Not with ingress shaping - you can't see into the VPN flow before it's decrypted, naturally. You can shape it as a single flow just fine, though, so this may not be such a big deal on ingress as the flow prioritisation has less effect when it's downstream of the bottleneck...
@moeller0 I am trying to help someone using Asus Merlin get cake to work properly in the context of a WireGuard setup - see here:
Looks like he now has 'flows nonat' + diffserv3. Will the latter kill the desired flow differentiation despite encryption? What effect will diffserv3 have when 'flows' is set? Can diffserv3 and this flow differentiation work together somehow?
I do not know... but it should be easy to try this out, place two speedtests into the wireguard tunnel and run one speedtest without the VPN, if all three give roughly equal rates I would argue things work as desired...
As far as I can tell diffserv should just works with flows... essentially diffservX will create X complete hash tables with 1024 bins each, the dscp then is used to address one of these hash tables, inside each hash table then the desired isolation mode is applied. This should work independently of what isolation mode you request...
1 Like