feat: QUIC agent tunnel — protocol, listener, agent client #1738
Draft
irvingouj@Devolutions (irvingoujAtDevolution) wants to merge 1 commit into master from
Conversation
force-pushed 306cb50 to 4201ac9
Add QUIC-based agent tunnel core infrastructure. Agents in private
networks connect outbound to Gateway via QUIC/mTLS, advertise reachable
subnets and domains, and proxy TCP connections on behalf of Gateway.

Protocol (agent-tunnel-proto crate):
- RouteAdvertise with subnets + domain advertisements
- ConnectMessage/ConnectResponse for session stream setup
- Heartbeat/HeartbeatAck for liveness detection
- Protocol version negotiation (v2)

Gateway (agent_tunnel module):
- QUIC listener with mTLS authentication
- Agent registry with subnet/domain tracking
- Certificate authority for agent enrollment
- Enrollment token store (one-time tokens)
- Bidirectional proxy stream multiplexing

Agent (devolutions-agent):
- QUIC client with auto-reconnect and exponential backoff
- Agent enrollment with config merge (preserves existing settings)
- Domain auto-detection (Windows: USERDNSDOMAIN, Linux: resolv.conf)
- Subnet validation on incoming connections
- Certificate file permissions (0o600 on Unix)

API endpoints:
- POST /jet/agent-tunnel/enroll — agent enrollment
- GET /jet/agent-tunnel/agents — list agents
- GET /jet/agent-tunnel/agents/{id} — get agent
- DELETE /jet/agent-tunnel/agents/{id} — delete agent
- POST /jet/agent-tunnel/agents/resolve-target — routing diagnostics

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
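The subnet and domain advertisements, the gateway-side agent registry with subnet/domain tracking, the resolve-target diagnostics and the agent-side subnet validation described in the commit message above are the routing core of this design, so here is a worked example of that logic. The Rust below is an added illustration written for this page, not code from the PR or from the devolutions-gateway repository; the names Cidr, AgentRegistry, AdvertiseError and agent_allows_target, the minimum-prefix-length policy and the longest-match tie-breaking are assumptions of the example, not the project's API. It parses IPv4 CIDRs with the standard library only, rejects an advertisement broader than policy allows (so one agent cannot advertise 0.0.0.0/0 and capture every route), resolves a target IP or hostname to the agent with the most specific advertisement, and shows the mirror-image check an agent should run before dialling the target named in a ConnectMessage.

```rust
use std::collections::HashMap;
use std::net::Ipv4Addr;

/// An IPv4 prefix in CIDR form; `net` is already masked to `len` bits.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Cidr {
    pub net: u32,
    pub len: u8,
}

impl Cidr {
    fn mask(len: u8) -> u32 {
        if len == 0 { 0 } else { u32::MAX << (32 - u32::from(len)) }
    }

    /// Parse "10.1.0.0/16"; rejects malformed addresses and prefix lengths above 32.
    pub fn parse(s: &str) -> Option<Cidr> {
        let (addr, len) = s.split_once('/')?;
        let addr: Ipv4Addr = addr.parse().ok()?;
        let len: u8 = len.parse().ok()?;
        if len > 32 { return None; }
        Some(Cidr { net: u32::from(addr) & Self::mask(len), len })
    }

    pub fn contains(&self, ip: Ipv4Addr) -> bool {
        u32::from(ip) & Self::mask(self.len) == self.net
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum AdvertiseError {
    Malformed(String),
    /// Prefix shorter than the configured minimum (0.0.0.0/0 would hijack every route).
    TooBroad(String),
}

/// Gateway-side registry: what each connected agent claims it can reach.
/// (Hypothetical type for this example; not the project's registry.)
#[derive(Default)]
pub struct AgentRegistry {
    min_prefix_len: u8,
    subnets: HashMap<String, Vec<Cidr>>,
    domains: HashMap<String, Vec<String>>,
}

impl AgentRegistry {
    pub fn new(min_prefix_len: u8) -> Self {
        AgentRegistry { min_prefix_len, ..Default::default() }
    }

    /// Replace an agent's advertisements. Every entry is validated before the
    /// registry is touched, so a bad RouteAdvertise leaves the old routes intact.
    pub fn advertise(&mut self, agent: &str, subnets: &[&str], domains: &[&str]) -> Result<(), AdvertiseError> {
        let mut parsed = Vec::with_capacity(subnets.len());
        for s in subnets {
            let c = Cidr::parse(s).ok_or_else(|| AdvertiseError::Malformed(s.to_string()))?;
            if c.len < self.min_prefix_len {
                return Err(AdvertiseError::TooBroad(s.to_string()));
            }
            parsed.push(c);
        }
        let doms: Vec<String> = domains.iter().map(|d| d.trim_end_matches('.').to_ascii_lowercase()).collect();
        if doms.iter().any(|d| d.is_empty()) {
            return Err(AdvertiseError::Malformed("empty domain".into()));
        }
        self.subnets.insert(agent.to_string(), parsed);
        self.domains.insert(agent.to_string(), doms);
        Ok(())
    }

    pub fn remove(&mut self, agent: &str) {
        self.subnets.remove(agent);
        self.domains.remove(agent);
    }

    /// Longest-prefix match across all agents; ties go to the lexically smaller
    /// agent id so diagnostics are deterministic.
    pub fn resolve_ip(&self, ip: Ipv4Addr) -> Option<(String, Cidr)> {
        let mut best: Option<(&String, Cidr)> = None;
        for (agent, cidrs) in &self.subnets {
            for c in cidrs.iter().filter(|c| c.contains(ip)) {
                let better = match best {
                    None => true,
                    Some((a, b)) => c.len > b.len || (c.len == b.len && agent < a),
                };
                if better { best = Some((agent, *c)); }
            }
        }
        best.map(|(a, c)| (a.clone(), c))
    }

    /// Longest-suffix match on whole DNS labels: "db.corp.example" matches
    /// "corp.example", but "corp.example.evil" does not.
    pub fn resolve_domain(&self, host: &str) -> Option<String> {
        let host = host.trim_end_matches('.').to_ascii_lowercase();
        let mut best: Option<(&String, &String)> = None;
        for (agent, doms) in &self.domains {
            for d in doms {
                if !(host == *d || host.ends_with(&format!(".{d}"))) { continue; }
                let better = match best {
                    None => true,
                    Some((a, b)) => d.len() > b.len() || (d.len() == b.len() && agent < a),
                };
                if better { best = Some((agent, d)); }
            }
        }
        best.map(|(a, _)| a.clone())
    }
}

/// Agent-side check on an incoming connect request: only dial targets inside
/// what this agent itself advertised, even if Gateway asks for something else.
pub fn agent_allows_target(advertised: &[Cidr], target: Ipv4Addr) -> bool {
    advertised.iter().any(|c| c.contains(target))
}
```

The agent-side check matters because the Gateway is a TLS-authenticated peer, not a trusted one: a compromised Gateway (or a bug in its resolver) must not be able to turn an agent into an open proxy for addresses it never advertised.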
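The one-time enrollment token store listed under the Gateway items above is small but has sharp edges: a token must work exactly once, must stop working after its TTL even if never presented, and is better burned than retried when presented incorrectly. The Rust below is an added example for this page, not the PR's implementation; EnrollmentTokenStore, RedeemError and the optional binding of a token to an agent name are the example's own assumptions. Time is passed in as Unix seconds so the behaviour can be exercised without a clock. Token generation and at-rest hashing are left to the caller: a real store should generate tokens from an OS RNG and key the map by a hash of the token rather than the token itself.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq, Eq)]
pub enum RedeemError {
    /// Never issued, already used, or burned by an earlier failed attempt.
    Unknown,
    Expired,
    /// Token was issued for a different agent name than the one enrolling.
    WrongAgent,
}

struct TokenRecord {
    expires_at: u64,            // Unix seconds
    bound_agent: Option<String>, // None = any agent may redeem it
}

/// Hypothetical one-time token store for this example (not the project's type).
#[derive(Default)]
pub struct EnrollmentTokenStore {
    tokens: HashMap<String, TokenRecord>,
}

impl EnrollmentTokenStore {
    /// Register a freshly generated token; `now` and `ttl_secs` are explicit so
    /// the store is testable without a clock.
    pub fn issue(&mut self, token: &str, ttl_secs: u64, now: u64, bound_agent: Option<&str>) {
        self.tokens.insert(
            token.to_string(),
            TokenRecord { expires_at: now + ttl_secs, bound_agent: bound_agent.map(str::to_string) },
        );
    }

    /// Consume the token. It is removed before any other check, so a replay,
    /// an expired token, or a mis-bound token can never be retried.
    pub fn redeem(&mut self, token: &str, agent: &str, now: u64) -> Result<(), RedeemError> {
        let rec = self.tokens.remove(token).ok_or(RedeemError::Unknown)?;
        if now >= rec.expires_at {
            return Err(RedeemError::Expired);
        }
        if let Some(bound) = &rec.bound_agent {
            if bound.as_str() != agent {
                return Err(RedeemError::WrongAgent);
            }
        }
        Ok(())
    }

    /// Drop tokens that expired without being redeemed; returns how many were removed.
    pub fn purge_expired(&mut self, now: u64) -> usize {
        let before = self.tokens.len();
        self.tokens.retain(|_, r| now < r.expires_at);
        before - self.tokens.len()
    }

    pub fn len(&self) -> usize {
        self.tokens.len()
    }
}
```

Removing the record before validating it is the deliberate choice here: the alternative (check, then remove on success) leaves a window in which an expired or mis-bound token sits in the store and can be probed repeatedly.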
force-pushed 4201ac9 to 05347b8
Summary
Add QUIC-based agent tunnel core infrastructure. Agents in private networks connect outbound to Gateway via QUIC/mTLS, advertise reachable subnets and domains, and proxy TCP connections on behalf of Gateway.
This is PR 1 of 4 in a stacked PR series:
What's included
Protocol (crates/agent-tunnel-proto/):
Gateway (devolutions-gateway/src/agent_tunnel/):
Agent (devolutions-agent/):
API endpoints:
- POST /jet/agent-tunnel/enroll
- GET /jet/agent-tunnel/agents
- GET/DELETE /jet/agent-tunnel/agents/{id}
- POST /jet/agent-tunnel/agents/resolve-target
Test plan
- cargo check -p devolutions-gateway -p devolutions-agent --release
- cargo test -p devolutions-gateway --release --lib -- agent_tunnel
- cargo test -p agent-tunnel-proto --release
🤖 Generated with Claude Code
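Three of the session mechanics this PR describes (protocol version negotiation, Heartbeat/HeartbeatAck liveness detection, and the agent's auto-reconnect with exponential backoff) can be shown together in one short Rust example. This is an added illustration for this page, not code from the PR; negotiate_version, Liveness and reconnect_delay, the version numbers used, the "three missed heartbeats" threshold and the equal-jitter backoff shape are all assumptions of the example. Time is an explicit monotonic offset rather than Instant::now() so the logic is deterministic, and the jitter comes from a tiny xorshift generator so the block runs offline; an agent would draw jitter from an OS RNG instead.

```rust
use std::time::Duration;

/// Pick the highest protocol version both sides implement. `None` means the
/// connection must be refused rather than silently downgraded.
pub fn negotiate_version(offered: &[u16], supported: &[u16]) -> Option<u16> {
    offered.iter().copied().filter(|v| supported.contains(v)).max()
}

/// Heartbeat bookkeeping for one agent session (hypothetical type for this example).
/// Time is a monotonic offset passed in by the caller.
pub struct Liveness {
    interval: Duration,
    max_missed: u32,
    last_ack: Duration,
}

impl Liveness {
    pub fn new(interval: Duration, max_missed: u32, now: Duration) -> Self {
        Liveness { interval, max_missed, last_ack: now }
    }

    pub fn on_heartbeat_ack(&mut self, now: Duration) {
        self.last_ack = now;
    }

    /// Whole heartbeat intervals elapsed since the last ack.
    pub fn missed(&self, now: Duration) -> u32 {
        (now.saturating_sub(self.last_ack).as_millis() / self.interval.as_millis().max(1)) as u32
    }

    /// The session is declared dead once `max_missed` consecutive acks are missing.
    pub fn is_alive(&self, now: Duration) -> bool {
        self.missed(now) < self.max_missed
    }
}

/// Exponential backoff with equal jitter: the delay doubles per attempt up to
/// `cap`, then lands uniformly in [capped/2, capped], so it is never zero and
/// never above the cap. The shift is clamped so large attempt counts cannot overflow.
pub fn reconnect_delay(attempt: u32, base: Duration, cap: Duration, seed: u64) -> Duration {
    let exp = base.saturating_mul(1u32 << attempt.min(20));
    let capped = exp.min(cap);
    // xorshift64 step: deterministic stand-in for an OS RNG in this example.
    let mut x = seed | 1;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    let frac = (x % 1_000) as f64 / 1_000.0; // in [0, 1)
    capped / 2 + (capped / 2).mul_f64(frac)
}
```

Refusing to connect when negotiation yields `None` is the safe default: a client that falls back to an older protocol on mismatch hands a network attacker a downgrade path.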