Using OpenVPN and pfSense to circumvent ISP throttling

Sometimes you end up moving to a place where the only ISP options available are complete and total trash cough-CenturyLink-cough, so here’s a workaround that proxies only the likely-to-be-throttled traffic (HTTP and HTTPS) while leaving all other traffic untouched (e.g., ping times for games stay low, and any external services you have NAT’d will still work correctly).

This project uses:

Set up the droplet

DigitalOcean has a very thorough guide on setting up OpenVPN; it should be plenty to get you started.

Set up pfSense

You’ll need to configure pfSense’s OpenVPN client to connect to the droplet and route traffic over that tunnel.

Add the certificates

  1. Open pfSense’s Cert. Manager page under the System drop-down
  2. Create the CA
    • Click the Add button
    • Name the CA “OpenVPN” (or whatever you want to call it, I’m not here to tell you how to live your life)
    • Set Method to “Import an existing Certificate Authority” (It should default to this)
    • Paste the content of the ca.crt you created by following DigitalOcean’s guide
    • Certificate Private Key and Serial for next certificate should both be left blank
    [CA screenshot]
  3. Add the OpenVPN client certificate and key
    • Click the Certificates header button at the top of the page after importing the CA
    • Click the Add button
    • Leave Method as “Import an existing Certificate”
    • Name the certificate “OpenVPN” (Or don’t; it’s your party, you do what you want to)
    • Paste the content of client.crt created in DigitalOcean docs into Certificate data
    • Paste the content of client.key created in DigitalOcean docs in Private key data
    [Cert screenshot]

Set up OpenVPN client

  1. Click OpenVPN under the VPN dropdown at the top of the page
  2. Click the Clients tab and click Add
    • Most settings can be left at defaults
    • Put the IP of your Droplet in Server host or address
    • Paste the content of ta.key in Key field after checking TLS authentication
    • Change the Peer Certificate Authority and Client Certificate to the CA and cert created earlier.
    • Change Auth digest algorithm to “SHA256”
    • Under Custom options, paste persist-key;persist-tun;
    [OpenVPN screenshot]

Start OpenVPN

  1. Click OpenVPN underneath the Status button at the top of the page
  2. Click the Start button at the right of the page for the client created above

Create the OpenVPN interface

  1. Click (assign) underneath the Interfaces dropdown at the top of the page
  2. Change the dropdown near the bottom of the page to the OpenVPN client created above and click Add

Configure Gateway

  1. Click Routing under the System dropdown at the top of the page
  2. Click Add to create a new Gateway
  3. Change Interface to the interface created above
  4. Check Disable Gateway Monitoring
    [Gateway screenshot]

Configure NAT

Outbound NAT needs to be configured on the VPN interface so that LAN traffic sent over the tunnel leaves with the tunnel’s address rather than its private LAN source address (otherwise replies never make it back).

  1. Click NAT under the Firewall dropdown at the top of the page
  2. Click the Outbound tab and click Add
  3. Change Interface to the interface created above
    [NAT screenshot]

Create firewall rules

  1. Click Rules under the Firewall dropdown at the top of the page
  2. Click the LAN tab and click the Add button with the upward-facing arrow
  3. Change Protocol to TCP/UDP
  4. Change Destination Port Range to HTTPS
  5. Click Display Advanced under Advanced Options
  6. Change Gateway to the gateway created above and click Save
    [Rule screenshot]
  7. Repeat Steps 1 through 6, swapping HTTP for the Destination Port Range
  8. Apply the changes so the two new rules take effect

Verify it works

Search Google for “what’s my IP” and you should get back the IP of your droplet!
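A slightly more thorough check than the browser search, run from a machine on the LAN, confirms both halves of the setup: HTTPS should egress through the droplet, while traffic the rules don’t match (here a plain UDP/53 DNS lookup) should still egress through the ISP. This is an added example, not part of the original post or of pfSense; it assumes curl and dig are installed, that ifconfig.me and OpenDNS’s myip.opendns.com echo the caller’s public address, and it takes the droplet’s public IP as its one argument. The IPs in the comments are constructed documentation addresses, not real ones.

```shell
#!/bin/sh
# Added example (not from the original post): verify that only HTTP/HTTPS
# egresses via the OpenVPN droplet while other traffic still uses the ISP.
# Assumes: curl + dig installed; ifconfig.me and myip.opendns.com are reachable.
# Usage: sh verify_split.sh <droplet-public-ip>

# Pure comparison, kept separate from the network calls so it can be checked
# with constructed values.
#   $1 = public IP observed over HTTPS (policy-routed through the tunnel)
#   $2 = public IP observed over UDP/53 (not matched by the 80/443 rules)
#   $3 = the droplet's public IP
# Returns 0 when the split is correct, 1 when HTTPS is not going via the
# droplet, 2 when non-HTTP traffic is also going via the droplet.
verify_split() {
    https_ip=$1
    dns_ip=$2
    droplet_ip=$3
    if [ "$https_ip" != "$droplet_ip" ]; then
        echo "FAIL: HTTPS egress is $https_ip, expected droplet $droplet_ip" \
             "(LAN rule gateway or outbound NAT not applied?)"
        return 1
    fi
    if [ "$dns_ip" = "$droplet_ip" ]; then
        echo "FAIL: UDP/53 also egresses via the droplet;" \
             "the policy-routing rules match more than ports 80/443"
        return 2
    fi
    echo "OK: HTTPS via droplet ($https_ip), other traffic via ISP ($dns_ip)"
    return 0
}

# Live lookups. The HTTPS one goes out through the pfSense LAN rule on port
# 443; the DNS one is a UDP/53 query, which the rules above do not match.
lookup_https() { curl -4 -s --max-time 10 https://ifconfig.me; }
lookup_dns()   { dig +short -4 myip.opendns.com @resolver1.opendns.com; }

# Only hit the network when a droplet IP was given on the command line,
# e.g. "sh verify_split.sh 203.0.113.10" (203.0.113.10 is a constructed example).
if [ -n "$1" ]; then
    verify_split "$(lookup_https)" "$(lookup_dns)" "$1"
fi
```

If the first check fails, the usual culprits are the LAN rule being placed below the default allow rule (pfSense evaluates top to bottom, hence the “Add with upward-facing arrow” step) or the outbound NAT entry missing; if the second check fails, look for a rule or gateway default that is sending everything through the tunnel instead of just 80/443.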

Caveats

Unfortunately, Netflix has opted to block the IP ranges of nearly all VPS providers in order to stop users from accessing content that’s unavailable in their country or region. I’ll be adding another post later on how to use pfBlockerNG that will go over how to create automatically updated lists that you can use in firewall rules to bypass using the proxy.
