Netgate Discussion Forum

    Looking for ways to obfuscate OpenVPN traffic from PFSense to Private Internet Access to avoid throttling - Socks5 Proxy the way??

      johnpoz LAYER 8 Global Moderator @cotton
      last edited by johnpoz

      @cotton I am with @Popolou are you sure they are throttling, do you have some links to others discussing this throttling on this isp.. If they were going to throttle it why not throttle to like 2mbps or 10mbps.. 60 is pretty high throttle to be honest. You sure just not a limitation of the vpn, or hardware, etc. Have you tried say from client through pfsense? Have you tried maybe the wireguard option that pia offers?

      I just don't get why an ISP would bother throttling such access? You pay for X amount of bandwidth, what does it matter if you use the bandwidth through a vpn or native.. The bandwidth is still being used, what does the ISP gain from throttling the connection?

      have you tried other pops that pia has - maybe it's just a bad peering from your isp to get to whatever connection you're using..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        1OF1000Quadrillion @cotton
        last edited by

        @cotton - I have had a very similar experience lately. I was not sure who was to blame for it, me, my ISP or PIA

        Keep in mind, I like to tinker and not knowing what I am doing all the time, or not being sure about a configuration choice, sometimes I just assume or guess; that is my ADHD nightmare - sometimes : -).

        I had changed the settings more than a few times in trying to get faster speeds.

        I was using wire-guard at PIA's suggestion and it was not slow, but not as fast as I thought it should be either.
        (from ISP 150/30 and I was getting approx. 60Mbps down)
        After multiple configuration changes, I just reset everything to default in order to start over.

        Then I had a thought, well, PIA defaults the installation of their VPN client to use wire-guard, with a mid-range encryption, I always select the highest encryption I can get.

        Anyhow - I thought, if they are defaulting to wire-guard and their tech support recommends it as a troubleshooting step, then how many of their customers are using openVPN? (which I trust more, at this point in time.)

        So, I set it to openVPN protocols, default port, highest encryption I could get, and did my test.

        Voila! Back to normal speeds. (approx. 142/27)
        I did check wire-guard and it was also back to normal.

        I also noticed, and this could be imagination, although I noticed it with ExpressVPN too, that connecting via openVPN was not so much slower than wire-guard now either - wire-guard's faster connection routine is supposed to be a big improvement and a GREAT reason to drop openVPN according to almost everyone I have ever heard discuss the two VPN protocols.

        When I connect using wire-guard its approx 2 seconds to completed connection.
        When I use openVPN its approx 3 seconds to completed connection.

        This is using the scientifically proven 1000-1, 1000-2, 1000-3 method of course so take it for what it is.

        If it helps I was not distracted at all for at least 4 seconds....

        If it were me, I'd just reset to default and test and if necessary, remove the PIA client, reset IP and so on and reinstall and test.

        Other than that, greater minds in this thread prevail.

        Cheers man - Hope you get it worked out soon.

          cotton @johnpoz
          last edited by

          @johnpoz

          I understand guys, I doubted myself for a while on this one as I just couldn't imagine such restrictions in this day and age, but I am absolutely certain it's the ISP.
          I have Cat6 cabling throughout my house, and this PC is cabled into a Gig Ethernet switch which connects to my Netgate SG-3100. (I have tried connecting directly into the SG-3100 too to rule that out.)

          Testing using fast.com I get the following result by changing the Firewall RULESET ONLY. Everything else is the same, I'm literally routing the traffic for this PC out of the WAN or VPN by changing the gateway on the rule, validating using a what's my IP service then re-running the speed test.

          Test 1 - Specific rule sending it straight to WAN
          Internet IP address 86.5.1x.xxx VMB UK
          460 Mbps
          760 Mbps
          520 Mbps

          Test 2 - Reintroduced rule sending it down the PIA NL OpenVpn Gateway in PFSense
          Internet IP address 181.214.206.247 PIA Netherlands
          7.7 Mbps
          5.7 Mbps
          10 Mbps

          THIS IS WHERE IT GETS INTERESTING

          Test 3 I went back to the rule routing traffic straight out the WAN and connected to the PIA Netherlands VPN through the Windows Client.
          Windows client setting using OpenVPN, UDP, AES-128-GCM
          Internet IP address is 89.149.24.177
          5.4 Mbps
          5.9 Mbps
          4.8 Mbps

          Sticking with the windows client and tweaking the settings:

          With Shadowsocks enabled in the Windows client = 11Mbps
          With PIA's own Socks5 proxy set in the app (proxy-nl.regions.cluster.piaservers.net [77.247.181.210]) - 4.3 Mbps
          DISCONNECT FROM THE VPN APP > Retest > 660 Mbps 🙄

          Absolutely doing my nut in. Any ideas greatly welcomed.

            Popolou @cotton
            last edited by

            @cotton Which is the VM box incidentally and are you running it in bridged mode?

              cotton @Popolou
              last edited by

              @Popolou It's the Hub 5 and yes, running in bridged mode with a single Cat6 cable from the router into the SG-3100 WAN port.

                Popolou @cotton
                last edited by Popolou

                @cotton said in Looking for ways to obfuscate OpenVPN traffic from PFSense to Private Internet Access to avoid throttling - Socks5 Proxy the way??:

                THIS IS WHERE IT GETS INTERESTING

                Test 3 I went back to the rule routing traffic straight out the WAN and connected to the PIA Netherlands VPN through the Windows Client.
                Windows client setting using OpenVPN, UDP, AES-128-GCM
                Internet IP address is 89.149.24.177
                5.4 Mbps
                5.9 Mbps
                4.8 Mbps

                Plug a laptop directly into the VM box and use PIA's client to connect to the VPN network over TCP 443. Worth to see if that makes a difference.

                  cotton @Popolou
                  last edited by

                  @Popolou Thanks for the suggestion, that's the same unfortunately.

                  A couple of questions:

                  1. Is there a way to configure an authenticated SOCKS5 proxy in the OpenVPN client config page? That way I can use the PIA SOCKS5 proxy to route traffic over

                  2. Are there any plans to allow "scramble obfuscate" to be used within the custom options of the OpenVPN client config page in PFSense?

                    Popolou @johnpoz
                    last edited by

                    @johnpoz said in Looking for ways to obfuscate OpenVPN traffic from PFSense to Private Internet Access to avoid throttling - Socks5 Proxy the way??:

                    Have you tried maybe the wireguard option that pia offers?

                    Did you get a similar result?

                      cotton @Popolou
                      last edited by

                      @Popolou Ideally that's what I'm after doing from the PFSense box. From reading online PIA don't offer the option to export manual config files for Wireguard directly from the site and you need to do something from a Linux box to extract the Public & Private keys.

                      I'm useless with Linux so I'm currently trying every other way possible before attempting :)

                        Popolou @cotton
                        last edited by

                        @cotton Yes, I see here what you mean. It may come to that however.

                        You might want to try a test using their Windows client app as you did for Test 3 if in case it does indeed solve your issues first.

                          cotton @Popolou
                          last edited by

                          @Popolou Sorry I see what you mean, yes Wireguard is miles faster than OpenVPN when using the PIA app.

                          I connect to UK Manchester with OpenVPN UDP configured in the settings and I get 74 Mbps max. Connecting to the same region via Wireguard and small packets I can get 312 Mbps, and as a control test, with no VPN connected I get 762 Mbps.

                          So VMB still throttling the Wireguard traffic, but it's over four times faster than OpenVPN so seems like a sensible trade-off.

                            Popolou @cotton
                            last edited by

                            @cotton Yes, I'd agree with that. You may want to find a crash course in linux after all!

                            Curiously, that speed discrepancy between OVPN and WG would suggest something else at play here than throttling. What I mean to say is that those two speeds would more likely have been quite similar if there was an intention to restrict VPN use across the VM network.

                              cotton @Popolou
                              last edited by cotton

                              @Popolou Ok so I put my big boy pants on and installed Ubuntu on a Hyper-V VM. After following the instructions here (https://github.com/pia-foss/manual-connections) I was able to generate .conf files for PIA Southampton, London, Manchester and Amsterdam. From there I extracted the public and private keys to set up the tunnel in Wireguard on my Netgate device.

                              So far, Wireguard through Southampton is working an absolute treat for me. Still over four times as fast as when connecting to the same PIA region over OpenVPN.

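Added example, not part of the post above or of PIA's manual-connections scripts: one way to pull the tunnel values out of a generated .conf on the Linux box without pasting the private key around. It assumes the file uses the standard wg-quick `[Interface]`/`[Peer]` layout; the function names, addresses and keys are constructed for illustration.

```shell
#!/bin/sh
# Added example. The sample config is constructed; its keys are placeholders.
pad43() { printf '%43s' '' | tr ' ' "$1"; }          # 43 identical characters
SAMPLE_CONF="[Interface]
Address = 10.0.0.2/32
PrivateKey = $(pad43 A)=
DNS = 10.0.0.243

[Peer]
PersistentKeepalive = 25
PublicKey = $(pad43 c)=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.10:1337"

# wg_field SECTION KEY: read a wg-quick style config on stdin, print one value.
wg_field() {
    awk -v want="[$1]" -v key="$2" '
        BEGIN { want = tolower(want); key = tolower(key) }
        { sub(/\r$/, ""); sub(/[ \t]*#.*$/, "") }     # drop CR and comments
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); sect = tolower($0); next }
        sect == want {
            i = index($0, "=")        # split on the FIRST "=": keys end in "="
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }'
}

# A WireGuard key is 32 bytes: 43 base64 characters followed by one "=".
wg_key_ok() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; }

# The file holds the private key: accept it only if group/other have no access.
wg_conf_private() {
    case "$(ls -ld -- "$1")" in ????------*) return 0 ;; *) return 1 ;; esac
}

# wg_summary: validate both keys, then print the peer-side values only.
wg_summary() {
    conf=$(cat)
    priv=$(printf '%s\n' "$conf" | wg_field Interface PrivateKey)
    pub=$(printf '%s\n' "$conf" | wg_field Peer PublicKey)
    ep=$(printf '%s\n' "$conf" | wg_field Peer Endpoint)
    wg_key_ok "$priv" || { echo "bad or missing PrivateKey" >&2; return 1; }
    wg_key_ok "$pub" || { echo "bad or missing PublicKey" >&2; return 1; }
    echo "tunnel address : $(printf '%s\n' "$conf" | wg_field Interface Address)"
    echo "peer public key: $pub"
    echo "peer endpoint  : ${ep%:*} port ${ep##*:}"
    echo "allowed IPs    : $(printf '%s\n' "$conf" | wg_field Peer AllowedIPs)"
}

printf '%s\n' "$SAMPLE_CONF" | wg_summary
```

The summary deliberately omits the private key; read it separately with `wg_field Interface PrivateKey` only at the moment it is entered on the firewall.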
                                Popolou @cotton
                                last edited by

                                @cotton "Great success"...if you know what I mean.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.