go558a83nk

sha1 is what you use with entry IP 1 and 2. sha512 (and tls encryption and authorization) is used for entry IP 3 and 4 configs.

I'd say that your stunnel isn't actually running or your openvpn setup is not pointing to the port at which stunnel is listening.

There's no need to manually set 10.4.0.1. Just tell set your VPN client settings to use the pushed DNS exclusively. It'll change it automatically upon connect. Use OpenNIC for the DNS settings in the WAN section. That'll allow you to resolve domains when the VPN isn't connected and for devices that don't go through the VPN if you use the policy routing option.

Yes, this is what I do for downloading big files. It's rare that I'm able to hit that 500+ mark from a single connection both because my ISP and intermediate networks just aren't "allowing" it, or because the VPN server isn't up to it. But when spread out it's much easier. That said, some endpoint servers won't allow you to multi wan and it won't help with bittorrent either.

I disagree, but I'm open to suggestions, please advice on the configuration I would need to max out my 500 Mbit connection with OpenVPN. I built a pfsense box with an AMD A6-7400K CPU back in 2015 for $121. Later I added an intel dual NIC for another $40 or so since the realtek NICs I was using weren't the best. It does 600mbit/s openvpn from a single server in a multi threaded download, if the network "allows" it.

It doesn't take much actually. An x86 processor with AES-NI in pfsense can do it if the network between you and the vpn server allows. Most of the time though the network will be the limiting factor, not the CPU.

I already explained it. It doesn't matter what openvpn service you use. It's an option that Merlin Asus firmware has for openvpn clients.

That network lock is for their own routers with their own software on it. But likely it's nothing more than a set of iptables rules which are nothing special. Use the very nice merlin firmware for asus routers and its policy routing with "kill switch" and you can use it with whatever VPN provider you like and don't have to pay extra for an express vpn branded router.

You're using the wrong entry IP. You're setting up to use tls-crypt so you need to use entry IP 3 or 4 and make sure you have a tls-crypt config for the proper tls key. For Triangulum that's 185.200.116.133 and 185.200.116.134. I'd also leave key direction at default, use AES-256-GCM, set comp-lzo yes though compression will be turned off via the push from the server, turn on UDP fast I/O, turn on explicit exit notify, and increase the send and receive buffers from default.

ha! No need to explain. I do the same thing in pfsense. I just have never heard of it being done in windows and I didn't know you could run multiple instances of wintun.

What is "side-by-side triple mode" ?

have you tested any other vpn?

I've seen different routes to servers in the same datacenter. Are you sure they're the same? When you're comparing mullvad vs Air are you using the same VPN protocol at the same port?

I wish I could help but I have no idea.

That stunnel.crt is actually a CA. But it's a good question I'd like to know the answer to as well.

PIA is pulling out of HK. If they do, then surely Air will.

Solid wifi performance does not equal solid openvpn performance. If you want good openvpn performance get the asus AC86 (eighty six) and install Merlin firmware. It's got an AES-NI CPU so it'll rock openvpn.

Could this be firefox using it's built in DNS over HTTPS?

I think you'll need to give some details on the way you use qbittorrent and AirVPN. Are you keeping AirVPN running 24/7 ? Are you using the network lock?

I know this. What I'm saying is that removing TCP doesn't make UDP faster but that's what you imply. People who complain about openvpn being slow have already tried UDP as that's the default protocol with AirVPN and every other VPN I've tried. They're typically only using TCP if their network requires it.

Saying that wireguard gained performance by eliminating TCP is like saying my car got faster because I removed low gears. Physically impossible and it's just silly. Wireguard is supposedly faster because of its modern protocol and the fast chacha20 data cipher and that's comparing UDP vs UDP.

You'll probably need to SSH into the router to paste the proper iptables according to the above guide. With stock asus you'll have to do this every reboot of the router. If you got merlin asus you may be able to automate this using scripts saved in jffs .

If you're connected to a server with plenty of bandwidth left and you get intermittent good speed then any speed fluctuation is your ISP. I see it too and it's all down to my ISP changing routes or something along the way being congested.

those are old settings. AES-256-GCM is faster. and SHA512 is for tls-crypt configs.

Where do you have the send and receive buffer at? Have you tried different ethernet cables to the pfense box?