
support web proxy for https traffic to establish connection?

Open juju4 opened this issue 7 months ago • 5 comments

Is your feature request related to a problem? Please describe.

Currently, it does not seem possible to establish a vpn connection without a proxy exception. Direct https traffic must be allowed in the same way as turn/stun/relays. Else, when doing netbird up, only seeing access to http://169.254.169.254/opc/v2/instance/, http://169.254.169.254/latest/ and similar with ua Go-http-client/1.1 (a netbird ua would be better too) and ending with "Error: login backoff cycle failed: rpc error: code = DeadlineExceeded desc = context deadline exceeded". Only pkgs.netbird.io seems "compatible" with web proxy. Tested with netbird 0.40.0 on Ubuntu 24.04 LTS.

Other tools like bigbluebutton allow http(s) traffic to be proxied while coturn/stun has direct access.

Describe the solution you'd like

If a proxy is defined (like http(s)_proxy environment in linux), the web traffic should go through it and not require direct access.

Describe alternatives you've considered

The only alternative is to open direct web access, which depends on the environment.

juju4 • May 04 '25 20:05

Does your proxy support http/2 and grpc?

lixmal • May 05 '25 15:05

Test was with squid which seems to have http/2+grpc support (if sslbump and extra config) and also direct connect (no sslbump) should work per https://docs.spectrocloud.com/architecture/grps-proxy/#grpc-and-proxies

Quick check some other web proxies:

Squid: https://wiki.squid-cache.org/Features/HTTP2
Tinyproxy: no http/2 https://github.com/tinyproxy/tinyproxy/issues/139
Envoy: http/2 and grpc https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_protocols/grpc#grpc
Nginx: http/2 and grpc https://blog.nginx.org/blog/nginx-1-13-10-grpc, https://github.com/chobits/ngx_http_proxy_connect_module

Tested with Squid 6.10, no sslbump

juju4 • May 11 '25 20:05

Having exactly the same use case - peer can access the public Internet only via HTTP PROXY (defined in $HTTP_PROXY or similar env variable). The proxy itself is Squid.

Btw. FRP supports it ;-) https://github.com/fatedier/frp?tab=readme-ov-file#connecting-to-frps-via-proxy

vaclcer • May 22 '25 11:05

Can you try configuring the proxy envs for the netbird service, e.g. similar to https://docs.netbird.io/how-to/troubleshooting-client#on-linux-with-systemd

lixmal • May 22 '25 12:05

This does not help. You can see below that curl works, because it uses $HTTP_PROXY by default. Direct connection by Netbird does not.

2025-05-22T13:14:05Z INFO util/grpc/dialer.go:89: DialContext error: context deadline exceeded
2025-05-22T13:14:05Z INFO management/client/grpc.go:57: createConnection error: context deadline exceeded
2025-05-22T13:14:05Z ERRO util/grpc/dialer.go:45: Failed to dial: d.Dialer.DialContext: dial tcp 91.99.74.154:443: operation was canceled
2025-05-22T13:14:05Z INFO ./caller_not_available:0: 2025/05/22 13:14:05 WARNING: [core] [Channel #11 SubChannel #12]grpc: addrConn.createTransport failed to connect to {Addr: "netbird.magentify.eu:443", ServerName: "netbird.magentify.eu:443", }. Err: connection error: desc = "transport: Error while dialing: nbnet.NewDialer().DialContext: d.Dialer.DialContext: dial tcp 91.99.74.154:443: operation was canceled"
2025-05-22T13:14:05Z ERRO management/client/grpc.go:65: failed creating connection to Management Service: context deadline exceeded
2025-05-22T13:14:05Z ERRO client/internal/device_auth.go:60: failed connecting to Management Service https://netbird.magentify.eu:443 context deadline exceeded
2025-05-22T13:14:05Z INFO ./caller_not_available:0: 2025/05/22 13:14:05 WARNING: [core] [Server #1]grpc: Server.processUnaryRPC failed to write status: connection error: desc = "transport is closing"

curl works:

(base) root@turing:/home/vaclav# curl -I https://netbird.magentify.eu:443
HTTP/1.1 200 Connection established

vaclcer • May 22 '25 12:05

Hi, do you think this would ever be achievable?

vaclcer • Jul 06 '25 15:07

@vaclcer not sure what system you are running, but are you sure the $HTTP_PROXY envvar is active for the NetBird service? The main process is a system-wide background daemon that needs separate handling of envvars depending on the system.

On Linux you can add the vars to /etc/sysconfig/netbird
On Windows you can run [Environment]::SetEnvironmentVariable("HTTP_PROXY", "XXXX", "Machine")
On MacOS you have to resort to editing netbird.plist file manually

nazarewk • Jul 07 '25 12:07
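
One way to check the question raised in the last comment, whether the proxy variables are present in the daemon's own environment rather than only in the interactive shell where curl was run. This is an added example, not part of the thread or of the NetBird project; the function names and sample values are constructed, and it assumes Linux, where root can read a running process's environment at /proc/<pid>/environ.

```shell
#!/bin/sh
# Added example (not from the thread). Lists the proxy-related variables in a
# process environment block: NUL-separated KEY=VALUE pairs, which is the
# format of /proc/<pid>/environ on Linux. Credentials embedded in a proxy URL
# (user:pass@host) are masked so the output can be pasted into an issue.
proxy_vars_from_environ() {
    environ_file=$1
    [ -r "$environ_file" ] || { echo "cannot read $environ_file" >&2; return 2; }
    tr '\0' '\n' < "$environ_file" |
        grep -iE '^(https?_proxy|no_proxy|all_proxy)=' |
        sed -E 's#(://)[^/@]*@#\1***@#' |
        LC_ALL=C sort
}

# Returns 0 if the block sets a non-empty HTTPS_PROXY/https_proxy, the variable
# conventionally consulted for https:// destinations (for example by curl and
# by Go's net/http ProxyFromEnvironment); returns 1 otherwise.
has_https_proxy() {
    proxy_vars_from_environ "$1" | grep -qiE '^https_proxy=.'
}

# Against a live daemon, run as root. The process name "netbird" is an
# assumption; adjust it to whatever the service runs as on your system:
#   proxy_vars_from_environ "/proc/$(pgrep -o netbird)/environ"
```

If the daemon's block shows no proxy variables while the login shell has them, the service environment and the shell environment differ, which is the case the comment above asks about.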