    Bypass ISP VPN Throttling

    OpenVPN
    • P
      py last edited by

      Running pfsense 2.4.5-p1 as a VPN client. Testing has indicated that my ISP is throttling my OpenVPN traffic.

      Connected directly to the modem using my desktop and bypassing the pfsense box, speed tests average about 900 Mbs without VPN, and about 130 Mbs with OpenVPN, which is a bit more than I get when connected to the VPN through the pfsense box (understandable).

      Still connected directly to the modem and using obfuscation I can get up to 270 Mbs with Stunnel and average about 250 Mbs with SSH. These were the fastest obfuscation protocols supported by my VPN provider. The box running pfsense should be able to handle those speeds.

      I have little idea how to implement either Stunnel or SSH with my VPN configuration in pfsense and I am looking for help in doing so from the experts. I have multiple OpenVPN clients running as part of a Gateway Group for failover purposes, so any implementation would need to work with multiple instances.

      Any and all help invited and appreciated.

      • Rico
        Rico LAYER 8 Rebel Alliance last edited by

        Did you play with TLS Encryption and Authentication and/or using TCP port 443?
        However... I'd jangle my ISP's nerves all day long if they throttle my VPN or any other stuff.

        -Rico

        2x Netgate XG-7100 | 11x Netgate SG-5100 | 6x Netgate SG-3100 | 2x Netgate SG-1100

        • P
          py @Rico last edited by

          @Rico Yep, just got finished with that. Went back and forth a couple of times to make sure, and no change. I'm leaving "TLS Encryption and Authentication" enabled and local port on 443 for the primary VPN connection. (If it matters, pfsense won't allow the same local port to be used on more than one VPN connection, which is why 443 is only used on the primary.)

          • Rico
            Rico LAYER 8 Rebel Alliance last edited by

            Some more ports you can try. 😊
            563, 853, 989, 990, 992, 993, 995, 5061, 6514, 6619

            -Rico

            • P
              py last edited by

              Thanks Rico, I tried about half of those but no luck. I understand they probably use "Deep Packet Inspection" to identify VPN protocols and throttle only those, no matter what ports are being used, and that seems likely what's happening here.

              Sooo, that takes me back to using either stunnel or SSH. Reviewing my speed tests, I realized that obfsproxy3 was almost as fast as stunnel and SSH, so that's another option.

              Is there no way to implement any of these with OVPN in pfsense?

              Thanks,

              • P
                parry last edited by

                I found the solution as to how to bypass a VPN on the ProtonVPN [this is a real no-logs VPN based in Switzerland] on this page: protonvpn.com/support/pfsense-vpn-setup/

                Basically the idea is to go to the specific VLAN, or, if you have a single LAN and want to exclude an IP range or host from the VPN, you create a rule in Firewall-->Rules for the VLAN/LAN: identify the interface (LAN or a specific VLAN), identify the source (host, alias, interface [VLAN], etc.), go to Advanced and change the Gateway to WAN. Then go to Firewall-->NAT-->Outbound and switch the mode to Auto, save/apply, and go back to Manual. It works. I tried setting my VLAN to access the WAN directly, but that got me no connection outside my VLAN. I suspect that is because [it's somewhere in this massive trail of notes] the settings for OpenVPN say something like "pull all connections" or something similar, which seems to direct everything to the VPN. Anyway, although I am not connected to ProtonVPN in any way, I would recommend them for their veracity, clarity and support. And I want to thank them for solving a problem that a whole trail of notes leading to 10 or more pages did not seem to answer.
