From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: VPN Graphs
Date: Wed, 01 Apr 2020 09:34:41 +0100
Message-ID: <38C20EE9-CFD4-4CF4-A425-EAE15CADB25F@ipfire.org>
In-Reply-To: <AE2496A1-AF38-4964-97D1-0442DE2EF1DF@rymes.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1128232751279236908=="
List-Id: <development.lists.ipfire.org>

--===============1128232751279236908==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hey Tom,

> On 31 Mar 2020, at 21:36, Tom Rymes <trymes(a)rymes.com> wrote:
>
> I noticed that graphs for OpenVPN connections have been added to the WUI, and with all of the added VPN usage in the last weeks, it sure would be nice to have similar graphs for IPsec Roadwarriors and Net-to-Net connections. I’m not certain if the nature of IPSec will prevent that from being possible, but it sure would be nice.

I agree. I would like those, too.

However, we currently have no efficient way to collect this data.

Running iftop or any other user-space process counting packets is heavily inefficient.

OpenVPN is being realised by having an interface where we can simply read packet counters from the kernel. We could in theory do this for IPsec tunnels that use VTI or GRE. But I would not feel comfortable adding that without the regular tunnels, because that is the vast majority.

Best,
-Michael

> Tom
>
> PS: In the meantime, and in the event it might be handy for anyone in a similar situation, I have been using the following commands for ‘iftop’ to get a handle on any VPN users that are hogging bandwidth:
>
> iftop -i red0 -nP
>
> iftop -n -i green0 -F x.x.x.x/y (place in a subnet you want to restrict results to, I use the IPSec RoadWarrior address block).
>
>


--===============1128232751279236908==--