Refactor RDP proxy handling and update related tests

2026-05-17 20:38:35 +03:00
parent 8e9402580f
commit d551e57fd5
172 changed files with 22117 additions and 2509 deletions
@@ -204,6 +204,8 @@ Examples:
- `vnc-worker` wraps a future VNC client/runtime.
- `vpn-exit` handles exit routing.
- `vpn-connector` handles private network reachability.
- `vpn-client` runs on an end-user device, including Android, as a normal farm node.
- `ipv4-egress` marks a node/service that can send authorized VPN packet traffic to ordinary IPv4 networks.
- `video-relay` handles media optimized paths.
Rules:
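Review bot: the two added bullets for `vpn-client` and `ipv4-egress` leave the relationship between `ipv4-egress` and the existing `vpn-exit` role undefined, even though the `vpn-client` section later in this change addresses the target as an "`ipv4-egress`/`vpn-exit` pool". State in the `ipv4-egress` bullet whether it supersedes `vpn-exit`, complements it, or is the IPv4-only subset of it, and say what "authorized" refers to (the visibility policy described in the `ipv4-egress` section) so a reader of the examples list does not have to infer it. Suggested wording: "`ipv4-egress` marks a node/service that can forward VPN packet channels, admitted under the exit visibility policy, to ordinary IPv4 networks; see `ipv4-egress` below for how it relates to `vpn-exit`."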
@@ -293,6 +295,41 @@ Responsibilities:
- applies route, DNS, and egress restrictions
- reports traffic and health telemetry
### `ipv4-egress`
Fabric-only IPv4 exit service. It is assigned to nodes that may forward authorized VPN packet channels from the mesh to ordinary IPv4 networks.
Responsibilities:
- accepts VPN packet channels only through the fabric service channel
- advertises exit pool membership, region, route policy, and health
- enforces user, organization, cluster, and owner visibility policy before accepting traffic
- participates in latency-aware and load-aware exit selection
- supports failover between nodes in the same exit pool without changing the Android client protocol
- does not expose legacy VPN protocols as the steady-state data plane
### `vpn-client`
Client-side VPN node role. On Android the installed application is a node-agent/runtime with this role, then the VPN client service is started locally and joins the farm like any other node.
Responsibilities:
- joins the mesh using the current QUIC fabric transport
- requests the list of visible IPv4 exit pools and nodes according to the current user's access level
- creates VPN packet channels to the selected `ipv4-egress`/`vpn-exit` pool
- switches to another authorized exit when the selected exit fails or becomes slow
- keeps old protocol compatibility out of the runtime data plane; old nodes may only use legacy download/update paths long enough to fetch the new agent
- exposes its local IPv4 ingress as service configuration: on Android this is the
`VpnService` TUN, and on Linux/Docker it may also include explicit TCP/UDP
listen ports that are mapped into VPN packet channels.
Rules:
- A VPN client does not use a dedicated entry node. It is itself a mesh node.
- The farm builds the route from the client node to an authorized exit pool.
- Exits are addressed as pools. A pool may contain one node, but that is a degraded redundancy posture and should be visible as a risk.
- The control plane may issue policy and signed route authority, but it must not become the packet entry point for the VPN client.
### `vpn-connector`
Connector to private networks.
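Review bot: the `ipv4-egress` responsibilities enforce visibility policy "before accepting traffic" but never say that the exit verifies the "signed route authority" the Rules paragraph lets the control plane issue, so nothing in this section ties channel admission to that signature. Add a responsibility such as "verifies the signed route authority presented with a VPN packet channel and rejects channels whose authority is missing, expired, or scoped to another pool" and state what the exit records when a channel is refused, since the telemetry bullets above only cover traffic and health. Two smaller points in the `vpn-client` section: the Linux/Docker bullet maps "explicit TCP/UDP listen ports" into VPN packet channels without saying who may connect to them (local-only binding or an authenticated peer), and the legacy "download/update paths" bullet should say the fetched agent is integrity-checked before it replaces the old node, otherwise the bootstrap step is the one place the old protocol still decides what runs.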