Unexplained outbound traffic

My VPN connection (Fsecure, which uses Openvpn.exe) shows a periodic unexplained 1-2GB upload of traffic in Glasswire to the VPN node. This traffic is not being recorded from another Windows 10 process. (For example, when Firefox accesses the internet for 10MB of data, 10MB is usually logged in Glasswire to Openvpn.)

I suspect either a Glasswire bug or a hidden Windows process that Glasswire is not capturing. I don’t think it’s malware but can’t 100% rule it out. Next troubleshooting steps?

Using Glasswire PRO 1.2.73, screenshot attached.

We have tested F-Secure Freedome VPN and we have not seen this ourselves, but we were not looking carefully at the graphs. It looks like your computer was idle during that time.

I found this thread on PIA where other users experienced a similar problem with Openvpn.exe https://www.privateinternetaccess.com/forum/discussion/6134/openvpn-in-pia-uploading-a-ton-of-data. Maybe it’s a bug with OpenVPN but it does seem strange.

Thanks - A Follow-up question on this - have you seen where processes (Windows or malware, or otherwise) would hide from Glasswire? I don’t really believe that openvpn is uploading that amount of data. I would likely see other evidence of this on my PC somewhere. Could Glasswire be recording local port traffic incorrectly?

Unfortunately it is so random that I haven’t been able to capture it in Wireshark.

However, I have experienced the same exact problem on 2 computers both running Windows 10, Glasswire, and Freedome.

@98274ccd
The API we use for traffic is reliable so I doubt we’re recording it incorrectly. A lot of our users use GlassWire to keep below certain ISP data levels so we work hard to show accurate data.
https://blog.glasswire.com/2016/06/15/glasswire-network-monitoring-accuracy/

With Windows malware can theoretically hide, so it’s possible. What host did it show your PC was communicating with? Did you type the IP into VirusTotal.com or do more lookups on it?

Yes, I checked that. OpenVPN.exe is ONLY communicating with legit Freedome nodes for this upload behavior that Glasswire records. (Not always the same one - 148.251.217.204, and freedome-us-gw.f-secure.akadns.net).
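An added example, not part of the original thread: one way to narrow down when the unexplained upload happens is to reconcile the tunnel process's bytes against everything other processes sent in the same interval, as the first post describes for Firefox. The CSV layout, column names, thresholds and sample values below are all constructed assumptions, not a GlassWire export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: per-minute upload bytes per process. The column names
# are assumptions for this example, not a real export format.
SAMPLE_CSV = """minute,process,bytes_sent
12:00,firefox.exe,10000000
12:00,openvpn.exe,10600000
12:01,svchost.exe,2000000
12:01,openvpn.exe,2150000
12:02,firefox.exe,500000
12:02,openvpn.exe,1500000000
12:03,openvpn.exe,40000
"""


def load(text):
    """Parse the CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def unexplained_tunnel_upload(rows, tunnel="openvpn.exe",
                              overhead_pct=10, min_gap=50_000_000):
    """Return (minute, tunnel_bytes, other_bytes, gap) for each interval where
    the tunnel process sent far more than all other processes combined.
    overhead_pct allows for VPN encapsulation and keepalives; min_gap drops
    small differences that are just noise."""
    tunnel_sent = defaultdict(int)
    others_sent = defaultdict(int)
    for row in rows:
        nbytes = int(row["bytes_sent"])
        if row["process"].lower() == tunnel:
            tunnel_sent[row["minute"]] += nbytes
        else:
            others_sent[row["minute"]] += nbytes
    findings = []
    for minute in sorted(tunnel_sent):
        # Integer arithmetic keeps the byte counts exact.
        expected = others_sent[minute] * (100 + overhead_pct) // 100
        gap = tunnel_sent[minute] - expected
        if gap > min_gap:
            findings.append((minute, tunnel_sent[minute], others_sent[minute], gap))
    return findings


if __name__ == "__main__":
    for minute, vpn, other, gap in unexplained_tunnel_upload(load(SAMPLE_CSV)):
        print(f"{minute}: tunnel {vpn} B, other processes {other} B, unexplained {gap} B")
```

A flagged interval is the window to line up against a packet capture on the tunnel adapter or against process and scheduled-task logs, since it marks traffic that entered the tunnel without being attributed to any monitored process.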