Shaping OpenVPN interface



  • I did a quick search, but couldn't find what I was looking for.

    I'm curious how to shape traffic going over the OpenVPN interface. My problem is that I have VoIP traffic going over the VPN interface, and I'm getting jitter and loss in my conversations.

    Can someone walk me through this?

    I have dual WAN interfaces, but the VPN traffic comes over the WAN interface.



  • youre can't shape ptpp,ipsec and openvpn



  • Well I know you can't do it through the wizard, but I noticed you can manually change things after the wizard has done its thing.



  • The problem is that the shaper always works outbound and the traffic is leaving is only seen as encrypted traffic so it can't be shaped anymore.



  • @Helix26404:

    I did a quick search, but couldn't find what I was looking for.

    I'm curious how to shape traffic going over the OpenVPN interface. My problem is that I have VoIP traffic going over the VPN interface, and I'm getting jitter and loss in my conversations.

    Can someone walk me through this?

    I have dual WAN interfaces, but the VPN traffic comes over the WAN interface.

    Not sure with OpenVPN which actually uses the TUN interface.  For IPSec, jeroen is correct, we can't shape traffic inside the tunnel.  Regardless what this really means for you is mult-wan shaping….I don't expect to see code for that any time soon, the multi-lan shaping is giving me a headache as it is.

    --Bill



  • Hmm. Tell me if my logic is correct: if the WAN interface is shaped properly, and the traffic flows over the VPN (which goes out the WAN interface), will that traffic be shaped?



  • Could you shape all of the VPN traffic over the rest of the Internet traffic?

    This would get you part way to where you want to be.



  • @Helix26404:

    Hmm. Tell me if my logic is correct: if the WAN interface is shaped properly, and the traffic flows over the VPN (which goes out the WAN interface), will that traffic be shaped?

    It will be shaped as part of one class.  Although, since the tunnel originates from the pfSense box and our shaper setup classifies traffic as it enters the LAN interface so it can be appropriately shaped going out the WAN, what you'll likely see is the VPN traffic hitting the default class on the way out.  This would apply to both the traffic outbound from your network, but also the traffic inbound to your network.  At some point, I'd love to see the layer 7 changes I was working on completed so we can dynamically move traffic to appropriate queues.  But until that's done, I don't expect we'll be able to shape VPN traffic of any kind properly.

    –Bill


Locked