Proxy error: why is proxy being forced for http?

Got a problem with Viscosity or need help? Ask here!

mitchellh

Posts: 3
Joined: Fri Feb 10, 2023 1:28 am

Post by mitchellh » Fri Feb 10, 2023 1:42 am
Hiya,

We've had a Viscosity / OpenVPN setup working for the past year or so on our MacOS Ventura clients but just recently any http connection while VPN is up is forcing http links to use a proxy producing a Proxy Error 502 message in Safari / Chrome.

Connections to other network services like file shares, email, etc. are not affected. Viscosity is working as expected. We updated to version 1.10.14, no change.

We do have a reverse proxy to allow certain connections to pass through to backend web servers but not all. Those that do have a reverse proxy setup do work (they would anyway) but any not in that configuration don't work while they used to up until recently.

We don't have a proxy server set up for clients and it's not pushed via the VPN server or configured on any of our clients in Viscosity or macOS configuration.

DNS is resolving properly when VPN is up.

No changes to Viscosity or VPN configuration. This does not impact our OpenVPN Windows Clients.

Any pointers on why this is happening now?

Cheers.

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Feb 10, 2023 10:39 pm
Hi mitchellh,

In regards to direct proxy use, make sure none of the following are the case:

1. Make sure no advanced proxy commands are set for your connection in Viscosity:
https://www.sparklabs.com/support/kb/ar ... -automatic

2. Make sure the OpenVPN server isn't pushing any proxy server settings to connecting clients, such as by pushing "dhcp-option HTTPPROXY", "dhcp-option WPAD", "dhcp-option PROXY_AUTO_CONFIG_URL", etc. settings. You'll need to check the server's OpenVPN configuration file to check this.

3. Make sure there isn't a transparent proxy running on the VPN server or remote network. A transparent proxy will attempt to redirect all web traffic through a proxy server without any configuration needed by the client computers.

However, if this is only occurring for HTTP (not HTTPS) traffic, and only on Macs and not Windows computers, it's possible you're running into a Private Relay problem. Recent versions of macOS consider plain HTTP insecure, and now automatically route any plain HTTP connection (that's not for a local IP range) through "iCloud Private Relay" (if enabled). It's possible this may be blocked or clashing with your network setup, causing the error. Allowing iCloud Private Relay traffic to pass unfiltered, or turning off the feature, will likely solve the issue.
https://www.sparklabs.com/support/kb/ar ... viscosity/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

mitchellh

Posts: 3
Joined: Fri Feb 10, 2023 1:28 am

Post by mitchellh » Mon Feb 20, 2023 9:54 pm
Hiya, thanks for getting back to us.

> 1. Make sure no advanced proxy commands are set for your connection in Viscosity:

There are no advanced cmds set.

> 2. Make sure the OpenVPN server isn't pushing any proxy server settings to connecting clients, such as by pushing "dhcp-option HTTPPROXY", "dhcp-option WPAD", "dhcp-option PROXY_AUTO_CONFIG_URL", etc. settings. You'll need to check the server's OpenVPN configuration file to check this.

There are no dhcp-options set.

resolv-retry infinite
data-ciphers-fallback AES-128-CBC
reneg-sec 0
auth-nocache
comp-lzo adaptive
data-ciphers AES-128-GCM
auth SHA256
lport 0

> 3. Make sure there isn't a transparent proxy running on the VPN server or remote network. A transparent proxy will attempt to redirect all web traffic through a proxy server without any configuration needed by the client computers.

There is no transparent proxy running and this issue just started recently, perhaps with the upgrade to Ventura, and there have been no changes to our proxy configuration.

4. iCloud Private Relay

This is and has been turned off.

Anything else we can check?

Cheers,
Mitch

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Feb 28, 2023 12:35 pm
Hi Mitch,

> There are no dhcp-options set.

Please be sure that you're checking what the OpenVPN server is pushing, not the Advanced commands area in Viscosity. OpenVPN has a "push" command that lets it dynamically send commands to OpenVPN clients, and this is typically used to push dhcp-option settings from the server.

> Anything else we can check?

I'm afraid that's it from a client-side perspective.

I recommend checking the server-side logs on your reverse proxy and see if they're the source of the 502 errors. If they are, they should also contain more information about why the connection attempts are being rejected.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

mitchellh

Posts: 3
Joined: Fri Feb 10, 2023 1:28 am

Post by mitchellh » Wed Mar 01, 2023 8:32 pm
Hiya, for those having similar issues this ended up being the DNS setting pushed via DHCP in the OpenVPN server config.

Only have your local DNS in the DHCP config. If you add a 2nd backup DNS like Google (8.8.8.8) for whatever reason macOS defaults to that and ignores the local DNS server even if the local domain is included. So for us when the VPN was connected all HTTP traffic was still being routed via our external IP address, which would then forward to our reverse proxy instead of connecting directly on the internal network.

Why it worked fine for ages then just stopped I don't know. Bug in MacOS?

Cheers.

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Mar 03, 2023 1:25 pm
Great to hear you solved it - thanks for posting a follow-up.

> Why it worked fine for ages then just stopped I don't know. Bug in MacOS?

I'd say what you're running into here is macOS's recent DoH (DNS over HTTPS) support. If you specify a DNS server with known DoH support (such as Google's 8.8.8.8) macOS will prefer to use it over other DNS servers without DoH support (on the same interface).

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
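As an added example (not code from this thread, from SparkLabs or from OpenVPN), a small Python check for the server-side items James raised in his point 2 and the pushed-DNS mix Mitch eventually found: it parses the push "dhcp-option" directives in an OpenVPN server config, lists any client proxy option being pushed, and warns when a public resolver is pushed alongside an internal one. The sample server.conf, its addresses and the corp.example domain are constructed for the example.

```python
import ipaddress
import shlex

# dhcp-option names from the thread that hand clients a web proxy.
PROXY_OPTIONS = {"HTTPPROXY", "WPAD", "PROXY_AUTO_CONFIG_URL"}

def pushed_dhcp_options(config_text):
    """Yield the argument list of every push "dhcp-option ..." directive."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN full-line comments
            continue
        parts = shlex.split(line)
        if len(parts) == 2 and parts[0] == "push":
            inner = parts[1].split()
            if inner and inner[0] == "dhcp-option":
                yield inner[1:]

def is_private(addr):
    """True for RFC 1918 / ULA style addresses, False for public or non-IP."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False

def audit(config_text):
    """Return pushed proxy options, pushed DNS servers and warnings."""
    proxy, dns = [], []
    for args in pushed_dhcp_options(config_text):
        if args and args[0].upper() in PROXY_OPTIONS:
            proxy.append(" ".join(args))
        elif len(args) > 1 and args[0].upper() == "DNS":
            dns.append(args[1])
    warnings = ["client proxy pushed: " + p for p in proxy]
    public = [d for d in dns if not is_private(d)]
    if public and len(public) < len(dns):
        warnings.append("public resolver(s) %s pushed next to internal DNS; "
                        "macOS may prefer a DoH-capable public resolver and "
                        "stop resolving internal names" % ", ".join(public))
    return {"proxy": proxy, "dns": dns, "warnings": warnings}

# Constructed sample server.conf mirroring the thread's final diagnosis.
SAMPLE_SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DOMAIN corp.example"
push "dhcp-option DNS 10.0.0.53"
# backup resolver added later; this is what the thread removed to fix it
push "dhcp-option DNS 8.8.8.8"
"""
```

Run `audit(open("/etc/openvpn/server.conf").read())["warnings"]` against your own server config; an empty list means nothing from the thread's checklist is being pushed.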