
Does your ISP Throttle VPN  

87 members have voted

  1. Do you experience slowdowns using AirVPN?

    • No, only minor slowdown consistent with encryption overhead
      32
    • Somewhat, but speeds are still good and I am not concerned
      12
    • Yes, but it could be a problem with my configuration
      16
    • Absolutely, I've tried everything and it must be throttling
      30



I believe my ISP is throttling OpenVPN.  I have been a very satisfied AirVPN customer and until recently got good speeds.  In the last month, since switching to Fibre, I have noticed that OpenVPN connections appear to be limited to 1 Mbps.

 

I have tried changing ports (53/UDP, 80/TCP, 443/UDP, 443/TCP) to no effect.  I normally run OpenVPN on my router, so to isolate the issue, tried my other router that gives me full 15 Meg unencrypted while running the AirVPN Windows client.

 

In every case, the best I get is 1 Meg down and 10% of that up while encrypted.

 

The change seems to coincide with my ISP "resolving" evening congestion problems in my area.

 

The evidence seems strong that this is a throttling issue and not a configuration problem.

 

Is there a solution or am I condemned to take the slow lane?

 


Hello!

 

Before assuming that your ISP throttles OpenVPN please try a connection from your computer (disable OpenVPN on the router) to make a comparison test. What is your router model and which firmware runs on it? Can you post connection logs after a few minutes the router is connected? If the bandwidth remains consistent to 1 Mbit/s on all ports, this is a strong hint pointing to throttling. In this case you can obtain better performance with OpenVPN over SSH (assuming that your ISP does not throttle SSH as well).

 

Kind regards


Thanks.  I have tried a connection using the Windows client with my front-end router (which does not have OpenVPN) and get the same result.  I am running DD-WRT on a Cisco commodity router that is connected from its WAN port to the LAN on my front-end router.  Thing is, this setup was working fine, and then not.  I am not sure how to run over SSH.  Is there a clue-page?


As requested:

 


State
Server: : Local Address: Remote Address:
Client: CONNECTED: SUCCESS Local Address: 10.7.4.74 Remote Address:

Status

Log Serverlog Clientlog
20130430 11:25:15 D TCPv4_CLIENT READ [22] from 108.59.8.147:80: P_ACK_V1 kid=0 [ 36 ]
20130430 11:25:15 D TCPv4_CLIENT READ [114] from 108.59.8.147:80: P_CONTROL_V1 kid=0 [ ] pid=45 DATA len=100
20130430 11:25:15 NOTE: --mute triggered...
20130430 11:25:15 2 variation(s) on previous 3 message(s) suppressed by --mute
20130430 11:25:15 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 10.7.0.1 comp-lzo no route 10.7.0.1 topology net30 ping 10 ping-restart 60 ifconfig 10.7.4.74 10.7.4.73'
20130430 11:25:15 OPTIONS IMPORT: timers and/or timeouts modified
20130430 11:25:15 OPTIONS IMPORT: LZO parms modified
20130430 11:25:15 NOTE: --mute triggered...
20130430 11:25:15 3 variation(s) on previous 3 message(s) suppressed by --mute
20130430 11:25:15 I TUN/TAP device tun1 opened
20130430 11:25:15 TUN/TAP TX queue length set to 100
20130430 11:25:15 I /sbin/ifconfig tun1 10.7.4.74 pointopoint 10.7.4.73 mtu 1500
20130430 11:25:15 /sbin/route add -net 108.59.8.147 netmask 255.255.255.255 gw 192.168.5.1
20130430 11:25:15 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.7.4.73
20130430 11:25:15 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.7.4.73
20130430 11:25:15 /sbin/route add -net 10.7.0.1 netmask 255.255.255.255 gw 10.7.4.73
20130430 11:25:15 I Initialization Sequence Completed
20130430 11:25:15 D TCPv4_CLIENT WRITE [22] to 108.59.8.147:80: P_ACK_V1 kid=0 [ 45 ]
20130430 11:25:15 D TCPv4_CLIENT WRITE [26] to 108.59.8.147:80: P_ACK_V1 kid=0 [ 46 47 ]
20130430 11:25:25 D TCPv4_CLIENT WRITE [69] to 108.59.8.147:80: P_DATA_V1 kid=0 DATA len=68
20130430 11:25:25 NOTE: --mute triggered...
20130430 11:26:29 59 variation(s) on previous 3 message(s) suppressed by --mute
20130430 11:26:29 MANAGEMENT: Client connected from 127.0.0.1:5001
20130430 11:26:29 D MANAGEMENT: CMD 'state'
20130430 11:26:29 MANAGEMENT: Client disconnected
20130430 11:26:29 MANAGEMENT: Client connected from 127.0.0.1:5001
20130430 11:26:29 D MANAGEMENT: CMD 'state'
20130430 11:26:29 MANAGEMENT: Client disconnected
20130430 11:26:29 MANAGEMENT: Client connected from 127.0.0.1:5001
20130430 11:26:29 D MANAGEMENT: CMD 'state'
20130430 11:26:29 MANAGEMENT: Client disconnected
20130430 11:26:29 MANAGEMENT: Client connected from 127.0.0.1:5001
20130430 11:26:29 D MANAGEMENT: CMD 'log 500'
20130430 11:26:29 MANAGEMENT: Client disconnected
20130430 11:26:30 D TCPv4_CLIENT READ [69] from 108.59.8.147:80: P_DATA_V1 kid=0 DATA len=68
20130430 11:26:39 D TCPv4_CLIENT WRITE [69] to 108.59.8.147:80: P_DATA_V1 kid=0 DATA len=68
20130430 11:26:40 D TCPv4_CLIENT READ [69] from 108.59.8.147:80: P_DATA_V1 kid=0 DATA len=68
20130430 11:26:49 NOTE: --mute triggered...
20130430 11:28:47 54 variation(s) on previous 3 message(s) suppressed by --mute
20130430 11:28:47 MANAGEMENT: Client connected from 127.0.0.1:5001
20130430 11:28:47 D MANAGEMENT: CMD 'state'
20130430 11:28:47 MANAGEMENT: Client disconnected
20130430 11:28:47 MANAGEMENT: Client connected from 127.0.0.1:5001
20130430 11:28:47 D MANAGEMENT: CMD 'state'
20130430 11:28:47 MANAGEMENT: Client disconnected
20130430 11:28:47 MANAGEMENT: Client connected from 127.0.0.1:5001
20130430 11:28:47 D MANAGEMENT: CMD 'state'
20130430 11:28:47 MANAGEMENT: Client disconnected
20130430 11:28:47 MANAGEMENT: Client connected from 127.0.0.1:5001
20130430 11:28:47 D MANAGEMENT: CMD 'log 500'
19700101 00:00:00


Firmware: DD-WRT v24-sp2 (04/07/12) vpn-small
Time: 11:35:23 up 11:53, load average: 0.00, 0.01, 0.00
WAN IP: 192.168.5.50
 


Hello!

 

Thanks. Now, what happens with a connection from your computer (not from the router) to the same server, but toward port 53 UDP?

 

Kind regards


Actually, I get a "failed to start" message from the client on UDP/53.  UDP/443 starts, but is 1 Mbps slow.


OK -- here (attached) is the log from UDP/53 using the Windows client (no VPN on router).  By the way, it would be better if we could cut and paste logs so screenshots would not be required.

 

Regards and Thanks.


Hello!

 

In order to do so just click on "Copy to clipboard" and paste where appropriate.

 

The logs do not show any problem.

 

You might like to try OpenVPN over SSH to make a performance comparison which would tell whether your ISP throttles OpenVPN more or less than SSH.

 

Kind regards


The current SSH script distributed by AirVPN is intended to be interactive.  Is there a way to amend the script so that rather than relying on user input for confirmation of a connection, it can test directly from the system if the tunnel is up?


Back from a weekend away, and not giving up on AirVPN yet.  I have read various reports around the internet that my ISP (Bell Canada) throttles aggressively though they were supposed to have stopped after being ordered by the Canadian Radio and Television Commission not to.

 

What I have read is that they use deep packet inspection and if this is defeated by encryption they assume it is a torrent stream and throttle it unless it is on a standard VPN port.

 

Not sure this makes sense, but it is congruent with my experience.  Why doesn't AirVPN offer connections on standard VPN ports?  I'd love to test that out to see if I can stop this violent choking sensation.

 

As for VPN over SSH, I was able to get a SSH connection with a little bit of jiggery pokery, but never able to get OpenVPN to connect over it.  Has this been fully tested on Linux?


Hello!

 

Three years ago an Air co-founder discarded the idea to make the OpenVPN servers listen to IANA-assigned port 1194 and convinced everybody else, because it was (is) one of the first ports that VPN-hostile ISPs block or shape.  After three years, was it a wise decision or not, in your opinion? We're looking forward to any feedback about it.

 

OpenVPN over SSH has been successfully tested on various distributions, with and without any desktop manager. Which problems do you experience? Logs may help.

 

Kind regards



===============

 


07/05/2010  12:37 AM             5,372 aaw7boot.log
05/06/2013  07:42 PM               468 AirVPN_US-Sirius_SSH-22.bat
05/06/2013  07:42 PM             8,992 AirVPN_US-Sirius_SSH-22.ovpn
05/06/2013  07:42 PM             8,947 AirVPN_US-Sirius_TCP-443.ovpn
07/05/2010  12:34 AM    <DIR>          ATI
08/02/2009  06:59 PM        73,685,286 ATI.zip
08/16/2009  05:47 PM                 0 AUTOEXEC.BAT
               6 File(s)     73,709,065 bytes
               1 Dir(s)  45,611,954,176 bytes free
 

Here is the first command:


C:\>plink.exe -i sshtunnel.ppk -L 1412:127.0.0.1:2018 sshtunnel@108.59.8.147 -P
22 -N -T
Using username "sshtunnel".
 

Here is the second:

 

 

C:\>openvpn AirVPN_US-Sirius_SSH-22.ovpn
Mon May 06 19:49:20 2013 OpenVPN 2.3.0 i686-w64-mingw32 [sSL (OpenSSL)] [LZO] [P
KCS11] [eurephia] [iPv6] built on Jan  8 2013
Mon May 06 19:49:20 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or hig
her to call user-defined scripts or executables
Mon May 06 19:49:20 2013 Socket Buffers: R=[8192->8192] S=[64512->64512]
Mon May 06 19:49:20 2013 Attempting to establish TCP connection with [AF_INET]12
7.0.0.1:1412
Mon May 06 19:49:20 2013 TCP connection established with [AF_INET]127.0.0.1:1412

Mon May 06 19:49:20 2013 TCPv4_CLIENT link local: [undef]
Mon May 06 19:49:20 2013 TCPv4_CLIENT link remote: [AF_INET]127.0.0.1:1412
Mon May 06 19:49:20 2013 TLS: Initial packet from [AF_INET]127.0.0.1:1412, sid=7
14542b7 18cc6e37
Mon May 06 19:49:21 2013 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.or
g, CN=airvpn.org CA, emailAddress=info@airvpn.org
Mon May 06 19:49:21 2013 VERIFY OK: nsCertType=SERVER
Mon May 06 19:49:21 2013 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.or
g, CN=server, emailAddress=info@airvpn.org
Mon May 06 19:49:22 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized
with 256 bit key
Mon May 06 19:49:22 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1'
 for HMAC authentication
Mon May 06 19:49:22 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized
with 256 bit key
Mon May 06 19:49:22 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1'
 for HMAC authentication
Mon May 06 19:49:22 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES2
56-SHA, 2048 bit RSA
Mon May 06 19:49:22 2013 [server] Peer Connection Initiated with [AF_INET]127.0.
0.1:1412
Mon May 06 19:49:25 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon May 06 19:49:25 2013 AUTH: Received control message: AUTH_FAILED
Mon May 06 19:49:25 2013 SIGTERM[soft,auth-failure] received, process exiting

C:\>openvpn AirVPN_US-Sirius_SSH-22.ovpn
Mon May 06 19:55:54 2013 OpenVPN 2.3.0 i686-w64-mingw32 [sSL (OpenSSL)] [LZO] [P
KCS11] [eurephia] [iPv6] built on Jan  8 2013
Mon May 06 19:55:54 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or hig
her to call user-defined scripts or executables
Mon May 06 19:55:54 2013 Socket Buffers: R=[8192->8192] S=[64512->64512]
Mon May 06 19:55:54 2013 Attempting to establish TCP connection with [AF_INET]12
7.0.0.1:1412
Mon May 06 19:55:54 2013 TCP connection established with [AF_INET]127.0.0.1:1412

Mon May 06 19:55:54 2013 TCPv4_CLIENT link local: [undef]
Mon May 06 19:55:54 2013 TCPv4_CLIENT link remote: [AF_INET]127.0.0.1:1412
Mon May 06 19:55:54 2013 TLS: Initial packet from [AF_INET]127.0.0.1:1412, sid=e
5907f77 b1e0a78a
Mon May 06 19:55:54 2013 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.or
g, CN=airvpn.org CA, emailAddress=info@airvpn.org
Mon May 06 19:55:54 2013 VERIFY OK: nsCertType=SERVER
Mon May 06 19:55:54 2013 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.or
g, CN=server, emailAddress=info@airvpn.org
Mon May 06 19:55:56 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized
with 256 bit key
Mon May 06 19:55:56 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1'
 for HMAC authentication
Mon May 06 19:55:56 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized
with 256 bit key
Mon May 06 19:55:56 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1'
 for HMAC authentication
Mon May 06 19:55:56 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES2
56-SHA, 2048 bit RSA
Mon May 06 19:55:56 2013 [server] Peer Connection Initiated with [AF_INET]127.0.
0.1:1412
Mon May 06 19:55:58 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon May 06 19:55:59 2013 AUTH: Received control message: AUTH_FAILED
Mon May 06 19:55:59 2013 SIGTERM[soft,auth-failure] received, process exiting

C:\>


@airvpnclient

 

Hello!

 

As you can see from the logs it works just fine.

 

You get an AUTH_FAILED just because "airvpnclient" account is already connected to some of our servers (since hours before your message) and happily exchanging data. You can check your account status and the reason of the last failed connection attempt in your "Client Area" (login and click on "Client Area" in the upper menu).

 

Kind regards
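
An added example, not part of the original posts or of AirVPN's software: a small Python triage of a client log in the format posted above, which rejoins lines hard-wrapped by the console and reports how far the session got. The 80-column width, the outcome labels and the function names are assumptions made for this illustration; the sample log is constructed from lines in this thread.

```python
import re

# Timestamp prefix used by the Windows OpenVPN client log format shown above.
TS = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4} ")
WIDTH = 80  # assumption: the log was copied from an 80-column console

# Constructed sample: lines abridged from the log format posted in this thread.
SAMPLE = """\
Mon May 06 19:49:20 2013 Attempting to establish TCP connection with [AF_INET]12
7.0.0.1:1412
Mon May 06 19:49:20 2013 TCPv4_CLIENT link remote: [AF_INET]127.0.0.1:1412
Mon May 06 19:49:21 2013 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.or
g, CN=server, emailAddress=info@airvpn.org
Mon May 06 19:49:22 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized
with 256 bit key
Mon May 06 19:49:22 2013 [server] Peer Connection Initiated with [AF_INET]127.0.
0.1:1412
Mon May 06 19:49:25 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon May 06 19:49:25 2013 AUTH: Received control message: AUTH_FAILED
Mon May 06 19:49:25 2013 SIGTERM[soft,auth-failure] received, process exiting
"""

def unwrap(text, width=WIDTH):
    """Rejoin records that the console hard-wrapped at `width` columns."""
    records, last_len = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue  # a blank line follows a record exactly `width` wide
        if records and not TS.match(line) and last_len >= width - 1:
            # Pad to the wrap column to restore a trailing space lost there.
            records[-1] += " " * (width - last_len) + line
        else:
            records.append(line)
        last_len = len(line)
    return records

def diagnose(text):
    """Classify how far a client session got before it ended."""
    msgs = [TS.sub("", r) for r in unwrap(text) if TS.match(r)]
    has = lambda needle: any(needle in m for m in msgs)
    tls_up = has("Peer Connection Initiated")
    if has("Initialization Sequence Completed"):
        outcome = "connected"
    elif has("AUTH_FAILED") and tls_up:
        # Transport, SSH forward and certificates are fine; the server refused
        # the session afterwards (cause given in this thread: account in use).
        outcome = "auth_failed_after_tls"
    elif not tls_up:
        outcome = "no_tls_session"
    else:
        outcome = "incomplete"
    return {"outcome": outcome,
            "via_local_forward": has("link remote: [AF_INET]127.0.0.1:"),
            "server_cert_verified": has("VERIFY OK: depth=0")}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

An `auth_failed_after_tls` result means the SSH forward and the TLS handshake both worked, so the failure is on the account side rather than in the tunnel or the ISP path.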


Oops -- that's embarrassing -- forgot to turn off my tunnelling router.

 

So, got it all up and running and .....

 

... No Joy ... :-(

 

What I get is a spiky connection at between 1 and 2 Mbps.  As soon as I disconnect from AIRVPN, my speeds go back to 15.

 

Bell Canada is very tricksy.


It is beginning to look a bit hopeless for us Bell Fibre users.  I have tried the SSH workaround and Ma Bell still seems to be able to throttle.  The only thing that I have heard suggested is that Bell may not throttle on standard VPN ports, but AirVPN is not available on these ports.  Any other suggestions?


I am considering a complaint to the Canadian Radio and Telecommunications Commission and would like to have others sign on.  I am waiting for advice from the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC) (Twitter @cippic) at the University of Ottawa.  I would like to crowd-source the data and have multiple signatories to the complaint but need to think on how to generate support.


Just for the record I get 600 Mb/s from my ISP and AirVPN's American servers seem to max out at about 60 to 70 Mb/s so the server's bandwidth or speeds shouldn't be an issue.


Just sent my third party ISP the following question:

 

 

If Bell is applying Internet Traffic Management Policies (ITMPs) they are to follow CRTC Guidance (see: http://www.crtc.gc.ca/eng/archive/2009/2009-657.htm)

This includes in the case where they throttle VPN generally for both their own retail customers and for wholesale customers like NCF that they need to give NCF prior notice and in any case inform you of the :

"91. For technical ITMPs applied to wholesale services that do not require prior Commission approval, the Commission considers that a description of the ITMPs in the tariffs of primary ISPs is the best means of providing information to secondary ISPs. Accordingly, primary ISPs are required, as a condition of providing service, to issue updated tariff pages describing such ITMPs. Primary ISPs are to issue revised tariff pages, sending copies to their wholesale customers, a minimum of 60 days prior to implementing the ITMP or implementing changes to the ITMP. "

Can you confirm whether the tariff for wholesale Fibre services includes notification of VPN speed traffic management?


This is an extremely important issue that has to be dealt with by Air's engineers. If Bell can play games with not only their own VPN traffic, but also that which belongs to other providers, they can eventually kill all anonymous VPN traffic altogether. If push comes to shove at some point, they might just do that. They can just ask, "What do you have to hide?" right before dropping all unidentified VPN traffic.

