Second half of net-vpn/ move

106 files changed, 3870 insertions, 0 deletions

diff --git a/net-vpn/6tunnel/6tunnel-0.10.ebuild b/net-vpn/6tunnel/6tunnel-0.10.ebuild
new file mode 100644
index 000000000000..0b4cadb97a0e
--- /dev/null
+++ b/net-vpn/6tunnel/6tunnel-0.10.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+DESCRIPTION="TCP proxy for applications that don't speak IPv6"
+HOMEPAGE="http://toxygen.net/6tunnel"
+SRC_URI="http://toxygen.net/6tunnel/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="s390 x86"
+IUSE=""
+
+DEPEND=""
+
+src_install() {
+	dobin 6tunnel || die
+	doman 6tunnel.1
+}
diff --git a/net-vpn/6tunnel/6tunnel-0.11_rc1.ebuild b/net-vpn/6tunnel/6tunnel-0.11_rc1.ebuild
new file mode 100644
index 000000000000..c650cdba07b4
--- /dev/null
+++ b/net-vpn/6tunnel/6tunnel-0.11_rc1.ebuild
@@ -0,0 +1,20 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+DESCRIPTION="TCP proxy for applications that don't speak IPv6"
+HOMEPAGE="http://toxygen.net/6tunnel"
+SRC_URI="http://toxygen.net/6tunnel/${P/_/}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~x86 ~s390"
+IUSE=""
+
+DEPEND=""
+
+S=${WORKDIR}/6tunnel-0.11
+
+src_install() {
+	dobin 6tunnel || die
+	doman 6tunnel.1
+}
diff --git a/net-vpn/6tunnel/6tunnel-0.12.ebuild b/net-vpn/6tunnel/6tunnel-0.12.ebuild
new file mode 100644
index 000000000000..1fedcca11208
--- /dev/null
+++ b/net-vpn/6tunnel/6tunnel-0.12.ebuild
@@ -0,0 +1,13 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+DESCRIPTION="TCP proxy for applications that don't speak IPv6"
+HOMEPAGE="http://toxygen.net/6tunnel"
+SRC_URI="http://toxygen.net/6tunnel/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~s390 ~x86"
+IUSE=""
diff --git a/net-vpn/6tunnel/Manifest b/net-vpn/6tunnel/Manifest
new file mode 100644
index 000000000000..c989f86e246f
--- /dev/null
+++ b/net-vpn/6tunnel/Manifest
@@ -0,0 +1,3 @@
+DIST 6tunnel-0.10.tar.gz 37882 SHA256 3cd467038bc8185baee10bc0f627a25897cd4bc9c83b8273d20b84a640c7636b SHA512 f8d328eb1ab6fedae8a641bdf5326eb919d53a3dea2a2268afec9d7b04f37feba3ec4362864cee011f13e68d69751b4c3b22d17f8f1119e1ea8b600fb73fd6ee WHIRLPOOL 339a316066222627855edfdae4edfd334ddcc4b50159a1d5bf1672095ac64a8386b1530078b1c54669ba7b48e9d70098dc7a0b77c890de37e6881ab475001352
+DIST 6tunnel-0.11rc1.tar.gz 38126 SHA256 29f3b148d3569ce6ef4f34d37c8158acadb27964a54554e8d6746612fe46ba66 SHA512 7651ccdb8d98885ad4afd50421efd21d4c92fcc2e7f0374ed456b193481972965b94db4061b0ab055309e09836a10cd0ecfa09591bae2c8bb74cf639be52c7e8 WHIRLPOOL f1e7a9aef4d7128f690155464c0b69b80ee8da833092e511df79b306986ec8e55657bcf8796ba7631d2cbb531b225e4171794ca6989ba24fcc4e9df17c0cf119
+DIST 6tunnel-0.12.tar.gz 96364 SHA256 80dbe91bb92282c3c5e98dec871dcd1738ae824e532f9fd6db0d6ebd469d79bf SHA512 56c5b8b285c730e25a1bd57a37fc6d169c4c54a842e7763a1580231158858a098b8eb5549dd8adf0c5ae4516cce9c70b00ae82f27b6e152ca10eba7681b8808b WHIRLPOOL 86b4da2155fff16e6f5dc45a239165e6e300ebda57bc2aab389fed5c7780db52d1f22b74486047d820d5108e05a060ab071be0aa7650a206324a181c43e1bc7c
diff --git a/net-vpn/6tunnel/metadata.xml b/net-vpn/6tunnel/metadata.xml
new file mode 100644
index 000000000000..6f49eba8f496
--- /dev/null
+++ b/net-vpn/6tunnel/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<!-- maintainer-needed -->
+</pkgmetadata>
diff --git a/net-vpn/aiccu/Manifest b/net-vpn/aiccu/Manifest
new file mode 100644
index 000000000000..d3919d5dc977
--- /dev/null
+++ b/net-vpn/aiccu/Manifest
@@ -0,0 +1 @@
+DIST aiccu_20070115.tar.gz 70056 SHA256 2260f426c13471169ccff8cb4a3908dc5f79fda18ddb6a55363e7824e6c4c760 SHA512 15b2f0dab51843e58abbd8a0cc13139e492057ee348e368e1b65476bb2760119e88982cd03ffc6ec2cb563a1b7a061e1f66a98861eaad15972d486ac17b7bc78 WHIRLPOOL a5743e9c28ec3b9f6bc43f1b715553842a13872f18281239ed76d3b322e3a4c3c3e0f0c5d80b47694bbedaf831d1b3feed285af9f37174cac323b2c1814813d7
diff --git a/net-vpn/aiccu/aiccu-2007.01.15-r5.ebuild b/net-vpn/aiccu/aiccu-2007.01.15-r5.ebuild
new file mode 100644
index 000000000000..4c92c3258bda
--- /dev/null
+++ b/net-vpn/aiccu/aiccu-2007.01.15-r5.ebuild
@@ -0,0 +1,58 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+inherit eutils linux-info systemd toolchain-funcs
+
+DESCRIPTION="AICCU Client to configure an IPv6 tunnel to SixXS"
+HOMEPAGE="http://www.sixxs.net/tools/aiccu"
+SRC_URI="http://www.sixxs.net/archive/sixxs/aiccu/unix/${PN}_${PV//\./}.tar.gz"
+
+LICENSE="SixXS"
+SLOT="0"
+KEYWORDS="amd64 arm hppa ppc sparc x86"
+IUSE="systemd"
+
+RDEPEND="
+	net-libs/gnutls
+	sys-apps/iproute2
+	systemd? ( sys-apps/systemd )
+"
+DEPEND="${RDEPEND}
+	virtual/pkgconfig
+"
+
+S=${WORKDIR}/${PN}
+
+CONFIG_CHECK="~TUN"
+
+src_prepare() {
+	epatch \
+		"${FILESDIR}"/${P}-r2-init.gentoo.patch \
+		"${FILESDIR}"/${P}-Makefile.patch \
+		"${FILESDIR}"/${P}-setupscript.patch \
+		"${FILESDIR}"/${P}-uclibc.patch \
+		"${FILESDIR}"/${P}-systemd.patch \
+		"${FILESDIR}"/${P}-gnutls-3.4.patch
+}
+
+src_compile() {
+	# Don't use main Makefile since it requires additional
+	# dependencies which are useless for us.
+	emake CC=$(tc-getCC) STRIP= -C unix-console \
+		HAVE_SYSTEMD=$(usex systemd 1 0)
+}
+
+src_install() {
+	dosbin unix-console/${PN}
+
+	insopts -m 600
+	insinto /etc
+	doins doc/${PN}.conf
+	newinitd doc/${PN}.init.gentoo ${PN}
+
+	use systemd && systemd_dounit doc/${PN}.service
+
+	dodoc doc/{HOWTO,README,changelog}
+}
diff --git a/net-vpn/aiccu/files/aiccu-2007.01.15-Makefile.patch b/net-vpn/aiccu/files/aiccu-2007.01.15-Makefile.patch
new file mode 100644
index 000000000000..c0eabbefd906
--- /dev/null
+++ b/net-vpn/aiccu/files/aiccu-2007.01.15-Makefile.patch
@@ -0,0 +1,79 @@
+--- unix-console/Makefile.old	2010-06-28 21:56:32.287782600 +0200
++++ unix-console/Makefile	2010-06-28 22:15:56.232637681 +0200
+@@ -25,14 +25,11 @@ CWARNS += -W -Wall -Wshadow -Wpointer-ar
+ # CWARNS += -Wpacked
+ 
+ #CFLAGS	+= $(CWARNS) -D_GNU_SOURCE -D_DEBUG -g3 -O0
+-CFLAGS	+= $(CWARNS) -D_GNU_SOURCE
++CFLAGS ?= $(CWARNS) -O3
++CFLAGS	+= -D_GNU_SOURCE
+ CC      = @gcc
+ RM      = rm
+-
+-# Add -O3 when nothing is specified yet
+-ifeq ($(shell echo $(CFLAGS) | grep -c "\-O"),0)
+-CFLAGS	+= -O3
+-endif
++STRIP   = strip
+ 
+ # This is a console client
+ CFLAGS	+= -D AICCU_CONSOLE
+@@ -42,7 +39,7 @@ CFLAGS	+= -D AICCU_CONSOLE
+ # Currently defaultly builds only on Linux, but other platforms might easily also support it
+ ifeq ($(shell uname | grep -c "Linux"),1)
+ CFLAGS	+= -D AICCU_GNUTLS
+-LDFLAGS += -lgnutls
++LIBS += -lgnutls
+ endif
+ 
+ # Linux
+@@ -50,7 +47,7 @@ ifeq ($(shell uname | grep -c "Linux"),1
+ CFLAGS  += -D_LINUX -D HAS_IFHEAD -D AICCU_TYPE="\"linux\""
+ SRCS	+= ../common/aiccu_linux.c
+ OBJS	+= ../common/aiccu_linux.o
+-LDFLAGS	+= -lpthread -lresolv
++LIBS	+= -lpthread -lresolv
+ endif
+ 
+ # FreeBSD
+@@ -118,7 +115,7 @@ ifeq ($(shell uname | grep -c "Darwin"),
+ CFLAGS	+= -D_DARWIN -D NEED_IFHEAD -D AICCU_TYPE="\"darwin\""
+ SRCS	+= ../common/aiccu_darwin.c
+ OBJS	+= ../common/aiccu_darwin.o
+-LDFLAGS	+= -lresolv
++LIBS	+= -lresolv
+ endif
+ 
+ # SunOS / Solaris
+@@ -126,7 +123,7 @@ ifeq ($(shell uname | grep -c "SunOS"),1
+ CFLAGS	+= -D_SUNOS -D AICCU_TYPE="\"sunos\""
+ SRCS	+= ../common/aiccu_sunos.c
+ OBJS	+= ../common/aiccu_sunos.o
+-LDFLAGS	+= -lsocket -lnsl -lresolv
++LIBS	+= -lsocket -lnsl -lresolv
+ endif
+ 
+ # AIX
+@@ -137,17 +134,19 @@ CFLAGS	+= -D AICCU_CONSOLE
+ CFLAGS	+= -D_AIX -D AICCU_TYPE="\"aix\""
+ SRCS	+= ../common/aiccu_aix.c
+ OBJS	+= ../common/aiccu_aix.o
+-LDFLAGS	+= -lpthread
++LIBS	+= -lpthread
+ endif
+ 
+ 
+ all: aiccu
+ 
+ aiccu:	$(OBJS) ${SRCS} ${INCS}
+-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OBJS)
++	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
+ ifeq ($(shell echo $(CFLAGS) | grep -c "DEBUG"),0)
+ ifeq ($(shell echo "$(RPM_OPT_FLAGS)" | wc -c),1)
+-	strip $@
++ifdef STRIP
++	$(STRIP) $@
++endif
+ endif
+ endif
+ 
diff --git a/net-vpn/aiccu/files/aiccu-2007.01.15-gnutls-3.4.patch b/net-vpn/aiccu/files/aiccu-2007.01.15-gnutls-3.4.patch
new file mode 100644
index 000000000000..ee637a761029
--- /dev/null
+++ b/net-vpn/aiccu/files/aiccu-2007.01.15-gnutls-3.4.patch
@@ -0,0 +1,22 @@
+from http://git.alpinelinux.org/cgit/aports/tree/main/aiccu
+
+--- aiccu/common/common.c	2015-04-17 23:08:32.543680010 +0200
++++ aiccu/common/common.c.new	2015-04-17 23:14:02.152457972 +0200
+@@ -272,7 +272,6 @@
+ {
+ #ifdef AICCU_GNUTLS
+ 	/* Allow connections to servers that have OpenPGP keys as well */
+-	const int	cert_type_priority[3] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 };
+ 	int		ret;
+ #endif /* AICCU_GNUTLS*/
+ 
+@@ -300,8 +299,7 @@
+ 	gnutls_set_default_priority(sock->session);
+ 	/* XXX: Return value is not documented in GNUTLS documentation! */
+ 
+-	gnutls_certificate_type_set_priority(sock->session, cert_type_priority);
+-	/* XXX: Return value is not documented in GNUTLS documentation! */
++	gnutls_priority_set_direct(sock->session, "NORMAL:+CTYPE-OPENPGP", NULL);
+ 
+ 	/* Configure the x509 credentials for the current session */
+ 	gnutls_credentials_set(sock->session, GNUTLS_CRD_CERTIFICATE, g_aiccu->tls_cred);
diff --git a/net-vpn/aiccu/files/aiccu-2007.01.15-r2-init.gentoo.patch b/net-vpn/aiccu/files/aiccu-2007.01.15-r2-init.gentoo.patch
new file mode 100644
index 000000000000..35ca2b8a6719
--- /dev/null
+++ b/net-vpn/aiccu/files/aiccu-2007.01.15-r2-init.gentoo.patch
@@ -0,0 +1,33 @@
+--- aiccu/doc/aiccu.init.gentoo
++++ aiccu/doc/aiccu.init.gentoo
+@@ -2,7 +2,7 @@
+ 
+ depend() {
+ 	need net
+-	after ntp-client
++	after ntp-client ntpd
+ }
+ 
+ checkconfig() {
+@@ -23,14 +23,19 @@
+ start() {
+ 	checkconfig || return 1
+ 	ebegin "Starting aiccu"
+-	start-stop-daemon --start --oknodo --quiet --exec /usr/sbin/aiccu -- start
++	start-stop-daemon --start --quiet --exec /usr/sbin/aiccu -- start
+ 	eend $?
+ }
+ 
+ 
+ stop() {
+ 	ebegin "Stopping aiccu"
+-	start-stop-daemon --stop --oknodo --quiet --exec /usr/sbin/aiccu -- stop
++	start-stop-daemon --stop --pidfile /var/run/aiccu.pid --quiet --exec /usr/sbin/aiccu -- stop
+ 	eend $?
+ }
+ 
++restart() {
++	stop
++	sleep 3
++	start
++}
diff --git a/net-vpn/aiccu/files/aiccu-2007.01.15-setupscript.patch b/net-vpn/aiccu/files/aiccu-2007.01.15-setupscript.patch
new file mode 100644
index 000000000000..8981530435f3
--- /dev/null
+++ b/net-vpn/aiccu/files/aiccu-2007.01.15-setupscript.patch
@@ -0,0 +1,17 @@
+--- aiccu/unix-console/main.c
++++ aiccu/unix-console/main.c
+@@ -471,6 +471,14 @@
+ 	 */
+ 	if (aiccu_setup(hTunnel, true))
+ 	{
++
++		/* Running setup script */
++		if (g_aiccu->setupscript)
++		{
++			aiccu_exec("%s", g_aiccu->setupscript);
++		}
++
++
+ 		/* We need to stay running when doing Heartbeat or AYIYA */
+ 		if (	strcasecmp(hTunnel->sType, "6in4-heartbeat") == 0 ||
+ 			strcasecmp(hTunnel->sType, "ayiya") == 0)
diff --git a/net-vpn/aiccu/files/aiccu-2007.01.15-systemd.patch b/net-vpn/aiccu/files/aiccu-2007.01.15-systemd.patch
new file mode 100644
index 000000000000..e8616d04b3fc
--- /dev/null
+++ b/net-vpn/aiccu/files/aiccu-2007.01.15-systemd.patch
@@ -0,0 +1,52 @@
+--- /dev/null
++++ aiccu-2007.01.15/doc/aiccu.service
+@@ -0,0 +1,13 @@
++[Unit]
++Description=Automatic IPv6 Connectivity Client Utility
++After=time-sync.target network.target
++ConditionPathExists=/etc/aiccu.conf
++
++
++[Service]
++Type=notify
++ExecStart=/usr/sbin/aiccu start
++ExecStop=/usr/sbin/aiccu stop
++
++[Install]
++WantedBy=multi-user.target
+--- aiccu-2007.01.15/unix-console/Makefile
++++ aiccu-2007.01.15/unix-console/Makefile
+@@ -48,6 +48,10 @@ ifeq ($(shell uname | grep -c "Linux"),1)
+ SRCS	+= ../common/aiccu_linux.c
+ OBJS	+= ../common/aiccu_linux.o
+ LIBS	+= -lpthread -lresolv
++ifeq (1,$(HAVE_SYSTEMD))
++LIBS	+= $(shell pkg-config --libs libsystemd 2>/dev/null || pkg-config --libs libsystemd-daemon)
++CFLAGS += -DHAVE_SYSTEMD
++endif
+ endif
+ 
+ # FreeBSD
+--- aiccu-2007.01.15/unix-console/main.c
++++ aiccu-2007.01.15/unix-console/main.c
+@@ -12,6 +12,9 @@
+ 
+ #include "../common/aiccu.h"
+ #include "../common/tun.h"
++#ifdef HAVE_SYSTEMD
++#include <systemd/sd-daemon.h>
++#endif
+ 
+ #ifndef _WIN32
+ /* Enable/Disable heartbeating */
+@@ -478,6 +481,10 @@ int main(int argc, char *argv[])
+ 			aiccu_exec("%s", g_aiccu->setupscript);
+ 		}
+ 
++#ifdef HAVE_SYSTEMD
++		/* Tell systemd we are operational. */
++		sd_notify(0, "READY=1");
++#endif
+ 
+ 		/* We need to stay running when doing Heartbeat or AYIYA */
+ 		if (	strcasecmp(hTunnel->sType, "6in4-heartbeat") == 0 ||
diff --git a/net-vpn/aiccu/files/aiccu-2007.01.15-uclibc.patch b/net-vpn/aiccu/files/aiccu-2007.01.15-uclibc.patch
new file mode 100644
index 000000000000..56341dea72f4
--- /dev/null
+++ b/net-vpn/aiccu/files/aiccu-2007.01.15-uclibc.patch
@@ -0,0 +1,29 @@
+--- aiccu/common/resolver.c
++++ aiccu/common/resolver.c
+@@ -26,7 +26,7 @@
+ 
+ int getrrs(const char *label, int rrtype, void gotrec(unsigned int num, int type, const char *record))
+ {
+-#ifdef _LINUX
++#if defined(_LINUX) && ! defined(__UCLIBC__)
+ 	struct __res_state	res;
+ #endif
+ 	unsigned char		answer[8192];
+@@ -38,7 +38,7 @@
+ 	uint16_t		type = 0, class = 0;
+ 	uint32_t		ttl = 0;
+ 
+-#ifdef _LINUX
++#if defined(_LINUX) && ! defined(__UCLIBC__)
+ 	memset(&res, 0, sizeof(res));
+ 	res.options = RES_DEBUG;
+ 	res_ninit(&res);
+@@ -47,7 +47,7 @@
+ #endif
+ 
+ 	memset(answer, 0, sizeof(answer));
+-#ifdef _LINUX
++#if defined(_LINUX) && ! defined(__UCLIBC__)
+ 	ret = res_nquery(&res, label, C_IN, rrtype, answer, sizeof(answer));
+ #else
+ 	ret = res_query(label, C_IN, rrtype, answer, sizeof(answer));
diff --git a/net-vpn/aiccu/metadata.xml b/net-vpn/aiccu/metadata.xml
new file mode 100644
index 000000000000..a535b8852829
--- /dev/null
+++ b/net-vpn/aiccu/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer type="person">
+<email>xmw@gentoo.org</email>
+<name>Michael Weber</name>
+</maintainer>
+</pkgmetadata>
diff --git a/net-vpn/corkscrew/Manifest b/net-vpn/corkscrew/Manifest
new file mode 100644
index 000000000000..3cb1d976bd02
--- /dev/null
+++ b/net-vpn/corkscrew/Manifest
@@ -0,0 +1 @@
+DIST corkscrew-2.0.tar.gz 56749 SHA256 0d0fcbb41cba4a81c4ab494459472086f377f9edb78a2e2238ed19b58956b0be SHA512 bfea81064601cdf67ba1730b49e3a5f7aa377423edbfb052ff0f6b2776b49e104852b7f126f4668d37541a706313ef37d9b4535126e94bb202db4ac38f693e6f WHIRLPOOL 3a765adb7d17e3d48df6396e2da7796ee90b3f25bf99737ddb40f28193183821b363b21bb071cfbf6bf7166c66e069066cf429d2aceff5c08bea4b2ed719e022
diff --git a/net-vpn/corkscrew/corkscrew-2.0.ebuild b/net-vpn/corkscrew/corkscrew-2.0.ebuild
new file mode 100644
index 000000000000..2982c2a8fddf
--- /dev/null
+++ b/net-vpn/corkscrew/corkscrew-2.0.ebuild
@@ -0,0 +1,32 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=4
+inherit autotools
+
+DESCRIPTION="a tool for tunneling SSH through HTTP proxies"
+HOMEPAGE="http://www.agroman.net/corkscrew/"
+SRC_URI="http://www.agroman.net/${PN}/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 ~arm ~ppc ~sparc x86"
+IUSE=""
+
+DOCS="AUTHORS ChangeLog README TODO"
+
+src_prepare() {
+	# Christoph Mende <angelos@gentoo.org (23 Jun 2010)
+	# Shipped configure doesn't work with some locales (bug #305771)
+	# Shipped missing doesn't work with new configure, so we'll force
+	# regeneration
+	rm -f install-sh missing mkinstalldirs || die
+
+	# Samuli Suominen <ssuominen@gentoo.org> (24 Jun 2012)
+	# AC_HEADER_STDC is called separately and #include <string.h> is
+	# without #ifdef in corkscrew.c. Instead of using AC_C_PROTOTYPES,
+	# remove the call entirely as unused wrt bug #423193
+	sed -i -e 's:AM_C_PROTOTYPES:dnl &:' configure.in || die
+
+	eautoreconf
+}
diff --git a/net-vpn/corkscrew/metadata.xml b/net-vpn/corkscrew/metadata.xml
new file mode 100644
index 000000000000..306c354edf5b
--- /dev/null
+++ b/net-vpn/corkscrew/metadata.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer type="project">
+	<email>sysadmin@gentoo.org</email>
+	<name>Gentoo Sysadmin Project</name>
+</maintainer>
+<longdescription>
+Corkscrew is a tool for tunneling SSH through HTTP proxies.
+</longdescription>
+<longdescription lang="ja">
+Corkscrew は HTTP プロクシ経由の SSH トンネルを構築するツールです。
+</longdescription>
+</pkgmetadata>
diff --git a/net-vpn/httptunnel/Manifest b/net-vpn/httptunnel/Manifest
new file mode 100644
index 000000000000..baa7722c26ba
--- /dev/null
+++ b/net-vpn/httptunnel/Manifest
@@ -0,0 +1 @@
+DIST httptunnel-3.3.tar.gz 262749 SHA256 142f82b204876c2aa90f19193c7ff78d90bb4c2cba99dfd4ef625864aed1c556 SHA512 84503e27e84cd39441a7592d6446e30fce07a54b940e4398407dc105fabc6c8f96d3b5d05137d6dab22b2088c5b114728551337429748c900bd6fe7d6b6109e5 WHIRLPOOL 2a747d5c7b0feb563a055013a330d8842b7cddbb4864aa13c98a47aaadab04480c48ffe00a4a26c44a52fe9afd7820646307b4d815ee1038d65a1e2546c451d4
diff --git a/net-vpn/httptunnel/files/httptunnel-3.3-fix_write_stdin.patch b/net-vpn/httptunnel/files/httptunnel-3.3-fix_write_stdin.patch
new file mode 100644
index 000000000000..904df6f91159
--- /dev/null
+++ b/net-vpn/httptunnel/files/httptunnel-3.3-fix_write_stdin.patch
@@ -0,0 +1,12 @@
+diff -dur httptunnel-3.3/common.c httptunnel-3.3-fix_write_stdin/common.c
+--- httptunnel-3.3/common.c	2001-02-25 12:45:41.000000000 +0100
++++ httptunnel-3.3-fix_write_stdin/common.c	2007-06-20 21:38:54.000000000 +0200
+@@ -314,7 +314,7 @@
+ 
+       /* If fd == 0, then we are using --stdin-stdout so write to stdout,
+        * not fd. */
+-      m = write_all (fd ? fd : 0, buf, (size_t)n);
++      m = write_all (fd ? fd : 1, buf, (size_t)n);
+       log_annoying ("write_all (%d, %p, %d) = %d", fd ? fd : 1, buf, n, m);
+       return m;
+     }
diff --git a/net-vpn/httptunnel/httptunnel-3.3-r2.ebuild b/net-vpn/httptunnel/httptunnel-3.3-r2.ebuild
new file mode 100644
index 000000000000..74bc2848e259
--- /dev/null
+++ b/net-vpn/httptunnel/httptunnel-3.3-r2.ebuild
@@ -0,0 +1,30 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=4
+
+inherit eutils toolchain-funcs
+
+DESCRIPTION="httptunnel can create IP tunnels through firewalls/proxies using HTTP"
+HOMEPAGE="http://www.nocrew.org/software/httptunnel.html"
+SRC_URI="http://www.nocrew.org/software/${PN}/${P}.tar.gz"
+LICENSE="GPL-2"
+KEYWORDS="amd64 ppc x86 ~x86-fbsd"
+IUSE=""
+SLOT="0"
+
+DEPEND=""
+RDEPEND=""
+
+src_prepare() {
+	epatch "${FILESDIR}"/${P}-fix_write_stdin.patch
+	tc-export CC
+}
+
+src_configure() {
+	./configure \
+		--host=${CHOST} \
+		--prefix=/usr \
+		--infodir=/usr/share/info \
+		--mandir=/usr/share/man || die
+}
diff --git a/net-vpn/httptunnel/metadata.xml b/net-vpn/httptunnel/metadata.xml
new file mode 100644
index 000000000000..6f49eba8f496
--- /dev/null
+++ b/net-vpn/httptunnel/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<!-- maintainer-needed -->
+</pkgmetadata>
diff --git a/net-vpn/htun/Manifest b/net-vpn/htun/Manifest
new file mode 100644
index 000000000000..355750f42f01
--- /dev/null
+++ b/net-vpn/htun/Manifest
@@ -0,0 +1 @@
+DIST htun-0.9.6.tar.gz 63745 SHA256 acf330a37f1ac676dcb82160f43f12e0b266263f8bf918d9990f1e17e57ed83f SHA512 d709e9b6a809df5711b3c3c61c207a0ce72a054904fbe0a39bb9c60f174b19eb5fe183e3218100f45941035f72c5212fcbd716858631d1f117e6f88608f8ea0d WHIRLPOOL 3ce553377c2107814455f9d421d5bf2cbfdb40b68e371fc3f078b2a32bfe486861d4d8a683b427238952873651606184186f9e425f22f57d34a0295c0f105a36
diff --git a/net-vpn/htun/files/README.gentoo b/net-vpn/htun/files/README.gentoo
new file mode 100644
index 000000000000..1710c726723a
--- /dev/null
+++ b/net-vpn/htun/files/README.gentoo
@@ -0,0 +1,3 @@
+NOTE: HTun requires the Universal TUN/TAP module
+available in the Linux kernel.  Make sure you have
+compiled the tun.o driver as a module!
diff --git a/net-vpn/htun/files/htun-0.9.6-glibc.patch b/net-vpn/htun/files/htun-0.9.6-glibc.patch
new file mode 100644
index 000000000000..3f281c526388
--- /dev/null
+++ b/net-vpn/htun/files/htun-0.9.6-glibc.patch
@@ -0,0 +1,14 @@
+get things building with glibc-2.8
+
+http://bugs.gentoo.org/248100
+
+--- a/include/common.h
++++ b/include/common.h
+@@ -23,6 +23,7 @@
+ #ifndef __COMMON_H
+ #define __COMMON_H
+ 
++#include <limits.h>
+ #include <netinet/in.h>
+ #include <time.h>
+ #include "queue.h"
diff --git a/net-vpn/htun/files/htun-0.9.6-makefile.patch b/net-vpn/htun/files/htun-0.9.6-makefile.patch
new file mode 100644
index 000000000000..c1f0b76bfa14
--- /dev/null
+++ b/net-vpn/htun/files/htun-0.9.6-makefile.patch
@@ -0,0 +1,34 @@
+* Fix build system to not hardcode CC
+* Fix build system to respect user flags
+
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -20,16 +20,14 @@
+ 
+ # $Id: Makefile,v 2.16 2002/08/11 15:57:07 jehsom Exp $
+ 
+-
+-CFLAGS = -I../include -I. -O -W -Wall -g -D_REENTRANT #-pg -a
+-LDFLAGS = -lfl -lpthread # -flex for linux, solaris ?
+-LEX_CFLAGS = -I../include -I. -g -D_REENTRANT #-pg -a
++CFLAGS := $(CFLAGS) -I../include -I. -O -W -Wall -D_REENTRANT
++LDFLAGS := $(LDFLAGS) -lfl -lpthread
++LEX_CFLAGS = -I../include -I. -D_REENTRANT
+ 
+ # in Linux, LFLAGS is empty. In Solaris, LFLAGS = -lnsl -lsocket
+ #LFLAGS = -lnsl -lsocket
+ 
+ VPATH	= .:../include
+-CC      := gcc
+ LEX     = flex
+ YACC    = yacc
+ INCLUDE := $(wildcard ../include/*.h)
+@@ -52,7 +50,7 @@
+ $(OBJS): $(INCLUDE)
+ 
+ $(CONFOBS): $(CONFSRC)
+-	$(CC) $(LEX_CFLAGS) -c $(@:.o=.c)
++	$(CC) $(CFLAGS) $(LEX_CFLAGS) -c $(@:.o=.c)
+ 
+ lex.yy.c: parse.l
+ 	$(LEX) $^
diff --git a/net-vpn/htun/htun-0.9.6.ebuild b/net-vpn/htun/htun-0.9.6.ebuild
new file mode 100644
index 000000000000..a04679b6af39
--- /dev/null
+++ b/net-vpn/htun/htun-0.9.6.ebuild
@@ -0,0 +1,45 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit flag-o-matic readme.gentoo-r1 toolchain-funcs
+
+DESCRIPTION="Project to tunnel IP traffic over HTTP"
+HOMEPAGE="http://linux.softpedia.com/get/System/Networking/HTun-14751.shtml"
+SRC_URI="http://www.sourcefiles.org/Networking/Tools/Proxy/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+# should not be replaced by virtual/yacc
+# at least failed with dev-util/bison
+DEPEND="dev-util/yacc"
+RDEPEND=""
+
+PATCHES=(
+	"${FILESDIR}"/${P}-glibc.patch #248100
+	"${FILESDIR}"/${P}-makefile.patch
+)
+
+src_configure() {
+	# Fix multiple symbol definitions due to
+	# C99/C11 inline semantics, bug 571458
+	append-cflags -std=gnu89
+}
+
+src_compile() {
+	emake -C src CC="$(tc-getCC)"
+}
+
+src_install() {
+	dosbin src/htund
+
+	insinto /etc
+	doins doc/htund.conf
+
+	local DOCS=( doc/. README )
+	einstalldocs
+	readme.gentoo_create_doc
+}
diff --git a/net-vpn/htun/metadata.xml b/net-vpn/htun/metadata.xml
new file mode 100644
index 000000000000..6f49eba8f496
--- /dev/null
+++ b/net-vpn/htun/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<!-- maintainer-needed -->
+</pkgmetadata>
diff --git a/net-vpn/i2p/Manifest b/net-vpn/i2p/Manifest
new file mode 100644
index 000000000000..b9bde310e97b
--- /dev/null
+++ b/net-vpn/i2p/Manifest
@@ -0,0 +1,3 @@
+DIST i2psource_0.9.26.tar.bz2 27039859 SHA256 49fbaea7f4d5ea0606de68ebb270fc3d4380631ecfd5c9ad82ed9356e29df937 SHA512 2b3f96fe97418c176b4e0058817bde81909e46d136ed5cadf9f8fb4323b0a35e0a5d3fc0eaadacbfe8f9578376d8a6c6757121452cd9f7c1c3c7d019169a914d WHIRLPOOL b8161e77a491d26f24e786bf185f9eba35aa4421ba17e668f3a8f73fc481c6c8b7ea630b8c860f4cb2c877660a703aaa0dfa2d03d8163ea98a151302067e1600
+DIST i2psource_0.9.27.tar.bz2 27339726 SHA256 89808fa062735fc880d28d232fae27028d9ecdc13b1695a251ecfec119bc15da SHA512 44825a638c0867701825e3098ca570d240db7bce761261ce6b3ebf0d781d096969275e27774a0fdf65fde11231e4f762b113abb40b9cd4edcadfd696397c719f WHIRLPOOL ae3d10635c1f508ca6e9d58a2bdaa258d62f1b6841d7555c86ae5551faaf5ef12ac620c3f6be65e1104115dbcfdde3768df97d2242852081d1ee48f497e044c0
+DIST i2psource_0.9.28.tar.bz2 27137199 SHA256 7bb27444bd1074a0f670276ad07e0b5b2a7a29ed6d25d93e6f95646981cd0aaf SHA512 95510e391e2b594c87b61cf6915d69f4f8cd08e7791b3710b5da28b1df8ec63a7e6829d37b1242fc603398495445e7024522f3554266aaf0028a6f82569660f6 WHIRLPOOL 2d7b82c64570d17e7484a51745cabeedbb54a219610d1b82e9c3f276e6c204be335d73bfe0cb05b1fbd50eee0e4d7dcc7ec1c124831d7b5cfd81a2dcc6b6807a
diff --git a/net-vpn/i2p/files/i2p-0.9.26-add_libs.patch b/net-vpn/i2p/files/i2p-0.9.26-add_libs.patch
new file mode 100644
index 000000000000..945366966ca4
--- /dev/null
+++ b/net-vpn/i2p/files/i2p-0.9.26-add_libs.patch
@@ -0,0 +1,22 @@
+diff -Naur a/wrapper.config b/wrapper.config
+--- a/installer/resources/wrapper.config	2016-02-07 23:19:48.714569016 +0100
++++ b/installer/resources/wrapper.config	2016-02-07 23:20:37.523566840 +0100
+@@ -61,12 +61,18 @@
+ # Be sure there are no other duplicate classes.
+ #
+ wrapper.java.classpath.1=$INSTALL_PATH/lib/*.jar
++wrapper.java.classpath.2=/usr/share/tomcat-jstl-impl/lib/*.jar
++wrapper.java.classpath.3=/usr/share/tomcat-jstl-spec/lib/*.jar
++wrapper.java.classpath.4=/usr/share/java-service-wrapper/lib/*.jar
++wrapper.java.classpath.5=/usr/share/bcprov-1.50/lib/*.jar
++wrapper.java.classpath.6=/usr/share/jrobin/lib/*.jar
+ #  uncomment this to use the system classpath as well (e.g. to get tools.jar)
+ # wrapper.java.classpath.2=%CLASSPATH%
+ 
+ # Java Library Path (location of Wrapper.DLL or libwrapper.so)
+ wrapper.java.library.path.1=$INSTALL_PATH
+ wrapper.java.library.path.2=$INSTALL_PATH/lib
++wrapper.java.library.path.3=/usr/lib/java-service-wrapper
+ 
+ # Java Bits.  On applicable platforms, tells the JVM to run in 32 or 64-bit mode.
+ wrapper.java.additional.auto_bits=TRUE
diff --git a/net-vpn/i2p/files/i2p-0.9.26.initd b/net-vpn/i2p/files/i2p-0.9.26.initd
new file mode 100644
index 000000000000..ae4774e2051c
--- /dev/null
+++ b/net-vpn/i2p/files/i2p-0.9.26.initd
@@ -0,0 +1,35 @@
+#!/sbin/openrc-run
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+	need net
+}
+
+HOME="/var/lib/i2p"
+USER_HOME="$HOME"
+JAVABINARY="/etc/java-config-2/current-system-vm/bin/java"
+INSTALL_PATH="/usr/share/i2p"
+I2P="$INSTALL_PATH"
+I2P_CONFIG_DIR="$USER_HOME/.i2p"
+SYSTEM_java_io_tmpdir="$I2P_CONFIG_DIR"
+I2PTEMP="$SYSTEM_java_io_tmpdir"
+LOGFILE="$I2P_CONFIG_DIR/wrapper.log"
+PIDFILE="/var/run/i2p.pid"
+WRAPPER_CMD="$I2P/i2psvc"
+WRAPPER_CONF="$I2P/wrapper.config"
+
+start() {
+	ebegin "Starting I2P"
+	start-stop-daemon --start -b -m -u i2p --pidfile "$PIDFILE" --quiet --exec $WRAPPER_CMD -- -c $WRAPPER_CONF wrapper.daemonize=FALSE wrapper.syslog.ident=i2p wrapper.java.command="$JAVABINARY" wrapper.name=i2p wrapper.displayname="I2P Service" wrapper.statusfile="$I2P_CONFIG_DIR/i2p.status" wrapper.java.statusfile="$I2P_CONFIG_DIR/i2p.java.status" wrapper.logfile="$LOGFILE"
+	sleep 1
+	[ -e "$PIDFILE" -a -e /proc/$(cat "$PIDFILE") ]
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping I2P"
+	start-stop-daemon --stop -u i2p --pidfile "$PIDFILE" --quiet --exec $WRAPPER_CMD -R SIGTERM/20 SIGKILL/20 -P
+	eend $?
+}
+
diff --git a/net-vpn/i2p/files/i2p-0.9.26.service b/net-vpn/i2p/files/i2p-0.9.26.service
new file mode 100644
index 000000000000..ccbadbd4d167
--- /dev/null
+++ b/net-vpn/i2p/files/i2p-0.9.26.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Invisible Internet Project
+After=network.target
+
+[Service]
+User=i2p
+Type=forking
+ExecReload=/usr/bin/i2prouter restart
+ExecStart=/usr/bin/i2prouter start
+ExecStop=/usr/bin/i2prouter stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-vpn/i2p/files/i2p-0.9.27-add_libs.patch b/net-vpn/i2p/files/i2p-0.9.27-add_libs.patch
new file mode 100644
index 000000000000..0ea3149a3628
--- /dev/null
+++ b/net-vpn/i2p/files/i2p-0.9.27-add_libs.patch
@@ -0,0 +1,22 @@
+diff -Naur a/installer/resources/wrapper.config b/installer/resources/wrapper.config
+--- a/installer/resources/wrapper.config	2016-11-07 11:42:42.503030002 +0100
++++ b/installer/resources/wrapper.config	2016-11-07 11:43:11.873031594 +0100
+@@ -61,12 +61,18 @@
+ # Be sure there are no other duplicate classes.
+ #
+ wrapper.java.classpath.1=$INSTALL_PATH/lib/*.jar
++wrapper.java.classpath.2=/usr/share/tomcat-jstl-impl/lib/*.jar
++wrapper.java.classpath.3=/usr/share/tomcat-jstl-spec/lib/*.jar
++wrapper.java.classpath.4=/usr/share/java-service-wrapper/lib/*.jar
++wrapper.java.classpath.5=/usr/share/bcprov-1.50/lib/*.jar
++wrapper.java.classpath.6=/usr/share/jrobin/lib/*.jar
+ #  uncomment this to use the system classpath as well (e.g. to get tools.jar)
+ # wrapper.java.classpath.2=%CLASSPATH%
+ 
+ # Java Library Path (location of Wrapper.DLL or libwrapper.so)
+ wrapper.java.library.path.1=$INSTALL_PATH
+ wrapper.java.library.path.2=$INSTALL_PATH/lib
++wrapper.java.library.path.3=/usr/lib/java-service-wrapper
+ 
+ # Java Bits.  On applicable platforms, tells the JVM to run in 32 or 64-bit mode.
+ wrapper.java.additional.auto_bits=TRUE
diff --git a/net-vpn/i2p/files/i2p-0.9.27.initd b/net-vpn/i2p/files/i2p-0.9.27.initd
new file mode 100644
index 000000000000..216d19474cb8
--- /dev/null
+++ b/net-vpn/i2p/files/i2p-0.9.27.initd
@@ -0,0 +1,35 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+	need net
+}
+
+HOME="/var/lib/i2p"
+USER_HOME="$HOME"
+JAVABINARY="/etc/java-config-2/current-system-vm/bin/java"
+INSTALL_PATH="/usr/share/i2p"
+I2P="$INSTALL_PATH"
+I2P_CONFIG_DIR="$USER_HOME/.i2p"
+SYSTEM_java_io_tmpdir="$I2P_CONFIG_DIR"
+I2PTEMP="$SYSTEM_java_io_tmpdir"
+LOGFILE="$I2P_CONFIG_DIR/wrapper.log"
+PIDFILE="/var/run/i2p.pid"
+WRAPPER_CMD="$I2P/i2psvc"
+WRAPPER_CONF="$I2P/wrapper.config"
+
+start() {
+	ebegin "Starting I2P"
+	start-stop-daemon --start -b -m -u i2p --pidfile "$PIDFILE" --quiet --exec $WRAPPER_CMD -- -c $WRAPPER_CONF wrapper.daemonize=FALSE wrapper.syslog.ident=i2p wrapper.java.command="$JAVABINARY" wrapper.name=i2p wrapper.displayname="I2P Service" wrapper.statusfile="$I2P_CONFIG_DIR/i2p.status" wrapper.java.statusfile="$I2P_CONFIG_DIR/i2p.java.status" wrapper.logfile="$LOGFILE"
+	sleep 1
+	[ -e "$PIDFILE" -a -e /proc/$(cat "$PIDFILE") ]
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping I2P"
+	start-stop-daemon --stop -u i2p --pidfile "$PIDFILE" --quiet --exec $WRAPPER_CMD -R SIGTERM/20 SIGKILL/20 -P
+	eend $?
+}
+
diff --git a/net-vpn/i2p/files/i2p-0.9.27.service b/net-vpn/i2p/files/i2p-0.9.27.service
new file mode 100644
index 000000000000..ccbadbd4d167
--- /dev/null
+++ b/net-vpn/i2p/files/i2p-0.9.27.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Invisible Internet Project
+After=network.target
+
+[Service]
+User=i2p
+Type=forking
+ExecReload=/usr/bin/i2prouter restart
+ExecStart=/usr/bin/i2prouter start
+ExecStop=/usr/bin/i2prouter stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-vpn/i2p/files/i2p-0.9.28-add_libs.patch b/net-vpn/i2p/files/i2p-0.9.28-add_libs.patch
new file mode 100644
index 000000000000..0ea3149a3628
--- /dev/null
+++ b/net-vpn/i2p/files/i2p-0.9.28-add_libs.patch
@@ -0,0 +1,22 @@
+diff -Naur a/installer/resources/wrapper.config b/installer/resources/wrapper.config
+--- a/installer/resources/wrapper.config	2016-11-07 11:42:42.503030002 +0100
++++ b/installer/resources/wrapper.config	2016-11-07 11:43:11.873031594 +0100
+@@ -61,12 +61,18 @@
+ # Be sure there are no other duplicate classes.
+ #
+ wrapper.java.classpath.1=$INSTALL_PATH/lib/*.jar
++wrapper.java.classpath.2=/usr/share/tomcat-jstl-impl/lib/*.jar
++wrapper.java.classpath.3=/usr/share/tomcat-jstl-spec/lib/*.jar
++wrapper.java.classpath.4=/usr/share/java-service-wrapper/lib/*.jar
++wrapper.java.classpath.5=/usr/share/bcprov-1.50/lib/*.jar
++wrapper.java.classpath.6=/usr/share/jrobin/lib/*.jar
+ #  uncomment this to use the system classpath as well (e.g. to get tools.jar)
+ # wrapper.java.classpath.2=%CLASSPATH%
+ 
+ # Java Library Path (location of Wrapper.DLL or libwrapper.so)
+ wrapper.java.library.path.1=$INSTALL_PATH
+ wrapper.java.library.path.2=$INSTALL_PATH/lib
++wrapper.java.library.path.3=/usr/lib/java-service-wrapper
+ 
+ # Java Bits.  On applicable platforms, tells the JVM to run in 32 or 64-bit mode.
+ wrapper.java.additional.auto_bits=TRUE
diff --git a/net-vpn/i2p/files/i2p-0.9.28.initd b/net-vpn/i2p/files/i2p-0.9.28.initd
new file mode 100644
index 000000000000..216d19474cb8
--- /dev/null
+++ b/net-vpn/i2p/files/i2p-0.9.28.initd
@@ -0,0 +1,35 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+	need net
+}
+
+HOME="/var/lib/i2p"
+USER_HOME="$HOME"
+JAVABINARY="/etc/java-config-2/current-system-vm/bin/java"
+INSTALL_PATH="/usr/share/i2p"
+I2P="$INSTALL_PATH"
+I2P_CONFIG_DIR="$USER_HOME/.i2p"
+SYSTEM_java_io_tmpdir="$I2P_CONFIG_DIR"
+I2PTEMP="$SYSTEM_java_io_tmpdir"
+LOGFILE="$I2P_CONFIG_DIR/wrapper.log"
+PIDFILE="/var/run/i2p.pid"
+WRAPPER_CMD="$I2P/i2psvc"
+WRAPPER_CONF="$I2P/wrapper.config"
+
+start() {
+	ebegin "Starting I2P"
+	start-stop-daemon --start -b -m -u i2p --pidfile "$PIDFILE" --quiet --exec $WRAPPER_CMD -- -c $WRAPPER_CONF wrapper.daemonize=FALSE wrapper.syslog.ident=i2p wrapper.java.command="$JAVABINARY" wrapper.name=i2p wrapper.displayname="I2P Service" wrapper.statusfile="$I2P_CONFIG_DIR/i2p.status" wrapper.java.statusfile="$I2P_CONFIG_DIR/i2p.java.status" wrapper.logfile="$LOGFILE"
+	sleep 1
+	[ -e "$PIDFILE" -a -e /proc/$(cat "$PIDFILE") ]
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping I2P"
+	start-stop-daemon --stop -u i2p --pidfile "$PIDFILE" --quiet --exec $WRAPPER_CMD -R SIGTERM/20 SIGKILL/20 -P
+	eend $?
+}
+
diff --git a/net-vpn/i2p/files/i2p-0.9.28.service b/net-vpn/i2p/files/i2p-0.9.28.service
new file mode 100644
index 000000000000..ccbadbd4d167
--- /dev/null
+++ b/net-vpn/i2p/files/i2p-0.9.28.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Invisible Internet Project
+After=network.target
+
+[Service]
+User=i2p
+Type=forking
+ExecReload=/usr/bin/i2prouter restart
+ExecStart=/usr/bin/i2prouter start
+ExecStop=/usr/bin/i2prouter stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-vpn/i2p/i2p-0.9.26.ebuild b/net-vpn/i2p/i2p-0.9.26.ebuild
new file mode 100644
index 000000000000..6514c7a98dcd
--- /dev/null
+++ b/net-vpn/i2p/i2p-0.9.26.ebuild
@@ -0,0 +1,159 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit eutils java-pkg-2 java-ant-2 systemd user
+
+DESCRIPTION="A privacy-centric, anonymous network."
+HOMEPAGE="https://geti2p.net"
+SRC_URI="https://download.i2p2.de/releases/${PV}/i2psource_${PV}.tar.bz2"
+
+LICENSE="Apache-2.0 Artistic BSD CC-BY-2.5 CC-BY-3.0 CC-BY-SA-3.0 EPL-1.0 GPL-2 GPL-3 LGPL-2.1 LGPL-3 MIT public-domain WTFPL-2"
+SLOT="0"
+
+# Until the deps reach other arches
+KEYWORDS="~amd64 ~x86"
+IUSE="+ecdsa nls"
+
+# dev-java/ant-core is automatically added due to java-ant-2.eclass
+CDEPEND="dev-java/bcprov:1.50
+	dev-java/jrobin:0
+	dev-java/slf4j-api:0
+	dev-java/tomcat-jstl-impl:0
+	dev-java/tomcat-jstl-spec:0
+	dev-java/java-service-wrapper:0"
+
+DEPEND="${CDEPEND}
+	dev-java/eclipse-ecj:*
+	dev-libs/gmp:0
+	nls? ( >=sys-devel/gettext-0.19 )
+	>=virtual/jdk-1.7"
+
+RDEPEND="${CDEPEND}
+	ecdsa? (
+		|| (
+			dev-java/icedtea:7[-sunec]
+			dev-java/icedtea:8[-sunec]
+			dev-java/icedtea:7[nss,-sunec]
+			dev-java/icedtea-bin:7[nss]
+			dev-java/icedtea-bin:7
+			dev-java/icedtea-bin:8
+			dev-java/oracle-jre-bin
+			dev-java/oracle-jdk-bin
+		)
+	)
+	!ecdsa? ( >=virtual/jre-1.7 )"
+
+EANT_BUILD_TARGET="pkg"
+EANT_GENTOO_CLASSPATH="java-service-wrapper,jrobin,slf4j-api,tomcat-jstl-impl,tomcat-jstl-spec,bcprov-1.50"
+JAVA_ANT_ENCODING="UTF-8"
+
+I2P_ROOT='/usr/share/i2p'
+I2P_CONFIG_HOME='/var/lib/i2p'
+I2P_CONFIG_DIR="${I2P_CONFIG_HOME}/.i2p"
+
+RES_DIR='installer/resources'
+
+PATCHES=(
+	"${FILESDIR}/${P}-add_libs.patch"
+)
+
+pkg_setup() {
+	java-pkg-2_pkg_setup
+
+	enewgroup i2p
+	enewuser i2p -1 -1 "${I2P_CONFIG_HOME}" i2p
+}
+
+src_unpack() {
+	unpack ${A}
+	cd "${S}" || die
+	java-ant_rewrite-classpath
+}
+
+src_prepare() {
+	java-pkg-2_src_prepare
+
+	# We're on GNU/Linux, we don't need .exe files
+	echo "noExe=true" > override.properties || die
+	if ! use nls; then
+		echo "require.gettext=false" >> override.properties || die
+	fi
+
+	# avoid auto starting browser
+	sed -i 's|clientApp.4.startOnLoad=true|clientApp.4.startOnLoad=false|' \
+		"${RES_DIR}/clients.config" || die
+
+	# we do it now so we can resolve path after
+	default
+
+	# replace paths as the installer would
+	sed -i "s|%INSTALL_PATH|${I2P_ROOT}|" \
+		"${RES_DIR}/"{eepget,i2prouter,runplain.sh}  || die
+	sed -i "s|\$INSTALL_PATH|${I2P_ROOT}|" "${RES_DIR}/wrapper.config" || die
+	sed -i "s|%SYSTEM_java_io_tmpdir|${I2P_CONFIG_DIR}|" \
+		"${RES_DIR}/"{i2prouter,runplain.sh} || die
+	sed -i "s|%USER_HOME|${I2P_CONFIG_HOME}|" "${RES_DIR}/i2prouter" || die
+}
+
+src_install() {
+	# cd into pkg-temp.
+	cd "${S}/pkg-temp" || die
+
+	# This is ugly, but to satisfy all non-system .jar dependencies, jetty
+	# would need to be packaged. It would be too large a task
+	# for an unseasoned developer. This seems to be the most pragmatic solution
+	java-pkg_jarinto "${I2P_ROOT}/lib"
+	local i
+	for i in BOB commons-el commons-logging i2p i2psnark i2ptunnel \
+		jasper-compiler jasper-runtime javax.servlet jbigi jetty* mstreaming org.mortbay.* router* \
+		sam standard streaming systray; do
+		java-pkg_dojar lib/${i}.jar
+	done
+
+	# Set up symlinks for binaries
+	dosym /usr/bin/wrapper "${I2P_ROOT}/i2psvc"
+	dosym "${I2P_ROOT}/i2prouter" /usr/bin/i2prouter
+	dosym "${I2P_ROOT}/eepget" /usr/bin/eepget
+
+	# Install main files and basic documentation
+	exeinto "${I2P_ROOT}"
+	insinto "${I2P_ROOT}"
+	doins blocklist.txt hosts.txt *.config
+	doexe eepget i2prouter runplain.sh
+	dodoc history.txt INSTALL-headless.txt LICENSE.txt
+	doman man/*
+
+	# Install other directories
+	doins -r certificates docs eepsite geoip scripts
+	dodoc -r licenses
+	java-pkg_dowar webapps/*.war
+
+	# Install daemon files
+	newinitd "${FILESDIR}/${P}.initd" i2p
+	systemd_newunit "${FILESDIR}/${P}.service" i2p.service
+
+	# setup user
+	keepdir "${I2P_CONFIG_DIR}"
+	fowners -R i2p:i2p "${I2P_CONFIG_DIR}"
+}
+
+pkg_postinst() {
+	elog "Custom configuration belongs in /var/lib/i2p/.i2p/ to avoid being overwritten."
+	elog "I2P can be configured through the web interface at http://localhost:7657/index.jsp"
+
+	ewarn 'Currently, the i2p team does not enforce to use ECDSA keys. But it is more and'
+	ewarn 'more pushed. To help the network, you are recommended to have either:'
+	ewarn '  dev-java/icedtea[-sunec,nss]'
+	ewarn '  dev-java/icedtea-bin[nss]'
+	ewarn '  dev-java/icedtea[-sunec] and bouncycastle (bcprov)'
+	ewarn '  dev-java/icedtea-bin and bouncycastle (bcprov)'
+	ewarn '  dev-java/oracle-jre-bin'
+	ewarn '  dev-java/oracle-jdk-bin'
+	ewarn 'Alternatively you can just use Ed25519 keys - which is a stronger algorithm anyways.'
+	ewarn
+	ewarn "This is purely a run-time issue. You're free to build i2p with any JDK, as long as"
+	ewarn 'the JVM you run it with is one of the above listed and from the same or a newer generation'
+	ewarn 'as the one you built with.'
+}
diff --git a/net-vpn/i2p/i2p-0.9.27.ebuild b/net-vpn/i2p/i2p-0.9.27.ebuild
new file mode 100644
index 000000000000..6514c7a98dcd
--- /dev/null
+++ b/net-vpn/i2p/i2p-0.9.27.ebuild
@@ -0,0 +1,159 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit eutils java-pkg-2 java-ant-2 systemd user
+
+DESCRIPTION="A privacy-centric, anonymous network."
+HOMEPAGE="https://geti2p.net"
+SRC_URI="https://download.i2p2.de/releases/${PV}/i2psource_${PV}.tar.bz2"
+
+LICENSE="Apache-2.0 Artistic BSD CC-BY-2.5 CC-BY-3.0 CC-BY-SA-3.0 EPL-1.0 GPL-2 GPL-3 LGPL-2.1 LGPL-3 MIT public-domain WTFPL-2"
+SLOT="0"
+
+# Until the deps reach other arches
+KEYWORDS="~amd64 ~x86"
+IUSE="+ecdsa nls"
+
+# dev-java/ant-core is automatically added due to java-ant-2.eclass
+CDEPEND="dev-java/bcprov:1.50
+	dev-java/jrobin:0
+	dev-java/slf4j-api:0
+	dev-java/tomcat-jstl-impl:0
+	dev-java/tomcat-jstl-spec:0
+	dev-java/java-service-wrapper:0"
+
+DEPEND="${CDEPEND}
+	dev-java/eclipse-ecj:*
+	dev-libs/gmp:0
+	nls? ( >=sys-devel/gettext-0.19 )
+	>=virtual/jdk-1.7"
+
+RDEPEND="${CDEPEND}
+	ecdsa? (
+		|| (
+			dev-java/icedtea:7[-sunec]
+			dev-java/icedtea:8[-sunec]
+			dev-java/icedtea:7[nss,-sunec]
+			dev-java/icedtea-bin:7[nss]
+			dev-java/icedtea-bin:7
+			dev-java/icedtea-bin:8
+			dev-java/oracle-jre-bin
+			dev-java/oracle-jdk-bin
+		)
+	)
+	!ecdsa? ( >=virtual/jre-1.7 )"
+
+EANT_BUILD_TARGET="pkg"
+EANT_GENTOO_CLASSPATH="java-service-wrapper,jrobin,slf4j-api,tomcat-jstl-impl,tomcat-jstl-spec,bcprov-1.50"
+JAVA_ANT_ENCODING="UTF-8"
+
+I2P_ROOT='/usr/share/i2p'
+I2P_CONFIG_HOME='/var/lib/i2p'
+I2P_CONFIG_DIR="${I2P_CONFIG_HOME}/.i2p"
+
+RES_DIR='installer/resources'
+
+PATCHES=(
+	"${FILESDIR}/${P}-add_libs.patch"
+)
+
+pkg_setup() {
+	java-pkg-2_pkg_setup
+
+	enewgroup i2p
+	enewuser i2p -1 -1 "${I2P_CONFIG_HOME}" i2p
+}
+
+src_unpack() {
+	unpack ${A}
+	cd "${S}" || die
+	java-ant_rewrite-classpath
+}
+
+src_prepare() {
+	java-pkg-2_src_prepare
+
+	# We're on GNU/Linux, we don't need .exe files
+	echo "noExe=true" > override.properties || die
+	if ! use nls; then
+		echo "require.gettext=false" >> override.properties || die
+	fi
+
+	# avoid auto starting browser
+	sed -i 's|clientApp.4.startOnLoad=true|clientApp.4.startOnLoad=false|' \
+		"${RES_DIR}/clients.config" || die
+
+	# we do it now so we can resolve path after
+	default
+
+	# replace paths as the installer would
+	sed -i "s|%INSTALL_PATH|${I2P_ROOT}|" \
+		"${RES_DIR}/"{eepget,i2prouter,runplain.sh}  || die
+	sed -i "s|\$INSTALL_PATH|${I2P_ROOT}|" "${RES_DIR}/wrapper.config" || die
+	sed -i "s|%SYSTEM_java_io_tmpdir|${I2P_CONFIG_DIR}|" \
+		"${RES_DIR}/"{i2prouter,runplain.sh} || die
+	sed -i "s|%USER_HOME|${I2P_CONFIG_HOME}|" "${RES_DIR}/i2prouter" || die
+}
+
+src_install() {
+	# cd into pkg-temp.
+	cd "${S}/pkg-temp" || die
+
+	# This is ugly, but to satisfy all non-system .jar dependencies, jetty
+	# would need to be packaged. It would be too large a task
+	# for an unseasoned developer. This seems to be the most pragmatic solution
+	java-pkg_jarinto "${I2P_ROOT}/lib"
+	local i
+	for i in BOB commons-el commons-logging i2p i2psnark i2ptunnel \
+		jasper-compiler jasper-runtime javax.servlet jbigi jetty* mstreaming org.mortbay.* router* \
+		sam standard streaming systray; do
+		java-pkg_dojar lib/${i}.jar
+	done
+
+	# Set up symlinks for binaries
+	dosym /usr/bin/wrapper "${I2P_ROOT}/i2psvc"
+	dosym "${I2P_ROOT}/i2prouter" /usr/bin/i2prouter
+	dosym "${I2P_ROOT}/eepget" /usr/bin/eepget
+
+	# Install main files and basic documentation
+	exeinto "${I2P_ROOT}"
+	insinto "${I2P_ROOT}"
+	doins blocklist.txt hosts.txt *.config
+	doexe eepget i2prouter runplain.sh
+	dodoc history.txt INSTALL-headless.txt LICENSE.txt
+	doman man/*
+
+	# Install other directories
+	doins -r certificates docs eepsite geoip scripts
+	dodoc -r licenses
+	java-pkg_dowar webapps/*.war
+
+	# Install daemon files
+	newinitd "${FILESDIR}/${P}.initd" i2p
+	systemd_newunit "${FILESDIR}/${P}.service" i2p.service
+
+	# setup user
+	keepdir "${I2P_CONFIG_DIR}"
+	fowners -R i2p:i2p "${I2P_CONFIG_DIR}"
+}
+
+pkg_postinst() {
+	elog "Custom configuration belongs in /var/lib/i2p/.i2p/ to avoid being overwritten."
+	elog "I2P can be configured through the web interface at http://localhost:7657/index.jsp"
+
+	ewarn 'Currently, the i2p team does not enforce to use ECDSA keys. But it is more and'
+	ewarn 'more pushed. To help the network, you are recommended to have either:'
+	ewarn '  dev-java/icedtea[-sunec,nss]'
+	ewarn '  dev-java/icedtea-bin[nss]'
+	ewarn '  dev-java/icedtea[-sunec] and bouncycastle (bcprov)'
+	ewarn '  dev-java/icedtea-bin and bouncycastle (bcprov)'
+	ewarn '  dev-java/oracle-jre-bin'
+	ewarn '  dev-java/oracle-jdk-bin'
+	ewarn 'Alternatively you can just use Ed25519 keys - which is a stronger algorithm anyways.'
+	ewarn
+	ewarn "This is purely a run-time issue. You're free to build i2p with any JDK, as long as"
+	ewarn 'the JVM you run it with is one of the above listed and from the same or a newer generation'
+	ewarn 'as the one you built with.'
+}
diff --git a/net-vpn/i2p/i2p-0.9.28.ebuild b/net-vpn/i2p/i2p-0.9.28.ebuild
new file mode 100644
index 000000000000..103ad6ed5e12
--- /dev/null
+++ b/net-vpn/i2p/i2p-0.9.28.ebuild
@@ -0,0 +1,152 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit eutils java-pkg-2 java-ant-2 systemd user
+
+DESCRIPTION="A privacy-centric, anonymous network."
+HOMEPAGE="https://geti2p.net"
+SRC_URI="https://download.i2p2.de/releases/${PV}/i2psource_${PV}.tar.bz2"
+
+LICENSE="Apache-2.0 Artistic BSD CC-BY-2.5 CC-BY-3.0 CC-BY-SA-3.0 EPL-1.0 GPL-2 GPL-3 LGPL-2.1 LGPL-3 MIT public-domain WTFPL-2"
+SLOT="0"
+
+# Until the deps reach other arches
+KEYWORDS="~amd64 ~x86"
+IUSE="+ecdsa nls"
+
+# dev-java/ant-core is automatically added due to java-ant-2.eclass
+CP_DEPEND="dev-java/bcprov:1.50
+	dev-java/jrobin:0
+	dev-java/slf4j-api:0
+	dev-java/tomcat-jstl-impl:0
+	dev-java/tomcat-jstl-spec:0
+	dev-java/java-service-wrapper:0"
+
+DEPEND="${CP_DEPEND}
+	dev-java/eclipse-ecj:*
+	dev-libs/gmp:0
+	nls? ( >=sys-devel/gettext-0.19 )
+	>=virtual/jdk-1.7"
+
+RDEPEND="${CP_DEPEND}
+	ecdsa? (
+		|| (
+			dev-java/icedtea:7[-sunec]
+			dev-java/icedtea:8[-sunec]
+			dev-java/icedtea-bin:7
+			dev-java/icedtea-bin:8
+			dev-java/oracle-jre-bin
+			dev-java/oracle-jdk-bin
+		)
+	)
+	!ecdsa? ( >=virtual/jre-1.7 )"
+
+EANT_BUILD_TARGET="pkg"
+JAVA_ANT_ENCODING="UTF-8"
+
+I2P_ROOT='/usr/share/i2p'
+I2P_CONFIG_HOME='/var/lib/i2p'
+I2P_CONFIG_DIR="${I2P_CONFIG_HOME}/.i2p"
+
+RES_DIR='installer/resources'
+
+PATCHES=(
+	"${FILESDIR}/${P}-add_libs.patch"
+)
+
+pkg_setup() {
+	java-pkg-2_pkg_setup
+
+	enewgroup i2p
+	enewuser i2p -1 -1 "${I2P_CONFIG_HOME}" i2p
+}
+
+src_unpack() {
+	unpack ${A}
+	cd "${S}" || die
+	java-ant_rewrite-classpath
+}
+
+src_prepare() {
+	java-pkg-2_src_prepare
+
+	# We're on GNU/Linux, we don't need .exe files
+	echo "noExe=true" > override.properties || die
+	if ! use nls; then
+		echo "require.gettext=false" >> override.properties || die
+	fi
+
+	# avoid auto starting browser
+	sed -i 's|clientApp.4.startOnLoad=true|clientApp.4.startOnLoad=false|' \
+		"${RES_DIR}/clients.config" || die
+
+	# we do it now so we can resolve path after
+	default
+
+	# replace paths as the installer would
+	sed -i "s|%INSTALL_PATH|${I2P_ROOT}|" \
+		"${RES_DIR}/"{eepget,i2prouter,runplain.sh}  || die
+	sed -i "s|\$INSTALL_PATH|${I2P_ROOT}|" "${RES_DIR}/wrapper.config" || die
+	sed -i "s|%SYSTEM_java_io_tmpdir|${I2P_CONFIG_DIR}|" \
+		"${RES_DIR}/"{i2prouter,runplain.sh} || die
+	sed -i "s|%USER_HOME|${I2P_CONFIG_HOME}|" "${RES_DIR}/i2prouter" || die
+}
+
+src_install() {
+	# cd into pkg-temp.
+	cd "${S}/pkg-temp" || die
+
+	# This is ugly, but to satisfy all non-system .jar dependencies, jetty
+	# would need to be packaged. It would be too large a task
+	# for an unseasoned developer. This seems to be the most pragmatic solution
+	java-pkg_jarinto "${I2P_ROOT}/lib"
+	local i
+	for i in BOB commons-el commons-logging i2p i2psnark i2ptunnel \
+		jasper-compiler jasper-runtime javax.servlet jbigi jetty* mstreaming org.mortbay.* router* \
+		sam standard streaming systray; do
+		java-pkg_dojar lib/${i}.jar
+	done
+
+	# Set up symlinks for binaries
+	dosym /usr/bin/wrapper "${I2P_ROOT}/i2psvc"
+	dosym "${I2P_ROOT}/i2prouter" /usr/bin/i2prouter
+	dosym "${I2P_ROOT}/eepget" /usr/bin/eepget
+
+	# Install main files and basic documentation
+	exeinto "${I2P_ROOT}"
+	insinto "${I2P_ROOT}"
+	doins blocklist.txt hosts.txt *.config
+	doexe eepget i2prouter runplain.sh
+	dodoc history.txt INSTALL-headless.txt LICENSE.txt
+	doman man/*
+
+	# Install other directories
+	doins -r certificates docs eepsite geoip scripts
+	dodoc -r licenses
+	java-pkg_dowar webapps/*.war
+
+	# Install daemon files
+	newinitd "${FILESDIR}/${P}.initd" i2p
+	systemd_newunit "${FILESDIR}/${P}.service" i2p.service
+
+	# setup user
+	keepdir "${I2P_CONFIG_DIR}"
+	fowners -R i2p:i2p "${I2P_CONFIG_DIR}"
+}
+
+pkg_postinst() {
+	elog "Custom configuration belongs in ${I2P_CONFIG_DIR} to avoid being overwritten."
+	elog 'I2P can be configured through the web interface at http://localhost:7657/console'
+
+	if use !ecdsa
+	then
+		ewarn 'Currently, the i2p team does not enforce to use ECDSA keys. But it is more and'
+		ewarn 'more pushed. To help the network, you are recommended to have the ecdsa USE.'
+		ewarn
+		ewarn "This is purely a run-time issue. You're free to build i2p with any JDK, as long as"
+		ewarn 'the JVM you run it with is one of the above listed and from the same or a newer generation'
+		ewarn 'as the one you built with.'
+	fi
+}
diff --git a/net-vpn/i2p/metadata.xml b/net-vpn/i2p/metadata.xml
new file mode 100644
index 000000000000..52ff64217713
--- /dev/null
+++ b/net-vpn/i2p/metadata.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer type="person">
+	<email>tharvik@gmail.com</email>
+	<name>Tharvik</name>
+	<description>Proxy-maintainer; add or CC them for bugs</description>
+</maintainer>
+<maintainer type="person">
+	<email>tomboy64@sina.cn</email>
+	<name>M.B.</name>
+	<description>Proxy-maintainer; add or CC them for bugs</description>
+</maintainer>
+<maintainer type="project">
+	<email>java@gentoo.org</email>
+	<name>Java</name>
+</maintainer>
+<maintainer type="project">
+	<email>proxy-maint@gentoo.org</email>
+	<name>Proxy Maintainers</name>
+</maintainer>
+<longdescription>I2P is an anonymous network, exposing a simple layer that applications can use to anonymously and securely send messages to each other.</longdescription>
+<use>
+	<flag name="ecdsa">Enables additional checks to make sure a setup is available that is capable of using I2Ps ECDSA provisions. I2P will work without it, but you will likely see warnings.</flag>
+	<flag name="nls">Adds Native Language Support using GNU gettext.</flag>
+</use>
+</pkgmetadata>
diff --git a/net-vpn/i2pd/Manifest b/net-vpn/i2pd/Manifest
new file mode 100644
index 000000000000..b322a15a60c6
--- /dev/null
+++ b/net-vpn/i2pd/Manifest
@@ -0,0 +1,2 @@
+DIST i2pd-2.11.0.tar.gz 3091516 SHA256 4d7946e33a6a1dd4439590ea23b494f36e6fbcb81f7b36857bf264413a19e9db SHA512 c4964c23f6852e6ce225de6f6f03ce4e5c52a6ec2b925b82c01be574b14196112079ada5864b10f353c3dd385645db550d5ce290647b6d980225a79c64f19ddb WHIRLPOOL f2a4c42ad2df09188b5be8fad23f7f2ec2080e17b980b55c1647c13499c6b3cce88d6e9c2fbfd34bf8783a0b52c15659775351835ae181e58357c455ebb1dea1
+DIST i2pd-2.12.0.tar.gz 3150471 SHA256 afb763aea2a4f4b51e327352d5da82ec08e84735d28db9af7710563a117fc648 SHA512 70b6143e713d43e24b780239aed899fb17d6224ef053020c738369ca110241e4624ae5c69b04a75a037b68094d3030be5296509ff699905ef7c175447d093232 WHIRLPOOL 8b5fb9a5123ce700a646de72a81e476b3545ad62f4bb8d143438bc1e1b6393b381e13224b3d538fa063d24b732588df5b3abe9b2d5485473d83038f01d296b4e
diff --git a/net-vpn/i2pd/files/99i2pd b/net-vpn/i2pd/files/99i2pd
new file mode 100644
index 000000000000..3cf3b46797c4
--- /dev/null
+++ b/net-vpn/i2pd/files/99i2pd
@@ -0,0 +1 @@
+CONFIG_PROTECT="/var/lib/i2pd/certificates"
diff --git a/net-vpn/i2pd/files/i2pd-2.5.1-fix_installed_components.patch b/net-vpn/i2pd/files/i2pd-2.5.1-fix_installed_components.patch
new file mode 100644
index 000000000000..0416901117c5
--- /dev/null
+++ b/net-vpn/i2pd/files/i2pd-2.5.1-fix_installed_components.patch
@@ -0,0 +1,30 @@
+--- a/build/CMakeLists.txt.old	2016-02-04 21:30:50.954251000 +0100
++++ b/build/CMakeLists.txt	2016-02-04 21:34:50.457793484 +0100
+@@ -356,10 +356,6 @@
+   endif ()
+ endif ()
+ 
+-install(FILES ../LICENSE
+-  DESTINATION .
+-  COMPONENT Runtime
+-  )
+ # Take a copy on Appveyor
+ install(FILES "C:/projects/openssl-$ENV{OPENSSL}/LICENSE"
+   DESTINATION .
+@@ -369,7 +365,6 @@
+   )
+ 
+ file(GLOB_RECURSE I2PD_SOURCES "../*.cpp" "../build" "../Win32" "../Makefile*")
+-install(FILES ${I2PD_SOURCES} DESTINATION src/ COMPONENT Source)
+ # install(DIRECTORY ../ DESTINATION src/
+ #   # OPTIONAL
+ #   COMPONENT Source FILES_MATCHING
+@@ -378,7 +373,7 @@
+ #   )
+ 
+ file(GLOB I2PD_HEADERS "../*.h")
+-install(FILES ${I2PD_HEADERS} DESTINATION src/ COMPONENT Headers)
++install(FILES ${I2PD_HEADERS} DESTINATION "include/${PROJECT_NAME}" COMPONENT Headers)
+ # install(DIRECTORY ../ DESTINATION src/
+ #   # OPTIONAL
+ #   COMPONENT Headers FILES_MATCHING
diff --git a/net-vpn/i2pd/files/i2pd-2.6.0-r3.confd b/net-vpn/i2pd/files/i2pd-2.6.0-r3.confd
new file mode 100644
index 000000000000..d2ef16b0f61c
--- /dev/null
+++ b/net-vpn/i2pd/files/i2pd-2.6.0-r3.confd
@@ -0,0 +1,12 @@
+I2PD_USER=i2pd
+I2PD_GROUP=i2pd
+I2PD_LOG=/var/log/i2pd.log
+I2PD_PID=/run/i2pd/i2pd.pid
+
+# max number of open files (for floodfill)
+rc_ulimit="-n 4096"
+
+# Options to i2pd
+I2PD_OPTIONS="--daemon --service --pidfile=${I2PD_PID} \
+--log=file --logfile=${I2PD_LOG} \
+--conf=/etc/i2pd/i2pd.conf --tunconf=/etc/i2pd/tunnels.conf"
diff --git a/net-vpn/i2pd/files/i2pd-2.6.0-r3.initd b/net-vpn/i2pd/files/i2pd-2.6.0-r3.initd
new file mode 100644
index 000000000000..09c83927b206
--- /dev/null
+++ b/net-vpn/i2pd/files/i2pd-2.6.0-r3.initd
@@ -0,0 +1,45 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+description="C++ daemon for accessing the I2P network"
+description_graceful="Graceful shutdown, takes 10 minutes"
+
+command="/usr/bin/i2pd"
+command_args="${I2PD_OPTIONS}"
+user="${I2PD_USER}:${I2PD_GROUP}"
+start_stop_daemon_args="
+    --user \"${user}\"
+    --pidfile \"${I2PD_PID}\"
+    --progress --retry 'SIGTERM/20/SIGKILL/20'
+"
+I2PD_PID_DIR=$(dirname "${I2PD_PID}")
+
+extra_started_commands="graceful"
+
+depend() {
+    use dns logger netmount
+}
+
+start_pre() {
+    if [ -z "${I2PD_USER}" ] || \
+       [ -z "${I2PD_GROUP}" ] || \
+       [ -z "${I2PD_PID}" ] || \
+       [ -z "${I2PD_LOG}" ] || \
+       [ -z "${I2PD_OPTIONS}" ] ; then
+        eerror "Not all variables I2PD_USER, I2PD_GROUP, I2PD_PID, I2PD_OPTIONS, I2PD_LOG are defined."
+        eerror "Check your /etc/conf.d/i2pd."
+        return 1
+    fi
+    checkpath -f -o "${user}" "${I2PD_LOG}"
+    checkpath -d -m 0750 -o "${user}" "${I2PD_PID_DIR}"
+}
+
+graceful() {
+    # on SIGINT, i2pd stops accepting tunnels and shuts down in 600 seconds
+    ebegin "Gracefully stopping i2pd, this takes 10 minutes"
+    mark_service_stopping
+    eval start-stop-daemon --stop ${start_stop_daemon_args} \
+        --exec "${command}" --retry 'SIGINT/620/SIGTERM/20/SIGKILL/20'
+    eend $? && mark_service_stopped
+}
diff --git a/net-vpn/i2pd/files/i2pd-2.6.0-r3.logrotate b/net-vpn/i2pd/files/i2pd-2.6.0-r3.logrotate
new file mode 100644
index 000000000000..251128b7be78
--- /dev/null
+++ b/net-vpn/i2pd/files/i2pd-2.6.0-r3.logrotate
@@ -0,0 +1,11 @@
+/var/log/i2pd.log {
+        rotate 4
+        weekly
+        missingok
+        notifempty
+        create 640 i2pd i2pd
+        postrotate
+                /bin/kill -HUP $(cat /run/i2pd/i2pd.pid)
+        endscript
+}
+
diff --git a/net-vpn/i2pd/files/i2pd-2.6.0-r3.service b/net-vpn/i2pd/files/i2pd-2.6.0-r3.service
new file mode 100644
index 000000000000..6821a00552df
--- /dev/null
+++ b/net-vpn/i2pd/files/i2pd-2.6.0-r3.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=C++ daemon for accessing the I2P network
+After=network.target
+
+[Service]
+Type=forking
+Restart=on-abnormal
+PIDFile=/run/i2pd/i2pd.pid
+User=i2pd
+Group=i2pd
+LimitNOFILE=4096
+PermissionsStartOnly=yes
+ExecStartPre=/bin/mkdir -p /run/i2pd
+ExecStartPre=/bin/chown i2pd:i2pd /run/i2pd
+ExecStartPre=/bin/touch /run/i2pd/i2pd.pid /var/log/i2pd.log
+ExecStartPre=/bin/chown i2pd:i2pd /run/i2pd/i2pd.pid /var/log/i2pd.log
+ExecStart=/usr/bin/i2pd --daemon --service --pidfile=/run/i2pd/i2pd.pid --log=file --logfile=/var/log/i2pd.log --conf=/etc/i2pd/i2pd.conf --tunconf=/etc/i2pd/tunnels.conf
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/net-vpn/i2pd/i2pd-2.11.0.ebuild b/net-vpn/i2pd/i2pd-2.11.0.ebuild
new file mode 100644
index 000000000000..64023985fd56
--- /dev/null
+++ b/net-vpn/i2pd/i2pd-2.11.0.ebuild
@@ -0,0 +1,98 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit eutils systemd user cmake-utils
+
+DESCRIPTION="A C++ daemon for accessing the I2P anonymous network"
+HOMEPAGE="https://github.com/PurpleI2P/i2pd"
+SRC_URI="https://github.com/PurpleI2P/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="cpu_flags_x86_aes i2p-hardening libressl pch static +upnp"
+
+RDEPEND="!static? ( >=dev-libs/boost-1.49[threads]
+			!libressl? ( dev-libs/openssl:0[-bindist] )
+			libressl? ( dev-libs/libressl )
+			upnp? ( net-libs/miniupnpc )
+		)"
+DEPEND="${RDEPEND}
+	static? ( >=dev-libs/boost-1.49[static-libs,threads]
+		!libressl? ( dev-libs/openssl:0[static-libs] )
+		libressl? ( dev-libs/libressl[static-libs] )
+		upnp? ( net-libs/miniupnpc[static-libs] ) )
+	i2p-hardening? ( >=sys-devel/gcc-4.7 )
+	|| ( >=sys-devel/gcc-4.7 >=sys-devel/clang-3.3 )"
+
+I2PD_USER=i2pd
+I2PD_GROUP=i2pd
+
+CMAKE_USE_DIR="${S}/build"
+
+DOCS=( README.md docs/i2pd.conf docs/tunnels.conf )
+
+PATCHES=( "${FILESDIR}/${PN}-2.5.1-fix_installed_components.patch" )
+
+src_configure() {
+	mycmakeargs=(
+		-DWITH_AESNI=$(usex cpu_flags_x86_aes ON OFF)
+		-DWITH_HARDENING=$(usex i2p-hardening ON OFF)
+		-DWITH_PCH=$(usex pch ON OFF)
+		-DWITH_STATIC=$(usex static ON OFF)
+		-DWITH_UPNP=$(usex upnp ON OFF)
+		-DWITH_LIBRARY=ON
+		-DWITH_BINARY=ON
+	)
+	cmake-utils_src_configure
+}
+
+src_install() {
+	cmake-utils_src_install
+
+	# config
+	insinto /etc/i2pd
+	doins docs/i2pd.conf
+	doins docs/tunnels.conf
+
+	# grant i2pd group read and write access to config files
+	fowners "root:${I2PD_GROUP}" \
+		/etc/i2pd/i2pd.conf \
+		/etc/i2pd/tunnels.conf
+	fperms 660 \
+		/etc/i2pd/i2pd.conf \
+		/etc/i2pd/tunnels.conf
+
+	# working directory
+	keepdir /var/lib/i2pd
+	insinto /var/lib/i2pd
+	doins -r contrib/certificates
+	fowners "${I2PD_USER}:${I2PD_GROUP}" /var/lib/i2pd/
+	fperms 700 /var/lib/i2pd/
+
+	# add /var/lib/i2pd/certificates to CONFIG_PROTECT
+	doenvd "${FILESDIR}/99i2pd"
+
+	# openrc and systemd daemon routines
+	newconfd "${FILESDIR}/i2pd-2.6.0-r3.confd" i2pd
+	newinitd "${FILESDIR}/i2pd-2.6.0-r3.initd" i2pd
+	systemd_newunit "${FILESDIR}/i2pd-2.6.0-r3.service" i2pd.service
+
+	# logrotate
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}/i2pd-2.6.0-r3.logrotate" i2pd
+}
+
+pkg_setup() {
+	enewgroup "${I2PD_GROUP}"
+	enewuser "${I2PD_USER}" -1 -1 /var/lib/run/i2pd "${I2PD_GROUP}"
+}
+
+pkg_postinst() {
+	if [[ -f ${EROOT%/}/etc/i2pd/subscriptions.txt ]]; then
+		ewarn
+		ewarn "Configuration of the subscriptions has been moved from"
+		ewarn "subscriptions.txt to i2pd.conf. We recommend updating"
+		ewarn "i2pd.conf accordingly and deleting subscriptions.txt."
+	fi
+}
diff --git a/net-vpn/i2pd/i2pd-2.12.0.ebuild b/net-vpn/i2pd/i2pd-2.12.0.ebuild
new file mode 100644
index 000000000000..64023985fd56
--- /dev/null
+++ b/net-vpn/i2pd/i2pd-2.12.0.ebuild
@@ -0,0 +1,98 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit eutils systemd user cmake-utils
+
+DESCRIPTION="A C++ daemon for accessing the I2P anonymous network"
+HOMEPAGE="https://github.com/PurpleI2P/i2pd"
+SRC_URI="https://github.com/PurpleI2P/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="cpu_flags_x86_aes i2p-hardening libressl pch static +upnp"
+
+RDEPEND="!static? ( >=dev-libs/boost-1.49[threads]
+			!libressl? ( dev-libs/openssl:0[-bindist] )
+			libressl? ( dev-libs/libressl )
+			upnp? ( net-libs/miniupnpc )
+		)"
+DEPEND="${RDEPEND}
+	static? ( >=dev-libs/boost-1.49[static-libs,threads]
+		!libressl? ( dev-libs/openssl:0[static-libs] )
+		libressl? ( dev-libs/libressl[static-libs] )
+		upnp? ( net-libs/miniupnpc[static-libs] ) )
+	i2p-hardening? ( >=sys-devel/gcc-4.7 )
+	|| ( >=sys-devel/gcc-4.7 >=sys-devel/clang-3.3 )"
+
+I2PD_USER=i2pd
+I2PD_GROUP=i2pd
+
+CMAKE_USE_DIR="${S}/build"
+
+DOCS=( README.md docs/i2pd.conf docs/tunnels.conf )
+
+PATCHES=( "${FILESDIR}/${PN}-2.5.1-fix_installed_components.patch" )
+
+src_configure() {
+	mycmakeargs=(
+		-DWITH_AESNI=$(usex cpu_flags_x86_aes ON OFF)
+		-DWITH_HARDENING=$(usex i2p-hardening ON OFF)
+		-DWITH_PCH=$(usex pch ON OFF)
+		-DWITH_STATIC=$(usex static ON OFF)
+		-DWITH_UPNP=$(usex upnp ON OFF)
+		-DWITH_LIBRARY=ON
+		-DWITH_BINARY=ON
+	)
+	cmake-utils_src_configure
+}
+
+src_install() {
+	cmake-utils_src_install
+
+	# config
+	insinto /etc/i2pd
+	doins docs/i2pd.conf
+	doins docs/tunnels.conf
+
+	# grant i2pd group read and write access to config files
+	fowners "root:${I2PD_GROUP}" \
+		/etc/i2pd/i2pd.conf \
+		/etc/i2pd/tunnels.conf
+	fperms 660 \
+		/etc/i2pd/i2pd.conf \
+		/etc/i2pd/tunnels.conf
+
+	# working directory
+	keepdir /var/lib/i2pd
+	insinto /var/lib/i2pd
+	doins -r contrib/certificates
+	fowners "${I2PD_USER}:${I2PD_GROUP}" /var/lib/i2pd/
+	fperms 700 /var/lib/i2pd/
+
+	# add /var/lib/i2pd/certificates to CONFIG_PROTECT
+	doenvd "${FILESDIR}/99i2pd"
+
+	# openrc and systemd daemon routines
+	newconfd "${FILESDIR}/i2pd-2.6.0-r3.confd" i2pd
+	newinitd "${FILESDIR}/i2pd-2.6.0-r3.initd" i2pd
+	systemd_newunit "${FILESDIR}/i2pd-2.6.0-r3.service" i2pd.service
+
+	# logrotate
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}/i2pd-2.6.0-r3.logrotate" i2pd
+}
+
+pkg_setup() {
+	enewgroup "${I2PD_GROUP}"
+	enewuser "${I2PD_USER}" -1 -1 /var/lib/run/i2pd "${I2PD_GROUP}"
+}
+
+pkg_postinst() {
+	if [[ -f ${EROOT%/}/etc/i2pd/subscriptions.txt ]]; then
+		ewarn
+		ewarn "Configuration of the subscriptions has been moved from"
+		ewarn "subscriptions.txt to i2pd.conf. We recommend updating"
+		ewarn "i2pd.conf accordingly and deleting subscriptions.txt."
+	fi
+}
diff --git a/net-vpn/i2pd/metadata.xml b/net-vpn/i2pd/metadata.xml
new file mode 100644
index 000000000000..80f4f859ab46
--- /dev/null
+++ b/net-vpn/i2pd/metadata.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>kaikaikai@yandex.ru</email>
+		<name>Alexey Korepanov</name>
+	</maintainer>
+	<maintainer type="person">
+		<email>klondike@gentoo.org</email>
+		<name>Francisco Blas Izquierdo Riera</name>
+	</maintainer>
+	<maintainer type="person">
+		<email>blueness@gentoo.org</email>
+		<name>Anthony G. Basile</name>
+	</maintainer>
+	<maintainer type="person">
+		<email>tomboy64@sina.cn</email>
+		<name>Proxy maintainer. Please subscribe to bugs.</name>
+	</maintainer>
+	<use>
+		<flag name="i2p-hardening">
+			Compile with hardening on vanilla compilers/linkers
+		</flag>
+	</use>
+	<upstream>
+		<remote-id type="github">PurpleI2P/i2pd</remote-id>
+	</upstream>
+</pkgmetadata>
diff --git a/net-vpn/iodine/Manifest b/net-vpn/iodine/Manifest
new file mode 100644
index 000000000000..080608ceadf0
--- /dev/null
+++ b/net-vpn/iodine/Manifest
@@ -0,0 +1 @@
+DIST iodine-0.7.0.tar.gz 96181 SHA256 ad2b40acf1421316ec15800dcde0f587ab31d7d6f891fa8b9967c4ded93c013e SHA512 49fe4f0cf614d3400cbfdade84eb4f50430f8f92004f663a08acc1514e8ff342443a8c3f855828bbca1864a3fafe419b5256f8a80fc4024b364d4c8c953fc0ec WHIRLPOOL ac098f9a409c75768b6b2da0f755560ea932a97855df32aefe860237a28ebf1ef1b576860378575522221214d9dc65c26f0297fafe628ea770e4449217c5d593
diff --git a/net-vpn/iodine/files/iodine-0.7.0-TestMessage.patch b/net-vpn/iodine/files/iodine-0.7.0-TestMessage.patch
new file mode 100644
index 000000000000..6b814b6f2d74
--- /dev/null
+++ b/net-vpn/iodine/files/iodine-0.7.0-TestMessage.patch
@@ -0,0 +1,12 @@
+--- iodine-0.7.0/Makefile
++++ iodine-0.7.0/Makefile
+@@ -35,8 +35,7 @@
+ 	$(RM) $(RM_FLAGS) $(DESTDIR)$(mandir)/man8/iodine.8
+ 
+ test: all
+-	@echo "!! The check library is required for compiling and running the tests"
+-	@echo "!! Get it at http://check.sf.net"
++	@echo "Executing tests target"
+ 	@(cd tests; $(MAKE) TARGETOS=$(TARGETOS) all)
+ 
+ clean:
diff --git a/net-vpn/iodine/files/iodine-0.7.0-new-systemd.patch b/net-vpn/iodine/files/iodine-0.7.0-new-systemd.patch
new file mode 100644
index 000000000000..e18b64a086fe
--- /dev/null
+++ b/net-vpn/iodine/files/iodine-0.7.0-new-systemd.patch
@@ -0,0 +1,16 @@
+diff --git a/src/osflags b/src/osflags
+index 9eda8f0..0f8a26c 100755
+--- a/src/osflags
++++ b/src/osflags
+@@ -19,7 +19,7 @@ link)
+ 		Linux)
+ 			FLAGS="";
+ 			[ -e /usr/include/selinux/selinux.h ] && FLAGS="$FLAGS -lselinux";
+-			[ -e /usr/include/systemd/sd-daemon.h ] && FLAGS="$FLAGS -lsystemd-daemon";
++			[ -e /usr/include/systemd/sd-daemon.h ] && FLAGS="$FLAGS $(pkg-config --libs libsystemd)";
+ 			echo $FLAGS;
+ 		;;
+ 	esac
+-- 
+1.9.3
+
diff --git a/net-vpn/iodine/files/iodined-1.init b/net-vpn/iodine/files/iodined-1.init
new file mode 100644
index 000000000000..edee6c6ac31a
--- /dev/null
+++ b/net-vpn/iodine/files/iodined-1.init
@@ -0,0 +1,61 @@
+#!/sbin/openrc-run
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+PID_FILE="/run/iodined.pid"
+
+depend() {
+	need net
+}
+
+start() {
+	ebegin "Starting iodined"
+	ARGS=""
+	if [ "$IODINED_USER" ]; then
+		ARGS="$ARGS -u $IODINED_USER"
+	fi
+	if [ "$IODINED_CHROOT" ]; then
+		ARGS="$ARGS -t $IODINED_CHROOT"
+	fi
+	if [ "$IODINED_MTU" ]; then
+		ARGS="$ARGS -m $IODINED_MTU"
+	fi
+	if [ "$IODINED_LISTENPORT" ]; then
+		ARGS="$ARGS -p $IODINED_LISTENPORT"
+	fi
+	if [ "$IODINED_EXTERN_IP" ]; then
+		ARGS="$ARGS -n $IODINED_EXTERN_IP"
+	fi
+	if [ "$IODINED_LOCAL_DNS_PORT" ]; then
+		ARGS="$ARGS -b $IODINED_LOCAL_DNS_PORT"
+	fi
+	if [ "$IODINED_LISTENIP" ]; then
+		ARGS="$ARGS -l $IODINED_LISTENIP"
+	fi
+	if [ "$IODINED_PASSWD" ]; then
+		ARGS="$ARGS -P $IODINED_PASSWD"
+	else
+		eerror "Please set a password (IODINED_PASSWD) in /etc/conf.d/iodined!"
+		return 1
+	fi
+	if [ "$IODINED_IP" ]; then
+		ARGS="$ARGS $IODINED_IP"
+	else
+		eerror "Please set an IP (IODINED_IP) in /etc/conf.d/iodined!"
+		return 1
+	fi
+	if [ "$IODINED_DOMAIN" ]; then
+		ARGS="$ARGS $IODINED_DOMAIN"
+	else
+		eerror "Please set a domain (IODINED_DOMAIN) in /etc/conf.d/iodined!"
+		return 1
+	fi
+	start-stop-daemon --start --exec /usr/sbin/iodined --pidfile $PID_FILE -- -F $PID_FILE $ARGS
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping iodined"
+	start-stop-daemon --stop --exec /usr/sbin/iodined --pidfile $PID_FILE
+	eend $?
+}
diff --git a/net-vpn/iodine/files/iodined.conf b/net-vpn/iodine/files/iodined.conf
new file mode 100644
index 000000000000..7889b0892eea
--- /dev/null
+++ b/net-vpn/iodine/files/iodined.conf
@@ -0,0 +1,44 @@
+# /etc/conf.d/iodined: config file for /etc/init.d/iodined
+
+# Drop privileges to this user after startup
+# This is used by the -u argument. Comment out to keep running as root.
+IODINED_USER="nobody"
+
+# Chroot to this directory after startup
+# This is used by the -t argument. Comment out to avoid chroot.
+IODINED_CHROOT="/var/empty"
+
+# This password needs to be used in all clients when they connect
+# This is used by the -P argument
+IODINED_PASSWD=""
+
+# This is the MTU (Max Transmit Unit) used in the tunnel.
+# You probably dont need this field at all, downstream data will
+# now be fragmented. This is used by the -m argument
+#IODINED_MTU=1020
+
+# The server port to listen on. You should normally not change this.
+# See man page. This is used by the -p argument
+#IODINED_LISTENPORT=53
+
+# The IP address to return as reply to NS queries. If not set, it will
+# be the destination address of the query. Used by the -n argument
+#IODINED_EXTERN_IP=1.1.1.1
+
+# The port used by a "real" DNS server on localhost. Queries for
+# domains not handled by iodined will be forwarded to this port,
+# and answers will be routed back. Used by the -b argument
+#IODINED_LOCAL_DNS_PORT=5353
+
+# The IP number to listen on.
+# This is used by the -l argument
+#IODINED_LISTENIP=127.0.0.1
+
+# This IP number will be used by the local tun device.
+IODINED_IP="172.28.0.1"
+
+# Use subdomains to this domain for network tunneling
+# If a real domain is used, it should be delegated to this server with 
+# a NS entry in the domain zone (see man page)
+IODINED_DOMAIN="blah.abc"
+
diff --git a/net-vpn/iodine/iodine-0.7.0-r2.ebuild b/net-vpn/iodine/iodine-0.7.0-r2.ebuild
new file mode 100644
index 000000000000..a45c117fe2a1
--- /dev/null
+++ b/net-vpn/iodine/iodine-0.7.0-r2.ebuild
@@ -0,0 +1,51 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+inherit linux-info eutils toolchain-funcs
+
+DESCRIPTION="IP over DNS tunnel"
+HOMEPAGE="http://code.kryo.se/iodine/"
+SRC_URI="http://code.kryo.se/${PN}/${P}.tar.gz"
+
+CONFIG_CHECK="~TUN"
+
+LICENSE="ISC GPL-2" #GPL-2 for init script bug #426060
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="test"
+
+RDEPEND="sys-libs/zlib"
+DEPEND="${RDEPEND}
+	test? ( dev-libs/check )"
+
+src_prepare(){
+	epatch "${FILESDIR}"/${P}-TestMessage.patch
+	epatch "${FILESDIR}"/${P}-new-systemd.patch
+
+	sed -e '/^\s@echo \(CC\|LD\)/d' \
+		-e 's:^\(\s\)@:\1:' \
+		-i {,src/}Makefile || die
+
+	tc-export CC
+}
+
+src_compile() {
+	#shipped ./Makefiles doesn't pass -j<n> to submake
+	emake -C src TARGETOS=Linux all
+}
+
+src_install() {
+	#don't re-run submake
+	sed -e '/^install:/s: all: :' \
+		-i Makefile || die
+	emake prefix="${EPREFIX}"usr DESTDIR="${D}" install
+
+	dodoc CHANGELOG README TODO
+
+	newinitd "${FILESDIR}"/iodined-1.init iodined
+	newconfd "${FILESDIR}"/iodined.conf iodined
+	keepdir /var/empty
+	fperms 600 /etc/conf.d/iodined
+}
diff --git a/net-vpn/iodine/metadata.xml b/net-vpn/iodine/metadata.xml
new file mode 100644
index 000000000000..073848fe4147
--- /dev/null
+++ b/net-vpn/iodine/metadata.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>root@kryo.se</email>
+		<name>Erik Ekman</name>
+	</maintainer>
+	<maintainer type="person">
+		<email>zx2c4@gentoo.org</email>
+		<name>Jason A. Donenfeld</name>
+	</maintainer>
+	<maintainer type="project">
+		<email>proxy-maint@gentoo.org</email>
+		<name>Proxy Maintainers</name>
+	</maintainer>
+	<longdescription>iodine lets you tunnel IPv4 data through a DNS server. This can be usable in different situations where internet access is firewalled, but DNS queries are allowed</longdescription>
+</pkgmetadata>
diff --git a/net-vpn/isatapd/Manifest b/net-vpn/isatapd/Manifest
new file mode 100644
index 000000000000..e74c4cf5662d
--- /dev/null
+++ b/net-vpn/isatapd/Manifest
@@ -0,0 +1 @@
+DIST isatapd-0.9.7.tar.gz 111524 SHA256 927e1bb5fff4582723c642b41561c5ee6d57b15d05c19ea00c589168898897fa SHA512 3ddfc8385b666ec8c0552c7b46841f2b5e8ebb5d9aa3119a9a6d4cacea728cb81dced802d51b7c98da4bbb839de6fe68ef1bc5f62914b48638b6f168fc06100a WHIRLPOOL 8f5cde92cf61ef2cd1c0027802a18ec0aba8e8c0935be30650c62a22f011e03e255976e4858a7490844ab55afee6e83303f616e95fb72c13c61db8ad8e7895a4
diff --git a/net-vpn/isatapd/files/isatapd.service-r2 b/net-vpn/isatapd/files/isatapd.service-r2
new file mode 100644
index 000000000000..8d695eda35ca
--- /dev/null
+++ b/net-vpn/isatapd/files/isatapd.service-r2
@@ -0,0 +1,15 @@
+[Unit]
+Description=ISATAP Client for Linux
+After=network.target nss-lookup.target
+
+[Service]
+ExecStart=/usr/sbin/isatapd ${DAEMON_OPTS} \
+	--interval ${ISATAP_INTERVAL} \
+	--name ${ISATAP_NAME} \
+	--link ${ISATAP_LINK} \
+	--mtu ${ISATAP_MTU} \
+	--check-dns ${ISATAP_CHECK_DNS} \
+	${ISATAP_ROUTERS}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-vpn/isatapd/files/isatapd.service.conf b/net-vpn/isatapd/files/isatapd.service.conf
new file mode 100644
index 000000000000..87fe0be4a23d
--- /dev/null
+++ b/net-vpn/isatapd/files/isatapd.service.conf
@@ -0,0 +1,30 @@
+[Service]
+# A space separated list of one or more hostnames/IPv4 addresses to use as
+# potential routers.
+# The default is the unqualified hostname 'isatap'
+Environment="ISATAP_ROUTERS=isatap"
+
+# Interval in seconds to send router solicitations.
+# Default (unset): 'auto'
+Environment="ISATAP_INTERVAL=auto"
+
+# Interval in seconds to check for DNS changes. Set to 0 to disable.
+# Default: 3600
+Environment="ISATAP_CHECK_DNS=3600"
+
+# Link tunnel to device
+# Default (unset): automatically find outgoing device
+Environment="ISATAP_LINK=auto"
+
+# The name of the ISATAP tunnel device
+# Default is 'is0' if ISATAP_LINK is unset and 'is_${ISATAP_LINK}' otherwise.
+Environment="ISATAP_NAME=auto"
+
+# IPv6 MTU of the created ISATAP tunnel interface. The IPv4 path to
+# the ISATAP router and all other ISATAP clients should be able to
+# handle at least MTU+20 bytes. 
+# The minimum IPv6 MTU (1280 Bytes) is the safest choice here
+Environment="ISATAP_MTU=1280"
+
+# Additional options, see isatapd(8) for details
+Environment="DAEMON_OPTS="
diff --git a/net-vpn/isatapd/isatapd-0.9.7-r2.ebuild b/net-vpn/isatapd/isatapd-0.9.7-r2.ebuild
new file mode 100644
index 000000000000..9474bf9461e8
--- /dev/null
+++ b/net-vpn/isatapd/isatapd-0.9.7-r2.ebuild
@@ -0,0 +1,34 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+inherit linux-info systemd
+
+DESCRIPTION="creates and maintains an ISATAP tunnel (rfc5214)"
+HOMEPAGE="http://www.saschahlusiak.de/linux/isatap.htm"
+SRC_URI="http://www.saschahlusiak.de/linux/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 x86"
+IUSE=""
+
+DEPEND=""
+RDEPEND=""
+
+CONFIG_CHECK="~TUN"
+ERROR_TUN="CONFIG_TUN is needed for isatapd to work"
+
+src_prepare() {
+	sed -e '/^opts/s:opts:extra_started_commands:' \
+		-i openrc/isatapd.init.d || die
+}
+
+src_install() {
+	default
+
+	newinitd openrc/isatapd.init.d isatapd
+	newconfd openrc/isatapd.conf.d isatapd
+	systemd_newunit "${FILESDIR}"/${PN}.service-r2 ${PN}.service
+	systemd_install_serviced "${FILESDIR}"/${PN}.service.conf
+}
diff --git a/net-vpn/isatapd/metadata.xml b/net-vpn/isatapd/metadata.xml
new file mode 100644
index 000000000000..a535b8852829
--- /dev/null
+++ b/net-vpn/isatapd/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer type="person">
+<email>xmw@gentoo.org</email>
+<name>Michael Weber</name>
+</maintainer>
+</pkgmetadata>
diff --git a/net-vpn/miredo/Manifest b/net-vpn/miredo/Manifest
new file mode 100644
index 000000000000..3eb6bd6e06be
--- /dev/null
+++ b/net-vpn/miredo/Manifest
@@ -0,0 +1,2 @@
+DIST miredo-1.2.5.tar.xz 474236 SHA256 9d6c6aacfbde0e152481273cda4dc9a62f8724c4c941fa8e0806e89ab9992262 SHA512 94bc71b7093783ad103a0aceb95ad3de1739e4ec1d763b3c6cea9bb1768f55359448957f623ee3f966955c555bb9f71ff0216d9d4e8d2ff244bb058731702c70 WHIRLPOOL 45b38f19fc50bb5661dcc51166c721c507d70b29072c7a2c3195c093ec91259dfbcdc40e3889f5242af79cf2f04fb7fdb3e48f7bd2cc15d6262813891fa9624c
+DIST miredo-1.2.6.tar.xz 477668 SHA256 fa26d2f4a405415833669e2e2e22677b225d8f83600844645d5683535ea43149 SHA512 9cbc604aecde566f921834a220be7675981e1c603cbcc81c3e2e9c58fdcdae2e78ec6ffc180939d5b8f6d7598ba3967270532b2c0c04de8b688a86c436719caf WHIRLPOOL 5b2723568e1cc583e15b32dbb578c12438ba30802bc1e11a912829c010d655d8a867f8070e1b9a4a2c1c910ca4abc1ef6109d87372f382e8787d4514d035d513
diff --git a/net-vpn/miredo/files/miredo-1.2.5-configure-libcap.diff b/net-vpn/miredo/files/miredo-1.2.5-configure-libcap.diff
new file mode 100644
index 000000000000..cffdbf1e562e
--- /dev/null
+++ b/net-vpn/miredo/files/miredo-1.2.5-configure-libcap.diff
@@ -0,0 +1,33 @@
+--- configure.ac.ori	2012-06-14 21:55:13.756603416 +0200
++++ configure.ac	2012-06-14 23:12:01.425399836 +0200
+@@ -150,16 +150,23 @@
+ 
+ # POSIX capabilities
+ LIBCAP=""
+-AC_CHECK_HEADERS([sys/capability.h], [
+-	AC_CHECK_LIB(cap, cap_set_proc, [
+-		LIBCAP="-lcap"
+-		AC_DEFINE(HAVE_LIBCAP, 1,
+-			  [Define to 1 if you have the `cap' library (-lcap).])
+-	])
++AC_ARG_WITH(libcap,
++  AS_HELP_STRING([--with-libcap], [enable POSIX 1003.1e capabilities]),
++    with_libcap=$withval,
++    with_libcap=auto)
++AC_MSG_CHECKING([whether to enable POSIX 1003.1e capabilities])
++AC_MSG_RESULT($with_libcap)
++
++AS_IF([test "x$with_libcap" != "xno"], [
++  AC_CHECK_HEADERS([sys/capability.h])
++  AC_CHECK_LIB(cap, cap_set_proc, [
++    LIBCAP="-lcap"
++    AC_DEFINE(HAVE_LIBCAP, 1,
++      [Define to 1 if you have the cap library (-lcap).])
++  ])
+ ])
+ AC_SUBST(LIBCAP)
+ 
+-
+ # Judy
+ AC_ARG_WITH(Judy,
+ 	    [AS_HELP_STRING(--with-Judy,
diff --git a/net-vpn/miredo/files/miredo-1.2.5-ip-path.patch b/net-vpn/miredo/files/miredo-1.2.5-ip-path.patch
new file mode 100644
index 000000000000..1d7b0fc39f6e
--- /dev/null
+++ b/net-vpn/miredo/files/miredo-1.2.5-ip-path.patch
@@ -0,0 +1,28 @@
+Index: miredo-1.2.5/misc/client-hook.iproute
+===================================================================
+--- miredo-1.2.5.orig/misc/client-hook.iproute
++++ miredo-1.2.5/misc/client-hook.iproute
+@@ -5,7 +5,10 @@
+ # Distributed under the terms of the GNU General Public License version 2.
+ 
+ # Linux iproute2 path:
+-IP="/sbin/ip"
++IP="ip"
++
++test -x "/sbin/ip" && IP=/sbin/ip
++test -x "/bin/ip" && IP=/bin/ip
+ 
+ # Linux default route default metric is 1024
+ # (we put 1029 so that Teredo is used as a last resort):
+@@ -23,11 +26,6 @@ PRIO=32765
+ # (default: specified by the Teredo server, or 1280)
+ #MTU=1400
+ 
+-if ! test -x "$IP"; then
+-	echo "$0: iproute2 is required! Please install it." >&2
+-	exit 1
+-fi
+-
+ # Nothing to do with destroy event
+ if test "$STATE" = "destroy"; then exit 0; fi
+ 
diff --git a/net-vpn/miredo/files/miredo.conf.2 b/net-vpn/miredo/files/miredo.conf.2
new file mode 100644
index 000000000000..f4ef08a23112
--- /dev/null
+++ b/net-vpn/miredo/files/miredo.conf.2
@@ -0,0 +1,2 @@
+# Options to pass to the daemon
+EXTRA_OPTS=""
diff --git a/net-vpn/miredo/files/miredo.rc.2 b/net-vpn/miredo/files/miredo.rc.2
new file mode 100644
index 000000000000..c0ae6d0d1495
--- /dev/null
+++ b/net-vpn/miredo/files/miredo.rc.2
@@ -0,0 +1,13 @@
+#!/sbin/openrc-run
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+	need localmount
+	after net modules
+	use dns logger
+}
+
+command=/usr/sbin/${SVCNAME}
+command_args="${MIREDO_OPTS}"
+pidfile=/var/run/${SVCNAME}.pid
diff --git a/net-vpn/miredo/metadata.xml b/net-vpn/miredo/metadata.xml
new file mode 100644
index 000000000000..52ee8970cb99
--- /dev/null
+++ b/net-vpn/miredo/metadata.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer type="person">
+  <email>xmw@gentoo.org</email>
+  <name>Michael Weber</name>
+</maintainer>
+<longdescription lang="en">
+Miredo is an open-source Teredo IPv6 tunneling software, for Linux and the 
+BSD operating systems. It includes functional implementations of all 
+components of the Teredo specification (client, relay and server). It is 
+meant to provide IPv6 connectivity even from behind NAT devices.
+</longdescription>
+</pkgmetadata>
diff --git a/net-vpn/miredo/miredo-1.2.5-r2.ebuild b/net-vpn/miredo/miredo-1.2.5-r2.ebuild
new file mode 100644
index 000000000000..74773d853de8
--- /dev/null
+++ b/net-vpn/miredo/miredo-1.2.5-r2.ebuild
@@ -0,0 +1,60 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=4
+
+inherit autotools eutils linux-info user
+
+DESCRIPTION="Miredo is an open-source Teredo IPv6 tunneling software"
+HOMEPAGE="http://www.remlab.net/miredo/"
+SRC_URI="http://www.remlab.net/files/${PN}/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 x86"
+IUSE="+caps"
+
+RDEPEND="sys-apps/iproute2
+	dev-libs/judy
+	caps? ( sys-libs/libcap )"
+DEPEND="${RDEPEND}
+	app-arch/xz-utils"
+
+CONFIG_CHECK="~IPV6" #318777
+
+#tries to connect to external networks (#339180)
+RESTRICT="test"
+
+DOCS=( AUTHORS ChangeLog NEWS README TODO THANKS )
+
+src_prepare() {
+	epatch "${FILESDIR}"/${P}-configure-libcap.diff
+	epatch "${FILESDIR}"/${P}-ip-path.patch
+	eautoreconf
+}
+
+src_configure() {
+	econf \
+		--disable-static \
+		--enable-miredo-user \
+		--localstatedir=/var \
+		$(use_with caps libcap)
+}
+
+src_install() {
+	default
+	prune_libtool_files
+
+	newinitd "${FILESDIR}"/miredo.rc.2 miredo
+	newconfd "${FILESDIR}"/miredo.conf.2 miredo
+	newinitd "${FILESDIR}"/miredo.rc.2 miredo-server
+	newconfd "${FILESDIR}"/miredo.conf.2 miredo-server
+
+	insinto /etc/miredo
+	doins misc/miredo-server.conf
+}
+
+pkg_preinst() {
+	enewgroup miredo
+	enewuser miredo -1 -1 /var/empty miredo
+}
diff --git a/net-vpn/miredo/miredo-1.2.6.ebuild b/net-vpn/miredo/miredo-1.2.6.ebuild
new file mode 100644
index 000000000000..63494b5abd31
--- /dev/null
+++ b/net-vpn/miredo/miredo-1.2.6.ebuild
@@ -0,0 +1,60 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=4
+
+inherit autotools eutils linux-info user
+
+DESCRIPTION="Miredo is an open-source Teredo IPv6 tunneling software"
+HOMEPAGE="http://www.remlab.net/miredo/"
+SRC_URI="http://www.remlab.net/files/${PN}/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 x86"
+IUSE="+caps"
+
+RDEPEND="sys-apps/iproute2
+	dev-libs/judy
+	caps? ( sys-libs/libcap )"
+DEPEND="${RDEPEND}
+	app-arch/xz-utils"
+
+CONFIG_CHECK="~IPV6" #318777
+
+#tries to connect to external networks (#339180)
+RESTRICT="test"
+
+DOCS=( AUTHORS ChangeLog NEWS README TODO THANKS )
+
+src_prepare() {
+	epatch "${FILESDIR}"/${PN}-1.2.5-configure-libcap.diff
+	epatch "${FILESDIR}"/${PN}-1.2.5-ip-path.patch
+	eautoreconf
+}
+
+src_configure() {
+	econf \
+		--disable-static \
+		--enable-miredo-user \
+		--localstatedir=/var \
+		$(use_with caps libcap)
+}
+
+src_install() {
+	default
+	prune_libtool_files
+
+	newinitd "${FILESDIR}"/miredo.rc.2 miredo
+	newconfd "${FILESDIR}"/miredo.conf.2 miredo
+	newinitd "${FILESDIR}"/miredo.rc.2 miredo-server
+	newconfd "${FILESDIR}"/miredo.conf.2 miredo-server
+
+	insinto /etc/miredo
+	doins misc/miredo-server.conf
+}
+
+pkg_preinst() {
+	enewgroup miredo
+	enewuser miredo -1 -1 /var/empty miredo
+}
diff --git a/net-vpn/nstx/Manifest b/net-vpn/nstx/Manifest
new file mode 100644
index 000000000000..ee371c6c8439
--- /dev/null
+++ b/net-vpn/nstx/Manifest
@@ -0,0 +1,2 @@
+DIST nstx-1.1-beta6.tgz 20458 SHA256 57a1962a66e9cb64fe70839d852c56cd253092260eab589a8173740b75b21450 SHA512 93aa795446d1fe38239559c5a82e595ed59b37ab8ab674b1cb80c6a079ecb9e14bef87b670febe77920560239001206da4ce4875092ff5334770eb1f3447d45f WHIRLPOOL 058cda5a036446e6009250830b65929b4d22ad73507e874df2a84a72a2b595d4da54568e46545c1d7e476797e07ff3e9af9e78032751a4275cded81e28209036
+DIST nstx_1.1-beta6-5.diff.gz 10063 SHA256 ee301d0bee2a3e44f576a6c8cf1534878264f6d79a489eae5ca7237262cd0d32 SHA512 32cfada863154b83217195d3423ecb9367c7f6e56877feed197dc59fa6497fa295cbb76eeb694e658baa346beb2e288c3a45233dae9419a613d759025829a306 WHIRLPOOL 1b1dfdec95032488294b33ef1dfa39a2482ec7a6df2fb8c6c57ce84284f7e0789a74a8d7a06d31d31633acbbe3836e49bef9a91b96fe305face22b4bcc082050
diff --git a/net-vpn/nstx/files/nstx-1.1_beta6_00-linux-tuntap.patch b/net-vpn/nstx/files/nstx-1.1_beta6_00-linux-tuntap.patch
new file mode 100644
index 000000000000..524fd705a86e
--- /dev/null
+++ b/net-vpn/nstx/files/nstx-1.1_beta6_00-linux-tuntap.patch
@@ -0,0 +1,465 @@
+diff -ru nstx-1.1-beta6.orig/nstx_tuntap.c nstx-1.1-beta6/nstx_tuntap.c
+--- nstx-1.1-beta6.orig/nstx_tuntap.c	2009-03-16 05:31:24.000000000 +0000
++++ nstx-1.1-beta6/nstx_tuntap.c	2009-03-16 22:45:28.000000000 +0000
+@@ -19,13 +19,15 @@
+ 
+ #ifdef linux
+ #include <linux/if_tun.h>
+-#define TUNDEV "/dev/net/tun"
++#define TUNINT "tun0"
++#define TUNDEVNODE "/dev/net/tun"
+ #else
+ #	include <net/if_tun.h>
++#	define TUNINT "NULL?"
+ #	if __FreeBSD_version < 500000
+-#		define TUNDEV "/dev/tun2"
++#		define TUNDEVNODE "/dev/tun2"
+ #	else
+-#		define TUNDEV "/dev/tun"
++#		define TUNDEVNODE "/dev/tun"
+ #	endif
+ #endif
+ 
+@@ -33,127 +35,135 @@
+ 
+ #define MAXPKT 2000
+ 
+-#define TAPDEV "/dev/tap0"
++#define TAPINT "tap0"
++#define TAPDEVNODE "/dev/net/tun"
+ 
+ int tfd = -1, nfd = -1;
+ static char dev[IFNAMSIZ+1];
+ 
+-static int tun_alloc (const char *path);
++static int tun_alloc (const char * interface, const char * device_node);
++static int tap_alloc (const char * interface, const char * device_node);
++
+ #ifdef linux
+-static int tap_alloc (const char *path);
++static int tuntap_alloc_linux(const char * interface, const char * device_node,
++        int mode);
++#else
++static int tun_alloc_bsd(const char * interface, const char * device_node);
+ #endif
+ 
+ void
+-open_tuntap(const char *device)
++open_tuntap(const char * interface, const char * device_node, int tun)
+ {
+-   int	tunerr;
+-#ifdef linux
+-   int	taperr;
+-#endif
++   int err;
++
++   if (!interface)
++       interface = (tun ? TUNINT : TAPINT);
++
++   if (!device_node)
++       device_node = (tun ? TUNDEVNODE : TAPDEVNODE);
++
++   fprintf(stderr, "Opening %s interface %s at %s... ", tun ? "tun" : "tap",
++           interface, device_node);
++
++   err = (tun ? tun_alloc(interface, device_node) : tap_alloc(interface,
++               device_node));
++
++   if (!err) {
++       fprintf(stderr, "using interface %s\n", dev);
++
++       if (tun)
++           fprintf(stderr, "you will now need to assign an ip and routing to "
++                   "this interface\n");
++       else
++           fprintf(stderr, "you will now need to add bridging or other rules "
++                   "to this interface\n");
++       return;
++   }
+    
+-   fprintf(stderr, "Opening tun/tap-device... ");
+-   if ((tunerr = tun_alloc(device ? device : TUNDEV))
++   fprintf(stderr, "failed! (%s)\n", strerror(err));
++
++   fprintf(stderr, "Diagnostics: ");
++
++   if (err == EPERM)
++       fprintf(stderr, "you usually have to be root to use nstx.\n");
++   else if (err == ENOENT)
++       fprintf(stderr, "maybe you need kernel support -- did you modprobe "
++               "tap?\n");
++   else if (err == ENODEV)
++       fprintf(stderr, "maybe you need kernel support -- did you modprobe "
++               "tap?\n");
+ #ifdef linux
+-	&& (taperr = tap_alloc(device ? device : TAPDEV))
++#else
++   else if ((err == EINVAL) && !tun)
++       fprintf(stderr, "tap support is only available under linux\n");
+ #endif
+-   ) {
+-      fprintf(stderr, "failed!\n"
+-	              "Diagnostics:\nTun ("TUNDEV"): ");
+-      switch (tunerr) {
+-       case EPERM:
+-	 fprintf(stderr, "Permission denied. You usually have to "
+-		         "be root to use nstx.\n");
+-	 break;
+-       case ENOENT:
+-	 fprintf(stderr, TUNDEV " not found. Please create /dev/net/ and\n"
+-		 "     mknod /dev/net/tun c 10 200 to use the tun-device\n");
+-	 break;
+-       case ENODEV:
+-	 fprintf(stderr, "Device not available. Make sure you have "
+-		 "kernel-support\n     for the tun-device. Under linux, you "
+-		 "need tun.o (Universal tun/tap-device)\n");
+-	 break;
+-       default:
+-	 perror("Unexpected error");
+-	 break;
+-      }
+-      fprintf(stderr, "Tap ("TAPDEV"):\n(only available under linux)\n");
++   else
++       fprintf(stderr, "none, sorry\n");
++
++   exit(EXIT_FAILURE);
++}
++
++int tun_alloc(const char * interface, const char * device_node) 
++{
+ #ifdef linux
+-      switch (taperr) {
+-       case EPERM:
+-	 fprintf(stderr, "Permission denied. You generally have to "
+-		 "be root to use nstx.\n");
+-	 break;
+-       case ENOENT:
+-	 fprintf(stderr, TAPDEV " not found. Please\n"
+-		 "     mknod /dev/tap0 c 36 16 to use the tap-device\n");
+-	 break;
+-       case ENODEV:
+-	 fprintf(stderr, "Device not available. Make sure you have kernel-support\n"
+-		 "     for the tap-device. Under linux, you need netlink_dev.o and ethertap.o\n");
+-	 break;
+-       default:
+-	 fprintf(stderr, "Unexpected error: %s\n", strerror(taperr));
+-	 break;
+-      }
++    return tuntap_alloc_linux(interface, device_node, IFF_TUN);
++#else
++    return tun_alloc_bsd(interface, device_node);
+ #endif
+-      exit(EXIT_FAILURE);
+-   }
+-   
+-   fprintf(stderr, "using device %s\n"
+-	  "Please configure this device appropriately (IP, routes, etc.)\n", dev);
+ }
+ 
+-int
+-tun_alloc (const char *path) 
++int tap_alloc(const char * interface, const char * device_node) 
+ {
+ #ifdef linux
+-   struct ifreq ifr;
++    return tuntap_alloc_linux(interface, device_node, IFF_TAP);
+ #else
+-   struct stat st;
++    return EINVAL;
+ #endif
+- 
+-   if ((tfd = open(path, O_RDWR)) < 0)
+-     return errno;
++}
+ 
+ #ifdef linux
+-   memset(&ifr, 0, sizeof(ifr));
++
++int tuntap_alloc_linux(const char * interface, const char * device_node,
++        int mode)
++{
++    struct ifreq ifr;
++
++    if ((tfd = open(device_node, O_RDWR)) < 0)
++        return errno;
++
++    memset(&ifr, 0, sizeof(ifr));
+    
+-   ifr.ifr_flags = IFF_TUN|IFF_NO_PI;
++    ifr.ifr_flags = mode | IFF_NO_PI;
++    strncpy(ifr.ifr_name, interface, sizeof(ifr.ifr_name));
++    ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = 0;
+    
+-   if (ioctl(tfd, TUNSETIFF, (void *) &ifr) < 0)
+-     {
+-	close(tfd);
+-	tfd = -1;
+-	return errno;
+-     }
+-   strncpy(dev, ifr.ifr_name, IFNAMSIZ+1);
+-#else
+-   fstat(tfd, &st);
+-   strncpy(dev, devname(st.st_rdev, S_IFCHR), IFNAMSIZ+1);
+-#endif
++    if (ioctl(tfd, TUNSETIFF, (void *) &ifr) < 0) {
++        close(tfd);
++        tfd = -1;
++        return errno;
++    }
++
++    strncpy(dev, ifr.ifr_name, IFNAMSIZ+1);
+    
+-   return 0;
++    return 0;
+ }
+ 
++#else /* bsd */
+ 
+-#ifdef linux
+-int
+-tap_alloc(const char *path)
++int tun_alloc_bsd(const char * interface, const char * device_node)
+ {
+-   char *ptr;
+-   
+-   if ((tfd = open(path, O_RDWR)) < 0)
++   struct stat st;
++
++   if ((tfd = open(device_node, O_RDWR)) < 0)
+      return errno;
+-   
+-   if ((ptr = strrchr(path, '/')))
+-     strncpy(dev, ptr+1, IFNAMSIZ+1);
+-   else
+-     strncpy(dev, path, IFNAMSIZ+1);
++
++   fstat(tfd, &st);
++   strncpy(dev, devname(st.st_rdev, S_IFCHR), IFNAMSIZ+1);
+    
+    return 0;
+ }
+-#endif
++
++#endif /* linux/bsd */
+ 
+ void
+ open_ns(const char *ip)
+diff -ru nstx-1.1-beta6.orig/nstxcd.8 nstx-1.1-beta6/nstxcd.8
+--- nstx-1.1-beta6.orig/nstxcd.8	2009-03-16 05:31:24.000000000 +0000
++++ nstx-1.1-beta6/nstxcd.8	2009-03-16 23:16:21.000000000 +0000
+@@ -3,7 +3,7 @@
+ nstxcd \- IP over DNS tunneling client
+ 
+ .SH SYNOPSIS
+-.B "nstxcd \fIDOMAIN\fR \fIIPADDRESS\fR"
++.B "nstxcd \fIOPTIONS\fR \fIDOMAIN\fR \fIIPADDRESS\fR"
+ 
+ .SH DESCRIPTION
+ .B nstxcd
+@@ -13,6 +13,14 @@
+ .SH OPTIONS
+ .B nstxcd
+ takes the following options:
++.IP \-I tun/tap interface
++Use this tun/tap interface instead of the default (tun0/tap0)
++.IP \-d tun/tap device node
++Use this tun/tap device node instead of the default (/dev/net/tun on Linux)
++.IP \-t
++Tun mode (default)
++.IP \-T
++Tap mode
+ .IP "domain"
+ The domain that nstxcd will send requests to. This domain must be delegated
+ to a machine that is running nstxd.
+@@ -22,9 +30,9 @@
+ .SH USAGE
+ .Bnstxcd
+ should be run against a domain that has been delegated to a machine running
+-nstxd. It will then take any packets that are sent to the tun0 interface and
+-send them over DNS to the other tunnel endpoint. Responses will appear on 
+-the tun0 interface.
++nstxd. It will then take any packets that are sent to the tun/tap interface and
++send them over DNS to the other tunnel endpoint. Responses will appear on the
++tun/tap interface.
+ 
+ .SH AUTHORS
+ 
+diff -ru nstx-1.1-beta6.orig/nstxcd.c nstx-1.1-beta6/nstxcd.c
+--- nstx-1.1-beta6.orig/nstxcd.c	2009-03-16 05:31:24.000000000 +0000
++++ nstx-1.1-beta6/nstxcd.c	2009-03-16 23:16:07.000000000 +0000
+@@ -55,25 +55,44 @@
+ static void
+ usage(const char *prog, int code)
+ {
+-	fprintf(stderr, "Usage: %s [-d tun-device] <domainname> <dns-server>\n"
+-	    "Example: %s tun.yomama.com 125.23.53.12\n", prog, prog);
++	fprintf(stderr, "Usage: %s [options] <domainname> <dns-server>\n"
++	    "Where options are:\n"
++	    "\t-d path (use this tun/tap device node instead of default)\n"
++	    "\t-I interface (use this tun/tap interface instead of default)\n"
++#ifdef linux
++	    "\t-t (tun mode, default)\n"
++	    "\t-T (tap mode)\n"
++#endif
++	    "example:\n"
++	    "%s tun.yomama.com 125.23.53.12\n", prog, prog);
+ 	exit(code);
+ }
+ 
+ int main (int argc, char * argv[]) {
+   struct nstxmsg *msg;
+-  const char	*device = NULL;
++  const char	*interface = NULL;
++  const char	*device_node = NULL;
+   int 		 ch;
++  int tun = 1;
+ 
+   nsid = time(NULL);
+  
+   if (argc < 3)
+ 	usage(argv[0], EX_USAGE);
+ 
+-  while ((ch = getopt(argc, argv, "hd:")) != -1) {
++  while ((ch = getopt(argc, argv, "hd:I:tT")) != -1) {
+ 	switch (ch) {
++	case 'I':
++		interface = optarg;
++		break;
+ 	case 'd':
+-		device = optarg;
++		device_node = optarg;
++		break;
++	case 't':
++        tun = 1;
++		break;
++	case 'T':
++        tun = 0;
+ 		break;
+ 	case 'h':
+ 		usage(argv[0], 0);
+@@ -85,7 +104,7 @@
+   dns_setsuffix(argv[optind]);
+ 
+   qsettimeout(10);
+-  open_tuntap(device);
++  open_tuntap(interface, device_node, tun);
+   open_ns(argv[optind + 1]);
+ 
+   for (;;) {
+diff -ru nstx-1.1-beta6.orig/nstxd.8 nstx-1.1-beta6/nstxd.8
+--- nstx-1.1-beta6.orig/nstxd.8	2009-03-16 05:31:24.000000000 +0000
++++ nstx-1.1-beta6/nstxd.8	2009-03-16 23:16:32.000000000 +0000
+@@ -3,7 +3,7 @@
+ nstxd \- IP over DNS tunneling daemon
+ 
+ .SH SYNOPSIS
+-.B "nstxd \fIOPTION\fR \fIDOMAIN\fR"
++.B "nstxd \fIOPTIONS\fR \fIDOMAIN\fR"
+ 
+ .SH DESCRIPTION
+ .B nstxd
+@@ -14,8 +14,14 @@
+ .SH OPTIONS
+ .B nstxd
+ takes the following option:
+-.IP \-d tun-device
+-Use this tun device instead of tun0
++.IP \-I tun/tap interface
++Use this tun/tap interface instead of the default (tun0/tap0)
++.IP \-d tun/tap device node
++Use this tun/tap device node instead of the default (/dev/net/tun on linux)
++.IP \-t
++Tun mode (default)
++.IP \-T
++Tap mode
+ .IP \-i ipaddr
+ Bind to this IP address rather than every available address
+ .IP \-C dir
+@@ -33,9 +39,9 @@
+ .SH USAGE
+ A domain should be delegated to the machine that will run nstxd. nstxd should
+ then be run giving that domain as the only argument. nstxd will then listen
+-for requests and translate them into IP packets that will appear on the tun0
+-interface. Packets sent to the tun0 interface will be transferred back to
+-the client as DNS answers.
++for requests and translate them into IP packets that will appear on the given
++tun/tap interface. Packets sent to the tun/tap interface will be transferred
++back to the client as DNS answers.
+ 
+ .SH AUTHORS
+ 
+diff -ru nstx-1.1-beta6.orig/nstxd.c nstx-1.1-beta6/nstxd.c
+--- nstx-1.1-beta6.orig/nstxd.c	2009-03-16 05:31:24.000000000 +0000
++++ nstx-1.1-beta6/nstxd.c	2009-03-16 23:15:30.000000000 +0000
+@@ -55,7 +55,12 @@
+ {
+ 	fprintf (stderr, "usage: %s [options] <domainname>\n"
+ 	    "Where options are:\n"
+-	    "\t-d tun-device (use this tun/tap device instead of default\n"
++	    "\t-d path (use this tun/tap device node instead of default)\n"
++	    "\t-I interface (use this tun/tap interface instead of default)\n"
++#ifdef linux
++	    "\t-t (tun mode, default)\n"
++	    "\t-T (tap mode)\n"
++#endif
+ 	    "\t-i ip.to.bi.nd (bind to port 53 on this IP only)\n"
+ 	    "\t-C dir (chroot() to this directory after initialization)\n"
+ 	    "\t-D (call daemon(3) to detach from terminal)\n"
+@@ -68,13 +73,15 @@
+ 
+ int main (int argc, char *argv[]) {
+    signed char	 ch;
+-   const char	*device = NULL, *dir = NULL;
++   const char	*interface = NULL, *dir = NULL;
++   const char	*device_node = NULL;
+    in_addr_t	 bindto = INADDR_ANY;
+    uid_t	 uid = 0;
+    int		 daemonize = 0;
+    int		 logmask = LOG_UPTO(LOG_INFO);
++   int tun = 1;
+    
+-   while ((ch = getopt(argc, argv, "gDC:u:hd:i:")) != -1) {
++   while ((ch = getopt(argc, argv, "gDC:u:hd:I:i:tT")) != -1) {
+ 	switch(ch) {
+ 	case 'i':
+ 		bindto = inet_addr(optarg);
+@@ -84,8 +91,17 @@
+ 			exit(EX_USAGE);
+ 		}
+ 		break;
++	case 'I':
++		interface = optarg;
++		break;
+ 	case 'd':
+-		device = optarg;
++		device_node = optarg;
++		break;
++	case 't':
++        tun = 1;
++		break;
++	case 'T':
++        tun = 0;
+ 		break;
+ 	case 'D':
+ 		daemonize = 1;
+@@ -121,7 +137,7 @@
+ 
+    dns_setsuffix(argv[optind]);
+    
+-   open_tuntap(device);
++   open_tuntap(interface, device_node, tun);
+    open_ns_bind(bindto);
+    
+    if (dir) {
+diff -ru nstx-1.1-beta6.orig/nstxfun.h nstx-1.1-beta6/nstxfun.h
+--- nstx-1.1-beta6.orig/nstxfun.h	2009-03-16 05:31:24.000000000 +0000
++++ nstx-1.1-beta6/nstxfun.h	2009-03-16 22:40:44.000000000 +0000
+@@ -52,7 +52,7 @@
+ 
+ /* DNS */
+ 
+-void open_tuntap (const char *device);
++void open_tuntap (const char * interface, const char * device_node, int tun);
+ void open_ns (const char *ip);
+ void open_ns_bind(in_addr_t ip);
+ 
diff --git a/net-vpn/nstx/files/nstx-1.1_beta6_01-bind-interface-name.patch b/net-vpn/nstx/files/nstx-1.1_beta6_01-bind-interface-name.patch
new file mode 100644
index 000000000000..0d65f0f6d68b
--- /dev/null
+++ b/net-vpn/nstx/files/nstx-1.1_beta6_01-bind-interface-name.patch
@@ -0,0 +1,134 @@
+diff -ru nstx-1.1-beta6.tuntap/Makefile nstx-1.1-beta6/Makefile
+--- nstx-1.1-beta6.tuntap/Makefile	2009-03-16 23:22:11.000000000 +0000
++++ nstx-1.1-beta6/Makefile	2009-03-16 23:27:09.000000000 +0000
+@@ -1,9 +1,9 @@
+ CFLAGS += -ggdb -Wall -Werror -Wsign-compare 
+ 
+-NSTXD_SRCS = nstxd.c nstx_encode.c nstx_pstack.c nstx_dns.c nstx_tuntap.c nstx_queue.c
++NSTXD_SRCS = nstxd.c nstx_encode.c nstx_pstack.c nstx_dns.c nstx_tuntap.c nstx_queue.c nstx_util.c
+ NSTXD_OBJS = ${NSTXD_SRCS:.c=.o}
+ 
+-NSTXCD_SRCS = nstxcd.c nstx_encode.c nstx_pstack.c nstx_dns.c nstx_tuntap.o nstx_queue.c
++NSTXCD_SRCS = nstxcd.c nstx_encode.c nstx_pstack.c nstx_dns.c nstx_tuntap.o nstx_queue.c nstx_util.c
+ NSTXCD_OBJS = ${NSTXCD_SRCS:.c=.o}
+ 
+ PROGS = nstxd nstxcd
+diff -ru nstx-1.1-beta6.tuntap/nstx_util.c nstx-1.1-beta6/nstx_util.c
+--- nstx-1.1-beta6.tuntap/nstx_util.c	2004-06-27 21:43:34.000000000 +0000
++++ nstx-1.1-beta6/nstx_util.c	2009-03-16 23:28:37.000000000 +0000
+@@ -27,6 +27,10 @@
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
++#include <net/if.h>
++#include <sys/ioctl.h>
++#include <arpa/inet.h>
++#include <errno.h>
+ 
+ #include "nstxfun.h"
+ 
+@@ -48,6 +52,48 @@
+    close(fd);
+ }
+ 
++static int iface_addr(const char * name, in_addr_t * result) {
++    int r, s;
++    struct ifreq ifr;
++    struct sockaddr_in * sin;
++    
++    s = socket(AF_INET, SOCK_DGRAM, 0);
++
++    if (s < 0) {
++        perror("socket");
++        return s;
++    }
++
++    strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name));
++    ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = 0;
++
++    r = ioctl(s, SIOCGIFADDR, &ifr);
++
++    if (r < 0) {
++        perror("ioctl(SIOCGIFADDR)");
++        return r;
++    }
++
++    sin = (struct sockaddr_in *)&ifr.ifr_addr;
++    *result = sin->sin_addr.s_addr;
++
++    if (*result == INADDR_ANY || *result == INADDR_NONE) {
++        fprintf(stderr, "interface %s has no assigned address\n", name);
++        return -EINVAL;
++    }
++
++    return 0;
++}
++
++int addr_convert(const char * s, in_addr_t * result) {
++    *result = inet_addr(s);
++
++    if (*result != INADDR_NONE)
++        return 0;
++
++    return iface_addr(s, result);
++}
++
+ #ifdef WITH_PKTDUMP
+ void
+ pktdump (const char *prefix, unsigned short id, const char *data,
+diff -ru nstx-1.1-beta6.tuntap/nstxd.8 nstx-1.1-beta6/nstxd.8
+--- nstx-1.1-beta6.tuntap/nstxd.8	2009-03-16 23:23:46.000000000 +0000
++++ nstx-1.1-beta6/nstxd.8	2009-03-16 23:29:59.000000000 +0000
+@@ -22,8 +22,8 @@
+ Tun mode (default)
+ .IP \-T
+ Tap mode
+-.IP \-i ipaddr
+-Bind to this IP address rather than every available address
++.IP \-i ipaddr|interface
++Bind to this IP address or interface rather than every available address
+ .IP \-C dir
+ Chroot to this directory on startup
+ .IP \-D
+diff -ru nstx-1.1-beta6.tuntap/nstxd.c nstx-1.1-beta6/nstxd.c
+--- nstx-1.1-beta6.tuntap/nstxd.c	2009-03-16 23:23:46.000000000 +0000
++++ nstx-1.1-beta6/nstxd.c	2009-03-16 23:32:45.000000000 +0000
+@@ -61,7 +61,7 @@
+ 	    "\t-t (tun mode, default)\n"
+ 	    "\t-T (tap mode)\n"
+ #endif
+-	    "\t-i ip.to.bi.nd (bind to port 53 on this IP only)\n"
++	    "\t-i ip|interface (bind to port 53 on this IP/interface only)\n"
+ 	    "\t-C dir (chroot() to this directory after initialization)\n"
+ 	    "\t-D (call daemon(3) to detach from terminal)\n"
+ 	    "\t-g (enable debug messages)\n"
+@@ -80,14 +80,15 @@
+    int		 daemonize = 0;
+    int		 logmask = LOG_UPTO(LOG_INFO);
+    int tun = 1;
++   int r;
+    
+    while ((ch = getopt(argc, argv, "gDC:u:hd:I:i:tT")) != -1) {
+ 	switch(ch) {
+ 	case 'i':
+-		bindto = inet_addr(optarg);
+-		if (bindto == INADDR_NONE) {
+-			fprintf(stderr, "`%s' is not an IP-address\n",
+-			    optarg);
++        r = addr_convert(optarg, &bindto);
++        if (r < 0) {
++            fprintf(stderr, "couldn't use interface %s: %s\n", optarg,
++                    strerror(-r));
+ 			exit(EX_USAGE);
+ 		}
+ 		break;
+diff -ru nstx-1.1-beta6.tuntap/nstxfun.h nstx-1.1-beta6/nstxfun.h
+--- nstx-1.1-beta6.tuntap/nstxfun.h	2009-03-16 23:23:46.000000000 +0000
++++ nstx-1.1-beta6/nstxfun.h	2009-03-16 23:28:37.000000000 +0000
+@@ -102,4 +102,6 @@
+ void pktdump (const char *, unsigned short, const char *, size_t, int);
+ #endif
+ 
++int addr_convert(const char *, in_addr_t *);
++
+ #endif /* _NSTXHDR_H */
diff --git a/net-vpn/nstx/files/nstx-1.1_beta6_02-warn-on-frag.patch b/net-vpn/nstx/files/nstx-1.1_beta6_02-warn-on-frag.patch
new file mode 100644
index 000000000000..251ad583150b
--- /dev/null
+++ b/net-vpn/nstx/files/nstx-1.1_beta6_02-warn-on-frag.patch
@@ -0,0 +1,22 @@
+Only in nstx-1.1-beta6.orig/: nstx_dns.o
+Only in nstx-1.1-beta6.orig/: nstx_encode.o
+Only in nstx-1.1-beta6.orig/: nstx_pstack.o
+diff -ru nstx-1.1-beta6.orig/nstx_tuntap.c nstx-1.1-beta6/nstx_tuntap.c
+--- nstx-1.1-beta6.orig/nstx_tuntap.c	2009-03-16 23:56:02.000000000 +0000
++++ nstx-1.1-beta6/nstx_tuntap.c	2009-03-17 00:06:00.000000000 +0000
+@@ -274,7 +274,13 @@
+ sendtun(const char *data, size_t len)
+ {
+ //   printf("Sent len %d, csum %d\n", len, checksum(data, len));
+-   write(tfd, data, len);
++   size_t w = write(tfd, data, len);
++
++   if (w < len) {
++       fprintf(stderr, "packet was descrutively fragmented! (len=%zd, "
++           "wrote=%zd)\n",
++           len, w);
++   }
+ }
+ 
+ void
+Only in nstx-1.1-beta6.orig/: nstxd.o
diff --git a/net-vpn/nstx/files/nstx-1.1_beta6_03-delete-dwrite.patch b/net-vpn/nstx/files/nstx-1.1_beta6_03-delete-dwrite.patch
new file mode 100644
index 000000000000..e943fa106b73
--- /dev/null
+++ b/net-vpn/nstx/files/nstx-1.1_beta6_03-delete-dwrite.patch
@@ -0,0 +1,18 @@
+diff -ru nstx-1.1-beta6.orig/nstx_util.c nstx-1.1-beta6/nstx_util.c
+--- nstx-1.1-beta6.orig/nstx_util.c	2009-03-17 00:08:18.000000000 +0000
++++ nstx-1.1-beta6/nstx_util.c	2009-03-17 00:08:37.000000000 +0000
+@@ -44,14 +44,6 @@
+    return x;
+ }
+ 
+-void dwrite (char *path, char *buf, int len) {
+-   int fd;
+-   
+-   fd = open(path, O_RDWR|O_CREAT|O_TRUNC, 0600);
+-   write(fd, buf, len);
+-   close(fd);
+-}
+-
+ static int iface_addr(const char * name, in_addr_t * result) {
+     int r, s;
+     struct ifreq ifr;
diff --git a/net-vpn/nstx/files/nstx-1.1_beta6_04-delete-werror.patch b/net-vpn/nstx/files/nstx-1.1_beta6_04-delete-werror.patch
new file mode 100644
index 000000000000..35f7d0199b9d
--- /dev/null
+++ b/net-vpn/nstx/files/nstx-1.1_beta6_04-delete-werror.patch
@@ -0,0 +1,9 @@
+diff -ru nstx-1.1-beta6.orig/Makefile nstx-1.1-beta6/Makefile
+--- nstx-1.1-beta6.orig/Makefile	2009-03-17 03:29:43.000000000 +0000
++++ nstx-1.1-beta6/Makefile	2009-03-17 03:29:53.000000000 +0000
+@@ -1,4 +1,4 @@
+-CFLAGS += -ggdb -Wall -Werror -Wsign-compare 
++CFLAGS += -ggdb -Wall -Wsign-compare 
+ 
+ NSTXD_SRCS = nstxd.c nstx_encode.c nstx_pstack.c nstx_dns.c nstx_tuntap.c nstx_queue.c nstx_util.c
+ NSTXD_OBJS = ${NSTXD_SRCS:.c=.o}
diff --git a/net-vpn/nstx/files/nstx-1.1_beta6_05-respect-ldflags.patch b/net-vpn/nstx/files/nstx-1.1_beta6_05-respect-ldflags.patch
new file mode 100644
index 000000000000..47edb029edb9
--- /dev/null
+++ b/net-vpn/nstx/files/nstx-1.1_beta6_05-respect-ldflags.patch
@@ -0,0 +1,19 @@
+Respects LDFLAGS
+
+http://bugs.gentoo.org/show_bug.cgi?id=323919
+
+--- nstx-1.1-beta6/Makefile
++++ nstx-1.1-beta6/Makefile
+@@ -11,10 +11,10 @@
+ all: $(PROGS)
+ 
+ nstxd: $(NSTXD_OBJS)
+-	$(CC) $(CFLAGS) -o nstxd $(NSTXD_OBJS)
++	$(CC) $(CFLAGS) $(LDFLAGS) -o nstxd $(NSTXD_OBJS)
+ 
+ nstxcd: $(NSTXCD_OBJS)
+-	$(CC) $(CFLAGS) -o nstxcd $(NSTXCD_OBJS)
++	$(CC) $(CFLAGS) $(LDFLAGS) -o nstxcd $(NSTXCD_OBJS)
+ 
+ clean:
+ 	rm -f *.o $(PROGS) Makefile.bak *~ core
diff --git a/net-vpn/nstx/files/nstxcd.conf b/net-vpn/nstx/files/nstxcd.conf
new file mode 100644
index 000000000000..a04b9d09571e
--- /dev/null
+++ b/net-vpn/nstx/files/nstxcd.conf
@@ -0,0 +1,46 @@
+# /etc/conf.d/nstxcd: config file for /etc/init.d/nstxcd
+
+# DOMAIN is the DNS domain which will be the base for NSTX tunneling. You must
+# set up this domain such that its nameserver points to this machine. For
+# example, if your tunnel domain is "tunnelhere.example.com", the nameserver for
+# example.com should have the following record:
+#
+# tunnelhere.example.com    IN  NS  this.machine.example.com
+#DOMAIN="tunnelhere.example.com"
+
+# Set to "TUN" for TUN (IP/layer-3) mode, or "TAP" for TAP (ethernet/layer-2)
+# mode. You must use the same mode your server is using, or you will send and
+# receive only garbage.
+MODE="TUN"
+
+# This will be the virtual TUN/TAP interface created by nstxcd. If unset,
+# defaults to tun0 or tap0. Note that no IP configuration will be supplied by
+# nstxd -- you must do this yourself using net scripts.
+#TUNTAP_INTERFACE=tun53
+
+# The DNS server where nstxcd will send queries. This is not necessarily the
+# same server as the one where the nstxd server is running. What constitutes a
+# good choice here depends on your situation: if you can send DNS queries to an
+# arbitrary address on the Internet, you could simply point straight to the
+# instance of nstxd, if you know its IP address. If you don't, you might use a
+# public DNS server, like one of the ones hosted by Level3 (4.2.2.1-4.2.2.6),
+# although it is almost certainly better to set up your nstxd server instance
+# with dynamic DNS so you can always find it.
+#
+# If you are constrained to sending DNS queries to a DHCP-provided server on
+# your local LAN, your only choice is to point to that server. This will always
+# work, but may yield limited performance relative to directly talking to nstxd
+# or talking via a high-performance DNS server.
+#
+# If you leave DNS_SERVER unset, the init script will select the first
+# nameserver from resolv.conf. This is the most fault-tolerant configuration.
+#DNS_SERVER=""
+
+# This option contains a space-separated list of interfaces that should be up
+# before we start. It's convenient to put your DHCP-facing address in here, so
+# autodetection of DNS_SERVER from resolv.conf will work.
+#NEED_INTERFACES=""
+
+# Other miscellaneous options to pass to nstxcd (man 7 nstxcd for details)
+#NSTXCD_OPTS=""
+
diff --git a/net-vpn/nstx/files/nstxcd.init b/net-vpn/nstx/files/nstxcd.init
new file mode 100644
index 000000000000..444358970731
--- /dev/null
+++ b/net-vpn/nstx/files/nstxcd.init
@@ -0,0 +1,103 @@
+#!/sbin/openrc-run
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# (Written  by Phillip Berndt <phillip.berndt at gmail dot com>)
+# (Modified by Steven Brudenell <steven dot brudenell at gmail>)
+
+depend() {
+    local iface
+
+    for iface in ${NEED_INTERFACES} ; do
+        need net.${iface}
+    done
+
+    # If the user set TUNTAP_INTERFACE, they probably have a net script
+    # configuring that interface. nstxcd is responsible for actually creating
+    # the stupid thing, so we need to run before the config.
+    if [ ! -z ${TUNTAP_INTERFACE} ] ; then
+        if [ -x /etc/init.d/net.${TUNTAP_INTERFACE} ] ; then 
+            before net.${TUNTAP_INTERFACE}
+        fi
+    fi
+}
+
+loadtun() {
+	if [ ! -e /dev/net/tun ]
+	then
+		ebegin "Loading TUN/TAP kernel module"
+		modprobe -q tun
+		eend $?
+	fi
+
+	if [ ! -e /dev/net/tun ]
+	then
+		eend 1 "Failed to load TUN driver! (did you compile your kernel with TUN/TAP support?)"
+		return 1
+	fi
+
+	return 0
+}
+
+checkconfig() {
+	if [ -z "${DOMAIN}" ] ; then
+        eerror "DOMAIN must be set"
+        return 1
+    fi
+
+    [ -z "${TUNTAP_INTERFACE}" ] || NSTXCD_OPTS="${NSTXCD_OPTS} -I ${TUNTAP_INTERFACE}"
+    [ -z "${TUNTAP_DEVICE}" ]    || NSTXCD_OPTS="${NSTXCD_OPTS} -d ${TUNTAP_DEVICE}"
+
+    case "${MODE}" in
+    TUN)
+        NSTXCD_OPTS="${NSTXCD_OPTS} -t"
+        ;;
+    TAP)
+        NSTXCD_OPTS="${NSTXCD_OPTS} -T"
+        ;;
+    *)
+        eerror "MODE must be either TUN or TAP"
+        return 1
+        ;;
+    esac
+
+    if [ -z "${DNS_SERVER}" ] ; then
+        DNS_SERVER=`awk '/^nameserver/{ print $2; exit; }' /etc/resolv.conf`
+
+        if [ -z "${DNS_SERVER}" ] ; then
+            eerror "DNS_SERVER not set, and couldn't determine a nameserver from /etc/resolv.conf"
+            return 1
+        fi
+		export DNS_SERVER
+    fi
+
+    return 0
+}
+
+start() {
+    checkconfig || return 1
+
+    loadtun || return 1
+
+	ebegin "Starting nstxcd"
+
+	start-stop-daemon \
+        --start \
+        --background \
+        --make-pidfile \
+        --exec /usr/sbin/nstxcd \
+        --pidfile "/var/run/nstxcd.pid" \
+        -- ${NSTXCD_OPTS} ${DOMAIN} ${DNS_SERVER}
+
+    eend $?
+}
+
+stop() {
+	ebegin "Stopping nstxcd"
+
+	start-stop-daemon \
+        --stop \
+        --exec /usr/sbin/nstxcd \
+        --pidfile "/var/run/nstxcd.pid"
+
+	eend $?
+}
diff --git a/net-vpn/nstx/files/nstxd.conf b/net-vpn/nstx/files/nstxd.conf
new file mode 100644
index 000000000000..4d3365a7142d
--- /dev/null
+++ b/net-vpn/nstx/files/nstxd.conf
@@ -0,0 +1,35 @@
+# /etc/conf.d/nstxd: config file for /etc/init.d/nstxd
+
+# DOMAIN is the DNS domain which will be the base for NSTX tunneling. You must
+# set up this domain such that its nameserver points to this machine. For
+# example, if your tunnel domain is "tunnelhere.example.com", the nameserver for
+# example.com should have the following record:
+#
+# tunnelhere.example.com    IN  NS  this.machine.example.com
+#DOMAIN="tunnelhere.example.com"
+
+# Set to "TUN" for TUN (IP/layer-3) mode, or "TAP" for TAP (ethernet/layer-2)
+# mode. Your clients must run in the same mode, or you will send and receive
+# only garbage.
+MODE="TUN"
+
+# This will be the virtual TUN/TAP interface created by nstxd. If unset,
+# defaults to tun0 or tap0. Note that no IP configuration will be supplied by
+# nstxd -- you must do this yourself using net scripts.
+#TUNTAP_INTERFACE=tun53
+
+# Interface to bind to, instead of binding to all available interfaces. You can
+# supply either an interface name or IP address here. Useful if you run an
+# internal DNS server but want to run NSTX on your external interface. Note that
+# nstxd always binds to port 53.
+#BIND_INTERFACE=eth1
+#BIND_INTERFACE=1.2.3.4
+
+# Chroot to this directory after startup
+#CHROOT=/dev/null
+
+# Drop privileges to this user after startup
+#NSTXD_USER=nstxd
+
+# Other miscellaneous options to pass to nstxd (man 7 nstxd for details)
+#NSTXD_OPTS=""
diff --git a/net-vpn/nstx/files/nstxd.init b/net-vpn/nstx/files/nstxd.init
new file mode 100644
index 000000000000..2bf2a4133251
--- /dev/null
+++ b/net-vpn/nstx/files/nstxd.init
@@ -0,0 +1,94 @@
+#!/sbin/openrc-run
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# (Written  by Phillip Berndt <phillip.berndt at gmail dot com>)
+# (Modified by Steven Brudenell <steven dot brudenell at gmail>)
+
+depend() {
+    if [ ! -z "${BIND_INTERFACE}" ] ; then
+        if [ -x /etc/init.d/net.${BIND_INTERFACE} ] ; then
+            need net.${BIND_INTERFACE}
+        fi
+    fi
+
+    # If the user set TUNTAP_INTERFACE, they probably have a net script
+    # configuring that interface. nstxcd is responsible for actually creating
+    # the stupid thing, so we need to run before the config.
+    if [ ! -z "${TUNTAP_INTERFACE}" ] ; then
+        if [ -x /etc/init.d/net.${TUNTAP_INTERFACE} ] ; then
+            before net.${TUNTAP_INTERFACE}
+        fi
+    fi
+}
+
+loadtun() {
+	if [ ! -e /dev/net/tun ]
+	then
+		ebegin "Loading TUN/TAP kernel module"
+		modprobe -q tun
+		eend $?
+	fi
+
+	if [ ! -e /dev/net/tun ]
+	then
+		eend 1 "Failed to load TUN driver! (did you compile your kernel with TUN/TAP support?)"
+		return 1
+	fi
+
+	return 0
+}
+
+checkconfig() {
+	if [ -z "${DOMAIN}" ] ; then
+        eerror "DOMAIN must be set"
+        return 1
+    fi
+
+    [ -z "${TUNTAP_INTERFACE}" ] || NSTXD_OPTS="${NSTXD_OPTS} -I ${TUNTAP_INTERFACE}"
+    [ -z "${TUNTAP_DEVICE}" ]    || NSTXD_OPTS="${NSTXD_OPTS} -d ${TUNTAP_DEVICE}"
+    [ -z "${BIND_INTERFACE}" ]   || NSTXD_OPTS="${NSTXD_OPTS} -i ${BIND_INTERFACE}"
+    [ -z "${CHROOT}" ]           || NSTXD_OPTS="${NSTXD_OPTS} -C ${CHROOT}"
+    [ -z "${NSTXD_USER}" ]       || NSTXD_OPTS="${NSTXD_OPTS} -u ${NSTXD_USER}"
+
+    case "${MODE}" in
+    TUN)
+        NSTXD_OPTS="${NSTXD_OPTS} -t"
+        ;;
+    TAP)
+        NSTXD_OPTS="${NSTXD_OPTS} -T"
+        ;;
+    *)
+        eerror "MODE must be either TUN or TAP"
+        return 1
+        ;;
+    esac
+}
+
+start() {
+    checkconfig || return 1
+
+    loadtun || return 1
+
+	ebegin "Starting nstxd"
+
+	start-stop-daemon \
+        --start \
+        --background \
+        --make-pidfile \
+        --exec /usr/sbin/nstxd \
+        --pidfile "/var/run/nstxd.pid" \
+        -- ${NSTXD_OPTS} ${DOMAIN}
+
+    eend $?
+}
+
+stop() {
+	ebegin "Stopping nstxd"
+
+	start-stop-daemon \
+        --stop \
+        --exec /usr/sbin/nstxd \
+        --pidfile "/var/run/nstxd.pid"
+
+	eend $?
+}
diff --git a/net-vpn/nstx/metadata.xml b/net-vpn/nstx/metadata.xml
new file mode 100644
index 000000000000..79d462e85571
--- /dev/null
+++ b/net-vpn/nstx/metadata.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer type="person">
+  <email>robbat2@gentoo.org</email>
+</maintainer>
+</pkgmetadata>
diff --git a/net-vpn/nstx/nstx-1.1_beta6-r3.ebuild b/net-vpn/nstx/nstx-1.1_beta6-r3.ebuild
new file mode 100644
index 000000000000..05ca76aca0d5
--- /dev/null
+++ b/net-vpn/nstx/nstx-1.1_beta6-r3.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+inherit versionator toolchain-funcs eutils linux-info
+
+MY_PV=$(replace_version_separator 2 - "${PV}")
+MY_P="${PN}-${MY_PV}"
+DEBIAN_PV="5"
+DEBIAN_A="${PN}_${MY_PV}-${DEBIAN_PV}.diff.gz"
+
+DESCRIPTION="IP over DNS tunnel"
+SRC_URI="http://dereference.de/nstx/${MY_P}.tgz
+		mirror://debian/pool/main/${PN:0:1}/${PN}/${DEBIAN_A}"
+HOMEPAGE="http://dereference.de/nstx/"
+DEPEND="virtual/os-headers"
+KEYWORDS="amd64 x86"
+IUSE=""
+LICENSE="GPL-2"
+SLOT="0"
+S="${WORKDIR}/${MY_P}"
+
+CONFIG_CHECK="~TUN"
+
+src_unpack() {
+	unpack "${MY_P}.tgz"
+	epatch "${DISTDIR}"/${DEBIAN_A} \
+		"${FILESDIR}"/${PN}-1.1_beta6_00-linux-tuntap.patch \
+		"${FILESDIR}"/${PN}-1.1_beta6_01-bind-interface-name.patch \
+		"${FILESDIR}"/${PN}-1.1_beta6_02-warn-on-frag.patch \
+		"${FILESDIR}"/${PN}-1.1_beta6_03-delete-dwrite.patch \
+		"${FILESDIR}"/${PN}-1.1_beta6_04-delete-werror.patch \
+		"${FILESDIR}"/${PN}-1.1_beta6_05-respect-ldflags.patch
+}
+
+src_compile() {
+	emake CC="$(tc-getCC)" || die
+}
+
+src_install() {
+	into /usr
+	dosbin nstxcd nstxd || die
+	dodoc README Changelog || die
+	doman *.8 || die
+
+	newinitd "${FILESDIR}"/nstxd.init nstxd
+	newconfd "${FILESDIR}"/nstxd.conf nstxd
+	newinitd "${FILESDIR}"/nstxcd.init nstxcd
+	newconfd "${FILESDIR}"/nstxcd.conf nstxcd
+}
+
+pkg_postinst() {
+	einfo "Please read the documentation provided in"
+	einfo "  `find /usr/share/doc/${PF}/ -name 'README*'`"
+}
diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
new file mode 100644
index 000000000000..8ff6c084d0f2
--- /dev/null
+++ b/net-vpn/tor/Manifest
@@ -0,0 +1,5 @@
+DIST tor-0.2.8.12.tar.gz 5331785 SHA256 b35748f2839cf8ce9910b677ea873463495ac88689244c007ed038f6887f4aaf SHA512 b0cfa34914208bbb28f74178a87ece2a320a44606a94c35de715548fc5a3517cd3d9bf27512d9efe2f1c4685620a62ed591927f828e72fe5ac0a1fffa543eb26 WHIRLPOOL 342db1479f7c03ac3569b8b3bd86ca315fa7eb23dbb0e22d6f4490d399175b70cd398fc140eb42609b3c9656083ac99a7b6ce8d1eaa30530b6e4a3c20a1177ce
+DIST tor-0.2.9.10.tar.gz 5557586 SHA256 d611283e1fb284b5f884f8c07e7d3151016851848304f56cfdf3be2a88bd1341 SHA512 c18c4faf18406f04165136f0d70e6bc2896f3f02770beadaab5e7a99441d71b897ae3a14a046eaec99a1bd6d8ad7758b28f7d652588842b77621cdc95d4fb7e1 WHIRLPOOL 8a12ab4bd148c6cf57e4e21ae29ccff46b9f687a1646f4453b0ba312b97b78d0c2a428f3178f47e58ec012eb2edce53efff4e07d7f0418d7ccc4ded3856a84a0
+DIST tor-0.2.9.9.tar.gz 5534005 SHA256 33325d2b250fd047ba2ddc5d11c2190c4e2951f4b03ec48ebd8bf0666e990d43 SHA512 cbe7e1f3e503b945f150916b7147cf23d1c32c3660e15aecfe5e2f2baac3a241de665e6ce4e81b81229933eba7f02d4a86e8deeabf2378d40fa83a7036928c9b WHIRLPOOL 9fc83693ea3b0519354a6d1fde83d090b66a9738f67abd7be2f9c3a36e95df92968b6da6c8cecd97ad352c70aac62817a86efae2dd42129934c2e6b38577439c
+DIST tor-0.3.0.3-alpha.tar.gz 5738504 SHA256 739adb4a7ae1eb12582a667d56f7e8348123b1e00fe9d8a6159776df6dba7a87 SHA512 312b18599749252f8e66cc334481dfc8655f76717f02d3ecdcd7d278d43bc9e60e8464ab76d1a150adbb6a5468c1a03fff0db51f67ce12b9132bc772463a3849 WHIRLPOOL 2853eb585e608e098aee30fea7bf0f0c8175bc4ed1ad86a2511fc85a75bec2e8571dcf3a017986a73ceededff312c90650c83d44f7224e2de9d829f8d675c6e5
+DIST tor-0.3.0.4-rc.tar.gz 5757770 SHA256 32a7c0b322c61e15ce770f43715682f8b0be47844478387ddf8444cdf7c2f46f SHA512 21b335a973c9958c6c832ca171ac5e94c78379e365e4564289a623f264f8daab30be874a083ca3867364a6008c3b447080fad940dbbbda73f0cd3bb0dbf17d08 WHIRLPOOL af587ad1ce0c8fdac8eab65a9b7fb354abab700d967bddee9f2f647ffe7d630a5fd4cd0bb8f564ef62ccc2b482d87b83fe5f061da698504836ba997690417a10
diff --git a/net-vpn/tor/files/README.gentoo b/net-vpn/tor/files/README.gentoo
new file mode 100644
index 000000000000..35214ac6fbb5
--- /dev/null
+++ b/net-vpn/tor/files/README.gentoo
@@ -0,0 +1,8 @@
+We created a configuration file for tor, /etc/tor/torrc, but you can
+change it according to your needs.  Use the torrc.sample that is in
+that directory as a guide.  Also, to have privoxy work with tor
+just add the following line
+
+forward-socks4a / localhost:9050 .
+
+to /etc/privoxy/config.  Notice the . at the end!
diff --git a/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
new file mode 100644
index 000000000000..92eb03bb18ea
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
@@ -0,0 +1,31 @@
+diff -Nuar tor-0.2.7.4-rc.orig/src/config/torrc.sample.in tor-0.2.7.4-rc/src/config/torrc.sample.in
+--- tor-0.2.7.4-rc.orig/src/config/torrc.sample.in	2015-10-19 11:12:53.000000000 -0400
++++ tor-0.2.7.4-rc/src/config/torrc.sample.in	2015-10-21 21:18:49.151973113 -0400
+@@ -12,6 +12,11 @@
+ ## Tor will look for this file in various places based on your platform:
+ ## https://www.torproject.org/docs/faq#torrc
+ 
++## Default username and group the server will run as
++User tor
++
++PIDFile /var/run/tor/tor.pid
++
+ ## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
+ ## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
+ ## as a relay, and not make any local application connections yourself.
+@@ -42,6 +47,7 @@
+ #Log notice syslog
+ ## To send all messages to stderr:
+ #Log debug stderr
++Log warn syslog
+ 
+ ## Uncomment this to start the process in the background... or use
+ ## --runasdaemon 1 on the command line. This is ignored on Windows;
+@@ -51,6 +57,7 @@
+ ## The directory for keeping all the keys/etc. By default, we store
+ ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+ #DataDirectory @LOCALSTATEDIR@/lib/tor
++DataDirectory   /var/lib/tor/data
+ 
+ ## The port on which Tor will listen for local connections from Tor
+ ## controller applications, as documented in control-spec.txt.
diff --git a/net-vpn/tor/files/tor.conf b/net-vpn/tor/files/tor.conf
new file mode 100644
index 000000000000..188c041e5442
--- /dev/null
+++ b/net-vpn/tor/files/tor.conf
@@ -0,0 +1 @@
+d       /var/run/tor        0775    tor     tor     -       -
diff --git a/net-vpn/tor/files/tor.confd b/net-vpn/tor/files/tor.confd
new file mode 100644
index 000000000000..4195bf3237b2
--- /dev/null
+++ b/net-vpn/tor/files/tor.confd
@@ -0,0 +1,3 @@
+#
+# Set the file limit
+rc_ulimit="-n 30000"
diff --git a/net-vpn/tor/files/tor.initd-r8 b/net-vpn/tor/files/tor.initd-r8
new file mode 100644
index 000000000000..de9b66eb555b
--- /dev/null
+++ b/net-vpn/tor/files/tor.initd-r8
@@ -0,0 +1,37 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+command=/usr/bin/tor
+pidfile=/var/run/tor/tor.pid
+command_args="--hush --runasdaemon 1 --pidfile \"${pidfile}\""
+retry=${GRACEFUL_TIMEOUT:-60}
+stopsig=INT
+command_progress=yes
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+description="Anonymizing overlay network for TCP"
+description_checkconfig="Check for valid config file"
+description_reload="Reload the configuration"
+
+checkconfig() {
+	${command} --verify-config --hush > /dev/null 2>&1
+	if [ $? -ne 0 ] ; then
+		eerror "Tor configuration (/etc/tor/torrc) is not valid."
+		eerror "Example is in /etc/tor/torrc.sample"
+		return 1
+	fi
+}
+
+start_pre() {
+	checkconfig || return 1
+	checkpath -d -m 0755 -o tor:tor /var/run/tor
+}
+
+reload() {
+	checkconfig || return 1
+	ebegin "Reloading Tor configuration"
+	start-stop-daemon -s HUP --pidfile ${pidfile}
+	eend $?
+}
diff --git a/net-vpn/tor/files/tor.service b/net-vpn/tor/files/tor.service
new file mode 100644
index 000000000000..8fcc6740ed91
--- /dev/null
+++ b/net-vpn/tor/files/tor.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=The Onion Router
+
+[Service]
+ExecStartPre=/usr/bin/tor --verify-config -f /etc/tor/torrc
+ExecStart=/usr/bin/tor --RunAsDaemon 0 -f /etc/tor/torrc
+ExecReload=/bin/kill -HUP $MAINPID
+KillSignal=SIGINT
+TimeoutStopSec=32
+LimitNOFILE=30000
+
+# Hardening options:
+CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
+PrivateTmp = yes
+PrivateDevices = yes
+ProtectHome = yes
+ProtectSystem = full
+NoNewPrivileges = yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-vpn/tor/files/torrc-r1 b/net-vpn/tor/files/torrc-r1
new file mode 100644
index 000000000000..322a794aa1d5
--- /dev/null
+++ b/net-vpn/tor/files/torrc-r1
@@ -0,0 +1,7 @@
+#
+# Minimal torrc so tor will work out of the box
+#
+User tor
+PIDFile /var/run/tor/tor.pid
+Log notice syslog
+DataDirectory /var/lib/tor/data
diff --git a/net-vpn/tor/metadata.xml b/net-vpn/tor/metadata.xml
new file mode 100644
index 000000000000..80fbc720fea8
--- /dev/null
+++ b/net-vpn/tor/metadata.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>blueness@gentoo.org</email>
+		<name>Anthony G. Basile</name>
+	</maintainer>
+	<use>
+		<flag name="bufferevents">Use libevent's buffered IO implementation (unstable, buggy)</flag>
+		<flag name="stats">Enable tracking of how much of each kind of resource we download</flag>
+		<flag name="scrypt">Use <pkg>app-crypt/libscrypt</pkg> for the scrypt algorithm</flag>
+		<flag name="tor-hardening">Compile tor with hardening on vanilla compilers/linkers</flag>
+		<flag name="transparent-proxy">Enable transparent proxying</flag>
+		<flag name="web">Build a tor2web service instead of a tor client</flag>
+	</use>
+</pkgmetadata>
diff --git a/net-vpn/tor/tor-0.2.8.12.ebuild b/net-vpn/tor/tor-0.2.8.12.ebuild
new file mode 100644
index 000000000000..0b5f4d0f361d
--- /dev/null
+++ b/net-vpn/tor/tor-0.2.8.12.ebuild
@@ -0,0 +1,86 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+inherit eutils flag-o-matic readme.gentoo-r1 systemd versionator user
+
+MY_PV="$(replace_version_separator 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="http://www.torproject.org/"
+SRC_URI="https://www.torproject.org/dist/${MY_PF}.tar.gz
+	https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz"
+S="${WORKDIR}/${MY_PF}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm ~mips ppc ppc64 sparc x86 ~ppc-macos"
+IUSE="-bufferevents libressl scrypt seccomp selinux stats systemd tor-hardening transparent-proxy test web"
+
+DEPEND="
+	app-text/asciidoc
+	dev-libs/libevent
+	sys-libs/zlib
+	bufferevents? ( dev-libs/libevent[ssl] )
+	!libressl? ( dev-libs/openssl:0=[-bindist] )
+	libressl? ( dev-libs/libressl:0= )
+	scrypt? ( app-crypt/libscrypt )
+	seccomp? ( sys-libs/libseccomp )
+	systemd? ( sys-apps/systemd )"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-tor )"
+
+pkg_setup() {
+	enewgroup tor
+	enewuser tor -1 -1 /var/lib/tor tor
+}
+
+src_prepare() {
+	epatch "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+	epatch_user
+}
+
+src_configure() {
+	# Upstream isn't sure of all the user provided CFLAGS that
+	# will break tor, but does recommend against -fstrict-aliasing.
+	# We'll filter-flags them here as we encounter them.
+	filter-flags -fstrict-aliasing
+
+	econf \
+		--enable-system-torrc \
+		--enable-asciidoc \
+		--docdir="${EPREFIX}"/usr/share/doc/${PF} \
+		$(use_enable stats instrument-downloads) \
+		$(use_enable bufferevents) \
+		$(use_enable scrypt libscrypt) \
+		$(use_enable seccomp) \
+		$(use_enable systemd) \
+		$(use_enable tor-hardening gcc-hardening) \
+		$(use_enable tor-hardening linker-hardening) \
+		$(use_enable transparent-proxy transparent) \
+		$(use_enable web tor2web-mode) \
+		$(use_enable test unittests) \
+		$(use_enable test coverage)
+}
+
+src_install() {
+	readme.gentoo_create_doc
+
+	newconfd "${FILESDIR}"/tor.confd tor
+	newinitd "${FILESDIR}"/tor.initd-r8 tor
+	systemd_dounit "${FILESDIR}/${PN}.service"
+	systemd_dotmpfilesd "${FILESDIR}/${PN}.conf"
+
+	emake DESTDIR="${D}" install
+
+	keepdir /var/lib/tor
+
+	dodoc -r README ChangeLog ReleaseNotes doc/HACKING
+
+	fperms 750 /var/lib/tor
+	fowners tor:tor /var/lib/tor
+
+	insinto /etc/tor/
+	newins "${FILESDIR}"/torrc-r1 torrc
+}
diff --git a/net-vpn/tor/tor-0.2.9.10.ebuild b/net-vpn/tor/tor-0.2.9.10.ebuild
new file mode 100644
index 000000000000..035d07ef861f
--- /dev/null
+++ b/net-vpn/tor/tor-0.2.9.10.ebuild
@@ -0,0 +1,82 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit eutils flag-o-matic readme.gentoo-r1 systemd versionator user
+
+MY_PV="$(replace_version_separator 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="http://www.torproject.org/"
+SRC_URI="https://www.torproject.org/dist/${MY_PF}.tar.gz
+	https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz"
+S="${WORKDIR}/${MY_PF}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~mips ~ppc ~ppc64 ~sparc ~x86 ~ppc-macos"
+IUSE="libressl scrypt seccomp selinux systemd tor-hardening test web"
+
+DEPEND="
+	app-text/asciidoc
+	dev-libs/libevent[ssl]
+	sys-libs/zlib
+	!libressl? ( dev-libs/openssl:0=[-bindist] )
+	libressl? ( dev-libs/libressl:0= )
+	scrypt? ( app-crypt/libscrypt )
+	seccomp? ( sys-libs/libseccomp )
+	systemd? ( sys-apps/systemd )"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-tor )"
+
+pkg_setup() {
+	enewgroup tor
+	enewuser tor -1 -1 /var/lib/tor tor
+}
+
+src_prepare() {
+	eapply "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+	eapply_user
+}
+
+src_configure() {
+	# Upstream isn't sure of all the user provided CFLAGS that
+	# will break tor, but does recommend against -fstrict-aliasing.
+	# We'll filter-flags them here as we encounter them.
+	filter-flags -fstrict-aliasing
+
+	econf \
+		--enable-system-torrc \
+		--enable-asciidoc \
+		--docdir="${EPREFIX}"/usr/share/doc/${PF} \
+		$(use_enable scrypt libscrypt) \
+		$(use_enable seccomp) \
+		$(use_enable systemd) \
+		$(use_enable tor-hardening gcc-hardening) \
+		$(use_enable tor-hardening linker-hardening) \
+		$(use_enable web tor2web-mode) \
+		$(use_enable test unittests) \
+		$(use_enable test coverage)
+}
+
+src_install() {
+	readme.gentoo_create_doc
+
+	newconfd "${FILESDIR}"/tor.confd tor
+	newinitd "${FILESDIR}"/tor.initd-r8 tor
+	systemd_dounit "${FILESDIR}/${PN}.service"
+	systemd_dotmpfilesd "${FILESDIR}/${PN}.conf"
+
+	emake DESTDIR="${D}" install
+
+	keepdir /var/lib/tor
+
+	dodoc -r README ChangeLog ReleaseNotes doc/HACKING
+
+	fperms 750 /var/lib/tor
+	fowners tor:tor /var/lib/tor
+
+	insinto /etc/tor/
+	newins "${FILESDIR}"/torrc-r1 torrc
+}
diff --git a/net-vpn/tor/tor-0.2.9.9.ebuild b/net-vpn/tor/tor-0.2.9.9.ebuild
new file mode 100644
index 000000000000..035d07ef861f
--- /dev/null
+++ b/net-vpn/tor/tor-0.2.9.9.ebuild
@@ -0,0 +1,82 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit eutils flag-o-matic readme.gentoo-r1 systemd versionator user
+
+MY_PV="$(replace_version_separator 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="http://www.torproject.org/"
+SRC_URI="https://www.torproject.org/dist/${MY_PF}.tar.gz
+	https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz"
+S="${WORKDIR}/${MY_PF}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~mips ~ppc ~ppc64 ~sparc ~x86 ~ppc-macos"
+IUSE="libressl scrypt seccomp selinux systemd tor-hardening test web"
+
+DEPEND="
+	app-text/asciidoc
+	dev-libs/libevent[ssl]
+	sys-libs/zlib
+	!libressl? ( dev-libs/openssl:0=[-bindist] )
+	libressl? ( dev-libs/libressl:0= )
+	scrypt? ( app-crypt/libscrypt )
+	seccomp? ( sys-libs/libseccomp )
+	systemd? ( sys-apps/systemd )"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-tor )"
+
+pkg_setup() {
+	enewgroup tor
+	enewuser tor -1 -1 /var/lib/tor tor
+}
+
+src_prepare() {
+	eapply "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+	eapply_user
+}
+
+src_configure() {
+	# Upstream isn't sure of all the user provided CFLAGS that
+	# will break tor, but does recommend against -fstrict-aliasing.
+	# We'll filter-flags them here as we encounter them.
+	filter-flags -fstrict-aliasing
+
+	econf \
+		--enable-system-torrc \
+		--enable-asciidoc \
+		--docdir="${EPREFIX}"/usr/share/doc/${PF} \
+		$(use_enable scrypt libscrypt) \
+		$(use_enable seccomp) \
+		$(use_enable systemd) \
+		$(use_enable tor-hardening gcc-hardening) \
+		$(use_enable tor-hardening linker-hardening) \
+		$(use_enable web tor2web-mode) \
+		$(use_enable test unittests) \
+		$(use_enable test coverage)
+}
+
+src_install() {
+	readme.gentoo_create_doc
+
+	newconfd "${FILESDIR}"/tor.confd tor
+	newinitd "${FILESDIR}"/tor.initd-r8 tor
+	systemd_dounit "${FILESDIR}/${PN}.service"
+	systemd_dotmpfilesd "${FILESDIR}/${PN}.conf"
+
+	emake DESTDIR="${D}" install
+
+	keepdir /var/lib/tor
+
+	dodoc -r README ChangeLog ReleaseNotes doc/HACKING
+
+	fperms 750 /var/lib/tor
+	fowners tor:tor /var/lib/tor
+
+	insinto /etc/tor/
+	newins "${FILESDIR}"/torrc-r1 torrc
+}
diff --git a/net-vpn/tor/tor-0.3.0.3_alpha.ebuild b/net-vpn/tor/tor-0.3.0.3_alpha.ebuild
new file mode 100644
index 000000000000..b103e82a8aed
--- /dev/null
+++ b/net-vpn/tor/tor-0.3.0.3_alpha.ebuild
@@ -0,0 +1,74 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit flag-o-matic readme.gentoo-r1 systemd versionator user
+
+MY_PV="$(replace_version_separator 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="http://www.torproject.org/"
+SRC_URI="https://www.torproject.org/dist/${MY_PF}.tar.gz
+	https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz"
+S="${WORKDIR}/${MY_PF}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~mips ~ppc ~ppc64 ~sparc ~x86 ~ppc-macos"
+IUSE="libressl scrypt seccomp selinux systemd tor-hardening test web"
+
+DEPEND="
+	app-text/asciidoc
+	dev-libs/libevent[ssl]
+	sys-libs/zlib
+	!libressl? ( dev-libs/openssl:0=[-bindist] )
+	libressl? ( dev-libs/libressl:0= )
+	scrypt? ( app-crypt/libscrypt )
+	seccomp? ( sys-libs/libseccomp )
+	systemd? ( sys-apps/systemd )"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-tor )"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+)
+
+DOCS=( README ChangeLog ReleaseNotes doc/HACKING )
+
+pkg_setup() {
+	enewgroup tor
+	enewuser tor -1 -1 /var/lib/tor tor
+}
+
+src_configure() {
+	econf \
+		--localstatedir="${EPREFIX}/var" \
+		--enable-system-torrc \
+		--enable-asciidoc \
+		$(use_enable scrypt libscrypt) \
+		$(use_enable seccomp) \
+		$(use_enable systemd) \
+		$(use_enable tor-hardening gcc-hardening) \
+		$(use_enable tor-hardening linker-hardening) \
+		$(use_enable web tor2web-mode) \
+		$(use_enable test unittests) \
+		$(use_enable test coverage)
+}
+
+src_install() {
+	default
+	readme.gentoo_create_doc
+
+	newconfd "${FILESDIR}"/tor.confd tor
+	newinitd "${FILESDIR}"/tor.initd-r8 tor
+	systemd_dounit contrib/dist/tor.service
+
+	keepdir /var/lib/tor
+
+	fperms 750 /var/lib/tor
+	fowners tor:tor /var/lib/tor
+
+	insinto /etc/tor/
+	newins "${FILESDIR}"/torrc-r1 torrc
+}
diff --git a/net-vpn/tor/tor-0.3.0.4_rc.ebuild b/net-vpn/tor/tor-0.3.0.4_rc.ebuild
new file mode 100644
index 000000000000..b103e82a8aed
--- /dev/null
+++ b/net-vpn/tor/tor-0.3.0.4_rc.ebuild
@@ -0,0 +1,74 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit flag-o-matic readme.gentoo-r1 systemd versionator user
+
+MY_PV="$(replace_version_separator 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="http://www.torproject.org/"
+SRC_URI="https://www.torproject.org/dist/${MY_PF}.tar.gz
+	https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz"
+S="${WORKDIR}/${MY_PF}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~mips ~ppc ~ppc64 ~sparc ~x86 ~ppc-macos"
+IUSE="libressl scrypt seccomp selinux systemd tor-hardening test web"
+
+DEPEND="
+	app-text/asciidoc
+	dev-libs/libevent[ssl]
+	sys-libs/zlib
+	!libressl? ( dev-libs/openssl:0=[-bindist] )
+	libressl? ( dev-libs/libressl:0= )
+	scrypt? ( app-crypt/libscrypt )
+	seccomp? ( sys-libs/libseccomp )
+	systemd? ( sys-apps/systemd )"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-tor )"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+)
+
+DOCS=( README ChangeLog ReleaseNotes doc/HACKING )
+
+pkg_setup() {
+	enewgroup tor
+	enewuser tor -1 -1 /var/lib/tor tor
+}
+
+src_configure() {
+	econf \
+		--localstatedir="${EPREFIX}/var" \
+		--enable-system-torrc \
+		--enable-asciidoc \
+		$(use_enable scrypt libscrypt) \
+		$(use_enable seccomp) \
+		$(use_enable systemd) \
+		$(use_enable tor-hardening gcc-hardening) \
+		$(use_enable tor-hardening linker-hardening) \
+		$(use_enable web tor2web-mode) \
+		$(use_enable test unittests) \
+		$(use_enable test coverage)
+}
+
+src_install() {
+	default
+	readme.gentoo_create_doc
+
+	newconfd "${FILESDIR}"/tor.confd tor
+	newinitd "${FILESDIR}"/tor.initd-r8 tor
+	systemd_dounit contrib/dist/tor.service
+
+	keepdir /var/lib/tor
+
+	fperms 750 /var/lib/tor
+	fowners tor:tor /var/lib/tor
+
+	insinto /etc/tor/
+	newins "${FILESDIR}"/torrc-r1 torrc
+}
diff --git a/net-vpn/vtun/Manifest b/net-vpn/vtun/Manifest
new file mode 100644
index 000000000000..3ef73fee68db
--- /dev/null
+++ b/net-vpn/vtun/Manifest
@@ -0,0 +1 @@
+DIST vtun-3.0.3.tar.gz 130051 SHA256 69dcbe4f8c5ce7d91b4150a6309e536d03b61841169746ca5788413ac7edb9cb SHA512 5fa789d08b556f97492b89515a89c2322c4b0a8fa95bd1035f5ed19061b3654a6a36a9911792096ac872ae9ae5451848cab87d0343dc0ffc064affea1f7d0d54 WHIRLPOOL 8939c132622d4833a8780003548850103c8f35cabd25b38198a254200a80747b57edba327b4ab91b6af954542d2605a5f2d9dda42a64218a5e0a586fe5705475
diff --git a/net-vpn/vtun/files/vtun-3.0.2-remove-config-presence-check.patch b/net-vpn/vtun/files/vtun-3.0.2-remove-config-presence-check.patch
new file mode 100644
index 000000000000..15b3bf273c34
--- /dev/null
+++ b/net-vpn/vtun/files/vtun-3.0.2-remove-config-presence-check.patch
@@ -0,0 +1,13 @@
+--- Makefile.in.orig	2012-06-11 23:31:11.416075337 +0400
++++ Makefile.in	2012-06-11 23:31:21.247324839 +0400
+@@ -86,9 +86,7 @@
+ 
+ install_config: 
+ 	$(INSTALL) -d -m 755 $(INSTALL_OWNER) $(DESTDIR)$(ETC_DIR)
+-	if [ ! -f $(ETC_DIR)/vtund.conf ]; then \
+-	  $(INSTALL) -m 600 $(INSTALL_OWNER) vtund.conf $(DESTDIR)$(ETC_DIR); \
+-	fi
++	$(INSTALL) -m 600 $(INSTALL_OWNER) vtund.conf $(DESTDIR)$(ETC_DIR); \
+ 
+ install: vtund install_config install_man
+ 	$(INSTALL) -d -m 755 $(INSTALL_OWNER) $(DESTDIR)$(VAR_DIR)/run
diff --git a/net-vpn/vtun/files/vtun-3.0.3-gcc5.patch b/net-vpn/vtun/files/vtun-3.0.3-gcc5.patch
new file mode 100644
index 000000000000..99c6531d7268
--- /dev/null
+++ b/net-vpn/vtun/files/vtun-3.0.3-gcc5.patch
@@ -0,0 +1,13 @@
+Index: vtun-3.0.3/cfg_file.y
+===================================================================
+--- vtun-3.0.3.orig/cfg_file.y
++++ vtun-3.0.3/cfg_file.y
+@@ -624,7 +624,7 @@ int clear_nat_hack_client(void *d, void
+ }
+
+ /* Clear the VTUN_NAT_HACK flag which are not relevant to the current operation mode */
+-inline void clear_nat_hack_flags(int svr)
++extern inline void clear_nat_hack_flags(int svr)
+ {
+ 	if (svr)
+ 		llist_trav(&host_list,clear_nat_hack_server,NULL);
diff --git a/net-vpn/vtun/files/vtun-3.0.3-includes.patch b/net-vpn/vtun/files/vtun-3.0.3-includes.patch
new file mode 100644
index 000000000000..cd7cf6a2a2ee
--- /dev/null
+++ b/net-vpn/vtun/files/vtun-3.0.3-includes.patch
@@ -0,0 +1,62 @@
+--- a/lfd_encrypt.c	2008-01-07 23:35:32.000000000 +0100
++++ b/lfd_encrypt.c	2010-09-18 04:53:31.000000000 +0200
+@@ -44,6 +44,7 @@
+ #include <strings.h>
+ #include <string.h>
+ #include <time.h>
++#include <arpa/inet.h> /* htonl() */
+ 
+ #include "vtun.h"
+ #include "linkfd.h"
+--- a/lib.c	2008-01-07 23:35:40.000000000 +0100
++++ b/lib.c	2010-09-18 04:52:51.000000000 +0200
+@@ -34,6 +34,7 @@
+ #include <sys/wait.h>
+ #include <syslog.h>
+ #include <errno.h>
++#include <time.h> /* nanosleep() */
+ 
+ #include "vtun.h"
+ #include "linkfd.h"
+--- a/lib.h	2008-01-07 23:35:41.000000000 +0100
++++ b/lib.h	2010-09-18 04:56:50.000000000 +0200
+@@ -26,6 +26,7 @@
+ #include <sys/types.h>
+ #include <signal.h>
+ #include <errno.h>
++#include <unistd.h> /* read(), write() */
+ 
+ #ifdef HAVE_LIBUTIL_H
+ #include <libutil.h>
+--- a/vtun.h	2008-01-07 23:36:07.000000000 +0100
++++ b/vtun.h	2010-09-18 04:56:08.000000000 +0200
+@@ -232,5 +232,9 @@
+ int  read_config(char *file);
+ struct vtun_host * find_host(char *host);
+ inline void clear_nat_hack_flags(int svr);
++int send_msg(int len, char *in, char **out);
++int send_ib_mesg(int *len, char **in);
++int recv_msg(int len, char *in, char **out);
++int recv_ib_mesg(int *len, char **in);
+ 
+ #endif
+--- a/lock.c	2008-01-07 23:35:50.000000000 +0100
++++ b/lock.c	2010-09-18 05:01:21.000000000 +0200
+@@ -32,6 +32,7 @@
+ #include <sys/types.h>
+ #include <signal.h>
+ #include <errno.h>
++#include <time.h> /* nanosleep() */
+ 
+ #include "vtun.h"
+ #include "linkfd.h"
+--- a/lfd_shaper.c	2008-01-07 23:35:36.000000000 +0100
++++ b/lfd_shaper.c	2010-09-18 05:07:12.000000000 +0200
+@@ -27,6 +27,7 @@
+ #include <stdlib.h>
+ #include <sys/time.h>
+ #include <syslog.h>
++#include <time.h> /* nanosleep() */
+ 
+ #include "vtun.h"
+ #include "linkfd.h"
diff --git a/net-vpn/vtun/files/vtun.rc b/net-vpn/vtun/files/vtun.rc
new file mode 100644
index 000000000000..7ef322985043
--- /dev/null
+++ b/net-vpn/vtun/files/vtun.rc
@@ -0,0 +1,32 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+	need net
+}
+
+start() {
+	IFS=$'\n'
+	for line in `grep -v '^[[:space:]]*#' /etc/vtund-start.conf | grep -v '^[[:space:]]*$'`
+	do
+		echo $line | 
+			(IFS=" "
+			 read host server args
+			 if [ "$host" = "--server--" ]; then
+				 ebegin "Starting vtund server"
+				 /usr/sbin/vtund -s -P $server $args
+				 eend $?
+			 else
+				 ebegin "Starting vtund client $host to $server"
+				 /usr/sbin/vtund $args -- $host $server
+				 eend $?
+			 fi)
+	done
+}
+
+stop() {
+	ebegin "Stopping all vtund servers and clients"
+	killall vtund
+	eend $?
+}
diff --git a/net-vpn/vtun/files/vtund-start.conf b/net-vpn/vtun/files/vtund-start.conf
new file mode 100644
index 000000000000..01de38322f48
--- /dev/null
+++ b/net-vpn/vtun/files/vtund-start.conf
@@ -0,0 +1,33 @@
+### this file defines whether vtund is run as a client or a server
+###
+### format is "[host] [server] <args>" or "--server-- [portnumber] <args>".
+###
+### [host] is the hostname to use as a client
+###
+### [server] is the server to connect to
+###
+### [args] is optional for both server and client and contains any additional
+### command line args for that instance of vtund.  not needed by most people.
+###
+### --server-- is the literal string '--server--'. nothing more, nothing less.
+###
+### [portnumber] is the port number to run the server on.
+### 
+###
+### you can have more than one client "host server" line if required,
+### and in theory, it should be possible to run as both a client and a
+### server simultaneously, but i haven't tested that.
+
+
+### examples:
+
+### to run as a client using hostname 'viper'.
+#viper vtun-server.somewhere.com.au
+
+### to run a persistent client connection using hostname 'viper'
+### connecting to a server on port 6000 and using /etc/vtun.viper.conf
+### as the config file.
+#viper vtun-server.somewhere.com.au -f /etc/vtun.viper.conf -s -P 6000
+
+### to run vtund as a server on port 5000, uncomment the following line:
+#--server-- 5000
diff --git a/net-vpn/vtun/metadata.xml b/net-vpn/vtun/metadata.xml
new file mode 100644
index 000000000000..6c796b6d02c5
--- /dev/null
+++ b/net-vpn/vtun/metadata.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>pinkbyte@gentoo.org</email>
+		<name>Sergey Popov</name>
+	</maintainer>
+	<upstream>
+		<remote-id type="sourceforge">vtun</remote-id>
+	</upstream>
+</pkgmetadata>
diff --git a/net-vpn/vtun/vtun-3.0.3.ebuild b/net-vpn/vtun/vtun-3.0.3.ebuild
new file mode 100644
index 000000000000..153cff659a9f
--- /dev/null
+++ b/net-vpn/vtun/vtun-3.0.3.ebuild
@@ -0,0 +1,57 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+inherit eutils linux-info
+
+DESCRIPTION="Create tunnels over TCP/IP networks with shaping, encryption, and compression"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+HOMEPAGE="http://vtun.sourceforge.net/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha amd64 ppc ~sparc x86"
+IUSE="lzo socks5 ssl zlib"
+
+RDEPEND="ssl? ( dev-libs/openssl:0 )
+	lzo? ( dev-libs/lzo:2 )
+	zlib? ( sys-libs/zlib )
+	socks5? ( net-proxy/dante )"
+DEPEND="${RDEPEND}
+	sys-devel/bison"
+
+DOCS="ChangeLog Credits FAQ README README.Setup README.Shaper TODO"
+
+CONFIG_CHECK="~TUN"
+
+src_prepare() {
+	sed -i Makefile.in \
+		-e '/^LDFLAGS/s|=|+=|g' \
+		|| die "sed Makefile"
+	epatch "${FILESDIR}"/${P}-includes.patch
+	# remove unneeded checking for /etc/vtund.conf
+	epatch "${FILESDIR}"/${PN}-3.0.2-remove-config-presence-check.patch
+	# GCC 5 compatibility, patch from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778164
+	epatch "${FILESDIR}"/${P}-gcc5.patch
+	# portage takes care about striping binaries itself
+	sed -i 's:$(BIN_DIR)/strip $(DESTDIR)$(SBIN_DIR)/vtund::' Makefile.in || die
+
+	epatch_user
+}
+
+src_configure() {
+	econf \
+		$(use_enable ssl) \
+		$(use_enable zlib) \
+		$(use_enable lzo) \
+		$(use_enable socks5 socks) \
+		--enable-shaper
+}
+
+src_install() {
+	default
+	newinitd "${FILESDIR}"/vtun.rc vtun
+	insinto etc
+	doins "${FILESDIR}"/vtund-start.conf
+}