revert(agent-tunnel): back out dual-stack QUIC bind from this PR

Maintainer asked for the dual-stack listener change to ship as its own
PR (#1741 review on `service.rs`). Restore the original
v4-only bind on both ends so this PR is back to "transparent routing"
scope only:

  * gateway listener — `Ipv4Addr::UNSPECIFIED` instead of `Ipv6Addr::UNSPECIFIED`
  * agent client — `0.0.0.0:0` instead of the `[::]:0` + IPv4 fallback
  * remove the `bind_dual_stack_endpoint` / `build_dual_stack_v6_socket`
    helpers and the `socket2` dependency from `agent-tunnel`

The dual-stack work is being re-submitted on a separate branch.

Author: irvingoujAtDevolution

Cargo.lock

@@ -40,7 +40,6 @@ time = { version = "0.3", default-features = false, features = ["std"] }
 
 # QUIC
 quinn = "0.11"
-socket2 = "0.5"
 
 [dev-dependencies]
 base64 = "0.22"

crates/agent-tunnel/Cargo.toml

@@ -5,7 +5,7 @@
 //! creates proxy streams on demand.
 
 use std::collections::HashMap;
-use std::net::{Ipv4Addr, SocketAddr, UdpSocket};
+use std::net::SocketAddr;
 use std::sync::Arc;
 use std::time::Duration;
 
@@ -136,11 +136,10 @@ impl AgentTunnelListener {
 
         server_config.transport_config(Arc::new(transport));
 
-        let endpoint = bind_dual_stack_endpoint(server_config, listen_addr)
+        let endpoint = quinn::Endpoint::server(server_config, listen_addr)
             .with_context(|| format!("bind QUIC endpoint on {listen_addr}"))?;
 
-        let bound_addr = endpoint.local_addr().unwrap_or(listen_addr);
-        info!(listen_addr = %bound_addr, "Agent tunnel QUIC endpoint bound");
+        info!(%listen_addr, "Agent tunnel QUIC endpoint bound");
 
         let registry = Arc::new(AgentRegistry::new());
         let agent_connections: Arc<RwLock<HashMap<Uuid, quinn::Connection>>> = Arc::new(RwLock::new(HashMap::new()));
@@ -395,51 +394,3 @@ async fn handle_control_message<S: tokio::io::AsyncWrite + Unpin, R: tokio::io::
         }
     }
 }
-
-/// Bind a QUIC endpoint, preferring a dual-stack IPv6 socket so the listener
-/// accepts agents whose DNS resolution returns either IPv4 or IPv6.
-///
-/// `quinn::Endpoint::server` would otherwise honor the OS default for
-/// `IPV6_V6ONLY`, which is `0` (dual-stack) on Windows but `1` (v6-only) on
-/// Linux per RFC 3493. We explicitly clear the flag with `socket2`, then hand
-/// the socket to `quinn::Endpoint::new`. If the v6 bind fails entirely
-/// (e.g. IPv6 disabled on the host), we fall back to plain IPv4.
-fn bind_dual_stack_endpoint(
-    server_config: quinn::ServerConfig,
-    listen_addr: SocketAddr,
-) -> anyhow::Result<quinn::Endpoint> {
-    if !listen_addr.is_ipv6() {
-        return quinn::Endpoint::server(server_config, listen_addr).map_err(Into::into);
-    }
-
-    let socket = match build_dual_stack_v6_socket(listen_addr) {
-        Ok(socket) => socket,
-        Err(error) if listen_addr.ip().is_unspecified() => {
-            let v4_addr = SocketAddr::from((Ipv4Addr::UNSPECIFIED, listen_addr.port()));
-            warn!(%error, fallback = %v4_addr, "IPv6 dual-stack bind failed; falling back to IPv4");
-            return quinn::Endpoint::server(server_config, v4_addr).map_err(Into::into);
-        }
-        Err(error) => return Err(error),
-    };
-
-    let runtime = quinn::default_runtime().context("no quinn-compatible async runtime found")?;
-    quinn::Endpoint::new(quinn::EndpointConfig::default(), Some(server_config), socket, runtime).map_err(Into::into)
-}
-
-fn build_dual_stack_v6_socket(listen_addr: SocketAddr) -> anyhow::Result<UdpSocket> {
-    let socket = socket2::Socket::new(
-        socket2::Domain::IPV6,
-        socket2::Type::DGRAM,
-        Some(socket2::Protocol::UDP),
-    )
-    .context("create IPv6 UDP socket")?;
-
-    if let Err(error) = socket.set_only_v6(false) {
-        warn!(%error, "set_only_v6(false) failed; listener may be IPv6-only");
-    }
-
-    socket.set_nonblocking(true).context("set socket non-blocking")?;
-    socket.bind(&listen_addr.into()).context("bind v6 UDP socket")?;
-
-    Ok(socket.into())
-}

crates/agent-tunnel/src/listener.rs

@@ -337,19 +337,8 @@ async fn run_single_connection(
 
     // -- Connect --
 
-    // Prefer a dual-stack IPv6 client socket so we can reach gateway endpoints
-    // resolved as IPv6 (default for `localhost` and any AAAA-bearing name on
-    // modern systems). If the host has IPv6 disabled (common in stripped-down
-    // Linux containers) the v6 bind fails outright; fall back to plain IPv4
-    // rather than crash the agent with no route to take.
-    let mut endpoint = match quinn::Endpoint::client("[::]:0".parse().expect("static [::]:0 parses")) {
-        Ok(endpoint) => endpoint,
-        Err(error) => {
-            warn!(%error, "IPv6 client bind failed; falling back to IPv4");
-            quinn::Endpoint::client("0.0.0.0:0".parse().expect("static 0.0.0.0:0 parses"))
-                .context("create QUIC endpoint (IPv4 fallback)")?
-        }
-    };
+    let mut endpoint =
+        quinn::Endpoint::client("0.0.0.0:0".parse().context("parse bind address")?).context("create QUIC endpoint")?;
     endpoint.set_default_client_config(client_config);
 
     let connection = endpoint

devolutions-agent/src/tunnel.rs

@@ -283,12 +283,7 @@ async fn spawn_tasks(conf_handle: ConfHandle) -> anyhow::Result<Tasks> {
         let ca_manager = agent_tunnel::cert::CaManager::load_or_generate(&data_dir)
             .context("failed to initialize agent tunnel CA")?;
 
-        // Bind to the IPv6 unspecified address so the listener is dual-stack and
-        // accepts both IPv4 and IPv6 agent connections (matters when an agent's DNS
-        // resolution returns an IPv6 address for the configured gateway endpoint).
-        // The listener crate explicitly clears `IPV6_V6ONLY` for portability across
-        // OSes, and falls back to IPv4 if the host has IPv6 disabled.
-        let listen_addr = std::net::SocketAddr::from((std::net::Ipv6Addr::UNSPECIFIED, conf.agent_tunnel.listen_port));
+        let listen_addr = std::net::SocketAddr::from((std::net::Ipv4Addr::UNSPECIFIED, conf.agent_tunnel.listen_port));
 
         let (listener, handle) =
             agent_tunnel::AgentTunnelListener::bind(listen_addr, Arc::clone(&ca_manager), hostname)