Index: head/security/openvpn/Makefile
===================================================================
--- head/security/openvpn/Makefile (revision 428094)
+++ head/security/openvpn/Makefile (revision 428095)
@@ -1,130 +1,126 @@ # Created by: Matthias Andree # $FreeBSD$ PORTNAME= openvpn -DISTVERSION= 2.3.13 -PORTREVISION= 1 +DISTVERSION= 2.3.14 CATEGORIES= security net MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \ http://build.openvpn.net/downloads/releases/ MAINTAINER= mandree@FreeBSD.org COMMENT?= Secure IP/Ethernet tunnel daemon LICENSE= GPLv2 CONFLICTS_INSTALL= openvpn-2.[!3].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* GNU_CONFIGURE= yes USES= cpe libtool pkgconfig shebangfix tar:xz SHEBANG_FILES= sample/sample-scripts/verify-cn \ sample/sample-scripts/auth-pam.pl \ sample/sample-scripts/ucn.pl # avoid picking up CMAKE, we don't have cmocka anyways. CONFIGURE_ENV+= ac_cv_prog_CMAKE= CMAKE= # let OpenVPN's configure script pick up the requisite libraries, # but do not break the plugin build if an older version is installed CPPFLAGS+= -I${WRKSRC}/include -I${LOCALBASE}/include LDFLAGS+= -L${LOCALBASE}/lib # set PLUGIN_LIBDIR so that unqualified plugin paths are found: CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\" OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \ - TUNNELBLICK TEST FIXSUBNET -OPTIONS_DEFAULT= EASYRSA OPENSSL TEST FIXSUBNET + TUNNELBLICK TEST +OPTIONS_DEFAULT= EASYRSA OPENSSL TEST OPTIONS_SINGLE= SSL OPTIONS_SINGLE_SSL= OPENSSL POLARSSL # The following feature is always enabled since 2.3.9 and no longer optional. # PW_SAVE_DESC= Interactive passwords may be read from a file PKCS11_DESC= Use security/pkcs11-helper EASYRSA_DESC= Install security/easy-rsa RSA helper package POLARSSL_DESC= SSL/TLS via mbedTLS 1.3.X (not 2.x) TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!) 
X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only) -FIXSUBNET_DESC= Enable 'topology subnet' fix (experimental) EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper PKCS11_CONFIGURE_ENABLE= pkcs11 TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch - -FIXSUBNET_EXTRA_PATCHES= ${FILESDIR}/extra-patch-fix-subnet X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username X509ALTUSERNAME_PREVENTS= POLARSSL X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead OPENSSL_USES= ssl OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl # Pin the libmbedtls version because the 2.3.x port can't work with .so.10 or # newer from the security/mbedtls package. Upstream works in progress # for OpenVPN 2.4 to use mbedTLS 2.X. POLARSSL_LIB_DEPENDS= libmbedtls.so.9:security/polarssl13 POLARSSL_CONFIGURE_ON= --with-crypto-library=polarssl USE_RC_SUBR= openvpn USE_LDCONFIG= ${PREFIX}/lib SUB_FILES= pkg-message openvpn-client .ifdef (LOG_OPENVPN) CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} .endif LIB_DEPENDS+= liblzo2.so:archivers/lzo2 PORTDOCS= * PORTEXAMPLES= * TEST_ALL_TARGET= check TEST_TEST_TARGET_OFF= check # XXX Please remove this compatibility wrapper after 2017Q2 is branched. .ifdef(WITHOUT_CHECK) WARNING+= "${.CURDIR}: WITHOUT_CHECK is deprecated, please use WITHOUT=TEST or OPTIONS_UNSET=TEST." 
WITHOUT+= TEST .endif pre-configure: .ifdef (LOG_OPENVPN) @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}" .else @${ECHO} "" @${ECHO} "You may use the following build options:" @${ECHO} "" @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}" @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6" @${ECHO} "" .endif post-configure: ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \ ${WRKSRC}/src/plugins/auth-pam/Makefile \ ${WRKSRC}/src/plugins/down-root/Makefile post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client ${MKDIR} ${STAGEDIR}${PREFIX}/include post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/ .for i in AUTHORS ChangeLog PORTS ${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/ .endfor post-install-EXAMPLES-on: (cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/) ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/* .include Index: head/security/openvpn/distinfo =================================================================== --- head/security/openvpn/distinfo (revision 428094) +++ head/security/openvpn/distinfo (revision 428095) 
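Review bot: `MASTER_SITES` in the context lines at the top of this hunk still lists both upstream mirrors as plain `http://`, so the only integrity control on the 2.3.14 fetch is the SHA256/SIZE pair that this same commit updates in `distinfo`. That pair protects users once it is committed, but only if it was recorded from a tarball checked against upstream's detached signature rather than from whatever the HTTP fetch returned; the diff does not show how it was verified. If both hosts serve the same paths over TLS, consider `MASTER_SITES= https://swupdate.openvpn.net/community/releases/ \` and `https://build.openvpn.net/downloads/releases/`.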
@@ -1,3 +1,3 @@ -TIMESTAMP = 1478247941 -SHA256 (openvpn-2.3.13.tar.xz) = 9cde0c8000fd32d5275adb55f8bb1d8ba429ff3de35f60a36e81f3859b7537e0 -SIZE (openvpn-2.3.13.tar.xz) = 829484 +TIMESTAMP = 1481159357 +SHA256 (openvpn-2.3.14.tar.xz) = f3a0d0eaf8d544409f76a9f2a238a0cd3dde9e1a9c1f98ac732a8b572bcdee98 +SIZE (openvpn-2.3.14.tar.xz) = 831404 Index: head/security/openvpn/files/extra-patch-fix-subnet =================================================================== --- head/security/openvpn/files/extra-patch-fix-subnet (revision 428094) +++ head/security/openvpn/files/extra-patch-fix-subnet (nonexistent) @@ -1,90 +0,0 @@ -commit 446ef5bda4cdc75d4cb955e274846faff0181fd3 -Author: Gert Doering -Date: Tue Nov 8 13:45:06 2016 +0100 - - Repair topology subnet on FreeBSD 11 - - We used to add "route for this subnet" by using our own address as - the gateway address, which used to mean "connected to the interface, - no gateway". FreeBSD commit 293159 changed the kernel side of that - assumption so "my address" is now always bound to "lo0" - thus, our - subnet route also ended up pointing to "lo0", breaking connectivity - for all hosts in the subnet except the one we used as "remote". - - commit 60fd44e501f200 already introduced a "remote address" we use - for the "ifconfig tunX " part - extend that to be used - as gateway address for the "tunX subnet" as well, and things will - work more robustly. - - Tested on FreeBSD 11.0-RELEASE and 7.4-RELEASE (client and server) - (this particular issue is not present before 11.0, but "adding the - subnet route" never worked right, not even in 7.4 - 11.0 just made - the problem manifest more clearly) - - Trac #425 - URL: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207831 - - Signed-off-by: Gert Doering - Acked-by: Steffan Karger - Message-Id: <20161108124506.32559-1-gert@greenie.muc.de> - URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12950.html - 
Signed-off-by: Gert Doering - (cherry picked from commit a433b3813d8c38b491d2baa7b433973f2d6cd7c6) - -diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c -index 11027dd..9bb586d 100644 ---- ./src/openvpn/tun.c -+++ ./src/openvpn/tun.c -@@ -635,8 +635,8 @@ void delete_route_connected_v6_net(struct tuntap * tt, - * is still point to point and no layer 2 resolution is done... - */ - --const char * --create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc ) -+in_addr_t -+create_arbitrary_remote( struct tuntap *tt ) - { - in_addr_t remote; - -@@ -644,7 +644,7 @@ create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc ) - - if ( remote == tt->local ) remote ++; - -- return print_in_addr_t (remote, 0, gc); -+ return remote; - } - #endif - -@@ -1126,6 +1126,8 @@ do_ifconfig (struct tuntap *tt, - - #elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY) - -+ in_addr_t remote_end; /* for "virtual" subnet topology */ -+ - /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */ - if (tun) - argv_printf (&argv, -@@ -1138,12 +1140,13 @@ do_ifconfig (struct tuntap *tt, - ); - else if ( tt->topology == TOP_SUBNET ) - { -+ remote_end = create_arbitrary_remote( tt ); - argv_printf (&argv, - "%s %s %s %s mtu %d netmask %s up", - IFCONFIG_PATH, - actual, - ifconfig_local, -- create_arbitrary_remote( tt, &gc ), -+ print_in_addr_t (remote_end, 0, &gc), - tun_mtu, - ifconfig_remote_netmask - ); -@@ -1170,7 +1173,7 @@ do_ifconfig (struct tuntap *tt, - r.flags = RT_DEFINED; - r.network = tt->local & tt->remote_netmask; - r.netmask = tt->remote_netmask; -- r.gateway = tt->local; -+ r.gateway = remote_end; - add_route (&r, tt, 0, NULL, es); - } - Property changes on: head/security/openvpn/files/extra-patch-fix-subnet ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: 
svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property