Quota and restrictions not working when using OpenVPN

Report issues relating to bandwith monitoring, bandwidth quotas or QoS in this forum.

Moderator: Moderators

Post Reply
symv
Posts: 2
Joined: Wed Nov 01, 2017 3:14 pm

Quota and restrictions not working when using OpenVPN

Post by symv »

Hi there,

I just installed Gargoyle 1.10.0 on my TP-Link TL-WDR3600 and configured it to act as a OpenVPN client so all my traffic is routed through the VPN. Unfortunately, when OpenVPN is running, either the restrictions nor the quota setting are working at all. When I disable the OpenVPN service, everything is working great.

Is there any chance to get this problem fixed?
Cheers
symv

ispyisail
Moderator
Posts: 5194
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Quota and restrictions not working when using OpenVPN

Post by ispyisail »

Can you give us more details so I can check

symv
Posts: 2
Joined: Wed Nov 01, 2017 3:14 pm

Re: Quota and restrictions not working when using OpenVPN

Post by symv »

Hi,

don't know what kind of details would help you, please let me know. I was using IPredator-VPN-Service which I had to config manually.

It would be interesting to know if anybody managed to use restrictions and quotas while using the router as VPN-Client.

Greetings

User avatar
twf85
Posts: 20
Joined: Tue Nov 14, 2017 3:59 pm

Re: Quota and restrictions not working when using OpenVPN

Post by twf85 »

I am currently testing a Linksys WRT1200AC v1 (believe it to be Caiman, as I am showing 503.2MB of RAM) while I wait for a WRT3200ACM to be delivered, and enabling the VPN client breaks my Quotas. Haven't tested Restrictions.

After poking around, I believe that the problem has something to do with how the BWMonitor records traffic for hosts/groups. Gargoyle is only recording total bandwidth for the VPN Client / Router, which appears to result in the loss of what host on the network is responsible for the traffic.

After VPN is turned ON, no other hosts being tracked by the BWMonitor:

Image

Adjusting the time range, you can see the other hosts that were being tracked before the VPN was turned ON:

Image

EDITS

Nevermind.. I think because the VPN client is handling routing (via TUN), that's why Gargoyle can't see what is going where. If that's the case, global quotas and restrictions should still be effective.

@ispyisail
Here is my config, if that helps:

Code: Select all

client
dev tun
proto udp
remote us-california.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
keysize aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
tun-mtu 1500
tun-mtu-extra 32
comp-lzo no
sndbuf 393216
rcvbuf 393216
verb 1
reneg-sec 0
auth-user-pass '/etc/openvpn/auth.txt'
crl-verify '/etc/openvpn/crl.rsa.2048.pem'
ca    /etc/openvpn/grouter_client_RANDOM_ca.crt
cert  /etc/openvpn/grouter_client_RANDOM.crt
key   /etc/openvpn/grouter_client_RANDOM.key

If I'm correct about what is causing the router to "lose" track of what bandwidth belongs to each client then, as far as I know, that only leaves two options:
  • Do not run VPN client on router. Run from each host that requires secure connection, when necessary.
  • Install a second router in between the Internet and the Gargoyle router that is configured for Quotas/Restrictions.
    • If you are using a metered Internet connection, you will probably want Gargoyle running on the VPN-router to capture the excess bandwidth.
      • I see no reason why you couldn't put each of the routers on different subnets to make this work, but I haven't tried it yet.
      • I'm not that familiar with how uPnP / PAT works, but I imagine you'd be crippling any Port Forwarding you had to do. I suppose you could simply forward every port on the VPN-router, but that doesn't sound safe at all.
I'm currently running VPN clients on network devices when / if I need to. It isn't the elegant all-in-one solution I hoped for, but oh well :lol:

If you are new to using VPNs, be aware that you will have to setup some workarounds via the command line to prevent sites like Netflix from blocking your access when using a service like PrivateInternetAccess (PIA).

Post Reply