coder
diff --git a/‎tailnet/conn.go
Lines changed: 17 additions & 7 deletions b/‎tailnet/conn.go
Lines changed: 17 additions & 7 deletions
diff --git a/‎tailnet/controllers.go
Lines changed: 59 additions & 10 deletions b/‎tailnet/controllers.go
Lines changed: 59 additions & 10 deletions
diff --git a/‎tailnet/controllers_test.go
Lines changed: 4 additions & 0 deletions b/‎tailnet/controllers_test.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎vpn/client.go
Lines changed: 154 additions & 0 deletions b/‎vpn/client.go
Lines changed: 154 additions & 0 deletions
@@ -14,6 +14,7 @@ import (
 
 	"github.com/cenkalti/backoff/v4"
 	"github.com/google/uuid"
+	"github.com/tailscale/wireguard-go/tun"
 	"golang.org/x/xerrors"
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/wrapperspb"
@@ -113,6 +114,8 @@ type Options struct {
 	DNSConfigurator dns.OSConfigurator
 	// Router is optional, and is passed to the underlying wireguard engine.
 	Router router.Router
+	// TUNDev is optional, and is passed to the underlying wireguard engine.
+	TUNDev tun.Device
 }
 
 // TelemetrySink allows tailnet.Conn to send network telemetry to the Coder
@@ -143,6 +146,8 @@ func NewConn(options *Options) (conn *Conn, err error) {
 		return nil, xerrors.New("At least one IP range must be provided")
 	}
 
+	netns.SetEnabled(options.TUNDev != nil)
+
 	var telemetryStore *TelemetryStore
 	if options.TelemetrySink != nil {
 		var err error
@@ -187,6 +192,7 @@ func NewConn(options *Options) (conn *Conn, err error) {
 		SetSubsystem: sys.Set,
 		DNS:          options.DNSConfigurator,
 		Router:       options.Router,
+		Tun:          options.TUNDev,
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("create wgengine: %w", err)
@@ -197,11 +203,14 @@ func NewConn(options *Options) (conn *Conn, err error) {
 		}
 	}()
 	wireguardEngine.InstallCaptureHook(options.CaptureHook)
-	dialer.UseNetstackForIP = func(ip netip.Addr) bool {
-		_, ok := wireguardEngine.PeerForIP(ip)
-		return ok
+	if options.TUNDev == nil {
+		dialer.UseNetstackForIP = func(ip netip.Addr) bool {
+			_, ok := wireguardEngine.PeerForIP(ip)
+			return ok
+		}
 	}
 
+	wireguardEngine = wgengine.NewWatchdog(wireguardEngine)
 	sys.Set(wireguardEngine)
 
 	magicConn := sys.MagicSock.Get()
@@ -244,11 +253,12 @@ func NewConn(options *Options) (conn *Conn, err error) {
 		return nil, xerrors.Errorf("create netstack: %w", err)
 	}
 
-	dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
-		return netStack.DialContextTCP(ctx, dst)
+	if options.TUNDev == nil {
+		dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
+			return netStack.DialContextTCP(ctx, dst)
+		}
+		netStack.ProcessLocalIPs = true
 	}
-	netStack.ProcessLocalIPs = true
-	wireguardEngine = wgengine.NewWatchdog(wireguardEngine)
 
 	cfgMaps := newConfigMaps(
 		options.Logger,
 
@@ -104,6 +104,7 @@ type WorkspaceUpdatesClient interface {
 
 type WorkspaceUpdatesController interface {
 	New(WorkspaceUpdatesClient) CloserWaiter
+	CurrentState() *proto.WorkspaceUpdate
 }
 
 // DNSHostsSetter is something that you can set a mapping of DNS names to IPs on. It's the subset
@@ -856,10 +857,14 @@ func (r *basicResumeTokenRefresher) refresh() {
 }
 
 type tunnelAllWorkspaceUpdatesController struct {
-	coordCtrl     *TunnelSrcCoordController
-	dnsHostSetter DNSHostsSetter
-	ownerUsername string
-	logger        slog.Logger
+	coordCtrl      *TunnelSrcCoordController
+	dnsHostSetter  DNSHostsSetter
+	updateCallback func(*proto.WorkspaceUpdate)
+	ownerUsername  string
+	logger         slog.Logger
+
+	sync.Mutex
+	updater *tunnelUpdater
 }
 
 type workspace struct {
@@ -902,18 +907,51 @@ type agent struct {
 }
 
 func (t *tunnelAllWorkspaceUpdatesController) New(client WorkspaceUpdatesClient) CloserWaiter {
+	t.Lock()
+	defer t.Unlock()
 	updater := &tunnelUpdater{
 		client:         client,
 		errChan:        make(chan error, 1),
 		logger:         t.logger,
 		coordCtrl:      t.coordCtrl,
 		dnsHostsSetter: t.dnsHostSetter,
+		updateCallback: t.updateCallback,
 		ownerUsername:  t.ownerUsername,
 		recvLoopDone:   make(chan struct{}),
 		workspaces:     make(map[uuid.UUID]*workspace),
 	}
-	go updater.recvLoop()
-	return updater
+	t.updater = updater
+	go t.updater.recvLoop()
+	return t.updater
+}
+
+func (t *tunnelAllWorkspaceUpdatesController) CurrentState() *proto.WorkspaceUpdate {
+	t.Lock()
+	defer t.Unlock()
+	if t.updater == nil {
+		return nil
+	}
+	t.updater.Lock()
+	defer t.updater.Unlock()
+	out := &proto.WorkspaceUpdate{
+		UpsertedWorkspaces: make([]*proto.Workspace, 0, len(t.updater.workspaces)),
+		UpsertedAgents:     make([]*proto.Agent, 0, len(t.updater.workspaces)),
+	}
+	for _, w := range t.updater.workspaces {
+		upw := &proto.Workspace{
+			Id:   UUIDToByteSlice(w.id),
+			Name: w.name,
+		}
+		out.UpsertedWorkspaces = append(out.UpsertedWorkspaces, upw)
+		for _, a := range w.agents {
+			out.UpsertedAgents = append(out.UpsertedAgents, &proto.Agent{
+				Id:          UUIDToByteSlice(a.id),
+				Name:        a.name,
+				WorkspaceId: UUIDToByteSlice(w.id),
+			})
+		}
+	}
+	return out
 }
 
 type tunnelUpdater struct {
@@ -922,14 +960,13 @@ type tunnelUpdater struct {
 	client         WorkspaceUpdatesClient
 	coordCtrl      *TunnelSrcCoordController
 	dnsHostsSetter DNSHostsSetter
+	updateCallback func(*proto.WorkspaceUpdate)
 	ownerUsername  string
 	recvLoopDone   chan struct{}
 
-	// don't need the mutex since only manipulated by the recvLoop
-	workspaces map[uuid.UUID]*workspace
-
 	sync.Mutex
-	closed bool
+	workspaces map[uuid.UUID]*workspace
+	closed     bool
 }
 
 func (t *tunnelUpdater) Close(ctx context.Context) error {
@@ -991,6 +1028,8 @@ func (t *tunnelUpdater) recvLoop() {
 }
 
 func (t *tunnelUpdater) handleUpdate(update *proto.WorkspaceUpdate) error {
+	t.Lock()
+	defer t.Unlock()
 	for _, uw := range update.UpsertedWorkspaces {
 		workspaceID, err := uuid.FromBytes(uw.Id)
 		if err != nil {
@@ -1056,6 +1095,10 @@ func (t *tunnelUpdater) handleUpdate(update *proto.WorkspaceUpdate) error {
 	} else {
 		t.logger.Debug(context.Background(), "skipping setting DNS names because we have no setter")
 	}
+	if t.updateCallback != nil {
+		t.logger.Debug(context.Background(), "calling update callback")
+		t.updateCallback(update)
+	}
 	return nil
 }
 
@@ -1128,6 +1171,12 @@ func WithDNS(d DNSHostsSetter, ownerUsername string) TunnelAllOption {
 	}
 }
 
+func WithCallback(cb func(*proto.WorkspaceUpdate)) TunnelAllOption {
+	return func(t *tunnelAllWorkspaceUpdatesController) {
+		t.updateCallback = cb
+	}
+}
+
 // NewTunnelAllWorkspaceUpdatesController creates a WorkspaceUpdatesController that creates tunnels
 // (via the TunnelSrcCoordController) to all agents received over the WorkspaceUpdates RPC. If a
 // DNSHostSetter is provided, it also programs DNS hosts based on the agent and workspace names.
 
@@ -1778,6 +1778,10 @@ type fakeWorkspaceUpdatesController struct {
 	calls chan *newWorkspaceUpdatesCall
 }
 
+func (*fakeWorkspaceUpdatesController) CurrentState() *proto.WorkspaceUpdate {
+	panic("unimplemented")
+}
+
 type newWorkspaceUpdatesCall struct {
 	client tailnet.WorkspaceUpdatesClient
 	resp   chan<- tailnet.CloserWaiter
 
@@ -0,0 +1,154 @@
+package vpn
+
+import (
+	"context"
+	"net/http"
+	"net/netip"
+
+	"github.com/tailscale/wireguard-go/tun"
+	"golang.org/x/xerrors"
+	"nhooyr.io/websocket"
+	"tailscale.com/net/dns"
+	"tailscale.com/wgengine/router"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/codersdk/workspacesdk"
+	"github.com/coder/coder/v2/tailnet"
+	"github.com/coder/coder/v2/tailnet/proto"
+	"github.com/coder/quartz"
+)
+
+type Client struct {
+	sdk *codersdk.Client
+}
+
+// NewClient creates a new VPN client.
+func NewClient(c *codersdk.Client) *Client {
+	return &Client{
+		sdk: c,
+	}
+}
+
+type DialOptions struct {
+	Logger          slog.Logger
+	DNSConfigurator dns.OSConfigurator
+	Router          router.Router
+	TUNDev          tun.Device
+	UpdatesCallback func(*proto.WorkspaceUpdate)
+}
+
+func (c *Client) Dial(dialCtx context.Context, options *DialOptions) (vpnConn Conn, err error) {
+	if options == nil {
+		options = &DialOptions{}
+	}
+
+	var headers http.Header
+	if headerTransport, ok := c.sdk.HTTPClient.Transport.(*codersdk.HeaderTransport); ok {
+		headers = headerTransport.Header
+	}
+	headers.Set(codersdk.SessionTokenHeader, c.sdk.SessionToken())
+
+	// New context, separate from dialCtx. We don't want to cancel the
+	// connection if dialCtx is canceled.
+	ctx, cancel := context.WithCancel(context.Background())
+	defer func() {
+		if err != nil {
+			cancel()
+		}
+	}()
+
+	rpcURL, err := c.sdk.URL.Parse("/api/v2/tailnet")
+	if err != nil {
+		return Conn{}, xerrors.Errorf("parse rpc url: %w", err)
+	}
+
+	me, err := c.sdk.User(dialCtx, codersdk.Me)
+	if err != nil {
+		return Conn{}, xerrors.Errorf("get user: %w", err)
+	}
+
+	connInfo, err := workspacesdk.New(c.sdk).AgentConnectionInfoGeneric(dialCtx)
+	if err != nil {
+		return Conn{}, xerrors.Errorf("get connection info: %w", err)
+	}
+
+	dialer := workspacesdk.NewWebsocketDialer(options.Logger, rpcURL, &websocket.DialOptions{
+		HTTPClient:      c.sdk.HTTPClient,
+		HTTPHeader:      headers,
+		CompressionMode: websocket.CompressionDisabled,
+	}, workspacesdk.WithWorkspaceUpdates(&proto.WorkspaceUpdatesRequest{
+		WorkspaceOwnerId: tailnet.UUIDToByteSlice(me.ID),
+	}))
+
+	ip := tailnet.CoderServicePrefix.RandomAddr()
+	conn, err := tailnet.NewConn(&tailnet.Options{
+		Addresses:           []netip.Prefix{netip.PrefixFrom(ip, 128)},
+		DERPMap:             connInfo.DERPMap,
+		DERPHeader:          &headers,
+		DERPForceWebSockets: connInfo.DERPForceWebSockets,
+		Logger:              options.Logger,
+		BlockEndpoints:      connInfo.DisableDirectConnections,
+		DNSConfigurator:     options.DNSConfigurator,
+		Router:              options.Router,
+		TUNDev:              options.TUNDev,
+	})
+	if err != nil {
+		return Conn{}, xerrors.Errorf("create tailnet: %w", err)
+	}
+	defer func() {
+		if err != nil {
+			_ = conn.Close()
+		}
+	}()
+
+	clk := quartz.NewReal()
+	controller := tailnet.NewController(options.Logger, dialer)
+	coordCtrl := tailnet.NewTunnelSrcCoordController(options.Logger, conn)
+	controller.ResumeTokenCtrl = tailnet.NewBasicResumeTokenController(options.Logger, clk)
+	controller.CoordCtrl = coordCtrl
+	controller.DERPCtrl = tailnet.NewBasicDERPController(options.Logger, conn)
+	controller.WorkspaceUpdatesCtrl = tailnet.NewTunnelAllWorkspaceUpdatesController(
+		options.Logger,
+		coordCtrl,
+		tailnet.WithDNS(conn, me.Name),
+		tailnet.WithCallback(options.UpdatesCallback),
+	)
+	controller.Run(ctx)
+
+	options.Logger.Debug(ctx, "running tailnet API v2+ connector")
+
+	select {
+	case <-dialCtx.Done():
+		return Conn{}, xerrors.Errorf("timed out waiting for coordinator and derp map: %w", dialCtx.Err())
+	case err = <-dialer.Connected():
+		if err != nil {
+			options.Logger.Error(ctx, "failed to connect to tailnet v2+ API", slog.Error(err))
+			return Conn{}, xerrors.Errorf("start connector: %w", err)
+		}
+		options.Logger.Debug(ctx, "connected to tailnet v2+ API")
+	}
+
+	return Conn{
+		Conn:       conn,
+		cancelFn:   cancel,
+		controller: controller,
+	}, nil
+}
+
+type Conn struct {
+	*tailnet.Conn
+
+	cancelFn   func()
+	controller *tailnet.Controller
+}
+
+func (c Conn) CurrentWorkspaceState() *proto.WorkspaceUpdate {
+	return c.controller.WorkspaceUpdatesCtrl.CurrentState()
+}
+
+func (c Conn) Close() error {
+	c.cancelFn()
+	<-c.controller.Closed()
+	return c.Conn.Close()
+}