tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

Windows proxy server support does not respect global Windows proxy configuration #4394

Open sailorfrag opened 2 years ago

sailorfrag commented 2 years ago

What is the issue?

There seem to be multiple overlapping issues when using a proxy server on Windows:

  1. The frontend sends logs via the backend. If a proxy is configured, it requests a CONNECT to the proxy address, not the log server's name, so it ends up rejected:
     ipnserver: conn71: invalid CONNECT target "192.168.1.14:8888"; want "log.tailscale.io:443"
  2. While some of the code seems to see the manual proxy configuration, outgoing connections don't seem to actually use the manual proxy configuration. Received error:
     fetch control key: Get "https://controlplane.tailscale.com/key?v=29": dial tcp 52.29.8.43:443: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
  3. If "Automatically detect settings" is disabled, the DHCP-provided PAC file is fetched and used anyway.

These issues seem to be related to a bunch of deep Windows API details + Go maybe doing some stuff automatically that I don't fully understand and are beyond what I can spend time on at the moment.

For now, the workaround appears to be configuring a PAC file via DHCP and using the automatic proxy detection provided through that mechanism.

Steps to reproduce

  1. Set up a Windows 10 device on a network where outgoing ports 80 and 443 are blocked but there is an HTTP proxy available.
  2. Configure the Windows proxy configuration to use that HTTP proxy. [Screenshot of Windows Proxy configuration]
  3. Install Tailscale and try to use it.

Are there any recent changes that introduced the issue?

No response

OS

Windows

OS version

Windows 10

Tailscale version

1.22.2, 1.23.144

Bug report

BUG-1291e9e77191aa4825f5f5228903c619dedafd4478260e56284896c845105dd2-20220411182511Z-6d8e6a8a6ccf43e5

sailorfrag commented 2 years ago

Ah, I found another workaround on Windows for static configuration.

Add a pair of global environment variables:

HTTP_PROXY = http://192.168.1.14:8888
HTTPS_PROXY = http://192.168.1.14:8888

Perhaps HTTPS_PROXY is not also required; I didn't check with just the one variable set.

Another problem I discovered is that if the proxy is not reachable via the interface with the default route (in my case, I had the VM's default route via a NAT interface and the proxy accessible via a second host-only interface), it will still try to connect via the default route's interface.
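The proxy sources discussed in this thread can be listed side by side before applying the environment-variable workaround from the comment above. This is an added example, not part of the original thread or of Tailscale's code; the proxy address is the one quoted in the comment, and `$Apply` is a hypothetical switch introduced here.

```powershell
# Added example: compare the Windows proxy sources, then optionally apply
# the HTTP_PROXY / HTTPS_PROXY workaround. Run from an elevated prompt to apply.
$Proxy = 'http://192.168.1.14:8888'   # address from the comment above
$Apply = $false                        # hypothetical switch: set to $true to write the variables

# 1. Per-user (WinINET) settings: the "Manual proxy setup" values shown in the GUI.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
[pscustomobject]@{
    Source        = 'WinINET (current user)'
    ProxyEnable   = $inet.ProxyEnable      # 1 = manual proxy enabled
    ProxyServer   = $inet.ProxyServer
    ProxyOverride = $inet.ProxyOverride    # bypass list
    AutoConfigURL = $inet.AutoConfigURL    # statically configured PAC script, if any
} | Format-List

# 2. Machine-wide WinHTTP proxy, stored separately from the per-user settings.
netsh winhttp show proxy

# 3. Proxy environment variables at every scope. Only the Machine scope is
#    "global"; a value set only for the User scope is not global.
$rows = foreach ($scope in 'Process', 'User', 'Machine') {
    foreach ($name in 'HTTP_PROXY', 'HTTPS_PROXY', 'NO_PROXY') {
        [pscustomobject]@{
            Scope = $scope
            Name  = $name
            Value = [Environment]::GetEnvironmentVariable($name, $scope)
        }
    }
}
$rows | Format-Table -AutoSize

if ($Apply) {
    # Machine-scope variables are readable by every local account, so keep
    # credentials out of the URL.
    [Environment]::SetEnvironmentVariable('HTTP_PROXY',  $Proxy, 'Machine')
    [Environment]::SetEnvironmentVariable('HTTPS_PROXY', $Proxy, 'Machine')
    # Already-running processes keep their old environment block; services
    # may need a reboot before they see the new values.
    Write-Host "Machine-scope proxy variables set to $Proxy"
}
```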

DentonGentry commented 1 year ago

Possibly related: https://github.com/tailscale/tailscale/issues/4811

bradfitz commented 1 year ago

Yes, the 3 comments starting at https://github.com/tailscale/tailscale/issues/4811#issuecomment-1305075375 summarize the situation.

(We need to use WinHttpGetIEProxyConfigForCurrentUser.)

bradfitz commented 1 year ago

cc @dblohm7

DentonGentry commented 1 year ago

https://github.com/tailscale/tailscale/issues/4811#issuecomment-1338228143 notes that 1.34.0 resolved the proxy issues seen there. I think that was the same problem as this bug.

(removed the comment about closing, so as to not show up in my search next time)

bradfitz commented 1 year ago

I don't think we've fixed this yet. We still don't respect the one listed most prominently in the GUI per my comment/link above.

NanoG6 commented 1 year ago

I have a similar issue. Already set the env. variables, but running tailscale status gives me "Proxy Authentication Required". Yes, my proxy server requires an LDAP username and password, and I already input my username & password in the env. variables. Any help would be greatly appreciated.

stailscale commented 3 months ago

I used the following PowerShell command for Windows and reinstalled Tailscale. Worked for me.