Netgate Discussion Forum

    Looking for ways to obfuscate OpenVPN traffic from PFSense to Private Internet Access to avoid throttling - Socks5 Proxy the way??

    • cotton @johnpoz

      @johnpoz

      I understand guys, I doubted myself for a while on this one as I just couldn't imagine such restrictions in this day and age, but I am absolutely certain it's the ISP.
      I have Cat6 cabling throughout my house, and this PC is cabled into a Gig Ethernet switch which connects to my Netgate SG-3100. (I have tried connecting directly into the SG-3100 too to rule that out.)

      Testing using fast.com I get the following result by changing the Firewall RULESET ONLY. Everything else is the same, I'm literally routing the traffic for this PC out of the WAN or VPN by changing the gateway on the rule, validating using a what's my IP service then re-running the speed test.

      Test 1 - Specific rule sending it straight to WAN
      Internet IP address 86.5.1x.xxx VMB UK
      460 Mbps
      760 Mbps
      520 Mbps

      Test 2 - Reintroduced rule sending it down the PIA NL OpenVpn Gateway in PFSense
      Internet IP address 181.214.206.247 PIA Netherlands
      7.7 Mbps
      5.7 Mbps
      10 Mbps

      THIS IS WHERE IT GETS INTERESTING

      Test 3 I went back to the rule routing traffic straight out the WAN and connected to the PIA Netherlands VPN through the Windows Client.
      Windows client setting using OpenVPN, UDP, AES-128-GCM
      Internet IP address is 89.149.24.177
      5.4 Mbps
      5.9 Mbps
      4.8 Mbps

      Sticking with the windows client and tweaking the settings:

      With Shadowsocks enabled in the Windows client = 11Mbps
      With PIA's own Socks5 proxy set in the app (proxy-nl.regions.cluster.piaservers.net [77.247.181.210]) - 4.3 Mbps
      DISCONNECT FROM THE VPN APP > Retest > 660 Mbps 🙄

      Absolutely doing my nut in. Any ideas greatly welcomed.

      • Popolou @cotton

        @cotton Which is the VM box incidentally and are you running it in bridged mode?

        • cotton @Popolou

          @Popolou It's the Hub 5 and yes, running in bridged mode with a single Cat6 cable from the router into the SG-3100 WAN port.

          • Popolou @cotton

            @cotton said in Looking for ways to obfuscate OpenVPN traffic from PFSense to Private Internet Access to avoid throttling - Socks5 Proxy the way??:

            THIS IS WHERE IT GETS INTERESTING

            Test 3 I went back to the rule routing traffic straight out the WAN and connected to the PIA Netherlands VPN through the Windows Client.
            Windows client setting using OpenVPN, UDP, AES-128-GCM
            Internet IP address is 89.149.24.177
            5.4 Mbps
            5.9 Mbps
            4.8 Mbps

            Plug a laptop directly into the VM box and use PIA's client to connect to the VPN network over TCP 443. Worth seeing if that makes a difference.

            • cotton @Popolou

              @Popolou Thanks for the suggestion, that's the same unfortunately.

              A couple of questions:

              1. Is there a way to configure an authenticated SOCKS5 proxy in the OpenVPN client config page? That way I can use the PIA SOCKS5 proxy to route traffic over

              2. Are there any plans to allow "scramble obfuscate" to be used within the custom options of the OpenVPN client config page in PFSense?

              • Popolou @johnpoz

                @johnpoz said in Looking for ways to obfuscate OpenVPN traffic from PFSense to Private Internet Access to avoid throttling - Socks5 Proxy the way??:

                Have you tried maybe the wireguard option that pia offers?

                Did you get a similar result?

                • cotton @Popolou

                  @Popolou Ideally that's what I'm after doing from the PFSense box. From reading online PIA don't offer the option to export manual config files for Wireguard directly from the site and you need to do something from a Linux box to extract the Public & Private keys.

                  I'm useless with Linux so I'm currently trying every other way possible before attempting :)

                  • Popolou @cotton

                    @cotton Yes, I see here what you mean. It may come to that however.

                    You might want to try a test using their Windows client app as you did for Test 3 if in case it does indeed solve your issues first.

                    • cotton @Popolou

                      @Popolou Sorry I see what you mean, yes Wireguard is miles faster than OpenVPN when using the PIA app.

                      I connect to UK Manchester with OpenVPN UDP configured in the settings and I get 74 Mbps max. Connecting to the same region via Wireguard and small packets I can get 312 Mbps, and as a control test, with no VPN connected I get 762 Mbps.

                      So VMB still throttling the Wireguard traffic, but it's over four times faster than OpenVPN so seems like a sensible trade-off.

                      • Popolou @cotton

                        @cotton Yes, I'd agree with that. You may want to find a crash course in Linux after all!

                        Curiously, that speed discrepancy between OVPN and WG would suggest something else at play here than throttling. What I mean to say is that those two speeds would more likely have been quite similar if there was an intention to restrict VPN use across the VM network.

                        • cotton @Popolou

                          @Popolou Ok so I put my big boy pants on and installed Ubuntu on a Hyper-V VM. After following the instructions here (https://github.com/pia-foss/manual-connections) I was able to generate .conf files for PIA Southampton, London, Manchester and Amsterdam. From there I extracted the public and private keys to set up the tunnel in Wireguard on my Netgate device.

                          So far, Wireguard through Southampton is working an absolute treat for me. Still over four times as fast as when connecting to the same PIA region over OpenVPN.

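The step described in the post above, pulling the keys and endpoint out of a generated .conf so they can be entered in the router's WireGuard tunnel and peer settings, as an added example that is not part of the thread or of PIA's scripts. The sample file is constructed in the standard wg-quick layout with filler keys; the function names are illustrative and a single [Peer] section is assumed.

```python
import base64
import configparser
import os
import stat

# Constructed sample in wg-quick layout; the keys are 32 bytes of filler, not real keys.
SAMPLE_CONF = """\
[Interface]
Address = 10.0.0.2/32
PrivateKey = {priv}

[Peer]
PublicKey = {pub}
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.10:1337
""".format(priv=base64.b64encode(b"\x01" * 32).decode(),
           pub=base64.b64encode(b"\x02" * 32).decode())


def valid_key(value):
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error (bad padding or alphabet) is a ValueError
        return False


def parse_wg_conf(text):
    """Return the fields the tunnel and peer forms need, rejecting malformed keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    iface, peer = cp["Interface"], cp["Peer"]
    for name, key in (("PrivateKey", iface["PrivateKey"]), ("PublicKey", peer["PublicKey"])):
        if not valid_key(key):
            raise ValueError(f"{name} is not a 32-byte base64 key")
    host, _, port = peer["Endpoint"].rpartition(":")
    return {"address": iface["Address"], "private_key": iface["PrivateKey"],
            "peer_public_key": peer["PublicKey"], "endpoint_host": host,
            "endpoint_port": int(port), "allowed_ips": peer["AllowedIPs"]}


def redact(fields):
    """Copy of the fields that is safe to paste into a forum post or ticket."""
    return {**fields, "private_key": "<redacted>"}


def group_or_world_readable(path):
    """True if anyone other than the owner can read the .conf holding the private key."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))
```

The private key in the .conf is the only secret in the file; keeping the file at mode 600 on the Linux VM and sharing only the `redact()` output avoids leaking it while troubleshooting.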
                          • Popolou @cotton

                            @cotton "Great success"...if you know what I mean.
