[tunnel] advertise overlay network prefix to tunnel clients

Always include the /72 network prefix in routes advertised to tunnel
agents so they can reach other endpoints in the same overlay network
(e.g. backplane services) without requiring egressGateway.enabled=true.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: dilyevsky

pkg/tunnel/relay.go

@@ -26,6 +26,7 @@ import (
 	"github.com/apoxy-dev/apoxy/pkg/tunnel/api"
 	"github.com/apoxy-dev/apoxy/pkg/tunnel/controllers"
 	"github.com/apoxy-dev/apoxy/pkg/tunnel/hasher"
+	tunnet "github.com/apoxy-dev/apoxy/pkg/tunnel/net"
 	"github.com/apoxy-dev/apoxy/pkg/tunnel/router"
 )
 
@@ -299,6 +300,13 @@ func (r *Relay) handleConnect(w http.ResponseWriter, req *http.Request, ps httpr
 				pfx = netip.PrefixFrom(pfx.Addr(), 128)
 			}
 			routes = append(routes, api.Route{Destination: pfx.String()})
+			// Always include the network prefix so the agent can reach other endpoints
+			// in the same overlay network (e.g. backplane services).
+			if pfx.Addr().Is6() {
+				if ula, err := tunnet.ULAFromPrefix(req.Context(), pfx); err == nil {
+					routes = append(routes, api.Route{Destination: ula.NetPrefix().String()})
+				}
+			}
 		}
 	}
 	if r.egressGateway {

pkg/tunnel/server.go

@@ -698,8 +698,13 @@ func (t *TunnelServer) setupConn(
 
 	log.Info("Client addresses assigned")
 
-	// Advertise routes to client - read egress gateway from TunnelNode spec.
+	// Advertise routes to client.
 	advRoutes := []netip.Prefix{netip.PrefixFrom(addrv6.Addr(), 128)}
+	// Always include the network prefix so the agent can reach other endpoints
+	// in the same overlay network (e.g. backplane services).
+	if ula, err := tunnet.ULAFromPrefix(ctx, addrv6); err == nil {
+		advRoutes = append(advRoutes, ula.NetPrefix())
+	}
 	if conn.obj.Spec.EgressGateway != nil && conn.obj.Spec.EgressGateway.Enabled {
 		log.Info("Enabling egress gateway")
 		advRoutes = append(advRoutes,