feat(e2e): Add tunnel establishment E2E tests (T-6.1)

[obtFusi]

Summary

• Add PowerShell E2E test script for tunnel establishment validation
• Add Go GUID-based WireGuard interface verification
• Add GitHub Actions workflow for lab testing

Test Cases Implemented

Test	Description	Status
TC1.1	Service Running	✅
TC1.2	WireGuard Interface	✅
TC1.3	Route to DC Network	✅
TC1.4	DC LDAP (389/TCP)	✅
TC1.5	DC Kerberos (88/TCP)	✅
TC1.6	DC DNS (53/TCP)	✅
TC1.7	Kerberos TGT	✅
TC2.1	LDAP SRV Record	✅
TC3.1	Kerberos SRV (UDP)	✅
TC3.2	Kerberos SRV (TCP)	✅
TC4.1	DC Discovery (nltest)	✅
TC4.2	UDP Kerberos Indicator	✅

Test Evidence (Windows 11 VM - 10.0.0.160)

============================================================
  TEST SUMMARY
============================================================

  Passed:  8
  Failed:  5  (Expected: Service not installed, NRPT not configured)
  Skipped: 1

  Pass Rate: 61.5%

Files Changed

• scripts/tests/Test-TunnelEstablishment.ps1 - PowerShell E2E test script
• client/internal/tunnel/interface_windows.go - Go interface verification (Windows)
• client/internal/tunnel/interface_other.go - Stub for non-Windows
• .github/workflows/e2e-tunnel.yml - CI workflow for lab testing

Test Plan

• PowerShell syntax validated
• Go code compiles for Windows
• Tests executed on Windows 11 VM
• TC1.2-TC1.6 pass (connectivity tests)
• TC2.1b pass (SRV discovery via nslookup)
• TC4.1-TC4.2 pass (DC discovery)

Closes #54

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• New Features

  • Added machine tunnel bootstrap with mTLS authentication support for domain-joined Windows devices
  • Added automated certificate enrollment and validation for secure machine authentication
  • Added domain connectivity validation and pre-join requirement checks
  • Added PowerShell automation scripts for client bootstrap, domain join, and configuration management

• Build & Infrastructure

  • Added multi-platform build targets supporting Windows and Linux builds
  • Added automated dependency update management via Dependabot
  • Added pre-commit code quality and security validation checks

• Testing & Verification

  • Added end-to-end tunnel establishment test suite
  • Added lab CA setup and certificate template configuration utilities
  • Added client certificate enrollment and verification tools

• Documentation

  • Added GitHub issue templates and workflow automation
  • Added architecture decision records for mTLS and cryptography strategies

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[obtFusi]

Wrong repo - meant for fork

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

Introduces comprehensive Windows machine tunnel support with mTLS-based authentication for pre-login VPN scenarios. Adds client-side bootstrap logic for certificate-based authentication, management server mTLS support with multi-tenant domain-to-account mapping, domain join validation utilities, protocol definitions for machine peer registration and sync, and extensive PowerShell automation scripts for lab setup and client onboarding.

Changes

Cohort / File(s)	Summary
Pre-commit hooks .githooks/pre-commit	Enforces code formatting (gofmt) and secret detection on staged files; exits with error on violations.
GitHub repository configuration .github/ISSUE_TEMPLATE/bug_report.md, .github/ISSUE_TEMPLATE/epic.md, .github/ISSUE_TEMPLATE/story.md, .github/ISSUE_TEMPLATE/task.md, .github/ISSUE_TEMPLATE/feature_request.md, .github/ISSUE_TEMPLATE/config.yml	Introduces German-language issue templates (bug reports, epics, stories, tasks) and disables blank issues; adds contact links to documentation and discussions.
GitHub Actions workflows .github/workflows/auto-label.yml, .github/workflows/pr-lint.yml, .github/workflows/e2e-tunnel.yml	Adds auto-labeling for issues/PRs based on title/prefix patterns, conventional commits linting, and manual end-to-end tunnel testing workflow with validation and documentation steps.
Dependabot and build configuration .github/dependabot.yml, Makefile, .gitignore	Configures Dependabot for gomod/github-actions/docker; adds cross-platform build targets (Windows, Linux) with version injection; refines VSCode config exclusions.
Client tunnel bootstrap client/internal/tunnel/bootstrap.go, client/internal/tunnel/bootstrap_test.go	Implements two-phase machine tunnel authentication (Setup-Key phase 1, mTLS phase 2) with automatic fallback; includes certificate validation, mTLS client setup, and WireGuard key generation.
Certificate enrollment client/internal/tunnel/certenroll.go, client/internal/tunnel/certenroll_test.go	Provides certificate validation, renewal detection, AD CS enrollment script generation, and certificate metadata extraction; includes certificate expiry watching and issuer fingerprint handling.
Domain join utilities client/internal/tunnel/domainjoin.go, client/internal/tunnel/domainjoin_test.go	Validates DC connectivity (LDAP, Kerberos, DNS, SMB, NTP), pre-join requirements, and generates domain join PowerShell scripts with credential/OU/restart options.
WireGuard interface discovery client/internal/tunnel/interface_windows.go, client/internal/tunnel/interface_other.go	Implements platform-specific interface discovery via GUID/description/name matching on Windows; returns not-supported errors on non-Windows platforms.
Management server mTLS infrastructure management/internals/server/mtls_auth.go, management/internals/server/mtls_auth_test.go, management/internals/server/mtls_server.go, management/internals/server/boot.go	Adds mTLS interceptors with multi-tenant domain-to-account mapping, issuer CA validation, peer type determination from certificate templates, and separate mTLS-enabled gRPC server on dedicated port.
Management server machine tunnel RPC management/internals/shared/grpc/machine_tunnel.go	Implements RegisterMachinePeer, SyncMachinePeer (skeleton), GetMachineRoutes (skeleton), and ReportMachineStatus RPCs with mTLS identity extraction and audit logging.
Management server configuration and lifecycle management/internals/server/config/config.go, management/internals/server/server.go, management/internals/shared/mtls/identity.go, management/internals/shared/mtls/dnslabel.go, management/internals/shared/mtls/dnslabel_test.go	Extends HttpServerConfig with MTLS fields, adds BaseServer.GetMTLSServer accessor, implements shared mTLS Identity context propagation, and provides RFC 1123-compliant DNS label generation with hash-based collision resistance.
Management server peer metadata management/server/peer/peer.go, management/server/peer.go	Extends PeerSystemMeta with mTLS certificate/authentication fields (PeerType, AuthMethod, CertDNSName, CertDomain, etc.); integrates DNS label generation for mTLS peers.
Protocol definitions shared/management/proto/management.proto	Adds four machine tunnel RPCs (RegisterMachinePeer, SyncMachinePeer, GetMachineRoutes, ReportMachineStatus) and supporting messages (MachineIdentity, MachineRegisterRequest/Response, machine config/route/status payloads) with no EncryptedMessage wrapper.
PowerShell bootstrap automation scripts/bootstrap-new-client.ps1, scripts/reset-netbird-machine.ps1, scripts/reinstall-and-test.ps1	Orchestrates multi-phase machine tunnel onboarding: NTP sync, tunnel setup with Setup-Key, DC connectivity validation, domain join, certificate enrollment, and mTLS configuration; includes service/interface cleanup and reinstall workflows.
Lab environment setup scripts/lab/autounattend.xml, scripts/lab/setup-lab-ca.ps1, scripts/lab/test-client-enrollment.ps1, scripts/lab/verify-lab-ca.ps1	Provides unattended Windows Server setup, AD CS lab CA provisioning with NetBirdMachine template and auto-enrollment GPO, automated client enrollment testing, and comprehensive CA verification with DCOM/RPC configuration.
Lab testing and verification scripts/tests/Test-TunnelEstablishment.ps1, scripts/verify-nrpt-cleanup.ps1	End-to-end tunnel establishment test suite validating DC connectivity, DNS-SRV/Kerberos discovery, and UDP reachability; includes NRPT rule cleanup verification after reset.
Documentation and analysis docs/ADR-001-mTLS-Port-Strategy.md, docs/ADR-002-CNG-Signer-Interface.md	Documents decision on single mTLS port with method-based routing using VerifyClientCertIfGiven, and Windows-only CNG crypto.Signer wrapper for non-exportable machine certificate keys.
Test certificates and utilities test/certs/{ca,client,server}.{crt,key,csr,cnf}, test/certs/ca.srl, management/internals/shared/grpc/conversion_test.go	Provides PKI test infrastructure with CA, client, and server certificates for mTLS testing; adds nolint directive for deprecated JWT audience field.
Spike implementations spike/cng-signer/{go.mod,main.go}, spike/san-parser/{go.mod,main.go}	Proof-of-concept implementations for Windows CNG-backed crypto.Signer and AD CS certificate SAN/template parsing with peer type classification.
Container build management/Dockerfile.multistage	Multi-stage Docker build for management component using golang:1.25 builder and ubuntu:24.04 runtime with ca-certificates.

Sequence Diagram(s)

sequenceDiagram
    participant Client as NetBird Client
    participant MGM as Management Server
    participant CA as AD CS
    participant DC as Domain Controller
    participant Tunnel as WireGuard Tunnel

    Client->>Client: Phase 0: Pre-Tunnel NTP Sync
    Client->>Tunnel: Phase 1: Start tunnel with Setup-Key
    Client->>MGM: Login/Register (Setup-Key auth)
    MGM-->>Client: Peer config
    Tunnel-->>Client: Tunnel up
    
    Client->>DC: Check DC Connectivity via tunnel
    DC-->>Client: LDAP/Kerberos/DNS reachable
    
    Client->>Client: NTP sync with DC
    Client->>DC: Domain Join via tunnel
    DC-->>Client: Domain join complete
    
    Client->>CA: Enroll machine certificate (certreq)
    CA-->>Client: Machine certificate issued
    
    Client->>Client: Update config for mTLS
    Client->>MGM: RegisterMachinePeer (mTLS Phase 2)
    MGM->>MGM: Validate mTLS identity from cert
    MGM-->>Client: MachineRegisterResponse
    
    Client->>Tunnel: Switch to mTLS authenticated tunnel
    Client->>MGM: SyncMachinePeer (streaming, mTLS)
    MGM-->>Client: Network map & routes

Loading

sequenceDiagram
    participant Client as Machine Client
    participant MTLSServer as mTLS Server (Port 33074)
    participant Interceptor as mTLS Interceptor
    participant Validator as Identity Validator
    participant AccountMgr as Account Manager

    Client->>MTLSServer: RegisterMachinePeer (TLS client cert)
    MTLSServer->>Interceptor: Extract TLS state
    Interceptor->>Validator: Get identity from cert
    Validator->>Validator: Validate SAN DNSName
    Validator->>Validator: Map domain → account
    Validator->>Validator: Validate issuer CA fingerprint
    Validator-->>Interceptor: MTLSIdentity (with AccountID)
    Interceptor->>Interceptor: Inject into context
    MTLSServer->>AccountMgr: LoginPeer (machine metadata)
    AccountMgr-->>MTLSServer: Login response
    MTLSServer-->>Client: MachineRegisterResponse

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

The review spans multiple heterogeneous subsystems with dense logic: client-side two-phase bootstrap with fallback logic, certificate enrollment and validation, domain join orchestration, multi-tenant mTLS authentication with domain-to-account mapping and issuer validation, Windows-specific interface discovery, extensive PowerShell automation, and new protocol definitions. The 31+ new files, cross-cutting concerns (certificate handling, Windows APIs, gRPC interceptors), and integration points between client and server components require careful examination of both individual component correctness and interaction semantics.

Possibly related PRs

• [management] pass config to controller #4807: Modifies management network-map controller API to propagate server config through NewController and call sites, introducing similar config-passing patterns to those used in mTLS server initialization in this PR.
• [management, infrastructure, idp] Simplified IdP Management - Embedded IdP #5008: Extends management server lifecycle and handler registration (e.g., handler attachment in boot.go), overlapping with the mTLS server lifecycle additions in this PR's boot.go and server.go.

Suggested reviewers

• pascal-fischer

---

🐰 A tunnel is born with cryptographic grace,
Machines authenticate in their rightful place,
With certs and keys and domains aligned,
Pre-login VPN leaves no peer behind—
Two phases dance, then settle secure,
mTLS keeps the bad guys out for sure! ✨

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate failed

Failed conditions
12 New issues
3 Security Hotspots
C Security Rating on New Code (required ≥ A)
10 New Code Smells (required ≤ 0)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE