Closed
Description
To implement the CoderVPN feature, we'll use a Network Extension PacketTunnelProvider. It extends the abstract base class NEPacketTunnelProvider. From this process, we will contact the Coder Server and download a dynamic library (dylib), written in Go using cgo for C FFI bindings (coder/coder#14734).
After downloading the CoderVPN library, we should check the digital signature on it before exec'ing it. We should verify the following fields:
- kSecCodeInfoIdentifier
  - validate it is the CoderVPN library
- kSecCodeInfoRuntimeVersion
  - validating the expected version can help mitigate an attacker maliciously forcing downgrade to an old version to exploit a vulnerability we've since patched
- kSecCodeInfoTeamIdentifier
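One way to perform those three checks with the Security framework before the dylib is handed to dlopen, as an added example that is not code from this issue or from the Coder project. The identifier, team ID and minimum version are hypothetical placeholders; the requirement string binds identifier and team to the validity check itself, and the info dictionary is only consulted after validity has been established.

```swift
import Foundation
import Security
// Placeholder expectations (hypothetical, not Coder's real values); in practice
// they come from the build pipeline and the version the server advertised.
let expectedIdentifier = "com.example.codervpn"
let expectedTeamID = "ABCDE12345"
let minimumRuntimeVersion = 0x0A0E00 // version number as encoded in the signature
enum DylibVerifyError: Error {
    case securityStatus(OSStatus, String)
    case mismatch(String)
}
private func check(_ status: OSStatus, _ call: String) throws {
    guard status == errSecSuccess else { throw DylibVerifyError.securityStatus(status, call) }
}
/// Validates the downloaded dylib's signature; call before dlopen and never load a rejected file.
func verifyCoderVPNLibrary(at path: String) throws -> [String: Any] {
    var staticCode: SecStaticCode?
    try check(SecStaticCodeCreateWithPath(URL(fileURLWithPath: path) as CFURL, SecCSFlags(), &staticCode),
              "SecStaticCodeCreateWithPath")
    guard let code = staticCode else { throw DylibVerifyError.mismatch("no static code object") }
    // Bind identifier and team to the validity check itself, so a validly signed
    // library from another team fails inside the Security framework rather than
    // in a later string comparison. Production code would also pin the
    // Developer ID certificate extensions in this requirement.
    let requirementText = "anchor apple generic and identifier \"\(expectedIdentifier)\" " +
        "and certificate leaf[subject.OU] = \"\(expectedTeamID)\""
    var requirement: SecRequirement?
    try check(SecRequirementCreateWithString(requirementText as CFString, SecCSFlags(), &requirement),
              "SecRequirementCreateWithString")
    let validityFlags = SecCSFlags(rawValue: UInt32(kSecCSCheckAllArchitectures | kSecCSStrictValidate))
    try check(SecStaticCodeCheckValidity(code, validityFlags, requirement), "SecStaticCodeCheckValidity")
    // The info dictionary is only meaningful once validity has been established.
    var infoRef: CFDictionary?
    let infoFlags = SecCSFlags(rawValue: UInt32(kSecCSSigningInformation))
    try check(SecCodeCopySigningInformation(code, infoFlags, &infoRef), "SecCodeCopySigningInformation")
    guard let info = infoRef as? [String: Any] else { throw DylibVerifyError.mismatch("no signing info") }
    guard info[kSecCodeInfoIdentifier as String] as? String == expectedIdentifier else {
        throw DylibVerifyError.mismatch("unexpected identifier")
    }
    guard info[kSecCodeInfoTeamIdentifier as String] as? String == expectedTeamID else {
        throw DylibVerifyError.mismatch("unexpected team identifier")
    }
    // Reject anything below the minimum we ship, so a forced downgrade fails here.
    guard let runtime = info[kSecCodeInfoRuntimeVersion as String] as? Int,
          runtime >= minimumRuntimeVersion else {
        throw DylibVerifyError.mismatch("runtime version below minimum")
    }
    return info
}
```

The check and the later dlopen are separate steps on the same path, so the file should live somewhere only the extension can write, or the window between the two becomes a swap opportunity.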
After verifying the digital signature, the NetworkExtension creates a pair of pipes to communicate with the CoderVPN library (via #1), and opens the library via dlopen. Then it starts the VPN, passing the pipes.
Over the CoderVPN Protocol it receives:
- Peer status updates, which it sends to the user application
- Logs, which it sends to the system log via native APIs
- Network Settings (IP and DNS config), which it uses to configure networking via setTunnelNetworkSettings()