Netgate Discussion Forum

    Degraded OpenVPN connectivity to NordVPN after upgrade 2.4.5 to 2.5.2

    • meridium

      Hi All,

      I have recently updated my pfSense environment from version 2.4.5 to 2.5.2. Since then I am experiencing issues with OpenVPN. I am using OpenVPN as a client on the pfsense environment to route (almost) all traffic via NordVPN.

      My pfsense environment is a VM on Proxmox 5.3-8.

      Due to the upgrade from 2.4.5 to 2.5.2, I had to make some minor changes to the OpenVPN client, as suggested by NordVPN. I had to change the 'Fallback Data Encryption Algorithm' to AES-256-CBC and 'Allow Compression' to 'Refuse any non-stub compression (Most Secure)'. Otherwise the OpenVPN client would not work.

      Before the upgrade to 2.5.2, I first cloned the pfsense v2.4.5 environment. When I shut down the pfsense 2.5.2 environment and start the pfsense 2.4.5 environment, I am experiencing no issues with the OpenVPN client.

      The issue I experience is degraded OpenVPN connectivity. Sites download slowly. Downloading Android updates is slow on phones and tablets.
      In the OpenVPN system log I see the following messages (verbosity level 5): "Authenticate/Decrypt packet error: bad packet ID" and "PID_ERR large diff [77] [SSL-0]".

      Any suggestions would be greatly appreciated, what the cause could be or where to start investigating.

      Regards,

      Meridium

      PS: When I change the protocol from UDP to TCP, the degradation of the OpenVPN connectivity is gone. However, I do not want to change the protocol from UDP to TCP. And it should not be needed, as OpenVPN connectivity works fine on UDP on pfsense 2.4.5.
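
Added example, not part of the original post or of OpenVPN's code: in OpenVPN's packet-ID debug output the bracketed number after "PID_ERR large diff" is how far a packet arrived behind the newest ID seen, so [77] is beyond the default `--replay-window` size of 64. The simplified Python model below (IDs only, no time check; `ReplayWindow`, `deliver` and `max_backtrack` are hypothetical names and the inputs are constructed) shows such a late packet dropped at 64, accepted with a larger window, and a true duplicate rejected either way.

```python
import re

DEFAULT_WINDOW = 64  # OpenVPN's default --replay-window size, in packet IDs

class ReplayWindow:
    """Simplified anti-replay window: tracks packet IDs only, no time check."""

    def __init__(self, size=DEFAULT_WINDOW):
        self.size, self.highest, self.seen = size, 0, set()

    def accept(self, pid):
        if pid > self.highest:                 # newest packet so far
            self.highest = pid
            self.seen = {p for p in self.seen if pid - p < self.size} | {pid}
            return "ok"
        if self.highest - pid >= self.size:    # too far behind the window
            return "large diff"
        if pid in self.seen:                   # already delivered once
            return "replay"
        self.seen.add(pid)                     # late but inside the window
        return "ok"

def deliver(order, size=DEFAULT_WINDOW):
    """Return the verdict for each packet ID in arrival order."""
    win = ReplayWindow(size)
    return [win.accept(pid) for pid in order]

PID_ERR = re.compile(r"PID_ERR large diff \[(\d+)\]")

def max_backtrack(lines):
    """Largest out-of-window distance reported in the given log lines."""
    hits = (int(m.group(1)) for m in map(PID_ERR.search, lines) if m)
    return max(hits, default=0)

# Constructed input: IDs 1..100 with ID 23 delayed, then duplicated.
ARRIVALS = [i for i in range(1, 101) if i != 23] + [23, 23]
# Constructed log lines built from the two messages quoted in the post.
SAMPLE_LOG = [
    "openvpn: Authenticate/Decrypt packet error: bad packet ID",
    "openvpn: PID_ERR large diff [77] [SSL-0]",
]

if __name__ == "__main__":
    print(deliver(ARRIVALS, 64)[-2:])    # late packet is 77 behind: dropped
    print(deliver(ARRIVALS, 128)[-2:])   # late copy accepted, duplicate rejected
    print(max_backtrack(SAMPLE_LOG))     # distance to compare with the window
```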

      • DaddyGo @meridium

        @meridium said in Degraded OpenVPN connectivity to NordVPN after upgrade 2.4.5 to 2.5.2:

        Any suggestions would be greatly appreciated, what the cause could be or where to start investigating.

        Hi,

        This will be something rather different, ...... than to switch 2.5.2
        Watch this, pls.:

        [5 images not preserved]

        So, for me, NordVPN works perfectly with all versions of pfS 😉

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

        • meridium @DaddyGo

          Hi @DaddyGo,

          Thanks for the reply. Good to know that your NordVPN client is working just fine on pfSense 2.5.2.

          Just stopped my 2.5.2 pfsense and started my 2.4.5 pfsense. Will have a look at how the graph looks tomorrow. After that do the same for 2.5.2. Did not check that before.

          • jfassad

            this could be related to https://forum.netgate.com/topic/163647/openvpn-voip-interrupts-after-pfsense-2-5-1-release-installed/2?loggedin=true

            • meridium @jfassad

              @jfassad Thx for the heads up. Will have a look at the other topic.

              • meridium @jfassad

                @jfassad I see in the other topic, a probable cause and a work-around have been provided. But specific for OpenVPN servers on pfsense. My issue is with OpenVPN clients connecting to a VPN service on pfsense. So still looking for cause and a solution.

                • meridium @DaddyGo

                  @daddygo Here are some graphs/data from both 2.5.2 and 2.4.5. When comparing the graphs/data, I get the impression that 2.4.5 is having more packet loss than 2.5.2. Though I am experiencing the issues with 2.5.2...

                  2.5.2
                  [3 images not preserved]

                  2.4.5
                  [3 images not preserved]

                  So these graphs/data do not point me into a direction as where the cause could be. Or am I overlooking something?

                  • DaddyGo @meridium

                    @meridium said in Degraded OpenVPN connectivity to NordVPN after upgrade 2.4.5 to 2.5.2:

                    Or am I overlooking something?

                    Hi,

                    Sorry for my late.... :)

                    Yes, :-)
                    These measurements may not be relevant because they vary from moment to moment. (ISP load, the neighbour's dog, etc.)

                    Other people would be very happy with your results (6 / 14 ms and 7.5 / 15.4), so let it go, because everything is perfect.

                    BTW:
                    These differences depend mostly on the load on the network (I think of everything here), check between 3 and 5 at night or during peak hours.

                    +++edit:
                    do not insist on numbers so rigidly

                    • meridium @DaddyGo

                      @daddygo said in Degraded OpenVPN connectivity to NordVPN after upgrade 2.4.5 to 2.5.2:

                      Other people would be very happy with your results (6 / 14 ms and 7.5 / 15.4), so let it go, because everything is perfect.

                      BTW:
                      These differences depend mostly on the load on the network (I think of everything here), check between 3 and 5 at night or during peak hours.

                      +++edit:
                      do not insist on numbers so rigidly

                      Hi,

                      I think my last response got interpreted in a way I did not intend it to.

                      My last email with the graphs/data was not about showing how the numbers support my experience that 2.5.2 in my situation has degraded OpenVPN connectivity. But was in response to your email on September 24th. In that email you showed your graphs/data and stated that OpenVPN works just fine for you on 2.5.2. The intention of my last email with the graphs/data was exactly to demonstrate that these graphs/data do not show what I am experiencing in OpenVPN degradation and are therefore not helpful in investigating my issue with OpenVPN. Indeed when looking at the graphs/data for 2.4.5 and 2.5.2 and comparing them, there is little difference and one could think there is no issue. However, I still am having an issue with OpenVPN on 2.5.2.

                      That is why I ended my last response with 'So these graphs/data do not point me into a direction as where the cause could be. Or am I overlooking something?'.

                      So if you have other suggestions as in how to investigate, please share your thoughts on this.

                      Thank you so far!
