diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index 2fd0f2dcf85f..18f50eac70b2 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -1,168 +1,168 @@
 PORTNAME=		openvpn
 DISTVERSION=		2.6.7
-PORTREVISION?=		0
+PORTREVISION?=		1
 CATEGORIES=		security net net-vpn
 MASTER_SITES=		https://swupdate.openvpn.org/community/releases/ \
 			https://build.openvpn.net/downloads/releases/ \
 			LOCAL/mandree
 
 MAINTAINER=		mandree@FreeBSD.org
 COMMENT?=		Secure IP/Ethernet tunnel daemon
 WWW=			https://openvpn.net/community/
 
 LICENSE=		GPLv2
 LICENSE_FILE=		${WRKSRC}/COPYRIGHT.GPL
 
 BUILD_DEPENDS+=		cmocka>=0:sysutils/cmocka \
 			rst2man:textproc/py-docutils@${PY_FLAVOR}
 
 USES=			cpe libtool localbase:ldflags pkgconfig python:build shebangfix ssl
 USE_RC_SUBR=		openvpn
 
 SHEBANG_FILES=		sample/sample-scripts/auth-pam.pl \
 			sample/sample-scripts/totpauth.py \
 			sample/sample-scripts/ucn.pl \
 			sample/sample-scripts/verify-cn
 
 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS+=	--enable-strict --with-crypto-library=openssl
 # set PLUGIN_LIBDIR so that unqualified plugin paths are found:
 CONFIGURE_ENV+=		PLUGINDIR="${PREFIX}/lib/openvpn/plugins"
 
 CONFLICTS_INSTALL?=	openvpn-2* openvpn-devel openvpn-mbedtls
 
 SUB_FILES=		pkg-message openvpn-client
 
 USERS=			openvpn
 GROUPS=			openvpn
 
 PORTDOCS=		*
 PORTEXAMPLES=		*
 
 OPTIONS_DEFINE=		ASYNC_PUSH DCO DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \
 			TEST UNITTESTS X509ALTUSERNAME
 OPTIONS_DEFAULT=	DCO EASYRSA LZ4 LZO PKCS11 TEST
 OPTIONS_EXCLUDE_FreeBSD_12=	DCO # FreeBSD 14 only
 OPTIONS_EXCLUDE_FreeBSD_13=	DCO # FreeBSD 14 only
 
 ASYNC_PUSH_DESC=	Enable async-push support
 DCO_DESC=		Build with Data Channel Offload (ovpn(4)) support
 EASYRSA_DESC=		Install security/easy-rsa RSA helper package
 LZO_DESC=		LZO compression (incompatible with LibreSSL)
 PKCS11_DESC=		Use security/pkcs11-helper, needs same SSL lib!
 SMALL_DESC=		Build a smaller executable with fewer features
 UNITTESTS_DESC=		Enable unit tests
 X509ALTUSERNAME_DESC=	Enable --x509-username-field
 
 ASYNC_PUSH_LIB_DEPENDS=	libinotify.so:devel/libinotify
 ASYNC_PUSH_CONFIGURE_ENABLE=	async-push
 
 DCO_CONFIGURE_ENABLE=	dco
 
 EASYRSA_RUN_DEPENDS=	easy-rsa>=0:security/easy-rsa
 
 LZ4_LIB_DEPENDS+=	liblz4.so:archivers/liblz4
 LZ4_CONFIGURE_ENABLE=	lz4
 
 LZO_LIB_DEPENDS+=	liblzo2.so:archivers/lzo2
 LZO_CONFIGURE_ENABLE=	lzo
 
 PKCS11_LIB_DEPENDS=	libpkcs11-helper.so:security/pkcs11-helper
 PKCS11_CONFIGURE_ENABLE=	pkcs11
 
 SMALL_CONFIGURE_ENABLE=	small
 
 TEST_ALL_TARGET=	check
 TEST_TEST_TARGET_OFF=	check
 
 UNITTESTS_BUILD_DEPENDS=	cmocka>=0:sysutils/cmocka
 UNITTESTS_CONFIGURE_ENABLE=	unit-tests
 
 X509ALTUSERNAME_CONFIGURE_ENABLE=	x509-alt-username
 
 .ifdef (LOG_OPENVPN)
 CFLAGS+=		-DLOG_OPENVPN=${LOG_OPENVPN}
 .endif
 
 .include <bsd.port.options.mk>
 
 .if ${PORT_OPTIONS:MLZO}
 IGNORE_SSL=libressl libressl-devel
 IGNORE_SSL_REASON=OpenVPN does not have permission to include LZO with LibreSSL. Compile against OpenSSL, or if your setups support it, disable LZO support
 .endif
 
 .if ! ${PORT_OPTIONS:MLZ4} && ! ${PORT_OPTIONS:MLZO}
 CONFIGURE_ARGS+=	--enable-comp-stub
 .endif
 
 .include <bsd.port.pre.mk>
 
 .if !empty(PORT_OPTIONS:MLZO) && !empty(SSL_DEFAULT:Nbase:Nopenssl*)
 # in-depth security net if Mk/Uses/ssl.mk changes
 pre-everything::
 	@${ECHO_CMD} >&2 "ERROR: OpenVPN is not licensed to combine LZO with other OpenSSL-licensed libraries than OpenSSL. Compile against OpenSSL, or if your setups support it, disable LZO support."
 	@${SHELL} -c 'exit 1'
 .endif
 
 post-patch:
 	${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \
 		-e 's/"nobody"( after init)/"openvpn" \1/' \
 		${WRKSRC}/sample/sample-config-files/*.conf \
 		${WRKSRC}/doc/man-sections/generic-options.rst
 
 pre-configure:
 	# just too many of sign-compare; bitwise-instead-of-logical was audited and is intentional,
 	# and unused-function affects test---these are developer-side warnings, not relevant on end systems
 	${REINPLACE_CMD} 's/-Wsign-compare/-Wno-unknown-warning-option -Wno-sign-compare -Wno-bitwise-instead-of-logical -Wno-unused-function/' ${WRKSRC}/configure
 .ifdef (LOG_OPENVPN)
 	@${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
 .else
 	@${ECHO} ""
 	@${ECHO} "You may use the following build options:"
 	@${ECHO} ""
 	@${ECHO} "      LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
 	@${ECHO} "      EXAMPLE:  make LOG_OPENVPN=LOG_LOCAL6"
 	@${ECHO} ""
 .endif
 .if !empty(SSL_DEFAULT:Mlibressl*)
 	@${ECHO} "### --------------------------------------------------------- ###"
 	@${ECHO} "### NOTE that libressl is not primarily supported by OpenVPN  ###"
 	@${ECHO} "### Do not report bugs without fixes/patches unless the issue ###"
 	@${ECHO} "### can be reproduced with a released OpenSSL version.        ###"
 	@${ECHO} "### --------------------------------------------------------- ###"
 	@sleep 10
 .endif
 
 post-configure:
 	${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \
 	 	${WRKSRC}/src/plugins/auth-pam/Makefile \
 	 	${WRKSRC}/src/plugins/down-root/Makefile
 
 # sanity check that we don't inherit incompatible SSL libs through,
 # for instance, pkcs11-helper:
 _tlslibs=libssl libcrypto
 post-build:
 	@a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \
 	|	${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\
 	if test "$$*" != "1" ; then ( set -x ; ldd -a ${WRKSRC}/src/openvpn/openvpn ) ; ${PRINTF} '%s\n' "$$a" ; ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi
 
 post-install:
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
 	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
 	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down
 	${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
 	${MKDIR} ${STAGEDIR}${PREFIX}/include
 
 post-install-DOCS-on:
 	${MKDIR} ${STAGEDIR}${DOCSDIR}/
 .for i in AUTHORS ChangeLog PORTS
 	${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
 .endfor
 
 post-install-EXAMPLES-on:
 	(cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/)
 	${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/*
 	${RM} ${STAGEDIR}${EXAMPLESDIR}/sample-config-files/*.orig
 
 .include <bsd.port.post.mk>
diff --git a/security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5 b/security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5
new file mode 100644
index 000000000000..9939c46f3d36
--- /dev/null
+++ b/security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5
@@ -0,0 +1,89 @@
+From 457f468a76f324a14b1236988cc5f5a95f14abf5 Mon Sep 17 00:00:00 2001
+From: Aquila Macedo <aquilamacedo@riseup.net>
+Date: Thu, 19 Oct 2023 16:40:49 -0300
+Subject: [PATCH] doc: Correct typos in multiple documentation files
+
+Fixed typographical errors in various documentation files for improved clarity and readability.
+
+Signed-off-by: Aquila Macedo <aquilamacedo@riseup.net>
+Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
+Message-Id: <4a3a9f1d691704f25f07653bb0de2583@riseup.net>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27320.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+(cherry picked from commit 20c42b89f6d38a4426b5fe67f59acaadcb9ac314)
+---
+ doc/man-sections/client-options.rst      | 4 ++--
+ doc/man-sections/generic-options.rst     | 2 +-
+ doc/man-sections/server-options.rst      | 2 +-
+ doc/man-sections/vpn-network-options.rst | 2 +-
+ src/openvpn/options.c                    | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst
+index 3616ed7f3f8..54c4ec63073 100644
+--- ./doc/man-sections/client-options.rst
++++ b/doc/man-sections/client-options.rst
+@@ -51,9 +51,9 @@ configuration.
+   react according to ``--auth-retry``
+ 
+ --auth-token-user base64username
+-  Companion option to ``--auth-token``. This options allows to override
++  Companion option to ``--auth-token``. This options allows one to override
+   the username used by the client when reauthenticating with the ``auth-token``.
+-  It also allows to use ``--auth-token`` in setups that normally do not use
++  It also allows one to use ``--auth-token`` in setups that normally do not use
+   username and password.
+ 
+   The username has to be base64 encoded.
+diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
+index 97e1b5aa610..95e4ca233bd 100644
+--- ./doc/man-sections/generic-options.rst
++++ b/doc/man-sections/generic-options.rst
+@@ -483,7 +483,7 @@ which mode OpenVPN is configured as.
+ 
+   * :code:`OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` plug-in hooks returns
+     success/failure via :code:`auth_control_file` when using deferred auth
+-    method and pending authentification via :code:`pending_auth_file`.
++    method and pending authentication via :code:`pending_auth_file`.
+ 
+ --use-prediction-resistance
+   Enable prediction resistance on mbed TLS's RNG.
+diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
+index 6b9ad21b816..e7a7b2dba43 100644
+--- ./doc/man-sections/server-options.rst
++++ b/doc/man-sections/server-options.rst
+@@ -739,7 +739,7 @@ fast hardware. SSL/TLS authentication must be used in this mode.
+ 
+ --vlan-pvid v
+   Specifies which VLAN identifier a "port" is associated with. Only valid
+-  when ``--vlan-tagging`` is speficied.
++  when ``--vlan-tagging`` is specified.
+ 
+   In the client context, the setting specifies which VLAN ID a client is
+   associated with. In the global context, the VLAN ID of the server TAP
+diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst
+index 3fa3ccf1073..41d367bfd0e 100644
+--- ./doc/man-sections/vpn-network-options.rst
++++ b/doc/man-sections/vpn-network-options.rst
+@@ -548,7 +548,7 @@ routing.
+   It's best to use the ``--fragment`` and/or ``--mssfix`` options to deal
+   with MTU sizing issues.
+ 
+-  Note: Depending on the platform, the operating system allows to receive
++  Note: Depending on the platform, the operating system allows one to receive
+   packets larger than ``tun-mtu`` (e.g. Linux and FreeBSD) but other platforms
+   (like macOS) limit received packets to the same size as the MTU.
+ 
+diff --git a/src/openvpn/options.c b/src/openvpn/options.c
+index 631ac73db8f..895ce830f6a 100644
+--- ./src/openvpn/options.c
++++ b/src/openvpn/options.c
+@@ -598,7 +598,7 @@ static const char usage_message[] =
+     "                  Windows Certificate System Store.\n"
+ #endif
+     "--tls-cipher l  : A list l of allowable TLS ciphers separated by : (optional).\n"
+-    "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n"
++    "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
+     "                : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
+     "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
+     "                  (default=legacy).\n"
diff --git a/security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d b/security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d
new file mode 100644
index 000000000000..4c347593ac7a
--- /dev/null
+++ b/security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d
@@ -0,0 +1,48 @@
+From a903ebe9361d451daee71c225e141f4e1b67107d Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne@rfc2549.org>
+Date: Wed, 15 Nov 2023 11:33:31 +0100
+Subject: [PATCH] Do not check key_state buffers that are in S_UNDEF state
+
+When a key_state is in S_UNDEF the send_reliable is not initialised. So
+checking it might access invalid memory or null pointers.
+
+Github: fixes OpenVPN/openvpn#449
+
+Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
+[a@unstable.cc: add check for !send_reliable and message]
+Signed-off-by: Arne Schwabe <arne@rfc2549.org>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <20231115103331.18050-1-gert@greenie.muc.de>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ src/openvpn/ssl.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
+index cee4afe19f3..b4cd8f5a567 100644
+--- ./src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -3189,6 +3189,22 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
+     for (int i = 0; i < KS_SIZE; i++)
+     {
+         struct key_state *ks = &session->key[i];
++        if (ks->state == S_UNDEF)
++        {
++            continue;
++        }
++
++        /* we don't expect send_reliable to be NULL when state is
++         * not S_UNDEF, but people have reported crashes nonetheless,
++         * therefore we better catch this event, report and exit.
++         */
++        if (!ks->send_reliable)
++        {
++            msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL "
++                "while key state is %s. Exiting.",
++                i, state_name(ks->state));
++        }
++
+         for (int j = 0; j < ks->send_reliable->size; j++)
+         {
+             if (ks->send_reliable->array[i].buf.data == dataptr)