How much traffic should there be on the TUN interface when the VPN is up?

Hey folks,

happy OWRT and now LEDE user here and I have a question.

I successfully installed and configured OpenVPN on my router, which is a WRT1200AC, with more or less the following script (that could help someone at some point maybe):

opkg update
opkg install libustream-openssl openvpn-openssl luci-app-openvpn

uci set openvpn.expressvpn=openvpn
uci set openvpn.expressvpn.enabled='1'
uci set openvpn.expressvpn.config='/etc/openvpn/my_expressvpn_switzerland_udp.ovpn'
uci commit openvpn

uci set network.expressvpntun=interface
uci set network.expressvpntun.proto='none'
uci set network.expressvpntun.ifname='tun0'
uci commit network

uci add firewall zone
uci set firewall.@zone[-1].name='vpnfirewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='expressvpntun'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnfirewall'
uci commit firewall

uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='8.8.8.8'
uci add_list network.wan.dns='8.8.4.4'
uci commit

/etc/init.d/openvpn start
reboot

So far, everything seems to work - if I check my routes via traceroute I see nothing suspicious and checking my IP and DNS addresses via the various tools on the internet works out fine.

But I see that the traffic on my TUN interface is much lower than on my WAN interface. I know that it has to and should be lower but by how much? I understood that my traffic would first go to my TUN interface which is in the private network of the OpenVPN server. My LAN traffic is naturally higher since I have files coming in and going out of my router but should the WAN traffic not be naturally just about the same as the TUN traffic?

I would be grateful if someone could give me a couple of hints there.

I am just a curious bystander in this conversation and I don't have openvpn. You should consider adding the script to the wiki or something.

Also, whenever I run into a network puzzle I break out pencil and paper. Matter of fact, I just did today and solved a small issue I had in calculating bandwidth. I just wrote out pseudo code, basically. In your case you might just want to start a rough drawing of your traffic flow. Sometimes the answer will jump out. Sometimes not.

Yes, I did as well, and I made sure with my own up and down scripts that all the things I was concerned about should be fixed. It's not perfect yet, but I learn a lot about networking this way.

This really depends on a lot of factors:

  • The VPN provider
  • Do they run an HTTP cache server?
  • Are you mostly downloading using ASCII/text, binary or encrypted data (i.e. HTTPS)?

OpenVPN performs compression. I'm not familiar with exact statistics for it, but with other software that readily reports compression ratios, they can be as high as 60% when compression is enabled.

Yes, I figured. It was a little difficult to track since I also had traffic on LAN alone for example or from the router to WAN.
I removed the forward between LAN and WAN and tracked the traffic with iftop. It seems to be fine...
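
An added example, not part of any post in this thread: a sketch that takes two snapshots of /proc/net/dev and reports tun0 bytes as a percentage of WAN bytes over the interval, which puts a number on the question asked above. The WAN interface name eth1, the function names and the counter values are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Counter values below are constructed, not measured.
# Two snapshots in /proc/net/dev format, taken some time apart.
HDR='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed'
SNAP1="$HDR
  eth1: 1000000 1000 0 0 0 0 0 0 200000 800 0 0 0 0 0 0
  tun0:  900000  950 0 0 0 0 0 0 150000 700 0 0 0 0 0 0"
SNAP2="$HDR
  eth1: 6000000 6000 0 0 0 0 0 0 1200000 4800 0 0 0 0 0 0
  tun0: 5400000 5700 0 0 0 0 0 0 1050000 4200 0 0 0 0 0 0"

# if_bytes SNAPSHOT IFACE -> prints "rx_bytes tx_bytes", nothing if IFACE is absent
if_bytes() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        { sub(/^[ \t]+/, "") }
        index($0, ifc ":") == 1 {
            sub(/^[^:]*:/, "")   # a large counter can sit right after the colon
            print $1, $9         # field 1 = RX bytes, field 9 = TX bytes
        }'
}

# tunnel_share BEFORE AFTER WAN_IF TUN_IF
# Prints TUN bytes (rx+tx) as a percentage of WAN bytes (rx+tx) in the interval.
tunnel_share() {
    w1=$(if_bytes "$1" "$3"); w2=$(if_bytes "$2" "$3")
    t1=$(if_bytes "$1" "$4"); t2=$(if_bytes "$2" "$4")
    if [ -z "$w1" ] || [ -z "$w2" ] || [ -z "$t1" ] || [ -z "$t2" ]; then
        echo "interface missing from snapshot (is the tunnel up?)" >&2
        return 2
    fi
    wan=$(( (${w2% *} - ${w1% *}) + (${w2#* } - ${w1#* }) ))
    tun=$(( (${t2% *} - ${t1% *}) + (${t2#* } - ${t1#* }) ))
    if [ "$wan" -le 0 ]; then
        echo "no WAN traffic in interval (or counters were reset)" >&2
        return 1
    fi
    echo $(( tun * 100 / wan ))
}

# Constructed data: prints 90
tunnel_share "$SNAP1" "$SNAP2" eth1 tun0
# On the router itself:
#   a=$(cat /proc/net/dev); sleep 60; b=$(cat /proc/net/dev)
#   tunnel_share "$a" "$b" eth1 tun0
```

WAN carries each tunnelled packet plus the OpenVPN, UDP and IP headers, as well as the router's own traffic, so a result somewhat below 100 is normal. A result far below 100 means a large share of WAN bytes is not tunnel traffic and is worth checking for traffic leaving outside the tunnel.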