[SOLVED] Slow PIA VPN connection on pfsense 2.4b
-
Try disabling the other VPN client
Close but no cigar.
And I'm leaking my ISP IP through DNS.

-
So everything is working except you have a DNS leak?
-
Yes when running with one VPN server shut down.
-
Can you post your gateway groups, firewall rules, and NAT rules please?
As mentioned before, increased latency will be a tradeoff, and the only thing you can try to bring it down is other VPN servers.
DNS leaking is usually because you have your DNS being run by pfSense. pfSense in resolver mode will leak your WAN address unless you change your default gateway to the PIA VPN. pfSense set to forward will leak your upstream DNS servers (such as Google or OpenDNS if you're using those) regardless of default gateway configuration, unless you're forwarding to another internal DNS server and that server is being routed over the VPN.
-
OK, I'll have to search around for a better server. I am running the DNS resolver, so will have to look more into that.
-
Your current gateway group has both gateways set as tier 1, which will load balance outbound traffic on those gateways. If you're trying to test throughput, the easiest way would be to disconnect one of the gateways at a time. This will guarantee you won't see random load balancing happening in the middle of a test.
Your firewall rules will route ALL traffic over the VPN. This will include traffic from your OpenVPN clients and WiFi that might be headed to your LAN.
You also have an error in your OpenVPN firewall rule: you're only routing UDP traffic over the PIA VPN. You might want to add a rule above the VPN gateway rules that allows traffic headed to your LAN nets to pass. If you create an ALIAS that includes all of your local subnets, you can accomplish this in a single rule. Please see my current config as an example:
https://snag.gy/cGyrFU.jpg
Edit:
Please excuse the crappy MS Paint job on that screenshot. Local 2 would be my neighbor's subnets.
Edit - v2:
By disconnect the gateway, I mean going to Status -> OpenVPN and stopping one of the clients at a time. I thought my wording was ambiguous and needed clarification.
Walk-through of my rules from the PIAVPN section down:
-all sources headed to sites listed in URL TUNNEL BYPASS will route directly through WAN (certain sites don't like PIA VPN IP addresses, so you'll have to route them out normally)
-second rule forces traffic that isn't destined for local subnets over the PIA VPN.
In the LAN section:
-traffic headed to my neighbor gets routed to the gateway on his side
-allow all outbound traffic from LAN via WAN gateway. (Hosts that are a member of my TUNNEL BYPASS alias get routed by this rule due to inverse matching on PIA section rule 2.) This allows traffic to flow between my OpenVPN clients and LAN and vice versa.
Edit - v3:
Here is a screenshot of my OpenVPN firewall routing rules:
https://snag.gy/Kc2hOD.jpg
-
All you have to do to plug your DNS leak with the resolver is select your PIA interface as your only outbound interface.
-
Changing the PIA VPN gateway to the default gateway accomplishes this.
https://snag.gy/QoWkB9.jpg
-
Your current gateway group has both gateways set as tier 1, which will load balance outbound traffic on those gateways. If you're trying to test throughput, the easiest way would be to disconnect one of the gateways at a time. This will guarantee you won't see random load balancing happening in the middle of a test.
This is what I've been trying to do for the last page and a half with pfbasic. The pictures I attached at your request were for the normal setup. Just to clarify :)
Your firewall rules will route ALL traffic over the VPN. This will include traffic from your OpenVPN clients and WiFi that might be headed to your LAN.
You also have an error in your OpenVPN firewall rule: you're only routing UDP traffic over the PIA VPN. You might want to add a rule above the VPN gateway rules that allows traffic headed to your LAN nets to pass. If you create an ALIAS that includes all of your local subnets, you can accomplish this in a single rule. Please see my current config as an example:
https://snag.gy/cGyrFU.jpg
Edit:
Please excuse the crappy MS Paint job on that screenshot. Local 2 would be my neighbor's subnets.
Edit - v2:
By disconnect the gateway, I mean going to Status -> OpenVPN and stopping one of the clients at a time. I thought my wording was ambiguous and needed clarification.
Walk-through of my rules from the PIAVPN section down:
-all sources headed to sites listed in URL TUNNEL BYPASS will route directly through WAN (certain sites don't like PIA VPN IP addresses, so you'll have to route them out normally)
-second rule forces traffic that isn't destined for local subnets over the PIA VPN.
In the LAN section:
-traffic headed to my neighbor gets routed to the gateway on his side
-allow all outbound traffic from LAN via WAN gateway. (Hosts that are a member of my TUNNEL BYPASS alias get routed by this rule due to inverse matching on PIA section rule 2.) This allows traffic to flow between my OpenVPN clients and LAN and vice versa.
Edit - v3:
Here is a screenshot of my OpenVPN firewall routing rules:
https://snag.gy/Kc2hOD.jpg
Thank you, will try this when I get home.
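The rule walk-through quoted above (a LOCAL Subnets alias passed with no gateway, a URL tunnel bypass rule, an inverse-matched PIA VPN rule, a catch-all LAN rule, and the OpenVPN interface rule that was mistakenly limited to UDP) can be reasoned about as a first-match policy. The following Python is an added example and not code from the thread or from pfSense: pf itself evaluates the real rules, and NAT, state tracking and gateway-group failover are deliberately left out. The alias contents, addresses, rule names and the `route()` helper are constructed assumptions. Running it shows which gateway each sample packet takes, why a bypass rule placed below the VPN rule never fires, and why a UDP-only OpenVPN rule leaves TCP with no matching rule.

```python
"""Toy first-match model of the policy-routing rules described in the thread.

Added example, not pfSense code: pf evaluates the real rules, and pfSense adds
NAT, states and gateway-group failover on top of this simplified picture.
All aliases, addresses and rule names below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed aliases (the poster's real subnets and hosts are not on the page)
LOCAL_SUBNETS = [ip_network("10.0.0.0/24"), ip_network("10.0.100.0/24")]  # "LOCAL Subnets"
TUNNEL_BYPASS = [ip_network("10.0.0.50/32")]         # hosts never sent over the VPN
URL_TUNNEL_BYPASS = [ip_network("203.0.113.10/32")]  # e.g. a "what's my IP" site


@dataclass
class Rule:
    desc: str
    gateway: Optional[str] = None         # None = plain pass; the routing table decides
    proto: Optional[str] = None           # None = any protocol
    src: Optional[List[IPv4Network]] = None
    dst: Optional[List[IPv4Network]] = None
    src_invert: bool = False              # the "!" (inverse match) box on the rule
    dst_invert: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str


def _in_alias(addr: str, alias: List[IPv4Network]) -> bool:
    a = ip_address(addr)
    return any(a in net for net in alias)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A field matches when the address is in the alias, or, with "!", when it is not."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and _in_alias(pkt.src, rule.src) == rule.src_invert:
        return False
    if rule.dst is not None and _in_alias(pkt.dst, rule.dst) == rule.dst_invert:
        return False
    return True


def route(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; nothing matched = pfSense's default deny."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.gateway is not None:
                return rule.desc, rule.gateway            # policy routed
            # Plain pass: directly connected nets go out directly,
            # everything else follows the system default gateway (WAN here).
            return rule.desc, "direct" if _in_alias(pkt.dst, LOCAL_SUBNETS) else "WAN"
    return "(no rule)", "BLOCKED"


def lan_rules(bypass_above_vpn: bool = True) -> List[Rule]:
    """LAN rules in the order of the walk-through, plus the local-nets pass rule."""
    local = Rule("pass to LOCAL Subnets, no gateway", dst=LOCAL_SUBNETS)
    url_bypass = Rule("URL TUNNEL BYPASS -> WAN", gateway="WAN", dst=URL_TUNNEL_BYPASS)
    vpn = Rule("! TUNNEL BYPASS, ! LOCAL -> PIA VPN", gateway="PIA_VPN",
               src=TUNNEL_BYPASS, src_invert=True, dst=LOCAL_SUBNETS, dst_invert=True)
    default = Rule("allow all LAN -> WAN", gateway="WAN")
    if bypass_above_vpn:
        return [local, url_bypass, vpn, default]
    return [local, vpn, url_bypass, default]       # the order that hides the bypass


def openvpn_rules(udp_only: bool) -> List[Rule]:
    """OpenVPN interface rules; udp_only=True reproduces the reported mistake."""
    return [
        Rule("pass to LOCAL Subnets, no gateway", dst=LOCAL_SUBNETS),
        Rule("OpenVPN clients -> PIA VPN", gateway="PIA_VPN",
             proto="udp" if udp_only else None),
    ]


if __name__ == "__main__":
    checks = [
        (lan_rules(), Packet("tcp", "10.0.0.20", "198.51.100.7")),       # PIA_VPN
        (lan_rules(), Packet("tcp", "10.0.0.20", "10.0.100.5")),         # direct
        (lan_rules(), Packet("tcp", "10.0.0.50", "198.51.100.7")),       # WAN (bypass host)
        (lan_rules(False), Packet("tcp", "10.0.0.20", "203.0.113.10")),  # PIA_VPN: wrong order
        (openvpn_rules(udp_only=True), Packet("tcp", "10.8.0.2", "198.51.100.7")),  # BLOCKED
    ]
    for rules, pkt in checks:
        print(pkt, "->", route(rules, pkt))
```

The model treats every rule as "quick" (first match ends evaluation), which is how pfSense rules behave; the useful exercise is to feed it the packets you would test by hand (a LAN host to a local subnet, a bypass host to the internet, an OpenVPN client over TCP) and confirm the gateway before touching the real ruleset.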
-
Thank you for that detailed description. I do have a few questions for you anyway, isolatedvirus, since I'm a total noob at these things.. :-[
When I try to make the first FW rule you have directly under your anti-lockout rule, it puts it into my OpenVPN FW rules page. What am I doing wrong?
Is your "Internet_Gateway_Group" your VPNGG?
What is your "Tunnel_failover_Group" directing to?
In the FW rule to bypass certain websites, what action have you set it to?
What is in your "! Tunnel bypass" alias?
Your "LOCAL Subnets" alias: is it done with all specific IPs on the local network, or can it be done with ranges? i.e. all who gain access to my AP on the WLAN interface. Or even simpler, just type in my LAN and WLAN IPs?
I have gotten the URL_Bypass rule to work, somewhat, by setting the gateway to WAN. I included www.ipmonkey.com to check if the connection was going around my VPN and it seems to do so, but one webpage I included (a local broadcasting company, who has geolock on some of their videos) still says I'm not in the approved country and therefore I am denied to watch the video.
-
This is what I've been trying to do for the last page and a half with pfbasic. The pictures I attached at your request were for the normal setup. Just to clarify :)
I know you were setting up load balancing but I saw you were having issues testing throughput over each individual link. There's nothing wrong with marking a gateway as down then testing, I just do it differently and wanted to provide another option for your 'arsenal' if you will :)
When I try to make the first FW rule you have directly under your anti-lockout rule, it puts it into my OpenVPN FW rules page. What am I doing wrong?
When you're creating the rule you have the interface set as your OpenVPN interface.
Is your "Internet_Gateway_Group" your VPNGG?
No. I have a fiber line run to my neighbor, and if my internet goes out my traffic routes over his WAN and vice versa. "Internet Gateway Group" for me is just my WAN set as tier 1, and my neighbor's set as tier 2.
What is your "Tunnel_failover_Group" directing to?
"Tunnel failover group" for me is set as: PIA VPN Gateway - Tier 1, WAN - Tier 2, Neighbor's WAN - Tier 3. I have it set like this so that, should my PIA VPN drop, all outbound traffic isn't stopped.
In the FW rule to bypass certain websites, what action have you set it to?
Pass
What is in your "! Tunnel bypass" alias?
"Tunnel Bypass" is an alias group with gaming consoles in it. It's anything that I never want to go over the VPN. The "!" in the rule denotes inverse matching, meaning 'not a member of the tunnel bypass group'. The actual group name has nothing to do with inverse matching, and doesn't have an exclamation point in it. That's purely there to show the inverse matching on the rule.
Your "LOCAL Subnets" alias: is it done with all specific IPs on the local network, or can it be done with ranges? i.e. all who gain access to my AP on the WLAN interface. Or even simpler, just type in my LAN and WLAN IPs?
I have my local subnets set as CIDR ranges. So you'd put 10.0.0.0/24, 10.0.100.0/24, etc., depending on the actual subnet IPs.
I have gotten the URL_Bypass rule to work, somewhat, by setting the gateway to WAN. I included www.ipmonkey.com to check if the connection was going around my VPN and it seems to do so, but one webpage I included (a local broadcasting company, who has geolock on some of their videos) still says I'm not in the approved country and therefore I am denied to watch the video.
You've got the rule set up correctly, but you might have the rule order wrong then. Since it's first match, you'd want the rule for bypass above the rule for the VPNGG that you have.
Sorry for the late response, I was working on my truck and didn't realize the time lol.
Edit:
A good way to test the URL bypass is to add any of the "What's my IP address" websites to the bypass group. That way you can debug the routing/firewall rules quickly by just going to a website and seeing which IP shows up.
-
I know you were setting up load balancing but I saw you were having issues testing throughput over each individual link. There's nothing wrong with marking a gateway as down then testing, I just do it differently and wanted to provide another option for your 'arsenal' if you will :)
:D
Sorry for the late response, I was working on my truck and didn't realize the time lol.
No worries.
I have my local subnets set as CIDR ranges. So you'd put 10.0.0.0/24, 10.0.100.0/24, etc., depending on the actual subnet IPs.
I tried this, but it makes the IP list weird and I think this broke the rest of the setup.
I have gotten the URL_Bypass rule to work, somewhat, by setting the gateway to WAN. I included www.ipmonkey.com to check if the connection was going around my VPN and it seems to do so, but one webpage I included (a local broadcasting company, who has geolock on some of their videos) still says I'm not in the approved country and therefore I am denied to watch the video.
You've got the rule set up correctly, but you might have the rule order wrong then. Since it's first match, you'd want the rule for bypass above the rule for the VPNGG that you have.
After I made the LOCAL subnet and new WAN GG it pushes me over VPN.
Edit:
A good way to test the URL bypass is to add any of the "What's my IP address" websites to the bypass group. That way you can debug the routing/firewall rules quickly by just going to a website and seeing which IP shows up.
This I did, and it now shows my VPN IP.
So I reverted back to a backup of a clean simple install with WLAN so I could get everything set up as you have, but it doesn't seem to be working quite right. I have tried to comment above on what I've found.
Sorry for the short reply, but I only got 2 hours of tinkering done and am now off to bed. I can of course elaborate on it tomorrow if you need more info.
I have attached photos of what I made.
On the Local subnet alias I put in 192.168.1.1-192.168.1.245 /24 (as an example), but instead of listing every IP ending with 1 to 245 it makes the jumps you see in the picture, and it also sets the subnet; this also applies to the WLAN.
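The "jumps" described in the post above are what you get when a start-end range is broken into the smallest set of CIDR blocks that covers it exactly. The following Python is an added example, not code from the thread or from pfSense; it assumes pfSense stores an alias range as that minimal CIDR list (which is what the standard library's `summarize_address_range` computes) and uses the range from the post as its sample input. It also shows the contrast drawn in the replies: entering the subnet itself yields a single /24 entry.

```python
"""Why an IP range entered in an alias shows up as a list of CIDR blocks.

Added example, not pfSense code. Assumption: pfSense keeps a range as the
minimal set of CIDR blocks covering it, the same set ipaddress produces.
"""
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import List


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Minimal list of CIDR blocks that covers first..last inclusive."""
    return [str(net) for net in summarize_address_range(ip_address(first), ip_address(last))]


def addresses_covered(cidrs: List[str]) -> int:
    """Total number of addresses in a list of CIDR blocks (sanity check)."""
    return sum(ip_network(c).num_addresses for c in cidrs)


if __name__ == "__main__":
    # Constructed sample: the range quoted in the thread, 192.168.1.1-192.168.1.245
    blocks = range_to_cidrs("192.168.1.1", "192.168.1.245")
    print(len(blocks), "blocks:", ", ".join(blocks))   # 12 blocks, the "jumps"
    print(addresses_covered(blocks), "addresses")       # 245, so nothing is lost
    # Entering the whole subnet instead gives one tidy entry:
    print(range_to_cidrs("192.168.1.0", "192.168.1.255"))   # ['192.168.1.0/24']
```

A range that does not start and end on a power-of-two boundary can never be one block, so the alias is not broken; if the intent is "every host on the LAN", entering the network in CIDR form (as the earlier reply suggests) is both shorter and easier to audit.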
-
Your Internet_GG group is the PIA VPN gateways, so you're routing all traffic through the VPN, and nothing is bypassing it.
On your OpenVPN interface, you'll want a rule to allow all traffic and don't set a gateway. This will allow traffic headed to local subnets to be routed correctly.
I figured I'd offer a remote screen share session over Skype or something else. I'll be able to see the config live and fix any issues you have. The only thing I'd ask is, since we'd be troubleshooting over voice and screen share, that you post screenshots of what we had to do so there's something in the forums for other users to view in case they're in a similar situation.
-
That is very generous of you and I will gladly accept your offer! I will definitely post screenshots of the whole setup when we're done.
My time zone is GMT+1, so right now it's 7 am. I'm leaving for university in 5 mins and will be back in roughly 6½ hours, at 1.30 pm. If you at any time after that point have time, please reply and we will set something up.
If there is any program you prefer we use, we use that program. I have only used TeamViewer before.
-
I'm in EDT (UTC-4). I'd prefer to use Skype so we can do a voice call + screen share. Much easier to answer questions that way lol. I'll PM you my info.
-
So the problem was solved. After a TeamViewer session yesterday going over my settings with isolatedvirus, in the end he suggested that I try pfSense 2.3.3 stable.
And voila, it all works now.
We both agreed that my latency was way too high, waiting 10-15 seconds for certain websites to start loading. Also my RTT to the PIA servers was high for the distance I had to the servers. We saw RTT around 50 ms spiking to 130 ms.
This has also been fixed by going back to 2.3.3.
Thank you PfBasic for your patience and many replies.
And thank you isolatedvirus for spending so much time yesterday going through everything and in the end suggesting to revert back to 2.3.3 :)
Turns out that I also don't need to modify the OpenVPN custom options with the following anymore.
fast-io; sndbuf 524288; rcvbuf 524288
EDIT
Haven't tested running only one VPN client, but I'm guessing that it will also work. If you want, I could test it out.
-
I'm glad you got it working!
You should post a thread in the 2.4.0 subforum with a link to your last post in this thread since it seems to be an issue in the BETA build.
https://forum.pfsense.org/index.php?topic=129193.msg714283#msg714283
-
Sorry for the late reply, it has been a bit hectic lately.
I have just now posted on the 2.4 subforum, hope it can help out.
I have also gone back and am now running with only one VPN client, and it seems to work as well as running two clients. Can't decide if I want one or two clients, will have to tinker a bit more.
Next step: Suricata. I seem to have some trouble with it shutting my VPN client down no matter how many alerts/blocks I suppress, but that is for another subforum. :)
Below is a pic running with the PIA standard setup (one client) and no packages on 2.3.3/2.3.4.
-
May I ask if you are still on 2.3.3? I have latency issues on 2.4.1.
-
@gtj:
Funny! I was going to ask this question myself, because after getting 2.4.1 running, and also 2.4.2, I have had latencies in the 20-80 ms range; on 2.3.4 it was 1-10 ms.