Transparent mode issue (with VPN)


I’ve set up an openvpn server (tcp connection).
After the traffic passes through the vpn i redirect port 80/443 to 8080 (iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080) (also ip6tables) (tun0 is the vpn gateway).
(Mitmproxy is working explicitly (installed the cert, etc))
Then I start mitm with --mode transparent --showhost (also tried --ssl-insecure).
Most traffic passes through normally, but some sites give alot of warnings:
1- Client Handshake failed. The client may not trust the proxy’s certificate for xxxx.
2- Certificate verification error for xxx: unable to get local issuer certificate(errno:20, depth: 1)
3- Invalid certificate, closing connection
4- (just a few) Cannot establish TLS with xxx:443(sni:xxx): TlsException(“SSL handshake error:SysCallError(104, ‘ECONNRESERT’)”,)

What have I done wrong? Do I need to replace openvpn certificates with mitm certificate?

PS: I’m probably just dumb.



Not sure if this is the problem, but I found out that chrome has a hkpk preload list (couldnt find a way to remove it yet) and for some reason transparent mode cant bypass that list like explicit mode.
On the other hand, traffic in firefox shows up almost perfectly (they probably have a list aswell).
The thing is, I dont understand why that only applies to transparent mode…

Any suggestions?