2

I am setting up a VPN server using OpenVPN. The authentication method is the certificate one (different certs for client and server). The VPS has 1TB of traffic monthly.

I plan to allow up to 4 clients per server, so I'd like to restrict any client from using more than 250GB per month.

I thought I could restrict the amount of traffic coming from one IP, but this idea wouldn't solve the problem - clients may log in from either their phone, PC, or tablet.

Ideally, I expect a statement in the .ovpn client file which would be able to control the amount of traffic coming from one client. I haven't found it, though.

How do I set up the restriction? Thanks.

user6232516

3 Answers

2

I'm a bit late to the party, but you can use the client-config-dir option to assign each client conf a local IP address. Then you can use Linux's Traffic Control (tc) to limit the bandwidth for each IP (and thus for each client). Would that work for you?

MadWard
  • I guess it will, it's worth trying. – user6232516 Jun 07 '16 at 08:55
  • I wanted to explain in my answer but it's actually pretty long; you'll have to work around Client-Config-Dir, splitting your subnet into several /30 subnets, and toy around with Traffic Control. Bump me if you struggle too much. – MadWard Jun 07 '16 at 09:17
  • @MadWard, actually if he uses the option "topology subnet" there will be no /30 subnets problem – RDP May 31 '17 at 12:57
0

Per OpenVPN 2.0.x:

--shaper n Limit bandwidth of outgoing tunnel data to n bytes per second on the TCP/UDP port. If you want to limit the bandwidth in both directions, use this option on both peers. OpenVPN uses the following algorithm to implement traffic shaping: Given a shaper rate of n bytes per second, after a datagram write of b bytes is queued on the TCP/UDP port, wait a minimum of (b / n) seconds before queuing the next write.

It should be noted that OpenVPN supports multiple tunnels between the same two peers, allowing you to construct full-speed and reduced bandwidth tunnels at the same time, routing low-priority data such as off-site backups over the reduced bandwidth tunnel, and other data over the full-speed tunnel.

Also note that for low bandwidth tunnels (under 1000 bytes per second), you should probably use lower MTU values as well (see above), otherwise the packet latency will grow so large as to trigger timeouts in the TLS layer and TCP connections running over the tunnel.

OpenVPN allows n to be between 100 bytes/sec and 100 Mbytes/sec.

alexus
  • I don't need bandwidth (speed) limit, I need traffic limit. Like how many GB of data can be transferred in a period of time, here one month. Any option for that? – user6232516 May 03 '16 at 19:43
  • @user6232516 - take your traffic limit quota and divide it equally across a 30-day span; your user won't be able to go over a certain traffic speed, but that will ensure that the user also won't go over your traffic limit quota as well. – alexus May 03 '16 at 19:53
  • If I divide the traffic using the math way, I get the speed around .09 MB/s which is awful. Just to ensure I've got you right - is this the method you meant? – user6232516 May 03 '16 at 20:03
0

You can use the iptables quota match extension as shown with a good example in this answer to limit the traffic volume of a specific IP address.

rda
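
The fixed per-client address from MadWard's answer combined with the iptables quota match from rda's answer, as an added example that is not from the thread: each certificate CN gets a static tunnel address through client-config-dir, and a per-client chain charges both directions against one 250 GB counter. The client names, the 10.8.0.0/24 subnet, the `vpnq-` chain prefix and the file paths are assumptions; the functions only print the commands.

```shell
#!/bin/sh
# Added example, not from the thread. Names, addresses and paths are constructed.
# Assumed server.conf lines: topology subnet / server 10.8.0.0 255.255.255.0 /
# client-config-dir /etc/openvpn/ccd
QUOTA_BYTES=250000000000   # 250 GB per client per month
NETMASK=255.255.255.0

# ccd_entry IP: content of /etc/openvpn/ccd/<certificate CN>. The tunnel
# address follows the certificate, not the public IP the client connects from.
ccd_entry() {
    printf 'ifconfig-push %s %s\n' "$1" "$NETMASK"
}

# quota_rules CN IP: print the iptables commands for one client. Both
# directions jump to one chain, so they share a single byte counter. -I puts
# the jumps ahead of any existing ACCEPT rule in FORWARD.
quota_rules() {
    chain="vpnq-$1"
    # iptables rejects chain names longer than 28 characters
    if [ "${#chain}" -gt 28 ]; then
        echo "chain name too long: $chain" >&2
        return 1
    fi
    cat <<EOF
iptables -N $chain
iptables -A $chain -m quota --quota $QUOTA_BYTES -j ACCEPT
iptables -A $chain -j DROP
iptables -I FORWARD -s $2 -j $chain
iptables -I FORWARD -d $2 -j $chain
EOF
}

# reset_rules CN: commands for a monthly cron job. Re-creating the quota
# rule starts its counter again from QUOTA_BYTES.
reset_rules() {
    cat <<EOF
iptables -F vpnq-$1
iptables -A vpnq-$1 -m quota --quota $QUOTA_BYTES -j ACCEPT
iptables -A vpnq-$1 -j DROP
EOF
}

# Constructed clients: certificate CN and fixed tunnel address.
for entry in alice:10.8.0.10 bob:10.8.0.11; do
    cn=${entry%%:*}; ip=${entry#*:}
    echo "# /etc/openvpn/ccd/$cn"; ccd_entry "$ip"
    quota_rules "$cn" "$ip"
done
```

Review the printed commands before piping them to `sh` as root, and schedule the `reset_rules` output for the first day of each month.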