Enhancement: Advanced OpenVPN configuration via GUI options #2048

Closed
ashceryth opened this issue Jan 3, 2018 · 18 comments

@ashceryth

ashceryth commented Jan 3, 2018

Hi,

It would be great if it would be possible to configure some more advanced settings for OpenVPN directly via options in the GUI rather than using the "Advanced configuration" field. I am thinking of GUI options reflecting the following OpenVPN config options:

  • tls-version-min (e.g. allowing only TLS 1.2)
  • tls-cipher
  • tls-crypt (as an alternative to tls-auth)
  • ncp-ciphers
  • ecdh-curve
  • compress (selection of the desired compression algorithm, e.g. lz4-v2)
  • explicit-exit-notify 1 (when using UDP)

Is there anything planned? Also OpenVPN running as unprivileged user would be superb :)

@fichtner fichtner self-assigned this Oct 20, 2018
@fichtner fichtner added the feature Adding new functionality label Oct 20, 2018
@fichtner fichtner added this to the 19.1 milestone Oct 20, 2018
@fichtner
Member

I’ll work on this as time permits.

@imidoriya

The client export also includes "--comp-lzo", which has been deprecated. The new method is "--compress [algorithm]".

@ky41083

ky41083 commented Dec 20, 2018

+1 for this. Please ;-)

Security wise, these are very good controls to have. Some do not have a good way of implementing using the free form advanced settings box. Good as in, fully included in config backups / restores, or OpenVPN client config exports.

@stultitiophobia

Should the TLS-AUTH feature be replaced by TLS-CRYPT or be choosable as an alternative?
I also need this feature very desperately, so perhaps the community could help on this (if desired)?

@ky41083

ky41083 commented Jan 7, 2019

tls-auth and tls-crypt should coexist as selectable options. One does not deprecate the other. You can only use one of them at a time. If nothing else, they should both remain as options for backwards compatibility with pre-existing setups.

@fichtner fichtner modified the milestones: 19.1, 19.7 Jan 20, 2019
@fichtner
Member

@AdSchellevis maybe you have incentive to work on this earlier, for now I'll have to push to 19.7

@AdSchellevis
Member

@fichtner I have no plans for this at the moment, moving it further is certainly fine.

@Bytechanger

Hello,
I also need tls-crypt option for more security.
At this time I run my openvpn-server on my raspberry!

@Keltere

Keltere commented Jun 13, 2019

+1 on tls-crypt, without it it's really a pain

@fichtner fichtner modified the milestones: 19.7, 20.1 Jul 1, 2019
@fichtner fichtner modified the milestones: 20.1, 20.7 Jan 24, 2020
@galvanopus

It would be nice to have this feature implemented.

Btw, there is a workaround:

  1. Disable TLS authentication.
  2. Paste the following into Advanced section:
    <tls-crypt>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    key data here
    -----END OpenVPN Static key V1-----
    </tls-crypt>
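
Added example, not part of the original comments or of OPNsense's code: a small auditor that parses an OpenVPN config, including inline blocks like the one in the workaround above, and flags the settings discussed in this thread (tls-auth and tls-crypt both present, deprecated comp-lzo, missing hardening directives). The function names, finding codes and sample config are constructed for illustration.

```python
import re

# Hardening directives requested in this thread; the audit expects each one to be set.
EXPECTED = ("tls-version-min", "tls-cipher", "ncp-ciphers", "ecdh-curve")

def parse_openvpn(text):
    """Map directive name -> list of argument lists; inline <x>...</x> bodies are skipped."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                          # inside inline key material, not directives
            inline = None if line == f"</{inline}>" else inline
            continue
        if not line or line[0] in "#;":     # blank line or comment
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        name, *args = (tag.group(1), "[inline]") if tag else line.split()
        inline = tag.group(1) if tag else None
        opts.setdefault(name.lstrip("-"), []).append(args)
    return opts

def audit(text):
    """Return a sorted list of finding codes for one OpenVPN config."""
    opts, found = parse_openvpn(text), set()
    if "tls-auth" in opts and "tls-crypt" in opts:
        found.add("tls-auth+tls-crypt")     # only one of them can be used at a time
    if "comp-lzo" in opts:
        found.add("comp-lzo-deprecated")    # replaced by "compress [algorithm]"
    found.update(f"missing:{name}" for name in EXPECTED if name not in opts)
    if (opts.get("tls-version-min") or [[""]])[-1][:1] in (["1.0"], ["1.1"]):
        found.add("tls-version-min<1.2")
    proto = (opts.get("proto", [["udp"]])[-1] or ["udp"])[0]   # OpenVPN defaults to UDP
    if proto.startswith("udp") and "explicit-exit-notify" not in opts:
        found.add("udp-without-explicit-exit-notify")
    return sorted(found)

# Constructed sample: the tls-crypt workaround pasted while tls-auth is still enabled.
SAMPLE = """\
proto udp
tls-version-min 1.0
comp-lzo adaptive
tls-auth /constructed/ta.key 0
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
key data here
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

print("\n".join(audit(SAMPLE)))
```

Run it against the generated server config after editing the Advanced field; an empty result means none of the checked conditions apply.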

@hugosxm

hugosxm commented Jul 25, 2020

Hi, we are planning to migrate all our pfSense boxes (30 boxes approx.) to OPNsense because we found OPNsense better, but this "missing" UI feature for OpenVPN is quite annoying, we have to say. It would be really appreciated if this is done in the next release.

Please think about those ones too:

  • UDP Fast I/O
  • Send/Receive Buffer size selection
  • Gateway creation both / IPV4 / IPV6
  • tls key usage mode => auth / auth + encrypt
  • inter client communication
  • push compression

We can provide OpenVPN conf files to help.

Sorry for my English!

@fichtner fichtner modified the milestones: 20.7, 21.1 Jul 30, 2020
@fichtner fichtner modified the milestones: 21.1, Community Jan 10, 2021
@FingerlessGlov3s
Contributor

FingerlessGlov3s commented Mar 26, 2021

Move NCP into its own feature request, since this issue contains many features.
#4871

@khicks

khicks commented Apr 5, 2021

This is a big requirement for folks looking for a drop-in replacement for pfSense. Administrators of multi-user environments have already distributed OpenVPN configs, and having no option for tls-crypt means they're going to have to shoehorn it in or redistribute configs.

No GUI option for tls-crypt would be acceptable if the Advanced config field wasn't being deprecated. Without it, administrators wanting improved security will have to dig into the file system, which is far from ideal. I really hope that the OpenVPN GUI configuration tool will have all of the common options before the Advanced field gets taken away.

@stultitiophobia

stultitiophobia commented Apr 5, 2021

I approached this problem with this workaround so far:
https://github.com/trendchiller/OPNsense/commit/5f044ce6bc8d31f557e47f9189475409628a3849
The goal was backward compatibility and improved security.
I wanted to commit when the exporters were ready, but I'll stop work until we have a status ;-)

@beren12

beren12 commented Jul 7, 2021

> This is a big requirement for folks looking for a drop-in replacement for pfSense. Administrators of multi-user environments have already distributed OpenVPN configs, and having no option for tls-crypt means they're going to have to shoehorn it in or redistribute configs.
>
> No GUI option for tls-crypt would be acceptable if the Advanced config field wasn't being deprecated. Without it, administrators wanting improved security will have to dig into the file system, which is far from ideal. I really hope that the OpenVPN GUI configuration tool will have all of the common options before the Advanced field gets taken away.

The problem is advanced options will never be 100% covered from the GUI, and it's far far better security to see the advanced config than to have it hidden in a file nobody ever knows to check.

The advanced options should be available some way even if it's hidden by default.

I agree the goal should be to cover almost all options from the GUI, but that doesn't mean advanced should ever go away. Right now I use it for persistent IP leases which would be nice to have set from the GUI but how many other people care about that option?

@stultitiophobia

Perhaps it could be an idea to have a checkbox in system settings to "enable advanced settings" which "unhides" the advanced config boxes?
So they could be hidden by default and enabled by users who are experienced?

@ITJamie

ITJamie commented Apr 2, 2022

Right now the ovpn file type export option has a bug. It comes down as filename.ovpn.txt on iOS/Safari due to the headers. This means it's not easy to import into OpenVPN apps on iOS.

Some quick searching suggests that the headers need to be more specific to the filetype during the download, e.g.

    'Content-Type' => 'text/ovpn',
    'Content-Length' => filesize(storage_path('file.ovpn')),
    'Content-Disposition' => 'attachment; filename="'.$formname->name.'.ovpn"'

@AdSchellevis
Member

Better to open new issues after 23.7 is released, aimed at the new Instances option.

@fichtner fichtner removed this from the Community milestone Jun 28, 2023
@fichtner fichtner removed the feature Adding new functionality label Jun 28, 2023
@fichtner fichtner removed their assignment Jun 28, 2023