OpenVPN Instances - Buffer Size / TLS Version Minimum / NetBIOS

Started by ky41083, August 27, 2024, 04:44:19 AM

Hello! Posting first before submitting a feature request... Looking at migrating my OpenVPN servers over from legacy to Instances. I'm noticing a few advanced options I use are missing and curious if anyone else feels they should be included.

Buffer size: I always set sndbuf + rcvbuf as well as push them to the client. This is extremely important for mitigating bandwidth bottlenecks, especially on faster and/or higher latency connections. Would it make sense to request an option for each with a text box where the value can be entered in bytes, with an accompanying checkbox to push the custom value to clients? Essentially achieve an effect similar to:

sndbuf 2097152
push "sndbuf 2097152"
rcvbuf 2097152
push "rcvbuf 2097152"

TLS Version Minimum: The option I use to meet compliancy policy requirements & prevent TLS downgrade attacks. Would it make sense for this to be a drop down option w/ 1.2, 1.3, and Highest as options? This would achieve something similar to the following:

# Use 1.2
tls-version-min 1.2
# Use 1.3
tls-version-min 1.3
# Use Highest Supported
tls-version-min 0.0 or-highest

Disable NetBIOS: And last, the push options list would be a good place for this. Disable NetBIOS name lookups to cut down on VPN traffic. Maybe called "push disable-nbt". This would achieve the following:

push "dhcp-option DISABLE-NBT"


I request your feedback on the above. Thank you!
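
Added example, not part of the original post and not OPNsense or OpenVPN code: a small audit that reads a server config and reports whether the three settings requested above are in place. The function names, the sample config, the 1.2 floor and the "last occurrence wins" handling are assumptions made for illustration.

```python
import shlex

KNOWN_TLS = ("1.0", "1.1", "1.2", "1.3")

# Constructed sample config (not from the post): weak TLS floor, mismatched rcvbuf push.
SAMPLE = """\
sndbuf 2097152
push "sndbuf 2097152"
rcvbuf 2097152
push "rcvbuf 1048576"
# Use 1.0
tls-version-min 1.0
"""

def parse(text):
    """Split a config into local directives and pushed directives (token lists)."""
    local, pushed = [], []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # drops '#' comments, honours quotes
        if len(tokens) == 2 and tokens[0] == "push":
            pushed.append(shlex.split(tokens[1]))
        elif tokens:
            local.append(tokens)
    return local, pushed

def last_args(directives, name):
    """Arguments of the last occurrence of a directive (assumed to win), or None."""
    hits = [d[1:] for d in directives if d[:1] == [name]]
    return hits[-1] if hits else None

def audit(text, floor="1.2"):
    """Return a list of findings; an empty list means all three settings are in place."""
    local, pushed = parse(text)
    findings = []
    tls = last_args(local, "tls-version-min")
    if not tls:  # treated as a finding here so that the floor is explicit in the config
        findings.append("tls-version-min: not set")
    elif tls[0] in KNOWN_TLS:
        if KNOWN_TLS.index(tls[0]) < KNOWN_TLS.index(floor):
            findings.append(f"tls-version-min: {tls[0]} is below {floor}")
    elif "or-highest" not in tls[1:]:  # e.g. "0.0 or-highest" selects the highest version
        findings.append(f"tls-version-min: unrecognized version {tls[0]}")
    for buf in ("sndbuf", "rcvbuf"):  # the post's practice: push the same value to clients
        here, there = last_args(local, buf), last_args(pushed, buf)
        if here and here != there:
            findings.append(f"{buf}: local {here[0]}, pushed {there[0] if there else 'nothing'}")
    if ["dhcp-option", "DISABLE-NBT"] not in pushed:
        findings.append("push: dhcp-option DISABLE-NBT missing")
    return findings
```

Calling `audit(SAMPLE)` returns three findings, while a config built from the snippets in the post (using `tls-version-min 0.0 or-highest`) returns none.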