Netgate Discussion Forum

    Slooooooooooow connectivity

    OpenVPN
    9 Posts 3 Posters 932 Views

    • BuiltOnSelfSuccess

      Hello Community!

      I've been using pfSense for years now but I'm really stuck and would appreciate your valuable input in helping resolve an issue that I have had for the past few weeks. Troubleshooting using some of the recommendations in various threads on here unfortunately has not resolved the issue for me.
      I have been running OpenVPN on pfSense for a few years following the setup guide from my VPN provider. However, over the past few weeks I noticed that my download speeds seemed to have dropped from 200mb to around 60mb. I suspected that it was down to all the people now working remotely and "clogging up the pipes" but this seemed to have dropped further to around 30mb. I can connect directly to my router to bypass the VPN and can achieve over 200mb throughput on my 200mb line.

      I got researching and it seemed that there was another setup guide to complement the one provided by my VPN provider with a few updated sections: https://nguvu.org/pfsense/pfsense-baseline-setup/ so off I went and updated my OpenVPN settings to match the settings in the guide. This is where I get the Doh! moment: I now achieve download speeds of around 10mb, sometimes less!😭

      CPU
      Intel(R) Celeron(R) CPU N3160 @ 1.60GHz
      4 CPUs: 1 package(s) x 4 core(s)
      AES-NI CPU Crypto: Yes (active)
      usage seems to sit between 10 and 20%

      and memory usage at around 17%

      The things I've tried:
      Changing "Auth digest algorithm" from SHA512 to SHA256

      Adding AES-256-CBC to the existing AES-256-GCM NCP Algorithms

      In the openvpn configuration hardware crypto option I have changed it to BSD cryptodev engine based on a comment I read: There is no AES-NI option there because as long as AES-NI is enabled on the system openvpn uses it automatically.

      I currently have the same "Custom options" from the updated guide:
      client; persist-key; persist-tun; remote-cert-tls server; prng sha256 64; mlock; auth-nocache;

      I have also tried:
      sndbuf 524288;rcvbuf 524288;client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64;

      and

      socket-flags TCP_NODELAY; auth-nocache; mlock; key-direction 1; tls-version-min 1.2; key-method 2; tls-timeout 2; remote-cert-tls server; mssfix 0; tun-mtu 20000; explicit-exit-notify 5; persist-key; persist-tun; prng sha256 64;

      Each time I change the settings I test the speed to see if there is any difference but overall not much.
      I'm using Speedtest.net and https://sourceforge.net/speedtest/ to test speeds.

      I've also got Snort, Service Watchdog and pfBlockerNG-devel running.
      The Gateway status shows Online with 0.0% loss.
      All interfaces are up.

      Any help or guidance would be greatly appreciated!

      • BuiltOnSelfSuccess

        I've now also tried the recommendations here: https://docs.netgate.com/pfsense/en/latest/interfaces/low-throughput-troubleshooting.html#vpn-mtu-issues

        I disabled pfBlockerNG

        I disabled Snort

        Still I'm stuck with 10mb download speed and 20mb upload on a 200/20 line.....

        • Gertjan @BuiltOnSelfSuccess

          @BuiltOnSelfSuccess said in Slooooooooooow connectivity:

          my VPN provider

          All tests should be done without any other factor that might influence measurement.
          So exclude any VPN usage.
          Just you, WAN and LAN.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • Cool_Corona

            It's the speed from your endpoint on the VPN that's dropping???

            • BuiltOnSelfSuccess @Cool_Corona

              @Cool_Corona - how would I check\validate this please? Any idea?

              • Gertjan @Cool_Corona

                @Cool_Corona said in Slooooooooooow connectivity:

                It's the speed from your endpoint on the VPN that's dropping???

                Except for some special cases, they, the VPN suppliers, always offer a best-effort system.
                A VPN endpoint has a fixed size 'pipe' to the net, and if x users are connected to it, the bandwidth for the x users will be "pipe size" / x.
                And at that moment that endpoint makes a lot of money for the VPN suppliers, which is, after all, their one and only goal.

                A fixed size xxx Mbits contract could exist, and it will never be a mere ten dollar a month service.

                • BuiltOnSelfSuccess @Gertjan

                  @Gertjan said in Slooooooooooow connectivity:

                  @Cool_Corona said in Slooooooooooow connectivity:

                  It's the speed from your endpoint on the VPN that's dropping???

                  Except for some special cases, they, the VPN suppliers, always offer a best-effort system.
                  A VPN endpoint has a fixed size 'pipe' to the net, and if x users are connected to it, the bandwidth for the x users will be "pipe size" / x.
                  And at that moment that endpoint makes a lot of money for the VPN suppliers, which is, after all, their one and only goal.

                  A fixed size xxx Mbits contract could exist, and it will never be a mere ten dollar a month service.

                  I'm able to view the load on the VPN endpoint which has lots of capacity. MY VPN provider does not impose any bandwidth restrictions.
                  I'm certain the issue exists with something in my configuration but have exhausted my very limited knowledge...

                  • BuiltOnSelfSuccess

                    In the end all I did was change to a different server with a different entry IP, I get over 200mb throughput now.

                    Thank you for the replies.

                    • Gertjan

                      So, changing the server did the trick.

                      @BuiltOnSelfSuccess said in Slooooooooooow connectivity:

                      MY VPN provider does not impose any bandwidth restrictions.

                      Are you still certain? "impose" = willingly applying bandwidth restrictions is one thing. If a server is very popular, bandwidth will go down. It could even be the POP just before their server, something they do not control ...

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.