# MITM Proxy Troubleshooting Guide ## ERR_TUNNEL_CONNECTION_FAILED Error This error typically occurs when the browser cannot establish a secure tunnel through the proxy. Here are the most common causes and solutions: ### 1. Certificate Issues **Problem**: The CA certificate is not properly installed or trusted by the browser. **Solutions**: - Run the program as Administrator to ensure certificate installation - Manually verify certificate installation: ```cmd certlm.msc ``` Check if "Charles Proxy CA" appears in "Trusted Root Certification Authorities" - If certificate installation fails, try: ```cmd certutil -addstore -f "Root" CA.crt ``` ### 2. Proxy Configuration Issues **Problem**: System proxy is not properly configured or there are conflicting proxy settings. **Solutions**: - Verify proxy settings in Windows: - Go to Settings > Network & Internet > Proxy - Ensure "Use a proxy server" is enabled - Check that proxy address is `127.0.0.1:8080` - Clear existing proxy settings: ```cmd netsh winhttp reset proxy ``` ### 3. Firewall/Antivirus Blocking **Problem**: Security software is blocking the proxy connections. **Solutions**: - Temporarily disable Windows Firewall - Add exception for the proxy program in antivirus software - Add exception for port 8080 ### 4. TLS Handshake Issues **Problem**: The proxy cannot properly negotiate TLS connections. **Solutions**: - The updated code now includes: - Better TLS handshake handling - Fallback to transparent proxy mode - Improved error logging - Connection timeouts ### 5. Testing and Debugging Use the built-in test mode to verify connectivity: ```cmd # Run with test flag go run . -test ``` This will: - Start the proxy server - Test HTTP and HTTPS connections - Show detailed error messages - Help identify the specific issue ### 6. Common Error Messages and Solutions **"TLS handshake failed"**: - Certificate not trusted by browser - Try accessing a simple HTTP site first - Check certificate installation **"Failed to connect to target server"**: - Network connectivity issue - DNS resolution problems - Target server blocking connections **"Write error" or "Read error"**: - Connection interrupted - Network timeout - Proxy overloaded **HTTP Redirects (302/301) Issues**: - ✅ FIXED: Proxy is now completely transparent - All redirects are passed through exactly as-is - Browser handles redirects automatically - No interference with redirect chains ### 7. Manual Testing Steps 1. **Test without proxy**: ```cmd curl https://httpbin.org/ip ``` 2. **Test with proxy**: ```cmd curl --proxy 127.0.0.1:8080 https://httpbin.org/ip ``` 3. **Test certificate**: ```cmd curl --proxy 127.0.0.1:8080 --insecure https://httpbin.org/ip ``` ### 8. Browser-Specific Issues **Chrome**: - Clear SSL state: Settings > Privacy and security > Security > Manage certificates > Clear SSL state - Disable certificate transparency checks temporarily **Firefox**: - Import certificate manually: Settings > Privacy & Security > Certificates > Import - Disable OCSP checking temporarily **Edge**: - Same as Chrome (uses Windows certificate store) ### 9. Advanced Debugging Enable verbose logging by modifying the code to show more details: - Connection attempts - TLS handshake details - Certificate validation steps - Network I/O operations ### 10. Alternative Solutions If the proxy still doesn't work: 1. **Use transparent mode only**: Modify code to skip TLS termination 2. **Use different certificate**: Generate new certificates with proper SAN fields 3. **Use different port**: Change from 8080 to 8081 or 3128 4. **Bypass problematic domains**: Add exceptions for specific sites ## Getting Help If none of these solutions work: 1. Run with `-test` flag and save the output 2. Check Windows Event Viewer for errors 3. Use Process Monitor to see file/registry access issues 4. Provide the exact error message and browser version