feat: QUIC agent tunnel — protocol, listener, agent client#1738
Open
irvingouj@Devolutions (irvingoujAtDevolution) wants to merge 9 commits intomasterfrom
Open
feat: QUIC agent tunnel — protocol, listener, agent client#1738irvingouj@Devolutions (irvingoujAtDevolution) wants to merge 9 commits intomasterfrom
irvingouj@Devolutions (irvingoujAtDevolution) wants to merge 9 commits intomasterfrom
Conversation
irvingouj@Devolutions (irvingoujAtDevolution)
force-pushed
the
feat/quic-tunnel-1-core
branch
11 times, most recently
from
1ab42a3 to
38e79d3
Compare
Contributor
Author
QUIC Agent Tunnel — Technical Specification1. EnrollmentHow an agent gets its certificateKey property: the private key never leaves the agent machine. Enrollment tokenThe enrollment token is either:
2. Stream MultiplexingOne QUIC connection, many independent streamsEach stream is independently ordered. How a new session is established
No new QUIC handshake is needed — streams are opened instantly on the existing connection. Message encodingAll control and session setup messages use length-prefixed bincode: After Size limits
Limits are enforced on the length prefix (before reading the payload) and on the bincode deserializer (prevents crafted payloads with huge internal Vec lengths). 3. User ExperienceNetwork topologyAdmin setup (one-time)
End-user workflow (daily use)The user has no awareness of the agent. From their perspective:
What happens behind the scenes: No VPN. No inbound firewall rules on the office network. No routing configuration. Transparent routing rulesWhen a connection request arrives, the gateway evaluates routing in priority order:
When multiple agents match the same target, the most recently seen agent is tried first. Resilience
|
1 similar comment
Contributor
Author
QUIC Agent Tunnel — Technical Specification1. EnrollmentHow an agent gets its certificateKey property: the private key never leaves the agent machine. Enrollment tokenThe enrollment token is either:
2. Stream MultiplexingOne QUIC connection, many independent streamsEach stream is independently ordered. How a new session is established
No new QUIC handshake is needed — streams are opened instantly on the existing connection. Message encodingAll control and session setup messages use length-prefixed bincode: After Size limits
Limits are enforced on the length prefix (before reading the payload) and on the bincode deserializer (prevents crafted payloads with huge internal Vec lengths). 3. User ExperienceNetwork topologyAdmin setup (one-time)
End-user workflow (daily use)The user has no awareness of the agent. From their perspective:
What happens behind the scenes: No VPN. No inbound firewall rules on the office network. No routing configuration. Transparent routing rulesWhen a connection request arrives, the gateway evaluates routing in priority order:
When multiple agents match the same target, the most recently seen agent is tried first. Resilience
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds the first slice of a QUIC/mTLS “agent tunnel” system: a shared binary protocol crate, a Gateway-side QUIC listener/registry/enrollment API, and an Agent-side enrollment + reconnecting tunnel client. This enables routing Gateway-initiated TCP proxy sessions through outbound-connected agents (for private-network reachability).
Changes:
- Introduces
agent-tunnel-protocrate (control/session messages, framing, protocol versioning). - Adds Gateway agent-tunnel core (
agent_tunnelmodule), config wiring, REST endpoints, and token claim support (jet_agent_id) used in the forwarding path. - Adds Agent enrollment/bootstrap + QUIC tunnel client with auto-reconnect and domain auto-detection.
Reviewed changes
Copilot reviewed 35 out of 36 changed files in this pull request and generated 13 comments.
Show a summary per file
| File | Description |
|---|---|
| devolutions-gateway/tests/config.rs | Updates config samples to include agent_tunnel field. |
| devolutions-gateway/src/token.rs | Adds jet_agent_id to association claims; adjusts scope token claims serialization/visibility. |
| devolutions-gateway/src/service.rs | Initializes and registers the agent-tunnel listener task when enabled. |
| devolutions-gateway/src/ngrok.rs | Threads agent_tunnel_handle into the TCP tunnel client path. |
| devolutions-gateway/src/middleware/auth.rs | Adds auth exception for /jet/agent-tunnel/enroll (self-auth via bearer token). |
| devolutions-gateway/src/listener.rs | Threads agent_tunnel_handle into the generic client path. |
| devolutions-gateway/src/lib.rs | Exposes agent_tunnel module and adds agent_tunnel_handle to DgwState. |
| devolutions-gateway/src/generic_client.rs | Uses jet_agent_id to route Fwd connections through the agent tunnel. |
| devolutions-gateway/src/extract.rs | Adds request extractors for agent-management read/write access control. |
| devolutions-gateway/src/config.rs | Adds AgentTunnelConf to Gateway config DTO and runtime config. |
| devolutions-gateway/src/api/webapp.rs | Ensures new jet_agent_id claim is present (set to None) when minting tokens. |
| devolutions-gateway/src/api/mod.rs | Nests the new /jet/agent-tunnel/* router. |
| devolutions-gateway/src/api/agent_enrollment.rs | Implements enrollment + agent management endpoints (list/get/delete/resolve-target). |
| devolutions-gateway/src/agent_tunnel/mod.rs | Declares agent-tunnel submodules and re-exports core types. |
| devolutions-gateway/src/agent_tunnel/listener.rs | QUIC UDP listener event loop + proxy-stream request dispatching. |
| devolutions-gateway/src/agent_tunnel/enrollment_store.rs | In-memory single-use enrollment token store with expiry. |
| devolutions-gateway/src/agent_tunnel/stream.rs | Tokio AsyncRead/AsyncWrite wrapper over QUIC streams via channels. |
| devolutions-gateway/src/agent_tunnel/registry.rs | Agent registry with heartbeat liveness + subnet/domain routing selection. |
| devolutions-gateway/src/agent_tunnel/connection.rs | Managed quiche connection: handshake identity, control parsing, proxy stream setup. |
| devolutions-gateway/src/agent_tunnel/cert.rs | CA manager for enrollment signing + server cert issuance and cert parsing helpers. |
| devolutions-gateway/Cargo.toml | Adds QUIC/proto/cert/routing dependencies for the tunnel feature. |
| devolutions-agent/src/service.rs | Registers TunnelTask when tunnel is enabled; fixes conf_handle cloning for RDP task. |
| devolutions-agent/src/main.rs | Adds CLI support for enroll/up bootstrap flows and parsing helpers + tests. |
| devolutions-agent/src/lib.rs | Exposes new modules: tunnel, enrollment, domain_detect. |
| devolutions-agent/src/enrollment.rs | Implements enrollment request + persistence of certs/config merge. |
| devolutions-agent/src/domain_detect.rs | Adds Windows/Linux DNS domain auto-detection helper. |
| devolutions-agent/src/tunnel.rs | Implements reconnecting QUIC client + control/session stream handling and TCP proxying. |
| devolutions-agent/src/config.rs | Adds tunnel config section; makes save_config/get_conf_file_path public. |
| devolutions-agent/Cargo.toml | Adds proto/quiche/reqwest/rcgen dependencies and Windows feature for domain detection. |
| crates/agent-tunnel-proto/src/lib.rs | Defines the protocol crate API surface and exports. |
| crates/agent-tunnel-proto/src/version.rs | Adds protocol version constants + validation helper. |
| crates/agent-tunnel-proto/src/error.rs | Defines protocol-level error types. |
| crates/agent-tunnel-proto/src/control.rs | Adds control-plane message definitions + framed encode/decode. |
| crates/agent-tunnel-proto/src/session.rs | Adds session-plane message definitions + framed encode/decode. |
| crates/agent-tunnel-proto/Cargo.toml | New crate manifest and dependencies. |
| Cargo.lock | Locks new dependencies introduced for QUIC, cert handling, registry, and protocol crate. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
irvingouj@Devolutions (irvingoujAtDevolution)
force-pushed
the
feat/quic-tunnel-1-core
branch
11 times, most recently
from
a9f13e5 to
884be54
Compare
irvingouj@Devolutions (irvingoujAtDevolution)
force-pushed
the
feat/quic-tunnel-1-core
branch
from
884be54 to
a61aef3
Compare
Copilot started reviewing on behalf of
irvingouj@Devolutions (irvingoujAtDevolution)
April 7, 2026 01:05
View session
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 34 out of 35 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
irvingouj@Devolutions (irvingoujAtDevolution)
force-pushed
the
feat/quic-tunnel-1-core
branch
6 times, most recently
from
f1e6317 to
744bf2f
Compare
irvingouj@Devolutions (irvingoujAtDevolution)
marked this pull request as ready for review
This was referenced Apr 7, 2026
Add QUIC-based agent tunnel core infrastructure. Agents in private
networks connect outbound to Gateway via QUIC/mTLS, advertise reachable
subnets and domains, and proxy TCP connections on behalf of Gateway.
Protocol (agent-tunnel-proto crate):
- RouteAdvertise with subnets + domain advertisements
- ConnectMessage/ConnectResponse for session stream setup
- Heartbeat/HeartbeatAck for liveness detection
- Protocol version negotiation (v2)
Gateway (agent_tunnel module):
- QUIC listener with mTLS authentication
- Agent registry with subnet/domain tracking
- Certificate authority for agent enrollment
- Enrollment token store (one-time tokens)
- Bidirectional proxy stream multiplexing
Agent (devolutions-agent):
- QUIC client with auto-reconnect and exponential backoff
- Agent enrollment with config merge (preserves existing settings)
- Domain auto-detection (Windows: USERDNSDOMAIN, Linux: resolv.conf)
- Subnet validation on incoming connections
- Certificate file permissions (0o600 on Unix)
API endpoints:
- POST /jet/agent-tunnel/enroll — agent enrollment
- GET /jet/agent-tunnel/agents — list agents
- GET /jet/agent-tunnel/agents/{id} — get agent
- DELETE /jet/agent-tunnel/agents/{id} — delete agent
- POST /jet/agent-tunnel/agents/resolve-target — routing diagnostics
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- ConnectMessage → ConnectRequest (precise naming) - Move encode/decode into ControlStream/SessionStream wrappers (actor-on-object: ctrl.send(&msg) instead of msg.encode(&mut stream)) - ControlStream.into_split() → ControlSendStream + ControlRecvStream (compile-time separation, no phantom halves) - From<(S, R)> for stream wrappers (connection.open_bi().await?.into()) - Rename spawned tasks: run_control_reader, run_session_proxy, run_agent_connection, run_control_loop - Spawned tasks own args and handle errors internally - Collect JoinHandles, abort all on shutdown - Extract helpers to tunnel_helpers.rs - Document backoff strategy with examples Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- CaManager::load_or_generate returns Arc<Self> directly - Rename enrollment token consume → redeem - Remove unused resolve-target API endpoint + helpers + tests - Remove routing methods from registry (PR2 scope) - Remove Option from RouteAdvertisementState (empty = no routes) - Target enum for typed IP vs domain parsing - Prefix variables clearly (server_cert_*, ca_*) - Add TODO for traffic audit and Windows DACL - Backoff strategy documented with examples Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Address review feedback from Benoit and Marc-André: - Rename HTTP mountpoint /jet/agent-tunnel → /jet/tunnel - Replace SkipHostnameVerification with SpkiPinnedVerifier that performs full chain + hostname + SPKI pin validation - Enrollment response now includes server_spki_sha256 for pinning - Agent sends machine hostname; gateway adds it as DNS SAN alongside the UUID SAN (dual names for future direct connectivity) - Agent connects using real gateway hostname instead of dummy value - Move sha2/hex to cross-platform deps, add x509-parser + hostname Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove agent_name from EnrollResponse (agent knows it already) - Agent generates its own UUID and sends it in EnrollRequest - Rename api/agent_enrollment.rs → api/tunnel.rs (match endpoint) - Use backoff crate for reconnect loop (same pattern as subscriber.rs) - ALPN: "devolutions-agent-tunnel" → "gw-agent-tunnel/1" (versioned) - Protocol version: 2 → 1 (previous was experimental, start fresh) - Move session tests to integration test file (public API only) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- SanType::Rfc822Name → SanType::URI for urn:uuid: (correct X.509 type) - GeneralName::RFC822Name → GeneralName::URI in extraction - Reject duplicate agent UUID on enrollment (409 Conflict) - tokio::join! instead of select! for session proxy (prevents data loss) - JoinSet instead of Vec<JoinHandle> (prevents unbounded growth) - Timeout (30s) on session handshake recv_request/recv_response - Fix typos: "redeemd" → "redeemed" Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Move current_time_millis() to agent-tunnel-proto (R1: eliminate duplication) - Delete DomainInfo, use DomainAdvertisement directly in AgentInfo (R2) - Merge enroll_agent/bootstrap_and_persist into single function (I1) - Agent task_handles: Vec<JoinHandle> → JoinSet with reaping (I4) - Same-epoch route refresh: mutate updated_at in place, no clone (I5) - Add #[must_use] on enrollment_store::redeem() (I6) - connect_via_agent: cleaner error extraction with if-let (I3) - Add TODO for active_stream_count tracking (I2) - SECS_PER_DAY constant replaces magic 86400 (P4) - Consistent .context() for ProtoError instead of map_err (P7) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
irvingouj@Devolutions (irvingoujAtDevolution)
force-pushed
the
feat/quic-tunnel-1-core
branch
from
8638365 to
ad3d3a0
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 38 out of 39 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Hoist protocol version validation before match in both gateway and agent control loops (single check, no per-variant boilerplate) - Validate ConnectResponse protocol version in connect_via_agent - ServerCertStatus enum for ensure_server_cert (expiry + hostname SAN) - send.finish() after proxy copy (graceful QUIC EOF) - Fix constant_time_eq doc (inaccurate timing claim) - Extract ALPN to agent_tunnel_proto::ALPN_PROTOCOL constant - Destruct EnrollResponse at parameter level for readability - ValidatedTunnelConf: make wrong state unrepresentable at type level (dto::TunnelConf for JSON, TunnelConf for runtime with non-optional fields) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Comment on lines
+158
to
+175
| fn parse_enrollment_string(value: &str) -> Result<EnrollmentStringPayload> { | ||
| const PREFIX: &str = "dgw-enroll:v1:"; | ||
|
|
||
| let encoded = value.strip_prefix(PREFIX).context("invalid enrollment string prefix")?; | ||
|
|
||
| let decoded = base64::engine::general_purpose::URL_SAFE_NO_PAD | ||
| .decode(encoded) | ||
| .context("invalid base64 enrollment string")?; | ||
|
|
||
| let payload: EnrollmentStringPayload = | ||
| serde_json::from_slice(&decoded).context("invalid enrollment string payload")?; | ||
|
|
||
| if payload.version != 1 { | ||
| bail!("unsupported enrollment string version: {}", payload.version); | ||
| } | ||
|
|
||
| Ok(payload) | ||
| } |
There was a problem hiding this comment.
suggestion: Switch to JWT instead of a custom format
There was a problem hiding this comment.
suggestion: Use the same approach as jmux-proto. Do not use serde and bincode.
| base64 = "0.22" | ||
| bincode = "1.3" | ||
| ipnetwork = "0.20" | ||
| dashmap = "6.1" |
There was a problem hiding this comment.
question: Do we really need dashmap?
There was a problem hiding this comment.
suggestion: I see a lot of new dependencies. Maybe reevaluate the dependencies what is absolutely necessary and what could be removed. I see pull multiple libraries to parse PEM files… Pretty sure we already had something before pem and rustls-pem.
There was a problem hiding this comment.
suggestion: Extract more logic into a separate crate, the same way we did for the network scanner. agent-tunnel-proto (already existing) + agent-tunnel.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
QUIC-based agent tunnel (PR 1 of 4). Agents in private networks connect outbound to Gateway via QUIC/mTLS, advertise reachable subnets and domains, and proxy TCP connections. Pure Rust (Quinn + rustls), zero C dependencies.
See Technical Spec for protocol details.
PR stack
Highlights
🤖 Generated with Claude Code