[client] Fix WG watcher missing initial handshake

[pappz]

Start the WireGuard watcher before configuring the WG endpoint to ensure it captures the initial handshake timestamp.

Previously, the watcher was started after endpoint configuration, causing it to miss the handshake that occurred during setup.

Describe your changes

Issue ticket number and link

Stack

Checklist

• Is it a bug fix
• Is a typo/documentation fix
• Is a feature enhancement
• It is a refactor
• Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Documentation

Select exactly one:

• I added/updated documentation for this change
• Documentation is not needed for this change (explain why)

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

https://github.com/netbirdio/docs/pull/__

Summary by CodeRabbit

• Refactor
  • Optimized WireGuard connection initialization by consolidating watcher activation to earlier stages in both direct and relay connection upgrade paths. Eliminated redundant enablement calls and ensured a single early activation point before endpoint configuration, improving the connection upgrade sequence efficiency.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request refactors WireGuard watcher activation in the peer connection module. The enableWgWatcherIfNeeded function is invoked earlier in both ICE and relay connection upgrade paths, and redundant duplicate calls are removed to eliminate unnecessary repetition.

Changes

Cohort / File(s)	Summary
WireGuard Watcher Activation Consolidation client/internal/peer/conn.go	Moved enableWgWatcherIfNeeded calls to earlier points in onICEConnectionIsReady (before WG endpoint configuration) and onRelayConnectionIsReady (immediately after presharedKey computation), removing duplicate subsequent calls to consolidate watcher activation to single early checkpoints in both upgrade paths.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• [client] Extend WG watcher for ICE connection too #5133: Directly related refactoring of enableWgWatcher calls in the same file, consolidating and reorganizing watcher activation logic across connection upgrade paths.

Suggested reviewers

• mlsmaycon
• lixmal

Poem

🐰 The watcher hops early in the morn,
No longer late, no longer worn,
Twin paths now shine with grace aligned,
Duplicates fade, one call refined! 🔗✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title '[client] Fix WG watcher missing initial handshake' clearly and specifically describes the main bug fix - ensuring the WireGuard watcher captures the initial handshake by starting it before endpoint configuration.
Description check	✅ Passed	The description provides context for the bug fix (watcher starting before endpoint config to capture handshake) and includes most template sections, though the 'Issue ticket number and link' and 'Stack' sections are empty.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud