refactor(firezone-tunnel): move routes and DNS control out of connlib and up to the Client

[ReactorScram]

Refs #3636 (This pays down some of the technical debt from Linux DNS)
Refs #4473 (This partially fulfills it)
Refs #5068 (This is needed to make FIREZONE_DNS_CONTROL mandatory)

As of dd6421:

• On both Linux and Windows, DNS control and IP setting (i.e. on_set_interface_config) both move to the Client
• On Windows, route setting stays in tun_windows.rs. Route setting in Windows requires us to know the interface index, which we don't know in the Client code. If we could pass opaque platform-specific data between the tunnel and the Client it would be easy.
• On Linux, route setting moves to the Client and Gateway, which completely removes the worker task in tun_linux.rs
• Notifying systemd that we're ready moves up to the headless Client / IPC service

Before merging / notes

Edit tasklist title

Beta Give feedback Tasklist Before merging / notes, more options

• Rename
• Copy markdown
• Delete tasklist

Delete tasklist

Delete tasklist block?

Are you sure? All relationships in this tasklist will be removed.

Cancel Delete

1. Does DNS roaming work on Linux on `main`? I don't see where it hooks up. I think I only set up DNS in `Tun::new` (Yes, the `Tun` gets recreated every time we reconfigure the device)

   Does DNS roaming work on Linux on main? I don't see where it hooks up. I think I only set up DNS in Tun::new (Yes, the Tun gets recreated every time we reconfigure the device)
   Options

   • Convert to issue
   • Toggle completion
   • Rename
   • Remove
2. Fix Windows Clients

   Fix Windows Clients
   Options

   • Convert to issue
   • Toggle completion
   • Rename
   • Remove
3. Fix Gateway

   Fix Gateway
   Options

   • Convert to issue
   • Toggle completion
   • Rename
   • Remove
4. Make sure connlib doesn't get the DNS control method from the env var (will be fixed in #5068)

   Make sure connlib doesn't get the DNS control method from the env var (will be fixed in feat(headless-client/linux)!: make FIREZONE_DNS_CONTROL mandatory #5068)
   Options

   • Convert to issue
   • Toggle completion
   • Rename
   • Remove
5. De-dupe consts

   De-dupe consts
   Options

   • Convert to issue
   • Toggle completion
   • Rename
   • Remove
6. ~~Add DNS control test~~ (failed)

   Add DNS control test (failed)
   Options

   • Convert to issue
   • Toggle completion
   • Rename
   • Remove
7. Smoke test Linux

   Smoke test Linux
   Options

   • Convert to issue
   • Toggle completion
   • Rename
   • Remove
8. Smoke test Windows

   Smoke test Windows
   Options

   • Convert to issue
   • Toggle completion
   • Rename
   • Remove

Add item to Before merging / notes

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment

Name	Status	Preview	Comments	Updated (UTC)
firezone	⬜️ Ignored (Inspect)	Visit Preview		Jun 3, 2024 2:13pm

[github-actions]

Terraform Cloud Plan Output

Plan: 17 to add, 14 to change, 17 to destroy.

Terraform Cloud Plan

[thomaseizinger]

• On Windows, Route settings stays in tun_windows.rs. Route setting in Windows requires us to know the interface index, which we don't know in the Client code. If we could pass opaque platform-specific data between the tunnel and the Client it would be easy.

Or, if you construct Tun in the clients too (as a result of the on-interface-callback) and make a setter on Tunnel then the Windows client can query and remember the interface index itself. For Tunnel, all we need to know about Tun is Stream + Sink of IpPacket.

[conectado]

Nice work! I think there are some minor comments to be addressed before merging

[conectado]

is pin needed here? aren't these Unpin?

[ReactorScram]

🤷‍♀️ If I try to remove either of those pin!() macros it won't compile.
I don't know how pinning works so I could be overlooking something.

[conectado]

• On Windows, Route settings stays in tun_windows.rs. Route setting in Windows requires us to know the interface index, which we don't know in the Client code. If we could pass opaque platform-specific data between the tunnel and the Client it would be easy.

Or, if you construct Tun in the clients too (as a result of the on-interface-callback) and make a setter on Tunnel then the Windows client can query and remember the interface index itself. For Tunnel, all we need to know about Tun is Stream + Sink of IpPacket.

We could just construct the Tun without the on-interface-callback for windows and linux, for macos and android it's needed because we need to set some ip. Though we can just pick a placeholder ip and always have a tun interface created when the program starts. Move everything to the clients and just pass a reference Stream + Sink when calling poll_next_event.

[thomaseizinger]

Great work! Slowly things are moving into the places where they belong :)

[thomaseizinger]

Do we have to keep DNS in here? How we control DNS doesn't really have anything to do with the TUN device.

[ReactorScram]

I was using it for RAII but yeah looks like that can be split out into its own struct, so I will

[thomaseizinger]

Great work, thank you for cleaning this up!

[thomaseizinger]

We can delete this because we will just do it on the first tick of the timer?

[ReactorScram]

Maybe. I don't think I have a test to prove that yet, so I'll leave it. If DNS control is up in the Client now, maybe I can try to enforce in the Client that the "Firezone connected" notification or the systemd ready notification only fires after we definitely control DNS. Maybe in another PR

[thomaseizinger]

Nice work!

Move 👏 more 👏 config 👏 to 👏 the 👏 clients 👏