OpenVPN TCP over 443 won't load https websites - how to fix?


Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
dpw818
OpenVpn Newbie
Posts: 9
Joined: Thu Feb 25, 2016 4:46 pm

OpenVPN TCP over 443 won't load https websites - how to fix?

Post by dpw818 » Mon May 30, 2016 11:14 pm

Hi, I've identified the issue - that when connected to OpenVPN, and OpenVPN is configured to use TCP/443, I can't open any websites that are of that same port - that is, https:// , 443. All other websites (http://) open perfectly fine. I was hoping someone could help me find a solution for how to fix this.

Thanks!!

FalconTent
OpenVpn Newbie
Posts: 18
Joined: Fri Sep 12, 2014 3:29 pm

Re: OpenVPN TCP over 443 won't load https websites - how to fix?

Post by FalconTent » Tue May 31, 2016 12:27 pm

dpw818 wrote: how to fix this
Start by reading the Forum rules (above)

dpw818
OpenVpn Newbie
Posts: 9
Joined: Thu Feb 25, 2016 4:46 pm

Re: OpenVPN TCP over 443 won't load https websites - how to fix?

Post by dpw818 » Sat Jun 04, 2016 4:23 am

By way of background, all machines involved are Linux.

Hi, here is my OpenVPN server.conf.

Code: Select all

local 192.168.0.10
dev tun0
proto tcp
port 443
ca /etc/openvpn/easy-rsa/keys/thisisok.crt
cert /etc/openvpn/easy-rsa/keys/thisisok.crt
key /etc/openvpn/easy-rsa/keys/thisisok.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.30 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/thisisok.key 0
cipher AES-256-CBC
keysize 256
comp-lzo
user thisisok
group thisisok
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 6

Below is my firewall (which is what I have a feeling it is...):

Code: Select all

# Flush all current rules from iptables
iptables -F
#
#
# Set access for localhost - necessary for many programs
iptables -A INPUT -i lo -j ACCEPT
#
#
# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#
# Allow tcp port 443 and udp port 1194 (VPN)
#1194 is not active in server.conf, but leave open for fun
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#
#
# Allows VPN traffic to Forward
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
#
#
# Make an exception to 'iptables -P FORWARD DROP', allowing specifically 1194 or 443 connections to forward.  Note that 192.168.0.10 could come with a port, i.e., 192.168.0.10:22 (or even a range of ports), allowing the VPN client to forward (access) only one port on the outbound.  See http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
#iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to 192.168.0.10
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.0.10
#
#
# Allows proper routing of VPN subnet
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.10
#

# Set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
#
# Save settings
/sbin/service iptables save
#
#
# List rules, verbose
iptables -L -v

Thanks for any help!!
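
An added example, not part of the original post: in the firewall script above, the nat PREROUTING rule for TCP/443 has no `-i` or `-d` match, so it applies to every TCP/443 packet the server receives, including HTTPS connections arriving from VPN clients on tun0, and rewrites their destination to 192.168.0.10. The sketch below flags such unscoped rules in rule lines copied from the post; the `-i eth0` variant is an assumption that eth0 is the LAN-facing interface.

```shell
#!/bin/sh
# Added example (not from the thread): flag nat PREROUTING DNAT/REDIRECT rules
# that are not limited to an ingress interface (-i) or destination address (-d).
# Such a rule also rewrites traffic that VPN clients send through the tunnel.

# Rule lines copied from the firewall script in the post above.
POSTED='iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to 192.168.0.10
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.0.10
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'

# Hypothetical scoped variant (assumption: eth0 faces the LAN, as in the
# MASQUERADE rule). Packets arriving on tun0 no longer match it.
SCOPED='iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.0.10'

# Reads rule lines on stdin and prints the ones that are unscoped.
unscoped_dnat() {
    while IFS= read -r rule; do
        # Skip commented-out rules.
        case "$rule" in \#*) continue ;; esac
        # Only the nat table ...
        case " $rule " in *" -t nat "*) ;; *) continue ;; esac
        # ... and only the PREROUTING chain ...
        case " $rule " in *" -A PREROUTING "*) ;; *) continue ;; esac
        # ... and only targets that rewrite the destination.
        case " $rule " in *" -j DNAT "*|*" -j REDIRECT "*) ;; *) continue ;; esac
        # A rule with an interface or destination match is considered scoped.
        case " $rule " in
            *" -i "*|*" --in-interface "*|*" -d "*|*" --destination "*) continue ;;
        esac
        printf '%s\n' "$rule"
    done
}

echo "Unscoped rules in the posted script:"
printf '%s\n' "$POSTED" | unscoped_dnat
echo "Unscoped rules in the scoped variant:"
printf '%s\n' "$SCOPED" | unscoped_dnat
```
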

disqualified
OpenVPN User
Posts: 40
Joined: Fri Jun 03, 2016 7:13 pm

Re: OpenVPN TCP over 443 won't load https websites - how to fix?

Post by disqualified » Sat Jun 04, 2016 5:02 pm

OpenVPN requires only one iptables rule and then only if you cannot set up appropriate routing.

See this HOWTO:
HOWTO: Routing all client traffic (including web-traffic) through the VPN

dpw818
OpenVpn Newbie
Posts: 9
Joined: Thu Feb 25, 2016 4:46 pm

Re: OpenVPN TCP over 443 won't load https websites - how to fix?

Post by dpw818 » Sat Jun 04, 2016 5:41 pm

Thanks for the quick response. So to be clear, I can delete all my other iptables rules, including iptables -A INPUT -p tcp --dport 443 -j ACCEPT?

dpw818
OpenVpn Newbie
Posts: 9
Joined: Thu Feb 25, 2016 4:46 pm

Re: OpenVPN TCP over 443 won't load https websites - how to fix?

Post by dpw818 » Fri Jun 17, 2016 6:33 am

Hi, does anyone have any (non-trolling) ideas on how I could possibly solve this? Thanks a ton.

rajnunna
OpenVpn Newbie
Posts: 1
Joined: Wed Aug 29, 2018 3:47 pm

Re: OpenVPN TCP over 443 won't load https websites - how to fix?

Post by rajnunna » Wed Aug 29, 2018 3:48 pm

dpw818 wrote:
Fri Jun 17, 2016 6:33 am
Hi, does anyone have any (non-trolling) ideas on how I could possibly solve this? Thanks a ton.
I have the same issue. How did you resolve this?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN TCP over 443 won't load https websites - how to fix?

Post by TinCanTech » Wed Aug 29, 2018 5:00 pm

dpw818 wrote:
Mon May 30, 2016 11:14 pm
I've identified the issue - that when connected to OpenVPN, and OpenVPN is configured to use TCP/443, I can't open any websites that are of that same port - that is, https:// , 443. All other websites (http://) open perfectly fine
This is not true .. using port TCP:443 for your VPN has no effect on browsing the internet via your VPN.

Caveat: Encapsulating TCP packets within a TCP VPN packet does have problems ..

rajnunna wrote:
Wed Aug 29, 2018 3:48 pm
I have the same issue. How did you resolve this?
If you want a solution start here:
HOWTO: Request Help !

spartanjack
OpenVpn Newbie
Posts: 5
Joined: Tue Feb 21, 2023 2:15 pm

Re: OpenVPN TCP over 443 won't load https websites - how to fix?

Post by spartanjack » Sat Apr 22, 2023 11:47 am

Same issue. MacBook Pro.

Code: Select all

curl -v http://website
works but

Code: Select all

curl -v https://website
doesn't.

spartanjack
OpenVpn Newbie
Posts: 5
Joined: Tue Feb 21, 2023 2:15 pm

Re: OpenVPN TCP over 443 won't load https websites - how to fix?

Post by spartanjack » Mon Apr 24, 2023 2:15 pm

Some additional logs:

Code: Select all

jack@jacksmbp ~ % curl -vvv http://google.com
*   Trying 142.251.167.102:80...
* Connected to google.com (142.251.167.102) port 80 (#0)
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.87.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: http://www.google.com/
< Content-Type: text/html; charset=UTF-8
< Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-yQ1xhdWLnCxg7ytvSWsCbw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< Date: Mon, 24 Apr 2023 14:18:50 GMT
< Expires: Wed, 24 May 2023 14:18:50 GMT
< Cache-Control: public, max-age=2592000
< Server: gws
< Content-Length: 219
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< 
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host google.com left intact
jack@jacksmbp ~ % curl -vvv https://google.com
*   Trying 142.251.167.102:443...
* Connected to google.com (142.251.167.102) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Client hello (1):
At this point it just hangs for minutes. I don't bother letting it finish.

nehakakar
OpenVpn Newbie
Posts: 11
Joined: Tue Jul 11, 2023 1:29 pm

Re: OpenVPN TCP over 443 won't load https websites - how to fix?

Post by nehakakar » Thu Jul 20, 2023 12:00 pm

You can try using a web proxy for accessing HTTPS websites while connected to OpenVPN. This can help bypass port conflicts and access websites that use port 443. You can verify individual URLs on any online tool such as https://redirectchecker.com/ and compare output for better understanding.
