Eq "^[ \t]*(up|down)[ \t].*" "${ROOT}/etc/openvpn"/*.conf 2>/dev/null ; then
+		ewarn ""
+		ewarn "WARNING: If you use the remote keyword then you are deemed to be"
+		ewarn "a client by our init script and as such we force up,down scripts."
+		ewarn "These scripts call /etc/openvpn/\$SVCNAME-{up,down}.sh where you"
+		ewarn "can move your scripts to."
+	fi
+
+	if use plugins ; then
+		einfo ""
+		einfo "plugins have been installed into /usr/$(get_libdir)/${PN}"
+	fi
+
+	einfo ""
+	einfo "OpenVPN 2.3.x no longer includes the easy-rsa suite of utilities."
+	einfo "They can now be emerged via app-crypt/easy-rsa."
+}
diff --git a/net-misc/openvpn/openvpn-2.3.6-r2.ebuild b/net-misc/openvpn/openvpn-2.3.6-r2.ebuild
new file mode 100644
index 00000000000..f72f09502a1
--- /dev/null
+++ b/net-misc/openvpn/openvpn-2.3.6-r2.ebuild
@@ -0,0 +1,134 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=4
+
+inherit multilib autotools flag-o-matic user systemd
+
+DESCRIPTION="Robust and highly flexible tunneling application compatible with many OSes"
+SRC_URI="http://swupdate.openvpn.net/community/releases/${P}.tar.gz"
+HOMEPAGE="http://openvpn.net/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux"
+IUSE="examples down-root iproute2 pam passwordsave pkcs11 +plugins polarssl selinux +ssl systemd +lzo static userland_BSD"
+
+REQUIRED_USE="static? ( !plugins !pkcs11 )
+			polarssl? ( ssl )
+			pkcs11? ( ssl )
+			!plugins? ( !pam !down-root )"
+
+DEPEND="
+	kernel_linux? (
+		iproute2? ( sys-apps/iproute2[-minimal] ) !iproute2? ( sys-apps/net-tools )
+	)
+	pam? ( virtual/pam )
+	ssl? (
+		!polarssl? ( >=dev-libs/openssl-0.9.7 ) polarssl? ( >=net-libs/polarssl-1.2.10 )
+	)
+	lzo? ( >=dev-libs/lzo-1.07 )
+	pkcs11? ( >=dev-libs/pkcs11-helper-1.11 )"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-openvpn )
+"
+
+src_prepare() {
+	# Set correct pass to systemd-ask-password binary
+	sed -i "s:\(/bin/systemd-ask-password\):/usr\1:" ./src/openvpn/console.c || die
+	epatch "${FILESDIR}/2.3.6-null-cipher.patch" || die
+	epatch "${FILESDIR}/2.3.6-disable-compression.patch" || die
+	eautoreconf
+}
+
+src_configure() {
+	use static && LDFLAGS="${LDFLAGS} -Xcompiler -static"
+	local myconf
+	use polarssl && myconf="--with-crypto-library=polarssl"
+	econf \
+		${myconf} \
+		--docdir="${EPREFIX}/usr/share/doc/${PF}" \
+		--with-plugindir="${ROOT}/usr/$(get_libdir)/$PN" \
+		$(use_enable passwordsave password-save) \
+		$(use_enable ssl) \
+		$(use_enable ssl crypto) \
+		$(use_enable lzo) \
+		$(use_enable pkcs11) \
+		$(use_enable plugins) \
+		$(use_enable iproute2) \
+		$(use_enable pam plugin-auth-pam) \
+		$(use_enable down-root plugin-down-root) \
+		$(use_enable systemd)
+}
+
+src_install() {
+	default
+	find "${ED}/usr" -name '*.la' -delete
+	# install documentation
+	dodoc AUTHORS ChangeLog PORTS README README.IPv6
+
+	# Install some helper scripts
+	keepdir /etc/openvpn
+	exeinto /etc/openvpn
+	doexe "${FILESDIR}/up.sh"
+	doexe "${FILESDIR}/down.sh"
+
+	# Install the init script and config file
+	newinitd "${FILESDIR}/${PN}-2.1.init" openvpn
+	newconfd "${FILESDIR}/${PN}-2.1.conf" openvpn
+
+	# install examples, controlled by the respective useflag
+	if use examples ; then
+		# dodoc does not supportly support directory traversal, #15193
+		insinto /usr/share/doc/${PF}/examples
+		doins -r sample contrib
+	fi
+
+	systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfile ${PN}.conf
+	systemd_newunit "${FILESDIR}"/${PN}.service 'openvpn@.service'
+}
+
+pkg_postinst() {
+	# Add openvpn user so openvpn servers can drop privs
+	# Clients should run as root so they can change ip addresses,
+	# dns information and other such things.
+	enewgroup openvpn
+	enewuser openvpn "" "" "" openvpn
+
+	if [ path_exists -o "${ROOT}/etc/openvpn/*/local.conf" ] ; then
+		ewarn "WARNING: The openvpn init script has changed"
+		ewarn ""
+	fi
+
+	elog "The openvpn init script expects to find the configuration file"
+	elog "openvpn.conf in /etc/openvpn along with any extra files it may need."
+	elog ""
+	elog "To create more VPNs, simply create a new .conf file for it and"
+	elog "then create a symlink to the openvpn init script from a link called"
+	elog "openvpn.newconfname - like so"
+	elog "   cd /etc/openvpn"
+	elog "   ${EDITOR##*/} foo.conf"
+	elog "   cd /etc/init.d"
+	elog "   ln -s openvpn openvpn.foo"
+	elog ""
+	elog "You can then treat openvpn.foo as any other service, so you can"
+	elog "stop one vpn and start another if you need to."
+
+	if grep -Eq "^[ \t]*(up|down)[ \t].*" "${ROOT}/etc/openvpn"/*.conf 2>/dev/null ; then
+		ewarn ""
+		ewarn "WARNING: If you use the remote keyword then you are deemed to be"
+		ewarn "a client by our init script and as such we force up,down scripts."
+		ewarn "These scripts call /etc/openvpn/\$SVCNAME-{up,down}.sh where you"
+		ewarn "can move your scripts to."
+	fi
+
+	if use plugins ; then
+		einfo ""
+		einfo "plugins have been installed into /usr/$(get_libdir)/${PN}"
+	fi
+
+	einfo ""
+	einfo "OpenVPN 2.3.x no longer includes the easy-rsa suite of utilities."
+	einfo "They can now be emerged via app-crypt/easy-rsa."
+}
diff --git a/net-misc/openvpn/openvpn-2.3.6.ebuild b/net-misc/openvpn/openvpn-2.3.6.ebuild
new file mode 100644
index 00000000000..a18d0fd4a3e
--- /dev/null
+++ b/net-misc/openvpn/openvpn-2.3.6.ebuild
@@ -0,0 +1,132 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=4
+
+inherit multilib autotools flag-o-matic user systemd
+
+DESCRIPTION="Robust and highly flexible tunneling application compatible with many OSes"
+SRC_URI="http://swupdate.openvpn.net/community/releases/${P}.tar.gz"
+HOMEPAGE="http://openvpn.net/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux"
+IUSE="examples down-root iproute2 pam passwordsave pkcs11 +plugins polarssl selinux +ssl systemd +lzo static userland_BSD"
+
+REQUIRED_USE="static? ( !plugins !pkcs11 )
+			polarssl? ( ssl )
+			pkcs11? ( ssl )
+			!plugins? ( !pam !down-root )"
+
+DEPEND="
+	kernel_linux? (
+		iproute2? ( sys-apps/iproute2[-minimal] ) !iproute2? ( sys-apps/net-tools )
+	)
+	pam? ( virtual/pam )
+	ssl? (
+		!polarssl? ( >=dev-libs/openssl-0.9.7 ) polarssl? ( >=net-libs/polarssl-1.2.10 )
+	)
+	lzo? ( >=dev-libs/lzo-1.07 )
+	pkcs11? ( >=dev-libs/pkcs11-helper-1.11 )"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-openvpn )
+"
+
+src_prepare() {
+	# Set correct pass to systemd-ask-password binary
+	sed -i "s:\(/bin/systemd-ask-password\):/usr\1:" ./src/openvpn/console.c || die
+	eautoreconf
+}
+
+src_configure() {
+	use static && LDFLAGS="${LDFLAGS} -Xcompiler -static"
+	local myconf
+	use polarssl && myconf="--with-crypto-library=polarssl"
+	econf \
+		${myconf} \
+		--docdir="${EPREFIX}/usr/share/doc/${PF}" \
+		--with-plugindir="${ROOT}/usr/$(get_libdir)/$PN" \
+		$(use_enable passwordsave password-save) \
+		$(use_enable ssl) \
+		$(use_enable ssl crypto) \
+		$(use_enable lzo) \
+		$(use_enable pkcs11) \
+		$(use_enable plugins) \
+		$(use_enable iproute2) \
+		$(use_enable pam plugin-auth-pam) \
+		$(use_enable down-root plugin-down-root) \
+		$(use_enable systemd)
+}
+
+src_install() {
+	default
+	find "${ED}/usr" -name '*.la' -delete
+	# install documentation
+	dodoc AUTHORS ChangeLog PORTS README README.IPv6
+
+	# Install some helper scripts
+	keepdir /etc/openvpn
+	exeinto /etc/openvpn
+	doexe "${FILESDIR}/up.sh"
+	doexe "${FILESDIR}/down.sh"
+
+	# Install the init script and config file
+	newinitd "${FILESDIR}/${PN}-2.1.init" openvpn
+	newconfd "${FILESDIR}/${PN}-2.1.conf" openvpn
+
+	# install examples, controlled by the respective useflag
+	if use examples ; then
+		# dodoc does not supportly support directory traversal, #15193
+		insinto /usr/share/doc/${PF}/examples
+		doins -r sample contrib
+	fi
+
+	systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfile ${PN}.conf
+	systemd_newunit "${FILESDIR}"/${PN}.service 'openvpn@.service'
+}
+
+pkg_postinst() {
+	# Add openvpn user so openvpn servers can drop privs
+	# Clients should run as root so they can change ip addresses,
+	# dns information and other such things.
+	enewgroup openvpn
+	enewuser openvpn "" "" "" openvpn
+
+	if [ path_exists -o "${ROOT}/etc/openvpn/*/local.conf" ] ; then
+		ewarn "WARNING: The openvpn init script has changed"
+		ewarn ""
+	fi
+
+	elog "The openvpn init script expects to find the configuration file"
+	elog "openvpn.conf in /etc/openvpn along with any extra files it may need."
+	elog ""
+	elog "To create more VPNs, simply create a new .conf file for it and"
+	elog "then create a symlink to the openvpn init script from a link called"
+	elog "openvpn.newconfname - like so"
+	elog "   cd /etc/openvpn"
+	elog "   ${EDITOR##*/} foo.conf"
+	elog "   cd /etc/init.d"
+	elog "   ln -s openvpn openvpn.foo"
+	elog ""
+	elog "You can then treat openvpn.foo as any other service, so you can"
+	elog "stop one vpn and start another if you need to."
+
+	if grep -Eq "^[ \t]*(up|down)[ \t].*" "${ROOT}/etc/openvpn"/*.conf 2>/dev/null ; then
+		ewarn ""
+		ewarn "WARNING: If you use the remote keyword then you are deemed to be"
+		ewarn "a client by our init script and as such we force up,down scripts."
+		ewarn "These scripts call /etc/openvpn/\$SVCNAME-{up,down}.sh where you"
+		ewarn "can move your scripts to."
+	fi
+
+	if use plugins ; then
+		einfo ""
+		einfo "plugins have been installed into /usr/$(get_libdir)/${PN}"
+	fi
+
+	einfo ""
+	einfo "OpenVPN 2.3.x no longer includes the easy-rsa suite of utilities."
+	einfo "They can now be emerged via app-crypt/easy-rsa."
+}
diff --git a/net-misc/openvpn/openvpn-2.3.7.ebuild b/net-misc/openvpn/openvpn-2.3.7.ebuild
new file mode 100644
index 00000000000..03bdc5632b6
--- /dev/null
+++ b/net-misc/openvpn/openvpn-2.3.7.ebuild
@@ -0,0 +1,129 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=4
+
+inherit multilib flag-o-matic user systemd
+
+DESCRIPTION="Robust and highly flexible tunneling application compatible with many OSes"
+SRC_URI="http://swupdate.openvpn.net/community/releases/${P}.tar.gz"
+HOMEPAGE="http://openvpn.net/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux"
+IUSE="examples down-root iproute2 +lzo pam passwordsave pkcs11 +plugins polarssl selinux socks +ssl static systemd userland_BSD"
+
+REQUIRED_USE="static? ( !plugins !pkcs11 )
+			polarssl? ( ssl )
+			pkcs11? ( ssl )
+			!plugins? ( !pam !down-root )"
+
+DEPEND="
+	kernel_linux? (
+		iproute2? ( sys-apps/iproute2[-minimal] ) !iproute2? ( sys-apps/net-tools )
+	)
+	pam? ( virtual/pam )
+	ssl? (
+		!polarssl? ( >=dev-libs/openssl-0.9.7 ) polarssl? ( >=net-libs/polarssl-1.2.10 )
+	)
+	lzo? ( >=dev-libs/lzo-1.07 )
+	pkcs11? ( >=dev-libs/pkcs11-helper-1.11 )
+	systemd? ( sys-apps/systemd )"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-openvpn )
+"
+
+src_configure() {
+	use static && LDFLAGS="${LDFLAGS} -Xcompiler -static"
+	local myconf
+	use polarssl && myconf="--with-crypto-library=polarssl"
+	econf \
+		${myconf} \
+		--docdir="${EPREFIX}/usr/share/doc/${PF}" \
+		--with-plugindir="${ROOT}/usr/$(get_libdir)/$PN" \
+		$(use_enable passwordsave password-save) \
+		$(use_enable ssl) \
+		$(use_enable ssl crypto) \
+		$(use_enable lzo) \
+		$(use_enable pkcs11) \
+		$(use_enable plugins) \
+		$(use_enable iproute2) \
+		$(use_enable socks) \
+		$(use_enable pam plugin-auth-pam) \
+		$(use_enable down-root plugin-down-root) \
+		$(use_enable systemd)
+}
+
+src_install() {
+	default
+	find "${ED}/usr" -name '*.la' -delete
+	# install documentation
+	dodoc AUTHORS ChangeLog PORTS README README.IPv6
+
+	# Install some helper scripts
+	keepdir /etc/openvpn
+	exeinto /etc/openvpn
+	doexe "${FILESDIR}/up.sh"
+	doexe "${FILESDIR}/down.sh"
+
+	# Install the init script and config file
+	newinitd "${FILESDIR}/${PN}-2.1.init" openvpn
+	newconfd "${FILESDIR}/${PN}-2.1.conf" openvpn
+
+	# install examples, controlled by the respective useflag
+	if use examples ; then
+		# dodoc does not supportly support directory traversal, #15193
+		insinto /usr/share/doc/${PF}/examples
+		doins -r sample contrib
+	fi
+
+	systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfile ${PN}.conf
+	systemd_newunit distro/systemd/openvpn-client@.service openvpn-client@.service
+	systemd_newunit distro/systemd/openvpn-server@.service openvpn-server@.service
+}
+
+pkg_postinst() {
+	# Add openvpn user so openvpn servers can drop privs
+	# Clients should run as root so they can change ip addresses,
+	# dns information and other such things.
+	enewgroup openvpn
+	enewuser openvpn "" "" "" openvpn
+
+	if [ path_exists -o "${ROOT}/etc/openvpn/*/local.conf" ] ; then
+		ewarn "WARNING: The openvpn init script has changed"
+		ewarn ""
+	fi
+
+	elog "The openvpn init script expects to find the configuration file"
+	elog "openvpn.conf in /etc/openvpn along with any extra files it may need."
+	elog ""
+	elog "To create more VPNs, simply create a new .conf file for it and"
+	elog "then create a symlink to the openvpn init script from a link called"
+	elog "openvpn.newconfname - like so"
+	elog "   cd /etc/openvpn"
+	elog "   ${EDITOR##*/} foo.conf"
+	elog "   cd /etc/init.d"
+	elog "   ln -s openvpn openvpn.foo"
+	elog ""
+	elog "You can then treat openvpn.foo as any other service, so you can"
+	elog "stop one vpn and start another if you need to."
+
+	if grep -Eq "^[ \t]*(up|down)[ \t].*" "${ROOT}/etc/openvpn"/*.conf 2>/dev/null ; then
+		ewarn ""
+		ewarn "WARNING: If you use the remote keyword then you are deemed to be"
+		ewarn "a client by our init script and as such we force up,down scripts."
+		ewarn "These scripts call /etc/openvpn/\$SVCNAME-{up,down}.sh where you"
+		ewarn "can move your scripts to."
+	fi
+
+	if use plugins ; then
+		einfo ""
+		einfo "plugins have been installed into /usr/$(get_libdir)/${PN}"
+	fi
+
+	einfo ""
+	einfo "OpenVPN 2.3.x no longer includes the easy-rsa suite of utilities."
+	einfo "They can now be emerged via app-crypt/easy-rsa."
+}
diff --git a/net-misc/openvpn/openvpn-2.3.8.ebuild b/net-misc/openvpn/openvpn-2.3.8.ebuild
new file mode 100644
index 00000000000..30418adf599
--- /dev/null
+++ b/net-misc/openvpn/openvpn-2.3.8.ebuild
@@ -0,0 +1,129 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=4
+
+inherit multilib flag-o-matic user systemd
+
+DESCRIPTION="Robust and highly flexible tunneling application compatible with many OSes"
+SRC_URI="http://swupdate.openvpn.net/community/releases/${P}.tar.gz"
+HOMEPAGE="http://openvpn.net/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux"
+IUSE="examples down-root iproute2 +lzo pam passwordsave pkcs11 +plugins polarssl selinux socks +ssl static systemd userland_BSD"
+
+REQUIRED_USE="static? ( !plugins !pkcs11 )
+			polarssl? ( ssl )
+			pkcs11? ( ssl )
+			!plugins? ( !pam !down-root )"
+
+DEPEND="
+	kernel_linux? (
+		iproute2? ( sys-apps/iproute2[-minimal] ) !iproute2? ( sys-apps/net-tools )
+	)
+	pam? ( virtual/pam )
+	ssl? (
+		!polarssl? ( >=dev-libs/openssl-0.9.7 ) polarssl? ( >=net-libs/polarssl-1.2.10 )
+	)
+	lzo? ( >=dev-libs/lzo-1.07 )
+	pkcs11? ( >=dev-libs/pkcs11-helper-1.11 )
+	systemd? ( sys-apps/systemd )"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-openvpn )
+"
+
+src_configure() {
+	use static && LDFLAGS="${LDFLAGS} -Xcompiler -static"
+	local myconf
+	use polarssl && myconf="--with-crypto-library=polarssl"
+	econf \
+		${myconf} \
+		--docdir="${EPREFIX}/usr/share/doc/${PF}" \
+		--with-plugindir="${ROOT}/usr/$(get_libdir)/$PN" \
+		$(use_enable passwordsave password-save) \
+		$(use_enable ssl) \
+		$(use_enable ssl crypto) \
+		$(use_enable lzo) \
+		$(use_enable pkcs11) \
+		$(use_enable plugins) \
+		$(use_enable iproute2) \
+		$(use_enable socks) \
+		$(use_enable pam plugin-auth-pam) \
+		$(use_enable down-root plugin-down-root) \
+		$(use_enable systemd)
+}
+
+src_install() {
+	default
+	find "${ED}/usr" -name '*.la' -delete
+	# install documentation
+	dodoc AUTHORS ChangeLog PORTS README README.IPv6
+
+	# Install some helper scripts
+	keepdir /etc/openvpn
+	exeinto /etc/openvpn
+	doexe "${FILESDIR}/up.sh"
+	doexe "${FILESDIR}/down.sh"
+
+	# Install the init script and config file
+	newinitd "${FILESDIR}/${PN}-2.1.init" openvpn
+	newconfd "${FILESDIR}/${PN}-2.1.conf" openvpn
+
+	# install examples, controlled by the respective useflag
+	if use examples ; then
+		# dodoc does not supportly support directory traversal, #15193
+		insinto /usr/share/doc/${PF}/examples
+		doins -r sample contrib
+	fi
+
+	systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfile ${PN}.conf
+	systemd_newunit distro/systemd/openvpn-client@.service openvpn-client@.service
+	systemd_newunit distro/systemd/openvpn-server@.service openvpn-server@.service
+}
+
+pkg_postinst() {
+	# Add openvpn user so openvpn servers can drop privs
+	# Clients should run as root so they can change ip addresses,
+	# dns information and other such things.
+	enewgroup openvpn
+	enewuser openvpn "" "" "" openvpn
+
+	if [ path_exists -o "${ROOT}/etc/openvpn/*/local.conf" ] ; then
+		ewarn "WARNING: The openvpn init script has changed"
+		ewarn ""
+	fi
+
+	elog "The openvpn init script expects to find the configuration file"
+	elog "openvpn.conf in /etc/openvpn along with any extra files it may need."
+	elog ""
+	elog "To create more VPNs, simply create a new .conf file for it and"
+	elog "then create a symlink to the openvpn init script from a link called"
+	elog "openvpn.newconfname - like so"
+	elog "   cd /etc/openvpn"
+	elog "   ${EDITOR##*/} foo.conf"
+	elog "   cd /etc/init.d"
+	elog "   ln -s openvpn openvpn.foo"
+	elog ""
+	elog "You can then treat openvpn.foo as any other service, so you can"
+	elog "stop one vpn and start another if you need to."
+
+	if grep -Eq "^[ \t]*(up|down)[ \t].*" "${ROOT}/etc/openvpn"/*.conf 2>/dev/null ; then
+		ewarn ""
+		ewarn "WARNING: If you use the remote keyword then you are deemed to be"
+		ewarn "a client by our init script and as such we force up,down scripts."
+		ewarn "These scripts call /etc/openvpn/\$SVCNAME-{up,down}.sh where you"
+		ewarn "can move your scripts to."
+	fi
+
+	if use plugins ; then
+		einfo ""
+		einfo "plugins have been installed into /usr/$(get_libdir)/${PN}"
+	fi
+
+	einfo ""
+	einfo "OpenVPN 2.3.x no longer includes the easy-rsa suite of utilities."
+	einfo "They can now be emerged via app-crypt/easy-rsa."
+}
diff --git a/net-misc/openvpn/openvpn-9999.ebuild b/net-misc/openvpn/openvpn-9999.ebuild
new file mode 100644
index 00000000000..bcfcb96158c
--- /dev/null
+++ b/net-misc/openvpn/openvpn-9999.ebuild
@@ -0,0 +1,133 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=4
+
+inherit multilib autotools flag-o-matic user git-2
+
+DESCRIPTION="Robust and highly flexible tunneling application compatible with many OSes"
+EGIT_REPO_URI="https://github.com/OpenVPN/${PN}.git"
+HOMEPAGE="http://openvpn.net/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS=""
+IUSE="examples down-root iproute2 +lzo pam passwordsave pkcs11 +plugins polarssl selinux socks +ssl static systemd userland_BSD"
+
+REQUIRED_USE="static? ( !plugins !pkcs11 )
+			polarssl? ( ssl )
+			!plugins? ( !pam !down-root )"
+
+DEPEND="
+	kernel_linux? (
+		iproute2? ( sys-apps/iproute2[-minimal] ) !iproute2? ( sys-apps/net-tools )
+	)
+	pam? ( virtual/pam )
+	ssl? (
+		!polarssl? ( >=dev-libs/openssl-0.9.7 ) polarssl? ( >=net-libs/polarssl-1.2.10 )
+	)
+	lzo? ( >=dev-libs/lzo-1.07 )
+	pkcs11? ( >=dev-libs/pkcs11-helper-1.11 )
+	systemd? ( sys-apps/systemd )"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-openvpn )
+"
+
+src_prepare() {
+	eautoreconf
+}
+
+src_configure() {
+	use static && LDFLAGS="${LDFLAGS} -Xcompiler -static"
+	local myconf
+	use polarssl && myconf="--with-crypto-library=polarssl"
+	econf \
+		${myconf} \
+		--docdir="${EPREFIX}/usr/share/doc/${PF}" \
+		--with-plugindir="${ROOT}/usr/$(get_libdir)/$PN" \
+		$(use_enable passwordsave password-save) \
+		$(use_enable ssl) \
+		$(use_enable ssl crypto) \
+		$(use_enable lzo) \
+		$(use_enable pkcs11) \
+		$(use_enable plugins) \
+		$(use_enable iproute2) \
+		$(use_enable socks) \
+		$(use_enable pam plugin-auth-pam) \
+		$(use_enable down-root plugin-down-root) \
+		$(use_enable systemd)
+}
+
+src_install() {
+	default
+	find "${ED}/usr" -name '*.la' -delete
+	# install documentation
+	dodoc AUTHORS ChangeLog PORTS README README.IPv6
+
+	# Install some helper scripts
+	keepdir /etc/openvpn
+	exeinto /etc/openvpn
+	doexe "${FILESDIR}/up.sh"
+	doexe "${FILESDIR}/down.sh"
+
+	# Install the init script and config file
+	newinitd "${FILESDIR}/${PN}-2.1.init" openvpn
+	newconfd "${FILESDIR}/${PN}-2.1.conf" openvpn
+
+	# install examples, controlled by the respective useflag
+	if use examples ; then
+		# dodoc does not supportly support directory traversal, #15193
+		insinto /usr/share/doc/${PF}/examples
+		doins -r sample contrib
+	fi
+
+	systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfile ${PN}.conf
+	systemd_newunit distro/systemd/openvpn-client@.service openvpn-client@.service
+	systemd_newunit distro/systemd/openvpn-server@.service openvpn-server@.service
+}
+
+pkg_postinst() {
+	# Add openvpn user so openvpn servers can drop privs
+	# Clients should run as root so they can change ip addresses,
+	# dns information and other such things.
+	enewgroup openvpn
+	enewuser openvpn "" "" "" openvpn
+
+	if [ path_exists -o "${ROOT}/etc/openvpn/*/local.conf" ] ; then
+		ewarn "WARNING: The openvpn init script has changed"
+		ewarn ""
+	fi
+
+	elog "The openvpn init script expects to find the configuration file"
+	elog "openvpn.conf in /etc/openvpn along with any extra files it may need."
+	elog ""
+	elog "To create more VPNs, simply create a new .conf file for it and"
+	elog "then create a symlink to the openvpn init script from a link called"
+	elog "openvpn.newconfname - like so"
+	elog "   cd /etc/openvpn"
+	elog "   ${EDITOR##*/} foo.conf"
+	elog "   cd /etc/init.d"
+	elog "   ln -s openvpn openvpn.foo"
+	elog ""
+	elog "You can then treat openvpn.foo as any other service, so you can"
+	elog "stop one vpn and start another if you need to."
+
+	if grep -Eq "^[ \t]*(up|down)[ \t].*" "${ROOT}/etc/openvpn"/*.conf 2>/dev/null ; then
+		ewarn ""
+		ewarn "WARNING: If you use the remote keyword then you are deemed to be"
+		ewarn "a client by our init script and as such we force up,down scripts."
+		ewarn "These scripts call /etc/openvpn/\$SVCNAME-{up,down}.sh where you"
+		ewarn "can move your scripts to."
+	fi
+
+	if use plugins ; then
+		einfo ""
+		einfo "plugins have been installed into /usr/$(get_libdir)/${PN}"
+	fi
+
+	ewarn ""
+	ewarn "You are using a live ebuild building from the sources of openvpn"
+	ewarn "repository from http://openvpn.git.sourceforge.net. For reporting"
+	ewarn "bugs please contact: openvpn-devel@lists.sourceforge.net."
+}