
I have a StrongSwan (IKEv2) server setup and would like to limit each VPN connection to 512kb/s.

After researching I came across tc in Ubuntu. I don't quite understand it and am fighting through the manual pages.

DEV=eth0
# Remove whatever root qdisc is currently attached to the interface
tc qdisc del dev $DEV root
# Install an HTB root; packets that match no filter go to class 1:11
tc qdisc add dev $DEV handle 1: root htb default 11
# Attach an SFQ leaf under 1:11 whose hash is re-seeded every 60 seconds
tc qdisc add dev $DEV parent 1:11 handle 11: sfq perturb 60

I think this means that it reroutes the unclassified traffic to ID 11, which in turn will be evened out every 60 seconds. sfq also guarantees fairness in an equal flow of data among requests.

Interval in seconds for queue algorithm perturbation. Defaults to 0, which means that no perturbation occurs. Do not set too low, as each perturbation may cause some packet reordering or losses. Advised value: 60. This value has no effect when external flow classification is used. It's better to increase the divisor value to lower the risk of hash collisions.

I'm not too sure about these two. It seems to me that the primary connections would be limited to 512kbps and the unclassified to 128kbps. But I'm unsure.

# Parent class under the root (note: tc reads "kbps" as kilobytes/s and "kbit" as kilobits/s)
tc class add dev $DEV parent 1: classid 1:1 htb rate 512kbps
# Child class that the root's "default 11" sends unclassified traffic to
tc class add dev $DEV parent 1:1 classid 1:11 htb rate 128kbps

The worst part is that I'm unsure whether each VPN connection falls under these rules above as well, or whether the rules only affect scp etc.

Thanks for the advice

Houman
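The script in the question builds an HTB tree but attaches no filter, so every packet, VPN or not, lands in the single default class 1:11 and all tunnels share one limit. To limit each tunnel separately you need one class (and, if you like, one sfq leaf) per peer plus a filter that steers that peer's packets into it. The following script is an added example, not code from the question, the answer, or the strongSwan project. It assumes kernel-mode IPsec on a server whose public interface is eth0, so that the ESP packets leaving eth0 carry each peer's public address as destination; the u32 filter keys on that address. The peer addresses, the 100mbit link ceiling, the class minor numbers 20, 21, ... and the script name are constructed for the example. It uses "512kbit" (kilobits) rather than "512kbps", which tc reads as kilobytes.

```shell
#!/bin/sh
# Added example, not from the question or answer above: one HTB class per VPN
# peer on the server's public interface. Assumptions: kernel-mode IPsec (no
# tun device), so the ESP packets leaving eth0 carry each peer's public IP
# as destination, and that address is what the u32 filter keys on.

DEV="${DEV:-eth0}"
PER_PEER_RATE="${PER_PEER_RATE:-512kbit}"  # tc: "kbit" = kilobits/s, "kbps" = kilobytes/s
LINK_CEIL="${LINK_CEIL:-100mbit}"          # assumed uplink capacity (constructed value)
TC="${TC:-tc}"                             # TC=echo prints the commands instead of applying them

# Root HTB qdisc, a parent class for the whole link, and a default leaf (1:11)
# that catches traffic no filter claims. Everything unclassified shares it.
setup_root() {
    "$TC" qdisc del dev "$DEV" root 2>/dev/null
    "$TC" qdisc add dev "$DEV" root handle 1: htb default 11
    "$TC" class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK_CEIL"
    "$TC" class add dev "$DEV" parent 1:1 classid 1:11 htb rate 128kbit ceil "$LINK_CEIL"
    "$TC" qdisc add dev "$DEV" parent 1:11 handle 11: sfq perturb 60
}

# Per-peer class, SFQ leaf and filter. $1 = class minor id (tc reads it as
# hex; 20, 21, ... are fine), $2 = the peer's public IP. rate == ceil, so a
# peer can never borrow above PER_PEER_RATE even when the link is idle.
add_peer() {
    minor="$1"
    peer_ip="$2"
    "$TC" class add dev "$DEV" parent 1:1 classid "1:$minor" \
        htb rate "$PER_PEER_RATE" ceil "$PER_PEER_RATE"
    "$TC" qdisc add dev "$DEV" parent "1:$minor" handle "$minor:" sfq perturb 60
    "$TC" filter add dev "$DEV" parent 1: protocol ip prio 1 \
        u32 match ip dst "$peer_ip/32" flowid "1:$minor"
}

# Run the same steps for a list of peers; with TC=echo this only prints.
apply_peers() {
    setup_root
    n=20
    for ip in "$@"; do
        add_peer "$n" "$ip"
        n=$((n + 1))
    done
}

# Dry run: returns the full command list on stdout without touching the kernel.
plan() {
    ( TC=echo; apply_peers "$@" )
}

# Usage (peer addresses below are constructed examples from 203.0.113.0/24):
#   sh limit-peers.sh plan  203.0.113.5 203.0.113.6   # print only
#   sh limit-peers.sh apply 203.0.113.5 203.0.113.6   # needs root
case "${1:-}" in
    plan)  shift; plan "$@" ;;
    apply) shift; apply_peers "$@" ;;
esac
```

Run `sh limit-peers.sh plan <peer-ip> ...` first to inspect the generated commands, then `apply` as root. Two caveats worth checking before relying on this: peers that sit behind the same NAT share one public address and therefore one class, and the tree only shapes what leaves eth0 (server-to-client traffic); the client-to-server direction is shaped by the client or by an ingress policer, not by this root qdisc.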

1 Answer


You can rate-limit using iptables for this task.

# Accept IKE (UDP 500) packets of known connections on the VPN interface, at most $lim packets/s with a burst of $lb
iptables -A INPUT -i $vpnIface -p udp --dport 500 -m state --state RELATED,ESTABLISHED -m limit --limit $lim/s --limit-burst $lb -j ACCEPT

You’ll want to add rules for other IPsec ports like ESP 50 and UDP 4500 as well, or just the data transmission ports. Or you can limit at other points in iptables depending on port, source IP and other factors. The above is an example of per-connection limiting, which is what I believe you want (each VPN tunnel client gets a particular bandwidth limit).

Note that this will not protect against DoS attacks; it will just provide a fairer experience to authorised users.