Actual issue:
On OpenVPN + Pi-hole on mobile (LTE | 4G | 3G), I cannot connect to any website over HTTPS with any web browser (Firefox, Chrome).
When I switch to Wi-Fi, it WORKS.
- OS:
Debian 9 on VPS cloud
- This is my OpenVPN connection while I'm on my mobile network:
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:21059, sid=6e149cac 8a85d956
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 VERIFY OK: depth=1, CN=ChangeMe
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 VERIFY OK: depth=0, CN=nokia81
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 peer info: IV_GUI_VER=OC30Android
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 peer info: IV_VER=3.2
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 peer info: IV_PLAT=android
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 peer info: IV_NCP=2
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 peer info: IV_TCPNL=1
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 peer info: IV_PROTO=2
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 peer info: IV_AUTO_SESS=1
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 19 10:07:51 pivpn ovpn-server[2514]: xx.xx.xx.xx:21059 [nokia81] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:21059
Apr 19 10:07:51 pivpn ovpn-server[2514]: nokia81/xx.xx.xx.xx:21059 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Apr 19 10:07:51 pivpn ovpn-server[2514]: nokia81/xx.xx.xx.xx:21059 MULTI: Learn: 10.8.0.2 -> nokia81/xx.xx.xx.xx:21059
Apr 19 10:07:51 pivpn ovpn-server[2514]: nokia81/xx.xx.xx.xx:21059 MULTI: primary virtual IP for nokia81/xx.xx.xx.xx:21059: 10.8.0.2
Apr 19 10:07:51 pivpn ovpn-server[2514]: nokia81/xx.xx.xx.xx:21059 PUSH: Received control message: 'PUSH_REQUEST'
Apr 19 10:07:51 pivpn ovpn-server[2514]: nokia81/xx.xx.xx.xx:21059 SENT CONTROL [nokia81]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Apr 19 10:07:51 pivpn ovpn-server[2514]: nokia81/xx.xx.xx.xx:21059 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 19 10:07:51 pivpn ovpn-server[2514]: nokia81/xx.xx.xx.xx:21059 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
I can see the DNS requests on my Pi-hole:
10:15:15.316203 IP 10.8.0.2.34478 > 10.8.0.1.53: 62715+ A? github.com. (28)
10:15:15.316675 IP pihole-pub-ip.34052 > 8.8.4.4.53: 54504+ A? github.com. (28)
10:15:15.338065 IP 8.8.4.4.53 > pihole-pub-ip.34052: 54504 2/0/0 A 140.82.118.3, A 140.82.118.4 (60)
10:15:15.338425 IP 10.8.0.1.53 > 10.8.0.2.34478: 62715 2/0/0 A 140.82.118.3, A 140.82.118.4 (60)
The web browser returned ERR_TIMED_OUT.
- Configuration files
OpenVPN: server.conf
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
mode server
tls-server
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
- Pihole:
dnsmasq.d/01-pihole.conf
addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/black.list
addn-hosts=/etc/pihole/local.list
localise-queries
no-resolv
cache-size=10000
log-queries
log-facility=/var/log/pihole.log
local-ttl=2
log-async
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
server=8.8.8.8
server=8.8.4.4
interface=tun0
- Firewall (iptables)
*nat
:PREROUTING ACCEPT [20881:1017729]
:INPUT ACCEPT [1955:130752]
:OUTPUT ACCEPT [1508:93789]
:POSTROUTING ACCEPT [1510:93869]
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source pihole-pub-ip
COMMIT
*filter
:INPUT DROP [1355:75838]
:FORWARD ACCEPT [111836:81338347]
:OUTPUT ACCEPT [107336:56530422]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 811 -j ACCEPT # personal
-A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
COMMIT
Debug Token:
5gdkjc593x!
Thanks for your help.
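Added check, not part of the original post: a small script that parses an iptables-save dump like the one above (ruleset reconstructed from the post with counters dropped and pihole-pub-ip kept as the placeholder) and reports whether the pieces a full-tunnel OpenVPN client depends on are present: DNS from tun0 to the Pi-hole, the OpenVPN port, NAT for the VPN subnet, forwarding, and TCP MSS clamping, which the posted ruleset does not contain.

```python
"""Check an iptables-save dump for the rules a full-tunnel OpenVPN + Pi-hole host needs."""

# Constructed from the ruleset in the post; counters zeroed, SNAT target left as placeholder.
RULESET = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source pihole-pub-ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
"""


def parse(dump):
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [rule line, ...]}}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):                      # table header, e.g. *filter
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":") and table is not None:   # chain policy line
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
            table["rules"].setdefault(chain, [])
        elif line.startswith("-A") and table is not None:  # append rule
            table["rules"].setdefault(line.split()[1], []).append(line)
    return tables


def has_rule(tables, table, chain, *fragments):
    """True if some rule in table/chain contains every given fragment."""
    rules = tables.get(table, {}).get("rules", {}).get(chain, [])
    return any(all(f in rule for f in fragments) for rule in rules)


def vpn_checks(dump, vpn_net="10.8.0.0/24", vpn_if="tun0"):
    """Map each requirement for a redirect-gateway VPN client to whether the dump satisfies it."""
    t = parse(dump)
    fwd_policy = t.get("filter", {}).get("policy", {}).get("FORWARD")
    return {
        "vpn_dns_udp_allowed": has_rule(t, "filter", "INPUT", f"-i {vpn_if}", "-p udp", "--dport 53 "),
        "openvpn_udp_allowed": has_rule(t, "filter", "INPUT", "-p udp", "--dport 1194 "),
        "vpn_nat_present": any(has_rule(t, "nat", "POSTROUTING", f"-s {vpn_net}", f"-j {j}")
                               for j in ("SNAT", "MASQUERADE")),
        "forward_allowed": fwd_policy == "ACCEPT"
                           or has_rule(t, "filter", "FORWARD", f"-i {vpn_if}", "-j ACCEPT"),
        # Clamping MSS on forwarded SYNs is the usual way to cope with a small path MTU.
        "mss_clamp_present": any(has_rule(t, tbl, "FORWARD", "-j TCPMSS") for tbl in ("filter", "mangle")),
    }
```

Running `vpn_checks(RULESET)` reports every item as present except `mss_clamp_present`, which is worth comparing against the MTU the mobile link actually offers.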