OpenVPN traffic shaping



  • I'm currently having some problems with latency with my OpenVPN traffic due to it getting caught by my catch-all p2p queue. I can see the connection state as: 10.0.1.254:1194 <- [routerIP]:1194 <- [remoteVPNclient]:19192

    So my traffic shaper rule looks like this:
    Target: Outbound Queue 13 (qOthersUpH) / Inbound Queue 14 (qOthersDownH)
    In Interface: LAN
    Out Interface: WAN
    Protocol: TCP
    Source: Lan subnet
    Source Port Range: OpenVPN
    Destination: any
    Destination Port range: any
    Direction: any

    Are those settings correct? Have I missed something?



  • Anybody?



  • It's my understanding (having tried to do the same thing, search around here for my posts) that you cannot shape either the traffic inside of the tunnel or the tunnel itself (as part of the other traffic going out of the same interface).

    Someone please correct me if I'm wrong, but I believe this is the way it is currently.



  • Can pfSense shape OpenVPN traffic if the traffic isn't originating from or destined for the built-in OpenVPN server on the pfSense install? I understand it's not able to shape the built-in VPN tun0 interface and built-in OpenVPN server.

    For example, I have some remote OpenVPN servers not running on pfSense or related to my pfSense install in any way, and on my LAN behind my pfSense box, I have client machines which connect to the remote VPN servers. I'm not using the OpenBSD implementation on pfSense for any of this; pfSense just routes the VPN traffic from LAN to WAN and vice versa, like a pass-through. Since this LAN <-> WAN traffic is what the traffic shaper is made for, if I made the rules to shape all port 1194 traffic as high priority on pfSense, will this work?



  • No, as pfSense only sees encrypted traffic passing through it. It can't determine what's inside these encrypted packages and therefore it can't shape. You could only give higher or lower priority to all that VPN traffic with the shaper, but not to different traffic inside the tunnel.



  • @hoba:

    No, as pfSense only sees encrypted traffic passing through it. It can't determine what's inside these encrypted packages and therefore it can't shape. You could only give higher or lower priority to all that VPN traffic with the shaper, but not to different traffic inside the tunnel.

    Thanks for the reply. I think I don't really need to shape -within- the tunnel traffic, I just want to ensure outbound/inbound TCP traffic on port 1194 (what I use for OpenVPN stuff) has a higher priority than bulk traffic. Whatever happens inside the tunnels pfSense doesn't need to know about in my case, I think, so the traffic shaper should be able to help me somewhat.

