You can use the directives `client-connect <cmd>` and `client-disconnect <cmd>`. An environment variable `$common_name` is passed to the script specified at `<cmd>` and can be evaluated to use specific `tc` settings on that particular client as follows:
```bash
#!/bin/bash
if [ "$common_name" == "client1" ]; then
    downrate=100mbit
    uprate=100mbit
elif [ "$common_name" == "client2" ]; then
    downrate=10mbit
    uprate=10mbit
else
    downrate=10kbit
    uprate=10kbit
fi

tc qdisc add dev "$dev" root handle 1: htb
tc qdisc add dev "$dev" handle ffff: ingress

# Limit traffic from VPN server to client
tc class add dev "$dev" parent 1: classid 1:1 htb rate "$downrate"
tc filter add dev "$dev" parent 1:0 protocol ip prio 1 \
    u32 match ip dst "$ifconfig_pool_remote_ip"/32 flowid 1:1

# Limit traffic from client to VPN server
tc filter add dev "$dev" parent ffff:0 protocol ip prio 1 \
    u32 match ip src "$ifconfig_pool_remote_ip"/32 \
    police rate "$uprate" burst 80k drop flowid :1
```
The following environment variables are relevant:

- `$common_name`: containing the client CN-name
- `$ifconfig_pool_remote_ip`: containing the client remote VPN IP
- `$dev`: containing the tun interface
A detailed setup can be found in this answer.
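
An added example, not part of the original answer: one hook script for both directives that gives each client its own HTB class and filter priority, so several clients can be shaped at once, and removes them again on disconnect. It assumes the pool is a single /24, so the last octet of `$ifconfig_pool_remote_ip` serves as a unique id; the function names are hypothetical, and `$script_type` is the variable OpenVPN sets to the name of the hook being run.

```shell
#!/bin/sh
# Map a certificate CN to "downrate uprate"; unknown CNs get the low default.
rates_for_cn() {
    case "$1" in
        client1) echo "100mbit 100mbit" ;;
        client2) echo "10mbit 10mbit" ;;
        *)       echo "10kbit 10kbit" ;;
    esac
}

# Per-client id (1..254) = last octet of the pool IP (assumption: one /24 pool).
client_id() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;  # not shaped like a dotted quad
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    octet=${1##*.}
    case "$octet" in 0*|????*) return 1 ;; esac
    [ "$octet" -le 254 ] || return 1
    echo "$octet"
}

on_connect() {
    id=$(client_id "$ifconfig_pool_remote_ip") || return 1
    set -- $(rates_for_cn "$common_name"); down=$1 up=$2
    hex=$(printf '%x' "$id")   # tc reads class minors as hex
    # Shared qdiscs may already exist from an earlier client; ignore that error.
    tc qdisc add dev "$dev" root handle 1: htb 2>/dev/null || true
    tc qdisc add dev "$dev" handle ffff: ingress 2>/dev/null || true
    tc class replace dev "$dev" parent 1: classid "1:$hex" htb rate "$down"
    tc filter add dev "$dev" parent 1: protocol ip prio "$id" \
        u32 match ip dst "$ifconfig_pool_remote_ip"/32 flowid "1:$hex"
    tc filter add dev "$dev" parent ffff: protocol ip prio "$id" \
        u32 match ip src "$ifconfig_pool_remote_ip"/32 \
        police rate "$up" burst 80k drop flowid :1
}

on_disconnect() {
    id=$(client_id "$ifconfig_pool_remote_ip") || return 1
    tc filter del dev "$dev" parent 1: protocol ip prio "$id"
    tc filter del dev "$dev" parent ffff: protocol ip prio "$id"
    tc class del dev "$dev" classid "1:$(printf '%x' "$id")"
}

case "${script_type:-}" in
    client-connect)    on_connect ;;
    client-disconnect) on_disconnect ;;
esac
```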