fix(connlib): _always_ use one IP stack for relayed connections

[thomaseizinger]

At the moment, Firezone already attempts to prefer the same IP stack across relayed connections all the way through to the Gateway. This is achieved with a feature in str0m implemented in algesten/str0m#640 where the IceAgent computes the local preference of an added candidate such that an IPv4 candidate allocated over an IPv4 network has a higher preference than an IPv6 candidate allocated over an IPv4 network.

If a candidate gets accepted by the local agent, it is signaled to the remote via our control protocol. The remote peer then adds the candidate as a remote candidate and the ICE process starts by pairing them with local ones and testing connectivity.

Currently, str0m's API consumes the candidate and only returns a bool whether it should be sent signaled to the remote. This means the local preference computed as part of add_local_candidate is not reflected in the priority of the candidate sent to the remote. As a result, if the controlled agent (i.e. the Gateway) is behind symmetric NAT and therefore only has relay candidates available, the preference of IPv4 over IPv6 candidates on an IPv4 network is lost. This is what we are seeing in #8998.

This changes with algesten/str0m#650 being merged to main which we are updating to with this PR. Now, add_local_candidate returns an Option<&Candidate> which has been modified with the local preference of the IceAgent around the preferred IP stack of relay candidates. As such, the priority calculated and signaled to the remote embeds this information and will be taken into account by the controlling agent (i.e. the Client) when nominating a pair.

Resolves: #8998

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
firezone	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 4, 2025 11:54am

[Copilot]

Pull Request Overview

This pull request updates the handling of ICE candidates in snownet and bumps the dependency from a Firezone fork of str0m to the official algesten/str0m repository. Key changes include:

• Modifying add_local_candidate to use the new Option return signature from str0m.
• Removing the candidate cloning since the new API now returns a reference with the updated candidate.
• Updating Cargo.toml to point to the new str0m repository.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
rust/connlib/snownet/src/node.rs	Updated the candidate addition logic to use the new Option-based API return from str0m.
rust/Cargo.toml	Updated the str0m dependency to the official algesten/str0m repository.

Comments suppressed due to low confidence (2)

rust/connlib/snownet/src/node.rs:1390

• Ensure that the change from cloning the candidate to directly consuming it via pattern matching is intentional and does not affect any other parts of the system that may rely on candidate ownership.

let Some(candidate) = agent.add_local_candidate(candidate) else {

rust/Cargo.toml:218

• Confirm that the update from the Firezone fork to the official algesten/str0m repository has been fully evaluated, and verify that any behavioral changes introduced by the dependency update are addressed.

str0m = { git = "https://github.com/algesten/str0m", branch = "main" }