Limiting usable bandwidth efficiently with OpenVPN



  • Hey guys… We have a site-to-site OpenVPN connection between our main office and a colocation. Because of our bandwidth restrictions, we sort of need to have a hard cap on our usable bandwidth, as it is $20 a Mbps over once we go past our agreement. (Traffic shaping didn't work correctly once and we had $900 in overage for a month.)

    Currently, I'm limiting bandwidth using traffic shaping. With this method I'm able to limit WAN traffic at our colocation down to within about 500 Kbps of our cap, but I've noticed that there is a huge disparity in usable speed going through the tunnel. We have 20 Mbps and seem to get between 6 and 12 Mbps flowing from the LAN port on the pfSense router at the colo, even though we are pretty much at 20 Mbps on the WAN constantly... I assume that this is because the VPN client side is resending packets because it's not getting timely responses, or something like that.

    The colo firewall is the server; our main firewall at the office is the client. We are sending backups from our main office to our off-site location.

    What would you guys recommend to actually create a hard limit in a way that won't kill the performance of our VPN tunnel when we send large amounts of data from our main office (client) to our off-site location (server)? I did set a bandwidth limit in the client-side settings for my VPN tunnel, but it randomly stopped working after about a day, and that's when we had the $900 in overage fees. :( When it was working, though, it seemed to do the business perfectly...



  • If the issue is outgoing bandwidth, just enable traffic shaping on the WAN and set your bandwidth. This will keep all egress honoring the limit. I would also recommend using CoDel in some fashion, either by using the CoDel scheduler or by using HFSC and then enabling CoDel on the child queues.
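
    The reply above describes the shaper in terms of the pfSense GUI. What the GUI writes out is an ALTQ rule set in pf.conf(5) syntax, and seeing it in that form makes the two points concrete: the parent queue's bandwidth is the hard cap, and CoDel on the child queues is what keeps the queue shallow so TCP inside the tunnel is not stalled by a deep buffer. The fragment below is an added, hand-written example for this thread, not configuration posted by anyone in it or generated by pfSense; the WAN interface `em0`, the 20 Mbit/s contract, the 19 Mbit/s cap, the peer address 203.0.113.10 and the UDP/1194 port are all assumptions. One caveat to keep in mind when placing it: ALTQ shapes only packets leaving the interface it is attached to, so a shaper on the colo WAN caps the colo's outbound traffic, while backups flowing office to colo are egress from the office WAN and have to be shaped there.

```pf
# Added example (not from the thread). Assumed: WAN is em0, the contract is
# 20 Mbit/s, the OpenVPN peer is 203.0.113.10 on UDP/1194.
#
# Parent queue: set the cap a little under the contracted rate so the
# provider's meter never sees the full 20 Mbit/s.
altq on em0 hfsc bandwidth 19Mb queue { qVPN, qDefault }

# Child queues with CoDel: packets are dropped early instead of sitting in
# a deep buffer, so the TCP sessions inside the tunnel see a short, stable
# RTT rather than bufferbloat. qVPN gets most of the link; qDefault is the
# catch-all (default) queue for everything else.
queue qVPN     bandwidth 15Mb hfsc(codel)
queue qDefault bandwidth 4Mb  hfsc(default codel)

# Steer the tunnel's outer UDP packets into qVPN; traffic that matches no
# queue assignment lands in qDefault.
pass out quick on em0 proto udp from (em0) to 203.0.113.10 port 1194 queue qVPN

# The simpler alternative the reply mentions, a single CoDel scheduler with
# no child queues, is the one-line form:
#   altq on em0 codel bandwidth 19Mb
```

    Check the exact option spelling against pf.conf(5) on the FreeBSD release the firewall is built on before loading this with `pfctl -f`; on pfSense the same result is normally reached through Firewall > Traffic Shaper by choosing HFSC on the WAN, entering the cap as the interface bandwidth and ticking the CoDel option on each child queue.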



  • Do you mean enable traffic shaping on the WAN of the client side (main office), or the off-site (server) side? I have traffic shaping enabled on the WAN of the server side, and that is definitely capping the bandwidth, but it seems to be super inefficient. :/ I'm getting 20 Mbps worth of traffic on the WAN and only about 10 Mbps actually going through the tunnel.