pfsense+ NordVPN slow speed

mathais

Hi, my upload speed is really slow with nordvpn (openvpn).
80mbps instead of 650mbps without vpn.
How can I improve that ?

Thanks helping me.

Gertjan

@mathais

Based on the info supplied [nordvpn - speed with 80 - speed without 650] I would go for the KIS solution :
Keep your money. Enjoy the speed. Done.

Ok, I get it, you saw some youtuber and said "Yeah, I believe what (s)he told me ...".
But you had not seen this yet. The thread starts with LAN/VLAN issues, and then the the real issue is discovered ....

Also, obvious : classic out of the box Internet traffic needs xxx CPU cycles to get the packets in and out. While doing mostly nothing, you reach 650 mbps.
OpenVPN needs thousands or tens of thousands of CPU cycles more "per packet". The processor power need is so huge, that they (Intel, AMD, etc) invented special CPU instructions that will accelerate the process a bit. Or special hardware 'cryptpo' chips are used.
So : what does the system you run pfSense on offer you ?
I mean, if your were using this one, I can tell you right away : you're doing fine.

Another way to test things : install the NordVPN app on your PC or phone. Connect locally, make sure you use the same ISP as pfSense does, and test again : what is the speed ?
Is it is still 80 Mbitsec , Call NordVPN and ...... well, no, just stop paying them and problem solved.

And I can go on like this. Not very helpful, I know, but I just inventing possible issues, and their answers ^^

Can you give details ?

mathais

@Gertjan said in pfsense+ NordVPN slow speed:

it, you saw some youtuber and sai

Hello, If I use the NordVPN application directly on my phone or on my computer, the speeds are excellent (800Mbps download and 600Mbps upload).
So the problem is with NordVPN.

I didn't use NordVPN because a YouTuber told me to... I use NordVPN to secure my network infrastructure.

Here are the characteristics of my machine:
CPU: Intel(R) Celeron(R) N5105 @ 2.00GHz (1996.80-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0: <ACPI CPU> on acpi0
CPU: Intel(R) Celeron(R) N5105 @ 2.00GHz (1996.80-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0: <ACPI CPU> on acpi0
CPU: Intel(R) Celeron(R) N5105 @ 2.00GHz (1996.80-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0: <ACPI CPU> on acpi0
CPU: Intel(R) Celeron(R) N5105 @ 2.00GHz (1996.80-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0: <ACPI CPU> on acpi0

My network cards are:
vendor = 'Intel Corporation'
device = 'Ethernet Controller I226-V'

Gertjan

@mathais said in pfsense+ NordVPN slow speed:

Here are the characteristics of my machine:

....

This is what matters :

@mathais said in pfsense+ NordVPN slow speed:

the speeds are excellent (800Mbps download and 600Mbps upload)

I presume PC using cable over 1 Gbits/sec network - Wifi : why not, but 800 Mbits/sec wifi is .... wow
I also presume that when you used your "my phone or on my computer" that the traffic generated went through your router, pfSense.
If so, then its tend to be true that your pfSense is cables of passing traffic, but less in 'generating' it.
Still, if your 'phone' is capable of passing and generating 800 Mbits/sec, but not pfSense, then swap processors phone <> pfSense ;)

An unknown factor stays : what type of encryption is the phone app using ? And what is used by pfSense ? The first is always optimized, as we know who made the app. But is it the same 'encryption' as what you've set up with pfSense ?

@mathais said in pfsense+ NordVPN slow speed:

I didn't use NordVPN because a YouTuber told me to... I use NordVPN to secure my network infrastructure.

Yeah, that was what the guy told you.
If you have a globe somewhere (or a dish if your are more a flat earther) and draw two points on it.
Call them "Nord" and "Me".
Draw a line between them.
I guess we all agree on this : between "Nord" and "Me", the traffic is completely gibberish. No one can make anything out if it. And with no one I mean no human or computer on the planet.
I guess we're still ok with the fact that you do not use only the web site of Nord, but that you also visit other locations on the Internet. Draw ten spots on your globe, and draw 10 lines from spot called "Nord" to these ten spots. Are we ok then traffic between the spot "Nord" and these 10 spots is not encrypted (by the VPN) ?

So, consider : the fact that a part of the entire trip of your traffic uses a VPN has not much influence on the security of your network.
The overall security of your network is mostly determined by the users (the humans :) that use your network, for example : they can still download and execute that ransomware that takes down your network. It boils down to : what they load (get) from the Internet. The fact that the traffic is secured or double secured doesn't change a byte.

Double secured, as most of your traffic already secured : you are aware that all traffic between your phone or PC to and from the Internet is mostly already using https, or more generic : TLS = encrypted ? Using a VPN can make it saver for you, like yeah : lets encrypt the already encrypted traffic, thats more safe.
Your ISP can see where you go - it couldn't see what you are doing.

What a VPN adds : the '10' points you connect to don't see your WAN ISP, but the "Nord"'s IP.

Btw : I'm using a 4100.
I've never used Nord, I use, ones in a while, another one. xprssvpn, to not name the name.
The max speed I saw was about 380 Mbits/sec when I was using a very nearby VPN server, at 04 AM of course - forget about that speed around 8 PM, it more like 180 Mbits/sec.
Btw : on pfSense, with a OpenVPN client setup, the speed is a bit better. My phones uses 5G, and caps out at 600 Mbits/sec (I'm standing nearby the 5G antenna).
My pfSense ISP connection is 1 Gbits/sec advertised, the reality is more like 0,9 Gbits/sec. When th VPN is activated : I lose more then half.

Your pfSense CPU is a bit better then mine : I heavily suspect, without any proof, : Nord gives you what they have available for you.

mathais

What do you think about going to Torrent download sites and downloading Torrents without a VPN?
In France, we have HADOPI which tracks downloads.

So the VPN is useless?

Gertjan

@mathais said in pfsense+ NordVPN slow speed:

What do you think about going to Torrent download sites and downloading Torrents without a VPN?

No need to use a VPN to access a torrent access point, right ?
Also, downloading something from a torrent, and "secure my network infrastructure" is imho somewhat contradictory.

@mathais said in pfsense+ NordVPN slow speed:

In France, we have HADOPI which tracks downloads.
So the VPN is useless?

I know. I've dealt ones with them. Received a first warning, and I knew it was coming as I discovered earlier that a night auditor was using one of the PC's at work (hotel !) to download 'Disney' movies during his working hours, night time. He told me : "don't worry, I only download "VO" (original, English spoken language - no french subtitles) movies so no risk". Well ... he was wrong. I received a message from HADO and he was fired for this.
He still didn't got the message afterwards, and had the great pleasure to meeting the "Disney lawyers" in court. That didn't went well at all.

On the other hand : I do something that is considered totally insane : I share 'my' (work) internet connection with an entire hotel == a whole bunch of people unknown to me, also known as my "clients". They can do whatever they want with the connection I offer. If things go downhill, no problem, the owner (the one that subscribed to the internet connection" will do some jail time or has to pay the fine.
Great. Basically, you can share your internet connection with everybody as long as you agree to assume all consequences - no exceptions.
But I discovered something : during my 20+ year of internet sharing, and ten (hundreds) of hotel clients later, I never received another HADOPI message again.
I do use pfBockerng on my hotel's captive portal access to block the most obvious IP and DNSBL destinations. That seems to do the trick, I'm not sure. Maybe people stopped doing illicit things while using a public hotel network ?
Or : right after connecting to the portal : they active their VPN.