    [RESULTS] Potential build for pfSense + VPN on CLink Gigabit

    27 Posts 8 Posters 5.1k Views
    naporeon

      @Pippin:

      4 ms ping? VPN?

      I was surprised by that myself. Speedtest could very well be lying, but PIA does have a Seattle connection point.

      naporeon

        @pfBasic:

        That is really great OpenVPN throughput! How is your client configured?

        Yeah, I'm very happy with it. Not to mention surprised.

        pfSense is just totally vanilla. For OpenVPN configuration, I am so far using the stock pfSense configuration provided by PIA.

        I will be tinkering to add a couple functions soon, but there do not appear to be any DNS leaks thus far, so I'll probably just get to that later this week.

        pfBasic

          The best way to make sure you will never have a DNS leak is to use Unbound as a Resolver (don't change any settings or add any DNS IPs anywhere in your settings), then under Services / DNS Resolver / General Settings > Outgoing Network Interfaces: select only your VPN interface.

          This way all of your DNS requests go straight through the Root Servers but via your VPN.

          naporeon

            @pfBasic:

            The best way to make sure you will never have a DNS leak is to use Unbound as a Resolver (don't change any settings or add any DNS IPs anywhere in your settings), then under Services / DNS Resolver / General Settings > Outgoing Network Interfaces: select only your VPN interface.

            This way all of your DNS requests go straight through the Root Servers but via your VPN.

            Sounds good! Also, I realize only a total scrub would ask this, but that would also mean that I'd effectively lose internet connectivity if the VPN is down, right?

            I ask because that is desirable to me.

            pfBasic

              Yes, you would lose anything that needed DNS. But if you are routing all of your traffic to the VPN except for DNS and the VPN went down, you would still lose internet even though the DNS query would go through, because you couldn't get anything through port 80, 443, 123, etc.

              A good way to get some mitigation from a VPN client going down is to use different servers in your gateway group. (Or put your WAN in the group in a lower tier, but you want a VPN kill switch, so don't.) I think you mentioned that you are using PIA? If so, you get up to five clients through them, so just group two of their servers together.

              I use two of their servers in a group and sometimes I'll see a lot of packet loss on one but the other will be working well. It has worked very reliably for me.

              lra

                @naporeon:

                @Pippin:

                4 ms ping? VPN?

                I was surprised by that myself. Speedtest could very well be lying, but PIA does have a Seattle connection point.

                Possibly the LZO compression of OpenVPN is giving misleading results for speed tests that don't have randomized content.

                If you can disable LZO compression for the speed test that would be interesting.

                pfBasic

                  Actually, I would say leave LZO on just as you normally have it.

                  Then do your best to max out your bandwidth, Steam downloads usually have great bandwidth and they have free titles (DOTA 2 is pretty big and free so it will run for long enough to see it on RRDs).
                  You have a pretty beefy connection so you might also stream a bunch of UHD youtube videos, I think you can search for even 5k and 8k content that will really suck down some bandwidth!

                  Anyways, after you max out the connection for 5-10 minutes, go to Status / Monitoring and set it up like so:

                  System > Processor on one side
                  Traffic > WAN on the other side
                  1 Hour, 1 Minute, Line, On, Never
                  De-select everything on the graph except:
                  user util
                  nice util
                  system util
                  interrupt
                  inpass total
                  outpass total

                  Screenshot the graph and data summary with your mouse hovering over a point on the graph where your bandwidth is maxed out to display the stats you selected and post it up here.

                  That will give no bullshit real world VPN throughput:CPU usage data (assuming you are piping all of your traffic out through a VPN client as you stated).

                  I know that's all a very specific request, but it would be greatly appreciated!

                  Finger79

                    @naporeon:

                    I am so far using the stock pfSense configuration provided by PIA.

                    I think the stock PIA settings are to use Blowfish-128, SHA1 MAC, and RSA-2048.  The most concerning of these is the SHA1 MAC.  I'd personally use AES-128-CBC, SHA256 MAC, and RSA-2048 and see if performance is the same.  And the i3's AES-NI may possibly help out if you switch from Blowfish to AES.

                    Pippin

                      The most concerning would be Blowfish because of the SWEET32 attack, not SHA1.
                      https://community.openvpn.net/openvpn/wiki/SWEET32
                      https://sweet32.info/

                      Also read this:
                      https://sourceforge.net/p/openvpn/mailman/message/35699685/

                      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                      Halton Arp
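An added Python check, not from this thread and not part of pfSense or PIA's profile, that puts numbers on the Blowfish concern raised above and on Finger79's suggestion to review the stock cipher and HMAC: it flags `cipher`/`auth` lines that select a 64-bit block cipher or SHA1 and computes the birthday bound SWEET32 relies on. The cipher table and the sample client config are constructed for the example.

```python
import math

# Block size in bits for cipher names as OpenVPN spells them. This table is
# constructed for the example; the 64-bit entries are the ones SWEET32 targets.
BLOCK_BITS = {
    "BF-CBC": 64, "DES-EDE3-CBC": 64, "CAST5-CBC": 64,
    "AES-128-CBC": 128, "AES-256-CBC": 128,
    "AES-128-GCM": 128, "AES-256-GCM": 128,
}

def sqrt_bound_bytes(block_bits: int) -> int:
    """Bytes encrypted under one key at the 2^(b/2)-block birthday bound,
    where a repeated ciphertext block is already ~39% likely."""
    return 2 ** (block_bits // 2) * (block_bits // 8)

def collision_probability(block_bits: int, nbytes: int) -> float:
    """Probability that at least two of the ciphertext blocks produced from
    nbytes of data collide (birthday approximation 1 - exp(-k(k-1)/2n))."""
    k = nbytes // (block_bits // 8)          # number of blocks
    n = 2 ** block_bits                      # number of possible block values
    return -math.expm1(-k * (k - 1) / (2 * n))

def audit_openvpn_config(text: str) -> list:
    """Flag 'cipher' and 'auth' directives in a client config that match the
    legacy settings discussed in the thread (64-bit block cipher, SHA1 HMAC)."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()    # drop comments, tokenize
        if len(parts) < 2:
            continue
        directive, value = parts[0], parts[1].upper()
        if directive == "cipher" and BLOCK_BITS.get(value) == 64:
            gib = sqrt_bound_bytes(64) // 2 ** 30
            findings.append(f"cipher {parts[1]}: 64-bit block cipher (SWEET32), "
                            f"rekey well before ~{gib} GiB per key")
        elif directive == "auth" and value == "SHA1":
            findings.append("auth SHA1: legacy HMAC hash, prefer SHA256 or an AEAD cipher")
    return findings

# Constructed sample resembling a legacy provider profile (not PIA's real file).
SAMPLE_CONFIG = """\
client
dev tun
remote vpn.example.invalid 1198
cipher BF-CBC
auth sha1
comp-lzo
"""
```

At the gigabit rates discussed in this thread, 32 GiB is only a few minutes of traffic, well inside OpenVPN's default hourly key renegotiation (reneg-sec 3600), which is why a 128-bit block cipher is the fix rather than a shorter rekey interval.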

                      Finger79

                        @Pippin, interesting info.  Thanks for the reading.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.