
Keepalives and TOS

Posted: Wed Oct 30, 2019 11:54 am
by wanting2learn
First off, sorry if this is asked elsewhere in this forum.

You can configure keepalives for connections to detect when it drops. I understand that, but I've looked at the tcpdump of a UDP set up and can't see any TOS set on any packets. I understand the passtos option, but I'm wondering if there is a way to enable TOS on the keepalive packet and, if not, can I add it to the wish list.

My example would be on, say, a DSL or cellular connection where the bandwidth is limited and you have both openvpn traffic and other traffic. Given that the underlying connection may end up queuing traffic, I wish to be able to apply QoS to the keepalive packets so they get out first, to prevent congestion from generating an openvpn connection restart. QoS on the remote openvpn server IP will prioritise all openvpn traffic; I'm looking to make sure the keepalive packet sits at the top of the queue.

Re: Keepalives and TOS

Posted: Wed Oct 30, 2019 1:08 pm
by TinCanTech
If you read --keepalive in the manual you will realise that TOS is not required for it.

Also, it is unlikely the developers will want to support yet another option for your use case.

Re: Keepalives and TOS

Posted: Wed Oct 30, 2019 2:34 pm
by wanting2learn
"If you read --keepalive in the manual you will realise that TOS is not required for it."

How would TOS not be required? Packets queuing on an interface of a router without a TOS will be treated as default unless you have a QoS policy based on server IP or port which would catch all openvpn vpn traffic. Keepalive packets would be treated the same as all other vpn packets.

Don't mind at all if the devs don't want to develop it but I would like to have a better understanding of how keepalive works.

Re: Keepalives and TOS

Posted: Wed Oct 30, 2019 3:56 pm
by TinCanTech
If you read about --ping perhaps you will understand, I had hoped you would do that for yourself ...

Re: Keepalives and TOS

Posted: Thu Oct 31, 2019 12:50 pm
by wanting2learn
--ping n
Ping remote over the TCP/UDP control channel if no packets have been sent for at least n seconds (specify --ping on both peers to cause ping packets to be sent in both directions since OpenVPN ping packets are not echoed like IP ping packets). When used in one of OpenVPN's secure modes (where --secret, --tls-server, or --tls-client is specified), the ping packet will be cryptographically secure. This option has two intended uses:

(1) Compatibility with stateful firewalls. The periodic ping will ensure that a stateful firewall rule which allows OpenVPN UDP packets to pass will not time out.

(2) To provide a basis for the remote to test the existence of its peer using the --ping-exit option.

Has no mention about how you would differentiate an openvpn packet with a keepalive in it from standard traffic, to move it into a higher queue on a router or firewall. All it would simply do is keep the firewall state open, which isn't what I'm asking about.
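The check the original poster describes (looking at a tcpdump of the UDP tunnel for a TOS value) can be scripted. The example below is added here and is not code from either poster or from the OpenVPN project; it parses the two-line records that `tcpdump -n -v` prints for UDP packets, pulls out the outer TOS byte and the flow, and summarises per flow how many packets carry a non-zero TOS. The capture text is constructed, not a real trace: it uses the documentation address 203.0.113.5, the OpenVPN default port 1194, and one packet deliberately marked 0xb8 (DSCP 46) so the report shows what a marked packet looks like next to unmarked ones. This outer TOS byte is all a queuing router ever sees, which is why the summary is keyed on it rather than on anything inside the encrypted payload.

```python
import re

# Constructed sample in the format of `tcpdump -n -v udp port 1194` (not a real capture).
SAMPLE = """\
12:00:01.000001 IP (tos 0x0, ttl 64, id 1001, offset 0, flags [DF], proto UDP (17), length 70)
    10.0.0.2.51234 > 203.0.113.5.1194: UDP, length 42
12:00:01.000002 IP (tos 0xb8, ttl 64, id 1002, offset 0, flags [DF], proto UDP (17), length 228)
    10.0.0.2.51234 > 203.0.113.5.1194: UDP, length 200
12:00:11.000003 IP (tos 0x0, ttl 64, id 1003, offset 0, flags [DF], proto UDP (17), length 70)
    10.0.0.2.51234 > 203.0.113.5.1194: UDP, length 42
12:00:11.000004 IP (tos 0x0, ttl 57, id 7001, offset 0, flags [DF], proto UDP (17), length 70)
    203.0.113.5.1194 > 10.0.0.2.51234: UDP, length 42
"""

# First line of a record: timestamp, then the IP header summary in parentheses.
HDR = re.compile(r"^(?P<ts>\S+) IP \(tos 0x(?P<tos>[0-9a-fA-F]+), .*?length (?P<iplen>\d+)\)$")
# Second (indented) line: src.port > dst.port: UDP, length N
FLOW = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>\S+): UDP, length (?P<udplen>\d+)$")


def parse_tcpdump(text):
    """Return one dict per UDP packet found in verbose tcpdump output."""
    records = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HDR.match(lines[i])
        if m and i + 1 < len(lines):
            f = FLOW.match(lines[i + 1])
            if f:
                records.append({
                    "ts": m["ts"],
                    "tos": int(m["tos"], 16),      # outer IP TOS byte
                    "src": f["src"],
                    "dst": f["dst"],
                    "udp_len": int(f["udplen"]),
                })
                i += 2
                continue
        i += 1   # skip lines that are not part of a UDP record
    return records


def dscp(tos):
    """DSCP is the upper six bits of the TOS byte; the low two bits are ECN."""
    return tos >> 2


def summarize(records):
    """Per (src, dst) flow: packet count, packets with non-zero TOS, DSCP values seen."""
    out = {}
    for r in records:
        key = (r["src"], r["dst"])
        s = out.setdefault(key, {"packets": 0, "marked": 0, "dscp": set()})
        s["packets"] += 1
        if r["tos"] != 0:
            s["marked"] += 1
        s["dscp"].add(dscp(r["tos"]))
    return out


if __name__ == "__main__":
    for flow, s in summarize(parse_tcpdump(SAMPLE)).items():
        print("%s -> %s: %d packets, %d with TOS set, DSCP values %s"
              % (flow[0], flow[1], s["packets"], s["marked"], sorted(s["dscp"])))
```

Run it against a real capture by replacing `SAMPLE` with the output of `tcpdump -n -v udp port 1194`; a flow whose packets all report `tos 0x0` will be queued at the default priority by any router that classifies on the TOS/DSCP field, regardless of what the encrypted payload contains.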