Just a quick question about QOS

[Skeptical.me]

Does QOS still operate when using one of the OpenVPN VPN Clients?


(ASUS RT-AC87U WRT-Merlin Firmware 584.5)

 

[skeal]

Does QOS still operate when using one of the OpenVPN VPN Clients?


(ASUS RT-AC87U WRT-Merlin Firmware 584.5)

Yes. I would suggest using FReshJR_QOS on adaptive QOS. This is by far the most granular control within reason for ovpn with QOS users.

 

[FreshJR]

Does QOS still operate when using one of the OpenVPN VPN Clients?


(ASUS RT-AC87U WRT-Merlin Firmware 584.5)

Not really,

With the router acting like an OpenVPN server the following happens:

Out of the box 25% of traffic is accounted for. (Partial WAN UPLOAD traffic detection)
It is possible to get 50% of traffic accounted for with a custom rule. (Full WAN UPLOAD traffic detection).

Eg with a VPN, traffic flows like this

Download traffic
 -router downloads file
 -router uploads file to VPN client      (I can make custom QOS rule to detect this)

Upload Traffic
  -router downloads file from VPN client
  -router uploads the file                (detected by QOS as part of default configuration)

As you can see, the entire portion "WAN download" is not accounted for when using the VPN server.

It should be possible to get "WAN download" working but the setup is beyond my knowledge.

 

[skeal]

@FreshJR

Download traffic
 -router downloads file
 -router uploads file to VPN client      (I can make custom QOS rule to detect this)

What custom rule are you thinking of here?

 

[FreshJR]

@FreshJR

Download traffic
 -router downloads file
 -router uploads file to VPN client      (I can make custom QOS rule to detect this)

What custom rule are you thinking of here?

Currently the upload portion you quoted is completely whitelisted from upload QOS traffic (it shouldn't be).

Since that upload traffic is already present and transversing the eth0 interface, the data just has to be marked so QOS will start accounting for it on the upload portion instead of it being zero-rated.

As for download traffic, the traffic control qos system functions something like this (for non VPN traffic).

Download traffic comes in on eth0 from WAN
Download traffic gets forwarded to br0
Download traffic gets QOS'd as it leaves br0 towards LAN device
LAN --> LAN traffic leaving br0 is whitelisted

--

Upload traffic gets QOS'd as it leaves from eth0 and pushed onto WAN.

--

The issue with VPN traffic is that ALL data transfer is between eth0 & tun21.
(The traffic never touches br0 so it cannot hit the br0 limiter)


It is easy to segregate download VPN traffic from the remainder all other traffic on eth0.

The hard part ?impossible? part is that I do not know how to do is send the segregated traffic onto the "br0" interface and then forward it back onto the "eth0" interface. This redundant step needs to be done, so it can be part of the br0 bandwidth limiter.

--

So back to my original answer.
Currently QOS + VPN traffic is mostly broken out of the box. (75% broken)
It can be made slightly better, but will remain 50% broken.

ASUS should really fix it ... grumble .. grumble ...
It literally is their job. Doesn't have to be identified, just NOT whitelisted.

Whitelisting WAN traffic breaks QOS performance completely.

 

[Skeptical.me]

Currently the upload portion you quoted is completely whitelisted from upload QOS traffic (it shouldn't be).

Since that upload traffic is already present and transversing the eth0 interface, the data just has to be marked so QOS will start accounting for it on the upload portion instead of it being zero-rated.

As for download traffic, the traffic control qos system functions something like this (for non VPN traffic).

Download traffic comes in on eth0 from WAN
Download traffic gets forwarded to br0
Download traffic gets QOS'd as it leaves br0 towards LAN device
LAN --> LAN traffic leaving br0 is whitelisted

--

Upload traffic gets QOS'd as it leaves from eth0 and pushed onto WAN.

--

The issue with VPN traffic is that ALL data transfer is between eth0 & tun21.
(The traffic never touches br0 so it cannot hit the br0 limiter)


It is easy to segregate download VPN traffic from the remainder all other traffic on eth0.

The hard part ?impossible? part is that I do not know how to do is send the segregated traffic onto the "br0" interface and then forward it back onto the "eth0" interface. This redundant step needs to be done, so it can be part of the br0 bandwidth limiter.

--

So back to my original answer.
Currently QOS + VPN traffic is mostly broken out of the box. (75% broken)
It can be made slightly better, but will remain 50% broken.

ASUS should really fix it ... grumble .. grumble ...
It literally is their job. Doesn't have to be identified, just NOT whitelisted.

Whitelisting WAN traffic breaks QOS performance completely.

I thought that was the case, as when I'm streaming video (which is priority 1) and downloading large files over usenet the video will buffer. However, without the VPN client on QOS appears to work fine. Thanks for answering the question.


Sent from my iPhone using Tapatalk Pro

 

[Skeptical.me]

Yes. I would suggest using FReshJR_QOS on adaptive QOS. This is by far the most granular control within reason for ovpn with QOS users.

I'll take a look at this FReshJR_QOS, cheers


Sent from my iPhone using Tapatalk Pro

 

[FreshJR]

I'll take a look at this FReshJR_QOS, cheers


Sent from my iPhone using Tapatalk Pro

The script won’t fix the VPNServer data from being not detected by QOS.

Once again,

Upload traffic can be properlly accounted via the script and an additional custom rule.

Download traffic will not be properly accounted for no matter what, due it never touching the bro interface.

 

[Skeptical.me]

The script won’t fix the VPNServer data from being not detected by QOS.

Once again,

Upload traffic can be properlly accounted via the script and an additional custom rule.

Download traffic will not be properly accounted for no matter what, due it never touching the bro interface.

Ok, got it.

That's a shame.

I understood your post I replied to first, the second reply I actually thought that was from another user and I was replying just to be polite (I don't usually use this Tapatalk App, I don't think I like it.)


Sent from my iPhone using Tapatalk Pro

 

[FreshJR]

I understood your post I replied to first

After rereading your use case, it seems I misunderstood your question.

My reply was towards following VPN configuration:

1) The router can act as a VPN server.
This means if when you are using public WiFi, to keep your data private, you can tunnel into your own VPN server by having the router act as a VPN provider instead of paying for a privately hosted VPN. As an additional bonus you can also access local devices on your home network as if you never left WiFi.

I think your use VPN as follows.

2) You have LAN client connect to the router like normal, but you have set up the router to tunnel all the LAN clients traffic through a private VPN instead of directly through your ISP.

For configuration (2) it might be possible to get VPN traffic fully accounted on both upload and download.

Unfortunately for me, I use the setup defined in configuration (1).

I do not subscribe to a private VPN so I cannot see how the underlying ASUS configuration is actually implemented for configuration (2) and potentially develop rules.

 

[Skeptical.me]

After rereading your use case, it seems I misunderstood your question.

My reply was towards following VPN configuration:

1) The router can act as a VPN server.
This means if when you are using public WiFi, you can tunnel into your own VPN server by having the router act as a provider instead of paying for a privately hosted VPN. That or if you are on LTE, you can still access local devices on your home networking.

I think your use VPN question was as follows.

2) You a LAN client connect to the router. You have set the router to tunnel all the LAN clients traffic through encrypted through a private VPN instead of open to your ISP.

For configuration (2) it might be possible to get VPN traffic fully accounted on both upload and download.

Unfortunately for me, I use the setup defined in configuration (1).

I do not subscribe to a private VPN so I cannot develop and rules or see how the underlying ASUS configuration is actually implemented.

Yeah, when you wrote "VPN server" in your earlier post I thought you may have misunderstood. However, QOS definitely isn't working with configuration (1). It's not a big deal, its just annoying at times. Thanks for your time.


Sent from my iPhone using Tapatalk Pro

 

[FreshJR]

Yeah, when you wrote "VPN server" in your earlier post I thought you may have misunderstood. However, QOS definitely isn't working with configuration (1). It's not a big deal, its just annoying at times. Thanks for your time.


Sent from my iPhone using Tapatalk Pro

I developed custom rules to make QOS work properly when the router acts as a VPN client.

Enjoy!

 

[skeal]

I developed custom rules to make QOS work properly when the router acts as a VPN client.

Enjoy!

Sorry Fresh where do I find the custom rules? Am I missing something? I use a ovpn client for streaming full time.

 

[FreshJR]

Sorry Fresh where do I find the custom rules? Am I missing something? I use a ovpn client for streaming full time.

https://www.snbforums.com/threads/r...-and-inner-workings.36836/page-78#post-412034

Keep in mind I couldn't test performance properly since the freeVPN server I was using was limited to ~1mbps.

I could barely discern if traffic is being whitelisted (due to background traffic) or simply occurring such small quantities.

 

[Skeptical.me]

I developed custom rules to make QOS work properly when the router acts as a VPN client.

Enjoy!

Great, thank you. Thanks for taking the time to address the issue, I appreciate it. I will test it, thanks again.