Use the right time

Fixes #220

.github/workflows/cicd.yml

@@ -11,7 +11,9 @@ permissions:
 on:
   push:
     tags:
-      - "*"
+      - "[0-9]+.[0-9]+.[0-9]+"
+      - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+
   workflow_dispatch:
     inputs:
       version:
@@ -273,7 +275,7 @@ jobs:
           tags: |
             type=semver,pattern={{version}},value=${{ env.TAG }}
             type=semver,pattern={{major}}.{{minor}},value=${{ env.TAG }},enable=${{ env.PUBLISH_MINOR == 'true' && env.IS_RC != 'true' }}
-            type=raw,value=latest,enable=${{ env.PUBLISH_LATEST == 'true' && env.IS_RC != 'true' }}
+            type=raw,value=latest,enable=${{ env.IS_RC != 'true' }}
           flavor: |
             latest=false
           labels: |
@@ -587,28 +589,28 @@ jobs:
       #     sarif_file: trivy-ghcr.sarif
       #     category: Image Vulnerability Scan
 
-      # - name: Build binaries
-      #   env:
-      #     CGO_ENABLED: "0"
-      #     GOFLAGS: "-trimpath"
-      #   run: |
-      #     set -euo pipefail
-      #     TAG_VAR="${TAG}"
-      #     make go-build-release tag=$TAG_VAR
-      #   shell: bash
+      - name: Build binaries
+        env:
+          CGO_ENABLED: "0"
+          GOFLAGS: "-trimpath"
+        run: |
+          set -euo pipefail
+          TAG_VAR="${TAG}"
+          make -j 10 go-build-release tag=$TAG_VAR
+        shell: bash
 
-      # - name: Create GitHub Release
-      #   uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
-      #   with:
-      #     tag_name: ${{ env.TAG }}
-      #     generate_release_notes: true
-      #     prerelease: ${{ env.IS_RC == 'true' }}
-      #     files: |
-      #       bin/*
-      #     fail_on_unmatched_files: true
-      #     draft: true
-      #     body: |
-      #       ## Container Images
-      #       - GHCR: `${{ env.GHCR_REF }}`
-      #       - Docker Hub: `${{ env.DH_REF || 'N/A' }}`
-      #       **Digest:** `${{ steps.build.outputs.digest }}`
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
+        with:
+          tag_name: ${{ env.TAG }}
+          generate_release_notes: true
+          prerelease: ${{ env.IS_RC == 'true' }}
+          files: |
+            bin/*
+          fail_on_unmatched_files: true
+          draft: true
+          body: |
+            ## Container Images
+            - GHCR: `${{ env.GHCR_REF }}`
+            - Docker Hub: `${{ env.DH_REF || 'N/A' }}`
+            **Digest:** `${{ steps.build.outputs.digest }}`

.github/workflows/nix-build.yml

@@ -0,0 +1,23 @@
+name: Build Nix package
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - go.mod
+      - go.sum
+
+jobs:
+  nix-build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Build flake package
+        run: |
+          nix build .#pangolin-newt -L

.github/workflows/nix-dependabot-update-hash.yml

@@ -0,0 +1,48 @@
+name: Update Nix Package Hash On Dependabot PRs
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches:
+      - main
+
+jobs:
+  nix-update:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Run nix-update
+        run: |
+          nix run nixpkgs#nix-update -- --flake pangolin-newt --no-src --version skip
+
+      - name: Check for changes
+        id: changes
+        run: |
+          if git diff --quiet; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Commit and push changes
+        if: steps.changes.outputs.changed == 'true'
+        run: |
+          git config user.name "dependabot[bot]"
+          git config user.email "dependabot[bot]@users.noreply.github.com"
+
+          git add .
+          git commit -m "chore(nix): fix hash for updated go dependencies"
+          git push

.github/workflows/test.yml

@@ -10,22 +10,30 @@ on:
       - dev
 
 jobs:
-  test:
-    runs-on: amd64-runner
-
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        target:
+          - local
+          - docker-build
+          - go-build-release-darwin-amd64
+          - go-build-release-darwin-arm64
+          - go-build-release-freebsd-amd64
+          - go-build-release-freebsd-arm64
+          - go-build-release-linux-amd64
+          - go-build-release-linux-arm32-v6
+          - go-build-release-linux-arm32-v7
+          - go-build-release-linux-riscv64
+          - go-build-release-windows-amd64
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version: 1.25
 
-      - name: Build go
-        run: go build
-
-      - name: Build Docker image
-        run: make docker-build-release
-
-      - name: Build binaries
-        run: make go-build-release
+      - name: Build targets via `make`
+        run: make ${{ matrix.target }}

.gitignore

@@ -5,4 +5,6 @@ nohup.out
 *.iml
 certs/
 newt_arm64
-key
+key
+/.direnv/
+/result*

Dockerfile

@@ -20,7 +20,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /newt
 
 FROM alpine:3.23 AS runner
 
-RUN apk --no-cache add ca-certificates tzdata
+RUN apk --no-cache add ca-certificates tzdata iputils
 
 COPY --from=builder /newt /usr/local/bin/
 COPY entrypoint.sh /

Makefile

@@ -1,25 +1,70 @@
+.PHONY: all local docker-build docker-build-release
 
 all: local
 
+local:
+	CGO_ENABLED=0 go build -o ./bin/newt
+
+docker-build:
+	docker build -t fosrl/newt:latest .
+
 docker-build-release:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make docker-build-release tag=<tag>"; \
 		exit 1; \
 	fi
-	docker buildx build --platform linux/arm/v7,linux/arm64,linux/amd64 -t fosrl/newt:latest -f Dockerfile --push .
-	docker buildx build --platform linux/arm/v7,linux/arm64,linux/amd64 -t fosrl/newt:$(tag) -f Dockerfile --push .
+	docker buildx build . \
+		--platform linux/arm/v7,linux/arm64,linux/amd64 \
+		-t fosrl/newt:latest \
+		-t fosrl/newt:$(tag) \
+		-f Dockerfile \
+		--push
 
-local: 
-	CGO_ENABLED=0 go build -o ./bin/newt
+.PHONY: go-build-release \
+        go-build-release-linux-arm64 go-build-release-linux-arm32-v7 \
+        go-build-release-linux-arm32-v6 go-build-release-linux-amd64 \
+        go-build-release-linux-riscv64 go-build-release-darwin-arm64 \
+        go-build-release-darwin-amd64 go-build-release-windows-amd64 \
+        go-build-release-freebsd-amd64 go-build-release-freebsd-arm64
 
-go-build-release:
+go-build-release: \
+    go-build-release-linux-arm64 \
+    go-build-release-linux-arm32-v7 \
+    go-build-release-linux-arm32-v6 \
+    go-build-release-linux-amd64 \
+    go-build-release-linux-riscv64 \
+    go-build-release-darwin-arm64 \
+    go-build-release-darwin-amd64 \
+    go-build-release-windows-amd64 \
+    go-build-release-freebsd-amd64 \
+    go-build-release-freebsd-arm64
+
+go-build-release-linux-arm64:
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/newt_linux_arm64
+
+go-build-release-linux-arm32-v7:
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -o bin/newt_linux_arm32
+
+go-build-release-linux-arm32-v6:
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -o bin/newt_linux_arm32v6
+
+go-build-release-linux-amd64:
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/newt_linux_amd64
+
+go-build-release-linux-riscv64:
 	CGO_ENABLED=0 GOOS=linux GOARCH=riscv64 go build -o bin/newt_linux_riscv64
+
+go-build-release-darwin-arm64:
 	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o bin/newt_darwin_arm64
+
+go-build-release-darwin-amd64:
 	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o bin/newt_darwin_amd64
+
+go-build-release-windows-amd64:
 	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o bin/newt_windows_amd64.exe
+
+go-build-release-freebsd-amd64:
 	CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -o bin/newt_freebsd_amd64
-	CGO_ENABLED=0 GOOS=freebsd GOARCH=arm64 go build -o bin/newt_freebsd_arm64
+
+go-build-release-freebsd-arm64:
+	CGO_ENABLED=0 GOOS=freebsd GOARCH=arm64 go build -o bin/newt_freebsd_arm64

bind/shared_bind.go

@@ -523,7 +523,7 @@ func (b *SharedBind) receiveIPv4Simple(conn *net.UDPConn, bufs [][]byte, sizes [
 func (b *SharedBind) handleMagicPacket(data []byte, addr *net.UDPAddr) bool {
 	// Check if this is a test request packet
 	if len(data) >= MagicTestRequestLen && bytes.HasPrefix(data, MagicTestRequest) {
-		logger.Debug("Received magic test REQUEST from %s, sending response", addr.String())
+		// logger.Debug("Received magic test REQUEST from %s, sending response", addr.String())
 		// Extract the random data portion to echo back
 		echoData := data[len(MagicTestRequest) : len(MagicTestRequest)+MagicPacketDataLen]
 
@@ -546,7 +546,7 @@ func (b *SharedBind) handleMagicPacket(data []byte, addr *net.UDPAddr) bool {
 
 	// Check if this is a test response packet
 	if len(data) >= MagicTestResponseLen && bytes.HasPrefix(data, MagicTestResponse) {
-		logger.Debug("Received magic test RESPONSE from %s", addr.String())
+		// logger.Debug("Received magic test RESPONSE from %s", addr.String())
 		// Extract the echoed data
 		echoData := data[len(MagicTestResponse) : len(MagicTestResponse)+MagicPacketDataLen]
 

clients.go

@@ -24,7 +24,7 @@ func setupClients(client *websocket.Client) {
 
 	host = strings.TrimSuffix(host, "/")
 
-	logger.Info("Setting up clients with netstack2...")
+	logger.Debug("Setting up clients with netstack2...")
 
 	// if useNativeInterface is true make sure we have permission to use native interface
 	if useNativeInterface {
@@ -63,7 +63,7 @@ func closeClients() {
 	}
 }
 
-func clientsHandleNewtConnection(publicKey string, endpoint string) {
+func clientsHandleNewtConnection(publicKey string, endpoint string, relayPort uint16) {
 	if !ready {
 		return
 	}
@@ -77,7 +77,7 @@ func clientsHandleNewtConnection(publicKey string, endpoint string) {
 	endpoint = strings.Join(parts[:len(parts)-1], ":")
 
 	if wgService != nil {
-		wgService.StartHolepunch(publicKey, endpoint)
+		wgService.StartHolepunch(publicKey, endpoint, relayPort)
 	}
 }
 

clients/clients.go

@@ -40,12 +40,13 @@ type Target struct {
 	SourcePrefix string      `json:"sourcePrefix"`
 	DestPrefix   string      `json:"destPrefix"`
 	RewriteTo    string      `json:"rewriteTo,omitempty"`
+	DisableIcmp  bool        `json:"disableIcmp,omitempty"`
 	PortRange    []PortRange `json:"portRange,omitempty"`
 }
 
 type PortRange struct {
-	Min uint16 `json:"min"`
-	Max uint16 `json:"max"`
+	Min      uint16 `json:"min"`
+	Max      uint16 `json:"max"`
 	Protocol string `json:"protocol"` // "tcp" or "udp"
 }
 
@@ -140,7 +141,7 @@ func NewWireGuardService(interfaceName string, port uint16, mtu int, host string
 	// Add a reference for the hole punch manager (creator already has one reference for WireGuard)
 	sharedBind.AddRef()
 
-	logger.Info("Created shared UDP socket on port %d (refcount: %d)", port, sharedBind.GetRefCount())
+	logger.Debug("Created shared UDP socket on port %d (refcount: %d)", port, sharedBind.GetRefCount())
 
 	// Parse DNS addresses
 	dnsAddrs := []netip.Addr{netip.MustParseAddr(dns)}
@@ -171,6 +172,7 @@ func NewWireGuardService(interfaceName string, port uint16, mtu int, host string
 	wsClient.RegisterHandler("newt/wg/targets/add", service.handleAddTarget)
 	wsClient.RegisterHandler("newt/wg/targets/remove", service.handleRemoveTarget)
 	wsClient.RegisterHandler("newt/wg/targets/update", service.handleUpdateTarget)
+	wsClient.RegisterHandler("newt/wg/sync", service.handleSyncConfig)
 
 	return service, nil
 }
@@ -269,16 +271,21 @@ func (s *WireGuardService) SetOnNetstackClose(callback func()) {
 }
 
 // StartHolepunch starts hole punching to a specific endpoint
-func (s *WireGuardService) StartHolepunch(publicKey string, endpoint string) {
+func (s *WireGuardService) StartHolepunch(publicKey string, endpoint string, relayPort uint16) {
 	if s.holePunchManager == nil {
 		logger.Warn("Hole punch manager not initialized")
 		return
 	}
 
+	if relayPort == 0 {
+	    relayPort = 21820
+	}
+
 	// Convert websocket.ExitNode to holepunch.ExitNode
 	hpExitNodes := []holepunch.ExitNode{
 		{
 			Endpoint:  endpoint,
+			RelayPort: relayPort,
 			PublicKey: publicKey,
 		},
 	}
@@ -288,7 +295,7 @@ func (s *WireGuardService) StartHolepunch(publicKey string, endpoint string) {
 		logger.Warn("Failed to start hole punch: %v", err)
 	}
 
-	logger.Info("Starting hole punch to %s with public key: %s", endpoint, publicKey)
+	logger.Debug("Starting hole punch to %s with public key: %s", endpoint, publicKey)
 }
 
 // StartDirectUDPRelay starts a direct UDP relay from the main tunnel netstack to the clients' WireGuard.
@@ -335,7 +342,7 @@ func (s *WireGuardService) StartDirectUDPRelay(tunnelIP string) error {
 	// Set the netstack connection on the SharedBind so responses go back through the tunnel
 	s.sharedBind.SetNetstackConn(listener)
 
-	logger.Info("Started direct UDP relay on %s:%d (bidirectional via SharedBind)", tunnelIP, s.Port)
+	logger.Debug("Started direct UDP relay on %s:%d (bidirectional via SharedBind)", tunnelIP, s.Port)
 
 	// Start the relay goroutine to read from netstack and inject into SharedBind
 	s.directRelayWg.Add(1)
@@ -353,7 +360,7 @@ func (s *WireGuardService) runDirectUDPRelay(listener net.PacketConn) {
 	// Note: Don't close listener here - it's also used by SharedBind for sending responses
 	// It will be closed when the relay is stopped
 
-	logger.Info("Direct UDP relay started (bidirectional through SharedBind)")
+	logger.Debug("Direct UDP relay started (bidirectional through SharedBind)")
 
 	buf := make([]byte, 65535) // Max UDP packet size
 
@@ -439,7 +446,7 @@ func (s *WireGuardService) LoadRemoteConfig() error {
 		"port":      s.Port,
 	}, 2*time.Second)
 
-	logger.Info("Requesting WireGuard configuration from remote server")
+	logger.Debug("Requesting WireGuard configuration from remote server")
 	go s.periodicBandwidthCheck()
 
 	return nil
@@ -449,7 +456,7 @@ func (s *WireGuardService) handleConfig(msg websocket.WSMessage) {
 	var config WgConfig
 
 	logger.Debug("Received message: %v", msg)
-	logger.Info("Received WireGuard clients configuration from remote server")
+	logger.Debug("Received WireGuard clients configuration from remote server")
 
 	jsonData, err := json.Marshal(msg.Data)
 	if err != nil {
@@ -471,6 +478,8 @@ func (s *WireGuardService) handleConfig(msg websocket.WSMessage) {
 	// Ensure the WireGuard interface and peers are configured
 	if err := s.ensureWireguardInterface(config); err != nil {
 		logger.Error("Failed to ensure WireGuard interface: %v", err)
+		logger.Error("Clients functionality will be disabled until the interface can be created")
+		return
 	}
 
 	if err := s.ensureWireguardPeers(config.Peers); err != nil {
@@ -480,6 +489,185 @@ func (s *WireGuardService) handleConfig(msg websocket.WSMessage) {
 	if err := s.ensureTargets(config.Targets); err != nil {
 		logger.Error("Failed to ensure WireGuard targets: %v", err)
 	}
+
+	logger.Info("Client connectivity setup. Ready to accept connections from clients!")
+}
+
+// SyncConfig represents the configuration sent from server for syncing
+type SyncConfig struct {
+	Targets []Target `json:"targets"`
+	Peers   []Peer   `json:"peers"`
+}
+
+func (s *WireGuardService) handleSyncConfig(msg websocket.WSMessage) {
+	var syncConfig SyncConfig
+
+	logger.Debug("Received sync message: %v", msg)
+	logger.Info("Received sync configuration from remote server")
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling sync data: %v", err)
+		return
+	}
+
+	if err := json.Unmarshal(jsonData, &syncConfig); err != nil {
+		logger.Error("Error unmarshaling sync data: %v", err)
+		return
+	}
+
+	// Sync peers
+	if err := s.syncPeers(syncConfig.Peers); err != nil {
+		logger.Error("Failed to sync peers: %v", err)
+	}
+
+	// Sync targets
+	if err := s.syncTargets(syncConfig.Targets); err != nil {
+		logger.Error("Failed to sync targets: %v", err)
+	}
+}
+
+// syncPeers synchronizes the current peers with the desired state
+// It removes peers not in the desired list and adds missing ones
+func (s *WireGuardService) syncPeers(desiredPeers []Peer) error {
+	if s.device == nil {
+		return fmt.Errorf("WireGuard device is not initialized")
+	}
+
+	// Get current peers from the device
+	currentConfig, err := s.device.IpcGet()
+	if err != nil {
+		return fmt.Errorf("failed to get current device config: %v", err)
+	}
+
+	// Parse current peer public keys
+	lines := strings.Split(currentConfig, "\n")
+	currentPeerKeys := make(map[string]bool)
+	for _, line := range lines {
+		if strings.HasPrefix(line, "public_key=") {
+			pubKey := strings.TrimPrefix(line, "public_key=")
+			currentPeerKeys[pubKey] = true
+		}
+	}
+
+	// Build a map of desired peers by their public key (normalized)
+	desiredPeerMap := make(map[string]Peer)
+	for _, peer := range desiredPeers {
+		// Normalize the public key for comparison
+		pubKey, err := wgtypes.ParseKey(peer.PublicKey)
+		if err != nil {
+			logger.Warn("Invalid public key in desired peers: %s", peer.PublicKey)
+			continue
+		}
+		normalizedKey := util.FixKey(pubKey.String())
+		desiredPeerMap[normalizedKey] = peer
+	}
+
+	// Remove peers that are not in the desired list
+	for currentKey := range currentPeerKeys {
+		if _, exists := desiredPeerMap[currentKey]; !exists {
+			// Parse the key back to get the original format for removal
+			removeConfig := fmt.Sprintf("public_key=%s\nremove=true", currentKey)
+			if err := s.device.IpcSet(removeConfig); err != nil {
+				logger.Warn("Failed to remove peer %s during sync: %v", currentKey, err)
+			} else {
+				logger.Info("Removed peer %s during sync", currentKey)
+			}
+		}
+	}
+
+	// Add peers that are missing
+	for normalizedKey, peer := range desiredPeerMap {
+		if _, exists := currentPeerKeys[normalizedKey]; !exists {
+			if err := s.addPeerToDevice(peer); err != nil {
+				logger.Warn("Failed to add peer %s during sync: %v", peer.PublicKey, err)
+			} else {
+				logger.Info("Added peer %s during sync", peer.PublicKey)
+			}
+		}
+	}
+
+	return nil
+}
+
+// syncTargets synchronizes the current targets with the desired state
+// It removes targets not in the desired list and adds missing ones
+func (s *WireGuardService) syncTargets(desiredTargets []Target) error {
+	if s.tnet == nil {
+		// Native interface mode - proxy features not available, skip silently
+		logger.Debug("Skipping target sync - using native interface (no proxy support)")
+		return nil
+	}
+
+	// Get current rules from the proxy handler
+	currentRules := s.tnet.GetProxySubnetRules()
+
+	// Build a map of current rules by source+dest prefix
+	type ruleKey struct {
+		sourcePrefix string
+		destPrefix   string
+	}
+	currentRuleMap := make(map[ruleKey]bool)
+	for _, rule := range currentRules {
+		key := ruleKey{
+			sourcePrefix: rule.SourcePrefix.String(),
+			destPrefix:   rule.DestPrefix.String(),
+		}
+		currentRuleMap[key] = true
+	}
+
+	// Build a map of desired targets
+	desiredTargetMap := make(map[ruleKey]Target)
+	for _, target := range desiredTargets {
+		key := ruleKey{
+			sourcePrefix: target.SourcePrefix,
+			destPrefix:   target.DestPrefix,
+		}
+		desiredTargetMap[key] = target
+	}
+
+	// Remove targets that are not in the desired list
+	for _, rule := range currentRules {
+		key := ruleKey{
+			sourcePrefix: rule.SourcePrefix.String(),
+			destPrefix:   rule.DestPrefix.String(),
+		}
+		if _, exists := desiredTargetMap[key]; !exists {
+			s.tnet.RemoveProxySubnetRule(rule.SourcePrefix, rule.DestPrefix)
+			logger.Info("Removed target %s -> %s during sync", rule.SourcePrefix.String(), rule.DestPrefix.String())
+		}
+	}
+
+	// Add targets that are missing
+	for key, target := range desiredTargetMap {
+		if _, exists := currentRuleMap[key]; !exists {
+			sourcePrefix, err := netip.ParsePrefix(target.SourcePrefix)
+			if err != nil {
+				logger.Warn("Invalid source prefix %s during sync: %v", target.SourcePrefix, err)
+				continue
+			}
+
+			destPrefix, err := netip.ParsePrefix(target.DestPrefix)
+			if err != nil {
+				logger.Warn("Invalid dest prefix %s during sync: %v", target.DestPrefix, err)
+				continue
+			}
+
+			var portRanges []netstack2.PortRange
+			for _, pr := range target.PortRange {
+				portRanges = append(portRanges, netstack2.PortRange{
+					Min:      pr.Min,
+					Max:      pr.Max,
+					Protocol: pr.Protocol,
+				})
+			}
+
+			s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
+			logger.Info("Added target %s -> %s during sync", target.SourcePrefix, target.DestPrefix)
+		}
+	}
+
+	return nil
 }
 
 func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error {
@@ -593,8 +781,9 @@ func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error {
 		s.dns,
 		s.mtu,
 		netstack2.NetTunOptions{
-			EnableTCPProxy: true,
-			EnableUDPProxy: true,
+			EnableTCPProxy:  true,
+			EnableUDPProxy:  true,
+			EnableICMPProxy: true,
 		},
 	)
 	if err != nil {
@@ -626,7 +815,7 @@ func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error {
 		return fmt.Errorf("failed to bring up WireGuard device: %v", err)
 	}
 
-	logger.Info("WireGuard netstack device created and configured")
+	logger.Debug("WireGuard netstack device created and configured")
 
 	// Release the mutex before calling the callback
 	s.mu.Unlock()
@@ -645,6 +834,11 @@ func (s *WireGuardService) ensureWireguardPeers(peers []Peer) error {
 	// For netstack, we need to manage peers differently
 	// We'll configure peers directly on the device using IPC
 
+	// Check if device is initialized
+	if s.device == nil {
+		return fmt.Errorf("WireGuard device is not initialized")
+	}
+
 	// First, clear all existing peers by getting current config and removing them
 	currentConfig, err := s.device.IpcGet()
 	if err != nil {
@@ -700,13 +894,13 @@ func (s *WireGuardService) ensureTargets(targets []Target) error {
 		var portRanges []netstack2.PortRange
 		for _, pr := range target.PortRange {
 			portRanges = append(portRanges, netstack2.PortRange{
-				Min: pr.Min,
-				Max: pr.Max,
+				Min:      pr.Min,
+				Max:      pr.Max,
 				Protocol: pr.Protocol,
 			})
 		}
 
-		s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges)
+		s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
 
 		logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange)
 	}
@@ -1094,10 +1288,11 @@ func (s *WireGuardService) handleAddTarget(msg websocket.WSMessage) {
 			portRanges = append(portRanges, netstack2.PortRange{
 				Min: pr.Min,
 				Max: pr.Max,
+				Protocol:    pr.Protocol,
 			})
 		}
 
-		s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges)
+		s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
 
 		logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange)
 	}
@@ -1209,12 +1404,13 @@ func (s *WireGuardService) handleUpdateTarget(msg websocket.WSMessage) {
 		var portRanges []netstack2.PortRange
 		for _, pr := range target.PortRange {
 			portRanges = append(portRanges, netstack2.PortRange{
-				Min: pr.Min,
-				Max: pr.Max,
+				Min:         pr.Min,
+				Max:         pr.Max,
+				Protocol:    pr.Protocol,
 			})
 		}
 
-		s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges)
+		s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
 		logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange)
 	}
 }

clients/permissions/permissions_android.go

@@ -0,0 +1,8 @@
+//go:build android
+
+package permissions
+
+// CheckNativeInterfacePermissions always allows permission on Android.
+func CheckNativeInterfacePermissions() error {
+	return nil
+}

clients/permissions/permissions_darwin.go

@@ -1,4 +1,4 @@
-//go:build darwin
+//go:build darwin && !ios
 
 package permissions
 

clients/permissions/permissions_ios.go

@@ -0,0 +1,8 @@
+//go:build ios
+
+package permissions
+
+// CheckNativeInterfacePermissions always allows permission on iOS.
+func CheckNativeInterfacePermissions() error {
+	return nil
+}

clients/permissions/permissions_linux.go

@@ -1,4 +1,4 @@
-//go:build linux
+//go:build linux && !android
 
 package permissions
 

flake.nix

@@ -25,7 +25,7 @@
           inherit (pkgs) lib;
 
           # Update version when releasing
-          version = "1.7.0";
+          version = "1.8.0";
         in
         {
           default = self.packages.${system}.pangolin-newt;
@@ -37,14 +37,26 @@
 
             vendorHash = "sha256-5Xr6mwPtsqEliKeKv2rhhp6JC7u3coP4nnhIxGMqccU=";
 
+            nativeInstallCheckInputs = [ pkgs.versionCheckHook ];
+
             env = {
               CGO_ENABLED = 0;
             };
 
             ldflags = [
+              "-s"
+              "-w"
               "-X main.newtVersion=${version}"
             ];
 
+            # Tests are broken due to a lack of Internet.
+            # Disable running `go test`, and instead do
+            # a simple version check instead.
+            doCheck = false;
+            doInstallCheck = true;
+
+            versionCheckProgramArg = [ "-version" ];
+
             meta = {
               description = "A tunneling client for Pangolin";
               homepage = "https://github.com/fosrl/newt";
@@ -52,6 +64,7 @@
               maintainers = [
                 lib.maintainers.water-sucks
               ];
+              mainProgram = "newt";
             };
           };
         }

healthcheck/healthcheck.go

@@ -61,6 +61,7 @@ type Target struct {
 	timer      *time.Timer
 	ctx        context.Context
 	cancel     context.CancelFunc
+	client     *http.Client
 }
 
 // StatusChangeCallback is called when any target's status changes
@@ -185,6 +186,16 @@ func (m *Monitor) addTargetUnsafe(config Config) error {
 		Status: StatusUnknown,
 		ctx:    ctx,
 		cancel: cancel,
+		client: &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{
+					// Configure TLS settings based on certificate enforcement
+					InsecureSkipVerify: !m.enforceCert,
+					// Use SNI TLS header if present
+					ServerName: config.TLSServerName,
+				},
+			},
+		},
 	}
 
 	m.targets[config.ID] = target
@@ -378,17 +389,6 @@ func (m *Monitor) performHealthCheck(target *Target) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(target.Config.Timeout)*time.Second)
 	defer cancel()
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{
-				// Configure TLS settings based on certificate enforcement
-				InsecureSkipVerify: !m.enforceCert,
-				// Use SNI TLS header if present
-				ServerName: target.Config.TLSServerName,
-			},
-		},
-	}
-
 	req, err := http.NewRequestWithContext(ctx, target.Config.Method, url, nil)
 	if err != nil {
 		target.Status = StatusUnhealthy
@@ -408,7 +408,7 @@ func (m *Monitor) performHealthCheck(target *Target) {
 	}
 
 	// Perform request
-	resp, err := client.Do(req)
+	resp, err := target.client.Do(req)
 	if err != nil {
 		target.Status = StatusUnhealthy
 		target.LastError = fmt.Sprintf("request failed: %v", err)
@@ -521,3 +521,82 @@ func (m *Monitor) DisableTarget(id int) error {
 
 	return nil
 }
+
+// GetTargetIDs returns a slice of all current target IDs
+func (m *Monitor) GetTargetIDs() []int {
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()
+
+	ids := make([]int, 0, len(m.targets))
+	for id := range m.targets {
+		ids = append(ids, id)
+	}
+	return ids
+}
+
+// SyncTargets synchronizes the current targets to match the desired set.
+// It removes targets not in the desired set and adds targets that are missing.
+func (m *Monitor) SyncTargets(desiredConfigs []Config) error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	logger.Info("Syncing health check targets: %d desired targets", len(desiredConfigs))
+
+	// Build a set of desired target IDs
+	desiredIDs := make(map[int]Config)
+	for _, config := range desiredConfigs {
+		desiredIDs[config.ID] = config
+	}
+
+	// Find targets to remove (exist but not in desired set)
+	var toRemove []int
+	for id := range m.targets {
+		if _, exists := desiredIDs[id]; !exists {
+			toRemove = append(toRemove, id)
+		}
+	}
+
+	// Remove targets that are not in the desired set
+	for _, id := range toRemove {
+		logger.Info("Sync: removing health check target %d", id)
+		if target, exists := m.targets[id]; exists {
+			target.cancel()
+			delete(m.targets, id)
+		}
+	}
+
+	// Add or update targets from the desired set
+	var addedCount, updatedCount int
+	for id, config := range desiredIDs {
+		if existing, exists := m.targets[id]; exists {
+			// Target exists - check if config changed and update if needed
+			// For now, we'll replace it to ensure config is up to date
+			logger.Debug("Sync: updating health check target %d", id)
+			existing.cancel()
+			delete(m.targets, id)
+			if err := m.addTargetUnsafe(config); err != nil {
+				logger.Error("Sync: failed to update target %d: %v", id, err)
+				return fmt.Errorf("failed to update target %d: %v", id, err)
+			}
+			updatedCount++
+		} else {
+			// Target doesn't exist - add it
+			logger.Debug("Sync: adding health check target %d", id)
+			if err := m.addTargetUnsafe(config); err != nil {
+				logger.Error("Sync: failed to add target %d: %v", id, err)
+				return fmt.Errorf("failed to add target %d: %v", id, err)
+			}
+			addedCount++
+		}
+	}
+
+	logger.Info("Sync complete: removed %d, added %d, updated %d targets",
+		len(toRemove), addedCount, updatedCount)
+
+	// Notify callback if any changes were made
+	if (len(toRemove) > 0 || addedCount > 0 || updatedCount > 0) && m.callback != nil {
+		go m.callback(m.getAllTargetsUnsafe())
+	}
+
+	return nil
+}

holepunch/holepunch.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
+	"strconv"
 	"sync"
 	"time"
 
@@ -19,7 +20,9 @@ import (
 // ExitNode represents a WireGuard exit node for hole punching
 type ExitNode struct {
 	Endpoint  string `json:"endpoint"`
+	RelayPort uint16 `json:"relayPort"`
 	PublicKey string `json:"publicKey"`
+	SiteIds   []int  `json:"siteIds,omitempty"`
 }
 
 // Manager handles UDP hole punching operations
@@ -35,21 +38,29 @@ type Manager struct {
 	exitNodes  map[string]ExitNode // key is endpoint
 	updateChan chan struct{}       // signals the goroutine to refresh exit nodes
 
-	sendHolepunchInterval time.Duration
+	sendHolepunchInterval    time.Duration
+	sendHolepunchIntervalMin time.Duration
+	sendHolepunchIntervalMax time.Duration
+	defaultIntervalMin       time.Duration
+	defaultIntervalMax       time.Duration
 }
 
-const sendHolepunchIntervalMax = 60 * time.Second
-const sendHolepunchIntervalMin = 1 * time.Second
+const defaultSendHolepunchIntervalMax = 60 * time.Second
+const defaultSendHolepunchIntervalMin = 1 * time.Second
 
 // NewManager creates a new hole punch manager
 func NewManager(sharedBind *bind.SharedBind, ID string, clientType string, publicKey string) *Manager {
 	return &Manager{
-		sharedBind:            sharedBind,
-		ID:                    ID,
-		clientType:            clientType,
-		publicKey:             publicKey,
-		exitNodes:             make(map[string]ExitNode),
-		sendHolepunchInterval: sendHolepunchIntervalMin,
+		sharedBind:               sharedBind,
+		ID:                       ID,
+		clientType:               clientType,
+		publicKey:                publicKey,
+		exitNodes:                make(map[string]ExitNode),
+		sendHolepunchInterval:    defaultSendHolepunchIntervalMin,
+		sendHolepunchIntervalMin: defaultSendHolepunchIntervalMin,
+		sendHolepunchIntervalMax: defaultSendHolepunchIntervalMax,
+		defaultIntervalMin:       defaultSendHolepunchIntervalMin,
+		defaultIntervalMax:       defaultSendHolepunchIntervalMax,
 	}
 }
 
@@ -140,6 +151,51 @@ func (m *Manager) RemoveExitNode(endpoint string) bool {
 	return true
 }
 
+/*
+RemoveExitNodesByPeer removes the peer ID from the SiteIds list in each exit node.
+If the SiteIds list becomes empty after removal, the exit node is removed entirely.
+Returns the number of exit nodes removed.
+*/
+func (m *Manager) RemoveExitNodesByPeer(peerID int) int {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	removed := 0
+	for endpoint, node := range m.exitNodes {
+		// Remove peerID from SiteIds if present
+		newSiteIds := make([]int, 0, len(node.SiteIds))
+		for _, id := range node.SiteIds {
+			if id != peerID {
+				newSiteIds = append(newSiteIds, id)
+			}
+		}
+		if len(newSiteIds) != len(node.SiteIds) {
+			node.SiteIds = newSiteIds
+			if len(node.SiteIds) == 0 {
+				delete(m.exitNodes, endpoint)
+				logger.Info("Removed exit node %s as no more site IDs remain after removing peer %d", endpoint, peerID)
+				removed++
+			} else {
+				m.exitNodes[endpoint] = node
+				logger.Info("Removed peer %d from exit node %s site IDs", peerID, endpoint)
+			}
+		}
+	}
+
+	if removed > 0 {
+		// Signal the goroutine to refresh if running
+		if m.running && m.updateChan != nil {
+			select {
+			case m.updateChan <- struct{}{}:
+			default:
+				// Channel full or closed, skip
+			}
+		}
+	}
+
+	return removed
+}
+
 // GetExitNodes returns a copy of the current exit nodes
 func (m *Manager) GetExitNodes() []ExitNode {
 	m.mu.Lock()
@@ -152,17 +208,46 @@ func (m *Manager) GetExitNodes() []ExitNode {
 	return nodes
 }
 
-// ResetInterval resets the hole punch interval back to the minimum value,
-// allowing it to climb back up through exponential backoff.
-// This is useful when network conditions change or connectivity is restored.
-func (m *Manager) ResetInterval() {
+// SetServerHolepunchInterval sets custom min and max intervals for hole punching.
+// This is useful for low power mode where longer intervals are desired.
+func (m *Manager) SetServerHolepunchInterval(min, max time.Duration) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
-	if m.sendHolepunchInterval != sendHolepunchIntervalMin {
-		m.sendHolepunchInterval = sendHolepunchIntervalMin
-		logger.Info("Reset hole punch interval to minimum (%v)", sendHolepunchIntervalMin)
+	m.sendHolepunchIntervalMin = min
+	m.sendHolepunchIntervalMax = max
+	m.sendHolepunchInterval = min
+
+	logger.Info("Set hole punch intervals: min=%v, max=%v", min, max)
+
+	// Signal the goroutine to apply the new interval if running
+	if m.running && m.updateChan != nil {
+		select {
+		case m.updateChan <- struct{}{}:
+		default:
+			// Channel full or closed, skip
+		}
 	}
+}
+
+// GetInterval returns the current min and max intervals
+func (m *Manager) GetServerHolepunchInterval() (min, max time.Duration) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.sendHolepunchIntervalMin, m.sendHolepunchIntervalMax
+}
+
+// ResetServerHolepunchInterval resets the hole punch interval back to the default values.
+// This restores normal operation after low power mode or other custom settings.
+func (m *Manager) ResetServerHolepunchInterval() {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.sendHolepunchIntervalMin = m.defaultIntervalMin
+	m.sendHolepunchIntervalMax = m.defaultIntervalMax
+	m.sendHolepunchInterval = m.defaultIntervalMin
+
+	logger.Info("Reset hole punch intervals to defaults: min=%v, max=%v", m.defaultIntervalMin, m.defaultIntervalMax)
 
 	// Signal the goroutine to apply the new interval if running
 	if m.running && m.updateChan != nil {
@@ -202,7 +287,7 @@ func (m *Manager) TriggerHolePunch() error {
 			continue
 		}
 
-		serverAddr := net.JoinHostPort(host, "21820")
+		serverAddr := net.JoinHostPort(host, strconv.Itoa(int(exitNode.RelayPort)))
 		remoteAddr, err := net.ResolveUDPAddr("udp", serverAddr)
 		if err != nil {
 			logger.Error("Failed to resolve UDP address %s: %v", serverAddr, err)
@@ -247,7 +332,7 @@ func (m *Manager) StartMultipleExitNodes(exitNodes []ExitNode) error {
 	m.updateChan = make(chan struct{}, 1)
 	m.mu.Unlock()
 
-	logger.Info("Starting UDP hole punch to %d exit nodes with shared bind", len(exitNodes))
+	logger.Debug("Starting UDP hole punch to %d exit nodes with shared bind", len(exitNodes))
 
 	go m.runMultipleExitNodes()
 
@@ -313,7 +398,7 @@ func (m *Manager) runMultipleExitNodes() {
 				continue
 			}
 
-			serverAddr := net.JoinHostPort(host, "21820")
+			serverAddr := net.JoinHostPort(host, strconv.Itoa(int(exitNode.RelayPort)))
 			remoteAddr, err := net.ResolveUDPAddr("udp", serverAddr)
 			if err != nil {
 				logger.Error("Failed to resolve UDP address %s: %v", serverAddr, err)
@@ -325,7 +410,7 @@ func (m *Manager) runMultipleExitNodes() {
 				publicKey:    exitNode.PublicKey,
 				endpointName: exitNode.Endpoint,
 			})
-			logger.Info("Resolved exit node: %s -> %s", exitNode.Endpoint, remoteAddr.String())
+			logger.Debug("Resolved exit node: %s -> %s", exitNode.Endpoint, remoteAddr.String())
 		}
 		return resolvedNodes
 	}
@@ -345,7 +430,7 @@ func (m *Manager) runMultipleExitNodes() {
 
 	// Start with minimum interval
 	m.mu.Lock()
-	m.sendHolepunchInterval = sendHolepunchIntervalMin
+	m.sendHolepunchInterval = m.sendHolepunchIntervalMin
 	m.mu.Unlock()
 
 	ticker := time.NewTicker(m.sendHolepunchInterval)
@@ -367,7 +452,7 @@ func (m *Manager) runMultipleExitNodes() {
 			}
 			// Reset interval to minimum on update
 			m.mu.Lock()
-			m.sendHolepunchInterval = sendHolepunchIntervalMin
+			m.sendHolepunchInterval = m.sendHolepunchIntervalMin
 			m.mu.Unlock()
 			ticker.Reset(m.sendHolepunchInterval)
 			// Send immediate hole punch to newly resolved nodes
@@ -387,8 +472,8 @@ func (m *Manager) runMultipleExitNodes() {
 				// Exponential backoff: double the interval up to max
 				m.mu.Lock()
 				newInterval := m.sendHolepunchInterval * 2
-				if newInterval > sendHolepunchIntervalMax {
-					newInterval = sendHolepunchIntervalMax
+				if newInterval > m.sendHolepunchIntervalMax {
+					newInterval = m.sendHolepunchIntervalMax
 				}
 				if newInterval != m.sendHolepunchInterval {
 					m.sendHolepunchInterval = newInterval

holepunch/tester.go

@@ -41,6 +41,12 @@ func DefaultTestOptions() TestConnectionOptions {
 	}
 }
 
+// cachedAddr holds a cached resolved UDP address
+type cachedAddr struct {
+	addr      *net.UDPAddr
+	resolvedAt time.Time
+}
+
 // HolepunchTester monitors holepunch connectivity using magic packets
 type HolepunchTester struct {
 	sharedBind *bind.SharedBind
@@ -53,6 +59,11 @@ type HolepunchTester struct {
 
 	// Callback when connection status changes
 	callback HolepunchStatusCallback
+
+	// Address cache to avoid repeated DNS/UDP resolution
+	addrCache    map[string]*cachedAddr
+	addrCacheMu  sync.RWMutex
+	addrCacheTTL time.Duration // How long cached addresses are valid
 }
 
 // HolepunchStatus represents the status of a holepunch connection
@@ -75,7 +86,9 @@ type pendingRequest struct {
 // NewHolepunchTester creates a new holepunch tester using the given SharedBind
 func NewHolepunchTester(sharedBind *bind.SharedBind) *HolepunchTester {
 	return &HolepunchTester{
-		sharedBind: sharedBind,
+		sharedBind:   sharedBind,
+		addrCache:    make(map[string]*cachedAddr),
+		addrCacheTTL: 5 * time.Minute, // Cache addresses for 5 minutes
 	}
 }
 
@@ -135,12 +148,70 @@ func (t *HolepunchTester) Stop() {
 		return true
 	})
 
+	// Clear address cache
+	t.addrCacheMu.Lock()
+	t.addrCache = make(map[string]*cachedAddr)
+	t.addrCacheMu.Unlock()
+
 	logger.Debug("HolepunchTester stopped")
 }
 
+// resolveEndpoint resolves an endpoint to a UDP address, using cache when possible
+func (t *HolepunchTester) resolveEndpoint(endpoint string) (*net.UDPAddr, error) {
+	// Check cache first
+	t.addrCacheMu.RLock()
+	cached, ok := t.addrCache[endpoint]
+	ttl := t.addrCacheTTL
+	t.addrCacheMu.RUnlock()
+
+	if ok && time.Since(cached.resolvedAt) < ttl {
+		return cached.addr, nil
+	}
+
+	// Resolve the endpoint
+	host, err := util.ResolveDomain(endpoint)
+	if err != nil {
+		host = endpoint
+	}
+
+	_, _, err = net.SplitHostPort(host)
+	if err != nil {
+		host = net.JoinHostPort(host, "21820")
+	}
+
+	remoteAddr, err := net.ResolveUDPAddr("udp", host)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve UDP address %s: %w", host, err)
+	}
+
+	// Cache the result
+	t.addrCacheMu.Lock()
+	t.addrCache[endpoint] = &cachedAddr{
+		addr:       remoteAddr,
+		resolvedAt: time.Now(),
+	}
+	t.addrCacheMu.Unlock()
+
+	return remoteAddr, nil
+}
+
+// InvalidateCache removes a specific endpoint from the address cache
+func (t *HolepunchTester) InvalidateCache(endpoint string) {
+	t.addrCacheMu.Lock()
+	delete(t.addrCache, endpoint)
+	t.addrCacheMu.Unlock()
+}
+
+// ClearCache clears all cached addresses
+func (t *HolepunchTester) ClearCache() {
+	t.addrCacheMu.Lock()
+	t.addrCache = make(map[string]*cachedAddr)
+	t.addrCacheMu.Unlock()
+}
+
 // handleResponse is called by SharedBind when a magic response is received
 func (t *HolepunchTester) handleResponse(addr netip.AddrPort, echoData []byte) {
-	logger.Debug("Received magic response from %s", addr.String())
+	// logger.Debug("Received magic response from %s", addr.String())
 	key := string(echoData)
 
 	value, ok := t.pendingRequests.LoadAndDelete(key)
@@ -152,7 +223,7 @@ func (t *HolepunchTester) handleResponse(addr netip.AddrPort, echoData []byte) {
 
 	req := value.(*pendingRequest)
 	rtt := time.Since(req.sentAt)
-	logger.Debug("Magic response matched pending request for %s (RTT: %v)", req.endpoint, rtt)
+	// logger.Debug("Magic response matched pending request for %s (RTT: %v)", req.endpoint, rtt)
 
 	// Send RTT to the waiting goroutine (non-blocking)
 	select {
@@ -183,20 +254,10 @@ func (t *HolepunchTester) TestEndpoint(endpoint string, timeout time.Duration) T
 		return result
 	}
 
-	// Resolve the endpoint
-	host, err := util.ResolveDomain(endpoint)
+	// Resolve the endpoint (using cache)
+	remoteAddr, err := t.resolveEndpoint(endpoint)
 	if err != nil {
-		host = endpoint
-	}
-
-	_, _, err = net.SplitHostPort(host)
-	if err != nil {
-		host = net.JoinHostPort(host, "21820")
-	}
-
-	remoteAddr, err := net.ResolveUDPAddr("udp", host)
-	if err != nil {
-		result.Error = fmt.Errorf("failed to resolve UDP address %s: %w", host, err)
+		result.Error = err
 		return result
 	}
 

main.go

@@ -37,6 +37,7 @@ import (
 
 type WgData struct {
 	Endpoint           string               `json:"endpoint"`
+	RelayPort          uint16               `json:"relayPort"`
 	PublicKey          string               `json:"publicKey"`
 	ServerIP           string               `json:"serverIP"`
 	TunnelIP           string               `json:"tunnelIP"`
@@ -419,7 +420,7 @@ func runNewtMain(ctx context.Context) {
 	}
 	if tel != nil {
 		// Admin HTTP server (exposes /metrics when Prometheus exporter is enabled)
-		logger.Info("Starting metrics server on %s", tcfg.AdminAddr)
+		logger.Debug("Starting metrics server on %s", tcfg.AdminAddr)
 		mux := http.NewServeMux()
 		mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(200) })
 		if tel.PrometheusHandler != nil {
@@ -505,7 +506,7 @@ func runNewtMain(ctx context.Context) {
 		id,     // CLI arg takes precedence
 		secret, // CLI arg takes precedence
 		endpoint,
-		pingInterval,
+		30*time.Second, // 30 seconds
 		pingTimeout,
 		opt,
 	)
@@ -691,7 +692,12 @@ func runNewtMain(ctx context.Context) {
 			return
 		}
 
-		clientsHandleNewtConnection(wgData.PublicKey, endpoint)
+		relayPort := wgData.RelayPort
+		if relayPort == 0 {
+			relayPort = 21820
+		}
+
+		clientsHandleNewtConnection(wgData.PublicKey, endpoint, relayPort)
 
 		// Configure WireGuard
 		config := fmt.Sprintf(`private_key=%s
@@ -1100,6 +1106,151 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
 		}
 	})
 
+	// Register handler for syncing targets (TCP, UDP, and health checks)
+	client.RegisterHandler("newt/sync", func(msg websocket.WSMessage) {
+		logger.Info("Received sync message")
+
+		// if there is no wgData or pm, we can't sync targets
+		if wgData.TunnelIP == "" || pm == nil {
+			logger.Info(msgNoTunnelOrProxy)
+			return
+		}
+
+		// Define the sync data structure
+		type SyncData struct {
+			Targets            TargetsByType        `json:"targets"`
+			HealthCheckTargets []healthcheck.Config `json:"healthCheckTargets"`
+		}
+
+		var syncData SyncData
+		jsonData, err := json.Marshal(msg.Data)
+		if err != nil {
+			logger.Error("Error marshaling sync data: %v", err)
+			return
+		}
+
+		if err := json.Unmarshal(jsonData, &syncData); err != nil {
+			logger.Error("Error unmarshaling sync data: %v", err)
+			return
+		}
+
+		logger.Debug("Sync data received: TCP targets=%d, UDP targets=%d, health check targets=%d",
+			len(syncData.Targets.TCP), len(syncData.Targets.UDP), len(syncData.HealthCheckTargets))
+
+		// Build sets of desired targets (port -> target string)
+		desiredTCP := make(map[int]string)
+		for _, t := range syncData.Targets.TCP {
+			parts := strings.Split(t, ":")
+			if len(parts) != 3 {
+				logger.Warn("Invalid TCP target format: %s", t)
+				continue
+			}
+			port := 0
+			if _, err := fmt.Sscanf(parts[0], "%d", &port); err != nil {
+				logger.Warn("Invalid port in TCP target: %s", parts[0])
+				continue
+			}
+			desiredTCP[port] = parts[1] + ":" + parts[2]
+		}
+
+		desiredUDP := make(map[int]string)
+		for _, t := range syncData.Targets.UDP {
+			parts := strings.Split(t, ":")
+			if len(parts) != 3 {
+				logger.Warn("Invalid UDP target format: %s", t)
+				continue
+			}
+			port := 0
+			if _, err := fmt.Sscanf(parts[0], "%d", &port); err != nil {
+				logger.Warn("Invalid port in UDP target: %s", parts[0])
+				continue
+			}
+			desiredUDP[port] = parts[1] + ":" + parts[2]
+		}
+
+		// Get current targets from proxy manager
+		currentTCP, currentUDP := pm.GetTargets()
+
+		// Sync TCP targets
+		// Remove TCP targets not in desired set
+		if tcpForIP, ok := currentTCP[wgData.TunnelIP]; ok {
+			for port := range tcpForIP {
+				if _, exists := desiredTCP[port]; !exists {
+					logger.Info("Sync: removing TCP target on port %d", port)
+					targetStr := fmt.Sprintf("%d:%s", port, tcpForIP[port])
+					updateTargets(pm, "remove", wgData.TunnelIP, "tcp", TargetData{Targets: []string{targetStr}})
+				}
+			}
+		}
+
+		// Add TCP targets that are missing
+		for port, target := range desiredTCP {
+			needsAdd := true
+			if tcpForIP, ok := currentTCP[wgData.TunnelIP]; ok {
+				if currentTarget, exists := tcpForIP[port]; exists {
+					// Check if target address changed
+					if currentTarget == target {
+						needsAdd = false
+					} else {
+						// Target changed, remove old one first
+						logger.Info("Sync: updating TCP target on port %d", port)
+						targetStr := fmt.Sprintf("%d:%s", port, currentTarget)
+						updateTargets(pm, "remove", wgData.TunnelIP, "tcp", TargetData{Targets: []string{targetStr}})
+					}
+				}
+			}
+			if needsAdd {
+				logger.Info("Sync: adding TCP target on port %d -> %s", port, target)
+				targetStr := fmt.Sprintf("%d:%s", port, target)
+				updateTargets(pm, "add", wgData.TunnelIP, "tcp", TargetData{Targets: []string{targetStr}})
+			}
+		}
+
+		// Sync UDP targets
+		// Remove UDP targets not in desired set
+		if udpForIP, ok := currentUDP[wgData.TunnelIP]; ok {
+			for port := range udpForIP {
+				if _, exists := desiredUDP[port]; !exists {
+					logger.Info("Sync: removing UDP target on port %d", port)
+					targetStr := fmt.Sprintf("%d:%s", port, udpForIP[port])
+					updateTargets(pm, "remove", wgData.TunnelIP, "udp", TargetData{Targets: []string{targetStr}})
+				}
+			}
+		}
+
+		// Add UDP targets that are missing
+		for port, target := range desiredUDP {
+			needsAdd := true
+			if udpForIP, ok := currentUDP[wgData.TunnelIP]; ok {
+				if currentTarget, exists := udpForIP[port]; exists {
+					// Check if target address changed
+					if currentTarget == target {
+						needsAdd = false
+					} else {
+						// Target changed, remove old one first
+						logger.Info("Sync: updating UDP target on port %d", port)
+						targetStr := fmt.Sprintf("%d:%s", port, currentTarget)
+						updateTargets(pm, "remove", wgData.TunnelIP, "udp", TargetData{Targets: []string{targetStr}})
+					}
+				}
+			}
+			if needsAdd {
+				logger.Info("Sync: adding UDP target on port %d -> %s", port, target)
+				targetStr := fmt.Sprintf("%d:%s", port, target)
+				updateTargets(pm, "add", wgData.TunnelIP, "udp", TargetData{Targets: []string{targetStr}})
+			}
+		}
+
+		// Sync health check targets
+		if err := healthMonitor.SyncTargets(syncData.HealthCheckTargets); err != nil {
+			logger.Error("Failed to sync health check targets: %v", err)
+		} else {
+			logger.Info("Successfully synced health check targets")
+		}
+
+		logger.Info("Sync complete")
+	})
+
 	// Register handler for Docker socket check
 	client.RegisterHandler("newt/socket/check", func(msg websocket.WSMessage) {
 		logger.Debug("Received Docker socket check request")

netstack2/handlers.go

@@ -10,12 +10,18 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"net/netip"
+	"os/exec"
 	"sync"
 	"time"
 
 	"github.com/fosrl/newt/logger"
+	"golang.org/x/net/icmp"
+	"golang.org/x/net/ipv4"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
+	"gvisor.dev/gvisor/pkg/tcpip/checksum"
+	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
 	"gvisor.dev/gvisor/pkg/tcpip/transport/udp"
@@ -58,6 +64,9 @@ const (
 
 	// Buffer size for copying data
 	bufferSize = 32 * 1024
+
+	// icmpTimeout is the default timeout for ICMP ping requests.
+	icmpTimeout = 5 * time.Second
 )
 
 // TCPHandler handles TCP connections from netstack
@@ -72,6 +81,12 @@ type UDPHandler struct {
 	proxyHandler *ProxyHandler
 }
 
+// ICMPHandler handles ICMP packets from netstack
+type ICMPHandler struct {
+	stack        *stack.Stack
+	proxyHandler *ProxyHandler
+}
+
 // NewTCPHandler creates a new TCP handler
 func NewTCPHandler(s *stack.Stack, ph *ProxyHandler) *TCPHandler {
 	return &TCPHandler{stack: s, proxyHandler: ph}
@@ -82,6 +97,11 @@ func NewUDPHandler(s *stack.Stack, ph *ProxyHandler) *UDPHandler {
 	return &UDPHandler{stack: s, proxyHandler: ph}
 }
 
+// NewICMPHandler creates a new ICMP handler
+func NewICMPHandler(s *stack.Stack, ph *ProxyHandler) *ICMPHandler {
+	return &ICMPHandler{stack: s, proxyHandler: ph}
+}
+
 // InstallTCPHandler installs the TCP forwarder on the stack
 func (h *TCPHandler) InstallTCPHandler() error {
 	tcpForwarder := tcp.NewForwarder(h.stack, defaultWndSize, maxConnAttempts, func(r *tcp.ForwarderRequest) {
@@ -348,3 +368,334 @@ func copyPacketData(dst, src net.PacketConn, to net.Addr, timeout time.Duration)
 		dst.SetReadDeadline(time.Now().Add(timeout))
 	}
 }
+
+// InstallICMPHandler installs the ICMP handler on the stack
+func (h *ICMPHandler) InstallICMPHandler() error {
+	h.stack.SetTransportProtocolHandler(header.ICMPv4ProtocolNumber, h.handleICMPPacket)
+	logger.Debug("ICMP Handler: Installed ICMP protocol handler")
+	return nil
+}
+
+// handleICMPPacket handles incoming ICMP packets
+func (h *ICMPHandler) handleICMPPacket(id stack.TransportEndpointID, pkt *stack.PacketBuffer) bool {
+	logger.Debug("ICMP Handler: Received ICMP packet from %s to %s", id.RemoteAddress, id.LocalAddress)
+
+	// Get the ICMP header from the packet
+	icmpData := pkt.TransportHeader().Slice()
+	if len(icmpData) < header.ICMPv4MinimumSize {
+		logger.Debug("ICMP Handler: Packet too small for ICMP header: %d bytes", len(icmpData))
+		return false
+	}
+
+	icmpHdr := header.ICMPv4(icmpData)
+	icmpType := icmpHdr.Type()
+	icmpCode := icmpHdr.Code()
+
+	logger.Debug("ICMP Handler: Type=%d, Code=%d, Ident=%d, Seq=%d",
+		icmpType, icmpCode, icmpHdr.Ident(), icmpHdr.Sequence())
+
+	// Only handle Echo Request (ping)
+	if icmpType != header.ICMPv4Echo {
+		logger.Debug("ICMP Handler: Ignoring non-echo ICMP type: %d", icmpType)
+		return false
+	}
+
+	// Extract source and destination addresses
+	srcIP := id.RemoteAddress.String()
+	dstIP := id.LocalAddress.String()
+
+	logger.Info("ICMP Handler: Echo Request from %s to %s (ident=%d, seq=%d)",
+		srcIP, dstIP, icmpHdr.Ident(), icmpHdr.Sequence())
+
+	// Convert to netip.Addr for subnet matching
+	srcAddr, err := netip.ParseAddr(srcIP)
+	if err != nil {
+		logger.Debug("ICMP Handler: Failed to parse source IP %s: %v", srcIP, err)
+		return false
+	}
+	dstAddr, err := netip.ParseAddr(dstIP)
+	if err != nil {
+		logger.Debug("ICMP Handler: Failed to parse dest IP %s: %v", dstIP, err)
+		return false
+	}
+
+	// Check subnet rules (use port 0 for ICMP since it doesn't have ports)
+	if h.proxyHandler == nil {
+		logger.Debug("ICMP Handler: No proxy handler configured")
+		return false
+	}
+
+	matchedRule := h.proxyHandler.subnetLookup.Match(srcAddr, dstAddr, 0, header.ICMPv4ProtocolNumber)
+	if matchedRule == nil {
+		logger.Debug("ICMP Handler: No matching subnet rule for %s -> %s", srcIP, dstIP)
+		return false
+	}
+
+	logger.Info("ICMP Handler: Matched subnet rule for %s -> %s", srcIP, dstIP)
+
+	// Determine actual destination (with possible rewrite)
+	actualDstIP := dstIP
+	if matchedRule.RewriteTo != "" {
+		resolvedAddr, err := h.proxyHandler.resolveRewriteAddress(matchedRule.RewriteTo)
+		if err != nil {
+			logger.Info("ICMP Handler: Failed to resolve rewrite address %s: %v", matchedRule.RewriteTo, err)
+		} else {
+			actualDstIP = resolvedAddr.String()
+			logger.Info("ICMP Handler: Using rewritten destination %s (original: %s)", actualDstIP, dstIP)
+		}
+	}
+
+	// Get the full ICMP payload (including the data after the header)
+	icmpPayload := pkt.Data().AsRange().ToSlice()
+
+	// Handle the ping in a goroutine to avoid blocking
+	go h.proxyPing(srcIP, dstIP, actualDstIP, icmpHdr.Ident(), icmpHdr.Sequence(), icmpPayload)
+
+	return true
+}
+
+// proxyPing sends a ping to the actual destination and injects the reply back
+func (h *ICMPHandler) proxyPing(srcIP, originalDstIP, actualDstIP string, ident, seq uint16, payload []byte) {
+	logger.Debug("ICMP Handler: Proxying ping from %s to %s (actual: %s), ident=%d, seq=%d",
+		srcIP, originalDstIP, actualDstIP, ident, seq)
+
+	// Try three methods in order: ip4:icmp -> udp4 -> ping command
+	// Track which method succeeded so we can handle identifier matching correctly
+	method, success := h.tryICMPMethods(actualDstIP, ident, seq, payload)
+
+	if !success {
+		logger.Info("ICMP Handler: All ping methods failed for %s", actualDstIP)
+		return
+	}
+
+	logger.Info("ICMP Handler: Ping successful to %s using %s, injecting reply (ident=%d, seq=%d)",
+		actualDstIP, method, ident, seq)
+
+	// Build the reply packet to inject back into the netstack
+	// The reply should appear to come from the original destination (before rewrite)
+	h.injectICMPReply(srcIP, originalDstIP, ident, seq, payload)
+}
+
+// tryICMPMethods tries all available ICMP methods in order
+func (h *ICMPHandler) tryICMPMethods(actualDstIP string, ident, seq uint16, payload []byte) (string, bool) {
+	if h.tryRawICMP(actualDstIP, ident, seq, payload, false) {
+		return "raw ICMP", true
+	}
+	if h.tryUnprivilegedICMP(actualDstIP, ident, seq, payload) {
+		return "unprivileged ICMP", true
+	}
+	if h.tryPingCommand(actualDstIP, ident, seq, payload) {
+		return "ping command", true
+	}
+	return "", false
+}
+
+// tryRawICMP attempts to ping using raw ICMP sockets (requires CAP_NET_RAW or root)
+func (h *ICMPHandler) tryRawICMP(actualDstIP string, ident, seq uint16, payload []byte, ignoreIdent bool) bool {
+	conn, err := icmp.ListenPacket("ip4:icmp", "0.0.0.0")
+	if err != nil {
+		logger.Debug("ICMP Handler: Raw ICMP socket not available: %v", err)
+		return false
+	}
+	defer conn.Close()
+
+	logger.Debug("ICMP Handler: Using raw ICMP socket")
+	return h.sendAndReceiveICMP(conn, actualDstIP, ident, seq, payload, false, ignoreIdent)
+}
+
+// tryUnprivilegedICMP attempts to ping using unprivileged ICMP (requires ping_group_range configured)
+func (h *ICMPHandler) tryUnprivilegedICMP(actualDstIP string, ident, seq uint16, payload []byte) bool {
+	conn, err := icmp.ListenPacket("udp4", "0.0.0.0")
+	if err != nil {
+		logger.Debug("ICMP Handler: Unprivileged ICMP socket not available: %v", err)
+		return false
+	}
+	defer conn.Close()
+
+	logger.Debug("ICMP Handler: Using unprivileged ICMP socket")
+	// Unprivileged ICMP doesn't let us control the identifier, so we ignore it in matching
+	return h.sendAndReceiveICMP(conn, actualDstIP, ident, seq, payload, true, true)
+}
+
+// sendAndReceiveICMP sends an ICMP echo request and waits for the reply
+func (h *ICMPHandler) sendAndReceiveICMP(conn *icmp.PacketConn, actualDstIP string, ident, seq uint16, payload []byte, isUnprivileged bool, ignoreIdent bool) bool {
+	// Build the ICMP echo request message
+	echoMsg := &icmp.Message{
+		Type: ipv4.ICMPTypeEcho,
+		Code: 0,
+		Body: &icmp.Echo{
+			ID:   int(ident),
+			Seq:  int(seq),
+			Data: payload,
+		},
+	}
+
+	msgBytes, err := echoMsg.Marshal(nil)
+	if err != nil {
+		logger.Debug("ICMP Handler: Failed to marshal ICMP message: %v", err)
+		return false
+	}
+
+	// Resolve destination address based on socket type
+	var writeErr error
+	if isUnprivileged {
+		// For unprivileged ICMP, use UDP-style addressing
+		udpAddr := &net.UDPAddr{IP: net.ParseIP(actualDstIP)}
+		logger.Debug("ICMP Handler: Sending ping to %s (unprivileged)", udpAddr.String())
+		conn.SetDeadline(time.Now().Add(icmpTimeout))
+		_, writeErr = conn.WriteTo(msgBytes, udpAddr)
+	} else {
+		// For raw ICMP, use IP addressing
+		dst, err := net.ResolveIPAddr("ip4", actualDstIP)
+		if err != nil {
+			logger.Debug("ICMP Handler: Failed to resolve destination %s: %v", actualDstIP, err)
+			return false
+		}
+		logger.Debug("ICMP Handler: Sending ping to %s (raw)", dst.String())
+		conn.SetDeadline(time.Now().Add(icmpTimeout))
+		_, writeErr = conn.WriteTo(msgBytes, dst)
+	}
+
+	if writeErr != nil {
+		logger.Debug("ICMP Handler: Failed to send ping to %s: %v", actualDstIP, writeErr)
+		return false
+	}
+
+	logger.Debug("ICMP Handler: Ping sent to %s, waiting for reply (ident=%d, seq=%d)", actualDstIP, ident, seq)
+
+	// Wait for reply - loop to filter out non-matching packets
+	replyBuf := make([]byte, 1500)
+
+	for {
+		n, peer, err := conn.ReadFrom(replyBuf)
+		if err != nil {
+			logger.Debug("ICMP Handler: Failed to receive ping reply from %s: %v", actualDstIP, err)
+			return false
+		}
+
+		logger.Debug("ICMP Handler: Received %d bytes from %s", n, peer.String())
+
+		// Parse the reply
+		replyMsg, err := icmp.ParseMessage(1, replyBuf[:n])
+		if err != nil {
+			logger.Debug("ICMP Handler: Failed to parse ICMP message: %v", err)
+			continue
+		}
+
+		// Check if it's an echo reply (type 0), not an echo request (type 8)
+		if replyMsg.Type != ipv4.ICMPTypeEchoReply {
+			logger.Debug("ICMP Handler: Received non-echo-reply type: %v, continuing to wait", replyMsg.Type)
+			continue
+		}
+
+		reply, ok := replyMsg.Body.(*icmp.Echo)
+		if !ok {
+			logger.Debug("ICMP Handler: Invalid echo reply body type, continuing to wait")
+			continue
+		}
+
+		// Verify the sequence matches what we sent
+		// For unprivileged ICMP, the kernel controls the identifier, so we only check sequence
+		if reply.Seq != int(seq) {
+			logger.Debug("ICMP Handler: Reply seq mismatch: got seq=%d, want seq=%d", reply.Seq, seq)
+			continue
+		}
+
+		if !ignoreIdent && reply.ID != int(ident) {
+			logger.Debug("ICMP Handler: Reply ident mismatch: got ident=%d, want ident=%d", reply.ID, ident)
+			continue
+		}
+
+		// Found matching reply
+		logger.Debug("ICMP Handler: Received valid echo reply")
+		return true
+	}
+}
+
+// tryPingCommand attempts to ping using the system ping command (always works, but less control)
+func (h *ICMPHandler) tryPingCommand(actualDstIP string, ident, seq uint16, payload []byte) bool {
+	logger.Debug("ICMP Handler: Attempting to use system ping command")
+
+	ctx, cancel := context.WithTimeout(context.Background(), icmpTimeout)
+	defer cancel()
+
+	// Send one ping with timeout
+	// -c 1: count = 1 packet
+	// -W 5: timeout = 5 seconds
+	// -q: quiet output (just summary)
+	cmd := exec.CommandContext(ctx, "ping", "-c", "1", "-W", "5", "-q", actualDstIP)
+	output, err := cmd.CombinedOutput()
+
+	if err != nil {
+		logger.Debug("ICMP Handler: System ping command failed: %v, output: %s", err, string(output))
+		return false
+	}
+
+	logger.Debug("ICMP Handler: System ping command succeeded")
+	return true
+}
+
+// injectICMPReply creates an ICMP echo reply packet and queues it to be sent back through the tunnel
+func (h *ICMPHandler) injectICMPReply(dstIP, srcIP string, ident, seq uint16, payload []byte) {
+	logger.Debug("ICMP Handler: Creating reply from %s to %s (ident=%d, seq=%d)",
+		srcIP, dstIP, ident, seq)
+
+	// Parse addresses
+	srcAddr, err := netip.ParseAddr(srcIP)
+	if err != nil {
+		logger.Info("ICMP Handler: Failed to parse source IP for reply: %v", err)
+		return
+	}
+	dstAddr, err := netip.ParseAddr(dstIP)
+	if err != nil {
+		logger.Info("ICMP Handler: Failed to parse dest IP for reply: %v", err)
+		return
+	}
+
+	// Calculate total packet size
+	ipHeaderLen := header.IPv4MinimumSize
+	icmpHeaderLen := header.ICMPv4MinimumSize
+	totalLen := ipHeaderLen + icmpHeaderLen + len(payload)
+
+	// Create the packet buffer
+	pkt := make([]byte, totalLen)
+
+	// Build IPv4 header
+	ipHdr := header.IPv4(pkt[:ipHeaderLen])
+	ipHdr.Encode(&header.IPv4Fields{
+		TotalLength: uint16(totalLen),
+		TTL:         64,
+		Protocol:    uint8(header.ICMPv4ProtocolNumber),
+		SrcAddr:     tcpip.AddrFrom4(srcAddr.As4()),
+		DstAddr:     tcpip.AddrFrom4(dstAddr.As4()),
+	})
+	ipHdr.SetChecksum(^ipHdr.CalculateChecksum())
+
+	// Build ICMP header
+	icmpHdr := header.ICMPv4(pkt[ipHeaderLen : ipHeaderLen+icmpHeaderLen])
+	icmpHdr.SetType(header.ICMPv4EchoReply)
+	icmpHdr.SetCode(0)
+	icmpHdr.SetIdent(ident)
+	icmpHdr.SetSequence(seq)
+
+	// Copy payload
+	copy(pkt[ipHeaderLen+icmpHeaderLen:], payload)
+
+	// Calculate ICMP checksum (covers ICMP header + payload)
+	icmpHdr.SetChecksum(0)
+	icmpData := pkt[ipHeaderLen:]
+	icmpHdr.SetChecksum(^checksum.Checksum(icmpData, 0))
+
+	logger.Debug("ICMP Handler: Built reply packet, total length=%d", totalLen)
+
+	// Queue the packet to be sent back through the tunnel
+	if h.proxyHandler != nil {
+		if h.proxyHandler.QueueICMPReply(pkt) {
+			logger.Info("ICMP Handler: Queued echo reply packet for transmission")
+		} else {
+			logger.Info("ICMP Handler: Failed to queue echo reply packet")
+		}
+	} else {
+		logger.Info("ICMP Handler: Cannot queue reply - proxy handler not available")
+	}
+}

netstack2/proxy.go

@@ -43,6 +43,7 @@ type PortRange struct {
 type SubnetRule struct {
 	SourcePrefix netip.Prefix // Source IP prefix (who is sending)
 	DestPrefix   netip.Prefix // Destination IP prefix (where it's going)
+	DisableIcmp  bool         // If true, ICMP traffic is blocked for this subnet
 	RewriteTo    string       // Optional rewrite address for DNAT - can be IP/CIDR or domain name
 	PortRanges   []PortRange  // empty slice means all ports allowed
 }
@@ -69,7 +70,7 @@ func NewSubnetLookup() *SubnetLookup {
 // AddSubnet adds a subnet rule with source and destination prefixes and optional port restrictions
 // If portRanges is nil or empty, all ports are allowed for this subnet
 // rewriteTo can be either an IP/CIDR (e.g., "192.168.1.1/32") or a domain name (e.g., "example.com")
-func (sl *SubnetLookup) AddSubnet(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange) {
+func (sl *SubnetLookup) AddSubnet(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange, disableIcmp bool) {
 	sl.mu.Lock()
 	defer sl.mu.Unlock()
 
@@ -81,6 +82,7 @@ func (sl *SubnetLookup) AddSubnet(sourcePrefix, destPrefix netip.Prefix, rewrite
 	sl.rules[key] = &SubnetRule{
 		SourcePrefix: sourcePrefix,
 		DestPrefix:   destPrefix,
+		DisableIcmp:  disableIcmp,
 		RewriteTo:    rewriteTo,
 		PortRanges:   portRanges,
 	}
@@ -99,6 +101,18 @@ func (sl *SubnetLookup) RemoveSubnet(sourcePrefix, destPrefix netip.Prefix) {
 	delete(sl.rules, key)
 }
 
+// GetAllRules returns a copy of all subnet rules
+func (sl *SubnetLookup) GetAllRules() []SubnetRule {
+	sl.mu.RLock()
+	defer sl.mu.RUnlock()
+
+	rules := make([]SubnetRule, 0, len(sl.rules))
+	for _, rule := range sl.rules {
+		rules = append(rules, *rule)
+	}
+	return rules
+}
+
 // Match checks if a source IP, destination IP, port, and protocol match any subnet rule
 // Returns the matched rule if ALL of these conditions are met:
 //   - The source IP is in the rule's source prefix
@@ -123,6 +137,11 @@ func (sl *SubnetLookup) Match(srcIP, dstIP netip.Addr, port uint16, proto tcpip.
 			continue
 		}
 
+		if rule.DisableIcmp && (proto == header.ICMPv4ProtocolNumber || proto == header.ICMPv6ProtocolNumber) {
+		    // ICMP is disabled for this subnet
+			return nil
+		}
+
 		// Both IPs match - now check port restrictions
 		// If no port ranges specified, all ports are allowed
 		if len(rule.PortRanges) == 0 {
@@ -180,23 +199,27 @@ type ProxyHandler struct {
 	proxyNotifyHandle *channel.NotificationHandle
 	tcpHandler        *TCPHandler
 	udpHandler        *UDPHandler
+	icmpHandler       *ICMPHandler
 	subnetLookup      *SubnetLookup
 	natTable          map[connKey]*natState
 	destRewriteTable  map[destKey]netip.Addr // Maps original dest to rewritten dest for handler lookups
 	natMu             sync.RWMutex
 	enabled           bool
+	icmpReplies       chan []byte          // Channel for ICMP reply packets to be sent back through the tunnel
+	notifiable        channel.Notification // Notification handler for triggering reads
 }
 
 // ProxyHandlerOptions configures the proxy handler
 type ProxyHandlerOptions struct {
-	EnableTCP bool
-	EnableUDP bool
-	MTU       int
+	EnableTCP  bool
+	EnableUDP  bool
+	EnableICMP bool
+	MTU        int
 }
 
 // NewProxyHandler creates a new proxy handler for promiscuous mode
 func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) {
-	if !options.EnableTCP && !options.EnableUDP {
+	if !options.EnableTCP && !options.EnableUDP && !options.EnableICMP {
 		return nil, nil // No proxy needed
 	}
 
@@ -205,6 +228,7 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) {
 		subnetLookup:     NewSubnetLookup(),
 		natTable:         make(map[connKey]*natState),
 		destRewriteTable: make(map[destKey]netip.Addr),
+		icmpReplies:      make(chan []byte, 256), // Buffer for ICMP reply packets
 		proxyEp:          channel.New(1024, uint32(options.MTU), ""),
 		proxyStack: stack.New(stack.Options{
 			NetworkProtocols: []stack.NetworkProtocolFactory{
@@ -236,6 +260,15 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) {
 		}
 	}
 
+	// Initialize ICMP handler if enabled
+	if options.EnableICMP {
+		handler.icmpHandler = NewICMPHandler(handler.proxyStack, handler)
+		if err := handler.icmpHandler.InstallICMPHandler(); err != nil {
+			return nil, fmt.Errorf("failed to install ICMP handler: %v", err)
+		}
+		logger.Debug("ProxyHandler: ICMP handler enabled")
+	}
+
 	// // Example 1: Add a rule with no port restrictions (all ports allowed)
 	// // This accepts all traffic FROM 10.0.0.0/24 TO 10.20.20.0/24
 	// sourceSubnet := netip.MustParsePrefix("10.0.0.0/24")
@@ -260,11 +293,11 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) {
 // destPrefix: The IP prefix of the destination
 // rewriteTo: Optional address to rewrite destination to - can be IP/CIDR or domain name
 // If portRanges is nil or empty, all ports are allowed for this subnet
-func (p *ProxyHandler) AddSubnetRule(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange) {
+func (p *ProxyHandler) AddSubnetRule(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange, disableIcmp bool) {
 	if p == nil || !p.enabled {
 		return
 	}
-	p.subnetLookup.AddSubnet(sourcePrefix, destPrefix, rewriteTo, portRanges)
+	p.subnetLookup.AddSubnet(sourcePrefix, destPrefix, rewriteTo, portRanges, disableIcmp)
 }
 
 // RemoveSubnetRule removes a subnet from the proxy handler
@@ -275,6 +308,14 @@ func (p *ProxyHandler) RemoveSubnetRule(sourcePrefix, destPrefix netip.Prefix) {
 	p.subnetLookup.RemoveSubnet(sourcePrefix, destPrefix)
 }
 
+// GetAllRules returns all subnet rules from the proxy handler
+func (p *ProxyHandler) GetAllRules() []SubnetRule {
+	if p == nil || !p.enabled {
+		return nil
+	}
+	return p.subnetLookup.GetAllRules()
+}
+
 // LookupDestinationRewrite looks up the rewritten destination for a connection
 // This is used by TCP/UDP handlers to find the actual target address
 func (p *ProxyHandler) LookupDestinationRewrite(srcIP, dstIP string, dstPort uint16, proto uint8) (netip.Addr, bool) {
@@ -343,6 +384,9 @@ func (p *ProxyHandler) Initialize(notifiable channel.Notification) error {
 		return nil
 	}
 
+	// Store notifiable for triggering notifications on ICMP replies
+	p.notifiable = notifiable
+
 	// Add notification handler
 	p.proxyNotifyHandle = p.proxyEp.AddNotify(notifiable)
 
@@ -421,14 +465,21 @@ func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool {
 		}
 		udpHeader := header.UDP(packet[headerLen:])
 		dstPort = udpHeader.DestinationPort()
-	default:
-		// For other protocols (ICMP, etc.), use port 0 (must match rules with no port restrictions)
+	case header.ICMPv4ProtocolNumber:
+		// ICMP doesn't have ports, use port 0 (must match rules with no port restrictions)
 		dstPort = 0
+		logger.Debug("HandleIncomingPacket: ICMP packet from %s to %s", srcAddr, dstAddr)
+	default:
+		// For other protocols, use port 0 (must match rules with no port restrictions)
+		dstPort = 0
+		logger.Debug("HandleIncomingPacket: Unknown protocol %d from %s to %s", protocol, srcAddr, dstAddr)
 	}
 
 	// Check if the source IP, destination IP, port, and protocol match any subnet rule
 	matchedRule := p.subnetLookup.Match(srcAddr, dstAddr, dstPort, protocol)
 	if matchedRule != nil {
+		logger.Debug("HandleIncomingPacket: Matched rule for %s -> %s (proto=%d, port=%d)",
+			srcAddr, dstAddr, protocol, dstPort)
 		// Check if we need to perform DNAT
 		if matchedRule.RewriteTo != "" {
 			// Create connection tracking key using original destination
@@ -515,9 +566,12 @@ func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool {
 			Payload: buffer.MakeWithData(packet),
 		})
 		p.proxyEp.InjectInbound(header.IPv4ProtocolNumber, pkb)
+		logger.Debug("HandleIncomingPacket: Injected packet into proxy stack (proto=%d)", protocol)
 		return true
 	}
 
+	// logger.Debug("HandleIncomingPacket: No matching rule for %s -> %s (proto=%d, port=%d)",
+		// srcAddr, dstAddr, protocol, dstPort)
 	return false
 }
 
@@ -640,6 +694,15 @@ func (p *ProxyHandler) ReadOutgoingPacket() *buffer.View {
 		return nil
 	}
 
+	// First check for ICMP reply packets (non-blocking)
+	select {
+	case icmpReply := <-p.icmpReplies:
+		logger.Debug("ReadOutgoingPacket: Returning ICMP reply packet (%d bytes)", len(icmpReply))
+		return buffer.NewViewWithData(icmpReply)
+	default:
+		// No ICMP reply available, continue to check proxy endpoint
+	}
+
 	pkt := p.proxyEp.Read()
 	if pkt != nil {
 		view := pkt.ToView()
@@ -669,6 +732,11 @@ func (p *ProxyHandler) ReadOutgoingPacket() *buffer.View {
 					srcPort = udpHeader.SourcePort()
 					dstPort = udpHeader.DestinationPort()
 				}
+			case header.ICMPv4ProtocolNumber:
+				// ICMP packets don't need NAT translation in our implementation
+				// since we construct reply packets with the correct addresses
+				logger.Debug("ReadOutgoingPacket: ICMP packet from %s to %s", srcIP, dstIP)
+				return view
 			}
 
 			// Look up NAT state for reverse translation
@@ -702,12 +770,37 @@ func (p *ProxyHandler) ReadOutgoingPacket() *buffer.View {
 	return nil
 }
 
+// QueueICMPReply queues an ICMP reply packet to be sent back through the tunnel
+func (p *ProxyHandler) QueueICMPReply(packet []byte) bool {
+	if p == nil || !p.enabled {
+		return false
+	}
+
+	select {
+	case p.icmpReplies <- packet:
+		logger.Debug("QueueICMPReply: Queued ICMP reply packet (%d bytes)", len(packet))
+		// Trigger notification so WriteNotify picks up the packet
+		if p.notifiable != nil {
+			p.notifiable.WriteNotify()
+		}
+		return true
+	default:
+		logger.Info("QueueICMPReply: ICMP reply channel full, dropping packet")
+		return false
+	}
+}
+
 // Close cleans up the proxy handler resources
 func (p *ProxyHandler) Close() error {
 	if p == nil || !p.enabled {
 		return nil
 	}
 
+	// Close ICMP replies channel
+	if p.icmpReplies != nil {
+		close(p.icmpReplies)
+	}
+
 	if p.proxyStack != nil {
 		p.proxyStack.RemoveNIC(1)
 		p.proxyStack.Close()

netstack2/tun.go

@@ -56,15 +56,17 @@ type Net netTun
 
 // NetTunOptions contains options for creating a NetTUN device
 type NetTunOptions struct {
-	EnableTCPProxy bool
-	EnableUDPProxy bool
+	EnableTCPProxy  bool
+	EnableUDPProxy  bool
+	EnableICMPProxy bool
 }
 
 // CreateNetTUN creates a new TUN device with netstack without proxying
 func CreateNetTUN(localAddresses, dnsServers []netip.Addr, mtu int) (tun.Device, *Net, error) {
 	return CreateNetTUNWithOptions(localAddresses, dnsServers, mtu, NetTunOptions{
-		EnableTCPProxy: true,
-		EnableUDPProxy: true,
+		EnableTCPProxy:  true,
+		EnableUDPProxy:  true,
+		EnableICMPProxy: true,
 	})
 }
 
@@ -84,13 +86,14 @@ func CreateNetTUNWithOptions(localAddresses, dnsServers []netip.Addr, mtu int, o
 		mtu:            mtu,
 	}
 
-	// Initialize proxy handler if TCP or UDP proxying is enabled
-	if options.EnableTCPProxy || options.EnableUDPProxy {
+	// Initialize proxy handler if TCP, UDP, or ICMP proxying is enabled
+	if options.EnableTCPProxy || options.EnableUDPProxy || options.EnableICMPProxy {
 		var err error
 		dev.proxyHandler, err = NewProxyHandler(ProxyHandlerOptions{
-			EnableTCP: options.EnableTCPProxy,
-			EnableUDP: options.EnableUDPProxy,
-			MTU:       mtu,
+			EnableTCP:  options.EnableTCPProxy,
+			EnableUDP:  options.EnableUDPProxy,
+			EnableICMP: options.EnableICMPProxy,
+			MTU:        mtu,
 		})
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to create proxy handler: %v", err)
@@ -351,10 +354,10 @@ func (net *Net) ListenUDP(laddr *net.UDPAddr) (*gonet.UDPConn, error) {
 // AddProxySubnetRule adds a subnet rule to the proxy handler
 // If portRanges is nil or empty, all ports are allowed for this subnet
 // rewriteTo can be either an IP/CIDR (e.g., "192.168.1.1/32") or a domain name (e.g., "example.com")
-func (net *Net) AddProxySubnetRule(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange) {
+func (net *Net) AddProxySubnetRule(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange, disableIcmp bool) {
 	tun := (*netTun)(net)
 	if tun.proxyHandler != nil {
-		tun.proxyHandler.AddSubnetRule(sourcePrefix, destPrefix, rewriteTo, portRanges)
+		tun.proxyHandler.AddSubnetRule(sourcePrefix, destPrefix, rewriteTo, portRanges, disableIcmp)
 	}
 }
 
@@ -366,6 +369,15 @@ func (net *Net) RemoveProxySubnetRule(sourcePrefix, destPrefix netip.Prefix) {
 	}
 }
 
+// GetProxySubnetRules returns all subnet rules from the proxy handler
+func (net *Net) GetProxySubnetRules() []SubnetRule {
+	tun := (*netTun)(net)
+	if tun.proxyHandler != nil {
+		return tun.proxyHandler.GetAllRules()
+	}
+	return nil
+}
+
 // GetProxyHandler returns the proxy handler (for advanced use cases)
 // Returns nil if proxy is not enabled
 func (net *Net) GetProxyHandler() *ProxyHandler {

network/interface.go

@@ -44,9 +44,13 @@ func ConfigureInterface(interfaceName string, tunnelIp string, mtu int) error {
 		return configureDarwin(interfaceName, ip, ipNet)
 	case "windows":
 		return configureWindows(interfaceName, ip, ipNet)
-	default:
-		return fmt.Errorf("unsupported operating system: %s", runtime.GOOS)
+	case "android":
+		return nil
+	case "ios":
+		return nil
 	}
+
+	return nil
 }
 
 // waitForInterfaceUp polls the network interface until it's up or times out

network/route.go

@@ -126,13 +126,14 @@ func LinuxRemoveRoute(destination string) error {
 
 // addRouteForServerIP adds an OS-specific route for the server IP
 func AddRouteForServerIP(serverIP, interfaceName string) error {
-	if err := AddRouteForNetworkConfig(serverIP); err != nil {
-		return err
-	}
 	if interfaceName == "" {
 		return nil
 	}
-	if runtime.GOOS == "darwin" {
+	// TODO: does this also need to be ios?
+	if runtime.GOOS == "darwin" { // macos requires routes for each peer to be added but this messes with other platforms
+		if err := AddRouteForNetworkConfig(serverIP); err != nil {
+			return err
+		}
 		return DarwinAddRoute(serverIP, "", interfaceName)
 	}
 	// else if runtime.GOOS == "windows" {
@@ -145,13 +146,14 @@ func AddRouteForServerIP(serverIP, interfaceName string) error {
 
 // removeRouteForServerIP removes an OS-specific route for the server IP
 func RemoveRouteForServerIP(serverIP string, interfaceName string) error {
-	if err := RemoveRouteForNetworkConfig(serverIP); err != nil {
-		return err
-	}
 	if interfaceName == "" {
 		return nil
 	}
-	if runtime.GOOS == "darwin" {
+	// TODO: does this also need to be ios?
+	if runtime.GOOS == "darwin" { // macos requires routes for each peer to be added but this messes with other platforms
+		if err := RemoveRouteForNetworkConfig(serverIP); err != nil {
+			return err
+		}
 		return DarwinRemoveRoute(serverIP)
 	}
 	// else if runtime.GOOS == "windows" {
@@ -217,21 +219,22 @@ func AddRoutes(remoteSubnets []string, interfaceName string) error {
 			continue
 		}
 
-		if runtime.GOOS == "darwin" {
+		switch runtime.GOOS {
+		case "darwin":
 			if err := DarwinAddRoute(subnet, "", interfaceName); err != nil {
 				logger.Error("Failed to add Darwin route for subnet %s: %v", subnet, err)
-				return err
 			}
-		} else if runtime.GOOS == "windows" {
+		case "windows":
 			if err := WindowsAddRoute(subnet, "", interfaceName); err != nil {
 				logger.Error("Failed to add Windows route for subnet %s: %v", subnet, err)
-				return err
 			}
-		} else if runtime.GOOS == "linux" {
+		case "linux":
 			if err := LinuxAddRoute(subnet, "", interfaceName); err != nil {
 				logger.Error("Failed to add Linux route for subnet %s: %v", subnet, err)
-				return err
 			}
+		case "android", "ios":
+			// Routes handled by the OS/VPN service
+			continue
 		}
 
 		logger.Info("Added route for remote subnet: %s", subnet)
@@ -258,21 +261,22 @@ func RemoveRoutes(remoteSubnets []string) error {
 		}
 
 		// Remove route based on operating system
-		if runtime.GOOS == "darwin" {
+		switch runtime.GOOS {
+		case "darwin":
 			if err := DarwinRemoveRoute(subnet); err != nil {
 				logger.Error("Failed to remove Darwin route for subnet %s: %v", subnet, err)
-				return err
 			}
-		} else if runtime.GOOS == "windows" {
+		case "windows":
 			if err := WindowsRemoveRoute(subnet); err != nil {
 				logger.Error("Failed to remove Windows route for subnet %s: %v", subnet, err)
-				return err
 			}
-		} else if runtime.GOOS == "linux" {
+		case "linux":
 			if err := LinuxRemoveRoute(subnet); err != nil {
 				logger.Error("Failed to remove Linux route for subnet %s: %v", subnet, err)
-				return err
 			}
+		case "android", "ios":
+			// Routes handled by the OS/VPN service
+			continue
 		}
 
 		logger.Info("Removed route for remote subnet: %s", subnet)

network/settings.go

@@ -115,7 +115,7 @@ func RemoveIPv4IncludedRoute(route IPv4Route) {
 		if r == route {
 			networkSettings.IPv4IncludedRoutes = append(routes[:i], routes[i+1:]...)
 			logger.Info("Removed IPv4 included route: %+v", route)
-			return
+			break
 		}
 	}
 	incrementor++

proxy/manager.go

@@ -736,3 +736,28 @@ func (pm *ProxyManager) PrintTargets() {
 		}
 	}
 }
+
+// GetTargets returns a copy of the current TCP and UDP targets
+// Returns map[listenIP]map[port]targetAddress for both TCP and UDP
+func (pm *ProxyManager) GetTargets() (tcpTargets map[string]map[int]string, udpTargets map[string]map[int]string) {
+	pm.mutex.RLock()
+	defer pm.mutex.RUnlock()
+
+	tcpTargets = make(map[string]map[int]string)
+	for listenIP, targets := range pm.tcpTargets {
+		tcpTargets[listenIP] = make(map[int]string)
+		for port, targetAddr := range targets {
+			tcpTargets[listenIP][port] = targetAddr
+		}
+	}
+
+	udpTargets = make(map[string]map[int]string)
+	for listenIP, targets := range pm.udpTargets {
+		udpTargets[listenIP] = make(map[int]string)
+		for port, targetAddr := range targets {
+			udpTargets[listenIP][port] = targetAddr
+		}
+	}
+
+	return tcpTargets, udpTargets
+}

websocket/client.go

@@ -47,6 +47,11 @@ type Client struct {
 	metricsCtx        context.Context
 	configNeedsSave   bool // Flag to track if config needs to be saved
 	serverVersion     string
+	configVersion     int64        // Latest config version received from server
+	configVersionMux  sync.RWMutex
+	processingMessage bool           // Flag to track if a message is currently being processed
+	processingMux     sync.RWMutex   // Protects processingMessage
+	processingWg      sync.WaitGroup // WaitGroup to wait for message processing to complete
 }
 
 type ClientOption func(*Client)
@@ -154,6 +159,20 @@ func (c *Client) GetServerVersion() string {
 	return c.serverVersion
 }
 
+// GetConfigVersion returns the latest config version received from server
+func (c *Client) GetConfigVersion() int64 {
+	c.configVersionMux.RLock()
+	defer c.configVersionMux.RUnlock()
+	return c.configVersion
+}
+
+// setConfigVersion updates the config version
+func (c *Client) setConfigVersion(version int64) {
+	c.configVersionMux.Lock()
+	defer c.configVersionMux.Unlock()
+	c.configVersion = version
+}
+
 // Connect establishes the WebSocket connection
 func (c *Client) Connect() error {
 	go c.connectWithRetry()
@@ -653,12 +672,33 @@ func (c *Client) pingMonitor() {
 			if c.conn == nil {
 				return
 			}
+
+			// Skip ping if a message is currently being processed
+			c.processingMux.RLock()
+			isProcessing := c.processingMessage
+			c.processingMux.RUnlock()
+			if isProcessing {
+				logger.Debug("Skipping ping, message is being processed")
+				continue
+			}
+
+			c.configVersionMux.RLock()
+			configVersion := c.configVersion
+			c.configVersionMux.RUnlock()
+
+			pingMsg := WSMessage{
+				Type:          "newt/ping",
+				Data:          map[string]interface{}{},
+				ConfigVersion: configVersion,
+			}
+
 			c.writeMux.Lock()
-			err := c.conn.WriteControl(websocket.PingMessage, []byte{}, time.Now().Add(c.pingTimeout))
+			err := c.conn.WriteJSON(pingMsg)
 			if err == nil {
 				telemetry.IncWSMessage(c.metricsContext(), "out", "ping")
 			}
 			c.writeMux.Unlock()
+
 			if err != nil {
 				// Check if we're shutting down before logging error and reconnecting
 				select {
@@ -737,9 +777,24 @@ func (c *Client) readPumpWithDisconnectDetection(started time.Time) {
 				}
 			}
 
+			// Update config version from incoming message
+			c.setConfigVersion(msg.ConfigVersion)
+
 			c.handlersMux.RLock()
 			if handler, ok := c.handlers[msg.Type]; ok {
+				// Mark that we're processing a message
+				c.processingMux.Lock()
+				c.processingMessage = true
+				c.processingMux.Unlock()
+				c.processingWg.Add(1)
+
 				handler(msg)
+
+				// Mark that we're done processing
+				c.processingWg.Done()
+				c.processingMux.Lock()
+				c.processingMessage = false
+				c.processingMux.Unlock()
 			}
 			c.handlersMux.RUnlock()
 		}

websocket/types.go

@@ -17,6 +17,7 @@ type TokenResponse struct {
 }
 
 type WSMessage struct {
-	Type string      `json:"type"`
-	Data interface{} `json:"data"`
+	Type          string      `json:"type"`
+	Data          interface{} `json:"data"`
+	ConfigVersion int64       `json:"configVersion,omitempty"`
 }

wgtester/wgtester.go

@@ -38,7 +38,6 @@ type Server struct {
 	isRunning    bool
 	runningLock  sync.Mutex
 	newtID       string
-	outputPrefix string
 	useNetstack  bool
 	tnet         interface{} // Will be *netstack2.Net when using netstack
 }
@@ -50,7 +49,6 @@ func NewServer(serverAddr string, serverPort uint16, newtID string) *Server {
 		serverPort:   serverPort + 1, // use the next port for the server
 		shutdownCh:   make(chan struct{}),
 		newtID:       newtID,
-		outputPrefix: "[WGTester] ",
 		useNetstack:  false,
 		tnet:         nil,
 	}
@@ -63,7 +61,6 @@ func NewServerWithNetstack(serverAddr string, serverPort uint16, newtID string,
 		serverPort:   serverPort + 1, // use the next port for the server
 		shutdownCh:   make(chan struct{}),
 		newtID:       newtID,
-		outputPrefix: "[WGTester] ",
 		useNetstack:  true,
 		tnet:         tnet,
 	}
@@ -109,7 +106,7 @@ func (s *Server) Start() error {
 	s.isRunning = true
 	go s.handleConnections()
 
-	logger.Info("%sServer started on %s:%d", s.outputPrefix, s.serverAddr, s.serverPort)
+	logger.Debug("WGTester Server started on %s:%d", s.serverAddr, s.serverPort)
 	return nil
 }
 
@@ -127,7 +124,7 @@ func (s *Server) Stop() {
 		s.conn.Close()
 	}
 	s.isRunning = false
-	logger.Info("%sServer stopped", s.outputPrefix)
+	logger.Info("WGTester Server stopped")
 }
 
 // RestartWithNetstack stops the current server and restarts it with netstack
@@ -162,7 +159,7 @@ func (s *Server) handleConnections() {
 			// Set read deadline to avoid blocking forever
 			err := s.conn.SetReadDeadline(time.Now().Add(1 * time.Second))
 			if err != nil {
-				logger.Error("%sError setting read deadline: %v", s.outputPrefix, err)
+				logger.Error("Error setting read deadline: %v", err)
 				continue
 			}
 
@@ -192,7 +189,7 @@ func (s *Server) handleConnections() {
 					if err == io.EOF {
 						return
 					}
-					logger.Error("%sError reading from UDP: %v", s.outputPrefix, err)
+					logger.Error("Error reading from UDP: %v", err)
 				}
 				continue
 			}
@@ -224,7 +221,7 @@ func (s *Server) handleConnections() {
 			copy(responsePacket[5:13], buffer[5:13])
 
 			// Log response being sent for debugging
-			// logger.Debug("%sSending response to %s", s.outputPrefix, addr.String())
+			// logger.Debug("Sending response to %s", addr.String())
 
 			// Send the response packet - handle both regular UDP and netstack UDP
 			if s.useNetstack {
@@ -238,9 +235,9 @@ func (s *Server) handleConnections() {
 			}
 
 			if err != nil {
-				logger.Error("%sError sending response: %v", s.outputPrefix, err)
+				logger.Error("Error sending response: %v", err)
 			} else {
-				// logger.Debug("%sResponse sent successfully", s.outputPrefix)
+				// logger.Debug("Response sent successfully")
 			}
 		}
 	}