Re: VPN Graphs

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 1313 bytes --]

Hey Tom,

> On 31 Mar 2020, at 21:36, Tom Rymes <trymes(a)rymes.com> wrote:
> 
> I noticed that graphs for OpenVPN connections have been added to the WUI, and with all of the added VPN usage in the last weeks, it sure would be nice to have similar graphs for IPsec Roadwarriors and Net-to-Net connections. I’m not certain if the nature of IPSec will prevent that from being possible, but it sure would be nice.

I agree. I would like those, too.

However, we currently have no efficient way to collect this data.

Running iftop or any other user-space process counting packets is heavily inefficient.

OpenVPN is being realised by having an interface where we can simply read packet counters from the kernel. We could in theory do this for IPsec tunnels that use VTI or GRE. But I would not feel comfortable adding that without the regular tunnels, because that is the vast majority.

Best,
-Michael

> Tom
> 
> PS: In the meantime, and in the event it might be handy for anyone in a similar situation, I have been using the following commands for ‘iftop’ to get a handle on any VPN users that are hogging bandwidth:
> 
> iftop -i red0 -nP
> 
> iftop -n -i green0 -F x.x.x.x/y (place in a subnet you want to restrict results to, I use the IPSec RoadWarrior address block).
> 
>