Files
codex-oauth-plus-onboarding…/skill/codex-oauth-plus-onboarding/references/openai-lan-proxy-endpoint-probe-2026-05-08.md
T

3.3 KiB
Raw Blame History

OpenAI/ChatGPT Proxy Endpoint Probe Notes — 2026-05-08

Context

During Codex/OpenAI OAuth prerequisite testing, BOSS asked to verify direct browser access and then explicit LAN proxy endpoints:

  • socks5://192.168.2.8:1085 (tested as socks5h:// so DNS resolves through proxy)
  • http://192.168.2.8:1084

The Mac had local IP 192.168.2.69/24, default route via 192.168.2.8, and an ARP entry for 192.168.2.8, but ICMP/TCP to the gateway/proxy endpoint failed.

Observed failure signatures

System/browser without working proxy:

chatgpt.com -> polluted IPs such as 202.160.128.16 / 199.59.150.40 / 2a03:2880:...
accounts.openai.com -> polluted IPs such as 192.133.77.189 / 128.121.146.109 / 2a03:2880:...
Chrome: ERR_CONNECTION_CLOSED
curl: LibreSSL SSL_connect: SSL_ERROR_SYSCALL

Explicit SOCKS5/HTTP proxy endpoint unavailable:

ping 192.168.2.8 -> sendto: No route to host / 100% packet loss
nc -vz -w 5 192.168.2.8 1085 -> No route to host
curl --proxy socks5h://192.168.2.8:1085 https://chatgpt.com/ -> Failed to connect
nc -vz -w 3 192.168.2.8 1084 -> No route to host
curl --proxy http://192.168.2.8:1084 https://chatgpt.com/ -> Failed to connect

Route/ARP could still look superficially valid:

default gateway: 192.168.2.8
192.168.2.8 at <mac> on en0 ifscope
local IP: 192.168.2.69

Do not mistake this for a ChatGPT/OpenAI auth bug or extension bug. If the LAN proxy endpoint itself is unreachable, browser automation and OAuth should stop.

  1. Flush DNS cache only as a low-risk refresh:
dscacheutil -flushcache || true
killall -HUP mDNSResponder 2>/dev/null || true
  1. Check current DNS and detect pollution:
python3 - <<'PY'
import socket
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
    try:
        print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
    except Exception as e:
        print(host, 'ERR', e)
PY
  1. Test gateway and proxy endpoint before browser tests:
ping -c 2 -W 1000 192.168.2.8 || true
nc -vz -w 5 192.168.2.8 1085 || true
nc -vz -w 5 192.168.2.8 1084 || true
  1. For SOCKS5, use socks5h:// in curl so DNS is performed through the proxy:
curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/
curl --proxy socks5h://192.168.2.8:1085 --max-time 20 https://api.ipify.org
  1. For HTTP proxy:
curl --proxy http://192.168.2.8:1084 -I -L --max-time 30 https://chatgpt.com/
curl --proxy http://192.168.2.8:1084 --max-time 20 https://api.ipify.org
  1. Only launch a proxied browser or extension run after at least one proxy endpoint succeeds.

Interpretation

  • No route to host to the proxy IP/port means the local Mac cannot reach the LAN proxy service. Fix LAN/gateway/firewall/WiFi/VLAN/router first.
  • Connection refused means the host is reachable but no service is listening on that port or firewall actively rejects it.
  • HTTP 200/30x/403 Cloudflare challenge through the proxy is better than transport failure; browser testing can proceed, but CAPTCHA/security challenge may still require manual action.
  • Polluted system DNS may remain even while explicit socks5h:// works; in that case use browser --proxy-server=socks5://... or ensure PassWall2 DNS hijack/remote DNS is correctly applied.