To support a macOS version of a native desktop VPN to Coder workspaces, we plan to use a dynamic library loaded by a host NetworkExtension written in Swift. The dynamic library will be embedded in the full coder binary that includes the Coder server. Coder server will allow downloading the dynamic library just like we do for "slim" client binaries on different operating systems.

This allows our macOS application to seamless work with multiple versions of Coder, but downloading the dynamic library from the Coder server you sign into.

The dynamic library will export a function via the C foreign function interface (FFI) that accepts a pair of pipes for bi-directional communication. The function then sets up the CoderVPN Control Protocol (#14731) over the pipes, and implements the "Tunnel" side of the protocol. The macOS application can then start and stop the VPN via this protocol.

To implement the VPN, we use the workspacesdk API to start a tailnet for all the user's workspaces (#14730), including the Router (#14732) and dns.OSConfigurator (#14733) components built for this purpose.