Am I the only one with this issue?

docque (Senior Member, joined Apr 14, 2022, 633 posts)

Ok, time to nerd out and I hope someone can assist.

My setup. Laptop running two VMs. One is my development environment, the other is an Oracle database. The development environment uses a VPN to connect to Linode servers that contain our ticketing system, test Oracle database, etc.

Now for the issue. I have my phone as a hotspot; carrier doesn't matter, it is a hotspot. I can ping, ssh and sftp the servers. But I cannot browse to them. To get more nerdy here, I can "curl" to the http side but I get no response if I do the https side.

It looks like a hotspot is out of the question or I am missing something. Congratulations if you made it to the end. I am hoping there are other nerds like me out there.
 
Could it be that your provider is blocking certain ports on the hot spot?
 
For all of this, I'm assuming that you have a little more than a base knowledge of networking and computers.

First thing to try: check to see if you are getting a private IP address; if so, configure your adapters to do IPv6 and disable IPv4. If that doesn't work, or the VPN is configured for IPv4 only, then see if you can ssh to port 80. The ssh connection should fail with a connection refused message.

Second, fire up Wireshark (you will have to filter the crap out of the log) and trace the connection to see where it is failing. If it's failing in the send side then it's probably the hotspot blocking something, or stripping packets (which usually only the high end firewalls, or pfSense, will do). If it's in the ack side, if you're not receiving an ack, then the hotspot is blocking things.

To try to resolve this, see if the hotspot can be put into bridge mode (most won't do this); bridge mode will bypass the hotspot firewall.

Second, turn off the hotspot firewall.

Third, put your source system into the DMZ of the hotspot.

Fourth, get a new hotspot. [emoji16]



Sent from my SM-N986U using Tapatalk
 
It has to be the port that is getting blocked. This is a phone hotspot so it is not that robust. Because I can do everything (ssh, sftp, etc.), I just can't do https.
 
Ah, it's a phone. It might be blocked by your provider. Can you visit the site on the phone? If so, then your provider thinks you are tethering the phone to get past the data caps.

 
If your VPN is terminating on your dev VM, that VM should be able to access the remote servers. The hotspot can't block ports inside the VPN because your traffic is actually encrypted inside a UDP tunnel that's all using the same src/dst port pair. There has to be something else going on here. What happens if you take the laptop to a Starbucks and try the same test?

Are you trying to hit it via IP address directly or is there DNS involved?
 
DNS is involved and it can resolve it, I can ping the servers by name. Just no https.
 
Does the HTTPS connection typically redirect you to a captive portal/login page or something that would require you to be on a domain that may not be open to VPN clients?
 
I would still be interested to see if this setup works on non-hotspot wifi also like if you are at an RV park with decent wifi, or a Starbucks or something. How do you have the VM networking configured? Is it bridged or NATted?
 
Ok, I can do more explaining. This setup I have works 100% at home. No issues at all. I actually set up a nano router (for the RV) to connect to the Hotspot so I could have certain IP addresses (this is needed for the app server to communicate with the database). So my configuration works great until I try to use the hotspot on my phone. I already know the phone hotspot is not great.

I am hoping that a true hotspot will solve these issues since it is more robust but I am not holding my breath.

Overall, this setup works great except when I am connected to the hotspot.
 
That sounds like your cell phone provider is blocking port 443. Try ssh'ing to port 443?
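
The checks suggested in this thread (does a connection to port 80 or 443 get refused, time out, or connect and then go silent on HTTPS) can be run in one pass. This is an added example, not code from any poster; `probe` and its stage names are hypothetical, and the listener in the demo is a constructed local stand-in for a server that accepts TCP but never answers the TLS handshake.

```python
import socket
import ssl


def probe(host, port, tls=False, timeout=3.0):
    """Return (stage, detail): the first step that failed, or the last that worked."""
    try:
        family, kind, proto, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return ("dns_fail", str(exc))
    sock = socket.socket(family, kind, proto)
    sock.settimeout(timeout)
    try:
        try:
            sock.connect(addr)
        except ConnectionRefusedError:
            # A reset came back: the path is open, nothing listens on that port.
            return ("tcp_refused", "port reachable but closed")
        except socket.timeout:
            # The SYN got no answer at all: filtered or dropped somewhere on the path.
            return ("tcp_timeout", "no reply to SYN")
        except OSError as exc:
            return ("tcp_error", str(exc))
        if not tls:
            return ("tcp_ok", "TCP handshake completed")
        ctx = ssl.create_default_context()
        try:
            # wrap_socket performs the TLS handshake on the connected socket.
            with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
                return ("tls_ok", tls_sock.version())
        except socket.timeout:
            # The symptom described above: TCP works, HTTPS gets no response.
            return ("tls_timeout", "TCP connected, no TLS reply")
        except OSError as exc:  # includes ssl.SSLError and certificate failures
            return ("tls_error", str(exc))
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed demo: a local listener that accepts TCP but never speaks TLS.
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    silent.listen(5)
    port = silent.getsockname()[1]
    print(probe("127.0.0.1", port))
    print(probe("127.0.0.1", port, tls=True, timeout=1.0))
    silent.close()
```

Running it against the real server name on ports 22, 80 and 443, once on the home network and once on the hotspot, shows which stage differs between the two.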

 
Kind of interesting. There are a lot of wildcards here. Are you using your phone or a carrier hotspot? Phones were not designed with data in mind (surprise). Carriers have been tightening up on IP range access as have CSPs. The number of firewalls between your phone and servers is likely much ~ 1. Recently found 6 Palo Altos between me and my destination CSP. None were config'ed the same and the company could not identify who owned one of them. Apple and Samsung have had issues with VPNs over IOS and android. A number of browser updates have bitten me getting to https lately (notably FF ESR and the latest Chromium Edge). My Horizon client on my Win10 laptop stopped connecting one day and I was forced to update client SW. If I start browsing on my 5G T-Mobile phone as a hotspot, it blocks internet activity (read browsing) yet it stays connected. Not so on my Verizon LTE phone as a hotspot yet.
 
So you have a VM going through a laptop going through a nano router going through a hotspot. I'm surprised that works at all. Try setting the TTL of the VM to 68 and see how that behaves. This technically violates the TOU of tethering phone plans, but if it works, it shows the problem. I still don't think there's any way for the hotspot or a firewall in path to be blocking this flow unless it's cracking your VPN. That'd be bad.
 
Good point. I seemed to have ignored the VPN part, unless the VPN is only allowing intranet traffic through it and internet traffic through the ISP (split tunnel).

 
We too use a hotspot on our phone when camping. And my wife VPNs all day, all week long to her work through it. I'm sure all of her servers are HTTPS because of where she works as an IT Software Engineer reading sensitive HIPAA data (I too used to work there as an IT Software Engineer).

She has no issue using our VZ Hotspot to access any of her servers. One caveat though, she VPNs to a work related Data Center, and once there she networks to each server she requires. Not sure if this is your case but it may have something to do with it as well.

However, I will note that some HTTPS sites (financial institutions, government, INS, etc.) do not like VPNs at all when trying to gain access to their URL/servers. VPNs apparently will block some identifying data that they require to access their webpage.
 
I am going to get a real hotspot today and see how it goes. I really think it is the phone.

To answer everyone's questions about how this even works. It does, flawlessly and has been for many years. That is why it confuses me as to why it just doesn't work correctly when it is paired with the phone.

Here is another fun one. The main laptop has zero connectivity if the CentOS VM is not running. That is because it uses it as a proxy. Always thought that was funny.

I will keep you all informed as to what happens when I get the new hotspot. I assume the MiFi M2000 is not a bad hotspot?
 
Something tells me that the proxy might be blocking port 443? I dunno, without getting hands on the setup, it's a bit difficult to do a deep dive into it.

Definitely let us know if the new hotspot works. If it doesn't, you are probably looking at something within the configuration itself.

 
I wanted to go Starlink but it is not available in our area. Which is very confusing because last I checked, satellites don't avoid certain areas.

But chances are I need Internet and not Hotspot due to the complexity of my configuration.
 
Sign up for the Starlink RV package; it's available everywhere for $135 a month.

 
After reading through this thread, I can honestly and unequivocally say I didn't understand anything I just read...... and I hope I never have to.:confused:
 
