Quota and restrictions not working when using OpenVPN

Report issues relating to bandwidth monitoring, bandwidth quotas or QoS in this forum.

symv
Posts: 2
Joined: Wed Nov 01, 2017 3:14 pm

Quota and restrictions not working when using OpenVPN

Post by symv »

Hi there,

I just installed Gargoyle 1.10.0 on my TP-Link TL-WDR3600 and configured it to act as an OpenVPN client so all my traffic is routed through the VPN. Unfortunately, when OpenVPN is running, neither the restrictions nor the quota settings are working at all. When I disable the OpenVPN service, everything is working great.

Is there any chance to get this problem fixed?
Cheers
symv

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Quota and restrictions not working when using OpenVPN

Post by ispyisail »

Can you give us more details so I can check?

symv
Posts: 2
Joined: Wed Nov 01, 2017 3:14 pm

Re: Quota and restrictions not working when using OpenVPN

Post by symv »

Hi,

Don't know what kind of details would help you, please let me know. I was using IPredator-VPN-Service which I had to configure manually.

It would be interesting to know if anybody managed to use restrictions and quotas while using the router as VPN-Client.

Greetings

twf85
Posts: 20
Joined: Tue Nov 14, 2017 3:59 pm

Re: Quota and restrictions not working when using OpenVPN

Post by twf85 »

I am currently testing a Linksys WRT1200AC v1 (believe it to be Caiman, as I am showing 503.2MB of RAM) while I wait for a WRT3200ACM to be delivered, and enabling the VPN client breaks my Quotas. Haven't tested Restrictions.

After poking around, I believe that the problem has something to do with how the BWMonitor records traffic for hosts/groups. Gargoyle is only recording total bandwidth for the VPN Client / Router, which appears to result in the loss of what host on the network is responsible for the traffic.

After VPN is turned ON, no other hosts are being tracked by the BWMonitor:

Image

Adjusting the time range, you can see the other hosts that were being tracked before the VPN was turned ON:

Image

EDITS

Never mind... I think because the VPN client is handling routing (via TUN), that's why Gargoyle can't see what is going where. If that's the case, global quotas and restrictions should still be effective.

@ispyisail
Here is my config, if that helps:

client
dev tun
proto udp
remote us-california.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
keysize aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
tun-mtu 1500
tun-mtu-extra 32
comp-lzo no
sndbuf 393216
rcvbuf 393216
verb 1
reneg-sec 0
auth-user-pass '/etc/openvpn/auth.txt'
crl-verify '/etc/openvpn/crl.rsa.2048.pem'
ca    /etc/openvpn/grouter_client_RANDOM_ca.crt
cert  /etc/openvpn/grouter_client_RANDOM.crt
key   /etc/openvpn/grouter_client_RANDOM.key

If I'm correct about what is causing the router to "lose" track of what bandwidth belongs to each client then, as far as I know, that only leaves two options:
  • Do not run VPN client on router. Run from each host that requires secure connection, when necessary.
  • Install a second router in between the Internet and the Gargoyle router that is configured for Quotas/Restrictions.
    • If you are using a metered Internet connection, you will probably want Gargoyle running on the VPN-router to capture the excess bandwidth.
      • I see no reason why you couldn't put each of the routers on different subnets to make this work, but I haven't tried it yet.
      • I'm not that familiar with how UPnP / PAT works, but I imagine you'd be crippling any Port Forwarding you had to do. I suppose you could simply forward every port on the VPN-router, but that doesn't sound safe at all.
I'm currently running VPN clients on network devices when / if I need to. It isn't the elegant all-in-one solution I hoped for, but oh well :lol:

If you are new to using VPNs, be aware that you will have to set up some workarounds via the command line to prevent sites like Netflix from blocking your access when using a service like PrivateInternetAccess (PIA).
