Setting QoS on OpenWrt for VPN

Hi Group

I'm setting up OpenWrt at a number of sites that have a WireGuard VPN to a Voice Server.
Local IP phones connect to the Voice Server via the VPN only, and all other traffic exits the main WAN connection.

The problem I have (although not tested) is that I want to set up QoS on the WAN for the VPN traffic, which, if I just use standard SQM, won't be queued properly as the VPN traffic would have a DSCP of 0.

So the question is:

  1. Can I tune SQM to prioritise the VPN traffic, or
  2. Can I set the DSCP of WireGuard packets so they will queue correctly on egress?

Thanks all.

Mike

Why not simply test it first? I also believe that using cake's per-internal-host-IP isolation might help a bit, as it would in all likelihood consider all VPN traffic to belong to its own internal host IP and at least should guarantee more bandwidth than the default per-flow fairness.

But all of this is also possible; for egress that should be relatively simple, for ingress it might be a bit harder. I have not done that myself though, so I have no direct hands-on how-to available.

What he said. Cake is designed to handle most situations without config, though some of the possible tweaks can help this situation; see the more advanced sections of the docs on the OpenWrt site.

And, to the rest of your questions, there is a wealth (well maybe too much wealth!) of info on the prioritizing of packets in this thread: https://forum.openwrt.org/t/ultimate-sqm-settings-layer-cake-dscp-marks/25832

There's so much in that one, though, that it would be a Good Thing(tm) if a few of the knowledgeable folks went through it and mined out stuff into a nice instruction page on the various topics and methods...


I somehow got it working, combining br-lan and WireGuard traffic. Local traffic (LAN to LAN, LAN to VPN) is exempt from the speed limit.

#!/bin/sh
# Shape WAN traffic for br-lan and the WireGuard interface together by redirecting
# both into two IFB devices: ifbwanout (upload) and ifbwanin (download).
VPN_IFACE=wg
BRIDGE_IFACE=br-lan
UL_BW_LIMIT=10    # upload limit, mbit
DL_BW_LIMIT=100   # download limit, mbit

# -----ifb-----#
for DEV in ifbwanin ifbwanout; do
    ip link show dev "$DEV" >/dev/null 2>&1 || ip link add "$DEV" numtxqueues 4 numrxqueues 4 type ifb
    ip link set "$DEV" up
    tc qdisc del dev "$DEV" root 2>/dev/null
done

for DEV in ${VPN_IFACE} ${BRIDGE_IFACE}; do
    # For upload traffic (VPN iface inbound traffic == WAN outbound traffic):
    # restore the DSCP saved in the conntrack mark, then hand the packet to ifbwanout
    tc qdisc del dev "$DEV" root 2>/dev/null
    tc qdisc del dev "$DEV" ingress 2>/dev/null
    tc qdisc add dev "$DEV" handle ffff: ingress
    tc filter add dev "$DEV" parent ffff: protocol all u32 \
        match u32 0 0 flowid 1:1 \
        action ctinfo dscp 0xfc000000 0x01000000 \
        action mirred egress redirect dev ifbwanout
    # For download traffic: same DSCP restore, then redirect to ifbwanin
    tc qdisc replace dev "$DEV" root handle 1: prio bands 2 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    tc filter add dev "$DEV" parent 1: protocol all u32 \
        match u32 0 0 flowid 1:1 \
        action ctinfo dscp 0xfc000000 0x01000000 \
        action mirred egress redirect dev ifbwanin
done

# -----tc----- #
# Download: band 1:1 is cake (shaped), band 1:2 is fq_codel for local traffic that escapes the limit
tc qdisc replace dev ifbwanin root handle 1: prio bands 2 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
tc qdisc replace dev ifbwanin parent 1:1 cake diffserv4 nat ingress bandwidth ${DL_BW_LIMIT}mbit
tc qdisc replace dev ifbwanin parent 1:2 fq_codel # escape local traffic
tc filter add dev ifbwanin protocol ip parent 1:0 prio 10 u32 match ip src 192.168.0.0/16 flowid 1:2
tc filter add dev ifbwanin protocol ip parent 1:0 prio 11 u32 match ip src 10.8.0.0/16 flowid 1:2
# tc filter add dev ifbwanin protocol ipv6 parent 1:0 prio 13 u32 match ip6 src ::/0 flowid 1:2

# Upload: same layout, with cake's ack-filter enabled on the shaped band
tc qdisc replace dev ifbwanout root handle 1: prio bands 2 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
tc qdisc replace dev ifbwanout parent 1:1 cake diffserv4 nat ack-filter bandwidth ${UL_BW_LIMIT}mbit
tc qdisc replace dev ifbwanout parent 1:2 fq_codel # escape local traffic
tc filter add dev ifbwanout protocol ip parent 1:0 prio 10 u32 match ip dst 192.168.0.0/16 flowid 1:2
tc filter add dev ifbwanout protocol ip parent 1:0 prio 11 u32 match ip dst 10.8.0.0/16 flowid 1:2
# tc filter add dev ifbwanout protocol ipv6 parent 1:0 prio 13 u32 match ip6 src ::/0 flowid 1:2
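As an added example (not code from this thread or from its poster), the Python below works through the two constants in the script's `action ctinfo dscp 0xfc000000 0x01000000` lines, i.e. how a DSCP stored in the conntrack mark is restored into the packet before cake sees it, and which diffserv4 tin cake then picks. The ct-mark layout follows directly from those constants; the tin table is an assumption from my reading of sch_cake.c and should be checked against your kernel.

```python
# Added example: decode the ctinfo constants used in the tc script above and show what
# cake diffserv4 does with the DSCP that ctinfo restores.

DSCP_MASK = 0xFC000000   # first ctinfo argument: the 6 DSCP bits live in ct mark bits 26..31
STATEMASK = 0x01000000   # second argument: only restore when this "DSCP is valid" bit is set
_SHIFT = (DSCP_MASK & -DSCP_MASK).bit_length() - 1   # position of the mask's lowest set bit (26)

def encode_ctmark(dscp, existing_mark=0):
    """Build the ct mark that a firewall 'save DSCP' rule (not shown in the thread) must
    produce for ctinfo to restore it: DSCP in the masked bits plus the state bit."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    keep = existing_mark & ~(DSCP_MASK | STATEMASK) & 0xFFFFFFFF   # unrelated mark bits survive
    return keep | (dscp << _SHIFT) | STATEMASK

def restore_dscp(ctmark):
    """What 'ctinfo dscp' does per packet: return the DSCP it writes into the IP header,
    or None when the state bit is clear and the header is left untouched."""
    if not ctmark & STATEMASK:
        return None
    return (ctmark & DSCP_MASK) >> _SHIFT

def dscp_to_tos(dscp):
    """DSCP is the top 6 bits of the TOS byte, which is what tcpdump prints (EF -> tos 0xb8)."""
    return dscp << 2

# Assumption (from sch_cake.c, verify for your kernel): well-known codepoints and the
# cake diffserv4 tin they land in; codepoints not listed fall into Best Effort.
DIFFSERV4_TIN = {
    8: "Bulk",                                  # CS1
    16: "Video", 24: "Video", 34: "Video",      # CS2, CS3, AF41
    40: "Voice", 46: "Voice", 48: "Voice",      # CS5, EF, CS6
}

def cake_tin(dscp):
    return DIFFSERV4_TIN.get(dscp, "Best Effort")

def classify(ctmark, header_dscp):
    """End to end: given the ct mark and the DSCP already in the packet (0 in the OP's
    case, where the VPN packets carry no DSCP), report the DSCP cake sees and its tin."""
    dscp = restore_dscp(ctmark)
    if dscp is None:
        dscp = header_dscp
    return dscp, cake_tin(dscp)
```

With no state bit in the ct mark, `classify` shows the packet staying at DSCP 0 in Best Effort, which is exactly the OP's starting problem; once a mark with the state bit is present, the voice traffic lands in the Voice tin.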