Description
To support a macOS version of a native desktop VPN to Coder workspaces, we plan to use a dynamic library loaded by a host NetworkExtension written in Swift. The dynamic library will be embedded in the full coder binary that includes the Coder server. Coder server will allow downloading the dynamic library just like we do for "slim" client binaries on different operating systems.
This allows our macOS application to seamlessly work with multiple versions of Coder, by downloading the dynamic library from the Coder server you sign into.
The dynamic library will export a function via the C foreign function interface (FFI) that accepts a pair of pipes for bi-directional communication. The function then sets up the CoderVPN Control Protocol (#14731) over the pipes, and implements the "Tunnel" side of the protocol. The macOS application can then start and stop the VPN via this protocol.
To implement the VPN, we use the workspacesdk API to start a tailnet for all the user's workspaces (#14730), including the Router (#14732) and dns.OSConfigurator (#14733) components built for this purpose.
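
As an added illustration (not code from the Coder repository), this is one way the tunnel side could turn the pair of pipe descriptors received over the FFI into a single bidirectional stream in Go, checking that each descriptor really is an open pipe before trusting it. The names `pipeConn`, `isFIFO` and `newPipeConn` are hypothetical, the cgo export wrapper and the CoderVPN Control Protocol itself are omitted, and a Unix-like OS is assumed.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"syscall"
)

// pipeConn joins two one-way pipes into one bidirectional stream.
type pipeConn struct{ r, w *os.File }

func (c *pipeConn) Read(p []byte) (int, error)  { return c.r.Read(p) }
func (c *pipeConn) Write(p []byte) (int, error) { return c.w.Write(p) }
func (c *pipeConn) Close() error                { return errors.Join(c.r.Close(), c.w.Close()) }

// isFIFO reports whether fd is an open descriptor that refers to a pipe.
func isFIFO(fd uintptr) bool {
	var st syscall.Stat_t
	err := syscall.Fstat(int(fd), &st)
	return err == nil && st.Mode&syscall.S_IFMT == syscall.S_IFIFO
}

// newPipeConn (hypothetical name) validates the descriptors handed over by
// the host before the tunnel side uses them, and marks them close-on-exec
// so a child process cannot inherit the control channel.
func newPipeConn(readFD, writeFD uintptr) (io.ReadWriteCloser, error) {
	if readFD == writeFD {
		return nil, errors.New("read and write descriptors must differ")
	}
	for _, fd := range []uintptr{readFD, writeFD} {
		if !isFIFO(fd) {
			return nil, fmt.Errorf("fd %d is not an open pipe", fd)
		}
		syscall.CloseOnExec(int(fd))
	}
	return &pipeConn{os.NewFile(readFD, "host-to-tunnel"), os.NewFile(writeFD, "tunnel-to-host")}, nil
}

func main() {
	// Constructed demo: the host creates both pipes and keeps the opposite ends.
	var toTunnel, toHost [2]int
	if syscall.Pipe(toTunnel[:]) != nil || syscall.Pipe(toHost[:]) != nil {
		panic("pipe creation failed")
	}
	conn, err := newPipeConn(uintptr(toTunnel[0]), uintptr(toHost[1]))
	fmt.Println(conn != nil, err)
}
```

Validation happens before any `os.File` is created, so a rejected call never takes ownership of a descriptor the caller still holds.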