From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Matt Taggart <matt@lackof.org>, bloat@lists.bufferbloat.net
Subject: Re: [Bloat] configuration on an OpenVPN server
Date: Thu, 19 Nov 2020 14:33:17 +0100 [thread overview]
Message-ID: <87wnyhsc82.fsf@toke.dk> (raw)
In-Reply-To: <7331bef1-0780-6ff1-26ab-39026f3fffa8@lackof.org>
Matt Taggart <matt@lackof.org> writes:
> Hi,
>
> I would like to configure SQM on an OpenVPN server and I am thinking
> about how to do this. I have already setup piece_of_cake on the upstream
> connection(in this case 900Mbit down/250Mbit up). I think that by itself
> should do a decent job of keeping things fair between all the VPN
> clients: they are assigned private IPs and triple-isolate should do the
> right thing.
>
> But OpenVPN creates a tun device for that traffic and I could
> potentially do more to manage the VPN traffic separately from the server
> host traffic. One thing that occurred to me is that due to asymmetric
> upload/download the host has, and the fact that the VPN traffic has to
> go to/from the client, maybe the download rate of the tun device will
> never exceed the upload rate of the host (since we need to retransmit
> that data to the clients) and vice versa for the upload? So to force
> myself to be a bottleneck should I have qdiscs on the tun device
> limiting to ~240Mbit in each direction?
>
> Hopefully that is clear. Let me know if it's not. Also anything else I
> should consider in this situation?
I think what you're saying is that all the VPN traffic goes back out the
same link, right? I.e., there are no other links on that server (to a
LAN or something) that the traffic can go out?
In that case, yeah, the ingress traffic should mostly be limited by the
egress since it all needs to be forwarded anyway (assuming the clients
are not accessing any services on the host itself either). I run a
similar setup for a tor bridge, and I just have this on the egress:
qdisc cake 8006: dev eth0 root refcnt 2 bandwidth 100Mbit besteffort flows nonat nowash no-ack-filter no-split-gso rtt 100.0ms raw overhead 0
This keeps both ingress and egress traffic pretty much exactly at a
steady 100 Mbps (which means it eats up about 1 terabyte of data a day
:)).
One additional wrinkle you may get with OpenVPN is that the VPN driver
itself can suffer from bufferbloat. So when you shape the underlying
link, packets will queue in the tun device first, adding delay. You
could maybe fix this by shaping the tun device as well, but it's not
obvious what bandwidth to shape at, since that will depend on the
ingress/egress distribution of your clients. And I'm no even sure
traffic going from one VPN client to another will pass through the tun
device...
-Toke
prev parent reply other threads:[~2020-11-19 13:33 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-19 2:49 Matt Taggart
2020-11-19 8:27 ` Michael Richardson
2020-11-19 13:33 ` Toke Høiland-Jørgensen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/bloat.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wnyhsc82.fsf@toke.dk \
--to=toke@toke.dk \
--cc=bloat@lists.bufferbloat.net \
--cc=matt@lackof.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox