Fix formatting?

Add robust client connectivity support

.github/workflows/cicd.yml

@@ -85,7 +85,7 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 120
     env:
-      DOCKERHUB_IMAGE: docker.io/${{ vars.DOCKER_HUB_USERNAME }}/${{ github.event.repository.name }}
+      DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
       GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
 
     steps:
@@ -99,7 +99,7 @@ jobs:
         shell: bash
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -108,7 +108,7 @@ jobs:
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: docker.io
-          username: ${{ vars.DOCKER_HUB_USERNAME }}
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
       - name: Log in to GHCR
@@ -184,7 +184,7 @@ jobs:
         shell: bash
 
       - name: Install Go
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: go.mod
 
@@ -247,7 +247,7 @@ jobs:
         run: |
           set -euo pipefail
           images="${GHCR_IMAGE}"
-          if [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ] && [ -n "${{ vars.DOCKER_HUB_USERNAME }}" ]; then
+          if [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ] && [ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ]; then
             images="${images}\n${DOCKERHUB_IMAGE}"
           fi
           {
@@ -257,7 +257,7 @@ jobs:
           } >> "$GITHUB_ENV"
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: ${{ env.IMAGE_LIST }}
           tags: |
@@ -290,7 +290,7 @@ jobs:
           IMAGE_LICENSE:      ${{ env.IMAGE_LICENSE }}
           DOCKERHUB_IMAGE:    ${{ env.DOCKERHUB_IMAGE }}
           GHCR_IMAGE:         ${{ env.GHCR_IMAGE }}
-          DOCKER_HUB_USER:    ${{ vars.DOCKER_HUB_USERNAME }}
+          DOCKER_HUB_USER:    ${{ secrets.DOCKER_HUB_USERNAME }}
           REPO:               ${{ github.repository }}
           OWNER:              ${{ github.repository_owner }}
           WORKFLOW_REF:       ${{ github.workflow_ref }}
@@ -364,7 +364,7 @@ jobs:
         id: attest-dh
         uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
         with:
-          subject-name: index.docker.io/${{ vars.DOCKER_HUB_USERNAME }}/${{ github.event.repository.name }}
+          subject-name: index.docker.io/fosrl/${{ github.event.repository.name }}
           subject-digest: ${{ steps.build.outputs.digest }}
           push-to-registry: true
           show-summary: true
@@ -570,7 +570,7 @@ jobs:
 
       - name: Upload SARIF
         if: ${{ always() && hashFiles('trivy-ghcr.sarif') != '' }}
-        uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
         with:
           sarif_file: trivy-ghcr.sarif
           category: Image Vulnerability Scan
@@ -586,7 +586,7 @@ jobs:
         shell: bash
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
+        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
         with:
           tag_name: ${{ env.TAG }}
           generate_release_notes: true

.github/workflows/test.yml

@@ -17,7 +17,7 @@ jobs:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up Go
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version: 1.25
 

Dockerfile

@@ -18,7 +18,7 @@ COPY . .
 # Build the application
 RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /newt
 
-FROM alpine:3.22 AS runner
+FROM alpine:3.23 AS runner
 
 RUN apk --no-cache add ca-certificates tzdata
 

README.md

@@ -47,13 +47,11 @@ When Newt receives WireGuard control messages, it will use the information encod
 -   `docker-socket` (optional): Set the Docker socket to use the container discovery integration
 -   `docker-enforce-network-validation` (optional): Validate the container target is on the same network as the newt process. Default: false
 
-### Accpet Client Connection 
+### Client Connections
 
--   `accept-clients` (optional): Enable WireGuard server mode to accept incoming newt client connections. Default: false
-    -   `generateAndSaveKeyTo` (optional): Path to save generated private key
-    -   `native` (optional): Use native WireGuard interface when accepting clients (requires WireGuard kernel module and Linux, must run as root). Default: false (uses userspace netstack)
-        -   `interface` (optional): Name of the WireGuard interface. Default: newt
-        -   `keep-interface` (optional): Keep the WireGuard interface. Default: false
+-   `disable-clients` (optional): Disable clients on the WireGuard interface. Default: false (clients enabled)
+-   `native` (optional): Use native WireGuard interface (requires WireGuard kernel module and Linux, must run as root). Default: false (uses userspace netstack)
+-   `interface` (optional): Name of the WireGuard interface. Default: newt
 
 ### Metrics & Observability
 
@@ -73,9 +71,11 @@ When Newt receives WireGuard control messages, it will use the information encod
 ### Security & TLS
 
 -   `enforce-hc-cert` (optional): Enforce certificate validation for health checks. Default: false (accepts any cert)
--   `tls-client-cert` (optional): Client certificate (p12 or pfx) for mTLS or path to client certificate (PEM format). See [mTLS](#mtls)
--   `tls-client-key` (optional): Path to private key for mTLS (PEM format, optional if using PKCS12)
--   `tls-ca-cert` (optional): Path to CA certificate to verify server (PEM format, optional if using PKCS12)
+-   `tls-client-cert-file` (optional): Path to client certificate file (PEM/DER format) for mTLS. See [mTLS](#mtls)
+-   `tls-client-key` (optional): Path to client private key file (PEM/DER format) for mTLS
+-   `tls-client-ca` (optional): Path to CA certificate file for validating remote certificates (can be specified multiple times)
+-   `tls-client-cert` (optional): Path to client certificate (PKCS12 format) - DEPRECATED: use `--tls-client-cert-file` and `--tls-client-key` instead
+-   `prefer-endpoint` (optional): Prefer this endpoint for the connection (if set, will override the endpoint from the server)
 
 ### Monitoring & Health
 
@@ -101,13 +101,11 @@ All CLI arguments can be set using environment variables as an alternative to co
 -   `DOCKER_SOCKET`: Path to Docker socket for container discovery (equivalent to `--docker-socket`)
 -   `DOCKER_ENFORCE_NETWORK_VALIDATION`: Validate container targets are on same network. Default: false (equivalent to `--docker-enforce-network-validation`)
 
-### Accept Client Connections
+### Client Connections
 
--   `ACCEPT_CLIENTS`: Enable WireGuard server mode. Default: false (equivalent to `--accept-clients`)
--   `GENERATE_AND_SAVE_KEY_TO`: Path to save generated private key (equivalent to `--generateAndSaveKeyTo`)
+-   `DISABLE_CLIENTS`: Disable clients on the WireGuard interface. Default: false (equivalent to `--disable-clients`)
 -   `USE_NATIVE_INTERFACE`: Use native WireGuard interface (Linux only). Default: false (equivalent to `--native`)
 -   `INTERFACE`: Name of the WireGuard interface. Default: newt (equivalent to `--interface`)
--   `KEEP_INTERFACE`: Keep the WireGuard interface after shutdown. Default: false (equivalent to `--keep-interface`)
 
 ### Monitoring & Health
 
@@ -132,10 +130,10 @@ All CLI arguments can be set using environment variables as an alternative to co
 ### Security & TLS
 
 -   `ENFORCE_HC_CERT`: Enforce certificate validation for health checks. Default: false (equivalent to `--enforce-hc-cert`)
--   `TLS_CLIENT_CERT`: Path to client certificate for mTLS (equivalent to `--tls-client-cert`)
--   `TLS_CLIENT_KEY`: Path to private key for mTLS (equivalent to `--tls-client-key`)
--   `TLS_CA_CERT`: Path to CA certificate to verify server (equivalent to `--tls-ca-cert`)
--   `SKIP_TLS_VERIFY`: Skip TLS verification for server connections. Default: false
+-   `TLS_CLIENT_CERT`: Path to client certificate file (PEM/DER format) for mTLS (equivalent to `--tls-client-cert-file`)
+-   `TLS_CLIENT_KEY`: Path to client private key file (PEM/DER format) for mTLS (equivalent to `--tls-client-key`)
+-   `TLS_CLIENT_CAS`: Comma-separated list of CA certificate file paths for validating remote certificates (equivalent to multiple `--tls-client-ca` flags)
+-   `TLS_CLIENT_CERT_PKCS12`: Path to client certificate (PKCS12 format) - DEPRECATED: use `TLS_CLIENT_CERT` and `TLS_CLIENT_KEY` instead
 
 ## Loading secrets from files
 
@@ -202,9 +200,9 @@ services:
             - --health-file /tmp/healthy
 ```
 
-## Accept Client Connections
+## Client Connections
 
-When the `--accept-clients` flag is enabled (or `ACCEPT_CLIENTS=true` environment variable is set), Newt operates as a WireGuard server that can accept incoming client connections from other devices. This enables peer-to-peer connectivity through the Newt instance.
+By default, Newt can accept incoming client connections from other devices, enabling peer-to-peer connectivity through the Newt instance. This behavior can be disabled with the `--disable-clients` flag (or `DISABLE_CLIENTS=true` environment variable).
 
 ### How It Works
 
@@ -260,7 +258,7 @@ To use native mode:
 3. Run Newt as root (`sudo`)
 4. Ensure the system allows creation of network interfaces
 
-Docker Compose example:
+Docker Compose example (with clients enabled by default):
 
 ```yaml
 services:
@@ -272,7 +270,6 @@ services:
             - PANGOLIN_ENDPOINT=https://example.com
             - NEWT_ID=2ix2t8xk22ubpfy
             - NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2
-            - ACCEPT_CLIENTS=true
 ```
 
 ### Technical Details
@@ -394,9 +391,9 @@ newt \
 
 You can now provide separate files for:
 
-* `--tls-client-cert`: client certificate (`.crt` or `.pem`)
+* `--tls-client-cert-file`: client certificate (`.crt` or `.pem`)
 * `--tls-client-key`: client private key (`.key` or `.pem`)
-* `--tls-ca-cert`: CA cert to verify the server
+* `--tls-client-ca`: CA cert to verify the server (can be specified multiple times)
 
 Example:
 
@@ -405,9 +402,9 @@ newt \
 --id 31frd0uzbjvp721 \
 --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \
 --endpoint https://example.com \
---tls-client-cert ./client.crt \
+--tls-client-cert-file ./client.crt \
 --tls-client-key ./client.key \
---tls-ca-cert ./ca.crt
+--tls-client-ca ./ca.crt
 ```
 
 

bind/shared_bind_test.go

@@ -553,53 +553,3 @@ func TestSocketRouting(t *testing.T) {
 		t.Errorf("Expected response from physical port %d, got %d", physicalAddr.Port, fromAddr.Port)
 	}
 }
-
-// TestClearNetstackConn tests that clearing the netstack connection works correctly
-func TestClearNetstackConn(t *testing.T) {
-	physicalConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	if err != nil {
-		t.Fatalf("Failed to create physical UDP connection: %v", err)
-	}
-
-	sharedBind, err := New(physicalConn)
-	if err != nil {
-		t.Fatalf("Failed to create SharedBind: %v", err)
-	}
-	defer sharedBind.Close()
-
-	// Set a netstack connection
-	netstackConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	if err != nil {
-		t.Fatalf("Failed to create netstack UDP connection: %v", err)
-	}
-	defer netstackConn.Close()
-
-	sharedBind.SetNetstackConn(netstackConn)
-
-	// Inject a packet to track an endpoint
-	testAddrPort := netip.MustParseAddrPort("192.168.1.100:51820")
-	err = sharedBind.InjectPacket([]byte("test"), testAddrPort)
-	if err != nil {
-		t.Fatalf("InjectPacket failed: %v", err)
-	}
-
-	// Verify the endpoint is tracked
-	_, tracked := sharedBind.netstackEndpoints.Load(testAddrPort.String())
-	if !tracked {
-		t.Error("Expected endpoint to be tracked as netstack-sourced")
-	}
-
-	// Clear the netstack connection
-	sharedBind.ClearNetstackConn()
-
-	// Verify the netstack connection is cleared
-	if sharedBind.GetNetstackConn() != nil {
-		t.Error("Expected netstack connection to be nil after clear")
-	}
-
-	// Verify the tracked endpoints are cleared
-	_, stillTracked := sharedBind.netstackEndpoints.Load(testAddrPort.String())
-	if stillTracked {
-		t.Error("Expected endpoint tracking to be cleared")
-	}
-}

clients/clients.go

@@ -14,6 +14,7 @@ import (
 	"time"
 
 	"github.com/fosrl/newt/bind"
+	newtDevice "github.com/fosrl/newt/device"
 	"github.com/fosrl/newt/holepunch"
 	"github.com/fosrl/newt/logger"
 	"github.com/fosrl/newt/netstack2"
@@ -22,7 +23,6 @@ import (
 	"github.com/fosrl/newt/websocket"
 	"github.com/fosrl/newt/wgtester"
 	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/ipc"
 	"golang.zx2c4.com/wireguard/tun"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
@@ -526,13 +526,13 @@ func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error {
 		))
 
 		fileUAPI, err := func() (*os.File, error) {
-			return ipc.UAPIOpen(interfaceName)
+			return newtDevice.UapiOpen(interfaceName)
 		}()
 		if err != nil {
 			logger.Error("UAPI listen error: %v", err)
 		}
 
-		uapiListener, err := ipc.UAPIListen(interfaceName, fileUAPI)
+		uapiListener, err := newtDevice.UapiListen(interfaceName, fileUAPI)
 		if err != nil {
 			logger.Error("Failed to listen on uapi socket: %v", err)
 			os.Exit(1)

clients/permissions/permissions_freebsd.go

@@ -0,0 +1,57 @@
+//go:build freebsd
+
+package permissions
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/fosrl/newt/logger"
+)
+
+const (
+	// TUN device on FreeBSD
+	tunDevice = "/dev/tun"
+	ifnamsiz  = 16
+	iffTun    = 0x0001
+	iffNoPi   = 0x1000
+)
+
+// ifReq is the structure for TUN interface configuration
+type ifReq struct {
+	Name  [ifnamsiz]byte
+	Flags uint16
+	_     [22]byte // padding to match kernel structure
+}
+
+// CheckNativeInterfacePermissions checks if the process has sufficient
+// permissions to create a native TUN interface on FreeBSD.
+// This requires root privileges (UID 0).
+func CheckNativeInterfacePermissions() error {
+	logger.Debug("Checking native interface permissions on FreeBSD")
+
+	// Check if running as root
+	if os.Geteuid() == 0 {
+		logger.Debug("Running as root, sufficient permissions for native TUN interface")
+		return nil
+	}
+
+	// On FreeBSD, only root can create TUN interfaces
+	// Try to open the TUN device to verify
+	return tryOpenTunDevice()
+}
+
+// tryOpenTunDevice attempts to open the TUN device to verify permissions.
+// On FreeBSD, /dev/tun is a cloning device that creates a new interface
+// when opened.
+func tryOpenTunDevice() error {
+	// Try opening /dev/tun (cloning device)
+	f, err := os.OpenFile(tunDevice, os.O_RDWR, 0)
+	if err != nil {
+		return fmt.Errorf("cannot open %s: %v (need root privileges)", tunDevice, err)
+	}
+	defer f.Close()
+
+	logger.Debug("Successfully opened TUN device, sufficient permissions for native TUN interface")
+	return nil
+}

device/tun_unix.go

@@ -0,0 +1,44 @@
+//go:build !windows
+
+package device
+
+import (
+	"net"
+	"os"
+
+	"github.com/fosrl/newt/logger"
+	"golang.org/x/sys/unix"
+	"golang.zx2c4.com/wireguard/ipc"
+	"golang.zx2c4.com/wireguard/tun"
+)
+
+func CreateTUNFromFD(tunFd uint32, mtuInt int) (tun.Device, error) {
+	dupTunFd, err := unix.Dup(int(tunFd))
+	if err != nil {
+		logger.Error("Unable to dup tun fd: %v", err)
+		return nil, err
+	}
+
+	err = unix.SetNonblock(dupTunFd, true)
+	if err != nil {
+		unix.Close(dupTunFd)
+		return nil, err
+	}
+
+	file := os.NewFile(uintptr(dupTunFd), "/dev/tun")
+	device, err := tun.CreateTUNFromFile(file, mtuInt)
+	if err != nil {
+		file.Close()
+		return nil, err
+	}
+
+	return device, nil
+}
+
+func UapiOpen(interfaceName string) (*os.File, error) {
+	return ipc.UAPIOpen(interfaceName)
+}
+
+func UapiListen(interfaceName string, fileUAPI *os.File) (net.Listener, error) {
+	return ipc.UAPIListen(interfaceName, fileUAPI)
+}

device/tun_windows.go

@@ -0,0 +1,25 @@
+//go:build windows
+
+package device
+
+import (
+	"errors"
+	"net"
+	"os"
+
+	"golang.zx2c4.com/wireguard/ipc"
+	"golang.zx2c4.com/wireguard/tun"
+)
+
+func CreateTUNFromFD(tunFd uint32, mtuInt int) (tun.Device, error) {
+	return nil, errors.New("CreateTUNFromFile not supported on Windows")
+}
+
+func UapiOpen(interfaceName string) (*os.File, error) {
+	return nil, nil
+}
+
+func UapiListen(interfaceName string, fileUAPI *os.File) (net.Listener, error) {
+	// On Windows, UAPIListen only takes one parameter
+	return ipc.UAPIListen(interfaceName)
+}

flake.lock

@@ -2,16 +2,16 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1756217674,
-        "narHash": "sha256-TH1SfSP523QI7kcPiNtMAEuwZR3Jdz0MCDXPs7TS8uo=",
+        "lastModified": 1763934636,
+        "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4e7667a90c167f7a81d906e5a75cba4ad8bee620",
+        "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-25.05",
+        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -2,7 +2,7 @@
   description = "newt - A tunneling client for Pangolin";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
   };
 
   outputs =
@@ -22,30 +22,36 @@
         system:
         let
           pkgs = pkgsFor system;
+          inherit (pkgs) lib;
 
           # Update version when releasing
-          version = "1.4.2";
-
-          # Update the version in a new source tree
-          srcWithReplacedVersion = pkgs.runCommand "newt-src-with-version" { } ''
-            cp -r ${./.} $out
-            chmod -R +w $out
-            rm -rf $out/.git $out/result $out/.envrc $out/.direnv
-            sed -i "s/version_replaceme/${version}/g" $out/main.go
-          '';
+          version = "1.6.0";
         in
         {
           default = self.packages.${system}.pangolin-newt;
+
           pangolin-newt = pkgs.buildGoModule {
             pname = "pangolin-newt";
-            version = version;
-            src = srcWithReplacedVersion;
-            vendorHash = "sha256-PENsCO2yFxLVZNPgx2OP+gWVNfjJAfXkwWS7tzlm490=";
-            meta = with pkgs.lib; {
+            inherit version;
+            src = pkgs.nix-gitignore.gitignoreSource [ ] ./.;
+
+            vendorHash = "sha256-Jbu0pz+okV4N9MHUXLcTqSr3s/k5OVZ09hNuS/+4LFY=";
+
+            env = {
+              CGO_ENABLED = 0;
+            };
+
+            ldflags = [
+              "-X main.newtVersion=${version}"
+            ];
+
+            meta = {
               description = "A tunneling client for Pangolin";
               homepage = "https://github.com/fosrl/newt";
-              license = licenses.gpl3;
-              maintainers = [ ];
+              license = lib.licenses.gpl3;
+              maintainers = [
+                lib.maintainers.water-sucks
+              ];
             };
           };
         }
@@ -54,10 +60,20 @@
         system:
         let
           pkgs = pkgsFor system;
+
+          inherit (pkgs)
+            go
+            gopls
+            gotools
+            go-outline
+            gopkgs
+            godef
+            golint
+            ;
         in
         {
           default = pkgs.mkShell {
-            buildInputs = with pkgs; [
+            buildInputs = [
               go
               gopls
               gotools

go.mod

@@ -3,8 +3,7 @@ module github.com/fosrl/newt
 go 1.25
 
 require (
-	github.com/docker/docker v28.5.1+incompatible
-	github.com/google/gopacket v1.1.19
+	github.com/docker/docker v28.5.2+incompatible
 	github.com/gorilla/websocket v1.5.3
 	github.com/prometheus/client_golang v1.23.2
 	github.com/vishvananda/netlink v1.3.1
@@ -17,11 +16,13 @@ require (
 	go.opentelemetry.io/otel/metric v1.38.0
 	go.opentelemetry.io/otel/sdk v1.38.0
 	go.opentelemetry.io/otel/sdk/metric v1.38.0
-	golang.org/x/crypto v0.44.0
+	golang.org/x/crypto v0.45.0
 	golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6
 	golang.org/x/net v0.47.0
+	golang.org/x/sys v0.38.0
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
+	golang.zx2c4.com/wireguard/windows v0.5.3
 	google.golang.org/grpc v1.76.0
 	gopkg.in/yaml.v3 v3.0.1
 	gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c
@@ -42,14 +43,9 @@ require (
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/google/btree v1.1.3 // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
-	github.com/josharian/native v1.1.0 // indirect
-	github.com/mdlayher/genetlink v1.3.2 // indirect
-	github.com/mdlayher/netlink v1.7.2 // indirect
-	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
@@ -71,7 +67,6 @@ require (
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/mod v0.30.0 // indirect
 	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
 	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	golang.org/x/tools v0.39.0 // indirect

go.sum

@@ -18,8 +18,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM=
-github.com/docker/docker v28.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
+github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
@@ -37,8 +37,6 @@ github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
-github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
@@ -47,8 +45,6 @@ github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrR
 github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
-github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
-github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -57,14 +53,6 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
-github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
-github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
-github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
-github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
-github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
-github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
-github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
@@ -137,44 +125,34 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
-golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 h1:zfMcR1Cs4KNuomFFgGefv5N0czO2XZpUbxGUy8i8ug0=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0=
-golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
 golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
 golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
 golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
 golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
 golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
-golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
 golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=
 golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 h1:3GDAcqdIg1ozBNLgPy4SLT84nfcBjr6rhGtXYtrkWLU=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10/go.mod h1:T97yPqesLiNrOYxkwmhMI0ZIlJDm+p0PMR8eRVeR5tQ=
+golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
+golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY=

healthcheck/healthcheck.go

@@ -48,6 +48,7 @@ type Config struct {
 	Headers           map[string]string `json:"hcHeaders"`
 	Method            string            `json:"hcMethod"`
 	Status            int               `json:"hcStatus"` // HTTP status code
+	TLSServerName     string            `json:"hcTlsServerName"`
 }
 
 // Target represents a health check target with its current status
@@ -70,7 +71,6 @@ type Monitor struct {
 	targets     map[int]*Target
 	mutex       sync.RWMutex
 	callback    StatusChangeCallback
-	client      *http.Client
 	enforceCert bool
 }
 
@@ -78,21 +78,10 @@ type Monitor struct {
 func NewMonitor(callback StatusChangeCallback, enforceCert bool) *Monitor {
 	logger.Debug("Creating new health check monitor with certificate enforcement: %t", enforceCert)
 
-	// Configure TLS settings based on certificate enforcement
-	transport := &http.Transport{
-		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: !enforceCert,
-		},
-	}
-
 	return &Monitor{
 		targets:     make(map[int]*Target),
 		callback:    callback,
 		enforceCert: enforceCert,
-		client: &http.Client{
-			Timeout:   30 * time.Second,
-			Transport: transport,
-		},
 	}
 }
 
@@ -388,6 +377,17 @@ func (m *Monitor) performHealthCheck(target *Target) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(target.Config.Timeout)*time.Second)
 	defer cancel()
 
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				// Configure TLS settings based on certificate enforcement
+				InsecureSkipVerify: !m.enforceCert,
+				// Use SNI TLS header if present
+				ServerName: target.Config.TLSServerName,
+			},
+		},
+	}
+
 	req, err := http.NewRequestWithContext(ctx, target.Config.Method, url, nil)
 	if err != nil {
 		target.Status = StatusUnhealthy
@@ -402,7 +402,7 @@ func (m *Monitor) performHealthCheck(target *Target) {
 	}
 
 	// Perform request
-	resp, err := m.client.Do(req)
+	resp, err := client.Do(req)
 	if err != nil {
 		target.Status = StatusUnhealthy
 		target.LastError = fmt.Sprintf("request failed: %v", err)

holepunch/holepunch.go

@@ -236,12 +236,6 @@ func (m *Manager) StartMultipleExitNodes(exitNodes []ExitNode) error {
 		return fmt.Errorf("hole punch already running")
 	}
 
-	if len(exitNodes) == 0 {
-		m.mu.Unlock()
-		logger.Warn("No exit nodes provided for hole punching")
-		return fmt.Errorf("no exit nodes provided")
-	}
-
 	// Populate exit nodes map
 	m.exitNodes = make(map[string]ExitNode)
 	for _, node := range exitNodes {
@@ -270,18 +264,17 @@ func (m *Manager) Start() error {
 		return fmt.Errorf("hole punch already running")
 	}
 
-	if len(m.exitNodes) == 0 {
-		m.mu.Unlock()
-		logger.Warn("No exit nodes configured for hole punching")
-		return fmt.Errorf("no exit nodes configured")
-	}
-
 	m.running = true
 	m.stopChan = make(chan struct{})
 	m.updateChan = make(chan struct{}, 1)
+	nodeCount := len(m.exitNodes)
 	m.mu.Unlock()
 
-	logger.Info("Starting UDP hole punch with %d exit nodes", len(m.exitNodes))
+	if nodeCount == 0 {
+		logger.Info("Starting UDP hole punch manager (waiting for exit nodes to be added)")
+	} else {
+		logger.Info("Starting UDP hole punch with %d exit nodes", nodeCount)
+	}
 
 	go m.runMultipleExitNodes()
 
@@ -340,14 +333,13 @@ func (m *Manager) runMultipleExitNodes() {
 	resolvedNodes := resolveNodes()
 
 	if len(resolvedNodes) == 0 {
-		logger.Error("No exit nodes could be resolved")
-		return
-	}
-
-	// Send initial hole punch to all exit nodes
-	for _, node := range resolvedNodes {
-		if err := m.sendHolePunch(node.remoteAddr, node.publicKey); err != nil {
-			logger.Warn("Failed to send initial hole punch to %s: %v", node.endpointName, err)
+		logger.Info("No exit nodes available yet, waiting for nodes to be added")
+	} else {
+		// Send initial hole punch to all exit nodes
+		for _, node := range resolvedNodes {
+			if err := m.sendHolePunch(node.remoteAddr, node.publicKey); err != nil {
+				logger.Warn("Failed to send initial hole punch to %s: %v", node.endpointName, err)
+			}
 		}
 	}
 
@@ -370,6 +362,8 @@ func (m *Manager) runMultipleExitNodes() {
 			resolvedNodes = resolveNodes()
 			if len(resolvedNodes) == 0 {
 				logger.Warn("No exit nodes available after refresh")
+			} else {
+				logger.Info("Updated resolved nodes count: %d", len(resolvedNodes))
 			}
 			// Reset interval to minimum on update
 			m.mu.Lock()
@@ -383,24 +377,26 @@ func (m *Manager) runMultipleExitNodes() {
 				}
 			}
 		case <-ticker.C:
-			// Send hole punch to all exit nodes
-			for _, node := range resolvedNodes {
-				if err := m.sendHolePunch(node.remoteAddr, node.publicKey); err != nil {
-					logger.Debug("Failed to send hole punch to %s: %v", node.endpointName, err)
+			// Send hole punch to all exit nodes (if any are available)
+			if len(resolvedNodes) > 0 {
+				for _, node := range resolvedNodes {
+					if err := m.sendHolePunch(node.remoteAddr, node.publicKey); err != nil {
+						logger.Debug("Failed to send hole punch to %s: %v", node.endpointName, err)
+					}
 				}
+				// Exponential backoff: double the interval up to max
+				m.mu.Lock()
+				newInterval := m.sendHolepunchInterval * 2
+				if newInterval > sendHolepunchIntervalMax {
+					newInterval = sendHolepunchIntervalMax
+				}
+				if newInterval != m.sendHolepunchInterval {
+					m.sendHolepunchInterval = newInterval
+					ticker.Reset(m.sendHolepunchInterval)
+					logger.Debug("Increased hole punch interval to %v", m.sendHolepunchInterval)
+				}
+				m.mu.Unlock()
 			}
-			// Exponential backoff: double the interval up to max
-			m.mu.Lock()
-			newInterval := m.sendHolepunchInterval * 2
-			if newInterval > sendHolepunchIntervalMax {
-				newInterval = sendHolepunchIntervalMax
-			}
-			if newInterval != m.sendHolepunchInterval {
-				m.sendHolepunchInterval = newInterval
-				ticker.Reset(m.sendHolepunchInterval)
-				logger.Debug("Increased hole punch interval to %v", m.sendHolepunchInterval)
-			}
-			m.mu.Unlock()
 		}
 	}
 }

main.go

@@ -1389,7 +1389,12 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
 				"noCloud": noCloud,
 			}, 3*time.Second)
 			logger.Debug("Requesting exit nodes from server")
-			clientsOnConnect()
+
+			if client.GetServerVersion() != "" { // to prevent issues with running newt > 1.7 versions with older servers
+				clientsOnConnect()
+			} else {
+				logger.Warn("CLIENTS WILL NOT WORK ON THIS VERSION OF NEWT WITH THIS VERSION OF PANGOLIN, PLEASE UPDATE THE SERVER TO 1.13 OR HIGHER OR DOWNGRADE NEWT")
+			}
 		}
 
 		// Send registration message to the server for backward compatibility

websocket/client.go

@@ -46,6 +46,7 @@ type Client struct {
 	metricsCtxMu      sync.RWMutex
 	metricsCtx        context.Context
 	configNeedsSave   bool // Flag to track if config needs to be saved
+	serverVersion     string
 }
 
 type ClientOption func(*Client)
@@ -149,6 +150,10 @@ func (c *Client) GetConfig() *Config {
 	return c.config
 }
 
+func (c *Client) GetServerVersion() string {
+	return c.serverVersion
+}
+
 // Connect establishes the WebSocket connection
 func (c *Client) Connect() error {
 	go c.connectWithRetry()
@@ -351,9 +356,11 @@ func (c *Client) getToken() (string, error) {
 	}
 	defer resp.Body.Close()
 
+	body, _ := io.ReadAll(resp.Body)
+	logger.Debug("Token response body: %s", string(body))
+
 	if resp.StatusCode != http.StatusOK {
-		body, _ := io.ReadAll(resp.Body)
-		logger.Error("Failed to get token with status code: %d, body: %s", resp.StatusCode, string(body))
+		logger.Error("Failed to get token with status code: %d", resp.StatusCode)
 		telemetry.IncConnAttempt(ctx, "auth", "failure")
 		etype := "io_error"
 		if resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden {
@@ -368,7 +375,7 @@ func (c *Client) getToken() (string, error) {
 	}
 
 	var tokenResp TokenResponse
-	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
+	if err := json.Unmarshal(body, &tokenResp); err != nil {
 		logger.Error("Failed to decode token response.")
 		return "", fmt.Errorf("failed to decode token response: %w", err)
 	}
@@ -381,6 +388,11 @@ func (c *Client) getToken() (string, error) {
 		return "", fmt.Errorf("received empty token from server")
 	}
 
+	// print server version
+	logger.Info("Server version: %s", tokenResp.Data.ServerVersion)
+
+	c.serverVersion = tokenResp.Data.ServerVersion
+
 	logger.Debug("Received token: %s", tokenResp.Data.Token)
 	telemetry.IncConnAttempt(ctx, "auth", "success")
 

websocket/types.go

@@ -9,7 +9,8 @@ type Config struct {
 
 type TokenResponse struct {
 	Data struct {
-		Token string `json:"token"`
+		Token         string `json:"token"`
+		ServerVersion string `json:"serverVersion"`
 	} `json:"data"`
 	Success bool   `json:"success"`
 	Message string `json:"message"`