fix: add toggle for Coder deployments behind a VPN

ethanndickson · ethanndickson · commit 4bb3a2499012 · 2025-07-28T17:50:37.000+10:00
diff --git a/Coder-Desktop/Coder-Desktop/State.swift b/Coder-Desktop/Coder-Desktop/State.swift
@@ -4,6 +4,7 @@ import KeychainAccess
 import NetworkExtension
 import os
 import SwiftUI
+import VPNLib
 
 @MainActor
 class AppState: ObservableObject {
@@ -70,6 +71,14 @@ class AppState: ObservableObject {
         }
     }
 
+    @Published var useSoftNetIsolation: Bool = UserDefaults.standard.bool(forKey: Keys.useSoftNetIsolation) {
+        didSet {
+            reconfigure()
+            guard persistent else { return }
+            UserDefaults.standard.set(useSoftNetIsolation, forKey: Keys.useSoftNetIsolation)
+        }
+    }
+
     @Published var skipHiddenIconAlert: Bool = UserDefaults.standard.bool(forKey: Keys.skipHiddenIconAlert) {
         didSet {
             guard persistent else { return }
@@ -81,11 +90,18 @@ class AppState: ObservableObject {
         if !hasSession { return nil }
         let proto = NETunnelProviderProtocol()
         proto.providerBundleIdentifier = "\(appId).VPN"
-        // HACK: We can't write to the system keychain, and the user keychain
-        // isn't accessible, so we'll use providerConfiguration, which is over XPC.
-        proto.providerConfiguration = ["token": sessionToken!]
-        if useLiteralHeaders, let headers = try? JSONEncoder().encode(literalHeaders) {
-            proto.providerConfiguration?["literalHeaders"] = headers
+
+        proto.providerConfiguration = [
+            // HACK: We can't write to the system keychain, and the user keychain
+            // isn't accessible, so we'll use providerConfiguration, which
+            // writes to disk.
+            VPNConfigurationKeys.token: sessionToken!,
+            VPNConfigurationKeys.useSoftNetIsolation: useSoftNetIsolation,
+        ]
+        if useLiteralHeaders {
+            proto.providerConfiguration?[
+                VPNConfigurationKeys.literalHeaders
+            ] = literalHeaders.map { ($0.name, $0.value) }
         }
         proto.serverAddress = baseAccessURL!.absoluteString
         return proto
@@ -188,6 +204,7 @@ class AppState: ObservableObject {
     }
 
     public func clearSession() {
+        logger.info("clearing session")
         hasSession = false
         sessionToken = nil
         refreshTask?.cancel()
@@ -216,6 +233,7 @@ class AppState: ObservableObject {
 
         static let useLiteralHeaders = "UseLiteralHeaders"
         static let literalHeaders = "LiteralHeaders"
+        static let useSoftNetIsolation = "UseSoftNetIsolation"
         static let stopVPNOnQuit = "StopVPNOnQuit"
         static let startVPNOnLaunch = "StartVPNOnLaunch"
 
diff --git a/Coder-Desktop/Coder-Desktop/Views/Settings/NetworkTab.swift b/Coder-Desktop/Coder-Desktop/Views/Settings/NetworkTab.swift
@@ -4,11 +4,30 @@ struct NetworkTab<VPN: VPNService>: View {
     var body: some View {
         Form {
             LiteralHeadersSection<VPN>()
+            SoftNetIsolationSection<VPN>()
         }
         .formStyle(.grouped)
     }
 }
 
+struct SoftNetIsolationSection<VPN: VPNService>: View {
+    @EnvironmentObject var state: AppState
+    @EnvironmentObject var vpn: VPN
+    var body: some View {
+        Section {
+            Toggle(isOn: $state.useSoftNetIsolation) {
+                Text("Enable support for corporate VPNs")
+                if !vpn.state.canBeStarted { Text("Cannot be modified while Coder Connect is enabled.") }
+            }
+            Text("This setting loosens the VPN loop protection in Coder Connect, allowing traffic to flow to a " +
+                "Coder deployment behind a corporate VPN. We only recommend enabling this option if Coder Connect " +
+                "doesn't work with your Coder deployment behind a corporate VPN.")
+                .font(.subheadline)
+                .foregroundStyle(.secondary)
+        }.disabled(!vpn.state.canBeStarted)
+    }
+}
+
 #if DEBUG
     #Preview {
         NetworkTab<PreviewVPN>()
diff --git a/Coder-Desktop/Coder-DesktopHelper/HelperXPCListeners.swift b/Coder-Desktop/Coder-DesktopHelper/HelperXPCListeners.swift
@@ -40,11 +40,13 @@ class HelperNEXPCListener: NSObject, NSXPCListenerDelegate, HelperNEXPCInterface
 
     let startSymbol = "OpenTunnel"
 
+    // swiftlint:disable:next function_parameter_count
     func startDaemon(
         accessURL: URL,
         token: String,
         tun: FileHandle,
         headers: Data?,
+        useSoftNetIsolation: Bool,
         reply: @escaping (Error?) -> Void
     ) {
         logger.info("startDaemon called")
@@ -57,6 +59,7 @@ class HelperNEXPCListener: NSObject, NSXPCListenerDelegate, HelperNEXPCInterface
                         apiToken: token,
                         serverUrl: accessURL,
                         tunFd: tun.fileDescriptor,
+                        useSoftNetIsolation: useSoftNetIsolation,
                         literalHeaders: headers.flatMap { try? JSONDecoder().decode([HTTPHeader].self, from: $0) } ?? []
                     )
                 )
diff --git a/Coder-Desktop/Coder-DesktopHelper/Manager.swift b/Coder-Desktop/Coder-DesktopHelper/Manager.swift
@@ -160,6 +160,7 @@ actor Manager {
             resp = try await speaker.unaryRPC(
                 .with { msg in
                     msg.start = .with { req in
+                        req.tunnelUseSoftNetIsolation = cfg.useSoftNetIsolation
                         req.tunnelFileDescriptor = cfg.tunFd
                         req.apiToken = cfg.apiToken
                         req.coderURL = cfg.serverUrl.absoluteString
@@ -234,6 +235,7 @@ struct ManagerConfig {
     let apiToken: String
     let serverUrl: URL
     let tunFd: Int32
+    let useSoftNetIsolation: Bool
     let literalHeaders: [HTTPHeader]
 }
 
diff --git a/Coder-Desktop/VPN/HelperXPCSpeaker.swift b/Coder-Desktop/VPN/HelperXPCSpeaker.swift
@@ -58,7 +58,13 @@ final class HelperXPCSpeaker: NEXPCInterface, @unchecked Sendable {
 
 // These methods are called to start and stop the daemon run by the Helper.
 extension HelperXPCSpeaker {
-    func startDaemon(accessURL: URL, token: String, tun: FileHandle, headers: Data?) async throws {
+    func startDaemon(
+        accessURL: URL,
+        token: String,
+        tun: FileHandle,
+        headers: Data?,
+        useSoftNetIsolation: Bool
+    ) async throws {
         let conn = connect()
         return try await withCheckedThrowingContinuation { continuation in
             guard let proxy = conn.remoteObjectProxyWithErrorHandler({ err in
@@ -69,7 +75,13 @@ extension HelperXPCSpeaker {
                 continuation.resume(throwing: XPCError.wrongProxyType)
                 return
             }
-            proxy.startDaemon(accessURL: accessURL, token: token, tun: tun, headers: headers) { err in
+            proxy.startDaemon(
+                accessURL: accessURL,
+                token: token,
+                tun: tun,
+                headers: headers,
+                useSoftNetIsolation: useSoftNetIsolation
+            ) { err in
                 if let error = err {
                     self.logger.error("Failed to start daemon: \(error.localizedDescription, privacy: .public)")
                     continuation.resume(throwing: error)
diff --git a/Coder-Desktop/VPN/PacketTunnelProvider.swift b/Coder-Desktop/VPN/PacketTunnelProvider.swift
@@ -48,27 +48,31 @@ class PacketTunnelProvider: NEPacketTunnelProvider, @unchecked Sendable {
     ) async throws {
         globalHelperXPCSpeaker.ptp = self
         guard let proto = protocolConfiguration as? NETunnelProviderProtocol,
-              let baseAccessURL = proto.serverAddress
+              let accessURL = proto.serverAddress
         else {
             logger.error("startTunnel called with nil protocolConfiguration")
             throw makeNSError(suffix: "PTP", desc: "Missing Configuration")
         }
         // HACK: We can't write to the system keychain, and the NE can't read the user keychain.
-        guard let token = proto.providerConfiguration?["token"] as? String else {
+        guard let token = proto.providerConfiguration?[VPNConfigurationKeys.token] as? String else {
             logger.error("startTunnel called with nil token")
             throw makeNSError(suffix: "PTP", desc: "Missing Token")
         }
-        let headers = proto.providerConfiguration?["literalHeaders"] as? Data
-        logger.debug("retrieved token & access URL")
+        let headers = proto.providerConfiguration?[VPNConfigurationKeys.literalHeaders] as? Data
+        let useSoftNetIsolation = proto.providerConfiguration?[
+            VPNConfigurationKeys.useSoftNetIsolation
+        ] as? Bool ?? false
+        logger.debug("retrieved vpn configuration settings")
         guard let tunFd = tunnelFileDescriptor else {
             logger.error("startTunnel called with nil tunnelFileDescriptor")
             throw makeNSError(suffix: "PTP", desc: "Missing Tunnel File Descriptor")
         }
         try await globalHelperXPCSpeaker.startDaemon(
-            accessURL: .init(string: baseAccessURL)!,
+            accessURL: .init(string: accessURL)!,
             token: token,
             tun: FileHandle(fileDescriptor: tunFd),
-            headers: headers
+            headers: headers,
+            useSoftNetIsolation: useSoftNetIsolation
         )
     }
 
diff --git a/Coder-Desktop/VPNLib/Configuration.swift b/Coder-Desktop/VPNLib/Configuration.swift
@@ -0,0 +1,9 @@
+// Keys for the `providerConfiguration` dictionary in the VPN configuration plist.
+public enum VPNConfigurationKeys {
+    // String
+    public static let token = "token"
+    // [(String, String)]
+    public static let literalHeaders = "literalHeaders"
+    // Bool
+    public static let useSoftNetIsolation = "useSoftNetIsolation"
+}
diff --git a/Coder-Desktop/VPNLib/Download.swift b/Coder-Desktop/VPNLib/Download.swift
@@ -150,15 +150,15 @@ extension DownloadManager: URLSessionDownloadDelegate {
     }
 
     public required convenience init?(coder: NSCoder) {
-        let written = coder.decodeInt64(forKey: "written")
-        let total = coder.containsValue(forKey: "total") ? coder.decodeInt64(forKey: "total") : nil
+        let written = coder.decodeInt64(forKey: Keys.written)
+        let total = coder.containsValue(forKey: Keys.total) ? coder.decodeInt64(forKey: Keys.total) : nil
         self.init(totalBytesWritten: written, totalBytesToWrite: total)
     }
 
     public func encode(with coder: NSCoder) {
-        coder.encode(totalBytesWritten, forKey: "written")
+        coder.encode(totalBytesWritten, forKey: Keys.written)
         if let total = totalBytesToWrite {
-            coder.encode(total, forKey: "total")
+            coder.encode(total, forKey: Keys.total)
         }
     }
 
@@ -169,4 +169,9 @@ extension DownloadManager: URLSessionDownloadDelegate {
         let total = totalBytesToWrite.map { fmt.string(fromByteCount: $0) } ?? "Unknown"
         return "\(done) / \(total)"
     }
+
+    enum Keys {
+        static let written = "written"
+        static let total = "total"
+    }
 }
diff --git a/Coder-Desktop/VPNLib/XPC.swift b/Coder-Desktop/VPNLib/XPC.swift
@@ -25,8 +25,16 @@ public let helperNEMachServiceName = "4399GN35BJ.com.coder.Coder-Desktop.HelperN
 // This is the XPC interface the Helper exposes to the Network Extension.
 @preconcurrency
 @objc public protocol HelperNEXPCInterface {
-    // headers is a JSON `[HTTPHeader]`
-    func startDaemon(accessURL: URL, token: String, tun: FileHandle, headers: Data?, reply: @escaping (Error?) -> Void)
+    // swiftlint:disable:next function_parameter_count
+    func startDaemon(
+        accessURL: URL,
+        token: String,
+        tun: FileHandle,
+        // headers is a JSON encoded `[HTTPHeader]`
+        headers: Data?,
+        useSoftNetIsolation: Bool,
+        reply: @escaping (Error?) -> Void
+    )
     func stopDaemon(reply: @escaping (Error?) -> Void)
 }
 
diff --git a/Coder-Desktop/VPNLib/vpn.pb.swift b/Coder-Desktop/VPNLib/vpn.pb.swift
diff --git a/Coder-Desktop/VPNLib/vpn.proto b/Coder-Desktop/VPNLib/vpn.proto
@@ -213,6 +213,7 @@ message NetworkSettingsResponse {
 // StartResponse.
 message StartRequest {
     int32 tunnel_file_descriptor = 1;
+    bool tunnel_use_soft_net_isolation = 8;
     string coder_url = 2;
     string api_token = 3;
     // Additional HTTP headers added to all requests
diff --git a/Coder-Desktop/project.yml b/Coder-Desktop/project.yml
@@ -181,7 +181,7 @@ targets:
         # so that macOS stops complaining about the app being run from an
         # untrusted folder.
         DEPLOYMENT_LOCATION: YES
-        DSTROOT: $(LOCAL_APPS_DIR)/Coder
+        DSTROOT: $(LOCAL_APPS_DIR)
         INSTALL_PATH: /
         SKIP_INSTALL: NO
         LD_RUNPATH_SEARCH_PATHS:

Original file line number	Diff line number	Diff line change
`@@ -150,15 +150,15 @@ extension DownloadManager: URLSessionDownloadDelegate {`
`150`	`150`	`}`
`151`	`151`
`152`	`152`	`public required convenience init?(coder: NSCoder) {`
`153`		`- let written = coder.decodeInt64(forKey: "written")`
`154`		`- let total = coder.containsValue(forKey: "total") ? coder.decodeInt64(forKey: "total") : nil`
	`153`	`+ let written = coder.decodeInt64(forKey: Keys.written)`
	`154`	`+ let total = coder.containsValue(forKey: Keys.total) ? coder.decodeInt64(forKey: Keys.total) : nil`
`155`	`155`	`self.init(totalBytesWritten: written, totalBytesToWrite: total)`
`156`	`156`	`}`
`157`	`157`
`158`	`158`	`public func encode(with coder: NSCoder) {`
`159`		`- coder.encode(totalBytesWritten, forKey: "written")`
	`159`	`+ coder.encode(totalBytesWritten, forKey: Keys.written)`
`160`	`160`	`if let total = totalBytesToWrite {`
`161`		`- coder.encode(total, forKey: "total")`
	`161`	`+ coder.encode(total, forKey: Keys.total)`
`162`	`162`	`}`
`163`	`163`	`}`
`164`	`164`
`@@ -169,4 +169,9 @@ extension DownloadManager: URLSessionDownloadDelegate {`
`169`	`169`	`let total = totalBytesToWrite.map { fmt.string(fromByteCount: $0) } ?? "Unknown"`
`170`	`170`	`return "\(done) / \(total)"`
`171`	`171`	`}`
	`172`	`+`
	`173`	`+ enum Keys {`
	`174`	`+ static let written = "written"`
	`175`	`+ static let total = "total"`
	`176`	`+ }`
`172`	`177`	`}`