TL;DR: NordVPN:
open: 84.6/15.2 (Mbps down/up)
VPN'd: 80.6/16.7 (Mbps down/up)
You?
Unabridged:
I’ve been meaning to do this for ages - finally got around to it.
I went with NordVPN as my initial provider for Netflix support and purported policies aligning with my requirements (and I can always switch later). I ran into quite a lot of complaints about speed on all the VPN options, but fewer and fewer as the commentary got more recent (I presume reflecting roll-out of nodes in all of them as time goes on).
Looking at the various options discussed here on L1T and elsewhere, there seemed to be equal, if not greater, concern for performance as well as ownership and logging policies, but I expect that to be a moving target - I'd love to hear people's thoughts on this.
Using a fanless box (Protectli) as my pfSense box with specs as follows:
- Intel® Atom™ CPU E3845 @ 1.91GHz
- AES-NI CPU Crypto: Yes (active)
- 4G RAM, 32G mSATA
According to MegaPath my throughput is as follows (verifying/refreshing to ensure that my IP reflected VPN and non-VPN status in this test):
open: 84.6/15.2 (Mbps down/up)
VPN'd: 80.6/16.7 (Mbps down/up)
I was/am a little surprised at the lack of impact, but then my native rate is not earth-shattering for lack of last-mile options. I do see an impact (expected) in gaming latency - connecting to the same servers in BF1, I went from 20 ms to 100 ms. I am not trying to obfuscate my nation of origin (or region, frankly), so perhaps that makes a big difference?
Netflix works without issue, so all my “users” are happy and remain blissfully ignorant of my efforts to keep their computers safe.
Issues I ran into:
- NordVPN has not updated their pfSense tutorial to 2.4.2. There are some subtle differences between 2.3.2 (what they have up) and 2.4.x. Nothing earth-shattering.
- It should have been obvious, but NordVPN's guide, though detailed, did not make clear (or I missed it) that each of their servers has a different certificate/key (CA and TLS), so you need to download the corresponding set for each, or the full list of all of them in a ZIP. After a forehead smack, having successfully connected to their example server but failed to connect to a "suggested" server, I figured that out...
- Again, maybe I missed something, but it did not reference AES-256-GCM (they reference AES-256-CBC in their tutorial). I turned on debugging to find an error blocking connection for lack of GCM support. Adding it to the list of supported, auto-negotiated ciphers fixed this.
- My personal email server has blacklisted NordVPN's IPs/subnets from prior abuse (tracked/updated automatically/dynamically based on activity observed at the server). So, I had to special-case my email traffic to bypass the VPN. Email goes over SSL anyway, so not the end of the world, and the blacklisting exists for a very, very good reason.
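The two config gotchas above (a different CA/TLS key per server, and a client cipher list that lacks AES-256-GCM) are both visible in the provider's .ovpn files before anything is imported into pfSense. The script below is an added example, not from the original post and not NordVPN's or pfSense's own tooling: it parses a set of downloaded profiles, fingerprints each inline `<ca>` and `<tls-auth>` block so you can see which servers share a CA, and reports whether AES-256-GCM is negotiable from the `cipher` / `ncp-ciphers` (or newer `data-ciphers`) directives, suggesting the list to put in the pfSense client's negotiable-cipher field. The hostnames, certificate bodies and keys in the sample profiles are constructed placeholders.

```python
"""Audit downloaded OpenVPN client profiles (.ovpn) before importing them into pfSense.

Added example (not the original post's or the VPN provider's code). The sample
profiles at the bottom are constructed: the hostnames, CA and tls-auth bodies are
placeholders, not real certificates or keys.
"""
import hashlib
import re
from typing import Dict, List

# Inline <ca>...</ca> and <tls-auth>...</tls-auth> blocks as shipped in .ovpn files.
INLINE_BLOCK = re.compile(r"<(?P<tag>ca|tls-auth)>(?P<body>.*?)</(?P=tag)>", re.S)


def fingerprint(block_body: str) -> str:
    """Short stable identifier for an inline PEM block: SHA-256 over the
    whitespace-stripped body. Two profiles share a CA iff the fingerprints match."""
    return hashlib.sha256("".join(block_body.split()).encode()).hexdigest()[:16]


def parse_profile(text: str) -> Dict[str, object]:
    """Extract the directives that matter for a pfSense OpenVPN client import."""
    info: Dict[str, object] = {"remote": None, "cipher": None, "ncp": [], "ca_fp": None, "ta_fp": None}
    for m in INLINE_BLOCK.finditer(text):
        info["ca_fp" if m.group("tag") == "ca" else "ta_fp"] = fingerprint(m.group("body"))
    # Strip the inline blocks first so PEM/base64 lines are never misread as directives.
    for line in INLINE_BLOCK.sub("", text).splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] == "remote" and len(parts) >= 2:
            info["remote"] = parts[1]
        elif parts[0] == "cipher" and len(parts) >= 2:
            info["cipher"] = parts[1]
        elif parts[0] in ("ncp-ciphers", "data-ciphers") and len(parts) >= 2:
            info["ncp"] = parts[1].split(":")
    return info


def gcm_negotiable(info: Dict[str, object]) -> bool:
    """True when the profile, as written, allows AES-256-GCM to be negotiated."""
    return info["cipher"] == "AES-256-GCM" or "AES-256-GCM" in info["ncp"]


def suggested_ncp(info: Dict[str, object]) -> List[str]:
    """Cipher list for the pfSense client's negotiable-cipher field: GCM first,
    then whatever the profile already allows (CBC stays as the fallback)."""
    ciphers = list(info["ncp"]) or ([info["cipher"]] if info["cipher"] else [])
    if "AES-256-GCM" not in ciphers:
        ciphers.insert(0, "AES-256-GCM")
    return ciphers


def audit_profiles(profiles: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Parse every profile and annotate it with the GCM check and suggested list."""
    report = {}
    for name, text in profiles.items():
        info = parse_profile(text)
        info["gcm_ok"] = gcm_negotiable(info)
        info["suggested_ncp"] = suggested_ncp(info)
        report[name] = info
    return report


def ca_groups(report: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Group profile names by CA fingerprint; one group per server means one CA per server."""
    groups: Dict[str, List[str]] = {}
    for name, info in report.items():
        groups.setdefault(str(info["ca_fp"]), []).append(name)
    return groups


# Constructed sample profiles (placeholder hosts, certificates and keys).
SAMPLE_PROFILES = {
    "server-a.ovpn": """client
dev tun
proto udp
remote server-a.example.net 1194
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-CA-FOR-SERVER-A
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
CONSTRUCTED-PLACEHOLDER-TA-KEY-A
-----END OpenVPN Static key V1-----
</tls-auth>
""",
    "server-b.ovpn": """client
dev tun
proto udp
remote server-b.example.net 1194
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-256-CBC
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-CA-FOR-SERVER-B
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
CONSTRUCTED-PLACEHOLDER-TA-KEY-B
-----END OpenVPN Static key V1-----
</tls-auth>
""",
}

if __name__ == "__main__":
    result = audit_profiles(SAMPLE_PROFILES)
    for name, info in result.items():
        print(name, info["remote"], "cipher:", info["cipher"], "GCM ok:", info["gcm_ok"],
              "suggested:", ":".join(info["suggested_ncp"]), "CA:", info["ca_fp"])
    print("CA groups:", ca_groups(result))
```

Point it at a real download by reading each .ovpn into the `profiles` dict; if `ca_groups` returns one group per file, you need the matching CA and TLS key for every server you add in pfSense, and any profile with `gcm_ok` False is one where the pfSense client's negotiable-cipher list should get AES-256-GCM added, which is the fix described above.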
I'm curious if I was just seeing stale concern over throughput on other services (old posts) or if lumpy service is still the order of the day?
Perhaps it is just older hardware lacking IPs (or just horsepower) for en/decrypt acceleration?