Netgate Discussion Forum

    Looking for ways to obfuscate OpenVPN traffic from PFSense to Private Internet Access to avoid throttling - Socks5 Proxy the way??

    • C
      cotton

      Hello,

      I'm using PIA and OpenVPN on my PFSense Firewall to connect through Virgin Media in the UK.

      Virgin Media are throttling the VPN connection which means I'm rarely able to get over 60 Mbps over VPN, despite getting over 450 Mbps off VPN on my Netgate SG-3100. I have tried the various OpenVPN ports supported by PIA (UDP ports 1197, 1198; TCP ports 501, 502) to try and obfuscate the traffic but all operate at less than 60 Mbps.

      I wanted to try the PIA Socks5 Proxy; however, I can't get it to connect at all. I've tried the setting attached in the screenshot, with both basic and NTLM auth, and a variety of IPs which are returned in an nslookup of proxy-nl.regions.cluster.piaservers.net.

      I have the following config added in the custom options section of the OpenVPN config page.

      socks-proxy 77.247.xxx.xxx 1080 /tmp/sockspass1.txt
      socks-proxy-retry
      proto tcp-client

      However I get the following errors in the OpenVPN log

      Jan 5 13:17:20 openvpn 75134 TCP connection established with [AF_INET]77.247.xxx.xxx:1080
      Jan 5 13:17:20 openvpn 75134 recv_socks_reply: Socks proxy returned bad reply
      Jan 5 13:17:20 openvpn 75134 SIGUSR1[soft,socks-error] received, process restarting
      Jan 5 13:19:12 openvpn 75134 SIGTERM[hard,init_instance] received, process exiting

      Is there anything else I'm missing?
      And, is there a better way of evading the vpn identification from Virgin Media on PFSense that you're aware of?

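The `recv_socks_reply: Socks proxy returned bad reply` line in the log above does not show which reply the proxy actually sent. As an added example (not part of the original post and not OpenVPN's code), this decodes the three replies a SOCKS5 proxy sends per RFC 1928 and RFC 1929, so the bytes seen in a packet capture of the handshake can be read; the function names and all byte strings are constructed for illustration.

```python
# Added example: decode SOCKS5 server replies (RFC 1928) and the
# username/password sub-negotiation reply (RFC 1929).
METHODS = {0x00: "no authentication", 0x01: "GSSAPI",
           0x02: "username/password", 0xFF: "no acceptable method"}
REPLIES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}

def parse_method_reply(data: bytes) -> str:
    """Reply to the client greeting: VER(0x05) METHOD."""
    if len(data) != 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 method-selection reply")
    return METHODS.get(data[1], f"unassigned/private method 0x{data[1]:02x}")

def parse_auth_reply(data: bytes) -> bool:
    """Reply to RFC 1929 username/password: VER(0x01) STATUS, 0x00 = accepted."""
    if len(data) != 2 or data[0] != 0x01:
        raise ValueError("not an RFC 1929 auth reply")
    return data[1] == 0x00

def parse_request_reply(data: bytes) -> dict:
    """Reply to CONNECT / UDP ASSOCIATE: VER REP RSV ATYP BND.ADDR BND.PORT."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 request reply")
    rep, atyp = data[1], data[3]
    # Address length depends on ATYP: IPv4 = 4, IPv6 = 16, domain = length byte + name.
    if atyp == 0x01:
        alen, off = 4, 4
    elif atyp == 0x04:
        alen, off = 16, 4
    elif atyp == 0x03 and len(data) >= 5:
        alen, off = data[4], 5
    else:
        raise ValueError(f"bad ATYP 0x{atyp:02x}")
    if len(data) != off + alen + 2:
        raise ValueError("truncated or oversized reply")
    port = int.from_bytes(data[off + alen:], "big")
    return {"ok": rep == 0x00,
            "reason": REPLIES.get(rep, f"unassigned 0x{rep:02x}"), "port": port}

# Constructed samples (not captured from any real proxy)
GREETING_OK = bytes([0x05, 0x02])      # proxy selects username/password
AUTH_FAIL = bytes([0x01, 0x01])        # credentials rejected
CONNECT_DENIED = bytes([0x05, 0x02, 0x00, 0x01, 0, 0, 0, 0, 0, 0])
```

A reply whose second byte is anything other than `0x00` is a refusal by the proxy itself, and the `REP` code says whether that is a ruleset denial, an unsupported command, or a failure to reach the destination.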
      • JKnottJ
        JKnott @cotton

        @cotton

        Have you tried TCP to a commonly used browser port, such as 80 or 443?

        It's unbelievable that an ISP would throttle a VPN in this day & age.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • C
          cotton @JKnott

          @JKnott Private Internet Access only use TCP 501 or 502 for OpenVPN unfortunately

          I agree with your comment, it's a little odd that they would throttle so much nowadays when I'm paying for a gig connection; however, from reading online they seem notorious for it.

          • JKnottJ
            JKnott @cotton

            @cotton

            Maybe it's time to look for another ISP. The only throttling I have to worry about is on my cell phone, when I go past 90 GB. I have never even come close to that amount.

            • P
              Popolou @cotton

              @cotton I don't have a direct solution to your issue but are you sure they are throttling it? I have a box on a VM 'fibre' connection routed via WG to a VPS which easily manages over a 100MBps on transfers. Their first level support is notoriously shite so you may need to get to their advanced teams, if you haven't had any luck so far.

              • johnpozJ
                johnpoz LAYER 8 Global Moderator @cotton

                @cotton I am with @Popolou: are you sure they are throttling? Do you have some links to others discussing this throttling on this ISP? If they were going to throttle it, why not throttle to like 2 Mbps or 10 Mbps? 60 is a pretty high throttle, to be honest. You sure it's just not a limitation of the VPN, or hardware, etc.? Have you tried, say, from a client through pfSense? Have you tried maybe the WireGuard option that PIA offers?

                I just don't get why an ISP would bother throttling such access. You pay for X amount of bandwidth, what does it matter if you use the bandwidth through a VPN or native? The bandwidth is still being used, what does the ISP gain from throttling the connection?

                Have you tried other POPs that PIA has? Maybe it's just bad peering from your ISP to get to whatever connection you're using.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                • 1
                  1OF1000Quadrillion @cotton

                  @cotton - I have had a very similar experience lately. I was not sure who was to blame for it, me, my ISP or PIA

                  Keep in mind, I like to tinker and not knowing what I am doing all the time, or not being sure about a configuration choice, sometimes I just assume or guess; that is my ADHD nightmare - sometimes : -).

                  I had changed the settings more than a few times in trying to get faster speeds.

                  I was using WireGuard at PIA's suggestion and it was not slow, but not as fast as I thought it should be either.
                  (from ISP 150/30 and I was getting approx. 60 Mbps down)
                  After multiple configuration changes, I just reset everything to default in order to start over.

                  Then I had a thought, well, PIA defaults the installation of their VPN client to use WireGuard, with a mid-range encryption, I always select the highest encryption I can get.

                  Anyhow - I thought, if they are defaulting to WireGuard and their tech support recommends it as a troubleshooting step, then how many of their customers are using OpenVPN? (which I trust more, at this point in time.)

                  So, I set it to OpenVPN protocols, default port, highest encryption I could get, and did my test.

                  Voila! Back to normal speeds. (approx. 142/27)
                  I did check WireGuard and it was also back to normal.

                  I also noticed, and this could be imagination, although I noticed it with ExpressVPN too, that connecting via OpenVPN was not so much slower than WireGuard now either - WireGuard's faster connection routine is supposed to be a big improvement and a GREAT reason to drop OpenVPN according to almost everyone I have ever heard discuss the two VPN protocols.

                  When I connect using WireGuard it's approx 2 seconds to completed connection.
                  When I use OpenVPN it's approx 3 seconds to completed connection.

                  This is using the scientifically proven 1000-1, 1000-2, 1000-3 method of course so take it for what it is.

                  If it helps I was not distracted at all for at least 4 seconds....

                  If it were me, I'd just reset to default and test and if necessary, remove the PIA client, reset IP and so on and reinstall and test.

                  Other than that, greater minds in this thread prevail.

                  Cheers man - Hope you get it worked out soon.

                  • C
                    cotton @johnpoz

                    @johnpoz

                    I understand guys, I doubted myself for a while on this one as I just couldn't imagine such restrictions in this day and age, but I am absolutely certain it's the ISP.
                    I have Cat6 cabling throughout my house, and this PC is cabled into a Gig Ethernet switch which connects to my Netgate SG-3100. (I have tried connecting directly into the SG-3100 too to rule that out.)

                    Testing using fast.com I get the following result by changing the Firewall RULESET ONLY. Everything else is the same, I'm literally routing the traffic for this PC out of the WAN or VPN by changing the gateway on the rule, validating using a what's my IP service then re-running the speed test.

                    Test 1 - Specific rule sending it straight to WAN
                    Internet IP address 86.5.1x.xxx VMB UK
                    460 Mbps
                    760 Mbps
                    520 Mbps

                    Test 2 - Reintroduced rule sending it down the PIA NL OpenVpn Gateway in PFSense
                    Internet IP address 181.214.206.247 PIA Netherlands
                    7.7 Mbps
                    5.7 Mbps
                    10 Mbps

                    THIS IS WHERE IT GETS INTERESTING

                    Test 3 I went back to the rule routing traffic straight out the WAN and connected to the PIA Netherlands VPN through the Windows Client.
                    Windows client setting using OpenVPN, UDP, AES-128-GCM
                    Internet IP address is 89.149.24.177
                    5.4 Mbps
                    5.9 Mbps
                    4.8 Mbps

                    Sticking with the windows client and tweaking the settings:

                    With Shadowsocks enabled in the Windows client = 11Mbps
                    With PIA's own Socks5 proxy set in the app (proxy-nl.regions.cluster.piaservers.net [77.247.181.210]) - 4.3 Mbps
                    DISCONNECT FROM THE VPN APP > Retest > 660 Mbps 🙄

                    Absolutely doing my nut in. Any ideas greatly welcomed.

                    • P
                      Popolou @cotton

                      @cotton Which is the VM box incidentally and are you running it in bridged mode?

                      • C
                        cotton @Popolou

                        @Popolou It's the Hub 5 and yes, running in bridged mode with a single Cat6 cable from the router into the SG-3100 WAN port.

                        • P
                          Popolou @cotton

                          @cotton said in Looking for ways to obfuscate OpenVPN traffic from PFSense to Private Internet Access to avoid throttling - Socks5 Proxy the way??:

                          THIS IS WHERE IT GETS INTERESTING

                          Test 3 I went back to the rule routing traffic straight out the WAN and connected to the PIA Netherlands VPN through the Windows Client.
                          Windows client setting using OpenVPN, UDP, AES-128-GCM
                          Internet IP address is 89.149.24.177
                          5.4 Mbps
                          5.9 Mbps
                          4.8 Mbps

                          Plug a laptop directly into the VM box and use PIA's client to connect to the VPN network over TCP 443. Worth seeing if that makes a difference.

                          • C
                            cotton @Popolou

                            @Popolou Thanks for the suggestion, that's the same unfortunately.

                            A couple of questions:

                            1. Is there a way to configure an authenticated SOCKS5 proxy in the OpenVPN client config page? That way I can use the PIA SOCKS5 proxy to route traffic over

                            2. Are there any plans to allow "scramble obfuscate" to be used within the custom options of the OpenVPN client config page in PFSense?

                            • P
                              Popolou @johnpoz

                              @johnpoz said in Looking for ways to obfuscate OpenVPN traffic from PFSense to Private Internet Access to avoid throttling - Socks5 Proxy the way??:

                              Have you tried maybe the wireguard option that pia offers?

                              Did you get a similar result?

                              • C
                                cotton @Popolou

                                @Popolou Ideally that's what I'm after doing from the PFSense box. From reading online PIA don't offer the option to export manual config files for Wireguard directly from the site and you need to do something from a Linux box to extract the Public & Private keys.

                                I'm useless with Linux so I'm currently trying every other way possible before attempting :)

                                • P
                                  Popolou @cotton

                                  @cotton Yes, I see here what you mean. It may come to that however.

                                  You might want to try a test using their Windows client app as you did for Test 3, in case it does indeed solve your issues first.

                                  • C
                                    cotton @Popolou

                                    @Popolou Sorry I see what you mean, yes Wireguard is miles faster than OpenVPN when using the PIA app.

                                    I connect to UK Manchester with OpenVPN UDP configured in the settings and I get 74 Mbps max. Connecting to the same region via Wireguard and small packets I can get 312 Mbps, and as a control test, with no VPN connected I get 762 Mbps.

                                    So VMB still throttling the Wireguard traffic, but it's over four times faster than OpenVPN so seems like a sensible trade-off.

                                    • P
                                      Popolou @cotton

                                      @cotton Yes, I'd agree with that. You may want to find a crash course in Linux after all!

                                      Curiously, that speed discrepancy between OVPN and WG would suggest something else at play here than throttling. What I mean to say is that those two speeds would more likely have been quite similar if there was an intention to restrict VPN use across the VM network.

                                      • C
                                        cotton @Popolou

                                        @Popolou Ok so I put my big boy pants on and installed Ubuntu on a Hyper-V VM. After following the instructions here (https://github.com/pia-foss/manual-connections) I was able to generate .conf files for PIA Southampton, London, Manchester and Amsterdam. From there I extracted the public and private keys to set up the tunnel in Wireguard on my Netgate device.

                                        So far, Wireguard through Southampton is working an absolute treat for me. Still over four times as fast as when connecting to the same PIA region over OpenVPN.

                                        • P
                                          Popolou @cotton

                                          @cotton "Great success"...if you know what I mean.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.