Netgate Discussion Forum

    Packet loss when download and TCP connection error

    13 Posts 3 Posters 596 Views
    • GertjanG
      Gertjan @mavenhalo
      last edited by

      @mavenhalo

      Why alternate between UDP and TCP ?
      Why not : make one work.
      Then, when done, make the other work (create a new instance)

      Your logs look fine.
      But mtu values bigger than 1500 .... are you sure ?

      Packets leaving your native WAN interface are probably a bit lower than 1500. So, encapsulated packets like the ones sent to a VPN server must be smaller.

      General advice : your NordVPN is probably not using OpenVPN 2.5.4, but another version. It could even be the older 2.4.x series.
      This means you have to visit the official OpenVPN documentation, and see what you have to choose : "comp-lzo" did change in the newer 2.5.x series.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • M
        mavenhalo @Gertjan
        last edited by

        @gertjan

        I have packet loss with UDP and can't find the solution, so I also try TCP until one of them works.

        I didn't set an MTU value bigger than 1500. I set 1500 on the OpenVPN client like the value which is in the document of NordVPN for pfSense 2.4.5.
        I also set 1500 directly on the OpenVPN interface.
        So I don't understand why there is an MTU of 1656 in the log ?

        My custom options are :

        tls-client;
        remote-random;
        tun-mtu 1500;
        tun-mtu-extra 32;
        mssfix 1450;
        persist-key;
        persist-tun;
        reneg-sec 0;
        remote-cert-tls server;
        
        • GertjanG
          Gertjan @mavenhalo
          last edited by Gertjan

          @mavenhalo said in Packet loss when download and TCP connection error:

          tls-client;

          When using a VPN 'thing', always double check the settings.
          Have a look here /var/etc/openvpn/clientx/ where x can be 1,2, etc.
          You find several files, and among them the famous config.opvn

          Open the file, and check the content.
          You will probably find a first "tls-client", as you are setting up an OpenVPN client, so the next tls-client line (which is part of your custom config) isn't needed.
          While you see the file, check other options for doubles and other awkward stuff.

          Remember : this is OpenVPN. Using a GUI is nice, but it always boils down to 'a config file'.

          Btw : I'm not using Nord, but Express.
          My custom settings are :

          remote-random;
          pull;
          comp-lzo;
          verify-x509-name Server name-prefix;
          remote-cert-tls server;
          key-direction 1;
          route-method exe;
          route-delay 2;
          tun-mtu 1500;
          fragment 1300;
          mssfix 1450;
          

          Double check the usage of :
          tun-mtu-extra 32; <= never saw this one before
          persist-key; <= probably also already included - so remove them from your custom config
          persist-tun; <= idem
          reneg-sec 0;

          If the Nord instructions are for a pfSense 2.4.5, then keep in mind that these are valid for a (very) old OpenVPN version, as said, an earlier 2.4.x.
          Try finding instructions for a more recent pfSense version (using OpenVPN 2.5.4).

          I'm a bit perplexed about your mtu values. They seem 'not logical' to me.

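The check for doubled options suggested in the post above can be scripted. This is an added example, not code from the thread or from pfSense: it lists directives that occur more than once in a client config and goes one step further by marking repeats whose values disagree. The `REPEATABLE` list, the function names and the sample config are assumptions made for the illustration.

```shell
# Added example: find repeated directives in an OpenVPN client config.
# Directives that may legitimately repeat (assumed list, extend as needed).
REPEATABLE='remote|route|route-ipv6|push|setenv|dhcp-option|pull-filter'

# dup_directives [FILE] -> "directive count same|conflict", one per line.
dup_directives() {
    awk -v ok="^($REPEATABLE)\$" '
        /^[ \t]*<\//  { inblock = 0; next }   # end of inline <ca>, <tls-auth> ...
        /^[ \t]*</    { inblock = 1; next }   # start of an inline block
        inblock       { next }                # skip embedded key material
        /^[ \t]*[#;]/ { next }                # comment lines
        NF == 0       { next }
        {
            sub(/[ \t]*;?[ \t]*$/, "")        # trailing ";" as typed in the GUI
            if ($1 ~ ok) next
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", val)
            n[$1]++
            if (n[$1] == 1) first[$1] = val
            else if (val != first[$1]) differ[$1] = 1
        }
        END {
            for (k in n) if (n[k] > 1)
                printf "%s %d %s\n", k, n[k], (k in differ) ? "conflict" : "same"
        }
    ' "${1:--}" | LC_ALL=C sort
}

# Constructed sample: a generated config followed by custom options like the
# ones in the thread (host names and the second tun-mtu value are made up).
sample_config() {
    cat <<'EOF'
persist-tun
persist-key
tls-client
remote vpn1.example.invalid 1194 udp4
remote vpn2.example.invalid 1194 udp4
tun-mtu 1500
<tls-auth>
constructed-key-material
</tls-auth>
tls-client;
persist-key;
persist-tun;
tun-mtu 1400;
EOF
}

sample_config | dup_directives
```

On the firewall, pass the generated config file from the directory named in the post as the argument instead of piping the sample.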
          • Cool_CoronaC
            Cool_Corona
            last edited by

            How big is your bandwidth and is the download using all of the bandwidth??

            • M
              mavenhalo
              last edited by

              I will check my config file.

              My bandwidth is about 400Mb/s down and 300Mb/s up.
              Through the VPN, I notice a bandwidth of 200Mb/s down and 120Mb/s up.

              • M
                mavenhalo @Gertjan
                last edited by

                @gertjan

                I have checked the config file.
                I found only these duplicate lines that I have removed from my custom options :

                tls-client;
                persist-key;
                persist-tun;
                

                I tried to remove tun-mtu-extra, same behavior.

                Can the problem come from something other than the OpenVPN configuration ?

                • GertjanG
                  Gertjan @mavenhalo
                  last edited by Gertjan

                  @mavenhalo said in Packet loss when download and TCP connection error:

                  Can the problem come from something other than the OpenVPN configuration ?

                  The problem is : a conflicting configuration between VPN server (Nord) and the client - pfSense.
                  As said, I'm not using Nord myself, but I have a working Express ( not sure - read on ) OpenVPN client setup.

                  When I start mine, I can't really use it, as I did not complete the routing part.
                  But, I can use the active OpenVPN client interface to ping with it :

                  70173cd6-5bba-4f05-b58d-fb62cfa2a3d8-image.png

                  The 330 ms delay is due to the fact that I'm using a VPN server from "usa-sanfrancisco-ca-version-2.expressnetw.com" which is not really in my neighbourhood ;)

                  edit :

                  nordvpn with pfSense

                  Forget about the links that mention 2.4.5 (ancient, dangerous ....) or even 2.5.0 (also old) or even 2.5.2.

                  Look for specific pfSense 2.6.0, use no other ones.

                  [Rambling : start]

                  If there is no info, then it might be the case that the OpenVPN version that Nord uses isn't the stock OpenVPN ( from here ) as that is the place where pfSense got it from.
                  Nord can have their own 'adapted' build as they only need to make it work with their own 'App', the one you install on your PC or Mac or Phone.
                  I didn't check their support sites, but, if you can make it work with your 'router', then great for you. If not, they don't care, as that isn't their goal.
                  Their goals are : Make money. Spend less on support. Tell support that they should tell the customers : install the App. For the rest, you are on your own aka non supported.

                  By now you start to understand that you can't choose a VPN by watching a Youtube video, and that there is more than 'price'.
                  (Your) questions like : "you support my router ," should be number one.

                  [Rambling : stop]

                  Still, I think OpenVPN is possible.

                  Btw : Nord supports WireGuard ? Never used that one myself, but give it a go, as it is waaaaaay simpler to set up.

                  Also : you have seen https://techshielder.com/how-to-setup-and-use-nordvpn-on-pfsense I presume.

                  but you already saw that half of this :

                  0e2c8499-05b5-40f4-9294-c370316a623b-image.png

                  is a bit BS.

                  So, I tend to ask myself : what about the rest ? ;)

                  Btw : https://techshielder.com/how-to-setup-and-use-nordvpn-on-pfsense looks nice, but there are NO intermediate tests, like : when done this, test this, and it should work.
                  So you can't know what went wrong where.
                  And because you and I don't know shit about VPN anyway (I'm pretty for myself), we could also be typing pure Chinese characters from a web page, we're lost.

                  Here is one for free :
                  When you reach step 12, do the ping test first as I've shown above.
                  You will know if the tunnel is up (not usable for traffic, but up) - see my example.

                  Also : who is 103.86.96.100 ? is it safe ?

                  Isn't the default resolving not just fine ? Just route all resolver traffic over the VPN connection, and done.
                  IMHO : Don't mess with DNS, the out of the box DNS works fine, things often go downhill when people start to enter their own DNS choices (and then it's pfSense's fault of course).

                  edit : sorry, no mega helpful here.

                  • M
                    mavenhalo @Gertjan
                    last edited by

                    There is something I don't understand.

                    When I download from my server, I see loss on the VPN gateway in pfSense.
                    But, is it packet loss from the data I download, or a saturation (bandwidth, CPU, etc...) of pfSense with a consequence in the monitoring of the gateway ?

                    How can I know if my transfer of data had lost packets ?

                    ps : I have a Qotom with a core i5-4210U and 8GB

                    • GertjanG
                      Gertjan @mavenhalo
                      last edited by

                      @mavenhalo said in Packet loss when download and TCP connection error:

                      How can I know if my transfer of data had lost packets ?

                      When you use your VPN, start a ping like this :

                      ping www.google.com -t
                      

                      Now, do a download test with a navigator, or start downloading something big, from a source that has 'infinite' output. Try to install the WorldofTanks game from wargaming.
                      You will most probably see packet and thus ping packet loss.

                      One thing that you can't really test : the output of your VPN server, your VPN ISP, they all say they give you 'a lot'. But they actually share the outgoing bandwidth among all connected clients. And once the pipe is full, everything gets throttled.
                      Also : the VPN is most probably UDP, and that traffic can get discarded : packets (and pings) get lost. Traffic will be retransmitted and reassembled to the correct info of course.

                      • Cool_CoronaC
                        Cool_Corona
                        last edited by

                        When you fill your pipe on the VPN with a DL then packet loss will occur.

                        Everything else is getting throttled.

                        Also a normal DL on the connection that fills the pipe will see packet loss.

                        That's why people tend to use bandwidth limiters for the services so this doesn't occur.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.