Tips for VPN on pfSense

So I've been messing around for a while trying to use a VPN through pfSense (as a client) and didn't have a lot of success. Setting up the VPN is fairly straightforward, but I could never get a stable connection. But I finally figured out what the problem is and thought I'd share it with everyone in case someone else was having similar problems.

This isn't going to be a guide on setting up a VPN client on pfSense (although if anyone wants I can probably write one up). Most VPN services have a guide for setting it up. This will just explain the problem I was having and how I solved it.

The problem I was having with my VPN was that the connection would drop all the time, especially when it was under load. This made it pretty much unusable. But I couldn't figure out what the problem was. I messed around with the keepalive option for OpenVPN as well as the ping-restart, but neither of these seemed to have any effect. I thought it might have been a problem with packet fragmenting, so I messed around with the MTU and MSS settings, but this also had no effect.

The problem turned out to be caused by pfSense's gateway monitoring daemon. You have probably seen the gateway quality info on the main page of the pfSense webUI. Well, the program which gives you that info, apinger, isn't just for displaying info. It is used in multi-WAN setups to switch traffic to a different gateway when the quality drops. In a single WAN configuration it will restart the connection, which will cause OpenVPN to restart as well. It does this when the latency or packet loss reaches a preset limit; this is when the status changes from a green 'online' to a yellow 'latency'. I think the default is around 400ms.

There are three ways to fix this, although I've only tried two. The first and simplest is to disable gateway monitoring. This will stop the gateway quality info as well, though. To do it go to System > Routing and edit both the WAN and VPN gateway and check the 'disable gateway monitoring' box.

The next option is to change the thresholds for when apinger will restart the gateway. To do this go into the gateway settings and click advanced. You want to put something high in here to prevent apinger from restarting the gateway; here are the settings I use:

latency threshold: 3000 - 4000

packet loss threshold: 30 - 40

Probe interval: 2

Down: 30

This way the connection should only restart if the gateway really is down, and not just because the ping took too long to complete.

The third option is to prioritize ICMP traffic. I haven't tried this but if you have the traffic shaper set up just make a rule for ICMP traffic and put it in the highest priority queue. This should prioritize pings and prevent apinger from reporting high latency and restarting the gateway.


Anyway, just thought I'd share this. If anyone wants any help setting up a VPN on pfSense just let me know.
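To make the mechanism in the post above concrete, here is an added example (not pfSense or apinger code) that models how a gateway monitor turns a window of probe results into the online / latency / loss / down status, and feeds it the same constructed probe window once with a roughly default ~400 ms latency threshold and once with the tuned values from the post. The averaging and the "down" rule are a simplified assumption, not apinger's exact algorithm, and the default loss and down values are assumed for illustration; only the ~400 ms figure comes from the post.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass
class Thresholds:
    latency_ms: float      # average RTT above this -> "latency" (gateway gets restarted)
    loss_pct: float        # packet loss above this -> "loss" (gateway gets restarted)
    probe_interval_s: int  # seconds between probes
    down_s: int            # seconds with no reply at all before the gateway is "down"

# Assumed "default-ish" values: only the ~400 ms latency figure comes from the post;
# the loss and down numbers are illustrative assumptions.
DEFAULT = Thresholds(latency_ms=400, loss_pct=10, probe_interval_s=1, down_s=10)
# The poster's settings: latency 3000, loss 30, probe interval 2, down 30.
TUNED = Thresholds(latency_ms=3000, loss_pct=30, probe_interval_s=2, down_s=30)

def evaluate(samples: Sequence[Optional[float]], t: Thresholds) -> str:
    """samples: RTT in ms per probe, or None when the probe got no reply.
    Returns 'down', 'loss', 'latency' or 'online' (simplified model)."""
    if not samples:
        return "online"
    # "down": the most recent down_s seconds of probes all went unanswered
    probes_for_down = max(1, t.down_s // t.probe_interval_s)
    tail = list(samples[-probes_for_down:])
    if len(tail) == probes_for_down and all(s is None for s in tail):
        return "down"
    lost = sum(1 for s in samples if s is None)
    loss_pct = 100.0 * lost / len(samples)
    if loss_pct > t.loss_pct:
        return "loss"
    answered = [s for s in samples if s is not None]
    avg = sum(answered) / len(answered) if answered else 0.0
    return "latency" if avg > t.latency_ms else "online"

# Constructed probe window: link under load, RTT climbs to 600-900 ms, one drop.
UNDER_LOAD = [35, 40, 620, 780, 910, 850, None, 700, 660, 590]
# Constructed probe window: link really is dead, nothing answers.
DEAD = [None] * 20

if __name__ == "__main__":
    for name, window in (("under load", UNDER_LOAD), ("dead", DEAD)):
        print(f"{name:10s} default={evaluate(window, DEFAULT):8s} "
              f"tuned={evaluate(window, TUNED)}")
```

With the default-ish thresholds the loaded link is flagged "latency" (and would be restarted) while the tuned thresholds keep it "online"; a dead link is reported "down" under both, which is the behaviour the post is after.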

Thank you for posting this! Very useful info as I plan to set one up as soon as I figure out what hardware to use (concerned about energy efficiency). What did you use for hardware?

I used whatever I had lying around, which was a Phenom II X4 945. It runs at about 80W, which is a little high. I hear that for anything under 1 Gbps the newer Intel Atoms do alright. I was thinking about getting something like that, but it's not worth the cost for what I would save. I'm going to change the CPU for a dual core Athlon II; hopefully that will drop the wattage a little.

I've been looking into it a bit from the AMD side. It looks like socket AM1, using 25W quad core chips (1.2-2.1 GHz), is their answer to that market segment. There's a 2-core chip available as well.

That's a lot more appealing than embedded solutions actually, which are sometimes 32-bit only, and especially the Atom platform with its lack of VT-x.

The newer Atoms support virtualization (not that you need it for pfSense), like the C2550 and C2750, and they're something like 14W.

The firewall in the current version of pfSense isn't multithreaded, so your throughput will be limited by CPU speed regardless of how many cores it has, but it shouldn't matter for regular home internet stuff. Having said that, using a VPN on a high speed connection might be too much for a low powered CPU. Find out what kind of performance a chip will get on pfSense before you commit to it and make sure it'll work for what you want. A regular desktop chip will pretty much handle anything you throw at it, but the lower power stuff can struggle.

My Phenom pretty much just sits on 800 MHz and rarely goes above 10% CPU usage. The only reason I'm swapping it for an Athlon II is because all I have is an old AM2+ board and I don't really want to spend too much money on it just to save a few watts.

I have 4GB of RAM, but it usually sits around 25%. That's with it running two Snort instances, which are real memory hogs, so you really don't need much memory unless you plan on having an insane number of connections.

If you do go with a low power CPU, have a look at getting some Intel server NICs; they can offload some of the processing from the CPU so it won't bottleneck as much as if you were using cheaper Realtek NICs.

Oh, I was thinking of getting a new ESXi/Xen box as I wrote that, but it's nice to know Atoms support VT now. An Atom might be nice for pfSense.