Use the right time

Fixes #220

.github/workflows/cicd.yml

@@ -11,7 +11,9 @@ permissions:
 on:
   push:
     tags:
-      - "*"
+      - "[0-9]+.[0-9]+.[0-9]+"
+      - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+
   workflow_dispatch:
     inputs:
       version:
@@ -273,7 +275,7 @@ jobs:
           tags: |
             type=semver,pattern={{version}},value=${{ env.TAG }}
             type=semver,pattern={{major}}.{{minor}},value=${{ env.TAG }},enable=${{ env.PUBLISH_MINOR == 'true' && env.IS_RC != 'true' }}
-            type=raw,value=latest,enable=${{ env.PUBLISH_LATEST == 'true' && env.IS_RC != 'true' }}
+            type=raw,value=latest,enable=${{ env.IS_RC != 'true' }}
           flavor: |
             latest=false
           labels: |
@@ -587,28 +589,28 @@ jobs:
       #     sarif_file: trivy-ghcr.sarif
       #     category: Image Vulnerability Scan
 
-      # - name: Build binaries
-      #   env:
-      #     CGO_ENABLED: "0"
-      #     GOFLAGS: "-trimpath"
-      #   run: |
-      #     set -euo pipefail
-      #     TAG_VAR="${TAG}"
-      #     make go-build-release tag=$TAG_VAR
-      #   shell: bash
+      - name: Build binaries
+        env:
+          CGO_ENABLED: "0"
+          GOFLAGS: "-trimpath"
+        run: |
+          set -euo pipefail
+          TAG_VAR="${TAG}"
+          make -j 10 go-build-release tag=$TAG_VAR
+        shell: bash
 
-      # - name: Create GitHub Release
-      #   uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
-      #   with:
-      #     tag_name: ${{ env.TAG }}
-      #     generate_release_notes: true
-      #     prerelease: ${{ env.IS_RC == 'true' }}
-      #     files: |
-      #       bin/*
-      #     fail_on_unmatched_files: true
-      #     draft: true
-      #     body: |
-      #       ## Container Images
-      #       - GHCR: `${{ env.GHCR_REF }}`
-      #       - Docker Hub: `${{ env.DH_REF || 'N/A' }}`
-      #       **Digest:** `${{ steps.build.outputs.digest }}`
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
+        with:
+          tag_name: ${{ env.TAG }}
+          generate_release_notes: true
+          prerelease: ${{ env.IS_RC == 'true' }}
+          files: |
+            bin/*
+          fail_on_unmatched_files: true
+          draft: true
+          body: |
+            ## Container Images
+            - GHCR: `${{ env.GHCR_REF }}`
+            - Docker Hub: `${{ env.DH_REF || 'N/A' }}`
+            **Digest:** `${{ steps.build.outputs.digest }}`

.github/workflows/nix-build.yml

@@ -0,0 +1,23 @@
+name: Build Nix package
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - go.mod
+      - go.sum
+
+jobs:
+  nix-build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Build flake package
+        run: |
+          nix build .#pangolin-newt -L

.github/workflows/nix-dependabot-update-hash.yml

@@ -0,0 +1,48 @@
+name: Update Nix Package Hash On Dependabot PRs
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches:
+      - main
+
+jobs:
+  nix-update:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Run nix-update
+        run: |
+          nix run nixpkgs#nix-update -- --flake pangolin-newt --no-src --version skip
+
+      - name: Check for changes
+        id: changes
+        run: |
+          if git diff --quiet; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Commit and push changes
+        if: steps.changes.outputs.changed == 'true'
+        run: |
+          git config user.name "dependabot[bot]"
+          git config user.email "dependabot[bot]@users.noreply.github.com"
+
+          git add .
+          git commit -m "chore(nix): fix hash for updated go dependencies"
+          git push

.gitignore

@@ -5,4 +5,6 @@ nohup.out
 *.iml
 certs/
 newt_arm64
-key
+key
+/.direnv/
+/result*

Makefile

@@ -27,6 +27,18 @@ docker-build-release:
         go-build-release-darwin-amd64 go-build-release-windows-amd64 \
         go-build-release-freebsd-amd64 go-build-release-freebsd-arm64
 
+go-build-release: \
+    go-build-release-linux-arm64 \
+    go-build-release-linux-arm32-v7 \
+    go-build-release-linux-arm32-v6 \
+    go-build-release-linux-amd64 \
+    go-build-release-linux-riscv64 \
+    go-build-release-darwin-arm64 \
+    go-build-release-darwin-amd64 \
+    go-build-release-windows-amd64 \
+    go-build-release-freebsd-amd64 \
+    go-build-release-freebsd-arm64
+
 go-build-release-linux-arm64:
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/newt_linux_arm64
 

bind/shared_bind.go

@@ -523,7 +523,7 @@ func (b *SharedBind) receiveIPv4Simple(conn *net.UDPConn, bufs [][]byte, sizes [
 func (b *SharedBind) handleMagicPacket(data []byte, addr *net.UDPAddr) bool {
 	// Check if this is a test request packet
 	if len(data) >= MagicTestRequestLen && bytes.HasPrefix(data, MagicTestRequest) {
-		logger.Debug("Received magic test REQUEST from %s, sending response", addr.String())
+		// logger.Debug("Received magic test REQUEST from %s, sending response", addr.String())
 		// Extract the random data portion to echo back
 		echoData := data[len(MagicTestRequest) : len(MagicTestRequest)+MagicPacketDataLen]
 
@@ -546,7 +546,7 @@ func (b *SharedBind) handleMagicPacket(data []byte, addr *net.UDPAddr) bool {
 
 	// Check if this is a test response packet
 	if len(data) >= MagicTestResponseLen && bytes.HasPrefix(data, MagicTestResponse) {
-		logger.Debug("Received magic test RESPONSE from %s", addr.String())
+		// logger.Debug("Received magic test RESPONSE from %s", addr.String())
 		// Extract the echoed data
 		echoData := data[len(MagicTestResponse) : len(MagicTestResponse)+MagicPacketDataLen]
 

clients.go

@@ -24,7 +24,7 @@ func setupClients(client *websocket.Client) {
 
 	host = strings.TrimSuffix(host, "/")
 
-	logger.Info("Setting up clients with netstack2...")
+	logger.Debug("Setting up clients with netstack2...")
 
 	// if useNativeInterface is true make sure we have permission to use native interface
 	if useNativeInterface {
@@ -63,7 +63,7 @@ func closeClients() {
 	}
 }
 
-func clientsHandleNewtConnection(publicKey string, endpoint string) {
+func clientsHandleNewtConnection(publicKey string, endpoint string, relayPort uint16) {
 	if !ready {
 		return
 	}
@@ -77,7 +77,7 @@ func clientsHandleNewtConnection(publicKey string, endpoint string) {
 	endpoint = strings.Join(parts[:len(parts)-1], ":")
 
 	if wgService != nil {
-		wgService.StartHolepunch(publicKey, endpoint)
+		wgService.StartHolepunch(publicKey, endpoint, relayPort)
 	}
 }
 

clients/clients.go

@@ -141,7 +141,7 @@ func NewWireGuardService(interfaceName string, port uint16, mtu int, host string
 	// Add a reference for the hole punch manager (creator already has one reference for WireGuard)
 	sharedBind.AddRef()
 
-	logger.Info("Created shared UDP socket on port %d (refcount: %d)", port, sharedBind.GetRefCount())
+	logger.Debug("Created shared UDP socket on port %d (refcount: %d)", port, sharedBind.GetRefCount())
 
 	// Parse DNS addresses
 	dnsAddrs := []netip.Addr{netip.MustParseAddr(dns)}
@@ -172,6 +172,7 @@ func NewWireGuardService(interfaceName string, port uint16, mtu int, host string
 	wsClient.RegisterHandler("newt/wg/targets/add", service.handleAddTarget)
 	wsClient.RegisterHandler("newt/wg/targets/remove", service.handleRemoveTarget)
 	wsClient.RegisterHandler("newt/wg/targets/update", service.handleUpdateTarget)
+	wsClient.RegisterHandler("newt/wg/sync", service.handleSyncConfig)
 
 	return service, nil
 }
@@ -270,16 +271,21 @@ func (s *WireGuardService) SetOnNetstackClose(callback func()) {
 }
 
 // StartHolepunch starts hole punching to a specific endpoint
-func (s *WireGuardService) StartHolepunch(publicKey string, endpoint string) {
+func (s *WireGuardService) StartHolepunch(publicKey string, endpoint string, relayPort uint16) {
 	if s.holePunchManager == nil {
 		logger.Warn("Hole punch manager not initialized")
 		return
 	}
 
+	if relayPort == 0 {
+	    relayPort = 21820
+	}
+
 	// Convert websocket.ExitNode to holepunch.ExitNode
 	hpExitNodes := []holepunch.ExitNode{
 		{
 			Endpoint:  endpoint,
+			RelayPort: relayPort,
 			PublicKey: publicKey,
 		},
 	}
@@ -289,7 +295,7 @@ func (s *WireGuardService) StartHolepunch(publicKey string, endpoint string) {
 		logger.Warn("Failed to start hole punch: %v", err)
 	}
 
-	logger.Info("Starting hole punch to %s with public key: %s", endpoint, publicKey)
+	logger.Debug("Starting hole punch to %s with public key: %s", endpoint, publicKey)
 }
 
 // StartDirectUDPRelay starts a direct UDP relay from the main tunnel netstack to the clients' WireGuard.
@@ -336,7 +342,7 @@ func (s *WireGuardService) StartDirectUDPRelay(tunnelIP string) error {
 	// Set the netstack connection on the SharedBind so responses go back through the tunnel
 	s.sharedBind.SetNetstackConn(listener)
 
-	logger.Info("Started direct UDP relay on %s:%d (bidirectional via SharedBind)", tunnelIP, s.Port)
+	logger.Debug("Started direct UDP relay on %s:%d (bidirectional via SharedBind)", tunnelIP, s.Port)
 
 	// Start the relay goroutine to read from netstack and inject into SharedBind
 	s.directRelayWg.Add(1)
@@ -354,7 +360,7 @@ func (s *WireGuardService) runDirectUDPRelay(listener net.PacketConn) {
 	// Note: Don't close listener here - it's also used by SharedBind for sending responses
 	// It will be closed when the relay is stopped
 
-	logger.Info("Direct UDP relay started (bidirectional through SharedBind)")
+	logger.Debug("Direct UDP relay started (bidirectional through SharedBind)")
 
 	buf := make([]byte, 65535) // Max UDP packet size
 
@@ -440,7 +446,7 @@ func (s *WireGuardService) LoadRemoteConfig() error {
 		"port":      s.Port,
 	}, 2*time.Second)
 
-	logger.Info("Requesting WireGuard configuration from remote server")
+	logger.Debug("Requesting WireGuard configuration from remote server")
 	go s.periodicBandwidthCheck()
 
 	return nil
@@ -450,7 +456,7 @@ func (s *WireGuardService) handleConfig(msg websocket.WSMessage) {
 	var config WgConfig
 
 	logger.Debug("Received message: %v", msg)
-	logger.Info("Received WireGuard clients configuration from remote server")
+	logger.Debug("Received WireGuard clients configuration from remote server")
 
 	jsonData, err := json.Marshal(msg.Data)
 	if err != nil {
@@ -472,6 +478,8 @@ func (s *WireGuardService) handleConfig(msg websocket.WSMessage) {
 	// Ensure the WireGuard interface and peers are configured
 	if err := s.ensureWireguardInterface(config); err != nil {
 		logger.Error("Failed to ensure WireGuard interface: %v", err)
+		logger.Error("Clients functionality will be disabled until the interface can be created")
+		return
 	}
 
 	if err := s.ensureWireguardPeers(config.Peers); err != nil {
@@ -481,6 +489,185 @@ func (s *WireGuardService) handleConfig(msg websocket.WSMessage) {
 	if err := s.ensureTargets(config.Targets); err != nil {
 		logger.Error("Failed to ensure WireGuard targets: %v", err)
 	}
+
+	logger.Info("Client connectivity setup. Ready to accept connections from clients!")
+}
+
+// SyncConfig represents the configuration sent from server for syncing
+type SyncConfig struct {
+	Targets []Target `json:"targets"`
+	Peers   []Peer   `json:"peers"`
+}
+
+func (s *WireGuardService) handleSyncConfig(msg websocket.WSMessage) {
+	var syncConfig SyncConfig
+
+	logger.Debug("Received sync message: %v", msg)
+	logger.Info("Received sync configuration from remote server")
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling sync data: %v", err)
+		return
+	}
+
+	if err := json.Unmarshal(jsonData, &syncConfig); err != nil {
+		logger.Error("Error unmarshaling sync data: %v", err)
+		return
+	}
+
+	// Sync peers
+	if err := s.syncPeers(syncConfig.Peers); err != nil {
+		logger.Error("Failed to sync peers: %v", err)
+	}
+
+	// Sync targets
+	if err := s.syncTargets(syncConfig.Targets); err != nil {
+		logger.Error("Failed to sync targets: %v", err)
+	}
+}
+
+// syncPeers synchronizes the current peers with the desired state
+// It removes peers not in the desired list and adds missing ones
+func (s *WireGuardService) syncPeers(desiredPeers []Peer) error {
+	if s.device == nil {
+		return fmt.Errorf("WireGuard device is not initialized")
+	}
+
+	// Get current peers from the device
+	currentConfig, err := s.device.IpcGet()
+	if err != nil {
+		return fmt.Errorf("failed to get current device config: %v", err)
+	}
+
+	// Parse current peer public keys
+	lines := strings.Split(currentConfig, "\n")
+	currentPeerKeys := make(map[string]bool)
+	for _, line := range lines {
+		if strings.HasPrefix(line, "public_key=") {
+			pubKey := strings.TrimPrefix(line, "public_key=")
+			currentPeerKeys[pubKey] = true
+		}
+	}
+
+	// Build a map of desired peers by their public key (normalized)
+	desiredPeerMap := make(map[string]Peer)
+	for _, peer := range desiredPeers {
+		// Normalize the public key for comparison
+		pubKey, err := wgtypes.ParseKey(peer.PublicKey)
+		if err != nil {
+			logger.Warn("Invalid public key in desired peers: %s", peer.PublicKey)
+			continue
+		}
+		normalizedKey := util.FixKey(pubKey.String())
+		desiredPeerMap[normalizedKey] = peer
+	}
+
+	// Remove peers that are not in the desired list
+	for currentKey := range currentPeerKeys {
+		if _, exists := desiredPeerMap[currentKey]; !exists {
+			// Parse the key back to get the original format for removal
+			removeConfig := fmt.Sprintf("public_key=%s\nremove=true", currentKey)
+			if err := s.device.IpcSet(removeConfig); err != nil {
+				logger.Warn("Failed to remove peer %s during sync: %v", currentKey, err)
+			} else {
+				logger.Info("Removed peer %s during sync", currentKey)
+			}
+		}
+	}
+
+	// Add peers that are missing
+	for normalizedKey, peer := range desiredPeerMap {
+		if _, exists := currentPeerKeys[normalizedKey]; !exists {
+			if err := s.addPeerToDevice(peer); err != nil {
+				logger.Warn("Failed to add peer %s during sync: %v", peer.PublicKey, err)
+			} else {
+				logger.Info("Added peer %s during sync", peer.PublicKey)
+			}
+		}
+	}
+
+	return nil
+}
+
+// syncTargets synchronizes the current targets with the desired state
+// It removes targets not in the desired list and adds missing ones
+func (s *WireGuardService) syncTargets(desiredTargets []Target) error {
+	if s.tnet == nil {
+		// Native interface mode - proxy features not available, skip silently
+		logger.Debug("Skipping target sync - using native interface (no proxy support)")
+		return nil
+	}
+
+	// Get current rules from the proxy handler
+	currentRules := s.tnet.GetProxySubnetRules()
+
+	// Build a map of current rules by source+dest prefix
+	type ruleKey struct {
+		sourcePrefix string
+		destPrefix   string
+	}
+	currentRuleMap := make(map[ruleKey]bool)
+	for _, rule := range currentRules {
+		key := ruleKey{
+			sourcePrefix: rule.SourcePrefix.String(),
+			destPrefix:   rule.DestPrefix.String(),
+		}
+		currentRuleMap[key] = true
+	}
+
+	// Build a map of desired targets
+	desiredTargetMap := make(map[ruleKey]Target)
+	for _, target := range desiredTargets {
+		key := ruleKey{
+			sourcePrefix: target.SourcePrefix,
+			destPrefix:   target.DestPrefix,
+		}
+		desiredTargetMap[key] = target
+	}
+
+	// Remove targets that are not in the desired list
+	for _, rule := range currentRules {
+		key := ruleKey{
+			sourcePrefix: rule.SourcePrefix.String(),
+			destPrefix:   rule.DestPrefix.String(),
+		}
+		if _, exists := desiredTargetMap[key]; !exists {
+			s.tnet.RemoveProxySubnetRule(rule.SourcePrefix, rule.DestPrefix)
+			logger.Info("Removed target %s -> %s during sync", rule.SourcePrefix.String(), rule.DestPrefix.String())
+		}
+	}
+
+	// Add targets that are missing
+	for key, target := range desiredTargetMap {
+		if _, exists := currentRuleMap[key]; !exists {
+			sourcePrefix, err := netip.ParsePrefix(target.SourcePrefix)
+			if err != nil {
+				logger.Warn("Invalid source prefix %s during sync: %v", target.SourcePrefix, err)
+				continue
+			}
+
+			destPrefix, err := netip.ParsePrefix(target.DestPrefix)
+			if err != nil {
+				logger.Warn("Invalid dest prefix %s during sync: %v", target.DestPrefix, err)
+				continue
+			}
+
+			var portRanges []netstack2.PortRange
+			for _, pr := range target.PortRange {
+				portRanges = append(portRanges, netstack2.PortRange{
+					Min:      pr.Min,
+					Max:      pr.Max,
+					Protocol: pr.Protocol,
+				})
+			}
+
+			s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
+			logger.Info("Added target %s -> %s during sync", target.SourcePrefix, target.DestPrefix)
+		}
+	}
+
+	return nil
 }
 
 func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error {
@@ -628,7 +815,7 @@ func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error {
 		return fmt.Errorf("failed to bring up WireGuard device: %v", err)
 	}
 
-	logger.Info("WireGuard netstack device created and configured")
+	logger.Debug("WireGuard netstack device created and configured")
 
 	// Release the mutex before calling the callback
 	s.mu.Unlock()
@@ -647,6 +834,11 @@ func (s *WireGuardService) ensureWireguardPeers(peers []Peer) error {
 	// For netstack, we need to manage peers differently
 	// We'll configure peers directly on the device using IPC
 
+	// Check if device is initialized
+	if s.device == nil {
+		return fmt.Errorf("WireGuard device is not initialized")
+	}
+
 	// First, clear all existing peers by getting current config and removing them
 	currentConfig, err := s.device.IpcGet()
 	if err != nil {

clients/permissions/permissions_android.go

@@ -0,0 +1,8 @@
+//go:build android
+
+package permissions
+
+// CheckNativeInterfacePermissions always allows permission on Android.
+func CheckNativeInterfacePermissions() error {
+	return nil
+}

clients/permissions/permissions_darwin.go

@@ -1,4 +1,4 @@
-//go:build darwin
+//go:build darwin && !ios
 
 package permissions
 

clients/permissions/permissions_ios.go

@@ -0,0 +1,8 @@
+//go:build ios
+
+package permissions
+
+// CheckNativeInterfacePermissions always allows permission on iOS.
+func CheckNativeInterfacePermissions() error {
+	return nil
+}

clients/permissions/permissions_linux.go

@@ -1,4 +1,4 @@
-//go:build linux
+//go:build linux && !android
 
 package permissions
 

flake.nix

@@ -25,7 +25,7 @@
           inherit (pkgs) lib;
 
           # Update version when releasing
-          version = "1.7.0";
+          version = "1.8.0";
         in
         {
           default = self.packages.${system}.pangolin-newt;
@@ -37,14 +37,26 @@
 
             vendorHash = "sha256-5Xr6mwPtsqEliKeKv2rhhp6JC7u3coP4nnhIxGMqccU=";
 
+            nativeInstallCheckInputs = [ pkgs.versionCheckHook ];
+
             env = {
               CGO_ENABLED = 0;
             };
 
             ldflags = [
+              "-s"
+              "-w"
               "-X main.newtVersion=${version}"
             ];
 
+            # Tests are broken due to a lack of Internet.
+            # Disable running `go test`, and instead do
+            # a simple version check instead.
+            doCheck = false;
+            doInstallCheck = true;
+
+            versionCheckProgramArg = [ "-version" ];
+
             meta = {
               description = "A tunneling client for Pangolin";
               homepage = "https://github.com/fosrl/newt";
@@ -52,6 +64,7 @@
               maintainers = [
                 lib.maintainers.water-sucks
               ];
+              mainProgram = "newt";
             };
           };
         }

healthcheck/healthcheck.go

@@ -61,6 +61,7 @@ type Target struct {
 	timer      *time.Timer
 	ctx        context.Context
 	cancel     context.CancelFunc
+	client     *http.Client
 }
 
 // StatusChangeCallback is called when any target's status changes
@@ -185,6 +186,16 @@ func (m *Monitor) addTargetUnsafe(config Config) error {
 		Status: StatusUnknown,
 		ctx:    ctx,
 		cancel: cancel,
+		client: &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{
+					// Configure TLS settings based on certificate enforcement
+					InsecureSkipVerify: !m.enforceCert,
+					// Use SNI TLS header if present
+					ServerName: config.TLSServerName,
+				},
+			},
+		},
 	}
 
 	m.targets[config.ID] = target
@@ -378,17 +389,6 @@ func (m *Monitor) performHealthCheck(target *Target) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(target.Config.Timeout)*time.Second)
 	defer cancel()
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{
-				// Configure TLS settings based on certificate enforcement
-				InsecureSkipVerify: !m.enforceCert,
-				// Use SNI TLS header if present
-				ServerName: target.Config.TLSServerName,
-			},
-		},
-	}
-
 	req, err := http.NewRequestWithContext(ctx, target.Config.Method, url, nil)
 	if err != nil {
 		target.Status = StatusUnhealthy
@@ -408,7 +408,7 @@ func (m *Monitor) performHealthCheck(target *Target) {
 	}
 
 	// Perform request
-	resp, err := client.Do(req)
+	resp, err := target.client.Do(req)
 	if err != nil {
 		target.Status = StatusUnhealthy
 		target.LastError = fmt.Sprintf("request failed: %v", err)
@@ -521,3 +521,82 @@ func (m *Monitor) DisableTarget(id int) error {
 
 	return nil
 }
+
+// GetTargetIDs returns a slice of all current target IDs
+func (m *Monitor) GetTargetIDs() []int {
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()
+
+	ids := make([]int, 0, len(m.targets))
+	for id := range m.targets {
+		ids = append(ids, id)
+	}
+	return ids
+}
+
+// SyncTargets synchronizes the current targets to match the desired set.
+// It removes targets not in the desired set and adds targets that are missing.
+func (m *Monitor) SyncTargets(desiredConfigs []Config) error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	logger.Info("Syncing health check targets: %d desired targets", len(desiredConfigs))
+
+	// Build a set of desired target IDs
+	desiredIDs := make(map[int]Config)
+	for _, config := range desiredConfigs {
+		desiredIDs[config.ID] = config
+	}
+
+	// Find targets to remove (exist but not in desired set)
+	var toRemove []int
+	for id := range m.targets {
+		if _, exists := desiredIDs[id]; !exists {
+			toRemove = append(toRemove, id)
+		}
+	}
+
+	// Remove targets that are not in the desired set
+	for _, id := range toRemove {
+		logger.Info("Sync: removing health check target %d", id)
+		if target, exists := m.targets[id]; exists {
+			target.cancel()
+			delete(m.targets, id)
+		}
+	}
+
+	// Add or update targets from the desired set
+	var addedCount, updatedCount int
+	for id, config := range desiredIDs {
+		if existing, exists := m.targets[id]; exists {
+			// Target exists - check if config changed and update if needed
+			// For now, we'll replace it to ensure config is up to date
+			logger.Debug("Sync: updating health check target %d", id)
+			existing.cancel()
+			delete(m.targets, id)
+			if err := m.addTargetUnsafe(config); err != nil {
+				logger.Error("Sync: failed to update target %d: %v", id, err)
+				return fmt.Errorf("failed to update target %d: %v", id, err)
+			}
+			updatedCount++
+		} else {
+			// Target doesn't exist - add it
+			logger.Debug("Sync: adding health check target %d", id)
+			if err := m.addTargetUnsafe(config); err != nil {
+				logger.Error("Sync: failed to add target %d: %v", id, err)
+				return fmt.Errorf("failed to add target %d: %v", id, err)
+			}
+			addedCount++
+		}
+	}
+
+	logger.Info("Sync complete: removed %d, added %d, updated %d targets",
+		len(toRemove), addedCount, updatedCount)
+
+	// Notify callback if any changes were made
+	if (len(toRemove) > 0 || addedCount > 0 || updatedCount > 0) && m.callback != nil {
+		go m.callback(m.getAllTargetsUnsafe())
+	}
+
+	return nil
+}

holepunch/holepunch.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
+	"strconv"
 	"sync"
 	"time"
 
@@ -19,7 +20,9 @@ import (
 // ExitNode represents a WireGuard exit node for hole punching
 type ExitNode struct {
 	Endpoint  string `json:"endpoint"`
+	RelayPort uint16 `json:"relayPort"`
 	PublicKey string `json:"publicKey"`
+	SiteIds   []int  `json:"siteIds,omitempty"`
 }
 
 // Manager handles UDP hole punching operations
@@ -35,21 +38,29 @@ type Manager struct {
 	exitNodes  map[string]ExitNode // key is endpoint
 	updateChan chan struct{}       // signals the goroutine to refresh exit nodes
 
-	sendHolepunchInterval time.Duration
+	sendHolepunchInterval    time.Duration
+	sendHolepunchIntervalMin time.Duration
+	sendHolepunchIntervalMax time.Duration
+	defaultIntervalMin       time.Duration
+	defaultIntervalMax       time.Duration
 }
 
-const sendHolepunchIntervalMax = 60 * time.Second
-const sendHolepunchIntervalMin = 1 * time.Second
+const defaultSendHolepunchIntervalMax = 60 * time.Second
+const defaultSendHolepunchIntervalMin = 1 * time.Second
 
 // NewManager creates a new hole punch manager
 func NewManager(sharedBind *bind.SharedBind, ID string, clientType string, publicKey string) *Manager {
 	return &Manager{
-		sharedBind:            sharedBind,
-		ID:                    ID,
-		clientType:            clientType,
-		publicKey:             publicKey,
-		exitNodes:             make(map[string]ExitNode),
-		sendHolepunchInterval: sendHolepunchIntervalMin,
+		sharedBind:               sharedBind,
+		ID:                       ID,
+		clientType:               clientType,
+		publicKey:                publicKey,
+		exitNodes:                make(map[string]ExitNode),
+		sendHolepunchInterval:    defaultSendHolepunchIntervalMin,
+		sendHolepunchIntervalMin: defaultSendHolepunchIntervalMin,
+		sendHolepunchIntervalMax: defaultSendHolepunchIntervalMax,
+		defaultIntervalMin:       defaultSendHolepunchIntervalMin,
+		defaultIntervalMax:       defaultSendHolepunchIntervalMax,
 	}
 }
 
@@ -140,6 +151,51 @@ func (m *Manager) RemoveExitNode(endpoint string) bool {
 	return true
 }
 
+/*
+RemoveExitNodesByPeer removes the peer ID from the SiteIds list in each exit node.
+If the SiteIds list becomes empty after removal, the exit node is removed entirely.
+Returns the number of exit nodes removed.
+*/
+func (m *Manager) RemoveExitNodesByPeer(peerID int) int {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	removed := 0
+	for endpoint, node := range m.exitNodes {
+		// Remove peerID from SiteIds if present
+		newSiteIds := make([]int, 0, len(node.SiteIds))
+		for _, id := range node.SiteIds {
+			if id != peerID {
+				newSiteIds = append(newSiteIds, id)
+			}
+		}
+		if len(newSiteIds) != len(node.SiteIds) {
+			node.SiteIds = newSiteIds
+			if len(node.SiteIds) == 0 {
+				delete(m.exitNodes, endpoint)
+				logger.Info("Removed exit node %s as no more site IDs remain after removing peer %d", endpoint, peerID)
+				removed++
+			} else {
+				m.exitNodes[endpoint] = node
+				logger.Info("Removed peer %d from exit node %s site IDs", peerID, endpoint)
+			}
+		}
+	}
+
+	if removed > 0 {
+		// Signal the goroutine to refresh if running
+		if m.running && m.updateChan != nil {
+			select {
+			case m.updateChan <- struct{}{}:
+			default:
+				// Channel full or closed, skip
+			}
+		}
+	}
+
+	return removed
+}
+
 // GetExitNodes returns a copy of the current exit nodes
 func (m *Manager) GetExitNodes() []ExitNode {
 	m.mu.Lock()
@@ -152,17 +208,46 @@ func (m *Manager) GetExitNodes() []ExitNode {
 	return nodes
 }
 
-// ResetInterval resets the hole punch interval back to the minimum value,
-// allowing it to climb back up through exponential backoff.
-// This is useful when network conditions change or connectivity is restored.
-func (m *Manager) ResetInterval() {
+// SetServerHolepunchInterval sets custom min and max intervals for hole punching.
+// This is useful for low power mode where longer intervals are desired.
+func (m *Manager) SetServerHolepunchInterval(min, max time.Duration) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
-	if m.sendHolepunchInterval != sendHolepunchIntervalMin {
-		m.sendHolepunchInterval = sendHolepunchIntervalMin
-		logger.Info("Reset hole punch interval to minimum (%v)", sendHolepunchIntervalMin)
+	m.sendHolepunchIntervalMin = min
+	m.sendHolepunchIntervalMax = max
+	m.sendHolepunchInterval = min
+
+	logger.Info("Set hole punch intervals: min=%v, max=%v", min, max)
+
+	// Signal the goroutine to apply the new interval if running
+	if m.running && m.updateChan != nil {
+		select {
+		case m.updateChan <- struct{}{}:
+		default:
+			// Channel full or closed, skip
+		}
 	}
+}
+
+// GetInterval returns the current min and max intervals
+func (m *Manager) GetServerHolepunchInterval() (min, max time.Duration) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.sendHolepunchIntervalMin, m.sendHolepunchIntervalMax
+}
+
+// ResetServerHolepunchInterval resets the hole punch interval back to the default values.
+// This restores normal operation after low power mode or other custom settings.
+func (m *Manager) ResetServerHolepunchInterval() {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.sendHolepunchIntervalMin = m.defaultIntervalMin
+	m.sendHolepunchIntervalMax = m.defaultIntervalMax
+	m.sendHolepunchInterval = m.defaultIntervalMin
+
+	logger.Info("Reset hole punch intervals to defaults: min=%v, max=%v", m.defaultIntervalMin, m.defaultIntervalMax)
 
 	// Signal the goroutine to apply the new interval if running
 	if m.running && m.updateChan != nil {
@@ -202,7 +287,7 @@ func (m *Manager) TriggerHolePunch() error {
 			continue
 		}
 
-		serverAddr := net.JoinHostPort(host, "21820")
+		serverAddr := net.JoinHostPort(host, strconv.Itoa(int(exitNode.RelayPort)))
 		remoteAddr, err := net.ResolveUDPAddr("udp", serverAddr)
 		if err != nil {
 			logger.Error("Failed to resolve UDP address %s: %v", serverAddr, err)
@@ -247,7 +332,7 @@ func (m *Manager) StartMultipleExitNodes(exitNodes []ExitNode) error {
 	m.updateChan = make(chan struct{}, 1)
 	m.mu.Unlock()
 
-	logger.Info("Starting UDP hole punch to %d exit nodes with shared bind", len(exitNodes))
+	logger.Debug("Starting UDP hole punch to %d exit nodes with shared bind", len(exitNodes))
 
 	go m.runMultipleExitNodes()
 
@@ -313,7 +398,7 @@ func (m *Manager) runMultipleExitNodes() {
 				continue
 			}
 
-			serverAddr := net.JoinHostPort(host, "21820")
+			serverAddr := net.JoinHostPort(host, strconv.Itoa(int(exitNode.RelayPort)))
 			remoteAddr, err := net.ResolveUDPAddr("udp", serverAddr)
 			if err != nil {
 				logger.Error("Failed to resolve UDP address %s: %v", serverAddr, err)
@@ -325,7 +410,7 @@ func (m *Manager) runMultipleExitNodes() {
 				publicKey:    exitNode.PublicKey,
 				endpointName: exitNode.Endpoint,
 			})
-			logger.Info("Resolved exit node: %s -> %s", exitNode.Endpoint, remoteAddr.String())
+			logger.Debug("Resolved exit node: %s -> %s", exitNode.Endpoint, remoteAddr.String())
 		}
 		return resolvedNodes
 	}
@@ -345,7 +430,7 @@ func (m *Manager) runMultipleExitNodes() {
 
 	// Start with minimum interval
 	m.mu.Lock()
-	m.sendHolepunchInterval = sendHolepunchIntervalMin
+	m.sendHolepunchInterval = m.sendHolepunchIntervalMin
 	m.mu.Unlock()
 
 	ticker := time.NewTicker(m.sendHolepunchInterval)
@@ -367,7 +452,7 @@ func (m *Manager) runMultipleExitNodes() {
 			}
 			// Reset interval to minimum on update
 			m.mu.Lock()
-			m.sendHolepunchInterval = sendHolepunchIntervalMin
+			m.sendHolepunchInterval = m.sendHolepunchIntervalMin
 			m.mu.Unlock()
 			ticker.Reset(m.sendHolepunchInterval)
 			// Send immediate hole punch to newly resolved nodes
@@ -387,8 +472,8 @@ func (m *Manager) runMultipleExitNodes() {
 				// Exponential backoff: double the interval up to max
 				m.mu.Lock()
 				newInterval := m.sendHolepunchInterval * 2
-				if newInterval > sendHolepunchIntervalMax {
-					newInterval = sendHolepunchIntervalMax
+				if newInterval > m.sendHolepunchIntervalMax {
+					newInterval = m.sendHolepunchIntervalMax
 				}
 				if newInterval != m.sendHolepunchInterval {
 					m.sendHolepunchInterval = newInterval

holepunch/tester.go

@@ -41,6 +41,12 @@ func DefaultTestOptions() TestConnectionOptions {
 	}
 }
 
+// cachedAddr holds a cached resolved UDP address
+type cachedAddr struct {
+	addr      *net.UDPAddr
+	resolvedAt time.Time
+}
+
 // HolepunchTester monitors holepunch connectivity using magic packets
 type HolepunchTester struct {
 	sharedBind *bind.SharedBind
@@ -53,6 +59,11 @@ type HolepunchTester struct {
 
 	// Callback when connection status changes
 	callback HolepunchStatusCallback
+
+	// Address cache to avoid repeated DNS/UDP resolution
+	addrCache    map[string]*cachedAddr
+	addrCacheMu  sync.RWMutex
+	addrCacheTTL time.Duration // How long cached addresses are valid
 }
 
 // HolepunchStatus represents the status of a holepunch connection
@@ -75,7 +86,9 @@ type pendingRequest struct {
 // NewHolepunchTester creates a new holepunch tester using the given SharedBind
 func NewHolepunchTester(sharedBind *bind.SharedBind) *HolepunchTester {
 	return &HolepunchTester{
-		sharedBind: sharedBind,
+		sharedBind:   sharedBind,
+		addrCache:    make(map[string]*cachedAddr),
+		addrCacheTTL: 5 * time.Minute, // Cache addresses for 5 minutes
 	}
 }
 
@@ -135,12 +148,70 @@ func (t *HolepunchTester) Stop() {
 		return true
 	})
 
+	// Clear address cache
+	t.addrCacheMu.Lock()
+	t.addrCache = make(map[string]*cachedAddr)
+	t.addrCacheMu.Unlock()
+
 	logger.Debug("HolepunchTester stopped")
 }
 
+// resolveEndpoint resolves an endpoint to a UDP address, using cache when possible
+func (t *HolepunchTester) resolveEndpoint(endpoint string) (*net.UDPAddr, error) {
+	// Check cache first
+	t.addrCacheMu.RLock()
+	cached, ok := t.addrCache[endpoint]
+	ttl := t.addrCacheTTL
+	t.addrCacheMu.RUnlock()
+
+	if ok && time.Since(cached.resolvedAt) < ttl {
+		return cached.addr, nil
+	}
+
+	// Resolve the endpoint
+	host, err := util.ResolveDomain(endpoint)
+	if err != nil {
+		host = endpoint
+	}
+
+	_, _, err = net.SplitHostPort(host)
+	if err != nil {
+		host = net.JoinHostPort(host, "21820")
+	}
+
+	remoteAddr, err := net.ResolveUDPAddr("udp", host)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve UDP address %s: %w", host, err)
+	}
+
+	// Cache the result
+	t.addrCacheMu.Lock()
+	t.addrCache[endpoint] = &cachedAddr{
+		addr:       remoteAddr,
+		resolvedAt: time.Now(),
+	}
+	t.addrCacheMu.Unlock()
+
+	return remoteAddr, nil
+}
+
+// InvalidateCache removes a specific endpoint from the address cache
+func (t *HolepunchTester) InvalidateCache(endpoint string) {
+	t.addrCacheMu.Lock()
+	delete(t.addrCache, endpoint)
+	t.addrCacheMu.Unlock()
+}
+
+// ClearCache clears all cached addresses
+func (t *HolepunchTester) ClearCache() {
+	t.addrCacheMu.Lock()
+	t.addrCache = make(map[string]*cachedAddr)
+	t.addrCacheMu.Unlock()
+}
+
 // handleResponse is called by SharedBind when a magic response is received
 func (t *HolepunchTester) handleResponse(addr netip.AddrPort, echoData []byte) {
-	logger.Debug("Received magic response from %s", addr.String())
+	// logger.Debug("Received magic response from %s", addr.String())
 	key := string(echoData)
 
 	value, ok := t.pendingRequests.LoadAndDelete(key)
@@ -152,7 +223,7 @@ func (t *HolepunchTester) handleResponse(addr netip.AddrPort, echoData []byte) {
 
 	req := value.(*pendingRequest)
 	rtt := time.Since(req.sentAt)
-	logger.Debug("Magic response matched pending request for %s (RTT: %v)", req.endpoint, rtt)
+	// logger.Debug("Magic response matched pending request for %s (RTT: %v)", req.endpoint, rtt)
 
 	// Send RTT to the waiting goroutine (non-blocking)
 	select {
@@ -183,20 +254,10 @@ func (t *HolepunchTester) TestEndpoint(endpoint string, timeout time.Duration) T
 		return result
 	}
 
-	// Resolve the endpoint
-	host, err := util.ResolveDomain(endpoint)
+	// Resolve the endpoint (using cache)
+	remoteAddr, err := t.resolveEndpoint(endpoint)
 	if err != nil {
-		host = endpoint
-	}
-
-	_, _, err = net.SplitHostPort(host)
-	if err != nil {
-		host = net.JoinHostPort(host, "21820")
-	}
-
-	remoteAddr, err := net.ResolveUDPAddr("udp", host)
-	if err != nil {
-		result.Error = fmt.Errorf("failed to resolve UDP address %s: %w", host, err)
+		result.Error = err
 		return result
 	}
 

main.go

@@ -37,6 +37,7 @@ import (
 
 type WgData struct {
 	Endpoint           string               `json:"endpoint"`
+	RelayPort          uint16               `json:"relayPort"`
 	PublicKey          string               `json:"publicKey"`
 	ServerIP           string               `json:"serverIP"`
 	TunnelIP           string               `json:"tunnelIP"`
@@ -419,7 +420,7 @@ func runNewtMain(ctx context.Context) {
 	}
 	if tel != nil {
 		// Admin HTTP server (exposes /metrics when Prometheus exporter is enabled)
-		logger.Info("Starting metrics server on %s", tcfg.AdminAddr)
+		logger.Debug("Starting metrics server on %s", tcfg.AdminAddr)
 		mux := http.NewServeMux()
 		mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(200) })
 		if tel.PrometheusHandler != nil {
@@ -505,7 +506,7 @@ func runNewtMain(ctx context.Context) {
 		id,     // CLI arg takes precedence
 		secret, // CLI arg takes precedence
 		endpoint,
-		pingInterval,
+		30*time.Second, // 30 seconds
 		pingTimeout,
 		opt,
 	)
@@ -691,7 +692,12 @@ func runNewtMain(ctx context.Context) {
 			return
 		}
 
-		clientsHandleNewtConnection(wgData.PublicKey, endpoint)
+		relayPort := wgData.RelayPort
+		if relayPort == 0 {
+			relayPort = 21820
+		}
+
+		clientsHandleNewtConnection(wgData.PublicKey, endpoint, relayPort)
 
 		// Configure WireGuard
 		config := fmt.Sprintf(`private_key=%s
@@ -1100,6 +1106,151 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
 		}
 	})
 
+	// Register handler for syncing targets (TCP, UDP, and health checks)
+	client.RegisterHandler("newt/sync", func(msg websocket.WSMessage) {
+		logger.Info("Received sync message")
+
+		// if there is no wgData or pm, we can't sync targets
+		if wgData.TunnelIP == "" || pm == nil {
+			logger.Info(msgNoTunnelOrProxy)
+			return
+		}
+
+		// Define the sync data structure
+		type SyncData struct {
+			Targets            TargetsByType        `json:"targets"`
+			HealthCheckTargets []healthcheck.Config `json:"healthCheckTargets"`
+		}
+
+		var syncData SyncData
+		jsonData, err := json.Marshal(msg.Data)
+		if err != nil {
+			logger.Error("Error marshaling sync data: %v", err)
+			return
+		}
+
+		if err := json.Unmarshal(jsonData, &syncData); err != nil {
+			logger.Error("Error unmarshaling sync data: %v", err)
+			return
+		}
+
+		logger.Debug("Sync data received: TCP targets=%d, UDP targets=%d, health check targets=%d",
+			len(syncData.Targets.TCP), len(syncData.Targets.UDP), len(syncData.HealthCheckTargets))
+
+		// Build sets of desired targets (port -> target string)
+		desiredTCP := make(map[int]string)
+		for _, t := range syncData.Targets.TCP {
+			parts := strings.Split(t, ":")
+			if len(parts) != 3 {
+				logger.Warn("Invalid TCP target format: %s", t)
+				continue
+			}
+			port := 0
+			if _, err := fmt.Sscanf(parts[0], "%d", &port); err != nil {
+				logger.Warn("Invalid port in TCP target: %s", parts[0])
+				continue
+			}
+			desiredTCP[port] = parts[1] + ":" + parts[2]
+		}
+
+		desiredUDP := make(map[int]string)
+		for _, t := range syncData.Targets.UDP {
+			parts := strings.Split(t, ":")
+			if len(parts) != 3 {
+				logger.Warn("Invalid UDP target format: %s", t)
+				continue
+			}
+			port := 0
+			if _, err := fmt.Sscanf(parts[0], "%d", &port); err != nil {
+				logger.Warn("Invalid port in UDP target: %s", parts[0])
+				continue
+			}
+			desiredUDP[port] = parts[1] + ":" + parts[2]
+		}
+
+		// Get current targets from proxy manager
+		currentTCP, currentUDP := pm.GetTargets()
+
+		// Sync TCP targets
+		// Remove TCP targets not in desired set
+		if tcpForIP, ok := currentTCP[wgData.TunnelIP]; ok {
+			for port := range tcpForIP {
+				if _, exists := desiredTCP[port]; !exists {
+					logger.Info("Sync: removing TCP target on port %d", port)
+					targetStr := fmt.Sprintf("%d:%s", port, tcpForIP[port])
+					updateTargets(pm, "remove", wgData.TunnelIP, "tcp", TargetData{Targets: []string{targetStr}})
+				}
+			}
+		}
+
+		// Add TCP targets that are missing
+		for port, target := range desiredTCP {
+			needsAdd := true
+			if tcpForIP, ok := currentTCP[wgData.TunnelIP]; ok {
+				if currentTarget, exists := tcpForIP[port]; exists {
+					// Check if target address changed
+					if currentTarget == target {
+						needsAdd = false
+					} else {
+						// Target changed, remove old one first
+						logger.Info("Sync: updating TCP target on port %d", port)
+						targetStr := fmt.Sprintf("%d:%s", port, currentTarget)
+						updateTargets(pm, "remove", wgData.TunnelIP, "tcp", TargetData{Targets: []string{targetStr}})
+					}
+				}
+			}
+			if needsAdd {
+				logger.Info("Sync: adding TCP target on port %d -> %s", port, target)
+				targetStr := fmt.Sprintf("%d:%s", port, target)
+				updateTargets(pm, "add", wgData.TunnelIP, "tcp", TargetData{Targets: []string{targetStr}})
+			}
+		}
+
+		// Sync UDP targets
+		// Remove UDP targets not in desired set
+		if udpForIP, ok := currentUDP[wgData.TunnelIP]; ok {
+			for port := range udpForIP {
+				if _, exists := desiredUDP[port]; !exists {
+					logger.Info("Sync: removing UDP target on port %d", port)
+					targetStr := fmt.Sprintf("%d:%s", port, udpForIP[port])
+					updateTargets(pm, "remove", wgData.TunnelIP, "udp", TargetData{Targets: []string{targetStr}})
+				}
+			}
+		}
+
+		// Add UDP targets that are missing
+		for port, target := range desiredUDP {
+			needsAdd := true
+			if udpForIP, ok := currentUDP[wgData.TunnelIP]; ok {
+				if currentTarget, exists := udpForIP[port]; exists {
+					// Check if target address changed
+					if currentTarget == target {
+						needsAdd = false
+					} else {
+						// Target changed, remove old one first
+						logger.Info("Sync: updating UDP target on port %d", port)
+						targetStr := fmt.Sprintf("%d:%s", port, currentTarget)
+						updateTargets(pm, "remove", wgData.TunnelIP, "udp", TargetData{Targets: []string{targetStr}})
+					}
+				}
+			}
+			if needsAdd {
+				logger.Info("Sync: adding UDP target on port %d -> %s", port, target)
+				targetStr := fmt.Sprintf("%d:%s", port, target)
+				updateTargets(pm, "add", wgData.TunnelIP, "udp", TargetData{Targets: []string{targetStr}})
+			}
+		}
+
+		// Sync health check targets
+		if err := healthMonitor.SyncTargets(syncData.HealthCheckTargets); err != nil {
+			logger.Error("Failed to sync health check targets: %v", err)
+		} else {
+			logger.Info("Successfully synced health check targets")
+		}
+
+		logger.Info("Sync complete")
+	})
+
 	// Register handler for Docker socket check
 	client.RegisterHandler("newt/socket/check", func(msg websocket.WSMessage) {
 		logger.Debug("Received Docker socket check request")

netstack2/handlers.go

@@ -372,7 +372,7 @@ func copyPacketData(dst, src net.PacketConn, to net.Addr, timeout time.Duration)
 // InstallICMPHandler installs the ICMP handler on the stack
 func (h *ICMPHandler) InstallICMPHandler() error {
 	h.stack.SetTransportProtocolHandler(header.ICMPv4ProtocolNumber, h.handleICMPPacket)
-	logger.Info("ICMP Handler: Installed ICMP protocol handler")
+	logger.Debug("ICMP Handler: Installed ICMP protocol handler")
 	return nil
 }
 
@@ -600,7 +600,7 @@ func (h *ICMPHandler) sendAndReceiveICMP(conn *icmp.PacketConn, actualDstIP stri
 			logger.Debug("ICMP Handler: Reply seq mismatch: got seq=%d, want seq=%d", reply.Seq, seq)
 			continue
 		}
-		
+
 		if !ignoreIdent && reply.ID != int(ident) {
 			logger.Debug("ICMP Handler: Reply ident mismatch: got ident=%d, want ident=%d", reply.ID, ident)
 			continue

netstack2/proxy.go

@@ -101,6 +101,18 @@ func (sl *SubnetLookup) RemoveSubnet(sourcePrefix, destPrefix netip.Prefix) {
 	delete(sl.rules, key)
 }
 
+// GetAllRules returns a copy of all subnet rules
+func (sl *SubnetLookup) GetAllRules() []SubnetRule {
+	sl.mu.RLock()
+	defer sl.mu.RUnlock()
+
+	rules := make([]SubnetRule, 0, len(sl.rules))
+	for _, rule := range sl.rules {
+		rules = append(rules, *rule)
+	}
+	return rules
+}
+
 // Match checks if a source IP, destination IP, port, and protocol match any subnet rule
 // Returns the matched rule if ALL of these conditions are met:
 //   - The source IP is in the rule's source prefix
@@ -254,7 +266,7 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) {
 		if err := handler.icmpHandler.InstallICMPHandler(); err != nil {
 			return nil, fmt.Errorf("failed to install ICMP handler: %v", err)
 		}
-		logger.Info("ProxyHandler: ICMP handler enabled")
+		logger.Debug("ProxyHandler: ICMP handler enabled")
 	}
 
 	// // Example 1: Add a rule with no port restrictions (all ports allowed)
@@ -296,6 +308,14 @@ func (p *ProxyHandler) RemoveSubnetRule(sourcePrefix, destPrefix netip.Prefix) {
 	p.subnetLookup.RemoveSubnet(sourcePrefix, destPrefix)
 }
 
+// GetAllRules returns all subnet rules from the proxy handler
+func (p *ProxyHandler) GetAllRules() []SubnetRule {
+	if p == nil || !p.enabled {
+		return nil
+	}
+	return p.subnetLookup.GetAllRules()
+}
+
 // LookupDestinationRewrite looks up the rewritten destination for a connection
 // This is used by TCP/UDP handlers to find the actual target address
 func (p *ProxyHandler) LookupDestinationRewrite(srcIP, dstIP string, dstPort uint16, proto uint8) (netip.Addr, bool) {
@@ -550,8 +570,8 @@ func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool {
 		return true
 	}
 
-	logger.Debug("HandleIncomingPacket: No matching rule for %s -> %s (proto=%d, port=%d)",
-		srcAddr, dstAddr, protocol, dstPort)
+	// logger.Debug("HandleIncomingPacket: No matching rule for %s -> %s (proto=%d, port=%d)",
+		// srcAddr, dstAddr, protocol, dstPort)
 	return false
 }
 

netstack2/tun.go

@@ -369,6 +369,15 @@ func (net *Net) RemoveProxySubnetRule(sourcePrefix, destPrefix netip.Prefix) {
 	}
 }
 
+// GetProxySubnetRules returns all subnet rules from the proxy handler
+func (net *Net) GetProxySubnetRules() []SubnetRule {
+	tun := (*netTun)(net)
+	if tun.proxyHandler != nil {
+		return tun.proxyHandler.GetAllRules()
+	}
+	return nil
+}
+
 // GetProxyHandler returns the proxy handler (for advanced use cases)
 // Returns nil if proxy is not enabled
 func (net *Net) GetProxyHandler() *ProxyHandler {

network/interface.go

@@ -44,9 +44,13 @@ func ConfigureInterface(interfaceName string, tunnelIp string, mtu int) error {
 		return configureDarwin(interfaceName, ip, ipNet)
 	case "windows":
 		return configureWindows(interfaceName, ip, ipNet)
-	default:
-		return fmt.Errorf("unsupported operating system: %s", runtime.GOOS)
+	case "android":
+		return nil
+	case "ios":
+		return nil
 	}
+
+	return nil
 }
 
 // waitForInterfaceUp polls the network interface until it's up or times out

network/route.go

@@ -126,13 +126,14 @@ func LinuxRemoveRoute(destination string) error {
 
 // addRouteForServerIP adds an OS-specific route for the server IP
 func AddRouteForServerIP(serverIP, interfaceName string) error {
-	if err := AddRouteForNetworkConfig(serverIP); err != nil {
-		return err
-	}
 	if interfaceName == "" {
 		return nil
 	}
-	if runtime.GOOS == "darwin" {
+	// TODO: does this also need to be ios?
+	if runtime.GOOS == "darwin" { // macos requires routes for each peer to be added but this messes with other platforms
+		if err := AddRouteForNetworkConfig(serverIP); err != nil {
+			return err
+		}
 		return DarwinAddRoute(serverIP, "", interfaceName)
 	}
 	// else if runtime.GOOS == "windows" {
@@ -145,13 +146,14 @@ func AddRouteForServerIP(serverIP, interfaceName string) error {
 
 // removeRouteForServerIP removes an OS-specific route for the server IP
 func RemoveRouteForServerIP(serverIP string, interfaceName string) error {
-	if err := RemoveRouteForNetworkConfig(serverIP); err != nil {
-		return err
-	}
 	if interfaceName == "" {
 		return nil
 	}
-	if runtime.GOOS == "darwin" {
+	// TODO: does this also need to be ios?
+	if runtime.GOOS == "darwin" { // macos requires routes for each peer to be added but this messes with other platforms
+		if err := RemoveRouteForNetworkConfig(serverIP); err != nil {
+			return err
+		}
 		return DarwinRemoveRoute(serverIP)
 	}
 	// else if runtime.GOOS == "windows" {
@@ -217,21 +219,22 @@ func AddRoutes(remoteSubnets []string, interfaceName string) error {
 			continue
 		}
 
-		if runtime.GOOS == "darwin" {
+		switch runtime.GOOS {
+		case "darwin":
 			if err := DarwinAddRoute(subnet, "", interfaceName); err != nil {
 				logger.Error("Failed to add Darwin route for subnet %s: %v", subnet, err)
-				return err
 			}
-		} else if runtime.GOOS == "windows" {
+		case "windows":
 			if err := WindowsAddRoute(subnet, "", interfaceName); err != nil {
 				logger.Error("Failed to add Windows route for subnet %s: %v", subnet, err)
-				return err
 			}
-		} else if runtime.GOOS == "linux" {
+		case "linux":
 			if err := LinuxAddRoute(subnet, "", interfaceName); err != nil {
 				logger.Error("Failed to add Linux route for subnet %s: %v", subnet, err)
-				return err
 			}
+		case "android", "ios":
+			// Routes handled by the OS/VPN service
+			continue
 		}
 
 		logger.Info("Added route for remote subnet: %s", subnet)
@@ -258,21 +261,22 @@ func RemoveRoutes(remoteSubnets []string) error {
 		}
 
 		// Remove route based on operating system
-		if runtime.GOOS == "darwin" {
+		switch runtime.GOOS {
+		case "darwin":
 			if err := DarwinRemoveRoute(subnet); err != nil {
 				logger.Error("Failed to remove Darwin route for subnet %s: %v", subnet, err)
-				return err
 			}
-		} else if runtime.GOOS == "windows" {
+		case "windows":
 			if err := WindowsRemoveRoute(subnet); err != nil {
 				logger.Error("Failed to remove Windows route for subnet %s: %v", subnet, err)
-				return err
 			}
-		} else if runtime.GOOS == "linux" {
+		case "linux":
 			if err := LinuxRemoveRoute(subnet); err != nil {
 				logger.Error("Failed to remove Linux route for subnet %s: %v", subnet, err)
-				return err
 			}
+		case "android", "ios":
+			// Routes handled by the OS/VPN service
+			continue
 		}
 
 		logger.Info("Removed route for remote subnet: %s", subnet)

network/settings.go

@@ -115,7 +115,7 @@ func RemoveIPv4IncludedRoute(route IPv4Route) {
 		if r == route {
 			networkSettings.IPv4IncludedRoutes = append(routes[:i], routes[i+1:]...)
 			logger.Info("Removed IPv4 included route: %+v", route)
-			return
+			break
 		}
 	}
 	incrementor++

proxy/manager.go

@@ -736,3 +736,28 @@ func (pm *ProxyManager) PrintTargets() {
 		}
 	}
 }
+
+// GetTargets returns a copy of the current TCP and UDP targets
+// Returns map[listenIP]map[port]targetAddress for both TCP and UDP
+func (pm *ProxyManager) GetTargets() (tcpTargets map[string]map[int]string, udpTargets map[string]map[int]string) {
+	pm.mutex.RLock()
+	defer pm.mutex.RUnlock()
+
+	tcpTargets = make(map[string]map[int]string)
+	for listenIP, targets := range pm.tcpTargets {
+		tcpTargets[listenIP] = make(map[int]string)
+		for port, targetAddr := range targets {
+			tcpTargets[listenIP][port] = targetAddr
+		}
+	}
+
+	udpTargets = make(map[string]map[int]string)
+	for listenIP, targets := range pm.udpTargets {
+		udpTargets[listenIP] = make(map[int]string)
+		for port, targetAddr := range targets {
+			udpTargets[listenIP][port] = targetAddr
+		}
+	}
+
+	return tcpTargets, udpTargets
+}

websocket/client.go

@@ -47,6 +47,11 @@ type Client struct {
 	metricsCtx        context.Context
 	configNeedsSave   bool // Flag to track if config needs to be saved
 	serverVersion     string
+	configVersion     int64        // Latest config version received from server
+	configVersionMux  sync.RWMutex
+	processingMessage bool           // Flag to track if a message is currently being processed
+	processingMux     sync.RWMutex   // Protects processingMessage
+	processingWg      sync.WaitGroup // WaitGroup to wait for message processing to complete
 }
 
 type ClientOption func(*Client)
@@ -154,6 +159,20 @@ func (c *Client) GetServerVersion() string {
 	return c.serverVersion
 }
 
+// GetConfigVersion returns the latest config version received from server
+func (c *Client) GetConfigVersion() int64 {
+	c.configVersionMux.RLock()
+	defer c.configVersionMux.RUnlock()
+	return c.configVersion
+}
+
+// setConfigVersion updates the config version
+func (c *Client) setConfigVersion(version int64) {
+	c.configVersionMux.Lock()
+	defer c.configVersionMux.Unlock()
+	c.configVersion = version
+}
+
 // Connect establishes the WebSocket connection
 func (c *Client) Connect() error {
 	go c.connectWithRetry()
@@ -653,12 +672,33 @@ func (c *Client) pingMonitor() {
 			if c.conn == nil {
 				return
 			}
+
+			// Skip ping if a message is currently being processed
+			c.processingMux.RLock()
+			isProcessing := c.processingMessage
+			c.processingMux.RUnlock()
+			if isProcessing {
+				logger.Debug("Skipping ping, message is being processed")
+				continue
+			}
+
+			c.configVersionMux.RLock()
+			configVersion := c.configVersion
+			c.configVersionMux.RUnlock()
+
+			pingMsg := WSMessage{
+				Type:          "newt/ping",
+				Data:          map[string]interface{}{},
+				ConfigVersion: configVersion,
+			}
+
 			c.writeMux.Lock()
-			err := c.conn.WriteControl(websocket.PingMessage, []byte{}, time.Now().Add(c.pingTimeout))
+			err := c.conn.WriteJSON(pingMsg)
 			if err == nil {
 				telemetry.IncWSMessage(c.metricsContext(), "out", "ping")
 			}
 			c.writeMux.Unlock()
+
 			if err != nil {
 				// Check if we're shutting down before logging error and reconnecting
 				select {
@@ -737,9 +777,24 @@ func (c *Client) readPumpWithDisconnectDetection(started time.Time) {
 				}
 			}
 
+			// Update config version from incoming message
+			c.setConfigVersion(msg.ConfigVersion)
+
 			c.handlersMux.RLock()
 			if handler, ok := c.handlers[msg.Type]; ok {
+				// Mark that we're processing a message
+				c.processingMux.Lock()
+				c.processingMessage = true
+				c.processingMux.Unlock()
+				c.processingWg.Add(1)
+
 				handler(msg)
+
+				// Mark that we're done processing
+				c.processingWg.Done()
+				c.processingMux.Lock()
+				c.processingMessage = false
+				c.processingMux.Unlock()
 			}
 			c.handlersMux.RUnlock()
 		}

websocket/types.go

@@ -17,6 +17,7 @@ type TokenResponse struct {
 }
 
 type WSMessage struct {
-	Type string      `json:"type"`
-	Data interface{} `json:"data"`
+	Type          string      `json:"type"`
+	Data          interface{} `json:"data"`
+	ConfigVersion int64       `json:"configVersion,omitempty"`
 }

wgtester/wgtester.go

@@ -38,7 +38,6 @@ type Server struct {
 	isRunning    bool
 	runningLock  sync.Mutex
 	newtID       string
-	outputPrefix string
 	useNetstack  bool
 	tnet         interface{} // Will be *netstack2.Net when using netstack
 }
@@ -50,7 +49,6 @@ func NewServer(serverAddr string, serverPort uint16, newtID string) *Server {
 		serverPort:   serverPort + 1, // use the next port for the server
 		shutdownCh:   make(chan struct{}),
 		newtID:       newtID,
-		outputPrefix: "[WGTester] ",
 		useNetstack:  false,
 		tnet:         nil,
 	}
@@ -63,7 +61,6 @@ func NewServerWithNetstack(serverAddr string, serverPort uint16, newtID string,
 		serverPort:   serverPort + 1, // use the next port for the server
 		shutdownCh:   make(chan struct{}),
 		newtID:       newtID,
-		outputPrefix: "[WGTester] ",
 		useNetstack:  true,
 		tnet:         tnet,
 	}
@@ -109,7 +106,7 @@ func (s *Server) Start() error {
 	s.isRunning = true
 	go s.handleConnections()
 
-	logger.Info("%sServer started on %s:%d", s.outputPrefix, s.serverAddr, s.serverPort)
+	logger.Debug("WGTester Server started on %s:%d", s.serverAddr, s.serverPort)
 	return nil
 }
 
@@ -127,7 +124,7 @@ func (s *Server) Stop() {
 		s.conn.Close()
 	}
 	s.isRunning = false
-	logger.Info("%sServer stopped", s.outputPrefix)
+	logger.Info("WGTester Server stopped")
 }
 
 // RestartWithNetstack stops the current server and restarts it with netstack
@@ -162,7 +159,7 @@ func (s *Server) handleConnections() {
 			// Set read deadline to avoid blocking forever
 			err := s.conn.SetReadDeadline(time.Now().Add(1 * time.Second))
 			if err != nil {
-				logger.Error("%sError setting read deadline: %v", s.outputPrefix, err)
+				logger.Error("Error setting read deadline: %v", err)
 				continue
 			}
 
@@ -192,7 +189,7 @@ func (s *Server) handleConnections() {
 					if err == io.EOF {
 						return
 					}
-					logger.Error("%sError reading from UDP: %v", s.outputPrefix, err)
+					logger.Error("Error reading from UDP: %v", err)
 				}
 				continue
 			}
@@ -224,7 +221,7 @@ func (s *Server) handleConnections() {
 			copy(responsePacket[5:13], buffer[5:13])
 
 			// Log response being sent for debugging
-			// logger.Debug("%sSending response to %s", s.outputPrefix, addr.String())
+			// logger.Debug("Sending response to %s", addr.String())
 
 			// Send the response packet - handle both regular UDP and netstack UDP
 			if s.useNetstack {
@@ -238,9 +235,9 @@ func (s *Server) handleConnections() {
 			}
 
 			if err != nil {
-				logger.Error("%sError sending response: %v", s.outputPrefix, err)
+				logger.Error("Error sending response: %v", err)
 			} else {
-				// logger.Debug("%sResponse sent successfully", s.outputPrefix)
+				// logger.Debug("Response sent successfully")
 			}
 		}
 	}