Make netstack available on desktop too

nym-vpn-app/src-tauri/src/commands/connection.rs

@@ -143,7 +143,7 @@ pub async fn connect(
 
     app.emit_connection_progress(ConnectProgressMsg::InitDone);
     match grpc
-        .vpn_connect(entry_node, exit_node, two_hop_mod, dns)
+        .vpn_connect(entry_node, exit_node, two_hop_mod, false, dns)
         .await
     {
         Ok(_) => Ok(ConnectionState::Connecting),

nym-vpn-app/src-tauri/src/grpc/client.rs

@@ -343,6 +343,7 @@ impl GrpcClient {
         entry_node: EntryNode,
         exit_node: ExitNode,
         two_hop_mod: bool,
+        netstack: bool,
         dns: Option<Dns>,
     ) -> Result<(), VpndError> {
         debug!("vpn_connect");
@@ -353,6 +354,7 @@ impl GrpcClient {
             exit: Some(exit_node),
             disable_routing: false,
             enable_two_hop: two_hop_mod,
+            netstack,
             disable_poisson_rate: false,
             disable_background_cover_traffic: false,
             enable_credentials_mode: false,

nym-vpn-core/crates/nym-vpn-cli/src/commands.rs

@@ -56,6 +56,10 @@ pub(crate) struct RunArgs {
     #[arg(long, default_value_t = false)]
     pub(crate) wireguard_mode: bool,
 
+    /// Use wireguard with nestack for multihop.
+    #[arg(long, default_value_t = false)]
+    pub(crate) netstack: bool,
+
     /// The IPv4 address of the nym TUN device that wraps IP packets in sphinx packets.
     #[arg(long, alias = "ipv4", value_parser = validate_ipv4, requires = "nym_ipv6")]
     pub(crate) nym_ipv4: Option<Ipv4Addr>,

nym-vpn-core/crates/nym-vpn-cli/src/main.rs

@@ -18,7 +18,8 @@ use nym_vpn_lib::{
     nym_config::defaults::{setup_env, var_names},
     tunnel_state_machine::{
         DnsOptions, GatewayPerformanceOptions, MixnetTunnelOptions, NymConfig, TunnelCommand,
-        TunnelEvent, TunnelSettings, TunnelStateMachine, TunnelType,
+        TunnelEvent, TunnelSettings, TunnelStateMachine, TunnelType, WireguardMultihopMode,
+        WireguardTunnelOptions,
     },
     IpPair, MixnetClientConfig, NodeIdentity, Recipient,
 };
@@ -212,12 +213,21 @@ async fn run_vpn(args: commands::RunArgs, data_path: Option<PathBuf>) -> anyhow:
         gateway_config,
     };
 
+    let wireguard_tunnel_options = WireguardTunnelOptions {
+        multihop_mode: if args.netstack {
+            WireguardMultihopMode::Netstack
+        } else {
+            WireguardMultihopMode::TunTun
+        },
+    };
+
     let tunnel_settings = TunnelSettings {
         tunnel_type,
         enable_credentials_mode: args.enable_credentials_mode,
         mixnet_client_config: Some(mixnet_client_config),
         gateway_performance_options: GatewayPerformanceOptions::default(),
         mixnet_tunnel_options,
+        wireguard_tunnel_options,
         entry_point: Box::new(entry_point),
         exit_point: Box::new(exit_point),
         dns,

nym-vpn-core/crates/nym-vpn-lib/src/platform/mod.rs

@@ -35,7 +35,7 @@ use crate::{
     tunnel_state_machine::{
         BandwidthEvent, ConnectionEvent, DnsOptions, GatewayPerformanceOptions,
         MixnetTunnelOptions, NymConfig, TunnelCommand, TunnelEvent, TunnelSettings, TunnelState,
-        TunnelStateMachine, TunnelType,
+        TunnelStateMachine, TunnelType, WireguardTunnelOptions,
     },
     uniffi_custom_impls::{
         AccountStateSummary, BandwidthStatus, ConnectionStatus, EntryPoint, ExitPoint,
@@ -324,6 +324,7 @@ async fn start_state_machine(config: VPNConfig) -> Result<StateMachineHandle, Vp
         tunnel_type,
         enable_credentials_mode: false,
         mixnet_tunnel_options: MixnetTunnelOptions::default(),
+        wireguard_tunnel_options: WireguardTunnelOptions::default(),
         gateway_performance_options: GatewayPerformanceOptions::default(),
         mixnet_client_config: None,
         entry_point: Box::new(entry_point),

nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/mod.rs

@@ -78,6 +78,9 @@ pub struct TunnelSettings {
     /// Mixnet tunnel options.
     pub mixnet_tunnel_options: MixnetTunnelOptions,
 
+    /// WireGuard tunnel options.
+    pub wireguard_tunnel_options: WireguardTunnelOptions,
+
     /// Overrides gateway config.
     pub gateway_performance_options: GatewayPerformanceOptions,
 
@@ -110,6 +113,35 @@ pub struct MixnetTunnelOptions {
     pub mtu: Option<u16>,
 }
 
+#[derive(Debug, Clone, Eq, PartialEq)]
+pub enum WireguardMultihopMode {
+    /// Multihop using two tun devices to nest tunnels.
+    #[cfg(any(target_os = "linux", target_os = "macos", target_os = "windows"))]
+    TunTun,
+
+    /// Netstack based multihop.
+    Netstack,
+}
+
+impl Default for WireguardMultihopMode {
+    fn default() -> Self {
+        #[cfg(any(target_os = "ios", target_os = "android"))]
+        {
+            Self::Netstack
+        }
+
+        #[cfg(any(target_os = "linux", target_os = "macos", target_os = "windows"))]
+        {
+            Self::TunTun
+        }
+    }
+}
+
+#[derive(Debug, Default, Clone, Eq, PartialEq)]
+pub struct WireguardTunnelOptions {
+    pub multihop_mode: WireguardMultihopMode,
+}
+
 #[derive(Debug, Default, Clone, Eq, PartialEq)]
 pub enum DnsOptions {
     #[default]
@@ -133,6 +165,7 @@ impl Default for TunnelSettings {
             enable_credentials_mode: false,
             mixnet_tunnel_options: MixnetTunnelOptions::default(),
             mixnet_client_config: None,
+            wireguard_tunnel_options: WireguardTunnelOptions::default(),
             gateway_performance_options: GatewayPerformanceOptions::default(),
             entry_point: Box::new(EntryPoint::Random),
             exit_point: Box::new(ExitPoint::Random),

nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/route_handler.rs

@@ -31,6 +31,12 @@ pub enum RoutingConfig {
         #[cfg(target_os = "linux")]
         physical_interface: DefaultInterface,
     },
+    WireguardNetstack {
+        exit_tun_name: String,
+        entry_gateway_address: IpAddr,
+        #[cfg(target_os = "linux")]
+        physical_interface: DefaultInterface,
+    },
 }
 
 #[derive(Debug, Clone)]
@@ -145,6 +151,34 @@ impl RouteHandler {
                     Node::device(exit_tun_name.to_owned()),
                 ));
 
+                routes.insert(RequiredRoute::new(
+                    "::0/0".parse().unwrap(),
+                    Node::device(exit_tun_name.to_owned()),
+                ));
+            }
+            RoutingConfig::WireguardNetstack {
+                exit_tun_name,
+                entry_gateway_address,
+                #[cfg(target_os = "linux")]
+                physical_interface,
+            } => {
+                #[cfg(not(target_os = "linux"))]
+                routes.insert(RequiredRoute::new(
+                    IpNetwork::from(entry_gateway_address),
+                    NetNode::DefaultNode,
+                ));
+                // todo: remove once firewall/fwmark is active.
+                #[cfg(target_os = "linux")]
+                routes.insert(RequiredRoute::new(
+                    IpNetwork::from(entry_gateway_address),
+                    physical_interface.as_node(),
+                ));
+
+                routes.insert(RequiredRoute::new(
+                    "0.0.0.0/0".parse().unwrap(),
+                    Node::device(exit_tun_name.to_owned()),
+                ));
+
                 routes.insert(RequiredRoute::new(
                     "::0/0".parse().unwrap(),
                     Node::device(exit_tun_name.to_owned()),