Connectivity Issue with OpenVPN Proxy Settings

[vistalba]

Hi togehter

I expiried some issue on the tvhclient on my iOS (iOS Version: 11.2.5, iPhone X).

My tvh-Server is running at home and works great. Also with the tvhClient. Thanks for that! :D

To also watch TV outside of my home network I use a OpenVPN tunnel (OpenVPN Connect App). From OpenVPN server I push some Proxy settings. All other connectivity to my home net and internet is working well. Also there are no drops in the FW log.

OpenVPN Push Config: push "dhcp-option PROXY_BYPASS whatever.com" push "dhcp-option PROXY_HTTP 10.10.10.10 8080" push "dhcp-option PROXY_HTTPS 10.10.10.10 8080" push "dhcp-option PROXY_AUTO_CONFIG_URL https://proxy.whatever.com/proxy.pac"

I've I connected to my VPN I can use the app, it loads the EPG infos but I can't play any stream. (Tested LiveTV and Recordings).

If I switch to wifi I can play it without issues. If I remove the proxy push config from my OpenVPN Server it also works without problem. It looks like the app does not correclty handle the proxy settings but only in the Stream case... login and epg info ist loaded. If I connect to tvh-Server trought my browser on my Phone it does work also without issues.

Is there any way I can provide you more information about to solve this issue? (I know, this is a verry special configuration :))

Edit: The problematic line is push "dhcp-option PROXY_HTTP 10.10.10.10 8080"; If I remove this, it works without problems.

[zipleen]

So.. I wonder if this is really anything to do with OpenVPN but with the whole "proxy support for iOS"

I also use OpenVPN, but I don't push any proxy settings, I just directly connect to my server's ip address =)

So, if I'm not mistaken here and from what you're telling me, the app actually does work correctly with the proxy, it's just streaming (VLC) portion of it that doesn't connect through the proxy, right ?

Try one solution to see if there's anything weird with vlc. When you play, click "Copy To Clipboard" option, then download and open VLC from the app store and open the network stream. If it works, then try going to tvhclient, clicking on the open stream but this time select VLC which should popup in the selection window when playing back.

Tell me if any or all of these 2 solutions work.

[vistalba]

@zipleen Thanks for your reply.

I tried your suggested steps with vlc app (and also with infuse app) and it does not work at all, when I'm connected trought vpn and proxy settings are applied :(

If I remove all proxy settings from OpenVPN then VLC works and also tvhclient works.

What I also checked when proxy is set:

• No reqeusts hits the proxy (nothing in the log -> So traffic is not going trought the proxy)
• Can't see requests that connects to tvheadend? (Why? tcpdump not really usable because of https encryption). -> Is there any way to get more log output from tvheadend like access logs and so on?

[zipleen]

we need to separate the issues first.

if infuse and vlc don't work with the proxy (but they do work without the proxy setting), then it's probably a system wide thing. so there's nothing I can do in tvhclient, but I can try helping out diagnosing the rest.

You mentioned that with the proxy you can access the channel data - you just can't stream. So, double check that this indeed works

1. check if tvhclient can add / remove recordings - this will make sure the data is really fresh and you're getting connectivity with the server. Open tvheadend in your computer, open the log window (in the bottom) and you should see connection statements.. otherwise you might need to enable debug logging
2. open safari in iOS and point to the tvheadend address to see that it opens
3. at this point in time you know for sure that you do have connectivity with the proxy to the http server, it's just the streaming that doesn't work. Leave the previous debugging log window open and if you use vlc or infuse to connect to that tvheadend url, you should see something in the logs - if you don't then either the apps don't support the proxy support (highly doubt it, seems to be a system setting thing) or the server could not support the type of streaming that you require

This could actually be the case.. what proxy are you using on port 8080 ? You might just need to correctly configure the proxy on port 8080 to achieve streaming, there might be some additional configuration that you need to do to allow that

[vistalba]

1.) Add recordings from Smartphone connected trougth vpn works without problems. I can see it in the WebGUI on my computer connected im my LAN. (Additional info: no requests in this case in proxy logs so there goes direct to tvheadend server over https -> As configued in OpenVPN as Bypass Domains).

2.) Browse to tvheadend WebGUI with Safari and Chrome works. Also if I insert the copied link from tvhclient. (But can't play video ... think this is a browser thing.. wrong format or something like this? -> Shows a strikethrough Play sign).

3.) In log there is nothing. Nothing on proxy and also nothing in tvheadend logs. It look like the player doesn't send https:// requests at all :(

Proxy is squid on port 8080 and works for http and https traffic without any issues. Other streaming services are working. Anyway.. the traffic should never pass the proxy because of the "Bypass_URL" settings in OpenVPN and there is nothing in the squid logs that indicated such traffic requests. (No access and no error logs for this).

[vistalba]

Additional Info: If I use "iOS-Player" in tvhclient and a supported profile like "pass" in my case I can stream with OpenVPN and with proxy settings enabled.

So there is definitely no connectivity issue between the app and the tvheadend server. Requests are also not using the proxy (because of the bypass config).

So my guess is, that something with the vlc player isn't working correctly.

[zipleen]

So I'm a bit lost.. are you saying that dhcp-option PROXY_BYPASS whatever.com whatever.com is your tvheadend server and thus the PROXY is bypassed to access tvheadend ?

That's even more obfuscated config than just using a proxy!

Well, if VLC and infuse have the same issue you might open a support ticket on vlc. This might be an issue with having a proxy setting but having the option to ignore it ?

Or I'm now very confused.

edit: but if tvhclient connects correctly, but it's just VLC that does not stream then if you get the issue fixed in vlc, tvhclient will also be fixed

[vistalba]

Okay.. I will try to explain you my setip.

I have a LAN and a VPN Zone.

tvheadend is running as docker container behind traefik ingress controller on host1. squid with squidguard is also running as a docker container on host1. (without traefik ingress)

Internet access from LAN and VPN zone is only possible trougth the proxy. So they all have proxy settings. If clients from LAN or VPN zone connect to the LAN then they don't need the proxy. So I've configured a bypass for the whole internal domain space.

tvheadend is running on a domain in this internal domain space, so proxy settings in openvpn are applied for internet traffic but internal traffic goes direct to the destination system.

In this case, the vlc, infuse and tvhclient does not correctly work with configured proxy (proxy.pac) confiuration. Then they won't connect at all for streaming. If I use iOS Build-in player in tvhclient, it work (if I select a supported codec profile to transcode the steam).

So we can say:

Player	LAN (same subnet)	OpenVPN without Proxy	OpenVPN with Proxy**
tvhclient	yes	yes	no***
vlc	yes	yes	no***
infuse	no	no	no
iOS Build-in	yes*	yes*	yes*

If supported codecs are used (transcoding to: mpeg-ts, h264, aac audio) Config lines from OpenVPN server: push "dhcp-option PROXY_BYPASS whatever.com"; push "dhcp-option PROXY_HTTP 10.10.10.10 8080"; push "dhcp-option PROXY_HTTPS 10.10.10.10 8080"; push "dhcp-option PROXY_AUTO_CONFIG_URL https://proxy.whatever.com/proxy.pac"; No request visible in tvheadend logs or proxy access log. Looks like the player won't connect at all.

Edit: Added table and additional infos.

[zipleen]

I think your issue is the PROXY_BYPASS in vlc, which might have a bug somewhere in their code and it's trying to go through the proxy, instead of directly accessing it.

Double check with "copy to clipboard" to see if the url is indeed the domain that you set to bypass. If it is (which probably is because tvhclient is able to connect), then you should probably open a bug in VLC and get it fixed there.

Once VLC gets that fixed, tvhclient will be fixed. (tvhclient does NOTHING special to vlc, it's exactly the same code as VLC and uses VLCKit which bundles everything - thus I have no access to the network code at all).

edit: and you must make a differentiation between tvhclient CONNECTING to the server and tvhclient using the internal VLC to start a stream. All the code to CONNECT to the server (i.e display the channels, check recordings, view the EPG) is done by tvhclient, but everything after you click the "internal vlc" button is VLC code.