Netgate Discussion Forum
    Traffic Shaping with OpenVPN

      mcamino

      anyone care to assist?

      bump

        Derelict (LAYER 8, Netgate)

        All you can really do is shape the OpenVPN tunnel in relation to other traffic.  You can only do this in one direction - outbound.

        You would identify the traffic on the client with connections on WAN OUT to server on UDP/1194.  This would put traffic into a queue to shape from client to server.

        You would identify the traffic on the server with connections on WAN IN from client to UDP/1194. This would put traffic into a queue to shape from server to client.

        Default OpenVPN ports used in this example.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          Nullity

          @mcamino:

          I appreciate your help, but is there another forum member who might be able to help me a little bit further? Possibly with more specific instructions?

          I guess my question at the remote site is "if SOURCE interface X, guarantee up to 20mbs via wan. otherwise provide full bandwidth (25mbs) to all users"

          and my question at the central office is "provide this OpenVPN tap connection guarantee up to 20mbs via wan, otherwise provide full bandwidth (50mbs) to all users"

          I have a rudimentary understanding of HFSC so I can help with that, but I am very inexperienced with firewall rules and OpenVPN.

          If you want to use a 2-part service curve (decoupled bandwidth & delay) you, or myself, will need to know the packet size for a particular traffic type to determine the burst duration.

          If you just want linear service curves then use link-share and upper-limit.

          It is late and I am having trouble finding motivation, but I am willing to help… :)

          Please correct any obvious misinformation in my posts.
          -Not a professional; an arrogant ignoramus.

            mcamino

            @Derelict:

            All you can really do is shape the OpenVPN tunnel in relation to other traffic.  You can only do this in one direction - outbound.

            That is the part which I am having a difficult time understanding. I want to protect the upstream and downstream bandwidth for the VPN connection. For example, if a user downloads or uploads a 20gb file to the internet, I want to be sure in either scenario that the internet user does not negatively affect the VPN connection for the IPTV streams.

            I understand, if we have a 50mb connection, dividing it into different queues with different priorities. Attached is what I am trying right now, but it doesn't seem to be the right config yet.

            Can you take a look and tell me if what I have so far LOOKS like I am on the right track? And if you could give me some advice on what else I should look at and configure so I can investigate those next steps.

            (Attachments: pfsense-1.JPG through pfsense-6.JPG)

              Derelict (LAYER 8, Netgate)

              That is the part which I am having a difficult time understanding. I want to protect the upstream and downstream bandwidth for the VPN connection. For example, if a user downloads or uploads a 20gb file to the internet, I want to be sure in either scenario that the internet user does not negatively affect the VPN connection for the IPTV streams.

              You can shape both directions, you just have to shape sending at each end.


                mcamino

                How does shaping the remote client side (which is downloading the IPTV streams) prevent someone from performing a large download on the central server side (which is uploading the IPTV streams) causing the circuit to have over-subscription issues? Am I misunderstanding this, or what am I missing?

                  Derelict (LAYER 8, Netgate)

                  You're misunderstanding.  I am talking about shaping the tunnel.

                  You shape sending out WAN by putting the OpenVPN connection into a queue and other traffic into other queues.  What you can't easily do is shape different traffic within the OpenVPN tunnel or shape how much is received by the tunnel.

                  OpenVPN traffic is different from other traffic.  You cannot shape the state of the received traffic all the way through to LAN because:

                  On the WAN side all pfSense sees is an OpenVPN tunnel - it cannot see inside it.  The only state on WAN that exists is the connection to the other VPN server itself.

                  pfSense will allow you to set queues on the OpenVPN assigned interface itself, but doing so eventually makes my OpenVPN process spin at 100% CPU.

                  I'm probably making this more difficult than it needs to be but shaping OpenVPN traffic is really complicated due to the fact that there are never states from LAN to WAN and WAN to LAN.  Even if you do try to shape on the OpenVPN interface, you're now running a shaper inside a shaper and adding yet more complexity.


                    mcamino

                    @Derelict:

                    You're misunderstanding.  I am talking about shaping the tunnel.

                    You shape sending out WAN by putting the OpenVPN connection into a queue and other traffic into other queues.  What you can't easily do is shape different traffic within the OpenVPN tunnel or shape how much is received by the tunnel.

                    Okay. I know I don't need to shape within the tunnel. I just want to give the VPN tunnel on both the client and server side a higher priority. So let's simplify my original question; let's forget the specific bandwidth numbers.

                    If I have an OpenVPN connection between two sites, how do I give that VPN connection higher priority on the outside (WAN) interface than all other (default queue) traffic for both upload and download over-subscription? I guess my question is even more specifically now: how do I set up a traffic shaper rule for both upload (outgoing) and download (incoming) on the WAN interface?

                      Derelict (LAYER 8, Netgate)

                      You don't shape download on WAN.  That's what I've been trying to tell you.  And you can't set a queue on LAN to shape downloads either.

                      Assumes the following: OpenVPN Server running on UDP 1196

                      On the server (This rule will shape traffic from server to client):

                      Create a floating rule on interface WAN in Match IPv4 UDP source any dest WAN address destport 1196 set queue qVPN

                      On the client (this rule will shape traffic from client to server):

                      Create a floating rule on interface WAN out Match IPv4 UDP source any dest VPN Host destport 1196 set queue qVPN

                      ![Screen Shot 2015-03-01 at 8.17.00 PM.png](/public/imported_attachments/1/Screen Shot 2015-03-01 at 8.17.00 PM.png)


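The two floating rules described in the post above, written out as the equivalent hand-written pf rulesets for each firewall (an added example, not Derelict's text and not the ruleset pfSense generates from the GUI). It assumes WAN is em0, the server listens on UDP 1196 as in the post, the server's public address is 203.0.113.10, and the 50/25 Mbit/s uplinks and 20 Mbit/s guarantee come from the bandwidth numbers mentioned earlier in the thread.

```pf
# pf applies queues only to packets LEAVING an interface. A state created by an
# inbound rule keeps its queue, so the replies sent back out the same
# interface are shaped; that is why "WAN in" on the server shapes server->client.

# ---------------- /etc/pf.conf on the SERVER (assumed 50 Mbit/s up) ----------------
altq on em0 hfsc bandwidth 50Mb queue { qDefault, qVPN }
  queue qDefault bandwidth 30Mb hfsc(default)
  # linear service curve only (link-share + upper-limit), no realtime/burst part
  queue qVPN     bandwidth 20Mb hfsc(linkshare 20Mb upperlimit 50Mb)

# Floating rule, WAN in: tunnel packets arriving at the server's own address on
# UDP/1196 put the state into qVPN, so server-to-client tunnel traffic is shaped
# on its way out em0. (em0) expands to the interface address at load time.
match in on em0 proto udp from any to (em0) port 1196 queue qVPN

# ---------------- /etc/pf.conf on the CLIENT (assumed 25 Mbit/s up) ----------------
altq on em0 hfsc bandwidth 25Mb queue { qDefault, qVPN }
  queue qDefault bandwidth 5Mb  hfsc(default)
  queue qVPN     bandwidth 20Mb hfsc(linkshare 20Mb upperlimit 25Mb)

# Floating rule, WAN out: client-to-server tunnel traffic to the (assumed)
# server address 203.0.113.10 on UDP/1196 goes into qVPN.
match out on em0 proto udp from any to 203.0.113.10 port 1196 queue qVPN
```

After loading each ruleset, `pfctl -vsq` shows per-queue packet and byte counters, which is the quickest way to confirm the tunnel packets are landing in qVPN rather than qDefault.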
                        Derelict (LAYER 8, Netgate)

                        You might have some luck placing rules like this on your OpenVPN assigned interface or OpenVPN tab.  This will govern connections coming from the remote site into your firewall over OpenVPN.  There should be queues matching these names on LAN.

                        Similar rules can be set on the LAN interface for traffic from LAN net to the remote OpenVPN network(s).

                        ![Screen Shot 2015-03-01 at 8.24.36 PM.png](/public/imported_attachments/1/Screen Shot 2015-03-01 at 8.24.36 PM.png)
                        ![Screen Shot 2015-03-01 at 8.30.32 PM.png](/public/imported_attachments/1/Screen Shot 2015-03-01 at 8.30.32 PM.png)


                          MLIT

                          You could also try to make a tunnel specifically for the IPTV traffic; then you could shape traffic based upon which tunnel the traffic was received from.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.