fix(windows): only consider online adapters (#6810)

When deciding which interface we are going to use for connecting to the
portal API, we need to filter through all adapters on Windows and
exclude our own TUN adapter to avoid routing loops. In addition, we also
need to filter for only online adapters, otherwise we might pick one
that is not actually routable.

Resolves: #6802.

rust/bin-shared/src/windows.rs

@@ -19,6 +19,7 @@ use windows::Win32::{
         CreateIpForwardEntry2, DeleteIpForwardEntry2, GetBestRoute2, GetIpForwardTable2,
         GET_ADAPTERS_ADDRESSES_FLAGS, IP_ADAPTER_ADDRESSES_LH, MIB_IPFORWARD_ROW2,
     },
+    NetworkManagement::Ndis::IfOperStatusUp,
     Networking::WinSock::{ADDRESS_FAMILY, AF_INET, AF_INET6, AF_UNSPEC, SOCKADDR_INET},
 };
 
@@ -216,6 +217,7 @@ impl Drop for RoutingTableEntry {
 fn get_best_non_tunnel_route(dst: IpAddr) -> io::Result<Route> {
     let route = list_adapters()?
         .filter(|adapter| !is_tun(adapter))
+        .filter(|adapter| is_up(adapter))
         .filter_map(|adapter| find_best_route_for_luid(&adapter.Luid, dst).ok())
         .min()
         .ok_or(io::Error::other("No route to host"))?;
@@ -299,6 +301,10 @@ fn is_tun(adapter: &IP_ADAPTER_ADDRESSES_LH) -> bool {
     friendly_name == TUNNEL_NAME
 }
 
+fn is_up(adapter: &IP_ADAPTER_ADDRESSES_LH) -> bool {
+    adapter.OperStatus == IfOperStatusUp
+}
+
 struct Route {
     metric: u32,
     addr: IpAddr,

website/src/components/Changelog/GUI.tsx

@@ -32,6 +32,9 @@ export default function GUI({ title }: { title: string }) {
             Fixes a bug where auto-sign-in with an expired token would cause a
             "Couldn't send Disconnect" error message.
           </ChangeItem>
+          <ChangeItem enable={title === "Windows"} pull="6810">
+            Fixes a bug where roaming from Ethernet to WiFi would cause Firezone to fail to connect to the portal.
+          </ChangeItem>
         </ul>
       </Entry>
       <Entry version="1.3.4" date={new Date("2024-09-19")}>