Curl or wget for https not working on 4G repeater but work on Ethernet on 20.03.2

Running: OpenWrt 22.03.2 r19803-9a599fee93 / LuCI openwrt-22.03 branch git-22.288.45147-96ec0cd on GL.iNet routers (GL-AR750EXT, GL-MT1300 and GL-MT3000)

Hi

I have a curl command that returns no error and gets executed when it is run from mwan3.user if the internet connection is via Ethernet:

BUT the exact same command returns the following error if I switch to repeater mode (via an Android device hotspot):

```
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.pushover.net:443
```

Here is the command:

```sh
(/bin/sleep 3;
{
curl -s -v \
  -F "token=xxxxxxxxxxx" \
  -F "user=xxxxxxxxxxxx" \
  -F "device=anydevice" \
  -F "title=FailOver" \
  -F "priority=2" \
  -F "retry=30" \
  -F "expire=45" \
  -F "sound=Persistent" \
  -F "message=Failoverr" \
  https://api.pushover.net/1/messages.json
}
logger -t "Failover" "TestFailover")&
```

If I connect my windows laptop via LAN and execute the same command in Command prompt, no error messages either …

BTW, I found out that if I run ANY curl command from the router command prompt when the connection is via Hotspot on 4G I always have the same result.

I tried the following:

```sh
curl https://ui.com -v
```

and got the same error:

```
root@GL-AR750S:/etc# curl https://ui.com -v
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ui.com:443
```

I extracted a tcpdump of the connection but as I know absolutely nothing about security protocols, I have no clue where to look at ...


```
10:02:05.532231 IP X.X.X.213.41116 > server-54-192-51-66.yul62.r.cloudfront.net.443: Flags [S], seq 2034016688, win 64240, options [mss 1460,sackOK,TS val 419945492 ecr 0,nop,wscale 4], length 0
10:02:05.533826 IP X.X.X.213.47254 > 192.168.220.170.53: 55349+ PTR? 66.51.192.54.in-addr.arpa. (43)
10:02:05.584138 IP server-54-192-51-66.yul62.r.cloudfront.net.443 > X.X.X.213.41116: Flags [S.], seq 986314330, ack 2034016689, win 65535, options [mss 1420,sackOK,TS val 1406559468 ecr 419945492,nop,wscale 9], length 0
10:02:05.584423 IP X.X.X.213.41116 > server-54-192-51-66.yul62.r.cloudfront.net.443: Flags [.], ack 1, win 4015, options [nop,nop,TS val 419945544 ecr 1406559468], length 0
10:02:05.648108 IP 52.96.230.98.443 > X.X.X.213.56992: Flags [P.], seq 907508948:907508983, ack 1778201573, win 40960, length 35
10:02:05.648325 IP 52.96.230.98.443 > X.X.X.213.56992: Flags [P.], seq 35:1153, ack 1, win 40960, length 1118
10:02:05.649174 IP X.X.X.213.56992 > 52.96.230.98.443: Flags [.], ack 1153, win 1026, length 0
10:02:05.653865 IP 52.96.230.98.443 > X.X.X.213.56993: Flags [P.], seq 3544677385:3544677420, ack 208234926, win 40960, length 35
10:02:05.662121 IP 52.96.230.98.443 > X.X.X.213.56993: Flags [P.], seq 35:1153, ack 1, win 40960, length 1118
10:02:05.663186 IP X.X.X.213.56993 > 52.96.230.98.443: Flags [.], ack 1153, win 1021, length 0
10:02:05.672742 IP 192.168.220.170.53 > X.X.X.213.47254: 55349 1/0/0 PTR server-54-192-51-66.yul62.r.cloudfront.net. (99)
10:02:05.756455 IP X.X.X.213.41116 > server-54-192-51-66.yul62.r.cloudfront.net.443: Flags [P.], seq 1:518, ack 1, win 4015, options [nop,nop,TS val 419945716 ecr 1406559468], length 517
10:02:05.824159 IP server-54-192-51-66.yul62.r.cloudfront.net.443 > X.X.X.213.41116: Flags [F.], seq 1, ack 518, win 65535, length 0
10:02:05.831001 IP X.X.X.213.41116 > server-54-192-51-66.yul62.r.cloudfront.net.443: Flags [.], ack 2, win 4015, options [nop,nop,TS val 419945791 ecr 1406559468], length 0
10:02:05.848491 IP X.X.X.213.41116 > server-54-192-51-66.yul62.r.cloudfront.net.443: Flags [F.], seq 518, ack 2, win 4015, options [nop,nop,TS val 419945808 ecr 1406559468], length 0
10:02:05.876910 IP server-54-192-51-66.yul62.r.cloudfront.net.443 > X.X.X.213.41116: Flags [F.], seq 2, ack 519, win 65535, length 0
```
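As an added example (not from the thread), here is a small Python parser for tcpdump text lines like the ones above: it groups packets into TCP flows, treats the endpoint on port 443 as the server, and flags flows where the client pushed its ClientHello but the server closed without sending a single byte back, which is exactly what the 517-byte push at 10:02:05.756 followed by the server's FIN at 10:02:05.824 shows. The sample lines are copied from the post; the matching rule and the port-443 heuristic are assumptions of this example, and it expects numeric ports as printed by `tcpdump -nn`.

```python
import re
from collections import defaultdict

# Sample input: tcpdump lines copied from the post above (client address anonymised
# as X.X.X.213 there); the DNS line is included to show that non-TCP lines are skipped.
SAMPLE = """\
10:02:05.532231 IP X.X.X.213.41116 > server-54-192-51-66.yul62.r.cloudfront.net.443: Flags [S], seq 2034016688, win 64240, options [mss 1460,sackOK,TS val 419945492 ecr 0,nop,wscale 4], length 0
10:02:05.533826 IP X.X.X.213.47254 > 192.168.220.170.53: 55349+ PTR? 66.51.192.54.in-addr.arpa. (43)
10:02:05.584138 IP server-54-192-51-66.yul62.r.cloudfront.net.443 > X.X.X.213.41116: Flags [S.], seq 986314330, ack 2034016689, win 65535, options [mss 1420,sackOK,TS val 1406559468 ecr 419945492,nop,wscale 9], length 0
10:02:05.584423 IP X.X.X.213.41116 > server-54-192-51-66.yul62.r.cloudfront.net.443: Flags [.], ack 1, win 4015, options [nop,nop,TS val 419945544 ecr 1406559468], length 0
10:02:05.648108 IP 52.96.230.98.443 > X.X.X.213.56992: Flags [P.], seq 907508948:907508983, ack 1778201573, win 40960, length 35
10:02:05.649174 IP X.X.X.213.56992 > 52.96.230.98.443: Flags [.], ack 1153, win 1026, length 0
10:02:05.756455 IP X.X.X.213.41116 > server-54-192-51-66.yul62.r.cloudfront.net.443: Flags [P.], seq 1:518, ack 1, win 4015, options [nop,nop,TS val 419945716 ecr 1406559468], length 517
10:02:05.824159 IP server-54-192-51-66.yul62.r.cloudfront.net.443 > X.X.X.213.41116: Flags [F.], seq 1, ack 518, win 65535, length 0
"""

# One tcpdump TCP summary line (numeric ports, as with tcpdump -nn); DNS lines do not match.
LINE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$"
)

def flows(lines, tls_port=443):
    """Group packets by (client, client_port, server); the side on tls_port is the server."""
    state = defaultdict(lambda: {"client_data": 0, "server_data": 0, "server_closed": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        if dport == tls_port:
            key, from_client = (src, sport, dst), True
        elif sport == tls_port:
            key, from_client = (dst, dport, src), False
        else:
            continue  # not HTTPS traffic
        f = state[key]
        if from_client:
            f["client_data"] += int(m["len"])
        else:
            f["server_data"] += int(m["len"])
            f["server_closed"] |= bool(set("FR") & set(m["flags"]))  # FIN or RST from server
    return state

def rejected_handshakes(lines):
    """Flows where the client pushed data (its ClientHello) and the server closed without
    sending a single byte back: no ServerHello, which curl reports as SSL_ERROR_SYSCALL."""
    return sorted(k for k, f in flows(lines).items()
                  if f["client_data"] > 0 and f["server_data"] == 0 and f["server_closed"])
```

To use it on a live capture, feed it the lines of `tcpdump -nn -i <tether-interface> port 443` taken on the router; a flow that lands in `rejected_handshakes` was torn down by something between the router and the server before any TLS response arrived, which points at the path rather than at curl or the certificate store.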

Thanks @hansome at GL.iNet, I found a way to change the TTL to 65 on the repeater interface and that seems to fix the problem.

For anyone looking for the answer, here is what I have done on OpenWRT 22.03

I created a file /etc/nftables.d/12-mangle-ttl-65.nft and added the following into it (change "eth2" to your actual tethering interface):

```
chain mangle_postrouting_ttl65 {
  type filter hook postrouting priority 300; policy accept;
  oifname "eth2" counter ip ttl set 65
}

chain mangle_prerouting_ttl65 {
  type filter hook prerouting priority 300; policy accept;
  iifname "eth2" counter ip ttl set 65
}
```

I found this info in: Working Nftables Rule for TTL in 22.03 - #17 by richardhd - Network and Wireless Configuration - OpenWrt Forum
