[SOLVED] Slow PIA VPN connection on pfsense 2.4b

isolatedvirus

your Internet_GG group is the PIA VPN gateways. so youre routing all traffic through the VPN, and nothing is bypassing it.

On your openvpn interface, youll want a rule to allow all traffic and dont set a gateway. this will allow traffic headed to local subnets to be routed correctly.

I figured id offer a remote screen share session over skype or something else. I'll be able to see the config live and fix any issues you have. The only thing I'd ask is since we'd be troubleshooting over voice and screen share that you post screenshots of what we had to do so there's something in the forums for other users to view in case they're in a similar situation.

Runenaldo

@isolatedvirus:

I figured id offer a remote screen share session over skype or something else. I'll be able to see the config live and fix any issues you have. The only thing I'd ask is since we'd be troubleshooting over voice and screen share that you post screenshots of what we had to do so there's something in the forums for other users to view in case they're in a similar situation.

That is very generous of you and I will gladly accept your offter! I will definitely post screenshots of the whole setup when we're done.
my time zone is GMT+1 so right now its 7 am, I'm leaving for university in 5 mins and will be back in roughly 6½ hours. at 1.30 pm If you at any time after that point have time please reply and we will set something up.

If there is any program you prefer we use, we use that program. I have only used Teamviewer before.

isolatedvirus

I'm in EDT (-4 UTC). I'd prefer to use skype so we can do a voice call + screen share. Much easier to answer questions that way lol. I'll PM you my info.

Runenaldo

So the problem was solved. After a TeamViewer session yesterday going over my settings with isolatedvirus, in the end he suggested that I tried pfsense 2.3.3 stable.
And voila it all works now.

We both agreed that my latency was way to high, waiting for certain websites to start loading after 10-15 seconds. Also my RTT to the PIA servers was high for the distance I had to the servers. We saw RTT around 50 spiking to 130 ms
This has also been fixed, by going back to 2.3.3

Thank you PfBasic for your patience and many replies.
And thank you isolatedvirus for spending so much time yesterday going trough everything and in the end suggesting to revert back to 2.3.3  :)

Turns out that I also dont need to modify the OpenVPN custom options with the following anymore.

fast-io;
sndbuf 524288;
rcvbuf 524288

EDIT
Haven't tested running only one VPN client, but I'm guessing that it will also work. If you want, I could test it out.


pfBasic

I'm glad you got it working!

You should post a thread in the 2.4.0 subforum with a link to your last post in this thread since it seems to be an issue in the BETA build.

https://forum.pfsense.org/index.php?topic=129193.msg714283#msg714283

Runenaldo

@pfBasic:

I'm glad you got it working!

You should post a thread in the 2.4.0 subforum with a link to your last post in this thread since it seems to be an issue in the BETA build.

https://forum.pfsense.org/index.php?topic=129193.msg714283#msg714283

Sorry for the late reply, it has been a bit hectic lately.
I have just now posted on the 2.4 subforum, hope it can help out.

I have also gone back and are now running with only one VPN client and it seems to work as good as running two clients. Cant decide if want one or two clients, will have to tinker a bit more.
Next step Suricata. I seem to have some trouble with it shutting my VPN client down no matter how many alert/blocks I suppress, but that is for another subforum.  :)

Bellow is a pic running with PIA standard setup (one client) and no packages on 2.3.3/2.3.4.


gtj

@Runenaldo:

So the problem was solved. After a TeamViewer session yesterday going over my settings with isolatedvirus, in the end he suggested that I tried pfsense 2.3.3 stable.
And voila it all works now.

We both agreed that my latency was way to high, waiting for certain websites to start loading after 10-15 seconds. Also my RTT to the PIA servers was high for the distance I had to the servers. We saw RTT around 50 spiking to 130 ms
This has also been fixed, by going back to 2.3.3

Thank you PfBasic for your patience and many replies.
And thank you isolatedvirus for spending so much time yesterday going trough everything and in the end suggesting to revert back to 2.3.3  :)

Turns out that I also dont need to modify the OpenVPN custom options with the following anymore.

fast-io;
sndbuf 524288;
rcvbuf 524288

EDIT
Haven't tested running only one VPN client, but I'm guessing that it will also work. If you want, I could test it out.

May I ask if you are still on 2.3.3? I have latency issues on 2.4.1

Runenaldo

@gtj:

May I ask if you are still on 2.3.3? I have latency issues on 2.4.1

Funny! I was going to ask this question myself, because after getting 2.4.1 running and also 2.4.2 I have had latencies in the 20-80ms range.. on 2.3.4 it was 1-10ms

gtj

@Runenaldo:

@gtj:

May I ask if you are still on 2.3.3? I have latency issues on 2.4.1

Funny! I was going to ask this question myself, because after getting 2.4.1 running and also 2.4.2 I have had latencies in the 20-80ms range.. on 2.3.4 it was 1-10ms

I'm so relieved I'm not alone in this!
I'm new to this and had started to have second thoughts about my hardware's capacity (APU2C4). However, it does not utilize more than 10% of CPU and it's always running cool. I have also checked the AES-IN option.

On another note, up until last week I was running a PIA router based on an arm-based UBUNTU box which is less powerful than my current build and had not had any latency issues.

Do you think we should try to install 2.3.3?
On 2.4.1 there are also changes in the menus and the instructions provided by PIA are not all valid. I had to hard-guess a few of those settings as they are not the same with the provided documentation.

I tried to install 2.3.5 but faced a problem with update menu tags resulting in options such as 128 encryption not being selectable. Therefore, I had to force a serial console upgrade.

I'm now considering trying ''pfSense-CE-memstick-serial-2.3.3-RELEASE-amd64'' from https://atxfiles.pfsense.org/mirror/downloads/old/

Any thoughts?

Runenaldo

@gtj:

I'm so relieved I'm not alone in this!
I'm new to this and had started to have second thoughts about my hardware's capacity (APU2C4). However, it does not utilize more than 10% of CPU and it's always running cool. I have also checked the AES-IN option.

On another note, up until last week I was running a PIA router based on an arm-based UBUNTU box which is less powerful than my current build and had not had any latency issues.

Do you think we should try to install 2.3.3?
On 2.4.1 there are also changes in the menus and the instructions provided by PIA are not all valid. I had to hard-guess a few of those settings as they are not the same with the provided documentation.

I tried to install 2.3.5 but faced a problem with update menu tags resulting in options such as 128 encryption not being selectable. Therefore, I had to force a serial console upgrade.

I'm now considering trying ''pfSense-CE-memstick-serial-2.3.3-RELEASE-amd64'' from https://atxfiles.pfsense.org/mirror/downloads/old/

Any thoughts?

Thank you for the link! Have been searching all over for the older pfsense images after the whole J3455 not installing on 2.4.x issue.

I would say try v. 2.3.4 it was the last version i ran without issue before going to 2.4.1

gtj

@Runenaldo:

@gtj:

I'm so relieved I'm not alone in this!
I'm new to this and had started to have second thoughts about my hardware's capacity (APU2C4). However, it does not utilize more than 10% of CPU and it's always running cool. I have also checked the AES-IN option.

On another note, up until last week I was running a PIA router based on an arm-based UBUNTU box which is less powerful than my current build and had not had any latency issues.

Do you think we should try to install 2.3.3?
On 2.4.1 there are also changes in the menus and the instructions provided by PIA are not all valid. I had to hard-guess a few of those settings as they are not the same with the provided documentation.

I tried to install 2.3.5 but faced a problem with update menu tags resulting in options such as 128 encryption not being selectable. Therefore, I had to force a serial console upgrade.

I'm now considering trying ''pfSense-CE-memstick-serial-2.3.3-RELEASE-amd64'' from https://atxfiles.pfsense.org/mirror/downloads/old/

Any thoughts?

Thank you for the link! Have been searching all over for the older pfsense images after the whole J3455 not installing on 2.4.x issue.

I would say try v. 2.3.4 it was the last version i ran without issue before going to 2.4.1

You are very welcome.
I hope we'll both get this sorted.
I'm going to try  2.3.4 first thing as soon as I get home!

Runenaldo

Did it work out for you with 2.3.4, or did you get another image to work?