Netgate Discussion Forum
    PFSense and PIA - Slow download speed

      Hypertext

      Hi there!

      I've tried my hardest the last couple of hours making PIA work OK with my pfSense 2.3.1 box, but I'm getting nowhere.
      So the issue is that when following the PIA guide on https://www.privateinternetaccess.com/pages/client-support/pfsense , I get speeds of about 30-40mbit/s down.
      The thing is that my internet connection is 250/100mbit/s and by using the custom PIA client on my Windows machine, I almost get full speeds through the VPN.
      So I don't think the fault lies with PIA, but either with the configuration or possibly the OpenVPN client in pfSense?
      I've read about some other people having similar issues as me, but no solution was found.

      I've noticed a slight bump in download speed (30-50mbit/s increase) when using the following advanced parameters:
      sndbuf 393216;
      rcvbuf 393216;
      push "sndbuf 393216";
      push "rcvbuf 393216";

      The pfSense machine is virtualised in ESXi with 2 vCPU and 2GB RAM.
      The hardware monitoring barely moves when trying to measure speeds so I do not think the hardware is the issue.
      I've also tried pfSense versions 2.1.5 and 2.2, as well as using different PIA servers without any success.

      Does anyone here have this setup working with decent speeds?
      I've attached my openvpn client config.

      • I manually route my LAN network to the PIA client interface.

      Would appreciate any help I can get!
      Regards,
      Daniel
      pfsense-pia-1.PNG
      pfsense-pia-2.PNG
      pfsense-pia-3.PNG

        Soyokaze

        Well, you're pretty lucky, because I'm struggling with slow OpenVPN in ESX with 40 mb/s max.
        You could try this:
        1. Disable hardware checksums on network adapters (advanced -> networking)
        2. Add 'fragment 0' to advanced configuration
        3. Add 'mssfix 0' to advanced configuration
        You could not try 'tun-mtu' because it should be adjusted on both ends, and as I understood, you don't control 'other end'.

        Need full pfSense in a cloud? PM for details!

          80sCyborgNinja

          @Hypertext:

          Hi there!

          I've tried my hardest the last couple of hours making PIA work OK with my pfSense 2.3.1 box, but I'm getting nowhere.
          So the issue is that when following the PIA guide on https://www.privateinternetaccess.com/pages/client-support/pfsense , I get speeds of about 30-40mbit/s down.
          The thing is that my internet connection is 250/100mbit/s and by using the custom PIA client on my Windows machine, I almost get full speeds through the VPN.
          So I don't think the fault lies with PIA, but either with the configuration or possibly the OpenVPN client in pfSense?
          I've read about some other people having similar issues as me, but no solution was found.

          I've noticed a slight bump in download speed (30-50mbit/s increase) when using the following advanced parameters:
          sndbuf 393216;
          rcvbuf 393216;
          push "sndbuf 393216";
          push "rcvbuf 393216";

          The pfSense machine is virtualised in ESXi with 2 vCPU and 2GB RAM.
          The hardware monitoring barely moves when trying to measure speeds so I do not think the hardware is the issue.
          I've also tried pfSense versions 2.1.5 and 2.2, as well as using different PIA servers without any success.

          Does anyone here have this setup working with decent speeds?
          I've attached my openvpn client config.

          • I manually route my LAN network to the PIA client interface.

          Would appreciate any help I can get!
          Regards,
          Daniel

          Have you been having any issues with the service DNS resolver stopping as soon as you start the PIA Client VPN?

          Thanks

            mauroman33

            Here is my configuration, my custom options and the speed that I reach

            explicit-exit-notify 2;
            ifconfig-nowarn;
            tls-client;
            persist-key;
            persist-tun;
            persist-remote-ip;
            remote-cert-tls server;
            auth-nocache;
            keysize 256;
            tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;
            fast-io;
            sndbuf 524288;
            rcvbuf 524288

            speedt1.png
            PIA1.png
            PIA2.png
            PIA3.png

              tigs

              @mauroman33:

              Here is my configuration, my custom options and the speed that I reach

              explicit-exit-notify 2;
              ifconfig-nowarn;
              tls-client;
              persist-key;
              persist-tun;
              persist-remote-ip;
              remote-cert-tls server;
              auth-nocache;
              keysize 256;
              tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;
              fast-io;
              sndbuf 524288;
              rcvbuf 524288

              Thanks. This helped me a lot. It helped me further once I enabled the hardware acceleration. I am also able to use the compression with adaptation.

              The problem: why was it working all fine and then all of a sudden it started to slow down, requiring this extensive adjustment just to achieve previous performance? What has caused these changes, ISP, PIA or pfSense?

                mauroman33

                @tigs

                Glad to hear.
                I honestly don't know the reasons, I've never had problems with speed.
                About compression, its activation did not give me any advantage so I preferred to turn it off.
                The hardware acceleration is set in System-> Advanced-> Miscellaneous.
                If set also in the VPN Client settings, after a while the connection drops, and not only with PIA but also with IPVanish and PureVPN.

                  Wisiwyg

                  Looking for the hardware acceleration option under System - Advanced - Miscellaneous on version 2.3.2 Development and don't find it. I do see an option for Cryptographic Hardware. Is that what you're referring to? Are you suggesting turning that option ON has a positive impact? TIA

                  Overkill - i5 quad, 3.1ghz, 8gb, 240gb SSD, dual & single Intel NICs

                    mauroman33

                    @Wisiwyg:

                    Looking for the hardware acceleration option under System - Advanced - Miscellaneous on version 2.3.2 Development and don't find it. I do see an option for Cryptographic Hardware. Is that what you're referring to? Are you suggesting turning that option ON has a positive impact? TIA

                    You're right, I referred to that one.
                    I read somewhere here that if the CPU supports the AES-NI instructions then that option should be enabled, but actually I don't know how big its impact is.

                      lcalamar

                      I had set up my ASUS router so that all my internet access was running through PIA VPN via openvpn

                      I've been looking for a way to setup my pfsense firewall the same way (no client apps) - so that any device connected in my home will be running under PIA.

                      I can only find information on setting up openvpn clients - which isn't what I want.

                      Is there a way to configure PIA via OpenVPN on pfSense?

                      OH- would be GREAT if I could do 2 other things:

                      1. have an easy way to toggle on/off from my UI - so I can turn off to watch Netflix
                      2. or better yet - can I somehow route NetFlix traffic so it isn't going through VPN?  (stupid Netflix)

                        secdeath

                        @lcalamar:

                        I had set up my ASUS router so that all my internet access was running through PIA VPN via openvpn

                        I've been looking for a way to setup my pfsense firewall the same way (no client apps) - so that any device connected in my home will be running under PIA.

                        I can only find information on setting up openvpn clients - which isn't what I want.

                        Is there a way to configure PIA via OpenVPN on pfSense?

                        OH- would be GREAT if I could do 2 other things:

                        1. have an easy way to toggle on/off from my UI - so I can turn off to watch Netflix
                        2. or better yet - can I somehow route NetFlix traffic so it isn't going through VPN?  (stupid Netflix)

                        Oh you can do all of this if you really wanted ;-P Look at the link the original poster made and follow that. I have additionally set up host-based routing through each VPN tunnel I have set up. Currently I have 3 different VPN tunnels: 2 through PIA and 1 through IPVanish. I'm eventually just going to move completely to PIA though. Most of my traffic goes out through the default route via my ISP. I have other traffic going out through my VPN tunnels depending on which IP I am coming from. I have one subnet routing entirely through PIA as well.

                        You could technically break it down even further and send certain traffic going to a specific destination and coming from a specific host and route that through your PIA VPN. It all depends on what you eventually want to do… You really need to get the VPN set up first. I can help you after that if you want though.

                          lcalamar

                          Geez - that actually seemed to work!!!  (I'm not sure exactly what it is I did - I need to study it a little more)

                          Here's what my NAT Outbound looks like now (I had quite a few interfaces) (attached)… I did confirm that I'm running under a different IP now... and I'm still getting throughput.

                          So - how to toggle on/off and setup so NetFlix isn't blocked?

                          Thanks much for all the help... doh that I didn't see that setup in the first message... seemed a little intimidating - but actually not bad to do - as I said I need to get a better basic understanding of what I just did!

                          ![Image 1.png](/public/imported_attachments/1/Image 1.png)

                            lcalamar

                            Quick note:

                            I was running PIA on my ASUS RTN66U router prior to getting PFSENSE on my ITX Celeron box.

                            The speed/performance with OPENVPN is great.  Barely noticeable - whereas on the ASUS RTN66U - was considerably slower throughput.

                              tigs

                              @mauroman33:

                              @tigs

                              Glad to hear.
                              I honestly don't know the reasons, I've never had problems with speed.
                              About compression, its activation did not give me any advantage so I preferred to turn it off.
                              The hardware acceleration is set in System-> Advanced-> Miscellaneous.
                              If set also in the VPN Client settings, after a while the connection drops, and not only with PIA but also with IPVanish and PureVPN.

                              Hey @mauroman
                              I am having this problem with sustain connection. It seems to drop very frequently. When I try to use speedtest.net, I often noticed interruptions in the process of testing.

                              here is the warning part of the log:

                              Jul 8 18:07:42	openvpn	45458	WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
                              Jul 8 18:07:42	openvpn	45458	WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
                              Jul 8 18:07:42	openvpn	45458	WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
                              Jul 8 18:07:42	openvpn	45458	WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
                              

                              any idea?

                              Second, how should I set up the custom config if I want to try the AES128?

                              thanks

                                Pippin

                                @tigs:

                                
                                Jul 8 18:07:42	openvpn	45458	WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
                                Jul 8 18:07:42	openvpn	45458	WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
                                Jul 8 18:07:42	openvpn	45458	WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
                                Jul 8 18:07:42	openvpn	45458	WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
                                
                                

                                any idea?

                                If you read what the snippet from the log states, you have mismatched config/parameters.
                                Look at local (you, the client) and remote (the server, PIA).

                                Make them match or, maybe better, download your config from PIA...

                                Second, how should I set up the custom config if I want to try the AES128?

                                Client needs matching config with server, you cannot just change it on one side (or at least not all).

                                I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                                Halton Arp
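
The local/remote comparison described in the reply above can be done mechanically. The following Python sketch is an added example, not code from the thread or from OpenVPN; the function names are hypothetical and the sample input is constructed from the four warning lines tigs posted.

```python
import re

# Constructed sample input: the four warning lines quoted in the thread,
# with tab-separated columns as they appear in the posted log.
SAMPLE_LOG = (
    "Jul 8 18:07:42\topenvpn\t45458\tWARNING: 'link-mtu' is used inconsistently, "
    "local='link-mtu 1570', remote='link-mtu 1542'\n"
    "Jul 8 18:07:42\topenvpn\t45458\tWARNING: 'cipher' is used inconsistently, "
    "local='cipher AES-256-CBC', remote='cipher BF-CBC'\n"
    "Jul 8 18:07:42\topenvpn\t45458\tWARNING: 'auth' is used inconsistently, "
    "local='auth SHA256', remote='auth SHA1'\n"
    "Jul 8 18:07:42\topenvpn\t45458\tWARNING: 'keysize' is used inconsistently, "
    "local='keysize 256', remote='keysize 128'\n"
)

WARNING_RE = re.compile(
    r"WARNING: '(?P<option>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)

# Options from these warnings that are written directly in the client config.
# link-mtu is deliberately absent: OpenVPN derives it from tun-mtu plus the
# per-packet overhead of the selected cipher/auth/compression, so it normally
# falls into line once those settings agree on both ends.
DIRECT_OPTIONS = ("cipher", "auth", "keysize")


def _strip_name(option, text):
    """The log repeats the option name inside each value; drop it."""
    prefix = option + " "
    return text[len(prefix):] if text.startswith(prefix) else text


def parse_mismatches(log_text):
    """Return {option: (local_value, remote_value)} for every warning found."""
    found = {}
    for line in log_text.splitlines():
        match = WARNING_RE.search(line)
        if match is None:
            continue  # not an option-consistency warning
        option = match.group("option")
        found[option] = (
            _strip_name(option, match.group("local")),
            _strip_name(option, match.group("remote")),
        )
    return found


def directives_matching_remote(mismatches):
    """Client config lines that adopt what the remote end reported."""
    return [
        f"{option} {mismatches[option][1]}"
        for option in DIRECT_OPTIONS
        if option in mismatches
    ]


def derived_mismatches(mismatches):
    """Mismatched options that are a consequence of other settings."""
    return [option for option in mismatches if option not in DIRECT_OPTIONS]


if __name__ == "__main__":
    result = parse_mismatches(SAMPLE_LOG)
    for option, (local, remote) in result.items():
        print(f"{option:10s} local={local:12s} remote={remote}")
    print("Set on client to match server:", directives_matching_remote(result))
    print("Re-check after reconnect:", derived_mismatches(result))
```

Matching the remote side here means lowering the client to BF-CBC, SHA1 and a 128-bit key size; the alternative raised later in the thread is to pick a server whose settings already agree with the client's.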

                                  AndrewZ

                                  @tigs:

                                  here is the warning part of the log:

                                  Jul 8 18:07:42	openvpn	45458	WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
                                  Jul 8 18:07:42	openvpn	45458	WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
                                  Jul 8 18:07:42	openvpn	45458	WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
                                  

                                  any idea?

                                  Please check https://forum.pfsense.org/index.php?topic=103934.msg634831

                                    mauroman33

                                    Ciao @tigs

                                    in my log there are no warnings, so I think it depends on the server's configuration which you are connected to.
                                    Not all their servers seem configured in the same way. Sometimes a service that is available from a server is not available from another one.
                                    As you can see in my first screenshot I'm using sweden.privateinternetaccess.com. You could try using a different server, or you should match your configuration parameters to the chosen server.
                                    About the dropping, if you have enough bandwidth you may try to disable the compression. Maybe this can help the connection's stability.

                                      Wisiwyg

                                      Firstly, really appreciate the OP and guide and all of the helpful input on this. I see multiple posts in other threads about slow throughput on PIA. As my signature states, I'm running hardware that should breeze through this. The best throughput I am able to get is 3.5mbps down, 3.3mbps up. I've tried multiple endpoints, too. I'm in Denver - us-west is the closest, then us-midwest, and I've tried us-east, others. None of them make a difference in throughput.

                                      I used the tutorial here to set everything up: https://forum.pfsense.org/index.php?topic=76015.0 and the tweaks in this thread to attempt to improve throughput without resolution. Everything else seems to work.

                                      So now I'm wondering if Comcast has introduced throttling on any VPN endpoints. You see, I've tried SlickVPN and PureVPN as well. Slick because they have an endpoint in Denver and Pure because they have feedback as being very fast. None of the three VPN services get above 3.5mbps. Anyone have experience with throughput issues on Comcast? TIA

                                      Overkill - i5 quad, 3.1ghz, 8gb, 240gb SSD, dual & single Intel NICs

                                        lcalamar

                                        I'm using Comcast Cable - and not seeing any governing of speeds while I'm on VPN.

                                        The only issue I have is NetFlix

                                          Wisiwyg

                                          @Wisiwyg:

                                          Firstly, really appreciate the OP and guide and all of the helpful input on this. I see multiple posts in other threads about slow throughput on PIA. As my signature states, I'm running hardware that should breeze through this. The best throughput I am able to get is 3.5mbps down, 3.3mbps up. I've tried multiple endpoints, too. I'm in Denver - us-west is the closest, then us-midwest, and I've tried us-east, others. None of them make a difference in throughput.

                                          I used the tutorial here to set everything up: https://forum.pfsense.org/index.php?topic=76015.0 and the tweaks in this thread to attempt to improve throughput without resolution. Everything else seems to work.

                                          So now I'm wondering if Comcast has introduced throttling on any VPN endpoints. You see, I've tried SlickVPN and PureVPN as well. Slick because they have an endpoint in Denver and Pure because they have feedback as being very fast. None of the three VPN services get above 3.5mbps. Anyone have experience with throughput issues on Comcast? TIA

                                          And it would be helpful to also state that without OpenVPN in place I'm getting 120 down, 12 up.

                                          @lcalamar:

                                          I'm using Comcast Cable - and not seeing any governing of speeds while I'm on VPN.
                                          The only issue I have is NetFlix

                                          Yes, have that too, but not a problem if I can only get 3.5 down - Netflix wouldn't be bearable.

                                          Overkill - i5 quad, 3.1ghz, 8gb, 240gb SSD, dual & single Intel NICs

                                            rothbard

                                            @mauroman33:

                                            Here is my configuration, my custom options and the speed that I reach

                                            explicit-exit-notify 2;
                                            ifconfig-nowarn;
                                            tls-client;
                                            persist-key;
                                            persist-tun;
                                            persist-remote-ip;
                                            remote-cert-tls server;
                                            auth-nocache;
                                            keysize 256;
                                            tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;
                                            fast-io;
                                            sndbuf 524288;
                                            rcvbuf 524288

                                            Thank you so much mauroman33! I've been pulling my hair out for the last 20 hours why pia vpn as client in pfsense always capped at 40mbps, while only utilizing 7% cpu load (openvpn process) on 2 cores @ 3.5GHz each.

                                            I thought my pfsense box was not configured right, since a vm guest getting an ip assigned from pfsense was pulling 145mbps with the pia vpn client running on it.

                                            I then proceeded to start from scratch by installing pfsense and directly setup pia in pfsense, tested it again with speedtest.net and again 40mbps.
                                            Then I've googled a lot today and found many useless posts and outright wrong advice and even more posts where it was never resolved and the threads died. Then I found this thread, quickly scanned over it and found your post.
                                            I've tried the above custom options for my pia client and it actually works! From 40mbps to 142mbps (and only 20% load on openvpn).

                                            How do you know about those openvpn options? Did you read their entire man? Very nice, thank you so much again :-)

                                            I'm still left with 2 pfsense issues, which many other people also experience [and which are also unresolved]

                                            • Very slow webgui after the first hour, which will only get worse and never get better (I've tried Chrome and it's totally useless, since pages will never load; I'm on Edge now and it works as of now)

                                            I did find a working solution for this though by trial and error and I haven't read it anywhere else. I've put the var on ramdisk with 256mb and browsing the webgui is now instant [for the time being]. This makes me believe the requests from chrome (or web browsers in general, if this applies to Edge as well, we will see, it's working now) are cached in pfsense (rather than the browser, since deleting the browser cache didn't help at all);

                                            • cpu resource usage in pfsense != cpu resource usage in vm host (hyper-v). I.e., 100% load in pfsense (watched on console via shell with cmd 'tops') is only 7% tops in hyper-v. I've allocated 2/6 cores to pfsense with 100% reserve and limit, so you'd expect a max 33% on the host, but nope. Vt-d and virtualizations are of course enabled in bios.

                                            I've also spent a lot of time digging through posts, which people also never resolved and I'm too lazy to make a new thread for it. It's no priority [yet] and always have a lack of time at my hands, so be it for now.

                                            Greetings!
