chore: add vpn-daemon run command for macos (#19080)

Continues to address https://github.com/coder/coder-desktop-macos/issues/201

Identical to the windows command, except we don't write to stdio. We're retaining the system we have for logging on macOS, where we push logs over the tunnel and use the OS logger. 

I've tested that a build with this command works end-to-end with my new version of Coder Desktop macOS.

Also brings in the soft net isolation changes from `main` of coder/tailscale.

cli/vpndaemon_darwin.go

@@ -0,0 +1,73 @@
+//go:build darwin
+
+package cli
+
+import (
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/v2/vpn"
+	"github.com/coder/serpent"
+)
+
+func (r *RootCmd) vpnDaemonRun() *serpent.Command {
+	var (
+		rpcReadFD  int64
+		rpcWriteFD int64
+	)
+
+	cmd := &serpent.Command{
+		Use:   "run",
+		Short: "Run the VPN daemon on macOS.",
+		Middleware: serpent.Chain(
+			serpent.RequireNArgs(0),
+		),
+		Options: serpent.OptionSet{
+			{
+				Flag:        "rpc-read-fd",
+				Env:         "CODER_VPN_DAEMON_RPC_READ_FD",
+				Description: "The file descriptor for the pipe to read from the RPC connection.",
+				Value:       serpent.Int64Of(&rpcReadFD),
+				Required:    true,
+			},
+			{
+				Flag:        "rpc-write-fd",
+				Env:         "CODER_VPN_DAEMON_RPC_WRITE_FD",
+				Description: "The file descriptor for the pipe to write to the RPC connection.",
+				Value:       serpent.Int64Of(&rpcWriteFD),
+				Required:    true,
+			},
+		},
+		Handler: func(inv *serpent.Invocation) error {
+			ctx := inv.Context()
+
+			if rpcReadFD < 0 || rpcWriteFD < 0 {
+				return xerrors.Errorf("rpc-read-fd (%v) and rpc-write-fd (%v) must be positive", rpcReadFD, rpcWriteFD)
+			}
+			if rpcReadFD == rpcWriteFD {
+				return xerrors.Errorf("rpc-read-fd (%v) and rpc-write-fd (%v) must be different", rpcReadFD, rpcWriteFD)
+			}
+
+			pipe, err := vpn.NewBidirectionalPipe(uintptr(rpcReadFD), uintptr(rpcWriteFD))
+			if err != nil {
+				return xerrors.Errorf("create bidirectional RPC pipe: %w", err)
+			}
+			defer pipe.Close()
+
+			tunnel, err := vpn.NewTunnel(ctx, slog.Make().Leveled(slog.LevelDebug), pipe,
+				vpn.NewClient(),
+				vpn.UseOSNetworkingStack(),
+				vpn.UseAsLogger(),
+			)
+			if err != nil {
+				return xerrors.Errorf("create new tunnel for client: %w", err)
+			}
+			defer tunnel.Close()
+
+			<-ctx.Done()
+			return nil
+		},
+	}
+
+	return cmd
+}

cli/vpndaemon_other.go

@@ -1,4 +1,4 @@
-//go:build !windows
+//go:build !windows && !darwin
 
 package cli
 

go.mod

@@ -36,7 +36,7 @@ replace github.com/tcnksm/go-httpstat => github.com/coder/go-httpstat v0.0.0-202
 
 // There are a few minor changes we make to Tailscale that we're slowly upstreaming. Compare here:
 // https://github.com/tailscale/tailscale/compare/main...coder:tailscale:main
-replace tailscale.com => github.com/coder/tailscale v1.1.1-0.20250724015444-494197765996
+replace tailscale.com => github.com/coder/tailscale v1.1.1-0.20250729141742-067f1e5d9716
 
 // This is replaced to include
 // 1. a fix for a data race: c.f. https://github.com/tailscale/wireguard-go/pull/25

go.sum

@@ -926,8 +926,8 @@ github.com/coder/serpent v0.10.0 h1:ofVk9FJXSek+SmL3yVE3GoArP83M+1tX+H7S4t8BSuM=
 github.com/coder/serpent v0.10.0/go.mod h1:cZFW6/fP+kE9nd/oRkEHJpG6sXCtQ+AX7WMMEHv0Y3Q=
 github.com/coder/ssh v0.0.0-20231128192721-70855dedb788 h1:YoUSJ19E8AtuUFVYBpXuOD6a/zVP3rcxezNsoDseTUw=
 github.com/coder/ssh v0.0.0-20231128192721-70855dedb788/go.mod h1:aGQbuCLyhRLMzZF067xc84Lh7JDs1FKwCmF1Crl9dxQ=
-github.com/coder/tailscale v1.1.1-0.20250724015444-494197765996 h1:9x+ouDw9BKW1tdGzuQOWGMT2XkWLs+QQjeCrxYuU1lo=
-github.com/coder/tailscale v1.1.1-0.20250724015444-494197765996/go.mod h1:l7ml5uu7lFh5hY28lGYM4b/oFSmuPHYX6uk4RAu23Lc=
+github.com/coder/tailscale v1.1.1-0.20250729141742-067f1e5d9716 h1:hi7o0sA+RPBq8Rvvz+hNrC/OTL2897OKREMIRIuQeTs=
+github.com/coder/tailscale v1.1.1-0.20250729141742-067f1e5d9716/go.mod h1:l7ml5uu7lFh5hY28lGYM4b/oFSmuPHYX6uk4RAu23Lc=
 github.com/coder/terraform-config-inspect v0.0.0-20250107175719-6d06d90c630e h1:JNLPDi2P73laR1oAclY6jWzAbucf70ASAvf5mh2cME0=
 github.com/coder/terraform-config-inspect v0.0.0-20250107175719-6d06d90c630e/go.mod h1:Gz/z9Hbn+4KSp8A2FBtNszfLSdT2Tn/uAKGuVqqWmDI=
 github.com/coder/terraform-provider-coder/v2 v2.9.0 h1:nd9d1/qHTdx5foBLZoy0SWCc0W13GQUbPTzeGsuLlU0=