Pihole - openvpn - HTTPS response ERR_TIMED_OUT via mobile network

Actual issue:

With OpenVPN + Pi-hole on mobile (LTE | 4G | 3G), I cannot connect to websites over HTTPS with any web browser (Firefox, Chrome).
When I switch to Wi-Fi, it WORKS.

  • OS:

Debian 9 on VPS cloud

  • This is my OpenVPN connection while I'm on my mobile network.
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:21059, sid=6e149cac 8a85d956
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 VERIFY OK: depth=1, CN=ChangeMe
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 VERIFY OK: depth=0, CN=nokia81
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 peer info: IV_GUI_VER=OC30Android
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 peer info: IV_VER=3.2
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 peer info: IV_PLAT=android
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 peer info: IV_NCP=2
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 peer info: IV_TCPNL=1
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 peer info: IV_PROTO=2
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 peer info: IV_AUTO_SESS=1
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 [nokia81] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:21059
Apr 19 10:07:51 pivpn ovpn-server[2514]: nokia81/xx.xx.xx.xx:21059 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Apr 19 10:07:51 pivpn ovpn-server[2514]: nokia81/xx.xx.xx.xx:21059 MULTI: Learn: 10.8.0.2 -> nokia81/xx.xx.xx.xx:21059
Apr 19 10:07:51 pivpn ovpn-server[2514]: nokia81/xx.xx.xx.xx:21059 MULTI: primary virtual IP for nokia81/xx.xx.xx.xx:21059: 10.8.0.2
Apr 19 10:07:51 pivpn ovpn-server[2514]: nokia81/xx.xx.xx.xx:21059 PUSH: Received control message: 'PUSH_REQUEST'
Apr 19 10:07:51 pivpn ovpn-server[2514]: nokia81/xx.xx.xx.xx:21059 SENT CONTROL [nokia81]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Apr 19 10:07:51 pivpn ovpn-server[2514]: nokia81/xx.xx.xx.xx:21059 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 19 10:07:51 pivpn ovpn-server[2514]: nokia81/xx.xx.xx.xx:21059 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

I can see the DNS requests on my Pi-hole:

10:15:15.316203 IP 10.8.0.2.34478 > 10.8.0.1.53: 62715+ A? github.com. (28)
10:15:15.316675 IP pihole-pub-ip.34052 > 8.8.4.4.53: 54504+ A? github.com. (28)
10:15:15.338065 IP 8.8.4.4.53 > pihole-pub-ip.34052: 54504 2/0/0 A 140.82.118.3, A 140.82.118.4 (60)
10:15:15.338425 IP 10.8.0.1.53 > 10.8.0.2.34478: 62715 2/0/0 A 140.82.118.3, A 140.82.118.4 (60)

The web browser returned ERR_TIMED_OUT

  • Configuration files

Openvpn: server.conf

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
mode server
tls-server
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

  • Pihole:

dnsmasq.d/01-pihole.conf

addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/black.list
addn-hosts=/etc/pihole/local.list
localise-queries
no-resolv
cache-size=10000
log-queries
log-facility=/var/log/pihole.log
local-ttl=2
log-async
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
server=8.8.8.8
server=8.8.4.4
interface=tun0

  • FW iptables
*nat
:PREROUTING ACCEPT [20881:1017729]
:INPUT ACCEPT [1955:130752]
:OUTPUT ACCEPT [1508:93789]
:POSTROUTING ACCEPT [1510:93869]
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source pihole-pub-ip
COMMIT

*filter
:INPUT DROP [1355:75838]
:FORWARD ACCEPT [111836:81338347]
:OUTPUT ACCEPT [107336:56530422]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 811 -j ACCEPT # personal 
-A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
COMMIT

Debug Token:

5gdkjc593x!

Thanks for your help.

  • update:
    I can ping the gateway 10.8.0.1 from my mobile.
    I can run the dig command to get the DNS IP for a website from my mobile.
    Only HTTP requests from the browser get ERR_TIMED_OUT.

It seems like it's only HTTPS requests that time out.

I installed Termux on Android.
I ran curl -IL www.free.fr.
I saw the timeout on HTTPS requests.

OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.free.fr:443
closing connection 0

Confirmed:
I can access HTTP websites with Pi-hole + OpenVPN through the mobile network, but not HTTPS websites.

The thing that makes me crazy :disappointed:
How is this?
Wifi + pihole + openvpn -> ( http + https ) OK
Mobile network + pihole + openvpn -> ( http -> OK / HTTPS -> NOK )
:roll_eyes:

I'd really appreciate it if someone has a clue about this.

thanks for your help.

Your IPTABLES are blocking HTTPS requests ...

1 Like

Hello,

Those rules were in the installation instructions, and weirdly, on Wi-Fi those rules didn't prevent any HTTPS connection.
So I removed them anyway:

*nat
:PREROUTING ACCEPT [52243:4094148]
:INPUT ACCEPT [11155:743693]
:OUTPUT ACCEPT [7412:466949]
:POSTROUTING ACCEPT [7430:467625]
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 116.203.59.232
COMMIT
# Completed on Sat Apr 20 01:01:10 2019
# Generated by iptables-save v1.6.0 on Sat Apr 20 01:01:10 2019
*filter
:INPUT DROP [18:880]
:FORWARD ACCEPT [2:100]
:OUTPUT ACCEPT [178:25043]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 811 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 10.8.0.0/24 -d 10.8.0.1/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT

And the test on the mobile network:

Same issue. :frowning:
ERR_TIMED_OUT on Firefox or Chrome.

thanks for helping me.
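
A point worth checking against the two dumps above: INPUT rules only apply to packets addressed to the VPS itself, while a VPN client's HTTPS traffic to an internet host is routed and evaluated in FORWARD, whose policy here is ACCEPT. The following is an added example, not code from the thread: a small Python model of the posted filter table that picks the chain for a packet and walks the rules in order. The packet fields, the LOCAL_ADDRS set and the trimmed rule list are assumptions.

```python
import re

# Filter-table policies and the port-relevant rules copied from the thread's
# first iptables dump; conntrack state is approximated by a per-packet field.
IPTABLES_FILTER = """
:INPUT DROP
:FORWARD ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
"""

# Assumed addresses owned by the VPS; "pihole-pub-ip" is the placeholder the
# original poster used for the public address.
LOCAL_ADDRS = {"10.8.0.1", "pihole-pub-ip", "127.0.0.1"}


def parse(dump):
    """Split an iptables-save style dump into chain policies and rule dicts."""
    policies, rules = {}, {}
    for line in dump.strip().splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
            continue
        chain = re.search(r"-A (\S+)", line).group(1)
        opts = dict(re.findall(r"(-i|-p|--dport|--ctstate|-j) (\S+)", line))
        rules.setdefault(chain, []).append(opts)
    return policies, rules


def matches(rule, pkt):
    """True when every match option present in the rule fits the packet."""
    if "-i" in rule and rule["-i"] != pkt["iface"]:
        return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    if "--ctstate" in rule and pkt["state"] not in rule["--ctstate"].split(","):
        return False
    return True


def verdict(dump, pkt):
    """Return (chain, target) for a packet arriving at the VPS."""
    policies, rules = parse(dump)
    # Packets addressed to the host go to INPUT; everything else is routed
    # and evaluated in FORWARD, so INPUT rules never see client web traffic.
    chain = "INPUT" if pkt["dst"] in LOCAL_ADDRS else "FORWARD"
    for rule in rules.get(chain, []):
        if matches(rule, pkt):
            return chain, rule["-j"]
    return chain, policies[chain]
```

Running it on a client's TLS connection to 140.82.118.3:443 (the github.com address from the tcpdump above) yields ("FORWARD", "ACCEPT"), while the same packet aimed at 10.8.0.1 itself hits the 443 REJECT.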

Not too sure what's going on over there or what instructions you followed, but those are a lot more IPTABLES rules than needed, and it seems like an overall complicated setup.

In order to get Pi-hole and OpenVPN running properly, use the official guide available here:

https://docs.pi-hole.net/guides/vpn/installation/

I run it like this on 4 nodes, and I have no problems with any sites, regardless of connection type.

1 Like

It was that link I followed.
Let me rebuild from scratch; perhaps I missed something.

Thanks, I'll let you know.

OpenVPN requires only 3 entries for IPTABLES and those are automatically set by the OpenVPN RoadWarrior install script:

        iptables -I INPUT -p udp --dport $PORT -j ACCEPT
        iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
        iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

You can use this also for your installation of OpenVPN:

Thanks,

I'll start from scratch with this OpenVPN script first, then I'll add Pi-hole. I'll let you know.

I tried on my iPhone and it works.
I tried on my Nokia 8.1 and it fails on HTTPS.
So I suspect the OpenVPN client version on Android (I suppose).

Thanks for all.
