NethServer · gsanchietti · Nov 25, 2025 · Nov 21, 2025 · Nov 21, 2025 · Nov 21, 2025
diff --git a/build-images.sh b/build-images.sh
@@ -9,7 +9,7 @@ images=()
 repobase="${REPOBASE:-ghcr.io/nethserver}"
 # Configure the image name
 reponame="nethsecurity-controller"
-controller_version="2.1.1"
+controller_version="2.2.0"
 promtail_image="docker.io/grafana/promtail:3.6.1"
 loki_image="docker.io/grafana/loki:2.9.17"
 prometheus_image="docker.io/prom/prometheus:v3.7.3"

diff --git a/imageroot/actions/configure-module/20configure b/imageroot/actions/configure-module/20configure
@@ -101,6 +101,8 @@ set_route_data = {
 if 'lets_encrypt' in request:
     set_route_data['lets_encrypt'] = request['lets_encrypt']
 
+agent.set_route(set_route_data)
+
 config["allowed_ips"] = request.get("allowed_ips", [])
 
 # Save configuration to JSON for later user and backup
@@ -131,6 +133,11 @@ with open('config.env', 'w') as env:
     if 'maxmind_license' in request:
         env.write(f'MAXMIND_LICENSE={request["maxmind_license"]}\n')
     env.write(f'RETENTION_DAYS={metrics_retention_days}\n')
+    # OpenVPN MTU and MSSFIX settings
+    tun_mtu = request.get('tun_mtu', 1500)
+    mssfix = request.get('mssfix', 1450)
+    env.write(f'OVPN_TUN_MTU={tun_mtu}\n')
+    env.write(f'OVPN_MSSFIX={mssfix}\n')
 
 server_address = request["ovpn_network"].removesuffix('.0') + '.1'
 with open('promtail.env', 'w') as promtail:

diff --git a/imageroot/actions/configure-module/validate-input.json b/imageroot/actions/configure-module/validate-input.json
@@ -14,7 +14,11 @@
             "loki_retention": 180,
             "prometheus_retention": 15,
             "maxmind_license": "1234567890",
-            "allowed_ips": ["1.2.3.0/24"]
+            "allowed_ips": [
+                "1.2.3.0/24"
+            ],
+            "tun_mtu": 1500,
+            "mssfix": 1450
         }
     ],
     "type": "object",
@@ -75,9 +79,21 @@
             "description": "List of allowed IPs for the controller",
             "items": {
                 "type": "string",
-               "format": "cidr"
+                "format": "cidr"
             },
             "minItems": 0
+        },
+        "tun_mtu": {
+            "type": "integer",
+            "description": "OpenVPN TUN interface MTU size, default is 1500",
+            "minimum": 576,
+            "default": 1500
+        },
+        "mssfix": {
+            "type": "integer",
+            "description": "OpenVPN MSSFIX value, default is 1450",
+            "minimum": 0,
+            "default": 1450
         }
     }
 }
diff --git a/imageroot/actions/get-configuration/20read b/imageroot/actions/get-configuration/20read
@@ -30,7 +30,7 @@ else:
     foctet=random.randrange(16,31)
     soctet=random.randrange(1,254)
 
-    config = {'host': '', 'lets_encrypt': False, 'ovpn_network': f'172.{foctet}.{soctet}.0', 'ovpn_netmask': '255.255.255.0', 'ovpn_cn': 'nethsec', 'api_user': 'admin', 'api_password': '', 'loki_retention': 180, 'prometheus_retention': 15, 'vpn_port': '', 'allowed_ips': []}
+    config = {'host': '', 'lets_encrypt': False, 'ovpn_network': f'172.{foctet}.{soctet}.0', 'ovpn_netmask': '255.255.255.0', 'ovpn_cn': 'nethsec', 'api_user': 'admin', 'api_password': '', 'loki_retention': 180, 'prometheus_retention': 15, 'vpn_port': '', 'allowed_ips': [], 'tun_mtu': 1500, 'mssfix': 1450}
 
     characters = list(string.ascii_letters + string.digits + "!@#%^+_")
     random.shuffle(characters)

diff --git a/imageroot/actions/get-configuration/validate-output.json b/imageroot/actions/get-configuration/validate-output.json
@@ -14,7 +14,11 @@
             "ovpn_cn": "nethsec",
             "loki_retention": 180,
             "maxmind_license": "1234567890",
-            "allowed_ips": ["1.2.3.0/24"]
+            "allowed_ips": [
+                "1.2.3.0/24"
+            ],
+            "tun_mtu": 1500,
+            "mssfix": 1450
         }
     ],
     "type": "object"

diff --git a/ui/public/i18n/en/translation.json b/ui/public/i18n/en/translation.json
@@ -58,9 +58,16 @@
     "vpn_port_description": "Units will connect to controller using a VPN connection. Make sure the units can reach the controller on UDP port {port}",
     "maxmind_license": "MaxMind license key",
     "maxmind_license_helper": "The license key is required to use the MaxMind GeoIP2 database",
+    "maxmind_license_tooltip": "Enable IP geolocations inside Grafana dashboards",
     "allowed_ips": "Allowed IPs",
     "allowed_ips_helper": "One IPv4 or CIDR per line. Leave empty to allow all IPs",
-    "allowed_ips_tooltip": "Required unit version: 8.6 or above. This field is used to restrict the access to the controller. When the access is restriced, units will contact the public register endpoint, then all traffic will go through the VPN."
+    "allowed_ips_tooltip": "Required unit version: 8.6 or above. This field is used to restrict the access to the controller. When the access is restricted, units will contact the public register endpoint, then all traffic will go through the VPN.",
+    "tun_mtu": "TUN MTU",
+    "tun_mtu_helper": "Maximum Transmission Unit for the VPN TUN interface",
+    "tun_mtu_tooltip": "Lower this value if you experience connectivity issues with units",
+    "mssfix": "MSS Fix",
+    "mssfix_helper": "Maximum Segment Size fix for the VPN connections",
+    "mssfix_tooltip": "Change only if you have troubles connecting to units"
   },
   "about": {
     "title": "About"
@@ -100,6 +107,8 @@
     "loki_retention_min": "Logs retention must be greater than 1 day",
     "invalid_network": "Invalid network, it mus be a class C network like 192.168.200.0",
     "invalid_netmask": "Invalid netmask, it must be a valid netmask like 255.255.255.0",
-    "invalid_allowed_ips": "Invalid allowed IPs, each entry must be a and IP or CIDR network."
+    "invalid_allowed_ips": "Invalid allowed IPs, each entry must be a and IP or CIDR network.",
+    "tun_mtu_min": "TUN MTU must be at least 576",
+    "mssfix_min": "MSS Fix must be at least 0"
   }
 }
diff --git a/ui/public/i18n/es/translation.json b/ui/public/i18n/es/translation.json
@@ -12,7 +12,9 @@
         "404": "Recurso no encontrado",
         "invalid_user": "Nombre de usuario no válido: debe contener sólo letras y números",
         "network_error": "Error de red",
-        "validation_error": "Error de validación"
+        "validation_error": "Error de validación",
+        "tun_mtu_min": "TUN MTU debe ser al menos 576",
+        "mssfix_min": "MSS Fix debe ser al menos 0"
     },
     "settings": {
         "user": "Usuario administrador",

diff --git a/ui/public/i18n/it/translation.json b/ui/public/i18n/it/translation.json
@@ -12,7 +12,9 @@
         "403": "Operazione non autorizzata",
         "invalid_cn": "Nome controller non valido: deve contenere solo lettere e numeri",
         "invalid_user": "Nome utente non valido: deve contenere solo lettere e numeri",
-        "invalid_host": "Nome host non valido: deve essere un FQDN valido"
+        "invalid_host": "Nome host non valido: deve essere un FQDN valido",
+        "tun_mtu_min": "TUN MTU deve essere almeno 576",
+        "mssfix_min": "MSS Fix deve essere almeno 0"
     },
     "settings": {
         "title": "Impostazioni",

diff --git a/ui/src/views/Settings.vue b/ui/src/views/Settings.vue
@@ -206,6 +206,23 @@
                       :passwordHideLabel="$t('password.hide_password')"
                       :passwordShowLabel="$t('password.show_password')"
                     >
+                      <template #tooltip>{{
+                        $t("settings.maxmind_license_tooltip")
+                      }}</template>
+                    </NsTextInput>
+                    <NsTextInput v-model.trim="tun_mtu" ref="tun_mtu"
+                      :invalid-message="$t(error.tun_mtu)" type="number" :label="$t('settings.tun_mtu')"
+                      :helper-text="$t('settings.tun_mtu_helper')" :disabled="stillLoading">
+                      <template #tooltip>{{
+                          $t("settings.tun_mtu_tooltip")
+                        }}</template>
+                    </NsTextInput>
+                    <NsTextInput v-model.trim="mssfix" ref="mssfix"
+                      :invalid-message="$t(error.mssfix)" type="number" :label="$t('settings.mssfix')"
+                      :helper-text="$t('settings.mssfix_helper')" :disabled="stillLoading">
+                      <template #tooltip>{{
+                          $t("settings.mssfix_tooltip")
+                        }}</template>
                     </NsTextInput>
                   </div>
                   <div class="mg-top-xxlg">
@@ -231,7 +248,7 @@
                       ref="allowed_ips"
                       :invalid-message="$t(error.allowed_ips)"
                       :helper-text="$t('settings.allowed_ips_helper')"
-                      :disabled="loading.configureModule"
+                      :disabled="stillLoading"
                       :rows="4"
                     >
                       ></cv-text-area
@@ -335,6 +352,8 @@ export default {
       loki_retention: "180",
       prometheus_retention: "15",
       maxmind_license: "",
+      tun_mtu: 1500,
+      mssfix: 1450,
       passwordPlaceholder: "",
       allowed_ips: "",
       loading: {
@@ -355,8 +374,9 @@ export default {
         loki_retention: "",
         prometheus_retention: "",
         maxmind_license: "",
-        allowed_ips: "",
-        getStatus: "",
+        tun_mtu: "",
+        mssfix: "",
+        allowed_ips: ""
       },
     };
   },
@@ -493,6 +513,8 @@ export default {
       this.loki_retention = config.loki_retention.toString();
       this.prometheus_retention = config.prometheus_retention.toString();
       this.maxmind_license = config.maxmind_license;
+      this.tun_mtu = config.tun_mtu;
+      this.mssfix = config.mssfix;
       this.vpn_port = config.vpn_port;
       this.allowed_ips = config.allowed_ips.join("\n");
       this.focusElement("host");
@@ -501,15 +523,7 @@ export default {
       this.clearErrors(this);
       this.validationErrorDetails = [];
       let isValidationOk = true;
-      let fields = [
-        "host",
-        "cn",
-        "network",
-        "netmask",
-        "user",
-        "loki_retention",
-        "prometheus_retention",
-      ];
+      let fields = ["host", "cn", "network", "netmask", "user", "loki_retention", "prometheus_retention", "tun_mtu", "mssfix"];
 
       // On first config the password must be non-empty
       if (this.firstConfig) {
@@ -574,6 +588,20 @@ export default {
         isValidationOk = false;
       }
 
+      // validate tun_mtu: minimum 576
+      if (isNaN(parseInt(this.tun_mtu)) || parseInt(this.tun_mtu) < 576) {
+        this.error.tun_mtu = this.$t("error.tun_mtu_min");
+        this.focusElement("tun_mtu");
+        isValidationOk = false;
+      }
+
+      // validate mssfix: minimum 0
+      if (isNaN(parseInt(this.mssfix)) || parseInt(this.mssfix) < 0) {
+        this.error.mssfix = this.$t("error.mssfix_min");
+        this.focusElement("mssfix");
+        isValidationOk = false;
+      }
+
       // validate network
       const network_re = new RegExp(
         /^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.0$/
@@ -674,6 +702,8 @@ export default {
         loki_retention: parseInt(this.loki_retention),
         prometheus_retention: parseInt(this.prometheus_retention),
         maxmind_license: this.maxmind_license,
+        tun_mtu: parseInt(this.tun_mtu),
+        mssfix: parseInt(this.mssfix),
         allowed_ips: this.allowed_ips
           .split("\n")
           .map((ip) => ip.trim())