From 3e58d664be691a1eab77c3cce5d0b699fd94251d Mon Sep 17 00:00:00 2001
From: DL6ER
Date: Tue, 16 Jan 2018 16:24:49 +0100
Subject: [PATCH] Updated OpenVPN server: Firewall configuration (using iptables) (markdown)
---
 OpenVPN-server:-Firewall-configuration-(using-iptables).md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/OpenVPN-server:-Firewall-configuration-(using-iptables).md b/OpenVPN-server:-Firewall-configuration-(using-iptables).md
index 4f07329..8cc2ff9 100644
--- a/OpenVPN-server:-Firewall-configuration-(using-iptables).md
+++ b/OpenVPN-server:-Firewall-configuration-(using-iptables).md
@@ -22,7 +22,6 @@ These commands will allow DNS and HTTP needed for name resolution (using Pi-hole
 iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
 iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
 iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
-iptables -A INPUT -i tun0 -p udp --destination-port 80 -j ACCEPT
 ```
 You will also want to enable SSH and VPN access from anywhere. 
@@ -53,12 +52,14 @@ iptables -P INPUT DROP
 ###### Blocking HTTPS advertisement assets
-Since you're `:head-desk:`ing with `iptables`, you can also use this opportunity to block HTTPS advertisements to [improve blocking ads that are loaded via HTTPS](https://discourse.pi-hole.net/t/why-do-some-sites-take-forever-to-load-when-using-pi-hole/3654/4).
+Since you're `:head-desk:`ing with `iptables`, you can also use this opportunity to block HTTPS advertisements to [improve blocking ads that are loaded via HTTPS](https://discourse.pi-hole.net/t/why-do-some-sites-take-forever-to-load-when-using-pi-hole/3654/4) and also deal with QUIC.
 > Why doesn't Pi-hole just use a certificate to prevent this? The answer is [here](https://discourse.pi-hole.net/t/slow-loading-websites/3408/12).
 ```
-iptables -A INPUT -p tcp --dport 443 -j REJECT
+iptables -A INPUT -p udp --dport 80 -j REJECT -- reject-with icmp-port-unreachable
+iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset
+iptables -A INPUT -p udp --dport 443 -j REJECT -- reject-with icmp-port-unreachable
 ```
 Depending on the systems you have connecting, you may benefit from appending `--reject-with tcp-reset` to the command above. If you still get slow load times of HTTPS assets, the above may help.
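Review bot: The two new UDP lines write `-- reject-with` with a space, which iptables parses as the bare end-of-options marker `--` followed by a stray positional argument, so the command is refused with "Bad argument `reject-with'" and neither the udp/80 nor the udp/443 (QUIC) rule is ever installed — the QUIC blocking this commit advertises silently does not happen for anyone who pastes the page. Change both to `iptables -A INPUT -p udp --dport 80 -j REJECT --reject-with icmp-port-unreachable` and `iptables -A INPUT -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable` (or drop the option entirely, since icmp-port-unreachable is REJECT's default). The closing sentence that suggests "appending `--reject-with tcp-reset` to the command above" is now stale, because the tcp/443 line already carries it, and should be removed or reworded. Like the line they replace, none of the three rules is scoped with `-i tun0`, so they reject these ports on every interface of the host, not only for VPN clients; worth confirming that is intended, since the earlier hunk's rules are all interface-scoped.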