Adds edge connection

Author: luiscape

README.md

@@ -1,8 +1,8 @@
 # vprox
 
-vprox is a high-performance network proxy acting as a split tunnel VPN. The server accepts peering requests from clients, which then establish WireGuard tunnels that direct all traffic on the client's network interface through the server, with IP masquerading.
+vprox is a high-performance network proxy acting as a split tunnel VPN. The server accepts peering requests from clients, which then establish WireGuard tunnels that direct all traffic on the client's network interface through the server, with IP masquerading. It also supports **edge connectors** that allow clients to reach private resources inside a remote VPC through the server.
 
-Both the client and server commands need root access. The server can have multiple public IP addresses attached, and on cloud providers, it automatically uses the instance metadata endpoint to discover its public IP addresses and start one proxy for each.
+Both the client, server, and edge commands need root access. The server can have multiple public IP addresses attached, and on cloud providers, it automatically uses the instance metadata endpoint to discover its public IP addresses and start one proxy for each.
 
 This property allows the server to be high-availability. In the event of a restart or network partition, the tunnels remain open. If the server's IP address is attached to a new host, clients will automatically re-establish connections. This means that IP addresses can be moved to different hosts in event of an outage.
 
@@ -135,6 +135,76 @@ Note that Machine B must be able to send UDP packets to port 50227 on Machine A,
 
 All outbound network traffic seen by `vprox0` will automatically be forwarded through the WireGuard tunnel. The VPN server masquerades the source IP address.
 
+### Edge Connector
+
+The `vprox edge` command deploys an edge connector inside a customer's VPC that makes an **outbound** connection to a vprox server and acts as an exit node into the local network. This allows `connect` clients to access private resources (databases, internal APIs, etc.) in the remote VPC through the server — without opening any inbound ports in the customer's network.
+
+```
+                         WireGuard                          WireGuard
+┌──────────────┐        UDP tunnel        ┌──────────────┐  UDP tunnel  ┌──────────────────┐
+│              │◄────────────────────────► │              │◄────────────►│                  │
+│  connect     │  routes all traffic      │  vprox       │  advertises  │  edge connector  │
+│  client      │  through server          │  server      │  10.0.5.0/24 │  (customer VPC)  │
+│              │                          │  (public)    │              │                  │
+└──────────────┘                          └──────────────┘              └────────┬─────────┘
+  Sees 10.0.5.x                            Routes 10.0.5.0/24                  │
+  traffic go through                       toward edge peer             ┌───────┴────────┐
+  the tunnel                                                            │  Private        │
+                                                                        │  resources      │
+                                                                        │  10.0.5.0/24    │
+                                                                        └────────────────┘
+```
+
+**How it works:**
+
+1. The edge connector makes an outbound HTTPS request to the server (`POST /edge-connect`), advertising which CIDR routes it can reach.
+2. The server registers the edge as a WireGuard peer with `AllowedIPs` set to both the peer's tunnel address and the advertised routes.
+3. When a `connect` client sends a packet to a private IP (e.g. `10.0.5.100`), the server's WireGuard interface routes it to the edge peer.
+4. The edge connector receives the packet, masquerades the source IP, and forwards it into the local VPC network.
+5. Replies follow the same path in reverse.
+
+**Edge setup (inside customer VPC):**
+
+On the edge host, install system requirements:
+
+```bash
+# On Amazon Linux
+sudo dnf install -y iptables wireguard-tools
+sudo sysctl -w net.ipv4.ip_forward=1
+sudo sysctl -w net.ipv4.conf.all.rp_filter=2
+```
+
+Then start the edge connector, pointing it at the vprox server and advertising the local routes:
+
+```bash
+# [Machine C: inside customer VPC, can reach 10.0.5.0/24]
+VPROX_PASSWORD=my-password vprox edge 1.2.3.4 \
+  --routes 10.0.5.0/24 \
+  --interface vprox-edge0
+```
+
+**Full three-machine example:**
+
+```bash
+# [Machine A: vprox server, public IP 1.2.3.4, private IP 172.31.64.125]
+VPROX_PASSWORD=my-password vprox server --ip 172.31.64.125 --wg-block 240.1.0.0/16
+
+# [Machine C: edge connector in customer VPC, can reach 10.0.5.0/24]
+VPROX_PASSWORD=my-password vprox edge 1.2.3.4 --routes 10.0.5.0/24
+
+# [Machine B: connect client]
+VPROX_PASSWORD=my-password vprox connect 1.2.3.4 --interface vprox0
+curl --interface vprox0 http://10.0.5.100:8080   # => reaches private resource
+```
+
+**Notes:**
+
+- The edge connector only requires **outbound** connectivity to the server (UDP port 50227 and TCP port 443). No inbound firewall rules are needed in the customer's VPC.
+- WireGuard's `PersistentKeepalive` (25s) keeps the NAT mapping alive for the outbound UDP tunnel.
+- Multiple edge connectors can connect to the same server as long as their advertised routes don't overlap.
+- The edge automatically reconnects if the tunnel goes unhealthy.
+- The `--routes` flag accepts multiple comma-separated CIDRs (e.g. `--routes 10.0.5.0/24,172.16.0.0/12`).
+
 ### Building
 
 To build `vprox`, run the following command with Go 1.22+ installed:
@@ -164,6 +234,7 @@ On AWS in particular, the `--cloud aws` option allows you to automatically disco
 - Optimized for throughput with automatic MTU, MSS, GSO/GRO, and multi-queue configuration
 - Connection tracking bypass (NOTRACK) for reduced CPU overhead on WireGuard UDP flows
 - OIDC authentication for passwordless auth from Modal containers (`oidc-modal`)
+- Edge connectors for accessing private VPC resources through the server (outbound-only, no inbound ports required)
 
 ## Authors
 

cmd/edge.go

@@ -0,0 +1,172 @@
+package cmd
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"log"
+	"net"
+	"net/http"
+	"net/netip"
+	"os/signal"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/spf13/cobra"
+	"golang.zx2c4.com/wireguard/wgctrl"
+
+	"github.com/modal-labs/vprox/lib"
+)
+
+const edgeHealthCheckInterval = 2 * time.Second
+const edgeHealthCheckTimeout = 5 * time.Second
+const edgeReconnectInterval = 2 * time.Second
+
+var EdgeCmd = &cobra.Command{
+	Use:        "edge [flags] <server-ip>",
+	Short:      "Connect to a VPN server as an edge node, advertising local routes",
+	Args:       cobra.ExactArgs(1),
+	ArgAliases: []string{"server-ip"},
+	RunE:       runEdge,
+}
+
+var edgeCmdArgs struct {
+	ifname string
+	routes string
+}
+
+func init() {
+	EdgeCmd.Flags().StringVar(&edgeCmdArgs.ifname, "interface",
+		"vprox-edge0", "WireGuard interface name for the edge tunnel")
+	EdgeCmd.Flags().StringVar(&edgeCmdArgs.routes, "routes",
+		"", "Comma-separated CIDR prefixes to advertise (e.g. 10.0.5.0/24,172.16.0.0/12)")
+}
+
+func runEdge(cmd *cobra.Command, args []string) error {
+	serverIp, err := netip.ParseAddr(args[0])
+	if err != nil || !serverIp.Is4() {
+		return fmt.Errorf("invalid IPv4 address: %s", args[0])
+	}
+
+	if edgeCmdArgs.routes == "" {
+		return errors.New("missing required flag: --routes")
+	}
+
+	// Parse and validate routes.
+	var routes []netip.Prefix
+	for _, r := range strings.Split(edgeCmdArgs.routes, ",") {
+		r = strings.TrimSpace(r)
+		if r == "" {
+			continue
+		}
+		prefix, err := netip.ParsePrefix(r)
+		if err != nil {
+			return fmt.Errorf("invalid route CIDR %q: %v", r, err)
+		}
+		if !prefix.Addr().Is4() {
+			return fmt.Errorf("only IPv4 routes are supported: %q", r)
+		}
+		routes = append(routes, prefix.Masked())
+	}
+	if len(routes) == 0 {
+		return errors.New("at least one route must be specified with --routes")
+	}
+
+	key, err := lib.GetClientKey(edgeCmdArgs.ifname)
+	if err != nil {
+		return fmt.Errorf("failed to load edge key: %v", err)
+	}
+
+	token, err := lib.GetClientToken()
+	if err != nil {
+		return err
+	}
+
+	wgClient, err := wgctrl.New()
+	if err != nil {
+		return fmt.Errorf("failed to initialize wgctrl: %v", err)
+	}
+
+	edge := &lib.EdgeClient{
+		Key:      key,
+		Ifname:   edgeCmdArgs.ifname,
+		ServerIp: serverIp,
+		Token:    token,
+		Routes:   routes,
+		WgClient: wgClient,
+		Http: &http.Client{
+			Timeout: 5 * time.Second,
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+				DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+					return dialWithRetry(ctx, network, addr)
+				},
+			},
+		},
+	}
+
+	ctx, done := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer done()
+
+	if err := edge.CreateInterface(); err != nil {
+		return err
+	}
+	defer edge.DeleteInterface()
+
+	if err := edge.Connect(); err != nil {
+		return err
+	}
+	defer func() {
+		log.Println("Sending /edge-disconnect request to server.")
+		if err := edge.Disconnect(); err != nil {
+			log.Printf("warning: failed to disconnect from server: %v", err)
+		}
+	}()
+
+	if err := edge.SetupForwarding(); err != nil {
+		return fmt.Errorf("failed to set up forwarding: %v", err)
+	}
+	defer func() {
+		if err := edge.CleanupForwarding(); err != nil {
+			log.Printf("warning: failed to clean up forwarding rules: %v", err)
+		}
+	}()
+
+	log.Printf("Edge connected, advertising routes: %v", routes)
+	if !edge.CheckConnection(edgeHealthCheckTimeout, ctx) {
+		return fmt.Errorf("edge connection failed initial healthcheck after %v", edgeHealthCheckTimeout)
+	}
+
+	for {
+		select {
+		case <-ctx.Done():
+			log.Println("Context done. Returning from runEdge.")
+			return nil
+		case <-time.After(edgeHealthCheckInterval):
+		}
+
+		if !edge.CheckConnection(edgeHealthCheckTimeout, ctx) {
+			log.Println("Edge tunnel unhealthy. Attempting to reconnect...")
+		unhealthy_loop:
+			for {
+				err = edge.Connect()
+				if err == nil {
+					log.Println("Edge reconnected.")
+					break unhealthy_loop
+				}
+				if !lib.IsRecoverableError(err) {
+					return fmt.Errorf("unrecoverable edge connection error: %w", err)
+				}
+				log.Printf("Failed to reconnect edge: %v", err)
+				select {
+				case <-ctx.Done():
+					log.Println("Context done during reconnect. Breaking out.")
+					break unhealthy_loop
+				case <-time.After(edgeReconnectInterval):
+				}
+			}
+		}
+	}
+}