Step 1:Configure openvpn for the bandwidth control.

In this case we will use below number for the private ip.

Ikev2=24 #eth0 
tcp1194=23 #tun3
tcp443=22 #tun4
udp1194=21 #tun0
udp4096=25 #tun1
udp80=20 #tun2
pptp=111
l2tp=30
main=eth0

In openvpn case because of openvpn have the  tun+ tunnel interface for each port.

we have to do it in other ways, just a slightly different compare with ikev2

in this case we going to demonstrate the udp1194 openvpn default port.

add below command to define the tun0 interface.

tc qdisc add dev tun0 root handle 1: htb

and how do i control that udp1194 is under tun0, we can just configure on /etc/openvpn/server.conf

dev tun

and we specific the tun interface number like this

dev tun0

so that after the openvpn restart we can actually confirm that udp1194 port is listening on tun0 interface, and to make sure we are accurate controlling the right interface.

Step2: Set the marking with iptables based on the unique private ip address

udp1194=21

iptables -I FORWARD -s 10.$udp1194.$udp1194.1 -j MARK --set-mark 11
iptables -I FORWARD -d 10.$udp1194.$udp1194.1 -j MARK --set-mark 11

Step3: Define all the rules and setup the filtering.

Define the classid for interface eth0 and tun0, why we still need to setup the rules for eth0?

because of tun0 only can control the user upload speed, we still need control the download speed for the user, so we have to use eth0.
eth0

tc class add dev eth0 parent 1:1 classid 1:11 htb rate 1mbit ceil 1mbit
tc qdisc add dev eth0 parent 1:11 sfq perturb 10
tc filter add dev eth0 protocol ip parent 1: prio 1 handle 11 fw flowid 1:11

tun0

tc class add dev tun0 parent 1:1 classid 1:11 htb rate 1mbit ceil 1mbit
tc qdisc add dev tun0 parent 1:11 sfq perturb 10
tc filter add dev tun0 protocol ip parent 1: prio 1 handle 11 fw flowid 1:11

That the only thing we have to do.

if u want to filter all the user on the server based on openvpn.

we have a scripts below to let you actually setup a set of rules to filtering the user speed.

#/bin/bash 

udp1194=21 #tun0
echo tc qdisc del dev $main root >>tcrules
echo tc qdisc del dev tun0 root >>tcrules
echo tc qdisc add dev $main root handle 1: htb >>tcrules
echo tc qdisc add dev tun0 root handle 1: htb >>tcrules
for i in {1..254}
do
##udp1194
echo iptables -I FORWARD -s 10.$udp1194.$id.$i -j MARK --set-mark 1$i >> mark
echo iptables -I FORWARD -d 10.$udp1194.$id.$i -j MARK --set-mark 1$i >> mark
echo tc class add dev eth0 parent 1:1 classid 1:1$i htb rate 1mbit ceil 1mbit >> tcrules
echo tc qdisc add dev eth0 parent 1:1$i sfq perturb 10 >> tcrules
echo tc filter add dev eth0 protocol ip parent 1: prio 1 handle 1$i fw flowid 1:1$i >> tcrules
echo tc class add dev tun0 parent 1:1 classid 1:1$i htb rate 1mbit ceil 1mbit >> tcrules
echo tc qdisc add dev tun0 parent 1:1$i sfq perturb 10 >> tcrules
echo tc filter add dev tun0 protocol ip parent 1: prio 1 handle 1$i fw flowid 1:1$i >> tcrules
done

put all this in the scripts, and chmod 755 to make the scripts executable , and bash scriptsname.

and u will see it will generate 2 scripts in the current location which is mark and tcrules. Just run it and can verify the result for marking by

iptables-save |grep mark

it will show the below result as per your configuration.

-A FORWARD -s 10.21.21.49/32 -j MARK –set-xmark 0x2ed/0xffffffff
-A FORWARD -d 10.21.21.49/32 -j MARK –set-xmark 0x1c1/0xffffffff

and use below command to actually show the class and qdisc that you set earlier for tc.

tc -s -d class show dev eth0
tc -s -d qdisc show dev eth0
tc -s -d class show dev tun0
tc -s -d qdisc show dev tun0

If this article help, just share it to your friends.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *