QOS and OpenVPN

Discussion in 'Tomato Firmware' started by lovingHDTV, Sep 6, 2014.

  1. lovingHDTV

    lovingHDTV Network Guru Member

    I've an E3000 router and just flashed Shibby's 121 build to get OpenVPN. I got it up and working with my VPN supplier, but noticed that when I have VPN on, QOS shows everything as unclassified, making it a non-starter. I need my QOS to work.

    I read this post:

    that discusses why things aren't working and I tried the firewall script provided, but it didn't work for me. It seems that it broke all the incoming data.

    Is there a build out there that allows you to run QOS and OpenVPN at the same time?

  2. paped

    paped LI Guru Member

    My QoS seems to work with OpenVPN, I just have a QoS rule for UDP port 1194 set to the "express" QoS class and when connected it shows the OpenVPN port in the QoS details as connected at the correct "express" class.

  3. Porter

    Porter LI Guru Member

    The post you are referring to is about making QoS work _inside_ a VPN tunnel, as opposed to what you are doing, which is classifying the VPN connection itself.

    That being said, I think @paped gave you the right idea on how to improve your VPN connection with QoS.

  4. paped

    paped LI Guru Member

    Sorry, must admit I have never thought of QoS within the VPN tunnel, as I have always looked at it that the VPN is the network service effectively, so by bumping the priority of the VPN service up anything going through the VPN is also increased. Obviously if you are trying to fit for example a voice and data stream through the VPN doing it my way both would have increased QoS priority over the WAN connection via the VPN QoS setting but within the VPN tunnel they would be equal.

    Just a thought (but I'm not a Tomato application expert here just a network person...) where the QoS in Tomato is applied I believe will be after the data has entered the VPN tunnel so could this be that you almost need to run another separate instance of the QoS application in front of the VPN just for VPN traffic? As the data would effectively need to be prioritised on the Tomato router and almost traffic shaped at that point against the bandwidth available in the VPN connection (which could be variable in nature as the VPN is an application itself fighting all the other applications for bandwidth). As once in the tunnel it's encrypted so cannot really be manipulated further until it reaches the other end of the tunnel and the packet types can be seen and understood at a routing level again. As between the 2 peers all the network will see is the UDP/TCP packets for the VPN itself e.g. standard port UDP 1194 for OpenVPN traffic but that could be transmitting for example http port 80 traffic that only the VPN peers and the "secure networks" beyond them would know about. Herein may be the problem though as you would almost need to use my suggestion above to guarantee/police a segment of WAN bandwidth (I believe it would be the minimum QoS figure on the left hand QoS column) for VPN only, hence you would lose this to other network services effectively, then use the second QoS instance to shape the VPN traffic within the tunnel to the guaranteed/policed size that the VPN service is allocated to?

    Also though remember that whatever we do by QoS/traffic shaping on our routers it would not be a formally honoured QoS across the internet as there is no QoS as such across this domain. All our routers are really doing in QoS is trying to send and receive what we deem as priority traffic quicker, while de-prioritising and slowing what we deem as lower priority traffic at our router to use the WAN bandwidth more efficiently, so the above could still be really problematic.
    Last edited: Sep 18, 2014

  5. Porter

    Porter LI Guru Member

    You are right, QoS inside the VPN tunnel only makes sense if you can guarantee bandwidth to it by using the left side bandwidth column. Although it's untrue that you are losing bandwidth that is guaranteed to other services. If this guaranteed bandwidth isn't used by a service, other services (aka classes) can use it.

  6. lovingHDTV

    lovingHDTV Network Guru Member

    The post I linked to was trying to accomplish this. Basically prioritizing the data as it enters the VPN pipe (tun11 interface) instead of the WAN0 interface. I was hoping that someone else had tried or something similar, but it doesn't seem so. I really didn't want to have to run VPN software on every computer. Doesn't seem that I can do this with this particular setup.
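Worked example added to this thread (not code from any poster, and not Tomato's own QoS scripts): the two-stage approach paped and Porter describe, written as plain Linux tc commands. Assumed for illustration: the WAN interface name (eth0), the tun11 tunnel name from the thread, and the upstream and guaranteed rates; the script prints the commands by default and only applies them with DRY_RUN=0 on a router where tc is available.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomato's QoS scripts. Stage 1
# guarantees the encrypted OpenVPN UDP 1194 flow a share of WAN upstream
# (paped's "express" rule); stage 2 shapes on the tunnel interface, before
# encryption, so inner flows can be prioritised against that share.
WAN_IF="${WAN_IF:-eth0}"             # assumed WAN interface name
TUN_IF="${TUN_IF:-tun11}"            # tunnel interface named in the thread
WAN_UP_KBIT="${WAN_UP_KBIT:-1000}"   # assumed upstream line rate (kbit/s)
VPN_MIN_KBIT="${VPN_MIN_KBIT:-400}"  # assumed guaranteed share for the tunnel
VPN_PORT=1194
DRY_RUN="${DRY_RUN:-1}"              # 1 = print commands only; 0 = apply (root)

# run: print the tc command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Stage 1, WAN side: HTB with a guaranteed class 1:10 for the tunnel's outer
# UDP 1194 packets and a default class 1:20 for everything else. Either class
# may borrow up to the line rate, so an unused guarantee is not lost.
wan_shaper() {
    rest=$((WAN_UP_KBIT - VPN_MIN_KBIT))
    run tc qdisc add dev "$WAN_IF" root handle 1: htb default 20
    run tc class add dev "$WAN_IF" parent 1: classid 1:1 htb rate "${WAN_UP_KBIT}kbit"
    run tc class add dev "$WAN_IF" parent 1:1 classid 1:10 htb \
        rate "${VPN_MIN_KBIT}kbit" ceil "${WAN_UP_KBIT}kbit" prio 0
    run tc class add dev "$WAN_IF" parent 1:1 classid 1:20 htb \
        rate "${rest}kbit" ceil "${WAN_UP_KBIT}kbit" prio 1
    run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 u32 \
        match ip protocol 17 0xff match ip dport "$VPN_PORT" 0xffff flowid 1:10
}

# Stage 2, tunnel side: shape cleartext traffic to the guaranteed share so the
# inner queue, not the encrypted WAN queue, is where contention is resolved.
# UDP (voice-style) goes to class 2:10; bulk TCP such as port 80 stays in 2:20.
tun_shaper() {
    run tc qdisc add dev "$TUN_IF" root handle 2: htb default 20
    run tc class add dev "$TUN_IF" parent 2: classid 2:1 htb rate "${VPN_MIN_KBIT}kbit"
    run tc class add dev "$TUN_IF" parent 2:1 classid 2:10 htb \
        rate "$((VPN_MIN_KBIT / 2))kbit" ceil "${VPN_MIN_KBIT}kbit" prio 0
    run tc class add dev "$TUN_IF" parent 2:1 classid 2:20 htb \
        rate "$((VPN_MIN_KBIT / 2))kbit" ceil "${VPN_MIN_KBIT}kbit" prio 1
    run tc filter add dev "$TUN_IF" parent 2: protocol ip prio 1 u32 \
        match ip protocol 17 0xff flowid 2:10
}

wan_shaper
tun_shaper
```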