Gateway Group Issues with NordVPN



  • I have a SG-4860 running 2.3.2-RELEASE-p1 and a 300 Mbps connection. NordVPN is my VPN provider and their instructions on OpenVPN are here: https://nordvpn.com/tutorials/pfsense/pfsense-openvpn/ but they don't cover multiple tunnels. Full disclosure: I'm generally somewhat technical, but new to pfSense and working with VPNs!

    I've already successfully connected to NordVPN with a single VPN client, although it's a bit lower than I expected with throughput between 25-35 Mbps. I've tried all 4 of the clients I created (see below) and they all range 10-40 Mbps.

    Broadly, my goal is to maximize throughput while connected to OpenVPN. I've read that one way to achieve this is to have multiple tunnels connect via a Gateway Group in order to get increased throughput (for some activities that can utilize multiple connections). Since OpenVPN is single-threaded, running 4 tunnels should take advantage of each core on the SG-4860 (Quad Core Intel Atom C2558 2.4 GHz).

    Basically, I'm seeing slower speeds when I try and run this gateway group on the LAN firewall rule. However, it's difficult to find a reliable speed test because they seem to be all over the place. fast.com is probably blocking, speedtest.net shows speeds higher than my connection speed.

    Any insights on how to do this properly would be very much appreciated.

    Here is my pfSense configuration:

    CAs
    System > CAs > I've set up 4 CAs, each one pointing to a NordVPN server (us534.nordvpn.com, us535.nordvpn.com, us536.nordvpn.com, us537.nordvpn.com).

    VPN Clients
    I've set up 4 corresponding VPN clients. Detail below - lots of settings omitted if blank.

    • Server mode: Peer to Peer (SSL/TLS)

    • Protocol: UDP

    • Device Mode: tun

    • Interface: WAN

    • Server host or address: us534.nordvpn.com

    • Server port: 1194

    • Proxy Auth. - Extra options: none

    • Server hostname resolution: checked

    • Compression: Enabled with Adaptive Compression

    • Disable IPv6: checked

    • Don't pull routes: checked

    Interfaces
    All interfaces shown are enabled.

    Firewall / NAT / Outbound
    Went with Hybrid Outbound and created a rule for each interface.

    System / Routing / Gateway Groups
    Kept them all tier 1.

    Firewall / Rules / LAN
    Created a rule for LAN that uses the NORDVPN gateway group.

    Update
    I've used this site to do a speed test: https://web1.cachefly.net/speedtest/index.html
    While measuring LAN in pfSense I see speeds that are actually hard to believe. Is the pfSense chart accurate? Are my firewall rules somehow not routing everything through the VPN? (DNSleaktest does not reveal my ISP so I believe I'm behind the VPN).