Netgate Discussion Forum

    [SOLVED] Slow PIA VPN connection on pfsense 2.4b

    86 Posts 4 Posters 28.7k Views
    pfBasic (Banned)

      On your LAN & WLAN, if you want all of your traffic to go through the Gateway group, you need to specify the gateway group as the only gateway.

      The way those are written, nothing will go out of your gateway group except your OpenVPN server.

      Runenaldo

        @pfBasic:

        On your LAN & WLAN, if you want all of your traffic to go through the Gateway group, you need to specify the gateway group as the only gateway.

        The way those are written, nothing will go out of your gateway group except your OpenVPN server.

        Ok, I thought that was fine as the NAT I specified was the OpenVPN.

        But I've changed it now.
        EDIT
        Just to clarify, what I've changed is what you said. I haven't changed anything in the NAT rules.

        Download speed is on par with running over my PC client now, but latencies are still high.

        ![FW rule LAN to GG.JPG](/public/imported_attachments/1/FW rule LAN to GG.JPG)
        ![FW rule WLAN to GG.JPG](/public/imported_attachments/1/FW rule WLAN to GG.JPG)

        pfBasic (Banned)

          OK, great! Can you get full speed with just one VPN client now that your rules are set up correctly? Try just changing one of the VPNs in the gateway group to never.

          High latency is a fact of life when you are routing all of your traffic via a VPN.

          To pick the best VPN server for you check out this list. https://www.privateinternetaccess.com/pages/network/

          Closer is generally better latency but not always.

          I would expand out from your closest server and test them out on pfSense to see which one is the best for you.

          Also, VPN servers' performance will vary over time. If there are a lot of users on it you will notice. So, when using a gateway group, it is probably to your advantage to pick the two best servers for you, and put one of them in each of your clients so that if one network goes down or gets shitty, you will seamlessly be using a different server. This is what gateway grouping is usually used for.

          The OpenVPN gateway group is just a hack to get around the fact that OpenVPN is single threaded.

          Runenaldo

            I got full speed again with one VPN set to never (see picture below).
            But it seems that pfsense ignored it completely and still used both VPNs.

            ![GG group VPN2 NEVER.JPG](/public/imported_attachments/1/GG group VPN2 NEVER.JPG)
            ![Bandwidth monitor with VPN2 disabled.JPG](/public/imported_attachments/1/Bandwidth monitor with VPN2 disabled.JPG)

            pfBasic (Banned)

              Sorry, set your gateway group back to the way you had it, just change the LAN firewall rule from your gateway group to one of your VPN clients and try again.

              Runenaldo

                @pfBasic:

                Sorry, set your gateway group back to the way you had it, just change the LAN firewall rule from your gateway group to one of your VPN clients and try again.

                Not quite, I would say it's the same as before bandwidth wise, running with only one VPN. Also it seems that pfsense refrains from using my VPN2 connection in the beginning, as the monitor reported no bandwidth, but somehow it kicks in midway through the Ubuntu download and starts using it anyway.

                The picture doesn't show the beginning of the download, but the VPN2 connection was completely dead, nothing was going in or out.

                ![Bandwidth monitor with VPN2 disabled 2nd try.JPG](/public/imported_attachments/1/Bandwidth monitor with VPN2 disabled 2nd try.JPG)

                pfBasic (Banned)

                  You mean it's still using the other VPN connection even when you change the firewall rule to one VPN instead of the gateway group? You might need to reset the state table (Diagnostics/States) and restart the VPN service (Status/OpenVPN).

                  Have you tried troubleshooting different VPN servers? Try some that have a lot of throughput even if they are far away from you.
                  us-east.privateinternetaccess.com
                  us-texas.privateinternetaccess.com
                  us-california.privateinternetaccess.com
                  uk-london.privateinternetaccess.com

                  It is really strange that you can't hit line speeds on a single instance.

                  Runenaldo

                    @pfBasic:

                    You mean it's still using the other VPN connection even when you change the firewall rule to one VPN instead of the gateway group? You might need to reset the state table (Diagnostics/States) and restart the VPN service (Status/OpenVPN).

                    Yup! But only at the end of the download.

                    @pfBasic:

                    Have you tried troubleshooting different VPN servers? Try some that have a lot of throughput even if they are far away from you.
                    us-east.privateinternetaccess.com
                    us-texas.privateinternetaccess.com
                    us-california.privateinternetaccess.com
                    uk-london.privateinternetaccess.com

                    It is really strange that you can't hit line speeds on a single instance.

                    No, not yet, but I'm currently using the NL server, which has the highest throughput in Europe and has also always worked flawlessly on my PC client. I can however of course try the others.

                    ![FW rule LAN one VPN.JPG](/public/imported_attachments/1/FW rule LAN one VPN.JPG)
                    ![Bandwidth monitor with VPN2 disabled beginning 3nd try.JPG](/public/imported_attachments/1/Bandwidth monitor with VPN2 disabled beginning 3nd try.JPG)
                    ![Bandwidth monitor with VPN2 disabled endning 3nd try.JPG](/public/imported_attachments/1/Bandwidth monitor with VPN2 disabled endning 3nd try.JPG)

                    pfBasic (Banned)

                      Weird, easiest thing is just to reboot the whole router and try again.

                      Runenaldo

                        @pfBasic:

                        Weird, easiest thing is just to reboot the whole router and try again.

                        Tried, almost the same result.

                        ![Bandwidth monitor with VPN2 disabled after reboot 4th try.JPG](/public/imported_attachments/1/Bandwidth monitor with VPN2 disabled after reboot 4th try.JPG)

                        pfBasic (Banned)

                          Try disabling the other VPN client.

                          Runenaldo

                            @pfBasic:

                            Try disabling the other VPN client.

                            Close but no cigar.

                            And I'm leaking my ISP IP DNS.

                            ![Bandwidth monitor with VPN2 disabled and stopped after reboot 5th try.JPG](/public/imported_attachments/1/Bandwidth monitor with VPN2 disabled and stopped after reboot 5th try.JPG)

                            pfBasic (Banned)

                              So everything is working except you have a DNS leak?

                              Runenaldo

                                @pfBasic:

                                So everything is working except you have a DNS leak?

                                Yes, when running with one VPN server shut down.

                                isolatedvirus

                                  Can you post your gateway groups, firewall rules, and NAT rules please?

                                  As mentioned before, your latency increasing will be a tradeoff and the only thing you can try to bring it down is other VPN servers.

                                  DNS leaking is usually because you have your DNS being run by pfSense. pfSense in resolver mode will leak your WAN address unless you change your default gateway to the PIA VPN. pfSense set to forward will leak your upstream DNS servers (such as Google or OpenDNS if you're using those) regardless of default gateway configuration, unless you're forwarding to another internal DNS server and that server is being routed over the VPN.

                                  Runenaldo

                                    @isolatedvirus:

                                    Can you post your gateway groups, firewall rules, and NAT rules please?

                                    As mentioned before, your latency increasing will be a tradeoff and the only thing you can try to bring it down is other VPN servers.

                                    DNS leaking is usually because you have your DNS being run by pfSense. pfSense in resolver mode will leak your WAN address unless you change your default gateway to the PIA VPN. pfSense set to forward will leak your upstream DNS servers (such as Google or OpenDNS if you're using those) regardless of default gateway configuration, unless you're forwarding to another internal DNS server and that server is being routed over the VPN.

                                    Ok, I'll have to search around for a better server. I am running DNS resolver, so will have to look more into that.

                                    GGroups.JPG
                                    ![GGroup config.JPG](/public/imported_attachments/1/GGroup config.JPG)
                                    ![FW rule LAN to GG.JPG](/public/imported_attachments/1/FW rule LAN to GG.JPG)
                                    ![FW rule WLAN to GG.JPG](/public/imported_attachments/1/FW rule WLAN to GG.JPG)
                                    ![FW rule OpenVPN.JPG](/public/imported_attachments/1/FW rule OpenVPN.JPG)

                                    isolatedvirus

                                      @Runenaldo:

                                      @isolatedvirus:

                                      Can you post your gateway groups, firewall rules, and NAT rules please?

                                      As mentioned before, your latency increasing will be a tradeoff and the only thing you can try to bring it down is other VPN servers.

                                      DNS leaking is usually because you have your DNS being run by pfSense. pfSense in resolver mode will leak your WAN address unless you change your default gateway to the PIA VPN. pfSense set to forward will leak your upstream DNS servers (such as Google or OpenDNS if you're using those) regardless of default gateway configuration, unless you're forwarding to another internal DNS server and that server is being routed over the VPN.

                                      Ok, I'll have to search around for a better server. I am running DNS resolver, so will have to look more into that.

                                      Your current gateway group has both gateways set as tier 1, which will load balance outbound traffic on those gateways. If you're trying to test throughput, the easiest way would be to disconnect one of the gateways at a time. This will guarantee you won't see random load balancing happening in the middle of a test.

                                      Your firewall rules will route ALL traffic over the VPN. This will include traffic from your OpenVPN clients and wifi that might be headed to your LAN.
                                      You also have an error in your OpenVPN firewall rule: you're only routing UDP traffic over the PIA VPN.

                                      You might want to add a rule above the VPN gateway rules that allows traffic headed to your LAN nets to pass. If you create an ALIAS that includes all of your local subnets, you can accomplish this in a single rule. Please see my current config as an example:
                                      https://snag.gy/cGyrFU.jpg

                                      Edit:
                                      Please excuse the crappy mspaint job on that screenshot. Local 2 would be my neighbor's subnets.

                                      Edit - v2:
                                      By disconnect the gateway, I mean by going to Status -> OpenVPN and stopping one of the clients at a time. I thought my wording was ambiguous and needed clarification.

                                      Walk through of my rules from PIAVPN section down:
                                      - All sources headed to sites listed in URL TUNNEL BYPASS will route direct through WAN (certain sites don't like PIA VPN IP addresses, so you'll have to route them out normally).
                                      - Second rule forces traffic that isn't destined for local subnets over the PIA VPN.
                                      In the LAN section:
                                      - Traffic headed to my neighbor gets routed to the gateway on his side.
                                      - Allow all outbound traffic from LAN via WAN gateway. (Hosts that are a member of my TUNNEL BYPASS alias get routed by this rule due to inverse matching on PIA Section rule 2.)

                                      This allows traffic to flow between my openvpn clients to lan and vice versa.

                                      Edit - v3:
                                      Here is a screenshot of my OpenVPN firewall routing rules:
                                      https://snag.gy/Kc2hOD.jpg

                                      pfBasic (Banned)
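To make the rule-ordering point above concrete, here is an added Python model of pfSense's first-match policy routing (example code written for this page, not the posters' rule sets or anything from pfSense itself). It compares a "send everything from LAN into the gateway group, OpenVPN rule UDP-only" ruleset against one that passes local destinations first, then the bypass alias out the WAN, then everything non-local over the VPN on every protocol. All subnets, alias contents and gateway names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed aliases standing in for the LAN, WLAN and OpenVPN client subnets and for the
# TUNNEL BYPASS list (sites that refuse VPN exit addresses). Not the posters' real values.
ALIASES = {
    "LOCAL_NETS": ["192.168.1.0/24", "192.168.2.0/24", "10.8.0.0/24"],
    "TUNNEL_BYPASS": ["203.0.113.0/24"],
}

def in_alias(addr, alias):
    """True when addr falls inside any network of the named alias; 'any' always matches."""
    if alias == "any":
        return True
    return any(ip_address(addr) in ip_network(net) for net in ALIASES[alias])

def rule_matches(rule, flow):
    """pfSense-style match on interface, protocol, source alias and (optionally inverted) destination."""
    if rule["iface"] != flow["iface"]:
        return False
    if rule["proto"] not in ("any", flow["proto"]):
        return False
    if not in_alias(flow["src"], rule["src"]):
        return False
    dst_hit = in_alias(flow["dst"], rule["dst"])
    return dst_hit != rule["dst_invert"]          # "!" destination flips the match

def gateway_for(rules, flow):
    """The first matching pass rule decides the gateway; no match is pfSense's default deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule["gateway"]
    return "BLOCKED"

def R(iface, proto, src, dst, gateway, dst_invert=False):
    return {"iface": iface, "proto": proto, "src": src, "dst": dst,
            "gateway": gateway, "dst_invert": dst_invert}

# Ruleset as the thread describes the original: all LAN traffic policy-routed into the gateway
# group, and the OpenVPN interface rule matching only UDP. The catch-all below it is an assumption.
ORIGINAL = [
    R("LAN", "any", "LOCAL_NETS", "any", "PIA_GG"),
    R("OPENVPN", "udp", "any", "any", "PIA_GG"),
    R("OPENVPN", "any", "any", "any", "ROUTING_TABLE"),   # assumed catch-all; TCP lands here
]

# Ruleset following isolatedvirus's advice, applied to both interfaces:
# 1) local destinations pass via the routing table, 2) bypass sites go out the WAN,
# 3) everything NOT local goes over the VPN, for all protocols.
FIXED = []
for iface in ("LAN", "OPENVPN"):
    FIXED += [
        R(iface, "any", "any", "LOCAL_NETS", "ROUTING_TABLE"),
        R(iface, "any", "any", "TUNNEL_BYPASS", "WAN"),
        R(iface, "any", "any", "LOCAL_NETS", "PIA_GG", dst_invert=True),
    ]

def compare(flow):
    """Return (original, fixed) gateway decisions for one constructed flow."""
    return gateway_for(ORIGINAL, flow), gateway_for(FIXED, flow)

if __name__ == "__main__":
    samples = {
        "LAN host -> OpenVPN client": {"iface": "LAN", "proto": "tcp", "src": "192.168.1.10", "dst": "10.8.0.5"},
        "LAN host -> bypass site":    {"iface": "LAN", "proto": "tcp", "src": "192.168.1.10", "dst": "203.0.113.9"},
        "VPN client TCP -> internet": {"iface": "OPENVPN", "proto": "tcp", "src": "10.8.0.5", "dst": "198.51.100.7"},
    }
    for name, flow in samples.items():
        print(f"{name:28s} original={compare(flow)[0]:14s} fixed={compare(flow)[1]}")
```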

                                        All you have to do to plug your DNS leak with the resolver is select your PIA interface as your only outbound interface.

                                        isolatedvirus

                                          @pfBasic:

                                          All you have to do to plug your DNS leak with the resolver is select your PIA interface as your only outbound interface.

                                          Changing the PIA VPN gateway to the default gateway accomplishes this.

                                          https://snag.gy/QoWkB9.jpg

                                          Runenaldo

                                            @isolatedvirus:

                                            Your current gateway group has both gateways set as tier 1, which will load balance outbound traffic on those gateways. If you're trying to test throughput, the easiest way would be to disconnect one of the gateways at a time. This will guarantee you won't see random load balancing happening in the middle of a test.

                                            This is what I've been trying to do for the last page and a half with pfBasic. The pictures I attached at your request were for the normal setup. Just to clarify :)

                                            @isolatedvirus:

                                            Your firewall rules will route ALL traffic over the VPN. This will include traffic from your OpenVPN clients and wifi that might be headed to your LAN.
                                            You also have an error in your OpenVPN firewall rule: you're only routing UDP traffic over the PIA VPN.

                                            You might want to add a rule above the VPN gateway rules that allows traffic headed to your LAN nets to pass. If you create an ALIAS that includes all of your local subnets, you can accomplish this in a single rule. Please see my current config as an example:
                                            https://snag.gy/cGyrFU.jpg

                                            Edit:
                                            Please excuse the crappy mspaint job on that screenshot. Local 2 would be my neighbor's subnets.

                                            Edit - v2:
                                            By disconnect the gateway, I mean by going to Status -> OpenVPN and stopping one of the clients at a time. I thought my wording was ambiguous and needed clarification.

                                            Walk through of my rules from PIAVPN section down:
                                            - All sources headed to sites listed in URL TUNNEL BYPASS will route direct through WAN (certain sites don't like PIA VPN IP addresses, so you'll have to route them out normally).
                                            - Second rule forces traffic that isn't destined for local subnets over the PIA VPN.
                                            In the LAN section:
                                            - Traffic headed to my neighbor gets routed to the gateway on his side.
                                            - Allow all outbound traffic from LAN via WAN gateway. (Hosts that are a member of my TUNNEL BYPASS alias get routed by this rule due to inverse matching on PIA Section rule 2.)

                                            This allows traffic to flow between my openvpn clients to lan and vice versa.

                                            Edit - v3:
                                            Here is a screenshot of my OpenVPN firewall routing rules:
                                            https://snag.gy/Kc2hOD.jpg

                                            Thank you, will try this when I get home.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.