[SOLVED] Slow PIA VPN connection on pfsense 2.4b
-
PIA doesn't have a 100Mbps per user cap.
It's common to get much more than that. The highest I think I've seen reported on here was in the 600Mbps range on a single instance.
Using gateway groups as is works just fine, you don't need to do anything funky with your website traffic or session tracking at all. You're unnecessarily overcomplicating it.
Looking for anything going to !PIA_IP on pcap will only work if you are routing all of your traffic to the VPN, most people do not do this because many services don't work over VPN.
you CAN get more than 100, i just pulled 153mbps. but PIA themselves say if youre running slow to try another gateway. If hes experiencing slow throughput (since his CPUs can handle the speed) the issue would be on the receiving end's network. I'm just identifying possible bottlenecks, which the gateway group providing better throughput also points to the bottleneck being the VPN gateway hes using.
I personally push all traffic over PIA, and exclude based on destination (craigslist for one, doesnt like PIA and blocks their IPs) and also based on source host (I dont want to tunnel my gaming traffic from PS4's for latency reasons). My main concern is protecting user traffic from ISP logging due to congress's recent decision in the US.
The reason i mention multi wan session tracking is because of how the gateway handles the traffic (depending on PBR, and gateway configuration). I'm not saying there IS an issue, im just providing relevant 'possible issue' information so the OP is aware. If OP starts to experience issues, he'll know where to start looking. Just wanted to clarify where i was coming from so there wasn't a misunderstanding. :)
-
you can verify if traffic isnt being passed thorugh the VPN setup by going to diagnostic -> packet capture -> wan and leave the default options. Launch the packet cap, then do a bunch of broswing/speed tests. I'd recommend keeping the capture UNDER 5 SECONDS, otherwise youre going to be reading through a LARGE packet cap log.
Once you think youve generated enough traffic, stop the packet cap and read through the connections. If you see anything exiting your wan interface and headed to hosts other than your VPN provider, you've got a routing leak.
Running Packet capture confirms my suspicion, the traffic is about 50/50 split between VPN and ISP.
I will revert back and try from scratch.
Also in the pictures I have attached. Shouldn't the VPN gateways be online?
![Gateway offline.JPG](/public/imported_attachments/1/Gateway offline.JPG)
![Gateway offline.JPG_thumb](/public/imported_attachments/1/Gateway offline.JPG_thumb)
![Interfaces up.JPG](/public/imported_attachments/1/Interfaces up.JPG)
![Interfaces up.JPG_thumb](/public/imported_attachments/1/Interfaces up.JPG_thumb) -
You can add a different monitor IPs to your VPN gateways to check if they're up. Try 8.8.8.8 & 8.8.4.4 or something like that.
Can you post a screenshot of your gateway group settings?
-
You can add a different monitor IPs to your VPN gateways to check if they're up. Try 8.8.8.8 & 8.8.4.4 or something like that.
Can you post a screenshot of your gateway group settings?
It seems they have allready got monitor IP's set automatically. should I still switch them to your IP's?
-
Those are just google's public DNS servers, give it a shot. Sometimes switching them lets the monitor function work.
Your gateway is configured correctly. What are your firewall rules? If traffic is going out the wAN and you have gateway and firewall rules configured correctly then something is very wrong.
My guess is that you simply have some traffic that is allowed to go out the WAN and some going through the gateway group which is why the pcap is showing the WAN.
-
Those are just google's public DNS servers, give it a shot. Sometimes switching them lets the monitor function work.
That got them online! Thank you ;D
Your gateway is configured correctly. What are your firewall rules? If traffic is going out the wAN and you have gateway and firewall rules configured correctly then something is very wrong.
My guess is that you simply have some traffic that is allowed to go out the WAN and some going through the gateway group which is why the pcap is showing the WAN.
This is where it got really confusing for me and I started the whole "trial and error thing" and I may have ended up with a lot of unnecessary rules or in worst case, wrong rules.
I have attached pictures of all the rule pages I made changes or added new rules.
During this I realized that I had set the LAN rule adress to WLAN net instead of the intended WAN net, so I changed this.
I have set the OpenVPN rule to any, is this correct?
Also I was unsure of which protocol to use for all these rules..
EDIT
I was wondering if its normal to leak your internal network IP and another long IPv6? address? As seen in the last picture.![FW rule LAN 02.JPG](/public/imported_attachments/1/FW rule LAN 02.JPG)
![FW rule LAN 02.JPG_thumb](/public/imported_attachments/1/FW rule LAN 02.JPG_thumb)
![FW rule PIAVPN1.JPG](/public/imported_attachments/1/FW rule PIAVPN1.JPG)
![FW rule PIAVPN1.JPG_thumb](/public/imported_attachments/1/FW rule PIAVPN1.JPG_thumb)
![FW rule PIAVPN2.JPG](/public/imported_attachments/1/FW rule PIAVPN2.JPG)
![FW rule PIAVPN2.JPG_thumb](/public/imported_attachments/1/FW rule PIAVPN2.JPG_thumb)
![FW rule OpenVPN.JPG](/public/imported_attachments/1/FW rule OpenVPN.JPG)
![FW rule OpenVPN.JPG_thumb](/public/imported_attachments/1/FW rule OpenVPN.JPG_thumb)
![FW NAT OUTBOUND.JPG](/public/imported_attachments/1/FW NAT OUTBOUND.JPG)
![FW NAT OUTBOUND.JPG_thumb](/public/imported_attachments/1/FW NAT OUTBOUND.JPG_thumb)
-
Don't have time to read all right now but change WAN net to LAN net on your gateway group rule in the first screen shot.
I'll try to check out rest later. -
Don't have time to read all right now but change WAN net to LAN net on your gateway group rule in the first screen shot.
I'll try to check out rest later.Will do.
No problem. Thank you for taking your time to help, its very appreciated. :)
EDIT
After setting it to LAN net and switching one VPN clints server (apparently the closest one to me is congested), I'm now running at full speed 106mbitBut again I'm seeing less CPU usage than running with with a single VPN.
I found this guide https://nguvu.org/pfsense/pfsense-multi-vpn-wan/
Is it any good?
He's doing a lot of things I haven't done fx. the way he set up the FW rules to block and log all IP traffic.![Steam VPNGG LAN net.JPG_thumb](/public/imported_attachments/1/Steam VPNGG LAN net.JPG_thumb)
![Steam VPNGG LAN net.JPG](/public/imported_attachments/1/Steam VPNGG LAN net.JPG) -
Tried pinging a few websites to test my latency and found that 99% of the time the first ping fails and then the rest comes through and if I then ping the same page again they all go through.
It fits with how every homepage I open hangs for 2-12 seconds and then loads.
![Ping VPNGG.jpg](/public/imported_attachments/1/Ping VPNGG.jpg)
![Ping VPNGG.jpg_thumb](/public/imported_attachments/1/Ping VPNGG.jpg_thumb) -
Delete the second allow any rule on your LAN to any Gateway
Delete all rules on PIAVPN1&2 interfaces
Then repost your rules.
-
Delete the second allow any rule on your LAN to any Gateway
Delete all rules on PIAVPN1&2 interfaces
Then repost your rules.
There you go.
![FW rule WAN.JPG](/public/imported_attachments/1/FW rule WAN.JPG)
![FW rule WAN.JPG_thumb](/public/imported_attachments/1/FW rule WAN.JPG_thumb)
![FW rule LAN new.JPG](/public/imported_attachments/1/FW rule LAN new.JPG)
![FW rule LAN new.JPG_thumb](/public/imported_attachments/1/FW rule LAN new.JPG_thumb)
![FW rule WLAN.JPG](/public/imported_attachments/1/FW rule WLAN.JPG)
![FW rule WLAN.JPG_thumb](/public/imported_attachments/1/FW rule WLAN.JPG_thumb)
![FW rule PIA1_WAN.JPG](/public/imported_attachments/1/FW rule PIA1_WAN.JPG)
![FW rule PIA1_WAN.JPG_thumb](/public/imported_attachments/1/FW rule PIA1_WAN.JPG_thumb)
![FW rule PIA2_WAN.JPG](/public/imported_attachments/1/FW rule PIA2_WAN.JPG)
![FW rule PIA2_WAN.JPG_thumb](/public/imported_attachments/1/FW rule PIA2_WAN.JPG_thumb)
![FW rule OpenVPN.JPG](/public/imported_attachments/1/FW rule OpenVPN.JPG)
![FW rule OpenVPN.JPG_thumb](/public/imported_attachments/1/FW rule OpenVPN.JPG_thumb) -
On your LAN & WLAN, if oyu want all of your traffic to go through the Gatewat group, you need to specify the gateway group as the only gateway.
The way those are written, nothing will go out of your gateway group except your OpenVPN server.
-
On your LAN & WLAN, if oyu want all of your traffic to go through the Gatewat group, you need to specify the gateway group as the only gateway.
The way those are written, nothing will go out of your gateway group except your OpenVPN server.
Ok, I thought that was fine as the NAT i specified was the OpenVPN.
but I've changed it now.
EDIT
Just to clarify, what I've change is what you said. haven't changed anything in NAT rules.download speed is on pair with running over my pc client now, but latencies are still high.
![FW rule LAN to GG.JPG](/public/imported_attachments/1/FW rule LAN to GG.JPG)
![FW rule LAN to GG.JPG_thumb](/public/imported_attachments/1/FW rule LAN to GG.JPG_thumb)
![FW rule WLAN to GG.JPG](/public/imported_attachments/1/FW rule WLAN to GG.JPG)
![FW rule WLAN to GG.JPG_thumb](/public/imported_attachments/1/FW rule WLAN to GG.JPG_thumb) -
OK, great! Can you get full speed with just one VPN client now that your rules are set up correctly? Try just changing one of the VPNs in the gateway group to never.
High latency is a fact of life when you are routing all of your traffic via a VPN.
To pick the best VPN server for you check out this list. https://www.privateinternetaccess.com/pages/network/
Closer is generally better latency but not always.
I would expand out from your closest server and test them out on pfSense to see which one is the best for you.
Also, VPN servers performance will vary over time. If there are a lot of users on it you will notice. So, when using a gateway group, it is probably to your advantage to pick the two best servers for you, and put one of them in each of your clients so that if one network goes down or gets shitty. You will seamlessly be using a different server. This is what gateway grouping is usually used for.
The OpenVPN gateway group is just a hack to get around the fact that OpenVPN is single threaded.
-
I got full speed again with one VPN set to never (see picture bellow)
But it seems that pfsense ignored it completely and still used both VPN's![GG group VPN2 NEVER.JPG](/public/imported_attachments/1/GG group VPN2 NEVER.JPG)
![GG group VPN2 NEVER.JPG_thumb](/public/imported_attachments/1/GG group VPN2 NEVER.JPG_thumb)
![Bandwidth monitor with VPN2 disabled.JPG](/public/imported_attachments/1/Bandwidth monitor with VPN2 disabled.JPG)
![Bandwidth monitor with VPN2 disabled.JPG_thumb](/public/imported_attachments/1/Bandwidth monitor with VPN2 disabled.JPG_thumb) -
Sorry, set your gateway group back to the way you had it, just change the LAN firewall rule from your gateway group to one of your VPN clients and try again.
-
Sorry, set your gateway group back to the way you had it, just change the LAN firewall rule from your gateway group to one of your VPN clients and try again.
Not quite, I would say its the same as before bandwidth wise, running with only one VPN.. Also it seems that pfsense refrains from using my VPN2 connection at in the beginning as the monitor reported no bw. but somehow it kicks in midway in the Ubuntu download and starts using it anyway..
The picture dosn't show the beginning of the download, but the VPN2 connection was completely dead, nothing was going in or out.
![Bandwidth monitor with VPN2 disabled 2nd try.JPG](/public/imported_attachments/1/Bandwidth monitor with VPN2 disabled 2nd try.JPG)
![Bandwidth monitor with VPN2 disabled 2nd try.JPG_thumb](/public/imported_attachments/1/Bandwidth monitor with VPN2 disabled 2nd try.JPG_thumb) -
You mean it's still using the other VPN connection even when you change the firewall rule to one VPN insteadof the gateway group? You might need to reset the state table (diagnostics/states) and restart the VPN service (Status/OpenVPN).
Have you tried trouble shooting different VPN servers? Try some that have a lot of throughput even if they are far away from you.
us-east.privateinternetaccess.com
us-texas.privateinternetaccess.com
us-california.privateinternetaccess.com
uk-london.privateinternetaccess.comIt is really strange that you can't hit line speeds on a single instance.
-
You mean it's still using the other VPN connection even when you change the firewall rule to one VPN insteadof the gateway group? You might need to reset the state table (diagnostics/states) and restart the VPN service (Status/OpenVPN).
Yup! but only in the end of the download.
Have you tried trouble shooting different VPN servers? Try some that have a lot of throughput even if they are far away from you.
us-east.privateinternetaccess.com
us-texas.privateinternetaccess.com
us-california.privateinternetaccess.com
uk-london.privateinternetaccess.comIt is really strange that you can't hit line speeds on a single instance.
No not yet, but I'm currently using the NL server, which has the highest throughput in Europe and also always have worked flawlessly on my pc client. I can however of course try the others.
![FW rule LAN one VPN.JPG](/public/imported_attachments/1/FW rule LAN one VPN.JPG)
![FW rule LAN one VPN.JPG_thumb](/public/imported_attachments/1/FW rule LAN one VPN.JPG_thumb)
![Bandwidth monitor with VPN2 disabled beginning 3nd try.JPG](/public/imported_attachments/1/Bandwidth monitor with VPN2 disabled beginning 3nd try.JPG)
![Bandwidth monitor with VPN2 disabled beginning 3nd try.JPG_thumb](/public/imported_attachments/1/Bandwidth monitor with VPN2 disabled beginning 3nd try.JPG_thumb)
![Bandwidth monitor with VPN2 disabled endning 3nd try.JPG](/public/imported_attachments/1/Bandwidth monitor with VPN2 disabled endning 3nd try.JPG)
![Bandwidth monitor with VPN2 disabled endning 3nd try.JPG_thumb](/public/imported_attachments/1/Bandwidth monitor with VPN2 disabled endning 3nd try.JPG_thumb) -
weird, easiest thing is just ot reboot the whole router and try again.