How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

Discussion in 'VPN' started by yorgi, Mar 5, 2016.

  1. GazD

    GazD New Around Here

    Joined:
    Apr 25, 2016
    Messages:
    4
    Thanks for the reply. Sorry if I wasn't explaining myself properly. When using the PIA Windows Client on my Laptop connected to my router (with no VPN enabled on my router) I get my full line speed pretty much (~ 47Mbps). When I use just the VPN client from my router my speeds drop to 10-15Mbps, which makes me think the router is holding the connection back. When I get in tonight from work I will run the tests that you have asked and I will try the VPN client from my router with all encryption methods and post my results here.

    Thanks
     
  2. GazD

    GazD New Around Here

    Joined:
    Apr 25, 2016
    Messages:
    4
    Ok here are my results.

    No VPN enabled

    [​IMG]

    VPN Enabled - AES-128-CBC Encryption - Port 1196

    [​IMG]

    VPN Enabled - No Encryption - Port 1195

    [​IMG]

    So not too far off my line speed with no encryption.

    Any ideas with this? Want me to try any more encryption methods?

    Thanks in Advance
     
  3. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Did you try other servers besides London?
    Are you routing all traffic to VPN or are you using policy rules?
    Can you post your settings in the VPN client?
    You should be getting 40+ mbps.
     
  4. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    The new Firmware version 380.59 works fine with VPN but one has to disable QOS because they don't like each other.
    It slowed down my VPN speed by half when I enabled QOS bandwidth monitor. I didn't even enable QOS.
    I don't even want to know what will happen if I do that.
    I strongly urge people who are using 380.59 that have an 87U and higher not to use QOS or QOS bandwidth monitor.
     
  5. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Are you using 380.58 or 380.59 firmware?
    If you are using .59 disable QOS, or maybe go back to .58 and try it again.
    If you followed my guide you shouldn't have problems unless you enabled QOS,
    but I would try 380.58 to be sure.
     
  6. strange_guy

    strange_guy New Around Here

    Joined:
    Feb 3, 2011
    Messages:
    8
    Location:
    Austria
    Dear yorgi,

    I have pretty much the same problem. My unfiltered ISP speed is 50/5 and I have an ASUS RT-AC68U. I would like to route traffic over a PIA tunnel with the Netherlands as the endpoint. If I do a speedtest for a server in Amsterdam without VPN I have nearly my full ISP speed: [​IMG]

    If I have VPN enabled with no encryption - Port 1195 the speed is almost the same: [​IMG]

    If I have VPN enabled with AES-128-CBC encryption - Port 1196 the speed drops to these values:
    [​IMG]

    Is there a way for me to boost these values further or is this already the maximum speed I can expect over VPN?

    Thank you in advance for your help and all the best from Austria.
     
  7. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    What firmware version are you using? Do you have QOS enabled? Are you using compression or do you have it set to none?
    Which VPN client out of the 5 are you using? You should be in 2 or 4; this way you would use the second core just for VPN.
    Please check these questions and get back to me
     
  8. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    30mbps is really not bad at all. It may be PIA throttling. I have seen this issue a few times in the past.
    A guy had a 68u and his bandwidth was 50mbps and he couldn't get faster than 20-30 mbps,
    but I have seen someone else with a 68u do 50 mbps on VPN without any issues.
    The first guy with the 68u that didn't get full speeds on VPN had bought a refurbished router.
    So if I were to make an educated guess it would be either PIA is throttling or you have a defective router. Did you get this router new or refurbished?
    One thing I would definitely try if you really want to get to the bottom of this is buy another router if you can return within 30 days and try using the VPN and see if the same results happen.
    Or it could be the new firmware if you put 380.59.
    So things to try: go back to 380.57 and see if you get the same issues.
    Could be a firmware issue or something else. Answer a few questions and let's take it from there :)
     
  9. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    I answered a guy with similar problems. Check my posts on this topic and get back to me.
     
  10. CiscoX

    CiscoX Senior Member

    Joined:
    Aug 13, 2013
    Messages:
    205
    Hi yorgi
    Thank you very much for your guide. Keep up the good work :)
     
  11. Boosted

    Boosted New Around Here

    Joined:
    May 31, 2016
    Messages:
    2
    I am having a strange issue with my Asus 88U reporting wrong IP for one of my OpenVPN clients. Hoping you would have some idea why.

    I have:

    Asus 88U
    Merlin 380.59
    VPN service provider
    using OpenVPN client to connect to VPN provider
    2 separate OpenVPN Clients on router

    Client 1 is AppleTV4, TCP 443 (Canadian server), Accept DNS Config. [Exclusive], Policy Rules with IP of AppleTV4.
    Client 2 is PC, UDP 443 (Miami-US server), Accept DNS Config. [Exclusive], Policy Rules with IP of PC.

    Problem: Both connections are working fine when turned on and show as connected within the router with no Error. But, when I do a DNS leak test using doileak or ipleak site, the client that is turned on first will show the proper IP VPN address that it is connected to, as it should. When I do a DNS leak test of the other client the IP address that shows up is the same as the client I turned on first. There are no leaks for either, it just wrongly identifies the client that I turned on second with the first client's VPN address. Very odd.

    So, basically whatever OpenVPN client is turned on first is the VPN IP that is passed on to the client turned on afterwards even though they each use a different .ovpn server file from different server and one is using TCP and the other is using UDP.

    Both LAN and WAN DNS Server is set to 192.168.1.1. I have DNSFilter on with Custom DNS as an OpenNIC DNS IP for the PC client when the PC OpenVPN tunnel is turned off for the PC. NOTE: Turning on or off DNSFilter makes no impact on the above problem with OpenVPN.

    Is this a bug with firmware or do I have something setup wrong?

    Suggestions for fix are welcome.

    Thanks.
     
  12. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Take note that you don't need dnsfiltering with the new firmware so turning that on won't help in anything but confuse the matter further.
    Looks like you are having a router conflict. You need to turn the power off and cold boot the router. But before you do that, disable both clients and make sure you take off start with LAN.
    What encryption are you using? Sometimes it happens when you use 2 servers from the same company that are on the same subnet.
    Try turning client 1 on and test it, and then turn client 1 off.
    Then turn client 2 on and test it. If there are no issues there then it's a same subnet issue.
    Now turn one client on and off until you have no issues when both clients are on at the same time.
    I have seen this problem happen many times although I never saw that happen to me when I used blowfish-cbc.
    I had 3 clients on at the same time and never had a glitch.
    I know Merlin is going to come here and say I am wrong because encryption doesn't matter, but I think there is a bug with the aes-128-cbc where, although it's the preferred method, I only started seeing these conflicts when I changed over to AES-128-CBC,
    and if you use AES-256-CBC good luck to have 2 clients working at the same time.
    I really don't have the need to have 2 clients on at the same time. I have them configured but I use one at a time.
    Maybe that would be the best solution for you. If you are not using the appleTV and the PC at the same time try doing that.
    If not, turn each service off and on until you have no issues when both services are ON.
    Once that happens you are OK until the next router conflict.
    I have seen some real weird things where the router freaks out so much that it actually leaks your local ISP IP address and DNS, scary.
    So use multiple clients from the same server with caution.
    What Merlin would probably suggest is have 2 separate VPN servers; then it's different subnets, thus having no issues with dns leak.
    Or try Blowfish-cbc for both clients. It's not that it has ever been cracked and the big problem is with SHA and SHA1.
    Google and Microsoft are trying to get that encryption out of the way because they feel it's a security problem because it's old technology,
    so even if you are using aes-128 it's no better than blowfish.
    Try out blowfish on both clients and see if you get any problems. If you don't, stick with it that way.
    I have 8 mbps modem so I now use AES-256 with sha256 because my bandwidth is not the end of the world,
    but if bandwidth limitations are an issue for you then try one of the methods I mentioned and see which works for you.
    I know I am going to hear it from some people but you have nothing to lose but try :)
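
Added example (not part of the thread and not the firmware's own code): a check for the symptom described in post 11, where two policy-routed LAN hosts appear to leave through the same tunnel. It assumes the policy rules show up as source-based `ip rule` entries, and it parses that output to confirm each host's address selects a different routing table; the sample rules, addresses and table names are constructed.

```shell
#!/bin/sh
# Constructed sample of `ip rule show` output. Addresses, priorities and
# table names are illustrative assumptions, not values from the thread.
SAMPLE_RULES='0:	from all lookup local
10101:	from 192.168.1.50 lookup ovpnc1
10301:	from 192.168.1.60 lookup ovpnc2
32766:	from all lookup main
32767:	from all lookup default'

# table_for_source RULES IP
# Prints the table chosen by the lowest-priority-number rule matching IP.
# Only plain "from X lookup T" rules are considered; rules with extra
# selectors (fwmark, iif, to) are ignored. "local" is skipped because
# forwarded LAN traffic is not addressed to the router itself.
table_for_source() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        { sub(/:$/, "", $1) }
        NF == 5 && $2 == "from" && $4 == "lookup" && $5 != "local" {
            src = $3
            if (src == "all" || src == ip || src == (ip "/32")) {
                prio = $1 + 0
                if (!found || prio < best) { best = prio; table = $5; found = 1 }
            }
        }
        END { if (found) print table; else exit 1 }'
}

# distinct_tables RULES IP_A IP_B
# Succeeds only when both hosts select a tunnel-specific table (not "main")
# and the two tables differ. Returns 2 if a host matches no rule at all.
distinct_tables() {
    a=$(table_for_source "$1" "$2") || return 2
    b=$(table_for_source "$1" "$3") || return 2
    [ "$a" != "main" ] && [ "$b" != "main" ] && [ "$a" != "$b" ]
}

# Stand-alone use on a live system (reads the real rule list):
#   distinct_tables "$(ip rule show)" 192.168.1.50 192.168.1.60 && echo OK
```

A host that falls through to `main` is leaving via the WAN rather than a tunnel, which is the leak case worth catching before relying on an external leak-test site.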
     
  13. Boosted

    Boosted New Around Here

    Joined:
    May 31, 2016
    Messages:
    2
    I will try the methods you described above.

    I am using AES-256-CBC and each client is using a different server and location from each other, but I am using same VPN service provider.

    I will try these methods out and report back.
     
  14. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    You should be able to get 2 aes-128-cbc to work well, although I did run into conflicts.
    Blowfish never gave me a problem.
     
    patrick sullivan likes this.
  15. patrick sullivan

    patrick sullivan Regular Contributor

    Joined:
    Dec 16, 2015
    Messages:
    71
    Location:
    Oregon
    Great guide yorgi! I hadn't upgraded to the latest firmware yet, but I finally intend to do so tonight. The only problem I have with my current setup is that sometimes, ipleak shows my DNS/IP as USA instead of Canada. The VPN tunnel isn't down as far as I can tell because the status shows that it is active, and I can connect to the net (like you I have the box checked to kill internet access if VPN goes down). Usually when this happens, I go in and turn off the VPN, then turn it back on, and that solves the problem. This happened to me last night, but my usual fix didn't work. So, I'll upgrade the firmware and see if that helps. If anything goes wrong, I'll use this guide as a walkthrough/refresher. Hope life is good up North!

    Cheers!
    Patrick
     
    Last edited: Jun 10, 2016
  16. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Hey Brother Patrick :)
    It's normal to see USA instead of Canada. I get the same issue. I guess if their Canadian servers get overloaded they use US servers with the same subnet to handle the load.
    I do the exact thing you do to resolve it. It's not a firmware bug, it's PIA that has the problem.
    Upgrading to this firmware is a great move. Let me know how it goes for you.
    Also you don't need to use DNSfiltering anymore.
    Up north is not good so far, a lot of rain :(
     
    patrick sullivan likes this.
  17. patrick sullivan

    patrick sullivan Regular Contributor

    Joined:
    Dec 16, 2015
    Messages:
    71
    Location:
    Oregon
    Upgrade worked perfectly. Glad I finally got around to doing it. Take care man and hang in there-Summer's around the corner.

    Cheers!
     
  18. patrick sullivan

    patrick sullivan Regular Contributor

    Joined:
    Dec 16, 2015
    Messages:
    71
    Location:
    Oregon
    Oh, and I didn't mess with DNS filtering because I forgot where/how to turn that on/off? But, all appears to be working well as is.
     
  19. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    You don't need DNSfiltering anymore :)
     
    patrick sullivan likes this.
  20. patrick sullivan

    patrick sullivan Regular Contributor

    Joined:
    Dec 16, 2015
    Messages:
    71
    Location:
    Oregon
    Copy that....but, where is it turned on/off? I forget! You and Rango were discussing it, but I didn't see where to actually adjust the filtering...
     
    Last edited: Jun 12, 2016