Core: Enhancement: Advanced OpenVPN configuration via GUI options

Created on 3 Jan 2018 · 11 Comments · Source: opnsense/core

Hi,

It would be great if it would be possible to configure some more advanced settings for OpenVPN directly via options in the GUI rather than using the "Advanced configuration" field. I am thinking of GUI options reflecting the following OpenVPN config options:

  • tls-version-min (e.g. allowing only TLS 1.2)
  • tls-cipher
  • tls-crypt (as an alternative to tls-auth)
  • ncp-ciphers
  • ecdh-curve
  • compress (selection of the desired compression algorithm, e.g. lz4-v2)
  • explicit-exit-notify 1 (when using UDP)

Is there anything planned? Also, OpenVPN running as an unprivileged user would be superb :)

feature

All 11 comments

I'll work on this as time permits.

The client export also includes "--comp-lzo", which has been deprecated. The new method is "--compress [algorithm]".

+1 for this. Please ;-)

Security-wise, these are very good controls to have. Some do not have a good way of implementing using the free-form advanced settings box. Good as in, fully included in config backups / restores, or OpenVPN client config exports.

Should the TLS-AUTH feature be replaced by TLS-CRYPT or be choosable as an alternative?
I need this feature also very desperately, so perhaps the community could help on this (if desired)?

tls-auth and tls-crypt should coexist as selectable options. One does not deprecate the other. You can only use one of them at a time. If nothing else, they should both remain as options for backwards compatibility with pre-existing setups.

@AdSchellevis maybe you have incentive to work on this earlier, for now I'll have to push to 19.7

@fichtner I have no plans for this at the moment, moving it further is certainly fine.

Hello,
I also need tls-crypt option for more security.
At this time I run my openvpn-server on my raspberry!

+1 on tls-crypt, without it it's really a pain

It would be nice to have this feature implemented.

Btw, there is a workaround:

  1. Disable TLS authentication.
  2. Paste the following into Advanced section:
     <tls-crypt>
     #
     # 2048 bit OpenVPN static key
     #
     -----BEGIN OpenVPN Static key V1-----
     key data here
     -----END OpenVPN Static key V1-----
     </tls-crypt>

Hi, we are planning to migrate all our pfSense boxes (30 boxes approx.) to OPNsense because we found OPNsense better, but this "missing" UI feature for OpenVPN is quite annoying, we have to say. It would be really appreciated if this is done in the next release.

Please think about these too:

  • UDP Fast I/O
  • Send/Receive Buffer size selection
  • Gateway creation both / IPV4 / IPV6
  • tls key usage mode => auth / auth + encrypt
  • inter client communication
  • push compression

We can provide openvpn conf files to help

Sorry for my English!
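
Added example (not part of the thread and not OPNsense code): until these options exist in the GUI, a generated OpenVPN config can be checked for the points raised above, namely tls-auth and tls-crypt both being set, a missing tls-version-min, the deprecated comp-lzo, and explicit-exit-notify on UDP. The function names, the sample config and the `/example/ta.key` path are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread): tls-auth left enabled
# while the inline tls-crypt workaround was pasted into the Advanced box.
SAMPLE = """\
proto udp
comp-lzo
tls-auth /example/ta.key 0
<tls-crypt>
# constructed placeholder, not a real key
-----BEGIN OpenVPN Static key V1-----
key data here
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

def parse(text):
    """Map directive -> args; an inline <name>...</name> block counts as set."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                      # skip key material inside the block
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            inline = m.group(1)
            opts[inline] = ["[inline]"]
        elif line and line[0] not in "#;":
            name, *args = line.split()
            opts[name.lstrip("-")] = args
    return opts

def audit(text):
    """Return findings for the options discussed in the thread."""
    o, out = parse(text), []
    if "tls-auth" in o and "tls-crypt" in o:
        out.append("tls-auth and tls-crypt both set; only one can be used")
    elif "tls-auth" not in o and "tls-crypt" not in o:
        out.append("neither tls-auth nor tls-crypt set")
    if "tls-version-min" not in o:
        out.append("tls-version-min not set")
    if "comp-lzo" in o:
        out.append("comp-lzo is deprecated; use compress [algorithm]")
    proto = (o.get("proto") or ["udp"])[0]   # OpenVPN defaults to UDP
    if proto.startswith("udp") and "explicit-exit-notify" not in o:
        out.append("explicit-exit-notify not set on a UDP instance")
    return out

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```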
