I was doing some experiments with my internet download speed with and without PIA VPN. I have a gigabit connection to my house. When I do a speed test over the VPN I get roughly 100 Mbps. When I do the speed test not on the VPN I am getting around 750 Mbps. I was thinking these speeds should be close to the same? I am running PfSense for my router. During both downloads the CPU usage goes to about 40% but is perhaps a bit lower whilst on the VPN than without. Is this reduction in speed due to my router not having sufficient power? Surely the bandwidth from PIA isn’t the limitation. I appreciate any insights you kind folks can provide.
VPN will be significantly lower due to encryption and service provider bandwidth. That is the nature of VPN.
Thanks for the reply. If I got a router with a more powerful processor or Quickassist would it be faster?
It’s possible but a VPN is a 2 way street. Either the provider might not have the means or bandwidth limit each connection. Or like you are saying that offloading the encryption using quickassist or aes-ni or both. Just giving information to consider.
Using a privacy VPN will also likely add latency. This is why I only use one for specific services and not for all my traffic.
Funnily enough I have noticed the download speeds on my VPN have begun to suck, it’s about 50% of line speed. After a bit of faffing it’s still about 50% of line speed!
An easy test to see what you should be getting is to set up a VPN client on your laptop and let the VPN exit via your ISP and you will see what that server is capable of, mine is about 80% of line speed. That’s without doing anything on the client.
Some things I have noticed that you can tweak that make a difference:
Protocol - TCP might be a bit faster than UDP
DCO - if this is enabled on the server you can enable it on the client
Ports - you might try different port numbers other than 443, I didn’t notice any difference myself, perhaps the ISP is throttling but I’d doubt it
Data Encryption Algorithms - this might make a difference, I need to inspect this a bit more
Auth digest algorithm - I couldn’t tell if this made a difference, higher might not be better (I don’t know)
Server Certificate Key Usage Validation - this killed my speed
Custom options - tun-mtu 1500; tun-mtu-extra 32; mssfix 1450; added the following tweaking the mtu and mss might make a difference, I don’t know enough about it
Send/Receive Buffer - found 256 to be more optimal
UDP Fast I/O - under UDP I found this killed my speed (however I have traffic shaping on the vpn vlan)
Putting a couple of VPNs in a gateway group might ensure you have the “fastest” connection but I don’t think it will matter greatly if your speeds suck to begin with.
I don’t think there is a processor limitation because some of these Netgate routers don’t seem to be overly powerful and still achieve fast throughputs.
Personally I think there is some combination of settings which are optimal, the trick is to find it! There might be a way to inspect the settings for the client connection on the laptop and mirror these on the router, but nothing stands out.
I did this test and I got 200 Mbps instead of the 100 Mbps I was getting when I connected to PIA through PfSense. Thanks for the suggestions.
I would be curious to know what your OpenVPN client settings on pfSense are, if you manage to increase the throughput after making some tweaks.
Just for reference my Air VPN client config looks like:
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
push-peer-info
setenv UV_IPV6 yes
remote-cert-tls server
comp-lzo no
data-ciphers AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
proto udp
auth SHA512
I’m now replicating this on the client in pfSense to see if it makes any difference. In the past I only used one data cipher, AES-256-GCM perhaps if the others are added, openVPN is smart enough to select an optimal cipher.
This is a bit embarrassing, I had previously configured traffic shaping to address bufferbloat, took that off my VPN vlans and hey presto I’m getting 95% of line speed over the VPN. I tweaked a few other things but this made the most difference. I have the same traffic shaping on my ISP line and I get the limit I set.
Now to investigate how to do traffic shaping over a VPN connection …
There are a few variables that can cause the lower throughput you’re seeing but I’d guess it’s mostly likely the hardware you’re running pfSense on. I use a Dell Optiplex with a 9th gen Intel Core i5 processor which isn’t anything special but I’m able to saturate my internet connection at just over 1Gb/s. I’m using OpenVPN on Mullvad with the ChaCha20-Poly1305 cipher, I can get the same throughput using AES256-GCM also and my latency is between 12-20ms whilst doing a download speed test. I’d suggest trying WireGuard if you aren’t already. OpenVPN uses only a single CPU core if you’re on the Community Edition of pfSense like myself, unlike WireGuard which is multi-threaded. So if you have a low powered multi-core CPU that isn’t clocked very high, latency and throughput could be improved significantly using WireGuard instead of OpenVPN. If you upgrade your hardware I’d certainly recommend Mullvad over PIA for throughput (and privacy). I used PIA until they were purchased by Kape Technologies, I did lots of research and narrowed my choice down to IVPN and Mullvad. Both were relatively small companies that were fully open-source run by a small group of well known people in the privacy world that have done a lot for the community and open-source in general with no marketing fluff, and don’t poach influencers to sell ads falsifying what VPNs do. Mullvad own and operate their own servers and made almost no difference to my latency so I ended up choosing Mullvad over IVPN. My pfSense has been connected to one of their servers with all my traffic going through there for two years now without any issues at all.
Thanks so much for your reply. Funnily enough I just signed up for a month with Mullvad 2 days ago specifically to test it out. I was working to configure Wireguard following their tutorial, but didn’t have success getting it to work. I also don’t want to break my PIA OpenVPN connection. I plan to work on it more this weekend. I am self taught will all this stuff but improving all the time.
Let us know how you get on if you get a chance on the weekend, if you have any problems post them on here.
OK, I will take you up on your offer. 
I am following the mullvad PfSense wireguard instructions and I have gotten stuck at the NAT section. I do not understand NAT. However, it seems like they are setting up the VPN so that everything exits through it. I only want to select the specific devices that use it via firewall rules. That is how my current setup works with PIA openvpn. My settings right up to the point where the mullvad instructions tell you to switch to Manual Outbound NAT. I am not sure what I want to do here. The mullvad interface is OPT3. I also have a DMZ configured that is on 192.168.2.1. I am honestly not sure what 192.168.3.1 is. Perhaps a holdover from something else I worked on. I am not sure what is forcing these automatic rules to be generated for OPT3 and why I don’t have them for PIA_CHICAGO. For PIA_CHICAGO I have a set of IP addresses defined by an alias that are directed to the VPN gateway. Hopefully this is enough information to work with. I pressed ahead and added a firewall rule that forced traffic from a specific ip address out the mullvad gateway. It seems to work. I made no changes to the settings in the page below. It seems as though I have some mistakes in the settings below that I would be interested in fixing. I tested the connection to through the Mullvad gateway and got 434 Mbps. I tested the same computer over the PIAVPN gateway and got 111 Mbps.
NAT stands for Network Address Translation, without it traffic from your local network would leave your WAN with the same local IP address it was sent from with no way of getting back to your firewall on the public internet. What NAT does is give traffic leaving your local networks your WAN’s public facing IP address allowing it to return back to your firewall once it gets out onto the public internet. This needs to be set up for your VPN too because the remote server you’re connected to over the VPN is expecting to receive traffic from your WireGuard interface address not one of your internal network addresses.
It’s worth noting that if you send traffic out of a gateway without NAT configured in pfSense whether it’s a WAN or a VPN gateway, then it will still exit that gateway only it will leave with a local IP address and have no way to return once it reaches its destination IP address. NAT cannot be thought of as a firewall rule as it does not pass or block traffic, it merely applies an IP ‘translation’ to passing traffic that matches a mapping.
NAT is used as a solution to the limited number of IPv4 addresses addresses available so that every device behind a network doesn’t need a public facing IP address
So you have it up and running which is awesome. First I’d suggest maybe renaming your OPT3 interface to Mullvad_WireGuard or something similar so you know what interface it is. The 192.168.3.0/24 network I think you mentioned must belong to a network that is or maybe was configured as it’s an automatic rule. If you want to clean up your NAT mappings I’d suggest using manual mode. Once in manual mode edit the two OPT3 mappings changing the source IP to only the ones you have defined as aliases for your VPN gateway, aliases can also be used for these source network(s). Here you can also remove the 192.168.3.0/24 network from each mapping on every interface to clean things up if you’re sure it’s not in use. I think maybe the best thing to do from here would be to spend a bit of time understanding NAT and it should fall into place.
If you wan’t to make sure those set of IP addresses only leave on your WireGuard gateway I’d suggest using floating rules on your WAN, here’s a good video Tom did on it using Tags.
I also had that in place for bufferbloat but in the end i just made sure my equipment was not the weakest link. That keeps bufferbloat reasonable even when you go full tilt up or down. Which works much better for me. I mean it’s just a private connection with 3 users. Idle i have 5 ms ping to 1.1.1.1 full down it goes to 20 ms and full up to 9 ms. Thats good enough for me.
I’m using Mullvad on my pfSense with OpenVPN ChaCha20-Poly1305 and I saturate a 1Gb internet connection at about 30% CPU load. I only have a 9th gen Core i5.
Funnily enough, I have traffic shaping on my ISP vlan which is working perfectly, however, after switching ISP I’ve now noticed that my traffic shaping isn’t working so well on openVPN or wireguard traffic vlans. Not totally sure that it makes sense on encrypted traffic but on my previous ISP it looked ok.
OP, if you are using a client vpn for SSL vpn, the problem for slow speed can be at 2 places:
- Your router/firewall doesn’t have hardware to assist in decryption/encryption of packets (ex if you have an entry level Netgate).
- Your client that is connecting has a week CPU on his/her PC/laptop and thus greatly impacts encryption and decryption on that end.
I ended up trying Mullvad VPN with wireguard over the weekend and was about 10x faster than PIA. I am saturating my internet connection. My router CPU usage hit 80% and I had never seen it above 25%.