Applying a QoS Policy to Constrain Bandwidth Usage

When using VPN over TCP, or when you wish to constrain the bandwidth usage of the VPN tunnel, it is recommended to set up a QoS policy on the VyOS machines on both sides, on-premises and in GCP.

Connect to each VyOS machine and apply the following configuration.

  • Bandwidth Limit:
    • For the VyOS on-premises, replace 100Mbit in the reference policy below with the uplink bandwidth you wish to constrain the VPN tunnel to, in the context of your internet link.
    • For the VyOS in GCP, replace 100Mbit with the downlink bandwidth you wish to constrain the return path of the VPN to, in the context of your internet link.
    • Example Scenario: You have an asymmetric internet connection on-premises, with 50Mbit/sec uplink and 100Mbit/sec downlink, and you want to constrain the uplink allocation for the VPN to at most 40Mbit and the downlink to at most 50Mbit. In the VyOS on-premises you replace the 100Mbit value with 40Mbit, and in the VyOS in GCP you replace the 100Mbit value with 50Mbit.
  • Velostrata Secure Datapath Limit:
    • Within the bandwidth allocated to the VPN tunnel, you can now control how much to allocate to the Velostrata Secure Datapath channel. Leave enough room for other application traffic and for control traffic. In the example below, the split during congestion periods is 40% for the Velostrata Datapath channel (class 100) and 60% for other traffic (default class). Each class can burst above its share, up to its ceiling, when there is no congestion.
    • Replace the 40% and 60% values with the split you prefer. Make sure to allocate a minimum of 20Mbit/sec to the Velostrata channel in each direction during congestion periods, and preferably more when running in production.
config
set traffic-policy shaper WAN-OUT bandwidth '100Mbit'
set traffic-policy shaper WAN-OUT class 100 bandwidth '40%'
set traffic-policy shaper WAN-OUT class 100 burst '2kb'
set traffic-policy shaper WAN-OUT class 100 ceiling '90%'
set traffic-policy shaper WAN-OUT class 100 description 'VELOS'
set traffic-policy shaper WAN-OUT class 100 match VELOS ip protocol tcp
set traffic-policy shaper WAN-OUT class 100 match VELOS ip destination port '9111'
set traffic-policy shaper WAN-OUT class 100 queue-type 'drop-tail'
set traffic-policy shaper WAN-OUT default bandwidth '60%'
set traffic-policy shaper WAN-OUT default burst '2kb'
set traffic-policy shaper WAN-OUT default ceiling '100%'
set traffic-policy shaper WAN-OUT default queue-type 'fair-queue'
set interfaces openvpn vtun0 traffic-policy out 'WAN-OUT'
commit
save
exit
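To make the substitutions above less error-prone, here is a small shell helper, added here and not part of the Velostrata documentation or of VyOS, that generates the same command set from the tunnel limit and the class split, and applies the 20Mbit/sec floor for class 100 from the previous section before emitting anything. It assumes the limit is given in Mbit and the shares as percentages, as in the policy above; the interface name vtun0 is the page's default.

```shell
#!/bin/sh
# Constructed helper (not from the Velostrata docs or VyOS): builds the
# WAN-OUT shaper commands shown on this page and enforces the 20 Mbit/sec
# minimum for the Velostrata class (class 100) during congestion.

MIN_VELOS_MBIT=20

# velos_share_mbit <tunnel limit, e.g. 40Mbit> <class-100 share, e.g. 40%>
# Prints the guaranteed Velostrata share in Mbit (integer, rounded down).
velos_share_mbit() {
    bw=${1%Mbit}; pct=${2%\%}
    echo $(( bw * pct / 100 ))
}

# check_velos_floor <limit> <share>: returns 0 when the guaranteed share
# meets the 20 Mbit/sec minimum, 1 otherwise (with a message on stderr).
check_velos_floor() {
    share=$(velos_share_mbit "$1" "$2")
    if [ "$share" -lt "$MIN_VELOS_MBIT" ]; then
        echo "class 100 would guarantee only ${share}Mbit of $1; raise the share or the limit" >&2
        return 1
    fi
    return 0
}

# gen_policy <limit> <velos share> <default share> [interface]
# Emits the configuration block from the page with the values substituted.
gen_policy() {
    bw=$1; velos=$2; other=$3; iface=${4:-vtun0}
    vp=${velos%\%}; op=${other%\%}
    if [ $(( vp + op )) -ne 100 ]; then
        echo "class 100 and default shares must add up to 100%" >&2
        return 1
    fi
    check_velos_floor "$bw" "$velos" || return 1
    cat <<EOF
set traffic-policy shaper WAN-OUT bandwidth '$bw'
set traffic-policy shaper WAN-OUT class 100 bandwidth '$velos'
set traffic-policy shaper WAN-OUT class 100 burst '2kb'
set traffic-policy shaper WAN-OUT class 100 ceiling '90%'
set traffic-policy shaper WAN-OUT class 100 description 'VELOS'
set traffic-policy shaper WAN-OUT class 100 match VELOS ip protocol tcp
set traffic-policy shaper WAN-OUT class 100 match VELOS ip destination port '9111'
set traffic-policy shaper WAN-OUT class 100 queue-type 'drop-tail'
set traffic-policy shaper WAN-OUT default bandwidth '$other'
set traffic-policy shaper WAN-OUT default burst '2kb'
set traffic-policy shaper WAN-OUT default ceiling '100%'
set traffic-policy shaper WAN-OUT default queue-type 'fair-queue'
set interfaces openvpn $iface traffic-policy out 'WAN-OUT'
EOF
}
```

With the 40Mbit uplink from the example scenario, a 40% share guarantees class 100 only 16Mbit during congestion, so the helper refuses that combination until the share is raised (50% of 40Mbit meets the 20Mbit floor).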