Wayk Now : problem with lan proxy

Hi Mario,

Can you activate the logs in Wayk Now, reproduce the issue with your LAN proxy, and send back the logs? You can find information on how to do so in the manual: https://helpwayk.devolutions.net/index.html?options_advanced.htm

We currently don't have explicit support for proxy servers, but this is something we have on our backlog. If you can tell me which proxy server you are using, it would be helpful.

The connection to the Wayk Den uses the secure WebSocket protocol, a standard protocol designed to look like HTTPS except that it is stateful.

The first thing I will try to determine is if the connection is blocked because it didn't go through the proxy, or if the connection was intercepted (and possibly modified) by the proxy for deep packet inspection purposes like we've seen with some advanced products. I should be able to tell the difference just by looking at the logs.

Best regards,

Thanks for your reply, here's the log in DEBUG level, I think you should get proxy settings directly from OS or put a new setting inside Wayk Now, actually our lan proxy supports standard protocols like http, https, socks v4 and v5 , etc..... it's a simple Windows program : CCPROXY, for more info their web site is :

http://www.youngzsoft.net/ccproxy/

Please let me know if you need more logs or tests.

Thanks again.

regards

Hi Mario,

Thank you for your quick response. Just looking at the logs, it appears to me that explicit proxy support is mandatory in your case. We are currently setting up a new lab environment to properly test such networking scenarios and enhance support for proxy environments.

We are currently working hard on fixing issues reported by Wayk Now 3.0 beta testers but I will see that we increase the priority on this specific task.

Best regards,

Ok, thanks, let me know if you need more tests also on beta version, or translation in Italian language of your program if you need that.

Regards

PS : I don't find on your web site the download for beta 3 release....

Hi Mario,

The original download links have been sent to those who registered for the beta, but you can find the beta builds here:
https://devolutions.bintray.com/wayk-unattended/

As for the translation, I attached the current English json file that you can translate to Italian if you wish to do it :)

Since Italian is currently not listed in our UI, you can simply rename it to "fr.json" and copy it to "%AppData%\Wayk\locales\fr.json" and select "French" as your language. From there, you can edit the fr.json file and restart Wayk Now to see your Italian translations.

Best regards,

I confirm you that also last beta version doesn't work with proxy (as you say....)


However please find attached log (trace) if you need it.

I'm working on Italian translation.....

Thanks, regard

> As for the translation, I attached the current English json file that you can translate to Italian if you wish to do it :)
>

> Since Italian is currently not listed in our UI, you can simply rename it to "fr.json" and copy it to "%AppData%\Wayk\locales\fr.json" and select
> "French" as your language. From there, you can edit the fr.json file and restart Wayk Now to see your Italian translations.

I attach the Italian translation, but I'm not sure about it because I was not able to test / debug it on Wayk program, I don't find the path with *.json files on my machine ! I search also all disk content but no fr.json or other file similar on it (please look at wayk.txt for all files and dir I find under the %appdata% path : where I find the txt logs in the past).

Please tell me how to test the Italian language... do I need a special executable for that ? I tried both the portable and the MSI installer of Wayk but no path for json file appears on file system.

Thanks.


Regards

Hi Mario,

I got it working here, there were two small issues in the file that broke JSON parsing. You can use a site like jsonlint.com to validate the JSON formatting and avoid errors in the future. I attached a fixed it.json file so you can try it :)

As for the %AppData%\Wayk\locales directory, it is not created by default, you just have to create it manually.

To test, you can either copy "it.json" inside that directory and then manually edit %AppData%\Wayk\WaykNow.cfg and edit the following line:

"Language": "it",

After which you can restart the application. You will need to restart the application every time you want to reload your modifications.

Alternatively, you can select an existing language in the UI, such as French, and rename "it.json" to "fr.json" such that your Italian translations will get picked up instead. As we integrate your Italian translations, we will add "Italian" to the list of languages in the UI.

Best regards,

Ok, I tested the Italian translation on Windows Wayk program and for me it's ok, you can use it in next releases.


I attach the json file here.


Please advise me when you'll release a beta Wayk with Lan proxy support so I can test it in our environment.

Thanks for your porgram and your support.

Regards

Hi Mario,

Thank you for the Italian translation, we will integrate it in the 3.0 release :)

As for the LAN proxy support, I can't make any promises, but we're working on it. There is one thing I am wondering: does everything need to go through the proxy, or is it only with connections to port 80/443 (HTTP/HTTPS)? The first thing I would adapt to go through the proxy would be the Wayk Den connection, but I am wondering if we need to make the remote desktop connection itself go through the proxy as well. If possible, I would recommend against forcing the remote desktop connection to go through the proxy for performance reasons.

You can try a direct connection using the IP address or machine hostname on the local network to see if it works with your proxy. Direct Wayk Now connections use TCP/4489. Connections done through the Wayk Den are UDP based with a port that changes every time, similar to WebRTC peer-to-peer connections.

Best regards,

In out Lan every clients pc goes out on Internet via proxy, any Tcp or Udp port should go via proxy.

Normally we use standard ports like 80-443-21 and so on and when we need that a client use stange ports the better way is to sockify the program, we simply set the program to use SOCKS protocol on port 1080 and the program "tunnels" its protocols over this port via proxy.

Probably the best way to test your app is to install a proxy on your test Lan and try, there're a lot of free proxy programs for windows or Linux, also our CCProxy program is free with 3 users limit (http://www.youngzsoft.net/ccproxy/), so you can install it on any Windows pc and make some tests.

FYI : many remote control programs like TeamViewer, Anydesk or Supremo are able to work with proxy without socks but only on standard port like http or https I presume... (I personally tested them on my lan and some programs like TV get automatically proxy settings from Windows and use them, other need a proxy set in their parameters); I'm not a programmer (I'm a sys admin / blogger) but I think the right way is to "tunnels" your protocols over standard port when you get a proxy on Lan, in this way the program runs immediately and it's trasparent to end user.

Don't hesitate to contact me if you need some tests....

Regards

Hi Mario,

Thank you for the insight. I managed to get an initial connection to the Wayk Den using a SOCKS5 proxy today. I still need to improve the code robustness and implement the multiple SOCKS variants and then look into the HTTP proxies. If initial proxy support isn't ready for the 3.0 release, it should normally be available in a minor release not very long after.

As for using the proxy for peer-to-peer connections (UDP-based), I would expect it to require more work. One thing for sure is I will set up a lab environment with ccproxy to make some experiments and see how the other products behave in such a case. I don't even know how the standard WebRTC peer-to-peer connections operate with proxies, I am curious to see how it works. We're not using a standard form of WebRTC, but we are logically equivalent to it, so whatever affects WebRTC should normally apply to us as well.

Best regards,

Hi Mario,

Just a quick update on this: I have initial support for SOCKS4/SOCKS4A/SOCKS5/SOCKS5H + HTTP/HTTPS proxies and I have tested with ccproxy. My code currently detects the same environment variables that tools like curl accept, but I have no idea yet how to detect system proxy settings for Windows.

If you can tell me the way you configured system-side proxy settings for Windows, I would make sure to add code to detect the configuration from the same place. One other thing: do you need proxy authentication? I didn't get the time to implement it yet.

Best regards,

I attach my proxy settings for "normal" client (proxy1, usually only web navigation) or "full" client (proxy2 with socks support).

I think you can get proxy set from a Windows machine with this commands :

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | find /i "proxyserver"

or


netsh winhttp show proxy

We don't use authentication on our proxy, we use pc Mac addresses to categorize them, so we use the internal hardware address of nic to authorize a pc on proxy, but on other environments probably someone use authentication, in Windows Server lans probably AD users....

Regards

Hi Mario,

We have just released the Wayk Now 3.0 beta8 build, with initial support for proxies:

https://forum.devolutions.net/topic30635-wayk-now--unattended-mode-beta.aspx

Best regards,

I tested beta8 but I was not able to make a connection with a Windows 7 prof 64 bit pc.... please could you send me an image of your internet settings in control panel so I can check them ?

thanks, regards

Hi Mario,

Were you able to connect to the Wayk Den first, or was it only the direct connection that failed? For the moment, I only enabled the proxy support for the Wayk Den connection. As for the Wayk Now to Wayk Now connection, it would be possible to enable proxy support for direct connections using the hostname or IP address, but it would not yet be possible to do so with peer-to-peer connections done using the Wayk Den.

Let me know which part did not work, and if you are trying a direct connection using the IP or hostname.


Best regards,

I'm able to connect over local lan with hostname / IP address, but when I try a remote connection I get always the messages :

- Connecting to Wayk Den
- Disconnected from Wayk Den
and Source ID is empty.....
I attach some screenshots.
Regards

Hi Mario,

Can you enable the logs using these instructions?

There is a good chance that I should be able to figure out what goes wrong from the logs alone.

You can send the logs to support@devolutions.net

Best regards,

Hi Mario,

Sorry for the late reply. I have looked at the logs, and it looks like we did not detect proxy settings. Can you export the registry keys under "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ? We parse "ProxyEnable" and "ProxyServer" under that registry key on Windows to detect proxy settings. If you export it as a .reg, I would be able to simulate detecting the same proxy settings on my side and ensure that it works. You can send them here or send them to support@devolutions.net. If this isn't the correct registry key, please point me to the right one.


Best regards,

No problem, it's not an urgent matter, you're stiill in beta, so... we can make all tests.

I think the problem is in registry, I don't find the proxy setting ip server under HKCU but in HKLM, I attach the exported reg files so it will be clear, sincerely I don't understand why proxy settings is present both on local user and local machine registry paths.....

I made a full search on registry to find every key where my proxy IP appears, I attach all files here.

Thanks for your support and good work

Hi Mario,

We released Wayk Now 3.0.0 on November 2nd and 3.0.1 on November 12th :) We are no longer in beta.

As for the proxy settings, I will modify the logic to check HKCU and then HKLM, which should make it work. I don't know when Windows decides to store it in one or the other, but checking both, in order, should work fine.

Until this is fixed, you can also try setting the same key in HKCU and see if it works. Otherwise, you can wait until we release a fix to check both places.


Best regards,

Hi,

I did my first try with Wayk Now v3.0.3 and I have the problem, that it can't connect.
We are forced here to use a proxy and it seems (debug logs) to find the right one but fails with the following:

setsockopt
curl_easy_perform (ipify)

But if I enter those 4 addresses (i.e. https://icanhazip.com) to get the public ip into a browser using our proxy it show the ip.

[11:09:25:720] [5944:00001598] [WARN][NowTcp] - setsockopt(SOL_TCP, TCP_KEEPCNT) failed
[11:09:25:720] [5944:00001598] [WARN][NowTcp] - setsockopt(SOL_TCP, TCP_KEEPINTVL) failed
[11:09:25:720] [5944:00001598] [WARN][NowTcp] - setsockopt(SOL_TCP, TCP_KEEPCNT) failed

[11:09:25:720] [5944:00001598] [WARN][NowTcp] - setsockopt(SOL_TCP, TCP_KEEPINTVL) failed

...

[11:09:33:236] [5944:00001598] [WARN][NowNat] - curl_easy_perform failure: Couldn't connect to server
[11:09:33:236] [5944:00001598] [DEBUG][NowNat] - ipify (https://api.ipify.org/) status: -1002
[11:09:37:939] [5944:00001598] [WARN][NowNat] - curl_easy_perform failure: Couldn't connect to server
[11:09:37:939] [5944:00001598] [DEBUG][NowNat] - ipify (https://ipinfo.io/ip) status: -1002
[11:09:42:939] [5944:00001598] [WARN][NowNat] - curl_easy_perform failure: Timeout was reached
[11:09:42:939] [5944:00001598] [DEBUG][NowNat] - ipify (https://icanhazip.com) status: -1002
[11:09:47:939] [5944:00001598] [WARN][NowNat] - curl_easy_perform failure: Timeout was reached
[11:09:47:939] [5944:00001598] [DEBUG][NowNat] - ipify (https://devolutions.net/getpublicip.ashx) status: -1002
[11:09:47:939] [5944:00001598] [WARN][NowDen] - Failed to fetch publicIp: -1002



Any idea what I could try?



I have renamed the IPs in the logs from Windows 10 / 2012 R2.

Hi,

As you have probably noticed from the logs, we are using libcurl internally to try and detect the external IP. I can see from the logs that the connection to the Wayk Den (WebSocket) worked with proper detection of the proxy settings from Windows. libcurl, just like curl.exe, doesn't detect proxy settings from the regular location on Windows and checks for the "http_proxy" or "https_proxy" environment variable.

Our code to detect proxy settings sets the "https_proxy" environment variable inside the process such that calls to libcurl will use the proxy. One way to debug this issue would be to try and use curl.exe on Windows, passing it explicit command-line arguments for your proxy settings. My guess is we probably don't produce an https_proxy environment variable string that libcurl processes correctly, so we can simulate the same issue with curl.exe.

You can find curl for Windows here:
https://curl.haxx.se/windows/

And instructions on how to pass proxy settings to curl here:
https://ec.haxx.se/usingcurl-proxies.html

The value of the https_proxy environment variable set by Wayk Now after detection of proxy settings from the Windows registry corresponds to the value in the log shown in the "[DEBUG][NowProxy] - proxyUrl:" line.

Start by trying to reproduce the issue with curl.exe. If you can reproduce it, it's good, we just need to figure out an alternative format for the https_proxy environment that will get picked up correctly.

Best regards,

Thanks, that was quick.

Yes the generated proxy URL is the problem, because the proxy is only working with http:// not https://:

curl -x http://proxy.x.x.com:8080https://icanhazip.com
xx.xx.xx.xx

curl -x https://proxy.x.x.com:8080https://icanhazip.com

curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number


...
Update:

I manually set the environment variable https_proxy in a commandline window and then started wayk from there and it does connect to the Den successfully!

But I am unable to establish a connection between two of my systems, when I try to connect to the target ID 5xx xxx it shows the "Initiating remote connection ..." and then closes it again without any further message.

Could not attach the log to the previous message for some reason ...

Hi,

From the logs you provided, it looks like UDP traffic is blocked. Can you provide more details on the proxy server enforced in your network environment?

Best regards,

Yes we have many networks separated with firewalls and proxy servers, there is nearly blocked everything in most networks.
So there is no tunneling currently possible over http(s) + Proxy + Den as far as I heave read?

Wayk Now still needs a "direct" connection for the UDP packets ... so yeah, this will not work here, it would need to go over the proxy.


As firewalls we mostly use Cisco ASA, but what exactly the proxy is, I don't know right now, could be some Squid based or some professional appliances.
I can tell that it uses "Blue Coat Web Filter".


Maybe I can get the details. I will try to find out.

Hi,

Please try to get the details about the proxy server, it will make it easier to investigate potential options that could work with it. One thing I would like to know is if it supports SOCKS5 in addition to HTTP proxying (SOCKS works with HTTP, but "true" HTTP proxies only work with HTTP).

We have developed a prototype TCP relay server protocol in hope of improving support for cases where UDP traffic gets blocked. It is not yet production ready, but we could look into getting you to test it in your environment. However, if your network environment requires explicit proxy support (the application is fully aware of the proxy and connects to it directly), we would need to make further improvements before it could work. If your proxy is "transparent", meaning applications don't need to be fully aware of proxy settings, we could look into getting a prototype ready for testing next week.

Best regards,

I got the type of our proxy it is: Symantec SSG900

Hi Mario

The 3.1 release is now available for download, and includes the option of using a TCP relay server.

The setting can be found under the "Connectivity" section - you need to enable "Prioritize relay servers for peer-to-peer connections". Note you only need to enable the setting on one "side" of the connection (you do not have to instruct the remote user to change anything).

I would recommend you to give this a try in your environment :)

Thank you for your patience.

Hi, jsut to add: for me 3.1 was still not working.
But I expect I need "explicit proxy support" so I will have to wait a bit longer then.
Let me know if there is something new to test.

Hi,

The "Prioritize relay servers for peer-to-peer connections" has explicit proxy support and requires port TCP/8080 outgoing to be allowed through the proxy on both sides. This new peer-to-peer connectivity option requires both the client and server to be using 3.1.0. If it still doesn't work, the first step would be to collect the logs to see if we correctly detected the proxy settings from the system: https://helpwayk.devolutions.net/index.html?kb_logs.htm

Best regards,

Tried last 3.1 release but I'm still not able to connect via proxy with Wayk, I tried also the new "Prioritize relay servers for peer-to-peer connections" option but with no success.
Here the captured log.

I think you should add a specific proxy option in your program, so we'll be able to "force" some settings here like proxy address, port to use, authentication, socks, etc......

Thanks for your support.

Regards

Hi,

Looking at the logs, the detected proxy url ("https://" with no hostname and port) appears to be incorrect, causing a connection failure to the proxy. Can you provide more details on what version of Windows (or other OS) you are using, and how exactly the proxy settings have been configured?

Wayk Now searches for "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer" under HKEY_CURRENT_USER and then HKEY_LOCAL_MACHINE, and parses the registry key value to figure out where the proxy server is. Can you extract both registry keys (if available) such that we can figure out what possibly went wrong with the proxy settings detection?

Best regards,

The machine is a win10 pro 64 bit pc, my proxy is 192.168.2.232:8080 for web and 192.168.2.232:1080 for socks, our proxy don't use authentication, it checks machine mac address to authorize or not.


Please find attached registry export and internet settings screenshot.

Regards

Hi,

I think I can see what the problem is. We currently check for the presence of the ProxyServer registry key in HKEY_CURRENT_USER and then HKEY_LOCAL_MACHINE, and pick the first one available. However, your real settings are stored in HKEY_LOCAL_MACHINE but you have a bogus registry key in HKEY_CURRENT_USER ("ProxyServer"="").

A quick workaround would be to rename "ProxyServer" to something else like "ProxyServerOld" under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings] such that the ProxyServer registry key from HKEY_CURRENT_USER won't get picked up by Wayk Now.

Best regards,

OK, I understand, effectively is strange that there's no proxy setting under HKCU, I manually modify the HKCU registry key with my correct proxy setting, enabled the "Prioritize relay servers for peer-to-peer connections" option in Wayk and not it works perfectly !

One suggestion : probably in next Wayk releases is better to check both registry location (HKLM and HKCU) and if one of these locations contain a value for the ProxyServer key (is not empty like in my case....) you should use it for Wayk.

However you make a great program !

Thanks again for your support.

Regards

I'm testing Wayknow free 3.2.0 but I get problems using it with proxy, I'm running it on a win7 prof machine, same proxy, same settings, but it's not able to get a valid ID; the message is "Connecting to Waykden......."

I check proxy key in registry and they are ok (HKCU has proxy, HKLM no), I attach here log for debug.
I make also a try with a direct internet connection (no proxy) and the new release works, I remember that old one 3.1.x worked with proxy....


To solve this proxy problems probably is better to explicit proxy setting in Wayknow parameters and use standard TCP protocol to get out, example http, https, etc.....


I have also another bug / feature request : when you connect to a remote machine and the disconnect, on host machine the Wayknow password change immediately, instead with Teamviewer a dynamic generated password doesn't change until you force a manual change or you close and re-run the program.
Probably is better TV in this way because if you lost connection (for example for poor internet connection) then you'll never be able to re-connect to wayknow host because in the meantime the password is changed ! The dynamic generated password for an ID should change only forced or when you run the program with a new istance.


Thanks, regards

Hello

To answer your question regarding the password auto-reset - this is a security feature, however it is possible to opt-out of that behaviour in two ways:

1 - Set a custom password in the Options window (under Security > Password Type)
2 - There is an undocumented setting to control this as well. You need to add the key "GeneratedPasswordAutoReset" to the configuration file, with a value of false.

You can add the key directly to the config file (%APPDATA%\Wayk\WaykNow.cfg for the standalone client, %PROGRAMDATA%\Wayk\WaykNow.cfg for the unattended service) or execute the following command:

[path-to-wayk-now]\WaykNow.exe config GeneratedPasswordAutoReset false

If you have installed the unattended service, you can use the alias 'wayk-now' and pass the --global switch to configure it system-wide. So, for example:

wayk-now config --global GeneratedPasswordAutoReset false

Note that will require you to run from an elevated command prompt.

I hope that helps, if you have any questions please let us know!

Hello again

With regard to the connection issue, the problem is caused by stricter certificate validation in 3.2 which we didn't test with proxies afterwards. I've opened a ticket for that and will post back here once we have some more information.

In the meantime, the best option will be to continue with 3.1.1. I'm sorry for the inconvenience.

Hello again

We've fixed this issue internally and that will be available in the next release. I'll post back here once that's available. We will validate future certificate validation changes using a proxy server.

Sorry again for any inconvenience,

Hello

Version 3.2.1 is now available and includes a fix for this issue.

Please let us know if you have further questions or problems!

Best regards,

Sorry, but there're still problems with proxy and last release 3.2.1, no connection, no wayk source ID generated, here the log.....

Regards

Hi,

Did you forget to attach the logs to your last reply? We did find an issue with the proxy certificate validation (we tested with ccproxy) but it sounds like you are encountering another problem.

Sorry, here the log

Hello

Thanks for sending the log through.

Indeed, as Marc suggested, it looks like you are encountering another problem than the one we fixed in 3.2.1.

We did validate 3.2.1 using ccproxy on a test LAN, and it worked well for us. Are you still using ccproxy at your end, or something else?

It's possible that we configured something to prevent breakage on our side, or you are using ccproxy differently to us.

Is your proxy / configuration doing anything like replacing TLS certificates?

What would be really helpful is a Wireshark capture while you reproduce the issue (i.e. start the Wayk Now client, wait a few moments while it tries to connect to Wayk Den a couple of times). If possible, you can send the capture to support@devolutions.net.

Let me know if you have further questions or comments, and sorry once again for the inconvenience. We do appreciate your help while we improve our proxy support.

Thanks,

Hello

We suspect this issue was caused by a proxy server using a custom root TLS certificate. Wayk Now 3.3.0 is now available, and should load custom root certificates from the system certificate store. If you continue to experience issues with the latest version, please let us know.

Thanks and kind regards,