Extremely slow VPN performance (< 1 kbit/s)
-
I was accessing my home VPN while having dinner earlier tonight.
The client on my Android phone connected just fine.
However, once connected, I could not get anything done, not even resolve the hostname for pfsense.localdomain to see what was going on.
The OpenVPN app reported throughput between 10-100 bytes/s. This brought me back to the modem performance of the 1980s.
I ran a speedtest while not on VPN, and got a result of 557 Mbps down / 20 Mbps up. So, I wasn't being limited by the 5G cell network.
During this time, there was a PC at home uploading photos to Amazon on the cloud, eating most of the upstream bandwidth.
I'm not really sure what was going on with the performance. I feel like I should still have been able to resolve a DNS name in this situation.
Is it a problem with prioritization / traffic shaping ? Or is there something else that explains this unusability ?
Unfortunately, I cannot test any VPN / traffic shaping config change at home as I'm unable to get a cell data signal with a speed greater than 1 kilobit/s. It usually just drops off, too.
-
What's a possible explanation for this ?
-
@madbrain Have to post some sanitized pictures of your OpenVPN configuration on pfsense.
The only thing I can think is that from your phone to your home internet it's either being rate limited as it's been identified as VPN traffic (which does happen on some carriers) or the path has packet drops or perhaps you do have traffic shaping enabled.
Are you full tunneled or split tunneled?
-
@michmoor Fully tunneled, as far as I know. Though some apps on the Android device still manage to go directly to the ISP - that is the case for Ookla speedtest.
I had to use the browser and speedtest.net to get it to go through VPN.
This is a major security flaw in Android and/or the OpenVPN client.
California has a net neutrality law, which covers all lawful access, including the use of a home VPN. It prevents the ISP from blocking VPNs, or throttling VPNs. Also, even in places where this is allowed, going from 557 Mbps off-VPN to < 1 kbps on VPN is indicative of something else than throttling going wrong, IMO. The ISP would be better off blocking VPN traffic altogether rather than slow by a factor of a million.
Here is the VPN config. I don't see anything sensitive on this page :
Or this :
It was created by the wizard. It should be noted that the VPN is not universally problematic. From some locations, it works fine. Others, not so much.
I have seen this when traveling abroad as well. Not quite this slow, though. But slow enough that I couldn't login to my Home Assistant. Much less stream video over the tunnel. Other countries don't all have net neutrality, though.
I have seen it being slow either when the phone is connected to a cell network or to public Wifi.
I think there has to be something wrong with my configuration causing this, but I just don't have any idea what. I have been meaning to give Wireguard another try. Last time, I didn't succeed in setting it up. Whereas I know a lot of PKI and X.509, so setting up the OpenVPN one was much easier - for me.
-
I'm still experiencing this. At the vet today and getting 0.3 Mbps in a speedtest in the browser while on VPN.
And 220 Mbps in the same browser off VPN.
I'm not using the native speedtest Android app because it somehow manages to bypass any VPN. But speedtest within Firefox does not.
-
Tonight at a restaurant, using Wi-Fi, I got 4 Mbps on speedtest in the browser. I then connected to VPN, and got the same 4 Mbps on the speedtest. I think that's strong evidence that my home ISP is not throttling.
I then turned off both Wifi and VPN. Got 220 Mbps on speedtest in the browser. With VPN, could not even get the speedtest going. OpenVPN showed about 80 bytes/s throughput, i.e. less than 1 kilobit/s as I saw before in my OP.
Perhaps it is the cell carrier throttling. I'm using US Mobile, a T-Mobile MVNO. I will ask them what's going on. They are not supposed to throttle VPNs, and I believe it's illegal here. I would like to rule out any technical problems with my pfSense config, though, before I contact the CPUC and FCC.