Interesting this comes up; we find ourselves in a similar situation.

On 12/13/07, Tom Eastep <[EMAIL PROTECTED]> wrote:
>
> Mike wrote:
> >       I have a box in the lan that sends packets through open vpn.
> > openvpn is running on the shorewall boxes on both endpoints.
> > The traffic is being classified, but clipping is occurring.
> > Does traffic have to be classified on the openvpn interface as well?
>
> You must define shaping on the openvpn interface if you want to prioritize
> the traffic going through that interface. And you probably also want to give
> the open VPN traffic itself (usually UDP 1194) a boost on the external
> interface.


We're in a similar situation but with a richer set of data, which includes
video etc. First, it seems that OpenVPN is in a better position to "do the
right thing" given you've already paid the price for getting packets from
the kernel into user space. Perhaps OpenVPN doesn't support QoS (yet) so
the approach Tom suggests might be the only one available... and is gonna
give better performance... of course, most of us are limited by our uplink
speeds so CPU typically isn't the real bottleneck.

A finer-grained approach is to try something with the ToS... apparently (and
I'm just getting to this part of our buildout) OpenVPN will preserve ToS
settings with the "passtos" directive... then, you should be able to use
Shorewall to use or set ToS... on the pre-tun0 side, set it if it's not
right, and post vpn (port 1194) stream use it again to shape within the
broader set of rules for your "real" interface.

Somewhere in here the discussion of OpenVPN's use of UDP / TCP to carry both
types of traffic will come up and I think things could get complicated...

-glenn

> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ [EMAIL PROTECTED]
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

-- 
Glenn H. Tarbox, PhD
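
An added illustration, not part of the thread and not OpenVPN or Shorewall code, of the "passtos" idea discussed above: the ToS byte of the inner IPv4 packet is copied onto the outer UDP 1194 packet, so a shaper on the external interface can still classify the tunnelled stream. The addresses, the sample packet and the DSCP-to-class table are constructed for the example, and the tunnel payload is left unencrypted because only the header handling is modelled.

```python
import struct

OUTER_SRC = bytes([192, 0, 2, 1])      # constructed tunnel endpoints (TEST-NET-1)
OUTER_DST = bytes([192, 0, 2, 2])
# Constructed shaping table: DSCP value -> class name on the external interface.
CLASSES = {46: "voice", 34: "video"}   # EF, AF41; everything else is "bulk"

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, proto, tos, payload):
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def tos_of(packet: bytes) -> int:
    """ToS/DSCP byte of an IPv4 packet (second byte of the header)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[1]

def encapsulate(inner: bytes, passtos: bool) -> bytes:
    """Model of the tunnel's outer packet: UDP 1194 carrying the inner packet.
    A real tunnel encrypts the payload; only the header handling is modelled."""
    tos = tos_of(inner) if passtos else 0
    udp = struct.pack("!HHHH", 1194, 1194, 8 + len(inner), 0) + inner
    return build_ipv4(OUTER_SRC, OUTER_DST, 17, tos, udp)

def classify(packet: bytes) -> str:
    """What a ToS-based shaper on the external interface can decide."""
    return CLASSES.get(tos_of(packet) >> 2, "bulk")

if __name__ == "__main__":
    # Constructed inner packet: LAN video traffic marked AF41 (ToS 0x88).
    inner = build_ipv4(bytes([10, 0, 0, 5]), bytes([10, 8, 0, 9]), 17, 0x88,
                       b"video frame")
    for flag in (False, True):
        outer = encapsulate(inner, flag)
        print("passtos=%s outer ToS=0x%02x class=%s"
              % (flag, tos_of(outer), classify(outer)))
```

Without the ToS copy every tunnelled packet looks identical to the external shaper, which is why shaping on the tunnel interface itself is the other option raised in the thread.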