65tiklak

Network Lock eats my bandwidth

Recommended Posts

Posted ... (edited)

I have been a NordVPN-customer for a while now - signed a long contract before I discovered that there's no chance for port-forwarding. Since I'm quite unhappy with the situation I was looking for another VPN-service without such limitations and became an AirVPN-customer.

I am using the VPN connection on my Raspberry Pi 4 4GB on Raspbian. I am using the official NordVPN client for Linux and so I do with 'Eddie' right now. Setting up AirVPN was quite easy, the client is comfortable, so I jumped in and used it for a couple of hours. But then I was wondering why it felt quite slow to put my holiday photos to the cloud. So I went to speedtest.net and made the test
a) without a VPN connection
b) with a connection to NordVPN
c) with a connection to AirVPN

The results?
a) 52/40MBit
b) 26/35MBit
c) 26/17MBit

So I started to search the internet for various ideas of what is going on here. There was one guy who fixed his issues by trying several protocols & ports, so I did. UDP, TCP, SSL, SSH, various ports, different servers from all kinds of funny countries from 22-250ms ping - I've seen a difference sometimes, but no results that made me happy at all. Another guy was told that his Raspberry Pi is the bottleneck in this case and it isn't possible to get better OpenVPN results on the tiny device. Mh. I would try to live with the explanation, but yet I cannot because a) I can see that it's no deal at all because of the still-active NordVPN-subscription and b) I don't really have an idea how to spend my time in Corona-week #2 but to try it again and again.
So for hours of almost getting crazy and throwing the little innocent Pi out of the window I've tried to find a reason for the issue again and again and again and again and *BAM* as you expected - I found a way to fix the speed issues. But the way to fix it isn't nice at all: I switched off the Network Lock that should prevent my IP from leaking. So I connected to the same server again - aaaand *surprise*, see what happened here! Looks crazy? Maybe the neighbour or someone on the same VPN-server just ended his Ultra-super-dooper-HD-Disney+-stream? Nada! I've tried it again with the Network Lock turned on. Same server, same IP, almost same ping, here's the result. Shitty!
Still all this seemed too strange to me to believe at all. So I whitelisted another AirVPN-server with a lower ping. What happened? You guess the result? Network Lock off, Network Lock on.

To be honest, I'm really not into this iptables-network-stuff at all to understand what's going on here. But what I can say: The NordVPN killswitch does what it should as well. It's a UDP connection on port 443, the same that I tried with AirVPN. But something seems to be different that doesn't knock down my bandwidth.

So: Anyone with an idea how to get out of the situation?

Sorry for my bad English. And, ehm, oops, this should've been placed in the 'Troubleshooting and Problems'-section - I can't move it anymore.

Edited ... by 65tiklak
Wrong section.

@65tiklak

Hello and welcome aboard!

Eddie's Network Lock enforces something like 1000 iptables rules and 1000 ip6tables rules, so in theory it might actually slow down a Raspberry. However the screenshots you report show no performance difference between Network Lock on and off, so your conclusions are incorrect according to your very own experimental data set.

In the first example of yours, you even have slightly higher performance with Network Lock on.

By the way it's not a big deal because the "problem" (if it was a problem) has been completely resolved by Hummingbird, which enforces only a few rules, only the strictly necessary ones. It's like 30 rules, and there's no way that 30 iptables rules can measurably slow down Linux throughput on a Raspberry.

Your comparison with NordVPN is also not very relevant if you don't specify the cipher and the VPN protocol you have used. We allow, like NordVPN, weaker ciphers, but by default our servers propose the strongest available cipher, so you need to explicitly force the weaker cipher. Additionally we do not support insecure protocols like PPTP, which NordVPN still supports as far as we know.

On top of that Hummingbird lets you connect with CHACHA20-POLY1305 cipher which will give a non AES-NI supporting system (like a Raspberry) a performance boost. Hummingbird is available both for Raspbian 32 and Ubuntu 19 for ARM 64 bit (and should be also compatible with any other ARM 64 bit Linux distribution). Hummingbird also calls OpenVPN3-AirVPN library, which is remarkably faster than OpenVPN 2 binary. Test it and let us know.

Any Network Lock not enforced via firewall rules is garbage. Do not trust such kill switches because they will not prevent leaks when a process binds to the physical network interface and when the "switch killer" process halts unexpectedly.

Please see here to download and install Hummingbird:
https://airvpn.org/hummingbird/readme/

Kind regards
 

Posted ... (edited)

Thanks for the warm welcome and your extensive support!
You see no performance difference between Network Lock on and off? Please have a look at the upload performance: 32 (on) vs 17 MBit (off) upload on server 1, 35 vs 20 MBit upload on server 2. Looks massive to me!

It wasn't my intention to compare the performance between NordVPN and AirVPN at all - because as long as I do not use the Network Lock, I can use both with good performance. It was only about the bandwidth drop and the question how they handle it. The possible performance drop due to thousands of table rules sounds reasonable to me.

Before I am going to try to use Hummingbird, I tried to set up the ufw firewall on my own. As I am not a professional in network/firewall questions I'd be thankful if someone could have a look at my shell script and tell me if it's okay to go live with, because I have not found another example with Port Forwarding enabled:

# Defaults
# --force answers the interactive "Proceed with operation (y|n)?" prompt,
# otherwise the script blocks here when run non-interactively
sudo ufw --force reset
sudo ufw default deny incoming
sudo ufw default deny outgoing

# LAN
sudo ufw allow from 192.168.1.0/24 to any port 21 # FTP
sudo ufw allow from 192.168.1.0/24 to any port 22 # SSH
sudo ufw allow out to 192.168.1.0/24

# AirVPN Server 1
sudo ufw allow out to xxx.xxx.xxx.xxx port 443 proto udp
# AirVPN Server 2
sudo ufw allow out to xxx.xxx.xxx.xxx port 443 proto udp
# AirVPN Server 3
sudo ufw allow out to xxx.xxx.xxx.xxx port 443 proto udp
# AirVPN Server 4
sudo ufw allow out to xxx.xxx.xxx.xxx port 443 proto udp
# AirVPN Server 5
sudo ufw allow out to xxx.xxx.xxx.xxx port 443 proto udp
# AirVPN Server 6
sudo ufw allow out to xxx.xxx.xxx.xxx port 443 proto udp

# Tunnel
sudo ufw allow out on tun0
sudo ufw allow in on tun0 to any port xxxx # FTP
sudo ufw allow in on tun0 to any port xxxx # Torrent TCP/µTP
sudo ufw allow in on tun0 to any port xxxx # Web Interface
# --force skips the "may disrupt existing ssh connections" prompt
sudo ufw --force enable

Edited ... by 65tiklak

@65tiklak

If you enforce Network Lock you should disable UFW. It is an iptables frontend which adds custom chains that may interfere.

About the outcome of your tests, you therefore imply that the iptables rules mainly impair upload speed, and not download speed. It's a reasonable assumption, yes, because Eddie overwhelms the OUTPUT chain of the filter table. Use Hummingbird and make a new comparison please, for a potential confirmation of your assumption (with Network Lock on) as Hummingbird enforces only 19 rules on OUTPUT, instead of the 1000 rules enforced by Eddie.

If you wish to reproduce Network Lock through UFW, just look at the rules enforced by Hummingbird, make sure to delete any UFW custom chain, and set your own. However using directly iptables (or nftables if you have a system supporting it) is probably a better solution, but it's up to your taste at the end of the day.

Please keep us posted at your convenience after you have tested Hummingbird, even with CHACHA20-POLY1305.

Kind regards
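A minimal firewall-enforced network lock of the kind discussed in this thread, written as an added example (not Eddie's, Hummingbird's or AirVPN's own rules): it generates an nftables ruleset with default-drop policies, keeps the LAN reachable, allows only the VPN endpoint on the physical interface, and lets everything through the tunnel. The server address, port, LAN range and interface names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from AirVPN's clients.
# Emits an nftables ruleset that behaves like a firewall-enforced Network Lock:
# default drop on both hooks, LAN reachable, only the VPN endpoint allowed on
# the physical interface, everything allowed on the tunnel interface.
# Because the table is "inet" and no IPv6 accept rules exist, IPv6 traffic is
# dropped by the chain policies, which closes the usual v6 leak path.
# Usage: gen_network_lock 203.0.113.10 443 192.168.1.0/24 eth0 tun0 | sudo nft -f -

gen_network_lock() {
    vpn_ip=$1      # VPN server address (constructed placeholder)
    vpn_port=$2    # VPN UDP port
    lan=$3         # LAN range still allowed to reach the Pi (e.g. for SSH)
    wan_if=$4      # physical interface
    tun_if=$5      # tunnel interface created by OpenVPN
    cat <<EOF
flush ruleset
table inet netlock {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        iif $wan_if ip saddr $lan tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        oif $wan_if ip daddr $lan accept
        oif $wan_if ip daddr $vpn_ip udp dport $vpn_port accept
        oif $tun_if accept
    }
}
EOF
}

# Number of accept rules in the generated set, for comparison with the
# rule counts mentioned in the thread (Eddie ~1000, Hummingbird ~19 on OUTPUT).
count_rules() {
    gen_network_lock "$@" | grep -c ' accept$'
}
```

Port-forwarded services would get one extra `iif $tun_if ... dport N accept` line each in the input chain; nothing else needs to change.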
 
