rate limit torrents/p2p
Ever since riseup deployed the vpn we have endpoints that are saturated by torrent traffic. We have continued to add endpoints (19 so far!), but it seems no matter how many we add they get filled. These endpoints being saturated probably means a worse user experience (but we also don't have a good way of measuring that currently).
Looking at the connection tracking numbers, our endpoints have between 20k-76k entries, while connected users varies from 150-900. These endpoints could support more users and provide more bandwidth per user if the few users torrenting weren't using all the bandwidth. I don't think we need to flat out ban torrents, but I would like it if we could rate limit by client somehow. I did a little research on approaches to this:
- Some use DPI to identify this type of traffic and then set up firewall rules to block/shape that traffic. But the main solutions I found for this are all old iptables classifier things like ipp2p, L7-filter, opendpi that are abandoned upstream. This would limit only the problematic traffic, which is nice.
- Some people used hooks in openvpn to run scripts on each client connecting/disconnecting to set up `tc` shaping (example). This would limit all traffic per client.
- openvpn itself has a `--shaper` option, however this requires that openvpn be running in `p2p` mode and we currently use `subnet`. Also this only limits outbound traffic; inbound would need to be limited on the client, which we don't always control (but many people use the client as is, so it might still work). So this means (if the client isn't also shaping) someone torrenting might have slow downloads, but their seeding would not be limited. This still might be enough if it gets them to stop torrenting over the vpn. This would also limit all traffic per client.
I suspect all we really need to do is get the worst abusers to move somewhere else and things will get a lot better for everyone else.
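The second approach above (openvpn hooks running `tc` per client) is the one that can limit both directions on the server side, since `--shaper` only covers server-to-client traffic. As an added example, not riseup's or OpenVPN's own code, here is one hook script that OpenVPN can run as `--up`, `--client-connect` and `--client-disconnect`: it creates an HTB root and an ingress qdisc on the tun device once, then gives each connecting client an egress HTB class (its downloads) and an ingress police filter (its uploads/seeding) keyed on its VPN address, and tears them down on disconnect. The `RATE` default, the `DRY_RUN` switch, and the class-id scheme (last two octets of the client address, which assumes a subnet-topology pool no larger than a /16) are assumptions made for this example; OpenVPN does export `script_type`, `dev` and `ifconfig_pool_remote_ip` to these hooks.

```shell
#!/bin/sh
# Added example (not riseup's or OpenVPN's own code): a single hook script for
# OpenVPN's --up, --client-connect and --client-disconnect that gives every
# client its own tc rate limit on the tun device, in both directions.
# Assumptions: subnet topology with a pool no larger than a /16 (the HTB class
# id is derived from the last two octets of the client's VPN address),
# iproute2 `tc` in PATH, and `script-security 2` in the server config.
# OpenVPN exports script_type, dev and ifconfig_pool_remote_ip to the hook.

RATE="${RATE:-10mbit}"      # per-client cap in each direction (hypothetical default)

# Print the tc command instead of running it when DRY_RUN=1 (for testing).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Map a client IP such as 10.8.1.7 to a small integer: (o3 << 8) + o4 = 263.
# Used in decimal as the filter prio and in hex as the HTB class minor id, so
# that disconnect can delete exactly this client's filters and class.
class_minor() {
    o3=${1#*.*.}; o3=${o3%.*}
    o4=${1##*.}
    echo $(( (o3 << 8) + o4 ))
}

# Once per tun device (from --up): an HTB root for egress shaping
# (server -> client, i.e. the client's downloads) and an ingress qdisc so that
# client -> server traffic (uploads/seeding) can be policed as well, which is
# the direction --shaper cannot touch. Unclassified traffic is not limited.
setup_dev() {
    run tc qdisc add dev "$1" root handle 1: htb
    run tc qdisc add dev "$1" ingress
}

shape_client() {
    dev=$1; ip=$2
    minor=$(class_minor "$ip")
    hex=$(printf '%x' "$minor")
    # Egress: an HTB class with rate == ceil, so this client cannot borrow.
    run tc class add dev "$dev" parent 1: classid "1:$hex" htb rate "$RATE" ceil "$RATE"
    run tc filter add dev "$dev" parent 1: protocol ip prio "$minor" \
        u32 match ip dst "$ip/32" flowid "1:$hex"
    # Ingress: nothing can be queued on receive, so police (drop) instead.
    run tc filter add dev "$dev" parent ffff: protocol ip prio "$minor" \
        u32 match ip src "$ip/32" police rate "$RATE" burst 100k drop flowid :1
}

unshape_client() {
    dev=$1; ip=$2
    minor=$(class_minor "$ip")
    hex=$(printf '%x' "$minor")
    # Deleting by prio removes only this client's filters (prio is unique per IP).
    run tc filter del dev "$dev" parent 1: protocol ip prio "$minor"
    run tc filter del dev "$dev" parent ffff: protocol ip prio "$minor"
    run tc class del dev "$dev" classid "1:$hex"
}

# Fail open on connect: a tc error should throttle nobody, not refuse the client
# (a non-zero exit from --client-connect rejects the connection).
case "${script_type:-}" in
    up)                setup_dev "$dev" ;;
    client-connect)    shape_client "$dev" "$ifconfig_pool_remote_ip" || true ;;
    client-disconnect) unshape_client "$dev" "$ifconfig_pool_remote_ip" || true ;;
    *) : ;;  # not invoked by openvpn (e.g. sourced for testing): do nothing
esac
```

To wire it in, the server config needs `script-security 2` plus `up`, `client-connect` and `client-disconnect` all pointing at the script. Two caveats worth keeping in mind: this is a flat per-client cap, not DPI, so a heavy user is slowed for everything, and the ingress side is a policer that drops above the rate rather than queueing, which TCP tolerates by backing off but which is cruder than the egress HTB shaping.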