OpenVPN not working (new router and ISP)
I just got internet access installed a few days ago but I'm having problems using PIA with openvpn.
I pay for a 50 down 10 up megabit connection from Distributel who are using Bell's network in Ontario, Canada.
Speedtest.net is consistently showing just over these speeds when not using the VPN and 45 down 9 up when connected through the PIA app using TCP port 443.
The issue is that I want to be able to use OpenVPN as I am currently running Linux Mint but I'm planning to replace it with Debian 9 which is not supported by the PIA app. Also, I would prefer to use UDP over TCP as speed is supposed to be better without all the acks on the transport layer.
UDP is hardly working whether connected via the app or OpenVPN. My ISP technical support told me to enable port triggering for UDP on port 1198 as stated in my config file but this doesn't seem to help. I have a SmartR/G 505N modem / router.
Running a speed test on UDP starts to work but then quits giving an error saying: "A socket error occurred during the Download test. Please try again later."
Below is my openvpn config file which has been working flawlessly for over a year on dozens of networks including Bell so I guess the problem is with my router config. The tech support guy was pretty clueless. Can someone advise me how to configure my router?
client
dev tun
proto udp
remote ca-toronto.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /home/tasgar/login.conf
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Comments
@Tasgar are you sure the advice was to use "port triggering"? "Port forwarding" makes sense but not port triggering for this use case. You are generally right to expect no better than 80% to 90% of 'wire speed' running over TCP.
The tech support guy definitely said port triggering but as packets are getting through (UDP port 1198 observed in tcpdump) without those rules I don't see why I would need it. I really don't think he had any clue what he was talking about as he was scrambling through the router documentation for quite a while.
My router documentation is here http://www.start.ca/files/smartrg505n.pdf but it doesn't mention anything about port forwarding. Is that what I need to do?
This is what my router page says about port triggering:
NAT -- Port Triggering Setup
Some applications require that specific ports in the Router's firewall be opened for access by the remote parties. Port Trigger dynamically opens up the 'Open Ports' in the firewall when an application on the LAN initiates a TCP/UDP connection to a remote party using the 'Triggering Ports'. The Router allows the remote party from the WAN side to establish new connections back to the application on the LAN side using the 'Open Ports'. A maximum 96 entries can be configured.
I've been watching tcpdump while playing a video on YouTube. It's buffering a lot and the packet sizes are really small and mixed. Here is a snippet:
Any clues as to what is going on here?
Dynamic port forwarding (aka "port trigger") does not make any sense to me. You just need to be sure your router does not block/drop incoming UDP traffic from port 1198 (src port). The destination port (dest port) on your system will vary.
Also check to see if there are reports your router is awful handling UDP traffic in volume (there are a few which are just terrible).
The small packet sizes becoming larger on the incoming video stream seems normal to me (I once was the lead tech for a demonstration video IP multicast station). Segment size increases to make maximum use of available 'bandwidth' (packet rate). The small return packets are feedback to the origination server (dropped/missed frame report, for example) so the incoming stream is paced properly (not too many frames, not too few frames).
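Added example, not part of the thread or written by any poster: a small Python check that reads `tcpdump -n` text and tallies tunnel packets in each direction by the server-side port 1198, which shows whether replies from source port 1198 are reaching the client and which local port they land on. The sample captures, addresses and the `summarize` function are constructed for illustration.

```python
import re

VPN_PORT = 1198  # remote port from the config posted in this thread

# Constructed sample of `tcpdump -n` output; addresses are documentation ranges.
SAMPLE_OK = """\
12:00:01.000101 IP 192.168.1.10.45678 > 198.51.100.7.1198: UDP, length 113
12:00:01.031422 IP 198.51.100.7.1198 > 192.168.1.10.45678: UDP, length 1433
12:00:01.031790 IP 198.51.100.7.1198 > 192.168.1.10.45678: UDP, length 1433
12:00:01.032015 IP 192.168.1.10.45678 > 198.51.100.7.1198: UDP, length 97
12:00:01.050000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
"""
# Constructed sample where nothing comes back from the server.
SAMPLE_ONE_WAY = """\
12:00:05.000101 IP 192.168.1.10.45678 > 198.51.100.7.1198: UDP, length 113
12:00:07.000950 IP 192.168.1.10.45678 > 198.51.100.7.1198: UDP, length 113
"""

UDP_LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")

def summarize(capture, port=VPN_PORT):
    """Tally tunnel packets by direction, keyed on the server-side port."""
    sent, received, local_ports = [], [], set()
    for line in capture.splitlines():
        m = UDP_LINE.search(line)
        if not m:
            continue  # not a plain UDP line (ARP, ICMP, ...)
        sport, dport, length = int(m.group(2)), int(m.group(4)), int(m.group(5))
        if dport == port:        # client -> server
            sent.append(length)
            local_ports.add(sport)
        elif sport == port:      # server -> client (source port is the fixed one)
            received.append(length)
            local_ports.add(dport)
    if not sent:
        verdict = "no tunnel traffic"
    elif not received:
        verdict = "one-way"      # replies from source port 1198 never arrive
    else:
        verdict = "two-way"
    return {"sent": len(sent), "received": len(received),
            "largest_received": max(received, default=0),
            "local_ports": sorted(local_ports), "verdict": verdict}

if __name__ == "__main__":
    for name, cap in (("ok", SAMPLE_OK), ("one-way", SAMPLE_ONE_WAY)):
        print(name, summarize(cap))
```

With `nobind` in the client config the local port differs on each connection, so the tally keys on the server port only.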
@Tasgar, block-outside-dns should fix a DNS leak. But then again, this is Linux.
TCP does work ok using openvpn via the command line. I just ran a speed test and got 46 down and 9.5 up (50 / 10 without) so I'm only losing a small amount of throughput.