This is a discussion on OpenVPN and Traffic Shaping per client within the Linux Networking forums, part of the Linux Forums category.

Hi,
I've just successfully installed and configured a peer-to-peer static OpenVPN tunnel between two servers. Here is the setup:

[subnet 192.168.1.0/24]--routed to VPN Server---[single public/valid address]---->tunnel[10.1.0.1]---<>{INTERNET}<>---remote tunnel-->[10.1.0.2]---remote server network--->[single public/valid address]-->[VoIP gateways using subnet 192.168.1.0/24]

So basically the remote VoIP gateways are using the subnet from the office, 192.168.1.0/24, via the Internet tunnel. I use 192.168.1.1 on the remote server as its secondary eth0:1 address, use it on the VoIP gateways as the gateway address, and give them an IP manually from the 192.168.1.0/24 subnet (not using DHCP).

Okay, I hope you've got the setup, and now to the main question:

- I'd like to set up a bandwidth limit for each VoIP gateway connected on the 192.168.1.0/24 subnet (or for each tunnel interface).
- The limit is different per gateway. One could be 128k, the other 256k or even 1 Mb.
- I cannot compromise on the VoIP traffic and affect its quality due to the traffic shaping under this tunnel. I just want to simply cap the bandwidth so that a gateway cannot pull more than its allocated bandwidth.

I've already looked at the shaper option of OpenVPN, but testing it with a simple ping caused delays and packet loss, so I presume it'll be even worse running real traffic on it.

I've been told by a friend that perhaps I could set it up with the help of Linux's TC, but I've never worked with TC and I doubt I can learn it quickly enough to apply such QoS methods on the office server with fine-tuned quality for VoIP.

Can anyone assist? Point me in the right direction or help me with tc perhaps?

Your help is greatly appreciated, and thank you in advance for your time :)

Hamed
Diaphragm <diaphragm53@googlemail.com> wrote:
> I've been told by a friend that perhaps i could set it up with the
> help of linux's TC but i've never worked with TC and i doubt i can
> learn it quick enough to apply such QoS methods on office server with
> fine tune quality for voip.

I've been playing with the example script here, http://www.tldp.org/HOWTO/ADSL-Bandw...mentation.html. I tweaked it a little (mainly available bandwidth), and stripped out the inbound shaping as I don't have the inbound shaper module to hand. I'm comfortable with iptables, so I used that to mark all the relevant packets/conversations.

The relevant tweaks are as follows:

    # Add leaf classes...
    #
    tc class add dev $DEV parent 1:1 classid 1:20 htb rate $((RATEUP/2))kbit ceil ${RATEUP}kbit prio 0
    tc class add dev $DEV parent 1:1 classid 1:21 htb rate $((RATEUP/2/6))kbit ceil ${RATEUP}kbit prio 1
    tc class add dev $DEV parent 1:1 classid 1:22 htb rate $((RATEUP/2/6))kbit ceil ${RATEUP}kbit prio 2
    tc class add dev $DEV parent 1:1 classid 1:23 htb rate $((RATEUP/2/6))kbit ceil ${RATEUP}kbit prio 3
    tc class add dev $DEV parent 1:1 classid 1:24 htb rate $((RATEUP/2/6))kbit ceil ${RATEUP}kbit prio 4
    tc class add dev $DEV parent 1:1 classid 1:25 htb rate $((RATEUP/2/6))kbit ceil ${RATEUP}kbit prio 5
    tc class add dev $DEV parent 1:1 classid 1:26 htb rate $((RATEUP/20))kbit ceil ${RATEUP}kbit prio 6

    # Add fwmark entries to prioritise traffic (20 is highest, 26 is lowest)...
    #
    # Usage: priority <chain suffix> <mark> <iptables match options...>
    priority() {
        _CHAIN="MYSHAPER-$1"; shift
        _MARK="$1"; shift
        iptables -t mangle -A "$_CHAIN" "$@" -j MARK --set-mark "$_MARK"
    }

    priority OUT 20 -p udp -m udp --dport 5060:5062 # VoIP
    priority OUT 20 -p udp -m udp --dport 8000:8005
    # priority OUT 20 --src mynah.roaima.co.uk # Linksys SPA3102
    priority OUT 21 -p icmp # ICMP (ping)
    priority OUT 21 -p udp --dport 53 # DNS (small packets)
    priority OUT 21 -p tcp -m length --length :64 # Small packets (probably ACKs)
    priority OUT 22 -p tcp --dport ssh # SSH
    priority OUT 22 -p tcp --dport telnet # Telnet (ugh)
    priority OUT 22 -p tcp --dport http # HTTP
    priority OUT 22 -p tcp --dport login # Rlogin (ugh)
    priority OUT 22 -p tcp --dport https # HTTP/SSL
    priority OUT 23 -p tcp --sport 0:1024 # Default for low port traffic
    priority OUT 23 -p tcp --dport 0:1024 # Ditto
    priority OUT 23 -p tcp --dport 1194 # OpenVPN (unknown payload)
    priority OUT 23 -p udp --dport 1194 # Ditto
    priority OUT 23 -p tcp --dport 5000:5007 # Ditto
    priority OUT 23 -p udp --dport 5000:5007 # Ditto
    priority OUT 25 -p tcp --dport ftp-data # FTP
    priority OUT 25 -p tcp --dport smtp # SMTP
    priority OUT 25 -p tcp --dport smtps # SMTP
    priority OUT 25 -p tcp --dport pop3 # POP3
    priority OUT 25 -p tcp --dport pop3s # POP3
    priority OUT 26 -p tcp -m multiport --ports 49257:49258 # BitTorrent
    priority OUT 26 -p udp -m multiport --ports 49257:49258 # BitTorrent
    priority OUT 26 -m ipp2p --ipp2p # BitTorrent and other P2P

The whole file is available at http://www.roaima.co.uk/stuff/20080509/lartc-qos.sh should you want it. But you WILL need to adjust it for your own requirements. I've not configured anything past line 244 relating to the inbound shaping.

Chris
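
Added example, not part of either post above: a dry-run generator for the per-gateway hard caps the question asks for, using HTB classes like those in the reply but selecting traffic by destination address with a u32 filter instead of an fwmark. The device name `tun0`, the 2000 kbit link rate, the three gateway addresses and the function name `gen_caps` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: tun0, 2000 kbit link,
# gateway addresses 192.168.1.11-13 (constructed sample data).

# gen_caps DEV LINK_KBIT "IP=KBIT ..." : print tc commands, return 1 on bad input
gen_caps() {
    gc_dev=$1; gc_link=$2; gc_total=0; gc_id=10
    # Validate everything first so a partial rule set is never printed.
    for gc_pair in $3; do
        gc_rate=${gc_pair#*=}
        case $gc_rate in
            ''|*[!0-9]*) echo "bad entry '$gc_pair'" >&2; return 1 ;;
        esac
        gc_total=$((gc_total + gc_rate))
    done
    if [ "$gc_total" -ge "$gc_link" ]; then
        echo "caps (${gc_total}kbit) do not fit in link (${gc_link}kbit)" >&2
        return 1
    fi
    # Root HTB qdisc; unmatched traffic falls into the default class 1:99.
    echo "tc qdisc add dev $gc_dev root handle 1: htb default 99"
    echo "tc class add dev $gc_dev parent 1: classid 1:1 htb rate ${gc_link}kbit"
    for gc_pair in $3; do
        gc_ip=${gc_pair%%=*}; gc_rate=${gc_pair#*=}
        # rate == ceil means the class can never borrow: a hard cap.
        echo "tc class add dev $gc_dev parent 1:1 classid 1:$gc_id htb rate ${gc_rate}kbit ceil ${gc_rate}kbit"
        # Short FIFO: drop early instead of queueing, to keep VoIP delay low.
        echo "tc qdisc add dev $gc_dev parent 1:$gc_id pfifo limit 10"
        echo "tc filter add dev $gc_dev parent 1: protocol ip prio 1 u32 match ip dst $gc_ip/32 flowid 1:$gc_id"
        gc_id=$((gc_id + 1))
    done
    # Everything else shares what is left and may borrow up to the full link.
    echo "tc class add dev $gc_dev parent 1:1 classid 1:99 htb rate $((gc_link - gc_total))kbit ceil ${gc_link}kbit"
}

# Dry run: print the commands for the three caps mentioned in the question.
gen_caps tun0 2000 "192.168.1.11=128 192.168.1.12=256 192.168.1.13=1000"
```

Review the printed commands, then pipe them to `sh` as root on the tunnel endpoint that sends toward the gateways. This shapes only traffic leaving that device; the opposite direction needs the same treatment on the far end of the tunnel.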