[DEV REQUESTED] Add QoS for OpenVPN tunnels

Discussion in 'Tomato Firmware' started by irouy, Sep 9, 2013.

  1. irouy

    irouy Serious Server Member

    Copy the script from /etc/qos to /tmp/qos-tunXX and edit it so that the WAN_DEV is replaced by tunXX instead of vlan2 and IMQ_DEV is replaced by imq1 instead of imq0. Remember to verify which interface you are using for your VPN setup. tun11 and tun12 are used for client 1 and 2. tun21 and 22 are used for server 1 and 2.

    We would be able to autogenerate this by using sed which is included in the default build. On my setup this is what I have in my firewall script:
    cp /etc/qos /tmp/qos-tun11
    sed -i 's/vlan2/tun11/g' /tmp/qos-tun11
    sed -i 's/imq0/imq1/g' /tmp/qos-tun11
    chmod +x /tmp/qos-tun11
    iptables -t mangle -A FORWARD -o tun11 -j QOSO
    iptables -t mangle -A OUTPUT -o tun11 -j QOSO
    iptables -t mangle -A PREROUTING -i tun11 -j CONNMARK --restore-mark --mask 0xff
    iptables -t mangle -A PREROUTING -i tun11 -j IMQ --todev 1
    ifconfig imq1 up
    [edit] Oops. Forgot to bring the interface up :eek:) [/edit]

    Hi all,

    Would it be possible to hack in support for QoS over OpenVPN connections?

    Atm only traffic going out of the WAN interface is passing through the QoS queue. It would be nice if OpenVPN traffic could also be processed by the QoS system.

    Do you think this is a hardcoded thing (i.e. need to recompile) or could this be solved by configuration?

    All the VPN traffic is shown separately under the QoS but is never processed by the rules. Therefore all VPN traffic is labelled as Unclassified.
    Last edited: Feb 4, 2014
    Holy_Hunter likes this.
  2. irouy

    irouy Serious Server Member

    reserved for future use
    Last edited: Jan 3, 2014
  3. Porter

    Porter LI Guru Member

    I'm not very familiar with VPN. But I guess QoS would work just the same with it, only with different interfaces. There is one prerequisite: you will have to find a way to classify your VPN connection in the highest class because if it doesn't always get bandwidth when it needs it, QoS inside this vpn-connection is worthless. Classifying might just depend on finding the right protocol and making a new filter with it.

    The scripts that control Tomato's QoS-system are in /etc/qos and /etc/iptables. You would probably have to modify them a bit, as in bandwidth and interface (VPN-interface and imq1).
  4. irouy

    irouy Serious Server Member

    Thanks a lot Porter. I'm looking into it right now.

    It seems I have to set up a new queue and attach the tun interface to this queue.
    If anyone has any experience on setting this up (and maybe a working script) I would be happy if you shared it.

    At least I know what to do tonight :)
  5. Porter

    Porter LI Guru Member

    Queues are attached to interfaces, not the other way around. ;)

    And as I've said you don't need to dive into QoS internals. You'll just have to roughly understand how those two scripts work.

    This is just what I came up with after a bit of thinking. You might have to do some more:

    1. Think about enabling JFFS, so you have persistent storage for your scripts that will survive a reboot.

    2. Use the Tomato GUI as a script generator for your VPN interface. Depending on how powerful your router is, think about disabling the L7 filters. I'd recommend using a lower bandwidth than the one you are using for your normal ppp0. After you've changed it to the lower values, click save and copy the two scripts under /etc to /jffs/. You could also c&p them into the script section, but that might be a bit messy.

    3. Change the interfaces in the scripts _and_ remove all the non-QoS-stuff from /etc/iptables. I think the iptables script might need to be called in a special way, because it's not a pure shell script. This script most likely needs to be run by iptables. Consult the man-pages for help (restore settings or something like that). Tomato uses vi. I'm not entirely sure if you'll have to change something else.

    4. If you didn't copy the scripts into the script section, you should now place calls into the WAN Up script-section.
    irouy likes this.
  6. irouy

    irouy Serious Server Member


    I've copied the scripts from /etc/{qos,qoslimit} to /cifs1/{qos-tun11.sh,qoslimit} and edited them so that the WAN_DEV is replaced by tun11 instead of vlan2 and IMQ_DEV is replaced by imq1 instead of imq0. (In qoslimit I only replaced vlan2 with tun11)

    I then added the following to my firewall script:

    iptables -t mangle -A FORWARD -o tun11 -j QOSO
    iptables -t mangle -A OUTPUT -o tun11 -j QOSO
    iptables -t mangle -A PREROUTING -i tun11 -j CONNMARK --restore-mark --mask 0xff
    iptables -t mangle -A PREROUTING -i tun11 -j IMQ --todev 1

    And voila, it works!

    I will add this to my first setup script so this is done automatically when I install a new customer device :)

    Thanks a lot for guiding me in the right direction.

    Do you think this should be added by default in one of the builds? I think it would be nice if you could check QoS in the VPN gui... But maybe that's just me?
    Last edited: Sep 11, 2013
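    The steps from the first post, Porter's checklist and the working setup above, folded into one reusable script. This is an added example, not code from the thread or from Tomato; it assumes (as the thread does) that /etc/qos refers to the WAN device as vlan2 and the ingress device as imq0 literally, and that the generated script takes "start" the way Tomato's /etc/qos does.

```shell
#!/bin/sh
# Added example, not code from the thread: build the per-tunnel QoS pieces for
# any tunXX/imqN pair instead of hand-editing each copy of /etc/qos.
# Assumption, as in the thread: /etc/qos names the WAN device vlan2 and the
# ingress device imq0 literally, so a textual swap is enough.

# qos_script_for TUN IMQ_INDEX SRC DST
# Copy SRC (normally /etc/qos) to DST with the WAN and IMQ devices swapped.
qos_script_for() {
    sed -e "s/vlan2/$1/g" -e "s/imq0/imq$2/g" "$3" > "$4" && chmod +x "$4"
}

# mangle_rules TUN IMQ_INDEX
# Print the firewall-script commands from the thread, one per line. Each rule
# is deleted before it is appended, so re-running the firewall script (Tomato
# does this on WAN events) does not stack duplicate copies of the same rule.
mangle_rules() {
    tun="$1"; n="$2"
    for spec in \
        "FORWARD -o $tun -j QOSO" \
        "OUTPUT -o $tun -j QOSO" \
        "PREROUTING -i $tun -j CONNMARK --restore-mark --mask 0xff" \
        "PREROUTING -i $tun -j IMQ --todev $n"
    do
        echo "iptables -t mangle -D $spec 2>/dev/null"
        echo "iptables -t mangle -A $spec"
    done
    echo "ifconfig imq$n up"
}

# setup_tunnel_qos TUN IMQ_INDEX [DRY]
# With DRY=1 only print the commands (for review); otherwise refuse to proceed
# if the tunnel interface does not exist yet, generate /tmp/qos-TUN, install
# the rules and start the tunnel's own queue. Assumes the generated script
# accepts "start" like Tomato's /etc/qos (the thread does not show this step).
setup_tunnel_qos() {
    tun="$1"; n="$2"
    if [ "${3:-0}" = 1 ]; then mangle_rules "$tun" "$n"; return 0; fi
    ifconfig "$tun" >/dev/null 2>&1 || { echo "$tun is not up" >&2; return 1; }
    qos_script_for "$tun" "$n" /etc/qos "/tmp/qos-$tun" || return 1
    mangle_rules "$tun" "$n" | sh
    "/tmp/qos-$tun" start
}

# Usage from the firewall script, e.g.: setup_tunnel_qos tun11 1
# Give each tunnel its own imq index; imq0 stays with the WAN queue.
```

Run it with a third argument of 1 first (for example `setup_tunnel_qos tun21 2 1`) to see the exact rules before they touch the mangle table.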
  7. lancethepants

    lancethepants Network Guru Member

    Not only would this be awesome for VPNs, but for those of us using a tunnel broker for IPv6. Would be cool to have that traffic prioritized correctly with the rest of it too.
    irouy likes this.
  8. rs232

    rs232 Network Guru Member

    I'm glad somebody finally found a solution to this!

    p.s. I suppose the QoS GUI could be changed to define different rules for vlan2 / tunXX
    _wb_ and irouy like this.
  9. noyp

    noyp Network Guru Member

    Hi irouy,
    If I have a site-to-site VPN, should I enable this script on both server and client?

  10. irouy

    irouy Serious Server Member

    noyp, you should run the scripts both on the server and the client. Make sure you use the correct device names as these change depending on whether you run them on client or server.

  11. _wb_

    _wb_ Networkin' Nut Member

    Is there any reason you changed imq1 instead of imq0 for /etc/qos?
    I tried this solution on Shibby patch 115, but the ingress graph shows nothing; if I change to imq0 I get P2P/Bulk and some WWW. Nothing else. Any ideas?

    Note: I am using selective VPN so that only 1 internal IP uses the VPN for now. (@quidagis Route only specific ports through VPN (openvpn) )
  12. irouy

    irouy Serious Server Member

    From reading this I figured that I needed to set up a new qdisc. Especially because this page clearly notes that:
    Please note that I'm just a noob in this and making this up as I go :)

    What I would really like is to have one of the devs look into this and advise on a proper setup for VPN QoS. I would then be willing to assist them in implementing this into the WBM of Tomato as I feel that this is something that would be useful to a lot of users.
  13. Holy_Hunter

    Holy_Hunter Networkin' Nut Member

    +1 for this great idea!
    Let's hope for the best...
  14. cloneman

    cloneman Addicted to LI Member

    Is this to prioritize/process the entire VPN traffic as one unit, or to apply QoS rules to individual connections inside the VPN?
  15. bobby22

    bobby22 Network Newbie Member

    Searched for QoS and VPN and found this post. I enabled QoS in my Tomato and OpenVPN using PIA and I get 1000ms ping and 0.3Mbps download speed test. What the above poster asked, will this prioritize traffic for each device connected? Everything is through the VPN, but I want things like VoIP and browsing to have priority over people downloading.