Service VPNs on system boot level (pre-user login)

[teon]

There are use cases where some services need to be accessible to the system/computer before the user even logs in.
A common scenario is making Active Directory / LDAP available so that the system can authenticate the user, who can then log in and then use the VPN (with MFA).

For that reason, we need to implement Service Location, which will be a VPN connection without MFA (since the user cannot perform MFA before logging in, as the UI is not yet available).
This will be marked as Service VPN with the following explanation:

A Service VPN will automatically connect when the user’s computer boots, ensuring that remote services required for login (e.g., Active Directory, LDAP) are available over the VPN.

This VPN **will not be visible** in the Desktop & Mobile clients and will automatically disconnect after the user logs in.

Additional changes are required in our Desktop Client service to ensure it automatically connects to this VPN at boot and disconnects after login.
As an MVP, the Windows client will need to support this first.

PS. Alternative approach is to spawn the Defguard Client UI and make MFA VPN available on the login screen - but that will only work on Windows and this approach can be done also on Linux/macOS...

Steps to implement this feature:

• research ways in which we can detect that the user is/is not logged in or has just logged out or logged in (windows only for now)
• implement storing service locations in a shared directory so our service can access it
• implement turning on the VPN before login and turning it off after login
• implement defguard core handling of the service locations (ability to mark the location as service, passing this information to the client)
• setting acls on service location files
• proper client error handling & cleanup
• merge and test changes with our new windows WireGuard handling
• cleanup and fix bugs after change merges
• add documentation

[redbaron73gmail]

Auto connect VPNs should be controlled by an option when the VPN is created. This will allow the admin portal to have complete control over the VPN. It would be an expectation that these VPN would not use MFA.

The feature to disconnect upon login should also be a setting that is controlled by the admin portal.

We have a specific use case that requires this network control vpn to be in use 100% of the time.