feat: VPN protocol (#11)

Adds support for the VPN Protocol, up to a generic, abstract base `Speaker` class.  We'll subclass this and override the handlers for the real `Manager` class in the network extension.

Author: spikecurtis

Diff for: Coder Desktop/Coder Desktop.xcodeproj/project.pbxproj

@@ -13,6 +13,8 @@
 		AA8BC33F2D0061F200E1ABAA /* FluidMenuBarExtra in Frameworks */ = {isa = PBXBuildFile; productRef = AA8BC33E2D0061F200E1ABAA /* FluidMenuBarExtra */; };
 		AA8BC4CF2D00A4B700E1ABAA /* KeychainAccess in Frameworks */ = {isa = PBXBuildFile; productRef = AA8BC4CE2D00A4B700E1ABAA /* KeychainAccess */; };
 		AAD720D02D0816B200F6304D /* Alamofire in Frameworks */ = {isa = PBXBuildFile; productRef = AAD720CF2D0816B200F6304D /* Alamofire */; };
+		961679532CFF207900B2B6DF /* SwiftProtobuf in Frameworks */ = {isa = PBXBuildFile; productRef = 961679522CFF207900B2B6DF /* SwiftProtobuf */; };
+		961679552CFF207900B2B6DF /* SwiftProtobufPluginLibrary in Frameworks */ = {isa = PBXBuildFile; productRef = 961679542CFF207900B2B6DF /* SwiftProtobufPluginLibrary */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
@@ -37,6 +39,13 @@
 			remoteGlobalIDString = 9616792F2CFF117300B2B6DF;
 			remoteInfo = VPN;
 		};
+		961679DD2D030E1D00B2B6DF /* PBXContainerItemProxy */ = {
+			isa = PBXContainerItemProxy;
+			containerPortal = 961678F42CFF100D00B2B6DF /* Project object */;
+			proxyType = 1;
+			remoteGlobalIDString = 961678FB2CFF100D00B2B6DF;
+			remoteInfo = "Coder Desktop";
+		};
 /* End PBXContainerItemProxy section */
 
 /* Begin PBXCopyFilesBuildPhase section */
@@ -59,6 +68,7 @@
 		961679192CFF100E00B2B6DF /* Coder DesktopUITests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = "Coder DesktopUITests.xctest"; sourceTree = BUILT_PRODUCTS_DIR; };
 		961679302CFF117300B2B6DF /* com.coder.Coder-Desktop.VPN.systemextension */ = {isa = PBXFileReference; explicitFileType = "wrapper.system-extension"; includeInIndex = 0; path = "com.coder.Coder-Desktop.VPN.systemextension"; sourceTree = BUILT_PRODUCTS_DIR; };
 		961679322CFF117300B2B6DF /* NetworkExtension.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = NetworkExtension.framework; path = System/Library/Frameworks/NetworkExtension.framework; sourceTree = SDKROOT; };
+		961679D92D030E1D00B2B6DF /* ProtoTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = ProtoTests.xctest; sourceTree = BUILT_PRODUCTS_DIR; };
 /* End PBXFileReference section */
 
 /* Begin PBXFileSystemSynchronizedBuildFileExceptionSet section */
@@ -69,6 +79,13 @@
 			);
 			target = 9616792F2CFF117300B2B6DF /* VPN */;
 		};
+		961679472CFF14EA00B2B6DF /* Exceptions for "Proto" folder in "VPN" target */ = {
+			isa = PBXFileSystemSynchronizedBuildFileExceptionSet;
+			membershipExceptions = (
+				Sender.swift,
+			);
+			target = 9616792F2CFF117300B2B6DF /* VPN */;
+		};
 /* End PBXFileSystemSynchronizedBuildFileExceptionSet section */
 
 /* Begin PBXFileSystemSynchronizedRootGroup section */
@@ -95,6 +112,19 @@
 			path = VPN;
 			sourceTree = "<group>";
 		};
+		961679432CFF149000B2B6DF /* Proto */ = {
+			isa = PBXFileSystemSynchronizedRootGroup;
+			exceptions = (
+				961679472CFF14EA00B2B6DF /* Exceptions for "Proto" folder in "VPN" target */,
+			);
+			path = Proto;
+			sourceTree = "<group>";
+		};
+		961679DA2D030E1D00B2B6DF /* ProtoTests */ = {
+			isa = PBXFileSystemSynchronizedRootGroup;
+			path = ProtoTests;
+			sourceTree = "<group>";
+		};
 /* End PBXFileSystemSynchronizedRootGroup section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -105,6 +135,8 @@
 				AAD720D02D0816B200F6304D /* Alamofire in Frameworks */,
 				AA8BC4CF2D00A4B700E1ABAA /* KeychainAccess in Frameworks */,
 				AA8BC33F2D0061F200E1ABAA /* FluidMenuBarExtra in Frameworks */,
+				961679552CFF207900B2B6DF /* SwiftProtobufPluginLibrary in Frameworks */,
+				961679532CFF207900B2B6DF /* SwiftProtobuf in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -127,7 +159,16 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				961679E52D03144C00B2B6DF /* SwiftProtobufPluginLibrary in Frameworks */,
 				961679332CFF117300B2B6DF /* NetworkExtension.framework in Frameworks */,
+				961679E32D03144900B2B6DF /* SwiftProtobuf in Frameworks */,
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
+		961679D62D030E1D00B2B6DF /* Frameworks */ = {
+			isa = PBXFrameworksBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -137,6 +178,8 @@
 		961678F32CFF100D00B2B6DF = {
 			isa = PBXGroup;
 			children = (
+				961679432CFF149000B2B6DF /* Proto */,
+				961679DA2D030E1D00B2B6DF /* ProtoTests */,
 				961678FE2CFF100D00B2B6DF /* Coder Desktop */,
 				961679122CFF100E00B2B6DF /* Coder DesktopTests */,
 				9616791C2CFF100E00B2B6DF /* Coder DesktopUITests */,
@@ -153,6 +196,7 @@
 				9616790F2CFF100E00B2B6DF /* Coder DesktopTests.xctest */,
 				961679192CFF100E00B2B6DF /* Coder DesktopUITests.xctest */,
 				961679302CFF117300B2B6DF /* com.coder.Coder-Desktop.VPN.systemextension */,
+				961679D92D030E1D00B2B6DF /* ProtoTests.xctest */,
 			);
 			name = Products;
 			sourceTree = "<group>";
@@ -185,12 +229,15 @@
 			);
 			fileSystemSynchronizedGroups = (
 				961678FE2CFF100D00B2B6DF /* Coder Desktop */,
+				961679432CFF149000B2B6DF /* Proto */,
 			);
 			name = "Coder Desktop";
 			packageProductDependencies = (
 				AA8BC33E2D0061F200E1ABAA /* FluidMenuBarExtra */,
 				AA8BC4CE2D00A4B700E1ABAA /* KeychainAccess */,
 				AAD720CF2D0816B200F6304D /* Alamofire */,
+				961679522CFF207900B2B6DF /* SwiftProtobuf */,
+				961679542CFF207900B2B6DF /* SwiftProtobufPluginLibrary */,
 			);
 			productName = "Coder Desktop";
 			productReference = 961678FC2CFF100D00B2B6DF /* Coder Desktop.app */;
@@ -260,11 +307,36 @@
 			);
 			name = VPN;
 			packageProductDependencies = (
+				961679E22D03144900B2B6DF /* SwiftProtobuf */,
+				961679E42D03144C00B2B6DF /* SwiftProtobufPluginLibrary */,
 			);
 			productName = VPN;
 			productReference = 961679302CFF117300B2B6DF /* com.coder.Coder-Desktop.VPN.systemextension */;
 			productType = "com.apple.product-type.system-extension";
 		};
+		961679D82D030E1D00B2B6DF /* ProtoTests */ = {
+			isa = PBXNativeTarget;
+			buildConfigurationList = 961679DF2D030E1D00B2B6DF /* Build configuration list for PBXNativeTarget "ProtoTests" */;
+			buildPhases = (
+				961679D52D030E1D00B2B6DF /* Sources */,
+				961679D62D030E1D00B2B6DF /* Frameworks */,
+				961679D72D030E1D00B2B6DF /* Resources */,
+			);
+			buildRules = (
+			);
+			dependencies = (
+				961679DE2D030E1D00B2B6DF /* PBXTargetDependency */,
+			);
+			fileSystemSynchronizedGroups = (
+				961679DA2D030E1D00B2B6DF /* ProtoTests */,
+			);
+			name = ProtoTests;
+			packageProductDependencies = (
+			);
+			productName = ProtoTests;
+			productReference = 961679D92D030E1D00B2B6DF /* ProtoTests.xctest */;
+			productType = "com.apple.product-type.bundle.unit-test";
+		};
 /* End PBXNativeTarget section */
 
 /* Begin PBXProject section */
@@ -289,6 +361,10 @@
 					9616792F2CFF117300B2B6DF = {
 						CreatedOnToolsVersion = 16.1;
 					};
+					961679D82D030E1D00B2B6DF = {
+						CreatedOnToolsVersion = 16.1;
+						TestTargetID = 961678FB2CFF100D00B2B6DF;
+					};
 				};
 			};
 			buildConfigurationList = 961678F72CFF100D00B2B6DF /* Build configuration list for PBXProject "Coder Desktop" */;
@@ -306,6 +382,7 @@
 				AA8BC33D2D0061F200E1ABAA /* XCRemoteSwiftPackageReference "fluid-menu-bar-extra" */,
 				AA8BC4CD2D00A4B700E1ABAA /* XCRemoteSwiftPackageReference "KeychainAccess" */,
 				AAD720CE2D0816B200F6304D /* XCRemoteSwiftPackageReference "Alamofire" */,
+				961679512CFF207900B2B6DF /* XCRemoteSwiftPackageReference "swift-protobuf" */,
 			);
 			preferredProjectObjectVersion = 77;
 			productRefGroup = 961678FD2CFF100D00B2B6DF /* Products */;
@@ -316,6 +393,7 @@
 				9616790E2CFF100E00B2B6DF /* Coder DesktopTests */,
 				961679182CFF100E00B2B6DF /* Coder DesktopUITests */,
 				9616792F2CFF117300B2B6DF /* VPN */,
+				961679D82D030E1D00B2B6DF /* ProtoTests */,
 			);
 		};
 /* End PBXProject section */
@@ -349,6 +427,13 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
+		961679D72D030E1D00B2B6DF /* Resources */ = {
+			isa = PBXResourcesBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
 /* End PBXResourcesBuildPhase section */
 
 /* Begin PBXSourcesBuildPhase section */
@@ -380,6 +465,13 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
+		961679D52D030E1D00B2B6DF /* Sources */ = {
+			isa = PBXSourcesBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
 /* End PBXSourcesBuildPhase section */
 
 /* Begin PBXTargetDependency section */
@@ -402,6 +494,11 @@
 			isa = PBXTargetDependency;
 			productRef = AA8BC33B2D0060E700E1ABAA /* SwiftLintBuildToolPlugin */;
 		};
+		961679DE2D030E1D00B2B6DF /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			target = 961678FB2CFF100D00B2B6DF /* Coder Desktop */;
+			targetProxy = 961679DD2D030E1D00B2B6DF /* PBXContainerItemProxy */;
+		};
 /* End PBXTargetDependency section */
 
 /* Begin XCBuildConfiguration section */
@@ -701,6 +798,40 @@
 			};
 			name = Release;
 		};
+		961679E02D030E1D00B2B6DF /* Debug */ = {
+			isa = XCBuildConfiguration;
+			buildSettings = {
+				BUNDLE_LOADER = "$(TEST_HOST)";
+				CODE_SIGN_STYLE = Automatic;
+				CURRENT_PROJECT_VERSION = 1;
+				DEVELOPMENT_TEAM = 4399GN35BJ;
+				GENERATE_INFOPLIST_FILE = YES;
+				MARKETING_VERSION = 1.0;
+				PRODUCT_BUNDLE_IDENTIFIER = "com.coder.Coder-Desktop.ProtoTests";
+				PRODUCT_NAME = "$(TARGET_NAME)";
+				SWIFT_EMIT_LOC_STRINGS = NO;
+				SWIFT_VERSION = 5.0;
+				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/Coder Desktop.app/$(BUNDLE_EXECUTABLE_FOLDER_PATH)/Coder Desktop";
+			};
+			name = Debug;
+		};
+		961679E12D030E1D00B2B6DF /* Release */ = {
+			isa = XCBuildConfiguration;
+			buildSettings = {
+				BUNDLE_LOADER = "$(TEST_HOST)";
+				CODE_SIGN_STYLE = Automatic;
+				CURRENT_PROJECT_VERSION = 1;
+				DEVELOPMENT_TEAM = 4399GN35BJ;
+				GENERATE_INFOPLIST_FILE = YES;
+				MARKETING_VERSION = 1.0;
+				PRODUCT_BUNDLE_IDENTIFIER = "com.coder.Coder-Desktop.ProtoTests";
+				PRODUCT_NAME = "$(TARGET_NAME)";
+				SWIFT_EMIT_LOC_STRINGS = NO;
+				SWIFT_VERSION = 5.0;
+				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/Coder Desktop.app/$(BUNDLE_EXECUTABLE_FOLDER_PATH)/Coder Desktop";
+			};
+			name = Release;
+		};
 /* End XCBuildConfiguration section */
 
 /* Begin XCConfigurationList section */
@@ -749,6 +880,15 @@
 			defaultConfigurationIsVisible = 0;
 			defaultConfigurationName = Release;
 		};
+		961679DF2D030E1D00B2B6DF /* Build configuration list for PBXNativeTarget "ProtoTests" */ = {
+			isa = XCConfigurationList;
+			buildConfigurations = (
+				961679E02D030E1D00B2B6DF /* Debug */,
+				961679E12D030E1D00B2B6DF /* Release */,
+			);
+			defaultConfigurationIsVisible = 0;
+			defaultConfigurationName = Release;
+		};
 /* End XCConfigurationList section */
 
 /* Begin XCRemoteSwiftPackageReference section */
@@ -792,6 +932,14 @@
 				minimumVersion = 5.10.2;
 			};
 		};
+		961679512CFF207900B2B6DF /* XCRemoteSwiftPackageReference "swift-protobuf" */ = {
+			isa = XCRemoteSwiftPackageReference;
+			repositoryURL = "https://github.com/apple/swift-protobuf.git";
+			requirement = {
+				kind = exactVersion;
+				version = 1.28.2;
+			};
+		};
 /* End XCRemoteSwiftPackageReference section */
 
 /* Begin XCSwiftPackageProductDependency section */
@@ -820,6 +968,26 @@
 			package = AAD720CE2D0816B200F6304D /* XCRemoteSwiftPackageReference "Alamofire" */;
 			productName = Alamofire;
 		};
+		961679522CFF207900B2B6DF /* SwiftProtobuf */ = {
+			isa = XCSwiftPackageProductDependency;
+			package = 961679512CFF207900B2B6DF /* XCRemoteSwiftPackageReference "swift-protobuf" */;
+			productName = SwiftProtobuf;
+		};
+		961679542CFF207900B2B6DF /* SwiftProtobufPluginLibrary */ = {
+			isa = XCSwiftPackageProductDependency;
+			package = 961679512CFF207900B2B6DF /* XCRemoteSwiftPackageReference "swift-protobuf" */;
+			productName = SwiftProtobufPluginLibrary;
+		};
+		961679E22D03144900B2B6DF /* SwiftProtobuf */ = {
+			isa = XCSwiftPackageProductDependency;
+			package = 961679512CFF207900B2B6DF /* XCRemoteSwiftPackageReference "swift-protobuf" */;
+			productName = SwiftProtobuf;
+		};
+		961679E42D03144C00B2B6DF /* SwiftProtobufPluginLibrary */ = {
+			isa = XCSwiftPackageProductDependency;
+			package = 961679512CFF207900B2B6DF /* XCRemoteSwiftPackageReference "swift-protobuf" */;
+			productName = SwiftProtobufPluginLibrary;
+		};
 /* End XCSwiftPackageProductDependency section */
 	};
 	rootObject = 961678F42CFF100D00B2B6DF /* Project object */;

Diff for: Coder Desktop/Coder Desktop.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved

@@ -27,6 +27,15 @@
         "revision" : "e0c7eebc5a4465a3c4680764f26b7a61f567cdaf"
       }
     },
+    {
+      "identity" : "swift-protobuf",
+      "kind" : "remoteSourceControl",
+      "location" : "https://github.com/apple/swift-protobuf.git",
+      "state" : {
+        "revision" : "ebc7251dd5b37f627c93698e4374084d98409633",
+        "version" : "1.28.2"
+      }
+    },
     {
       "identity" : "swiftlintplugins",
       "kind" : "remoteSourceControl",
@@ -41,8 +50,8 @@
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/nalexn/ViewInspector",
       "state" : {
-        "revision" : "5acfa0a3c095ac9ad050abe51c60d1831e8321da",
-        "version" : "0.10.0"
+        "revision" : "788e7879d38a839c4e348ab0762dcc0364e646a2",
+        "version" : "0.10.1"
       }
     }
   ],

Diff for: Coder Desktop/Coder Desktop.xcodeproj/xcshareddata/xcschemes/Coder Desktop.xcscheme

@@ -57,6 +57,17 @@
                ReferencedContainer = "container:Coder Desktop.xcodeproj">
             </BuildableReference>
          </TestableReference>
+         <TestableReference
+            skipped = "NO"
+            parallelizable = "YES">
+            <BuildableReference
+               BuildableIdentifier = "primary"
+               BlueprintIdentifier = "961679D82D030E1D00B2B6DF"
+               BuildableName = "ProtoTests.xctest"
+               BlueprintName = "ProtoTests"
+               ReferencedContainer = "container:Coder Desktop.xcodeproj">
+            </BuildableReference>
+         </TestableReference>
       </Testables>
    </TestAction>
    <LaunchAction

Diff for: Coder Desktop/Coder Desktop.xcodeproj/xcshareddata/xcschemes/ProtoTests.xcscheme

@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Scheme
+   LastUpgradeVersion = "1610"
+   version = "1.7">
+   <BuildAction
+      parallelizeBuildables = "YES"
+      buildImplicitDependencies = "YES"
+      buildArchitectures = "Automatic">
+   </BuildAction>
+   <TestAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      shouldUseLaunchSchemeArgsEnv = "YES"
+      shouldAutocreateTestPlan = "YES">
+      <Testables>
+         <TestableReference
+            skipped = "NO"
+            parallelizable = "YES">
+            <BuildableReference
+               BuildableIdentifier = "primary"
+               BlueprintIdentifier = "961679D82D030E1D00B2B6DF"
+               BuildableName = "ProtoTests.xctest"
+               BlueprintName = "ProtoTests"
+               ReferencedContainer = "container:Coder Desktop.xcodeproj">
+            </BuildableReference>
+         </TestableReference>
+      </Testables>
+   </TestAction>
+   <LaunchAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      launchStyle = "0"
+      useCustomWorkingDirectory = "NO"
+      ignoresPersistentStateOnLaunch = "NO"
+      debugDocumentVersioning = "YES"
+      debugServiceExtension = "internal"
+      allowLocationSimulation = "YES">
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "961678FB2CFF100D00B2B6DF"
+            BuildableName = "Coder Desktop.app"
+            BlueprintName = "Coder Desktop"
+            ReferencedContainer = "container:Coder Desktop.xcodeproj">
+         </BuildableReference>
+      </BuildableProductRunnable>
+   </LaunchAction>
+   <ProfileAction
+      buildConfiguration = "Release"
+      shouldUseLaunchSchemeArgsEnv = "YES"
+      savedToolIdentifier = ""
+      useCustomWorkingDirectory = "NO"
+      debugDocumentVersioning = "YES">
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "961678FB2CFF100D00B2B6DF"
+            BuildableName = "Coder Desktop.app"
+            BlueprintName = "Coder Desktop"
+            ReferencedContainer = "container:Coder Desktop.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
+   </ProfileAction>
+   <AnalyzeAction
+      buildConfiguration = "Debug">
+   </AnalyzeAction>
+   <ArchiveAction
+      buildConfiguration = "Release"
+      revealArchiveInOrganizer = "YES">
+   </ArchiveAction>
+</Scheme>

Diff for: Coder Desktop/Proto/Receiver.swift

@@ -0,0 +1,94 @@
+import Foundation
+import SwiftProtobuf
+import os
+
+/// An actor that reads data from a `DispatchIO` channel, and deserializes it into VPN protocol messages.
+actor Receiver<RecvMsg: Message> {
+    private let dispatch: DispatchIO
+    private let queue: DispatchQueue
+    private var running = false
+    private let logger = Logger(subsystem: "com.coder.Coder-Desktop", category: "proto")
+
+    /// Creates an instance using the given `DispatchIO` channel and queue.
+    init(dispatch: DispatchIO, queue: DispatchQueue) {
+        self.dispatch = dispatch
+        self.queue = queue
+    }
+
+    /// Reads the protobuf message length from the `DispatchIO`, decodes it and returns it.
+    private func readLen() async throws -> UInt32 {
+        let lenD: Data = try await withCheckedThrowingContinuation { continuation in
+            var lenData = Data()
+            dispatch.read(offset: 0, length: 4, queue: queue) {done, data, error in
+                guard error == 0 else {
+                    let errStrPtr = strerror(error)
+                    let errStr = String(validatingUTF8: errStrPtr!)!
+                    continuation.resume(throwing: ReceiveError.readError(errStr))
+                    return
+                }
+                lenData.append(contentsOf: data!)
+                if done {
+                    continuation.resume(returning: lenData)
+                }
+            }
+        }
+        return try deserializeLen(lenD)
+    }
+
+    /// Reads a protobuf message from the `DispatchIO` of the given length, then decodes it and returns it.
+    private func readMsg(_ length: UInt32) async throws -> RecvMsg {
+        let msgData: Data = try await withCheckedThrowingContinuation { continuation in
+            var msgData = Data()
+            dispatch.read(offset: 0, length: Int(length), queue: queue) {done, data, error in
+                guard error == 0 else {
+                    let errStrPtr = strerror(error)
+                    let errStr = String(validatingUTF8: errStrPtr!)!
+                    continuation.resume(throwing: ReceiveError.readError(errStr))
+                    return
+                }
+                msgData.append(contentsOf: data!)
+                if done {
+                    continuation.resume(returning: msgData)
+                }
+            }
+        }
+        return try RecvMsg(serializedBytes: msgData)
+    }
+
+    /// Starts reading protocol messages from the `DispatchIO` channel and returns them as an `AsyncStream` of messages.
+    /// On read or decoding error, it logs and closes the stream.
+    func messages() throws -> AsyncStream<RecvMsg> {
+        if running {
+            throw ReceiveError.alreadyRunning
+        }
+        running = true
+        return AsyncStream(
+            unfolding: {
+                do {
+                    let length = try await self.readLen()
+                    return try await self.readMsg(length)
+                } catch {
+                    self.logger.error("failed to read proto message: \(error)")
+                    return nil
+                }
+            },
+            onCancel: {
+                self.logger.debug("async stream canceled")
+                self.dispatch.close()
+            }
+        )
+    }
+}
+
+enum ReceiveError: Error {
+    case readError(String)
+    case invalidLength
+    case alreadyRunning
+}
+
+func deserializeLen(_ data: Data) throws -> UInt32 {
+    if data.count != 4 {
+        throw ReceiveError.invalidLength
+    }
+    return UInt32(data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3])
+}

Diff for: Coder Desktop/Proto/Sender.swift

@@ -0,0 +1,33 @@
+import Foundation
+import SwiftProtobuf
+
+/// A actor that serializes and sends VPN protocol messages over a `FileHandle`, which is typically
+/// the write-side of a `Pipe`.
+actor Sender<SendMsg: Message> {
+    private let writeFD: FileHandle
+
+    init(writeFD: FileHandle) {
+        self.writeFD = writeFD
+    }
+
+    func send(_ msg: SendMsg) throws {
+        let data = try msg.serializedData()
+        let length = serializeLen(UInt32(data.count))
+        try writeFD.write(contentsOf: length)
+        try writeFD.write(contentsOf: data)
+    }
+
+    func close() throws {
+        try writeFD.close()
+    }
+}
+
+/// Returns the given length as Data suitable to be serialized. Encodes as an unsigned 32-bit big-endian integer.
+func serializeLen(_ len: UInt32) -> Data {
+    var out = Data(count: 4)
+    out[0] = UInt8(len >> 24 & 0xFF)
+    out[1] = UInt8(len >> 16 & 0xFF)
+    out[2] = UInt8(len >> 8 & 0xFF)
+    out[3] = UInt8(len & 0xFF)
+    return out
+}

Diff for: Coder Desktop/Proto/Speaker.swift

@@ -0,0 +1,339 @@
+import Foundation
+import SwiftProtobuf
+import os
+
+let newLine = 0x0a
+let headerPreamble = "codervpn"
+
+/// A message that has the `rpc` property for recording participation in a unary RPC.
+protocol RPCMessage {
+    var rpc: Vpn_RPC {get set}
+    /// Returns true if `rpc` has been explicitly set.
+    var hasRpc: Bool {get}
+}
+
+extension Vpn_TunnelMessage: RPCMessage {}
+extension Vpn_ManagerMessage: RPCMessage {}
+
+/// A role within the VPN protocol. Determines what message types are allowed to be sent and recieved.
+enum ProtoRole: String {
+    case manager
+    case tunnel
+}
+
+/// A version of the VPN protocol that can be negotiated.
+struct ProtoVersion: CustomStringConvertible, Equatable, Codable {
+    let major: Int
+    let minor: Int
+
+    var description: String {"\(major).\(minor)"}
+
+    init(_ major: Int, _ minor: Int) {
+        self.major = major
+        self.minor = minor
+    }
+
+    init(parse str: String) throws {
+        let parts = str.split(separator: ".").map({Int($0)})
+        if parts.count != 2 {
+            throw HandshakeError.invalidVersion(str)
+        }
+        guard let major = parts[0] else {
+            throw HandshakeError.invalidVersion(str)
+        }
+        guard let minor = parts[1] else {
+            throw HandshakeError.invalidVersion(str)
+        }
+        self.major = major
+        self.minor = minor
+    }
+}
+
+/// An abstract base class for implementations that need to communicate using the VPN protocol.
+class Speaker<SendMsg: RPCMessage & Message, RecvMsg: RPCMessage & Message> {
+    private let logger = Logger(subsystem: "com.coder.Coder-Desktop", category: "proto")
+    private let writeFD: FileHandle
+    private let readFD: FileHandle
+    private let dispatch: DispatchIO
+    private let queue: DispatchQueue = .global(qos: .utility)
+    private let sender: Sender<SendMsg>
+    private let receiver: Receiver<RecvMsg>
+    private let secretary = RPCSecretary<RecvMsg>()
+    let role: ProtoRole
+
+    /// Creates an instance that communicates over the provided file handles.
+    init(writeFD: FileHandle, readFD: FileHandle) {
+        self.writeFD = writeFD
+        self.readFD = readFD
+        self.sender = Sender(writeFD: writeFD)
+        self.dispatch = DispatchIO(
+            type: .stream,
+            fileDescriptor: readFD.fileDescriptor,
+            queue: queue,
+            cleanupHandler: {_ in
+            do {
+                try readFD.close()
+            } catch {
+                // TODO
+            }
+        })
+        self.receiver = Receiver(dispatch: self.dispatch, queue: self.queue)
+        if SendMsg.self == Vpn_TunnelMessage.self {
+            self.role = .tunnel
+        } else {
+            self.role = .manager
+        }
+    }
+
+    /// Does the VPN Protocol handshake and validates the result
+    func handshake() async throws {
+        let hndsh = Handshaker(writeFD: writeFD, dispatch: dispatch, queue: queue, role: role)
+        // ignore the version for now because we know it can only be 1.0
+        try _ = await hndsh.handshake()
+    }
+
+    /// Reads and handles protocol messages.
+    func readLoop() async throws {
+        for try await msg in try await self.receiver.messages() {
+            guard msg.hasRpc else {
+                self.handleMessage(msg)
+                continue
+            }
+            guard msg.rpc.msgID == 0 else {
+                let req = RPCRequest<SendMsg, RecvMsg>(req: msg, sender: self.sender)
+                self.handleRPC(req)
+                continue
+            }
+            guard msg.rpc.responseTo == 0 else {
+                self.logger.debug("got RPC reply for msgID \(msg.rpc.responseTo)")
+                do throws(RPCError) {
+                    try await self.secretary.route(reply: msg)
+                } catch {
+                    self.logger.error(
+                        "couldn't route RPC reply for \(msg.rpc.responseTo): \(error)")
+                }
+                continue
+            }
+        }
+    }
+
+    /// Handles a single non-RPC message. It is expected that subclasses override this method with their own handlers.
+    func handleMessage(_ msg: RecvMsg) {
+        // just log
+        self.logger.debug("got non-RPC message \(msg.textFormatString())")
+    }
+
+    /// Handle a single RPC request. It is expected that subclasses override this method with their own handlers.
+    func handleRPC(_ req: RPCRequest<SendMsg, RecvMsg>) {
+        // just log
+        self.logger.debug("got RPC message \(req.msg.textFormatString())")
+    }
+
+    /// Send a unary RPC message and handle the response
+    func unaryRPC(_ req: SendMsg) async throws -> RecvMsg {
+        return try await withCheckedThrowingContinuation { continuation in
+            Task {
+                let msgID = await self.secretary.record(continuation: continuation)
+                var req = req
+                req.rpc = Vpn_RPC()
+                req.rpc.msgID = msgID
+                do {
+                    self.logger.debug("sending RPC with msgID: \(msgID)")
+                    try await self.sender.send(req)
+                } catch {
+                    self.logger.warning("failed to send RPC with msgID: \(msgID): \(error)")
+                    await self.secretary.erase(id: req.rpc.msgID)
+                    continuation.resume(throwing: error)
+                }
+                self.logger.debug("sent RPC with msgID: \(msgID)")
+            }
+        }
+    }
+
+    func closeWrite() {
+        do {
+            try self.writeFD.close()
+        } catch {
+            logger.error("failed to close write file handle: \(error)")
+        }
+    }
+
+    func closeRead() {
+        do {
+            try self.readFD.close()
+        } catch {
+            logger.error("failed to close read file handle: \(error)")
+        }
+    }
+}
+
+/// A class that performs the initial VPN protocol handshake and version negotiation.
+class Handshaker {
+    private let writeFD: FileHandle
+    private let dispatch: DispatchIO
+    private var theirData: Data = Data()
+    private let versions: [ProtoVersion]
+    private let role: ProtoRole
+    private var continuation: CheckedContinuation<Data, any Error>?
+    private let queue: DispatchQueue
+
+    init (writeFD: FileHandle, dispatch: DispatchIO, queue: DispatchQueue,
+          role: ProtoRole,
+          versions: [ProtoVersion] = [.init(1, 0)]
+    ) {
+        self.writeFD = writeFD
+        self.dispatch = dispatch
+        self.role = role
+        self.queue = queue
+        self.versions = versions
+    }
+
+    /// Performs the initial VPN protocol handshake, returning the negotiated `ProtoVersion` that we should use.
+    func handshake() async throws -> ProtoVersion {
+        // kick off the read async before we try to write, synchronously, so we don't deadlock, both
+        // waiting to write with nobody reading.
+        async let theirs = try withCheckedThrowingContinuation { cont in
+            continuation = cont
+            // send in a nil read to kick us off
+            handleRead(false, nil, 0)
+        }
+
+        let vStr = versions.map({$0.description}).joined(separator: ",")
+        let ours = String(format: "\(headerPreamble) \(role) \(vStr)\n")
+        try writeFD.write(contentsOf: ours.data(using: .utf8)!)
+
+        let theirData = try await theirs
+        guard let theirsString = String(bytes: theirData, encoding: .utf8) else {
+            throw HandshakeError.invalidHeader("<unparsable: \(theirData)")
+        }
+        do {
+            return try validateHeader(theirsString)
+        } catch {
+            writeFD.closeFile()
+            dispatch.close()
+            throw error
+        }
+    }
+
+    private func handleRead(_: Bool, _ data: DispatchData?, _ error: Int32) {
+        guard error == 0 else {
+            let errStrPtr = strerror(error)
+            let errStr = String(validatingUTF8: errStrPtr!)!
+            continuation?.resume(throwing: HandshakeError.readError(errStr))
+            return
+        }
+        if let ddd = data, !ddd.isEmpty {
+            guard ddd[0] != newLine else {
+                continuation?.resume(returning: theirData)
+                return
+            }
+            theirData.append(contentsOf: ddd)
+        }
+
+        // read another byte, one at a time, so we don't read beyond the header.
+        dispatch.read(offset: 0, length: 1, queue: queue, ioHandler: handleRead)
+    }
+
+    private func validateHeader(_ header: String) throws -> ProtoVersion {
+        let parts = header.split(separator: " ")
+        guard parts.count == 3 else {
+            throw HandshakeError.invalidHeader("expected 3 parts: \(header)")
+        }
+        guard parts[0] == headerPreamble else {
+            throw HandshakeError.invalidHeader("expected \(headerPreamble) but got \(parts[0])")
+        }
+        var expectedRole = ProtoRole.manager
+        if self.role == .manager {
+            expectedRole = .tunnel
+        }
+        guard parts[1] == expectedRole.rawValue else {
+            throw HandshakeError.wrongRole("expected \(expectedRole) but got \(parts[1])")
+        }
+        let theirVersions = try parts[2]
+            .split(separator: ",")
+            .map({try ProtoVersion(parse: String($0))})
+        return try pickVersion(ours: versions, theirs: theirVersions)
+    }
+}
+
+func pickVersion(ours: [ProtoVersion], theirs: [ProtoVersion]) throws -> ProtoVersion {
+    for our in ours.reversed() {
+        for their in theirs.reversed() where our.major == their.major {
+            if our.minor < their.minor {
+                return our
+            }
+            return their
+        }
+    }
+    throw HandshakeError.unsupportedVersion(theirs)
+}
+
+enum HandshakeError: Error {
+    case readError(String)
+    case invalidHeader(String)
+    case wrongRole(String)
+    case invalidVersion(String)
+    case unsupportedVersion([ProtoVersion])
+}
+
+struct RPCRequest<SendMsg: RPCMessage & Message, RecvMsg: RPCMessage> {
+    let msg: RecvMsg
+    private let sender: Sender<SendMsg>
+
+    public init(req: RecvMsg, sender: Sender<SendMsg>) {
+        self.msg = req
+        self.sender = sender
+    }
+
+    func sendReply(_ reply: SendMsg) async throws {
+        var reply = reply
+        reply.rpc.responseTo = msg.rpc.msgID
+        try await sender.send(reply)
+    }
+}
+
+enum RPCError: Error {
+    case missingRPC
+    case notARequest
+    case notAResponse
+    case unknownResponseID(UInt64)
+    case shutdown
+}
+
+/// An actor to record outgoing RPCs and route their replies to the original sender
+actor RPCSecretary<RecvMsg: RPCMessage> {
+    private var continuations: [UInt64: CheckedContinuation<RecvMsg, Error>] = [:]
+    private var nextMsgID: UInt64 = 1
+
+    func record(continuation: CheckedContinuation<RecvMsg, Error>) -> UInt64 {
+        let id = nextMsgID
+        nextMsgID += 1
+        continuations[id] = continuation
+        return id
+    }
+
+    func erase(id: UInt64) {
+        continuations[id] = nil
+    }
+
+    func shutdown() {
+        for cont in continuations.values {
+            cont.resume(throwing: RPCError.shutdown)
+        }
+        continuations = [:]
+    }
+
+    func route(reply: RecvMsg) throws(RPCError) {
+        guard reply.hasRpc else {
+            throw RPCError.missingRPC
+        }
+        guard reply.rpc.responseTo != 0 else {
+            throw RPCError.notAResponse
+        }
+        guard let cont = continuations[reply.rpc.responseTo] else {
+            throw RPCError.unknownResponseID(reply.rpc.responseTo)
+        }
+        continuations[reply.rpc.responseTo] = nil
+        cont.resume(returning: reply)
+    }
+}

Diff for: Coder Desktop/Proto/vpn.pb.swift

@@ -0,0 +1,198 @@
+syntax = "proto3";
+option go_package = "github.com/coder/coder/v2/vpn";
+option csharp_namespace = "Coder.Desktop.Vpn.Proto";
+
+import "google/protobuf/timestamp.proto";
+
+package vpn;
+
+// The CoderVPN protocol operates over a bidirectional stream between a "manager" and a "tunnel."
+// The manager is part of the Coder Desktop application and written in OS native code. It handles
+// configuring the VPN and displaying status to the end user.  The tunnel is written in Go and
+// handles operating the actual tunnel, including reading and writing packets, & communicating with
+// the Coder server control plane.
+
+
+// RPC allows a very simple unary request/response RPC mechanism.  The requester generates a unique
+// msg_id which it sets on the request, the responder sets response_to that msg_id on the response
+// message
+message RPC {
+	uint64 msg_id = 1;
+	uint64 response_to = 2;
+}
+
+// ManagerMessage is a message from the manager (to the tunnel).
+message ManagerMessage {
+	RPC rpc = 1;
+	oneof msg {
+		GetPeerUpdate get_peer_update = 2;
+		NetworkSettingsResponse network_settings = 3;
+		StartRequest start = 4;
+		StopRequest stop = 5;
+	}
+}
+
+// TunnelMessage is a message from the tunnel (to the manager).
+message TunnelMessage {
+	RPC rpc = 1;
+	oneof msg {
+		Log log = 2;
+		PeerUpdate peer_update = 3;
+		NetworkSettingsRequest network_settings = 4;
+		StartResponse start = 5;
+		StopResponse stop = 6;
+	}
+}
+
+// Log is a log message generated by the tunnel.  The manager should log it to the system log. It is
+// one-way tunnel -> manager with no response.
+message Log {
+	enum Level {
+		// these are designed to match slog levels
+		DEBUG = 0;
+		INFO = 1;
+		WARN = 2;
+		ERROR = 3;
+		CRITICAL = 4;
+		FATAL = 5;
+	}
+	Level level = 1;
+
+	string message = 2;
+	repeated string logger_names = 3;
+
+	message Field {
+		string name = 1;
+		string value = 2;
+	}
+	repeated Field fields = 4;
+}
+
+// GetPeerUpdate asks for a PeerUpdate with a full set of data.
+message GetPeerUpdate {}
+
+// PeerUpdate is an update about workspaces and agents connected via the tunnel. It is generated in
+// response to GetPeerUpdate (which dumps the full set). It is also generated on any changes (not in
+// response to any request).
+message PeerUpdate {
+	repeated Workspace upserted_workspaces = 1;
+	repeated Agent upserted_agents = 2;
+	repeated Workspace deleted_workspaces = 3;
+	repeated Agent deleted_agents = 4;
+}
+
+message Workspace {
+	bytes id = 1; // UUID
+	string name = 2;
+
+	enum Status {
+		UNKNOWN = 0;
+		PENDING = 1;
+		STARTING = 2;
+		RUNNING = 3;
+		STOPPING = 4;
+		STOPPED = 5;
+		FAILED = 6;
+		CANCELING = 7;
+		CANCELED = 8;
+		DELETING = 9;
+		DELETED = 10;
+	}
+	Status status = 3;
+}
+
+message Agent {
+	bytes id = 1; // UUID
+	string name = 2;
+	bytes workspace_id = 3; // UUID
+	string fqdn = 4;
+	repeated string ip_addrs = 5;
+	// last_handshake is the primary indicator of whether we are connected to a peer. Zero value or
+	// anything longer than 5 minutes ago means there is a problem.
+	google.protobuf.Timestamp last_handshake = 6;
+}
+
+// NetworkSettingsRequest is based on
+// https://developer.apple.com/documentation/networkextension/nepackettunnelnetworksettings for
+// macOS.  It is a request/response message with response NetworkSettingsResponse
+message NetworkSettingsRequest {
+	uint32 tunnel_overhead_bytes = 1;
+	uint32 mtu = 2;
+
+	message DNSSettings {
+		repeated string servers = 1;
+		repeated string search_domains = 2;
+		// domain_name is the primary domain name of the tunnel
+		string domain_name = 3;
+		repeated string match_domains = 4;
+		// match_domains_no_search specifies if the domains in the matchDomains list should not be
+		// appended to the resolver’s list of search domains.
+		bool match_domains_no_search = 5;
+	}
+	DNSSettings dns_settings = 3;
+
+	string tunnel_remote_address = 4;
+
+	message IPv4Settings {
+		repeated string addrs = 1;
+		repeated string subnet_masks = 2;
+		// router is the next-hop router in dotted-decimal format
+		string router = 3;
+
+		message IPv4Route {
+			string destination = 1;
+			string mask = 2;
+			// router is the next-hop router in dotted-decimal format
+			string router = 3;
+		}
+		repeated IPv4Route included_routes = 4;
+		repeated IPv4Route excluded_routes = 5;
+	}
+	IPv4Settings ipv4_settings = 5;
+
+	message IPv6Settings {
+		repeated string addrs = 1;
+		repeated uint32 prefix_lengths = 2;
+
+		message IPv6Route {
+			string destination = 1;
+			uint32 prefix_length = 2;
+			// router is the address of the next-hop
+			string router = 3;
+		}
+		repeated IPv6Route included_routes = 3;
+		repeated IPv6Route excluded_routes = 4;
+	}
+	IPv6Settings ipv6_settings = 6;
+}
+
+// NetworkSettingsResponse is the response from the manager to the tunnel for a
+// NetworkSettingsRequest
+message NetworkSettingsResponse {
+	bool success = 1;
+	string error_message = 2;
+}
+
+// StartRequest is a request from the manager to start the tunnel.  The tunnel replies with a
+// StartResponse.
+message StartRequest {
+	int32 tunnel_file_descriptor = 1;
+	string coder_url = 2;
+	string api_token = 3;
+}
+
+message StartResponse {
+	bool success = 1;
+	string error_message = 2;
+}
+
+// StopRequest is a request from the manager to stop the tunnel. The tunnel replies with a
+// StopResponse.
+message StopRequest {}
+
+// StopResponse is a response to stopping the tunnel. After sending this response, the tunnel closes
+// its side of the bidirectional stream for writing.
+message StopResponse {
+	bool success = 1;
+	string error_message = 2;
+}

Diff for: Coder Desktop/Proto/vpn.proto

@@ -0,0 +1,253 @@
+import Testing
+import Foundation
+@testable import Coder_Desktop
+
+@Suite(.timeLimit(.minutes(1)))
+struct SenderReceiverTests {
+    let pipe = Pipe()
+    let dispatch: DispatchIO
+    let queue: DispatchQueue = .global(qos: .utility)
+    
+    init() {
+        self.dispatch = DispatchIO(
+            type: .stream,
+            fileDescriptor: pipe.fileHandleForReading.fileDescriptor,
+            queue: queue,
+            cleanupHandler: {error in print("cleanupHandler: \(error)")}
+        )
+    }
+
+    @Test func sendOne() async throws {
+        let s = Sender<Vpn_TunnelMessage>(writeFD: pipe.fileHandleForWriting)
+        let r = Receiver<Vpn_TunnelMessage>(dispatch: dispatch, queue: queue)
+        var msg = Vpn_TunnelMessage()
+        msg.log = Vpn_Log()
+        msg.log.message = "test log"
+        Task {
+            try await s.send(msg)
+            try await s.close()
+        }
+        var count = 0
+        for try await got in try await r.messages() {
+            #expect(got.log.message == "test log")
+            count += 1
+        }
+        #expect(count == 1)
+    }
+    
+    @Test func sendMany() async throws {
+        let s = Sender<Vpn_ManagerMessage>(writeFD: pipe.fileHandleForWriting)
+        let r = Receiver<Vpn_ManagerMessage>(dispatch: dispatch, queue: queue)
+        var msg = Vpn_ManagerMessage()
+        msg.networkSettings.errorMessage = "test error"
+        Task {
+            for _ in 0..<10 {
+                try await s.send(msg)
+            }
+            try await s.close()
+        }
+        var count = 0
+        for try await got in try await r.messages() {
+            #expect(got.networkSettings.errorMessage == "test error")
+            count += 1
+        }
+        #expect(count == 10)
+    }
+}
+
+@Suite(.timeLimit(.minutes(1)))
+struct HandshakerTests {
+    let pipeMT = Pipe()
+    let pipeTM = Pipe()
+    let dispatchT: DispatchIO
+    let dispatchM: DispatchIO
+    let queue: DispatchQueue = .global(qos: .utility)
+    
+    init() {
+        self.dispatchT = DispatchIO(
+            type: .stream,
+            fileDescriptor: pipeMT.fileHandleForReading.fileDescriptor,
+            queue: queue,
+            cleanupHandler: {error in print("cleanupHandler: \(error)")}
+        )
+        self.dispatchM = DispatchIO(
+            type: .stream,
+            fileDescriptor: pipeTM.fileHandleForReading.fileDescriptor,
+            queue: queue,
+            cleanupHandler: {error in print("cleanupHandler: \(error)")}
+        )
+    }
+    
+    @Test("Default versions")
+    func mainline() async throws {
+        let uutTun = Handshaker(
+            writeFD: pipeTM.fileHandleForWriting, dispatch: dispatchT, queue: queue, role: .tunnel)
+        let uutMgr = Handshaker(
+            writeFD: pipeMT.fileHandleForWriting, dispatch: dispatchM, queue: queue, role: .manager)
+        let taskTun = Task {
+            try await uutTun.handshake()
+        }
+        let taskMgr = Task {
+            try await uutMgr.handshake()
+        }
+        let versionTun = try await taskTun.value
+        #expect(versionTun == ProtoVersion(1, 0))
+        let versionMgr = try await taskMgr.value
+        #expect(versionMgr == ProtoVersion(1, 0))
+    }
+    
+    
+    struct versionCase : CustomStringConvertible {
+        let tun: [ProtoVersion]
+        let mgr: [ProtoVersion]
+        let result: ProtoVersion
+        
+        var description: String {
+            return "\(tun) vs \(mgr) -> \(result)"
+        }
+    }
+    
+    @Test("explicit versions", arguments: [
+        versionCase(
+            tun: [ProtoVersion(1, 0)],
+            mgr: [ProtoVersion(1, 1)],
+            result: ProtoVersion(1,0)),
+        versionCase(
+            tun: [ProtoVersion(1, 1)],
+            mgr: [ProtoVersion(1, 7)],
+            result: ProtoVersion(1,1)),
+        versionCase(
+            tun: [ProtoVersion(1, 7), ProtoVersion(2, 1)],
+            mgr: [ProtoVersion(1, 7)],
+            result: ProtoVersion(1, 7)),
+        versionCase(
+            tun: [ProtoVersion(1, 7)],
+            mgr: [ProtoVersion(1, 7), ProtoVersion(2, 1)],
+            result: ProtoVersion(1, 7)),
+        versionCase(
+            tun: [ProtoVersion(1, 3), ProtoVersion(2, 1)],
+            mgr: [ProtoVersion(1, 7)],
+            result: ProtoVersion(1, 3)),
+    ])
+    func explictVersions(tc: versionCase) async throws {
+        let uutTun = Handshaker(
+            writeFD: pipeTM.fileHandleForWriting, dispatch: dispatchT, queue: queue, role: .tunnel,
+            versions: tc.tun
+        )
+        let uutMgr = Handshaker(
+            writeFD: pipeMT.fileHandleForWriting, dispatch: dispatchM, queue: queue, role: .manager,
+            versions: tc.mgr
+        )
+        let taskTun = Task {
+            try await uutTun.handshake()
+        }
+        let taskMgr = Task {
+            try await uutMgr.handshake()
+        }
+        let versionTun = try await taskTun.value
+        #expect(versionTun == tc.result)
+        let versionMgr = try await taskMgr.value
+        #expect(versionMgr == tc.result)
+    }
+    
+    @Test
+    func incompatible() async throws {
+        let uutTun = Handshaker(
+            writeFD: pipeTM.fileHandleForWriting, dispatch: dispatchT, queue: queue, role: .tunnel,
+            versions: [ProtoVersion(1,8)]
+        )
+        let uutMgr = Handshaker(
+            writeFD: pipeMT.fileHandleForWriting, dispatch: dispatchM, queue: queue, role: .manager,
+            versions: [ProtoVersion(2,8)]
+        )
+        let taskTun = Task {
+            try await uutTun.handshake()
+        }
+        let taskMgr = Task {
+            try await uutMgr.handshake()
+        }
+        await #expect(throws: HandshakeError.self) {
+            try await taskTun.value
+        }
+        await #expect(throws: HandshakeError.self) {
+            try await taskMgr.value
+        }
+    }
+}
+
+@Suite(.timeLimit(.minutes(1)))
+struct OneSidedHandshakerTests {
+    let pipeMT = Pipe()
+    let pipeTM = Pipe()
+    let queue: DispatchQueue = .global(qos: .utility)
+    let dispatchT: DispatchIO
+    let uut: Handshaker
+    
+    init() {
+        self.dispatchT =  DispatchIO(
+            type: .stream,
+            fileDescriptor: pipeMT.fileHandleForReading.fileDescriptor,
+            queue: queue,
+            cleanupHandler: {error in print("cleanupHandler: \(error)")}
+        )
+        self.uut = Handshaker(
+            writeFD: pipeTM.fileHandleForWriting, dispatch: dispatchT, queue: queue, role: .tunnel
+        )
+    }
+    
+    @Test()
+    func badPreamble() async throws {
+        let taskTun = Task {
+            try await uut.handshake()
+        }
+        pipeMT.fileHandleForWriting.write(Data("something manager 1.0\n".utf8))
+        let tunHdr = try pipeTM.fileHandleForReading.readToEnd()
+        #expect(tunHdr == Data("codervpn tunnel 1.0\n".utf8))
+        await #expect(throws: HandshakeError.self) {
+            try await taskTun.value
+        }
+    }
+    
+    @Test(.timeLimit(.minutes(1)))
+    func badRole() async throws {
+        let taskTun = Task {
+            try await uut.handshake()
+        }
+        pipeMT.fileHandleForWriting.write(Data("codervpn head-honcho 1.0\n".utf8))
+        let tunHdr = try pipeTM.fileHandleForReading.readToEnd()
+        #expect(tunHdr == Data("codervpn tunnel 1.0\n".utf8))
+        await #expect(throws: HandshakeError.self) {
+            try await taskTun.value
+        }
+    }
+    
+    @Test(.timeLimit(.minutes(1)))
+    func badVersion() async throws {
+        let taskTun = Task {
+            try await uut.handshake()
+        }
+        pipeMT.fileHandleForWriting.write(Data("codervpn manager one-dot-oh\n".utf8))
+        let tunHdr = try pipeTM.fileHandleForReading.readToEnd()
+        #expect(tunHdr == Data("codervpn tunnel 1.0\n".utf8))
+        await #expect(throws: HandshakeError.self) {
+            try await taskTun.value
+        }
+    }
+    
+    @Test(.timeLimit(.minutes(1)))
+    func mainline() async throws {
+        let taskTun = Task {
+            let v = try await uut.handshake()
+            // close our pipe so that `readToEnd()` below succeeds.
+            try pipeTM.fileHandleForWriting.close()
+            return v
+        }
+        pipeMT.fileHandleForWriting.write(Data("codervpn manager 1.0\n".utf8))
+        let tunHdr = try pipeTM.fileHandleForReading.readToEnd()
+        #expect(tunHdr == Data("codervpn tunnel 1.0\n".utf8))
+        
+        let v = try await taskTun.value
+        #expect(v == ProtoVersion(1,0))
+    }
+}
+

Diff for: Coder Desktop/ProtoTests/ProtoTests.swift

@@ -0,0 +1,136 @@
+import Testing
+import Foundation
+@testable import Coder_Desktop
+
+/// A concrete, test class for the abstract Speaker, which overrides the handlers to send things to
+/// continuations we set in the test.
+class TestTunnel: Speaker<Vpn_TunnelMessage, Vpn_ManagerMessage> {
+    var msgHandler: CheckedContinuation<Vpn_ManagerMessage, Error>?
+    override func handleMessage(_ msg: Vpn_ManagerMessage) {
+        msgHandler?.resume(returning: msg)
+    }
+    
+    var rpcHandler: CheckedContinuation<RPCRequest<Vpn_TunnelMessage, Vpn_ManagerMessage>, Error>?
+    override func handleRPC(_ req: RPCRequest<Vpn_TunnelMessage, Vpn_ManagerMessage>) {
+        rpcHandler?.resume(returning: req)
+    }
+}
+
+@Suite(.timeLimit(.minutes(1)))
+struct SpeakerTests {
+    let pipeMT = Pipe()
+    let pipeTM = Pipe()
+    let uut: TestTunnel
+    let sender: Sender<Vpn_ManagerMessage>
+    let dispatch: DispatchIO
+    let receiver: Receiver<Vpn_TunnelMessage>
+    let handshaker: Handshaker
+    
+    init() {
+        let queue = DispatchQueue.global(qos: .utility)
+        self.uut = TestTunnel(
+            writeFD: pipeTM.fileHandleForWriting,
+            readFD: pipeMT.fileHandleForReading
+        )
+        self.dispatch = DispatchIO(
+            type: .stream,
+            fileDescriptor: pipeTM.fileHandleForReading.fileDescriptor,
+            queue: queue,
+            cleanupHandler: {error in print("cleanupHandler: \(error)")}
+        )
+        self.sender = Sender(writeFD: pipeMT.fileHandleForWriting)
+        self.receiver = Receiver(dispatch: dispatch, queue: queue)
+        self.handshaker = Handshaker(
+            writeFD: pipeMT.fileHandleForWriting,
+            dispatch: self.dispatch, queue: queue,
+            role: .manager)
+    }
+    
+    @Test func handshake() async throws {
+        async let v = handshaker.handshake()
+        try await uut.handshake()
+        #expect(try await v == ProtoVersion(1, 0))
+    }
+    
+    @Test func handleSingleMessage() async throws {
+        async let readDone: () = try uut.readLoop()
+        
+        let got = try await withCheckedThrowingContinuation { continuation in
+            uut.msgHandler = continuation
+            Task {
+                var s = Vpn_ManagerMessage()
+                s.start = Vpn_StartRequest()
+                await #expect(throws: Never.self) {
+                    try await sender.send(s)
+                }
+            }
+        }
+        #expect(got.msg == .start(Vpn_StartRequest()))
+        try await sender.close()
+        try await readDone
+    }
+    
+    @Test func handleRPC() async throws {
+        async let readDone: () = try uut.readLoop()
+        
+        let got = try await withCheckedThrowingContinuation { continuation in
+            uut.rpcHandler = continuation
+            Task {
+                var s = Vpn_ManagerMessage()
+                s.start = Vpn_StartRequest()
+                s.rpc = Vpn_RPC()
+                s.rpc.msgID = 33
+                await #expect(throws: Never.self) {
+                    try await sender.send(s)
+                }
+            }
+        }
+        #expect(got.msg.msg == .start(Vpn_StartRequest()))
+        #expect(got.msg.rpc.msgID == 33)
+        var reply = Vpn_TunnelMessage()
+        reply.start = Vpn_StartResponse()
+        reply.rpc.responseTo = 33
+        try await got.sendReply(reply)
+        uut.closeWrite()
+        
+        var count = 0
+        await #expect(throws: Never.self) {
+            for try await reply in try await receiver.messages() {
+                count += 1
+                #expect(reply.rpc.responseTo == 33)
+            }
+            #expect(count == 1)
+        }
+        try await sender.close()
+        try await readDone
+    }
+    
+    @Test func sendRPCs() async throws {
+        async let readDone: () = try uut.readLoop()
+        
+        async let managerDone = Task {            
+            var count = 0
+            for try await req in try await receiver.messages() {
+                #expect(req.msg == .networkSettings(Vpn_NetworkSettingsRequest()))
+                try #require(req.rpc.msgID != 0)
+                var reply = Vpn_ManagerMessage()
+                reply.networkSettings = Vpn_NetworkSettingsResponse()
+                reply.networkSettings.errorMessage = "test \(count)"
+                reply.rpc.responseTo = req.rpc.msgID
+                try await sender.send(reply)
+                count += 1
+            }
+            #expect(count == 2)
+        }
+        for i in 0..<2 {
+            var req = Vpn_TunnelMessage()
+            req.networkSettings = Vpn_NetworkSettingsRequest()
+            let got = try await uut.unaryRPC(req)
+            #expect(got.networkSettings.errorMessage == "test \(i)")
+        }
+        uut.closeWrite()
+        _ = await managerDone
+        try await sender.close()
+        try await readDone
+    }
+}

Diff for: Coder Desktop/ProtoTests/SpeakerTests.swift

@@ -0,0 +1,2 @@
+proto:
+	protoc --swift_out=. 'Coder Desktop/Proto/vpn.proto'