VPN and internet provider blocking - what to do?


oharag

Member
Feb 18, 2024
So I've had this idea to implement VPN on my Asus wireless router. I've dabbled with this before - but Asus is way too slow. I have Verizon Fios internet service. All told they seem to not throttle too much. I do believe they throttle my Xbox live since speeds are very low compared to using a browser. I have 300/300 -> desktop speeds - 256/200 -> Xbox testing shows 120/20. If I go behind a VPN my upload speeds will triple - showing to me that Fios does try to throttle gaming. I've been banned before from Bungie Destiny for low online speeds. Again - if I test behind a VPN my speeds go up.

I recently set up VPN on my Asus router - OpenVPN using server OVP file from ProtonVPN. I was downloading large quantities of data the past few weeks behind the VPN. All of the sudden - last two days - I will start up downloading - speeds will be high and then all of the sudden - zero. I can switch servers - same issue. I tried WireGuard setup as well - same thing. I posted on another website - and they stated that maybe my provider is blocking VPN.

My questions:
- How can my provider specifically target me when I'm behind a VPN server? If they can how to prevent this?

This is after purchasing a MS-01 and a switch to provide whole home Firewall/VPN. If Fios can shut down my connection (or slow it down) then the whole expenditure was moot. Is there a way to prevent this from happening? I have to believe that it's their rules, but I feel this is against the rights of the user to protect themselves from outside threats.

BTW I am a Noob - no experience with networking besides plugging in a router and setting up simple VPN.

EDIT: Oh forgot to say - If I run ProtonVPN App on my computer - I do not seem to be shutdown. Though obviously I would like whole house protection.

EDIT - EDIT Okay I take back that ProtonVPN SW on computer is working fine - I just now got the zero - stalled effect. Switch servers - and speeds go back up. Eventually everything freezes. Is this the I-P doing this?

ttabbal

Active Member
Mar 10, 2016
I find it difficult to believe they would block VPNs and it would work on your desktop fine. They don't really know which machine on your network is the source, though with v6 they might see it's on your subnet. They could mess with things based on the destination, but that would affect every machine. It's possible that the router box got overloaded. Those are pretty low power. It's also possible that the server side is having problems with sustained traffic.

I would say, keep running it on your desktop for now. Do some testing for a while and make sure the VPN service is reliable and fast enough. Don't assume it's the ISP unless they have some sort of policy about it. VPN is used for all sorts of things, so blocking it as a technology is a really bad idea and I've never heard of a US ISP doing it. I've never used Proton, but I haven't heard anything bad about them.

There are a lot of reasons speeds might be better on VPN. Most of them have nothing to do with ISP blocks. Internet routing is complex and coming from another source could make all the difference. You might well be hitting a different server or datacenter as well, so it could just be that your default server is overloaded.

Honestly, most traffic these days is encrypted end to end. I did an encrypted DNS link in part due to Comcast messing with DNS lookups. That might be worth trying just to see if your problem is related to that. nextdns.io has free tiers you can test with. But other than that, when I checked traffic flows, almost all of it was encrypted. A VPN can create a single point of failure and attack, so they aren't the end-all-be-all of security either. I played with this idea for a while, even set it up locally, but ended up disabling it. The VPN was causing all sorts of little issues like Netflix blocking and random stuff not working well.

oharag

Member
Feb 18, 2024
@ttabbal

Thanks for reply - I will read and digest.

Yeah I get blocked on websites as well - or in the case of Google get challenged for being a real human. I probably shouldn't be doing this - but I've been rejected for an application to CC because they sensed my IP location was not near where my home address was located. All-in-all a good policy. Like going to Vegas and using your CC without telling CC Co that you would be in Vegas. I agree the protections offered nowadays are so much better - 2FA - verification TMs/emails or calls - etc..

So I have no clue about the DNS stuff - and the impact on speeds/issues. As stated I'm a simple-minded IT punk.

As I typed it happened again (desktop) - I tried a NY server - tested with Speedtest - not so bad - started DLing - and doom zero. I mean I can't connect to anything. Turn off VPN and BOOM fast speeds again.

EDIT Oh and I turned off IPv6 since I heard it can leak somehow.

EDIT EDIT Any thoughts on OpenVPN vs WireGuard vs IKEv2 etc....?

I looked at my Asus router logs - it seems like there is a shutdown due to weak signal.

"disconnect weak signal strength station

Previous authentication no longer valid

Disassociated due to inactivity

Previous authentication no longer valid

Disassociated because sending station is leaving"

Something is up. I hope it's not IP provider. As stated this started happening 2-3 days ago. I hadn't experienced this in the past - then again I really never messed with VPN on Asus. I did a reboot yesterday. Still happening. Is the router dying?

I have Fios directly plugged into Asus - and then connected via 5 Mz backplane to a mesh router upstairs. My computer is then connected via ethernet. Speeds are really good without VPN (SW or HW) running.

ttabbal

Active Member
Mar 10, 2016
Signal strength? I mean... maybe for a wifi client, but it connects to the FIOS box with ethernet, doesn't it? Or do you mean a 5GHz wifi signal? It's possible that a wifi WAN link does indeed drop packets/signal. That could be caused by all sorts of things. Radio links are a pain. If your setup is like that, I would focus there first. Reliability tests that are not specifically about wifi should be done wired to limit possible problems. I would set your main router box next to the FIOS box with a short ethernet cable between them. Do your testing there, always wired. If that works, then you start looking at wifi. One option here is that new hardware you bought. Set that up on the FIOS with opnsense. Now you can set up gateway monitoring to watch the link. I would ping a well known address like 8.8.8.8 (Google DNS). That will monitor your outside connection and make sure it's working.

Then you can set up the VPN on it and monitor that gateway as well. Those aren't perfect monitoring, but it catches dropped packets and other issues. If I'm right and your issue is more on the wifi side, you will have solid connectivity from this box. If you frequently see issues with this wired setup, you need your ISP to fix their broken junk.

v6... Feel free to leave it off for now. I like it, but ISP support is horrible on it in the US. Comcast does ok, most everyone else is trash in my area.

WireGuard > OVPN > Everything else. IMO.

Multiple routers.... Please tell me at least the mesh box is set up as an AP... If they are all routing, you are likely on a triple NAT, which could also explain your problems. You say you are a noob, this is a common noob problem. Most of us have done it at least once. :)



Here is what I would do to diagnose and fix this network.

Unplug ALL wifi devices. Scan with your phone, laptop, etc. and verify no active wifi that is yours. You will probably pick up neighbors etc, ignore them for now.

Use the new machine, install opnsense. Once booted up, connect the FIOS box to it with ethernet and configure the WAN interface. DHCP will probably do fine. Some ISP boxes need more configuration though, so you might need to research that. We don't have FIOS in my area, so I don't know.

Once you get good pings and such on the opnsense box to the internet, set up the LAN side and make sure you have a wired computer on that to test with. Your client machine should get an address from opnsense and be able to hit the internet. There are a lot of good tutorials and videos out there for getting this far.

Do some download tests with and without the VPN client running over this new link. If this doesn't work, you need ISP help. If you want to be really sure, wire the test machine direct to the FIOS box and test there. If THAT doesn't work, something is wrong with the ISP side or the FIOS box. I guess it could be your computer you are testing with, but it seems unlikely. Maybe try with a live CD/USB boot in case your OS is having an issue. If it does, but your new opnsense doesn't, get that fixed. But really, opnsense is pretty basic to get this far.


So, now you have FIOS -> Opnsense -> LAN. You likely have just the one machine on LAN. Not the most useful network. From here, I would factory reset the Asus box. Connect a PC to its LAN port. DO NOT USE THE WAN PORT FOR ANYTHING. Log into the Asus web interface and set it for AP mode if it has one. Make sure you disable the DHCP server. Give it an address on the same subnet your opnsense LAN is on. So if you used 192.168.0.1/24 on opnsense, maybe set this to 192.168.0.2/24 with 192.168.0.1 as gateway. You could also let opnsense give it an address over DHCP if it supports that. Connect the Asus LAN port to the LAN port on the opnsense box. Now the Asus box should be able to hit internet. You can set up the wifi on here for clients. Now your wifi should have internet access. And still make sure nothing is plugged into the WAN port. You can use the other LAN ports as a switch if you like for wired connections.

Now might be a good time to leave it alone, take backups of the config, etc. and test for a while. Yes, the other mesh nodes are off still. You might also map the local wifi setups. See if you can find clear channels and set them. I have seen too many problems with auto-channel selection. I just manually set them to a clear channel. If you want to connect your mesh stuff, I would reset it as well. Also make sure it is set up as an AP. Again, no WAN port, or WAN backhaul over wifi, DHCP OFF. At this point, you are still in the LAN. It should pick up addresses from opnsense. And make sure to find clear channels for it as well.


I know... wall of text. :) It's not as hard as it looks from this, but taking it in little parts helps a lot in diagnosing problems.
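One way to turn the "ping the gateway, then ping 8.8.8.8, then ping through the tunnel" test above into something that records a stall instead of eyeballing it. This is an added example, not code from the thread or from OPNsense: the gateway addresses 192.0.2.1 and 10.8.0.1 are placeholders, and it assumes a system ping that accepts -c and prints icmp_seq (Linux/BSD/macOS), run from a wired machine with the VPN off for the first two targets and on for the third.

```python
import re
import subprocess

SEQ_RE = re.compile(r"icmp_seq[= ](\d+)")   # Linux prints '=', macOS ' ' on timeouts

# Hypothetical addresses, replace with your own. 8.8.8.8 is the probe suggested
# above; the other two are assumed OPNsense WAN and VPN tunnel gateways.
TARGETS = [
    ("wan_gateway", "192.0.2.1"),    # the ISP box, over the wired WAN port
    ("internet", "8.8.8.8"),         # through the ISP with the VPN disabled
    ("vpn_gateway", "10.8.0.1"),     # far end of the tunnel with the VPN enabled
]

def find_stalls(ping_lines, sent, min_gap=3, first_seq=1):
    """Return (replies, stalls): probes answered, and the (first, last) icmp_seq
    of every run of at least min_gap consecutive lost probes. macOS numbers
    sequences from 0, so pass first_seq=0 there."""
    got = {int(m.group(1)) for line in ping_lines
           if "time=" in line and (m := SEQ_RE.search(line))}
    stalls, run = [], []
    for seq in range(first_seq, first_seq + sent):
        if seq in got:
            if len(run) >= min_gap:
                stalls.append((run[0], run[-1]))
            run = []
        else:
            run.append(seq)
    if len(run) >= min_gap:                       # stall that lasted to the end
        stalls.append((run[0], run[-1]))
    return len(got), stalls

def probe(host, count=30):
    """Run the system ping (assumes the usual -c flag) and parse its output."""
    out = subprocess.run(["ping", "-c", str(count), host],
                         capture_output=True, text=True).stdout
    return find_stalls(out.splitlines(), count)

VERDICTS = {
    "wan_gateway": "wired link to the ISP box drops: cable, backhaul or router, not the VPN",
    "internet": "ISP path drops with the VPN off: ISP-side problem",
    "vpn_gateway": "only the tunnel stalls: VPN server/provider or router load",
}

def classify(results):
    """results: {name: (replies, stalls)}. The first hop outward from the ISP
    box that stalls is the one to fix; later hops inherit its losses."""
    for name, _ in TARGETS:
        if name in results:
            replies, stalls = results[name]
            if stalls or replies == 0:
                return name, VERDICTS[name]
    return None, "no stalls seen; run longer or repeat under download load"

if __name__ == "__main__":
    res = {name: probe(host) for name, host in TARGETS}
    for name, (replies, stalls) in res.items():
        print(f"{name:12} replies={replies} stalls={stalls}")
    print(classify(res))
```

Run it while a large download is in progress, since the thread's symptom only appears under sustained traffic; a clean 30-probe run on an idle link proves little.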

oharag

Member
Feb 18, 2024
Fios ethernet into Asus downstairs - then a 5Mhz backhaul connection to another Asus router upstairs. I then connect to this router via ethernet. It seems to work well. My speeds on my computer can be 300/225 with this config. It does slow down a bit if I use ProtonVPN SW but not by much. If I use Router VPN it's a significant drop (65/25). This is why I want to get a more robust firewall/VPN server to take the place of my Asus wireless mesh router - I will still use Asus as my wireless router - but not as my NAT.

@ttabbal
Could this be the issue (sorry I haven't read your lengthy post - I will)


Something about:

Symptoms
After you use a VPN connection to log on to a server that is running Routing and Remote Access, you may be unable to connect to the Internet.

Cause
This issue may occur if you configure the VPN connection to use the default gateway on the remote network. This setting overrides the default gateway settings that you specify in the Transmission Control Protocol/Internet Protocol (TCP/IP) settings.

Resolution
To resolve this issue, configure the client computers to use the default gateway setting on the local network for Internet traffic and a static route on the remote network for VPN-based traffic.

Though this just started happening 2-3 days ago. Why all of the sudden - if I disconnect from VPN - Boom fast speeds.

I have Asus WRT not MerlinWRT. I have XT8s.

If I get some reports from router I will share. Hopefully it's something easy to fix rather than IP doing the dirty work. Keep in mind the process (again 2-3 days ago). Start up VPN (SW or HW) go gang busters - then all of the sudden - zero. Switch servers - BOOM fast speeds and then Zero. Disconnect from VPN - BOOM fast speeds all the time.

Now on to reading your post fully :)

oharag

Member
Feb 18, 2024
"Multiple routers.... Please tell me at least the mesh box is set up as an AP... IF they are all routing, you are likely on a triple NAT, which could also explain your problems. You say you are a noob, this is a common noob problem. Most of us have done it at least once."

Again I have the Asus XT8. They are designed to have one as AP - and then using either wired or wireless backhaul connect to the secondary mesh router. It works beautifully. I never get double NAT issues - and speeds are great. My office is sort of second floor - 50 feet to the left of main - and maybe 2-3 walls.

I don't think it's backhaul - wifi connection. Without VPN - AWESOME! With VPN - it's a stinker. Again I want to stress - this has been going on for 2-3 days - the last 2 weeks flawless. I changed nothing on the router besides maybe UPnP/port forwarding to get my Qbit running better. As stated above VPN SW App was running fine (overnight) and then it also now exhibits the same issues as Router VPN.

oharag

Member
Feb 18, 2024
Yeah my new machine is backordered due to some STH peeps ordering 3 or more MS-01's :) I will reach out to you guys to help setup a robust firewall/VPN service on the MS-01 when I get it. Right now my Asus is my NAT/Firewall/VPN server. Yes it sucks but for internet it works well. I don't know if installing MerlinWRT would help at all. I don't think XT8 is supported.

I used to have a wifi connection nearby called -> FBI_Survalence_Van_1. I thought this was funny - but I did check outside my window.

oharag

Member
Feb 18, 2024
So I'm still struggling with this trying to understand my issue.

I switched from DNS 1.1.1.1 (Cloudflare) to 8.8.8.8 (Google). It seemed like things got worse. Could it be that 8.8.8.8 is blocking VPN traffic? Whenever I click on google search I get a warning that my VPN IP has been flagged for malicious activity - and I have to click "I am a human" to get to search. There was another website that recommended that I remove the DNS server from my computer - well that didn't work at all. I still can't figure out what is causing the eventual stopping of internet activity to zero using a VPN (router - OpenVPN or ProtonVPN or even computer VPN). This is frustrating. I definitely need more training. I hopefully will learn when my MS-01 eventually ships.

@ttabbal I get it's something to do with DNS but I don't know how to resolve this.

EDIT: Per this Google issue. Sometimes when I click on an Ad Link or type in a search term for a website (in this case Petmeds). I get this link: https://www.googleadservices.com/pagead/....

Safari can't find the Server - Failed to open page. This of course only happens when using the VPN.

ttabbal

Active Member
Mar 10, 2016
Haven't been on, real life. :)

The googleadservices link is frequently blocked by DNS adblock setups. I suspect Proton is trying to help you avoid tracking, which is why they block it. You can set up your own DNS if you prefer, or perhaps they have an option to not use their DNS when you connect to the VPN. This would likely require manual configuration. The default for those servers is usually to send all traffic and DNS to them. This is to prevent "leaks". Not seeing that page is very likely intentional from the VPN. Proton is known for being privacy focused, so it makes some sense. If you scroll down a little, you will see the normal search result for that site. Google injects ads into the search results page.

VPN IPs getting flagged is expected. Lots of people are sharing that IP, so chances are good someone has done something to trip the AI setups they use for abuse flags. Same with the captcha junk they make you do. Just a side effect of being on VPN.

When you are asking for help, it's bad form to respond with "well, I don't think that's it, so I'm going to ignore it." If you knew what it was, you wouldn't need help, right? Just saying. The things I suggested are to limit the things that can be broken. Then add one at a time to see where the problem is. It's basic troubleshooting, test one thing at a time so you know where the problem is. If you don't want to do it, cool, but I doubt anyone will be able to help without it.

For the new box being backordered, got an old desktop machine around? Anything in the last 20 years will likely be more than powerful enough outside of the little stuff like Raspberry Pis. Though the newer ones are alright. If you are using something like Opnsense, you can just load the backup on a new machine. Honestly though, at 300Mbps, the Asus box should be able to handle it. Any idea what the CPU use is like while it's running a download or something? It's not always easy to get, but if you're running custom FW, there might be a way.

I don't think the Microsoft link is related, it's specific to MS VPN server software, which I wouldn't think a commercial VPN would use. It's geared more to a corporate remote access setup.

I can tell you that Google DNS doesn't seem to block anything for me. Nor does Cloudflare. I've used both on VPN, though I use nextdns most of the time these days. Just because I like the setup options and I already have things set how I like them. I really don't think FIOS is either. People would be freaking out all over the net if a big telco started doing that.
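A way to check the point made above about the VPN's resolver filtering the googleadservices name, as an added example that is not from the thread or from any VPN vendor: it sends the same A query straight to several resolvers (1.1.1.1 and 8.8.8.8 are the ones named in the thread; 10.8.0.1 is an assumed tunnel-side VPN resolver) and reports whether each answers with a real address, NXDOMAIN, an empty answer, or a sinkhole address such as 0.0.0.0, which is how filtering resolvers usually block a name. It assumes Python 3.8+ and that UDP port 53 to each resolver is reachable from where you run it.

```python
import socket
import struct
SINKHOLES = {"0.0.0.0", "127.0.0.1"}          # addresses filtering resolvers hand back

def build_query(name, txid=0x1234):
    """Minimal DNS query: recursion desired, one question of type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data, off):
    while True:                                    # walk labels until root or pointer
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                       # 2-byte compression pointer
            return off + 2
        off += n + 1

def parse_answers(data, txid=0x1234):
    """Return (rcode, [IPv4 addresses]) from a raw DNS response."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                            # skip the echoed question
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:              # A record
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def verdict(rcode, addrs):
    """Describe the answer the way the symptom needs: real, absent, or blocked."""
    if rcode != 0:
        return "NXDOMAIN (name does not exist)" if rcode == 3 else f"error rcode {rcode}"
    if not addrs:
        return "no A records (empty answer, possibly filtered)"
    if set(addrs) <= SINKHOLES:
        return "sinkholed to " + ", ".join(addrs)
    return "resolves to " + ", ".join(addrs)

def lookup(name, resolver, timeout=3.0):
    """Ask one resolver directly over UDP, bypassing the OS stub resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return verdict(*parse_answers(data))

if __name__ == "__main__":
    # 10.8.0.1 is an assumed tunnel-side VPN resolver; the public two are from the thread
    for resolver in ("1.1.1.1", "8.8.8.8", "10.8.0.1"):
        try:
            print(resolver, "->", lookup("www.googleadservices.com", resolver))
        except (OSError, ValueError) as exc:       # socket.timeout is an OSError
            print(resolver, "-> failed:", exc)
```

If the public resolvers return real addresses and only the tunnel-side one returns NXDOMAIN or a sinkhole, the blocking is the VPN's DNS filter, not the ISP.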