[SOLVED] Slow PIA VPN connection on pfsense 2.4b

Runenaldo

So am I doing something wrong with the install?

Downloading the latest memstick image from here https://snapshots.pfsense.org/amd64/pfSense_master/installer/?C=M;O=D unpacking it, then using Win32DiskImager to make the bootable usb stick. Booting it up and following your guide https://forum.pfsense.org/index.php?action=thankyoupostlist;topic=126597.0;msg=699155 and choosing 2 disk mirror.

pfBasic

I don't think so, there have been multiple users reporting reboot issues. I've never encountered it though so I don't really know how to help except pointing you to these.

https://forum.pfsense.org/index.php?topic=128577.msg712180#msg712180

https://forum.pfsense.org/index.php?topic=126520.msg698661#msg698661

Runenaldo

@pfBasic:

I don't think so, there have been multiple users reporting reboot issues. I've never encountered it though so I don't really know how to help except pointing you to these.

https://forum.pfsense.org/index.php?topic=128577.msg712180#msg712180

https://forum.pfsense.org/index.php?topic=126520.msg698661#msg698661

Thanks, its good to know I'm not the only one.

Will try to install pfsense 2.4 to my SSD instead, hopefully it will work and then when a fix has been implemented I will go back to the sticks.

pfBasic

Honestly if you have an SSD laying around you are better off using that.

In my ZFS Guide I do mention installs to USB sticks, but not because they are better. I mention it because it is a cost saving feature that might enable someone to afford it that otherwise couldn't. There are other reasons to install to USB, but generally speaking if you have an SSD definitely use the SSD.

USB drive installs need you to adjust things to make them last that you wouldn't ever have to worry about with an SSD.

The only advantage they have over SSDs is price, and how common they are (just about anyone can pull an SSD out of a drawer and install pfSense to their machine.

Runenaldo

@pfBasic:

Honestly if you have an SSD laying around you are better off using that.

In my ZFS Guide I do mention installs to USB sticks, but not because they are better. I mention it because it is a cost saving feature that might enable someone to afford it that otherwise couldn't. There are other reasons to install to USB, but generally speaking if you have an SSD definitely use the SSD.

USB drive installs need you to adjust things to make them last that you wouldn't ever have to worry about with an SSD.

The only advantage they have over SSDs is price, and how common they are (just about anyone can pull an SSD out of a drawer and install pfSense to their machine.

Ja I totally understand, was just hoping to save the SSD for other projects. Its a bit overkill to have a 256gb disk in a router system IMO  ;D
and as I said in my former post, I will properbly go back to the USB's if I hear news that the issue is fixed.

Runenaldo

Oh btw how would you configure the install with an SSD? how big of a swap size, if any?

pfBasic

I don't think the boot issue is USB specific, others have reported the issue on SSD/HDD.

Swap is normally double your RAM, I believe that's the default setting.

Defaults will work great.

Runenaldo

@pfBasic:

I don't think the boot issue is USB specific, others have reported the issue on SSD/HDD.

Swap is normally double your RAM, I believe that's the default setting.

Defaults will work great.

hmm, for me the change to SSD worked, it rebooted straight away, with no issues.

In that case, I will need to add some more swap.

Will test VPN tommorrow.

Runenaldo

So got OpenVPN configured this morning and with the standard settings, its slow as usual 5/10-30mbit.

With my added settings I'm hitting a max of 84mbps.

I switched to pfsense monitor for reference as it seems Speedtest.net is all over the place..
I tried to set it up as you described it in another thread. https://forum.pfsense.org/index.php?topic=128230.15

@pfBasic:

Then do your best to max out your bandwidth, Steam downloads usually have great bandwidth and they have free titles (DOTA 2 is pretty big and free so it will run for long enough to see it on RRDs).
You have a pretty beefy connection so you might also stream a bunch of UHD youtube videos, I think you can search for even 5k and 8k content that will really suck down some bandwidth!

Anyawys, after you max out the connection for 5-10 minutes,

go to Status / Monitoring and set it up like so:

System > Processor on one side
Traffic > WAN on the other side
1 Hour, 1 Minute, Line, On, Never
De-select everything on the graph except:
user util
nice util
system util
interrupt
inpass total
outpass total

Screenshot the graph and data summary with your mouse hovering over a point on the graph where your bandwidth is maxed out to display the stats you selected and post it up here.

That will give no bullshit real world VPN throughput:CPU usage data (assuming you are piping all of your traffic out through a VPN client as you stated).

I know that's all a very specific request, but it would be greatly appreciated!

I'm thinking its pretty good, though it sucks I know it could be a bit better.
Should I maybe give up and try running two OpenVPN clients? or is there still more I can tinker with?


pfBasic

I don't know if I've asked this already but what NIC are you using?

The CPU is obviously working just fine at ~17% for 86Mbps VPN throughout.

With this being a clean install it should be maxing your connection.

Runenaldo

@pfBasic:

I don't know if I've asked this already but what NIC are you using?

The CPU is obviously working just fine at ~17% for 86Mbps VPN throughout.

With this being a clean install it should be maxing your connection.

I'ts running an IBM intel i340-T4 quad

Maybe its totally obvious and I just dont see it, but where do you see the 17% CPU usage?
EDIT: Found it, adding the % together  ::)

btw I got this magnificent reply from PIA support, which really answered all my technical questions in which I specifically told them that I could get 100/100 on my pc client and that my router was suppose to handle well beyond 100mbit…

Thanks for getting back to us.

You can expect to see at least a 10-15%* speed drop from the results you get when testing "disconnected" to our servers on our network page here: https://www.privateinternetaccess.com/pages/network/

• Typically it will be drop between 15-50% for computers and 25-75% (or more, depending on the router's capability) drop for routers.
• The higher encryption that you use, the more overhead that would be added slowing the connection. This can certainly be worsened by connecting to gateways that have additional routing latency or have a lot of traffic on them at the time.
• Our servers also have a 1 gigabit connection (for each server) shared among the customers connecting to the server. That in mind, we wouldn't normally expect you to reach higher than 50-100mbps.

We apologize for the inconvenience.

Let us know if you have anymore questions.

pfBasic

Yeah that's just a canned response.

I really have no idea why you aren't getting line speeds. You should be from what I can tell.

Maybe someone else can chime in here?

All I can siggest is playing around with the settings?

Maybe try LZ4v2, try no compression, try disabling NCP? Really idk though. I've run almost an identical setup on a J3355 and got line speeds at 150/10 no problems, no adding custom options.

Runenaldo

@pfBasic:

I really have no idea why you aren't getting line speeds. You should be from what I can tell.

No worries, I'm just glad you want to try and help.
and we did fix one issue with the installer  :D

@pfBasic:

All I can siggest is playing around with the settings?

Maybe try LZ4v2, try no compression, try disabling NCP? Really idk though. I've run almost an identical setup on a J3355 and got line speeds at 150/10 no problems, no adding custom options.

I tried different compressions and disabling NCP, without much difference although for the worse.


Runenaldo

Could you explain me how to setup two VPN's as one? or do you have a link to a guide?

Just want to try it out and see if that gets me closer to the 100 mark.  :)

isolatedvirus

@Runenaldo:

Could you explain me how to setup two VPN's as one? or do you have a link to a guide?

Just want to try it out and see if that gets me closer to the 100 mark.  :)

What hardware is your pfsense box running on?

What PIA setup guide are you using, and are you connecting to the "strong crypto" gateways or the standard PIA gateways with less encryption?

Its entirely possible that your CPU can't process the encryption faster than 75mbps on the throughput. This explains why you see full line rates when running it on a PC, and slower rates when its running on pfsense.

If you're connecting to the stronger encryption gateways, the only thing you can do to improve your throughput is to start connecting to the default (lower encryption) ones.

Runenaldo

@isolatedvirus:

What hardware is your pfsense box running on?

Asrock J3455-ITX
2x4gb Hyperx DDR3L 1866MHz
256gb SSD

According to the synthetic benchmarks I have done, it should be able to handle up to 280mbps over VPN.

@isolatedvirus:

What PIA setup guide are you using, and are you connecting to the "strong crypto" gateways or the standard PIA gateways with less encryption?

If you're connecting to the stronger encryption gateways, the only thing you can do to improve your throughput is to start connecting to the default (lower encryption) ones.

Its the standard pfsense guide, with 128bit encryption found on their website here: https://www.privateinternetaccess.com/pages/client-support/pfsense

It gives me roughly 5mbps download.

I have then added:

fast-io
sndbuf 524288
rcvbuf 524288

which improves that figure to 86mbps

pfBasic

J3455 can definitely do a lot more then ~80Mbps.

Here are some instructions for gateway groups with VPN:
https://forum.pfsense.org/index.php?topic=115992.msg652957#msg652957

Runenaldo

So after a lot of trial and error, it seems I have gotten two vpn clients up and running in a gateway group.

The speeds are finally at maximum! But the latency seems to have gone up and so webpages seems to be loading slower than before. Is this a trade off with this configuration?

https://ipleak.net/ seems fast and reports my ip and dns servers to be the correct for my VPN choice, with no exceptions.

But I'm a little worried that I'm maybe running traffic around the VPN with these speed and the low CPU usage..?

I made a lot of back and forth settings changes and think I might be better of restoring from a backup and trying again tomorrow.

EDIT
It seems I have the same problems with everything showing up offline as pigbait on page 2.
Also bretthoward sums up pretty much what I'm experiencing on the same page as well.


isolatedvirus

@Runenaldo:

So after a lot of trial and error, it seems I have gotten two vpn clients up and running in a gateway group.

The speeds are finally at maximum! But the latency seems to have gone up and so webpages seems to be loading slower than before. Is this a trade off with this configuration?

https://ipleak.net/ seems fast and reports my ip and dns servers to be the correct for my VPN choice, with no exceptions.

But I'm a little worried that I'm maybe running traffic around the VPN with these speed and the low CPU usage..?

I made a lot of back and forth settings changes and think I might be better of restoring from a backup and trying again tomorrow.

EDIT

It seems I have the same problems with everything showing up offline as pigbait on page 2.
Also bretthoward sums up pretty much what I'm experiencing on the same page as well.

you can verify if traffic isnt being passed thorugh the VPN setup by going to diagnostic -> packet capture -> wan and leave the default options. Launch the packet cap, then do a bunch of broswing/speed tests. I'd recommend keeping the capture UNDER 5 SECONDS, otherwise youre going to be reading through a LARGE packet cap log.

Once you think youve generated enough traffic, stop the packet cap and read through the connections. If you see anything exiting your wan interface and headed to hosts other than your VPN provider, you've got a routing leak.

Its worth mentioning since I'm unaware of how your setup is configured, that a multi wan (in this case its multi WAN, because youve got multiple VPN gateways traffic can exit) setup can cause havoc on session tracking for websites if youre set to round robin. You'll want traffic headed to websites to always leave through the same gateway, therefor its always returning via the same route.

Since your procs can handle line speeds, its likely your speed issue is due to the gateway youre heading to. PIA aggregates i think 10 users per IP (which their servers have a 1gbps connection, so 100mbps per user in a perfect world), so you might just be on a node that has heavy traffic.

pfBasic

PIA doesn't have a 100Mbps per user cap.

It's common to get much more than that. The highest I think I've seen reported on here was in the 600Mbps range on a single instance.

Using gateway groups as is works just fine, you don't need to do anything funky with your website traffic or session tracking at all.  You're unnecessarily overcomplicating it.

Looking for anything going to !PIA_IP on pcap will only work if you are routing all of your traffic to the VPN, most people do not do this because many services don't work over VPN.