PIA OpenVPN ridiculously slow since upgrade to 2.4.2



  • I recently upgraded from 2.3.4 to 2.4.2, and since upgrading my VPN speeds have dropped to unusable levels.  My service from Comcast is 300Mbps, and without the VPN typically tests between 300 and 350Mbps.  I have tried 6 different test sites, and now with the VPN active are typically between 3 and 5 Mbps.  One site is even below 1 Mbps.  I also tried downloading some large test files from two different sites, and these also poked along at less than 1 Mbps.  Fast.com was an exception, still testing above 300 Mbps, but this is likely because I have whitelisted many Netflix servers since they don't work through the VPN.  As a control, I have included speedtest.net on my whitelist.  When I run a test on speedtest, it reports my true Comcast IP address, but still tests around 5 Mbps.  Also strange, the upload speed for all sites that report it is typically 3-4 times the download speed.

    This does not appear to be CPU related. Watching the dashboard during the tests, my CPU never went above 5%.  Maybe it should have gone higher, but it certainly did not max out.  I have also tried several different PIA servers, but the results are about the same for all of them.  It also doesn't seem to be the test protocol for the test sites.  If I whitelist my PC, all of these sites will test much higher.  Most are 250+, but there is one between 70 and 80.  This one I do chalk up to the site.

    My motherboard is an Asrock J4205-ITX with a J4205 Pentium CPU.  This CPU is a quad core, 1.5 GHz, and I'm running it with 8GB of RAM.  This should be way more horsepower than needed for pfSense.  I did have some trouble getting the board to boot under 2.4.0.  Fortunately I found a post in the forum from someone with the same board that fixed the boot issue.  The fix required me to add the following to /boot/loader.conf.local.

    machdep.disable_msix_migration=1
    

    I'll be honest, I don't know what this does, but it did fix my boot issue.  Could this be screwing with my VPN?

    My boot issue seemed to be related to all Apollo Lake series processors.  Could there be other issues related to these processors?

    Are there known VPN issues with pfSense 2.4.2?

    If I can't fix this, I'll have to stop using my VPN.

    Any help will be appreciated.



  • Which guide did you follow to set it up?

    Can you post your general configuration?

    follow this guide and use strong encryption: https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-pia-on-pfsense-2-4?new=1

    here are my custom options:
    remote-cert-tls server;
    reneg-sec 0;
    resolv-retry infinite;
    persist-key;
    persist-tun;
    cipher aes-256-cbc;
    auth sha256;
    tls-client;
    pull-filter ignore "auth-token"



  • I used the setup guide that you referenced.  I did not actually set up from scratch since the VPN was already set up in 2.3.5.  I followed the guide and updated settings as needed.  There were some settings I had to change.  I don't know if these are new since I first set up the VPN, or settings that were never right in the first place.  If they were wrong before, they didn't seem to affect performance as the VPN was working well enough.

    The changes I made were to Encryption Algorithm, NCP Algorithms, and Hardware Crypto.  I changed them from what they were, to what the current setup guide suggests.  There were a few settings at the top that the guide does not address such as Server mode, Protocol, and Device mode.  These I left as they were, assuming they were right from before.

    I'd be happy to share my setup.  I couldn't find an option to export or download settings.  So I printed the settings page to a PDF that I've attached.  The PDF is zipped due to forum upload file type restrictions.  Please let me know if there is a better way.  Also please advise if there are other relevant settings.  My NAT rules are pretty straightforward.  Everything goes to the VPN except for two rules to pass traffic as needed.  Both use aliases, one based on my local IP addresses, the other the website domain that I'm accessing.  I'm not running any other packages at this time.

    [VPN_ OpenVPN_ Clients_ PDF.zip](/public/imported_attachments/1/VPN_ OpenVPN_ Clients_ PDF.zip)



  • page 4.  change to LZO compression - compress lzo, equivalent to comp-lzo yes

    page 5 enabled UDP fast write I/O operations

    i would save your current configuration under diagnostic - backup and restore. and try the strong vpn.  i will attach my speeds to the Atlanta server

    UPDATE.  well that was short lived.  my download speed is now 45Mb down according to the same test!




  • That may have helped a little.  My Verizon test increased 5X, but that's not saying much when the earlier tests were below 1Mbps.  Unfortunately the tests that make sense, Verizon, Speed Test, and Speed of Me, are still only showing download speeds between 4 and 7.5Mbps.  Then there are the tests that make no sense.

    Speedtest is currently whitelisted so that it does not use my VPN.  I did this because I wanted a non-VPN test for comparison.  Therefore it is no surprise that it displays my Comcast IP address.  What is a surprise is that it only downloaded at 5.06Mbps.  I'm guessing I've whitelisted the speedtest.net domain, but the actual test is routed through a different domain.

    On the other hand, Speakeasy shows my VPN IP address, but tested at 355Mbps, which seems to indicate it is not going through the VPN.

    All these tests were made just seconds apart with no change to my PC.  I just did one, switched to the next tab, and so on.  These results have me scratching my head.

    I've got another drive lying around.  I'm thinking about installing 2.3.5 just to see if the issue is unique to 2.4.2.

    ![IP Chicken.png](/public/imported_attachments/1/IP Chicken.png)
    ![Verizon Broadband Internet Speed Test.png](/public/imported_attachments/1/Verizon Broadband Internet Speed Test.png)
    ![Speed Test Free Internet Speed Test – HTML5.png](/public/imported_attachments/1/Speed Test Free Internet Speed Test – HTML5.png)
    ![SpeedOf Me Non Flash Java Broadband Speed Test.png](/public/imported_attachments/1/SpeedOf Me Non Flash Java Broadband Speed Test.png)
    ![Speedtest by Ookla.png](/public/imported_attachments/1/Speedtest by Ookla.png)
    ![Speakeasy Internet Speed Test MegaPath.png](/public/imported_attachments/1/Speakeasy Internet Speed Test MegaPath.png)



  • not sure if you read my post after i edited it but my speeds on Atlanta went down to 40Mb shortly afterwards.  i rarely use that server.

    i would suggest trying another server until you find one more consistent



  • I wish it was that easy.  I've actually tried 5 or 6 different PIA servers with similar results from all of them.  In the past I typically used their east coast or midwest servers.  When my speeds plummeted after the upgrade I tried both of them plus New York, Texas, and Atlanta.  Atlanta wasn't my preferred server, just the last one I tried.

    Confirmed that I do have a spare 2.5" drive that I can use for a clean 2.3.5 install.  I'm going to try that today.  If I do and speeds return to normal with the same settings then I'll know for sure it is a problem with 2.4.2.



  • Installed 2.3.5.  Restored backup.  Ran the same battery of speed tests.  Instant improvement!

    Speeds are still nothing like my non-VPN, but that's as expected.  I got 50-80 Mbps on all the test sites that should be VPN.  Ironically, speedtest.net, which the other day was showing my Comcast IP but testing super slow, is now showing my VPN IP, but testing at 276 Mbps.  Oh well, at least I'm getting workable speeds through the VPN.

    Definitely are some different settings for OpenVPN in 2.4.2 vs 2.3.5.  Even though I set them per the guides, apparently something wasn't agreeing with my system.

    I think I'll stick with 2.3.5 until I see a real reason to upgrade.