T-Mobile's Netflix/YouTube Hotspot Throttling and Bypassing It with a VPN on OPNsense
My home internet started flapping. Frontier fiber—usually rock solid—began dropping intermittently, and I needed a failover solution fast. I already had T-Mobile's Essentials plan on my phone, so I set up my OPNsense router to use the T-Mobile hotspot as a secondary WAN. Problem solved, right?
Not quite.
The Failover Worked — But Something Was Off
With T-Mobile as my backup connection, most things worked fine. Browsing, streaming YouTube, general use—all acceptable. But something felt sluggish. I decided to run a speed test.
I pulled up fast.com and got a depressing 310 Kbps. YouTube on the TV couldn't hold anything above 480p without constant buffering. But I'm sitting less than 100 feet from a 5G tower. That can't be right.
So I ran the same test on Cloudflare's speed test (speed.cloudflare.com). The result? 300 Mbps.
Same phone. Same hotspot. Same moment in time. 300 Mbps vs 310 Kbps.
What's Actually Happening: Application-Level Throttling
This isn't a signal problem. T-Mobile is doing deep packet inspection (DPI) and throttling specific traffic types. fast.com is owned by Netflix—T-Mobile recognizes it and caps the throughput to simulate exactly what Netflix would get on an Essentials plan. Cloudflare's test uses generic HTTPS traffic that doesn't get flagged.
The Essentials plan includes “unlimited hotspot at 3G speeds”—which isn't actually 3G. Your phone stays connected to whatever 5G or LTE tower it's on. T-Mobile simply applies a software rate limit at the network level and calls it “3G speeds.” The tower connection is identical. The throttle lives in T-Mobile's core network and applies to everyone on Essentials regardless of signal strength.
Upload is unthrottled—both tests showed ~17 Mbps up. T-Mobile only squeezes download for video traffic.
So my 300 Mbps pipe was being intentionally knotted every time my TV tried to stream something.
The Fix: ProtonVPN via WireGuard on OPNsense
The solution is straightforward: if T-Mobile can't identify the traffic, they can't throttle it. A VPN encrypts everything into a single tunnel—T-Mobile just sees encrypted packets going to a VPN server IP. No way to tell if it's Netflix, YouTube, or anything else.
I already had a ProtonVPN subscription, and OPNsense has native WireGuard support. Here's the high-level setup:
- Generated a WireGuard config from account.protonvpn.com—selecting a US server, Router platform, and VPN Accelerator
- Created a WireGuard Instance in OPNsense (VPN → WireGuard → Instances) with the private key, tunnel address (10.2.0.2/32), and DNS from the config
- Added the Peer (VPN → WireGuard → Peers) with ProtonVPN's public key, endpoint IP, port 51820, and keepalive of 25 seconds
- Assigned the interface (Interfaces → Assignments → wg0) and enabled it
- Added a gateway (System → Gateways) pointing to 10.2.0.1 with Far Gateway enabled
- Added an outbound NAT rule (Firewall → NAT → Outbound, Hybrid mode) for the WireGuard interface
- Added a LAN firewall rule routing all traffic through ProtonVPN_GW, placed above the default rules
The Gotchas
VPN endpoint routing loop: The WireGuard endpoint IP needs a static route or firewall rule sending it directly out WAN—otherwise the VPN tunnel traffic tries to route through itself and kills the connection.
DNS rule ordering: My existing DNS redirect rule (forcing all port 53 traffic to OPNsense/Unbound) needed to sit above the ProtonVPN routing rule, otherwise DNS queries got swallowed by the VPN rule before hitting Unbound.
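The endpoint routing loop described above can be checked for before the config is imported. This is an added example, not part of the original setup: it flags peers whose endpoint address falls inside their own AllowedIPs, the case in which the endpoint needs its own path out WAN. The function names, placeholder keys, and the documentation address 203.0.113.10 are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample in the shape of a provider-generated WireGuard config.
# Keys are placeholders; the endpoint is a documentation address (RFC 5737).
SAMPLE_CONF = """\
[Interface]
PrivateKey = <private-key-placeholder>
Address = 10.2.0.2/32

[Peer]
PublicKey = <peer-public-key-placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""

def parse_wg_conf(text):
    """Return (section, {key: value}) pairs, keeping repeated [Peer] sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def endpoints_needing_wan_route(text):
    """List peer endpoint IPs that the peer's own AllowedIPs would cover."""
    looping = []
    for name, fields in parse_wg_conf(text):
        if name != "peer" or "endpoint" not in fields:
            continue
        host = fields["endpoint"].rsplit(":", 1)[0].strip("[]")
        try:
            endpoint = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname endpoint: resolve it first, then check the result
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in fields.get("allowedips", "").split(",") if n.strip()]
        if any(endpoint.version == n.version and endpoint in n for n in nets):
            looping.append(str(endpoint))
    return looping

if __name__ == "__main__":
    print(endpoints_needing_wan_route(SAMPLE_CONF))
```

Any address it returns is one to pin to the WAN gateway with a static route or firewall rule before the catch-all LAN rule takes effect.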
The Result
Fast.com now shows full speed. YouTube throttling is gone. T-Mobile sees nothing but an encrypted WireGuard tunnel—no application fingerprinting possible.
The latency stayed essentially the same since the ProtonVPN server is local to California and the underlying tower connection is already solid at 28ms unloaded.
For anyone on T-Mobile Essentials using a hotspot as primary or backup internet—this setup turns a throttled 300 Kbps pipe into a full 5G connection. The Essentials plan becomes a very different product with a VPN in front of it.
You Don't Need a Router for This
I went the OPNsense route because I wanted every device on my network to benefit automatically. But you don't need any of that. If you just want to unthrottle a single device—your laptop, your TV, your phone—just install a VPN app directly on it. ProtonVPN, Mullvad, Windscribe, whatever you prefer. Turn it on, and T-Mobile can't fingerprint your traffic anymore. Same result, zero router configuration.
Running OPNsense with WireGuard + ProtonVPN as part of a multi-WAN failover setup alongside Frontier fiber.