Coder Connect cannot reach a Coder deployment behind a VPN #201

@ethanndickson

Problem

If the logged-in Coder deployment requires the use of a VPN to connect to (i.e. it is not accessible from the public web), Coder Connect times out when attempting to download the Coder Connect .dylib.

Here's an example with a Tailscale hostname:

Even with the correct .dylib downloaded, subsequent requests to the Coder deployment, those necessary for Coder Connect to function, also fail.

Of note is that:

  • The Coder Desktop app is able to reach the Coder deployment. This explains why the sign in process succeeds.
  • The Coder Connect process (com.coder.Coder-Desktop.VPN, a network system extension) is unable to reach the Coder deployment.

Initial testing would indicate that network system extensions are unable to use network interfaces created by other network system extensions.
Packets written to a UDP socket bound to some other utun<X> interface do not appear in Wireshark. When such a packet is written, there are also two OS logs from the kernel:

cfil_hash_entry_log:6088 <CFIL: Error: sosend_reinject() failed>: [30685 com.coder.Coder-Desktop.VPN] <UDP(17) out so b795d11aca7c26bf 57728068503033955 57728068503033955 age 0> lport 3001 fport 3001 laddr 100.108.7.40 faddr 100.112.177.88 hash 58B15863
cfil_service_inject_queue:4472 CFIL: sosend() failed 49

Apple dev forum post: https://developer.apple.com/forums/thread/793037

Solution

Whilst network extensions are subject to this limitation by the NECP (Network Extension Control Protocol), LaunchDaemons are not. Therefore, we'll run the networking component of Coder Connect in a LaunchDaemon.
LaunchDaemons are commonly referred to as:

  • Privileged Helpers
  • Background Items that affect all users (i.e. they run as root)

This will require passing/duping the TUN file descriptor from the NE to the LaunchDaemon process over XPC, and having that process send its routing configuration back to the NE.

This means we avoid:

  1. Manually altering the routing table
  2. Manually creating a utun/TUN file descriptor.

An initial prototype of this has proved successful.
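The hand-off described above, sketched in Swift as an added example (not Coder Desktop's code): the network extension dups its utun descriptor to the privileged daemon over NSXPC and receives the daemon's routing configuration in the reply. The protocol name and method, the RoutingConfig fields, the Mach service name and the code-signing requirement string are all assumptions; only the fact that a FileHandle crossing an NSXPCConnection transfers the descriptor itself is relied on.

```swift
import Foundation
// Routes the daemon reports back; the NE applies them to its tunnel settings (field names assumed).
struct RoutingConfig: Codable {
    var tunnelAddress: String   // address/prefix for the utun interface
    var routes: [String]        // CIDR prefixes to send into the tunnel
    var dnsServers: [String]
}

// Interface the privileged LaunchDaemon exports (hypothetical name and method). A FileHandle
// crossing an NSXPCConnection carries the descriptor itself: the kernel dups it into the peer.
@objc protocol TunnelDaemonProtocol {
    func start(tun: FileHandle, withReply reply: @escaping (Data?, Error?) -> Void)
}

// ---- Network extension side ----
final class DaemonClient {
    private let connection: NSXPCConnection
    init(machServiceName: String) {
        // .privileged: the service is registered in launchd's system domain (a LaunchDaemon).
        connection = NSXPCConnection(machServiceName: machServiceName, options: .privileged)
        connection.remoteObjectInterface = NSXPCInterface(with: TunnelDaemonProtocol.self)
        connection.resume()
    }
    // Hand the daemon a dup of the NE's utun fd and receive its routing config.
    func handOff(tunFD: Int32, completion: @escaping (Result<RoutingConfig, Error>) -> Void) {
        let proxy = connection.remoteObjectProxyWithErrorHandler { completion(.failure($0)) } as! TunnelDaemonProtocol
        // closeOnDealloc false: the NE keeps its descriptor; the daemon receives a separate dup.
        proxy.start(tun: FileHandle(fileDescriptor: tunFD, closeOnDealloc: false)) { data, error in
            if let error = error { return completion(.failure(error)) }
            completion(Result { try JSONDecoder().decode(RoutingConfig.self, from: data ?? Data()) })
        }
    }
}

// ---- LaunchDaemon side ----
final class TunnelDaemon: NSObject, NSXPCListenerDelegate, TunnelDaemonProtocol {
    func listener(_ listener: NSXPCListener, shouldAcceptNewConnection conn: NSXPCConnection) -> Bool {
        // The daemon runs as root: accept only the NE's signing identity (macOS 13+ API;
        // placeholder requirement string, substitute the extension's designated requirement).
        conn.setCodeSigningRequirement("identifier \"com.example.placeholder.VPN\" and anchor apple generic")
        conn.exportedInterface = NSXPCInterface(with: TunnelDaemonProtocol.self)
        conn.exportedObject = self
        conn.resume()
        return true
    }
    func start(tun: FileHandle, withReply reply: @escaping (Data?, Error?) -> Void) {
        // tun.fileDescriptor is now the daemon's own utun descriptor; packet I/O on it is omitted.
        let config = RoutingConfig(tunnelAddress: "100.64.0.2/32", routes: ["100.64.0.0/10"],
                                   dnsServers: ["100.64.0.1"])  // constructed sample values
        reply(try? JSONEncoder().encode(config), nil)
    }
}
```

Because the daemon never calls anything on the extension, the routing data travels only in the reply, and the NE alone touches NEPacketTunnelNetworkSettings, which keeps the manual route-table and utun handling the issue wants to avoid out of both processes.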

To resolve:
