Merge pull request #542 from 9seconds/multiple-ip-detectors

internal/cli/access.go

 package cli
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"net"
 		return fmt.Errorf("cannot init network: %w", err)
 	}
 
-	wg := &sync.WaitGroup{}
+	ctx, cancel := context.WithTimeout(context.Background(), getIPTimeout)
+	defer cancel()
 
+	wg := &sync.WaitGroup{}
 	wg.Go(func() {
 		ip := a.PublicIPv4
+
 		if ip == nil {
 			ip = conf.PublicIPv4.Get(nil)
 		}
+
 		if ip == nil {
-			ip = getIP(ntw, "tcp4")
+			ip, _ = getIP(ctx, ntw, "tcp4")
 		}
 
 		if ip != nil {
-			ip = ip.To4()
+			resp.IPv4 = a.makeURLs(conf, ip.To4())
 		}
-
-		resp.IPv4 = a.makeURLs(conf, ip)
 	})
 	wg.Go(func() {
 		ip := a.PublicIPv6
+
 		if ip == nil {
 			ip = conf.PublicIPv6.Get(nil)
 		}
+
 		if ip == nil {
-			ip = getIP(ntw, "tcp6")
+			ip, _ = getIP(ctx, ntw, "tcp6")
 		}
 
 		if ip != nil {
-			ip = ip.To16()
+			resp.IPv6 = a.makeURLs(conf, ip.To16())
 		}
-
-		resp.IPv6 = a.makeURLs(conf, ip)
 	})
-
 	wg.Wait()
 
 	encoder := json.NewEncoder(os.Stdout)

internal/cli/doctor.go

 )
 
 var (
+	funcs = template.FuncMap{
+		"join": strings.Join,
+	}
+
 	tplError = template.Must(
-		template.New("").Parse("  ‼️ {{ .description }}: {{ .error }}\n"),
+		template.New("").
+			Funcs(funcs).
+			Parse("  ‼️ {{ .description }}: {{ .error }}\n"),
 	)
 
 	tplWDeprecatedConfig = template.Must(
 		template.New("").
+			Funcs(funcs).
 			Parse(`  ⚠️ Option {{ .old | printf "%q" }}{{ if .old_section }} from section [{{ .old_section }}]{{ end }} is deprecated and will be removed in v{{ .when }}. Please use {{ .new | printf "%q" }}{{ if .new_section }} in [{{ .new_section }}] section{{ end }} instead.` + "\n"),
 	)
 
 	tplOTimeSkewness = template.Must(
 		template.New("").
+			Funcs(funcs).
 			Parse("  ✅ Time drift is {{ .drift }}, but tolerate-time-skewness is {{ .value }}\n"),
 	)
 	tplWTimeSkewness = template.Must(
 		template.New("").
+			Funcs(funcs).
 			Parse("  ⚠️ Time drift is {{ .drift }}, but tolerate-time-skewness is {{ .value }}. Please check ntp.\n"),
 	)
 	tplETimeSkewness = template.Must(
 		template.New("").
+			Funcs(funcs).
 			Parse("  ❌ Time drift is {{ .drift }}, but tolerate-time-skewness is {{ .value }}. You will get many rejected connections!\n"),
 	)
 
 	tplODCConnect = template.Must(
-		template.New("").Parse("  ✅ DC {{ .dc }} (rpc {{ .rtt }})\n"),
+		template.New("").
+			Funcs(funcs).
+			Parse("  ✅ DC {{ .dc }} (rpc {{ .rtt }})\n"),
 	)
 	tplEDCConnect = template.Must(
-		template.New("").Parse("  ❌ DC {{ .dc }}: {{ .error }}\n"),
+		template.New("").
+			Funcs(funcs).
+			Parse("  ❌ DC {{ .dc }}: {{ .error }}\n"),
 	)
 
 	tplODNSSNIMatch = template.Must(
-		template.New("").Parse("  ✅ IP address {{ .ip }} matches secret hostname {{ .hostname }}\n"),
+		template.New("").
+			Funcs(funcs).
+			Parse("  ✅ IP address {{ .ip }} matches secret hostname {{ .hostname }}\n"),
 	)
 	tplEDNSSNIMatch = template.Must(
-		template.New("").Parse("  ❌ Hostname {{ .hostname }} {{ if .resolved }}resolves to {{ .resolved }}, but the proxy's public IP is {{ if .ip4 }}{{ .ip4 }}{{ else }}<not detected>{{ end }} (IPv4) / {{ if .ip6 }}{{ .ip6 }}{{ else }}<not detected>{{ end }} (IPv6) — none of the resolved addresses match{{ else }}cannot be resolved to any host{{ end }}\n"),
+		template.New("").
+			Funcs(funcs).
+			Parse(`  ❌ Hostname {{ .hostname }} resolves to {{ join ", " .resolved }} but public IP is {{ .ip }}` + "\n"),
 	)
 
 	tplOFrontingDomain = template.Must(
-		template.New("").Parse("  ✅ {{ .address }} is reachable\n"),
+		template.New("").
+			Funcs(funcs).
+			Parse("  ✅ {{ .address }} is reachable\n"),
 	)
 	tplEFrontingDomain = template.Must(
-		template.New("").Parse("  ❌ {{ .address }}: {{ .error }}\n"),
+		template.New("").
+			Funcs(funcs).
+			Parse("  ❌ {{ .address }}: {{ .error }}\n"),
 	)
 )
 
 type Doctor struct {
 	conf *config.Config
 
-	ConfigPath      string `kong:"arg,required,type='existingfile',help='Path to the configuration file.',name='config-path'"` //nolint: lll
+	ConfigPath      string `kong:"arg,required,type='existingfile',help='Path to the configuration file.',name='config-path'"`                                                                       //nolint: lll
 	SkipNativeCheck bool   `kong:"help='Skip the native network connectivity check (useful when proxy chaining is configured and direct egress is not expected to work).',name='skip-native-check'"` //nolint: lll
 }
 
 }
 
 func (d *Doctor) checkSecretHost(resolver *net.Resolver, ntw mtglib.Network) bool {
-	res := runSNICheck(context.Background(), resolver, d.conf, ntw)
-
-	if res.ResolveErr != nil {
+	res, err := runSNICheck(context.Background(), d.conf, resolver, ntw)
+	if err != nil {
 		tplError.Execute(os.Stdout, map[string]any{ //nolint: errcheck
 			"description": fmt.Sprintf("cannot resolve DNS name of %s", d.conf.Secret.Host),
-			"error":       res.ResolveErr,
+			"error":       err,
 		})
 		return false
 	}
 
-	if !res.PublicIPKnown() {
+	if res.OurIP4 == "" && res.OurIP6 == "" {
 		tplError.Execute(os.Stdout, map[string]any{ //nolint: errcheck
 			"description": "cannot detect public IP address",
 			"error":       errors.New("cannot detect automatically and public-ipv4/public-ipv6 are not set in config"),
 		return false
 	}
 
-	if res.IPv4Match || res.IPv6Match {
-		var matched net.IP
+	ok := true
 
-		for _, ip := range res.Resolved {
-			if (res.OurIPv4 != nil && ip.String() == res.OurIPv4.String()) ||
-				(res.OurIPv6 != nil && ip.String() == res.OurIPv6.String()) {
-				matched = ip
-				break
-			}
+	if len(res.ResolvedIP4) > 0 {
+		if slices.Contains(res.ResolvedIP4, res.OurIP4) {
+			tplODNSSNIMatch.Execute(os.Stdout, map[string]any{ //nolint: errcheck
+				"ip":       res.OurIP4,
+				"hostname": d.conf.Secret.Host,
+			})
+		} else {
+			tplEDNSSNIMatch.Execute(os.Stdout, map[string]any{ //nolint: errcheck
+				"ip":       res.OurIP4,
+				"resolved": res.ResolvedIP4,
+				"hostname": d.conf.Secret.Host,
+			})
+			ok = false
 		}
-
-		tplODNSSNIMatch.Execute(os.Stdout, map[string]any{ //nolint: errcheck
-			"ip":       matched,
-			"hostname": d.conf.Secret.Host,
-		})
-		return true
 	}
-
-	strAddresses := make([]string, 0, len(res.Resolved))
-	for _, ip := range res.Resolved {
-		strAddresses = append(strAddresses, `"`+ip.String()+`"`)
+	if len(res.ResolvedIP6) > 0 {
+		if slices.Contains(res.ResolvedIP6, res.OurIP6) {
+			tplODNSSNIMatch.Execute(os.Stdout, map[string]any{ //nolint: errcheck
+				"ip":       res.OurIP6,
+				"hostname": d.conf.Secret.Host,
+			})
+		} else {
+			tplEDNSSNIMatch.Execute(os.Stdout, map[string]any{ //nolint: errcheck
+				"ip":       res.OurIP6,
+				"resolved": res.ResolvedIP6,
+				"hostname": d.conf.Secret.Host,
+			})
+			ok = false
+		}
 	}
 
-	tplEDNSSNIMatch.Execute(os.Stdout, map[string]any{ //nolint: errcheck
-		"hostname": d.conf.Secret.Host,
-		"resolved": strings.Join(strAddresses, ", "),
-		"ip4":      res.OurIPv4,
-		"ip6":      res.OurIPv6,
-	})
-
-	return false
+	return ok
 }

internal/cli/get_ip.go

+package cli
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/9seconds/mtg/v2/essentials"
+	"github.com/9seconds/mtg/v2/mtglib"
+)
+
+const (
+	getIPTimeout = 5 * time.Second
+)
+
+var getIPServicesPlain = []string{
+	"https://ifconfig.co",
+	"https://ifconfig.me",
+	"https://api.ipify.org",
+	"https://ipecho.net/plain",
+}
+
+func getIP(ctx context.Context, ntw mtglib.Network, protocol string) (net.IP, error) {
+	ctx, cancel := context.WithTimeout(ctx, getIPTimeout)
+	defer cancel()
+
+	ctx, cancelCause := context.WithCancelCause(ctx)
+	defer cancelCause(nil)
+
+	var ip net.IP
+
+	rvChan := make(chan net.IP)
+	errChan := make(chan error)
+	errs := []error{}
+	wg := &sync.WaitGroup{}
+	dialer := ntw.NativeDialer()
+	client := ntw.MakeHTTPClient(func(_ context.Context, network, address string) (essentials.Conn, error) {
+		conn, err := dialer.DialContext(ctx, protocol, address)
+		if err != nil {
+			return nil, err
+		}
+		return essentials.WrapNetConn(conn), err
+	})
+
+	for _, url := range getIPServicesPlain {
+		wg.Go(func() {
+			lErrChan := errChan
+			rChan := rvChan
+
+			ip, err := getIPAddressPlain(ctx, client, url)
+			if err == nil {
+				lErrChan = nil
+			} else {
+				rChan = nil
+			}
+
+			select {
+			case <-ctx.Done():
+			case lErrChan <- fmt.Errorf("%s: %w", url, err):
+			case rChan <- ip:
+			}
+		})
+	}
+
+	wg.Go(func() {
+		defer cancelCause(nil)
+
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case foundIP := <-rvChan:
+				ip = foundIP
+				return
+			case err := <-errChan:
+				errs = append(errs, err)
+				if len(errs) == len(getIPServicesPlain) {
+					cancelCause(fmt.Errorf(
+						"cannot resolve %s address: %w",
+						protocol,
+						errors.Join(errs...),
+					))
+				}
+			}
+		}
+	})
+
+	wg.Wait()
+
+	if ip != nil {
+		return ip, nil
+	}
+
+	return nil, context.Cause(ctx)
+}
+
+func getIPAddressPlain(ctx context.Context, client *http.Client, address string) (net.IP, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, address, nil)
+	if err != nil {
+		panic(err)
+	}
+
+	req.Header.Add("Accept", "text/plain")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		io.Copy(io.Discard, resp.Body) //nolint: errcheck
+		resp.Body.Close()              //nolint: errcheck
+	}()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("unexpected status code %d", resp.StatusCode)
+	}
+
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	data = bytes.TrimSpace(data)
+	ip := net.ParseIP(string(data))
+
+	if ip == nil {
+		return nil, errors.New("cannot parse as IP address")
+	}
+
+	return ip, nil
+}

internal/cli/run_proxy.go

 	"fmt"
 	"net"
 	"os"
+	"slices"
 	"strings"
 
 	"github.com/9seconds/mtg/v2/antireplay"
 		return
 	}
 
-	res := runSNICheck(context.Background(), net.DefaultResolver, conf, ntw)
+	log = log.BindStr("hostname", host)
 
-	if res.ResolveErr != nil {
-		log.BindStr("hostname", host).
-			WarningError("SNI-DNS check: cannot resolve secret hostname", res.ResolveErr)
+	res, err := runSNICheck(context.Background(), conf, net.DefaultResolver, ntw)
+	if err != nil {
+		log.WarningError("SNI-DNS check: cannot resolve secret hostname", err)
 		return
 	}
 
-	if !res.PublicIPKnown() {
+	if res.OurIP4 == "" && res.OurIP6 == "" {
 		log.Warning("SNI-DNS check: cannot detect public IP address; set public-ipv4/public-ipv6 in config or run 'mtg doctor'")
 		return
 	}
 
-	v4Match := res.OurIPv4 == nil || res.IPv4Match
-	v6Match := res.OurIPv6 == nil || res.IPv6Match
-
-	if v4Match && v6Match {
-		return
-	}
-
-	resolved := make([]string, 0, len(res.Resolved))
-	for _, ip := range res.Resolved {
-		resolved = append(resolved, ip.String())
+	if len(res.ResolvedIP4) > 0 && !slices.Contains(res.ResolvedIP4, res.OurIP4) {
+		log.
+			BindStr("public_ip", res.OurIP4).
+			BindStr("resolved", strings.Join(res.ResolvedIP4, ",")).
+			Warning("SNI-DNS check: address mismatch")
 	}
 
-	our := ""
-	if res.OurIPv4 != nil {
-		our = res.OurIPv4.String()
+	if len(res.ResolvedIP6) > 0 && !slices.Contains(res.ResolvedIP6, res.OurIP6) {
+		log.
+			BindStr("public_ip", res.OurIP6).
+			BindStr("resolved", strings.Join(res.ResolvedIP6, ",")).
+			Warning("SNI-DNS check: address mismatch")
 	}
-
-	if res.OurIPv6 != nil {
-		if our != "" {
-			our += "/"
-		}
-
-		our += res.OurIPv6.String()
-	}
-
-	entry := log.BindStr("hostname", host).
-		BindStr("resolved", strings.Join(resolved, ", ")).
-		BindStr("public_ip", our)
-
-	if res.OurIPv4 != nil {
-		entry = entry.BindStr("ipv4_match", fmt.Sprintf("%t", v4Match))
-	}
-
-	if res.OurIPv6 != nil {
-		entry = entry.BindStr("ipv6_match", fmt.Sprintf("%t", v6Match))
-	}
-
-	entry.Warning("SNI-DNS mismatch: secret hostname does not resolve to this server's public IP. " +
-		"DPI may detect and block the proxy. See 'mtg doctor' for details")
 }
 
 func warnDeprecatedDomainFronting(conf *config.Config, log mtglib.Logger) {

internal/cli/sni_check.go

 
 import (
 	"context"
+	"fmt"
 	"net"
+	"sync"
 
 	"github.com/9seconds/mtg/v2/internal/config"
 	"github.com/9seconds/mtg/v2/mtglib"
 )
 
-// sniCheckResult holds the data gathered while comparing the secret
-// hostname's DNS records against this server's public IP addresses.
-//
-// IPv4Match / IPv6Match report whether a resolved record actually equals the
-// corresponding public IP. They are false when that family's public IP could
-// not be determined — there is nothing to compare against. Callers decide
-// what counts as a clean result from these fields: `mtg doctor` and the
-// startup warning apply different rules.
 type sniCheckResult struct {
-	Resolved   []net.IP
-	OurIPv4    net.IP
-	OurIPv6    net.IP
-	IPv4Match  bool
-	IPv6Match  bool
-	ResolveErr error
+	ResolvedIP4 []string
+	ResolvedIP6 []string
+	OurIP4      string
+	OurIP6      string
 }
 
-// PublicIPKnown reports whether at least one public IP family was detected.
-func (r sniCheckResult) PublicIPKnown() bool {
-	return r.OurIPv4 != nil || r.OurIPv6 != nil
-}
-
-// runSNICheck resolves conf.Secret.Host and compares the records with this
-// server's public IPv4 and IPv6. Public IPs come from config first and fall
-// back to on-the-fly detection via ntw. It gathers data only — it does not
-// decide success; see sniCheckResult.
 func runSNICheck(
 	ctx context.Context,
-	resolver *net.Resolver,
 	conf *config.Config,
+	resolver *net.Resolver,
 	ntw mtglib.Network,
-) sniCheckResult {
+) (sniCheckResult, error) {
 	res := sniCheckResult{}
 
 	addrs, err := resolver.LookupIPAddr(ctx, conf.Secret.Host)
 	if err != nil {
-		res.ResolveErr = err
-
-		return res
+		return res, fmt.Errorf("cannot resolve addresses of %s: %w", conf.Secret.Host, err)
 	}
 
-	res.Resolved = make([]net.IP, 0, len(addrs))
-	for _, a := range addrs {
-		res.Resolved = append(res.Resolved, a.IP)
+	if len(addrs) == 0 {
+		return res, fmt.Errorf("no known addresses for %s", conf.Secret.Host)
 	}
 
-	res.OurIPv4 = conf.PublicIPv4.Get(nil)
-	if res.OurIPv4 == nil {
-		res.OurIPv4 = getIP(ntw, "tcp4")
+	for _, addr := range addrs {
+		if ip := addr.IP.To4(); ip == nil {
+			res.ResolvedIP6 = append(res.ResolvedIP6, addr.IP.To16().String())
+		} else {
+			res.ResolvedIP4 = append(res.ResolvedIP4, ip.String())
+		}
 	}
 
-	res.OurIPv6 = conf.PublicIPv6.Get(nil)
-	if res.OurIPv6 == nil {
-		res.OurIPv6 = getIP(ntw, "tcp6")
+	wg := &sync.WaitGroup{}
+
+	if len(res.ResolvedIP4) > 0 {
+		wg.Go(func() {
+			ip := conf.PublicIPv4.Get(nil)
+			if ip == nil {
+				ip, _ = getIP(ctx, ntw, "tcp4")
+			}
+
+			if ip != nil {
+				res.OurIP4 = ip.To4().String()
+			}
+		})
 	}
 
-	for _, ip := range res.Resolved {
-		if res.OurIPv4 != nil && ip.String() == res.OurIPv4.String() {
-			res.IPv4Match = true
-		}
+	if len(res.ResolvedIP6) > 0 {
+		wg.Go(func() {
+			ip := conf.PublicIPv6.Get(nil)
+			if ip == nil {
+				ip, _ = getIP(ctx, ntw, "tcp6")
+			}
 
-		if res.OurIPv6 != nil && ip.String() == res.OurIPv6.String() {
-			res.IPv6Match = true
-		}
+			if ip != nil {
+				res.OurIP6 = ip.To16().String()
+			}
+		})
 	}
 
-	return res
+	wg.Wait()
+
+	return res, nil
 }

internal/cli/sni_check_test.go

+package cli
+
+import (
+	"context"
+	"io"
+	"net"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/9seconds/mtg/v2/essentials"
+	"github.com/9seconds/mtg/v2/internal/config"
+	"github.com/9seconds/mtg/v2/mtglib"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/net/dns/dnsmessage"
+)
+
+// startSNITestDNS spins up a loopback UDP resolver that answers every query
+// with the given A and AAAA records, so runSNICheck sees a dual-stack secret
+// host without touching the real network. It returns a *net.Resolver wired to
+// it.
+func startSNITestDNS(t *testing.T, a, aaaa net.IP) *net.Resolver {
+	t.Helper()
+
+	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
+	require.NoError(t, err)
+	t.Cleanup(func() { pc.Close() }) //nolint: errcheck
+
+	go func() {
+		buf := make([]byte, 512)
+
+		for {
+			n, addr, err := pc.ReadFrom(buf)
+			if err != nil {
+				return
+			}
+
+			var parser dnsmessage.Parser
+
+			hdr, err := parser.Start(buf[:n])
+			if err != nil {
+				continue
+			}
+
+			question, err := parser.Question()
+			if err != nil {
+				continue
+			}
+
+			builder := dnsmessage.NewBuilder(nil, dnsmessage.Header{
+				ID:                 hdr.ID,
+				Response:           true,
+				RecursionAvailable: true,
+			})
+			builder.EnableCompression()
+			_ = builder.StartQuestions()
+			_ = builder.Question(question)
+			_ = builder.StartAnswers()
+
+			rh := dnsmessage.ResourceHeader{
+				Name:  question.Name,
+				Class: dnsmessage.ClassINET,
+				TTL:   60,
+			}
+
+			switch question.Type {
+			case dnsmessage.TypeA:
+				rh.Type = dnsmessage.TypeA
+				var v4 [4]byte
+				copy(v4[:], a.To4())
+				_ = builder.AResource(rh, dnsmessage.AResource{A: v4})
+			case dnsmessage.TypeAAAA:
+				rh.Type = dnsmessage.TypeAAAA
+				var v6 [16]byte
+				copy(v6[:], aaaa.To16())
+				_ = builder.AAAAResource(rh, dnsmessage.AAAAResource{AAAA: v6})
+			}
+
+			msg, err := builder.Finish()
+			if err != nil {
+				continue
+			}
+
+			pc.WriteTo(msg, addr) //nolint: errcheck
+		}
+	}()
+
+	dnsAddr := pc.LocalAddr().String()
+
+	return &net.Resolver{
+		PreferGo: true,
+		Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
+			var d net.Dialer
+
+			return d.DialContext(ctx, "udp", dnsAddr)
+		},
+	}
+}
+
+// ipv4OnlyEgressNetwork fakes mtglib.Network so that public-IP detection
+// succeeds over tcp4 and fails over tcp6 — the classic IPv4-only-egress
+// server. getIP's per-protocol dial is routed at a loopback listener: a tcp4
+// dial to 127.0.0.1 connects, a tcp6 dial to the same address fails ("no
+// suitable address"), so we exercise the real getIP code path without the
+// internet.
+type ipv4OnlyEgressNetwork struct {
+	listenerAddr string
+	detectedV4   string
+}
+
+func (n *ipv4OnlyEgressNetwork) Dial(_, _ string) (essentials.Conn, error) {
+	panic("unused")
+}
+
+func (n *ipv4OnlyEgressNetwork) DialContext(_ context.Context, _, _ string) (essentials.Conn, error) {
+	panic("unused")
+}
+
+func (n *ipv4OnlyEgressNetwork) NativeDialer() *net.Dialer {
+	return &net.Dialer{}
+}
+
+func (n *ipv4OnlyEgressNetwork) MakeHTTPClient(
+	dialFunc func(ctx context.Context, network, address string) (essentials.Conn, error),
+) *http.Client {
+	return &http.Client{
+		Transport: roundTripFunc(func(req *http.Request) (*http.Response, error) {
+			conn, err := dialFunc(req.Context(), "tcp", n.listenerAddr)
+			if err != nil {
+				return nil, err
+			}
+
+			conn.Close() //nolint: errcheck
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       io.NopCloser(strings.NewReader(n.detectedV4)),
+				Header:     make(http.Header),
+			}, nil
+		}),
+	}
+}
+
+type roundTripFunc func(*http.Request) (*http.Response, error)
+
+func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) {
+	return f(r)
+}
+
+// TestRunSNICheckIPv4OnlyEgressGraceful reproduces the #529/#542 regression:
+// a dual-stack secret host on a server whose IPv6 egress is down. The tcp6
+// public-IP detection fails, but the tcp4 detection succeeds and matches the
+// host's A record, so the SNI check must NOT report a hard error — one
+// family being undetectable is graceful degradation, not failure.
+func TestRunSNICheckIPv4OnlyEgressGraceful(t *testing.T) {
+	const ourV4 = "192.0.2.4" // RFC 5737 TEST-NET-1
+
+	resolver := startSNITestDNS(t, net.ParseIP(ourV4), net.ParseIP("2001:db8::1")) // RFC 3849 doc range
+
+	// Loopback target for getIP's dial. Keep it the IPv4 literal 127.0.0.1: a
+	// "tcp6" dial to it fails deterministically ("no suitable address") on any
+	// host regardless of IPv6 connectivity, which is what makes tcp6 detection
+	// fail here. Do not replace with a real ::1 setup — that reintroduces flake.
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	t.Cleanup(func() { listener.Close() }) //nolint: errcheck
+
+	go func() {
+		for {
+			conn, err := listener.Accept()
+			if err != nil {
+				return
+			}
+
+			conn.Close() //nolint: errcheck
+		}
+	}()
+
+	ntw := &ipv4OnlyEgressNetwork{
+		listenerAddr: listener.Addr().String(),
+		detectedV4:   ourV4,
+	}
+
+	conf := &config.Config{}
+	conf.Secret.Host = "secret-host.test"
+
+	res, err := runSNICheck(context.Background(), conf, resolver, ntw)
+
+	// The load-bearing assertion: a single family's detection failure must not
+	// poison the whole result. Before the fix this returns a non-nil error.
+	require.NoError(t, err)
+	require.Equal(t, ourV4, res.OurIP4, "IPv4 public IP should be detected and match the A record")
+	require.Empty(t, res.OurIP6, "IPv6 is undetectable on IPv4-only egress; must degrade, not error")
+}
+
+var _ mtglib.Network = (*ipv4OnlyEgressNetwork)(nil)

internal/cli/utils.go

-package cli
-
-import (
-	"context"
-	"io"
-	"net"
-	"net/http"
-	"strings"
-
-	"github.com/9seconds/mtg/v2/essentials"
-	"github.com/9seconds/mtg/v2/mtglib"
-)
-
-func getIP(ntw mtglib.Network, protocol string) net.IP {
-	dialer := ntw.NativeDialer()
-	client := ntw.MakeHTTPClient(func(ctx context.Context, network, address string) (essentials.Conn, error) {
-		conn, err := dialer.DialContext(ctx, protocol, address)
-		if err != nil {
-			return nil, err
-		}
-		return essentials.WrapNetConn(conn), err
-	})
-
-	req, err := http.NewRequest(http.MethodGet, "https://ifconfig.co", nil) //nolint: noctx
-	if err != nil {
-		panic(err)
-	}
-
-	req.Header.Add("Accept", "text/plain")
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return nil
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return nil
-	}
-
-	defer func() {
-		io.Copy(io.Discard, resp.Body) //nolint: errcheck
-		resp.Body.Close()              //nolint: errcheck
-	}()
-
-	data, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil
-	}
-
-	return net.ParseIP(strings.TrimSpace(string(data)))
-}