Proxy support for Windows with moproxy #4013

Closed
tperale opened this issue Feb 22, 2023 · 1 comment
tperale commented Feb 22, 2023

Problem Description

I've been working for the past month on the support of proxies for the Windows version of rancher-desktop. It has been a known issue for a long time that you can't use rancher-desktop with a corporate proxy in Windows because WSL does not take the proxy settings of the host into account. Here is a list of some issues related to proxy in Windows:

If you use rancher-desktop behind a proxy you can't:

  • Install it, because you need to pull docker container during the installation
  • Run it because you get an error from kubernetes.
  • Do a docker pull/push

There have been different proposals in GitHub issue discussions about how to use a proxy with rancher-desktop:

  • Setting http_proxy, https_proxy in WSLENV. This will create an error from kubernetes.
  • Using wsl-vpnkit
  • Setting the variable in rc.conf

Proposed Solution

None of the solutions proposed really worked. Using WSLENV introduces the error with kubernetes and will share the proxy variable with every WSL VM. Based on discussion I had in the rancher-desktop Slack, I opted for a solution based on the usage of a proxy running inside WSL that could be programmatically enabled/disabled to catch the network traffic and forward it to an HTTP proxy.

My changes to the rancher-desktop-wsl-vm and rancher-desktop code are available here:

My solution is based on a piece of software named moproxy, installed on WSL as a service, that handles the connections and transmission of packets to an HTTP proxy. The traffic from the network interface is redirected to moproxy using iptables, so any type of filtering on ports/addresses is supported.

flowchart  LR;
 subgraph VM["WSL VM"]
   direction LR
   apps{{"Apps"}}
   subgraph vmIptables["iptables"]
   direction LR
     rules{"Rules"}
   end
   moproxy["moproxy"]
   apps -- TCP --> rules
   rules --> moproxy
 end
 proxy((("Proxy")))
 moproxy --> proxy

I also made changes to the rancher-desktop graphical interface to make the proxy configurable from the rancher-desktop settings page or during the first run. For now my changes are only available in the WSL settings page, but in the future they could probably be ported to other platforms.

[Image: settings]

[Image: firstrun]

Changes to the proxy configuration take effect immediately after clicking on Apply, without having to restart the backend like the other changes in settings.

Additional Information

Recently there has been some activity on the GitHub issues to port the network stack to work with gvisor-tap-vsock (see Epic: Incorporate gvisor into Rancher Desktop's networking stack). I'm waiting for the release of this experimental feature in rancher-desktop 1.8 to see how gvisor-tap-vsock can work with a proxy and if my changes are still required.

flowchart  LR;
 subgraph VM["VM"]
   direction LR
   apps{{"Apps"}}
   subgraph vmIptables["iptables"]
   direction LR
     rules{"Rules"}
   end
   moproxy["moproxy"]
   vmSwitch["VM Daemon Switch"]
   apps -- TCP --> rules
   rules --> moproxy
   moproxy -- TAP --> vmSwitch
 end
 subgraph host["Host"]
   hostSwitch["Host Switch"]
 end
 vmSwitch -- VSOCK --> hostSwitch
 proxy((("Proxy")))
 hostSwitch -- CONNECT --> proxy
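
An added sketch of the iptables side of the design described in the issue above (not code from the issue or from the linked rancher-desktop changes): it prints, without applying, a NAT ruleset that redirects locally generated TCP to a transparent proxy listener while the proxy's own upstream traffic and private ranges bypass the redirect. The listen port, service account, chain name and bypass ranges are assumptions.

```shell
#!/bin/sh
# Added illustration: emits iptables commands as text; nothing is applied.
# All values below are assumed for the example, not taken from the issue.
PROXY_PORT=2080        # assumed local listen port of the transparent proxy
PROXY_UID=moproxy      # assumed service account the proxy runs as
BYPASS_CIDRS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
CHAIN=PROXY_REDIRECT   # hypothetical dedicated chain, so disabling is one flush

emit_enable_rules() {
    echo "iptables -t nat -N $CHAIN"
    # The proxy's own upstream connections must not be redirected back
    # into the proxy, otherwise every connection loops.
    echo "iptables -t nat -A $CHAIN -m owner --uid-owner $PROXY_UID -j RETURN"
    # Loopback and private destinations are reached directly.
    for cidr in $BYPASS_CIDRS; do
        echo "iptables -t nat -A $CHAIN -d $cidr -j RETURN"
    done
    # Remaining TCP is handed to the proxy listener.
    echo "iptables -t nat -A $CHAIN -p tcp -j REDIRECT --to-ports $PROXY_PORT"
    # Hook the chain in last, once it is fully populated.
    echo "iptables -t nat -A OUTPUT -p tcp -j $CHAIN"
}

emit_disable_rules() {
    # Unhook first so no packet traverses a half-flushed chain.
    echo "iptables -t nat -D OUTPUT -p tcp -j $CHAIN"
    echo "iptables -t nat -F $CHAIN"
    echo "iptables -t nat -X $CHAIN"
}

# Reads a ruleset on stdin; succeeds only if no RETURN (bypass) rule
# appears after the REDIRECT rule, where it would never be evaluated.
bypass_precedes_redirect() {
    awk '/-j REDIRECT/ {seen=1} /-j RETURN/ && seen {bad=1} END {exit bad+0}'
}

emit_enable_rules
```

Rule order is the part that matters: a bypass rule placed after the REDIRECT is never reached, and omitting the owner match sends the proxy's own connections back into itself.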
gaktive commented Jun 5, 2023

Work for this is being tracked in #4603 so closing this as a sorta duplicate.

gaktive closed this as completed Jun 5, 2023