I may have a silly question regarding VPN and XT8 - please be nice

[oharag]

Okay - so I've been playing with OpenVPN on my XT8 router. I posted some questions on Reddit, but this may be the better place to post - since you guys are experts

So a little bit about me:
- I live in USA
- I have a XT8 router in Mesh mode (with another XT8).
- I use the Mac eco system (Mac/iPhone/iPad) and have an Xbox. I don't have security cameras. I do have a NAS.
- I have Fios service - I have Xbox - noticed upload speeds are atrocious. So I did investigation. Verizon says "No way we throttle Xbox uploads" Sure. So all my devices (even my Xbox internet) gets 250/250 from a max 300/300. Xbox live gets 250/2. So someone suggested that I go behind a VPN and check speeds. So I found a free VPN provider - and tested. I know get 40/34! So yeah I lost some download, but gained a bunch in upload. So why care: Well I was warned for having a slow connection on a game. I was even banned for 2 weeks from playing multiplayer. This is why I decided to investigate solutions. I don't want to be THROTTLED in any way.
- So I know VPNs are not the cure all - but I think being hidden from the outside world is a good thing (and yes I know you are not truly hidden). I also considering setting up an OpenVPN server on my XT8 (thus the reason for this post) to share my NAS behind my router with family - and maybe watch moves outside my home.
- So I did some research on a good cheap VPN - and realized a lot of their claims are BS. I actually paid for NordVPN because they were the FASTEST. Uh no. There speeds in my area were crap - many servers gave me an error on download and upload tests. I quickly canceled. Most people posted on Reddit that commercial VPNs are crap - and as stated - don't really protect you.

So I thought - how can I do this cheaply and efficiently. I'm not a network expert - but I want to learn.

So here are my thoughts/actions to date:
- I realized I can setup an OpenVPN server on my XT8. I looked on the internet - and it seems straight forward.
- So I follow the simple instructions on the tubes - and whatever.
- So my question: If I can setup a Server on my router - can I also connect to this server on the same server as a client???? Or is this stupid.
- So I realize setting up the Asus Router to be an OpenVPN server allows outside devices to securely connect to my home (cell phone/computer/etc...). I haven't tested this yet, because I'm trying to do something different. BUT I also want to connect to this server inside my home with connected devices. That is my computer/XBox/etc... Why - well I gave you a reason above - when I'm behind a VPN Client on my Xbox I get way better upload speeds. Also, the benefit of hiding my IP from outside prying eyes.
- Again is this how this works???
- Here's what I did to date (again following what little info I can garner from tubes).
- I created a DDNS using ASUS DDNS service. I used Free Cert from Let's Encrypt to activate my DDNS. It is said that since I have a
Dynamic DNS from my ISP I needed to create a DDNS to at least address dynamic IP. This is where I need help? I still don't know how
this helps me? I know once I created and made it active - this DDNS shows up on my Asus router map. I guess having a DDNS allows me
to connect from the outside World even though I have a Dynamic DNS address. Any explanation (again make it easy to understand) would
be helpful.
- So I setup up OpenVPN server on Asus - created a PW - hit Apply -and Export OpenVPN config File.
- I then go to OpenVPN Client section on Asus - name the client AsusVPN - put in login/pw credentials - and upload exported OpenVPN
file.
- When I connect I get this" IP/Routing conflict: Please change your router LAN subnet, please refer to this FAQ for detail". I also get
an yellow exclamation point for Status. Also no traffic gets through once active. I went and read about the error - all info was sparse or
confusing.
- So if I look at advance settings under OpenVPN server I see a "VPN Subnet/Network" setting. Is this what I need to change to get the
Client to start working?
- So any help with my efforts would be greatly appreciated. I don't want to purchase a static IP but if this is what I have to do then I will. I don't want to purchase a commercial VPN, but if this is what I need to do then fine. I saw on tubes that I can actually host my own VPN Sever in the Cloud - how is this different from the Asus Router. I don't want to create a VPN server in my home - since I think the Asus router can serve as the OpenVPN server. As you can see I'm throwing everything out there.
- Can anyone here easily and succinctly provide me step by step procedures to help me do what I proposed. If it's not achievable - ie.. it doesn't work like this - Asus can not be both he Server and Client together - than that's all I want to know.
-Please recommend your proposed setup. I hope you got what I want - I only care about hiding my IP address and getting better upload speeds on my Xbox. I may want to share my NAS behind a VPN, or connect to my home network. It would be nice to have my streaming services to work behind the VPN, but if I have to deactivate to watch TV that's fine. I don't P2P or Tor.

Hey some additional questions:
- Is Wireguard supported - or will be supported on AsusWRT? Just reading about the new protocol. I saw a writeup of installing Wireguard on an Asus router - but mine doesn't have this option? Was it removed.
- Does anyone know is Merlin will support XT8 anytime soon? I think I reached out to a dude on twitter that may be associated with Merlin - and he said not at this time. Anyone have any leads?

My goal is to learn more about home networking. If I can take advantage of the security measures my router offers than that's great. I realize I need to actively pursue other measures to protect my name/address/accounts. I will do this as well.

Thanks for any help you can provide. Any links/resources/tubes you can suggest would be greatly appreciated.

 

[Smokey613]

First off, your vpn server running on your XT8 is used so you can access your system from outside your network.

The client config you downloaded from the XT8 is used on your phone, tablet, laptop, etc to setup a vpn client to be used for remote access into your XT8 system when you are away from home. You will probably need to use a DDNS service unless you have a static internet IP on your WAN. The built in Asus DDNS service actually works pretty good. This will allow you to specify a hostname instead of an IP address inside you VPN client. That way, when your ISP issues you a new WAN IP, the DDNS service will change your custom hostname DNS to point to the new IP.

You can setup the built in vpn client on the XT8 to connect to an outside vpn provider. This will route your LAN traffic out the vpn through your vpn provider's system thereby eliminating the need to install a vpn client on each LAN devices.

There is one thing to note about using the router's vpn client, not all Asus routers will give good vpn performance depending on which model you choose. I am not sure if the XT8 supports vpn encryption. If not then that 40/34 you are getting is about right.

My Asus RT-AC86U would give me almost 80/60 over a vpn on a 100/100 connection. My CT8 units do not support vpn encryption and their speed was in line with your experiences.

Now days, my Firewalla Gold handles all routing and VPN Server / Client needs. It supports Wireguard natively. Now I get the same speed over Wireguard that I get without using a VPN.

One last thing, I do not expect Merlin to support the XT8.

 

[eibgrad]

You're confusing having your *own* OpenVPN server, w/ accessing a remote, commerical OpenVPN server (using the router's OpenVPN client) from the likes of NordVPN. These are completely different things! You use the former to access *your* home network, and the latter to secure your home network access to the internet.

 

[oharag]

You're confusing having your *own* OpenVPN server, w/ accessing a remote, commerical OpenVPN server (using the router's OpenVPN client) from the likes of NordVPN. These are completely different things! You use the former to access *your* home network, and the latter to secure your home network access to the internet.

Okay that's all I want to hear - thanks. I couldn't even get an answer anywhere else.
So as for commercial vs maybe setting up your own VPN Client - which would you recommend?

 

[eibgrad]

Okay that's all I want to hear - thanks. I couldn't even get an answer anywhere else.
So as for commercial vs maybe setting up your own VPN Client - which would you recommend?

I think you meant setting up your own OpenVPN *server* (typically on some VPS) to use w/ your router's OpenVPN client.

Just depends. For most ppl, using a commercial OpenVPN provider is just easier. You don't have to manage the server (configure it, apply updates, etc.). And it means you're not bound to *one* specific public IP on that server (i.e., anonymity/obfuscation is harder to achieve unless you're prepared to rebuild w/ a new public IP from time to time). Even if you have your own OpenVPN server on some VPS, it's going to cost something (at least $5 month from my experience). OTOH, having your own OpenVPN server means your independent of a commercial provider, which might be advantageous if you don't trust them in terms of your privacy (but even so, you end up having to trust the VPS provider).

The biggest advantage I find for having your own OpenVPN server on some VPS is the ability to use it for remote access into your home network, which is necessary for those users who do NOT have a public IP from their ISP (e.g., CGNAT). Having your own OpenVPN server in that case extends the reach of your home network out past the private WAN ip from your ISP to a public IP.

But even given the remote access capabilities of having your own OpenVPN server on some VPS, there are commerical OpenVPN providers who support port forwarding, which essentially accomplishes the same thing. And as I said, that gets you out of the business of supporting your own server (which assumes you have the skills and time to do so).

 

[oharag]

First off, your vpn server running on your XT8 is used so you can access your system from outside your network.

The client config you downloaded from the XT8 is used on your phone, tablet, laptop, etc to setup a vpn client to be used for remote access into your XT8 system when you are away from home. You will probably need to use a DDNS service unless you have a static internet IP on your WAN. The built in Asus DDNS service actually works pretty good. This will allow you to specify a hostname instead of an IP address inside you VPN client. That way, when your ISP issues you a new WAN IP, the DDNS service will change your custom hostname DNS to point to the new IP.

You can setup the built in vpn client on the XT8 to connect to an outside vpn provider. This will route your LAN traffic out the vpn through your vpn provider's system thereby eliminating the need to install a vpn client on each LAN devices.

There is one thing to note about using the router's vpn client, not all Asus routers will give good vpn performance depending on which model you choose. I am not sure if the XT8 supports vpn encryption. If not then that 40/34 you are getting is about right.

My Asus RT-AC86U would give me almost 80/60 over a vpn on a 100/100 connection. My CT8 units do not support vpn encryption and their speed was in line with your experiences.

Now days, my Firewalla Gold handles all routing and VPN Server / Client needs. It supports Wireguard natively. Now I get the same speed over Wireguard that I get without using a VPN.

One last thing, I do not expect Merlin to support the XT8.

Cool thanks for response. I will learn.

My speeds suck on XT8 when I have max 300/300. So I was looking around for a better VPN provider. I'm using free ProtoVPN - I get great speeds on computer - terrible on router. I looked up XT8 - and it seems like they don't offer acceleration for VPN. Proton states they have their own VPN acceleration but I have to pay for it. So I posted on Reddit for any other recommendations. I tried NordVPN and was appalled. ProtonVPN Free with easy connect destroyed 10 different NordVPN servers! I canceled Nord. I do worry about Country of origin. Nord is in Panama - Proton is in Switz. Both are supposed to protect users. Most are in USA - which concerns me.

Firewalla Gold is not a wifi router - correct. Just a wired router - right? So if I purchase this - do I plug my Fios ethernet directly into this - then connect my XT 8 to this - or do I leave XT8 attached to Fios - and plug FG into XT8? The ethernet ports on the back of FG state 3+ Gps. My XT8 has 2.5 but only for WAN. LANs are 1 Gig. If you can help with my setup I would appreciate this a bunch. So FG is $478. I can get a commercial VPN for $80/3 years - and use my Asus router as VPN server. Can you sell me on FG? Security? Speed? Is it that having your own VPN Client in your home you don't need to worry about log retention/tracking? Any other recommended systems similar to FG I need to investigate.

RE: Wireguard: I just happened upon this during my research. It's supposed to be faster - but I used NordVPNs implementation and I got slower speeds. Also everywhere I read - Wireguard is not a VPN - but a tunneling solution through VPNs - am I wrong? pfSense and freeBSD dropped WG support - I think claiming it wasn't as secure. Any thoughts?

I wonder why XT8 and Merlin support won't be coming? Doesn't XT8 use same processor than other Asus routers? I guess I'm only intrigued by Merlin since I've read it offers more features - better security - and customization than standard AsusWRT.

 

[oharag]

I think you meant setting up your own OpenVPN *server* (typically on some VPS) to use w/ your router's OpenVPN client.

Just depends. For most ppl, using a commercial OpenVPN provider is just easier. You don't have to manage the server (configure it, apply updates, etc.). And it means you're not bound to *one* specific public IP on that server (i.e., anonymity/obfuscation is harder to achieve unless you're prepared to rebuild w/ a new public IP from time to time). Even if you have your own OpenVPN server on some VPS, it's going to cost something (at least $5 month from my experience). OTOH, having your own OpenVPN server means your independent of a commercial provider, which might be advantageous if you don't trust them in terms of your privacy (but even so, you end up having to trust the VPS provider).

The biggest advantage I find for having your own OpenVPN server on some VPS is the ability to use it for remote access into your home network, which is necessary for those users who do NOT have a public IP from their ISP (e.g., CGNAT). Having your own OpenVPN server in that case extends the reach of your home network out past the private WAN ip from your ISP to a public IP.

But even given the remote access capabilities of having your own OpenVPN server on some VPS, there are commerical OpenVPN providers who support port forwarding, which essentially accomplishes the same thing. And as I said, that gets you out of the business of supporting your own server (which assumes you have the skills and time to do so).

Who do you use for commercial VPN? that's if you even use one. I'm interested in VPN first due to Xoxo throttling by ISP - and second hiding behind VPN. Again - I realize it's not a cure all for prying eyes - I'm going to keep at securing my home on my end (browser - PW - to form authentication - encryption - etc..). Thanks for the response.

 

[oharag]

Just an update. I started my OpenVPN server on Asus Router. I downloaded tunnel back SW for my Mac as requested by Asus. I launched TB - and uploaded the ovpn file exported out of Asus. I connect to my Router using the credential I setup on router. It looked like to it worked out well. It says connected success - it shows my current dynamic DNS on router - shows the port I assigned - it shows connected on my Asus Router OpenVPN server page. So it seems I'm connected. So I decide to check on the Mac side and initiate a ping to my DDNS. Well it says: "
Request timeout for icmp_seq 0


Request timeout for icmp_seq 1


Request timeout for icmp_seq 2


Request timeout for icmp_seq 3


Request timeout for icmp_seq 4


Request timeout for icmp_seq 5


Request timeout for icmp_seq 6


Request timeout for icmp_seq 7


Request timeout for icmp_seq 8

10 packets transmitted, 0 packets received, 100.0% packet loss

So what's the deal? I typed ping "my DDNS address".
Did I do something wrong? If it says connected in TB how do I check whether I am connected? I know ping is the way - but did I do something wrong in commands?

Thanks

 

[oharag]

Just an update. I started my OpenVPN server on Asus Router. I downloaded tunnel back SW for my Mac as requested by Asus. I launched TB - and uploaded the ovpn file exported out of Asus. I connect to my Router using the credential I setup on router. It looked like to it worked out well. It says connected success - it shows my current dynamic DNS on router - shows the port I assigned - it shows connected on my Asus Router OpenVPN server page. So it seems I'm connected. So I decide to check on the Mac side and initiate a ping to my DDNS. Well it says: "
Request timeout for icmp_seq 0


Request timeout for icmp_seq 1


Request timeout for icmp_seq 2


Request timeout for icmp_seq 3


Request timeout for icmp_seq 4


Request timeout for icmp_seq 5


Request timeout for icmp_seq 6


Request timeout for icmp_seq 7


Request timeout for icmp_seq 8

10 packets transmitted, 0 packets received, 100.0% packet loss

So what's the deal? I typed ping "my DDNS address".
Did I do something wrong? If it says connected in TB how do I check whether I am connected? I know ping is the way - but did I do something wrong in commands?

Thanks

Even when I initiate Ping for DDNS it shows my current DNS assigned by ISP - and yet it fails to connect.

 

[eibgrad]

It's difficult for me or anyone else to say what is a good VPN provider since what YOU and I consider good will vary. You originally started out complaining about the abysmal performance of your Xbox unless connected to a VPN (specifically on the upload side). But just about *any* VPN provider is going to offer vastly more than a meager 2Mbps upload. So on that basis alone, any VPN provider would do. But if you're NOW comparing performance through the VPN to your ISP *generally*, well that's another matter.

I use NordVPN, and I normally get about 120-140Mbps for most USA servers, with occasional spikes to 180Mbps, and even 250Mbps w/ the Denver server specifically (fwiw, my ISP provides 600Mbps+ up/down). But I'm NOT using my primary router (ASUS RT-AC68U) for those purposes since its VPN performance is limited to about 30Mbps, but instead a small form-factor PC I build out of spare parts runing DD-WRT x86, and acting as an alternate gateway.

I don't know anything more about Firewalla Gold than what I just researched a moment ago. Seems to be an Intel-based small form-factor router, which like my own PC-based OpenVPN gateway, is going to make mincemeat out of any consumer-grade router when it comes to VPN performance. But even so, you're always limited by what your ISP and VPN provider can offer in terms of bandwidth.

As far as WG (WireGuard), I don't normally use it. Don't have the need now that my VPN is no longer running on my ASUS router. But I did some experimentation a few months ago and found using DD-WRT and WG that I could get ~111Mbps w/ KeepSolid VPN (aka, VPNUnlimited). That's an impressive improvement given the 30Mbps over OpenVPN. But it's no panacea either. There have been issues raises by some providers when it comes to privacy. And it only supports routed tunnels, NOT bridged. And since it runs in the kernel (which is what primarily gives it it's biggest performance boost compared to user-space VPNs like OpenVPN), it also means if compromised, RCE (Remote Code Execution) vulnerabilities are theoretically possible.

 

[oharag]

It's difficult for me or anyone else to say what is a good VPN provider since what YOU and I consider good will vary. You originally started out complaining about the abysmal performance of your Xbox unless connected to a VPN (specifically on the upload side). But just about *any* VPN provider is going to offer vastly more than a meager 2Mbps upload. So on that basis alone, any VPN provider would do. But if you're NOW comparing performance through the VPN to your ISP *generally*, well that's another matter.

I use NordVPN, and I normally get about 120-140Mbps for most USA servers, with occasional spikes to 180Mbps, and even 250Mbps w/ the Denver server specifically (fwiw, my ISP provides 600Mbps+ up/down). But I'm NOT using my primary router (ASUS RT-AC68U) for those purposes since its VPN performance is limited to about 30Mbps, but instead a small form-factor PC I build out of spare parts runing DD-WRT x86, and acting as an alternate gateway.

I don't know anything more about Firewalla Gold than what I just researched a moment ago. Seems to be an Intel-based small form-factor router, which like my own PC-based OpenVPN gateway, is going to make mincemeat out of any router when it comes to VPN performance. But even so, you're always limited by what your ISP and VPN provider can offer in terms of bandwidth.

As far as WG (WireGuard), I don't normally use it. Don't have the need now that my VPN is no longer running on my ASUS router. But I did some experimentation a few months ago and found using DD-WRT and WG that I could get ~111Mbps w/ KeepSolid VPN (aka, VPNUnlimited). That's an impressive improvement given the 30Mbps over OpenVPN. But it's no panacea either. There have been issues raises by some providers when it comes to privacy. And it only supports routed tunnels, NOT bridged. And since it runs in the kernel (which is what primarily gives it it's biggest performance boost compared to user-space VPNs like OpenVPN), it also means if compromised, RCE (Remote Code Execution) vulnerabilities are theoretically possible.

Your response has made my brain hurt Though all and every bit of answers/input from experts makes me dig deeper.
So I also saw recommendation to build your own VPN server using an old computer. I agree Any PC processor is going to destroy router processor. I have an old Mac Intel mini - I will see if I can make this into a VPN server. I do have bits and pieces for a PC that I never built. I like the fact FG is a plug and play solution.
Can you comment on my pinging above? It seems like I connected to VPN server on router on my Mac - but Pinging gave me an error.

 

[eibgrad]

Can you comment on my pinging above? It seems like I connected to VPN server on router on my Mac - but Pinging gave me an error.

Pinging your router's WAN ip (which is what pinging the DDNS does) is only going to work if you allow such pings on the firewall configuration, which is normally disabled by default on most firmware. This has NOTHING to do w/ the VPN. But you should be able to ping the router's *LAN* network interface now (e.g., 192.168.1.1), at least if you have specified either LAN only or Both on the OpenVPN server config.

 

[oharag]

Yes I can ping my internal IP. How do I check whether I'm connected to my OpenVPn server on router? It does identify my DDNS and current DNS IP - just doesn't return ping. I understand that this is most likely a setting in VPN page.I'm just trying to flesh this out - find a use case. I also like to tinker. I may eventually just give up the whole effort. Though I will keep reading about what networking can do for me with security in mind.

Thanks

 

[eibgrad]

Yes I can ping my internal IP. How do I check whether I'm connected to my OpenVPn server on router? It does identify my DDNS and current DNS IP - just doesn't return ping. I understand that this is most likely a setting in VPN page.I'm just trying to flesh this out - find a use case. I also like to tinker. I may eventually just give up the whole effort. Though I will keep reading about what networking can do for me with security in mind.

Thanks

Based on that response, I suspect your OpenVPN client is NOT outside the WAN when accessing the OpenVPN server, but inside the same LAN as the OpenVPN server itself. If so, that is NOT a valid configuration. You need to be on the internet side of the WAN, such as on a smartphone. If you then get connected to the OpenVPN server and can ping your router's LAN ip at that point, you know you have connectivity.

 

[Tech Junky]

@oharag

First thing about network security is to turn down all services not needed from the outside. Having a smaller footprint on the internet is more ideal.
Only open services you need when you need them.
Layering protection / counter measures to make things more difficult to get beyond and into your LAN

Like @eibgrad mentioned using a PC will give you better performance. Using WIREGUARD and not OVPN will give you better speeds.

With Nord's Nordlynx (WG) I can get line speed using a PC from just about any of their servers. Also, it makes a difference in the program in which you're using to speedtest things.

 ./SpeedTest
SpeedTest++ version 1.14
Speedtest.net command line interface
Info: https://github.com/taganaka/SpeedTest
Author: Francesco Laurita <francesco.laurita@gmail.com>

IP: 2.56.190.91 ( Clouvider Limited ) Location: [32.7908, -96.8336]
Finding fastest server... 10 Servers online
..........
Server: Dallas, TX speedtest-dc04.enzu.com:8080 by Enzu Inc. (3.77722 km from you): 13 ms
Ping: 13 ms.
Jitter: 3 ms.
Determine line type (2) ........................
Fiber / Lan line type detected: profile selected fiber

Testing download speed (32) ............................................................................................................................................................................................................................................................................
Download: 1008.50 Mbit/s
Testing upload speed (12) ........................................................................
Upload: 41.81 Mbit/s

speedtest
Retrieving speedtest.net configuration...
Testing from Clouvider Limited (2.56.190.91)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by Building Network Solutions, LLC (Dallas, TX) [3.78 km]: 31.163 ms
Testing download speed................................................................................
Download: 612.60 Mbit/s
Testing upload speed......................................................................................................
Upload: 41.56 Mbit/s

So, as you can see these were run back to back. One uses more of a script to test and the other is the package provided by ookla. The scripted test shows line speed over VPN and the ookla for whatever reason is showing a 40% deficit . If you go to different websites for testing you'll see the same disparity in results depending on the HW / bandwidth they have available along with the server load.

Some ISP's do throttle some types of traffic whether they admit it or not. The 2mbps through FIOS though is just petty. There's no reason for VZ to throttle gaming traffic. Nor is there a bandwidth issue I suspect with 300x300 service.

 

[Tech9]

One last thing, I do not expect Merlin to support the XT8.

There is a Asuswrt-Merlin build by @GNUton:

Release - Asuswrt-Merlin 386.5 GNUton's builds are now available

Hi there, Today I am finally happy to announce that we have a Merlin stable release for the usual models: - DSL-AC68U - DSL-AX82U/DSL-AX5400 - RT-AX82U and also for two new entries: - TUF-AX5400 - ZenWiFi AX (X8) / RT-AX95Q If you have wishes to see Merlin running on other routers please...

www.snbforums.com

 

[oharag]

Based on that response, I suspect your OpenVPN client is NOT outside the WAN when accessing the OpenVPN server, but inside the same LAN as the OpenVPN server itself. If so, that is NOT a valid configuration. You need to be on the internet side of the WAN, such as on a smartphone. If you then get connected to the OpenVPN server and can ping your router's LAN ip at that point, you know you have connectivity.

So - yes the computer was connected via ethernet to my router. So I understand. So I decided to download OpenVPN app on iPhone - disconnect from wifi and go on cellular. I downloaded network ping app and ping my DDNS. So I'm definitely connecting to the OpenVPN server on my router. I see my DDNS and assigned dynamic IP address. So that's all good. When I ping on iPhone get a number of dropped pings. I get maybe 7 out of 10. So what's with the lost pings??? Any thoughts?

 

[oharag]

@oharag

First thing about network security is to turn down all services not needed from the outside. Having a smaller footprint on the internet is more ideal.
Only open services you need when you need them.
Layering protection / counter measures to make things more difficult to get beyond and into your LAN

Like @eibgrad mentioned using a PC will give you better performance. Using WIREGUARD and not OVPN will give you better speeds.

With Nord's Nordlynx (WG) I can get line speed using a PC from just about any of their servers. Also, it makes a difference in the program in which you're using to speedtest things.

./SpeedTest
SpeedTest++ version 1.14
Speedtest.net command line interface
Info: https://github.com/taganaka/SpeedTest
Author: Francesco Laurita <francesco.laurita@gmail.com>

IP: 2.56.190.91 ( Clouvider Limited ) Location: [32.7908, -96.8336]
Finding fastest server... 10 Servers online
..........
Server: Dallas, TX speedtest-dc04.enzu.com:8080 by Enzu Inc. (3.77722 km from you): 13 ms
Ping: 13 ms.
Jitter: 3 ms.
Determine line type (2) ........................
Fiber / Lan line type detected: profile selected fiber

Testing download speed (32) ............................................................................................................................................................................................................................................................................
Download: 1008.50 Mbit/s
Testing upload speed (12) ........................................................................
Upload: 41.81 Mbit/s

speedtest
Retrieving speedtest.net configuration...
Testing from Clouvider Limited (2.56.190.91)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by Building Network Solutions, LLC (Dallas, TX) [3.78 km]: 31.163 ms
Testing download speed................................................................................
Download: 612.60 Mbit/s
Testing upload speed......................................................................................................
Upload: 41.56 Mbit/s

So, as you can see these were run back to back. One uses more of a script to test and the other is the package provided by ookla. The scripted test shows line speed over VPN and the ookla for whatever reason is showing a 40% deficit . If you go to different websites for testing you'll see the same disparity in results depending on the HW / bandwidth they have available along with the server load.

Some ISP's do throttle some types of traffic whether they admit it or not. The 2mbps through FIOS though is just petty. There's no reason for VZ to throttle gaming traffic. Nor is there a bandwidth issue I suspect with 300x300 service.

So I believe the reason for throttling Upload speeds is due to all the online streamers uploading content to Twitch - etc... I kind of see the reason for doing this - imagine thousands of streamers - streaming 24-7 - maybe just in one one city?
So I understand Speedtest isn't the end all - be all for testing. It seems to be the most relevant and most supported. So the NordVPN online support rep chided me for using the desktop version of SpeedTest - that I should use the web version - I was getting the same speeds from both solutions.

 

[Tech Junky]

Using either of those 2 won't make a difference in the results. Using something like the scripted version I'm using clearly makes a difference in the results though as you see.

Well, the main difference in how streaming is presenting packets is that it uses UDP instead of TCP but, the OVPN is TCP which would mask the traffic as such. WG / Nordlynx is UDP as well but, the encrypted packets should still flow faster than OVPN and not be touched by the ISP and slowed down. If VZ is throttling based on UDP traffic you would still see an impact on the speeds but, if it's not an issue then they're purely looking at the destination and marking the traffic and deprioritizing it.

 

[oharag]

Using either of those 2 won't make a difference in the results. Using something like the scripted version I'm using clearly makes a difference in the results though as you see.

Well, the main difference in how streaming is presenting packets is that it uses UDP instead of TCP but, the OVPN is TCP which would mask the traffic as such. WG / Nordlynx is UDP as well but, the encrypted packets should still flow faster than OVPN and not be touched by the ISP and slowed down. If VZ is throttling based on UDP traffic you would still see an impact on the speeds but, if it's not an issue then they're purely looking at the destination and marking the traffic and deprioritizing it.

So without VPN:
I get 250/2
Behind VPN:
I get 45/35

So this led me to look into other faster solutions. I guess I just angry about Verizon conduct. I pay for 300/300. I get 250/250 on all my devices (wifi and wired) - it's just my Xbox upload throttling issue. I now have gone down the rabbit hole and researching options. I also like the thought of being protected - where as before I was wide open.
Thanks for input.