Discussion:
[strongSwan] How to limit IKEv2 traffic per user?
Houman
2018-11-10 11:17:36 UTC
Hello,

I have attempted to limit the VPN speed to 10Mbit per user. But when I do
a DSL speed test with two devices simultaneously, it seems that the total
traffic is limited to 10Mbit/s, rather than each device having
10Mbit/s on its own.

ETH0ORSIMILAR="eth0"
SERVER_LIMIT="10mbit"

tc qdisc del dev $ETH0ORSIMILAR root
tc qdisc add dev $ETH0ORSIMILAR root handle 1: htb
iptables -I FORWARD -s 10.10.10.0/24 -j MARK --set-mark 51
iptables -I FORWARD -d 10.10.10.0/24 -j MARK --set-mark 51
tc class add dev $ETH0ORSIMILAR parent 1:1 classid 1:51 htb rate $SERVER_LIMIT ceil $SERVER_LIMIT
tc qdisc add dev $ETH0ORSIMILAR parent 1:51 sfq perturb 10
tc filter add dev $ETH0ORSIMILAR protocol ip parent 1: prio 1 handle 51 fw flowid 1:51

I had followed this tutorial to achieve this:
https://linuxscriptshub.com/bandwidth-control-on-ikev2-with-tc-and-iptables/

I'm essentially marking 10.10.10.0/24 vpn ip pool with number 51. After the
marking, based on the single private IP address with iptables, I'd do the
bandwidth limiting based on the marking id 51.

Is this correct how I have done it?

further iptables settings:
VPNIPPOOL="10.10.10.0/24"

# accept anything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT

# drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP

# rate-limit repeated new requests from same IP to any ports
iptables -I INPUT -i $ETH0ORSIMILAR -m state --state NEW -m recent --set
iptables -I INPUT -i $ETH0ORSIMILAR -m state --state NEW -m recent --update --seconds 60 --hitcount 12 -j DROP

# accept IPSec/NAT-T for VPN (ESP not needed with forceencaps, as ESP goes inside UDP)
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# forward VPN traffic anywhere
iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s $VPNIPPOOL -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d $VPNIPPOOL -j ACCEPT

# reduce MTU/MSS values for dumb VPN clients
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s $VPNIPPOOL -o $ETH0ORSIMILAR -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

# masquerade VPN traffic over eth0 etc.
iptables -t nat -A POSTROUTING -s $VPNIPPOOL -o $ETH0ORSIMILAR -m policy --pol ipsec --dir out -j ACCEPT # exempt IPsec traffic from masquerading
iptables -t nat -A POSTROUTING -s $VPNIPPOOL -o $ETH0ORSIMILAR -j MASQUERADE

ipsec config:
config setup
strictcrlpolicy=yes
uniqueids=never
conn roadwarrior
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha256-ecp521-ecp256-modp4096-modp2048!
esp=aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1!
dpdaction=clear
dpddelay=180s
rekey=no
left=%any
leftid=@${VPNHOST}
leftcert=cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-radius
eap_identity=%any
rightdns=208.67.222.222,208.67.220.220
rightsourceip=${VPNIPPOOL}
rightsendcert=never

Many Thanks,
Houman
Mirko Parthey
2018-11-16 20:56:59 UTC
> I have attempted to limit the VPN speed to 10Mbit per user.  But when I do a
> DSL speed test with two devices simultaneously, it seems that the total traffic
> is limited to 10Mbit/s, rather than each device having 10Mbit/s on its
> own.
> ETH0ORSIMILAR="eth0"
> SERVER_LIMIT="10mbit"
> tc qdisc del dev $ETH0ORSIMILAR root
> tc qdisc add dev $ETH0ORSIMILAR root handle 1: htb
> iptables -I FORWARD -s 10.10.10.0/24 -j MARK --set-mark 51
> iptables -I FORWARD -d 10.10.10.0/24 -j MARK --set-mark 51
> tc class add dev $ETH0ORSIMILAR parent 1:1 classid 1:51 htb rate $SERVER_LIMIT ceil $SERVER_LIMIT
> tc qdisc add dev $ETH0ORSIMILAR parent 1:51 sfq perturb 10
> tc filter add dev $ETH0ORSIMILAR protocol ip parent 1: prio 1 handle 51 fw flowid 1:51
> I had followed this tutorial to achieve this: https://linuxscriptshub.com/bandwidth-control-on-ikev2-with-tc-and-iptables/
Please note, in the tutorial you mentioned, there is a for loop in step 5.
At the least, each device needs a bandwidth limiting class of its own.

The LARTC mailing list might be a better place for this discussion:
http://vger.kernel.org/vger-lists.html#lartc

Regards,
Mirko
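Mirko's point, as an added example that is not from the thread or from the linked tutorial: a POSIX sh script that gives every address in the pool its own HTB class, sfq leaf and fw filter, and also creates the parent class 1:1 that the original script attaches to but never defines. The pool prefix, the "1000 + last octet" fwmark scheme, the 100mbit parent ceiling and the DRY_RUN/run helper are assumptions of this example.

```shell
#!/bin/sh
# Per-client HTB shaping for a strongSwan road-warrior pool (added example).
# Assumed: pool 10.10.10.0/24 with clients at .2-.254, fwmarks 1000+octet are
# unused by anything else, and $DEV is the uplink the VPN traffic egresses on.
DEV="${DEV:-eth0}"
POOL_PREFIX="10.10.10"
PER_CLIENT="10mbit"        # cap for each VPN client
TOTAL="100mbit"            # ceiling of the parent class (your uplink rate)
DRY_RUN="${DRY_RUN:-1}"    # 1 = only print the commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# fwmark for a client address: unique per client, derived from the last octet
mark_for_ip() { echo $((1000 + ${1##*.})); }

# tc classids are hexadecimal, so express the same number in hex
classid_for_ip() { printf '1:%x\n' "$(mark_for_ip "$1")"; }

# Root qdisc plus one parent class; every client class hangs below 1:1,
# which is the class the original script's "parent 1:1" referred to.
setup_root() {
    run tc qdisc del dev "$DEV" root || true
    run tc qdisc add dev "$DEV" root handle 1: htb
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$TOTAL" ceil "$TOTAL"
}

# One class, one leaf qdisc and one filter per client (the tutorial's loop body).
setup_client() {
    ip="$1"; mark="$(mark_for_ip "$ip")"; cid="$(classid_for_ip "$ip")"
    # mark both directions so upload and download of this client share its class
    run iptables -t mangle -A FORWARD -s "$ip" -j MARK --set-mark "$mark"
    run iptables -t mangle -A FORWARD -d "$ip" -j MARK --set-mark "$mark"
    run tc class add dev "$DEV" parent 1:1 classid "$cid" htb rate "$PER_CLIENT" ceil "$PER_CLIENT"
    run tc qdisc add dev "$DEV" parent "$cid" sfq perturb 10
    run tc filter add dev "$DEV" protocol ip parent 1: prio 1 handle "$mark" fw flowid "$cid"
}

# Walk the whole pool (.2 to .254), one class per possible client address
setup_pool() {
    octet=2
    while [ "$octet" -le 254 ]; do
        setup_client "$POOL_PREFIX.$octet"
        octet=$((octet + 1))
    done
}

# Entry point: no argument prints the plan, "apply" executes it (needs root)
if [ "${1:-}" = apply ]; then DRY_RUN=0; fi
setup_root
setup_pool
```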
