Looking for ways to obfuscate OpenVPN traffic from PFSense to Private Internet Access to avoid throttling - Socks5 Proxy the way??
-
Hello,
I'm using PIA and OpenVPN on my PFSense Firewall to connect through Virgin Media in the UK.
Virgin Media are throttling the VPN connection which means I'm rarely able to get over 60 Mbps over VPN, despite getting over 450 Mbps off VPN on my Netgate SG-3100. I have tried the various Openvpn ports supported by PIA (UDP ports 1197, 1198; TCP ports 501, 502) to try and obfuscate the traffic but all operate less than 60Mbps.
I wanted to try the PIA Socks5 Proxy however I can't get it to connect at all. I've tried the setting attached in the screenshot, with both basic and ntlm auth, and a variety of IP's which are returned in an nslookup of proxy-nl.regions.cluster.piaservers.net.
I have the following config added in the custom options section of the OpenVPN config page.
socks-proxy 77.247.xxx.xxx 1080 /tmp/sockspass1.txt
socks-proxy-retry
proto tcp-clientHowever I get the following errors in the OpenVPN log
Jan 5 13:17:20 openvpn 75134 TCP connection established with [AF_INET]77.247.xxx.xxx:1080
Jan 5 13:17:20 openvpn 75134 recv_socks_reply: Socks proxy returned bad reply
Jan 5 13:17:20 openvpn 75134 SIGUSR1[soft,socks-error] received, process restarting
Jan 5 13:19:12 openvpn 75134 SIGTERM[hard,init_instance] received, process exitingIs there anything else I'm missing?
And, is there a better way of evading the vpn identification from Virgin Media on PFSense that you're aware of? -
Have you tried TCP to a commonly used browser port, such as 80 or 443?
It's unbelievable that an ISP would throttle a VPN in this day & age.
-
@JKnott Private Internet Access only use TCP 501 or 502 for OpenVPN unfortunately
I agree with you comment, it's a little odd that they would throttle so much nowadays when I'm paying for a gig connection, however from reading online they seem notorious for it.
-
Maybe it's time to look for another ISP. The only throttling I have to worry about is on my cell phone, when I go past 90 GB. I have never even come close to that amount.
-
@cotton I don't have a direct solution to your issue but are you sure they are throttling it? I have a box on a VM 'fibre' connection routed via WG to a VPS which easily manages over a 100MBps on transfers. Their first level support is notoriously shite so you may need to get to their advanced teams, if you haven't had any luck so far.
-
@cotton I am with @Popolou are you sure they are throttling, do you have some links to others discussing this throttling on this isp.. If they were going to throttle it why not throttle to like 2mbps or 10mbps.. 60 is pretty high throttle to be honest. You sure just not a limitation of the vpn, or hardware, etc. Have you tried say from client through pfsense? Have you tried maybe the wireguard option that pia offers?
I just don't get why an ISP would bother throttling such access? You pay for X amount of bandwdith, what does it matter if you use the bandwidth through a vpn or native.. The bandwidth is still being used, what does the ISP gain from throttling the connection?
have you tried other pops that pia has - maybe its just a bad peering from your isp to get to whatever connection your using..
-
@cotton - I have had a very similar experience lately. I was not sure who was to blame for it, me, my ISP or PIA
Keep in mind, I like to tinker and not knowing what I am doing all the time, or not being sure about a configuration choice, sometimes I just assume or guess; that is my ADHD nightmare - sometimes : -).
I had changed the settings more than a few times in trying to get faster speeds.
I was using wire-guard at PIA's suggestion and it was not slow, but not as fast as I thought it should be either.
(from ISP 150/30 and I was getting approx. 60Mbps down)
After multiple configuration changes, I just set it reset everything to default in order to start over.Then I had a thought, well, PIA defaults the installation of their VPN client to use wire-guard, with a mid-range encryption, I always select the highest encryption I can get.
Anyhow - I thought, if they are defaulting to wire-guard and their tech support recommends it as a troubleshooting step, then how many of their customers are using openVPN? (which I trust more, at this point in time.)
So, I set it to openVPN protocols, default port, highest encryption I could get, and did my test.
Voila! Back to normal's speeds. (approx. 142/27)
I did checked wire-guard and it was also back to normal.I also noticed, and this could be imagination, although I noticed it with ExpressVPN to, that connecting via openVPN was not so much slower than wire-guard now either - wire-guard faster connection routine is supposed to be a big improvement and a GREAT reason to drop openVPN according to almost everyone I have ever heard discuss the two VPN protocols.
When I connect using wire-guard its approx 2 seconds to completed connection.
When I use openVPN its approx 3 seconds to completed connection.This is using the scientifically proven 1000-1, 1000-2,1000-3 method of course so take for what it is.
If it helps I was not distracted at all for at least 4 seconds....
If it were me, I'd just reset to default and test and if necessary, remove the PIA client, reset IP and so on and reinstall and test.
Other than that, greater minds in this thread prevail.
Cheers man - Hope you get it worked out soon.
-
I understand guys, I doubted myself for a while on this one as I just couldn't imaginge such restrictions in this day and age, but I am absolutely certain it's the ISP.
I have Cat6 cabling throughout my house, and this PC is cabled into an Gig Ethernet switch which connects the my Netgate SG-3100. (I have tried connecting directly into the SG-3100 too to rule that out.)Testing using fast.com I get the following result by changing the Firewall RULESET ONLY. Everything else is the same, I'm literally routing the traffic for this PC out of a the WAN or VPN by changing the gateway on the rule, validating using a whats my IP service then re-running the speed test.
Test 1 - Specific rule sending it straight to WAN
Internet IP address 86.5.1x.xxx VMB UK
460 Mbps
760 Mbps
520 MbpsTest 2 - Reintroduced rule sending it down the PIA NL OpenVpn Gateway in PFSense
Internet IP address 181.214.206.247 PIA Netherlands
7.7 Mbps
5.7 Mbps
10 MbpsTHIS IS WHERE IT GETS INTERESTING
Test 3 I went back to the rule routing traffic straight out the WAN and connected to the PIA Netherlands VPN thorugh the Windows Client.
Windows client setting using OpenVPN, UDP, AES-128-GCM
Internet IP address is 89.149.24.177
5.4 Mbps
5.9 Mbps
4.8 MbpsSticking with the windows client and tweaking the settings:
With Shadowsocks enabled in the Windows client = 11Mbps
With PIA's own Socks5 proxy set in the app (proxy-nl.regions.cluster.piaservers.net [77.247.181.210]) - 4.3 Mbps
DISCONNECT FROM THE VPN APP > Retest > 660 Mbps
Absolutely doing my nut in. Any ideas great welcomed.
-
@cotton Which is the VM box incidentally and are you running it in bridged mode?
-
@Popolou It's the Hub 5 and yes, running in bridged mode with a single Cat6 cable from the router into the SG-3100 WAN port.
-
@cotton said in Looking for ways to obfuscate OpenVPN traffic from PFSense to Private Internet Access to avoid throttling - Socks5 Proxy the way??:
THIS IS WHERE IT GETS INTERESTING
Test 3 I went back to the rule routing traffic straight out the WAN and connected to the PIA Netherlands VPN thorugh the Windows Client.
Windows client setting using OpenVPN, UDP, AES-128-GCM
Internet IP address is 89.149.24.177
5.4 Mbps
5.9 Mbps
4.8 MbpsPlug a laptop directly into the VM box and use PIA's client to connect to the VPN network over TCP 443. Worth to see if that makes a difference.
-
@Popolou Thanks for the suggestion, that's the same unfortunately.
A couple of questions:
-
Is there a way to configure an authenticated SOCKS5 proxy in the OpenVPN client config page? That way I can use the PIA SOCKS5 proxy to route traffic over
-
Is there any plans to allow "scramble obfuscate" to be used within the custom options of the OpenVPN client config page in PFSense?
-
-
@johnpoz said in Looking for ways to obfuscate OpenVPN traffic from PFSense to Private Internet Access to avoid throttling - Socks5 Proxy the way??:
Have you tried maybe the wireguard option that pia offers?
Did you get a similar result?
-
@Popolou Ideally that's what I'm after doing from the PFSense box. From reading online PIA don't offer the option to export manual config files for Wireguard directly from the site and you need to do something from a Linux box to extract the Public & Private keys.
I'm useless with Linux so I'm currently trying every other way possible before attempting :)
-
-
@Popolou Sorry I see what you mean, yes Wireguard is miles faster than OpenVPN when using the PIA app.
I connect to UK Manchester with OpenVPN UDP configured in the settings and I get 74 Mbps max. Connecting to the same region via Wireguard and small packets I can get 312 Mbps, and as a control test, with no VPN connected I get 762 Mbps.
So VMB still throttling the Wireguard traffic, but it's over four times faster than OpenVPN so seems like a sensible trade-off.
-
@cotton Yes, i'd agree with that. You may want to find a crash course in linux after all!
Curiously, that speed discrepancy between OVPN and WG would suggest something else at play here than throttling. What i mean to say is that those two speeds would more likely have been quite similar if there was an intention to restrict VPN use across the VM network.
-
@Popolou Ok so I put my big boy pants on and installed Ubuntu on a Hyper-V VM. After following the instructions here (https://github.com/pia-foss/manual-connections) I was able to generate .conf files for PIA Southampton, London, Manchester and Amsterdam. From there I extracted the public and private keys to setup the tunnel in Wireguard on my Netgate device.
So far, Wireguard through Southampton is working an absolute treat for me. Still over four times as fast as when connecting to the same PIA region over OpenVPN.
-
@cotton "Great success"...if you know what i mean.
