Let's talk about VPN's for a moment

Zarathustra[H]
So,

All the current news about the Senate and the FCC reversing its position on privacy, and allowing ISPs to sell user data without user permission, has renewed my long-standing interest in VPNs, but it is a confusing topic, and I'd love some input from those of you who know more about it.

My desire would be to set up a VPN service connected to my pfSense router such that all local clients automatically benefit from the service, but several key questions still remain:

1.) What services are recommended? PureVPN seems to get the best reviews for speed, but the fact that they are a Hong Kong company falling under the jurisdiction of China has me a bit concerned. Protections for privacy and personal data are even worse there than they are here.

2.) How much can I expect these services to impact my bandwidth and latencies? If I go the router route, are there ways to bypass the VPN for specific tasks - like gaming - where latency is key, but no sensitive personal data is being transferred? How might I set this up? Can I use firewall/NAT rules to tell OpenVPN to ignore traffic on certain ports and just pass it through?

3.) I currently run pfSense. I know it is OpenVPN compatible, and can take advantage of AES-NI, but I also know it has a very weak CPU, and I'd almost certainly need to upgrade in order to max out my bandwidth over VPN. Are there any thoughts as to what it would take - CPU wise - to be able to max out 150Mbit up and down at the same time?

4.) I currently use NO-IP for dynamic DNS purposes in order to reach my server when I am out of the house. It is fairly cheap. Will this still work through a VPN? If not, is it better to just purchase an additional dedicated static IP through the VPN service?

I appreciate any light anyone with more knowledge on this subject than I have can shed on it.
 
For pfSense, you can get away with very little; what really impacts it is how many addons you are running and other features. Most of the off-the-shelf pfSense routers being sold are running Atom CPUs. There was a thread a while back I had read when I first started looking into building my own where the guy had a gig connection on a box with a G530 CPU; however, he turned off turbo AND downclocked the CPU to 1.6GHz (stock base is 2.4GHz for that chip), and I believe he was seeing 50-60% load on the CPU. When set to stock he was seeing 25% load at 94%+ connection usage. With full NAT and VPN, CPU usage will go up a lot, mostly from VPN from my understanding, but if the CPU supports AES-NI, I don't think that is a problem. The off-the-shelf units can do NAT/VPN at gig speeds with an Atom that supports AES-NI.
 
1.) What services are recommended? PureVPN seems to get the best reviews for speed, but the fact that they are a Hong Kong company falling under the jurisdiction of China has me a bit concerned. Protections for privacy and personal data are even worse there than they are here.

I use Tunnel Bear. It's faster than most and very easy to use. I used NordVPN for a while and found it to be kind of slow, though the interface was good. A friend of mine swears by PureVPN "THE SPEED". Personally, I don't like my data routed anywhere near ChinaTelecom.

2.) How much can I expect these services to impact my bandwidth and latencies? If I go the router route, are there ways to bypass the VPN for specific tasks - like gaming - where latency is key, but no sensitive personal data is being transferred? How might I set this up? Can I use firewall/NAT rules to tell OpenVPN to ignore traffic on certain ports and just pass it through?

I turn my VPN off for gaming. Bandwidth is constrained on a VPN, and many games (BF1) and gaming services (Steam) don't play well with them no matter how fast they are. Tunnel Bear makes turning the VPN on and off pretty easy. If I'm working or surfing, I'm not gaming. The VPN is turned back on and off I go. There's no real need to VPN a game anyway, unless you're playing something that sends data via cleartext, i.e. Second Life... and if you play Second Life, you've got bigger problems to worry about.


3.) I currently run pfSense. I know it is OpenVPN compatible, and can take advantage of AES-NI, but I also know it has a very weak CPU, and I'd almost certainly need to upgrade in order to max out my bandwidth over VPN. Are there any thoughts as to what it would take - CPU wise - to be able to max out 150Mbit up and down at the same time?

Your wish is my command. Check this out.

4.) I currently use NO-IP for dynamic DNS purposes in order to reach my server when I am out of the house. It is fairly cheap. Will this still work through a VPN? If not, is it better to just purchase an additional dedicated static IP through the VPN service?

NoIP may not play well with a VPN. I don't use it so I can't give a definitive there.
 
I appreciate the response!

Personally, I don't like my data routed anywhere near ChinaTelecom.

My thoughts exactly.

I turn my VPN off for gaming. Bandwidth is constrained on a VPN, and many games (BF1) and gaming services (Steam) don't play well with them no matter how fast they are. Tunnel Bear makes turning the VPN on and off pretty easy. If I'm working or surfing, I'm not gaming. The VPN is turned back on and off I go. There's no real need to VPN a game anyway, unless you're playing something that sends data via cleartext, i.e. Second Life... and if you play Second Life, you've got bigger problems to worry about.

Hmm, turning it on and off again may not be a viable solution for me. I operate several servers constantly accessing the outside world, and have a few household members, so just because I'm playing a game, doesn't mean that they aren't browsing anything sensitive.

I wonder how I might have a way to circumvent the VPN for certain devices on the network at certain times, without having to go all the way to a per-device VPN setup. I definitely want it to be done on the gateway, so I don't have to worry about configuring every device on the network for the VPN.
 
I appreciate the response!

Hmm, turning it on and off again may not be a viable solution for me. I operate several servers constantly accessing the outside world, and have a few household members, so just because I'm playing a game, doesn't mean that they aren't browsing anything sensitive.

I wonder how I might have a way to circumvent the VPN for certain devices on the network at certain times, without having to go all the way to a per-device VPN setup. I definitely want it to be done on the gateway, so I don't have to worry about configuring every device on the network for the VPN.

Zara, my issues with VPN are due to Tunnel Bear. Give buffer or expressVPN a look. They are good for gaming and will probably suit your needs.
 
I will respond to the rest of the question when I'm off my phone. Lol
 
Also, I have a hardware conversation going over on the pfSense forums if anyone is interested.

The going recommendation right now is that an i3-7100 ought to do quite nicely. I've priced out a sparse such system using some parts I already have with a motherboard that has dual Intel NICs at just under $300, which is manageable.
 
I like PIA. Great speeds, no logging, kill switch built into their desktop app and it works with Android. I haven't experienced any speed issues with torrents either. Although, I have never had that fast of a connection to begin with, so I can't say for sure that it wouldn't be a bottleneck.

I use a dedicated PC for gaming and I don't use VPN on it so I have nothing to contribute in that regard.
 
I like PIA. Great speeds, no logging, kill switch built into their desktop app and it works with Android. I haven't experienced any speed issues with torrents either. Although, I have never had that fast of a connection to begin with, so I can't say for sure that it wouldn't be a bottleneck.

I use a dedicated PC for gaming and I don't use VPN on it so I have nothing to contribute in that regard.

I'm with Chance_P. I use PIA set up on my PFSense router (woefully underpowered Soekris Net6501, but still easily handles 300 megabit without blinking). The only difference is I have it assigned to a specific interface so that only some of the clients go through it. Netflix doesn't like it, so we have the XBox and a few other things not being sent over the tunnel. The other cool thing you can do is set up tagging for packets so that if you want something to go over the VPN and the connection is down, you can drop packets on match instead of routing them out the default gateway. This is kind of like the kill-switch thing, just implemented at the packet filtering layer.
 
Others have said they had issues with No-IP and VPNs.

For dynamic DNS I use freedns.afraid.org and did a one-time donation. Works just like a standard registrar.
 
No VPN - 900 Mbps

OpenVPN - 179Mbps

Tunnelbear - 57Mbps

That was with the free trials. Do their pay tiers provide better throughput or simply increase data allowance?
 
No VPN - 900 Mbps

OpenVPN - 179Mbps

Tunnelbear - 57Mbps

That was with the free trials. Do their pay tiers provide better throughput or simply increase data allowance?

Speed was the same from Tunnel Bear trial to Tunnel Bear paid. Roughly a 10% hit.
 
I use ExpressVPN and I like it a lot. It doesn't have much performance hit on my normal bandwidth, and the network lock feature guarantees that no leaks happen if the app disconnects. If the app disconnects, then the network itself disconnects until the VPN gets reconnected. I came from using NordVPN but was having too many connectivity/speed issues. I tried AirVPN but the interface was an outdated mess and also had way too many connectivity problems. With ExpressVPN they give you a big ol' button to press and that's it. Connects 100% of the time. I'm getting gigabit fiber here soon, so I'll be testing the speed with it. I contacted a support tech at ExpressVPN and they said the fiber speed should still be really good, so we'll see. It also works really well to bypass the Great Firewall of China. My cousin was there for a while and I let him use my account and it worked perfectly. I pretty much use my VPN exclusively now except for gaming. Just so tired of hearing about all this crap lately regarding ISPs.
 
I use ExpressVPN and I like it a lot. It doesn't have much performance hit on my normal bandwidth, and the network lock feature guarantees that no leaks happen if the app disconnects. If the app disconnects, then the network itself disconnects until the VPN gets reconnected. I came from using NordVPN but was having too many connectivity/speed issues. I tried AirVPN but the interface was an outdated mess and also had way too many connectivity problems. With ExpressVPN they give you a big ol' button to press and that's it. Connects 100% of the time. I'm getting gigabit fiber here soon, so I'll be testing the speed with it. I contacted a support tech at ExpressVPN and they said the fiber speed should still be really good, so we'll see. It also works really well to bypass the Great Wall of China. My cousin was there for a while and I let him use my account and it worked perfectly. I pretty much use my VPN exclusively now except for gaming. Just so tired of hearing about all this crap lately regarding ISPs.


What is all this about interfaces?

Do they make you run some sort of app on the local machine?

I pictured it running on the router, with all the devices on the local network thus automatically going through the VPN?
 
What is all this about interfaces?

Do they make you run some sort of app on the local machine?

I pictured it running on the router, with all the devices on the local network thus automatically going through the VPN?
It's an app installed to the local machine, not the router. Too many people in my house to be running a VPN through our router.
 
What is all this about interfaces?

Do they make you run some sort of app on the local machine?

I pictured it running on the router, with all the devices on the local network thus automatically going through the VPN?

private internet access can be setup like that. I have no first hand experience though.
 
I appreciate the response!

My thoughts exactly.

Hmm, turning it on and off again may not be a viable solution for me. I operate several servers constantly accessing the outside world, and have a few household members, so just because I'm playing a game, doesn't mean that they aren't browsing anything sensitive.

I wonder how I might have a way to circumvent the VPN for certain devices on the network at certain times, without having to go all the way to a per-device VPN setup. I definitely want it to be done on the gateway, so I don't have to worry about configuring every device on the network for the VPN.

Pretty sure pfSense can be set up like that, by setting up an alias for each computer/IP and routing it through the VPN, while the gaming PC sits outside of it. You can also run a number of the VPN clients on the gaming PC, such as PIA, so when done gaming, you can click connect and be behind the VPN in a few seconds without having to log into the router or turning on/off VPN for everything. I can check on this when I get home, but I am no expert either, so even if I can't figure out the settings, it doesn't mean it can't be done. I have been meaning to set up VPN anyway.

Thing to note however, lots of streaming services and websites DO NOT play nice with VPN, as said already Netflix is one of them, because content providers force them to, as content is region locked, they don't want someone from the EU watching TV shows licensed for the US only, this is ungodly stupid of providers and one of the things that annoys me most. But it is something to test and keep in mind if anyone uses a VPN blocking service such as Netflix they will not be able to view it. I have no idea if they can be set based on website, however I know there are a ton of settings and options I have not even touched as well as addon options that might fill a use for you.
 
Kinda late to the party, should have started using one in 2015 when every major US ISP was part of the deep packet inspection agreement with the copyright stasi.

If you think they weren't already doing similar even before that, I have a bridge to sell you.

For games, you can split tunnel with client based VPN (start making notes of their ranges) or make rules if you do everything on the router. Some games are fairly static (anything battle.net for example) but anything peer based or 3rd party servers is going to be a bit of a pain to keep up with.
 
PIA is the way to go. No logging, based in the US which surprisingly has the least VPN restrictions compared to other countries. (like they are not required to log and track user for example)
 
Thing to note however, lots of streaming services and websites DO NOT play nice with VPN, as said already Netflix is one of them, because content providers force them to, as content is region locked, they don't want someone from the EU watching TV shows licensed for the US only, this is ungodly stupid of providers and one of the things that annoys me most.
And that's exactly why I don't use my VPN at the router level because of Netflix.


PIA is the way to go. No logging, based in the US which surprisingly has the least VPN restrictions compared to other countries. (like they are not required to log and track user for example)
I don't use any VPN based in the US, though I've used PIA in the past with no issues. I've downloaded "red flag" torrents that would cause the ISP to send out a notice (that friends without VPNs previously had notices from with their ISP) and received nothing. NordVPN has one of the better privacy laws as they are based in Panama, and their laws pretty much flip the bird to any US requests.
 
That One Privacy Site has some pretty crappy things to say about PIA.
 
So I'm thinking of getting a VPN, but I don't know shit about them.

Just to clarify my understanding:
-You can either get the service and run a client on a PC, or get a special router that supports direct VPN connection?
-Apparently encrypted VPN traffic takes a lot of processing power, so my ~180Mbps connection will require a router with real processing capability? (how much resources does a client take on a PC?)
-I should be able to set static IPs for the network devices and a good VPN router can set VPN or non-VPN per each client address?
 
So I'm thinking of getting a VPN, but I don't know shit about them.

Just to clarify my understanding:
-You can either get the service and run a client on a PC, or get a special router that supports direct VPN connection?
-Apparently encrypted VPN traffic takes a lot of processing power, so my ~180Mbps connection will require a router with real processing capability? (how much resources does a client take on a PC?)
-I should be able to set static IPs for the network devices and a good VPN router can set VPN or non-VPN per each client address?
You may find this article helpful: https://www.howtogeek.com/221889/co...-vpn-to-bypass-censorship-filtering-and-more/
 
That's because it's US based. But "That One Privacy Site" is pretty questionable as well.

It's also because of some questionable business practices. Care to say why you think That One Privacy Site is questionable?
 
It's also because of some questionable business practices. Care to say why you think That One Privacy Site is questionable?
Because it's just some guy ... and he doesn't have magical powers to actually see what's going on behind the scenes. VPNs themselves are pretty questionable, but he just sees what's at the surface like everyone else.
 
Thing to note however, lots of streaming services and websites DO NOT play nice with VPN, as said already Netflix is one of them, because content providers force them to, as content is region locked, they don't want someone from the EU watching TV shows licensed for the US only, this is ungodly stupid of providers and one of the things that annoys me most. But it is something to test and keep in mind if anyone uses a VPN blocking service such as Netflix they will not be able to view it. I have no idea if they can be set based on website, however I know there are a ton of settings and options I have not even touched as well as addon options that might fill a use for you.

Yep, that's why you'd need to create an exception rule for those as well. If I can create rules by IP, I can easily assign my HTPC's static IP's and filter them to not use the VPN. They don't do anything sensitive on the internet anyway.
 
Yep, that's why you'd need to create an exception rule for those as well. If I can create rules by IP, I can easily assign my HTPC's static IP's and filter them to not use the VPN. They don't do anything sensitive on the internet anyway.
I wasn't aware you could do this. I'll look into it more. Thanks.
 
Yep, that's why you'd need to create an exception rule for those as well. If I can create rules by IP, I can easily assign my HTPC's static IP's and filter them to not use the VPN. They don't do anything sensitive on the internet anyway.

How secure is https, though? It wouldn't require going through a VPN (other than them knowing what address you're hitting via DNS), would it?

I was thinking of going with a decent VPN provider but only for torrent traffic and http. Other ports (gaming, https) would go over the standard WAN sans VPN. (https://blog.monstermuffin.org/tunneling-specific-traffic-over-a-vpn-with-pfsense/)

I'd like to see a layer 7 type of VPN. Where you can whitelist certain sites to use the non-VPN connection and everything else to use the VPN. Router level.

With basic web traffic and torrents, I'm not worried about my speed much. It'll handle it with a little latency. Gaming, not so much.

I want the best privacy with the least trouble. I want it to be as transparent as possible. If not, the wife will bitch that whatever isn't working. :/
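The gateway-side split tunnel discussed in this thread (per-client aliases that skip the VPN, a port-based bypass for a game, and dropping VPN-only traffic instead of leaking it out the ISP when the tunnel is down), as an added illustration that is not from any post here. It is written in raw FreeBSD pf syntax, which is what pfSense generates from its GUI rules; interface names, addresses, the game port range and the home server are all assumptions.

```pf
# Added illustration, not from the thread: a split tunnel for a pfSense-style
# gateway written in raw FreeBSD pf syntax (pfSense builds rules like these
# from its GUI). Interface names, addresses and ports are assumptions.

wan_if  = "em0"              # ISP-facing interface
lan_if  = "em1"              # LAN
vpn_if  = "ovpnc1"           # OpenVPN client tunnel to the VPN provider
lan_net = "192.168.1.0/24"
wan_gw  = "203.0.113.1"      # ISP next hop (documentation address)
vpn_gw  = "10.8.0.1"         # provider's tunnel-side gateway
srv     = "192.168.1.20"     # home server reached via dynamic DNS

# Hosts allowed to reach the internet directly (gaming PC, HTPC for Netflix).
table <bypass_hosts> { 192.168.1.50, 192.168.1.60 }
# Latency-sensitive UDP game ports that bypass the tunnel from any host
# (made-up range; check the game's documentation for the real one).
game_ports = "{ 27000:27030 }"

# Translation rules must precede filter rules in pf.conf.
nat on $wan_if inet from $lan_net to any -> ($wan_if)
nat on $vpn_if inet from $lan_net to any -> ($vpn_if)
# Port forward for the dynamic-DNS host. Run the dynamic DNS update client
# on the router itself (or add $srv to <bypass_hosts>) so the address it
# publishes is the ISP one, not the VPN exit.
rdr on $wan_if inet proto tcp from any to ($wan_if) port 22 -> $srv

# Kill switch: anything tagged VPN_ONLY may never leave via the ISP. The tag
# survives NAT, so the translated source address does not matter, and if the
# tunnel is down the packets are dropped instead of taking the default route.
block out log quick on $wan_if tagged VPN_ONLY

# Bypass rules first ("quick" stops evaluation on match).
pass in quick on $lan_if route-to ($wan_if $wan_gw) inet \
    from <bypass_hosts> to ! $lan_net keep state
pass in quick on $lan_if route-to ($wan_if $wan_gw) inet proto udp \
    from $lan_net to ! $lan_net port $game_ports keep state

# Everything else leaving the LAN goes through the tunnel, tagged so the
# kill switch above catches it if the route-to is ever lost.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet \
    from $lan_net to ! $lan_net tag VPN_ONLY keep state

# Inbound to the home server: reply-to pins the return path to the ISP
# interface, so replies do not try to exit through the tunnel.
pass in quick on $wan_if reply-to ($wan_if $wan_gw) inet proto tcp \
    from any to $srv port 22 keep state

# Caveat: DNS issued by the router's own resolver is not LAN traffic and is
# not covered by these rules; point it at the tunnel or the provider's
# resolver separately, or the ISP still sees every name lookup.
```

Load it with `pfctl -nf` first to syntax-check, then watch the WAN block rule's log counter: any hits on it are exactly the leaks the kill switch exists to stop.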
 
So,

All the current news about the Senate and the FCC reversing its position on privacy, and allowing ISPs to sell user data without user permission, has renewed my long-standing interest in VPNs, but it is a confusing topic, and I'd love some input from those of you who know more about it.

My desire would be to set up a VPN service connected to my pfSense router such that all local clients automatically benefit from the service, but several key questions still remain:

1.) What services are recommended? PureVPN seems to get the best reviews for speed, but the fact that they are a Hong Kong company falling under the jurisdiction of China has me a bit concerned. Protections for privacy and personal data are even worse there than they are here.

2.) How much can I expect these services to impact my bandwidth and latencies? If I go the router route, are there ways to bypass the VPN for specific tasks - like gaming - where latency is key, but no sensitive personal data is being transferred? How might I set this up? Can I use firewall/NAT rules to tell OpenVPN to ignore traffic on certain ports and just pass it through?

3.) I currently run pfSense. I know it is OpenVPN compatible, and can take advantage of AES-NI, but I also know it has a very weak CPU, and I'd almost certainly need to upgrade in order to max out my bandwidth over VPN. Are there any thoughts as to what it would take - CPU wise - to be able to max out 150Mbit up and down at the same time?

4.) I currently use NO-IP for dynamic DNS purposes in order to reach my server when I am out of the house. It is fairly cheap. Will this still work through a VPN? If not, is it better to just purchase an additional dedicated static IP through the VPN service?

I appreciate any light anyone with more knowledge on this subject than I have can shed on it.

1. I personally use TorGuard
2. I have 25 Mbps down, 6 Mbps up. The VPN limits my up to 2 Mbps. I configured pfSense to have one of my internal IPs (Plex media server) not use the VPN so that I can stream at full speed.
3. No Idea
4. Yes it still works for me.
 
So ... tried my new gigabit line with my current VPN and getting 70 Mbps down as opposed to my normal 850-950 Mb/sec. That was with the OpenVPN protocol which is supposed to have a 150 Mbps cap, is it not? Should I be looking into using the VPN on the router end? 70 Mb is pretty craptastic, comparatively speaking.
 
So ... tried my new gigabit line with my current VPN and getting 70 Mbps down as opposed to my normal 850-950 Mb/sec. That was with the OpenVPN protocol which is supposed to have a 150 Mbps cap, is it not? Should I be looking into using the VPN on the router end? 70 Mb is pretty craptastic, comparatively speaking.


What is your setup? Are you running OpenVPN locally or on your router? If on the router, you need a pretty damned beefy to keep up with the load of high speed VPN.

For my 150/150 solution I am building a pfSense router with an i3-7100. This is probably more than I need, but if you are going for gigabit, you probably need a serious CPU to drive it.
Remember, OpenVPN is not multithreaded for a single connection, so any given connection will be limited by the max performance of any one core. Not quite sure what it would take to max out a gigabit with a single connection, probably just about the fastest single-core performance CPU you can think of.

You can - of course - utilize multiple cores by saturating that gigabit with multiple connections, such as with torrents, or multiple people browsing, etc. etc.
 
What is your setup? Are you running OpenVPN locally or on your router? If on the router, you need a pretty damned beefy to keep up with the load of high speed VPN.

For my 150/150 solution I am building a pfSense router with an i3-7100. This is probably more than I need, but if you are going for gigabit, you probably need a serious CPU to drive it.
Remember, OpenVPN is not multithreaded for a single connection, so any given connection will be limited by the max performance of any one core. Not quite sure what it would take to max out a gigabit with a single connection, probably just about the fastest single-core performance CPU you can think of.

You can - of course - utilize multiple cores by saturating that gigabit with multiple connections, such as with torrents, or multiple people browsing, etc. etc.
Looks like I'll need to do some research. Thanks for the info!
 
Just because PureVPN is in talks and I am one of their users, I would love to share what their CEO said in an open letter (it is a bit emotional but I like his request to Trump)! Anyways I just wanna share my experience that it ain't bad for me in speed and connectivity. Plus, I usually connect to their servers in my own country, which means the data passes through their server in my country rather than any Chinese one! Please correct me if I am wrong. Though I have heard good about some other services too, the one I am using ain't bad, at least for me!
 
I built an over the top pfsense router this week and am now using PIA on it. Thoughts so far:

Dynamic DNS seems to be impossible. I'm going to need to find a way to not run some ports through the VPN.... if that's even possible...... ? :/

The Android app is shit. It slaughters my battery. At least at the house I've been working at all week with poor cell reception. It occasionally won't connect and brings down my connection to cellular data. It crashes. It makes my phone crash. The slider to disconnect only works about 10% of the time. Maybe less. Junk.

Using a VPN is something I should have done years ago. I feel like an idiot for not doing this sooner.
 