coder
diff --git a/‎enterprise/coderd/roles_test.go
+1-1 b/‎enterprise/coderd/roles_test.go
+1-1
diff --git a/‎tailnet/test/integration/integration.go
+32-10 b/‎tailnet/test/integration/integration.go
+32-10
diff --git a/‎tailnet/test/integration/integration_test.go
+123-25 b/‎tailnet/test/integration/integration_test.go
+123-25
@@ -64,7 +64,7 @@ func TestCustomRole(t *testing.T) {
 
 		// Verify the role exists in the list
 		// TODO: Turn this assertion back on when the cli api experience is created.
-		//allRoles, err := tmplAdmin.ListSiteRoles(ctx)
+		// allRoles, err := tmplAdmin.ListSiteRoles(ctx)
 		//require.NoError(t, err)
 		//
 		//require.True(t, slices.ContainsFunc(allRoles, func(selected codersdk.AssignableRoles) bool {
 
@@ -59,7 +59,7 @@ type TestTopology struct {
 	Server ServerStarter
 	// StartClient gets called in each client subprocess. It's expected to
 	// create the tailnet.Conn and ensure connectivity to it's peer.
-	StartClient func(t *testing.T, logger slog.Logger, serverURL *url.URL, myID uuid.UUID, peerID uuid.UUID) *tailnet.Conn
+	StartClient func(t *testing.T, logger slog.Logger, serverURL *url.URL, derpMap *tailcfg.DERPMap, clientNumber int, myID uuid.UUID, peerID uuid.UUID) *tailnet.Conn
 
 	// RunTests is the main test function. It's called in each of the client
 	// subprocesses. If tests can only run once, they should check the client ID
@@ -264,13 +264,18 @@ http {
 
 // StartClientDERP creates a client connection to the server for coordination
 // and creates a tailnet.Conn which will only use DERP to connect to the peer.
-func StartClientDERP(t *testing.T, logger slog.Logger, serverURL *url.URL, myID, peerID uuid.UUID) *tailnet.Conn {
+func StartClientDERP(t *testing.T, logger slog.Logger, serverURL *url.URL, derpMap *tailcfg.DERPMap, clientNumber int, myID, peerID uuid.UUID) *tailnet.Conn {
+	listenPort := uint16(client1Port)
+	if clientNumber == 2 {
+		listenPort = client2Port
+	}
 	return startClientOptions(t, logger, serverURL, myID, peerID, &tailnet.Options{
 		Addresses:           []netip.Prefix{netip.PrefixFrom(tailnet.IPFromUUID(myID), 128)},
-		DERPMap:             basicDERPMap(t, serverURL),
+		DERPMap:             derpMap,
 		BlockEndpoints:      true,
 		Logger:              logger,
 		DERPForceWebSockets: false,
+		ListenPort:          listenPort,
 		// These tests don't have internet connection, so we need to force
 		// magicsock to do anything.
 		ForceNetworkUp: true,
@@ -279,13 +284,18 @@ func StartClientDERP(t *testing.T, logger slog.Logger, serverURL *url.URL, myID,
 
 // StartClientDERPWebSockets does the same thing as StartClientDERP but will
 // only use DERP WebSocket fallback.
-func StartClientDERPWebSockets(t *testing.T, logger slog.Logger, serverURL *url.URL, myID, peerID uuid.UUID) *tailnet.Conn {
+func StartClientDERPWebSockets(t *testing.T, logger slog.Logger, serverURL *url.URL, derpMap *tailcfg.DERPMap, clientNumber int, myID, peerID uuid.UUID) *tailnet.Conn {
+	listenPort := uint16(client1Port)
+	if clientNumber == 2 {
+		listenPort = client2Port
+	}
 	return startClientOptions(t, logger, serverURL, myID, peerID, &tailnet.Options{
 		Addresses:           []netip.Prefix{netip.PrefixFrom(tailnet.IPFromUUID(myID), 128)},
-		DERPMap:             basicDERPMap(t, serverURL),
+		DERPMap:             derpMap,
 		BlockEndpoints:      true,
 		Logger:              logger,
 		DERPForceWebSockets: true,
+		ListenPort:          listenPort,
 		// These tests don't have internet connection, so we need to force
 		// magicsock to do anything.
 		ForceNetworkUp: true,
@@ -295,13 +305,18 @@ func StartClientDERPWebSockets(t *testing.T, logger slog.Logger, serverURL *url.
 // StartClientDirect does the same thing as StartClientDERP but disables
 // BlockEndpoints (which enables Direct connections), and waits for a direct
 // connection to be established between the two peers.
-func StartClientDirect(t *testing.T, logger slog.Logger, serverURL *url.URL, myID, peerID uuid.UUID) *tailnet.Conn {
+func StartClientDirect(t *testing.T, logger slog.Logger, serverURL *url.URL, derpMap *tailcfg.DERPMap, clientNumber int, myID, peerID uuid.UUID) *tailnet.Conn {
+	listenPort := uint16(client1Port)
+	if clientNumber == 2 {
+		listenPort = client2Port
+	}
 	conn := startClientOptions(t, logger, serverURL, myID, peerID, &tailnet.Options{
 		Addresses:           []netip.Prefix{netip.PrefixFrom(tailnet.IPFromUUID(myID), 128)},
-		DERPMap:             basicDERPMap(t, serverURL),
+		DERPMap:             derpMap,
 		BlockEndpoints:      false,
 		Logger:              logger,
 		DERPForceWebSockets: true,
+		ListenPort:          listenPort,
 		// These tests don't have internet connection, so we need to force
 		// magicsock to do anything.
 		ForceNetworkUp: true,
@@ -365,10 +380,17 @@ func startClientOptions(t *testing.T, logger slog.Logger, serverURL *url.URL, my
 	return conn
 }
 
-func basicDERPMap(t *testing.T, serverURL *url.URL) *tailcfg.DERPMap {
+func basicDERPMap(serverURLStr string) (*tailcfg.DERPMap, error) {
+	serverURL, err := url.Parse(serverURLStr)
+	if err != nil {
+		return nil, xerrors.Errorf("parse server URL %q: %w", serverURLStr, err)
+	}
+
 	portStr := serverURL.Port()
 	port, err := strconv.Atoi(portStr)
-	require.NoError(t, err, "parse server port")
+	if err != nil {
+		return nil, xerrors.Errorf("parse port %q: %w", portStr, err)
+	}
 
 	hostname := serverURL.Hostname()
 	ipv4 := ""
@@ -399,7 +421,7 @@ func basicDERPMap(t *testing.T, serverURL *url.URL) *tailcfg.DERPMap {
 				},
 			},
 		},
-	}
+	}, nil
 }
 
 // ExecBackground starts a subprocess with the given flags and returns a
 
@@ -4,19 +4,28 @@
 package integration_test
 
 import (
+	"context"
+	"encoding/json"
 	"flag"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"os/signal"
+	"path/filepath"
 	"runtime"
+	"strconv"
 	"syscall"
 	"testing"
 	"time"
 
 	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"tailscale.com/net/stun/stuntest"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/nettype"
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/slogtest"
@@ -30,17 +39,22 @@ const runTestEnv = "CODER_TAILNET_TESTS"
 var (
 	isSubprocess = flag.Bool("subprocess", false, "Signifies that this is a test subprocess")
 	testID       = flag.String("test-name", "", "Which test is being run")
-	role         = flag.String("role", "", "The role of the test subprocess: server, client")
+	role         = flag.String("role", "", "The role of the test subprocess: server, stun, client")
 
 	// Role: server
 	serverListenAddr = flag.String("server-listen-addr", "", "The address to listen on for the server")
 
+	// Role: stun
+	stunListenAddr = flag.String("stun-listen-addr", "", "The address to listen on for the STUN server")
+
 	// Role: client
-	clientName      = flag.String("client-name", "", "The name of the client for logs")
-	clientServerURL = flag.String("client-server-url", "", "The url to connect to the server")
-	clientMyID      = flag.String("client-id", "", "The id of the client")
-	clientPeerID    = flag.String("client-peer-id", "", "The id of the other client")
-	clientRunTests  = flag.Bool("client-run-tests", false, "Run the tests in the client subprocess")
+	clientName        = flag.String("client-name", "", "The name of the client for logs")
+	clientNumber      = flag.Int("client-number", 0, "The number of the client")
+	clientMyID        = flag.String("client-id", "", "The id of the client")
+	clientPeerID      = flag.String("client-peer-id", "", "The id of the other client")
+	clientServerURL   = flag.String("client-server-url", "", "The url to connect to the server")
+	clientDERPMapPath = flag.String("client-derp-map-path", "", "The path to the DERP map file to use on this client")
+	clientRunTests    = flag.Bool("client-run-tests", false, "Run the tests in the client subprocess")
 )
 
 func TestMain(m *testing.M) {
@@ -87,7 +101,7 @@ var topologies = []integration.TestTopology{
 		// endpoints to connect as routing is enabled between client 1 and
 		// client 2.
 		Name:            "EasyNATDirect",
-		SetupNetworking: integration.SetupNetworkingEasyNAT,
+		SetupNetworking: integration.SetupNetworkingEasyNATWithSTUN,
 		Server:          integration.SimpleServerOptions{},
 		StartClient:     integration.StartClientDirect,
 		RunTests:        integration.TestSuite,
@@ -143,17 +157,41 @@ func TestIntegration(t *testing.T) {
 			log := slogtest.Make(t, nil).Leveled(slog.LevelDebug)
 			networking := topo.SetupNetworking(t, log)
 
-			// Fork the three child processes.
+			// Useful for debugging network namespaces by avoiding cleanup.
+			// t.Cleanup(func() {
+			// 	time.Sleep(time.Minute * 15)
+			// })
+
 			closeServer := startServerSubprocess(t, topo.Name, networking)
+
+			closeSTUN := func() error { return nil }
+			if networking.STUN.ListenAddr != "" {
+				closeSTUN = startSTUNSubprocess(t, topo.Name, networking)
+			}
+
+			// Write the DERP maps to a file.
+			tempDir := t.TempDir()
+			client1DERPMapPath := filepath.Join(tempDir, "client1-derp-map.json")
+			client1DERPMap, err := networking.Client1.ResolveDERPMap()
+			require.NoError(t, err, "resolve client 1 DERP map")
+			err = writeDERPMapToFile(client1DERPMapPath, client1DERPMap)
+			require.NoError(t, err, "write client 1 DERP map")
+			client2DERPMapPath := filepath.Join(tempDir, "client2-derp-map.json")
+			client2DERPMap, err := networking.Client2.ResolveDERPMap()
+			require.NoError(t, err, "resolve client 2 DERP map")
+			err = writeDERPMapToFile(client2DERPMapPath, client2DERPMap)
+			require.NoError(t, err, "write client 2 DERP map")
+
 			// client1 runs the tests.
-			client1ErrCh, _ := startClientSubprocess(t, topo.Name, networking, 1)
-			_, closeClient2 := startClientSubprocess(t, topo.Name, networking, 2)
+			client1ErrCh, _ := startClientSubprocess(t, topo.Name, networking, 1, client1DERPMapPath)
+			_, closeClient2 := startClientSubprocess(t, topo.Name, networking, 2, client2DERPMapPath)
 
 			// Wait for client1 to exit.
 			require.NoError(t, <-client1ErrCh, "client 1 exited")
 
 			// Close client2 and the server.
 			require.NoError(t, closeClient2(), "client 2 exited")
+			require.NoError(t, closeSTUN(), "stun exited")
 			require.NoError(t, closeServer(), "server exited")
 		})
 	}
@@ -169,10 +207,11 @@ func handleTestSubprocess(t *testing.T) {
 		}
 	}
 	require.NotEmptyf(t, topo.Name, "unknown test topology %q", *testID)
+	require.Contains(t, []string{"server", "stun", "client"}, *role, "unknown role %q", *role)
 
 	testName := topo.Name + "/"
-	if *role == "server" {
-		testName += "server"
+	if *role == "server" || *role == "stun" {
+		testName += *role
 	} else {
 		testName += *clientName
 	}
@@ -185,18 +224,34 @@ func handleTestSubprocess(t *testing.T) {
 			topo.Server.StartServer(t, logger, *serverListenAddr)
 			// no exit
 
+		case "stun":
+			launchSTUNServer(t, *stunListenAddr)
+			// no exit
+
 		case "client":
 			logger = logger.Named(*clientName)
+			if *clientNumber != 1 && *clientNumber != 2 {
+				t.Fatalf("invalid client number %d", clientNumber)
+			}
 			serverURL, err := url.Parse(*clientServerURL)
 			require.NoErrorf(t, err, "parse server url %q", *clientServerURL)
 			myID, err := uuid.Parse(*clientMyID)
 			require.NoErrorf(t, err, "parse client id %q", *clientMyID)
 			peerID, err := uuid.Parse(*clientPeerID)
 			require.NoErrorf(t, err, "parse peer id %q", *clientPeerID)
 
+			// Load the DERP map.
+			var derpMap tailcfg.DERPMap
+			derpMapPath := *clientDERPMapPath
+			f, err := os.Open(derpMapPath)
+			require.NoErrorf(t, err, "open DERP map %q", derpMapPath)
+			err = json.NewDecoder(f).Decode(&derpMap)
+			_ = f.Close()
+			require.NoErrorf(t, err, "decode DERP map %q", derpMapPath)
+
 			waitForServerAvailable(t, serverURL)
 
-			conn := topo.StartClient(t, logger, serverURL, myID, peerID)
+			conn := topo.StartClient(t, logger, serverURL, &derpMap, *clientNumber, myID, peerID)
 
 			if *clientRunTests {
 				// Wait for connectivity.
@@ -218,6 +273,23 @@ func handleTestSubprocess(t *testing.T) {
 	})
 }
 
+type forcedAddrPacketListener struct {
+	addr string
+}
+
+var _ nettype.PacketListener = forcedAddrPacketListener{}
+
+func (ln forcedAddrPacketListener) ListenPacket(ctx context.Context, network, _ string) (net.PacketConn, error) {
+	return nettype.Std{}.ListenPacket(ctx, network, ln.addr)
+}
+
+func launchSTUNServer(t *testing.T, listenAddr string) {
+	ln := forcedAddrPacketListener{addr: listenAddr}
+	addr, cleanup := stuntest.ServeWithPacketListener(t, ln)
+	t.Cleanup(cleanup)
+	assert.Equal(t, listenAddr, addr.String(), "listen address should match forced addr")
+}
+
 func waitForServerAvailable(t *testing.T, serverURL *url.URL) {
 	const delay = 100 * time.Millisecond
 	const reqTimeout = 2 * time.Second
@@ -247,45 +319,55 @@ func waitForServerAvailable(t *testing.T, serverURL *url.URL) {
 }
 
 func startServerSubprocess(t *testing.T, topologyName string, networking integration.TestNetworking) func() error {
-	_, closeFn := startSubprocess(t, "server", networking.ProcessServer.NetNS, []string{
+	_, closeFn := startSubprocess(t, "server", networking.Server.Process.NetNS, []string{
 		"--subprocess",
 		"--test-name=" + topologyName,
 		"--role=server",
-		"--server-listen-addr=" + networking.ServerListenAddr,
+		"--server-listen-addr=" + networking.Server.ListenAddr,
+	})
+	return closeFn
+}
+
+func startSTUNSubprocess(t *testing.T, topologyName string, networking integration.TestNetworking) func() error {
+	_, closeFn := startSubprocess(t, "stun", networking.STUN.Process.NetNS, []string{
+		"--subprocess",
+		"--test-name=" + topologyName,
+		"--role=stun",
+		"--stun-listen-addr=" + networking.STUN.ListenAddr,
 	})
 	return closeFn
 }
 
-func startClientSubprocess(t *testing.T, topologyName string, networking integration.TestNetworking, clientNumber int) (<-chan error, func() error) {
+func startClientSubprocess(t *testing.T, topologyName string, networking integration.TestNetworking, clientNumber int, derpMapPath string) (<-chan error, func() error) {
 	require.True(t, clientNumber == 1 || clientNumber == 2)
 
 	var (
-		clientName = fmt.Sprintf("client%d", clientNumber)
-		myID       = integration.Client1ID
-		peerID     = integration.Client2ID
-		accessURL  = networking.ServerAccessURLClient1
-		netNS      = networking.ProcessClient1.NetNS
+		clientName   = fmt.Sprintf("client%d", clientNumber)
+		myID         = integration.Client1ID
+		peerID       = integration.Client2ID
+		clientConfig = networking.Client1
 	)
 	if clientNumber == 2 {
 		myID, peerID = peerID, myID
-		accessURL = networking.ServerAccessURLClient2
-		netNS = networking.ProcessClient2.NetNS
+		clientConfig = networking.Client2
 	}
 
 	flags := []string{
 		"--subprocess",
 		"--test-name=" + topologyName,
 		"--role=client",
 		"--client-name=" + clientName,
-		"--client-server-url=" + accessURL,
+		"--client-number=" + strconv.Itoa(clientNumber),
+		"--client-server-url=" + clientConfig.ServerAccessURL,
 		"--client-id=" + myID.String(),
 		"--client-peer-id=" + peerID.String(),
+		"--client-derp-map-path=" + derpMapPath,
 	}
 	if clientNumber == 1 {
 		flags = append(flags, "--client-run-tests")
 	}
 
-	return startSubprocess(t, clientName, netNS, flags)
+	return startSubprocess(t, clientName, clientConfig.Process.NetNS, flags)
 }
 
 // startSubprocess launches the test binary with the same flags as the test, but
@@ -298,3 +380,19 @@ func startSubprocess(t *testing.T, processName string, netNS *os.File, flags []s
 	args := append(os.Args[1:], append([]string{"-test.v=true"}, flags...)...)
 	return integration.ExecBackground(t, processName, netNS, name, args)
 }
+
+func writeDERPMapToFile(path string, derpMap *tailcfg.DERPMap) error {
+	f, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	enc := json.NewEncoder(f)
+	enc.SetIndent("", "  ")
+	err = enc.Encode(derpMap)
+	if err != nil {
+		return err
+	}
+	return nil
+}