feat: raw binary SDWAN data plane + EncodeRaw + TUN close-on-stop

- protocol: add SubTunnelSDWANRaw subtype + EncodeRaw() for zero-copy IP packets
- client: tunReadLoop sends raw frames (no JSON/base64 overhead)
- client: SubTunnelSDWANRaw handler strips header and writes directly to TUN
- client: Stop() closes TUN file FIRST to unblock tunReadLoop
- server: SubTunnelSDWANRaw handler parses IPv4 src/dst from raw packet
- server: RouteSDWANPacket forwards as raw frame to destination

Verified: hcss(10.10.0.3) ↔ i-6986(10.10.0.2) ping 3/3, 0% loss, 46ms RTT

internal/client/client.go

@@ -289,6 +289,18 @@ func (c *Client) registerHandlers() {
 		return c.writeTUN(pkt.Payload)
 	})
 
+	// SDWAN raw packet (binary payload) from server
+	c.conn.OnMessage(protocol.MsgTunnel, protocol.SubTunnelSDWANRaw, func(data []byte) error {
+		if len(data) <= protocol.HeaderSize {
+			return nil
+		}
+		payload := data[protocol.HeaderSize:]
+		if len(payload) == 0 {
+			return nil
+		}
+		return c.writeTUN(payload)
+	})
+
 	// Handle edit app push
 	c.conn.OnMessage(protocol.MsgPush, protocol.SubPushEditApp, func(data []byte) error {
 		var app protocol.AppConfig
@@ -643,18 +655,15 @@ func (c *Client) tunReadLoop() {
 			continue
 		}
 		dstIP := net.IP(pkt[16:20]).String()
-		srcIP := net.IP(pkt[12:16]).String()
 		c.sdwanMu.RLock()
 		self := c.sdwanIP
 		c.sdwanMu.RUnlock()
 		if dstIP == self {
 			continue
 		}
-		_ = c.conn.Write(protocol.MsgTunnel, protocol.SubTunnelSDWANData, protocol.SDWANPacket{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			Payload: append([]byte(nil), pkt...),
-		})
+		// send raw binary to avoid JSON base64 overhead
+		frame := protocol.EncodeRaw(protocol.MsgTunnel, protocol.SubTunnelSDWANRaw, pkt)
+		_ = c.conn.WriteRaw(frame)
 	}
 }
 
@@ -690,6 +699,12 @@ func runCmd(name string, args ...string) error {
 // Stop shuts down the client.
 func (c *Client) Stop() {
 	close(c.quit)
+	c.tunMu.Lock()
+	if c.tunFile != nil {
+		_ = c.tunFile.Close()
+		c.tunFile = nil
+	}
+	c.tunMu.Unlock()
 	if c.conn != nil {
 		c.conn.Close()
 	}
@@ -701,12 +716,6 @@ func (c *Client) Stop() {
 		t.Close()
 	}
 	c.tMu.Unlock()
-	c.tunMu.Lock()
-	if c.tunFile != nil {
-		_ = c.tunFile.Close()
-		c.tunFile = nil
-	}
-	c.tunMu.Unlock()
 	c.wg.Wait()
 }
 

internal/server/sdwan_api.go

@@ -143,5 +143,6 @@ func (s *Server) RouteSDWANPacket(from *NodeInfo, pkt protocol.SDWANPacket) {
 
 	pkt.FromNode = from.Name
 	pkt.ToNode = toNode
-	_ = to.Conn.Write(protocol.MsgTunnel, protocol.SubTunnelSDWANData, pkt)
+	frame := protocol.EncodeRaw(protocol.MsgTunnel, protocol.SubTunnelSDWANRaw, pkt.Payload)
+	_ = to.Conn.WriteRaw(frame)
 }

internal/server/server.go

@@ -309,7 +309,7 @@ func (s *Server) registerHandlers(conn *signal.Conn, node *NodeInfo) {
 		return s.handleRelayNodeReq(conn, node, req)
 	})
 
-	// SDWAN data plane packet relay (server as control-plane router)
+	// SDWAN data plane packet relay (JSON control payload)
 	conn.OnMessage(protocol.MsgTunnel, protocol.SubTunnelSDWANData, func(data []byte) error {
 		var pkt protocol.SDWANPacket
 		if err := protocol.DecodePayload(data, &pkt); err != nil {
@@ -318,6 +318,26 @@ func (s *Server) registerHandlers(conn *signal.Conn, node *NodeInfo) {
 		s.RouteSDWANPacket(node, pkt)
 		return nil
 	})
+
+	// SDWAN data plane packet relay (raw IP payload)
+	conn.OnMessage(protocol.MsgTunnel, protocol.SubTunnelSDWANRaw, func(data []byte) error {
+		if len(data) <= protocol.HeaderSize {
+			return nil
+		}
+		payload := data[protocol.HeaderSize:]
+		if len(payload) < 20 {
+			return nil
+		}
+		version := payload[0] >> 4
+		if version != 4 {
+			return nil
+		}
+		srcIP := net.IP(payload[12:16]).String()
+		dstIP := net.IP(payload[16:20]).String()
+		pkt := protocol.SDWANPacket{SrcIP: srcIP, DstIP: dstIP, Payload: payload}
+		s.RouteSDWANPacket(node, pkt)
+		return nil
+	})
 }
 
 // handleRelayNodeReq finds and returns the best relay node.