How to use OpenWrt, SQM, and VPN on multiple connected routers?

I just found your vpnbypass and vpn-policy-routing. But I wouldn't be able to install it in the next few days. Kudos on developing such a useful package.

I have also seen people suggesting creating multiple interfaces and using VPN on one but not the other.

As I mentioned earlier, I'm a novice OpenWrt user and it takes some time for me to digest those suggestions.

Yes, to control WAN-side bufferbloat that is the best solution.

Note that if you use WireGuard you probably should consolidate everything into one router: WireGuard running on the same host as cake can tell cake about the true flow identity of each packet, allowing cake to treat tunneled packets as if they come from individual flows instead of treating the complete tunnel with all its content as a single flow.
If you stick to the dual-router set-up, I would recommend configuring the primary router's SQM at least for per-IP fairness (to guarantee at least some level of service for the tunnel traffic).

3 Likes

Thank you, this is very helpful.

Great, I'm in the process of installing WireGuard and SQM. Is there any configuration I should set for cake to be able to achieve what you explained?

Additionally, because I haven't found an easy solution for having and not having VPN on the same router, I was thinking of enabling WG on one band, e.g. 5.0GHZ, and disabling it on the other. Would your proposed solution still work in this case?

I believe that this is a no configuration required thing, maybe @tohojo could give a more authoritative response? Toke, could I ask, does wireguard on an openwrt router need any tweaks or configuration to transmit the packet hash to cake?

Not the most automatic solution, but clearly a simple solution (that allows disambiguation by just naming the SSIDs appropriately). I actually like that a lot.

Yes, SQM on wan should still work, and also the passing of the packet hash. BUT I have no first-hand experience in this, so I could well be "out to lunch" here.

2 Likes

Depending on your needs you may not even need a separate package; @vgaetera and @trendy seem to be some of the most helpful/knowledgeable networking/vpn experts on the forum, and they may provide better advice than my suggestion to use the vpn-policy-routing package. It is definitely easier to use VPR if you want selective routing based on domain names, but if you only want a single computer on the network to be behind the VPN you don't really need a separate package for that.

Welcome to the forum and good luck!

4 Likes

Thank you all for your replies.

Yes, especially in countries with all kinds of firewalls and restrictions, it's a lot more important to get the configurations right. The VPN adds a lot to the latency and I'm hoping SQM would ameliorate the issue to some extent.
In such situations, almost all devices are behind the VPN most of the time but need to disconnect from it from time to time.

SQM cannot do miracles; if you decide to use a VPN, then you are adding some more hops between your router and the server you connect to. Consequently you increase the latency in a way that SQM, or anything else, is unable to help with.

My advice is that for a handful of devices always connected to vpn, a set of rules/routes for each internet connection is enough. Otherwise for more complicated scenarios and easier on/off toggle, vpn-pbr is the way.

2 Likes

Thank you all for your comments. They've kept me thinking, reading, and learning.

Based on your suggestions, I've decided to use a single router. Now, the solution that seems to be easily implementable for me is:

  1. Pass all default LAN traffic to a WireGuard zone
  2. Create guest SSIDs and pass their traffic to the WAN zone

What I initially had in mind for this was to follow Mullvad's tutorial for setting up WG on the router to achieve 1. Then, I could create the guest SSIDs according to this and pass their traffic to the WAN zone.
However, it looks like this solution requires Masquerading and MSS Clamping to be turned on for both zones. After doing that, I completely lose my internet connection.

There seems to be a relatively recent tutorial that achieves similar goals (i.e. VPN on the guest network instead of the main network). However, it defines a custom guest network routing (and routing table?), which I'm neither familiar with nor can get to work on my router even when I follow all the steps.

Is this custom network routing necessary?
Can I somehow enable Masquerading and MSS Clamping on both WAN and VPN WAN?

Yes, it is. You want to have two different gateways depending on the source.

They are enabled by default.

2 Likes

They are enabled by default.

Thank you. Can they be enabled on both WAN and the VPN WAN?

Sure, you can either add the vpn interface to the wan firewall zone, which has them already, or create a new zone in the firewall for the vpn and enable masquerade and mss clamping there.

2 Likes
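The split described in this exchange (LAN clients forwarded to a WireGuard zone, guest SSIDs forwarded to the WAN zone, masquerading and MSS clamping on both, and a second gateway chosen by source address so the guest network does not follow the tunnel's default route), written out as OpenWrt UCI commands. This is an added example, not configuration from the thread or from the OpenWrt project; it assumes a WireGuard interface named `wg0` whose peer already installs the default route (`route_allowed_ips`), an existing guest interface named `guest` on the constructed subnet 192.168.2.0/24 (set up as in the guest-network guide the thread links), and routing table number 100 for the guest default route.

```shell
#!/bin/sh
# Added example (not from the thread): OpenWrt UCI configuration for
# "LAN goes through WireGuard, guest goes straight out the WAN".
# Assumptions (constructed for this example): interfaces 'wan', 'wg0',
# 'guest'; guest subnet 192.168.2.0/24; routing table 100 for the guest
# default route; the wg0 peer already has route_allowed_ips enabled, so
# the main routing table's default route points into the tunnel.

GUEST_NET="${GUEST_NET:-192.168.2.0/24}"
GUEST_TABLE="${GUEST_TABLE:-100}"

# Emit the changes as a 'uci batch' script so they can be reviewed before
# being applied. The 'wg' zone gets masq + mtu_fix exactly like the stock
# 'wan' zone; the 'guest' zone can only forward to 'wan', never to 'lan'
# or 'wg'. The two firewall rules let guest clients reach the router's
# DHCP and DNS, which zone input 'REJECT' would otherwise block.
# The route has no explicit gateway: netifd then takes the gateway from
# the parent interface ('wan'), which also works when wan uses DHCP.
# The rule sends packets from the guest subnet to table 100 (priority
# 100 is evaluated before the main table, priority 32766).
split_vpn_uci() {
  cat <<EOF
set firewall.wg=zone
set firewall.wg.name='wg'
set firewall.wg.network='wg0'
set firewall.wg.input='REJECT'
set firewall.wg.output='ACCEPT'
set firewall.wg.forward='REJECT'
set firewall.wg.masq='1'
set firewall.wg.mtu_fix='1'
set firewall.guest=zone
set firewall.guest.name='guest'
set firewall.guest.network='guest'
set firewall.guest.input='REJECT'
set firewall.guest.output='ACCEPT'
set firewall.guest.forward='REJECT'
set firewall.lan_wg=forwarding
set firewall.lan_wg.src='lan'
set firewall.lan_wg.dest='wg'
set firewall.guest_wan=forwarding
set firewall.guest_wan.src='guest'
set firewall.guest_wan.dest='wan'
set firewall.guest_dhcp=rule
set firewall.guest_dhcp.name='Allow-DHCP-guest'
set firewall.guest_dhcp.src='guest'
set firewall.guest_dhcp.proto='udp'
set firewall.guest_dhcp.dest_port='67'
set firewall.guest_dhcp.target='ACCEPT'
set firewall.guest_dns=rule
set firewall.guest_dns.name='Allow-DNS-guest'
set firewall.guest_dns.src='guest'
set firewall.guest_dns.proto='tcp udp'
set firewall.guest_dns.dest_port='53'
set firewall.guest_dns.target='ACCEPT'
set network.guest_default=route
set network.guest_default.interface='wan'
set network.guest_default.target='0.0.0.0'
set network.guest_default.netmask='0.0.0.0'
set network.guest_default.table='$GUEST_TABLE'
set network.guest_rule=rule
set network.guest_rule.src='$GUEST_NET'
set network.guest_rule.lookup='$GUEST_TABLE'
set network.guest_rule.priority='100'
EOF
}

# Apply on an OpenWrt box; elsewhere just print the batch (dry run).
apply_split_vpn() {
  split_vpn_uci | uci batch \
    && uci commit firewall && uci commit network \
    && /etc/init.d/network reload && /etc/init.d/firewall reload
}

if command -v uci >/dev/null 2>&1; then
  apply_split_vpn
else
  split_vpn_uci
fi
```

After applying, `ip rule` should list the guest subnet pointing at table 100 and `ip route show table 100` a default route via the WAN gateway, while `ip route` (main table) still shows the default through `wg0`. One caveat worth knowing: the router's own upstream DNS queries on behalf of guest clients still follow the main table, i.e. they go through the tunnel, because they originate from the router rather than from the guest subnet.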

You need to disable NAT mode and host modes. So when configuring use flows nonat and make sure you don't have any of dual-srchost/dual-dsthost/triple-isolate.

3 Likes

Thanks! One more question: will this also work for incoming packets? I would guess not, since they will be queued/marked/dropped before being decrypted and hence before an identifier becomes available?

1 Like

moeller0 via OpenWrt Forum mail@forum.openwrt.org writes:

Thanks! One more question: will this also work for incoming packets? I would guess not, since they will be queued/marked/dropped before being decrypted and hence before an identifier becomes available?

Yup, exactly :slight_smile:

2 Likes

@maximusc that would indicate that things are slightly less rosy than I painted them....

1 Like

Thank you all for your helpful responses. Here is a summary of some of the responses, what I have done so far, and what is still left. I will share my experience here in case someone is interested in having two connections, one with a VPN and another one without a VPN.

  1. You don't necessarily need to have two routers to set up a with-VPN and a no-VPN connection (thanks to stangri for bringing this to my attention). You can simply set up something like the guest network explained here to have both options on the same router (there are other ways of achieving this goal but I found the one I shared the most understandable and easy to implement). In my case, I used the 2.4GHz radio for the no-VPN connection and the 5.0GHz radio for the with-VPN connection.

  2. You can use SQM even when you have set up a VPN connection, e.g. one based on WireGuard (according to moeller0 and tohojo's responses). I assume you can do that by

but I haven't done that yet. If you use WireGuard, you probably need to add 60 to the per packet overhead according to this post.

  3. Because you now have a with-VPN and a no-VPN connection, you probably need to have something like two SQM instances. This is something I'm still struggling with but this post and this post seem to have some good pointers on how this can be handled. Although I'm not sure if the solutions explained in these posts are compatible with tohojo's configurations summarized in 2.
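An added example, not from the thread or from the SQM package, that puts tohojo's cake advice (`flows nonat`, none of dual-srchost/dual-dsthost/triple-isolate) and the summary's "+60 bytes of per-packet overhead for WireGuard" into an OpenWrt `/etc/config/sqm` queue, emitted as UCI commands. It assumes a WAN device named `eth0`, a base link-layer overhead of 44 bytes before the WireGuard addition, and constructed download/upload rates; all three must be replaced with values for the actual link. The `check_cake_opts` helper is the part that encodes the caveat from the thread: it rejects option strings that re-enable NAT lookup or a host-isolation mode, since either would make cake treat the whole tunnel as one host/flow again.

```shell
#!/bin/sh
# Added example (not from the thread): SQM/cake settings for a WAN that
# carries a WireGuard tunnel. Egress keeps per-flow isolation so cake can
# use the flow hash WireGuard hands over; ingress is shaped too, but the
# tunnel is still one flow there (packets are shaped before decryption).
# Assumptions (constructed): WAN device eth0, base overhead 44, the rates
# below. WG_OVERHEAD=60 is the figure given in the thread.

WAN_DEV="${WAN_DEV:-eth0}"
DOWNLOAD_KBPS="${DOWNLOAD_KBPS:-85000}"
UPLOAD_KBPS="${UPLOAD_KBPS:-18000}"
BASE_OVERHEAD="${BASE_OVERHEAD:-44}"   # assumed; depends on link type
WG_OVERHEAD=60                         # from the thread

EGRESS_OPTS="flows nonat"
INGRESS_OPTS="flows nonat ingress"     # 'ingress' = cake sits on receive side

# Return 0 if the cake option string keeps per-flow isolation for
# tunneled traffic, 1 if it lacks 'nonat' or names a mode that would undo
# it ('nat' re-enables conntrack lookup; the host modes key on IPs, and
# every tunneled packet carries the same pair of tunnel endpoint IPs).
check_cake_opts() {
  opts="$1"
  case " $opts " in
    *" nonat "*) ;;
    *) echo "cake opts '$opts': missing 'nonat'" >&2; return 1 ;;
  esac
  for bad in nat dual-srchost dual-dsthost triple-isolate; do
    case " $opts " in
      *" $bad "*)
        echo "cake opts '$opts': '$bad' defeats per-flow isolation" >&2
        return 1 ;;
    esac
  done
  return 0
}

# Total per-packet overhead handed to cake.
sqm_overhead() { echo $((BASE_OVERHEAD + WG_OVERHEAD)); }

# The queue section as a 'uci batch' script (option names are the ones
# the SQM package reads from /etc/config/sqm).
sqm_uci() {
  cat <<EOF
set sqm.wan=queue
set sqm.wan.enabled='1'
set sqm.wan.interface='$WAN_DEV'
set sqm.wan.download='$DOWNLOAD_KBPS'
set sqm.wan.upload='$UPLOAD_KBPS'
set sqm.wan.qdisc='cake'
set sqm.wan.script='piece_of_cake.qos'
set sqm.wan.linklayer='ethernet'
set sqm.wan.overhead='$(sqm_overhead)'
set sqm.wan.qdisc_advanced='1'
set sqm.wan.qdisc_really_really_advanced='1'
set sqm.wan.iqdisc_opts='$INGRESS_OPTS'
set sqm.wan.eqdisc_opts='$EGRESS_OPTS'
EOF
}

# Validate first, then apply on OpenWrt or print the batch elsewhere.
main_apply() {
  check_cake_opts "$EGRESS_OPTS" || return 1
  check_cake_opts "$INGRESS_OPTS" || return 1
  if command -v uci >/dev/null 2>&1; then
    sqm_uci | uci batch && uci commit sqm && /etc/init.d/sqm restart
  else
    sqm_uci
  fi
}

main_apply
```

After a restart, `tc -s qdisc show dev eth0` (and on the `ifb4eth0` device for ingress) should show cake with `nonat` and the chosen overhead; running two speed tests inside the tunnel and one outside it, as suggested later in the thread, is the practical check that egress flows are being kept apart.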

Is there absolutely no elegant way to make it work for download as well? I imagine there might be some trickery to manage that, no?

Not with ingress shaping - you can't see into the VPN flow before it's decrypted, naturally. You can shape it as a single flow just fine, though, so this may not be such a big deal on ingress as the flow prioritisation has less effect when it's downstream of the bottleneck...

@moeller0 I am trying to help someone using Asus Merlin get cake to work properly in the context of a WireGuard setup - see here:

Looks like he now has 'flows nonat' + diffserv3. Will the latter kill the desired flow differentiation despite encryption? What effect will diffserv3 have when 'flows' is set? Can diffserv3 and this flow differentiation work together somehow?

I do not know... but it should be easy to try this out: place two speedtests into the wireguard tunnel and run one speedtest without the VPN; if all three give roughly equal rates I would argue things work as desired...

As far as I can tell diffserv should just work with flows... essentially diffservX will create X complete hash tables with 1024 bins each, the dscp is then used to address one of these hash tables, and inside each hash table the desired isolation mode is applied. This should work independently of what isolation mode you request...

1 Like