nits

common/wireguard/src/lib.rs

@@ -42,6 +42,10 @@ pub async fn start_wireguard(
     let (tun, tun_task_tx, tun_task_response_rx) = tun_device::TunDevice::new(peers_by_ip.clone());
     tun.start();
 
+    // If we want to have the tun device on a separate host, it's the tun_task and
+    // tun_task_response channels that needs to be sent over the network to the host where the tun
+    // device is running.
+
     // The packet relayer's responsibility is to route packets between the correct tunnel and the
     // tun device. The tun device may or may not be on a separate host, which is why we can't do
     // this routing in the tun device itself.

common/wireguard/src/wg_tunnel.rs

@@ -7,6 +7,7 @@ use boringtun::{
 };
 use bytes::Bytes;
 use log::{debug, error, info, warn};
+use rand::RngCore;
 use tap::TapFallible;
 use tokio::{
     net::UdpSocket,
@@ -90,7 +91,7 @@ impl WireGuardTunnel {
                 index,
                 rate_limiter,
             )
-            .unwrap(),
+            .expect("failed to create Tunn instance"),
         ));
 
         // Channels with incoming data that is received by the main event loop
@@ -102,10 +103,7 @@ impl WireGuardTunnel {
         let mut allowed_ips = NetworkTable::new();
         allowed_ips.insert(peer_allowed_ips, ());
 
-        // random u64
-        use rand::RngCore;
-        let mut rng = rand::rngs::OsRng;
-        let tag = rng.next_u64();
+        let tag = Self::new_tag();
 
         let tunnel = WireGuardTunnel {
             peer_rx,
@@ -122,6 +120,10 @@ impl WireGuardTunnel {
         (tunnel, peer_tx, tag)
     }
 
+    fn new_tag() -> u64 {
+        rand::thread_rng().next_u64()
+    }
+
     fn close(&self) {
         let _ = self.close_tx.send(());
     }