[client] Add bind activity listener to bypass udp sockets

client/iface/device.go

@@ -23,4 +23,5 @@ type WGTunDevice interface {
 	FilteredDevice() *device.FilteredDevice
 	Device() *wgdevice.Device
 	GetNet() *netstack.Net
+	GetICEBind() device.EndpointManager
 }

client/iface/device/device_android.go

@@ -150,6 +150,11 @@ func (t *WGTunDevice) GetNet() *netstack.Net {
 	return nil
 }
 
+// GetICEBind returns the ICEBind instance
+func (t *WGTunDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}
+
 func routesToString(routes []string) string {
 	return strings.Join(routes, ";")
 }

client/iface/device/device_darwin.go

@@ -154,3 +154,8 @@ func (t *TunDevice) assignAddr() error {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns the ICEBind instance
+func (t *TunDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}

client/iface/device/device_ios.go

@@ -144,3 +144,8 @@ func (t *TunDevice) FilteredDevice() *FilteredDevice {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns the ICEBind instance
+func (t *TunDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}

client/iface/device/device_kernel_unix.go

@@ -179,3 +179,8 @@ func (t *TunKernelDevice) assignAddr() error {
 func (t *TunKernelDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns nil for kernel mode devices
+func (t *TunKernelDevice) GetICEBind() EndpointManager {
+	return nil
+}

client/iface/device/device_netstack.go

@@ -21,6 +21,7 @@ type Bind interface {
 	conn.Bind
 	GetICEMux() (*udpmux.UniversalUDPMuxDefault, error)
 	ActivityRecorder() *bind.ActivityRecorder
+	EndpointManager
 }
 
 type TunNetstackDevice struct {
@@ -155,3 +156,8 @@ func (t *TunNetstackDevice) Device() *device.Device {
 func (t *TunNetstackDevice) GetNet() *netstack.Net {
 	return t.net
 }
+
+// GetICEBind returns the bind instance
+func (t *TunNetstackDevice) GetICEBind() EndpointManager {
+	return t.bind
+}

client/iface/device/device_usp_unix.go

@@ -146,3 +146,8 @@ func (t *USPDevice) assignAddr() error {
 func (t *USPDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns the ICEBind instance
+func (t *USPDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}

client/iface/device/device_windows.go

@@ -185,3 +185,8 @@ func (t *TunDevice) assignAddr() error {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns the ICEBind instance
+func (t *TunDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}

client/iface/device/endpoint_manager.go

@@ -0,0 +1,13 @@
+package device
+
+import (
+	"net"
+	"net/netip"
+)
+
+// EndpointManager manages fake IP to connection mappings for userspace bind implementations.
+// Implemented by bind.ICEBind and bind.RelayBindJS.
+type EndpointManager interface {
+	SetEndpoint(fakeIP netip.Addr, conn net.Conn)
+	RemoveEndpoint(fakeIP netip.Addr)
+}

client/iface/device_android.go

@@ -21,4 +21,5 @@ type WGTunDevice interface {
 	FilteredDevice() *device.FilteredDevice
 	Device() *wgdevice.Device
 	GetNet() *netstack.Net
+	GetICEBind() device.EndpointManager
 }

client/iface/iface.go

@@ -80,6 +80,17 @@ func (w *WGIface) GetProxy() wgproxy.Proxy {
 	return w.wgProxyFactory.GetProxy()
 }
 
+// GetBind returns the EndpointManager userspace bind mode.
+func (w *WGIface) GetBind() device.EndpointManager {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	if w.tun == nil {
+		return nil
+	}
+	return w.tun.GetICEBind()
+}
+
 // IsUserspaceBind indicates whether this interfaces is userspace with bind.ICEBind
 func (w *WGIface) IsUserspaceBind() bool {
 	return w.userspaceBind

client/internal/lazyconn/activity/lazy_conn.go

@@ -0,0 +1,82 @@
+package activity
+
+import (
+	"context"
+	"io"
+	"net"
+	"time"
+)
+
+// lazyConn detects activity when WireGuard attempts to send packets.
+// It does not deliver packets, only signals that activity occurred.
+type lazyConn struct {
+	activityCh chan struct{}
+	ctx        context.Context
+	cancel     context.CancelFunc
+}
+
+// newLazyConn creates a new lazyConn for activity detection.
+func newLazyConn() *lazyConn {
+	ctx, cancel := context.WithCancel(context.Background())
+	return &lazyConn{
+		activityCh: make(chan struct{}, 1),
+		ctx:        ctx,
+		cancel:     cancel,
+	}
+}
+
+// Read blocks until the connection is closed.
+func (c *lazyConn) Read(_ []byte) (n int, err error) {
+	<-c.ctx.Done()
+	return 0, io.EOF
+}
+
+// Write signals activity detection when ICEBind routes packets to this endpoint.
+func (c *lazyConn) Write(b []byte) (n int, err error) {
+	if c.ctx.Err() != nil {
+		return 0, io.EOF
+	}
+
+	select {
+	case c.activityCh <- struct{}{}:
+	default:
+	}
+
+	return len(b), nil
+}
+
+// ActivityChan returns the channel that signals when activity is detected.
+func (c *lazyConn) ActivityChan() <-chan struct{} {
+	return c.activityCh
+}
+
+// Close closes the connection.
+func (c *lazyConn) Close() error {
+	c.cancel()
+	return nil
+}
+
+// LocalAddr returns the local address.
+func (c *lazyConn) LocalAddr() net.Addr {
+	return &net.UDPAddr{IP: net.IP{127, 0, 0, 1}, Port: lazyBindPort}
+}
+
+// RemoteAddr returns the remote address.
+func (c *lazyConn) RemoteAddr() net.Addr {
+	return &net.UDPAddr{IP: net.IP{127, 0, 0, 1}, Port: lazyBindPort}
+}
+
+// SetDeadline sets the read and write deadlines.
+func (c *lazyConn) SetDeadline(_ time.Time) error {
+	return nil
+}
+
+// SetReadDeadline sets the deadline for future Read calls.
+func (c *lazyConn) SetReadDeadline(_ time.Time) error {
+	return nil
+}
+
+// SetWriteDeadline sets the deadline for future Write calls.
+func (c *lazyConn) SetWriteDeadline(_ time.Time) error {
+	return nil
+}

client/internal/lazyconn/activity/listener_bind.go

@@ -0,0 +1,127 @@
+package activity
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+	"sync"
+
+	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/internal/lazyconn"
+)
+
+type bindProvider interface {
+	GetBind() device.EndpointManager
+}
+
+const (
+	// lazyBindPort is an obscure port used for lazy peer endpoints to avoid confusion with real peers.
+	// The actual routing is done via fakeIP in ICEBind, not by this port.
+	lazyBindPort = 17473
+)
+
+// BindListener uses lazyConn with bind implementations for direct data passing in userspace bind mode.
+type BindListener struct {
+	wgIface WgInterface
+	peerCfg lazyconn.PeerConfig
+	done    sync.WaitGroup
+
+	lazyConn *lazyConn
+	bind     device.EndpointManager
+	fakeIP   netip.Addr
+}
+
+// NewBindListener creates a listener that passes data directly through bind using LazyConn.
+// It automatically derives a unique fake IP from the peer's NetBird IP in the 127.2.x.x range.
+func NewBindListener(wgIface WgInterface, bind device.EndpointManager, cfg lazyconn.PeerConfig) (*BindListener, error) {
+	fakeIP, err := deriveFakeIP(wgIface, cfg.AllowedIPs)
+	if err != nil {
+		return nil, fmt.Errorf("derive fake IP: %w", err)
+	}
+
+	d := &BindListener{
+		wgIface: wgIface,
+		peerCfg: cfg,
+		bind:    bind,
+		fakeIP:  fakeIP,
+	}
+
+	if err := d.setupLazyConn(); err != nil {
+		return nil, fmt.Errorf("setup lazy connection: %v", err)
+	}
+
+	d.done.Add(1)
+	return d, nil
+}
+
+// deriveFakeIP creates a deterministic fake IP for bind mode based on peer's NetBird IP.
+// Maps peer IP 100.64.x.y to fake IP 127.2.x.y (similar to relay proxy using 127.1.x.y).
+// It finds the peer's actual NetBird IP by checking which allowedIP is in the same subnet as our WG interface.
+func deriveFakeIP(wgIface WgInterface, allowedIPs []netip.Prefix) (netip.Addr, error) {
+	if len(allowedIPs) == 0 {
+		return netip.Addr{}, fmt.Errorf("no allowed IPs for peer")
+	}
+
+	ourNetwork := wgIface.Address().Network
+
+	var peerIP netip.Addr
+	for _, allowedIP := range allowedIPs {
+		ip := allowedIP.Addr()
+		if !ip.Is4() {
+			continue
+		}
+		if ourNetwork.Contains(ip) {
+			peerIP = ip
+			break
+		}
+	}
+
+	if !peerIP.IsValid() {
+		return netip.Addr{}, fmt.Errorf("no peer NetBird IP found in allowed IPs")
+	}
+
+	octets := peerIP.As4()
+	fakeIP := netip.AddrFrom4([4]byte{127, 2, octets[2], octets[3]})
+	return fakeIP, nil
+}
+
+func (d *BindListener) setupLazyConn() error {
+	d.lazyConn = newLazyConn()
+	d.bind.SetEndpoint(d.fakeIP, d.lazyConn)
+
+	endpoint := &net.UDPAddr{
+		IP:   d.fakeIP.AsSlice(),
+		Port: lazyBindPort,
+	}
+	return d.wgIface.UpdatePeer(d.peerCfg.PublicKey, d.peerCfg.AllowedIPs, 0, endpoint, nil)
+}
+
+// ReadPackets blocks until activity is detected on the LazyConn or the listener is closed.
+func (d *BindListener) ReadPackets() {
+	select {
+	case <-d.lazyConn.ActivityChan():
+		d.peerCfg.Log.Infof("activity detected via LazyConn")
+	case <-d.lazyConn.ctx.Done():
+		d.peerCfg.Log.Infof("exit from activity listener")
+	}
+
+	d.peerCfg.Log.Debugf("removing lazy endpoint for peer %s", d.peerCfg.PublicKey)
+	if err := d.wgIface.RemovePeer(d.peerCfg.PublicKey); err != nil {
+		d.peerCfg.Log.Errorf("failed to remove endpoint: %s", err)
+	}
+
+	_ = d.lazyConn.Close()
+	d.bind.RemoveEndpoint(d.fakeIP)
+	d.done.Done()
+}
+
+// Close stops the listener and cleans up resources.
+func (d *BindListener) Close() {
+	d.peerCfg.Log.Infof("closing activity listener (LazyConn)")
+
+	if err := d.lazyConn.Close(); err != nil {
+		d.peerCfg.Log.Errorf("failed to close LazyConn: %s", err)
+	}
+
+	d.done.Wait()
+}