Handle port correctly and delete interface

.github/dependabot.yml

@@ -1,46 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: "gomod"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    groups:
-      dev-patch-updates:
-        dependency-type: "development"
-        update-types:
-          - "patch"
-      dev-minor-updates:
-        dependency-type: "development"
-        update-types:
-          - "minor"
-      dev-major-updates:
-        dependency-type: "development"
-        update-types:
-          - "major"
-      prod-patch-updates:
-        dependency-type: "production"
-        update-types:
-          - "patch"
-      prod-minor-updates:
-        dependency-type: "production"
-        update-types:
-          - "minor"
-      prod-major-updates:
-        dependency-type: "production"
-        update-types:
-          - "major"
-
-  - package-ecosystem: "docker"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    groups:
-      patch-updates:
-        update-types:
-          - "patch"
-      minor-updates:
-        update-types:
-          - "minor"
-      major-updates:
-        update-types:
-          - "major"

.gitignore

@@ -1,6 +1,4 @@
 newt
 .DS_Store
 bin/
-.idea
-*.iml
-certs/
+nohup.out

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.24.3-alpine AS builder
+FROM golang:1.23.1-alpine AS builder
 
 # Set the working directory inside the container
 WORKDIR /app
@@ -15,9 +15,9 @@ COPY . .
 # Build the application
 RUN CGO_ENABLED=0 GOOS=linux go build -o /newt
 
-FROM alpine:3.22 AS runner
+FROM alpine:3.19 AS runner
 
-RUN apk --no-cache add ca-certificates tzdata
+RUN apk --no-cache add ca-certificates
 
 COPY --from=builder /newt /usr/local/bin/
 COPY entrypoint.sh /

README.md

@@ -6,6 +6,7 @@ Newt is a fully user space [WireGuard](https://www.wireguard.com/) tunnel client
 
 Newt is used with Pangolin and Gerbil as part of the larger system. See documentation below:
 
+-   [Installation Instructions](https://docs.fossorial.io)
 -   [Full Documentation](https://docs.fossorial.io)
 
 ## Preview
@@ -36,10 +37,8 @@ When Newt receives WireGuard control messages, it will use the information encod
 - `dns`: DNS server to use to resolve the endpoint
 - `log-level` (optional): The log level to use. Default: INFO
 - `updown` (optional): A script to be called when targets are added or removed.
-- `tls-client-cert` (optional): Client certificate (p12 or pfx) for mTLS. See [mTLS](#mtls)
-- `docker-socket` (optional): Set the Docker socket to use the container discovery integration
-
-- Example:
+ 
+Example:
 
 ```bash
 ./newt \
@@ -76,15 +75,23 @@ services:
         - --endpoint https://example.com
 ```
 
-### Docker Socket Integration
+Finally a basic systemd service:
 
-Newt can integrate with the Docker socket to provide remote inspection of Docker containers. This allows Pangolin to query and retrieve detailed information about containers running on the Newt client, including metadata, network configuration, port mappings, and more.
+```
+[Unit]
+Description=Newt VPN Client
+After=network.target
 
-**Configuration:**
+[Service]
+ExecStart=/usr/local/bin/newt --id 31frd0uzbjvp721 --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 --endpoint https://example.com
+Restart=always
+User=root
 
-You can specify the Docker socket path using the `--docker-socket` CLI argument or by setting the `DOCKER_SOCKET` environment variable. On most linux systems the socket is `/var/run/docker.sock`
+[Install]
+WantedBy=multi-user.target
+```
 
-If the Docker socket is not available or accessible, Newt will gracefully disable Docker integration and continue normal operation.
+Make sure to `mv ./newt /usr/local/bin/newt`!
 
 ### Updown
 
@@ -100,38 +107,6 @@ Returning a string from the script in the format of a target (`ip:dst` so `10.0.
 
 You can look at updown.py as a reference script to get started!
 
-### mTLS
-Newt supports mutual TLS (mTLS) authentication, if the server has been configured to request a client certificate.
-* Only PKCS12 (.p12 or .pfx) file format is accepted
-* The PKCS12 file must contain: 
-  * Private key
-  * Public certificate
-  * CA certificate
-* Encrypted PKCS12 files are currently not supported
-
-Examples:
-
-```bash
-./newt \
---id 31frd0uzbjvp721 \
---secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \
---endpoint https://example.com \
---tls-client-cert ./client.p12
-```
-
-```yaml
-services:
-  newt:
-    image: fosrl/newt
-    container_name: newt
-    restart: unless-stopped
-    environment:
-      - PANGOLIN_ENDPOINT=https://example.com
-      - NEWT_ID=2ix2t8xk22ubpfy 
-      - NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2 
-      - TLS_CLIENT_CERT=./client.p12 
-```
-
 ## Build
 
 ### Container 
@@ -150,16 +125,6 @@ Make sure to have Go 1.23.1 installed.
 make local
 ```
 
-### Nix Flake
-
-```bash
-nix build
-```
-
-Binary will be at `./result/bin/newt`
-
-Development shell available with `nix develop`
-
 ## Licensing
 
 Newt is dual licensed under the AGPLv3 and the Fossorial Commercial license. For inquiries about commercial licensing, please contact us.

docker/client.go

@@ -1,166 +0,0 @@
-package docker
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"strings"
-	"time"
-
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/client"
-	"github.com/fosrl/newt/logger"
-)
-
-// Container represents a Docker container
-type Container struct {
-	ID       string             `json:"id"`
-	Name     string             `json:"name"`
-	Image    string             `json:"image"`
-	State    string             `json:"state"`
-	Status   string             `json:"status"`
-	Ports    []Port             `json:"ports"`
-	Labels   map[string]string  `json:"labels"`
-	Created  int64              `json:"created"`
-	Networks map[string]Network `json:"networks"`
-}
-
-// Port represents a port mapping for a Docker container
-type Port struct {
-	PrivatePort int    `json:"privatePort"`
-	PublicPort  int    `json:"publicPort,omitempty"`
-	Type        string `json:"type"`
-	IP          string `json:"ip,omitempty"`
-}
-
-// Network represents network information for a Docker container
-type Network struct {
-	NetworkID           string   `json:"networkId"`
-	EndpointID          string   `json:"endpointId"`
-	Gateway             string   `json:"gateway,omitempty"`
-	IPAddress           string   `json:"ipAddress,omitempty"`
-	IPPrefixLen         int      `json:"ipPrefixLen,omitempty"`
-	IPv6Gateway         string   `json:"ipv6Gateway,omitempty"`
-	GlobalIPv6Address   string   `json:"globalIPv6Address,omitempty"`
-	GlobalIPv6PrefixLen int      `json:"globalIPv6PrefixLen,omitempty"`
-	MacAddress          string   `json:"macAddress,omitempty"`
-	Aliases             []string `json:"aliases,omitempty"`
-	DNSNames            []string `json:"dnsNames,omitempty"`
-}
-
-// CheckSocket checks if Docker socket is available
-func CheckSocket(socketPath string) bool {
-	// Use the provided socket path or default to standard location
-	if socketPath == "" {
-		socketPath = "/var/run/docker.sock"
-	}
-
-	// Try to create a connection to the Docker socket
-	conn, err := net.Dial("unix", socketPath)
-	if err != nil {
-		logger.Debug("Docker socket not available at %s: %v", socketPath, err)
-		return false
-	}
-	defer conn.Close()
-
-	logger.Debug("Docker socket is available at %s", socketPath)
-	return true
-}
-
-// ListContainers lists all Docker containers with their network information
-func ListContainers(socketPath string) ([]Container, error) {
-	// Use the provided socket path or default to standard location
-	if socketPath == "" {
-		socketPath = "/var/run/docker.sock"
-	}
-
-	// Create a new Docker client
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	// Create client with custom socket path
-	cli, err := client.NewClientWithOpts(
-		client.WithHost("unix://"+socketPath),
-		client.WithAPIVersionNegotiation(),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create Docker client: %v", err)
-	}
-	defer cli.Close()
-
-	// List containers
-	containers, err := cli.ContainerList(ctx, container.ListOptions{All: true})
-	if err != nil {
-		return nil, fmt.Errorf("failed to list containers: %v", err)
-	}
-
-	var dockerContainers []Container
-	for _, c := range containers {
-		// Convert ports
-		var ports []Port
-		for _, port := range c.Ports {
-			dockerPort := Port{
-				PrivatePort: int(port.PrivatePort),
-				Type:        port.Type,
-			}
-			if port.PublicPort != 0 {
-				dockerPort.PublicPort = int(port.PublicPort)
-			}
-			if port.IP != "" {
-				dockerPort.IP = port.IP
-			}
-			ports = append(ports, dockerPort)
-		}
-
-		// Get container name (remove leading slash)
-		name := ""
-		if len(c.Names) > 0 {
-			name = strings.TrimPrefix(c.Names[0], "/")
-		}
-
-		// Get network information by inspecting the container
-		networks := make(map[string]Network)
-
-		// Inspect container to get detailed network information
-		containerInfo, err := cli.ContainerInspect(ctx, c.ID)
-		if err != nil {
-			logger.Debug("Failed to inspect container %s for network info: %v", c.ID[:12], err)
-			// Continue without network info if inspection fails
-		} else {
-			// Extract network information from inspection
-			if containerInfo.NetworkSettings != nil && containerInfo.NetworkSettings.Networks != nil {
-				for networkName, endpoint := range containerInfo.NetworkSettings.Networks {
-					dockerNetwork := Network{
-						NetworkID:           endpoint.NetworkID,
-						EndpointID:          endpoint.EndpointID,
-						Gateway:             endpoint.Gateway,
-						IPAddress:           endpoint.IPAddress,
-						IPPrefixLen:         endpoint.IPPrefixLen,
-						IPv6Gateway:         endpoint.IPv6Gateway,
-						GlobalIPv6Address:   endpoint.GlobalIPv6Address,
-						GlobalIPv6PrefixLen: endpoint.GlobalIPv6PrefixLen,
-						MacAddress:          endpoint.MacAddress,
-						Aliases:             endpoint.Aliases,
-						DNSNames:            endpoint.DNSNames,
-					}
-					networks[networkName] = dockerNetwork
-				}
-			}
-		}
-
-		dockerContainer := Container{
-			ID:       c.ID[:12], // Show short ID like docker ps
-			Name:     name,
-			Image:    c.Image,
-			State:    c.State,
-			Status:   c.Status,
-			Ports:    ports,
-			Labels:   c.Labels,
-			Created:  c.Created,
-			Networks: networks,
-		}
-		dockerContainers = append(dockerContainers, dockerContainer)
-	}
-
-	return dockerContainers, nil
-}

flake.lock

@@ -1,27 +0,0 @@
-{
-  "nodes": {
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1743827369,
-        "narHash": "sha256-rpqepOZ8Eo1zg+KJeWoq1HAOgoMCDloqv5r2EAa9TSA=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "42a1c966be226125b48c384171c44c651c236c22",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}

flake.nix

@@ -1,65 +0,0 @@
-{
-  description = "newt - A tunneling client for Pangolin";
-
-  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-  };
-
-  outputs =
-    { self, nixpkgs }:
-    let
-      supportedSystems = [
-        "x86_64-linux"
-        "aarch64-linux"
-        "x86_64-darwin"
-        "aarch64-darwin"
-      ];
-      forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
-      pkgsFor = system: nixpkgs.legacyPackages.${system};
-    in
-    {
-      packages = forAllSystems (
-        system:
-        let
-          pkgs = pkgsFor system;
-        in
-        {
-          default = self.packages.${system}.pangolin-newt;
-          pangolin-newt = pkgs.buildGoModule {
-            pname = "pangolin-newt";
-            version = "1.1.3";
-
-            src = ./.;
-
-            vendorHash = "sha256-sTtiBBkZ9cuhWnrn2VG20kv4nzNFfdzP5p+ewESCjyM=";
-
-            meta = with pkgs.lib; {
-              description = "A tunneling client for Pangolin";
-              homepage = "https://github.com/fosrl/newt";
-              license = licenses.gpl3;
-              maintainers = [ ];
-            };
-          };
-        }
-      );
-      devShells = forAllSystems (
-        system:
-        let
-          pkgs = pkgsFor system;
-        in
-        {
-          default = pkgs.mkShell {
-            buildInputs = with pkgs; [
-              go
-              gopls
-              gotools
-              go-outline
-              gopkgs
-              godef
-              golint
-            ];
-          };
-        }
-      );
-    };
-}

go.mod

@@ -5,41 +5,27 @@ go 1.23.1
 toolchain go1.23.2
 
 require (
-	github.com/docker/docker v28.2.2+incompatible
+	github.com/google/gopacket v1.1.19
 	github.com/gorilla/websocket v1.5.3
-	golang.org/x/net v0.40.0
+	github.com/vishvananda/netlink v1.3.0
+	golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa
+	golang.org/x/net v0.33.0
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
-	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 	gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259
-	software.sslmate.com/src/go-pkcs12 v0.5.0
 )
 
 require (
-	github.com/Microsoft/go-winio v0.6.0 // indirect
-	github.com/containerd/errdefs v1.0.0 // indirect
-	github.com/containerd/errdefs/pkg v0.3.0 // indirect
-	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
-	github.com/docker/go-units v0.4.0 // indirect
-	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
-	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
-	go.opentelemetry.io/otel/metric v1.36.0 // indirect
-	go.opentelemetry.io/otel/trace v1.36.0 // indirect
-	golang.org/x/crypto v0.38.0 // indirect
-	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/josharian/native v1.1.0 // indirect
+	github.com/mdlayher/genetlink v1.3.2 // indirect
+	github.com/mdlayher/netlink v1.7.2 // indirect
+	github.com/mdlayher/socket v0.5.1 // indirect
+	github.com/vishvananda/netns v0.0.4 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/sync v0.11.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
-	golang.org/x/tools v0.13.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 )

go.sum

@@ -1,97 +1,56 @@
-github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
-github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
-github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
-github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
-github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
-github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
-github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
-github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v28.2.2+incompatible h1:CjwRSksz8Yo4+RmQ339Dp/D2tGO5JxwYeqtMOEe0LDw=
-github.com/docker/docker v28.2.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
-github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
-github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
-github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
-github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
+github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
-github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
-github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
-github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
-github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
-go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
-go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
-go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
-go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
-go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
-go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
+github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
+github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
+github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
+github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
+github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
+github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
+github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
+github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
+github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc=
+github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQdrZk=
+github.com/vishvananda/netlink v1.3.0/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=
+github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
+github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
-golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa h1:t2QcU6V556bFjYgu4L6C+6VrCPyJZ+eyRsABUPs1mz4=
+golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa/go.mod h1:BHOTPb3L19zxehTsLoJXVaTktb06DFgmdW6Wb9s8jqk=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
-golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 h1:/jFs0duh4rdb8uIfPMv78iAJGcPKDeqAFnaLBropIC4=
 golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
-golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
-golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 h1:3GDAcqdIg1ozBNLgPy4SLT84nfcBjr6rhGtXYtrkWLU=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10/go.mod h1:T97yPqesLiNrOYxkwmhMI0ZIlJDm+p0PMR8eRVeR5tQ=
 gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 h1:TbRPT0HtzFP3Cno1zZo7yPzEEnfu8EjLfl6IU9VfqkQ=
 gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259/go.mod h1:AVgIgHMwK63XvmAzWG9vLQ41YnVHN0du0tEC46fI7yY=
-software.sslmate.com/src/go-pkcs12 v0.5.0 h1:EC6R394xgENTpZ4RltKydeDUjtlM5drOYIG9c6TVj2M=
-software.sslmate.com/src/go-pkcs12 v0.5.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=

logger/logger.go

@@ -53,23 +53,7 @@ func (l *Logger) log(level LogLevel, format string, args ...interface{}) {
 	if level < l.level {
 		return
 	}
-
-	// Get timezone from environment variable or use local timezone
-	timezone := os.Getenv("LOGGER_TIMEZONE")
-	var location *time.Location
-	var err error
-
-	if timezone != "" {
-		location, err = time.LoadLocation(timezone)
-		if err != nil {
-			// If invalid timezone, fall back to local
-			location = time.Local
-		}
-	} else {
-		location = time.Local
-	}
-
-	timestamp := time.Now().In(location).Format("2006/01/02 15:04:05")
+	timestamp := time.Now().Format("2006/01/02 15:04:05")
 	message := fmt.Sprintf(format, args...)
 	l.logger.Printf("%s: %s %s", level.String(), timestamp, message)
 }

main.go

@@ -13,15 +13,16 @@ import (
 	"os"
 	"os/exec"
 	"os/signal"
+	"runtime"
 	"strconv"
 	"strings"
 	"syscall"
 	"time"
 
-	"github.com/fosrl/newt/docker"
 	"github.com/fosrl/newt/logger"
 	"github.com/fosrl/newt/proxy"
 	"github.com/fosrl/newt/websocket"
+	"github.com/fosrl/newt/wg"
 
 	"golang.org/x/net/icmp"
 	"golang.org/x/net/ipv4"
@@ -56,7 +57,7 @@ func fixKey(key string) string {
 	// Decode from base64
 	decoded, err := base64.StdEncoding.DecodeString(key)
 	if err != nil {
-		logger.Fatal("Error decoding base64: %v", err)
+		logger.Fatal("Error decoding base64")
 	}
 
 	// Convert to hex
@@ -116,12 +117,7 @@ func ping(tnet *netstack.Net, dst string) error {
 }
 
 func startPingCheck(tnet *netstack.Net, serverIP string, stopChan chan struct{}) {
-	initialInterval := 10 * time.Second
-	maxInterval := 60 * time.Second
-	currentInterval := initialInterval
-	consecutiveFailures := 0
-
-	ticker := time.NewTicker(currentInterval)
+	ticker := time.NewTicker(10 * time.Second)
 	defer ticker.Stop()
 
 	go func() {
@@ -130,34 +126,8 @@ func startPingCheck(tnet *netstack.Net, serverIP string, stopChan chan struct{})
 			case <-ticker.C:
 				err := ping(tnet, serverIP)
 				if err != nil {
-					consecutiveFailures++
-					logger.Warn("Periodic ping failed (%d consecutive failures): %v",
-						consecutiveFailures, err)
+					logger.Warn("Periodic ping failed: %v", err)
 					logger.Warn("HINT: Do you have UDP port 51820 (or the port in config.yml) open on your Pangolin server?")
-
-					// Increase interval if we have consistent failures, with a maximum cap
-					if consecutiveFailures >= 3 && currentInterval < maxInterval {
-						// Increase by 50% each time, up to the maximum
-						currentInterval = time.Duration(float64(currentInterval) * 1.5)
-						if currentInterval > maxInterval {
-							currentInterval = maxInterval
-						}
-						ticker.Reset(currentInterval)
-						logger.Info("Increased ping check interval to %v due to consecutive failures",
-							currentInterval)
-					}
-				} else {
-					// On success, if we've backed off, gradually return to normal interval
-					if currentInterval > initialInterval {
-						currentInterval = time.Duration(float64(currentInterval) * 0.8)
-						if currentInterval < initialInterval {
-							currentInterval = initialInterval
-						}
-						ticker.Reset(currentInterval)
-						logger.Info("Decreased ping check interval to %v after successful ping",
-							currentInterval)
-					}
-					consecutiveFailures = 0
 				}
 			case <-stopChan:
 				logger.Info("Stopping ping check")
@@ -167,97 +137,34 @@ func startPingCheck(tnet *netstack.Net, serverIP string, stopChan chan struct{})
 	}()
 }
 
-// Function to track connection status and trigger reconnection as needed
-func monitorConnectionStatus(tnet *netstack.Net, serverIP string, client *websocket.Client) {
-	const checkInterval = 30 * time.Second
-	connectionLost := false
-	ticker := time.NewTicker(checkInterval)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-ticker.C:
-			// Try a ping to see if connection is alive
-			err := ping(tnet, serverIP)
-
-			if err != nil && !connectionLost {
-				// We just lost connection
-				connectionLost = true
-				logger.Warn("Connection to server lost. Continuous reconnection attempts will be made.")
-
-				// Notify the user they might need to check their network
-				logger.Warn("Please check your internet connection and ensure the Pangolin server is online.")
-				logger.Warn("Newt will continue reconnection attempts automatically when connectivity is restored.")
-			} else if err == nil && connectionLost {
-				// Connection has been restored
-				connectionLost = false
-				logger.Info("Connection to server restored!")
-
-				// Tell the server we're back
-				err := client.SendMessage("newt/wg/register", map[string]interface{}{
-					"publicKey": privateKey.PublicKey().String(),
-				})
-
-				if err != nil {
-					logger.Error("Failed to send registration message after reconnection: %v", err)
-				} else {
-					logger.Info("Successfully re-registered with server after reconnection")
-				}
-			}
-		}
-	}
-}
-
 func pingWithRetry(tnet *netstack.Net, dst string) error {
 	const (
-		initialMaxAttempts = 15
-		initialRetryDelay  = 2 * time.Second
-		maxRetryDelay      = 60 * time.Second // Cap the maximum delay
+		maxAttempts = 5
+		retryDelay  = 2 * time.Second
 	)
 
-	attempt := 1
-	retryDelay := initialRetryDelay
+	var lastErr error
+	for attempt := 1; attempt <= maxAttempts; attempt++ {
+		logger.Info("Ping attempt %d of %d", attempt, maxAttempts)
+
+		if err := ping(tnet, dst); err != nil {
+			lastErr = err
+			logger.Warn("Ping attempt %d failed: %v", attempt, err)
+
+			if attempt < maxAttempts {
+				time.Sleep(retryDelay)
+				continue
+			}
+			return fmt.Errorf("all ping attempts failed after %d tries, last error: %w",
+				maxAttempts, lastErr)
+		}
 
-	// First try with the initial parameters
-	logger.Info("Ping attempt %d", attempt)
-	if err := ping(tnet, dst); err == nil {
 		// Successful ping
 		return nil
-	} else {
-		logger.Warn("Ping attempt %d failed: %v", attempt, err)
 	}
 
-	// Start a goroutine that will attempt pings indefinitely with increasing delays
-	go func() {
-		attempt = 2 // Continue from attempt 2
-
-		for {
-			logger.Info("Ping attempt %d", attempt)
-
-			if err := ping(tnet, dst); err != nil {
-				logger.Warn("Ping attempt %d failed: %v", attempt, err)
-
-				// Increase delay after certain thresholds but cap it
-				if attempt%5 == 0 && retryDelay < maxRetryDelay {
-					retryDelay = time.Duration(float64(retryDelay) * 1.5)
-					if retryDelay > maxRetryDelay {
-						retryDelay = maxRetryDelay
-					}
-					logger.Info("Increasing ping retry delay to %v", retryDelay)
-				}
-
-				time.Sleep(retryDelay)
-				attempt++
-			} else {
-				// Successful ping
-				logger.Info("Ping succeeded after %d attempts", attempt)
-				return
-			}
-		}
-	}()
-
-	// Return an error for the first batch of attempts (to maintain compatibility with existing code)
-	return fmt.Errorf("initial ping attempts failed, continuing in background")
+	// This shouldn't be reached due to the return in the loop, but added for completeness
+	return fmt.Errorf("unexpected error: all ping attempts failed")
 }
 
 func parseLogLevel(level string) logger.LogLevel {
@@ -308,6 +215,9 @@ func resolveDomain(domain string) (string, error) {
 		host = strings.TrimPrefix(host, "https://")
 	}
 
+	// if there are any trailing slashes, remove them
+	host = strings.TrimSuffix(host, "/")
+
 	// Lookup IP addresses
 	ips, err := net.LookupIP(host)
 	if err != nil {
@@ -341,18 +251,18 @@ func resolveDomain(domain string) (string, error) {
 }
 
 var (
-	endpoint      string
-	id            string
-	secret        string
-	mtu           string
-	mtuInt        int
-	dns           string
-	privateKey    wgtypes.Key
-	err           error
-	logLevel      string
-	updownScript  string
-	tlsPrivateKey string
-	dockerSocket  string
+	endpoint             string
+	id                   string
+	secret               string
+	mtu                  string
+	mtuInt               int
+	dns                  string
+	privateKey           wgtypes.Key
+	err                  error
+	logLevel             string
+	updownScript         string
+	interfaceName        string
+	generateAndSaveKeyTo string
 )
 
 func main() {
@@ -364,8 +274,8 @@ func main() {
 	dns = os.Getenv("DNS")
 	logLevel = os.Getenv("LOG_LEVEL")
 	updownScript = os.Getenv("UPDOWN_SCRIPT")
-	tlsPrivateKey = os.Getenv("TLS_CLIENT_CERT")
-	dockerSocket = os.Getenv("DOCKER_SOCKET")
+	interfaceName = os.Getenv("INTERFACE")
+	generateAndSaveKeyTo = os.Getenv("GENERATE_AND_SAVE_KEY_TO")
 
 	if endpoint == "" {
 		flag.StringVar(&endpoint, "endpoint", "", "Endpoint of your pangolin server")
@@ -388,11 +298,11 @@ func main() {
 	if updownScript == "" {
 		flag.StringVar(&updownScript, "updown", "", "Path to updown script to be called when targets are added or removed")
 	}
-	if tlsPrivateKey == "" {
-		flag.StringVar(&tlsPrivateKey, "tls-client-cert", "", "Path to client certificate used for mTLS")
+	if interfaceName == "" {
+		flag.StringVar(&interfaceName, "interface", "wg1", "Name of the WireGuard interface")
 	}
-	if dockerSocket == "" {
-		flag.StringVar(&dockerSocket, "docker-socket", "", "Path to Docker socket (typically /var/run/docker.sock)")
+	if generateAndSaveKeyTo == "" {
+		flag.StringVar(&generateAndSaveKeyTo, "generateAndSaveKeyTo", "", "Path to save generated private key")
 	}
 
 	// do a --version check
@@ -400,12 +310,9 @@ func main() {
 
 	flag.Parse()
 
-	newtVersion := "Newt version replaceme"
 	if *version {
-		fmt.Println(newtVersion)
+		fmt.Println("Newt version replaceme")
 		os.Exit(0)
-	} else {
-		logger.Info(newtVersion)
 	}
 
 	logger.Init()
@@ -422,21 +329,18 @@ func main() {
 	if err != nil {
 		logger.Fatal("Failed to generate private key: %v", err)
 	}
-	var opt websocket.ClientOption
-	if tlsPrivateKey != "" {
-		opt = websocket.WithTLSConfig(tlsPrivateKey)
-	}
+
 	// Create a new client
 	client, err := websocket.NewClient(
 		id,     // CLI arg takes precedence
 		secret, // CLI arg takes precedence
 		endpoint,
-		opt,
 	)
 	if err != nil {
 		logger.Fatal("Failed to create client: %v", err)
 	}
 
+	var wgService *wg.WireGuardService
 	// Create TUN device and network stack
 	var tun tun.Device
 	var tnet *netstack.Net
@@ -445,6 +349,30 @@ func main() {
 	var connected bool
 	var wgData WgData
 
+	if generateAndSaveKeyTo != "" {
+		// make sure we are running on linux
+		if runtime.GOOS != "linux" {
+			logger.Fatal("Tunnel management is only supported on Linux right now!")
+			os.Exit(1)
+		}
+
+		var host = endpoint
+		if strings.HasPrefix(host, "http://") {
+			host = strings.TrimPrefix(host, "http://")
+		} else if strings.HasPrefix(host, "https://") {
+			host = strings.TrimPrefix(host, "https://")
+		}
+
+		host = strings.TrimSuffix(host, "/")
+
+		// Create WireGuard service
+		wgService, err = wg.NewWireGuardService(interfaceName, mtuInt, generateAndSaveKeyTo, host, id, client)
+		if err != nil {
+			logger.Fatal("Failed to create WireGuard service: %v", err)
+		}
+		defer wgService.Close()
+	}
+
 	client.RegisterHandler("newt/terminate", func(msg websocket.WSMessage) {
 		logger.Info("Received terminate message")
 		if pm != nil {
@@ -465,8 +393,13 @@ func main() {
 
 		if connected {
 			logger.Info("Already connected! But I will send a ping anyway...")
-			// Even if pingWithRetry returns an error, it will continue trying in the background
-			_ = pingWithRetry(tnet, wgData.ServerIP) // Ignoring initial error as pings will continue
+			// ping(tnet, wgData.ServerIP)
+			err = pingWithRetry(tnet, wgData.ServerIP)
+			if err != nil {
+				// Handle complete failure after all retries
+				logger.Warn("Failed to ping %s: %v", wgData.ServerIP, err)
+				logger.Warn("HINT: Do you have UDP port 51820 (or the port in config.yml) open on your Pangolin server?")
+			}
 			return
 		}
 
@@ -481,6 +414,10 @@ func main() {
 			return
 		}
 
+		if wgService != nil {
+			wgService.SetServerPubKey(wgData.PublicKey)
+		}
+
 		logger.Info("Received: %+v", msg)
 		tun, tnet, err = netstack.CreateNetTUN(
 			[]netip.Addr{netip.MustParseAddr(wgData.TunnelIP)},
@@ -507,7 +444,7 @@ func main() {
 public_key=%s
 allowed_ip=%s/32
 endpoint=%s
-persistent_keepalive_interval=5`, fixKey(privateKey.String()), fixKey(wgData.PublicKey), wgData.ServerIP, endpoint)
+persistent_keepalive_interval=5`, fixKey(fmt.Sprintf("%s", privateKey)), fixKey(wgData.PublicKey), wgData.ServerIP, endpoint)
 
 		err = dev.IpcSet(config)
 		if err != nil {
@@ -521,18 +458,18 @@ persistent_keepalive_interval=5`, fixKey(privateKey.String()), fixKey(wgData.Pub
 		}
 
 		logger.Info("WireGuard device created. Lets ping the server now...")
+		// Ping to bring the tunnel up on the server side quickly
+		// ping(tnet, wgData.ServerIP)
+		err = pingWithRetry(tnet, wgData.ServerIP)
+		if err != nil {
+			// Handle complete failure after all retries
+			logger.Error("Failed to ping %s: %v", wgData.ServerIP, err)
+			fmt.Sprintf("%s", privateKey)
+		}
 
-		// Even if pingWithRetry returns an error, it will continue trying in the background
-		_ = pingWithRetry(tnet, wgData.ServerIP)
-
-		// Always mark as connected and start the proxy manager regardless of initial ping result
-		// as the pings will continue in the background
 		if !connected {
 			logger.Info("Starting ping check")
 			startPingCheck(tnet, wgData.ServerIP, pingStopChan)
-
-			// Start connection monitoring in a separate goroutine
-			go monitorConnectionStatus(tnet, wgData.ServerIP, client)
 		}
 
 		// Create proxy manager
@@ -549,6 +486,13 @@ persistent_keepalive_interval=5`, fixKey(privateKey.String()), fixKey(wgData.Pub
 			updateTargets(pm, "add", wgData.TunnelIP, "udp", TargetData{Targets: wgData.Targets.UDP})
 		}
 
+		// first make sure the wpgService has a port
+		if wgService != nil {
+			// add a udp proxy for localost and the wgService port
+			// TODO: make sure this port is not used in a target
+			pm.AddTarget("udp", wgData.TunnelIP, int(wgService.Port), fmt.Sprintf("127.0.0.1:%d", wgService.Port))
+		}
+
 		err = pm.Start()
 		if err != nil {
 			logger.Error("Failed to start proxy manager: %v", err)
@@ -635,80 +579,32 @@ persistent_keepalive_interval=5`, fixKey(privateKey.String()), fixKey(wgData.Pub
 		}
 	})
 
-	// Register handler for Docker socket check
-	client.RegisterHandler("newt/socket/check", func(msg websocket.WSMessage) {
-		logger.Info("Received Docker socket check request")
-
-		if dockerSocket == "" {
-			logger.Info("Docker socket path is not set")
-			err := client.SendMessage("newt/socket/status", map[string]interface{}{
-				"available":  false,
-				"socketPath": dockerSocket,
-			})
-			if err != nil {
-				logger.Error("Failed to send Docker socket check response: %v", err)
-			}
-			return
-		}
-
-		// Check if Docker socket is available
-		isAvailable := docker.CheckSocket(dockerSocket)
-
-		// Send response back to server
-		err := client.SendMessage("newt/socket/status", map[string]interface{}{
-			"available":  isAvailable,
-			"socketPath": dockerSocket,
-		})
-		if err != nil {
-			logger.Error("Failed to send Docker socket check response: %v", err)
-		} else {
-			logger.Info("Docker socket check response sent: available=%t", isAvailable)
-		}
-	})
-
-	// Register handler for Docker container listing
-	client.RegisterHandler("newt/socket/fetch", func(msg websocket.WSMessage) {
-		logger.Info("Received Docker container fetch request")
-
-		if dockerSocket == "" {
-			logger.Info("Docker socket path is not set")
-			return
-		}
-
-		// List Docker containers
-		containers, err := docker.ListContainers(dockerSocket)
-		if err != nil {
-			logger.Error("Failed to list Docker containers: %v", err)
-			return
-		}
-
-		// Send container list back to server
-		err = client.SendMessage("newt/socket/containers", map[string]interface{}{
-			"containers": containers,
-		})
-		if err != nil {
-			logger.Error("Failed to send Docker container list: %v", err)
-		} else {
-			logger.Info("Docker container list sent, count: %d", len(containers))
-		}
-	})
-
 	client.OnConnect(func() error {
 		publicKey := privateKey.PublicKey()
 		logger.Debug("Public key: %s", publicKey)
 
 		err := client.SendMessage("newt/wg/register", map[string]interface{}{
-			"publicKey": publicKey.String(),
+			"publicKey": fmt.Sprintf("%s", publicKey),
 		})
 		if err != nil {
 			logger.Error("Failed to send registration message: %v", err)
 			return err
 		}
 
+		if wgService != nil {
+			wgService.LoadRemoteConfig()
+		}
+
 		logger.Info("Sent registration message")
 		return nil
 	})
 
+	client.OnTokenUpdate(func(token string) {
+		if wgService != nil {
+			wgService.SetToken(token)
+		}
+	})
+
 	// Connect to the WebSocket server
 	if err := client.Connect(); err != nil {
 		logger.Fatal("Failed to connect to server: %v", err)
@@ -718,13 +614,23 @@ persistent_keepalive_interval=5`, fixKey(privateKey.String()), fixKey(wgData.Pub
 	// Wait for interrupt signal
 	sigCh := make(chan os.Signal, 1)
 	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
-	sigReceived := <-sigCh
+	<-sigCh
 
-	// Cleanup
-	logger.Info("Received %s signal, stopping", sigReceived.String())
-	if dev != nil {
-		dev.Close()
+	dev.Close()
+
+	if wgService != nil {
+		wgService.Close()
 	}
+
+	if pm != nil {
+		pm.Stop()
+	}
+
+	if client != nil {
+		client.Close()
+	}
+	logger.Info("Exiting...")
+	os.Exit(0)
 }
 
 func parseTargetData(data interface{}) (TargetData, error) {

network/network.go

@@ -0,0 +1,202 @@
+package network
+
+import (
+	"encoding/binary"
+	"encoding/json"
+	"fmt"
+	"log"
+	"net"
+	"time"
+
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+	"github.com/vishvananda/netlink"
+	"golang.org/x/net/bpf"
+	"golang.org/x/net/ipv4"
+)
+
+const (
+	udpProtocol = 17
+	// EmptyUDPSize is the size of an empty UDP packet
+	EmptyUDPSize = 28
+	timeout      = time.Second * 10
+)
+
+// Server stores data relating to the server
+type Server struct {
+	Hostname string
+	Addr     *net.IPAddr
+	Port     uint16
+}
+
+// PeerNet stores data about a peer's endpoint
+type PeerNet struct {
+	Resolved bool
+	IP       net.IP
+	Port     uint16
+	NewtID   string
+}
+
+// GetClientIP gets source ip address that will be used when sending data to dstIP
+func GetClientIP(dstIP net.IP) net.IP {
+	routes, err := netlink.RouteGet(dstIP)
+	if err != nil {
+		log.Fatalln("Error getting route:", err)
+	}
+	return routes[0].Src
+}
+
+// HostToAddr resolves a hostname, whether DNS or IP to a valid net.IPAddr
+func HostToAddr(hostStr string) *net.IPAddr {
+	remoteAddrs, err := net.LookupHost(hostStr)
+	if err != nil {
+		log.Fatalln("Error parsing remote address:", err)
+	}
+
+	for _, addrStr := range remoteAddrs {
+		if remoteAddr, err := net.ResolveIPAddr("ip4", addrStr); err == nil {
+			return remoteAddr
+		}
+	}
+	return nil
+}
+
+// SetupRawConn creates an ipv4 and udp only RawConn and applies packet filtering
+func SetupRawConn(server *Server, client *PeerNet) *ipv4.RawConn {
+	packetConn, err := net.ListenPacket("ip4:udp", client.IP.String())
+	if err != nil {
+		log.Fatalln("Error creating packetConn:", err)
+	}
+
+	rawConn, err := ipv4.NewRawConn(packetConn)
+	if err != nil {
+		log.Fatalln("Error creating rawConn:", err)
+	}
+
+	ApplyBPF(rawConn, server, client)
+
+	return rawConn
+}
+
+// ApplyBPF constructs a BPF program and applies it to the RawConn
+func ApplyBPF(rawConn *ipv4.RawConn, server *Server, client *PeerNet) {
+	const ipv4HeaderLen = 20
+	const srcIPOffset = 12
+	const srcPortOffset = ipv4HeaderLen + 0
+	const dstPortOffset = ipv4HeaderLen + 2
+
+	ipArr := []byte(server.Addr.IP.To4())
+	ipInt := uint32(ipArr[0])<<(3*8) + uint32(ipArr[1])<<(2*8) + uint32(ipArr[2])<<8 + uint32(ipArr[3])
+
+	bpfRaw, err := bpf.Assemble([]bpf.Instruction{
+		bpf.LoadAbsolute{Off: srcIPOffset, Size: 4},
+		bpf.JumpIf{Cond: bpf.JumpEqual, Val: ipInt, SkipFalse: 5, SkipTrue: 0},
+
+		bpf.LoadAbsolute{Off: srcPortOffset, Size: 2},
+		bpf.JumpIf{Cond: bpf.JumpEqual, Val: uint32(server.Port), SkipFalse: 3, SkipTrue: 0},
+
+		bpf.LoadAbsolute{Off: dstPortOffset, Size: 2},
+		bpf.JumpIf{Cond: bpf.JumpEqual, Val: uint32(client.Port), SkipFalse: 1, SkipTrue: 0},
+
+		bpf.RetConstant{Val: 1<<(8*4) - 1},
+		bpf.RetConstant{Val: 0},
+	})
+
+	if err != nil {
+		log.Fatalln("Error assembling BPF:", err)
+	}
+
+	err = rawConn.SetBPF(bpfRaw)
+	if err != nil {
+		log.Fatalln("Error setting BPF:", err)
+	}
+}
+
+// MakePacket constructs a request packet to send to the server
+func MakePacket(payload []byte, server *Server, client *PeerNet) []byte {
+	buf := gopacket.NewSerializeBuffer()
+
+	opts := gopacket.SerializeOptions{
+		FixLengths:       true,
+		ComputeChecksums: true,
+	}
+
+	ipHeader := layers.IPv4{
+		SrcIP:    client.IP,
+		DstIP:    server.Addr.IP,
+		Version:  4,
+		TTL:      64,
+		Protocol: layers.IPProtocolUDP,
+	}
+
+	udpHeader := layers.UDP{
+		SrcPort: layers.UDPPort(client.Port),
+		DstPort: layers.UDPPort(server.Port),
+	}
+
+	payloadLayer := gopacket.Payload(payload)
+
+	udpHeader.SetNetworkLayerForChecksum(&ipHeader)
+
+	gopacket.SerializeLayers(buf, opts, &ipHeader, &udpHeader, &payloadLayer)
+
+	return buf.Bytes()
+}
+
+// SendPacket sends packet to the Server
+func SendPacket(packet []byte, conn *ipv4.RawConn, server *Server, client *PeerNet) error {
+	fullPacket := MakePacket(packet, server, client)
+	_, err := conn.WriteToIP(fullPacket, server.Addr)
+	return err
+}
+
+// SendDataPacket sends a JSON payload to the Server
+func SendDataPacket(data interface{}, conn *ipv4.RawConn, server *Server, client *PeerNet) error {
+	jsonData, err := json.Marshal(data)
+	if err != nil {
+		return fmt.Errorf("failed to marshal payload: %v", err)
+	}
+
+	return SendPacket(jsonData, conn, server, client)
+}
+
+// RecvPacket receives a UDP packet from server
+func RecvPacket(conn *ipv4.RawConn, server *Server, client *PeerNet) ([]byte, int, error) {
+	err := conn.SetReadDeadline(time.Now().Add(timeout))
+	if err != nil {
+		return nil, 0, err
+	}
+
+	response := make([]byte, 4096)
+	n, err := conn.Read(response)
+	if err != nil {
+		return nil, n, err
+	}
+	return response, n, nil
+}
+
+// RecvDataPacket receives and unmarshals a JSON packet from server
+func RecvDataPacket(conn *ipv4.RawConn, server *Server, client *PeerNet) ([]byte, error) {
+	response, n, err := RecvPacket(conn, server, client)
+	if err != nil {
+		return nil, err
+	}
+
+	// Extract payload from UDP packet
+	payload := response[EmptyUDPSize:n]
+	return payload, nil
+}
+
+// ParseResponse takes a response packet and parses it into an IP and port
+func ParseResponse(response []byte) (net.IP, uint16) {
+	ip := net.IP(response[:4])
+	port := binary.BigEndian.Uint16(response[4:6])
+	return ip, port
+}
+
+func parseForBPF(response []byte) (srcIP net.IP, srcPort uint16, dstPort uint16) {
+	srcIP = net.IP(response[12:16])
+	srcPort = binary.BigEndian.Uint16(response[20:22])
+	dstPort = binary.BigEndian.Uint16(response[22:24])
+	return
+}

self-signed-certs-for-mtls.sh

@@ -1,125 +0,0 @@
-#!/usr/bin/env bash
-set -eu
-
-echo -n "Enter username for certs (eg alice): "
-read CERT_USERNAME
-echo
-
-echo -n "Enter domain of user (eg example.com): "
-read DOMAIN
-echo
-
-# Prompt for password at the start
-echo -n "Enter password for certificate: "
-read -s PASSWORD
-echo
-echo -n "Confirm password: "
-read -s PASSWORD2
-echo
-
-if [ "$PASSWORD" != "$PASSWORD2" ]; then
-    echo "Passwords don't match!"
-    exit 1
-fi
-CA_DIR="./certs/ca"
-CLIENT_DIR="./certs/clients"
-FILE_PREFIX=$(echo "$CERT_USERNAME-at-$DOMAIN" | sed 's/\./-/')
-
-mkdir -p "$CA_DIR"
-mkdir -p "$CLIENT_DIR"
-
-if [ ! -f "$CA_DIR/ca.crt" ]; then
-# Generate CA private key
-  openssl genrsa -out "$CA_DIR/ca.key" 4096
-  echo "CA key ✅"
-
-  # Generate CA root certificate
-  openssl req -x509 -new -nodes \
-    -key "$CA_DIR/ca.key" \
-    -sha256 \
-    -days 3650 \
-    -out "$CA_DIR/ca.crt" \
-    -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=ca.$DOMAIN"
-
-  echo "CA cert ✅"
-fi
-
-# Generate client private key
-openssl genrsa -aes256 -passout pass:"$PASSWORD" -out "$CLIENT_DIR/$FILE_PREFIX.key" 2048
-echo "Client key ✅"
-
-# Generate client Certificate Signing Request (CSR)
-openssl req -new \
-  -key "$CLIENT_DIR/$FILE_PREFIX.key" \
-  -out "$CLIENT_DIR/$FILE_PREFIX.csr" \
-  -passin pass:"$PASSWORD" \
-  -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=$CERT_USERNAME@$DOMAIN"
-echo "Client cert ✅"
-
-echo -n "Signing client cert..."
-# Create client certificate configuration file
-cat > "$CLIENT_DIR/$FILE_PREFIX.ext" << EOF
-authorityKeyIdentifier=keyid,issuer
-basicConstraints=CA:FALSE
-keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = $DOMAIN
-EOF
-
-# Generate client certificate signed by CA
-openssl x509 -req \
-  -in "$CLIENT_DIR/$FILE_PREFIX.csr" \
-  -CA "$CA_DIR/ca.crt" \
-  -CAkey "$CA_DIR/ca.key" \
-  -CAcreateserial \
-  -out "$CLIENT_DIR/$FILE_PREFIX.crt" \
-  -days 365 \
-  -sha256 \
-  -extfile "$CLIENT_DIR/$FILE_PREFIX.ext"
-
-# Verify the client certificate
-openssl verify -CAfile "$CA_DIR/ca.crt" "$CLIENT_DIR/$FILE_PREFIX.crt"
-echo "Signed ✅"
-
-# Create encrypted PEM bundle
-openssl rsa -in "$CLIENT_DIR/$FILE_PREFIX.key" -passin pass:"$PASSWORD" \
-    | cat "$CLIENT_DIR/$FILE_PREFIX.crt" - > "$CLIENT_DIR/$FILE_PREFIX-bundle.enc.pem"
-
-
-# Convert to PKCS12
-echo "Converting to PKCS12 format..."
-openssl pkcs12 -export \
-  -out "$CLIENT_DIR/$FILE_PREFIX.enc.p12" \
-  -inkey "$CLIENT_DIR/$FILE_PREFIX.key" \
-  -in "$CLIENT_DIR/$FILE_PREFIX.crt" \
-  -certfile "$CA_DIR/ca.crt" \
-  -name "$CERT_USERNAME@$DOMAIN" \
-  -passin pass:"$PASSWORD" \
-  -passout pass:"$PASSWORD"
-echo "Converted to encrypted p12 for macOS ✅"
-
-# Convert to PKCS12 format without encryption
-echo "Converting to non-encrypted PKCS12 format..."
-openssl pkcs12 -export \
-  -out "$CLIENT_DIR/$FILE_PREFIX.p12" \
-  -inkey "$CLIENT_DIR/$FILE_PREFIX.key" \
-  -in "$CLIENT_DIR/$FILE_PREFIX.crt" \
-  -certfile "$CA_DIR/ca.crt" \
-  -name "$CERT_USERNAME@$DOMAIN" \
-  -passin pass:"$PASSWORD" \
-  -passout pass:""
-echo "Converted to non-encrypted p12  ✅"
-
-# Clean up intermediate files
-rm "$CLIENT_DIR/$FILE_PREFIX.csr" "$CLIENT_DIR/$FILE_PREFIX.ext" "$CA_DIR/ca.srl"
-echo
-echo
-
-echo "CA certificate:     $CA_DIR/ca.crt"
-echo "CA private key:     $CA_DIR/ca.key"
-echo "Client certificate: $CLIENT_DIR/$FILE_PREFIX.crt"
-echo "Client private key: $CLIENT_DIR/$FILE_PREFIX.key"
-echo "Client cert bundle: $CLIENT_DIR/$FILE_PREFIX.p12"
-echo "Client cert bundle (encrypted): $CLIENT_DIR/$FILE_PREFIX.enc.p12"

websocket/client.go

@@ -2,34 +2,33 @@ package websocket
 
 import (
 	"bytes"
-	"crypto/tls"
-	"crypto/x509"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/url"
-	"os"
-	"software.sslmate.com/src/go-pkcs12"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/fosrl/newt/logger"
+
 	"github.com/gorilla/websocket"
 )
 
 type Client struct {
-	conn              *websocket.Conn
-	config            *Config
-	baseURL           string
-	handlers          map[string]MessageHandler
-	done              chan struct{}
-	handlersMux       sync.RWMutex
+	conn        *websocket.Conn
+	config      *Config
+	baseURL     string
+	handlers    map[string]MessageHandler
+	done        chan struct{}
+	handlersMux sync.RWMutex
+
 	reconnectInterval time.Duration
 	isConnected       bool
 	reconnectMux      sync.RWMutex
 
-	onConnect func() error
+	onConnect     func() error
+	onTokenUpdate func(token string)
 }
 
 type ClientOption func(*Client)
@@ -43,16 +42,14 @@ func WithBaseURL(url string) ClientOption {
 	}
 }
 
-func WithTLSConfig(tlsClientCertPath string) ClientOption {
-	return func(c *Client) {
-		c.config.TlsClientCert = tlsClientCertPath
-	}
-}
-
 func (c *Client) OnConnect(callback func() error) {
 	c.onConnect = callback
 }
 
+func (c *Client) OnTokenUpdate(callback func(token string)) {
+	c.onTokenUpdate = callback
+}
+
 // NewClient creates a new Newt client
 func NewClient(newtID, secret string, endpoint string, opts ...ClientOption) (*Client, error) {
 	config := &Config{
@@ -71,13 +68,8 @@ func NewClient(newtID, secret string, endpoint string, opts ...ClientOption) (*C
 	}
 
 	// Apply options before loading config
-	if opts != nil {
-		for _, opt := range opts {
-			if opt == nil {
-				continue
-			}
-			opt(client)
-		}
+	for _, opt := range opts {
+		opt(client)
 	}
 
 	// Load existing config if available
@@ -162,14 +154,6 @@ func (c *Client) getToken() (string, error) {
 	// Ensure we have the base URL without trailing slashes
 	baseEndpoint := strings.TrimRight(baseURL.String(), "/")
 
-	var tlsConfig *tls.Config = nil
-	if c.config.TlsClientCert != "" {
-		tlsConfig, err = loadClientCertificate(c.config.TlsClientCert)
-		if err != nil {
-			return "", fmt.Errorf("failed to load certificate %s: %w", c.config.TlsClientCert, err)
-		}
-	}
-
 	// If we already have a token, try to use it
 	if c.config.Token != "" {
 		tokenCheckData := map[string]interface{}{
@@ -198,11 +182,6 @@ func (c *Client) getToken() (string, error) {
 
 		// Make the request
 		client := &http.Client{}
-		if tlsConfig != nil {
-			client.Transport = &http.Transport{
-				TLSClientConfig: tlsConfig,
-			}
-		}
 		resp, err := client.Do(req)
 		if err != nil {
 			return "", fmt.Errorf("failed to check token validity: %w", err)
@@ -246,11 +225,6 @@ func (c *Client) getToken() (string, error) {
 
 	// Make the request
 	client := &http.Client{}
-	if tlsConfig != nil {
-		client.Transport = &http.Transport{
-			TLSClientConfig: tlsConfig,
-		}
-	}
 	resp, err := client.Do(req)
 	if err != nil {
 		return "", fmt.Errorf("failed to request new token: %w", err)
@@ -301,6 +275,8 @@ func (c *Client) establishConnection() error {
 		return fmt.Errorf("failed to get token: %w", err)
 	}
 
+	c.onTokenUpdate(token)
+
 	// Parse the base URL to determine protocol and hostname
 	baseURL, err := url.Parse(c.baseURL)
 	if err != nil {
@@ -323,19 +299,11 @@ func (c *Client) establishConnection() error {
 	// Add token to query parameters
 	q := u.Query()
 	q.Set("token", token)
+	q.Set("clientType", "newt")
 	u.RawQuery = q.Encode()
 
 	// Connect to WebSocket
-	dialer := websocket.DefaultDialer
-	if c.config.TlsClientCert != "" {
-		logger.Info("Adding tls to req")
-		tlsConfig, err := loadClientCertificate(c.config.TlsClientCert)
-		if err != nil {
-			return fmt.Errorf("failed to load certificate %s: %w", c.config.TlsClientCert, err)
-		}
-		dialer.TLSClientConfig = tlsConfig
-	}
-	conn, _, err := dialer.Dial(u.String(), nil)
+	conn, _, err := websocket.DefaultDialer.Dial(u.String(), nil)
 	if err != nil {
 		return fmt.Errorf("failed to connect to WebSocket: %w", err)
 	}
@@ -393,42 +361,3 @@ func (c *Client) setConnected(status bool) {
 	defer c.reconnectMux.Unlock()
 	c.isConnected = status
 }
-
-// LoadClientCertificate Helper method to load client certificates
-func loadClientCertificate(p12Path string) (*tls.Config, error) {
-	logger.Info("Loading tls-client-cert %s", p12Path)
-	// Read the PKCS12 file
-	p12Data, err := os.ReadFile(p12Path)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read PKCS12 file: %w", err)
-	}
-
-	// Parse PKCS12 with empty password for non-encrypted files
-	privateKey, certificate, caCerts, err := pkcs12.DecodeChain(p12Data, "")
-	if err != nil {
-		return nil, fmt.Errorf("failed to decode PKCS12: %w", err)
-	}
-
-	// Create certificate
-	cert := tls.Certificate{
-		Certificate: [][]byte{certificate.Raw},
-		PrivateKey:  privateKey,
-	}
-
-	// Optional: Add CA certificates if present
-	rootCAs, err := x509.SystemCertPool()
-	if err != nil {
-		return nil, fmt.Errorf("failed to load system cert pool: %w", err)
-	}
-	if len(caCerts) > 0 {
-		for _, caCert := range caCerts {
-			rootCAs.AddCert(caCert)
-		}
-	}
-
-	// Create TLS configuration
-	return &tls.Config{
-		Certificates: []tls.Certificate{cert},
-		RootCAs:      rootCAs,
-	}, nil
-}

websocket/config.go

@@ -54,9 +54,6 @@ func (c *Client) loadConfig() error {
 	if c.config.Secret == "" {
 		c.config.Secret = config.Secret
 	}
-	if c.config.TlsClientCert == "" {
-		c.config.TlsClientCert = config.TlsClientCert
-	}
 	if c.config.Endpoint == "" {
 		c.config.Endpoint = config.Endpoint
 		c.baseURL = config.Endpoint

websocket/types.go

@@ -1,11 +1,10 @@
 package websocket
 
 type Config struct {
-	NewtID        string `json:"newtId"`
-	Secret        string `json:"secret"`
-	Token         string `json:"token"`
-	Endpoint      string `json:"endpoint"`
-	TlsClientCert string `json:"tlsClientCert"`
+	NewtID   string `json:"newtId"`
+	Secret   string `json:"secret"`
+	Token    string `json:"token"`
+	Endpoint string `json:"endpoint"`
 }
 
 type TokenResponse struct {

wg/wg.go

@@ -0,0 +1,801 @@
+package wg
+
+import (
+	"encoding/json"
+	"fmt"
+	"net"
+	"os"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/fosrl/newt/logger"
+	"github.com/fosrl/newt/network"
+	"github.com/fosrl/newt/websocket"
+	"github.com/vishvananda/netlink"
+	"golang.org/x/crypto/chacha20poly1305"
+	"golang.org/x/crypto/curve25519"
+	"golang.org/x/exp/rand"
+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/wgctrl"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+type WgConfig struct {
+	IpAddress string `json:"ipAddress"`
+	Peers     []Peer `json:"peers"`
+}
+
+type Peer struct {
+	PublicKey  string   `json:"publicKey"`
+	AllowedIPs []string `json:"allowedIps"`
+	Endpoint   string   `json:"endpoint"`
+}
+
+type PeerBandwidth struct {
+	PublicKey string  `json:"publicKey"`
+	BytesIn   float64 `json:"bytesIn"`
+	BytesOut  float64 `json:"bytesOut"`
+}
+
+type PeerReading struct {
+	BytesReceived    int64
+	BytesTransmitted int64
+	LastChecked      time.Time
+}
+
+type WireGuardService struct {
+	interfaceName string
+	mtu           int
+	client        *websocket.Client
+	wgClient      *wgctrl.Client
+	config        WgConfig
+	key           wgtypes.Key
+	newtId        string
+	lastReadings  map[string]PeerReading
+	mu            sync.Mutex
+	Port          uint16
+	stopHolepunch chan struct{}
+	host          string
+	serverPubKey  string
+	token         string
+}
+
+// Add this type definition
+type fixedPortBind struct {
+	port uint16
+	conn.Bind
+}
+
+func (b *fixedPortBind) Open(port uint16) ([]conn.ReceiveFunc, uint16, error) {
+	// Ignore the requested port and use our fixed port
+	return b.Bind.Open(b.port)
+}
+
+func NewFixedPortBind(port uint16) conn.Bind {
+	return &fixedPortBind{
+		port: port,
+		Bind: conn.NewDefaultBind(),
+	}
+}
+
+func FindAvailableUDPPort(minPort, maxPort uint16) (uint16, error) {
+	if maxPort < minPort {
+		return 0, fmt.Errorf("invalid port range: min=%d, max=%d", minPort, maxPort)
+	}
+
+	// Create a slice of all ports in the range
+	portRange := make([]uint16, maxPort-minPort+1)
+	for i := range portRange {
+		portRange[i] = minPort + uint16(i)
+	}
+
+	// Fisher-Yates shuffle to randomize the port order
+	rand.Seed(uint64(time.Now().UnixNano()))
+	for i := len(portRange) - 1; i > 0; i-- {
+		j := rand.Intn(i + 1)
+		portRange[i], portRange[j] = portRange[j], portRange[i]
+	}
+
+	// Try each port in the randomized order
+	for _, port := range portRange {
+		addr := &net.UDPAddr{
+			IP:   net.ParseIP("127.0.0.1"),
+			Port: int(port),
+		}
+		conn, err := net.ListenUDP("udp", addr)
+		if err != nil {
+			continue // Port is in use or there was an error, try next port
+		}
+		_ = conn.SetDeadline(time.Now())
+		conn.Close()
+		return port, nil
+	}
+
+	return 0, fmt.Errorf("no available UDP ports found in range %d-%d", minPort, maxPort)
+}
+
+func NewWireGuardService(interfaceName string, mtu int, generateAndSaveKeyTo string, host string, newtId string, wsClient *websocket.Client) (*WireGuardService, error) {
+	wgClient, err := wgctrl.New()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create WireGuard client: %v", err)
+	}
+
+	var key wgtypes.Key
+	// if generateAndSaveKeyTo is provided, generate a private key and save it to the file. if the file already exists, load the key from the file
+	if _, err := os.Stat(generateAndSaveKeyTo); os.IsNotExist(err) {
+		// generate a new private key
+		key, err = wgtypes.GeneratePrivateKey()
+		if err != nil {
+			logger.Fatal("Failed to generate private key: %v", err)
+		}
+		// save the key to the file
+		err = os.WriteFile(generateAndSaveKeyTo, []byte(key.String()), 0644)
+		if err != nil {
+			logger.Fatal("Failed to save private key: %v", err)
+		}
+	} else {
+		keyData, err := os.ReadFile(generateAndSaveKeyTo)
+		if err != nil {
+			logger.Fatal("Failed to read private key: %v", err)
+		}
+		key, err = wgtypes.ParseKey(string(keyData))
+		if err != nil {
+			logger.Fatal("Failed to parse private key: %v", err)
+		}
+	}
+
+	port, err := FindAvailableUDPPort(49152, 65535)
+	if err != nil {
+		fmt.Printf("Error finding available port: %v\n", err)
+		return nil, err
+	}
+
+	service := &WireGuardService{
+		interfaceName: interfaceName,
+		mtu:           mtu,
+		client:        wsClient,
+		wgClient:      wgClient,
+		key:           key,
+		newtId:        newtId,
+		lastReadings:  make(map[string]PeerReading),
+		Port:          port,
+		stopHolepunch: make(chan struct{}),
+		host:          host,
+	}
+
+	// Register websocket handlers
+	wsClient.RegisterHandler("newt/wg/receive-config", service.handleConfig)
+	wsClient.RegisterHandler("newt/wg/peer/add", service.handleAddPeer)
+	wsClient.RegisterHandler("newt/wg/peer/remove", service.handleRemovePeer)
+
+	return service, nil
+}
+
+func (s *WireGuardService) Close() {
+	s.wgClient.Close()
+	// Remove the WireGuard interface
+	if err := s.removeInterface(); err != nil {
+		logger.Error("Failed to remove WireGuard interface: %v", err)
+	}
+}
+
+func (s *WireGuardService) SetServerPubKey(serverPubKey string) {
+	s.serverPubKey = serverPubKey
+}
+
+func (s *WireGuardService) SetToken(token string) {
+	s.token = token
+}
+
+func (s *WireGuardService) LoadRemoteConfig() error {
+
+	// get the exising wireguard port
+	device, err := s.wgClient.Device(s.interfaceName)
+	if err == nil {
+		s.Port = uint16(device.ListenPort)
+		logger.Info("WireGuard interface %s already exists with port %d\n", s.interfaceName, s.Port)
+	}
+
+	err = s.client.SendMessage("newt/wg/get-config", map[string]interface{}{
+		"publicKey": fmt.Sprintf("%s", s.key.PublicKey().String()),
+		"port":      s.Port,
+	})
+	if err != nil {
+		logger.Error("Failed to send registration message: %v", err)
+		return err
+	}
+
+	logger.Info("Requesting WireGuard configuration from remote server")
+
+	go s.periodicBandwidthCheck()
+
+	return nil
+}
+
+func (s *WireGuardService) handleConfig(msg websocket.WSMessage) {
+	var config WgConfig
+
+	logger.Info("Received message: %v", msg)
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Info("Error marshaling data: %v", err)
+		return
+	}
+
+	if err := json.Unmarshal(jsonData, &config); err != nil {
+		logger.Info("Error unmarshaling target data: %v", err)
+		return
+	}
+	s.config = config
+
+	// Ensure the WireGuard interface and peers are configured
+	if err := s.ensureWireguardInterface(config); err != nil {
+		logger.Error("Failed to ensure WireGuard interface: %v", err)
+	}
+
+	if err := s.ensureWireguardPeers(config.Peers); err != nil {
+		logger.Error("Failed to ensure WireGuard peers: %v", err)
+	}
+
+	if err := s.sendUDPHolePunch(s.host + ":21820"); err != nil {
+		logger.Error("Failed to send UDP hole punch: %v", err)
+	}
+
+	// start the UDP holepunch
+	go s.keepSendingUDPHolePunch(s.host)
+}
+
+func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error {
+	// Check if the WireGuard interface exists
+	_, err := netlink.LinkByName(s.interfaceName)
+	if err != nil {
+		if _, ok := err.(netlink.LinkNotFoundError); ok {
+			// Interface doesn't exist, so create it
+			err = s.createWireGuardInterface()
+			if err != nil {
+				logger.Fatal("Failed to create WireGuard interface: %v", err)
+			}
+			logger.Info("Created WireGuard interface %s\n", s.interfaceName)
+		} else {
+			logger.Fatal("Error checking for WireGuard interface: %v", err)
+		}
+	} else {
+		logger.Info("WireGuard interface %s already exists\n", s.interfaceName)
+
+		// get the exising wireguard port
+		device, err := s.wgClient.Device(s.interfaceName)
+		if err != nil {
+			return fmt.Errorf("failed to get device: %v", err)
+		}
+
+		// get the existing port
+		s.Port = uint16(device.ListenPort)
+		logger.Info("WireGuard interface %s already exists with port %d\n", s.interfaceName, s.Port)
+
+		return nil
+	}
+
+	logger.Info("Assigning IP address %s to interface %s\n", wgconfig.IpAddress, s.interfaceName)
+	// Assign IP address to the interface
+	err = s.assignIPAddress(wgconfig.IpAddress)
+	if err != nil {
+		logger.Fatal("Failed to assign IP address: %v", err)
+	}
+
+	// Check if the interface already exists
+	_, err = s.wgClient.Device(s.interfaceName)
+	if err != nil {
+		return fmt.Errorf("interface %s does not exist", s.interfaceName)
+	}
+
+	// Parse the private key
+	key, err := wgtypes.ParseKey(s.key.String())
+	if err != nil {
+		return fmt.Errorf("failed to parse private key: %v", err)
+	}
+
+	config := wgtypes.Config{
+		PrivateKey: &key,
+		ListenPort: new(int),
+	}
+
+	// Use the service's fixed port instead of the config port
+	*config.ListenPort = int(s.Port)
+
+	// Create and configure the WireGuard interface
+	err = s.wgClient.ConfigureDevice(s.interfaceName, config)
+	if err != nil {
+		return fmt.Errorf("failed to configure WireGuard device: %v", err)
+	}
+
+	// bring up the interface
+	link, err := netlink.LinkByName(s.interfaceName)
+	if err != nil {
+		return fmt.Errorf("failed to get interface: %v", err)
+	}
+
+	if err := netlink.LinkSetMTU(link, s.mtu); err != nil {
+		return fmt.Errorf("failed to set MTU: %v", err)
+	}
+
+	if err := netlink.LinkSetUp(link); err != nil {
+		return fmt.Errorf("failed to bring up interface: %v", err)
+	}
+
+	// if err := s.ensureMSSClamping(); err != nil {
+	// 	logger.Warn("Failed to ensure MSS clamping: %v", err)
+	// }
+
+	logger.Info("WireGuard interface %s created and configured", s.interfaceName)
+
+	return nil
+}
+
+func (s *WireGuardService) createWireGuardInterface() error {
+	wgLink := &netlink.GenericLink{
+		LinkAttrs: netlink.LinkAttrs{Name: s.interfaceName},
+		LinkType:  "wireguard",
+	}
+	return netlink.LinkAdd(wgLink)
+}
+
+func (s *WireGuardService) assignIPAddress(ipAddress string) error {
+	link, err := netlink.LinkByName(s.interfaceName)
+	if err != nil {
+		return fmt.Errorf("failed to get interface: %v", err)
+	}
+
+	addr, err := netlink.ParseAddr(ipAddress)
+	if err != nil {
+		return fmt.Errorf("failed to parse IP address: %v", err)
+	}
+
+	return netlink.AddrAdd(link, addr)
+}
+
+func (s *WireGuardService) ensureWireguardPeers(peers []Peer) error {
+	// get the current peers
+	device, err := s.wgClient.Device(s.interfaceName)
+	if err != nil {
+		return fmt.Errorf("failed to get device: %v", err)
+	}
+
+	// get the peer public keys
+	var currentPeers []string
+	for _, peer := range device.Peers {
+		currentPeers = append(currentPeers, peer.PublicKey.String())
+	}
+
+	// remove any peers that are not in the config
+	for _, peer := range currentPeers {
+		found := false
+		for _, configPeer := range peers {
+			if peer == configPeer.PublicKey {
+				found = true
+				break
+			}
+		}
+		if !found {
+			err := s.removePeer(peer)
+			if err != nil {
+				return fmt.Errorf("failed to remove peer: %v", err)
+			}
+		}
+	}
+
+	// add any peers that are in the config but not in the current peers
+	for _, configPeer := range peers {
+		found := false
+		for _, peer := range currentPeers {
+			if configPeer.PublicKey == peer {
+				found = true
+				break
+			}
+		}
+		if !found {
+			err := s.addPeer(configPeer)
+			if err != nil {
+				return fmt.Errorf("failed to add peer: %v", err)
+			}
+		}
+	}
+
+	return nil
+}
+
+func (s *WireGuardService) handleAddPeer(msg websocket.WSMessage) {
+	var peer Peer
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Info("Error marshaling data: %v", err)
+	}
+
+	if err := json.Unmarshal(jsonData, &peer); err != nil {
+		logger.Info("Error unmarshaling target data: %v", err)
+	}
+
+	err = s.addPeer(peer)
+	if err != nil {
+		logger.Info("Error adding peer: %v", err)
+		return
+	}
+}
+
+func (s *WireGuardService) addPeer(peer Peer) error {
+	pubKey, err := wgtypes.ParseKey(peer.PublicKey)
+	if err != nil {
+		return fmt.Errorf("failed to parse public key: %v", err)
+	}
+
+	// parse allowed IPs into array of net.IPNet
+	var allowedIPs []net.IPNet
+	for _, ipStr := range peer.AllowedIPs {
+		_, ipNet, err := net.ParseCIDR(ipStr)
+		if err != nil {
+			return fmt.Errorf("failed to parse allowed IP: %v", err)
+		}
+		allowedIPs = append(allowedIPs, *ipNet)
+	}
+	// add keep alive using *time.Duration	 of 1 second
+	keepalive := time.Second
+
+	var peerConfig wgtypes.PeerConfig
+	if peer.Endpoint != "" {
+		endpoint, err := net.ResolveUDPAddr("udp", peer.Endpoint)
+		if err != nil {
+			return fmt.Errorf("failed to resolve endpoint address: %w", err)
+		}
+
+		// make the endpoint localhost to test
+
+		peerConfig = wgtypes.PeerConfig{
+			PublicKey:                   pubKey,
+			AllowedIPs:                  allowedIPs,
+			PersistentKeepaliveInterval: &keepalive,
+			Endpoint:                    endpoint,
+		}
+	} else {
+		peerConfig = wgtypes.PeerConfig{
+			PublicKey:                   pubKey,
+			AllowedIPs:                  allowedIPs,
+			PersistentKeepaliveInterval: &keepalive,
+		}
+		logger.Info("Added peer with no endpoint!")
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peerConfig},
+	}
+
+	if err := s.wgClient.ConfigureDevice(s.interfaceName, config); err != nil {
+		return fmt.Errorf("failed to add peer: %v", err)
+	}
+
+	logger.Info("Peer %s added successfully", peer.PublicKey)
+
+	return nil
+}
+
+func (s *WireGuardService) handleRemovePeer(msg websocket.WSMessage) {
+	// parse the publicKey from the message which is json { "publicKey": "asdfasdfl;akjsdf" }
+	type RemoveRequest struct {
+		PublicKey string `json:"publicKey"`
+	}
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Info("Error marshaling data: %v", err)
+	}
+
+	var request RemoveRequest
+	if err := json.Unmarshal(jsonData, &request); err != nil {
+		logger.Info("Error unmarshaling data: %v", err)
+		return
+	}
+
+	if err := s.removePeer(request.PublicKey); err != nil {
+		logger.Info("Error removing peer: %v", err)
+		return
+	}
+}
+
+func (s *WireGuardService) removePeer(publicKey string) error {
+	pubKey, err := wgtypes.ParseKey(publicKey)
+	if err != nil {
+		return fmt.Errorf("failed to parse public key: %v", err)
+	}
+
+	peerConfig := wgtypes.PeerConfig{
+		PublicKey: pubKey,
+		Remove:    true,
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peerConfig},
+	}
+
+	if err := s.wgClient.ConfigureDevice(s.interfaceName, config); err != nil {
+		return fmt.Errorf("failed to remove peer: %v", err)
+	}
+
+	logger.Info("Peer %s removed successfully", publicKey)
+
+	return nil
+}
+
+func (s *WireGuardService) periodicBandwidthCheck() {
+	ticker := time.NewTicker(10 * time.Second)
+	defer ticker.Stop()
+
+	for range ticker.C {
+		if err := s.reportPeerBandwidth(); err != nil {
+			logger.Info("Failed to report peer bandwidth: %v", err)
+		}
+	}
+}
+
+func (s *WireGuardService) calculatePeerBandwidth() ([]PeerBandwidth, error) {
+	device, err := s.wgClient.Device(s.interfaceName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get device: %v", err)
+	}
+
+	peerBandwidths := []PeerBandwidth{}
+	now := time.Now()
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	for _, peer := range device.Peers {
+		publicKey := peer.PublicKey.String()
+		currentReading := PeerReading{
+			BytesReceived:    peer.ReceiveBytes,
+			BytesTransmitted: peer.TransmitBytes,
+			LastChecked:      now,
+		}
+
+		var bytesInDiff, bytesOutDiff float64
+		lastReading, exists := s.lastReadings[publicKey]
+
+		if exists {
+			timeDiff := currentReading.LastChecked.Sub(lastReading.LastChecked).Seconds()
+			if timeDiff > 0 {
+				// Calculate bytes transferred since last reading
+				bytesInDiff = float64(currentReading.BytesReceived - lastReading.BytesReceived)
+				bytesOutDiff = float64(currentReading.BytesTransmitted - lastReading.BytesTransmitted)
+
+				// Handle counter wraparound (if the counter resets or overflows)
+				if bytesInDiff < 0 {
+					bytesInDiff = float64(currentReading.BytesReceived)
+				}
+				if bytesOutDiff < 0 {
+					bytesOutDiff = float64(currentReading.BytesTransmitted)
+				}
+
+				// Convert to MB
+				bytesInMB := bytesInDiff / (1024 * 1024)
+				bytesOutMB := bytesOutDiff / (1024 * 1024)
+
+				peerBandwidths = append(peerBandwidths, PeerBandwidth{
+					PublicKey: publicKey,
+					BytesIn:   bytesInMB,
+					BytesOut:  bytesOutMB,
+				})
+			} else {
+				// If readings are too close together or time hasn't passed, report 0
+				peerBandwidths = append(peerBandwidths, PeerBandwidth{
+					PublicKey: publicKey,
+					BytesIn:   0,
+					BytesOut:  0,
+				})
+			}
+		} else {
+			// For first reading of a peer, report 0 to establish baseline
+			peerBandwidths = append(peerBandwidths, PeerBandwidth{
+				PublicKey: publicKey,
+				BytesIn:   0,
+				BytesOut:  0,
+			})
+		}
+
+		// Update the last reading
+		s.lastReadings[publicKey] = currentReading
+	}
+
+	// Clean up old peers
+	for publicKey := range s.lastReadings {
+		found := false
+		for _, peer := range device.Peers {
+			if peer.PublicKey.String() == publicKey {
+				found = true
+				break
+			}
+		}
+		if !found {
+			delete(s.lastReadings, publicKey)
+		}
+	}
+
+	return peerBandwidths, nil
+}
+
+func (s *WireGuardService) reportPeerBandwidth() error {
+	bandwidths, err := s.calculatePeerBandwidth()
+	if err != nil {
+		return fmt.Errorf("failed to calculate peer bandwidth: %v", err)
+	}
+
+	err = s.client.SendMessage("newt/receive-bandwidth", map[string]interface{}{
+		"bandwidthData": bandwidths,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to send bandwidth data: %v", err)
+	}
+
+	return nil
+}
+
+func (s *WireGuardService) sendUDPHolePunch(serverAddr string) error {
+
+	if s.serverPubKey == "" || s.token == "" {
+		return fmt.Errorf("server public key or token is not set")
+	}
+
+	// Parse server address
+	serverSplit := strings.Split(serverAddr, ":")
+	if len(serverSplit) < 2 {
+		return fmt.Errorf("invalid server address format, expected hostname:port")
+	}
+
+	serverHostname := serverSplit[0]
+	serverPort, err := strconv.ParseUint(serverSplit[1], 10, 16)
+	if err != nil {
+		return fmt.Errorf("failed to parse server port: %v", err)
+	}
+
+	// Resolve server hostname to IP
+	serverIPAddr := network.HostToAddr(serverHostname)
+	if serverIPAddr == nil {
+		return fmt.Errorf("failed to resolve server hostname")
+	}
+
+	// Get client IP based on route to server
+	clientIP := network.GetClientIP(serverIPAddr.IP)
+
+	// Create server and client configs
+	server := &network.Server{
+		Hostname: serverHostname,
+		Addr:     serverIPAddr,
+		Port:     uint16(serverPort),
+	}
+
+	client := &network.PeerNet{
+		IP:     clientIP,
+		Port:   s.Port,
+		NewtID: s.newtId,
+	}
+
+	// Setup raw connection with BPF filtering
+	rawConn := network.SetupRawConn(server, client)
+	defer rawConn.Close()
+
+	// Create JSON payload
+	payload := struct {
+		NewtID string `json:"newtId"`
+		Token  string `json:"token"`
+	}{
+		NewtID: s.newtId,
+		Token:  s.token,
+	}
+
+	// Convert payload to JSON
+	payloadBytes, err := json.Marshal(payload)
+	if err != nil {
+		return fmt.Errorf("failed to marshal payload: %v", err)
+	}
+
+	// Encrypt the payload using the server's WireGuard public key
+	encryptedPayload, err := s.encryptPayload(payloadBytes)
+	if err != nil {
+		return fmt.Errorf("failed to encrypt payload: %v", err)
+	}
+
+	// Send the encrypted packet using the raw connection
+	err = network.SendDataPacket(encryptedPayload, rawConn, server, client)
+	if err != nil {
+		return fmt.Errorf("failed to send UDP packet: %v", err)
+	}
+
+	return nil
+}
+
+func (s *WireGuardService) encryptPayload(payload []byte) (interface{}, error) {
+	// Generate an ephemeral keypair for this message
+	ephemeralPrivateKey, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate ephemeral private key: %v", err)
+	}
+	ephemeralPublicKey := ephemeralPrivateKey.PublicKey()
+
+	// Parse the server's public key
+	serverPubKey, err := wgtypes.ParseKey(s.serverPubKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse server public key: %v", err)
+	}
+
+	// Use X25519 for key exchange (replacing deprecated ScalarMult)
+	var ephPrivKeyFixed [32]byte
+	copy(ephPrivKeyFixed[:], ephemeralPrivateKey[:])
+
+	// Perform X25519 key exchange
+	sharedSecret, err := curve25519.X25519(ephPrivKeyFixed[:], serverPubKey[:])
+	if err != nil {
+		return nil, fmt.Errorf("failed to perform X25519 key exchange: %v", err)
+	}
+
+	// Create an AEAD cipher using the shared secret
+	aead, err := chacha20poly1305.New(sharedSecret)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create AEAD cipher: %v", err)
+	}
+
+	// Generate a random nonce
+	nonce := make([]byte, aead.NonceSize())
+	if _, err := rand.Read(nonce); err != nil {
+		return nil, fmt.Errorf("failed to generate nonce: %v", err)
+	}
+
+	// Encrypt the payload
+	ciphertext := aead.Seal(nil, nonce, payload, nil)
+
+	// Prepare the final encrypted message
+	encryptedMsg := struct {
+		EphemeralPublicKey string `json:"ephemeralPublicKey"`
+		Nonce              []byte `json:"nonce"`
+		Ciphertext         []byte `json:"ciphertext"`
+	}{
+		EphemeralPublicKey: ephemeralPublicKey.String(),
+		Nonce:              nonce,
+		Ciphertext:         ciphertext,
+	}
+
+	return encryptedMsg, nil
+}
+
+func (s *WireGuardService) keepSendingUDPHolePunch(host string) {
+	ticker := time.NewTicker(3 * time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-s.stopHolepunch:
+			logger.Info("Stopping UDP holepunch")
+			return
+		case <-ticker.C:
+			if err := s.sendUDPHolePunch(host + ":21820"); err != nil {
+				logger.Error("Failed to send UDP hole punch: %v", err)
+			}
+		}
+	}
+}
+
+func (s *WireGuardService) removeInterface() error {
+	// Remove the WireGuard interface
+	link, err := netlink.LinkByName(s.interfaceName)
+	if err != nil {
+		return fmt.Errorf("failed to get interface: %v", err)
+	}
+
+	err = netlink.LinkDel(link)
+	if err != nil {
+		return fmt.Errorf("failed to delete interface: %v", err)
+	}
+
+	logger.Info("WireGuard interface %s removed successfully", s.interfaceName)
+
+	return nil
+}