Add and hook up resolvd(8) DNS script, and enable dns-updown functionality

openvpn-2.7.0 comes with a system-specific DNS script whose role it to
update DNS resolver configuration on the client according to parameters
passed by the server.  So far the script rewriting resolv.conf wasn't
run by default on clients, because that interfered with resolvd(8) which
is started by default.

Add a script handling the resolvd(8) case using route(8) nameserver.
Plug it into the default resolv.conf script if resolvd(8) is running.

If this behavior change doesn't suit you, please use "--dns-updown
disable" (documented in the manpage) and feel free to report your
specific use case.

Tested by landry and me, ok landry@

net/openvpn/Makefile

@@ -1,7 +1,7 @@
 COMMENT=	easy-to-use, robust, and highly configurable VPN
 
 DISTNAME=	openvpn-2.7.0
-REVISION=	0
+REVISION=	1
 
 CATEGORIES=	net security
 
@@ -31,8 +31,7 @@ CONFIGURE_STYLE= gnu
 CONFIGURE_ENV=	CPPFLAGS="-I${LOCALBASE}/include" \
 		LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}" \
 		SOFTHSM2_UTIL=no
-CONFIGURE_ARGS+=--disable-dns-updown-by-default \
-		--with-openssl-engine=no
+CONFIGURE_ARGS=	--with-openssl-engine=no
 
 DEBUG_PACKAGES=	${BUILD_PACKAGES}
 
@@ -53,6 +52,9 @@ WANTLIB += crypto pkcs11-helper ssl
 
 SAMPLES_DIR=	${PREFIX}/share/examples/openvpn
 
+pre-configure:
+	${SUBST_CMD} ${WRKSRC}/distro/dns-scripts/resolvconf_file-dns-updown.sh
+
 post-install:
 	cd ${WRKSRC}/sample/; \
 	find sample-config-files sample-keys sample-scripts -type d \
@@ -60,5 +62,7 @@ post-install:
 	find sample-config-files sample-keys sample-scripts -type f \
 	    '(' ! -name '*.orig' -a ! -name '.gitignore' ')' \
 	    -exec ${INSTALL_DATA} {} ${SAMPLES_DIR}/{} ';'
+	${INSTALL_SCRIPT} ${FILESDIR}/resolvd-dns-updown.sh \
+	    ${PREFIX}/libexec/openvpn/dns-updown.resolvd
 
 .include <bsd.port.mk>

net/openvpn/files/resolvd-dns-updown.sh

@@ -0,0 +1,90 @@
+#!/bin/ksh
+#
+# Simple OpenVPN up/down script for resolvd(8) integration
+# Modified from the openresolv script shipped in OpenVPN 2.7.0
+# (C) Copyright 2016 Baptiste Daroussin
+#               2024 OpenVPN Inc <sales@openvpn.net>
+#               2026 Jeremie Courreges-Anglas <jca@wxcvbn.org>
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# Example env from openvpn (most are not applied):
+#
+#   dns_vars_file /tmp/openvpn_dvf_58b95c0c97b2db43afb5d745f986c53c.tmp
+#
+#      or
+#
+#   dev tun0
+#   script_type dns-up
+#   dns_search_domain_1 mycorp.in
+#   dns_search_domain_2 eu.mycorp.com
+#   dns_server_1_address_1 192.168.99.254
+#   dns_server_1_address_2 fd00::99:53
+#   dns_server_1_port_1 53
+#   dns_server_1_port_2 53
+#   dns_server_1_resolve_domain_1 mycorp.in
+#   dns_server_1_resolve_domain_2 eu.mycorp.com
+#   dns_server_1_dnssec true
+#   dns_server_1_transport DoH
+#   dns_server_1_sni dns.mycorp.in
+#
+
+set -e +u
+
+only_standard_server_ports() {
+    i=1
+    while true; do
+        eval addr=\"\$dns_server_${n}_address_${i}\"
+        [ -n "$addr" ] || return 0
+
+        eval port=\"\$dns_server_${n}_port_${i}\"
+        [ -z "$port" -o "$port" = "53" ] || return 1
+
+        i=$((i + 1))
+    done
+}
+
+[ -z "${dns_vars_file}" ] || . "${dns_vars_file}"
+: ${script_type:=dns-down}
+case "${script_type}" in
+dns-up)
+    n=1
+    while :; do
+        eval addr=\"\$dns_server_${n}_address_1\"
+        [ -n "$addr" ] || {
+            echo "setting DNS failed, no compatible server profile"
+            exit 1
+        }
+
+        # Skip server profiles which require DNSSEC,
+        # secure transport or use a custom port
+        eval dnssec=\"\$dns_server_${n}_dnssec\"
+        eval transport=\"\$dns_server_${n}_transport\"
+        [ -z "$transport" -o "$transport" = "plain" ] \
+            && [ -z "$dnssec" -o "$dnssec" = "no" ] \
+            && only_standard_server_ports && break
+
+        n=$((n + 1))
+    done
+
+    i=1
+    maxns=5
+    nameservers=""
+    while :; do
+        maxns=$((maxns - 1))
+        [ $maxns -gt 0 ] || break
+        eval option=\"\$dns_server_${n}_address_${i}\" || break
+        [ "${option}" ] || break
+	if [ -n "$nameservers" ]; then
+            nameservers="${nameservers} ${option}"
+        else
+            nameservers="${option}"
+        fi
+        i=$((i + 1))
+    done
+    /sbin/route nameserver "${dev}" ${nameservers}
+    ;;
+dns-down)
+    /sbin/route nameserver "${dev}"
+    ;;
+esac

net/openvpn/patches/patch-distro_dns-scripts_resolvconf_file-dns-updown_sh

@@ -0,0 +1,15 @@
+Index: distro/dns-scripts/resolvconf_file-dns-updown.sh
+--- distro/dns-scripts/resolvconf_file-dns-updown.sh.orig
++++ distro/dns-scripts/resolvconf_file-dns-updown.sh
+@@ -41,6 +41,11 @@ only_standard_server_ports() {
+     done
+ }
+ 
++# If resolvd is running, don't touch /etc/resolv.conf
++if pgrep -q '^resolvd$'; then
++    exec ${PREFIX}/libexec/openvpn/dns-updown.resolvd "$@"
++fi
++
+ conf=/etc/resolv.conf
+ test -e "$conf" || exit 1
+ test -z "${dns_vars_file}" || . "${dns_vars_file}"

net/openvpn/pkg/PLIST

@@ -10,6 +10,7 @@ lib/openvpn/plugins/openvpn-plugin-down-root.la
 @so lib/openvpn/plugins/openvpn-plugin-down-root.so
 libexec/openvpn/
 libexec/openvpn/dns-updown
+libexec/openvpn/dns-updown.resolvd
 @man man/man5/openvpn-examples.5
 @man man/man8/openvpn.8
 @bin sbin/openvpn