Extremely slow VPN with PFSense 2.4.4

[AtariSoul 0]

Hello

I wondered if someone could help me fix my slow VPN, its driving me mad. I've been trying for weeks to work it out and I'm at the end of my tether

I have Virgin Media UK with 350MB package. When I try without VPN I'm getting anything from 100MBs to 400MBs. When enabled VPN I get < 10MBs. I understand ISP's throttle and shape VPN, but Virgin claim they don't.

I used the main pfsense 2.3 tutorial and applied the differences from other posts. Sometimes speeds are as expected, but quite often I get <10 MBs. I reboot everything and it might get up to speed for a minute or so, then drops back again. 

I have read web page after web page, tried various VPN servers, different custom settings, removed all custom settings, send/receive buffers....I just really don't know where to go next.

This screenshots show my setup. What kind of logs do I need to post to troubleshoot?

Thanks very much in advance

[go558a83nk 364]

Have you tried TCP?  Or have you tried UDP with tls-crypt config?

[metog 0]

A couple difference between my config that you might try:

Custom options:
sndbuf 524288;rcvbuf 524288;client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64;

Send/Receive Buffer: 
2.00 MiB

NCP Algo:
AES-256-GCM
AES-256-CBC
^ mine are just in different order

[AtariSoul 0]

Hello go558a83nk

Thanks for your help.

I have tried TCP but it made little difference. I use UDP normally.

I will try tls-crypt, I will follow your instructions I found in this thread and let you know how I get on.

Thanks

1 hour ago, go558a83nk said:

Have you tried TCP?  Or have you tried UDP with tls-crypt config?

[AtariSoul 0]

17 minutes ago, metog said:

A couple difference between my config that you might try:

Custom options:
sndbuf 524288;rcvbuf 524288;client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64;

Send/Receive Buffer: 
2.00 MiB

NCP Algo:
AES-256-GCM
AES-256-CBC
^ mine are just in different order

Thanks metog I will try tls-crypt first and if that doesn't help I will try your suggestion.

Many Thanks

[go558a83nk 364]

33 minutes ago, metog said:

A couple difference between my config that you might try:

Custom options:
sndbuf 524288;rcvbuf 524288;client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64;

Send/Receive Buffer: 
2.00 MiB

NCP Algo:
AES-256-GCM
AES-256-CBC
^ mine are just in different order

Many of your custom options are redundant since they are already set automatically or through GUI settings.

For example, having sndbuf and rcvbuf in the custom options and the send/receive buffer in the GUI set is setting the same options.  I don't know which ends up getting set - you'd have to look at your logs.

 

[go558a83nk 364]

22 minutes ago, AtariSoul said:

Thanks metog I will try tls-crypt first and if that doesn't help I will try your suggestion.

Many Thanks

socket-flags TCP_NODELAY;
auth-nocache;
mlock;
key-direction 1;
tls-version-min 1.2;
key-method 2;
tls-timeout 2;
remote-cert-tls server;
mssfix 0;
tun-mtu 20000;
explicit-exit-notify 5;

That is what's in my custom options.

I find mssfix 0 works best for me.  And tun-mtu 20000 may seem crazy but it works for me.  I've read results of others testing and they find that for high speed openvpn setting a high tun-mtu value helps.

Also, test the GUI setting for buffer.  A higher buffer may help get you max speed but there's obviously something else going on that's clamping you way down.  I'm curious what tls-crypt does but I don't have high hopes.  I think something else is going on and I really don't have an answer because we're talking orders of magnitude difference.

What network cards are in your pfsense box and what are you network interfaces settings in system_advanced_network.php ?

[AtariSoul 0]

Hello again

I have successfully configured OPENVPN to use tls-crypt UDP
1. Download from the advanced code generator and selecting UDP tls 1.2.
2. replaced the TLS key from the ovpn script
3. set key usage mode to authentication and encryption

4. changed auth digest algorithm from SHA1 to sha512

However, it made no difference to my speed, but at least I'm using a stronger algorithm now.

I changed the ports in case of blocking from 443, 1194, 41185 and back to 443, still < 10MBs

When I bypass VPN, speedtest peaks over 350MBs 
#SIGH#

I've attached my network page as requested.

Thanks very much
Graham

[go558a83nk 364]

but what network cards?

Also, any testing of the other options such as mssfix and tun-mtu?

[AtariSoul 0]

Good morning

Sorry I forgot to mention that I tried your custom settings, it made no difference.

go558a83nk , I noticed that you started a thread about WINTUN and the latest experimental Eddie is now compatible with it. I disconnected by pfSense PC and tried it. All my issues are gone. I will reconsider if I need pfsense, the only disadvange seems that I'm restricted to only 3 devices, but I can live with that after the months of trying to figure out why my pfsense is so slow. 

Thank you  go558a83nk and metog for your time
 

[lordlukan 3]

Hardware Crypto. Change from BSD crypto dev engine to AES-NI as your hardware supports it

[go558a83nk 364]

Mine pfsense setup is very fast

What I have is in System>Advanced>Miscellaneous>Cryptographic Hardware AES-NI and BSD Crypto Device is Chosen.  You must reboot after changes to this setting.

Then in the openvpn configuration hardware crypto option I have BSD cryptodev engine selected.  There is no AES-NI option there because as long as AES-NI is enabled on the system openvpn uses it automatically. 

[DINUs 0]

@go558a83nk : Can you provide the full details of your configuration of your openvpn with pfsense,
My down and upload speed is very low, i have 44mpbs down and 10 up load speed, when i connect to vpn i am getting 4mpbs down and 1 mpbs upload speed.
I have done all settings as in all all forum and support, nothing have helped me..
if you advise me how to proceed further really helpful..
Thanks
Dinu

[BuiltOnSelfSuccess 1]

On 3/26/2020 at 9:08 PM, AtariSoul said:

Hello again

I have successfully configured OPENVPN to use tls-crypt UDP
1. Download from the advanced code generator and selecting UDP tls 1.2.
2. replaced the TLS key from the ovpn script
3. set key usage mode to authentication and encryption

4. changed auth digest algorithm from SHA1 to sha512

However, it made no difference to my speed, but at least I'm using a stronger algorithm now.

I changed the ports in case of blocking from 443, 1194, 41185 and back to 443, still < 10MBs

When I bypass VPN, speedtest peaks over 350MBs 
#SIGH#

I've attached my network page as requested.

Thanks very much
Graham

Hi AtariSoul,

Did you manage to fix your speed issues? I'm losing the will to live with all the options and configuration changes I've made with my setup so far. I just can't get to the bottom of it.
 

[BuiltOnSelfSuccess 1]

On 6/15/2020 at 12:44 PM, BuiltOnSelfSuccess said:

Hi AtariSoul,

Did you manage to fix your speed issues? I'm losing the will to live with all the options and configuration changes I've made with my setup so far. I just can't get to the bottom of it.
 

Absolutely no changes made, my speed is mainly sat just under 20mbps but then I randomly get higher speeds, today I even managed to hit 207.80mbps on my 200mbps line!
Anyone with any ideas to help me maintain consistently high speeds?

[AtariSoul 0]

On 6/15/2020 at 12:44 PM, BuiltOnSelfSuccess said:

Hi AtariSoul,

Did you manage to fix your speed issues? I'm losing the will to live with all the options and configuration changes I've made with my setup so far. I just can't get to the bottom of it.
 

Hello BuiltOnSelfSuccess

No I didn't fix it. You sound like me, it was taking over my life for months on end. And the wife saying "Internet not working again, are you messing about on that internet thing again" every time was the straw that broke the camel's back ! 

So I gave up and I am now using Eddie. I have it set up to lock the internet when VPN goes down. For qBittorrent I set it under the advanced settings to only use the VPN network connection.

Good luck

[Lee47 23]

On 6/17/2020 at 2:18 AM, AtariSoul said:

Hello BuiltOnSelfSuccess

No I didn't fix it. You sound like me, it was taking over my life for months on end. And the wife saying "Internet not working again, are you messing about on that internet thing again" every time was the straw that broke the camel's back ! 

So I gave up and I am now using Eddie. I have it set up to lock the internet when VPN goes down. For qBittorrent I set it under the advanced settings to only use the VPN network connection.

Good luck

Do you get full speed with eddie while using qbittorent/torrents?

I say this since I have virgin media and when torrenting have an issue with the speed basically dropping by 80-90%(solved by using a different VPN and unsafe Wireguard). Remember with your torrent app you should have utp disabled and TCP enabled only, port forwarding set up correctly,upnp disabled and tweak your download and upload ratio etc (try 1 download/3 upload then increase).

If you are getting no speed issues with eddie then ignore the above



I did not notice any major speed drops when I used pfsense and pfsense_fans original guide (out dated) but I did use some of nguvu guides updated openvpn page settings here:

https://nguvu.org/pfsense/pfsense-baseline-setup/


Naturally with torrents I still had the same issue (openvpn issue), but also found virgin media do still have another type of throttling effect it's called high utilization, which is similar they simply cut your speeds by 50-90% during peak times only UK customer support know it exist if they transfer you to the indian call centre they just do the reset help desk which doesn't do much. You would know if you're in a high utilization area if you're in an older VM area post code (ie had it for 20-30 years+) or BT does not have fibre optic in your street so the entire rest of your street are hogging the VM bandwidth causing high utilization.

Test during mornings, afternoons but after 4pm-11:59pm that issue can pop up I found. Also try different UK airvpn servers there are a couple that give half the speed so try one's in manchester or london etc

If the above does not apply to ignore it again, I found the easiest way or more newbie friendly way was just to ditch pfsense and get the Asus 86u router (dual core 1.8ghz with AES), once merlin firmwares installed, takes 15-20 mins to set up airvpn and add your devices connected to the airvpn network (I have about 6) and you can set which device you want to use Airvpn or Clearnet ie VM cable box to clearnet or main desktop pc to airvpn, mobile phone to airvpn etc, max out my speeds easily with Virgin.

Not saying you need to do the above but sometimes you gotta switch things up.




 

[BuiltOnSelfSuccess 1]

On 6/25/2020 at 8:49 PM, Lee47 said:

Do you get full speed with eddie while using qbittorent/torrents?

I say this since I have virgin media and when torrenting have an issue with the speed basically dropping by 80-90%(solved by using a different VPN and unsafe Wireguard). Remember with your torrent app you should have utp disabled and TCP enabled only, port forwarding set up correctly,upnp disabled and tweak your download and upload ratio etc (try 1 download/3 upload then increase).

If you are getting no speed issues with eddie then ignore the above



I did not notice any major speed drops when I used pfsense and pfsense_fans original guide (out dated) but I did use some of nguvu guides updated openvpn page settings here:

https://nguvu.org/pfsense/pfsense-baseline-setup/


Naturally with torrents I still had the same issue (openvpn issue), but also found virgin media do still have another type of throttling effect it's called high utilization, which is similar they simply cut your speeds by 50-90% during peak times only UK customer support know it exist if they transfer you to the indian call centre they just do the reset help desk which doesn't do much. You would know if you're in a high utilization area if you're in an older VM area post code (ie had it for 20-30 years+) or BT does not have fibre optic in your street so the entire rest of your street are hogging the VM bandwidth causing high utilization.

Test during mornings, afternoons but after 4pm-11:59pm that issue can pop up I found. Also try different UK airvpn servers there are a couple that give half the speed so try one's in manchester or london etc

If the above does not apply to ignore it again, I found the easiest way or more newbie friendly way was just to ditch pfsense and get the Asus 86u router (dual core 1.8ghz with AES), once merlin firmwares installed, takes 15-20 mins to set up airvpn and add your devices connected to the airvpn network (I have about 6) and you can set which device you want to use Airvpn or Clearnet ie VM cable box to clearnet or main desktop pc to airvpn, mobile phone to airvpn etc, max out my speeds easily with Virgin.

Not saying you need to do the above but sometimes you gotta switch things up.




 

I don't do any torrenting, my issue with speed is purely just with normal day to day use

I've managed to make progress as I've been getting some fantastic mentoring.

I have an Asus RT-3200 with Asuswrt-Merlin firmware just as a wireless AP as it's processing power couldn't handle my VPN speeds. This is being taken out of my setup and being replaced by a Ruckus R710 AP, together with a Cisco SG300-10PP switch as per the advice I received so some hardware changes were required on my part.
I was also advised to make use of VLANs hence the Cisco managed switch this meant that I had to get an additional nic installed into my Jetway JBC313 which runs pfSense, this was challenging but I managed to overcome the issue albeit not within the casing.
My pfSense setup and Cisco switch configuration now matches the brilliant guides produced on https://nguvu.org.

I've yet to receive my Ruckus AP but will see how things work out and post back the results.

[AtariSoul 0]

Hello All 😁

I checked out https://nguvu.org and they certainly have updated their instructions it looks excellent now in greater detail. I wish this update was available earlier as I might have tried this first before givinging up !

I do get good speeds using qBittorrent and yes I agree Virgin do traffic shaping even though they say they don't.

I tried various settings when using Eddie and I got better speeds using UDP Port 2018. I don't think speed test helps when testing VPN as it tries to find the nearest server to your VPN location. Interestingly Virgin disappears from the list of servers to test when using VPN.

I use NewsHosting UseNet and thats how I test my speed as the downloads are at full bandwidth, whereas torrents are only as fast as the peers you're downloading from.

Eddie is great, the only annoying thing is you have to remember to close it down before rebooting etc. I did set it to force close when logging off, but it can leave your PC's network adapter in a locked state which is worse to fix than forgetting to close it down.

All the best

[BuiltOnSelfSuccess 1]

On 6/28/2020 at 8:57 AM, BuiltOnSelfSuccess said:

I don't do any torrenting, my issue with speed is purely just with normal day to day use

I've managed to make progress as I've been getting some fantastic mentoring.

I have an Asus RT-3200 with Asuswrt-Merlin firmware just as a wireless AP as it's processing power couldn't handle my VPN speeds. This is being taken out of my setup and being replaced by a Ruckus R710 AP, together with a Cisco SG300-10PP switch as per the advice I received so some hardware changes were required on my part.
I was also advised to make use of VLANs hence the Cisco managed switch this meant that I had to get an additional nic installed into my Jetway JBC313 which runs pfSense, this was challenging but I managed to overcome the issue albeit not within the casing.
My pfSense setup and Cisco switch configuration now matches the brilliant guides produced on https://nguvu.org.

I've yet to receive my Ruckus AP but will see how things work out and post back the results.

It would seem that as well as implementing the baseline configuration, it was suggested that I also implement multi VPN: https://nguvu.org/pfsense/pfsense-multi-vpn-wan/
I'm now (80% of the time) seeing speeds over 180mbps and on some occasions close to 200mbps, a vast improvement on my previous 20mbps speed!