feat(healthcheck): combination of ICMP and TCP+TLS checks (#2923)

- New option: `HEALTH_ICMP_TARGET_IP` defaults to `0.0.0.0` meaning use the VPN server public IP address. - Options removed: `HEALTH_VPN_INITIAL_DURATION` and `HEALTH_VPN_ADDITIONAL_DURATION` - times and retries are handpicked and hardcoded. - Less aggressive checks and less false positive detection
2025-10-17 01:45:50 +02:00
parent 340016521e
commit 85890520ab
25 changed files with 722 additions and 366 deletions
--- a/internal/healthcheck/dns/dns.go
+++ b/internal/healthcheck/dns/dns.go
@@ -0,0 +1,39 @@
+package dns
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+)
+
+// Client is a simple plaintext UDP DNS client, to be used for healthchecks.
+// Note the client connects to a DNS server only over UDP on port 53,
+// because we don't want to use DoT or DoH and impact the TCP connections
+// when running a healthcheck.
+type Client struct{}
+
+func New() *Client {
+	return &Client{}
+}
+
+var ErrLookupNoIPs = errors.New("no IPs found from DNS lookup")
+
+func (c *Client) Check(ctx context.Context) error {
+	resolver := &net.Resolver{
+		PreferGo: true,
+		Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
+			dialer := net.Dialer{}
+			return dialer.DialContext(ctx, "udp", "1.1.1.1:53")
+		},
+	}
+	ips, err := resolver.LookupIP(ctx, "ip", "github.com")
+	switch {
+	case err != nil:
+		return err
+	case len(ips) == 0:
+		return fmt.Errorf("%w", ErrLookupNoIPs)
+	default:
+		return nil
+	}
+}