Fix tunmux wgconf disconnect deadlock (and the cleanup fallout it caused)

[pansen]

Summary

wgconf disconnect could hang and leave the machine wedged: the userspace helper
ignored SIGTERM, never ran its network cleanup, and so left routes and DNS
overrides in place — hijacking the LAN until a reboot. This PR fixes the root-cause
deadlock and bundles the surrounding cleanup/observability work that the bug exposed.

The deadlock

The macOS helper runs on a single-threaded (current_thread) Tokio runtime. Its
once-per-second shutdown loop ran a diagnostic probe (wg show <iface> transfer)
inline as a blocking call. That probe connects to gotatun's own in-process UAPI
server, whose reply is produced by an async task on the very runtime thread now
blocked in the probe — a circular wait:

runtime thread → blocked in Command::output() waiting for `wg`
        `wg`   → waiting for gotatun's UAPI thread to reply
 UAPI thread   → blocking_recv, waiting for handle_api
  handle_api   → needs the runtime thread … which is blocked in `wg`

While wedged, the select! arms for SIGTERM/SIGINT and the control-socket
removal check were never polled, and the tunnel's packet tasks stopped — so the
process survived disconnect, its routes blackholed the LAN, and DNS overrides
persisted.

Fix: run the probe on spawn_blocking bounded by a timeout, so it can no
longer stall the executor. The shutdown select! (signals + socket removal) is now
always reachable, and device stop is likewise bounded by a timeout. SIGTERM is
honored, cleanup_network runs, and routes/DNS are restored on disconnect.

Resilience to stale state

To stop the system getting stuck in a phantom "connected" state after a crash or
reboot, ConnectionState gained is_live() (verifies the tunnel process/interface
still exists), and stale or corrupted state files are pruned automatically on the
next connect.

Other changes in this branch

• wgconf status — report current connection state.
• Streamed logs — a framed response protocol lets the privileged service capture
  and stream setup/teardown logs (including the gotatun helper's, via a tailed log
  file) back to the CLI in real time.
• --debug flag — enable debug logging from the CLI.
• --mtu for userspace wgconf — wgconf reads MTU = from [Interface];
  --mtu overrides it for direct kernel/userspace mode and kernel --proxy (not
  --local-proxy, which creates no host TUN). Includes MTU validation and macOS
  data-plane testing notes in the README.
• LAN reconciliation — when the VPN overlaps the local network, reconcile against
  the current LAN rather than blackholing it.
• Dependencies — bump gotatun to 0.7.1 (and restore the smoltcp submodule
  pin after an accidental downgrade).

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR expands userspace WireGuard support (gotatun) with MTU override handling, improved helper lifecycle/logging, and better stale-state detection so reconnects don’t get wedged after reboots/crashes.

Changes:

• Add MTU parsing/validation and plumb MTU overrides through wgconf/userspace gotatun flows.
• Improve privileged<->CLI observability by streaming privileged-side log frames and adding per-interface helper log files + PID tracking/cleanup confirmation.
• Add stale direct-connection detection (is_live / direct_connection_active) and a new wgconf status command.

Reviewed changes

Copilot reviewed 26 out of 28 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
src/wireguard/userspace.rs	Adds MTU-aware up/down wrappers and passes MTU override to privileged gotatun run
src/wireguard/proxy_tunnel/mod.rs	Formatting-only changes to spawned proxy handlers
src/wireguard/kernel.rs	Moves MTU validation into shared config module
src/wireguard/connection.rs	Adds ConnectionState::is_live() + tests for stale-state detection
src/wireguard/config.rs	Parses MTU= from [Interface], adds parse_mtu/validate_mtu, and tests
src/wgconf/handlers.rs	Adds wgconf status, MTU validation, and routes MTU to userspace connect
src/userspace_helper.rs	Adds MTU support, helper PID/name/log/cleanup status files, macOS route reconcile, and structured cleanup
src/shared/util.rs	Test formatting change
src/shared/connection_ops.rs	Makes disconnect remove state even on teardown error; adds stale direct cleanup helper
src/proton/handlers.rs	Formatting-only change
src/privileged_client/util.rs	Import reordering
src/privileged_client/transport.rs	Adds --debug propagation, detaches daemon stdio, and implements framed log/response reader
src/privileged_client/mod.rs	Extends gotatun_run request with MTU override + debug flag
src/privileged_api.rs	Adds MTU override + debug fields to requests and validates MTU override
src/privileged/mod.rs	Streams per-request logs back to clients via framed responses; merges helper + service logs
src/privileged/dispatch.rs	Passes MTU/debug through to gotatun up implementation
src/privileged/commands.rs	Implements gotatun helper PID tracking, cleanup confirmation, and MTU/debug env propagation
src/mullvad/handlers.rs	Formatting-only change
src/main.rs	Enables debug via env and uses service logging initializer in privileged mode
src/logging.rs	Adds debug env flag, service log capture writer, and synchronous file logger
src/local_proxy.rs	Exposes proc_alive for connection liveness checks
src/ivpn/handlers.rs	Formatting-only change
src/cli.rs	Adds --debug alias for verbose and adds wgconf status subcommand + tests
src/airvpn/handlers.rs	Formatting-only change
README.md	Documents --debug and MTU behavior; adds macOS testing note
Cargo.toml	Updates gotatun dependency version
.gitignore	Ignores repo-local /var directory

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 26 out of 28 changed files in this pull request and generated 5 comments.