OpenVPN ToS Tagging



  • Hi all,
    Question about the check box for this option:
      "Set the TOS IP header value of tunnel packets to match the encapsulated packet value."

    Does that ToS value then make it to the outside of the OpenVPN encapsulation such that I could build a QoS policy matching the ToS tag?


  • Rebel Alliance Developer Netgate

    Yes. If the inner packet (for example, VoIP inside the VPN) has TOS/DSCP set, using that option will copy the TOS bits to the outer VPN packet where it could be matched for QoS anywhere along the path.

    There is some slight information disclosure (someone could infer that it's VoIP or video from the TOS header), so it's off by default.
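
The trade-off described in the reply above, as an added example that is not part of the original thread and is not OpenVPN or pfSense code: a simplified model of a UDP tunnel showing what an on-path device can read from the outer IPv4 header with the option on and off. The addresses, the `encapsulate` and `observer_view` helpers, and the placeholder ciphertext are assumptions made for illustration.

```python
import socket
import struct

# Well-known DSCP code points (RFC 2474, RFC 2597, RFC 3246).
DSCP_NAMES = {0: "CS0/default", 34: "AF41", 46: "EF"}

def ipv4_header(tos, proto, src, dst, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0 for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def encapsulate(inner, copy_tos, src="192.0.2.1", dst="198.51.100.1"):
    """Model of the tunnel: outer IPv4 + UDP around an opaque payload.

    copy_tos=True models the checkbox: the inner TOS byte is copied to the
    outer header. copy_tos=False models the default: outer TOS stays 0.
    """
    inner_tos = inner[1]                  # byte 1 of an IPv4 header is TOS
    opaque = bytes(len(inner))            # placeholder standing in for ciphertext
    udp = struct.pack("!HHHH", 1194, 1194, 8 + len(opaque), 0) + opaque
    outer_tos = inner_tos if copy_tos else 0
    return ipv4_header(outer_tos, 17, src, dst, len(udp)) + udp

def observer_view(outer):
    """What any device on the path can read without the tunnel key."""
    tos = outer[1]
    dscp, ecn = tos >> 2, tos & 0x3       # upper 6 bits DSCP, lower 2 bits ECN
    return {"dscp": dscp, "ecn": ecn, "class": DSCP_NAMES.get(dscp, "other")}

# Constructed sample: an inner UDP packet marked EF (DSCP 46, TOS 0xB8).
INNER_VOICE = ipv4_header(46 << 2, 17, "10.8.0.6", "10.8.0.1", 12) + bytes(12)

if __name__ == "__main__":
    for copy_tos in (False, True):
        view = observer_view(encapsulate(INNER_VOICE, copy_tos))
        print(f"copy_tos={copy_tos}: outer header shows {view}")
```

With the copy enabled, the outer header carries the EF marking, which is both what a QoS rule along the path can match and what an observer can use to infer the traffic type.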



  • Thanks Jim. I've seen many a bandwidth provider (Comcast primarily) actually strip tagging once the packet reaches their network, so this would simply accomplish ensuring that the pfSense is forwarding VoIP packets before others, whether inside a tunnel or not. Actually, this is good news for VPN tunnel QoS, as I've seen several postings on here arguing that QoS within a tunnel doesn't work. While that is technically correct, this feature at least allows for QoS on specific traffic, whether it's inside a tunnel or not.