netbirdio · lixmal · Oct 16, 2025 · Oct 15, 2025 · Oct 16, 2025 · Oct 16, 2025
diff --git a/client/iface/device.go b/client/iface/device.go
@@ -23,4 +23,5 @@ type WGTunDevice interface {
 	FilteredDevice() *device.FilteredDevice
 	Device() *wgdevice.Device
 	GetNet() *netstack.Net
+	GetICEBind() device.EndpointManager
 }
diff --git a/client/iface/device/device_android.go b/client/iface/device/device_android.go
@@ -150,6 +150,11 @@ func (t *WGTunDevice) GetNet() *netstack.Net {
 	return nil
 }
 
+// GetICEBind returns the ICEBind instance
+func (t *WGTunDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}
+
 func routesToString(routes []string) string {
 	return strings.Join(routes, ";")
 }

diff --git a/client/iface/device/device_darwin.go b/client/iface/device/device_darwin.go
@@ -154,3 +154,8 @@ func (t *TunDevice) assignAddr() error {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns the ICEBind instance
+func (t *TunDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}
diff --git a/client/iface/device/device_ios.go b/client/iface/device/device_ios.go
@@ -144,3 +144,8 @@ func (t *TunDevice) FilteredDevice() *FilteredDevice {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns the ICEBind instance
+func (t *TunDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}
diff --git a/client/iface/device/device_kernel_unix.go b/client/iface/device/device_kernel_unix.go
@@ -179,3 +179,8 @@ func (t *TunKernelDevice) assignAddr() error {
 func (t *TunKernelDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns nil for kernel mode devices
+func (t *TunKernelDevice) GetICEBind() EndpointManager {
+	return nil
+}
diff --git a/client/iface/device/device_netstack.go b/client/iface/device/device_netstack.go
@@ -21,6 +21,7 @@ type Bind interface {
 	conn.Bind
 	GetICEMux() (*udpmux.UniversalUDPMuxDefault, error)
 	ActivityRecorder() *bind.ActivityRecorder
+	EndpointManager
 }
 
 type TunNetstackDevice struct {
@@ -155,3 +156,8 @@ func (t *TunNetstackDevice) Device() *device.Device {
 func (t *TunNetstackDevice) GetNet() *netstack.Net {
 	return t.net
 }
+
+// GetICEBind returns the bind instance
+func (t *TunNetstackDevice) GetICEBind() EndpointManager {
+	return t.bind
+}
diff --git a/client/iface/device/device_usp_unix.go b/client/iface/device/device_usp_unix.go
@@ -146,3 +146,8 @@ func (t *USPDevice) assignAddr() error {
 func (t *USPDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns the ICEBind instance
+func (t *USPDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}
diff --git a/client/iface/device/device_windows.go b/client/iface/device/device_windows.go
@@ -185,3 +185,8 @@ func (t *TunDevice) assignAddr() error {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns the ICEBind instance
+func (t *TunDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}
diff --git a/client/iface/device/endpoint_manager.go b/client/iface/device/endpoint_manager.go
@@ -0,0 +1,13 @@
+package device
+
+import (
+	"net"
+	"net/netip"
+)
+
+// EndpointManager manages fake IP to connection mappings for userspace bind implementations.
+// Implemented by bind.ICEBind and bind.RelayBindJS.
+type EndpointManager interface {
+	SetEndpoint(fakeIP netip.Addr, conn net.Conn)
+	RemoveEndpoint(fakeIP netip.Addr)
+}
diff --git a/client/iface/device_android.go b/client/iface/device_android.go
@@ -21,4 +21,5 @@ type WGTunDevice interface {
 	FilteredDevice() *device.FilteredDevice
 	Device() *wgdevice.Device
 	GetNet() *netstack.Net
+	GetICEBind() device.EndpointManager
 }
diff --git a/client/iface/iface.go b/client/iface/iface.go
@@ -80,6 +80,17 @@ func (w *WGIface) GetProxy() wgproxy.Proxy {
 	return w.wgProxyFactory.GetProxy()
 }
 
+// GetBind returns the EndpointManager userspace bind mode.
+func (w *WGIface) GetBind() device.EndpointManager {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	if w.tun == nil {
+		return nil
+	}
+	return w.tun.GetICEBind()
+}
+
 // IsUserspaceBind indicates whether this interfaces is userspace with bind.ICEBind
 func (w *WGIface) IsUserspaceBind() bool {
 	return w.userspaceBind

diff --git a/client/internal/lazyconn/activity/lazy_conn.go b/client/internal/lazyconn/activity/lazy_conn.go
@@ -0,0 +1,82 @@
+package activity
+
+import (
+	"context"
+	"io"
+	"net"
+	"time"
+)
+
+// lazyConn detects activity when WireGuard attempts to send packets.
+// It does not deliver packets, only signals that activity occurred.
+type lazyConn struct {
+	activityCh chan struct{}
+	ctx        context.Context
+	cancel     context.CancelFunc
+}
+
+// newLazyConn creates a new lazyConn for activity detection.
+func newLazyConn() *lazyConn {
+	ctx, cancel := context.WithCancel(context.Background())
+	return &lazyConn{
+		activityCh: make(chan struct{}, 1),
+		ctx:        ctx,
+		cancel:     cancel,
+	}
+}
+
+// Read blocks until the connection is closed.
+func (c *lazyConn) Read(_ []byte) (n int, err error) {
+	<-c.ctx.Done()
+	return 0, io.EOF
+}
+
+// Write signals activity detection when ICEBind routes packets to this endpoint.
+func (c *lazyConn) Write(b []byte) (n int, err error) {
+	if c.ctx.Err() != nil {
+		return 0, io.EOF
+	}
+
+	select {
+	case c.activityCh <- struct{}{}:
+	default:
+	}
+
+	return len(b), nil
+}
+
+// ActivityChan returns the channel that signals when activity is detected.
+func (c *lazyConn) ActivityChan() <-chan struct{} {
+	return c.activityCh
+}
+
+// Close closes the connection.
+func (c *lazyConn) Close() error {
+	c.cancel()
+	return nil
+}
+
+// LocalAddr returns the local address.
+func (c *lazyConn) LocalAddr() net.Addr {
+	return &net.UDPAddr{IP: net.IP{127, 0, 0, 1}, Port: lazyBindPort}
+}
+
+// RemoteAddr returns the remote address.
+func (c *lazyConn) RemoteAddr() net.Addr {
+	return &net.UDPAddr{IP: net.IP{127, 0, 0, 1}, Port: lazyBindPort}
+}
+
+// SetDeadline sets the read and write deadlines.
+func (c *lazyConn) SetDeadline(_ time.Time) error {
+	return nil
+}
+
+// SetReadDeadline sets the deadline for future Read calls.
+func (c *lazyConn) SetReadDeadline(_ time.Time) error {
+	return nil
+}
+
+// SetWriteDeadline sets the deadline for future Write calls.
+func (c *lazyConn) SetWriteDeadline(_ time.Time) error {
+	return nil
+}
diff --git a/client/internal/lazyconn/activity/listener.go b/client/internal/lazyconn/activity/listener.go
@@ -1,107 +1,28 @@
 package activity
 
 import (
-	"fmt"
-	"net"
-	"sync"
-	"sync/atomic"
-
-	log "github.com/sirupsen/logrus"
+	"errors"
 
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 )
 
-// Listener it is not a thread safe implementation, do not call Close before ReadPackets. It will cause blocking
-type Listener struct {
-	wgIface  WgInterface
-	peerCfg  lazyconn.PeerConfig
-	conn     *net.UDPConn
-	endpoint *net.UDPAddr
-	done     sync.Mutex
-
-	isClosed atomic.Bool // use to avoid error log when closing the listener
-}
-
-func NewListener(wgIface WgInterface, cfg lazyconn.PeerConfig) (*Listener, error) {
-	d := &Listener{
-		wgIface: wgIface,
-		peerCfg: cfg,
-	}
-
-	conn, err := d.newConn()
-	if err != nil {
-		return nil, fmt.Errorf("failed to creating activity listener: %v", err)
-	}
-	d.conn = conn
-	d.endpoint = conn.LocalAddr().(*net.UDPAddr)
-
-	if err := d.createEndpoint(); err != nil {
-		return nil, err
-	}
-	d.done.Lock()
-	cfg.Log.Infof("created activity listener: %s", conn.LocalAddr().(*net.UDPAddr).String())
-	return d, nil
-}
-
-func (d *Listener) ReadPackets() {
-	for {
-		n, remoteAddr, err := d.conn.ReadFromUDP(make([]byte, 1))
-		if err != nil {
-			if d.isClosed.Load() {
-				d.peerCfg.Log.Infof("exit from activity listener")
-			} else {
-				d.peerCfg.Log.Errorf("failed to read from activity listener: %s", err)
-			}
-			break
-		}
-
-		if n < 1 {
-			d.peerCfg.Log.Warnf("received %d bytes from %s, too short", n, remoteAddr)
-			continue
-		}
-		d.peerCfg.Log.Infof("activity detected")
-		break
-	}
-
-	d.peerCfg.Log.Debugf("removing lazy endpoint: %s", d.endpoint.String())
-	if err := d.removeEndpoint(); err != nil {
-		d.peerCfg.Log.Errorf("failed to remove endpoint: %s", err)
-	}
-
-	_ = d.conn.Close() // do not care err because some cases it will return "use of closed network connection"
-	d.done.Unlock()
-}
-
-func (d *Listener) Close() {
-	d.peerCfg.Log.Infof("closing activity listener: %s", d.conn.LocalAddr().String())
-	d.isClosed.Store(true)
-
-	if err := d.conn.Close(); err != nil {
-		d.peerCfg.Log.Errorf("failed to close UDP listener: %s", err)
-	}
-	d.done.Lock()
-}
-
-func (d *Listener) removeEndpoint() error {
-	return d.wgIface.RemovePeer(d.peerCfg.PublicKey)
-}
-
-func (d *Listener) createEndpoint() error {
-	d.peerCfg.Log.Debugf("creating lazy endpoint: %s", d.endpoint.String())
-	return d.wgIface.UpdatePeer(d.peerCfg.PublicKey, d.peerCfg.AllowedIPs, 0, d.endpoint, nil)
+// listener defines the contract for activity detection listeners.
+type listener interface {
+	ReadPackets()
+	Close()
 }
 
-func (d *Listener) newConn() (*net.UDPConn, error) {
-	addr := &net.UDPAddr{
-		Port: 0,
-		IP:   listenIP,
+// newListener creates a listener appropriate for the WireGuard interface type.
+// Returns BindListener for userspace bind mode with ICEBind, otherwise UDPListener.
+func newListener(wgIface WgInterface, cfg lazyconn.PeerConfig) (listener, error) {
+	if !wgIface.IsUserspaceBind() {
+		return NewUDPListener(wgIface, cfg)
 	}
 
-	conn, err := net.ListenUDP("udp", addr)
-	if err != nil {
-		log.Errorf("failed to create activity listener on %s: %s", addr, err)
-		return nil, err
+	provider, ok := wgIface.(bindProvider)
+	if !ok {
+		return nil, errors.New("interface claims userspace bind but doesn't implement bindProvider")
 	}
 
-	return conn, nil
+	return NewBindListener(wgIface, provider.GetBind(), cfg)
 }