Bypass ISP VPN Throttling

py

Running pfsense 2.4.5-p1 as a VPN client. Testing has indicated that my ISP is throttling my OpenVPN traffic.

Connected directly to the modem using my desktop and bypassing the pfsense box, speed tests average about 900 Mbs without VPN, and about 130 Mbs with OpenVPN, which is a bit more than I get when connected to the VPN through the pfsense box, (understandable).

Still connected directly to the modem and using obfuscation I can get up to 270 Mbs with Stunnel and average about 250 Mbs with SSH. These were the fastest obfuscation protocols supported by my VPN provider. The box running pfsense should be able to handle those speeds.

I have little idea how to implement either Stunnel or SSH with my VPN configuration in pfsense and I am looking for help in doing so from the experts. I have multiple OpenVPN clients running as part of a Gateway Group for failover purposes, so any implementation would need to work with multiple instances.

Any and all help invited and appreciated.

Rico

Did you play with TLS Encryption and Authentication and/or using TCP port 443?
However...I'd jangle my ISP nerves all day long if they throttle my VPN or any other stuff.

-Rico

py

@Rico Yep, just got finished with that. Went back and forth a couple of times to make sure, and no change. I'm leaving "TLS Encryption and Authentication" enabled and local port on 443 for the primary VPN connection. (If it matters, pfsense won't allow the same local port to be used on more than one VPN connection, which is why 443 is only used on the primary.)

Rico

Some more Ports you can try.
563, 853, 989, 990, 992, 993, 995, 5061, 6514, 6619

-Rico

py

Thanks Rico, I tired about half of those but no luck. I understand they probably use "Deep Packet Inspection" to identify VPN protocols and throttle only those, no matter what ports are being used, and that seems likely what's happening here.

Sooo, that takes me back to using either stunnel or SSH. Reviewing my speed tests, I realized that obfsproxy3 was almost as fast as stunnel and SSH, so that's another option.

Is there no way to implement any of these with OVPN in pfsense?

Thanks,

parry

I found the solution as to how to bypass a vpn on the protonvpn [this is a real nologs vpn based in Switzerland] ln this page protonvpn.com/support/pfsense-vpn-setup/

Basically the idea is to go to the specific vlan , or if you have a single LAN and want to exclude an IP range or host from the vpn you create a rule in Firewall-->Rules for the VLAN/LAN and identify the interface (LAN or a specific VLAN) identify the source (host, alias, interface[vlan] etc.) go to Advanced and change the Gateway to WAN. Then go to Firewall-->NAT--Outbound and switch mode to auto save/apply and go back to Manual. It works. I tried setting my vlan to access the WAN directly, but that got me no connection outside my VLAN. I suspect that is because [ its somewhere in this massive trail of notes] that the settings for OpenVPN say something like "pull all connections" or something similar. Which seems to direct everything to the VPN. Anyway, although I am not connected to ProtonVPN in any way, I would recommend them for their veracity, clarity and support. And want to thank them for solving a problem that a whole trail of notes leading to 10 or more pages did not seem to answer.