[connect-ip] client can also run in kernel mode now via TUN

go.mod

@@ -8,7 +8,11 @@ require (
 	github.com/ClickHouse/clickhouse-go/v2 v2.23.2
 	github.com/MicahParks/jwkset v0.9.5
 	github.com/MicahParks/keyfunc/v3 v3.3.10
+	github.com/adrg/xdg v0.5.3
 	github.com/alphadose/haxmap v1.4.1
+	github.com/anatol/vmtest v0.0.0-20250318022921-2f32244e2f0f
+	github.com/avast/retry-go/v4 v4.6.1
+	github.com/bramvdbogaerde/go-scp v1.5.0
 	github.com/buraksezer/olric v0.5.6
 	github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42
 	github.com/coder/websocket v1.8.12
@@ -38,10 +42,13 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/google/go-containerregistry v0.19.1
 	github.com/google/go-github/v61 v61.0.0
+	github.com/google/gopacket v1.1.19
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-discover v0.0.0-20240726212017-342faf50e5d4
 	github.com/jedib0t/go-pretty/v6 v6.4.9
 	github.com/k3s-io/kine v0.13.2
+	github.com/kdomanski/iso9660 v0.4.0
+	github.com/klauspost/cpuid/v2 v2.2.10
 	github.com/metal-stack/go-ipam v1.14.7
 	github.com/miekg/dns v1.1.63
 	github.com/mitchellh/mapstructure v1.5.0
@@ -65,6 +72,7 @@ require (
 	go.opentelemetry.io/proto/otlp v1.3.1
 	go.temporal.io/api v1.29.2
 	go.temporal.io/sdk v1.26.0
+	golang.org/x/crypto v0.37.0
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
 	golang.org/x/net v0.39.0
 	golang.org/x/sync v0.13.0
@@ -116,21 +124,17 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/Rican7/retry v0.1.0 // indirect
 	github.com/RoaringBitmap/roaring v1.2.1 // indirect
-	github.com/adrg/xdg v0.5.3 // indirect
-	github.com/anatol/vmtest v0.0.0-20250318022921-2f32244e2f0f // indirect
 	github.com/andybalholm/brotli v1.1.0 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/apache/thrift v0.20.0 // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
-	github.com/avast/retry-go/v4 v4.6.1 // indirect
 	github.com/aws/aws-sdk-go v1.55.5 // indirect
 	github.com/benbjohnson/clock v1.3.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bits-and-blooms/bitset v1.2.0 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
-	github.com/bramvdbogaerde/go-scp v1.5.0 // indirect
 	github.com/buraksezer/consistent v0.10.0 // indirect
 	github.com/cactus/go-statsd-client/statsd v0.0.0-20200423205355-cb0885a1018c // indirect
 	github.com/cactus/go-statsd-client/v5 v5.1.0 // indirect
@@ -234,10 +238,8 @@ require (
 	github.com/joyent/triton-go v0.0.0-20180628001255-830d2b111e62 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
-	github.com/kdomanski/iso9660 v0.4.0 // indirect
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/labstack/echo/v4 v4.10.0 // indirect
 	github.com/labstack/gommon v0.4.0 // indirect
@@ -366,7 +368,6 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
-	golang.org/x/crypto v0.37.0 // indirect
 	golang.org/x/mod v0.21.0 // indirect
 	golang.org/x/oauth2 v0.29.0 // indirect
 	golang.org/x/term v0.31.0 // indirect

go.sum

@@ -528,6 +528,8 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
+github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc=
@@ -1258,9 +1260,11 @@ golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvx
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -1444,6 +1448,7 @@ golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=

pkg/cmd/tunnel/tunnelnode.go

@@ -222,17 +222,26 @@ func (t *tunnelNodeReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		cOpts = append(cOpts, tunnel.WithInsecureSkipVerify(true))
 	}
 
+	if t.tunC != nil {
+		log.Info("Closing existing tunnel client")
+		if err := t.tunC.Close(); err != nil {
+			log.Error(err, "Failed to close existing tunnel client")
+		}
+		t.tunC = nil
+	}
+
 	if t.tunC, err = tunnel.NewTunnelClient(cOpts...); err != nil {
 		log.Error(err, "Failed to create tunnel client")
 		t.doneCh <- fmt.Errorf("failed to create tunnel client: %w", err)
 		return ctrl.Result{}, nil // Unrecoverable error.
 	}
 
-	if err := t.tunC.Start(ctx); err != nil {
-		log.Error(err, "Failed to start tunnel client")
-		t.doneCh <- fmt.Errorf("failed to start tunnel client: %w", err)
-		return ctrl.Result{}, nil // Unrecoverable error.
-	}
+	go func() {
+		if err := t.tunC.Start(ctx); err != nil {
+			log.Error(err, "Failed to start tunnel client")
+			t.doneCh <- fmt.Errorf("failed to start tunnel client: %w", err)
+		}
+	}()
 
 	return ctrl.Result{}, nil
 }

pkg/netstack/tun_device.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/netip"
 	"os"
+	"sync/atomic"
 	"syscall"
 
 	"github.com/dpeckett/network"
@@ -35,6 +36,7 @@ type TunDevice struct {
 	events         chan tun.Event
 	incomingPacket chan *buffer.View
 	mtu            int
+	closed         atomic.Bool
 }
 
 func NewTunDevice(localAddresses []netip.Prefix, pcapPath string) (*TunDevice, error) {
@@ -145,6 +147,10 @@ func (tun *TunDevice) MTU() (int, error) { return tun.mtu, nil }
 func (tun *TunDevice) BatchSize() int { return 1 }
 
 func (tun *TunDevice) Read(buf [][]byte, sizes []int, offset int) (int, error) {
+	if tun.closed.Load() {
+		return 0, os.ErrClosed
+	}
+
 	view, ok := <-tun.incomingPacket
 	if !ok {
 		return 0, os.ErrClosed
@@ -159,6 +165,10 @@ func (tun *TunDevice) Read(buf [][]byte, sizes []int, offset int) (int, error) {
 }
 
 func (tun *TunDevice) Write(buf [][]byte, offset int) (int, error) {
+	if tun.closed.Load() {
+		return 0, os.ErrClosed
+	}
+
 	for _, buf := range buf {
 		packet := buf[offset:]
 		if len(packet) == 0 {
@@ -191,6 +201,10 @@ func (tun *TunDevice) WriteNotify() {
 }
 
 func (tun *TunDevice) Close() error {
+	if tun.closed.Swap(true) {
+		return nil
+	}
+
 	tun.stack.RemoveNIC(tun.nicID)
 
 	if tun.events != nil {

pkg/socksproxy/server.go

@@ -29,6 +29,7 @@ func NewServer(addr string, upstream network.Network, fallback network.Network)
 		socks5.WithDial((&dialer{upstream: upstream, fallback: fallback}).DialContext),
 		socks5.WithResolver(&resolver{net: upstream}),
 		socks5.WithBufferPool(bufferpool.NewPool(256 * 1024)),
+		socks5.WithLogger(&logger{}),
 		// No auth as we'll be binding exclusively to a local interface.
 		socks5.WithAuthMethods([]socks5.Authenticator{socks5.NoAuthAuthenticator{}}),
 	}
@@ -113,6 +114,8 @@ func (d *dialer) DialContext(ctx context.Context, network, address string) (net.
 		return d.fallback.DialContext(ctx, network, address)
 	}
 
+	slog.Debug("Address is private - dialing upstream", slog.String("address", addr.String()))
+
 	return d.upstream.DialContext(ctx, network, address)
 }
 
@@ -140,3 +143,9 @@ func (r *resolver) Resolve(ctx context.Context, name string) (context.Context, n
 
 	return ctx, ip, nil
 }
+
+type logger struct{}
+
+func (l *logger) Errorf(format string, arg ...any) {
+	slog.Error(fmt.Sprintf(format, arg...))
+}