Dietpi-VPN blocking 443

I am stumped. I changed ISP. Now while my dietpi-vpn connects it fails to curl on 443 but when the VPN is disconnected no problem?

I tried Nordvpn and PIA.

Any suggestions?

You mean to access the system from your local network on https/443?

I mean in my banner I get: curl: (28) Failed to connect to dietpi.com port 443: Connection timed out

And no packets are transferred.

Are you sure your VPN is connected correctly if no packages are transferred while VPN is activated? Might your ISP block VPN connections?

So I can connect to the VPN via the NordVpn app on my PC. This is in my banner at boot:
VPN status : Connected - Sent = 0 MiB | Received = 0 MiB

  • Freespace (userdata) : 22G

curl: (28) Failed to connect to dietpi.com port 443: Connection timed out

In truth, my friend, I am not sure of anything and am sure I am doing something dumb.

Oh, I am on CenturyLink and do not see anything online about limitations.

I don’t know what CenturyLink is but does it mean there is a limitation by your ISP on using a VPN?

My ISP is CenturyLink and all searches say VPN no issue and again I can login to my VPN via my PC.

Once the VPN is connected, are you able to ping any IP address on the internet like ping 8.8.8.8 or ping google.com?

No, does not seem to be connected. I put my pi in the DMZ on my router just to test too…

Really appreciate the consultation.

Has your local network IP address range been changed while changing the ISP? Maybe there are some old iptables rules not fitting the new setup?

Nope. So everything works without the VPN. VPN works on my PC. Going to chat with NordVPN. Let you know what I find.

Ok so I worked with Nordvpn and if I run this:

openvpn /etc/openvpn/nordvpn/ovpn_udp/ch299.nordvpn.com.udp.ovpn

I connect but when I run dietpi-vpn with the same credentials it fails with:

[  OK  ] DietPi-VPN | chmod +x /var/lib/dietpi/dietpi-vpn/static_up.sh /var/lib/dietpi/dietpi-vpn/static_down.sh
[  OK  ] DietPi-VPN | umask 0077
[ INFO ] DietPi-VPN | Generating OVPN file, please wait...
[  OK  ] DietPi-VPN | cp -f /etc/openvpn/nordvpn/ovpn_udp/ch299.nordvpn.com.udp.ovpn /etc/openvpn/client.ovpn
[  OK  ] DietPi-VPN | umask 0022
[  OK  ] DietPi-VPN | chmod 0600 /var/lib/dietpi/dietpi-vpn/settings_ovpn.conf /var/lib/dietpi/dietpi-vpn/settings_dietpi.conf /etc/openvpn/client.ovpn
[  OK  ] DietPi-VPN | chown root:root /var/lib/dietpi/dietpi-vpn/settings_ovpn.conf /var/lib/dietpi/dietpi-vpn/settings_dietpi.conf /etc/openvpn/client.ovpn
[  OK  ] DietPi-VPN | Setting in /etc/openvpn/client.ovpn adjusted: auth-user-pass /var/lib/dietpi/dietpi-vpn/settings_ovpn.conf
[  OK  ] DietPi-VPN | Added setting script-security 2 to /etc/openvpn/client.ovpn after line auth SHA512
[  OK  ] DietPi-VPN | Added setting up /var/lib/dietpi/dietpi-vpn/static_up.sh to /etc/openvpn/client.ovpn after line script-security 2
[  OK  ] DietPi-VPN | Added setting down /var/lib/dietpi/dietpi-vpn/static_down.sh to /etc/openvpn/client.ovpn after line up /var/lib/dietpi/dietpi-vpn/static_up.sh
[  OK  ] DietPi-VPN | sed -i /^[[:blank:]]*route-up[[:blank:]]/d /etc/openvpn/client.ovpn
[  OK  ] DietPi-VPN | sed -i /^[[:blank:]]*route-pre-down[[:blank:]]/d /etc/openvpn/client.ovpn
[ INFO ] DietPi-VPN | Checking for required APT packages: openvpn
[  OK  ] DietPi-VPN | systemctl restart dietpi-vpn
[FAILED] DietPi-VPN | Connection failed/timeout: ch299.nordvpn.com.udp.ovpn
[  OK  ] DietPi-VPN | systemctl stop dietpi-vpn

Mysterious. Could you try the manual openvpn command again with /etc/openvpn/client.ovpn? We store the credentials in a dedicated file, as can be seen in the log. But it is also strange that the VPN status was shown as connected before, even though the service fails now.

I’ll try it with our NordVPN account, possibly something changed in their configs.

Do you mean run:

openvpn /etc/openvpn/client.ovpn?

I get:

root@SkidsBrain:~# openvpn /etc/openvpn/client.ovpn?
Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/client.ovpn?

So there seems to be something wrong in the config indeed. I’ll have a look when I’m back home.

Just a stupid idea but could you try to reset dietpi-vpn settings and create a new configuration?

I have tried that multiple times. Even switched to PIA and got similar results.

The command is
openvpn /etc/openvpn/client.ovpn
without the question mark at the end.

2022-06-07 06:57:11 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-06-07 06:57:11 OpenVPN 2.5.1 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2022-06-07 06:57:11 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2022-06-07 06:57:11 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2022-06-07 06:57:11 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-06-07 06:57:11 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-06-07 06:57:11 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-06-07 06:57:11 TCP/UDP: Preserving recently used remote address: [AF_INET]37.120.213.107:1194
2022-06-07 06:57:11 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-06-07 06:57:11 UDP link local: (not bound)
2022-06-07 06:57:11 UDP link remote: [AF_INET]37.120.213.107:1194
2022-06-07 06:57:11 TLS: Initial packet from [AF_INET]37.120.213.107:1194, sid=50d15665 65aeb448
2022-06-07 06:57:11 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2022-06-07 06:57:11 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA7
2022-06-07 06:57:11 VERIFY KU OK
2022-06-07 06:57:11 Validating certificate extended key usage
2022-06-07 06:57:11 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-06-07 06:57:11 VERIFY EKU OK
2022-06-07 06:57:11 VERIFY OK: depth=0, CN=ch299.nordvpn.com
2022-06-07 06:57:11 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
2022-06-07 06:57:11 [ch299.nordvpn.com] Peer Connection Initiated with [AF_INET]37.120.213.107:1194
2022-06-07 06:57:12 SENT CONTROL [ch299.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2022-06-07 06:57:13 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.2.10 255.255.255.0,peer-id 7,cipher AES-256-GCM'
2022-06-07 06:57:13 OPTIONS IMPORT: timers and/or timeouts modified
2022-06-07 06:57:13 OPTIONS IMPORT: explicit notify parm(s) modified
2022-06-07 06:57:13 OPTIONS IMPORT: compression parms modified
2022-06-07 06:57:13 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2022-06-07 06:57:13 Socket Buffers: R=[212992->425984] S=[212992->425984]
2022-06-07 06:57:13 OPTIONS IMPORT: --ifconfig/up options modified
2022-06-07 06:57:13 OPTIONS IMPORT: route options modified
2022-06-07 06:57:13 OPTIONS IMPORT: route-related options modified
2022-06-07 06:57:13 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-06-07 06:57:13 OPTIONS IMPORT: peer-id set
2022-06-07 06:57:13 OPTIONS IMPORT: adjusting link_mtu to 1657
2022-06-07 06:57:13 OPTIONS IMPORT: data channel crypto options modified
2022-06-07 06:57:13 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-06-07 06:57:13 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-06-07 06:57:13 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-06-07 06:57:13 net_route_v4_best_gw query: dst 0.0.0.0
2022-06-07 06:57:13 net_route_v4_best_gw result: via 192.168.2.1 dev eth0
2022-06-07 06:57:13 ROUTE_GATEWAY 192.168.2.1/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:08:7f:d5
2022-06-07 06:57:13 TUN/TAP device tun0 opened
2022-06-07 06:57:13 net_iface_mtu_set: mtu 1500 for tun0
2022-06-07 06:57:13 net_iface_up: set tun0 up
2022-06-07 06:57:13 net_addr_v4_add: 10.8.2.10/24 dev tun0
2022-06-07 06:57:13 /var/lib/dietpi/dietpi-vpn/static_up.sh tun0 1500 1585 10.8.2.10 255.255.255.0 init
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
iptables-restore v1.8.7 (nf_tables): host/network `ch299.nordvpn.com.udp.ovpn' not found
Error occurred at line: 10
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2022-06-07 06:57:13 WARNING: Failed running command (--up/--down): external program exited with error status: 2
2022-06-07 06:57:13 Exiting due to fatal error
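
The log above ends with the `--up` script aborting because `iptables-restore` was handed `ch299.nordvpn.com.udp.ovpn` as a host on line 10 of its input. As an added example (not part of the thread and not DietPi's code), here is a pre-flight check that rejects a ruleset whose `-s`/`-d` arguments are not literal IPv4 addresses before it is loaded. The ruleset is constructed for illustration, the function names are hypothetical, and IPv4-only rules are assumed because the script disables IPv6.

```shell
#!/bin/sh
# Added example: validate a kill-switch ruleset before iptables-restore sees it.
# Prints "LINE:TOKEN" for each -s/-d argument that is not a literal IPv4
# address or CIDR, and returns non-zero if any were found.
check_ruleset() {
    awk '
    function quad(a,    o, i) {          # dotted quad, each octet 0-255
        if (split(a, o, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    function literal(tok,    p, n) {     # ADDR, ADDR/PREFIX or ADDR/MASK
        n = split(tok, p, "/")
        if (n > 2 || !quad(p[1])) return 0
        return n == 1 || quad(p[2]) || (p[2] ~ /^[0-9]+$/ && p[2] + 0 <= 32)
    }
    {
        for (i = 1; i < NF; i++)
            if ($i ~ /^(-s|-d|--source|--destination)$/) {
                m = split($(i + 1), list, ",")   # comma-separated lists
                for (j = 1; j <= m; j++)
                    if (!literal(list[j])) { print NR ":" list[j]; bad = 1 }
            }
    }
    END { exit bad }' "$@"
}

# Constructed sample ruleset (not DietPi's actual rules); $1 is the value
# substituted for the VPN server address on line 10.
sample_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 192.168.2.0/24 -j ACCEPT
-A OUTPUT -d $1 -p udp --dport 1194 -j ACCEPT
COMMIT
EOF
}

sample_rules ch299.nordvpn.com.udp.ovpn | check_ruleset || echo "rejected"
sample_rules 37.120.213.107 | check_ruleset && echo "ok to load"
```

The reported line number matches the `Error occurred at line:` counter that `iptables-restore` prints, so a rejected token can be traced back to the template line that produced it.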