AtariSoul

Extremely slow VPN with PFSense 2.4.4


Hello

I wondered if someone could help me fix my slow VPN, it's driving me mad. I've been trying for weeks to work it out and I'm at the end of my tether :(

I have Virgin Media UK with 350MB package. When I try without VPN I'm getting anything from 100MBs to 400MBs. When the VPN is enabled I get < 10MBs. I understand ISPs throttle and shape VPN, but Virgin claim they don't.

I used the main pfsense 2.3 tutorial and applied the differences from other posts. Sometimes speeds are as expected, but quite often I get <10 MBs. I reboot everything and it might get up to speed for a minute or so, then drops back again. 

I have read web page after web page, tried various VPN servers, different custom settings, removed all custom settings, send/receive buffers....I just really don't know where to go next.

These screenshots show my setup. What kind of logs do I need to post to troubleshoot?

Thanks very much in advance

pfsense sys info.JPG

VPN Setup p1.JPG

VPN Setup p2.JPG

VPN Setup p3.JPG

VPN Setup p4.JPG


A couple of differences in my config that you might try:

Custom options:
sndbuf 524288;rcvbuf 524288;client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64;

Send/Receive Buffer: 
2.00 MiB

NCP Algo:
AES-256-GCM
AES-256-CBC
^ mine are just in different order


Hello go558a83nk

Thanks for your help.

I have tried TCP but it made little difference. I use UDP normally.

I will try tls-crypt, I will follow your instructions I found in this thread and let you know how I get on.

Thanks

1 hour ago, go558a83nk said:

Have you tried TCP?  Or have you tried UDP with tls-crypt config?

17 minutes ago, metog said:

A couple of differences in my config that you might try:

Custom options:
sndbuf 524288;rcvbuf 524288;client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64;

Send/Receive Buffer: 
2.00 MiB

NCP Algo:
AES-256-GCM
AES-256-CBC
^ mine are just in different order

Thanks metog I will try tls-crypt first and if that doesn't help I will try your suggestion.

Many Thanks

33 minutes ago, metog said:

A couple of differences in my config that you might try:

Custom options:
sndbuf 524288;rcvbuf 524288;client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64;

Send/Receive Buffer: 
2.00 MiB

NCP Algo:
AES-256-GCM
AES-256-CBC
^ mine are just in different order



Many of your custom options are redundant since they are already set automatically or through GUI settings.

For example, having sndbuf and rcvbuf in the custom options and the send/receive buffer in the GUI set is setting the same options.  I don't know which ends up getting set - you'd have to look at your logs.

 

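
The log check suggested in the post above, sketched as an added example that is not part of the thread: it parses the custom options string and reads the applied socket buffers and negotiated cipher from OpenVPN's "Socket Buffers:" and "Data Channel: using negotiated cipher" log lines. The log lines are constructed sample input (they do not show which setting wins on a real pfSense box), and the function names are hypothetical.

```python
import re

# Constructed inputs for illustration: the custom options string quoted in the
# thread, the GUI buffer value from the same post, and made-up log lines.
CUSTOM_OPTIONS = ("sndbuf 524288;rcvbuf 524288;client;remote-cert-tls server;"
                  "persist-key;persist-tun;keysize 256;key-method 2;"
                  "key-direction 1;explicit-exit-notify 5;mlock;"
                  "keepalive 5 30;prng sha512 64;")
GUI_BUFFER_BYTES = 2 * 1024 * 1024  # "Send/Receive Buffer: 2.00 MiB"
SAMPLE_LOG = """\
Jan 01 10:00:01 openvpn[1234]: Socket Buffers: R=[42080->524288] S=[57344->524288]
Jan 01 10:00:03 openvpn[1234]: Data Channel: using negotiated cipher 'AES-256-GCM'
"""

SOCKBUF_RE = re.compile(r"Socket Buffers: R=\[(\d+)->(\d+)\] S=\[(\d+)->(\d+)\]")
CIPHER_RE = re.compile(r"Data Channel: using negotiated cipher '([^']+)'")


def parse_custom_options(text):
    """Split pfSense-style 'a 1;b 2;' custom options into {directive: [args]}."""
    opts = {}
    for item in filter(None, (part.strip() for part in text.split(";"))):
        name, *args = item.split()
        opts.setdefault(name, []).append(args)  # repeated directives stay visible
    return opts


def effective_settings(log_text):
    """Return the last applied socket buffers and negotiated cipher in a log."""
    result = {"rcvbuf": None, "sndbuf": None, "cipher": None}
    for line in log_text.splitlines():
        if m := SOCKBUF_RE.search(line):
            result["rcvbuf"], result["sndbuf"] = int(m.group(2)), int(m.group(4))
        elif m := CIPHER_RE.search(line):
            result["cipher"] = m.group(1)
    return result


def buffer_source(opts, gui_bytes, applied):
    """Say which configured value each applied buffer size matches."""
    report = {}
    for key in ("sndbuf", "rcvbuf"):
        known = {gui_bytes: "GUI"}
        if key in opts:
            known[int(opts[key][-1][0])] = "custom options"
        report[key] = known.get(applied[key], "neither")
    return report
```

A result of "neither" means the applied size matches neither configured value, which is itself worth posting along with the log line.
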
22 minutes ago, AtariSoul said:
Thanks metog I will try tls-crypt first and if that doesn't help I will try your suggestion.

Many Thanks

socket-flags TCP_NODELAY;
auth-nocache;
mlock;
key-direction 1;
tls-version-min 1.2;
key-method 2;
tls-timeout 2;
remote-cert-tls server;
mssfix 0;
tun-mtu 20000;
explicit-exit-notify 5;

That is what's in my custom options.

I find mssfix 0 works best for me.  And tun-mtu 20000 may seem crazy but it works for me.  I've read results of others testing and they find that for high speed openvpn setting a high tun-mtu value helps.

Also, test the GUI setting for buffer.  A higher buffer may help get you max speed but there's obviously something else going on that's clamping you way down.  I'm curious what tls-crypt does but I don't have high hopes.  I think something else is going on and I really don't have an answer because we're talking orders of magnitude difference.

What network cards are in your pfsense box and what are your network interface settings in system_advanced_network.php ?


Hello again :)

I have successfully configured OpenVPN to use tls-crypt UDP:
1. Downloaded from the advanced code generator, selecting UDP tls 1.2.
2. Replaced the TLS key from the ovpn script
3. Set key usage mode to authentication and encryption
4. Changed auth digest algorithm from SHA1 to SHA512

However, it made no difference to my speed, but at least I'm using a stronger algorithm now.

I changed the ports in case of blocking from 443, 1194, 41185 and back to 443, still < 10MBs

When I bypass VPN, speedtest peaks over 350MBs 
#SIGH#

I've attached my network page as requested.

Thanks very much
Graham

Networking.JPG


Good morning

Sorry I forgot to mention that I tried your custom settings, it made no difference.

go558a83nk, I noticed that you started a thread about WINTUN and the latest experimental Eddie is now compatible with it. I disconnected my pfSense PC and tried it. All my issues are gone. I will reconsider if I need pfsense, the only disadvantage seems that I'm restricted to only 3 devices, but I can live with that after the months of trying to figure out why my pfsense is so slow.

Thank you  go558a83nk and metog for your time
 

