Proxy error: why is proxy being forced for http?
Hiya,
We've had a Viscosity / OpenVPN setup working for the past year or so on our macOS Ventura clients, but just recently any HTTP connection while the VPN is up is forcing HTTP links to use a proxy, producing a Proxy Error 502 message in Safari / Chrome.
Connections to other network services like file shares, email, etc. are not affected. Viscosity is working as expected. We updated to version 1.10.14, no change.
We do have a reverse proxy to allow certain connections to pass through to backend web servers, but not all. Those that do have a reverse proxy setup do work (they would anyway), but any not in that configuration don't work, while they used to up until recently.
We don't have a proxy server set up for clients and it's not pushed via the VPN server or configured on any of our clients in Viscosity or macOS configuration.
DNS is resolving properly when VPN is up.
No changes to Viscosity or VPN configuration. This does not impact our OpenVPN Windows Clients.
Any pointers on why this is happening now?
Cheers.
Hi mitchellh,
In regards to direct proxy use, make sure none of the following are the case:
1. Make sure no advanced proxy commands are set for your connection in Viscosity:
https://www.sparklabs.com/support/kb/ar ... -automatic
2. Make sure the OpenVPN server isn't pushing any proxy server settings to connecting clients, such as by pushing "dhcp-option HTTPPROXY", "dhcp-option WPAD", "dhcp-option PROXY_AUTO_CONFIG_URL", etc. settings. You'll need to check the server's OpenVPN configuration file to check this.
3. Make sure there isn't a transparent proxy running on the VPN server or remote network. A transparent proxy will attempt to redirect all web traffic through a proxy server without any configuration needed by the client computers.
However, if this is only occurring for HTTP (not HTTPS) traffic, and only Macs and not Windows computers, it's possible you're running into a Private Relay problem. Recent versions of macOS consider plain HTTP insecure, and now automatically route any plain HTTP request (that's not for a local IP range) through "iCloud Private Relay" (if enabled). It's possible this may be blocked or clashing with your network setup, causing the error. Allowing iCloud Private Relay traffic to pass unfiltered, or turning off the feature, will likely solve the issue.
https://www.sparklabs.com/support/kb/ar ... viscosity/
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Hiya, thanks for getting back to us.
1. Make sure no advanced proxy commands are set for your connection in Viscosity:
There are no advanced cmds set.
2. Make sure the OpenVPN server isn't pushing any proxy server settings to connecting clients, such as by pushing "dhcp-option HTTPPROXY", "dhcp-option WPAD", "dhcp-option PROXY_AUTO_CONFIG_URL", etc. settings. You'll need to check the server's OpenVPN configuration file to check this.
There are no dhcp-options set.
resolv-retry infinite
data-ciphers-fallback AES-128-CBC
reneg-sec 0
auth-nocache
comp-lzo adaptive
data-ciphers AES-128-GCM
auth SHA256
lport 0
3. Make sure there isn't a transparent proxy running on the VPN server or remote network. A transparent proxy will attempt to redirect all web traffic through a proxy server without any configuration needed by the client computers.
There is no transparent proxy running and this issue just started recently, perhaps with the upgrade to Ventura, and there have been no changes to our proxy configuration.
4. iCloud Private Relay
This is and has been turned off.
Anything else we can check?
Cheers,
Mitch
Hi Mitch,
There are no dhcp-options set.
Please be sure that you're checking what the OpenVPN server is pushing, not the Advanced commands area in Viscosity. OpenVPN has a "push" command that lets it dynamically send commands to OpenVPN clients, and this is typically used to push dhcp-option settings from the server.
Anything else we can check?
I'm afraid that's it from a client-side perspective.
I recommend checking the server-side logs on your reverse proxy and see if they're the source of the 502 errors. If they are, they should also contain more information about why the connection attempts are being rejected.
Cheers,
James
Hiya, for those having similar issues, this ended up being the DNS setting pushed via DHCP in the OpenVPN server config.
Only have your local DNS in the DHCP config. If you add a 2nd backup DNS like Google (8.8.8.8), for whatever reason macOS defaults to that and ignores the local DNS server even if the local domain is included. So for us, when the VPN was connected all HTTP traffic was still being routed via our external IP address, which would then forward to our reverse proxy instead of connecting directly on the internal network.
Why it worked fine for ages then just stopped I don't know. Bug in macOS?
Cheers.
Great to hear you solved it - thanks for posting a follow-up.
Why it worked fine for ages then just stopped I don't know. Bug in macOS?
I'd say what you're running into here is macOS's recent DoH (DNS over HTTPS) support. If you specify a DNS server with known DoH support (such as Google's 8.8.8.8) macOS will prefer to use it over other DNS servers without DoH support (on the same interface).
Cheers,
James
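An added example, not part of the original thread or Viscosity's own tooling: a shell check for the two server-side causes discussed above, pushed proxy options (the three named in the thread) and an internal DNS server pushed alongside a public one. The function names and both sample configs are constructed for illustration, and only `push "dhcp-option ..."` lines in the file given are examined.

```shell
# Audit an OpenVPN server config for pushed dhcp-option directives that
# change client proxy or DNS behaviour. Function names are hypothetical.
audit_pushed_options() {
    awk '
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    $1 == "push" && $2 ~ /^"?dhcp-option$/ {
        name = $3; value = $4
        gsub(/"/, "", name); gsub(/"/, "", value)
        if (name == "HTTPPROXY" || name == "WPAD" || name == "PROXY_AUTO_CONFIG_URL") {
            print "PROXY " name; bad = 1
        } else if (name == "DNS") {
            # RFC 1918 ranges count as internal resolvers
            if (value ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) {
                print "DNS " value " internal"; n_int++
            } else {
                print "DNS " value " public"; n_pub++
            }
        }
    }
    END {
        # Internal and public resolvers pushed together: the failure case here
        if (n_int && n_pub) { print "MIXED-DNS"; bad = 1 }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample server configs (not taken from the thread).
write_samples() {
    cat > "$1/mixed.conf" <<'EOF'
port 1194
push "dhcp-option DOMAIN corp.example"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
EOF
    cat > "$1/local-only.conf" <<'EOF'
port 1194
push "dhcp-option DOMAIN corp.example"
push "dhcp-option DNS 10.8.0.1"
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.conf; do
    echo "== ${f##*/}"
    audit_pushed_options "$f" || echo "-> review before deploying"
done
rm -rf "$tmp"
```

On a connected Mac, `scutil --dns` shows which resolvers the system is actually using, which confirms whether the internal server is being consulted.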