From: johan beisser (jb caustic.org)
Date: Wed Jan 02 2008 - 13:30:05 CST
On Jan 2, 2008, at 10:17 AM, Nick Golder wrote:
> I inherited a system that is attempting (poorly) to QoS traffic going
> across a tun interface (which is being used by OpenVPN). Examples,
> books, and ML suggest to tag on the internal interface ingress traffic
> and QoS on the external interface egress traffic.
Treat the tun interface as a "normal" one. I recently had the same
issue, and simply adapted TCP ACK priority to the interface, and found
that worked fine. I'm currently testing a smaller MTU to help with
fragmentation.
Scrub, by the way, also seems to work quite well.
> Since the traffic that I want to QoS doesn't really have an egress
> interface to QoS on, I am trying to figure out a way to properly QoS
> the traffic.
>
> Here is a quick map on the traffic:
>
> rl0 <--> tun0 <--> OpenVPN <--> rl1 <--> Internet
I think you're missing a tunneling interface somewhere.
> The traffic I want to QoS on is ingress on rl0 which in turn is also
> ingress on tun0. By the time it hits rl1, it is OpenVPN traffic.
Could you explain this again?
I've been doing foolish interface setup for a while now. My own
"privacy VPN" I have running to a co-located box looks a bit like this:
[internet] <--> [external interface] <--> [tun0] <--> [openvpn] <--> [external interface]
I also have a LAN to colo box setup, using openvpn on a different port.
> Any recommendations on how to handle this?
Treat tun0 as a normal altq interface. So far, there's not been any
"real" issues with it co-existing with my normal altq rules for non-VPN
traffic on the router. The one thing I've not had is an "interface
speed conflict", since I arbitrarily reduced the bandwidth to somewhat
less than my external interface.
For my soekris LAN gateway:
# priq scheduler on the tunnel, capped below the external link's rate
altq on tun0 priq bandwidth 400Kb queue { vpn_tcp_ack, vpn_def, vpn_null }
queue vpn_tcp_ack priority 7
queue vpn_def priority 1 priq(default)
queue vpn_null priority 0
# two-queue assignment: empty TCP ACKs go to the second (higher) queue
pass out quick on tun0 proto tcp from ($int_if:network) to any \
    queue (vpn_def, vpn_tcp_ack)
pass out quick on tun0 proto { udp icmp } from ($int_if:network) to any \
    queue vpn_def
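A fuller pf.conf sketch of the setup discussed in this thread, added here as an example and not taken from Johan's post: the tun0 shaper beside a second one on the external interface, so the encapsulated OpenVPN stream is queued too. The rl0/rl1/tun0 names come from the thread; the 1500Kb uplink figure, the ext_* queue names and the rule wording are assumptions to adapt.

```pf
# Added example (not from the original post). Assumes rl1 is the external
# interface, rl0 the LAN, tun0 the OpenVPN tunnel, and a 1500Kb uplink;
# every number here is a placeholder to adapt to the real link.
ext_if = "rl1"
int_if = "rl0"
vpn_if = "tun0"

# Normalize packets before they reach the queues (the reply notes that
# scrub works well alongside the tunnel).
scrub in all

# External link: queue everything leaving rl1, including the OpenVPN
# UDP stream that carries the tunnel's traffic.
altq on $ext_if priq bandwidth 1500Kb queue { ext_tcp_ack, ext_def }
queue ext_tcp_ack priority 7
queue ext_def     priority 1 priq(default)

# Tunnel: same scheme, with a ceiling deliberately below the external
# link so the two shapers do not both claim the same bytes.
altq on $vpn_if priq bandwidth 400Kb queue { vpn_tcp_ack, vpn_def, vpn_null }
queue vpn_tcp_ack priority 7
queue vpn_def     priority 1 priq(default)
queue vpn_null    priority 0

# Two-queue assignment: pf places empty TCP ACKs (and TOS lowdelay
# packets) in the second queue, everything else in the first.
pass out quick on $vpn_if proto tcp from ($int_if:network) to any \
    queue (vpn_def, vpn_tcp_ack)
pass out quick on $vpn_if proto { udp icmp } from ($int_if:network) to any \
    queue vpn_def

# Same treatment on the external interface for traffic sourced by the
# router itself (which is where the OpenVPN UDP packets leave).
pass out quick on $ext_if proto tcp from $ext_if to any \
    queue (ext_def, ext_tcp_ack)
pass out quick on $ext_if proto udp from $ext_if to any queue ext_def
```

Check the result with `pfctl -vvsq` after loading: both altq interfaces should list their queues, and the vpn_tcp_ack counters should climb during a bulk TCP download through the tunnel.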