Everything posted by go558a83nk

  1. gigabit fiber with latency to server at around 7ms, low server use, ISP and other transit cooperates, I can achieve 800+ Mbit/s with wireguard on pfsense. I've seen openvpn manage about 600mbit/s but it's much more rare in my experience.
  2. I didn't know any VPN providers also have public DNS servers. Which ones do?
  3. Using something like TCP 443 is slower than 5mbps? Do you have another choice of ISP?
  4. If you're using merlin asus and set the openvpn config in policy routing mode there's an option to not allow traffic if the VPN goes down. I'd use policy routing mode, set the DNS option in the openvpn config to exclusive and not put AirDNS in the WAN settings.
  5. *if* you're using IP address in the VPN server field instead of a domain then putting 10.4.0.1 in the WAN DNS setting might be OK. Because there's no domain to resolve the router doesn't need to reach 10.4.0.1 prior to connection.
  6. for Asus merlin set WAN DNS to something other than the VPN DNS (10.4.0.1) and in the openvpn configuration set the DNS setting to exclusive. Then it'll switch to VPN DNS when the VPN connects. 10.4.0.1 won't work unless you're connected to VPN because 10.4.0.1 is only accessible through the VPN not from public.
  7. See threads like this one for help.
  8. The one (?) valid problem I've seen with m247 is evidence (in this forum) that some of their servers aren't actually where they say they are.
  9. looks like this is all confusion around which entry IPs are tls-crypt and which are tls-auth. tls-auth entry points use sha1. tls-crypt entry points use sha512 and tls encryption+auth. so, keep an eye on which config you make. details matter.
  10. Really thrilled with the wireguard speed. That's me on Mensa. https://i.gyazo.com/277f20acfb21cea8c41a8db164713063.png
  11. No, that's not being hostile. That's a gentle reprimand for believing *torguard's marketing* because it seemed to me you were saying that you didn't get the speed torguard advertised. Now I see that you do get better speeds with them. By the way, I run pfsense too and have run wireguard on it since it became publicly available a couple weeks ago. Somewhere on the forum here you'll also see some posts of mine with a speedtest using wireguard. At the time I was told it was a new record. So, that's why I encouraged you to try it. With openvpn Air found that the 10gbit/s servers weren't as efficient as several 1gbit/s servers. I've seen a post detailing their findings. But wireguard may change that paradigm. Since wireguard is more efficient with CPU usage, and many people will have systems that can saturate 1gbit/s home internet using wireguard, VPN providers may have to trend towards 10gbit/s servers to meet the demand for speed. But I'm no network engineer so what do I know.... And even if VPN servers do get more speed capability it still depends on what ISP/transit/peerage actually allows. edit: your brother getting gig VPN to your homemade server is a great example of what I mean by ISP/transit/peerage allowance. Since you're both on the same ISP there's no bottleneck. But transiting outside your ISP likely leads to bottlenecks more or less depending on which networks are traversed. edit2: why aren't you running VPN on the pfsense box itself? and, with wireguard in eddie can you manipulate mtu and mss? if so, try 1420 for both or tune them for your network. sometimes that's a problem with wireguard.
  12. why on earth do you think you'll magically get better speed with any VPN because they flip a switch for you or say the right words in marketing (torguard)? speed is heavily dependent upon protocol and what the network route allows. try wireguard in that case. Here with air there are a couple servers that are 10gbit/s. have you tested those to prove to yourself that it's not a server load issue that won't be fixed by a dedicated server?
  13. I'm not following. UDP ports are blocked by an institution level firewall, and I have never been able to obfuscate it using UDP tunnels with any VPN service provider - I've tried several besides AirVPN in the past. I get almost no throughput on UDP with OpenVPN or Wireguard. This has always been the case. With Eddie I have to use TCP server entry points or I can't establish a connection to anything. It sounds like your ISP or something on your network is harsh to UDP traffic if TCP VPN tunnels are faster.
  14. I opened UDP port 1637 on the router that's behind a W10 machine, and WG worked fine through Eddie. I'm not sure if that port needs to be open or not on your end - worth a shot if nothing else works. don't open a port on your router for eddie. it's not needed for anything if everything's going through the VPN tunnel.
  15. you might want to just use wireguard on pfsense. No doubt it'll be faster for you. This is the video I used to help me set up wireguard. https://www.youtube.com/watch?v=wYe7FzZ_0X8
  16. You need to create another "device" which will allow you to generate configs with a different tunnel IP address. https://airvpn.org/devices/ As far as changing the /10 to /32 I do that in the interface settings of the wireguard tunnel. First I set up tunnel and peer for wireguard handshake, then set up interface and gateway for that wireguard tunnel.
  17. re my above post. I changed the tunnel addresses from /10 to /32 and it works. however, I was pulling my hair out trying to figure out why my second tunnel wasn't working even after the tunnel addresses didn't overlap. server was Chameleon. turns out when I tried to use Leo instead it works. So perhaps something is wrong with Chameleon wireguard?
  18. I want to add a second wireguard tunnel/peer setup on my pfsense box, using a different device as set up in my AirVPN account. The different device gives me a different, unique interface address for wireguard configs. However, it still overlaps in network address space with the other address for my other "device" so pfsense doesn't allow me to add it. (The /10 address is a very large address range!) Is there any solution to this so that I can have multiple wireguard tunnels running?
  19. I see in my email that you asked about port forwarding. It should work but you'll have to mess with iptables or something on your router. Can't use the router GUI. Or if you had iptables working for openvpn you'll have to change the rules for wireguard.
  20. I got this with the new wireguard implementation. https://www.speedtest.net/result/12249912075.png
  21. I got this on my pfsense box just now. Very nice. May have even been a little limited by my traffic shaper. https://www.speedtest.net/result/12249912075.png
  22. That CPU does have AES-NI which is important for good speeds with openvpn. But running it in a VM may keep AES-NI from getting used? I don't know. You could try to use the chacha20 data cipher option that AirVPN supports if your client supports it. It's usually faster on weaker devices.
  23. It's probably a bottleneck on your CPU but without knowing what the CPU is in the device I can't say for sure.
  24. does check.airservers.org only resolve if we're using AirDNS?