bigdogchris
Fully [H]
- Joined
- Feb 19, 2008
- Messages
- 18,707
How can these providers charge so little for bandwidth?
![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
Let's talk about VPN's for a moment
- Thread starter Zarathustra[H]
- Start date
So all you have to do is split tunnel your traffic. This means that ddns traffic should go out locally. In general, all low ports can go out the VPN for your web traffic and dynamic or higher ports can out locally (I.e. gaming)
Edit: smart TV can probably go local too.
harsaphes
Supreme [H]ardness
- Joined
- Aug 29, 2005
- Messages
- 5,330
IVPN anyone?
https://www.bestvpn.com/ivpn-review/
https://www.bestvpn.com/ivpn-review/
Last edited:
![Zarathustra[H]](https://cdn.hardforum.com/data/avatars/m/9/9298.jpg?1707758471){kind=avatar}
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 38,862
An update:
I went ahead and built a new router for pfSense + OpenVPN use with the following hardware:
And that's it. Total: 393.31 (less for me, since I already had a few of the parts left over from other projects.
The CPU comes with a cooler. Before you assemble everything, it looks like it won't fit in the M350 enclosure, but it does (just barely), as long as you don't use the 2.5" drive brackets. (use an M2, USB drive or SATA DOM)
I also pulled out the mini-Wlan card (you loosen two screws on the bottom of the board and it comes right out). I wasn't using it, and I figured I'd rather not have it wasting power. Also disabled everything in BIOS I wasnt planning on using, and enabled all power saving states, except suspend to RAM, as the router needs to be operating 24/7.
When I tested with Ubuntu 16.10, I got a 7.1W idle power usage at the wall using my Kill-A-Watt. That went down to 6.2W when I killed the desktop. Load testing with mprime (Linux version of prime95) maxed out at 46W at the wall, at 3.9Ghz 2C4T.
After installing pfSense my idle power went up to 8W. Possibly due to setting power settings to "hidaptive" or mayube because FreeBSD 10.3 (which current pfSense is based on) isn't as good at power management as Ubuntu 16.10.
I used a fan profile on the board. The CPU puts out so little power that it seems to stay at the coolers minimum fan speed most of the time. Granted it is pretty cold in my basement right now. (Warmer temps will result in higher fan speeds which will drive up power consumption noticeably. At this low power use the fans use a surprisingly large percentage of the power)
I had a PCEngines APU2C4 before (4 core AMD Jaguar at 1Ghz). It's a low power design intended to sip power, but idle power usage isn't much lower than the Kaby Lake i3 above, at ~7W.
I had some troubles installing pfSense at first, turns out it doesn't like the USB3 ports. Will install fine from a USB2 port.
Here are some comparative openSSL numbers,
First the PcEngines APU2C4:
Now the i3-7100:
Looks like an average of about an order of magnitude improvement across the board.
I signed up for a PIA account, and tried to set it up in OpenVPN, but it won't quite work.
Despite following th eofficial guide for pfSense on PIA's site, I'm having some odd password authentication issue causing the OpenVPN service to have a fatal error and shut down.
I'm currently running with the desktop client instead, and it's quite nice. I'm maxing out my connection right now.
I have a 150/150 connection, but my traffic shaping rules prevent any one connection from using all th ebandwidth, so I usually bench in the 130's each way. This hasn't changed when connected to PIA. Pings seem excellent too...
Now I just need to get it to work in pfSense.
I went ahead and built a new router for pfSense + OpenVPN use with the following hardware:
- Intel Core i3-7100 ($119.96 w. Prime)
- ASRock H270M-ITX/ac Mini-ITX motherboard with dual Intel NIC's ($96.98)
- Crucial 8GB (2x4GB) DDR4-2133 kit ($55.49 w. Prime)
- BiWin 60GB M.2 Sata SSD ($40.98)
- PicoPSU-80 + 60W Adapter Power Kit ($35)
- M350 Universal Mini-ITX enclosure ($39.95)
- Molex to P4 power adapter ($4.95)
And that's it. Total: 393.31 (less for me, since I already had a few of the parts left over from other projects.
The CPU comes with a cooler. Before you assemble everything, it looks like it won't fit in the M350 enclosure, but it does (just barely), as long as you don't use the 2.5" drive brackets. (use an M2, USB drive or SATA DOM)
I also pulled out the mini-Wlan card (you loosen two screws on the bottom of the board and it comes right out). I wasn't using it, and I figured I'd rather not have it wasting power. Also disabled everything in BIOS I wasnt planning on using, and enabled all power saving states, except suspend to RAM, as the router needs to be operating 24/7.
When I tested with Ubuntu 16.10, I got a 7.1W idle power usage at the wall using my Kill-A-Watt. That went down to 6.2W when I killed the desktop. Load testing with mprime (Linux version of prime95) maxed out at 46W at the wall, at 3.9Ghz 2C4T.
After installing pfSense my idle power went up to 8W. Possibly due to setting power settings to "hidaptive" or mayube because FreeBSD 10.3 (which current pfSense is based on) isn't as good at power management as Ubuntu 16.10.
I used a fan profile on the board. The CPU puts out so little power that it seems to stay at the coolers minimum fan speed most of the time. Granted it is pretty cold in my basement right now. (Warmer temps will result in higher fan speeds which will drive up power consumption noticeably. At this low power use the fans use a surprisingly large percentage of the power)
I had a PCEngines APU2C4 before (4 core AMD Jaguar at 1Ghz). It's a low power design intended to sip power, but idle power usage isn't much lower than the Kaby Lake i3 above, at ~7W.
I had some troubles installing pfSense at first, turns out it doesn't like the USB3 ports. Will install fine from a USB2 port.
Here are some comparative openSSL numbers,
First the PcEngines APU2C4:
Code:
[2.3.1-RELEASE][[email protected]]/root: openssl speed -elapsed -evp aes-128-ecb
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-ecb for 3s on 16 size blocks: 23413097 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 64 size blocks: 18438085 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 256 size blocks: 7473361 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 1024 size blocks: 2115520 aes-128-ecb's in 3.01s
Doing aes-128-ecb for 3s on 8192 size blocks: 279464 aes-128-ecb's in 3.00s
OpenSSL 1.0.1s-freebsd 1 Mar 2016
built on: date not available
options:bn(64,64) rc4(8x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-ecb 124869.85k 393345.81k 637726.81k 720221.92k 763123.03kNow the i3-7100:
Code:
[2.3.3-RELEASE][[email protected]]/var/log: openssl speed -elapsed -evp aes-128-ecb
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-ecb for 3s on 16 size blocks: 242729953 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 64 size blocks: 207367303 aes-128-ecb's in 3.01s
Doing aes-128-ecb for 3s on 256 size blocks: 69510589 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 1024 size blocks: 17831161 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 8192 size blocks: 2219499 aes-128-ecb's in 3.00s
OpenSSL 1.0.1s-freebsd 1 Mar 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-ecb 1294559.75k 4412345.31k 5931570.26k 6086369.62k 6060711.94kLooks like an average of about an order of magnitude improvement across the board.
I signed up for a PIA account, and tried to set it up in OpenVPN, but it won't quite work.
Despite following th eofficial guide for pfSense on PIA's site, I'm having some odd password authentication issue causing the OpenVPN service to have a fatal error and shut down.
I'm currently running with the desktop client instead, and it's quite nice. I'm maxing out my connection right now.
I have a 150/150 connection, but my traffic shaping rules prevent any one connection from using all th ebandwidth, so I usually bench in the 130's each way. This hasn't changed when connected to PIA. Pings seem excellent too...
Now I just need to get it to work in pfSense.
Last edited:
As an Amazon Associate, HardForum may earn from qualifying purchases.
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 38,862
I haven't played with it yet, but isnt it to be expected that battery life is shorter using a VPN? All your traffic is encrypted, and encryption uses CPU cycles.
D
Deleted member 278999
Guest
My experience with PIA has been pretty good. I'm not using a custom router though.
I've thought about building one but it's pretty low on my priority list.
Totally agree on anonymous usage. Though, a lot of that information is logged anyways when you log into Google, etc. You need a lot of layers to truly remove yourself. It makes it a huge pain.
I generally combine these things with other means of removing tracking at the browser level.
There are easy and hard ways of going about things. I work in the industry and I'm not particularly enthusiastic about what's happening.
Collecting data is one thing. Tying it to individuals is another. Not to get all 1984, but there are very nefarious people in this world. And the lot of people have no idea just how scary it is.
IMO it's going to take one big incident to bring the hammer down. People were all up in arms about the feds tracking people and that's not even getting into things like wire sharks and stingrays.
It's a bit sickening.
Anyways. We're getting towards the deep end somewhat OT. Sorry.
As an Amazon Associate, HardForum may earn from qualifying purchases.
MrGuvernment
Fully [H]
- Joined
- Aug 3, 2004
- Messages
- 21,817
Majority of user likely don't use a ton of bandwidth, sheer volume of users to cover all costs.
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 38,862
A question about ciphers:
By default it seems the most commonly used cipher is AES-128-CBC
I've done some performance testing on my machines - however - and I have found very little performance difference between AES-128-CBC and AES-256-CBC.
While this is surprising (one would expect the lower bit version would be faster,) If this is the case, why not just always use 256bit?
Are there any other ciphers than CBC ones that should be considered?
By default it seems the most commonly used cipher is AES-128-CBC
I've done some performance testing on my machines - however - and I have found very little performance difference between AES-128-CBC and AES-256-CBC.
While this is surprising (one would expect the lower bit version would be faster,) If this is the case, why not just always use 256bit?
Are there any other ciphers than CBC ones that should be considered?
Thanks for this thread guys, I feel like VPN's are something I should have learned about long time ago.
Just because I can lock the door doesn't mean I'm going to, but its something else entirely when you don't even know how to lock it.
Just because I can lock the door doesn't mean I'm going to, but its something else entirely when you don't even know how to lock it.
Cmustang87
Supreme [H]ardness
- Joined
- Oct 4, 2007
- Messages
- 4,498
I don't know if that's a fair assessment. For the most part, the people that seek these types of services are the ones that consume a lot of data (P2P, etc.).
Cmustang87
Supreme [H]ardness
- Joined
- Oct 4, 2007
- Messages
- 4,498
Nah, this isn't necessary.
Well, I've went the route of using a Qotom q355g4 mini Pc off of Amazon. It has four Intel LAN ports and an i5 5250u. It arrived last night and this will be my first foray into pfsense. I brought it to work and got pfsense 2.3.3 installed, as it came with an unactivated copy of Windows 7 on it. I won't have time to actually install it and get it all setup until this weekend, but I'll try to post back on my thoughts. I ordered the version with 4 GB RAM and a 30GB Intel SSD instead of shopping around for other parts.
It's a heavy little PC with the case basically being a big heat sink. It got a little warm installing pfsense, but not hot for a fanless unit. I might jury rig a USB powered case fan attached to a modified coat hanger as legs to have it blow directly down onto the top of the PC if heat seems to become an issue. I'll be using this to replace my Asus AC68 to connect to PIA since the Asus couldn't get more than 20 Mbps download from my 200 Mbps plan. The desktop PIA app has a barely noticeable decrease compared to running without a VPN.
It's a heavy little PC with the case basically being a big heat sink. It got a little warm installing pfsense, but not hot for a fanless unit. I might jury rig a USB powered case fan attached to a modified coat hanger as legs to have it blow directly down onto the top of the PC if heat seems to become an issue. I'll be using this to replace my Asus AC68 to connect to PIA since the Asus couldn't get more than 20 Mbps download from my 200 Mbps plan. The desktop PIA app has a barely noticeable decrease compared to running without a VPN.
Update:
So far I'm quite impressed with the power and capabilities of the pfSense router system. Although I'm still having difficulty running both an OpenVPN server (remote network access) as well as a PIA VPN client at the same time. I can run the OpenVPN server just fine, but not with PIA client...and vice versa. As for the Qotom i5, it seems to run like a champ. The fanless system runs a little hot (Core temps range from 50C to 60C) and the CPU usage is usually 2% or less running the Open VPN server. Since I require the remote access, the OpenVPN server without the PIA client is currently my base setup. I'll just have to keep tinkering until I figure this pfSense thing out, but my ten year old son has had enough of it with him losing his XBox connection every time I do a reboot or restore to my default configuration...lol.
If anyone has advice on how to get both the OpenVPN server running along with the PIA client, I'd open to suggestions. Not much from googling about running such a system that I've found.
Edit: Added a spare noiseless Coolermaster 120mm fan at 5v (via USB) about 2 inches above the case and the Core temps are now between 46C and 55C.
So far I'm quite impressed with the power and capabilities of the pfSense router system. Although I'm still having difficulty running both an OpenVPN server (remote network access) as well as a PIA VPN client at the same time. I can run the OpenVPN server just fine, but not with PIA client...and vice versa. As for the Qotom i5, it seems to run like a champ. The fanless system runs a little hot (Core temps range from 50C to 60C) and the CPU usage is usually 2% or less running the Open VPN server. Since I require the remote access, the OpenVPN server without the PIA client is currently my base setup. I'll just have to keep tinkering until I figure this pfSense thing out, but my ten year old son has had enough of it with him losing his XBox connection every time I do a reboot or restore to my default configuration...lol.
If anyone has advice on how to get both the OpenVPN server running along with the PIA client, I'd open to suggestions. Not much from googling about running such a system that I've found.
Edit: Added a spare noiseless Coolermaster 120mm fan at 5v (via USB) about 2 inches above the case and the Core temps are now between 46C and 55C.
Last edited:
Update #2 on Qotom q355g4 mini PC: Learning pfSense has been a challenging, frustrating, rewarding, and tedious endeavor over the past 3 weeks to say the least. As of last night, I can say that I now have this router doing everything that I wanted it to do...after three weeks of cutting off my family's Internet in order to reboot, restore a prior configuration, or because a rule I setup incorrectly "broke the Internet." I can't even begin to count the times my 10 year old yelled down the hall "you broke the Internet again!"
This little i5 mini PC is running quite a few tasks:
1) OpenVPN server for remote access to my network server
2) PIA VPN client covering all desktop computers, iPads, and iPhones in my house
3) Snort for network intrusion detection
4) Squid + Squidguard proxy + ClamAV
CPU usage is generally between 1% and 30% with the packages that I have running and the temps range from 42C up to 62C. These temps are with an inaudible 120mm case fan running at 5v, via USB modification, positioned about 2"s above the fanless case...otherwise they would be higher. I've ordered a Zalman fanmate so that I can swap out the 5v fan with another fan and set the voltage/speed to less than the default 12v that is audible from most fans. Intel indicates that this 15w TDP i5 has a max operating temp of 105C, so well below that but I'd like to keep operating temps as low as possible. My 4GB RAM has shown memory usage between 15% and 57%. I'm still quite impressed by this little PC and even more so with pfSense. I can see how powerful pfSense can be, and I've only just scratched the surface. It definitely involves a learning curve with the firewall rules and NAT rules.
I have found the squidguard blacklist from urlblacklist.com to provide less false blocks than Shalla's, but it does eat a lot of CPU usage at startup or package restart. The difference in memory usuage between the two lists increased from 33% to 57% as well of my 4GB system.
As for PIA VPN running as a client on this router, I'm easily getting 95+% of my 200/20 bandwidth, a far cry from the 15/10 I got from the old Asus router.
This little i5 mini PC is running quite a few tasks:
1) OpenVPN server for remote access to my network server
2) PIA VPN client covering all desktop computers, iPads, and iPhones in my house
3) Snort for network intrusion detection
4) Squid + Squidguard proxy + ClamAV
CPU usage is generally between 1% and 30% with the packages that I have running and the temps range from 42C up to 62C. These temps are with an inaudible 120mm case fan running at 5v, via USB modification, positioned about 2"s above the fanless case...otherwise they would be higher. I've ordered a Zalman fanmate so that I can swap out the 5v fan with another fan and set the voltage/speed to less than the default 12v that is audible from most fans. Intel indicates that this 15w TDP i5 has a max operating temp of 105C, so well below that but I'd like to keep operating temps as low as possible. My 4GB RAM has shown memory usage between 15% and 57%. I'm still quite impressed by this little PC and even more so with pfSense. I can see how powerful pfSense can be, and I've only just scratched the surface. It definitely involves a learning curve with the firewall rules and NAT rules.
I have found the squidguard blacklist from urlblacklist.com to provide less false blocks than Shalla's, but it does eat a lot of CPU usage at startup or package restart. The difference in memory usuage between the two lists increased from 33% to 57% as well of my 4GB system.
As for PIA VPN running as a client on this router, I'm easily getting 95+% of my 200/20 bandwidth, a far cry from the 15/10 I got from the old Asus router.
Last edited:
mdaniel
Thanks for all this info. I am getting more into networking, being that I have a very small datacenter of my own now. On my home setup I have been trying to improve security and such. I realized that when using windows or mac osx, I can still get leaks at ip leaks using tools found here - http://vpnpick.com/check-ip-downloading-torrents/ - and I was also able to detect ipv6 level leaks by doing pings to 8.8.8.8 on short intervals. I only tested a handful of monthly subs but still it shocked me. Sometimes it leaks when the connection drops and after reconnection it remains unsecured. PIA only seemed to have the problem if the connection dropped (interrupted by me in the testing cases)
If I go the tedious route of a pfsense router for example, and add some of those layers, will this improve leaks that I found even when using PIA?
Thanks for all this info. I am getting more into networking, being that I have a very small datacenter of my own now. On my home setup I have been trying to improve security and such. I realized that when using windows or mac osx, I can still get leaks at ip leaks using tools found here - http://vpnpick.com/check-ip-downloading-torrents/ - and I was also able to detect ipv6 level leaks by doing pings to 8.8.8.8 on short intervals. I only tested a handful of monthly subs but still it shocked me. Sometimes it leaks when the connection drops and after reconnection it remains unsecured. PIA only seemed to have the problem if the connection dropped (interrupted by me in the testing cases)
If I go the tedious route of a pfsense router for example, and add some of those layers, will this improve leaks that I found even when using PIA?
I'm just using it for my home, but using the tools in the link you provided, minus the torrent download, I have no DNS links using PIA VPN with PIA DNS servers.
longblock454
2[H]4U
- Joined
- Nov 28, 2004
- Messages
- 2,738
How did you end up solving this, I have the exact same issue with PIA.
Cmustang87
Supreme [H]ardness
- Joined
- Oct 4, 2007
- Messages
- 4,498
Why would you run both at the same time? Are you trying to connect to PIA and then connect to your home OpenVPN server from PIA's IP addresses? I guess I'm having a hard time understanding the use-case.
longblock454
2[H]4U
- Joined
- Nov 28, 2004
- Messages
- 2,738
Not exactly. I want to connect my home network to PIA 24-7, then use OpenVPN server to connect various other outside devices to my home network, utilizing my ISP WAN IP.
Cmustang87
Supreme [H]ardness
- Joined
- Oct 4, 2007
- Messages
- 4,498
You will need to use your home router/firewall for this. Create rules based on destination or source and it should work.
longblock454
2[H]4U
- Joined
- Nov 28, 2004
- Messages
- 2,738
Yup, that's exactly what I'm attempting, however like mdaniel said above, with the server configured the client side (PIA pipe) quits working.
Get info from a real site, not one that some guy made.
https://torrentfreak.com/vpn-services-anonymous-review-2017-170304/
PIA highly rated and I use it for 3+ years now.
sorry, I just saw this and I don't remember the exact steps at this point since I resolved it a while ago. This post from the pfSense forums contains mys settings that ended up working: https://forum.pfsense.org/index.php?topic=129528.msg713736#msg713736. I hope it helps, as it's all the NAT or Firewall rules that is where the solution is with setting the correct interface to the correct setting.
I have PIA active for the IPs I want it for, off for the IPs that I want to bypass it, and I can remotely OpenVPN into my home network from outside...mainly to deal with my PLEX server.
Cmustang87
Supreme [H]ardness
- Joined
- Oct 4, 2007
- Messages
- 4,498
Yes, what mdaniel is doing is correct. You can get even more granular than this if you have an application firewall, etc...
Larry Gilmore
n00b
- Joined
- May 4, 2017
- Messages
- 33
A
As far as PureVPN is concerned, they recently shared their user's log with FBI. So, getting that out of the equation, I would recommend you go through these super fast VPNs that I think would fulfil the requirements of every VPN user out there.
As far as PureVPN is concerned, they recently shared their user's log with FBI. So, getting that out of the equation, I would recommend you go through these super fast VPNs that I think would fulfil the requirements of every VPN user out there.
Machupo
Gravity Tester
- Joined
- Nov 14, 2004
- Messages
- 5,759
I have enjoyed PIA for quite some time, but I'd really like it if they started going with GCM instead of CBC :/
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 38,862
Agreed.
Back then I decided against PureVPN based on their closeness to China Telecom, and landed with PIA based on their claims that they don't keep server logs.
Who knows if you can trust that statement. ONly leverage we have is that if something like this becomes public, the VPN's essentially lose their entire customer base overnight, so the interests are aligned.
It will be interesting to see what happens to PureVPN's finances in light of this breach of customer privacy.
I have been using PIA for more than a year. At first I used it only on my desktop and used the app for that. It worked well. I then switch to an Asus RT-AC68u router and set up the VPN on it. The processor on this router is not good enough to manage 128bit encryption for the VPN. The CPU usage was always near max and maximum bandwidth was about 8mbps. I now use an R710 and have it run the VPN. It has an L5640 cpu that doesn't break a sweat and manages 10x the speed the router could do. I am now only limited by my ISP. The server is running windows 10 and runs the PIA app. The VPN connection is shared with the Asus router mentioned above and shared with the rest of the house there. Works very well for me. I do need to get a more efficient server though. The iDRAC states it's normal power usage is about 120watts!