Merge pull request #118 from fosrl/dev

Update newt

.dockerignore

@@ -1,9 +1,9 @@
 .gitignore
 .dockerignore
-olm
 *.json
 README.md
 Makefile
 public/
 LICENSE
-CONTRIBUTING.md
+CONTRIBUTING.md
+bin/

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @oschwartz10612 @miloschwartz

.github/dependabot.yml

@@ -5,20 +5,10 @@ updates:
     schedule:
       interval: "daily"
     groups:
-      dev-patch-updates:
-        dependency-type: "development"
+      patch-updates:
         update-types:
           - "patch"
-      dev-minor-updates:
-        dependency-type: "development"
-        update-types:
-          - "minor"
-      prod-patch-updates:
-        dependency-type: "production"
-        update-types:
-          - "patch"
-      prod-minor-updates:
-        dependency-type: "production"
+      minor-updates:
         update-types:
           - "minor"
 

.github/workflows/cicd.yml

@@ -1,60 +1,936 @@
-name: CI/CD Pipeline
+name: CI/CD Pipeline (AWS Self-Hosted Runners)
+
+# CI/CD workflow for building, publishing, attesting, signing container images and building release binaries.
+# Native multi-arch pipeline using two AWS EC2 self-hosted runners (x86_64 + arm64) to build and push architecture-specific images in parallel, then create multi-arch manifests.
+#
+# Required secrets:
+# - AWS_ACCOUNT_ID, AWS_ROLE_NAME, AWS_REGION
+# - EC2_INSTANCE_ID_AMD_RUNNER, EC2_INSTANCE_ID_ARM_RUNNER
+# - DOCKER_HUB_USERNAME / DOCKER_HUB_ACCESS_TOKEN
+# - GITHUB_TOKEN
+# - COSIGN_PRIVATE_KEY / COSIGN_PASSWORD / COSIGN_PUBLIC_KEY
+
+permissions:
+  contents: write          # gh-release
+  packages: write          # GHCR push
+  id-token: write          # Keyless-Signatures & Attestations (OIDC)
+  attestations: write      # actions/attest-build-provenance
+  security-events: write   # upload-sarif
+  actions: read
 
 on:
-    push:
-        tags:
-            - "*"
+  push:
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+"
+      - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to release (X.Y.Z or X.Y.Z-rc.N)"
+        required: true
+        type: string
+      publish_latest:
+        description: "Publish latest tag (non-RC only)"
+        required: true
+        type: boolean
+        default: false
+      publish_minor:
+        description: "Publish minor tag (X.Y) (non-RC only)"
+        required: true
+        type: boolean
+        default: false
+      target_branch:
+        description: "Branch to tag"
+        required: false
+        default: "main"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.event.inputs.version || github.ref_name }}
+  cancel-in-progress: true
 
 jobs:
-    release:
-        name: Build and Release
-        runs-on: amd64-runner
+  # ---------------------------------------------------------------------------
+  # 1) Start AWS EC2 runner instances
+  # ---------------------------------------------------------------------------
+  pre-run:
+    name: Start AWS EC2 runners
+    runs-on: ubuntu-latest
+    permissions: write-all
+    outputs:
+      image_created: ${{ steps.created.outputs.image_created }}
+    steps:
+      - name: Capture created timestamp (shared)
+        id: created
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "image_created=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
 
-        steps:
-            - name: Checkout code
-              uses: actions/checkout@v5
+      - name: Configure AWS credentials (OIDC)
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+          role-duration-seconds: 3600
+          aws-region: ${{ secrets.AWS_REGION }}
 
-            - name: Set up QEMU
-              uses: docker/setup-qemu-action@v3
+      - name: Verify AWS identity
+        run: aws sts get-caller-identity
 
-            - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
+      - name: Start EC2 instances
+        run: |
+          aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+          aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+          echo "EC2 instances started"
 
-            - name: Log in to Docker Hub
-              uses: docker/login-action@v3
-              with:
-                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
-                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+  # ---------------------------------------------------------------------------
+  # 2) Prepare release
+  # ---------------------------------------------------------------------------
+  prepare:
+    if: github.event_name == 'workflow_dispatch'
+    name: Prepare release (create tag)
+    needs: [pre-run]
+    runs-on: [self-hosted, linux, x64]
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
 
-            - name: Extract tag name
-              id: get-tag
-              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+      - name: Validate version input
+        shell: bash
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
+        run: |
+          set -euo pipefail
+          if ! [[ "$INPUT_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$ ]]; then
+            echo "Invalid version: $INPUT_VERSION (expected X.Y.Z or X.Y.Z-rc.N)" >&2
+            exit 1
+          fi
 
-            - name: Install Go
-              uses: actions/setup-go@v6
-              with:
-                  go-version: 1.25
+      - name: Create and push tag
+        shell: bash
+        env:
+          TARGET_BRANCH: ${{ inputs.target_branch }}
+          VERSION: ${{ inputs.version }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          git config user.name  "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git fetch --prune origin
+          git checkout "$TARGET_BRANCH"
+          git pull --ff-only origin "$TARGET_BRANCH"
+          if git rev-parse -q --verify "refs/tags/$VERSION" >/dev/null; then
+            echo "Tag $VERSION already exists" >&2
+            exit 1
+          fi
+          git tag -a "$VERSION" -m "Release $VERSION"
+          git push origin "refs/tags/$VERSION"
 
-            - name: Update version in main.go
-              run: |
-                  TAG=${{ env.TAG }}
-                  if [ -f main.go ]; then
-                    sed -i 's/version_replaceme/'"$TAG"'/' main.go
-                    echo "Updated main.go with version $TAG"
-                  else
-                    echo "main.go not found"
-                  fi
-            - name: Build and push Docker images
-              run: |
-                  TAG=${{ env.TAG }}
-                  make docker-build-release tag=$TAG
+  # ---------------------------------------------------------------------------
+  # 3) Build and Release (x86 job)
+  # ---------------------------------------------------------------------------
+  build-amd:
+    name: Build image (linux/amd64)
+    needs: [pre-run, prepare]
+    if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]' && needs.prepare.result == 'skipped') || (github.event_name == 'workflow_dispatch' && (needs.prepare.result == 'success' || needs.prepare.result == 'skipped'))) }}
+    runs-on: [self-hosted, linux, x64]
+    timeout-minutes: 120
+    env:
+      DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+      GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+      IMAGE_LICENSE: ${{ github.event.repository.license.spdx_id || 'NOASSERTION' }}
+      IMAGE_CREATED: ${{ needs.pre-run.outputs.image_created }}
 
-            - name: Build binaries
-              run: |
-                  make go-build-release
+    outputs:
+      tag: ${{ steps.tag.outputs.tag }}
+      is_rc: ${{ steps.tag.outputs.is_rc }}
+      major: ${{ steps.tag.outputs.major }}
+      minor: ${{ steps.tag.outputs.minor }}
 
-            - name: Upload artifacts from /bin
-              uses: actions/upload-artifact@v4
-              with:
-                  name: binaries
-                  path: bin/
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Monitor storage space
+        shell: bash
+        run: |
+          THRESHOLD=75
+          USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+          echo "Used space: $USED_SPACE%"
+          if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+            echo "Disk usage >= ${THRESHOLD}%, pruning docker..."
+            echo y | docker system prune -a || true
+          else
+            echo "Disk usage < ${THRESHOLD}%, no action needed."
+          fi
+
+      - name: Determine tag + rc/major/minor
+        id: tag
+        shell: bash
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          INPUT_VERSION: ${{ inputs.version }}
+        run: |
+          set -euo pipefail
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            TAG="$INPUT_VERSION"
+          else
+            TAG="${{ github.ref_name }}"
+          fi
+
+          if ! [[ "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$ ]]; then
+            echo "Invalid tag: $TAG" >&2
+            exit 1
+          fi
+
+          IS_RC="false"
+          if [[ "$TAG" =~ -rc\.[0-9]+$ ]]; then
+            IS_RC="true"
+          fi
+
+          MAJOR="$(echo "$TAG" | cut -d. -f1)"
+          MINOR="$(echo "$TAG" | cut -d. -f1,2)"
+
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+          echo "is_rc=$IS_RC" >> "$GITHUB_OUTPUT"
+          echo "major=$MAJOR" >> "$GITHUB_OUTPUT"
+          echo "minor=$MINOR" >> "$GITHUB_OUTPUT"
+
+          echo "TAG=$TAG" >> $GITHUB_ENV
+          echo "IS_RC=$IS_RC" >> $GITHUB_ENV
+          echo "MAJOR_TAG=$MAJOR" >> $GITHUB_ENV
+          echo "MINOR_TAG=$MINOR" >> $GITHUB_ENV
+
+      - name: Wait for tag to be visible (dispatch only)
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          for i in {1..90}; do
+            if git ls-remote --tags origin "refs/tags/${TAG}" | grep -qE "refs/tags/${TAG}$"; then
+              echo "Tag ${TAG} is visible on origin"; exit 0
+            fi
+            echo "Tag not yet visible, retrying... ($i/90)"
+            sleep 2
+          done
+          echo "Tag ${TAG} not visible after waiting" >&2
+          exit 1
+
+      - name: Ensure repository is at the tagged commit (dispatch only)
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          git fetch --tags --force
+          git checkout "refs/tags/${TAG}"
+          echo "Checked out $(git rev-parse --short HEAD) for tag ${TAG}"
+
+      #- name: Set up QEMU
+      #  uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+
+      #- name: Set up Docker Buildx
+      #  uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Log in to GHCR
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Normalize image names to lowercase
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "GHCR_IMAGE=${GHCR_IMAGE,,}" >> "$GITHUB_ENV"
+          echo "DOCKERHUB_IMAGE=${DOCKERHUB_IMAGE,,}" >> "$GITHUB_ENV"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+      # Build ONLY amd64 and push arch-specific tag suffixes used later for manifest creation.
+      - name: Build and push (amd64 -> *:amd64-TAG)
+        id: build_amd
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64
+          build-args: VERSION=${{ env.TAG }}
+          tags: |
+            ${{ env.GHCR_IMAGE }}:amd64-${{ env.TAG }}
+            ${{ env.DOCKERHUB_IMAGE }}:amd64-${{ env.TAG }}
+          labels: |
+            org.opencontainers.image.title=${{ github.event.repository.name }}
+            org.opencontainers.image.version=${{ env.TAG }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.url=${{ github.event.repository.html_url }}
+            org.opencontainers.image.documentation=${{ github.event.repository.html_url }}
+            org.opencontainers.image.description=${{ github.event.repository.description }}
+            org.opencontainers.image.licenses=${{ env.IMAGE_LICENSE }}
+            org.opencontainers.image.created=${{ env.IMAGE_CREATED }}
+            org.opencontainers.image.ref.name=${{ env.TAG }}
+            org.opencontainers.image.authors=${{ github.repository_owner }}
+          cache-from: type=gha,scope=${{ github.repository }}-amd64
+          cache-to: type=gha,mode=max,scope=${{ github.repository }}-amd64
+
+  # ---------------------------------------------------------------------------
+  # 4) Build ARM64 image natively on ARM runner
+  # ---------------------------------------------------------------------------
+  build-arm:
+    name: Build image (linux/arm64)
+    needs: [pre-run, prepare]
+    if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]' && needs.prepare.result == 'skipped') || (github.event_name == 'workflow_dispatch' && (needs.prepare.result == 'success' || needs.prepare.result == 'skipped'))) }}
+    runs-on: [self-hosted, linux, arm64] # NOTE: ensure label exists on runner
+    timeout-minutes: 120
+    env:
+      DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+      GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+      IMAGE_LICENSE: ${{ github.event.repository.license.spdx_id || 'NOASSERTION' }}
+      IMAGE_CREATED: ${{ needs.pre-run.outputs.image_created }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Monitor storage space
+        shell: bash
+        run: |
+          THRESHOLD=75
+          USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+          echo "Used space: $USED_SPACE%"
+          if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+            echo y | docker system prune -a || true
+          fi
+
+      - name: Determine tag + validate format
+        shell: bash
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          INPUT_VERSION: ${{ inputs.version }}
+        run: |
+          set -euo pipefail
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            TAG="$INPUT_VERSION"
+          else
+            TAG="${{ github.ref_name }}"
+          fi
+
+          if ! [[ "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$ ]]; then
+            echo "Invalid tag: $TAG" >&2
+            exit 1
+          fi
+
+          echo "TAG=$TAG" >> $GITHUB_ENV
+
+      - name: Wait for tag to be visible (dispatch only)
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          for i in {1..90}; do
+            if git ls-remote --tags origin "refs/tags/${TAG}" | grep -qE "refs/tags/${TAG}$"; then
+              echo "Tag ${TAG} is visible on origin"; exit 0
+            fi
+            echo "Tag not yet visible, retrying... ($i/90)"
+            sleep 2
+          done
+          echo "Tag ${TAG} not visible after waiting" >&2
+          exit 1
+
+      - name: Ensure repository is at the tagged commit (dispatch only)
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          git fetch --tags --force
+          git checkout "refs/tags/${TAG}"
+          echo "Checked out $(git rev-parse --short HEAD) for tag ${TAG}"
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Log in to GHCR
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Normalize image names to lowercase
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "GHCR_IMAGE=${GHCR_IMAGE,,}" >> "$GITHUB_ENV"
+          echo "DOCKERHUB_IMAGE=${DOCKERHUB_IMAGE,,}" >> "$GITHUB_ENV"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+      # Build ONLY arm64 and push arch-specific tag suffixes used later for manifest creation.
+      - name: Build and push (arm64 -> *:arm64-TAG)
+        id: build_arm
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        with:
+          context: .
+          push: true
+          platforms: linux/arm64
+          build-args: VERSION=${{ env.TAG }}
+          tags: |
+            ${{ env.GHCR_IMAGE }}:arm64-${{ env.TAG }}
+            ${{ env.DOCKERHUB_IMAGE }}:arm64-${{ env.TAG }}
+          labels: |
+            org.opencontainers.image.title=${{ github.event.repository.name }}
+            org.opencontainers.image.version=${{ env.TAG }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.url=${{ github.event.repository.html_url }}
+            org.opencontainers.image.documentation=${{ github.event.repository.html_url }}
+            org.opencontainers.image.description=${{ github.event.repository.description }}
+            org.opencontainers.image.licenses=${{ env.IMAGE_LICENSE }}
+            org.opencontainers.image.created=${{ env.IMAGE_CREATED }}
+            org.opencontainers.image.ref.name=${{ env.TAG }}
+            org.opencontainers.image.authors=${{ github.repository_owner }}
+          cache-from: type=gha,scope=${{ github.repository }}-arm64
+          cache-to: type=gha,mode=max,scope=${{ github.repository }}-arm64
+
+  # ---------------------------------------------------------------------------
+  # 4b) Build ARMv7 image (linux/arm/v7) on arm runner via QEMU
+  # ---------------------------------------------------------------------------
+  build-armv7:
+    name: Build image (linux/arm/v7)
+    needs: [pre-run, prepare]
+    if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]' && needs.prepare.result == 'skipped') || (github.event_name == 'workflow_dispatch' && (needs.prepare.result == 'success' || needs.prepare.result == 'skipped'))) }}
+    runs-on: [self-hosted, linux, arm64]
+    timeout-minutes: 120
+    env:
+      DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+      GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+      IMAGE_LICENSE: ${{ github.event.repository.license.spdx_id || 'NOASSERTION' }}
+      IMAGE_CREATED: ${{ needs.pre-run.outputs.image_created }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Determine tag + validate format
+        shell: bash
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          INPUT_VERSION: ${{ inputs.version }}
+        run: |
+          set -euo pipefail
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            TAG="$INPUT_VERSION"
+          else
+            TAG="${{ github.ref_name }}"
+          fi
+
+          if ! [[ "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$ ]]; then
+            echo "Invalid tag: $TAG" >&2
+            exit 1
+          fi
+
+          echo "TAG=$TAG" >> $GITHUB_ENV
+
+      - name: Wait for tag to be visible (dispatch only)
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          for i in {1..90}; do
+            if git ls-remote --tags origin "refs/tags/${TAG}" | grep -qE "refs/tags/${TAG}$"; then
+              echo "Tag ${TAG} is visible on origin"; exit 0
+            fi
+            echo "Tag not yet visible, retrying... ($i/90)"
+            sleep 2
+          done
+          echo "Tag ${TAG} not visible after waiting" >&2
+          exit 1
+
+      - name: Ensure repository is at the tagged commit (dispatch only)
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          git fetch --tags --force
+          git checkout "refs/tags/${TAG}"
+          echo "Checked out $(git rev-parse --short HEAD) for tag ${TAG}"
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Log in to GHCR
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Normalize image names to lowercase
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "GHCR_IMAGE=${GHCR_IMAGE,,}" >> "$GITHUB_ENV"
+          echo "DOCKERHUB_IMAGE=${DOCKERHUB_IMAGE,,}" >> "$GITHUB_ENV"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+      - name: Build and push (arm/v7 -> *:armv7-TAG)
+        id: build_armv7
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        with:
+          context: .
+          push: true
+          platforms: linux/arm/v7
+          build-args: VERSION=${{ env.TAG }}
+          tags: |
+            ${{ env.GHCR_IMAGE }}:armv7-${{ env.TAG }}
+            ${{ env.DOCKERHUB_IMAGE }}:armv7-${{ env.TAG }}
+          labels: |
+            org.opencontainers.image.title=${{ github.event.repository.name }}
+            org.opencontainers.image.version=${{ env.TAG }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.url=${{ github.event.repository.html_url }}
+            org.opencontainers.image.documentation=${{ github.event.repository.html_url }}
+            org.opencontainers.image.description=${{ github.event.repository.description }}
+            org.opencontainers.image.licenses=${{ env.IMAGE_LICENSE }}
+            org.opencontainers.image.created=${{ env.IMAGE_CREATED }}
+            org.opencontainers.image.ref.name=${{ env.TAG }}
+            org.opencontainers.image.authors=${{ github.repository_owner }}
+          cache-from: type=gha,scope=${{ github.repository }}-armv7
+          cache-to: type=gha,mode=max,scope=${{ github.repository }}-armv7
+
+  # ---------------------------------------------------------------------------
+  # 5) Create and push multi-arch manifests (TAG, plus optional latest/major/minor)
+  # ---------------------------------------------------------------------------
+  create-manifest:
+    name: Create multi-arch manifests
+    needs: [build-amd, build-arm, build-armv7]
+    if: ${{ needs.build-amd.result == 'success' && needs.build-arm.result == 'success' && needs.build-armv7.result == 'success' }}
+    runs-on: [self-hosted, linux, x64] # NOTE: ensure label exists on runner
+    timeout-minutes: 30
+    env:
+      DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+      GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+      TAG: ${{ needs.build-amd.outputs.tag }}
+      IS_RC: ${{ needs.build-amd.outputs.is_rc }}
+      MAJOR_TAG: ${{ needs.build-amd.outputs.major }}
+      MINOR_TAG: ${{ needs.build-amd.outputs.minor }}
+      # workflow_dispatch controls are respected only here (tagging policy)
+      #PUBLISH_LATEST: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_latest || vars.PUBLISH_LATEST }}
+      #PUBLISH_MINOR:  ${{ github.event_name == 'workflow_dispatch' && inputs.publish_minor  || vars.PUBLISH_MINOR  }}
+    steps:
+      - name: Log in to Docker Hub
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Log in to GHCR
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Normalize image names to lowercase
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "GHCR_IMAGE=${GHCR_IMAGE,,}" >> "$GITHUB_ENV"
+          echo "DOCKERHUB_IMAGE=${DOCKERHUB_IMAGE,,}" >> "$GITHUB_ENV"
+
+      - name: Set up Docker Buildx (needed for imagetools)
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+      - name: Create & push multi-arch index (GHCR :TAG) via imagetools
+        shell: bash
+        run: |
+          set -euo pipefail
+          docker buildx imagetools create \
+            -t "${GHCR_IMAGE}:${TAG}" \
+            "${GHCR_IMAGE}:amd64-${TAG}" \
+            "${GHCR_IMAGE}:arm64-${TAG}" \
+            "${GHCR_IMAGE}:armv7-${TAG}"
+
+      - name: Create & push multi-arch index (Docker Hub :TAG) via imagetools
+        shell: bash
+        run: |
+          set -euo pipefail
+          docker buildx imagetools create \
+            -t "${DOCKERHUB_IMAGE}:${TAG}" \
+            "${DOCKERHUB_IMAGE}:amd64-${TAG}" \
+            "${DOCKERHUB_IMAGE}:arm64-${TAG}" \
+            "${DOCKERHUB_IMAGE}:armv7-${TAG}"
+
+      # Additional tags for non-RC releases: latest, major, minor (always)
+      - name: Publish additional tags (non-RC only) via imagetools
+        if: ${{ env.IS_RC != 'true' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          tags_to_publish=("${MAJOR_TAG}" "${MINOR_TAG}" "latest")
+
+          for t in "${tags_to_publish[@]}"; do
+            echo "Publishing GHCR tag ${t} -> ${TAG}"
+            docker buildx imagetools create \
+              -t "${GHCR_IMAGE}:${t}" \
+              "${GHCR_IMAGE}:amd64-${TAG}" \
+              "${GHCR_IMAGE}:arm64-${TAG}" \
+              "${GHCR_IMAGE}:armv7-${TAG}"
+
+            echo "Publishing Docker Hub tag ${t} -> ${TAG}"
+            docker buildx imagetools create \
+              -t "${DOCKERHUB_IMAGE}:${t}" \
+              "${DOCKERHUB_IMAGE}:amd64-${TAG}" \
+              "${DOCKERHUB_IMAGE}:arm64-${TAG}" \
+              "${DOCKERHUB_IMAGE}:armv7-${TAG}"
+          done
+
+  # ---------------------------------------------------------------------------
+  # 6) Sign/attest + build binaries + draft release (x86 runner)
+  # ---------------------------------------------------------------------------
+  sign-and-release:
+    name: Sign, attest, and release
+    needs: [create-manifest, build-amd]
+    if: ${{ needs.create-manifest.result == 'success' && needs.build-amd.result == 'success' }}
+    runs-on: [self-hosted, linux, x64] # NOTE: ensure label exists on runner
+    timeout-minutes: 120
+    env:
+      DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+      GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+      TAG: ${{ needs.build-amd.outputs.tag }}
+      IS_RC: ${{ needs.build-amd.outputs.is_rc }}
+      IMAGE_LICENSE: ${{ github.event.repository.license.spdx_id || 'NOASSERTION' }}
+      IMAGE_CREATED: ${{ needs.pre-run.outputs.image_created }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Ensure repository is at the tagged commit (dispatch only)
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          git fetch --tags --force
+          git checkout "refs/tags/${TAG}"
+          echo "Checked out $(git rev-parse --short HEAD) for tag ${TAG}"
+
+      - name: Install Go
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version-file: go.mod
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Log in to GHCR
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Normalize image names to lowercase
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "GHCR_IMAGE=${GHCR_IMAGE,,}" >> "$GITHUB_ENV"
+          echo "DOCKERHUB_IMAGE=${DOCKERHUB_IMAGE,,}" >> "$GITHUB_ENV"
+
+      - name: Ensure jq is installed
+        shell: bash
+        run: |
+          set -euo pipefail
+          if command -v jq >/dev/null 2>&1; then
+            exit 0
+          fi
+          sudo apt-get update -y
+          sudo apt-get install -y jq
+
+      - name: Set up Docker Buildx (needed for imagetools)
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+      - name: Resolve multi-arch digest refs (by TAG)
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          get_digest() {
+            local ref="$1"
+            local d=""
+            # Primary: buildx format output
+            d="$(docker buildx imagetools inspect "$ref" --format '{{.Manifest.Digest}}' 2>/dev/null || true)"
+
+            # Fallback: parse from plain text if format fails
+            if ! [[ "$d" =~ ^sha256:[0-9a-f]{64}$ ]]; then
+              d="$(docker buildx imagetools inspect "$ref" 2>/dev/null | awk '/^Digest:/ {print $2; exit}' || true)"
+            fi
+
+            if ! [[ "$d" =~ ^sha256:[0-9a-f]{64}$ ]]; then
+              echo "ERROR: Could not extract digest for $ref" >&2
+              docker buildx imagetools inspect "$ref" || true
+              exit 1
+            fi
+
+            echo "$d"
+          }
+
+          GHCR_DIGEST="$(get_digest "${GHCR_IMAGE}:${TAG}")"
+          echo "GHCR_REF=${GHCR_IMAGE}@${GHCR_DIGEST}" >> "$GITHUB_ENV"
+          echo "GHCR_DIGEST=${GHCR_DIGEST}" >> "$GITHUB_ENV"
+          echo "Resolved GHCR_REF=${GHCR_IMAGE}@${GHCR_DIGEST}"
+
+          if [ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ] && [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ]; then
+            DH_DIGEST="$(get_digest "${DOCKERHUB_IMAGE}:${TAG}")"
+            echo "DH_REF=${DOCKERHUB_IMAGE}@${DH_DIGEST}" >> "$GITHUB_ENV"
+            echo "DH_DIGEST=${DH_DIGEST}" >> "$GITHUB_ENV"
+            echo "Resolved DH_REF=${DOCKERHUB_IMAGE}@${DH_DIGEST}"
+          fi
+
+      - name: Attest build provenance (GHCR) (digest)
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        with:
+          subject-name: ${{ env.GHCR_IMAGE }}
+          subject-digest: ${{ env.GHCR_DIGEST }}
+          push-to-registry: true
+          show-summary: true
+
+      - name: Attest build provenance (Docker Hub)
+        continue-on-error: true
+        if: ${{ env.DH_DIGEST != '' }}
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        with:
+          subject-name: index.docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+          subject-digest: ${{ env.DH_DIGEST }}
+          push-to-registry: true
+          show-summary: true
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          cosign-release: "v3.0.2"
+
+      - name: Sanity check cosign private key
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD:    ${{ secrets.COSIGN_PASSWORD }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          cosign public-key --key env://COSIGN_PRIVATE_KEY >/dev/null
+
+      - name: Generate SBOM (SPDX JSON) from GHCR digest
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
+        with:
+          image-ref: ${{ env.GHCR_REF }}
+          format: spdx-json
+          output: sbom.spdx.json
+          version: v0.69.3
+
+      - name: Validate + minify SBOM JSON
+        shell: bash
+        run: |
+          set -euo pipefail
+          jq -e . sbom.spdx.json >/dev/null
+          jq -c . sbom.spdx.json > sbom.min.json && mv sbom.min.json sbom.spdx.json
+
+      - name: Sign GHCR digest (key, recursive)
+        env:
+          COSIGN_YES: "true"
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD:    ${{ secrets.COSIGN_PASSWORD }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${GHCR_REF}"
+          sleep 20
+
+      - name: Create SBOM attestation (GHCR, key)
+        env:
+          COSIGN_YES: "true"
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD:    ${{ secrets.COSIGN_PASSWORD }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          cosign attest \
+            --key env://COSIGN_PRIVATE_KEY \
+            --type spdxjson \
+            --predicate sbom.spdx.json \
+            "${GHCR_REF}"
+
+      - name: Create SBOM attestation (Docker Hub, key)
+        continue-on-error: true
+        env:
+          COSIGN_YES: "true"
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD:    ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_DOCKER_MEDIA_TYPES: "1"
+        shell: bash
+        run: |
+          set -euo pipefail
+          cosign attest \
+            --key env://COSIGN_PRIVATE_KEY \
+            --type spdxjson \
+            --predicate sbom.spdx.json \
+            "${DH_REF}"
+
+      - name: Keyless sign & verify GHCR digest (OIDC)
+        env:
+          COSIGN_YES: "true"
+          WORKFLOW_REF: ${{ github.workflow_ref }}
+          ISSUER: https://token.actions.githubusercontent.com
+        shell: bash
+        run: |
+          set -euo pipefail
+          cosign sign --rekor-url https://rekor.sigstore.dev --recursive "${GHCR_REF}"
+          cosign verify \
+            --certificate-oidc-issuer "${ISSUER}" \
+            --certificate-identity "https://github.com/${WORKFLOW_REF}" \
+            "${GHCR_REF}" -o text
+
+      - name: Verify signature (public key) GHCR digest + tag
+        env:
+          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          cosign verify --key env://COSIGN_PUBLIC_KEY "${GHCR_REF}" -o text
+          cosign verify --key env://COSIGN_PUBLIC_KEY "${GHCR_IMAGE}:${TAG}" -o text
+
+      - name: Verify SBOM attestation (GHCR)
+        env:
+          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+        run: cosign verify-attestation --key env://COSIGN_PUBLIC_KEY --type spdxjson "${GHCR_REF}" -o text
+        shell: bash
+
+      - name: Sign Docker Hub digest (key, recursive)
+        continue-on-error: true
+        env:
+          COSIGN_YES: "true"
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD:    ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_DOCKER_MEDIA_TYPES: "1"
+        shell: bash
+        run: |
+          set -euo pipefail
+          cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${DH_REF}"
+
+      - name: Keyless sign & verify Docker Hub digest (OIDC)
+        continue-on-error: true
+        if: ${{ env.DH_REF != '' }}
+        env:
+          COSIGN_YES: "true"
+          ISSUER: https://token.actions.githubusercontent.com
+          COSIGN_DOCKER_MEDIA_TYPES: "1"
+        shell: bash
+        run: |
+          set -euo pipefail
+          cosign sign --rekor-url https://rekor.sigstore.dev --recursive "${DH_REF}"
+          cosign verify \
+            --certificate-oidc-issuer "${ISSUER}" \
+            --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
+            "${DH_REF}" -o text
+
+      - name: Verify signature (public key) Docker Hub digest + tag
+        continue-on-error: true
+        if: ${{ env.DH_REF != '' }}
+        env:
+          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+          COSIGN_DOCKER_MEDIA_TYPES: "1"
+        shell: bash
+        run: |
+          set -euo pipefail
+          cosign verify --key env://COSIGN_PUBLIC_KEY "${DH_REF}" -o text
+          cosign verify --key env://COSIGN_PUBLIC_KEY "${DOCKERHUB_IMAGE}:${TAG}" -o text
+
+      - name: Build binaries
+        env:
+          CGO_ENABLED: "0"
+          GOFLAGS: "-trimpath"
+        shell: bash
+        run: |
+          set -euo pipefail
+          make -j 10 go-build-release VERSION="${TAG}"
+
+      - name: Create GitHub Release (draft)
+        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
+        with:
+          tag_name: ${{ env.TAG }}
+          generate_release_notes: true
+          prerelease: ${{ env.IS_RC == 'true' }}
+          files: |
+            bin/*
+          fail_on_unmatched_files: true
+          draft: true
+          body: |
+            ## Container Images
+            - GHCR: `${{ env.GHCR_REF }}`
+            - Docker Hub: `${{ env.DH_REF || 'N/A' }}`
+            **Tag:** `${{ env.TAG }}`
+
+  # ---------------------------------------------------------------------------
+  # 7) Stop AWS EC2 runner instances
+  # ---------------------------------------------------------------------------
+
+  post-run:
+    name: Stop AWS EC2 runners
+    needs: [pre-run, prepare, build-amd, build-arm, build-armv7, create-manifest, sign-and-release]
+    if: ${{ always() && needs.pre-run.result == 'success' }}
+    runs-on: ubuntu-latest
+    permissions: write-all
+    steps:
+      - name: Configure AWS credentials (OIDC)
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+          role-duration-seconds: 3600
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Verify AWS identity
+        run: aws sts get-caller-identity
+
+      - name: Stop EC2 instances
+        run: |
+          aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+          aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+          echo "EC2 instances stopped"

.github/workflows/stale-bot.yml

@@ -0,0 +1,37 @@
+name: Mark and Close Stale Issues
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch: # Allow manual trigger
+
+permissions:
+  contents: write # only for delete-branch option
+  issues: write
+  pull-requests: write
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
+        with:
+          days-before-stale: 14
+          days-before-close: 14
+          stale-issue-message: 'This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.'
+          close-issue-message: 'This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.'
+          stale-issue-label: 'stale'
+          
+          exempt-issue-labels: 'needs investigating, networking, new feature, reverse proxy, bug, api, authentication, documentation, enhancement, help wanted, good first issue, question'
+          
+          exempt-all-issue-assignees: true
+          
+          only-labels: ''
+          exempt-pr-labels: ''
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          
+          operations-per-run: 100
+          remove-stale-when-updated: true
+          delete-branch: false
+          enable-statistics: true

.github/workflows/test.yml

@@ -1,5 +1,8 @@
 name: Run Tests
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:
@@ -7,22 +10,33 @@ on:
       - dev
 
 jobs:
-  test:
+  build-go:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version: 1.25
 
-      - name: Build go
-        run: go build
-
-      - name: Build Docker image
-        run: make build
-
       - name: Build binaries
         run: make go-build-release
+
+  build-docker:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+
+      - name: Set up 1.2.0 Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+      - name: Build Docker image
+        run: make docker-build-dev

.gitignore

@@ -1,3 +1,2 @@
-olm
 .DS_Store
 bin/

API.md

@@ -0,0 +1,393 @@
+## API
+
+Olm can be controlled with an embedded API server when using `--enable-api`. This allows you to start it as a daemon and trigger it with the following endpoints. The API can listen on either a TCP address or a Unix socket/Windows named pipe.
+
+### Socket vs TCP
+
+When `--enable-api` is used, Olm can listen on a TCP address when configured via `--http-addr` (like `:9452`). Alternatively, Olm can listen on a Unix socket (Linux/macOS) or Windows named pipe for local-only communication with better security when using `--socket-path` (like `/var/run/olm.sock`).
+
+**Unix Socket (Linux/macOS):**
+- Socket path example: `/var/run/olm/olm.sock`
+- The directory is created automatically if it doesn't exist
+- Socket permissions are set to `0666` to allow access
+- Existing socket files are automatically removed on startup
+- Socket file is cleaned up when Olm stops
+
+**Windows Named Pipe:**
+- Pipe path example: `\\.\pipe\olm`
+- If the path doesn't start with `\`, it's automatically prefixed with `\\.\pipe\`
+- Security descriptor grants full access to Everyone and the current owner
+- Named pipes are automatically cleaned up by Windows
+
+**Connecting to the Socket:**
+
+```bash
+# Linux/macOS - using curl with Unix socket
+curl --unix-socket /var/run/olm/olm.sock http://localhost/status
+
+---
+
+### POST /connect
+Initiates a new connection request to a Pangolin server.
+
+**Request Body:**
+```json
+{
+  "id": "string",
+  "secret": "string",
+  "endpoint": "string",
+  "userToken": "string",
+  "mtu": 1280,
+  "dns": "8.8.8.8",
+  "dnsProxyIP": "string",
+  "upstreamDNS": ["8.8.8.8:53", "1.1.1.1:53"],
+  "interfaceName": "olm",
+  "holepunch": false,
+  "tlsClientCert": "string",
+  "pingInterval": "3s",
+  "pingTimeout": "5s",
+  "orgId": "string",
+  "fingerprint": {
+    "username": "string",
+    "hostname": "string",
+    "platform": "string",
+    "osVersion": "string",
+    "kernelVersion": "string",
+    "arch": "string",
+    "deviceModel": "string",
+    "serialNumber": "string"
+  },
+  "postures": {}
+}
+```
+
+**Required Fields:**
+- `id`: Olm ID generated by Pangolin
+- `secret`: Authentication secret for the Olm ID
+- `endpoint`: Target Pangolin endpoint URL
+
+**Optional Fields:**
+- `userToken`: User authentication token
+- `mtu`: MTU for the internal WireGuard interface (default: 1280)
+- `dns`: DNS server to use for resolving the endpoint
+- `dnsProxyIP`: DNS proxy IP address
+- `upstreamDNS`: Array of upstream DNS servers
+- `interfaceName`: Name of the WireGuard interface (default: olm)
+- `holepunch`: Enable NAT hole punching (default: false)
+- `tlsClientCert`: TLS client certificate
+- `pingInterval`: Interval for pinging the server (default: 3s)
+- `pingTimeout`: Timeout for each ping (default: 5s)
+- `orgId`: Organization ID to connect to
+- `fingerprint`: Device fingerprinting information (should be set before connecting)
+  - `username`: Current username on the device
+  - `hostname`: Device hostname
+  - `platform`: Operating system platform (macos, windows, linux, ios, android, unknown)
+  - `osVersion`: Operating system version
+  - `kernelVersion`: Kernel version
+  - `arch`: System architecture (e.g., amd64, arm64)
+  - `deviceModel`: Device model identifier
+  - `serialNumber`: Device serial number
+- `postures`: Device posture/security information
+
+**Response:**
+- **Status Code:** `202 Accepted`
+- **Content-Type:** `application/json`
+
+```json
+{
+  "status": "connection request accepted"
+}
+```
+
+**Error Responses:**
+- `405 Method Not Allowed` - Non-POST requests
+- `400 Bad Request` - Invalid JSON or missing required fields
+- `409 Conflict` - Already connected to a server (disconnect first)
+
+---
+
+### GET /status
+Returns the current connection status, registration state, and peer information.
+
+**Response:**
+- **Status Code:** `200 OK`
+- **Content-Type:** `application/json`
+
+```json
+{
+  "connected": true,
+  "registered": true,
+  "terminated": false,
+  "version": "1.0.0",
+  "agent": "olm",
+  "orgId": "org_123",
+  "peers": {
+    "10": {
+      "siteId": 10,
+      "name": "Site A",
+      "connected": true,
+      "rtt": 145338339,
+      "lastSeen": "2025-08-13T14:39:17.208334428-07:00",
+      "endpoint": "p.fosrl.io:21820",
+      "isRelay": true,
+      "peerAddress": "100.89.128.5",
+      "holepunchConnected": false
+    },
+    "8": {
+      "siteId": 8,
+      "name": "Site B",
+      "connected": false,
+      "rtt": 0,
+      "lastSeen": "2025-08-13T14:39:19.663823645-07:00",
+      "endpoint": "p.fosrl.io:21820",
+      "isRelay": true,
+      "peerAddress": "100.89.128.10",
+      "holepunchConnected": false
+    }
+  },
+  "networkSettings": {
+    "tunnelIP": "100.89.128.3/20"
+  }
+}
+```
+
+**Fields:**
+- `connected`: Boolean indicating if connected to Pangolin
+- `registered`: Boolean indicating if registered with the server
+- `terminated`: Boolean indicating if the connection was terminated
+- `version`: Olm version string
+- `agent`: Agent identifier
+- `orgId`: Current organization ID
+- `peers`: Map of peer statuses by site ID
+  - `siteId`: Peer site identifier
+  - `name`: Site name
+  - `connected`: Boolean peer connection state
+  - `rtt`: Peer round-trip time (integer, nanoseconds)
+  - `lastSeen`: Last time peer was seen (RFC3339 timestamp)
+  - `endpoint`: Peer endpoint address
+  - `isRelay`: Whether the peer is relayed (true) or direct (false)
+  - `peerAddress`: Peer's IP address in the tunnel
+  - `holepunchConnected`: Whether holepunch connection is established
+- `networkSettings`: Current network configuration including tunnel IP
+
+**Error Responses:**
+- `405 Method Not Allowed` - Non-GET requests
+
+---
+
+### POST /disconnect
+Disconnects from the current Pangolin server and tears down the WireGuard tunnel.
+
+**Request Body:** None required
+
+**Response:**
+- **Status Code:** `200 OK`
+- **Content-Type:** `application/json`
+
+```json
+{
+  "status": "disconnect initiated"
+}
+```
+
+**Error Responses:**
+- `405 Method Not Allowed` - Non-POST requests
+- `409 Conflict` - Not currently connected to a server
+
+---
+
+### POST /switch-org
+Switches to a different organization while maintaining the connection.
+
+**Request Body:**
+```json
+{
+  "orgId": "string"
+}
+```
+
+**Required Fields:**
+- `orgId`: The organization ID to switch to
+
+**Response:**
+- **Status Code:** `200 OK`
+- **Content-Type:** `application/json`
+
+```json
+{
+  "status": "org switch request accepted"
+}
+```
+
+**Error Responses:**
+- `405 Method Not Allowed` - Non-POST requests
+- `400 Bad Request` - Invalid JSON or missing orgId field
+- `500 Internal Server Error` - Org switch failed
+
+---
+
+### PUT /metadata
+Updates device fingerprinting and posture information. This endpoint can be called at any time to update metadata, but it's recommended to provide this information in the initial `/connect` request or immediately before connecting.
+
+**Request Body:**
+```json
+{
+  "fingerprint": {
+    "username": "string",
+    "hostname": "string",
+    "platform": "string",
+    "osVersion": "string",
+    "kernelVersion": "string",
+    "arch": "string",
+    "deviceModel": "string",
+    "serialNumber": "string"
+  },
+  "postures": {}
+}
+```
+
+**Optional Fields:**
+- `fingerprint`: Device fingerprinting information
+  - `username`: Current username on the device
+  - `hostname`: Device hostname
+  - `platform`: Operating system platform (macos, windows, linux, ios, android, unknown)
+  - `osVersion`: Operating system version
+  - `kernelVersion`: Kernel version
+  - `arch`: System architecture (e.g., amd64, arm64)
+  - `deviceModel`: Device model identifier
+  - `serialNumber`: Device serial number
+- `postures`: Device posture/security information (object with arbitrary key-value pairs)
+
+**Response:**
+- **Status Code:** `200 OK`
+- **Content-Type:** `application/json`
+
+```json
+{
+  "status": "metadata updated"
+}
+```
+
+**Error Responses:**
+- `405 Method Not Allowed` - Non-PUT requests
+- `400 Bad Request` - Invalid JSON
+
+**Note:** It's recommended to call this endpoint BEFORE `/connect` to ensure fingerprinting information is available during the initial connection handshake.
+
+---
+
+### POST /exit
+Initiates a graceful shutdown of the Olm process.
+
+**Request Body:** None required
+
+**Response:**
+- **Status Code:** `200 OK`
+- **Content-Type:** `application/json`
+
+```json
+{
+  "status": "shutdown initiated"
+}
+```
+
+**Note:** The response is sent before shutdown begins. There is a 100ms delay before the actual shutdown to ensure the response is delivered.
+
+**Error Responses:**
+- `405 Method Not Allowed` - Non-POST requests
+
+---
+
+### GET /health
+Simple health check endpoint to verify the API server is running.
+
+**Response:**
+- **Status Code:** `200 OK`
+- **Content-Type:** `application/json`
+
+```json
+{
+  "status": "ok"
+}
+```
+
+**Error Responses:**
+- `405 Method Not Allowed` - Non-GET requests
+
+---
+
+## Usage Examples
+
+### Update metadata before connecting (recommended)
+```bash
+curl -X PUT http://localhost:9452/metadata \
+  -H "Content-Type: application/json" \
+  -d '{
+    "fingerprint": {
+      "username": "john",
+      "hostname": "johns-laptop",
+      "platform": "macos",
+      "osVersion": "14.2.1",
+      "arch": "arm64",
+      "deviceModel": "MacBookPro18,3"
+    }
+  }'
+```
+
+### Connect to a peer
+```bash
+curl -X POST http://localhost:9452/connect \
+  -H "Content-Type: application/json" \
+  -d '{
+    "id": "31frd0uzbjvp721",
+    "secret": "h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6",
+    "endpoint": "https://example.com"
+  }'
+```
+
+### Connect with additional options
+```bash
+curl -X POST http://localhost:9452/connect \
+  -H "Content-Type: application/json" \
+  -d '{
+    "id": "31frd0uzbjvp721",
+    "secret": "h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6",
+    "endpoint": "https://example.com",
+    "mtu": 1400,
+    "holepunch": true,
+    "pingInterval": "5s"
+  }'
+```
+
+### Check connection status
+```bash
+curl http://localhost:9452/status
+```
+
+### Switch organization
+```bash
+curl -X POST http://localhost:9452/switch-org \
+  -H "Content-Type: application/json" \
+  -d '{"orgId": "org_456"}'
+```
+
+### Disconnect from server
+```bash
+curl -X POST http://localhost:9452/disconnect
+```
+
+### Health check
+```bash
+curl http://localhost:9452/health
+```
+
+### Shutdown Olm
+```bash
+curl -X POST http://localhost:9452/exit
+```
+
+### Using Unix socket (Linux/macOS)
+```bash
+curl --unix-socket /var/run/olm/olm.sock http://localhost/status
+curl --unix-socket /var/run/olm/olm.sock -X POST http://localhost/disconnect
+```

Dockerfile

@@ -1,4 +1,8 @@
-FROM golang:1.25-alpine AS builder
+# FROM golang:1.25-alpine AS builder
+FROM public.ecr.aws/docker/library/golang:1.25-alpine AS builder
+
+# Install git and ca-certificates
+RUN apk --no-cache add ca-certificates git tzdata
 
 # Set the working directory inside the container
 WORKDIR /app
@@ -13,21 +17,16 @@ RUN go mod download
 COPY . .
 
 # Build the application
-RUN CGO_ENABLED=0 GOOS=linux go build -o /olm
+ARG VERSION=dev
+RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w -X main.olmVersion=${VERSION}" -o /olm
 
-# Start a new stage from scratch
-FROM alpine:3.22 AS runner
+FROM public.ecr.aws/docker/library/alpine:3.23 AS runner
 
-RUN apk --no-cache add ca-certificates
+RUN apk --no-cache add ca-certificates tzdata iputils
 
-# Copy the pre-built binary file from the previous stage and the entrypoint script
 COPY --from=builder /olm /usr/local/bin/
 COPY entrypoint.sh /
 
 RUN chmod +x /entrypoint.sh
-
-# Copy the entrypoint script
 ENTRYPOINT ["/entrypoint.sh"]
-
-# Command to run the executable
 CMD ["olm"]

Makefile

@@ -1,26 +1,70 @@
+.PHONY: all local docker-build-release
 
-all: go-build-release 
+all: local
+
+VERSION ?= dev
+LDFLAGS = -X main.olmVersion=$(VERSION)
+
+local:
+	CGO_ENABLED=0 go build -o ./bin/olm
+
+docker-build:
+	docker build -t fosrl/olm:latest .
 
 docker-build-release:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make docker-build-release tag=<tag>"; \
 		exit 1; \
 	fi
-	docker buildx build --platform linux/arm/v7,linux/arm64,linux/amd64 -t fosrl/olm:latest -f Dockerfile --push .
-	docker buildx build --platform linux/arm/v7,linux/arm64,linux/amd64 -t fosrl/olm:$(tag) -f Dockerfile --push .
+	docker buildx build . \
+		--platform linux/arm/v7,linux/arm64,linux/amd64 \
+		-t fosrl/olm:latest \
+		-t fosrl/olm:$(tag) \
+		-f Dockerfile \
+		--push
 
-local: 
-	CGO_ENABLED=0 go build -o olm
+docker-build-dev:
+	docker buildx build . \
+		--platform linux/arm/v7,linux/arm64,linux/amd64 \
+		-t fosrl/olm:latest \
+		-f Dockerfile
 
-build:
-	docker build -t fosrl/olm:latest .
+.PHONY: go-build-release \
+        go-build-release-linux-arm64 go-build-release-linux-arm32-v7 \
+        go-build-release-linux-arm32-v6 go-build-release-linux-amd64 \
+        go-build-release-linux-riscv64 go-build-release-darwin-arm64 \
+        go-build-release-darwin-amd64 go-build-release-windows-amd64
 
-go-build-release:
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/olm_linux_arm64
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/olm_linux_amd64
-	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o bin/olm_darwin_arm64
-	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o bin/olm_darwin_amd64
-	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o bin/olm_windows_amd64.exe
-	
-clean:
-	rm olm
+go-build-release: \
+    go-build-release-linux-arm64 \
+    go-build-release-linux-arm32-v7 \
+    go-build-release-linux-arm32-v6 \
+    go-build-release-linux-amd64 \
+    go-build-release-linux-riscv64 \
+    go-build-release-darwin-arm64 \
+    go-build-release-darwin-amd64 \
+    go-build-release-windows-amd64 \
+
+go-build-release-linux-arm64:
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o bin/olm_linux_arm64
+
+go-build-release-linux-arm32-v7:
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -ldflags "$(LDFLAGS)" -o bin/olm_linux_arm32
+
+go-build-release-linux-arm32-v6:
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -ldflags "$(LDFLAGS)" -o bin/olm_linux_arm32v6
+
+go-build-release-linux-amd64:
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/olm_linux_amd64
+
+go-build-release-linux-riscv64:
+	CGO_ENABLED=0 GOOS=linux GOARCH=riscv64 go build -ldflags "$(LDFLAGS)" -o bin/olm_linux_riscv64
+
+go-build-release-darwin-arm64:
+	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o bin/olm_darwin_arm64
+
+go-build-release-darwin-amd64:
+	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/olm_darwin_amd64
+
+go-build-release-windows-amd64:
+	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/olm_windows_amd64.exe

README.md

@@ -1,4 +1,5 @@
 # Olm
+Olm is being phased out in favor of the [Pangolin CLI](https://github.com/fosrl/cli) and is only meant for advanced use cases.
 
 Olm is a [WireGuard](https://www.wireguard.com/) tunnel client designed to securely connect your computer to Newt sites running on remote networks.
 
@@ -6,7 +7,7 @@ Olm is a [WireGuard](https://www.wireguard.com/) tunnel client designed to secur
 
 Olm is used with Pangolin and Newt as part of the larger system. See documentation below:
 
--   [Full Documentation](https://docs.pangolin.net)
+-   [Full Documentation](https://docs.pangolin.net/manage/clients/understanding-clients)
 
 ## Key Functions
 
@@ -18,281 +19,18 @@ Using the Olm ID and a secret, the olm will make HTTP requests to Pangolin to re
 
 When Olm receives WireGuard control messages, it will use the information encoded (endpoint, public key) to bring up a WireGuard tunnel on your computer to a remote Newt. It will ping over the tunnel to ensure the peer is brought up.
 
-## CLI Args
-
--   `endpoint`: The endpoint where both Gerbil and Pangolin reside in order to connect to the websocket.
--   `id`: Olm ID generated by Pangolin to identify the olm.
--   `secret`: A unique secret (not shared and kept private) used to authenticate the olm ID with the websocket in order to receive commands.
--   `mtu` (optional): MTU for the internal WG interface. Default: 1280
--   `dns` (optional): DNS server to use to resolve the endpoint. Default: 8.8.8.8
--   `log-level` (optional): The log level to use (DEBUG, INFO, WARN, ERROR, FATAL). Default: INFO
--   `ping-interval` (optional): Interval for pinging the server. Default: 3s
--   `ping-timeout` (optional): Timeout for each ping. Default: 5s
--   `interface` (optional): Name of the WireGuard interface. Default: olm
--   `enable-http` (optional): Enable HTTP server for receiving connection requests. Default: false
--   `http-addr` (optional): HTTP server address (e.g., ':9452'). Default: :9452
--   `holepunch` (optional): Enable hole punching. Default: false
-
-## Environment Variables
-
-All CLI arguments can also be set via environment variables:
-
--   `PANGOLIN_ENDPOINT`: Equivalent to `--endpoint`
--   `OLM_ID`: Equivalent to `--id`
--   `OLM_SECRET`: Equivalent to `--secret`
--   `MTU`: Equivalent to `--mtu`
--   `DNS`: Equivalent to `--dns`
--   `LOG_LEVEL`: Equivalent to `--log-level`
--   `INTERFACE`: Equivalent to `--interface`
--   `HTTP_ADDR`: Equivalent to `--http-addr`
--   `PING_INTERVAL`: Equivalent to `--ping-interval`
--   `PING_TIMEOUT`: Equivalent to `--ping-timeout`
--   `HOLEPUNCH`: Set to "true" to enable hole punching (equivalent to `--holepunch`)
--   `CONFIG_FILE`: Set to the location of a JSON file to load secret values
-
-Examples:
-
-```bash
-olm \
---id 31frd0uzbjvp721 \
---secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \
---endpoint https://example.com
-```
-
-You can also run it with Docker compose. For example, a service in your `docker-compose.yml` might look like this using environment vars (recommended):
-
-```yaml
-services:
-    olm:
-        image: fosrl/olm
-        container_name: olm
-        restart: unless-stopped
-        network_mode: host
-        devices:
-            - /dev/net/tun:/dev/net/tun
-        environment:
-            - PANGOLIN_ENDPOINT=https://example.com
-            - OLM_ID=31frd0uzbjvp721
-            - OLM_SECRET=h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
-```
-
-You can also pass the CLI args to the container:
-
-```yaml
-services:
-    olm:
-        image: fosrl/olm
-        container_name: olm
-        restart: unless-stopped
-        network_mode: host
-        devices:
-            - /dev/net/tun:/dev/net/tun
-        command:
-            - --id 31frd0uzbjvp721
-            - --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
-            - --endpoint https://example.com
-```
-
-**Docker Configuration Notes:**
-
-- `network_mode: host` brings the olm network interface to the host system, allowing the WireGuard tunnel to function properly
-- `devices: - /dev/net/tun:/dev/net/tun` is required to give the container access to the TUN device for creating WireGuard interfaces
-
-## Loading secrets from files
-
-You can use `CONFIG_FILE` to define a location of a config file to store the credentials between runs. 
-
-```
-$ cat ~/.config/olm-client/config.json
-{
-  "id": "spmzu8rbpzj1qq6",
-  "secret": "f6v61mjutwme2kkydbw3fjo227zl60a2tsf5psw9r25hgae3",
-  "endpoint": "https://app.pangolin.net",
-  "tlsClientCert": ""
-}
-```
-
-This file is also written to when newt first starts up. So you do not need to run every time with --id and secret if you have run it once! 
-
-Default locations: 
-
-- **macOS**: `~/Library/Application Support/olm-client/config.json`
-- **Windows**: `%PROGRAMDATA%\olm\olm-client\config.json`
-- **Linux/Others**: `~/.config/olm-client/config.json`
-
 ## Hole Punching
 
-In the default mode, olm "relays" traffic through Gerbil in the cloud to get down to newt. This is a little more reliable. Support for NAT hole punching is also EXPERIMENTAL right now using the `--holepunch` flag. This will attempt to orchestrate a NAT hole punch between the two sites so that traffic flows directly. This will save data costs and speed. If it fails it should fall back to relaying.
-
-Right now, basic NAT hole punching is supported. We plan to add:
-
--   [ ] Birthday paradox
--   [ ] UPnP
--   [ ] LAN detection
-
-## Windows Service
-
-On Windows, olm has to be installed and run as a Windows service. When running it with the cli args live above it will attempt to install and run the service to function like a cli tool. You can also run the following:
-
-### Service Management Commands
-
-```
-# Install the service
-olm.exe install
-
-# Start the service
-olm.exe start
-
-# Stop the service
-olm.exe stop
-
-# Check service status
-olm.exe status
-
-# Remove the service
-olm.exe remove
-
-# Run in debug mode (console output) with our without id & secret
-olm.exe debug
-
-# Show help
-olm.exe help
-```
-
-Note running the service requires credentials in `%PROGRAMDATA%\olm\olm-client\config.json`.
-
-### Service Configuration
-
-When running as a service, Olm will read configuration from environment variables or you can modify the service to include command-line arguments:
-
-1. Install the service: `olm.exe install`
-2. Set the credentials in `%PROGRAMDATA%\olm\olm-client\config.json`. Hint: if you run olm once with --id and --secret this file will be populated! 
-3. Start the service: `olm.exe start`
-
-### Service Logs
-
-When running as a service, logs are written to:
-
--   Windows Event Log (Application log, source: "OlmWireguardService")
--   Log files in: `%PROGRAMDATA%\olm\logs\olm.log`
-
-You can view the Windows Event Log using Event Viewer or PowerShell:
-
-```powershell
-Get-EventLog -LogName Application -Source "OlmWireguardService" -Newest 10
-```
-
-## HTTP Endpoints
-
-Olm can be controlled with an embedded http server when using `--enable-http`. This allows you to start it as a daemon and trigger it with the following endpoints:
-
-### POST /connect
-Initiates a new connection request.
-
-**Request Body:**
-```json
-{
-  "id": "string",
-  "secret": "string", 
-  "endpoint": "string"
-}
-```
-
-**Required Fields:**
-- `id`: Connection identifier
-- `secret`: Authentication secret
-- `endpoint`: Target endpoint URL
-
-**Response:**
-- **Status Code:** `202 Accepted`
-- **Content-Type:** `application/json`
-
-```json
-{
-  "status": "connection request accepted"
-}
-```
-
-**Error Responses:**
-- `405 Method Not Allowed` - Non-POST requests
-- `400 Bad Request` - Invalid JSON or missing required fields
-
-### GET /status
-Returns the current connection status and peer information.
-
-**Response:**
-- **Status Code:** `200 OK`
-- **Content-Type:** `application/json`
-
-```json
-{
-  "status": "connected",
-  "connected": true,
-  "tunnelIP": "100.89.128.3/20",
-  "version": "version_replaceme",
-  "peers": {
-    "10": {
-      "siteId": 10,
-      "connected": true,
-      "rtt": 145338339,
-      "lastSeen": "2025-08-13T14:39:17.208334428-07:00",
-      "endpoint": "p.fosrl.io:21820",
-      "isRelay": true
-    },
-    "8": {
-      "siteId": 8,
-      "connected": false,
-      "rtt": 0,
-      "lastSeen": "2025-08-13T14:39:19.663823645-07:00",
-      "endpoint": "p.fosrl.io:21820",
-      "isRelay": true
-    }
-  }
-}
-```
-
-**Fields:**
-- `status`: Overall connection status ("connected" or "disconnected")
-- `connected`: Boolean connection state
-- `tunnelIP`: IP address and subnet of the tunnel (when connected)
-- `version`: Olm version string
-- `peers`: Map of peer statuses by site ID
-  - `siteId`: Peer site identifier
-  - `connected`: Boolean peer connection state
-  - `rtt`: Peer round-trip time (integer, nanoseconds)
-  - `lastSeen`: Last time peer was seen (RFC3339 timestamp)
-  - `endpoint`: Peer endpoint address
-  - `isRelay`: Whether the peer is relayed (true) or direct (false)
-
-**Error Responses:**
-- `405 Method Not Allowed` - Non-GET requests
-
-## Usage Examples
-
-### Connect to a peer
-```bash
-curl -X POST http://localhost:8080/connect \
-  -H "Content-Type: application/json" \
-  -d '{
-    "id": "31frd0uzbjvp721",
-    "secret": "h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6",
-    "endpoint": "https://example.com"
-  }'
-```
-
-### Check connection status
-```bash
-curl http://localhost:8080/status
-```
+In the default mode, olm uses both relaying through Gerbil and NAT hole punching to connect to Newt. Hole punching attempts to orchestrate a NAT traversal between the two sites so that traffic flows directly, which can save data costs and improve speed. If hole punching fails, traffic will fall back to relaying through Gerbil.
 
 ## Build
 
 ### Binary
 
-Make sure to have Go 1.23.1 installed.
+Make sure to have Go 1.25 installed.
 
 ```bash
-make local
+make
 ```
 
 ## Licensing

api/api.go

@@ -0,0 +1,734 @@
+package api
+
+import (
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"strconv"
+	"sync"
+	"time"
+
+	"github.com/fosrl/newt/logger"
+	"github.com/fosrl/newt/network"
+)
+
+// ConnectionRequest defines the structure for an incoming connection request
+type ConnectionRequest struct {
+	ID            string   `json:"id"`
+	Secret        string   `json:"secret"`
+	Endpoint      string   `json:"endpoint"`
+	UserToken     string   `json:"userToken,omitempty"`
+	MTU           int      `json:"mtu,omitempty"`
+	DNS           string   `json:"dns,omitempty"`
+	DNSProxyIP    string   `json:"dnsProxyIP,omitempty"`
+	UpstreamDNS   []string `json:"upstreamDNS,omitempty"`
+	InterfaceName string   `json:"interfaceName,omitempty"`
+	Holepunch     bool     `json:"holepunch,omitempty"`
+	TlsClientCert string   `json:"tlsClientCert,omitempty"`
+	PingInterval  string   `json:"pingInterval,omitempty"`
+	PingTimeout   string   `json:"pingTimeout,omitempty"`
+	OrgID         string   `json:"orgId,omitempty"`
+}
+
+// SwitchOrgRequest defines the structure for switching organizations
+type SwitchOrgRequest struct {
+	OrgID string `json:"org_id"`
+}
+
+// PowerModeRequest represents a request to change power mode
+type PowerModeRequest struct {
+	Mode string `json:"mode"` // "normal" or "low"
+}
+
+// PeerStatus represents the status of a peer connection
+type PeerStatus struct {
+	SiteID             int           `json:"siteId"`
+	Name               string        `json:"name"`
+	Connected          bool          `json:"connected"`
+	RTT                time.Duration `json:"rtt"`
+	LastSeen           time.Time     `json:"lastSeen"`
+	Endpoint           string        `json:"endpoint,omitempty"`
+	IsRelay            bool          `json:"isRelay"`
+	PeerIP             string        `json:"peerAddress,omitempty"`
+	HolepunchConnected bool          `json:"holepunchConnected"`
+}
+
+// OlmError holds error information from registration failures
+type OlmError struct {
+	Code    string `json:"code"`
+	Message string `json:"message"`
+}
+
+// StatusResponse is returned by the status endpoint
+type StatusResponse struct {
+	Connected       bool                    `json:"connected"`
+	Registered      bool                    `json:"registered"`
+	Terminated      bool                    `json:"terminated"`
+	OlmError        *OlmError               `json:"error,omitempty"`
+	Version         string                  `json:"version,omitempty"`
+	Agent           string                  `json:"agent,omitempty"`
+	OrgID           string                  `json:"orgId,omitempty"`
+	PeerStatuses    map[int]*PeerStatus     `json:"peers,omitempty"`
+	NetworkSettings network.NetworkSettings `json:"networkSettings,omitempty"`
+}
+
+type MetadataChangeRequest struct {
+	Fingerprint map[string]any `json:"fingerprint"`
+	Postures    map[string]any `json:"postures"`
+}
+
+// JITConnectionRequest defines the structure for a dynamic Just-In-Time connection request.
+// Either SiteID or ResourceID must be provided (but not necessarily both).
+type JITConnectionRequest struct {
+	Site     string `json:"site,omitempty"`
+	Resource string `json:"resource,omitempty"`
+}
+
+// API represents the HTTP server and its state
+type API struct {
+	addr       string
+	socketPath string
+	listener   net.Listener
+	server     *http.Server
+
+	onConnect        func(ConnectionRequest) error
+	onSwitchOrg      func(SwitchOrgRequest) error
+	onMetadataChange func(MetadataChangeRequest) error
+	onDisconnect     func() error
+	onExit           func() error
+	onRebind         func() error
+	onPowerMode      func(PowerModeRequest) error
+	onJITConnect     func(JITConnectionRequest) error
+
+	statusMu     sync.RWMutex
+	peerStatuses map[int]*PeerStatus
+	connectedAt  time.Time
+	isConnected  bool
+	isRegistered bool
+	isTerminated bool
+	olmError     *OlmError
+
+	version string
+	agent   string
+	orgID   string
+}
+
+// NewAPI creates a new HTTP server that listens on a TCP address
+func NewAPI(addr string) *API {
+	s := &API{
+		addr:         addr,
+		peerStatuses: make(map[int]*PeerStatus),
+	}
+
+	return s
+}
+
+// NewAPISocket creates a new HTTP server that listens on a Unix socket or Windows named pipe
+func NewAPISocket(socketPath string) *API {
+	s := &API{
+		socketPath:   socketPath,
+		peerStatuses: make(map[int]*PeerStatus),
+	}
+
+	return s
+}
+
+func NewAPIStub() *API {
+	s := &API{
+		peerStatuses: make(map[int]*PeerStatus),
+	}
+
+	return s
+}
+
+// SetHandlers sets the callback functions for handling API requests
+func (s *API) SetHandlers(
+	onConnect func(ConnectionRequest) error,
+	onSwitchOrg func(SwitchOrgRequest) error,
+	onMetadataChange func(MetadataChangeRequest) error,
+	onDisconnect func() error,
+	onExit func() error,
+	onRebind func() error,
+	onPowerMode func(PowerModeRequest) error,
+	onJITConnect func(JITConnectionRequest) error,
+) {
+	s.onConnect = onConnect
+	s.onSwitchOrg = onSwitchOrg
+	s.onMetadataChange = onMetadataChange
+	s.onDisconnect = onDisconnect
+	s.onExit = onExit
+	s.onRebind = onRebind
+	s.onPowerMode = onPowerMode
+	s.onJITConnect = onJITConnect
+}
+
+// Start starts the HTTP server
+func (s *API) Start() error {
+	if s.socketPath == "" && s.addr == "" {
+		return fmt.Errorf("either socketPath or addr must be provided to start the API server")
+	}
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/connect", s.handleConnect)
+	mux.HandleFunc("/status", s.handleStatus)
+	mux.HandleFunc("/switch-org", s.handleSwitchOrg)
+	mux.HandleFunc("/metadata", s.handleMetadataChange)
+	mux.HandleFunc("/disconnect", s.handleDisconnect)
+	mux.HandleFunc("/exit", s.handleExit)
+	mux.HandleFunc("/health", s.handleHealth)
+	mux.HandleFunc("/rebind", s.handleRebind)
+	mux.HandleFunc("/power-mode", s.handlePowerMode)
+	mux.HandleFunc("/jit-connect", s.handleJITConnect)
+
+	s.server = &http.Server{
+		Handler: mux,
+	}
+
+	var err error
+	if s.socketPath != "" {
+		// Use platform-specific socket listener
+		s.listener, err = createSocketListener(s.socketPath)
+		if err != nil {
+			return fmt.Errorf("failed to create socket listener: %w", err)
+		}
+		logger.Info("Starting HTTP server on socket %s", s.socketPath)
+	} else {
+		// Use TCP listener
+		s.listener, err = net.Listen("tcp", s.addr)
+		if err != nil {
+			return fmt.Errorf("failed to create TCP listener: %w", err)
+		}
+		logger.Info("Starting HTTP server on %s", s.addr)
+	}
+
+	go func() {
+		if err := s.server.Serve(s.listener); err != nil && err != http.ErrServerClosed {
+			logger.Error("HTTP server error: %v", err)
+		}
+	}()
+
+	return nil
+}
+
+// Stop stops the HTTP server
+func (s *API) Stop() error {
+	logger.Info("Stopping api server")
+
+	// Close the server first, which will also close the listener gracefully
+	if s.server != nil {
+		_ = s.server.Close()
+	}
+
+	// Clean up socket file if using Unix socket
+	if s.socketPath != "" {
+		cleanupSocket(s.socketPath)
+	}
+
+	return nil
+}
+
+func (s *API) AddPeerStatus(siteID int, siteName string, connected bool, rtt time.Duration, endpoint string, isRelay bool) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+
+	status, exists := s.peerStatuses[siteID]
+	if !exists {
+		status = &PeerStatus{
+			SiteID: siteID,
+		}
+		s.peerStatuses[siteID] = status
+	}
+
+	status.Name = siteName
+	status.Connected = connected
+	status.RTT = rtt
+	status.LastSeen = time.Now()
+	status.Endpoint = endpoint
+	status.IsRelay = isRelay
+}
+
+// UpdatePeerStatus updates the status of a peer including endpoint and relay info
+func (s *API) UpdatePeerStatus(siteID int, connected bool, rtt time.Duration, endpoint string, isRelay bool) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+
+	status, exists := s.peerStatuses[siteID]
+	if !exists {
+		status = &PeerStatus{
+			SiteID: siteID,
+		}
+		s.peerStatuses[siteID] = status
+	}
+
+	status.Connected = connected
+	status.RTT = rtt
+	status.LastSeen = time.Now()
+	status.Endpoint = endpoint
+	status.IsRelay = isRelay
+}
+
+func (s *API) RemovePeerStatus(siteID int) { // remove the peer from the status map
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+	delete(s.peerStatuses, siteID)
+}
+
+// SetConnectionStatus sets the overall connection status
+func (s *API) SetConnectionStatus(isConnected bool) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+
+	s.isConnected = isConnected
+
+	if isConnected {
+		s.connectedAt = time.Now()
+	}
+}
+
+func (s *API) SetRegistered(registered bool) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+	s.isRegistered = registered
+	// Clear any registration error when successfully registered
+	if registered {
+		s.olmError = nil
+	}
+}
+
+// SetOlmError sets the registration error
+func (s *API) SetOlmError(code string, message string) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+	s.olmError = &OlmError{
+		Code:    code,
+		Message: message,
+	}
+}
+
+// ClearOlmError clears any registration error
+func (s *API) ClearOlmError() {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+	s.olmError = nil
+}
+
+func (s *API) SetTerminated(terminated bool) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+	s.isTerminated = terminated
+}
+
+// ClearPeerStatuses clears all peer statuses
+func (s *API) ClearPeerStatuses() {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+	s.peerStatuses = make(map[int]*PeerStatus)
+}
+
+// SetVersion sets the olm version
+func (s *API) SetVersion(version string) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+	s.version = version
+}
+
+// SetAgent sets the olm agent
+func (s *API) SetAgent(agent string) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+	s.agent = agent
+}
+
+// SetOrgID sets the organization ID
+func (s *API) SetOrgID(orgID string) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+	s.orgID = orgID
+}
+
+// UpdatePeerRelayStatus updates only the relay status of a peer
+func (s *API) UpdatePeerRelayStatus(siteID int, endpoint string, isRelay bool) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+
+	status, exists := s.peerStatuses[siteID]
+	if !exists {
+		status = &PeerStatus{
+			SiteID: siteID,
+		}
+		s.peerStatuses[siteID] = status
+	}
+
+	status.Endpoint = endpoint
+	status.IsRelay = isRelay
+}
+
+// UpdatePeerHolepunchStatus updates the holepunch connection status of a peer
+func (s *API) UpdatePeerHolepunchStatus(siteID int, holepunchConnected bool) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+
+	status, exists := s.peerStatuses[siteID]
+	if !exists {
+		status = &PeerStatus{
+			SiteID: siteID,
+		}
+		s.peerStatuses[siteID] = status
+	}
+
+	status.HolepunchConnected = holepunchConnected
+}
+
+// handleConnect handles the /connect endpoint
+func (s *API) handleConnect(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// if we are already connected, reject new connection requests
+	s.statusMu.RLock()
+	alreadyConnected := s.isConnected
+	s.statusMu.RUnlock()
+	if alreadyConnected {
+		http.Error(w, "Already connected to a server. Disconnect first before connecting again.", http.StatusConflict)
+		return
+	}
+
+	var req ConnectionRequest
+	decoder := json.NewDecoder(r.Body)
+	if err := decoder.Decode(&req); err != nil {
+		http.Error(w, fmt.Sprintf("Invalid request: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	// Validate required fields
+	if req.ID == "" || req.Secret == "" || req.Endpoint == "" {
+		http.Error(w, "Missing required fields: id, secret, and endpoint must be provided", http.StatusBadRequest)
+		return
+	}
+
+	// Call the connect handler if set
+	if s.onConnect != nil {
+		if err := s.onConnect(req); err != nil {
+			http.Error(w, fmt.Sprintf("Connection failed: %v", err), http.StatusInternalServerError)
+			return
+		}
+	}
+
+	// Return a success response
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusAccepted)
+	_ = json.NewEncoder(w).Encode(map[string]string{
+		"status": "connection request accepted",
+	})
+}
+
+// handleStatus handles the /status endpoint
+func (s *API) handleStatus(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	s.statusMu.RLock()
+
+	resp := StatusResponse{
+		Connected:       s.isConnected,
+		Registered:      s.isRegistered,
+		Terminated:      s.isTerminated,
+		OlmError:        s.olmError,
+		Version:         s.version,
+		Agent:           s.agent,
+		OrgID:           s.orgID,
+		PeerStatuses:    s.peerStatuses,
+		NetworkSettings: network.GetSettings(),
+	}
+
+	s.statusMu.RUnlock()
+
+	data, err := json.Marshal(resp)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Content-Length", strconv.Itoa(len(data)))
+	w.WriteHeader(http.StatusOK)
+	_, _ = w.Write(data)
+}
+
+// handleHealth handles the /health endpoint
+func (s *API) handleHealth(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	_ = json.NewEncoder(w).Encode(map[string]string{
+		"status": "ok",
+	})
+}
+
+// handleExit handles the /exit endpoint
+func (s *API) handleExit(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	logger.Info("Received exit request via API")
+
+	// Return a success response first
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	_ = json.NewEncoder(w).Encode(map[string]string{
+		"status": "shutdown initiated",
+	})
+
+	// Call the exit handler after responding, in a goroutine with a small delay
+	// to ensure the response is fully sent before shutdown begins
+	if s.onExit != nil {
+		go func() {
+			time.Sleep(100 * time.Millisecond)
+			if err := s.onExit(); err != nil {
+				logger.Error("Exit handler failed: %v", err)
+			}
+		}()
+	}
+}
+
+// handleSwitchOrg handles the /switch-org endpoint
+func (s *API) handleSwitchOrg(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var req SwitchOrgRequest
+	decoder := json.NewDecoder(r.Body)
+	if err := decoder.Decode(&req); err != nil {
+		http.Error(w, fmt.Sprintf("Invalid request: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	// Validate required fields
+	if req.OrgID == "" {
+		http.Error(w, "Missing required field: orgId must be provided", http.StatusBadRequest)
+		return
+	}
+
+	logger.Info("Received org switch request to orgId: %s", req.OrgID)
+
+	// Call the switch org handler if set
+	if s.onSwitchOrg != nil {
+		if err := s.onSwitchOrg(req); err != nil {
+			http.Error(w, fmt.Sprintf("Org switch failed: %v", err), http.StatusInternalServerError)
+			return
+		}
+	}
+
+	// Return a success response
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	_ = json.NewEncoder(w).Encode(map[string]string{
+		"status": "org switch request accepted",
+	})
+}
+
+// handleDisconnect handles the /disconnect endpoint
+func (s *API) handleDisconnect(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// if we are already disconnected, reject new disconnect requests
+	s.statusMu.RLock()
+	alreadyDisconnected := !s.isConnected
+	s.statusMu.RUnlock()
+	if alreadyDisconnected {
+		http.Error(w, "Not currently connected to a server.", http.StatusConflict)
+		return
+	}
+
+	logger.Info("Received disconnect request via API")
+
+	// Call the disconnect handler if set
+	if s.onDisconnect != nil {
+		if err := s.onDisconnect(); err != nil {
+			http.Error(w, fmt.Sprintf("Disconnect failed: %v", err), http.StatusInternalServerError)
+			return
+		}
+	}
+
+	// Return a success response
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	_ = json.NewEncoder(w).Encode(map[string]string{
+		"status": "disconnect initiated",
+	})
+}
+
+// handleMetadataChange handles the /metadata endpoint
+func (s *API) handleMetadataChange(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPut {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var req MetadataChangeRequest
+	decoder := json.NewDecoder(r.Body)
+	if err := decoder.Decode(&req); err != nil {
+		http.Error(w, fmt.Sprintf("Invalid request: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	logger.Info("Received metadata change request via API: %v", req)
+
+	_ = s.onMetadataChange(req)
+
+	// Return a success response
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	_ = json.NewEncoder(w).Encode(map[string]string{
+		"status": "metadata updated",
+	})
+}
+
+func (s *API) GetStatus() StatusResponse {
+	return StatusResponse{
+		Connected:       s.isConnected,
+		Registered:      s.isRegistered,
+		Terminated:      s.isTerminated,
+		OlmError:        s.olmError,
+		Version:         s.version,
+		Agent:           s.agent,
+		OrgID:           s.orgID,
+		PeerStatuses:    s.peerStatuses,
+		NetworkSettings: network.GetSettings(),
+	}
+}
+
+// handleRebind handles the /rebind endpoint
+// This triggers a socket rebind, which is necessary when network connectivity changes
+// (e.g., WiFi to cellular transition on macOS/iOS) and the old socket becomes stale.
+func (s *API) handleRebind(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	logger.Info("Received rebind request via API")
+
+	// Call the rebind handler if set
+	if s.onRebind != nil {
+		if err := s.onRebind(); err != nil {
+			http.Error(w, fmt.Sprintf("Rebind failed: %v", err), http.StatusInternalServerError)
+			return
+		}
+	} else {
+		http.Error(w, "Rebind handler not configured", http.StatusNotImplemented)
+		return
+	}
+
+	// Return a success response
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	_ = json.NewEncoder(w).Encode(map[string]string{
+		"status": "socket rebound successfully",
+	})
+}
+
+// handleJITConnect handles the /jit-connect endpoint.
+// It initiates a dynamic Just-In-Time connection to a site identified by either
+// a site or a resource. Exactly one of the two must be provided.
+func (s *API) handleJITConnect(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var req JITConnectionRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, fmt.Sprintf("Invalid request body: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	// Validate that exactly one of site or resource is provided
+	if req.Site == "" && req.Resource == "" {
+		http.Error(w, "Missing required field: either site or resource must be provided", http.StatusBadRequest)
+		return
+	}
+	if req.Site != "" && req.Resource != "" {
+		http.Error(w, "Ambiguous request: provide either site or resource, not both", http.StatusBadRequest)
+		return
+	}
+
+	if req.Site != "" {
+		logger.Info("Received JIT connection request via API: site=%s", req.Site)
+	} else {
+		logger.Info("Received JIT connection request via API: resource=%s", req.Resource)
+	}
+
+	if s.onJITConnect != nil {
+		if err := s.onJITConnect(req); err != nil {
+			http.Error(w, fmt.Sprintf("JIT connection failed: %v", err), http.StatusInternalServerError)
+			return
+		}
+	} else {
+		http.Error(w, "JIT connect handler not configured", http.StatusNotImplemented)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusAccepted)
+	_ = json.NewEncoder(w).Encode(map[string]string{
+		"status": "JIT connection request accepted",
+	})
+}
+
+// handlePowerMode handles the /power-mode endpoint
+// This allows changing the power mode between "normal" and "low"
+func (s *API) handlePowerMode(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var req PowerModeRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, fmt.Sprintf("Invalid request body: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	// Validate power mode
+	if req.Mode != "normal" && req.Mode != "low" {
+		http.Error(w, "Invalid power mode: must be 'normal' or 'low'", http.StatusBadRequest)
+		return
+	}
+
+	logger.Info("Received power mode change request via API: mode=%s", req.Mode)
+
+	// Call the power mode handler if set
+	if s.onPowerMode != nil {
+		if err := s.onPowerMode(req); err != nil {
+			http.Error(w, fmt.Sprintf("Power mode change failed: %v", err), http.StatusInternalServerError)
+			return
+		}
+	} else {
+		http.Error(w, "Power mode handler not configured", http.StatusNotImplemented)
+		return
+	}
+
+	// Return a success response
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	_ = json.NewEncoder(w).Encode(map[string]string{
+		"status": fmt.Sprintf("power mode changed to %s successfully", req.Mode),
+	})
+}

api/api_unix.go

@@ -0,0 +1,50 @@
+//go:build !windows
+// +build !windows
+
+package api
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+
+	"github.com/fosrl/newt/logger"
+)
+
+// createSocketListener creates a Unix domain socket listener
+func createSocketListener(socketPath string) (net.Listener, error) {
+	// Ensure the directory exists
+	dir := filepath.Dir(socketPath)
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return nil, fmt.Errorf("failed to create socket directory: %w", err)
+	}
+
+	// Remove existing socket file if it exists
+	if err := os.RemoveAll(socketPath); err != nil {
+		return nil, fmt.Errorf("failed to remove existing socket: %w", err)
+	}
+
+	listener, err := net.Listen("unix", socketPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to listen on Unix socket: %w", err)
+	}
+
+	// Set socket permissions to allow access
+	if err := os.Chmod(socketPath, 0666); err != nil {
+		listener.Close()
+		return nil, fmt.Errorf("failed to set socket permissions: %w", err)
+	}
+
+	logger.Debug("Created Unix socket at %s", socketPath)
+	return listener, nil
+}
+
+// cleanupSocket removes the Unix socket file
+func cleanupSocket(socketPath string) {
+	if err := os.Remove(socketPath); err != nil && !os.IsNotExist(err) {
+		logger.Error("Failed to remove socket file %s: %v", socketPath, err)
+	} else {
+		logger.Debug("Removed Unix socket at %s", socketPath)
+	}
+}

api/api_windows.go

@@ -0,0 +1,41 @@
+//go:build windows
+// +build windows
+
+package api
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/Microsoft/go-winio"
+	"github.com/fosrl/newt/logger"
+)
+
+// createSocketListener creates a Windows named pipe listener
+func createSocketListener(pipePath string) (net.Listener, error) {
+	// Ensure the pipe path has the correct format
+	if pipePath[0] != '\\' {
+		pipePath = `\\.\pipe\` + pipePath
+	}
+
+	// Create a pipe configuration that allows everyone to write
+	config := &winio.PipeConfig{
+		// Set security descriptor to allow everyone full access
+		// This SDDL string grants full access to Everyone (WD) and to the current owner (OW)
+		SecurityDescriptor: "D:(A;;GA;;;WD)(A;;GA;;;OW)",
+	}
+
+	// Create a named pipe listener using go-winio with the configuration
+	listener, err := winio.ListenPipe(pipePath, config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to listen on named pipe: %w", err)
+	}
+
+	logger.Debug("Created named pipe at %s with write access for everyone", pipePath)
+	return listener, nil
+}
+
+// cleanupSocket is a no-op on Windows as named pipes are automatically cleaned up
+func cleanupSocket(pipePath string) {
+	logger.Debug("Named pipe %s will be automatically cleaned up", pipePath)
+}

config.go

@@ -8,35 +8,44 @@ import (
 	"path/filepath"
 	"runtime"
 	"strconv"
+	"strings"
 	"time"
 )
 
 // OlmConfig holds all configuration options for the Olm client
 type OlmConfig struct {
 	// Connection settings
-	Endpoint string `json:"endpoint"`
-	ID       string `json:"id"`
-	Secret   string `json:"secret"`
+	Endpoint  string `json:"endpoint"`
+	ID        string `json:"id"`
+	Secret    string `json:"secret"`
+	OrgID     string `json:"org"`
+	UserToken string `json:"userToken"`
 
 	// Network settings
-	MTU           int    `json:"mtu"`
-	DNS           string `json:"dns"`
-	InterfaceName string `json:"interface"`
+	MTU           int      `json:"mtu"`
+	DNS           string   `json:"dns"`
+	UpstreamDNS   []string `json:"upstreamDNS"`
+	InterfaceName string   `json:"interface"`
 
 	// Logging
 	LogLevel string `json:"logLevel"`
 
 	// HTTP server
-	EnableHTTP bool   `json:"enableHttp"`
+	EnableAPI  bool   `json:"enableApi"`
 	HTTPAddr   string `json:"httpAddr"`
+	SocketPath string `json:"socketPath"`
 
 	// Ping settings
 	PingInterval string `json:"pingInterval"`
 	PingTimeout  string `json:"pingTimeout"`
 
 	// Advanced
-	Holepunch     bool   `json:"holepunch"`
-	TlsClientCert string `json:"tlsClientCert"`
+	DisableHolepunch bool   `json:"disableHolepunch"`
+	TlsClientCert    string `json:"tlsClientCert"`
+	OverrideDNS      bool   `json:"overrideDNS"`
+	TunnelDNS        bool   `json:"tunnelDNS"`
+	DisableRelay     bool   `json:"disableRelay"`
+	// DoNotCreateNewClient bool   `json:"doNotCreateNewClient"`
 
 	// Parsed values (not in JSON)
 	PingIntervalDuration time.Duration `json:"-"`
@@ -44,6 +53,8 @@ type OlmConfig struct {
 
 	// Source tracking (not in JSON)
 	sources map[string]string `json:"-"`
+
+	Version string
 }
 
 // ConfigSource tracks where each config value came from
@@ -58,29 +69,48 @@ const (
 
 // DefaultConfig returns a config with default values
 func DefaultConfig() *OlmConfig {
+	// Set OS-specific socket path
+	var socketPath string
+	switch runtime.GOOS {
+	case "windows":
+		socketPath = "olm"
+	default: // darwin, linux, and others
+		socketPath = "/var/run/olm.sock"
+	}
+
 	config := &OlmConfig{
-		MTU:           1280,
-		DNS:           "8.8.8.8",
-		LogLevel:      "INFO",
-		InterfaceName: "olm",
-		EnableHTTP:    false,
-		HTTPAddr:      ":9452",
-		PingInterval:  "3s",
-		PingTimeout:   "5s",
-		Holepunch:     false,
-		sources:       make(map[string]string),
+		MTU:              1280,
+		DNS:              "8.8.8.8",
+		UpstreamDNS:      []string{"8.8.8.8:53"},
+		LogLevel:         "INFO",
+		InterfaceName:    "olm",
+		EnableAPI:        false,
+		SocketPath:       socketPath,
+		PingInterval:     "3s",
+		PingTimeout:      "5s",
+		DisableHolepunch: false,
+		OverrideDNS:      true,
+		TunnelDNS:        false,
+		// DoNotCreateNewClient: false,
+		sources: make(map[string]string),
 	}
 
 	// Track default sources
 	config.sources["mtu"] = string(SourceDefault)
 	config.sources["dns"] = string(SourceDefault)
+	config.sources["upstreamDNS"] = string(SourceDefault)
 	config.sources["logLevel"] = string(SourceDefault)
 	config.sources["interface"] = string(SourceDefault)
-	config.sources["enableHttp"] = string(SourceDefault)
+	config.sources["enableApi"] = string(SourceDefault)
 	config.sources["httpAddr"] = string(SourceDefault)
+	config.sources["socketPath"] = string(SourceDefault)
 	config.sources["pingInterval"] = string(SourceDefault)
 	config.sources["pingTimeout"] = string(SourceDefault)
-	config.sources["holepunch"] = string(SourceDefault)
+	config.sources["disableHolepunch"] = string(SourceDefault)
+	config.sources["overrideDNS"] = string(SourceDefault)
+	config.sources["tunnelDNS"] = string(SourceDefault)
+	config.sources["disableRelay"] = string(SourceDefault)
+	// config.sources["doNotCreateNewClient"] = string(SourceDefault)
 
 	return config
 }
@@ -175,6 +205,14 @@ func loadConfigFromEnv(config *OlmConfig) {
 		config.Secret = val
 		config.sources["secret"] = string(SourceEnv)
 	}
+	if val := os.Getenv("ORG"); val != "" {
+		config.OrgID = val
+		config.sources["org"] = string(SourceEnv)
+	}
+	if val := os.Getenv("USER_TOKEN"); val != "" {
+		config.UserToken = val
+		config.sources["userToken"] = string(SourceEnv)
+	}
 	if val := os.Getenv("MTU"); val != "" {
 		if mtu, err := strconv.Atoi(val); err == nil {
 			config.MTU = mtu
@@ -187,6 +225,10 @@ func loadConfigFromEnv(config *OlmConfig) {
 		config.DNS = val
 		config.sources["dns"] = string(SourceEnv)
 	}
+	if val := os.Getenv("UPSTREAM_DNS"); val != "" {
+		config.UpstreamDNS = []string{val}
+		config.sources["upstreamDNS"] = string(SourceEnv)
+	}
 	if val := os.Getenv("LOG_LEVEL"); val != "" {
 		config.LogLevel = val
 		config.sources["logLevel"] = string(SourceEnv)
@@ -207,14 +249,34 @@ func loadConfigFromEnv(config *OlmConfig) {
 		config.PingTimeout = val
 		config.sources["pingTimeout"] = string(SourceEnv)
 	}
-	if val := os.Getenv("ENABLE_HTTP"); val == "true" {
-		config.EnableHTTP = true
-		config.sources["enableHttp"] = string(SourceEnv)
+	if val := os.Getenv("ENABLE_API"); val == "true" {
+		config.EnableAPI = true
+		config.sources["enableApi"] = string(SourceEnv)
 	}
-	if val := os.Getenv("HOLEPUNCH"); val == "true" {
-		config.Holepunch = true
-		config.sources["holepunch"] = string(SourceEnv)
+	if val := os.Getenv("SOCKET_PATH"); val != "" {
+		config.SocketPath = val
+		config.sources["socketPath"] = string(SourceEnv)
 	}
+	if val := os.Getenv("DISABLE_HOLEPUNCH"); val == "true" {
+		config.DisableHolepunch = true
+		config.sources["disableHolepunch"] = string(SourceEnv)
+	}
+	if val := os.Getenv("OVERRIDE_DNS"); val == "true" {
+		config.OverrideDNS = true
+		config.sources["overrideDNS"] = string(SourceEnv)
+	}
+	if val := os.Getenv("DISABLE_RELAY"); val == "true" {
+		config.DisableRelay = true
+		config.sources["disableRelay"] = string(SourceEnv)
+	}
+	if val := os.Getenv("TUNNEL_DNS"); val == "true" {
+		config.TunnelDNS = true
+		config.sources["tunnelDNS"] = string(SourceEnv)
+	}
+	// if val := os.Getenv("DO_NOT_CREATE_NEW_CLIENT"); val == "true" {
+	// 	config.DoNotCreateNewClient = true
+	// 	config.sources["doNotCreateNewClient"] = string(SourceEnv)
+	// }
 }
 
 // loadConfigFromCLI loads configuration from command-line arguments
@@ -223,33 +285,50 @@ func loadConfigFromCLI(config *OlmConfig, args []string) (bool, bool, error) {
 
 	// Store original values to detect changes
 	origValues := map[string]interface{}{
-		"endpoint":     config.Endpoint,
-		"id":           config.ID,
-		"secret":       config.Secret,
-		"mtu":          config.MTU,
-		"dns":          config.DNS,
-		"logLevel":     config.LogLevel,
-		"interface":    config.InterfaceName,
-		"httpAddr":     config.HTTPAddr,
-		"pingInterval": config.PingInterval,
-		"pingTimeout":  config.PingTimeout,
-		"enableHttp":   config.EnableHTTP,
-		"holepunch":    config.Holepunch,
+		"endpoint":         config.Endpoint,
+		"id":               config.ID,
+		"secret":           config.Secret,
+		"org":              config.OrgID,
+		"userToken":        config.UserToken,
+		"mtu":              config.MTU,
+		"dns":              config.DNS,
+		"upstreamDNS":      fmt.Sprintf("%v", config.UpstreamDNS),
+		"logLevel":         config.LogLevel,
+		"interface":        config.InterfaceName,
+		"httpAddr":         config.HTTPAddr,
+		"socketPath":       config.SocketPath,
+		"pingInterval":     config.PingInterval,
+		"pingTimeout":      config.PingTimeout,
+		"enableApi":        config.EnableAPI,
+		"disableHolepunch": config.DisableHolepunch,
+		"overrideDNS":      config.OverrideDNS,
+		"disableRelay":     config.DisableRelay,
+		"tunnelDNS":        config.TunnelDNS,
+		// "doNotCreateNewClient": config.DoNotCreateNewClient,
 	}
 
 	// Define flags
 	serviceFlags.StringVar(&config.Endpoint, "endpoint", config.Endpoint, "Endpoint of your Pangolin server")
 	serviceFlags.StringVar(&config.ID, "id", config.ID, "Olm ID")
 	serviceFlags.StringVar(&config.Secret, "secret", config.Secret, "Olm secret")
+	serviceFlags.StringVar(&config.OrgID, "org", config.OrgID, "Organization ID")
+	serviceFlags.StringVar(&config.UserToken, "user-token", config.UserToken, "User token (optional)")
 	serviceFlags.IntVar(&config.MTU, "mtu", config.MTU, "MTU to use")
 	serviceFlags.StringVar(&config.DNS, "dns", config.DNS, "DNS server to use")
+	var upstreamDNSFlag string
+	serviceFlags.StringVar(&upstreamDNSFlag, "upstream-dns", "", "Upstream DNS server(s) (comma-separated, default: 8.8.8.8:53)")
 	serviceFlags.StringVar(&config.LogLevel, "log-level", config.LogLevel, "Log level (DEBUG, INFO, WARN, ERROR, FATAL)")
 	serviceFlags.StringVar(&config.InterfaceName, "interface", config.InterfaceName, "Name of the WireGuard interface")
 	serviceFlags.StringVar(&config.HTTPAddr, "http-addr", config.HTTPAddr, "HTTP server address (e.g., ':9452')")
+	serviceFlags.StringVar(&config.SocketPath, "socket-path", config.SocketPath, "Unix socket path (or named pipe on Windows)")
 	serviceFlags.StringVar(&config.PingInterval, "ping-interval", config.PingInterval, "Interval for pinging the server")
 	serviceFlags.StringVar(&config.PingTimeout, "ping-timeout", config.PingTimeout, "Timeout for each ping")
-	serviceFlags.BoolVar(&config.EnableHTTP, "enable-http", config.EnableHTTP, "Enable HTTP server for receiving connection requests")
-	serviceFlags.BoolVar(&config.Holepunch, "holepunch", config.Holepunch, "Enable hole punching")
+	serviceFlags.BoolVar(&config.EnableAPI, "enable-api", config.EnableAPI, "Enable API server for receiving connection requests")
+	serviceFlags.BoolVar(&config.DisableHolepunch, "disable-holepunch", config.DisableHolepunch, "Disable hole punching")
+	serviceFlags.BoolVar(&config.OverrideDNS, "override-dns", config.OverrideDNS, "When enabled, the client uses custom DNS servers to resolve internal resources and aliases. This overrides your system's default DNS settings. Queries that cannot be resolved as a Pangolin resource will be forwarded to your configured Upstream DNS Server. (default false)")
+	serviceFlags.BoolVar(&config.DisableRelay, "disable-relay", config.DisableRelay, "Disable relay connections")
+	serviceFlags.BoolVar(&config.TunnelDNS, "tunnel-dns", config.TunnelDNS, "When enabled, DNS queries are routed through the tunnel for remote resolution. To ensure queries are tunneled correctly, you must define the DNS server as a Pangolin resource and enter its address as an Upstream DNS Server. (default false)")
+	// serviceFlags.BoolVar(&config.DoNotCreateNewClient, "do-not-create-new-client", config.DoNotCreateNewClient, "Do not create new client")
 
 	version := serviceFlags.Bool("version", false, "Print the version")
 	showConfig := serviceFlags.Bool("show-config", false, "Show configuration sources and exit")
@@ -259,6 +338,16 @@ func loadConfigFromCLI(config *OlmConfig, args []string) (bool, bool, error) {
 		return false, false, err
 	}
 
+	// Parse upstream DNS flag if provided
+	if upstreamDNSFlag != "" {
+		config.UpstreamDNS = []string{}
+		for _, dns := range splitComma(upstreamDNSFlag) {
+			if dns != "" {
+				config.UpstreamDNS = append(config.UpstreamDNS, dns)
+			}
+		}
+	}
+
 	// Track which values were changed by CLI args
 	if config.Endpoint != origValues["endpoint"].(string) {
 		config.sources["endpoint"] = string(SourceCLI)
@@ -269,12 +358,21 @@ func loadConfigFromCLI(config *OlmConfig, args []string) (bool, bool, error) {
 	if config.Secret != origValues["secret"].(string) {
 		config.sources["secret"] = string(SourceCLI)
 	}
+	if config.OrgID != origValues["org"].(string) {
+		config.sources["org"] = string(SourceCLI)
+	}
+	if config.UserToken != origValues["userToken"].(string) {
+		config.sources["userToken"] = string(SourceCLI)
+	}
 	if config.MTU != origValues["mtu"].(int) {
 		config.sources["mtu"] = string(SourceCLI)
 	}
 	if config.DNS != origValues["dns"].(string) {
 		config.sources["dns"] = string(SourceCLI)
 	}
+	if fmt.Sprintf("%v", config.UpstreamDNS) != origValues["upstreamDNS"].(string) {
+		config.sources["upstreamDNS"] = string(SourceCLI)
+	}
 	if config.LogLevel != origValues["logLevel"].(string) {
 		config.sources["logLevel"] = string(SourceCLI)
 	}
@@ -284,18 +382,33 @@ func loadConfigFromCLI(config *OlmConfig, args []string) (bool, bool, error) {
 	if config.HTTPAddr != origValues["httpAddr"].(string) {
 		config.sources["httpAddr"] = string(SourceCLI)
 	}
+	if config.SocketPath != origValues["socketPath"].(string) {
+		config.sources["socketPath"] = string(SourceCLI)
+	}
 	if config.PingInterval != origValues["pingInterval"].(string) {
 		config.sources["pingInterval"] = string(SourceCLI)
 	}
 	if config.PingTimeout != origValues["pingTimeout"].(string) {
 		config.sources["pingTimeout"] = string(SourceCLI)
 	}
-	if config.EnableHTTP != origValues["enableHttp"].(bool) {
-		config.sources["enableHttp"] = string(SourceCLI)
+	if config.EnableAPI != origValues["enableApi"].(bool) {
+		config.sources["enableApi"] = string(SourceCLI)
 	}
-	if config.Holepunch != origValues["holepunch"].(bool) {
-		config.sources["holepunch"] = string(SourceCLI)
+	if config.DisableHolepunch != origValues["disableHolepunch"].(bool) {
+		config.sources["disableHolepunch"] = string(SourceCLI)
 	}
+	if config.OverrideDNS != origValues["overrideDNS"].(bool) {
+		config.sources["overrideDNS"] = string(SourceCLI)
+	}
+	if config.DisableRelay != origValues["disableRelay"].(bool) {
+		config.sources["disableRelay"] = string(SourceCLI)
+	}
+	if config.TunnelDNS != origValues["tunnelDNS"].(bool) {
+		config.sources["tunnelDNS"] = string(SourceCLI)
+	}
+	// if config.DoNotCreateNewClient != origValues["doNotCreateNewClient"].(bool) {
+	// 	config.sources["doNotCreateNewClient"] = string(SourceCLI)
+	// }
 
 	return *version, *showConfig, nil
 }
@@ -348,6 +461,14 @@ func mergeConfigs(dest, src *OlmConfig) {
 		dest.Secret = src.Secret
 		dest.sources["secret"] = string(SourceFile)
 	}
+	if src.OrgID != "" {
+		dest.OrgID = src.OrgID
+		dest.sources["org"] = string(SourceFile)
+	}
+	if src.UserToken != "" {
+		dest.UserToken = src.UserToken
+		dest.sources["userToken"] = string(SourceFile)
+	}
 	if src.MTU != 0 && src.MTU != 1280 {
 		dest.MTU = src.MTU
 		dest.sources["mtu"] = string(SourceFile)
@@ -356,6 +477,10 @@ func mergeConfigs(dest, src *OlmConfig) {
 		dest.DNS = src.DNS
 		dest.sources["dns"] = string(SourceFile)
 	}
+	if len(src.UpstreamDNS) > 0 && fmt.Sprintf("%v", src.UpstreamDNS) != "[8.8.8.8:53]" {
+		dest.UpstreamDNS = src.UpstreamDNS
+		dest.sources["upstreamDNS"] = string(SourceFile)
+	}
 	if src.LogLevel != "" && src.LogLevel != "INFO" {
 		dest.LogLevel = src.LogLevel
 		dest.sources["logLevel"] = string(SourceFile)
@@ -368,6 +493,14 @@ func mergeConfigs(dest, src *OlmConfig) {
 		dest.HTTPAddr = src.HTTPAddr
 		dest.sources["httpAddr"] = string(SourceFile)
 	}
+	if src.SocketPath != "" {
+		// Check if it's not the default for any OS
+		isDefault := src.SocketPath == "/var/run/olm.sock" || src.SocketPath == "olm"
+		if !isDefault {
+			dest.SocketPath = src.SocketPath
+			dest.sources["socketPath"] = string(SourceFile)
+		}
+	}
 	if src.PingInterval != "" && src.PingInterval != "3s" {
 		dest.PingInterval = src.PingInterval
 		dest.sources["pingInterval"] = string(SourceFile)
@@ -381,14 +514,26 @@ func mergeConfigs(dest, src *OlmConfig) {
 		dest.sources["tlsClientCert"] = string(SourceFile)
 	}
 	// For booleans, we always take the source value if explicitly set
-	if src.EnableHTTP {
-		dest.EnableHTTP = src.EnableHTTP
-		dest.sources["enableHttp"] = string(SourceFile)
+	if src.EnableAPI {
+		dest.EnableAPI = src.EnableAPI
+		dest.sources["enableApi"] = string(SourceFile)
 	}
-	if src.Holepunch {
-		dest.Holepunch = src.Holepunch
-		dest.sources["holepunch"] = string(SourceFile)
+	if src.DisableHolepunch {
+		dest.DisableHolepunch = src.DisableHolepunch
+		dest.sources["disableHolepunch"] = string(SourceFile)
 	}
+	if src.OverrideDNS {
+		dest.OverrideDNS = src.OverrideDNS
+		dest.sources["overrideDNS"] = string(SourceFile)
+	}
+	if src.DisableRelay {
+		dest.DisableRelay = src.DisableRelay
+		dest.sources["disableRelay"] = string(SourceFile)
+	}
+	// if src.DoNotCreateNewClient {
+	// 	dest.DoNotCreateNewClient = src.DoNotCreateNewClient
+	// 	dest.sources["doNotCreateNewClient"] = string(SourceFile)
+	// }
 }
 
 // SaveConfig saves the current configuration to the config file
@@ -405,7 +550,7 @@ func SaveConfig(config *OlmConfig) error {
 func (c *OlmConfig) ShowConfig() {
 	configPath := getOlmConfigPath()
 
-	fmt.Println("\n=== Olm Configuration ===\n")
+	fmt.Print("\n=== Olm Configuration ===\n\n")
 	fmt.Printf("Config File: %s\n", configPath)
 
 	// Check if config file exists
@@ -416,7 +561,7 @@ func (c *OlmConfig) ShowConfig() {
 	}
 
 	fmt.Println("\n--- Configuration Values ---")
-	fmt.Println("(Format: Setting = Value [source])\n")
+	fmt.Print("(Format: Setting = Value [source])\n\n")
 
 	// Helper to get source or default
 	getSource := func(key string) string {
@@ -445,21 +590,25 @@ func (c *OlmConfig) ShowConfig() {
 	fmt.Printf("  endpoint     = %s [%s]\n", formatValue("endpoint", c.Endpoint), getSource("endpoint"))
 	fmt.Printf("  id           = %s [%s]\n", formatValue("id", c.ID), getSource("id"))
 	fmt.Printf("  secret       = %s [%s]\n", formatValue("secret", c.Secret), getSource("secret"))
+	fmt.Printf("  org          = %s [%s]\n", formatValue("org", c.OrgID), getSource("org"))
+	fmt.Printf("  user-token   = %s [%s]\n", formatValue("userToken", c.UserToken), getSource("userToken"))
 
 	// Network settings
 	fmt.Println("\nNetwork:")
 	fmt.Printf("  mtu          = %d [%s]\n", c.MTU, getSource("mtu"))
 	fmt.Printf("  dns          = %s [%s]\n", c.DNS, getSource("dns"))
+	fmt.Printf("  upstream-dns = %v [%s]\n", c.UpstreamDNS, getSource("upstreamDNS"))
 	fmt.Printf("  interface    = %s [%s]\n", c.InterfaceName, getSource("interface"))
 
 	// Logging
 	fmt.Println("\nLogging:")
 	fmt.Printf("  log-level    = %s [%s]\n", c.LogLevel, getSource("logLevel"))
 
-	// HTTP server
-	fmt.Println("\nHTTP Server:")
-	fmt.Printf("  enable-http  = %v [%s]\n", c.EnableHTTP, getSource("enableHttp"))
+	// API server
+	fmt.Println("\nAPI Server:")
+	fmt.Printf("  enable-api   = %v [%s]\n", c.EnableAPI, getSource("enableApi"))
 	fmt.Printf("  http-addr    = %s [%s]\n", c.HTTPAddr, getSource("httpAddr"))
+	fmt.Printf("  socket-path  = %s [%s]\n", c.SocketPath, getSource("socketPath"))
 
 	// Timing
 	fmt.Println("\nTiming:")
@@ -468,9 +617,13 @@ func (c *OlmConfig) ShowConfig() {
 
 	// Advanced
 	fmt.Println("\nAdvanced:")
-	fmt.Printf("  holepunch    = %v [%s]\n", c.Holepunch, getSource("holepunch"))
+	fmt.Printf("  disable-holepunch     = %v [%s]\n", c.DisableHolepunch, getSource("disableHolepunch"))
+	fmt.Printf("  override-dns          = %v [%s]\n", c.OverrideDNS, getSource("overrideDNS"))
+	fmt.Printf("  tunnel-dns            = %v [%s]\n", c.TunnelDNS, getSource("tunnelDNS"))
+	fmt.Printf("  disable-relay         = %v [%s]\n", c.DisableRelay, getSource("disableRelay"))
+	// fmt.Printf("  do-not-create-new-client = %v [%s]\n", c.DoNotCreateNewClient, getSource("doNotCreateNewClient"))
 	if c.TlsClientCert != "" {
-		fmt.Printf("  tls-cert     = %s [%s]\n", c.TlsClientCert, getSource("tlsClientCert"))
+		fmt.Printf("  tls-cert              = %s [%s]\n", c.TlsClientCert, getSource("tlsClientCert"))
 	}
 
 	// Source legend
@@ -482,3 +635,16 @@ func (c *OlmConfig) ShowConfig() {
 	fmt.Println("\nPriority: cli > environment > file > default")
 	fmt.Println()
 }
+
+// splitComma splits a comma-separated string into a slice of trimmed strings
+func splitComma(s string) []string {
+	parts := strings.Split(s, ",")
+	result := make([]string, 0, len(parts))
+	for _, part := range parts {
+		trimmed := strings.TrimSpace(part)
+		if trimmed != "" {
+			result = append(result, trimmed)
+		}
+	}
+	return result
+}

create_test_creds.py

@@ -0,0 +1,43 @@
+
+import requests
+
+def create_olm(base_url, user_token, olm_name, user_id):
+    url = f"{base_url}/api/v1/user/{user_id}/olm"
+    headers = {
+        "Content-Type": "application/json",
+        "Accept": "application/json",
+        "User-Agent": "pangolin-cli",
+        "X-CSRF-Token": "x-csrf-protection",
+        "Cookie": f"p_session_token={user_token}"
+    }
+    payload = {"name": olm_name}
+    response = requests.put(url, json=payload, headers=headers)
+    response.raise_for_status()
+    data = response.json()
+    print(f"Response Data: {data}")
+
+def create_client(base_url, user_token, client_name):
+    url = f"{base_url}/api/v1/api/clients"
+    headers = {
+        "Content-Type": "application/json",
+        "Accept": "application/json",
+        "User-Agent": "pangolin-cli",
+        "X-CSRF-Token": "x-csrf-protection",
+        "Cookie": f"p_session_token={user_token}"
+    }
+    payload = {"name": client_name}
+    response = requests.post(url, json=payload, headers=headers)
+    response.raise_for_status()
+    data = response.json()
+    print(f"Response Data: {data}")
+
+if __name__ == "__main__":
+    # Example usage
+    base_url = input("Enter base URL (e.g., http://localhost:3000): ")
+    user_token = input("Enter user token: ")
+    user_id = input("Enter user ID: ")
+    olm_name = input("Enter OLM name: ")
+    client_name = input("Enter client name: ")
+
+    create_olm(base_url, user_token, olm_name, user_id)
+    # client_id = create_client(base_url, user_token, client_name)

device/middle_device.go

@@ -0,0 +1,663 @@
+package device
+
+import (
+	"io"
+	"net/netip"
+	"os"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/fosrl/newt/logger"
+	"golang.zx2c4.com/wireguard/tun"
+)
+
+// PacketHandler processes intercepted packets and returns true if packet should be dropped
+type PacketHandler func(packet []byte) bool
+
+// FilterRule defines a rule for packet filtering
+type FilterRule struct {
+	DestIP  netip.Addr
+	Handler PacketHandler
+}
+
+// closeAwareDevice wraps a tun.Device along with a flag
+// indicating whether its Close method was called.
+type closeAwareDevice struct {
+	isClosed     atomic.Bool
+	tun.Device
+	closeEventCh chan struct{}
+	wg           sync.WaitGroup
+	closeOnce    sync.Once
+}
+
+func newCloseAwareDevice(tunDevice tun.Device) *closeAwareDevice {
+	return &closeAwareDevice{
+		Device:       tunDevice,
+		isClosed:     atomic.Bool{},
+		closeEventCh: make(chan struct{}),
+	}
+}
+
+// redirectEvents redirects the Events() method of the underlying tun.Device
+// to the given channel.
+func (c *closeAwareDevice) redirectEvents(out chan tun.Event) {
+	c.wg.Add(1)
+	go func() {
+		defer c.wg.Done()
+		for {
+			select {
+			case ev, ok := <-c.Device.Events():
+				if !ok {
+					return
+				}
+
+				if ev == tun.EventDown {
+					continue
+				}
+
+				select {
+				case out <- ev:
+				case <-c.closeEventCh:
+					return
+				}
+			case <-c.closeEventCh:
+				return
+			}
+		}
+	}()
+}
+
+// Close calls the underlying Device's Close method
+// after setting isClosed to true.
+func (c *closeAwareDevice) Close() (err error) {
+	c.closeOnce.Do(func() {
+		c.isClosed.Store(true)
+		close(c.closeEventCh)
+		err = c.Device.Close()
+		c.wg.Wait()
+	})
+
+	return err
+}
+
+func (c *closeAwareDevice) IsClosed() bool {
+	return c.isClosed.Load()
+}
+
+type readResult struct {
+	bufs   [][]byte
+	sizes  []int
+	offset int
+	n      int
+	err    error
+}
+
+// MiddleDevice wraps a TUN device with packet filtering capabilities
+// and supports swapping the underlying device.
+type MiddleDevice struct {
+	devices    []*closeAwareDevice
+	mu         sync.Mutex
+	cond       *sync.Cond
+	rules      []FilterRule
+	rulesMutex sync.RWMutex
+	readCh     chan readResult
+	injectCh   chan []byte
+	closed     atomic.Bool
+	events     chan tun.Event
+}
+
+// NewMiddleDevice creates a new filtered TUN device wrapper
+func NewMiddleDevice(device tun.Device) *MiddleDevice {
+	d := &MiddleDevice{
+		devices:  make([]*closeAwareDevice, 0),
+		rules:    make([]FilterRule, 0),
+		readCh:   make(chan readResult, 16),
+		injectCh: make(chan []byte, 100),
+		events:   make(chan tun.Event, 16),
+	}
+	d.cond = sync.NewCond(&d.mu)
+
+	if device != nil {
+		d.AddDevice(device)
+	}
+
+	return d
+}
+
+// AddDevice adds a new underlying TUN device, closing any previous one
+func (d *MiddleDevice) AddDevice(device tun.Device) {
+	d.mu.Lock()
+	if d.closed.Load() {
+		d.mu.Unlock()
+		_ = device.Close()
+		return
+	}
+
+	var toClose *closeAwareDevice
+	if len(d.devices) > 0 {
+		toClose = d.devices[len(d.devices)-1]
+	}
+
+	cad := newCloseAwareDevice(device)
+	cad.redirectEvents(d.events)
+
+	d.devices = []*closeAwareDevice{cad}
+
+	// Start pump for the new device
+	go d.pump(cad)
+
+	d.cond.Broadcast()
+	d.mu.Unlock()
+
+	if toClose != nil {
+		logger.Debug("MiddleDevice: Closing previous device")
+		if err := toClose.Close(); err != nil {
+			logger.Debug("MiddleDevice: Error closing previous device: %v", err)
+		}
+	}
+}
+
+func (d *MiddleDevice) pump(dev *closeAwareDevice) {
+	const defaultOffset = 16
+	batchSize := dev.BatchSize()
+	logger.Debug("MiddleDevice: pump started for device")
+
+	// Recover from panic if readCh is closed while we're trying to send
+	defer func() {
+		if r := recover(); r != nil {
+			logger.Debug("MiddleDevice: pump recovered from panic (channel closed)")
+		}
+	}()
+
+	for {
+		// Check if this device is closed
+		if dev.IsClosed() {
+			logger.Debug("MiddleDevice: pump exiting, device is closed")
+			return
+		}
+
+		// Check if MiddleDevice itself is closed
+		if d.closed.Load() {
+			logger.Debug("MiddleDevice: pump exiting, MiddleDevice is closed")
+			return
+		}
+
+		// Allocate buffers for reading
+		bufs := make([][]byte, batchSize)
+		sizes := make([]int, batchSize)
+		for i := range bufs {
+			bufs[i] = make([]byte, 2048) // Standard MTU + headroom
+		}
+
+		n, err := dev.Read(bufs, sizes, defaultOffset)
+
+		// Check if device was closed during read
+		if dev.IsClosed() {
+			logger.Debug("MiddleDevice: pump exiting, device closed during read")
+			return
+		}
+
+		// Check if MiddleDevice was closed during read
+		if d.closed.Load() {
+			logger.Debug("MiddleDevice: pump exiting, MiddleDevice closed during read")
+			return
+		}
+
+		// Try to send the result - check closed state first to avoid sending on closed channel
+		if d.closed.Load() {
+			logger.Debug("MiddleDevice: pump exiting, device closed before send")
+			return
+		}
+
+		select {
+		case d.readCh <- readResult{bufs: bufs, sizes: sizes, offset: defaultOffset, n: n, err: err}:
+		default:
+			// Channel full, check if we should exit
+			if dev.IsClosed() || d.closed.Load() {
+				return
+			}
+			// Try again with blocking
+			select {
+			case d.readCh <- readResult{bufs: bufs, sizes: sizes, offset: defaultOffset, n: n, err: err}:
+			case <-dev.closeEventCh:
+				return
+			}
+		}
+
+		if err != nil {
+			logger.Debug("MiddleDevice: pump exiting due to read error: %v", err)
+			return
+		}
+	}
+}
+
+// InjectOutbound injects a packet to be read by WireGuard (as if it came from TUN)
+func (d *MiddleDevice) InjectOutbound(packet []byte) {
+	if d.closed.Load() {
+		return
+	}
+	// Use defer/recover to handle panic from sending on closed channel
+	// This can happen during shutdown race conditions
+	defer func() {
+		if r := recover(); r != nil {
+			logger.Debug("MiddleDevice: InjectOutbound recovered from panic (channel closed)")
+		}
+	}()
+	select {
+	case d.injectCh <- packet:
+	default:
+		// Channel full, drop packet
+		logger.Debug("MiddleDevice: InjectOutbound dropping packet, channel full")
+	}
+}
+
+// AddRule adds a packet filtering rule
+func (d *MiddleDevice) AddRule(destIP netip.Addr, handler PacketHandler) {
+	d.rulesMutex.Lock()
+	defer d.rulesMutex.Unlock()
+	d.rules = append(d.rules, FilterRule{
+		DestIP:  destIP,
+		Handler: handler,
+	})
+}
+
+// RemoveRule removes all rules for a given destination IP
+func (d *MiddleDevice) RemoveRule(destIP netip.Addr) {
+	d.rulesMutex.Lock()
+	defer d.rulesMutex.Unlock()
+	newRules := make([]FilterRule, 0, len(d.rules))
+	for _, rule := range d.rules {
+		if rule.DestIP != destIP {
+			newRules = append(newRules, rule)
+		}
+	}
+	d.rules = newRules
+}
+
+// Close stops the device
+func (d *MiddleDevice) Close() error {
+	if !d.closed.CompareAndSwap(false, true) {
+		return nil // already closed
+	}
+
+	d.mu.Lock()
+	devices := d.devices
+	d.devices = nil
+	d.cond.Broadcast()
+	d.mu.Unlock()
+
+	// Close underlying devices first - this causes the pump goroutines to exit
+	// when their read operations return errors
+	var lastErr error
+	logger.Debug("MiddleDevice: Closing %d devices", len(devices))
+	for _, device := range devices {
+		if err := device.Close(); err != nil {
+			logger.Debug("MiddleDevice: Error closing device: %v", err)
+			lastErr = err
+		}
+	}
+
+	// Now close channels to unblock any remaining readers
+	// The pump should have exited by now, but close channels to be safe
+	close(d.readCh)
+	close(d.injectCh)
+	close(d.events)
+
+	return lastErr
+}
+
+// Events returns the events channel
+func (d *MiddleDevice) Events() <-chan tun.Event {
+	return d.events
+}
+
+// File returns the underlying file descriptor
+func (d *MiddleDevice) File() *os.File {
+	for {
+		dev := d.peekLast()
+		if dev == nil {
+			if !d.waitForDevice() {
+				return nil
+			}
+			continue
+		}
+
+		file := dev.File()
+
+		if dev.IsClosed() {
+			time.Sleep(1 * time.Millisecond)
+			continue
+		}
+
+		return file
+	}
+}
+
+// MTU returns the MTU of the underlying device
+func (d *MiddleDevice) MTU() (int, error) {
+	for {
+		dev := d.peekLast()
+		if dev == nil {
+			if !d.waitForDevice() {
+				return 0, io.EOF
+			}
+			continue
+		}
+
+		mtu, err := dev.MTU()
+		if err == nil {
+			return mtu, nil
+		}
+
+		if dev.IsClosed() {
+			time.Sleep(1 * time.Millisecond)
+			continue
+		}
+
+		return 0, err
+	}
+}
+
+// Name returns the name of the underlying device
+func (d *MiddleDevice) Name() (string, error) {
+	for {
+		dev := d.peekLast()
+		if dev == nil {
+			if !d.waitForDevice() {
+				return "", io.EOF
+			}
+			continue
+		}
+
+		name, err := dev.Name()
+		if err == nil {
+			return name, nil
+		}
+
+		if dev.IsClosed() {
+			time.Sleep(1 * time.Millisecond)
+			continue
+		}
+
+		return "", err
+	}
+}
+
+// BatchSize returns the batch size
+func (d *MiddleDevice) BatchSize() int {
+	dev := d.peekLast()
+	if dev == nil {
+		return 1
+	}
+	return dev.BatchSize()
+}
+
+// extractDestIP extracts destination IP from packet (fast path)
+func extractDestIP(packet []byte) (netip.Addr, bool) {
+	if len(packet) < 20 {
+		return netip.Addr{}, false
+	}
+
+	version := packet[0] >> 4
+
+	switch version {
+	case 4:
+		if len(packet) < 20 {
+			return netip.Addr{}, false
+		}
+		// Destination IP is at bytes 16-19 for IPv4
+		ip := netip.AddrFrom4([4]byte{packet[16], packet[17], packet[18], packet[19]})
+		return ip, true
+	case 6:
+		if len(packet) < 40 {
+			return netip.Addr{}, false
+		}
+		// Destination IP is at bytes 24-39 for IPv6
+		var ip16 [16]byte
+		copy(ip16[:], packet[24:40])
+		ip := netip.AddrFrom16(ip16)
+		return ip, true
+	}
+
+	return netip.Addr{}, false
+}
+
+// Read intercepts packets going UP from the TUN device (towards WireGuard)
+func (d *MiddleDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, err error) {
+	for {
+		if d.closed.Load() {
+			logger.Debug("MiddleDevice: Read returning io.EOF, device closed")
+			return 0, io.EOF
+		}
+
+		// Wait for a device to be available
+		dev := d.peekLast()
+		if dev == nil {
+			if !d.waitForDevice() {
+				return 0, io.EOF
+			}
+			continue
+		}
+
+		// Now block waiting for data from readCh or injectCh
+		select {
+		case res, ok := <-d.readCh:
+			if !ok {
+				// Channel closed, device is shutting down
+				return 0, io.EOF
+			}
+			if res.err != nil {
+				// Check if device was swapped
+				if dev.IsClosed() {
+					time.Sleep(1 * time.Millisecond)
+					continue
+				}
+				logger.Debug("MiddleDevice: Read returning error from pump: %v", res.err)
+				return 0, res.err
+			}
+
+			// Copy packets from result to provided buffers
+			count := 0
+			for i := 0; i < res.n && i < len(bufs); i++ {
+				src := res.bufs[i]
+				srcOffset := res.offset
+				srcSize := res.sizes[i]
+
+				pktData := src[srcOffset : srcOffset+srcSize]
+
+				if len(bufs[i]) < offset+len(pktData) {
+					continue
+				}
+
+				copy(bufs[i][offset:], pktData)
+				sizes[i] = len(pktData)
+				count++
+			}
+			n = count
+
+		case pkt, ok := <-d.injectCh:
+			if !ok {
+				// Channel closed, device is shutting down
+				return 0, io.EOF
+			}
+			if len(bufs) == 0 {
+				return 0, nil
+			}
+			if len(bufs[0]) < offset+len(pkt) {
+				return 0, nil
+			}
+			copy(bufs[0][offset:], pkt)
+			sizes[0] = len(pkt)
+			n = 1
+		}
+
+		// Apply filtering rules
+		d.rulesMutex.RLock()
+		rules := d.rules
+		d.rulesMutex.RUnlock()
+
+		if len(rules) == 0 {
+			return n, nil
+		}
+
+		// Process packets and filter out handled ones
+		writeIdx := 0
+		for readIdx := 0; readIdx < n; readIdx++ {
+			packet := bufs[readIdx][offset : offset+sizes[readIdx]]
+
+			destIP, ok := extractDestIP(packet)
+			if !ok {
+				if writeIdx != readIdx {
+					bufs[writeIdx] = bufs[readIdx]
+					sizes[writeIdx] = sizes[readIdx]
+				}
+				writeIdx++
+				continue
+			}
+
+			handled := false
+			for _, rule := range rules {
+				if rule.DestIP == destIP {
+					if rule.Handler(packet) {
+						handled = true
+						break
+					}
+				}
+			}
+
+			if !handled {
+				if writeIdx != readIdx {
+					bufs[writeIdx] = bufs[readIdx]
+					sizes[writeIdx] = sizes[readIdx]
+				}
+				writeIdx++
+			}
+		}
+
+		return writeIdx, nil
+	}
+}
+
+// Write intercepts packets going DOWN to the TUN device (from WireGuard)
+func (d *MiddleDevice) Write(bufs [][]byte, offset int) (int, error) {
+	for {
+		if d.closed.Load() {
+			return 0, io.EOF
+		}
+
+		dev := d.peekLast()
+		if dev == nil {
+			if !d.waitForDevice() {
+				return 0, io.EOF
+			}
+			continue
+		}
+
+		d.rulesMutex.RLock()
+		rules := d.rules
+		d.rulesMutex.RUnlock()
+
+		var filteredBufs [][]byte
+		if len(rules) == 0 {
+			filteredBufs = bufs
+		} else {
+			filteredBufs = make([][]byte, 0, len(bufs))
+			for _, buf := range bufs {
+				if len(buf) <= offset {
+					continue
+				}
+
+				packet := buf[offset:]
+				destIP, ok := extractDestIP(packet)
+				if !ok {
+					filteredBufs = append(filteredBufs, buf)
+					continue
+				}
+
+				handled := false
+				for _, rule := range rules {
+					if rule.DestIP == destIP {
+						if rule.Handler(packet) {
+							handled = true
+							break
+						}
+					}
+				}
+
+				if !handled {
+					filteredBufs = append(filteredBufs, buf)
+				}
+			}
+		}
+
+		if len(filteredBufs) == 0 {
+			return len(bufs), nil
+		}
+
+		n, err := dev.Write(filteredBufs, offset)
+		if err == nil {
+			return n, nil
+		}
+
+		if dev.IsClosed() {
+			time.Sleep(1 * time.Millisecond)
+			continue
+		}
+
+		return n, err
+	}
+}
+
+func (d *MiddleDevice) waitForDevice() bool {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	for len(d.devices) == 0 && !d.closed.Load() {
+		d.cond.Wait()
+	}
+	return !d.closed.Load()
+}
+
+func (d *MiddleDevice) peekLast() *closeAwareDevice {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	if len(d.devices) == 0 {
+		return nil
+	}
+
+	return d.devices[len(d.devices)-1]
+}
+
+// WriteToTun writes packets directly to the underlying TUN device,
+// bypassing WireGuard. This is useful for sending packets that should
+// appear to come from the TUN interface (e.g., DNS responses from a proxy).
+// Unlike Write(), this does not go through packet filtering rules.
+func (d *MiddleDevice) WriteToTun(bufs [][]byte, offset int) (int, error) {
+	for {
+		if d.closed.Load() {
+			return 0, io.EOF
+		}
+
+		dev := d.peekLast()
+		if dev == nil {
+			if !d.waitForDevice() {
+				return 0, io.EOF
+			}
+			continue
+		}
+
+		n, err := dev.Write(bufs, offset)
+		if err == nil {
+			return n, nil
+		}
+
+		if dev.IsClosed() {
+			time.Sleep(1 * time.Millisecond)
+			continue
+		}
+
+		return n, err
+	}
+}

device/middle_device_test.go

@@ -0,0 +1,102 @@
+package device
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/fosrl/newt/util"
+)
+
+func TestExtractDestIP(t *testing.T) {
+	tests := []struct {
+		name   string
+		packet []byte
+		wantIP string
+		wantOk bool
+	}{
+		{
+			name: "IPv4 packet",
+			packet: []byte{
+				0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
+				0x40, 0x11, 0x00, 0x00, 0xc0, 0xa8, 0x01, 0x01,
+				0x0a, 0x1e, 0x1e, 0x1e, // Dest IP: 10.30.30.30
+			},
+			wantIP: "10.30.30.30",
+			wantOk: true,
+		},
+		{
+			name:   "Too short packet",
+			packet: []byte{0x45, 0x00},
+			wantIP: "",
+			wantOk: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotIP, gotOk := extractDestIP(tt.packet)
+			if gotOk != tt.wantOk {
+				t.Errorf("extractDestIP() ok = %v, want %v", gotOk, tt.wantOk)
+				return
+			}
+			if tt.wantOk {
+				wantAddr := netip.MustParseAddr(tt.wantIP)
+				if gotIP != wantAddr {
+					t.Errorf("extractDestIP() ip = %v, want %v", gotIP, wantAddr)
+				}
+			}
+		})
+	}
+}
+
+func TestGetProtocol(t *testing.T) {
+	tests := []struct {
+		name      string
+		packet    []byte
+		wantProto uint8
+		wantOk    bool
+	}{
+		{
+			name: "UDP packet",
+			packet: []byte{
+				0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
+				0x40, 0x11, 0x00, 0x00, 0xc0, 0xa8, 0x01, 0x01, // Protocol: UDP (17) at byte 9
+				0x0a, 0x1e, 0x1e, 0x1e,
+			},
+			wantProto: 17,
+			wantOk:    true,
+		},
+		{
+			name:      "Too short",
+			packet:    []byte{0x45, 0x00},
+			wantProto: 0,
+			wantOk:    false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotProto, gotOk := util.GetProtocol(tt.packet)
+			if gotOk != tt.wantOk {
+				t.Errorf("GetProtocol() ok = %v, want %v", gotOk, tt.wantOk)
+				return
+			}
+			if gotProto != tt.wantProto {
+				t.Errorf("GetProtocol() proto = %v, want %v", gotProto, tt.wantProto)
+			}
+		})
+	}
+}
+
+func BenchmarkExtractDestIP(b *testing.B) {
+	packet := []byte{
+		0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
+		0x40, 0x11, 0x00, 0x00, 0xc0, 0xa8, 0x01, 0x01,
+		0x0a, 0x1e, 0x1e, 0x1e,
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		extractDestIP(packet)
+	}
+}

device/tun_darwin.go

@@ -0,0 +1,44 @@
+//go:build darwin
+
+package device
+
+import (
+	"net"
+	"os"
+
+	"github.com/fosrl/newt/logger"
+	"golang.org/x/sys/unix"
+	"golang.zx2c4.com/wireguard/ipc"
+	"golang.zx2c4.com/wireguard/tun"
+)
+
+func CreateTUNFromFD(tunFd uint32, mtuInt int) (tun.Device, error) {
+	dupTunFd, err := unix.Dup(int(tunFd))
+	if err != nil {
+		logger.Error("Unable to dup tun fd: %v", err)
+		return nil, err
+	}
+
+	err = unix.SetNonblock(dupTunFd, true)
+	if err != nil {
+		unix.Close(dupTunFd)
+		return nil, err
+	}
+
+	file := os.NewFile(uintptr(dupTunFd), "/dev/tun")
+	device, err := tun.CreateTUNFromFile(file, 0)
+	if err != nil {
+		file.Close()
+		return nil, err
+	}
+
+	return device, nil
+}
+
+func UapiOpen(interfaceName string) (*os.File, error) {
+	return ipc.UAPIOpen(interfaceName)
+}
+
+func UapiListen(interfaceName string, fileUAPI *os.File) (net.Listener, error) {
+	return ipc.UAPIListen(interfaceName, fileUAPI)
+}

device/tun_linux.go

@@ -0,0 +1,50 @@
+//go:build linux
+
+package device
+
+import (
+	"net"
+	"os"
+	"runtime"
+
+	"github.com/fosrl/newt/logger"
+	"golang.org/x/sys/unix"
+	"golang.zx2c4.com/wireguard/ipc"
+	"golang.zx2c4.com/wireguard/tun"
+)
+
+func CreateTUNFromFD(tunFd uint32, mtuInt int) (tun.Device, error) {
+	if runtime.GOOS == "android" { // otherwise we get a permission denied
+		theTun, _, err := tun.CreateUnmonitoredTUNFromFD(int(tunFd))
+		return theTun, err
+	} 
+	
+	dupTunFd, err := unix.Dup(int(tunFd))
+	if err != nil {
+		logger.Error("Unable to dup tun fd: %v", err)
+		return nil, err
+	}
+
+	err = unix.SetNonblock(dupTunFd, true)
+	if err != nil {
+		unix.Close(dupTunFd)
+		return nil, err
+	}
+
+	file := os.NewFile(uintptr(dupTunFd), "/dev/tun")
+	device, err := tun.CreateTUNFromFile(file, mtuInt)
+	if err != nil {
+		file.Close()
+		return nil, err
+	}
+
+	return device, nil
+}
+
+func UapiOpen(interfaceName string) (*os.File, error) {
+	return ipc.UAPIOpen(interfaceName)
+}
+
+func UapiListen(interfaceName string, fileUAPI *os.File) (net.Listener, error) {
+	return ipc.UAPIListen(interfaceName, fileUAPI)
+}

device/tun_windows.go

@@ -1,6 +1,6 @@
 //go:build windows
 
-package main
+package device
 
 import (
 	"errors"
@@ -11,15 +11,15 @@ import (
 	"golang.zx2c4.com/wireguard/tun"
 )
 
-func createTUNFromFD(tunFdStr string, mtuInt int) (tun.Device, error) {
+func CreateTUNFromFD(tunFd uint32, mtuInt int) (tun.Device, error) {
 	return nil, errors.New("CreateTUNFromFile not supported on Windows")
 }
 
-func uapiOpen(interfaceName string) (*os.File, error) {
+func UapiOpen(interfaceName string) (*os.File, error) {
 	return nil, nil
 }
 
-func uapiListen(interfaceName string, fileUAPI *os.File) (net.Listener, error) {
+func UapiListen(interfaceName string, fileUAPI *os.File) (net.Listener, error) {
 	// On Windows, UAPIListen only takes one parameter
 	return ipc.UAPIListen(interfaceName)
 }

dns/dns_proxy.go

@@ -0,0 +1,783 @@
+package dns
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"sync"
+	"time"
+
+	"github.com/fosrl/newt/logger"
+	"github.com/fosrl/newt/util"
+	"github.com/fosrl/olm/device"
+	"github.com/miekg/dns"
+	"gvisor.dev/gvisor/pkg/buffer"
+	"gvisor.dev/gvisor/pkg/tcpip"
+	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
+	"gvisor.dev/gvisor/pkg/tcpip/header"
+	"gvisor.dev/gvisor/pkg/tcpip/link/channel"
+	"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
+	"gvisor.dev/gvisor/pkg/tcpip/network/ipv6"
+	"gvisor.dev/gvisor/pkg/tcpip/stack"
+	"gvisor.dev/gvisor/pkg/tcpip/transport/udp"
+)
+
+const (
+	DNSPort = 53
+)
+
+// DNSProxy implements a DNS proxy using gvisor netstack
+type DNSProxy struct {
+	stack        *stack.Stack
+	ep           *channel.Endpoint
+	proxyIP      netip.Addr
+	upstreamDNS  []string
+	tunnelDNS    bool // Whether to tunnel DNS queries over WireGuard or to spit them out locally
+	mtu          int
+	middleDevice *device.MiddleDevice // Reference to MiddleDevice for packet filtering and TUN writes
+	recordStore  *DNSRecordStore      // Local DNS records
+
+	// Tunnel DNS fields - for sending queries over WireGuard
+	tunnelIP          netip.Addr   // WireGuard interface IP (source for tunneled queries)
+	tunnelStack       *stack.Stack // Separate netstack for outbound tunnel queries
+	tunnelEp          *channel.Endpoint
+	tunnelActivePorts map[uint16]bool
+	tunnelPortsLock   sync.Mutex
+
+	// jitHandler is called when a local record is resolved for a site that may not be
+	// connected yet, giving the caller a chance to initiate a JIT connection.
+	// It is invoked asynchronously so it never blocks DNS resolution.
+	jitHandler func(siteId int)
+
+	ctx    context.Context
+	cancel context.CancelFunc
+	wg     sync.WaitGroup
+}
+
+// NewDNSProxy creates a new DNS proxy
+func NewDNSProxy(middleDevice *device.MiddleDevice, mtu int, utilitySubnet string, upstreamDns []string, tunnelDns bool, tunnelIP string) (*DNSProxy, error) {
+	proxyIP, err := PickIPFromSubnet(utilitySubnet)
+	if err != nil {
+		return nil, fmt.Errorf("failed to pick DNS proxy IP from subnet: %v", err)
+	}
+
+	if len(upstreamDns) == 0 {
+		return nil, fmt.Errorf("at least one upstream DNS server must be specified")
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	proxy := &DNSProxy{
+		proxyIP:           proxyIP,
+		mtu:               mtu,
+		middleDevice:      middleDevice,
+		upstreamDNS:       upstreamDns,
+		tunnelDNS:         tunnelDns,
+		recordStore:       NewDNSRecordStore(),
+		tunnelActivePorts: make(map[uint16]bool),
+		ctx:               ctx,
+		cancel:            cancel,
+	}
+
+	// Parse tunnel IP if provided (needed for tunneled DNS)
+	if tunnelIP != "" {
+		addr, err := netip.ParseAddr(tunnelIP)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse tunnel IP: %v", err)
+		}
+		proxy.tunnelIP = addr
+	}
+
+	// Create gvisor netstack for receiving DNS queries
+	stackOpts := stack.Options{
+		NetworkProtocols:   []stack.NetworkProtocolFactory{ipv4.NewProtocol, ipv6.NewProtocol},
+		TransportProtocols: []stack.TransportProtocolFactory{udp.NewProtocol},
+		HandleLocal:        true,
+	}
+
+	proxy.ep = channel.New(256, uint32(mtu), "")
+	proxy.stack = stack.New(stackOpts)
+
+	// Create NIC
+	if err := proxy.stack.CreateNIC(1, proxy.ep); err != nil {
+		return nil, fmt.Errorf("failed to create NIC: %v", err)
+	}
+
+	// Add IP address
+	// Parse the proxy IP to get the octets
+	ipBytes := proxyIP.As4()
+	protoAddr := tcpip.ProtocolAddress{
+		Protocol:          ipv4.ProtocolNumber,
+		AddressWithPrefix: tcpip.AddrFrom4(ipBytes).WithPrefix(),
+	}
+
+	if err := proxy.stack.AddProtocolAddress(1, protoAddr, stack.AddressProperties{}); err != nil {
+		return nil, fmt.Errorf("failed to add protocol address: %v", err)
+	}
+
+	// Add default route
+	proxy.stack.AddRoute(tcpip.Route{
+		Destination: header.IPv4EmptySubnet,
+		NIC:         1,
+	})
+
+	// Initialize tunnel netstack if tunnel DNS is enabled
+	if tunnelDns {
+		if !proxy.tunnelIP.IsValid() {
+			return nil, fmt.Errorf("tunnel IP is required when tunnelDNS is enabled")
+		}
+
+		// TODO: DO WE NEED TO ESTABLISH ANOTHER NETSTACK HERE OR CAN WE COMBINE WITH WGTESTER?
+		if err := proxy.initTunnelNetstack(); err != nil {
+			return nil, fmt.Errorf("failed to initialize tunnel netstack: %v", err)
+		}
+	}
+
+	return proxy, nil
+}
+
+// initTunnelNetstack creates a separate netstack for outbound DNS queries through the tunnel
+func (p *DNSProxy) initTunnelNetstack() error {
+	// Create gvisor netstack for outbound tunnel queries
+	stackOpts := stack.Options{
+		NetworkProtocols:   []stack.NetworkProtocolFactory{ipv4.NewProtocol, ipv6.NewProtocol},
+		TransportProtocols: []stack.TransportProtocolFactory{udp.NewProtocol},
+		HandleLocal:        true,
+	}
+
+	p.tunnelEp = channel.New(256, uint32(p.mtu), "")
+	p.tunnelStack = stack.New(stackOpts)
+
+	// Create NIC
+	if err := p.tunnelStack.CreateNIC(1, p.tunnelEp); err != nil {
+		return fmt.Errorf("failed to create tunnel NIC: %v", err)
+	}
+
+	// Add tunnel IP address (WireGuard interface IP)
+	ipBytes := p.tunnelIP.As4()
+	protoAddr := tcpip.ProtocolAddress{
+		Protocol:          ipv4.ProtocolNumber,
+		AddressWithPrefix: tcpip.AddrFrom4(ipBytes).WithPrefix(),
+	}
+
+	if err := p.tunnelStack.AddProtocolAddress(1, protoAddr, stack.AddressProperties{}); err != nil {
+		return fmt.Errorf("failed to add tunnel protocol address: %v", err)
+	}
+
+	// Add default route
+	p.tunnelStack.AddRoute(tcpip.Route{
+		Destination: header.IPv4EmptySubnet,
+		NIC:         1,
+	})
+
+	// Register filter rule on MiddleDevice to intercept responses
+	p.middleDevice.AddRule(p.tunnelIP, p.handleTunnelResponse)
+
+	return nil
+}
+
+// handleTunnelResponse handles packets coming back from the tunnel destined for the tunnel IP
+func (p *DNSProxy) handleTunnelResponse(packet []byte) bool {
+	// Check if it's UDP
+	proto, ok := util.GetProtocol(packet)
+	if !ok || proto != 17 { // UDP
+		return false
+	}
+
+	// Check destination port - should be one of our active outbound ports
+	port, ok := util.GetDestPort(packet)
+	if !ok {
+		return false
+	}
+
+	// Check if we are expecting a response on this port
+	p.tunnelPortsLock.Lock()
+	active := p.tunnelActivePorts[uint16(port)]
+	p.tunnelPortsLock.Unlock()
+
+	if !active {
+		return false
+	}
+
+	// Inject into tunnel netstack
+	version := packet[0] >> 4
+	pkb := stack.NewPacketBuffer(stack.PacketBufferOptions{
+		Payload: buffer.MakeWithData(packet),
+	})
+
+	switch version {
+	case 4:
+		p.tunnelEp.InjectInbound(ipv4.ProtocolNumber, pkb)
+	case 6:
+		p.tunnelEp.InjectInbound(ipv6.ProtocolNumber, pkb)
+	default:
+		pkb.DecRef()
+		return false
+	}
+
+	pkb.DecRef()
+	return true // Handled
+}
+
+// Start starts the DNS proxy and registers with the filter
+func (p *DNSProxy) Start() error {
+	// Install packet filter rule
+	p.middleDevice.AddRule(p.proxyIP, p.handlePacket)
+
+	// Start DNS listener
+	p.wg.Add(2)
+	go p.runDNSListener()
+	go p.runPacketSender()
+
+	// Start tunnel packet sender if tunnel DNS is enabled
+	if p.tunnelDNS {
+		p.wg.Add(1)
+		go p.runTunnelPacketSender()
+	}
+
+	logger.Info("DNS proxy started on %s:%d (tunnelDNS=%v)", p.proxyIP.String(), DNSPort, p.tunnelDNS)
+	return nil
+}
+
+// Stop stops the DNS proxy
+func (p *DNSProxy) Stop() {
+	if p.middleDevice != nil {
+		p.middleDevice.RemoveRule(p.proxyIP)
+		if p.tunnelDNS && p.tunnelIP.IsValid() {
+			p.middleDevice.RemoveRule(p.tunnelIP)
+		}
+	}
+	p.cancel()
+
+	// Close the endpoint first to unblock any pending Read() calls in runPacketSender
+	if p.ep != nil {
+		p.ep.Close()
+	}
+
+	// Close tunnel endpoint if it exists
+	if p.tunnelEp != nil {
+		p.tunnelEp.Close()
+	}
+
+	p.wg.Wait()
+
+	if p.stack != nil {
+		p.stack.Close()
+	}
+
+	if p.tunnelStack != nil {
+		p.tunnelStack.Close()
+	}
+
+	logger.Info("DNS proxy stopped")
+}
+
+func (p *DNSProxy) GetProxyIP() netip.Addr {
+	return p.proxyIP
+}
+
+// handlePacket is called by the filter for packets destined to DNS proxy IP
+func (p *DNSProxy) handlePacket(packet []byte) bool {
+	if len(packet) < 20 {
+		return false // Don't drop, malformed
+	}
+
+	// Quick check for UDP port 53
+	proto, ok := util.GetProtocol(packet)
+	if !ok || proto != 17 { // 17 = UDP
+		return false // Not UDP, don't handle
+	}
+
+	port, ok := util.GetDestPort(packet)
+	if !ok || port != DNSPort {
+		return false // Not DNS port
+	}
+
+	// Inject packet into our netstack
+	version := packet[0] >> 4
+	pkb := stack.NewPacketBuffer(stack.PacketBufferOptions{
+		Payload: buffer.MakeWithData(packet),
+	})
+
+	switch version {
+	case 4:
+		p.ep.InjectInbound(ipv4.ProtocolNumber, pkb)
+	case 6:
+		p.ep.InjectInbound(ipv6.ProtocolNumber, pkb)
+	default:
+		pkb.DecRef()
+		return false
+	}
+
+	pkb.DecRef()
+	return true // Drop packet from normal path
+}
+
+// runDNSListener listens for DNS queries on the netstack
+func (p *DNSProxy) runDNSListener() {
+	defer p.wg.Done()
+
+	// Create UDP listener using gonet
+	// Parse the proxy IP to get the octets
+	ipBytes := p.proxyIP.As4()
+	laddr := &tcpip.FullAddress{
+		NIC:  1,
+		Addr: tcpip.AddrFrom4(ipBytes),
+		Port: DNSPort,
+	}
+
+	udpConn, err := gonet.DialUDP(p.stack, laddr, nil, ipv4.ProtocolNumber)
+	if err != nil {
+		logger.Error("Failed to create DNS listener: %v", err)
+		return
+	}
+	defer udpConn.Close()
+
+	logger.Debug("DNS proxy listening on netstack")
+
+	// Handle DNS queries
+	buf := make([]byte, 4096)
+	for {
+		select {
+		case <-p.ctx.Done():
+			return
+		default:
+		}
+
+		udpConn.SetReadDeadline(time.Now().Add(1 * time.Second))
+		n, remoteAddr, err := udpConn.ReadFrom(buf)
+		if err != nil {
+			if netErr, ok := err.(net.Error); ok && netErr.Timeout() {
+				continue
+			}
+			if p.ctx.Err() != nil {
+				return
+			}
+			logger.Error("DNS read error: %v", err)
+			continue
+		}
+
+		query := make([]byte, n)
+		copy(query, buf[:n])
+
+		// Handle query in background
+		go p.handleDNSQuery(udpConn, query, remoteAddr)
+	}
+}
+
+// handleDNSQuery processes a DNS query, checking local records first, then forwarding upstream
+func (p *DNSProxy) handleDNSQuery(udpConn *gonet.UDPConn, queryData []byte, clientAddr net.Addr) {
+	// Parse the DNS query
+	msg := new(dns.Msg)
+	if err := msg.Unpack(queryData); err != nil {
+		logger.Error("Failed to parse DNS query: %v", err)
+		return
+	}
+
+	if len(msg.Question) == 0 {
+		logger.Debug("DNS query has no questions")
+		return
+	}
+
+	question := msg.Question[0]
+	logger.Debug("DNS query for %s (type %s)", question.Name, dns.TypeToString[question.Qtype])
+
+	// Check if we have local records for this query
+	var response *dns.Msg
+	if question.Qtype == dns.TypeA || question.Qtype == dns.TypeAAAA || question.Qtype == dns.TypePTR {
+		response = p.checkLocalRecords(msg, question)
+	}
+
+	// If a local A/AAAA record was found, notify the JIT handler so that the owning
+	// site can be connected on-demand if it is not yet active.
+	if response != nil && p.jitHandler != nil &&
+		(question.Qtype == dns.TypeA || question.Qtype == dns.TypeAAAA) {
+		if siteId, ok := p.recordStore.GetSiteIdForDomain(question.Name); ok && siteId != 0 {
+			handler := p.jitHandler
+			go handler(siteId)
+		}
+	}
+
+	// If no local records, forward to upstream
+	if response == nil {
+		logger.Debug("No local record for %s, forwarding upstream to %v", question.Name, p.upstreamDNS)
+		response = p.forwardToUpstream(msg)
+	}
+
+	if response == nil {
+		logger.Error("Failed to get DNS response for %s", question.Name)
+		return
+	}
+
+	// Pack and send response
+	responseData, err := response.Pack()
+	if err != nil {
+		logger.Error("Failed to pack DNS response: %v", err)
+		return
+	}
+
+	_, err = udpConn.WriteTo(responseData, clientAddr)
+	if err != nil {
+		logger.Error("Failed to send DNS response: %v", err)
+	}
+}
+
+// checkLocalRecords checks if we have local records for the query
+func (p *DNSProxy) checkLocalRecords(query *dns.Msg, question dns.Question) *dns.Msg {
+	// Handle PTR queries
+	if question.Qtype == dns.TypePTR {
+		if ptrDomain, ok := p.recordStore.GetPTRRecord(question.Name); ok {
+			logger.Debug("Found local PTR record for %s -> %s", question.Name, ptrDomain)
+
+			// Create response message
+			response := new(dns.Msg)
+			response.SetReply(query)
+			response.Authoritative = true
+
+			// Add PTR answer record
+			rr := &dns.PTR{
+				Hdr: dns.RR_Header{
+					Name:   question.Name,
+					Rrtype: dns.TypePTR,
+					Class:  dns.ClassINET,
+					Ttl:    300, // 5 minutes
+				},
+				Ptr: ptrDomain,
+			}
+			response.Answer = append(response.Answer, rr)
+
+			return response
+		}
+		return nil
+	}
+
+	// Handle A and AAAA queries
+	var recordType RecordType
+	if question.Qtype == dns.TypeA {
+		recordType = RecordTypeA
+	} else if question.Qtype == dns.TypeAAAA {
+		recordType = RecordTypeAAAA
+	} else {
+		return nil
+	}
+
+	ips, exists := p.recordStore.GetRecords(question.Name, recordType)
+	if !exists {
+		// Domain not found in local records, forward to upstream
+		return nil
+	}
+
+	logger.Debug("Found %d local record(s) for %s", len(ips), question.Name)
+
+	// Create response message (NODATA if no records, otherwise with answers)
+	response := new(dns.Msg)
+	response.SetReply(query)
+	response.Authoritative = true
+
+	// Add answer records (loop is a no-op if ips is empty)
+	for _, ip := range ips {
+		var rr dns.RR
+		if question.Qtype == dns.TypeA {
+			rr = &dns.A{
+				Hdr: dns.RR_Header{
+					Name:   question.Name,
+					Rrtype: dns.TypeA,
+					Class:  dns.ClassINET,
+					Ttl:    300, // 5 minutes
+				},
+				A: ip.To4(),
+			}
+		} else { // TypeAAAA
+			rr = &dns.AAAA{
+				Hdr: dns.RR_Header{
+					Name:   question.Name,
+					Rrtype: dns.TypeAAAA,
+					Class:  dns.ClassINET,
+					Ttl:    300, // 5 minutes
+				},
+				AAAA: ip.To16(),
+			}
+		}
+		response.Answer = append(response.Answer, rr)
+	}
+
+	return response
+}
+
+// forwardToUpstream forwards a DNS query to upstream DNS servers
+func (p *DNSProxy) forwardToUpstream(query *dns.Msg) *dns.Msg {
+	// Try primary DNS server
+	response, err := p.queryUpstream(p.upstreamDNS[0], query, 2*time.Second)
+	if err != nil && len(p.upstreamDNS) > 1 {
+		// Try secondary DNS server
+		logger.Debug("Primary DNS failed, trying secondary: %v", err)
+		response, err = p.queryUpstream(p.upstreamDNS[1], query, 2*time.Second)
+		if err != nil {
+			logger.Error("Both DNS servers failed: %v", err)
+			return nil
+		}
+	}
+	return response
+}
+
+// queryUpstream sends a DNS query to upstream server
+func (p *DNSProxy) queryUpstream(server string, query *dns.Msg, timeout time.Duration) (*dns.Msg, error) {
+	if p.tunnelDNS {
+		return p.queryUpstreamTunnel(server, query, timeout)
+	}
+	return p.queryUpstreamDirect(server, query, timeout)
+}
+
+// queryUpstreamDirect sends a DNS query to upstream server using miekg/dns directly (host networking)
+func (p *DNSProxy) queryUpstreamDirect(server string, query *dns.Msg, timeout time.Duration) (*dns.Msg, error) {
+	client := &dns.Client{
+		Timeout: timeout,
+	}
+
+	response, _, err := client.Exchange(query, server)
+	if err != nil {
+		return nil, err
+	}
+
+	return response, nil
+}
+
+// queryUpstreamTunnel sends a DNS query through the WireGuard tunnel
+func (p *DNSProxy) queryUpstreamTunnel(server string, query *dns.Msg, timeout time.Duration) (*dns.Msg, error) {
+	// Dial through the tunnel netstack
+	conn, port, err := p.dialTunnel("udp", server)
+	if err != nil {
+		return nil, fmt.Errorf("failed to dial tunnel: %v", err)
+	}
+	defer func() {
+		conn.Close()
+		p.removeTunnelPort(port)
+	}()
+
+	// Pack the query
+	queryData, err := query.Pack()
+	if err != nil {
+		return nil, fmt.Errorf("failed to pack query: %v", err)
+	}
+
+	// Set deadline
+	conn.SetDeadline(time.Now().Add(timeout))
+
+	// Send the query
+	_, err = conn.Write(queryData)
+	if err != nil {
+		return nil, fmt.Errorf("failed to send query: %v", err)
+	}
+
+	// Read the response
+	buf := make([]byte, 4096)
+	n, err := conn.Read(buf)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response: %v", err)
+	}
+
+	// Parse the response
+	response := new(dns.Msg)
+	if err := response.Unpack(buf[:n]); err != nil {
+		return nil, fmt.Errorf("failed to unpack response: %v", err)
+	}
+
+	return response, nil
+}
+
+// dialTunnel creates a UDP connection through the tunnel netstack
+func (p *DNSProxy) dialTunnel(network, addr string) (net.Conn, uint16, error) {
+	if p.tunnelStack == nil {
+		return nil, 0, fmt.Errorf("tunnel netstack not initialized")
+	}
+
+	// Parse remote address
+	raddr, err := net.ResolveUDPAddr("udp", addr)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	// Use tunnel IP as source
+	ipBytes := p.tunnelIP.As4()
+
+	// Create UDP connection with ephemeral port
+	laddr := &tcpip.FullAddress{
+		NIC:  1,
+		Addr: tcpip.AddrFrom4(ipBytes),
+		Port: 0,
+	}
+
+	raddrTcpip := &tcpip.FullAddress{
+		NIC:  1,
+		Addr: tcpip.AddrFrom4([4]byte(raddr.IP.To4())),
+		Port: uint16(raddr.Port),
+	}
+
+	conn, err := gonet.DialUDP(p.tunnelStack, laddr, raddrTcpip, ipv4.ProtocolNumber)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	// Get local port
+	localAddr := conn.LocalAddr().(*net.UDPAddr)
+	port := uint16(localAddr.Port)
+
+	// Register port so we can receive responses
+	p.tunnelPortsLock.Lock()
+	p.tunnelActivePorts[port] = true
+	p.tunnelPortsLock.Unlock()
+
+	return conn, port, nil
+}
+
+// removeTunnelPort removes a port from the active ports map
+func (p *DNSProxy) removeTunnelPort(port uint16) {
+	p.tunnelPortsLock.Lock()
+	delete(p.tunnelActivePorts, port)
+	p.tunnelPortsLock.Unlock()
+}
+
+// runTunnelPacketSender reads packets from tunnel netstack and injects them into WireGuard
+func (p *DNSProxy) runTunnelPacketSender() {
+	defer p.wg.Done()
+	logger.Debug("DNS tunnel packet sender goroutine started")
+
+	for {
+		// Use blocking ReadContext instead of polling - much more CPU efficient
+		// This will block until a packet is available or context is cancelled
+		pkt := p.tunnelEp.ReadContext(p.ctx)
+		if pkt == nil {
+			// Context was cancelled or endpoint closed
+			logger.Debug("DNS tunnel packet sender exiting")
+			// Drain any remaining packets
+			for {
+				pkt := p.tunnelEp.Read()
+				if pkt == nil {
+					break
+				}
+				pkt.DecRef()
+			}
+			return
+		}
+
+		// Extract packet data
+		slices := pkt.AsSlices()
+		if len(slices) > 0 {
+			var totalSize int
+			for _, slice := range slices {
+				totalSize += len(slice)
+			}
+
+			buf := make([]byte, totalSize)
+			pos := 0
+			for _, slice := range slices {
+				copy(buf[pos:], slice)
+				pos += len(slice)
+			}
+
+			// Inject into MiddleDevice (outbound to WG)
+			p.middleDevice.InjectOutbound(buf)
+		}
+
+		pkt.DecRef()
+	}
+}
+
+// runPacketSender sends packets from netstack back to TUN
+func (p *DNSProxy) runPacketSender() {
+	defer p.wg.Done()
+
+	// MessageTransportHeaderSize is the offset used by WireGuard device
+	// for reading/writing packets to the TUN interface
+	const offset = 16
+
+	for {
+		// Use blocking ReadContext instead of polling - much more CPU efficient
+		// This will block until a packet is available or context is cancelled
+		pkt := p.ep.ReadContext(p.ctx)
+		if pkt == nil {
+			// Context was cancelled or endpoint closed
+			return
+		}
+
+		// Extract packet data as slices
+		slices := pkt.AsSlices()
+		if len(slices) > 0 {
+			// Flatten all slices into a single packet buffer
+			var totalSize int
+			for _, slice := range slices {
+				totalSize += len(slice)
+			}
+
+			// Allocate buffer with offset space for WireGuard transport header
+			// The first 'offset' bytes are reserved for the transport header
+			buf := make([]byte, offset+totalSize)
+
+			// Copy packet data after the offset
+			pos := offset
+			for _, slice := range slices {
+				copy(buf[pos:], slice)
+				pos += len(slice)
+			}
+
+			// Write packet to TUN device via MiddleDevice
+			// offset=16 indicates packet data starts at position 16 in the buffer
+			_, err := p.middleDevice.WriteToTun([][]byte{buf}, offset)
+			if err != nil {
+				logger.Error("Failed to write DNS response to TUN: %v", err)
+			}
+		}
+
+		pkt.DecRef()
+	}
+}
+
+// SetJITHandler registers a callback that is invoked whenever a local DNS record is
+// resolved for an A or AAAA query. The siteId identifies which site owns the record.
+// The handler is called in its own goroutine so it must be safe to call concurrently.
+// Pass nil to disable JIT notifications.
+func (p *DNSProxy) SetJITHandler(handler func(siteId int)) {
+	p.jitHandler = handler
+}
+
+// AddDNSRecord adds a DNS record to the local store
+// domain should be a domain name (e.g., "example.com" or "example.com.")
+// ip should be a valid IPv4 or IPv6 address
+func (p *DNSProxy) AddDNSRecord(domain string, ip net.IP, siteId int) error {
+	logger.Debug("Adding dns record for domain %s with IP %s (siteId=%d)", domain, ip.String(), siteId)
+	return p.recordStore.AddRecord(domain, ip, siteId)
+}
+
+// RemoveDNSRecord removes a DNS record from the local store
+// If ip is nil, removes all records for the domain
+func (p *DNSProxy) RemoveDNSRecord(domain string, ip net.IP) {
+	p.recordStore.RemoveRecord(domain, ip)
+}
+
+// GetDNSRecords returns all IP addresses for a domain and record type.
+// The second return value indicates whether the domain exists.
+func (p *DNSProxy) GetDNSRecords(domain string, recordType RecordType) ([]net.IP, bool) {
+	return p.recordStore.GetRecords(domain, recordType)
+}
+
+// ClearDNSRecords removes all DNS records from the local store
+func (p *DNSProxy) ClearDNSRecords() {
+	p.recordStore.Clear()
+}
+
+func PickIPFromSubnet(subnet string) (netip.Addr, error) {
+	// given a subnet in CIDR notation, pick the first usable IP
+	prefix, err := netip.ParsePrefix(subnet)
+	if err != nil {
+		return netip.Addr{}, fmt.Errorf("invalid subnet: %w", err)
+	}
+
+	// Pick the first usable IP address from the subnet
+	ip := prefix.Addr().Next()
+	if !ip.IsValid() {
+		return netip.Addr{}, fmt.Errorf("no valid IP address found in subnet: %s", subnet)
+	}
+
+	return ip, nil
+}

dns/dns_proxy_test.go

@@ -0,0 +1,178 @@
+package dns
+
+import (
+	"net"
+	"testing"
+
+	"github.com/miekg/dns"
+)
+
+func TestCheckLocalRecordsNODATAForAAAA(t *testing.T) {
+	proxy := &DNSProxy{
+		recordStore: NewDNSRecordStore(),
+	}
+
+	// Add an A record for a domain (no AAAA record)
+	ip := net.ParseIP("10.0.0.1")
+	err := proxy.recordStore.AddRecord("myservice.internal", ip, 0)
+	if err != nil {
+		t.Fatalf("Failed to add A record: %v", err)
+	}
+
+	// Query AAAA for domain with only A record - should return NODATA
+	query := new(dns.Msg)
+	query.SetQuestion("myservice.internal.", dns.TypeAAAA)
+	response := proxy.checkLocalRecords(query, query.Question[0])
+
+	if response == nil {
+		t.Fatal("Expected NODATA response, got nil (would forward to upstream)")
+	}
+	if response.Rcode != dns.RcodeSuccess {
+		t.Errorf("Expected Rcode NOERROR (0), got %d", response.Rcode)
+	}
+	if len(response.Answer) != 0 {
+		t.Errorf("Expected empty answer section for NODATA, got %d answers", len(response.Answer))
+	}
+	if !response.Authoritative {
+		t.Error("Expected response to be authoritative")
+	}
+
+	// Query A for same domain - should return the record
+	query = new(dns.Msg)
+	query.SetQuestion("myservice.internal.", dns.TypeA)
+	response = proxy.checkLocalRecords(query, query.Question[0])
+
+	if response == nil {
+		t.Fatal("Expected response with A record, got nil")
+	}
+	if len(response.Answer) != 1 {
+		t.Fatalf("Expected 1 answer, got %d", len(response.Answer))
+	}
+	aRecord, ok := response.Answer[0].(*dns.A)
+	if !ok {
+		t.Fatal("Expected A record in answer")
+	}
+	if !aRecord.A.Equal(ip.To4()) {
+		t.Errorf("Expected IP %v, got %v", ip.To4(), aRecord.A)
+	}
+}
+
+func TestCheckLocalRecordsNODATAForA(t *testing.T) {
+	proxy := &DNSProxy{
+		recordStore: NewDNSRecordStore(),
+	}
+
+	// Add an AAAA record for a domain (no A record)
+	ip := net.ParseIP("2001:db8::1")
+	err := proxy.recordStore.AddRecord("ipv6only.internal", ip, 0)
+	if err != nil {
+		t.Fatalf("Failed to add AAAA record: %v", err)
+	}
+
+	// Query A for domain with only AAAA record - should return NODATA
+	query := new(dns.Msg)
+	query.SetQuestion("ipv6only.internal.", dns.TypeA)
+	response := proxy.checkLocalRecords(query, query.Question[0])
+
+	if response == nil {
+		t.Fatal("Expected NODATA response, got nil")
+	}
+	if response.Rcode != dns.RcodeSuccess {
+		t.Errorf("Expected Rcode NOERROR (0), got %d", response.Rcode)
+	}
+	if len(response.Answer) != 0 {
+		t.Errorf("Expected empty answer section, got %d answers", len(response.Answer))
+	}
+	if !response.Authoritative {
+		t.Error("Expected response to be authoritative")
+	}
+
+	// Query AAAA for same domain - should return the record
+	query = new(dns.Msg)
+	query.SetQuestion("ipv6only.internal.", dns.TypeAAAA)
+	response = proxy.checkLocalRecords(query, query.Question[0])
+
+	if response == nil {
+		t.Fatal("Expected response with AAAA record, got nil")
+	}
+	if len(response.Answer) != 1 {
+		t.Fatalf("Expected 1 answer, got %d", len(response.Answer))
+	}
+	aaaaRecord, ok := response.Answer[0].(*dns.AAAA)
+	if !ok {
+		t.Fatal("Expected AAAA record in answer")
+	}
+	if !aaaaRecord.AAAA.Equal(ip) {
+		t.Errorf("Expected IP %v, got %v", ip, aaaaRecord.AAAA)
+	}
+}
+
+func TestCheckLocalRecordsNonExistentDomain(t *testing.T) {
+	proxy := &DNSProxy{
+		recordStore: NewDNSRecordStore(),
+	}
+
+	// Add a record so the store isn't empty
+	err := proxy.recordStore.AddRecord("exists.internal", net.ParseIP("10.0.0.1"), 0)
+	if err != nil {
+		t.Fatalf("Failed to add record: %v", err)
+	}
+
+	// Query A for non-existent domain - should return nil (forward to upstream)
+	query := new(dns.Msg)
+	query.SetQuestion("unknown.internal.", dns.TypeA)
+	response := proxy.checkLocalRecords(query, query.Question[0])
+
+	if response != nil {
+		t.Error("Expected nil for non-existent domain, got response")
+	}
+
+	// Query AAAA for non-existent domain - should also return nil
+	query = new(dns.Msg)
+	query.SetQuestion("unknown.internal.", dns.TypeAAAA)
+	response = proxy.checkLocalRecords(query, query.Question[0])
+
+	if response != nil {
+		t.Error("Expected nil for non-existent domain, got response")
+	}
+}
+
+func TestCheckLocalRecordsNODATAWildcard(t *testing.T) {
+	proxy := &DNSProxy{
+		recordStore: NewDNSRecordStore(),
+	}
+
+	// Add a wildcard A record (no AAAA)
+	ip := net.ParseIP("10.0.0.1")
+	err := proxy.recordStore.AddRecord("*.wildcard.internal", ip, 0)
+	if err != nil {
+		t.Fatalf("Failed to add wildcard A record: %v", err)
+	}
+
+	// Query AAAA for wildcard-matched domain - should return NODATA
+	query := new(dns.Msg)
+	query.SetQuestion("host.wildcard.internal.", dns.TypeAAAA)
+	response := proxy.checkLocalRecords(query, query.Question[0])
+
+	if response == nil {
+		t.Fatal("Expected NODATA response for wildcard match, got nil")
+	}
+	if response.Rcode != dns.RcodeSuccess {
+		t.Errorf("Expected Rcode NOERROR (0), got %d", response.Rcode)
+	}
+	if len(response.Answer) != 0 {
+		t.Errorf("Expected empty answer section, got %d answers", len(response.Answer))
+	}
+
+	// Query A for wildcard-matched domain - should return the record
+	query = new(dns.Msg)
+	query.SetQuestion("host.wildcard.internal.", dns.TypeA)
+	response = proxy.checkLocalRecords(query, query.Question[0])
+
+	if response == nil {
+		t.Fatal("Expected response with A record, got nil")
+	}
+	if len(response.Answer) != 1 {
+		t.Fatalf("Expected 1 answer, got %d", len(response.Answer))
+	}
+}

dns/dns_records.go

@@ -0,0 +1,497 @@
+package dns
+
+import (
+	"fmt"
+	"net"
+	"strings"
+	"sync"
+
+	"github.com/miekg/dns"
+)
+
+// RecordType represents the type of DNS record
+type RecordType uint16
+
+const (
+	RecordTypeA    RecordType = RecordType(dns.TypeA)
+	RecordTypeAAAA RecordType = RecordType(dns.TypeAAAA)
+	RecordTypePTR  RecordType = RecordType(dns.TypePTR)
+)
+
+// recordSet holds A and AAAA records for a single domain or wildcard pattern
+type recordSet struct {
+	A      []net.IP
+	AAAA   []net.IP
+	SiteId int
+}
+
+// DNSRecordStore manages local DNS records for A, AAAA, and PTR queries.
+// Exact domains are stored in a map; wildcard patterns are in a separate map.
+type DNSRecordStore struct {
+	mu         sync.RWMutex
+	exact      map[string]*recordSet // normalized FQDN -> A/AAAA records
+	wildcards  map[string]*recordSet // wildcard pattern -> A/AAAA records
+	ptrRecords map[string]string     // IP address string -> domain name
+}
+
+// NewDNSRecordStore creates a new DNS record store
+func NewDNSRecordStore() *DNSRecordStore {
+	return &DNSRecordStore{
+		exact:      make(map[string]*recordSet),
+		wildcards:  make(map[string]*recordSet),
+		ptrRecords: make(map[string]string),
+	}
+}
+
+// AddRecord adds a DNS record mapping (A or AAAA)
+// domain should be in FQDN format (e.g., "example.com.")
+// domain can contain wildcards: * (0+ chars) and ? (exactly 1 char)
+// ip should be a valid IPv4 or IPv6 address
+// siteId is the site that owns this alias/domain
+// Automatically adds a corresponding PTR record for non-wildcard domains
+func (s *DNSRecordStore) AddRecord(domain string, ip net.IP, siteId int) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if len(domain) == 0 || domain[len(domain)-1] != '.' {
+		domain = domain + "."
+	}
+	domain = strings.ToLower(dns.Fqdn(domain))
+	isWildcard := strings.ContainsAny(domain, "*?")
+
+	isV4 := ip.To4() != nil
+	if !isV4 && ip.To16() == nil {
+		return &net.ParseError{Type: "IP address", Text: ip.String()}
+	}
+
+	// Choose the appropriate map based on whether this is a wildcard
+	m := s.exact
+	if isWildcard {
+		m = s.wildcards
+	}
+
+	if m[domain] == nil {
+		m[domain] = &recordSet{SiteId: siteId}
+	}
+	rs := m[domain]
+	if isV4 {
+		for _, existing := range rs.A {
+			if existing.Equal(ip) {
+				return nil
+			}
+		}
+		rs.A = append(rs.A, ip)
+	} else {
+		for _, existing := range rs.AAAA {
+			if existing.Equal(ip) {
+				return nil
+			}
+		}
+		rs.AAAA = append(rs.AAAA, ip)
+	}
+
+	// Add PTR record for non-wildcard domains
+	if !isWildcard {
+		s.ptrRecords[ip.String()] = domain
+	}
+	return nil
+}
+
+
+// AddPTRRecord adds a PTR record mapping an IP address to a domain name
+// ip should be a valid IPv4 or IPv6 address
+// domain should be in FQDN format (e.g., "example.com.")
+func (s *DNSRecordStore) AddPTRRecord(ip net.IP, domain string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	// Ensure domain ends with a dot (FQDN format)
+	if len(domain) == 0 || domain[len(domain)-1] != '.' {
+		domain = domain + "."
+	}
+
+	// Normalize domain to lowercase FQDN
+	domain = strings.ToLower(dns.Fqdn(domain))
+
+	// Store PTR record using IP string as key
+	s.ptrRecords[ip.String()] = domain
+
+	return nil
+}
+
+// RemoveRecord removes a specific DNS record mapping
+// If ip is nil, removes all records for the domain (including wildcards)
+// Automatically removes corresponding PTR records for non-wildcard domains
+func (s *DNSRecordStore) RemoveRecord(domain string, ip net.IP) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if len(domain) == 0 || domain[len(domain)-1] != '.' {
+		domain = domain + "."
+	}
+	domain = strings.ToLower(dns.Fqdn(domain))
+	isWildcard := strings.ContainsAny(domain, "*?")
+
+	// Choose the appropriate map
+	m := s.exact
+	if isWildcard {
+		m = s.wildcards
+	}
+
+	rs := m[domain]
+	if rs == nil {
+		return
+	}
+
+	if ip == nil {
+		// Remove all records for this domain
+		if !isWildcard {
+			for _, ipAddr := range rs.A {
+				if ptrDomain, exists := s.ptrRecords[ipAddr.String()]; exists && ptrDomain == domain {
+					delete(s.ptrRecords, ipAddr.String())
+				}
+			}
+			for _, ipAddr := range rs.AAAA {
+				if ptrDomain, exists := s.ptrRecords[ipAddr.String()]; exists && ptrDomain == domain {
+					delete(s.ptrRecords, ipAddr.String())
+				}
+			}
+		}
+		delete(m, domain)
+		return
+	}
+
+	// Remove specific IP
+	if ip.To4() != nil {
+		rs.A = removeIP(rs.A, ip)
+		if !isWildcard {
+			if ptrDomain, exists := s.ptrRecords[ip.String()]; exists && ptrDomain == domain {
+				delete(s.ptrRecords, ip.String())
+			}
+		}
+	} else {
+		rs.AAAA = removeIP(rs.AAAA, ip)
+		if !isWildcard {
+			if ptrDomain, exists := s.ptrRecords[ip.String()]; exists && ptrDomain == domain {
+				delete(s.ptrRecords, ip.String())
+			}
+		}
+	}
+
+	// Clean up empty record sets
+	if len(rs.A) == 0 && len(rs.AAAA) == 0 {
+		delete(m, domain)
+	}
+}
+
+// RemovePTRRecord removes a PTR record for an IP address
+func (s *DNSRecordStore) RemovePTRRecord(ip net.IP) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	delete(s.ptrRecords, ip.String())
+}
+
+// GetSiteIdForDomain returns the siteId associated with the given domain.
+// It checks exact matches first, then wildcard patterns.
+// The second return value is false if the domain is not found in local records.
+func (s *DNSRecordStore) GetSiteIdForDomain(domain string) (int, bool) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	domain = strings.ToLower(dns.Fqdn(domain))
+
+	// Check exact match first
+	if rs, exists := s.exact[domain]; exists {
+		return rs.SiteId, true
+	}
+
+	// Check wildcard matches
+	for pattern, rs := range s.wildcards {
+		if matchWildcard(pattern, domain) {
+			return rs.SiteId, true
+		}
+	}
+
+	return 0, false
+}
+
+// GetRecords returns all IP addresses for a domain and record type.
+// The second return value indicates whether the domain exists at all
+// (true = domain exists, use NODATA if no records; false = NXDOMAIN).
+func (s *DNSRecordStore) GetRecords(domain string, recordType RecordType) ([]net.IP, bool) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	domain = strings.ToLower(dns.Fqdn(domain))
+
+	// Check exact match first
+	if rs, exists := s.exact[domain]; exists {
+		var ips []net.IP
+		if recordType == RecordTypeA {
+			ips = rs.A
+		} else {
+			ips = rs.AAAA
+		}
+		if len(ips) > 0 {
+			out := make([]net.IP, len(ips))
+			copy(out, ips)
+			return out, true
+		}
+		// Domain exists but no records of this type
+		return nil, true
+	}
+
+	// Check wildcard matches
+	var records []net.IP
+	matched := false
+	for pattern, rs := range s.wildcards {
+		if !matchWildcard(pattern, domain) {
+			continue
+		}
+		matched = true
+		if recordType == RecordTypeA {
+			records = append(records, rs.A...)
+		} else {
+			records = append(records, rs.AAAA...)
+		}
+	}
+
+	if !matched {
+		return nil, false
+	}
+	if len(records) == 0 {
+		return nil, true
+	}
+	out := make([]net.IP, len(records))
+	copy(out, records)
+	return out, true
+}
+
+// GetPTRRecord returns the domain name for a PTR record query
+// domain should be in reverse DNS format (e.g., "1.0.0.127.in-addr.arpa.")
+func (s *DNSRecordStore) GetPTRRecord(domain string) (string, bool) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	// Convert reverse DNS format to IP address
+	ip := reverseDNSToIP(domain)
+	if ip == nil {
+		return "", false
+	}
+
+	// Look up the PTR record
+	if ptrDomain, ok := s.ptrRecords[ip.String()]; ok {
+		return ptrDomain, true
+	}
+
+	return "", false
+}
+
+// HasRecord checks if a domain has any records of the specified type
+// Checks both exact matches and wildcard patterns
+func (s *DNSRecordStore) HasRecord(domain string, recordType RecordType) bool {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	domain = strings.ToLower(dns.Fqdn(domain))
+
+	// Check exact match
+	if rs, exists := s.exact[domain]; exists {
+		if recordType == RecordTypeA && len(rs.A) > 0 {
+			return true
+		}
+		if recordType == RecordTypeAAAA && len(rs.AAAA) > 0 {
+			return true
+		}
+	}
+
+	// Check wildcard matches
+	for pattern, rs := range s.wildcards {
+		if !matchWildcard(pattern, domain) {
+			continue
+		}
+		if recordType == RecordTypeA && len(rs.A) > 0 {
+			return true
+		}
+		if recordType == RecordTypeAAAA && len(rs.AAAA) > 0 {
+			return true
+		}
+	}
+	return false
+}
+
+// HasPTRRecord checks if a PTR record exists for the given reverse DNS domain
+func (s *DNSRecordStore) HasPTRRecord(domain string) bool {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	// Convert reverse DNS format to IP address
+	ip := reverseDNSToIP(domain)
+	if ip == nil {
+		return false
+	}
+
+	_, ok := s.ptrRecords[ip.String()]
+	return ok
+}
+
+// Clear removes all records from the store
+func (s *DNSRecordStore) Clear() {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	s.exact = make(map[string]*recordSet)
+	s.wildcards = make(map[string]*recordSet)
+	s.ptrRecords = make(map[string]string)
+}
+
+// removeIP is a helper function to remove a specific IP from a slice
+func removeIP(ips []net.IP, toRemove net.IP) []net.IP {
+	result := make([]net.IP, 0, len(ips))
+	for _, ip := range ips {
+		if !ip.Equal(toRemove) {
+			result = append(result, ip)
+		}
+	}
+	return result
+}
+
+// matchWildcard checks if a domain matches a wildcard pattern
+// Pattern supports * (0+ chars) and ? (exactly 1 char)
+// Special case: *.domain.com does not match domain.com itself
+func matchWildcard(pattern, domain string) bool {
+	return matchWildcardInternal(pattern, domain, 0, 0)
+}
+
+// matchWildcardInternal performs the actual wildcard matching recursively
+func matchWildcardInternal(pattern, domain string, pi, di int) bool {
+	plen := len(pattern)
+	dlen := len(domain)
+
+	// Base cases
+	if pi == plen && di == dlen {
+		return true
+	}
+	if pi == plen {
+		return false
+	}
+
+	// Handle wildcard characters
+	if pattern[pi] == '*' {
+		// Special case: if pattern starts with "*." and we're at the beginning,
+		// ensure we don't match the domain without a prefix
+		// e.g., *.autoco.internal should not match autoco.internal
+		if pi == 0 && pi+1 < plen && pattern[pi+1] == '.' {
+			// The * must match at least one character
+			if di == dlen {
+				return false
+			}
+			// Try matching 1 or more characters before the dot
+			for i := di + 1; i <= dlen; i++ {
+				if matchWildcardInternal(pattern, domain, pi+1, i) {
+					return true
+				}
+			}
+			return false
+		}
+
+		// Normal * matching (0 or more characters)
+		// Try matching 0 characters (skip the *)
+		if matchWildcardInternal(pattern, domain, pi+1, di) {
+			return true
+		}
+		// Try matching 1+ characters
+		if di < dlen {
+			return matchWildcardInternal(pattern, domain, pi, di+1)
+		}
+		return false
+	}
+
+	if pattern[pi] == '?' {
+		// ? matches exactly one character
+		if di >= dlen {
+			return false
+		}
+		return matchWildcardInternal(pattern, domain, pi+1, di+1)
+	}
+
+	// Regular character - must match exactly
+	if di >= dlen || pattern[pi] != domain[di] {
+		return false
+	}
+
+	return matchWildcardInternal(pattern, domain, pi+1, di+1)
+}
+
+// reverseDNSToIP converts a reverse DNS query name to an IP address
+// Supports both IPv4 (in-addr.arpa) and IPv6 (ip6.arpa) formats
+func reverseDNSToIP(domain string) net.IP {
+	// Normalize to lowercase and ensure FQDN
+	domain = strings.ToLower(dns.Fqdn(domain))
+
+	// Check for IPv4 reverse DNS (in-addr.arpa)
+	if strings.HasSuffix(domain, ".in-addr.arpa.") {
+		// Remove the suffix
+		ipPart := strings.TrimSuffix(domain, ".in-addr.arpa.")
+		// Split by dots and reverse
+		parts := strings.Split(ipPart, ".")
+		if len(parts) != 4 {
+			return nil
+		}
+		// Reverse the octets
+		reversed := make([]string, 4)
+		for i := 0; i < 4; i++ {
+			reversed[i] = parts[3-i]
+		}
+		// Parse as IP
+		return net.ParseIP(strings.Join(reversed, "."))
+	}
+
+	// Check for IPv6 reverse DNS (ip6.arpa)
+	if strings.HasSuffix(domain, ".ip6.arpa.") {
+		// Remove the suffix
+		ipPart := strings.TrimSuffix(domain, ".ip6.arpa.")
+		// Split by dots and reverse
+		parts := strings.Split(ipPart, ".")
+		if len(parts) != 32 {
+			return nil
+		}
+		// Reverse the nibbles and group into 16-bit hex values
+		reversed := make([]string, 32)
+		for i := 0; i < 32; i++ {
+			reversed[i] = parts[31-i]
+		}
+		// Join into IPv6 format (groups of 4 nibbles separated by colons)
+		var ipv6Parts []string
+		for i := 0; i < 32; i += 4 {
+			ipv6Parts = append(ipv6Parts, reversed[i]+reversed[i+1]+reversed[i+2]+reversed[i+3])
+		}
+		// Parse as IP
+		return net.ParseIP(strings.Join(ipv6Parts, ":"))
+	}
+
+	return nil
+}
+
+// IPToReverseDNS converts an IP address to reverse DNS format
+// Returns the domain name for PTR queries (e.g., "1.0.0.127.in-addr.arpa.")
+func IPToReverseDNS(ip net.IP) string {
+	if ip4 := ip.To4(); ip4 != nil {
+		// IPv4: reverse octets and append .in-addr.arpa.
+		return dns.Fqdn(fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa",
+			ip4[3], ip4[2], ip4[1], ip4[0]))
+	}
+
+	if ip6 := ip.To16(); ip6 != nil && ip.To4() == nil {
+		// IPv6: expand to 32 nibbles, reverse, and append .ip6.arpa.
+		var nibbles []string
+		for i := 15; i >= 0; i-- {
+			nibbles = append(nibbles, fmt.Sprintf("%x", ip6[i]&0x0f))
+			nibbles = append(nibbles, fmt.Sprintf("%x", ip6[i]>>4))
+		}
+		return dns.Fqdn(strings.Join(nibbles, ".") + ".ip6.arpa")
+	}
+
+	return ""
+}

dns/dns_records_test.go

@@ -0,0 +1,888 @@
+package dns
+
+import (
+	"net"
+	"testing"
+)
+
+func TestWildcardMatching(t *testing.T) {
+	tests := []struct {
+		name     string
+		pattern  string
+		domain   string
+		expected bool
+	}{
+		// Basic wildcard tests
+		{
+			name:     "*.autoco.internal matches host.autoco.internal",
+			pattern:  "*.autoco.internal.",
+			domain:   "host.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "*.autoco.internal matches longerhost.autoco.internal",
+			pattern:  "*.autoco.internal.",
+			domain:   "longerhost.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "*.autoco.internal matches sub.host.autoco.internal",
+			pattern:  "*.autoco.internal.",
+			domain:   "sub.host.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "*.autoco.internal does NOT match autoco.internal",
+			pattern:  "*.autoco.internal.",
+			domain:   "autoco.internal.",
+			expected: false,
+		},
+
+		// Question mark wildcard tests
+		{
+			name:     "host-0?.autoco.internal matches host-01.autoco.internal",
+			pattern:  "host-0?.autoco.internal.",
+			domain:   "host-01.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "host-0?.autoco.internal matches host-0a.autoco.internal",
+			pattern:  "host-0?.autoco.internal.",
+			domain:   "host-0a.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "host-0?.autoco.internal does NOT match host-0.autoco.internal",
+			pattern:  "host-0?.autoco.internal.",
+			domain:   "host-0.autoco.internal.",
+			expected: false,
+		},
+		{
+			name:     "host-0?.autoco.internal does NOT match host-012.autoco.internal",
+			pattern:  "host-0?.autoco.internal.",
+			domain:   "host-012.autoco.internal.",
+			expected: false,
+		},
+
+		// Combined wildcard tests
+		{
+			name:     "*.host-0?.autoco.internal matches sub.host-01.autoco.internal",
+			pattern:  "*.host-0?.autoco.internal.",
+			domain:   "sub.host-01.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "*.host-0?.autoco.internal matches prefix.host-0a.autoco.internal",
+			pattern:  "*.host-0?.autoco.internal.",
+			domain:   "prefix.host-0a.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "*.host-0?.autoco.internal does NOT match host-01.autoco.internal",
+			pattern:  "*.host-0?.autoco.internal.",
+			domain:   "host-01.autoco.internal.",
+			expected: false,
+		},
+
+		// Multiple asterisks
+		{
+			name:     "*.*. autoco.internal matches any.thing.autoco.internal",
+			pattern:  "*.*.autoco.internal.",
+			domain:   "any.thing.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "*.*.autoco.internal does NOT match single.autoco.internal",
+			pattern:  "*.*.autoco.internal.",
+			domain:   "single.autoco.internal.",
+			expected: false,
+		},
+
+		// Asterisk in middle
+		{
+			name:     "host-*.autoco.internal matches host-anything.autoco.internal",
+			pattern:  "host-*.autoco.internal.",
+			domain:   "host-anything.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "host-*.autoco.internal matches host-.autoco.internal (empty match)",
+			pattern:  "host-*.autoco.internal.",
+			domain:   "host-.autoco.internal.",
+			expected: true,
+		},
+
+		// Multiple question marks
+		{
+			name:     "host-??.autoco.internal matches host-01.autoco.internal",
+			pattern:  "host-??.autoco.internal.",
+			domain:   "host-01.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "host-??.autoco.internal does NOT match host-1.autoco.internal",
+			pattern:  "host-??.autoco.internal.",
+			domain:   "host-1.autoco.internal.",
+			expected: false,
+		},
+
+		// Exact match (no wildcards)
+		{
+			name:     "exact.autoco.internal matches exact.autoco.internal",
+			pattern:  "exact.autoco.internal.",
+			domain:   "exact.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "exact.autoco.internal does NOT match other.autoco.internal",
+			pattern:  "exact.autoco.internal.",
+			domain:   "other.autoco.internal.",
+			expected: false,
+		},
+
+		// Edge cases
+		{
+			name:     "* matches anything",
+			pattern:  "*",
+			domain:   "anything.at.all.",
+			expected: true,
+		},
+		{
+			name:     "*.* matches multi.level.",
+			pattern:  "*.*",
+			domain:   "multi.level.",
+			expected: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := matchWildcard(tt.pattern, tt.domain)
+			if result != tt.expected {
+				t.Errorf("matchWildcard(%q, %q) = %v, want %v", tt.pattern, tt.domain, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestDNSRecordStoreWildcard(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add wildcard records
+	wildcardIP := net.ParseIP("10.0.0.1")
+	err := store.AddRecord("*.autoco.internal", wildcardIP, 0)
+	if err != nil {
+		t.Fatalf("Failed to add wildcard record: %v", err)
+	}
+
+	// Add exact record
+	exactIP := net.ParseIP("10.0.0.2")
+	err = store.AddRecord("exact.autoco.internal", exactIP, 0)
+	if err != nil {
+		t.Fatalf("Failed to add exact record: %v", err)
+	}
+
+	// Test exact match takes precedence
+	ips, exists := store.GetRecords("exact.autoco.internal.", RecordTypeA)
+	if !exists {
+		t.Error("Expected domain to exist")
+	}
+	if len(ips) != 1 {
+		t.Errorf("Expected 1 IP for exact match, got %d", len(ips))
+	}
+	if len(ips) > 0 && !ips[0].Equal(exactIP) {
+		t.Errorf("Expected exact IP %v, got %v", exactIP, ips[0])
+	}
+
+	// Test wildcard match
+	ips, exists = store.GetRecords("host.autoco.internal.", RecordTypeA)
+	if !exists {
+		t.Error("Expected wildcard match to exist")
+	}
+	if len(ips) != 1 {
+		t.Errorf("Expected 1 IP for wildcard match, got %d", len(ips))
+	}
+	if len(ips) > 0 && !ips[0].Equal(wildcardIP) {
+		t.Errorf("Expected wildcard IP %v, got %v", wildcardIP, ips[0])
+	}
+
+	// Test non-match (base domain)
+	ips, exists = store.GetRecords("autoco.internal.", RecordTypeA)
+	if exists {
+		t.Error("Expected base domain to not exist")
+	}
+	if len(ips) != 0 {
+		t.Errorf("Expected 0 IPs for base domain, got %d", len(ips))
+	}
+}
+
+func TestDNSRecordStoreComplexWildcard(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add complex wildcard pattern
+	ip1 := net.ParseIP("10.0.0.1")
+	err := store.AddRecord("*.host-0?.autoco.internal", ip1, 0)
+	if err != nil {
+		t.Fatalf("Failed to add wildcard record: %v", err)
+	}
+
+	// Test matching domain
+	ips, exists := store.GetRecords("sub.host-01.autoco.internal.", RecordTypeA)
+	if !exists {
+		t.Error("Expected complex wildcard match to exist")
+	}
+	if len(ips) != 1 {
+		t.Errorf("Expected 1 IP for complex wildcard match, got %d", len(ips))
+	}
+	if len(ips) > 0 && !ips[0].Equal(ip1) {
+		t.Errorf("Expected IP %v, got %v", ip1, ips[0])
+	}
+
+	// Test non-matching domain (missing prefix)
+	ips, exists = store.GetRecords("host-01.autoco.internal.", RecordTypeA)
+	if exists {
+		t.Error("Expected domain without prefix to not exist")
+	}
+	if len(ips) != 0 {
+		t.Errorf("Expected 0 IPs for domain without prefix, got %d", len(ips))
+	}
+
+	// Test non-matching domain (wrong ? position)
+	ips, exists = store.GetRecords("sub.host-012.autoco.internal.", RecordTypeA)
+	if exists {
+		t.Error("Expected domain with wrong ? match to not exist")
+	}
+	if len(ips) != 0 {
+		t.Errorf("Expected 0 IPs for domain with wrong ? match, got %d", len(ips))
+	}
+}
+
+func TestDNSRecordStoreRemoveWildcard(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add wildcard record
+	ip := net.ParseIP("10.0.0.1")
+	err := store.AddRecord("*.autoco.internal", ip, 0)
+	if err != nil {
+		t.Fatalf("Failed to add wildcard record: %v", err)
+	}
+
+	// Verify it exists
+	ips, exists := store.GetRecords("host.autoco.internal.", RecordTypeA)
+	if !exists {
+		t.Error("Expected domain to exist before removal")
+	}
+	if len(ips) != 1 {
+		t.Errorf("Expected 1 IP before removal, got %d", len(ips))
+	}
+
+	// Remove wildcard record
+	store.RemoveRecord("*.autoco.internal", nil)
+
+	// Verify it's gone
+	ips, exists = store.GetRecords("host.autoco.internal.", RecordTypeA)
+	if exists {
+		t.Error("Expected domain to not exist after removal")
+	}
+	if len(ips) != 0 {
+		t.Errorf("Expected 0 IPs after removal, got %d", len(ips))
+	}
+}
+
+func TestDNSRecordStoreMultipleWildcards(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add multiple wildcard patterns that don't overlap
+	ip1 := net.ParseIP("10.0.0.1")
+	ip2 := net.ParseIP("10.0.0.2")
+	ip3 := net.ParseIP("10.0.0.3")
+
+	err := store.AddRecord("*.prod.autoco.internal", ip1, 0)
+	if err != nil {
+		t.Fatalf("Failed to add first wildcard: %v", err)
+	}
+
+	err = store.AddRecord("*.dev.autoco.internal", ip2, 0)
+	if err != nil {
+		t.Fatalf("Failed to add second wildcard: %v", err)
+	}
+
+	// Add a broader wildcard that matches both
+	err = store.AddRecord("*.autoco.internal", ip3, 0)
+	if err != nil {
+		t.Fatalf("Failed to add third wildcard: %v", err)
+	}
+
+	// Test domain matching only the prod pattern and the broad pattern
+	ips, _ := store.GetRecords("host.prod.autoco.internal.", RecordTypeA)
+	if len(ips) != 2 {
+		t.Errorf("Expected 2 IPs (prod + broad), got %d", len(ips))
+	}
+
+	// Test domain matching only the dev pattern and the broad pattern
+	ips, _ = store.GetRecords("service.dev.autoco.internal.", RecordTypeA)
+	if len(ips) != 2 {
+		t.Errorf("Expected 2 IPs (dev + broad), got %d", len(ips))
+	}
+
+	// Test domain matching only the broad pattern
+	ips, _ = store.GetRecords("host.test.autoco.internal.", RecordTypeA)
+	if len(ips) != 1 {
+		t.Errorf("Expected 1 IP (broad only), got %d", len(ips))
+	}
+}
+
+func TestDNSRecordStoreIPv6Wildcard(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add IPv6 wildcard record
+	ip := net.ParseIP("2001:db8::1")
+	err := store.AddRecord("*.autoco.internal", ip, 0)
+	if err != nil {
+		t.Fatalf("Failed to add IPv6 wildcard record: %v", err)
+	}
+
+	// Test wildcard match for IPv6
+	ips, _ := store.GetRecords("host.autoco.internal.", RecordTypeAAAA)
+	if len(ips) != 1 {
+		t.Errorf("Expected 1 IPv6 for wildcard match, got %d", len(ips))
+	}
+	if len(ips) > 0 && !ips[0].Equal(ip) {
+		t.Errorf("Expected IPv6 %v, got %v", ip, ips[0])
+	}
+}
+
+func TestHasRecordWildcard(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add wildcard record
+	ip := net.ParseIP("10.0.0.1")
+	err := store.AddRecord("*.autoco.internal", ip, 0)
+	if err != nil {
+		t.Fatalf("Failed to add wildcard record: %v", err)
+	}
+
+	// Test HasRecord with wildcard match
+	if !store.HasRecord("host.autoco.internal.", RecordTypeA) {
+		t.Error("Expected HasRecord to return true for wildcard match")
+	}
+
+	// Test HasRecord with non-match
+	if store.HasRecord("autoco.internal.", RecordTypeA) {
+		t.Error("Expected HasRecord to return false for base domain")
+	}
+}
+
+func TestDNSRecordStoreCaseInsensitive(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add record with mixed case
+	ip := net.ParseIP("10.0.0.1")
+	err := store.AddRecord("MyHost.AutoCo.Internal", ip, 0)
+	if err != nil {
+		t.Fatalf("Failed to add mixed case record: %v", err)
+	}
+
+	// Test lookup with different cases
+	testCases := []string{
+		"myhost.autoco.internal.",
+		"MYHOST.AUTOCO.INTERNAL.",
+		"MyHost.AutoCo.Internal.",
+		"mYhOsT.aUtOcO.iNtErNaL.",
+	}
+
+	for _, domain := range testCases {
+		ips, _ := store.GetRecords(domain, RecordTypeA)
+		if len(ips) != 1 {
+			t.Errorf("Expected 1 IP for domain %q, got %d", domain, len(ips))
+		}
+		if len(ips) > 0 && !ips[0].Equal(ip) {
+			t.Errorf("Expected IP %v for domain %q, got %v", ip, domain, ips[0])
+		}
+	}
+
+	// Test wildcard with mixed case
+	wildcardIP := net.ParseIP("10.0.0.2")
+	err = store.AddRecord("*.Example.Com", wildcardIP, 0)
+	if err != nil {
+		t.Fatalf("Failed to add mixed case wildcard: %v", err)
+	}
+
+	wildcardTestCases := []string{
+		"host.example.com.",
+		"HOST.EXAMPLE.COM.",
+		"Host.Example.Com.",
+		"HoSt.ExAmPlE.CoM.",
+	}
+
+	for _, domain := range wildcardTestCases {
+		ips, _ := store.GetRecords(domain, RecordTypeA)
+		if len(ips) != 1 {
+			t.Errorf("Expected 1 IP for wildcard domain %q, got %d", domain, len(ips))
+		}
+		if len(ips) > 0 && !ips[0].Equal(wildcardIP) {
+			t.Errorf("Expected IP %v for wildcard domain %q, got %v", wildcardIP, domain, ips[0])
+		}
+	}
+
+	// Test removal with different case
+	store.RemoveRecord("MYHOST.AUTOCO.INTERNAL", nil)
+	ips, _ := store.GetRecords("myhost.autoco.internal.", RecordTypeA)
+	if len(ips) != 0 {
+		t.Errorf("Expected 0 IPs after removal, got %d", len(ips))
+	}
+
+	// Test HasRecord with different case
+	if !store.HasRecord("HOST.EXAMPLE.COM.", RecordTypeA) {
+		t.Error("Expected HasRecord to return true for mixed case wildcard match")
+	}
+}
+
+func TestPTRRecordIPv4(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add PTR record for IPv4
+	ip := net.ParseIP("192.168.1.1")
+	domain := "host.example.com."
+	err := store.AddPTRRecord(ip, domain)
+	if err != nil {
+		t.Fatalf("Failed to add PTR record: %v", err)
+	}
+
+	// Test reverse DNS lookup
+	reverseDomain := "1.1.168.192.in-addr.arpa."
+	result, ok := store.GetPTRRecord(reverseDomain)
+	if !ok {
+		t.Error("Expected PTR record to be found")
+	}
+	if result != domain {
+		t.Errorf("Expected domain %q, got %q", domain, result)
+	}
+
+	// Test HasPTRRecord
+	if !store.HasPTRRecord(reverseDomain) {
+		t.Error("Expected HasPTRRecord to return true")
+	}
+
+	// Test non-existent PTR record
+	_, ok = store.GetPTRRecord("2.1.168.192.in-addr.arpa.")
+	if ok {
+		t.Error("Expected PTR record not to be found for different IP")
+	}
+}
+
+func TestPTRRecordIPv6(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add PTR record for IPv6
+	ip := net.ParseIP("2001:db8::1")
+	domain := "ipv6host.example.com."
+	err := store.AddPTRRecord(ip, domain)
+	if err != nil {
+		t.Fatalf("Failed to add PTR record: %v", err)
+	}
+
+	// Test reverse DNS lookup
+	// 2001:db8::1 = 2001:0db8:0000:0000:0000:0000:0000:0001
+	// Reverse: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
+	reverseDomain := "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa."
+	result, ok := store.GetPTRRecord(reverseDomain)
+	if !ok {
+		t.Error("Expected IPv6 PTR record to be found")
+	}
+	if result != domain {
+		t.Errorf("Expected domain %q, got %q", domain, result)
+	}
+
+	// Test HasPTRRecord
+	if !store.HasPTRRecord(reverseDomain) {
+		t.Error("Expected HasPTRRecord to return true for IPv6")
+	}
+}
+
+func TestRemovePTRRecord(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add PTR record
+	ip := net.ParseIP("10.0.0.1")
+	domain := "test.example.com."
+	err := store.AddPTRRecord(ip, domain)
+	if err != nil {
+		t.Fatalf("Failed to add PTR record: %v", err)
+	}
+
+	// Verify it exists
+	reverseDomain := "1.0.0.10.in-addr.arpa."
+	_, ok := store.GetPTRRecord(reverseDomain)
+	if !ok {
+		t.Error("Expected PTR record to exist before removal")
+	}
+
+	// Remove PTR record
+	store.RemovePTRRecord(ip)
+
+	// Verify it's gone
+	_, ok = store.GetPTRRecord(reverseDomain)
+	if ok {
+		t.Error("Expected PTR record to be removed")
+	}
+
+	// Test HasPTRRecord after removal
+	if store.HasPTRRecord(reverseDomain) {
+		t.Error("Expected HasPTRRecord to return false after removal")
+	}
+}
+
+func TestIPToReverseDNS(t *testing.T) {
+	tests := []struct {
+		name     string
+		ip       string
+		expected string
+	}{
+		{
+			name:     "IPv4 simple",
+			ip:       "192.168.1.1",
+			expected: "1.1.168.192.in-addr.arpa.",
+		},
+		{
+			name:     "IPv4 localhost",
+			ip:       "127.0.0.1",
+			expected: "1.0.0.127.in-addr.arpa.",
+		},
+		{
+			name:     "IPv4 with zeros",
+			ip:       "10.0.0.1",
+			expected: "1.0.0.10.in-addr.arpa.",
+		},
+		{
+			name:     "IPv6 simple",
+			ip:       "2001:db8::1",
+			expected: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.",
+		},
+		{
+			name:     "IPv6 localhost",
+			ip:       "::1",
+			expected: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ip := net.ParseIP(tt.ip)
+			if ip == nil {
+				t.Fatalf("Failed to parse IP: %s", tt.ip)
+			}
+			result := IPToReverseDNS(ip)
+			if result != tt.expected {
+				t.Errorf("IPToReverseDNS(%s) = %q, want %q", tt.ip, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestReverseDNSToIP(t *testing.T) {
+	tests := []struct {
+		name        string
+		reverseDNS  string
+		expectedIP  string
+		shouldMatch bool
+	}{
+		{
+			name:        "IPv4 simple",
+			reverseDNS:  "1.1.168.192.in-addr.arpa.",
+			expectedIP:  "192.168.1.1",
+			shouldMatch: true,
+		},
+		{
+			name:        "IPv4 localhost",
+			reverseDNS:  "1.0.0.127.in-addr.arpa.",
+			expectedIP:  "127.0.0.1",
+			shouldMatch: true,
+		},
+		{
+			name:        "IPv6 simple",
+			reverseDNS:  "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.",
+			expectedIP:  "2001:db8::1",
+			shouldMatch: true,
+		},
+		{
+			name:        "Invalid IPv4 format",
+			reverseDNS:  "1.1.168.in-addr.arpa.",
+			expectedIP:  "",
+			shouldMatch: false,
+		},
+		{
+			name:        "Invalid IPv6 format",
+			reverseDNS:  "1.0.0.0.ip6.arpa.",
+			expectedIP:  "",
+			shouldMatch: false,
+		},
+		{
+			name:        "Not a reverse DNS domain",
+			reverseDNS:  "example.com.",
+			expectedIP:  "",
+			shouldMatch: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := reverseDNSToIP(tt.reverseDNS)
+			if tt.shouldMatch {
+				if result == nil {
+					t.Errorf("reverseDNSToIP(%q) returned nil, expected IP", tt.reverseDNS)
+					return
+				}
+				expectedIP := net.ParseIP(tt.expectedIP)
+				if !result.Equal(expectedIP) {
+					t.Errorf("reverseDNSToIP(%q) = %v, want %v", tt.reverseDNS, result, expectedIP)
+				}
+			} else {
+				if result != nil {
+					t.Errorf("reverseDNSToIP(%q) = %v, expected nil", tt.reverseDNS, result)
+				}
+			}
+		})
+	}
+}
+
+func TestPTRRecordCaseInsensitive(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add PTR record with mixed case domain
+	ip := net.ParseIP("192.168.1.1")
+	domain := "MyHost.Example.Com"
+	err := store.AddPTRRecord(ip, domain)
+	if err != nil {
+		t.Fatalf("Failed to add PTR record: %v", err)
+	}
+
+	// Test lookup with different cases in reverse DNS format
+	reverseDomain := "1.1.168.192.in-addr.arpa."
+	result, ok := store.GetPTRRecord(reverseDomain)
+	if !ok {
+		t.Error("Expected PTR record to be found")
+	}
+	// Domain should be normalized to lowercase
+	if result != "myhost.example.com." {
+		t.Errorf("Expected normalized domain %q, got %q", "myhost.example.com.", result)
+	}
+
+	// Test with uppercase reverse DNS
+	reverseDomainUpper := "1.1.168.192.IN-ADDR.ARPA."
+	result, ok = store.GetPTRRecord(reverseDomainUpper)
+	if !ok {
+		t.Error("Expected PTR record to be found with uppercase reverse DNS")
+	}
+	if result != "myhost.example.com." {
+		t.Errorf("Expected normalized domain %q, got %q", "myhost.example.com.", result)
+	}
+}
+
+func TestClearPTRRecords(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add some PTR records
+	ip1 := net.ParseIP("192.168.1.1")
+	ip2 := net.ParseIP("192.168.1.2")
+	store.AddPTRRecord(ip1, "host1.example.com.")
+	store.AddPTRRecord(ip2, "host2.example.com.")
+
+	// Add some A records too
+	store.AddRecord("test.example.com.", net.ParseIP("10.0.0.1"), 0)
+
+	// Verify PTR records exist
+	if !store.HasPTRRecord("1.1.168.192.in-addr.arpa.") {
+		t.Error("Expected PTR record to exist before clear")
+	}
+
+	// Clear all records
+	store.Clear()
+
+	// Verify PTR records are gone
+	if store.HasPTRRecord("1.1.168.192.in-addr.arpa.") {
+		t.Error("Expected PTR record to be cleared")
+	}
+	if store.HasPTRRecord("2.1.168.192.in-addr.arpa.") {
+		t.Error("Expected PTR record to be cleared")
+	}
+
+	// Verify A records are also gone
+	if store.HasRecord("test.example.com.", RecordTypeA) {
+		t.Error("Expected A record to be cleared")
+	}
+}
+
+func TestAutomaticPTRRecordOnAdd(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add an A record - should automatically add PTR record
+	domain := "host.example.com."
+	ip := net.ParseIP("192.168.1.100")
+	err := store.AddRecord(domain, ip, 0)
+	if err != nil {
+		t.Fatalf("Failed to add A record: %v", err)
+	}
+
+	// Verify PTR record was automatically created
+	reverseDomain := "100.1.168.192.in-addr.arpa."
+	result, ok := store.GetPTRRecord(reverseDomain)
+	if !ok {
+		t.Error("Expected PTR record to be automatically created")
+	}
+	if result != domain {
+		t.Errorf("Expected PTR to point to %q, got %q", domain, result)
+	}
+
+	// Add AAAA record - should also automatically add PTR record
+	domain6 := "ipv6host.example.com."
+	ip6 := net.ParseIP("2001:db8::1")
+	err = store.AddRecord(domain6, ip6, 0)
+	if err != nil {
+		t.Fatalf("Failed to add AAAA record: %v", err)
+	}
+
+	// Verify IPv6 PTR record was automatically created
+	reverseDomain6 := "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa."
+	result6, ok := store.GetPTRRecord(reverseDomain6)
+	if !ok {
+		t.Error("Expected IPv6 PTR record to be automatically created")
+	}
+	if result6 != domain6 {
+		t.Errorf("Expected PTR to point to %q, got %q", domain6, result6)
+	}
+}
+
+func TestAutomaticPTRRecordOnRemove(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add an A record (with automatic PTR)
+	domain := "host.example.com."
+	ip := net.ParseIP("192.168.1.100")
+	store.AddRecord(domain, ip, 0)
+
+	// Verify PTR exists
+	reverseDomain := "100.1.168.192.in-addr.arpa."
+	if !store.HasPTRRecord(reverseDomain) {
+		t.Error("Expected PTR record to exist after adding A record")
+	}
+
+	// Remove the A record
+	store.RemoveRecord(domain, ip)
+
+	// Verify PTR was automatically removed
+	if store.HasPTRRecord(reverseDomain) {
+		t.Error("Expected PTR record to be automatically removed")
+	}
+
+	// Verify A record is also gone
+	ips, _ := store.GetRecords(domain, RecordTypeA)
+	if len(ips) != 0 {
+		t.Errorf("Expected A record to be removed, got %d records", len(ips))
+	}
+}
+
+func TestAutomaticPTRRecordOnRemoveAll(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add multiple IPs for the same domain
+	domain := "host.example.com."
+	ip1 := net.ParseIP("192.168.1.100")
+	ip2 := net.ParseIP("192.168.1.101")
+	store.AddRecord(domain, ip1, 0)
+	store.AddRecord(domain, ip2, 0)
+
+	// Verify both PTR records exist
+	reverseDomain1 := "100.1.168.192.in-addr.arpa."
+	reverseDomain2 := "101.1.168.192.in-addr.arpa."
+	if !store.HasPTRRecord(reverseDomain1) {
+		t.Error("Expected first PTR record to exist")
+	}
+	if !store.HasPTRRecord(reverseDomain2) {
+		t.Error("Expected second PTR record to exist")
+	}
+
+	// Remove all records for the domain
+	store.RemoveRecord(domain, nil)
+
+	// Verify both PTR records were removed
+	if store.HasPTRRecord(reverseDomain1) {
+		t.Error("Expected first PTR record to be removed")
+	}
+	if store.HasPTRRecord(reverseDomain2) {
+		t.Error("Expected second PTR record to be removed")
+	}
+}
+
+func TestNoPTRForWildcardRecords(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add wildcard record - should NOT create PTR record
+	domain := "*.example.com."
+	ip := net.ParseIP("192.168.1.100")
+	err := store.AddRecord(domain, ip, 0)
+	if err != nil {
+		t.Fatalf("Failed to add wildcard record: %v", err)
+	}
+
+	// Verify no PTR record was created
+	reverseDomain := "100.1.168.192.in-addr.arpa."
+	_, ok := store.GetPTRRecord(reverseDomain)
+	if ok {
+		t.Error("Expected no PTR record for wildcard domain")
+	}
+
+	// Verify wildcard A record exists
+	if !store.HasRecord("host.example.com.", RecordTypeA) {
+		t.Error("Expected wildcard A record to exist")
+	}
+}
+
+func TestPTRRecordOverwrite(t *testing.T) {
+	store := NewDNSRecordStore()
+
+	// Add first domain with IP
+	domain1 := "host1.example.com."
+	ip := net.ParseIP("192.168.1.100")
+	store.AddRecord(domain1, ip, 0)
+
+	// Verify PTR points to first domain
+	reverseDomain := "100.1.168.192.in-addr.arpa."
+	result, ok := store.GetPTRRecord(reverseDomain)
+	if !ok {
+		t.Fatal("Expected PTR record to exist")
+	}
+	if result != domain1 {
+		t.Errorf("Expected PTR to point to %q, got %q", domain1, result)
+	}
+
+	// Add second domain with same IP - should overwrite PTR
+	domain2 := "host2.example.com."
+	store.AddRecord(domain2, ip, 0)
+
+	// Verify PTR now points to second domain (last one added)
+	result, ok = store.GetPTRRecord(reverseDomain)
+	if !ok {
+		t.Fatal("Expected PTR record to still exist")
+	}
+	if result != domain2 {
+		t.Errorf("Expected PTR to point to %q (overwritten), got %q", domain2, result)
+	}
+
+	// Remove first domain - PTR should remain pointing to second domain
+	store.RemoveRecord(domain1, ip)
+	result, ok = store.GetPTRRecord(reverseDomain)
+	if !ok {
+		t.Error("Expected PTR record to still exist after removing first domain")
+	}
+	if result != domain2 {
+		t.Errorf("Expected PTR to still point to %q, got %q", domain2, result)
+	}
+
+	// Remove second domain - PTR should now be gone
+	store.RemoveRecord(domain2, ip)
+	_, ok = store.GetPTRRecord(reverseDomain)
+	if ok {
+		t.Error("Expected PTR record to be removed after removing second domain")
+	}
+}

dns/override/dns_override_android.go

@@ -0,0 +1,22 @@
+//go:build android
+
+package olm
+
+import "net/netip"
+
+// SetupDNSOverride is a no-op on Android
+// Android handles DNS through the VpnService API at the Java/Kotlin layer
+func SetupDNSOverride(interfaceName string, proxyIp netip.Addr) error {
+	return nil
+}
+
+// RestoreDNSOverride is a no-op on Android
+func RestoreDNSOverride() error {
+	return nil
+}
+
+// CleanupStaleState is a no-op on Android as DNS configuration is handled by the VpnService API
+func CleanupStaleState(interfaceName string) error {
+	_ = interfaceName
+	return nil
+}

dns/override/dns_override_darwin.go

@@ -0,0 +1,80 @@
+//go:build darwin && !ios
+
+package olm
+
+import (
+	"fmt"
+	"net/netip"
+
+	"github.com/fosrl/newt/logger"
+	platform "github.com/fosrl/olm/dns/platform"
+)
+
+var configurator platform.DNSConfigurator
+
+// SetupDNSOverride configures the system DNS to use the DNS proxy on macOS
+// Uses scutil for DNS configuration
+func SetupDNSOverride(interfaceName string, proxyIp netip.Addr) error {
+	var err error
+	configurator, err = platform.NewDarwinDNSConfigurator()
+	if err != nil {
+		return fmt.Errorf("failed to create Darwin DNS configurator: %w", err)
+	}
+
+	logger.Info("Using Darwin scutil DNS configurator")
+
+	// Get current DNS servers before changing
+	currentDNS, err := configurator.GetCurrentDNS()
+	if err != nil {
+		logger.Warn("Could not get current DNS: %v", err)
+	} else {
+		logger.Info("Current DNS servers: %v", currentDNS)
+	}
+
+	// Set new DNS servers to point to our proxy
+	newDNS := []netip.Addr{
+		proxyIp,
+	}
+
+	logger.Info("Setting DNS servers to: %v", newDNS)
+	originalDNS, err := configurator.SetDNS(newDNS)
+	if err != nil {
+		return fmt.Errorf("failed to set DNS: %w", err)
+	}
+
+	logger.Info("Original DNS servers backed up: %v", originalDNS)
+	return nil
+}
+
+// RestoreDNSOverride restores the original DNS configuration
+func RestoreDNSOverride() error {
+	if configurator == nil {
+		logger.Debug("No DNS configurator to restore")
+		return nil
+	}
+
+	logger.Info("Restoring original DNS configuration")
+	if err := configurator.RestoreDNS(); err != nil {
+		return fmt.Errorf("failed to restore DNS: %w", err)
+	}
+
+	logger.Info("DNS configuration restored successfully")
+	return nil
+}
+
+// CleanupStaleState removes any stale DNS configuration left over from a previous
+// unclean shutdown (e.g., system crash, power loss while tunnel was active).
+// This function should be called early during startup, before any network operations,
+// to ensure DNS is working properly.
+//
+// On macOS, this cleans up any scutil DNS keys that were created but not removed.
+func CleanupStaleState(interfaceName string) error {
+	_ = interfaceName
+	if err := platform.CleanupStaleDarwinDNS(); err != nil {
+		logger.Warn("Failed to cleanup stale Darwin DNS config: %v", err)
+		return fmt.Errorf("Darwin DNS cleanup: %w", err)
+	}
+
+	logger.Info("Stale DNS state cleanup completed successfully")
+	return nil
+}

dns/override/dns_override_ios.go

@@ -0,0 +1,21 @@
+//go:build ios
+
+package olm
+
+import "net/netip"
+
+// SetupDNSOverride is a no-op on iOS as DNS configuration is handled by the system
+func SetupDNSOverride(interfaceName string, proxyIp netip.Addr) error {
+	return nil
+}
+
+// RestoreDNSOverride is a no-op on iOS as DNS configuration is handled by the system
+func RestoreDNSOverride() error {
+	return nil
+}
+
+// CleanupStaleState is a no-op on iOS as DNS configuration is handled by the system
+func CleanupStaleState(interfaceName string) error {
+	_ = interfaceName
+	return nil
+}

dns/override/dns_override_unix.go

@@ -0,0 +1,146 @@
+//go:build (linux && !android) || freebsd
+
+package olm
+
+import (
+	"fmt"
+	"net/netip"
+
+	"github.com/fosrl/newt/logger"
+	platform "github.com/fosrl/olm/dns/platform"
+)
+
+var configurator platform.DNSConfigurator
+
+// SetupDNSOverride configures the system DNS to use the DNS proxy on Linux/FreeBSD
+// Detects the DNS manager by reading /etc/resolv.conf and verifying runtime availability
+func SetupDNSOverride(interfaceName string, proxyIp netip.Addr) error {
+	var err error
+
+	// Detect which DNS manager is in use by checking /etc/resolv.conf and runtime availability
+	managerType := platform.DetectDNSManager(interfaceName)
+	logger.Info("Detected DNS manager: %s", managerType.String())
+
+	// Create configurator based on detected manager
+	switch managerType {
+	case platform.SystemdResolvedManager:
+		configurator, err = platform.NewSystemdResolvedDNSConfigurator(interfaceName)
+		if err == nil {
+			logger.Info("Using systemd-resolved DNS configurator")
+			return setDNS(proxyIp, configurator)
+		}
+		logger.Warn("Failed to create systemd-resolved configurator: %v, falling back", err)
+
+	case platform.NetworkManagerManager:
+		configurator, err = platform.NewNetworkManagerDNSConfigurator(interfaceName)
+		if err == nil {
+			logger.Info("Using NetworkManager DNS configurator")
+			return setDNS(proxyIp, configurator)
+		}
+		logger.Warn("Failed to create NetworkManager configurator: %v, falling back", err)
+
+	case platform.ResolvconfManager:
+		configurator, err = platform.NewResolvconfDNSConfigurator(interfaceName)
+		if err == nil {
+			logger.Info("Using resolvconf DNS configurator")
+			return setDNS(proxyIp, configurator)
+		}
+		logger.Warn("Failed to create resolvconf configurator: %v, falling back", err)
+	}
+
+	// Fall back to direct file manipulation
+	configurator, err = platform.NewFileDNSConfigurator()
+	if err != nil {
+		return fmt.Errorf("failed to create file DNS configurator: %w", err)
+	}
+
+	logger.Info("Using file-based DNS configurator")
+	return setDNS(proxyIp, configurator)
+}
+
+// setDNS is a helper function to set DNS and log the results
+func setDNS(proxyIp netip.Addr, conf platform.DNSConfigurator) error {
+	// Get current DNS servers before changing
+	currentDNS, err := conf.GetCurrentDNS()
+	if err != nil {
+		logger.Warn("Could not get current DNS: %v", err)
+	} else {
+		logger.Info("Current DNS servers: %v", currentDNS)
+	}
+
+	// Set new DNS servers to point to our proxy
+	newDNS := []netip.Addr{
+		proxyIp,
+	}
+
+	logger.Info("Setting DNS servers to: %v", newDNS)
+	originalDNS, err := conf.SetDNS(newDNS)
+	if err != nil {
+		return fmt.Errorf("failed to set DNS: %w", err)
+	}
+
+	logger.Info("Original DNS servers backed up: %v", originalDNS)
+	return nil
+}
+
+// RestoreDNSOverride restores the original DNS configuration
+func RestoreDNSOverride() error {
+	if configurator == nil {
+		logger.Debug("No DNS configurator to restore")
+		return nil
+	}
+
+	logger.Info("Restoring original DNS configuration")
+	if err := configurator.RestoreDNS(); err != nil {
+		return fmt.Errorf("failed to restore DNS: %w", err)
+	}
+
+	logger.Info("DNS configuration restored successfully")
+	return nil
+}
+
+// CleanupStaleState removes any stale DNS configuration left over from a previous
+// unclean shutdown (e.g., system crash, power loss while tunnel was active).
+// This function should be called early during startup, before any network operations,
+// to ensure DNS is working properly.
+//
+// It checks and cleans up stale state from all supported DNS managers:
+// - NetworkManager: removes /etc/NetworkManager/conf.d/olm-dns.conf
+// - resolvconf: removes entry for the provided interface
+// - File-based: restores /etc/resolv.conf from backup if it exists
+//
+// This is safe to call even if no stale state exists.
+func CleanupStaleState(interfaceName string) error {
+	var errs []error
+
+	// Clean up NetworkManager stale config
+	if err := platform.CleanupStaleNetworkManagerDNS(); err != nil {
+		logger.Warn("Failed to cleanup stale NetworkManager DNS config: %v", err)
+		errs = append(errs, fmt.Errorf("NetworkManager cleanup: %w", err))
+	} else {
+		logger.Debug("NetworkManager DNS cleanup completed")
+	}
+
+	// Clean up resolvconf stale entries for the provided interface
+	if err := platform.CleanupStaleResolvconfDNS(interfaceName); err != nil {
+		logger.Warn("Failed to cleanup stale resolvconf DNS config: %v", err)
+		errs = append(errs, fmt.Errorf("resolvconf cleanup: %w", err))
+	} else {
+		logger.Debug("resolvconf DNS cleanup completed")
+	}
+
+	// Clean up file-based stale backup
+	if err := platform.CleanupStaleFileDNS(); err != nil {
+		logger.Warn("Failed to cleanup stale file-based DNS config: %v", err)
+		errs = append(errs, fmt.Errorf("file DNS cleanup: %w", err))
+	} else {
+		logger.Debug("File-based DNS cleanup completed")
+	}
+
+	if len(errs) > 0 {
+		return fmt.Errorf("some DNS cleanup operations failed: %v", errs)
+	}
+
+	logger.Info("Stale DNS state cleanup completed successfully")
+	return nil
+}

dns/override/dns_override_windows.go

@@ -0,0 +1,79 @@
+//go:build windows
+
+package olm
+
+import (
+	"fmt"
+	"net/netip"
+
+	"github.com/fosrl/newt/logger"
+	platform "github.com/fosrl/olm/dns/platform"
+)
+
+var configurator platform.DNSConfigurator
+
+// SetupDNSOverride configures the system DNS to use the DNS proxy on Windows
+// Uses registry-based configuration (automatically extracts interface GUID)
+func SetupDNSOverride(interfaceName string, proxyIp netip.Addr) error {
+	var err error
+	configurator, err = platform.NewWindowsDNSConfigurator(interfaceName)
+	if err != nil {
+		return fmt.Errorf("failed to create Windows DNS configurator: %w", err)
+	}
+
+	logger.Info("Using Windows registry DNS configurator for interface: %s", interfaceName)
+
+	// Get current DNS servers before changing
+	currentDNS, err := configurator.GetCurrentDNS()
+	if err != nil {
+		logger.Warn("Could not get current DNS: %v", err)
+	} else {
+		logger.Info("Current DNS servers: %v", currentDNS)
+	}
+
+	// Set new DNS servers to point to our proxy
+	newDNS := []netip.Addr{
+		proxyIp,
+	}
+
+	logger.Info("Setting DNS servers to: %v", newDNS)
+	originalDNS, err := configurator.SetDNS(newDNS)
+	if err != nil {
+		return fmt.Errorf("failed to set DNS: %w", err)
+	}
+
+	logger.Info("Original DNS servers backed up: %v", originalDNS)
+	return nil
+}
+
+// RestoreDNSOverride restores the original DNS configuration
+func RestoreDNSOverride() error {
+	if configurator == nil {
+		logger.Debug("No DNS configurator to restore")
+		return nil
+	}
+
+	logger.Info("Restoring original DNS configuration")
+	if err := configurator.RestoreDNS(); err != nil {
+		return fmt.Errorf("failed to restore DNS: %w", err)
+	}
+
+	logger.Info("DNS configuration restored successfully")
+	return nil
+}
+
+// CleanupStaleState removes any stale DNS configuration left over from a previous
+// unclean shutdown (e.g., system crash, power loss while tunnel was active).
+// This function should be called early during startup, before any network operations,
+// to ensure DNS is working properly.
+//
+// On Windows, DNS configuration is tied to the interface GUID. When the WireGuard
+// interface is recreated, it gets a new GUID, so there's no stale state to clean up.
+func CleanupStaleState(interfaceName string) error {
+	// Windows DNS configuration via registry is interface-specific.
+	// When the WireGuard interface is recreated, it gets a new GUID,
+	// so there's no leftover state to clean up from previous sessions.
+	_ = interfaceName
+	logger.Debug("Windows DNS cleanup: no stale state to clean (interface-specific)")
+	return nil
+}

dns/platform/darwin.go

@@ -0,0 +1,475 @@
+//go:build darwin && !ios
+
+package dns
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/netip"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"strings"
+
+	"github.com/fosrl/newt/logger"
+)
+
+const (
+	scutilPath      = "/usr/sbin/scutil"
+	dscacheutilPath = "/usr/bin/dscacheutil"
+
+	dnsStateKeyFormat    = "State:/Network/Service/Olm-%s/DNS"
+	globalIPv4State      = "State:/Network/Global/IPv4"
+	primaryServiceFormat = "State:/Network/Service/%s/DNS"
+
+	keySupplementalMatchDomains         = "SupplementalMatchDomains"
+	keySupplementalMatchDomainsNoSearch = "SupplementalMatchDomainsNoSearch"
+	keyServerAddresses                  = "ServerAddresses"
+	keyServerPort                       = "ServerPort"
+	arraySymbol                         = "* "
+	digitSymbol                         = "# "
+
+	// State file name for crash recovery
+	dnsStateFileName = "dns_state.json"
+)
+
+// DNSPersistentState represents the state saved to disk for crash recovery
+type DNSPersistentState struct {
+	CreatedKeys []string `json:"created_keys"`
+}
+
+// DarwinDNSConfigurator manages DNS settings on macOS using scutil
+type DarwinDNSConfigurator struct {
+	createdKeys   map[string]struct{}
+	originalState *DNSState
+	stateFilePath string
+}
+
+// NewDarwinDNSConfigurator creates a new macOS DNS configurator
+func NewDarwinDNSConfigurator() (*DarwinDNSConfigurator, error) {
+	stateFilePath := getDNSStateFilePath()
+
+	configurator := &DarwinDNSConfigurator{
+		createdKeys:   make(map[string]struct{}),
+		stateFilePath: stateFilePath,
+	}
+
+	// Clean up any leftover state from a previous crash
+	if err := configurator.CleanupUncleanShutdown(); err != nil {
+		logger.Warn("Failed to cleanup previous DNS state: %v", err)
+	}
+
+	return configurator, nil
+}
+
+// Name returns the configurator name
+func (d *DarwinDNSConfigurator) Name() string {
+	return "darwin-scutil"
+}
+
+// SetDNS sets the DNS servers and returns the original servers
+func (d *DarwinDNSConfigurator) SetDNS(servers []netip.Addr) ([]netip.Addr, error) {
+	// Get current DNS settings before overriding
+	originalServers, err := d.GetCurrentDNS()
+	if err != nil {
+		return nil, fmt.Errorf("get current DNS: %w", err)
+	}
+
+	// Store original state
+	d.originalState = &DNSState{
+		OriginalServers:  originalServers,
+		ConfiguratorName: d.Name(),
+	}
+
+	// Set new DNS servers
+	if err := d.applyDNSServers(servers); err != nil {
+		return nil, fmt.Errorf("apply DNS servers: %w", err)
+	}
+
+	// Persist state to disk for crash recovery
+	if err := d.saveState(); err != nil {
+		logger.Warn("Failed to save DNS state for crash recovery: %v", err)
+	}
+
+	// Flush DNS cache
+	if err := d.flushDNSCache(); err != nil {
+		// Non-fatal, just log
+		fmt.Printf("warning: failed to flush DNS cache: %v\n", err)
+	}
+
+	return originalServers, nil
+}
+
+// RestoreDNS restores the original DNS configuration
+func (d *DarwinDNSConfigurator) RestoreDNS() error {
+	// Remove all created keys
+	for key := range d.createdKeys {
+		if err := d.removeKey(key); err != nil {
+			return fmt.Errorf("remove key %s: %w", key, err)
+		}
+	}
+
+	// Clear state file after successful restoration
+	if err := d.clearState(); err != nil {
+		logger.Warn("Failed to clear DNS state file: %v", err)
+	}
+
+	// Flush DNS cache
+	if err := d.flushDNSCache(); err != nil {
+		fmt.Printf("warning: failed to flush DNS cache: %v\n", err)
+	}
+
+	return nil
+}
+
+// GetCurrentDNS returns the currently configured DNS servers
+func (d *DarwinDNSConfigurator) GetCurrentDNS() ([]netip.Addr, error) {
+	primaryServiceKey, err := d.getPrimaryServiceKey()
+	if err != nil || primaryServiceKey == "" {
+		return nil, fmt.Errorf("get primary service: %w", err)
+	}
+
+	dnsKey := fmt.Sprintf(primaryServiceFormat, primaryServiceKey)
+	cmd := fmt.Sprintf("show %s\n", dnsKey)
+
+	output, err := d.runScutil(cmd)
+	if err != nil {
+		return nil, fmt.Errorf("run scutil: %w", err)
+	}
+
+	servers := d.parseServerAddresses(output)
+	return servers, nil
+}
+
+// CleanupUncleanShutdown removes any DNS keys left over from a previous crash
+func (d *DarwinDNSConfigurator) CleanupUncleanShutdown() error {
+	state, err := d.loadState()
+	if err != nil {
+		if os.IsNotExist(err) {
+			// No state file, nothing to clean up
+			return nil
+		}
+		return fmt.Errorf("load state: %w", err)
+	}
+
+	if len(state.CreatedKeys) == 0 {
+		// No keys to clean up
+		return nil
+	}
+
+	logger.Info("Found DNS state from previous session, cleaning up %d keys", len(state.CreatedKeys))
+
+	// Remove all keys from previous session
+	var lastErr error
+	for _, key := range state.CreatedKeys {
+		logger.Debug("Removing leftover DNS key: %s", key)
+		if err := d.removeKeyDirect(key); err != nil {
+			logger.Warn("Failed to remove DNS key %s: %v", key, err)
+			lastErr = err
+		}
+	}
+
+	// Clear state file
+	if err := d.clearState(); err != nil {
+		logger.Warn("Failed to clear DNS state file: %v", err)
+	}
+
+	// Flush DNS cache after cleanup
+	if err := d.flushDNSCache(); err != nil {
+		logger.Warn("Failed to flush DNS cache after cleanup: %v", err)
+	}
+
+	return lastErr
+}
+
+// applyDNSServers applies the DNS server configuration
+func (d *DarwinDNSConfigurator) applyDNSServers(servers []netip.Addr) error {
+	if len(servers) == 0 {
+		return fmt.Errorf("no DNS servers provided")
+	}
+
+	key := fmt.Sprintf(dnsStateKeyFormat, "Override")
+
+	// Use SupplementalMatchDomains with empty string to match ALL domains
+	// This is the key to making DNS override work on macOS
+	// Setting SupplementalMatchDomainsNoSearch to 0 enables search domain behavior
+	err := d.addDNSState(key, "\"\"", servers[0], 53, true)
+	if err != nil {
+		return fmt.Errorf("set DNS servers: %w", err)
+	}
+
+	d.createdKeys[key] = struct{}{}
+	return nil
+}
+
+// addDNSState adds a DNS state entry with the specified configuration
+func (d *DarwinDNSConfigurator) addDNSState(state, domains string, dnsServer netip.Addr, port int, enableSearch bool) error {
+	noSearch := "1"
+	if enableSearch {
+		noSearch = "0"
+	}
+
+	// Build the scutil command following NetBird's approach
+	var commands strings.Builder
+	commands.WriteString("d.init\n")
+	commands.WriteString(fmt.Sprintf("d.add %s %s%s\n", keySupplementalMatchDomains, arraySymbol, domains))
+	commands.WriteString(fmt.Sprintf("d.add %s %s%s\n", keySupplementalMatchDomainsNoSearch, digitSymbol, noSearch))
+	commands.WriteString(fmt.Sprintf("d.add %s %s%s\n", keyServerAddresses, arraySymbol, dnsServer.String()))
+	commands.WriteString(fmt.Sprintf("d.add %s %s%s\n", keyServerPort, digitSymbol, strconv.Itoa(port)))
+	commands.WriteString(fmt.Sprintf("set %s\n", state))
+
+	if _, err := d.runScutil(commands.String()); err != nil {
+		return fmt.Errorf("applying state for domains %s, error: %w", domains, err)
+	}
+
+	logger.Info("Added DNS override with server %s:%d for domains: %s", dnsServer.String(), port, domains)
+	return nil
+}
+
+// removeKey removes a DNS configuration key and updates internal state
+func (d *DarwinDNSConfigurator) removeKey(key string) error {
+	if err := d.removeKeyDirect(key); err != nil {
+		return err
+	}
+
+	delete(d.createdKeys, key)
+	return nil
+}
+
+// removeKeyDirect removes a DNS configuration key without updating internal state
+// Used for cleanup operations
+func (d *DarwinDNSConfigurator) removeKeyDirect(key string) error {
+	cmd := fmt.Sprintf("remove %s\n", key)
+
+	if _, err := d.runScutil(cmd); err != nil {
+		return fmt.Errorf("remove key: %w", err)
+	}
+
+	return nil
+}
+
+// getPrimaryServiceKey gets the primary network service key
+func (d *DarwinDNSConfigurator) getPrimaryServiceKey() (string, error) {
+	cmd := fmt.Sprintf("show %s\n", globalIPv4State)
+
+	output, err := d.runScutil(cmd)
+	if err != nil {
+		return "", fmt.Errorf("run scutil: %w", err)
+	}
+
+	scanner := bufio.NewScanner(bytes.NewReader(output))
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.Contains(line, "PrimaryService") {
+			parts := strings.Split(line, ":")
+			if len(parts) >= 2 {
+				return strings.TrimSpace(parts[1]), nil
+			}
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return "", fmt.Errorf("scan output: %w", err)
+	}
+
+	return "", fmt.Errorf("primary service not found")
+}
+
+// parseServerAddresses parses DNS server addresses from scutil output
+func (d *DarwinDNSConfigurator) parseServerAddresses(output []byte) []netip.Addr {
+	var servers []netip.Addr
+	inServerArray := false
+
+	scanner := bufio.NewScanner(bytes.NewReader(output))
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+
+		if strings.HasPrefix(line, "ServerAddresses : <array> {") {
+			inServerArray = true
+			continue
+		}
+
+		if line == "}" {
+			inServerArray = false
+			continue
+		}
+
+		if inServerArray {
+			// Line format: "0 : 8.8.8.8"
+			parts := strings.Split(line, " : ")
+			if len(parts) >= 2 {
+				if addr, err := netip.ParseAddr(parts[1]); err == nil {
+					servers = append(servers, addr)
+				}
+			}
+		}
+	}
+
+	return servers
+}
+
+// flushDNSCache flushes the system DNS cache
+func (d *DarwinDNSConfigurator) flushDNSCache() error {
+	logger.Debug("Flushing dscacheutil cache")
+	cmd := exec.Command(dscacheutilPath, "-flushcache")
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("flush cache: %w", err)
+	}
+
+	logger.Debug("Flushing mDNSResponder cache")
+
+	cmd = exec.Command("killall", "-HUP", "mDNSResponder")
+	if err := cmd.Run(); err != nil {
+		// Non-fatal, mDNSResponder might not be running
+		return nil
+	}
+
+	return nil
+}
+
+// runScutil executes an scutil command
+func (d *DarwinDNSConfigurator) runScutil(commands string) ([]byte, error) {
+	// Wrap commands with open/quit
+	wrapped := fmt.Sprintf("open\n%squit\n", commands)
+
+	logger.Debug("Running scutil with commands:\n%s\n", wrapped)
+
+	cmd := exec.Command(scutilPath)
+	cmd.Stdin = strings.NewReader(wrapped)
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return nil, fmt.Errorf("scutil command failed: %w, output: %s", err, output)
+	}
+
+	logger.Debug("scutil output:\n%s\n", output)
+
+	return output, nil
+}
+
+// getDNSStateFilePath returns the path to the DNS state file
+func getDNSStateFilePath() string {
+	var stateDir string
+	switch runtime.GOOS {
+	case "darwin":
+		stateDir = filepath.Join(os.Getenv("HOME"), "Library", "Application Support", "olm-client")
+	default:
+		stateDir = filepath.Join(os.Getenv("HOME"), ".config", "olm-client")
+	}
+
+	if err := os.MkdirAll(stateDir, 0755); err != nil {
+		logger.Warn("Failed to create state directory: %v", err)
+	}
+
+	return filepath.Join(stateDir, dnsStateFileName)
+}
+
+// saveState persists the current DNS state to disk
+func (d *DarwinDNSConfigurator) saveState() error {
+	keys := make([]string, 0, len(d.createdKeys))
+	for key := range d.createdKeys {
+		keys = append(keys, key)
+	}
+
+	state := DNSPersistentState{
+		CreatedKeys: keys,
+	}
+
+	data, err := json.MarshalIndent(state, "", "  ")
+	if err != nil {
+		return fmt.Errorf("marshal state: %w", err)
+	}
+
+	if err := os.WriteFile(d.stateFilePath, data, 0644); err != nil {
+		return fmt.Errorf("write state file: %w", err)
+	}
+
+	logger.Debug("Saved DNS state to %s", d.stateFilePath)
+	return nil
+}
+
+// loadState loads the DNS state from disk
+func (d *DarwinDNSConfigurator) loadState() (*DNSPersistentState, error) {
+	data, err := os.ReadFile(d.stateFilePath)
+	if err != nil {
+		return nil, err
+	}
+
+	var state DNSPersistentState
+	if err := json.Unmarshal(data, &state); err != nil {
+		return nil, fmt.Errorf("unmarshal state: %w", err)
+	}
+
+	return &state, nil
+}
+
+// clearState removes the DNS state file
+func (d *DarwinDNSConfigurator) clearState() error {
+	err := os.Remove(d.stateFilePath)
+	if err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("remove state file: %w", err)
+	}
+
+	logger.Debug("Cleared DNS state file")
+	return nil
+}
+
+// CleanupStaleDarwinDNS removes any stale DNS configuration left by the Darwin
+// configurator from a previous unclean shutdown. This is a static function that can be
+// called without creating a configurator instance, useful for cleanup before network operations.
+func CleanupStaleDarwinDNS() error {
+	stateFilePath := getDNSStateFilePath()
+
+	// Check if state file exists
+	data, err := os.ReadFile(stateFilePath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			// No state file, nothing to clean up
+			return nil
+		}
+		return fmt.Errorf("read state file: %w", err)
+	}
+
+	var state DNSPersistentState
+	if err := json.Unmarshal(data, &state); err != nil {
+		// Invalid state file, remove it
+		os.Remove(stateFilePath)
+		return nil
+	}
+
+	if len(state.CreatedKeys) == 0 {
+		// No keys to clean up
+		return nil
+	}
+
+	logger.Info("Found DNS state from previous session, cleaning up %d keys", len(state.CreatedKeys))
+
+	// Remove all keys from previous session using scutil directly
+	for _, key := range state.CreatedKeys {
+		logger.Debug("Removing leftover DNS key: %s", key)
+		cmd := fmt.Sprintf("open\nremove %s\nquit\n", key)
+		scutilCmd := exec.Command(scutilPath)
+		scutilCmd.Stdin = strings.NewReader(cmd)
+		if err := scutilCmd.Run(); err != nil {
+			logger.Warn("Failed to remove DNS key %s: %v", key, err)
+		}
+	}
+
+	// Clear state file
+	if err := os.Remove(stateFilePath); err != nil && !os.IsNotExist(err) {
+		logger.Warn("Failed to clear DNS state file: %v", err)
+	}
+
+	// Flush DNS cache after cleanup
+	cacheCmd := exec.Command(dscacheutilPath, "-flushcache")
+	_ = cacheCmd.Run()
+
+	killCmd := exec.Command("killall", "-HUP", "mDNSResponder")
+	_ = killCmd.Run()
+
+	return nil
+}

dns/platform/detect_unix.go

@@ -0,0 +1,158 @@
+//go:build (linux && !android) || freebsd
+
+package dns
+
+import (
+	"bufio"
+	"io"
+	"os"
+	"strings"
+
+	"github.com/fosrl/newt/logger"
+)
+
+const defaultResolvConfPath = "/etc/resolv.conf"
+
+// DNSManagerType represents the type of DNS manager detected
+type DNSManagerType int
+
+const (
+	// UnknownManager indicates we couldn't determine the DNS manager
+	UnknownManager DNSManagerType = iota
+	// SystemdResolvedManager indicates systemd-resolved is managing DNS
+	SystemdResolvedManager
+	// NetworkManagerManager indicates NetworkManager is managing DNS
+	NetworkManagerManager
+	// ResolvconfManager indicates resolvconf is managing DNS
+	ResolvconfManager
+	// FileManager indicates direct file management (no DNS manager)
+	FileManager
+)
+
+// DetectDNSManagerFromFile reads /etc/resolv.conf to determine which DNS manager is in use
+// This provides a hint based on comments in the file, similar to Netbird's approach
+func DetectDNSManagerFromFile() DNSManagerType {
+	file, err := os.Open(defaultResolvConfPath)
+	if err != nil {
+		return UnknownManager
+	}
+	defer file.Close()
+
+	scanner := bufio.NewScanner(file)
+	for scanner.Scan() {
+		text := scanner.Text()
+		if len(text) == 0 {
+			continue
+		}
+
+		// If we hit a non-comment line, default to file-based
+		if text[0] != '#' {
+			return FileManager
+		}
+
+		// Check for DNS manager signatures in comments
+		if strings.Contains(text, "NetworkManager") {
+			return NetworkManagerManager
+		}
+
+		if strings.Contains(text, "systemd-resolved") {
+			return SystemdResolvedManager
+		}
+
+		if strings.Contains(text, "resolvconf") {
+			return ResolvconfManager
+		}
+	}
+
+	if err := scanner.Err(); err != nil && err != io.EOF {
+		return UnknownManager
+	}
+
+	// No indicators found, assume file-based management
+	return FileManager
+}
+
+// String returns a human-readable name for the DNS manager type
+func (d DNSManagerType) String() string {
+	switch d {
+	case SystemdResolvedManager:
+		return "systemd-resolved"
+	case NetworkManagerManager:
+		return "NetworkManager"
+	case ResolvconfManager:
+		return "resolvconf"
+	case FileManager:
+		return "file"
+	default:
+		return "unknown"
+	}
+}
+
+// DetectDNSManager combines file detection with runtime availability checks
+// to determine the best DNS configurator to use
+func DetectDNSManager(interfaceName string) DNSManagerType {
+	// First check what the file suggests
+	fileHint := DetectDNSManagerFromFile()
+
+	// Verify the hint with runtime checks
+	switch fileHint {
+	case SystemdResolvedManager:
+		// Verify systemd-resolved is actually running
+		if IsSystemdResolvedAvailable() {
+			return SystemdResolvedManager
+		}
+		logger.Warn("dns platform: Found systemd-resolved but it is not running. Falling back to file...")
+		os.Exit(0)
+		return FileManager
+
+	case NetworkManagerManager:
+		// Verify NetworkManager is actually running
+		if IsNetworkManagerAvailable() {
+			// Check if NetworkManager is delegating to systemd-resolved
+			if !IsNetworkManagerDNSModeSupported() {
+				logger.Info("NetworkManager is delegating DNS to systemd-resolved, using systemd-resolved configurator")
+				if IsSystemdResolvedAvailable() {
+					return SystemdResolvedManager
+				}
+			}
+			return NetworkManagerManager
+		}
+		logger.Warn("dns platform: Found network manager but it is not running. Falling back to file...")
+		return FileManager
+
+	case ResolvconfManager:
+		// Verify resolvconf is available
+		if IsResolvconfAvailable() {
+			return ResolvconfManager
+		}
+		// If resolvconf is mentioned but not available, fall back to file
+		return FileManager
+
+	case FileManager:
+		// File suggests direct file management
+		// But we should still check if a manager is available that wasn't mentioned
+		if IsSystemdResolvedAvailable() && interfaceName != "" {
+			return SystemdResolvedManager
+		}
+		if IsNetworkManagerAvailable() && interfaceName != "" {
+			return NetworkManagerManager
+		}
+		if IsResolvconfAvailable() && interfaceName != "" {
+			return ResolvconfManager
+		}
+		return FileManager
+
+	default:
+		// Unknown - do runtime detection
+		if IsSystemdResolvedAvailable() && interfaceName != "" {
+			return SystemdResolvedManager
+		}
+		if IsNetworkManagerAvailable() && interfaceName != "" {
+			return NetworkManagerManager
+		}
+		if IsResolvconfAvailable() && interfaceName != "" {
+			return ResolvconfManager
+		}
+		return FileManager
+	}
+}

dns/platform/file.go

@@ -0,0 +1,244 @@
+//go:build (linux && !android) || freebsd
+
+package dns
+
+import (
+	"fmt"
+	"net/netip"
+	"os"
+	"strings"
+)
+
+const (
+	resolvConfPath       = "/etc/resolv.conf"
+	resolvConfBackupPath = "/etc/resolv.conf.olm.backup"
+	resolvConfHeader     = "# Generated by Olm DNS Manager\n# Original file backed up to " + resolvConfBackupPath + "\n\n"
+)
+
+// FileDNSConfigurator manages DNS settings by directly modifying /etc/resolv.conf
+type FileDNSConfigurator struct {
+	originalState *DNSState
+}
+
+// NewFileDNSConfigurator creates a new file-based DNS configurator
+func NewFileDNSConfigurator() (*FileDNSConfigurator, error) {
+	f := &FileDNSConfigurator{}
+	if err := f.CleanupUncleanShutdown(); err != nil {
+		return nil, fmt.Errorf("cleanup unclean shutdown: %w", err)
+	}
+	return f, nil
+}
+
+// Name returns the configurator name
+func (f *FileDNSConfigurator) Name() string {
+	return "file-resolv.conf"
+}
+
+// SetDNS sets the DNS servers and returns the original servers
+func (f *FileDNSConfigurator) SetDNS(servers []netip.Addr) ([]netip.Addr, error) {
+	// Get current DNS settings before overriding
+	originalServers, err := f.GetCurrentDNS()
+	if err != nil {
+		return nil, fmt.Errorf("get current DNS: %w", err)
+	}
+
+	// Backup original resolv.conf if not already backed up
+	if !f.isBackupExists() {
+		if err := f.backupResolvConf(); err != nil {
+			return nil, fmt.Errorf("backup resolv.conf: %w", err)
+		}
+	}
+
+	// Store original state
+	f.originalState = &DNSState{
+		OriginalServers:  originalServers,
+		ConfiguratorName: f.Name(),
+	}
+
+	// Write new resolv.conf
+	if err := f.writeResolvConf(servers); err != nil {
+		return nil, fmt.Errorf("write resolv.conf: %w", err)
+	}
+
+	return originalServers, nil
+}
+
+// RestoreDNS restores the original DNS configuration
+func (f *FileDNSConfigurator) RestoreDNS() error {
+	if !f.isBackupExists() {
+		return fmt.Errorf("no backup file exists")
+	}
+
+	// Copy backup back to original location
+	if err := copyFile(resolvConfBackupPath, resolvConfPath); err != nil {
+		return fmt.Errorf("restore from backup: %w", err)
+	}
+
+	// Remove backup file
+	if err := os.Remove(resolvConfBackupPath); err != nil {
+		return fmt.Errorf("remove backup file: %w", err)
+	}
+
+	return nil
+}
+
+// CleanupUncleanShutdown removes any DNS configuration left over from a previous crash
+// For the file-based configurator, we check if a backup file exists (indicating a crash
+// happened while DNS was configured) and restore from it if so.
+func (f *FileDNSConfigurator) CleanupUncleanShutdown() error {
+	// Check if backup file exists from a previous session
+	if !f.isBackupExists() {
+		// No backup file, nothing to clean up
+		return nil
+	}
+
+	// A backup exists, which means we crashed while DNS was configured
+	// Restore the original resolv.conf
+	if err := copyFile(resolvConfBackupPath, resolvConfPath); err != nil {
+		return fmt.Errorf("restore from backup during cleanup: %w", err)
+	}
+
+	// Remove backup file
+	if err := os.Remove(resolvConfBackupPath); err != nil {
+		return fmt.Errorf("remove backup file during cleanup: %w", err)
+	}
+
+	return nil
+}
+
+// GetCurrentDNS returns the currently configured DNS servers
+func (f *FileDNSConfigurator) GetCurrentDNS() ([]netip.Addr, error) {
+	content, err := os.ReadFile(resolvConfPath)
+	if err != nil {
+		return nil, fmt.Errorf("read resolv.conf: %w", err)
+	}
+
+	return f.parseNameservers(string(content)), nil
+}
+
+// backupResolvConf creates a backup of the current resolv.conf
+func (f *FileDNSConfigurator) backupResolvConf() error {
+	// Get file info for permissions
+	info, err := os.Stat(resolvConfPath)
+	if err != nil {
+		return fmt.Errorf("stat resolv.conf: %w", err)
+	}
+
+	if err := copyFile(resolvConfPath, resolvConfBackupPath); err != nil {
+		return fmt.Errorf("copy file: %w", err)
+	}
+
+	// Preserve permissions
+	if err := os.Chmod(resolvConfBackupPath, info.Mode()); err != nil {
+		return fmt.Errorf("chmod backup: %w", err)
+	}
+
+	return nil
+}
+
+// writeResolvConf writes a new resolv.conf with the specified DNS servers
+func (f *FileDNSConfigurator) writeResolvConf(servers []netip.Addr) error {
+	if len(servers) == 0 {
+		return fmt.Errorf("no DNS servers provided")
+	}
+
+	// Get file info for permissions
+	info, err := os.Stat(resolvConfPath)
+	if err != nil {
+		return fmt.Errorf("stat resolv.conf: %w", err)
+	}
+
+	var content strings.Builder
+	content.WriteString(resolvConfHeader)
+
+	// Write nameservers
+	for _, server := range servers {
+		content.WriteString("nameserver ")
+		content.WriteString(server.String())
+		content.WriteString("\n")
+	}
+
+	// Write the file
+	if err := os.WriteFile(resolvConfPath, []byte(content.String()), info.Mode()); err != nil {
+		return fmt.Errorf("write resolv.conf: %w", err)
+	}
+
+	return nil
+}
+
+// isBackupExists checks if a backup file exists
+func (f *FileDNSConfigurator) isBackupExists() bool {
+	_, err := os.Stat(resolvConfBackupPath)
+	return err == nil
+}
+
+// parseNameservers extracts nameserver entries from resolv.conf content
+func (f *FileDNSConfigurator) parseNameservers(content string) []netip.Addr {
+	var servers []netip.Addr
+
+	lines := strings.Split(content, "\n")
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+
+		// Skip comments and empty lines
+		if line == "" || strings.HasPrefix(line, "#") {
+			continue
+		}
+
+		// Look for nameserver lines
+		if strings.HasPrefix(line, "nameserver") {
+			fields := strings.Fields(line)
+			if len(fields) >= 2 {
+				if addr, err := netip.ParseAddr(fields[1]); err == nil {
+					servers = append(servers, addr)
+				}
+			}
+		}
+	}
+
+	return servers
+}
+
+// copyFile copies a file from src to dst
+func copyFile(src, dst string) error {
+	content, err := os.ReadFile(src)
+	if err != nil {
+		return fmt.Errorf("read source: %w", err)
+	}
+
+	// Get source file permissions
+	info, err := os.Stat(src)
+	if err != nil {
+		return fmt.Errorf("stat source: %w", err)
+	}
+
+	if err := os.WriteFile(dst, content, info.Mode()); err != nil {
+		return fmt.Errorf("write destination: %w", err)
+	}
+
+	return nil
+}
+
+// CleanupStaleFileDNS removes any stale DNS configuration left by the file-based
+// configurator from a previous unclean shutdown. This is a static function that can be
+// called without creating a configurator instance, useful for cleanup before network operations.
+func CleanupStaleFileDNS() error {
+	// Check if backup file exists from a previous session
+	if _, err := os.Stat(resolvConfBackupPath); os.IsNotExist(err) {
+		// No backup file, nothing to clean up
+		return nil
+	}
+
+	// A backup exists, which means we crashed while DNS was configured
+	// Restore the original resolv.conf
+	if err := copyFile(resolvConfBackupPath, resolvConfPath); err != nil {
+		return fmt.Errorf("restore from backup during cleanup: %w", err)
+	}
+
+	// Remove backup file
+	if err := os.Remove(resolvConfBackupPath); err != nil {
+		return fmt.Errorf("remove backup file during cleanup: %w", err)
+	}
+
+	return nil
+}

dns/platform/network_manager.go

@@ -0,0 +1,363 @@
+//go:build (linux && !android) || freebsd
+
+package dns
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/netip"
+	"os"
+	"strings"
+	"time"
+
+	dbus "github.com/godbus/dbus/v5"
+)
+
+const (
+	// NetworkManager D-Bus constants
+	networkManagerDest                       = "org.freedesktop.NetworkManager"
+	networkManagerDbusObjectNode             = "/org/freedesktop/NetworkManager"
+	networkManagerDbusDNSManagerInterface    = "org.freedesktop.NetworkManager.DnsManager"
+	networkManagerDbusDNSManagerObjectNode   = networkManagerDbusObjectNode + "/DnsManager"
+	networkManagerDbusDNSManagerModeProperty = networkManagerDbusDNSManagerInterface + ".Mode"
+	networkManagerDbusVersionProperty        = "org.freedesktop.NetworkManager.Version"
+
+	// NetworkManager dispatcher script path
+	networkManagerDispatcherDir  = "/etc/NetworkManager/dispatcher.d"
+	networkManagerConfDir        = "/etc/NetworkManager/conf.d"
+	networkManagerDNSConfFile    = "olm-dns.conf"
+	networkManagerDispatcherFile = "01-olm-dns"
+)
+
+// NetworkManagerDNSConfigurator manages DNS settings using NetworkManager configuration files
+// This approach works with unmanaged interfaces by modifying NetworkManager's global DNS settings
+type NetworkManagerDNSConfigurator struct {
+	ifaceName     string
+	originalState *DNSState
+	confPath      string
+	dispatchPath  string
+}
+
+// NewNetworkManagerDNSConfigurator creates a new NetworkManager DNS configurator
+func NewNetworkManagerDNSConfigurator(ifaceName string) (*NetworkManagerDNSConfigurator, error) {
+	if ifaceName == "" {
+		return nil, fmt.Errorf("interface name is required")
+	}
+
+	// Check that NetworkManager conf.d directory exists
+	if _, err := os.Stat(networkManagerConfDir); os.IsNotExist(err) {
+		return nil, fmt.Errorf("NetworkManager conf.d directory not found: %s", networkManagerConfDir)
+	}
+
+	configurator := &NetworkManagerDNSConfigurator{
+		ifaceName:    ifaceName,
+		confPath:     networkManagerConfDir + "/" + networkManagerDNSConfFile,
+		dispatchPath: networkManagerDispatcherDir + "/" + networkManagerDispatcherFile,
+	}
+
+	// Clean up any stale configuration from a previous unclean shutdown
+	if err := configurator.CleanupUncleanShutdown(); err != nil {
+		return nil, fmt.Errorf("cleanup unclean shutdown: %w", err)
+	}
+
+	return configurator, nil
+}
+
+// Name returns the configurator name
+func (n *NetworkManagerDNSConfigurator) Name() string {
+	return "network-manager"
+}
+
+// SetDNS sets the DNS servers and returns the original servers
+func (n *NetworkManagerDNSConfigurator) SetDNS(servers []netip.Addr) ([]netip.Addr, error) {
+	// Get current DNS settings before overriding
+	originalServers, err := n.GetCurrentDNS()
+	if err != nil {
+		// If we can't get current DNS, proceed anyway
+		originalServers = []netip.Addr{}
+	}
+
+	// Store original state
+	n.originalState = &DNSState{
+		OriginalServers:  originalServers,
+		ConfiguratorName: n.Name(),
+	}
+
+	// Apply new DNS servers
+	if err := n.applyDNSServers(servers); err != nil {
+		return nil, fmt.Errorf("apply DNS servers: %w", err)
+	}
+
+	return originalServers, nil
+}
+
+// RestoreDNS restores the original DNS configuration
+func (n *NetworkManagerDNSConfigurator) RestoreDNS() error {
+	// Remove our configuration file
+	if err := os.Remove(n.confPath); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("remove DNS config file: %w", err)
+	}
+
+	// Reload NetworkManager to apply the change
+	if err := n.reloadNetworkManager(); err != nil {
+		return fmt.Errorf("reload NetworkManager: %w", err)
+	}
+
+	return nil
+}
+
+// CleanupUncleanShutdown removes any DNS configuration left over from a previous crash
+// For NetworkManager, we check if our config file exists and remove it if so.
+// This ensures that if the process crashed while DNS was configured, the stale
+// configuration is removed on the next startup.
+func (n *NetworkManagerDNSConfigurator) CleanupUncleanShutdown() error {
+	// Check if our config file exists from a previous session
+	if _, err := os.Stat(n.confPath); os.IsNotExist(err) {
+		// No config file, nothing to clean up
+		return nil
+	}
+
+	// Remove the stale configuration file
+	if err := os.Remove(n.confPath); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("remove stale DNS config file: %w", err)
+	}
+
+	// Reload NetworkManager to apply the change
+	if err := n.reloadNetworkManager(); err != nil {
+		return fmt.Errorf("reload NetworkManager after cleanup: %w", err)
+	}
+
+	return nil
+}
+
+// GetCurrentDNS returns the currently configured DNS servers by reading /etc/resolv.conf
+func (n *NetworkManagerDNSConfigurator) GetCurrentDNS() ([]netip.Addr, error) {
+	content, err := os.ReadFile("/etc/resolv.conf")
+	if err != nil {
+		return nil, fmt.Errorf("read resolv.conf: %w", err)
+	}
+
+	var servers []netip.Addr
+	lines := strings.Split(string(content), "\n")
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if strings.HasPrefix(line, "nameserver") {
+			fields := strings.Fields(line)
+			if len(fields) >= 2 {
+				if addr, err := netip.ParseAddr(fields[1]); err == nil {
+					servers = append(servers, addr)
+				}
+			}
+		}
+	}
+
+	return servers, nil
+}
+
+// applyDNSServers applies DNS server configuration via NetworkManager config file
+func (n *NetworkManagerDNSConfigurator) applyDNSServers(servers []netip.Addr) error {
+	if len(servers) == 0 {
+		return fmt.Errorf("no DNS servers provided")
+	}
+
+	// Build DNS server list
+	var dnsServers []string
+	for _, server := range servers {
+		dnsServers = append(dnsServers, server.String())
+	}
+
+	// Create NetworkManager configuration file that sets global DNS
+	// This overrides DNS for all connections
+	configContent := fmt.Sprintf(`# Generated by Olm DNS Manager - DO NOT EDIT
+# This file configures NetworkManager to use Olm's DNS proxy
+
+[global-dns-domain-*]
+servers=%s
+`, strings.Join(dnsServers, ","))
+
+	// Write the configuration file
+	if err := os.WriteFile(n.confPath, []byte(configContent), 0644); err != nil {
+		return fmt.Errorf("write DNS config file: %w", err)
+	}
+
+	// Reload NetworkManager to apply the new configuration
+	if err := n.reloadNetworkManager(); err != nil {
+		// Try to clean up
+		os.Remove(n.confPath)
+		return fmt.Errorf("reload NetworkManager: %w", err)
+	}
+
+	return nil
+}
+
+// reloadNetworkManager tells NetworkManager to reload its configuration
+func (n *NetworkManagerDNSConfigurator) reloadNetworkManager() error {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return fmt.Errorf("connect to system bus: %w", err)
+	}
+	defer conn.Close()
+
+	obj := conn.Object(networkManagerDest, networkManagerDbusObjectNode)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	// Call Reload method with flags=0 (reload everything)
+	// See: https://networkmanager.dev/docs/api/latest/gdbus-org.freedesktop.NetworkManager.html#gdbus-method-org-freedesktop-NetworkManager.Reload
+	err = obj.CallWithContext(ctx, networkManagerDest+".Reload", 0, uint32(0)).Store()
+	if err != nil {
+		return fmt.Errorf("call Reload: %w", err)
+	}
+
+	return nil
+}
+
+// IsNetworkManagerAvailable checks if NetworkManager is available and responsive
+func IsNetworkManagerAvailable() bool {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return false
+	}
+	defer conn.Close()
+
+	obj := conn.Object(networkManagerDest, networkManagerDbusObjectNode)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	// Try to ping NetworkManager
+	if err := obj.CallWithContext(ctx, "org.freedesktop.DBus.Peer.Ping", 0).Store(); err != nil {
+		return false
+	}
+
+	return true
+}
+
+// IsNetworkManagerDNSModeSupported checks if NetworkManager's DNS mode is one we can work with
+// Some DNS modes delegate to other systems (like systemd-resolved) which we should use directly
+func IsNetworkManagerDNSModeSupported() bool {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return false
+	}
+	defer conn.Close()
+
+	obj := conn.Object(networkManagerDest, networkManagerDbusDNSManagerObjectNode)
+
+	modeVariant, err := obj.GetProperty(networkManagerDbusDNSManagerModeProperty)
+	if err != nil {
+		// If we can't get the mode, assume it's not supported
+		return false
+	}
+
+	mode, ok := modeVariant.Value().(string)
+	if !ok {
+		return false
+	}
+
+	// If NetworkManager is delegating DNS to systemd-resolved, we should use
+	// systemd-resolved directly for better control
+	switch mode {
+	case "systemd-resolved":
+		// NetworkManager is delegating to systemd-resolved
+		// We should use systemd-resolved configurator instead
+		return false
+	case "dnsmasq", "unbound":
+		// NetworkManager is using a local resolver that it controls
+		// We can configure DNS through NetworkManager
+		return true
+	case "default", "none", "":
+		// NetworkManager is managing DNS directly or not at all
+		// We can configure DNS through NetworkManager
+		return true
+	default:
+		// Unknown mode, try to use it
+		return true
+	}
+}
+
+// GetNetworkManagerDNSMode returns the current DNS mode of NetworkManager
+func GetNetworkManagerDNSMode() (string, error) {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return "", fmt.Errorf("connect to system bus: %w", err)
+	}
+	defer conn.Close()
+
+	obj := conn.Object(networkManagerDest, networkManagerDbusDNSManagerObjectNode)
+
+	modeVariant, err := obj.GetProperty(networkManagerDbusDNSManagerModeProperty)
+	if err != nil {
+		return "", fmt.Errorf("get DNS mode property: %w", err)
+	}
+
+	mode, ok := modeVariant.Value().(string)
+	if !ok {
+		return "", errors.New("DNS mode is not a string")
+	}
+
+	return mode, nil
+}
+
+// GetNetworkManagerVersion returns the version of NetworkManager
+func GetNetworkManagerVersion() (string, error) {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return "", fmt.Errorf("connect to system bus: %w", err)
+	}
+	defer conn.Close()
+
+	obj := conn.Object(networkManagerDest, networkManagerDbusObjectNode)
+
+	versionVariant, err := obj.GetProperty(networkManagerDbusVersionProperty)
+	if err != nil {
+		return "", fmt.Errorf("get version property: %w", err)
+	}
+
+	version, ok := versionVariant.Value().(string)
+	if !ok {
+		return "", errors.New("version is not a string")
+	}
+
+	return version, nil
+}
+
+// CleanupStaleNetworkManagerDNS removes any stale DNS configuration left by NetworkManager
+// configurator from a previous unclean shutdown. This is a static function that can be called
+// without creating a configurator instance, useful for cleanup before network operations.
+func CleanupStaleNetworkManagerDNS() error {
+	confPath := networkManagerConfDir + "/" + networkManagerDNSConfFile
+
+	// Check if our config file exists from a previous session
+	if _, err := os.Stat(confPath); os.IsNotExist(err) {
+		// No config file, nothing to clean up
+		return nil
+	}
+
+	// Remove the stale configuration file
+	if err := os.Remove(confPath); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("remove stale DNS config file: %w", err)
+	}
+
+	// Try to reload NetworkManager if it's available
+	if IsNetworkManagerAvailable() {
+		conn, err := dbus.SystemBus()
+		if err != nil {
+			return fmt.Errorf("connect to system bus for reload: %w", err)
+		}
+		defer conn.Close()
+
+		obj := conn.Object(networkManagerDest, networkManagerDbusObjectNode)
+
+		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		defer cancel()
+
+		if err := obj.CallWithContext(ctx, networkManagerDest+".Reload", 0, uint32(0)).Store(); err != nil {
+			return fmt.Errorf("reload NetworkManager after cleanup: %w", err)
+		}
+	}
+
+	return nil
+}

dns/platform/resolvconf.go

@@ -0,0 +1,255 @@
+//go:build (linux && !android) || freebsd
+
+package dns
+
+import (
+	"bytes"
+	"fmt"
+	"net/netip"
+	"os/exec"
+	"strings"
+)
+
+const resolvconfCommand = "resolvconf"
+
+// ResolvconfDNSConfigurator manages DNS settings using the resolvconf utility
+type ResolvconfDNSConfigurator struct {
+	ifaceName     string
+	implType      string
+	originalState *DNSState
+}
+
+// NewResolvconfDNSConfigurator creates a new resolvconf DNS configurator
+func NewResolvconfDNSConfigurator(ifaceName string) (*ResolvconfDNSConfigurator, error) {
+	if ifaceName == "" {
+		return nil, fmt.Errorf("interface name is required")
+	}
+
+	// Detect resolvconf implementation type
+	implType, err := detectResolvconfType()
+	if err != nil {
+		return nil, fmt.Errorf("detect resolvconf type: %w", err)
+	}
+
+	configurator := &ResolvconfDNSConfigurator{
+		ifaceName: ifaceName,
+		implType:  implType,
+	}
+
+	// Call cleanup function to remove any stale DNS config for this interface
+	if err := configurator.CleanupUncleanShutdown(); err != nil {
+		return nil, fmt.Errorf("cleanup unclean shutdown: %w", err)
+	}
+
+	return configurator, nil
+}
+
+// Name returns the configurator name
+func (r *ResolvconfDNSConfigurator) Name() string {
+	return fmt.Sprintf("resolvconf-%s", r.implType)
+}
+
+// SetDNS sets the DNS servers and returns the original servers
+func (r *ResolvconfDNSConfigurator) SetDNS(servers []netip.Addr) ([]netip.Addr, error) {
+	// Get current DNS settings before overriding
+	originalServers, err := r.GetCurrentDNS()
+	if err != nil {
+		// If we can't get current DNS, proceed anyway
+		originalServers = []netip.Addr{}
+	}
+
+	// Store original state
+	r.originalState = &DNSState{
+		OriginalServers:  originalServers,
+		ConfiguratorName: r.Name(),
+	}
+
+	// Apply new DNS servers
+	if err := r.applyDNSServers(servers); err != nil {
+		return nil, fmt.Errorf("apply DNS servers: %w", err)
+	}
+
+	return originalServers, nil
+}
+
+// RestoreDNS restores the original DNS configuration
+func (r *ResolvconfDNSConfigurator) RestoreDNS() error {
+	var cmd *exec.Cmd
+
+	switch r.implType {
+	case "openresolv":
+		// Force delete with -f
+		cmd = exec.Command(resolvconfCommand, "-f", "-d", r.ifaceName)
+	default:
+		cmd = exec.Command(resolvconfCommand, "-d", r.ifaceName)
+	}
+
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("delete resolvconf config: %w, output: %s", err, out)
+	}
+
+	return nil
+}
+
+// CleanupUncleanShutdown removes any DNS configuration left over from a previous crash
+// For resolvconf, we attempt to delete any entry for the interface name.
+// This ensures that if the process crashed while DNS was configured, the stale
+// entry is removed on the next startup.
+func (r *ResolvconfDNSConfigurator) CleanupUncleanShutdown() error {
+	// Try to delete any existing entry for this interface
+	// This is idempotent - if no entry exists, resolvconf will just return success
+	var cmd *exec.Cmd
+
+	switch r.implType {
+	case "openresolv":
+		cmd = exec.Command(resolvconfCommand, "-f", "-d", r.ifaceName)
+	default:
+		cmd = exec.Command(resolvconfCommand, "-d", r.ifaceName)
+	}
+
+	// Ignore errors - the entry may not exist, which is fine
+	_ = cmd.Run()
+
+	return nil
+}
+
+// GetCurrentDNS returns the currently configured DNS servers
+func (r *ResolvconfDNSConfigurator) GetCurrentDNS() ([]netip.Addr, error) {
+	// resolvconf doesn't provide a direct way to query per-interface DNS
+	// We can try to read /etc/resolv.conf but it's merged from all sources
+	content, err := exec.Command(resolvconfCommand, "-l").CombinedOutput()
+	if err != nil {
+		// Fall back to reading resolv.conf
+		return readResolvConfServers()
+	}
+
+	// Parse the output (format varies by implementation)
+	return parseResolvconfOutput(string(content)), nil
+}
+
+// applyDNSServers applies DNS server configuration via resolvconf
+func (r *ResolvconfDNSConfigurator) applyDNSServers(servers []netip.Addr) error {
+	if len(servers) == 0 {
+		return fmt.Errorf("no DNS servers provided")
+	}
+
+	// Build resolv.conf content
+	var content bytes.Buffer
+	content.WriteString("# Generated by Olm DNS Manager\n\n")
+
+	for _, server := range servers {
+		content.WriteString("nameserver ")
+		content.WriteString(server.String())
+		content.WriteString("\n")
+	}
+
+	// Apply via resolvconf
+	var cmd *exec.Cmd
+	switch r.implType {
+	case "openresolv":
+		// OpenResolv supports exclusive mode with -x
+		cmd = exec.Command(resolvconfCommand, "-x", "-a", r.ifaceName)
+	default:
+		cmd = exec.Command(resolvconfCommand, "-a", r.ifaceName)
+	}
+
+	cmd.Stdin = &content
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("apply resolvconf config: %w, output: %s", err, out)
+	}
+
+	return nil
+}
+
+// detectResolvconfType detects which resolvconf implementation is being used
+func detectResolvconfType() (string, error) {
+	cmd := exec.Command(resolvconfCommand, "--version")
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("detect resolvconf type: %w", err)
+	}
+
+	if strings.Contains(string(out), "openresolv") {
+		return "openresolv", nil
+	}
+
+	return "resolvconf", nil
+}
+
+// parseResolvconfOutput parses resolvconf -l output for DNS servers
+func parseResolvconfOutput(output string) []netip.Addr {
+	var servers []netip.Addr
+
+	lines := strings.Split(output, "\n")
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+
+		// Skip comments and empty lines
+		if line == "" || strings.HasPrefix(line, "#") {
+			continue
+		}
+
+		// Look for nameserver lines
+		if strings.HasPrefix(line, "nameserver") {
+			fields := strings.Fields(line)
+			if len(fields) >= 2 {
+				if addr, err := netip.ParseAddr(fields[1]); err == nil {
+					servers = append(servers, addr)
+				}
+			}
+		}
+	}
+
+	return servers
+}
+
+// readResolvConfServers reads DNS servers from /etc/resolv.conf
+func readResolvConfServers() ([]netip.Addr, error) {
+	cmd := exec.Command("cat", "/etc/resolv.conf")
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return nil, fmt.Errorf("read resolv.conf: %w", err)
+	}
+
+	return parseResolvconfOutput(string(out)), nil
+}
+
+// IsResolvconfAvailable checks if resolvconf is available
+func IsResolvconfAvailable() bool {
+	cmd := exec.Command(resolvconfCommand, "--version")
+	return cmd.Run() == nil
+}
+
+// CleanupStaleResolvconfDNS removes any stale DNS configuration left by the resolvconf
+// configurator from a previous unclean shutdown. This is a static function that can be
+// called without creating a configurator instance, useful for cleanup before network operations.
+// The interfaceName parameter specifies which interface entry to clean up (typically "olm").
+func CleanupStaleResolvconfDNS(interfaceName string) error {
+	if !IsResolvconfAvailable() {
+		// resolvconf not available, nothing to clean up
+		return nil
+	}
+
+	// Detect resolvconf implementation type
+	implType, err := detectResolvconfType()
+	if err != nil {
+		// Can't detect type, try default
+		implType = "resolvconf"
+	}
+
+	// Try to delete any existing entry for this interface
+	// This is idempotent - if no entry exists, resolvconf will just return success
+	var cmd *exec.Cmd
+
+	switch implType {
+	case "openresolv":
+		cmd = exec.Command(resolvconfCommand, "-f", "-d", interfaceName)
+	default:
+		cmd = exec.Command(resolvconfCommand, "-d", interfaceName)
+	}
+
+	// Ignore errors - the entry may not exist, which is fine
+	_ = cmd.Run()
+
+	return nil
+}

dns/platform/systemd.go

@@ -0,0 +1,304 @@
+//go:build linux && !android
+
+package dns
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"time"
+
+	dbus "github.com/godbus/dbus/v5"
+	"golang.org/x/sys/unix"
+)
+
+const (
+	systemdResolvedDest              = "org.freedesktop.resolve1"
+	systemdDbusObjectNode            = "/org/freedesktop/resolve1"
+	systemdDbusManagerIface          = "org.freedesktop.resolve1.Manager"
+	systemdDbusGetLinkMethod         = systemdDbusManagerIface + ".GetLink"
+	systemdDbusFlushCachesMethod     = systemdDbusManagerIface + ".FlushCaches"
+	systemdDbusLinkInterface         = "org.freedesktop.resolve1.Link"
+	systemdDbusSetDNSMethod          = systemdDbusLinkInterface + ".SetDNS"
+	systemdDbusSetDefaultRouteMethod = systemdDbusLinkInterface + ".SetDefaultRoute"
+	systemdDbusSetDomainsMethod      = systemdDbusLinkInterface + ".SetDomains"
+	systemdDbusSetDNSSECMethod       = systemdDbusLinkInterface + ".SetDNSSEC"
+	systemdDbusSetDNSOverTLSMethod   = systemdDbusLinkInterface + ".SetDNSOverTLS"
+	systemdDbusRevertMethod          = systemdDbusLinkInterface + ".Revert"
+
+	// RootZone is the root DNS zone that matches all queries
+	RootZone = "."
+)
+
+// systemdDbusDNSInput maps to (iay) dbus input for SetDNS method
+type systemdDbusDNSInput struct {
+	Family  int32
+	Address []byte
+}
+
+// systemdDbusDomainsInput maps to (sb) dbus input for SetDomains method
+type systemdDbusDomainsInput struct {
+	Domain    string
+	MatchOnly bool
+}
+
+// SystemdResolvedDNSConfigurator manages DNS settings using systemd-resolved D-Bus API
+type SystemdResolvedDNSConfigurator struct {
+	ifaceName      string
+	dbusLinkObject dbus.ObjectPath
+	originalState  *DNSState
+}
+
+// NewSystemdResolvedDNSConfigurator creates a new systemd-resolved DNS configurator
+func NewSystemdResolvedDNSConfigurator(ifaceName string) (*SystemdResolvedDNSConfigurator, error) {
+	// Get network interface
+	iface, err := net.InterfaceByName(ifaceName)
+	if err != nil {
+		return nil, fmt.Errorf("get interface: %w", err)
+	}
+
+	// Connect to D-Bus
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return nil, fmt.Errorf("connect to system bus: %w", err)
+	}
+	defer conn.Close()
+
+	obj := conn.Object(systemdResolvedDest, systemdDbusObjectNode)
+
+	// Get the link object for this interface
+	var linkPath string
+	if err := obj.Call(systemdDbusGetLinkMethod, 0, iface.Index).Store(&linkPath); err != nil {
+		return nil, fmt.Errorf("get link: %w", err)
+	}
+
+	config := &SystemdResolvedDNSConfigurator{
+		ifaceName:      ifaceName,
+		dbusLinkObject: dbus.ObjectPath(linkPath),
+	}
+
+	// Call cleanup function here
+	if err := config.CleanupUncleanShutdown(); err != nil {
+		fmt.Printf("warning: cleanup unclean shutdown failed: %v\n", err)
+	}
+
+	return config, nil
+}
+
+// Name returns the configurator name
+func (s *SystemdResolvedDNSConfigurator) Name() string {
+	return "systemd-resolved"
+}
+
+// SetDNS sets the DNS servers and returns the original servers
+func (s *SystemdResolvedDNSConfigurator) SetDNS(servers []netip.Addr) ([]netip.Addr, error) {
+	// Get current DNS settings before overriding
+	originalServers, err := s.GetCurrentDNS()
+	if err != nil {
+		// If we can't get current DNS, proceed anyway
+		originalServers = []netip.Addr{}
+	}
+
+	// Store original state
+	s.originalState = &DNSState{
+		OriginalServers:  originalServers,
+		ConfiguratorName: s.Name(),
+	}
+
+	// Apply new DNS servers
+	if err := s.applyDNSServers(servers); err != nil {
+		return nil, fmt.Errorf("apply DNS servers: %w", err)
+	}
+
+	return originalServers, nil
+}
+
+// RestoreDNS restores the original DNS configuration
+func (s *SystemdResolvedDNSConfigurator) RestoreDNS() error {
+	// Call Revert method to restore systemd-resolved defaults
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return fmt.Errorf("connect to system bus: %w", err)
+	}
+	defer conn.Close()
+
+	obj := conn.Object(systemdResolvedDest, s.dbusLinkObject)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	if err := obj.CallWithContext(ctx, systemdDbusRevertMethod, 0).Store(); err != nil {
+		return fmt.Errorf("revert DNS settings: %w", err)
+	}
+
+	// Flush DNS cache after reverting
+	if err := s.flushDNSCache(); err != nil {
+		fmt.Printf("warning: failed to flush DNS cache: %v\n", err)
+	}
+
+	return nil
+}
+
+// CleanupUncleanShutdown removes any DNS configuration left over from a previous crash
+// For systemd-resolved, the DNS configuration is tied to the network interface.
+// When the interface is destroyed and recreated, systemd-resolved automatically
+// clears the per-link DNS settings, so there's nothing to clean up.
+func (s *SystemdResolvedDNSConfigurator) CleanupUncleanShutdown() error {
+	// systemd-resolved DNS configuration is per-link and automatically cleared
+	// when the link (interface) is destroyed. Since the WireGuard interface is
+	// recreated on restart, there's no leftover state to clean up.
+	return nil
+}
+
+// GetCurrentDNS returns the currently configured DNS servers
+// Note: systemd-resolved doesn't easily expose current per-link DNS servers via D-Bus
+// This is a placeholder that returns an empty list
+func (s *SystemdResolvedDNSConfigurator) GetCurrentDNS() ([]netip.Addr, error) {
+	// systemd-resolved's D-Bus API doesn't have a simple way to query current DNS servers
+	// We would need to parse resolvectl status output or read from /run/systemd/resolve/
+	// For now, return empty list
+	return []netip.Addr{}, nil
+}
+
+// applyDNSServers applies DNS server configuration via systemd-resolved
+func (s *SystemdResolvedDNSConfigurator) applyDNSServers(servers []netip.Addr) error {
+	if len(servers) == 0 {
+		return fmt.Errorf("no DNS servers provided")
+	}
+
+	// Convert servers to systemd-resolved format
+	var dnsInputs []systemdDbusDNSInput
+	for _, server := range servers {
+		family := unix.AF_INET
+		if server.Is6() {
+			family = unix.AF_INET6
+		}
+
+		dnsInputs = append(dnsInputs, systemdDbusDNSInput{
+			Family:  int32(family),
+			Address: server.AsSlice(),
+		})
+	}
+
+	// Connect to D-Bus
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return fmt.Errorf("connect to system bus: %w", err)
+	}
+	defer conn.Close()
+
+	obj := conn.Object(systemdResolvedDest, s.dbusLinkObject)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	// Call SetDNS method to set the DNS servers
+	if err := obj.CallWithContext(ctx, systemdDbusSetDNSMethod, 0, dnsInputs).Store(); err != nil {
+		return fmt.Errorf("set DNS servers: %w", err)
+	}
+
+	// Set this interface as the default route for DNS
+	// This ensures all DNS queries prefer this interface
+	if err := s.callLinkMethod(systemdDbusSetDefaultRouteMethod, true); err != nil {
+		return fmt.Errorf("set default route: %w", err)
+	}
+
+	// Set the root zone "." as a match-only domain
+	// This captures ALL DNS queries and routes them through this interface
+	domainsInput := []systemdDbusDomainsInput{
+		{
+			Domain:    RootZone,
+			MatchOnly: true,
+		},
+	}
+	if err := s.callLinkMethod(systemdDbusSetDomainsMethod, domainsInput); err != nil {
+		return fmt.Errorf("set domains: %w", err)
+	}
+
+	// Disable DNSSEC - we don't support it and it may be enabled by default
+	if err := s.callLinkMethod(systemdDbusSetDNSSECMethod, "no"); err != nil {
+		// Log warning but don't fail - this is optional
+		fmt.Printf("warning: failed to disable DNSSEC: %v\n", err)
+	}
+
+	// Disable DNSOverTLS - we don't support it and it may be enabled by default
+	if err := s.callLinkMethod(systemdDbusSetDNSOverTLSMethod, "no"); err != nil {
+		// Log warning but don't fail - this is optional
+		fmt.Printf("warning: failed to disable DNSOverTLS: %v\n", err)
+	}
+
+	// Flush DNS cache to ensure new settings take effect immediately
+	if err := s.flushDNSCache(); err != nil {
+		fmt.Printf("warning: failed to flush DNS cache: %v\n", err)
+	}
+
+	return nil
+}
+
+// callLinkMethod is a helper to call methods on the link object
+func (s *SystemdResolvedDNSConfigurator) callLinkMethod(method string, value any) error {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return fmt.Errorf("connect to system bus: %w", err)
+	}
+	defer conn.Close()
+
+	obj := conn.Object(systemdResolvedDest, s.dbusLinkObject)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	if value != nil {
+		if err := obj.CallWithContext(ctx, method, 0, value).Store(); err != nil {
+			return fmt.Errorf("call %s: %w", method, err)
+		}
+	} else {
+		if err := obj.CallWithContext(ctx, method, 0).Store(); err != nil {
+			return fmt.Errorf("call %s: %w", method, err)
+		}
+	}
+
+	return nil
+}
+
+// flushDNSCache flushes the systemd-resolved DNS cache
+func (s *SystemdResolvedDNSConfigurator) flushDNSCache() error {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return fmt.Errorf("connect to system bus: %w", err)
+	}
+	defer conn.Close()
+
+	obj := conn.Object(systemdResolvedDest, systemdDbusObjectNode)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	if err := obj.CallWithContext(ctx, systemdDbusFlushCachesMethod, 0).Store(); err != nil {
+		return fmt.Errorf("flush caches: %w", err)
+	}
+
+	return nil
+}
+
+// IsSystemdResolvedAvailable checks if systemd-resolved is available and responsive
+func IsSystemdResolvedAvailable() bool {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return false
+	}
+	defer conn.Close()
+
+	obj := conn.Object(systemdResolvedDest, systemdDbusObjectNode)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	// Try to ping systemd-resolved
+	if err := obj.CallWithContext(ctx, "org.freedesktop.DBus.Peer.Ping", 0).Store(); err != nil {
+		return false
+	}
+
+	return true
+}

dns/platform/types.go

@@ -0,0 +1,45 @@
+package dns
+
+import "net/netip"
+
+// DNSConfigurator provides an interface for managing system DNS settings
+// across different platforms and implementations
+type DNSConfigurator interface {
+	// SetDNS overrides the system DNS servers with the specified ones
+	// Returns the original DNS servers that were replaced
+	SetDNS(servers []netip.Addr) ([]netip.Addr, error)
+
+	// RestoreDNS restores the original DNS servers
+	RestoreDNS() error
+
+	// GetCurrentDNS returns the currently configured DNS servers
+	GetCurrentDNS() ([]netip.Addr, error)
+
+	// Name returns the name of this configurator implementation
+	Name() string
+
+	// CleanupUncleanShutdown removes any DNS configuration left over from
+	// a previous crash or unclean shutdown. This should be called on startup.
+	CleanupUncleanShutdown() error
+}
+
+// DNSConfig contains the configuration for DNS override
+type DNSConfig struct {
+	// Servers is the list of DNS servers to use
+	Servers []netip.Addr
+
+	// SearchDomains is an optional list of search domains
+	SearchDomains []string
+}
+
+// DNSState represents the saved state of DNS configuration
+type DNSState struct {
+	// OriginalServers are the DNS servers before override
+	OriginalServers []netip.Addr
+
+	// OriginalSearchDomains are the search domains before override
+	OriginalSearchDomains []string
+
+	// ConfiguratorName is the name of the configurator that saved this state
+	ConfiguratorName string
+}

dns/platform/windows.go

@@ -0,0 +1,355 @@
+//go:build windows
+
+package dns
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/netip"
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+	"golang.org/x/sys/windows/registry"
+)
+
+var (
+	dnsapi                  = syscall.NewLazyDLL("dnsapi.dll")
+	dnsFlushResolverCacheFn = dnsapi.NewProc("DnsFlushResolverCache")
+)
+
+const (
+	interfaceConfigPath           = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
+	interfaceConfigNameServer     = "NameServer"
+	interfaceConfigDhcpNameServer = "DhcpNameServer"
+)
+
+// WindowsDNSConfigurator manages DNS settings on Windows using the registry
+type WindowsDNSConfigurator struct {
+	guid          string
+	originalState *DNSState
+}
+
+// NewWindowsDNSConfigurator creates a new Windows DNS configurator
+// Accepts an interface name and extracts the GUID internally
+func NewWindowsDNSConfigurator(interfaceName string) (*WindowsDNSConfigurator, error) {
+	if interfaceName == "" {
+		return nil, fmt.Errorf("interface name is required")
+	}
+
+	guid, err := getInterfaceGUIDString(interfaceName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get interface GUID: %w", err)
+	}
+
+	return &WindowsDNSConfigurator{
+		guid: guid,
+	}, nil
+}
+
+// newWindowsDNSConfiguratorFromGUID creates a configurator from a GUID string
+// This is an internal function for use by DetectBestConfigurator
+func newWindowsDNSConfiguratorFromGUID(guid string) (*WindowsDNSConfigurator, error) {
+	if guid == "" {
+		return nil, fmt.Errorf("interface GUID is required")
+	}
+
+	return &WindowsDNSConfigurator{
+		guid: guid,
+	}, nil
+}
+
+// Name returns the configurator name
+func (w *WindowsDNSConfigurator) Name() string {
+	return "windows-registry"
+}
+
+// SetDNS sets the DNS servers and returns the original servers
+func (w *WindowsDNSConfigurator) SetDNS(servers []netip.Addr) ([]netip.Addr, error) {
+	// Get current DNS settings before overriding
+	originalServers, err := w.GetCurrentDNS()
+	if err != nil {
+		return nil, fmt.Errorf("get current DNS: %w", err)
+	}
+
+	// Store original state
+	w.originalState = &DNSState{
+		OriginalServers:  originalServers,
+		ConfiguratorName: w.Name(),
+	}
+
+	// Set new DNS servers
+	if err := w.setDNSServers(servers); err != nil {
+		return nil, fmt.Errorf("set DNS servers: %w", err)
+	}
+
+	// Flush DNS cache
+	if err := w.flushDNSCache(); err != nil {
+		// Non-fatal, just log
+		fmt.Printf("warning: failed to flush DNS cache: %v\n", err)
+	}
+
+	return originalServers, nil
+}
+
+// RestoreDNS restores the original DNS configuration
+func (w *WindowsDNSConfigurator) RestoreDNS() error {
+	if w.originalState == nil {
+		return fmt.Errorf("no original state to restore")
+	}
+
+	// Clear the static DNS setting
+	if err := w.clearDNSServers(); err != nil {
+		return fmt.Errorf("clear DNS servers: %w", err)
+	}
+
+	// Flush DNS cache
+	if err := w.flushDNSCache(); err != nil {
+		fmt.Printf("warning: failed to flush DNS cache: %v\n", err)
+	}
+
+	return nil
+}
+
+// CleanupUncleanShutdown removes any DNS configuration left over from a previous crash
+// On Windows, we rely on the registry-based approach which doesn't leave orphaned state
+// in the same way as macOS scutil. The DNS settings are tied to the interface which
+// gets recreated on restart.
+func (w *WindowsDNSConfigurator) CleanupUncleanShutdown() error {
+	// Windows DNS configuration via registry is interface-specific.
+	// When the WireGuard interface is recreated, it gets a new GUID,
+	// so there's no leftover state to clean up from previous sessions.
+	// The old interface's registry keys are effectively orphaned but harmless.
+	return nil
+}
+
+// GetCurrentDNS returns the currently configured DNS servers
+func (w *WindowsDNSConfigurator) GetCurrentDNS() ([]netip.Addr, error) {
+	regKey, err := w.getInterfaceRegistryKey(registry.QUERY_VALUE)
+	if err != nil {
+		return nil, fmt.Errorf("get interface registry key: %w", err)
+	}
+	defer closeKey(regKey)
+
+	// Try to get static DNS first
+	nameServer, _, err := regKey.GetStringValue(interfaceConfigNameServer)
+	if err == nil && nameServer != "" {
+		return w.parseServerList(nameServer), nil
+	}
+
+	// Fall back to DHCP DNS
+	dhcpNameServer, _, err := regKey.GetStringValue(interfaceConfigDhcpNameServer)
+	if err == nil && dhcpNameServer != "" {
+		return w.parseServerList(dhcpNameServer), nil
+	}
+
+	return []netip.Addr{}, nil
+}
+
+// setDNSServers sets the DNS servers in the registry
+func (w *WindowsDNSConfigurator) setDNSServers(servers []netip.Addr) error {
+	if len(servers) == 0 {
+		return fmt.Errorf("no DNS servers provided")
+	}
+
+	regKey, err := w.getInterfaceRegistryKey(registry.SET_VALUE)
+	if err != nil {
+		return fmt.Errorf("get interface registry key: %w", err)
+	}
+	defer closeKey(regKey)
+
+	// Build comma-separated or space-separated list of servers
+	var serverList string
+	for i, server := range servers {
+		if i > 0 {
+			serverList += ","
+		}
+		serverList += server.String()
+	}
+
+	if err := regKey.SetStringValue(interfaceConfigNameServer, serverList); err != nil {
+		return fmt.Errorf("set NameServer: %w", err)
+	}
+
+	return nil
+}
+
+// clearDNSServers clears the static DNS server setting
+func (w *WindowsDNSConfigurator) clearDNSServers() error {
+	regKey, err := w.getInterfaceRegistryKey(registry.SET_VALUE)
+	if err != nil {
+		return fmt.Errorf("get interface registry key: %w", err)
+	}
+	defer closeKey(regKey)
+
+	// Set empty string to revert to DHCP
+	if err := regKey.SetStringValue(interfaceConfigNameServer, ""); err != nil {
+		return fmt.Errorf("clear NameServer: %w", err)
+	}
+
+	return nil
+}
+
+// getInterfaceRegistryKey opens the registry key for the network interface
+func (w *WindowsDNSConfigurator) getInterfaceRegistryKey(access uint32) (registry.Key, error) {
+	regKeyPath := interfaceConfigPath + `\` + w.guid
+
+	regKey, err := registry.OpenKey(registry.LOCAL_MACHINE, regKeyPath, access)
+	if err != nil {
+		return 0, fmt.Errorf("open HKEY_LOCAL_MACHINE\\%s: %w", regKeyPath, err)
+	}
+
+	return regKey, nil
+}
+
+// parseServerList parses a comma or space-separated list of DNS servers
+func (w *WindowsDNSConfigurator) parseServerList(serverList string) []netip.Addr {
+	var servers []netip.Addr
+
+	// Split by comma or space
+	parts := splitByDelimiters(serverList, []rune{',', ' '})
+
+	for _, part := range parts {
+		if addr, err := netip.ParseAddr(part); err == nil {
+			servers = append(servers, addr)
+		}
+	}
+
+	return servers
+}
+
+// flushDNSCache flushes the Windows DNS resolver cache
+func (w *WindowsDNSConfigurator) flushDNSCache() error {
+	// dnsFlushResolverCacheFn.Call() may panic if the func is not found
+	defer func() {
+		if rec := recover(); rec != nil {
+			fmt.Printf("warning: DnsFlushResolverCache panicked: %v\n", rec)
+		}
+	}()
+
+	ret, _, err := dnsFlushResolverCacheFn.Call()
+	if ret == 0 {
+		if err != nil && !errors.Is(err, syscall.Errno(0)) {
+			return fmt.Errorf("DnsFlushResolverCache failed: %w", err)
+		}
+		return fmt.Errorf("DnsFlushResolverCache failed")
+	}
+
+	return nil
+}
+
+// splitByDelimiters splits a string by multiple delimiters
+func splitByDelimiters(s string, delimiters []rune) []string {
+	var result []string
+	var current []rune
+
+	for _, char := range s {
+		isDelimiter := false
+		for _, delim := range delimiters {
+			if char == delim {
+				isDelimiter = true
+				break
+			}
+		}
+
+		if isDelimiter {
+			if len(current) > 0 {
+				result = append(result, string(current))
+				current = []rune{}
+			}
+		} else {
+			current = append(current, char)
+		}
+	}
+
+	if len(current) > 0 {
+		result = append(result, string(current))
+	}
+
+	return result
+}
+
+// closeKey closes a registry key and logs errors
+func closeKey(closer io.Closer) {
+	if err := closer.Close(); err != nil {
+		fmt.Printf("warning: failed to close registry key: %v\n", err)
+	}
+}
+
+// getInterfaceGUIDString retrieves the GUID string for a Windows TUN interface
+// This is required for registry-based DNS configuration on Windows
+func getInterfaceGUIDString(interfaceName string) (string, error) {
+	if interfaceName == "" {
+		return "", fmt.Errorf("interface name is required")
+	}
+
+	iface, err := net.InterfaceByName(interfaceName)
+	if err != nil {
+		return "", fmt.Errorf("failed to get interface %s: %w", interfaceName, err)
+	}
+
+	luid, err := indexToLUID(uint32(iface.Index))
+	if err != nil {
+		return "", fmt.Errorf("failed to convert index to LUID: %w", err)
+	}
+
+	// Convert LUID to GUID using Windows API
+	guid, err := luidToGUID(luid)
+	if err != nil {
+		return "", fmt.Errorf("failed to convert LUID to GUID: %w", err)
+	}
+
+	return guid, nil
+}
+
+// indexToLUID converts a Windows interface index to a LUID
+func indexToLUID(index uint32) (uint64, error) {
+	var luid uint64
+
+	// Load the iphlpapi.dll and get the ConvertInterfaceIndexToLuid function
+	iphlpapi := windows.NewLazySystemDLL("iphlpapi.dll")
+	convertInterfaceIndexToLuid := iphlpapi.NewProc("ConvertInterfaceIndexToLuid")
+
+	// Call the Windows API
+	ret, _, err := convertInterfaceIndexToLuid.Call(
+		uintptr(index),
+		uintptr(unsafe.Pointer(&luid)),
+	)
+
+	if ret != 0 {
+		return 0, fmt.Errorf("ConvertInterfaceIndexToLuid failed with code %d: %w", ret, err)
+	}
+
+	return luid, nil
+}
+
+// luidToGUID converts a Windows LUID (Locally Unique Identifier) to a GUID string
+// using the Windows ConvertInterface* APIs
+func luidToGUID(luid uint64) (string, error) {
+	var guid windows.GUID
+
+	// Load the iphlpapi.dll and get the ConvertInterfaceLuidToGuid function
+	iphlpapi := windows.NewLazySystemDLL("iphlpapi.dll")
+	convertLuidToGuid := iphlpapi.NewProc("ConvertInterfaceLuidToGuid")
+
+	// Call the Windows API
+	// NET_LUID is a 64-bit value on Windows
+	ret, _, err := convertLuidToGuid.Call(
+		uintptr(unsafe.Pointer(&luid)),
+		uintptr(unsafe.Pointer(&guid)),
+	)
+
+	if ret != 0 {
+		return "", fmt.Errorf("ConvertInterfaceLuidToGuid failed with code %d: %w", ret, err)
+	}
+
+	// Format the GUID as a string with curly braces
+	guidStr := fmt.Sprintf("{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",
+		guid.Data1, guid.Data2, guid.Data3,
+		guid.Data4[0], guid.Data4[1], guid.Data4[2], guid.Data4[3],
+		guid.Data4[4], guid.Data4[5], guid.Data4[6], guid.Data4[7])
+
+	return guidStr, nil
+}

go.mod

@@ -1,22 +1,35 @@
 module github.com/fosrl/olm
 
-go 1.25
+go 1.25.0
 
 require (
-	github.com/fosrl/newt v0.0.0-20250929233849-71c5bf7e65f7
-	github.com/vishvananda/netlink v1.3.1
-	golang.org/x/crypto v0.43.0
-	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792
-	golang.org/x/sys v0.37.0
+	github.com/Microsoft/go-winio v0.6.2
+	github.com/fosrl/newt v1.12.0
+	github.com/godbus/dbus/v5 v5.2.2
+	github.com/gorilla/websocket v1.5.3
+	github.com/miekg/dns v1.1.70
+	golang.org/x/sys v0.42.0
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
+	gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c
+	software.sslmate.com/src/go-pkcs12 v0.7.0
 )
 
 require (
-	github.com/gorilla/websocket v1.5.3 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/vishvananda/netlink v1.3.1 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
-	golang.org/x/net v0.45.0 // indirect
+	golang.org/x/crypto v0.49.0 // indirect
+	golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 // indirect
+	golang.org/x/mod v0.33.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
+	golang.org/x/tools v0.42.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	gvisor.dev/gvisor v0.0.0-20250718192347-d7830d968c56 // indirect
-	software.sslmate.com/src/go-pkcs12 v0.6.0 // indirect
+	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 )
+
+// To be used ONLY for local development
+// replace github.com/fosrl/newt => ../newt

go.sum

@@ -1,34 +1,48 @@
-github.com/fosrl/newt v0.0.0-20250929233849-71c5bf7e65f7 h1:6bSU8Efyhx1SR53iSw1Wjk5V8vDfizGAudq/GlE9b+o=
-github.com/fosrl/newt v0.0.0-20250929233849-71c5bf7e65f7/go.mod h1:Ac0k2FmAMC+hu21rAK+p7EnnEGrqKO/QZuGTVHA/XDM=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/fosrl/newt v1.12.0 h1:IodzVlsprOYkHvKrXwDfDTh2ZMtXV6IG1rhUj6Jhd44=
+github.com/fosrl/newt v1.12.0/go.mod h1:IJW2sZ4WKKLRuxMz6oBm8PMyAEVkOxZk6d1OUV5/LPM=
+github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
+github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/miekg/dns v1.1.70 h1:DZ4u2AV35VJxdD9Fo9fIWm119BsQL5cZU1cQ9s0LkqA=
+github.com/miekg/dns v1.1.70/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
 github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
 github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
 github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
-golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
-golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
-golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
-golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
-golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
+golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 h1:zfMcR1Cs4KNuomFFgGefv5N0czO2XZpUbxGUy8i8ug0=
+golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
-golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=
 golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 h1:3GDAcqdIg1ozBNLgPy4SLT84nfcBjr6rhGtXYtrkWLU=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10/go.mod h1:T97yPqesLiNrOYxkwmhMI0ZIlJDm+p0PMR8eRVeR5tQ=
-gvisor.dev/gvisor v0.0.0-20250718192347-d7830d968c56 h1:H+qymc2ndLKNFR5TcaPmsHGiJnhJMqeofBYSRq4oG3c=
-gvisor.dev/gvisor v0.0.0-20250718192347-d7830d968c56/go.mod h1:i8iCZyAdwRnLZYaIi2NUL1gfNtAveqxkKAe0JfAv9Bs=
-software.sslmate.com/src/go-pkcs12 v0.6.0 h1:f3sQittAeF+pao32Vb+mkli+ZyT+VwKaD014qFGq6oU=
-software.sslmate.com/src/go-pkcs12 v0.6.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
+golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
+golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
+gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c h1:m/r7OM+Y2Ty1sgBQ7Qb27VgIMBW8ZZhT4gLnUyDIhzI=
+gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c/go.mod h1:3r5CMtNQMKIvBlrmM9xWUNamjKBYPOWyXOjmg5Kts3g=
+software.sslmate.com/src/go-pkcs12 v0.7.0 h1:Db8W44cB54TWD7stUFFSWxdfpdn6fZVcDl0w3R4RVM0=
+software.sslmate.com/src/go-pkcs12 v0.7.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=

httpserver/httpserver.go

@@ -1,217 +0,0 @@
-package httpserver
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"sync"
-	"time"
-
-	"github.com/fosrl/newt/logger"
-)
-
-// ConnectionRequest defines the structure for an incoming connection request
-type ConnectionRequest struct {
-	ID       string `json:"id"`
-	Secret   string `json:"secret"`
-	Endpoint string `json:"endpoint"`
-}
-
-// PeerStatus represents the status of a peer connection
-type PeerStatus struct {
-	SiteID    int           `json:"siteId"`
-	Connected bool          `json:"connected"`
-	RTT       time.Duration `json:"rtt"`
-	LastSeen  time.Time     `json:"lastSeen"`
-	Endpoint  string        `json:"endpoint,omitempty"`
-	IsRelay   bool          `json:"isRelay"`
-}
-
-// StatusResponse is returned by the status endpoint
-type StatusResponse struct {
-	Status       string              `json:"status"`
-	Connected    bool                `json:"connected"`
-	TunnelIP     string              `json:"tunnelIP,omitempty"`
-	Version      string              `json:"version,omitempty"`
-	PeerStatuses map[int]*PeerStatus `json:"peers,omitempty"`
-}
-
-// HTTPServer represents the HTTP server and its state
-type HTTPServer struct {
-	addr           string
-	server         *http.Server
-	connectionChan chan ConnectionRequest
-	statusMu       sync.RWMutex
-	peerStatuses   map[int]*PeerStatus
-	connectedAt    time.Time
-	isConnected    bool
-	tunnelIP       string
-	version        string
-}
-
-// NewHTTPServer creates a new HTTP server
-func NewHTTPServer(addr string) *HTTPServer {
-	s := &HTTPServer{
-		addr:           addr,
-		connectionChan: make(chan ConnectionRequest, 1),
-		peerStatuses:   make(map[int]*PeerStatus),
-	}
-
-	return s
-}
-
-// Start starts the HTTP server
-func (s *HTTPServer) Start() error {
-	mux := http.NewServeMux()
-	mux.HandleFunc("/connect", s.handleConnect)
-	mux.HandleFunc("/status", s.handleStatus)
-
-	s.server = &http.Server{
-		Addr:    s.addr,
-		Handler: mux,
-	}
-
-	logger.Info("Starting HTTP server on %s", s.addr)
-	go func() {
-		if err := s.server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
-			logger.Error("HTTP server error: %v", err)
-		}
-	}()
-
-	return nil
-}
-
-// Stop stops the HTTP server
-func (s *HTTPServer) Stop() error {
-	logger.Info("Stopping HTTP server")
-	return s.server.Close()
-}
-
-// GetConnectionChannel returns the channel for receiving connection requests
-func (s *HTTPServer) GetConnectionChannel() <-chan ConnectionRequest {
-	return s.connectionChan
-}
-
-// UpdatePeerStatus updates the status of a peer including endpoint and relay info
-func (s *HTTPServer) UpdatePeerStatus(siteID int, connected bool, rtt time.Duration, endpoint string, isRelay bool) {
-	s.statusMu.Lock()
-	defer s.statusMu.Unlock()
-
-	status, exists := s.peerStatuses[siteID]
-	if !exists {
-		status = &PeerStatus{
-			SiteID: siteID,
-		}
-		s.peerStatuses[siteID] = status
-	}
-
-	status.Connected = connected
-	status.RTT = rtt
-	status.LastSeen = time.Now()
-	status.Endpoint = endpoint
-	status.IsRelay = isRelay
-}
-
-// SetConnectionStatus sets the overall connection status
-func (s *HTTPServer) SetConnectionStatus(isConnected bool) {
-	s.statusMu.Lock()
-	defer s.statusMu.Unlock()
-
-	s.isConnected = isConnected
-
-	if isConnected {
-		s.connectedAt = time.Now()
-	} else {
-		// Clear peer statuses when disconnected
-		s.peerStatuses = make(map[int]*PeerStatus)
-	}
-}
-
-// SetTunnelIP sets the tunnel IP address
-func (s *HTTPServer) SetTunnelIP(tunnelIP string) {
-	s.statusMu.Lock()
-	defer s.statusMu.Unlock()
-	s.tunnelIP = tunnelIP
-}
-
-// SetVersion sets the olm version
-func (s *HTTPServer) SetVersion(version string) {
-	s.statusMu.Lock()
-	defer s.statusMu.Unlock()
-	s.version = version
-}
-
-// UpdatePeerRelayStatus updates only the relay status of a peer
-func (s *HTTPServer) UpdatePeerRelayStatus(siteID int, endpoint string, isRelay bool) {
-	s.statusMu.Lock()
-	defer s.statusMu.Unlock()
-
-	status, exists := s.peerStatuses[siteID]
-	if !exists {
-		status = &PeerStatus{
-			SiteID: siteID,
-		}
-		s.peerStatuses[siteID] = status
-	}
-
-	status.Endpoint = endpoint
-	status.IsRelay = isRelay
-}
-
-// handleConnect handles the /connect endpoint
-func (s *HTTPServer) handleConnect(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodPost {
-		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
-		return
-	}
-
-	var req ConnectionRequest
-	decoder := json.NewDecoder(r.Body)
-	if err := decoder.Decode(&req); err != nil {
-		http.Error(w, fmt.Sprintf("Invalid request: %v", err), http.StatusBadRequest)
-		return
-	}
-
-	// Validate required fields
-	if req.ID == "" || req.Secret == "" || req.Endpoint == "" {
-		http.Error(w, "Missing required fields: id, secret, and endpoint must be provided", http.StatusBadRequest)
-		return
-	}
-
-	// Send the request to the main goroutine
-	s.connectionChan <- req
-
-	// Return a success response
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(http.StatusAccepted)
-	json.NewEncoder(w).Encode(map[string]string{
-		"status": "connection request accepted",
-	})
-}
-
-// handleStatus handles the /status endpoint
-func (s *HTTPServer) handleStatus(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodGet {
-		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
-		return
-	}
-
-	s.statusMu.RLock()
-	defer s.statusMu.RUnlock()
-
-	resp := StatusResponse{
-		Connected:    s.isConnected,
-		TunnelIP:     s.tunnelIP,
-		Version:      s.version,
-		PeerStatuses: s.peerStatuses,
-	}
-
-	if s.isConnected {
-		resp.Status = "connected"
-	} else {
-		resp.Status = "disconnected"
-	}
-
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(resp)
-}

main.go

@@ -2,55 +2,18 @@ package main
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
-	"net"
 	"os"
 	"os/signal"
 	"runtime"
-	"strconv"
-	"strings"
 	"syscall"
-	"time"
 
 	"github.com/fosrl/newt/logger"
 	"github.com/fosrl/newt/updates"
-	"github.com/fosrl/olm/httpserver"
-	"github.com/fosrl/olm/peermonitor"
-	"github.com/fosrl/olm/websocket"
-
-	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun"
-
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	olmpkg "github.com/fosrl/olm/olm"
 )
 
-// Helper function to format endpoints correctly
-func formatEndpoint(endpoint string) string {
-	if endpoint == "" {
-		return ""
-	}
-	// Check if it's already a valid host:port that SplitHostPort can parse (e.g., [::1]:8080 or 1.2.3.4:8080)
-	_, _, err := net.SplitHostPort(endpoint)
-	if err == nil {
-		return endpoint // Already valid, no change needed
-	}
-
-	// If it failed, it might be our malformed "ipv6:port" string. Let's check and fix it.
-	lastColon := strings.LastIndex(endpoint, ":")
-	if lastColon > 0 { // Ensure there is a colon and it's not the first character
-		hostPart := endpoint[:lastColon]
-		// Check if the host part is a literal IPv6 address
-		if ip := net.ParseIP(hostPart); ip != nil && ip.To4() == nil {
-			// It is! Reformat it with brackets.
-			portPart := endpoint[lastColon+1:]
-			return fmt.Sprintf("[%s]:%s", hostPart, portPart)
-		}
-	}
-
-	// If it's not the specific malformed case, return it as is.
-	return endpoint
-}
+var olmVersion = "version_replaceme"
 
 func main() {
 	// Check if we're running as a Windows service
@@ -193,17 +156,30 @@ func main() {
 		}
 	}
 
+	// Create a context that will be cancelled on interrupt signals
+	signalCtx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+	defer stop()
+
+	// Create a separate context for programmatic shutdown (e.g., via API exit)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
 	// Run in console mode
-	runOlmMain(context.Background())
+	runOlmMainWithArgs(ctx, cancel, signalCtx, os.Args[1:])
 }
 
-func runOlmMain(ctx context.Context) {
-	runOlmMainWithArgs(ctx, os.Args[1:])
-}
+func runOlmMainWithArgs(ctx context.Context, cancel context.CancelFunc, signalCtx context.Context, args []string) {
+	// Setup Windows event logging if on Windows
+	if runtime.GOOS == "windows" {
+		setupWindowsEventLog()
+	} else {
+		// Initialize logger for non-Windows platforms
+		logger.Init(nil)
+	}
 
-func runOlmMainWithArgs(ctx context.Context, args []string) {
 	// Load configuration from file, env vars, and CLI args
 	// Priority: CLI args > Env vars > Config file > Defaults
+	// Use the passed args parameter instead of os.Args[1:] to support Windows service mode
 	config, showVersion, showConfig, err := LoadConfig(args)
 	if err != nil {
 		fmt.Printf("Failed to load configuration: %v\n", err)
@@ -216,717 +192,79 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 		os.Exit(0)
 	}
 
-	// Extract commonly used values from config for convenience
-	var (
-		endpoint      = config.Endpoint
-		id            = config.ID
-		secret        = config.Secret
-		mtu           = config.MTU
-		logLevel      = config.LogLevel
-		interfaceName = config.InterfaceName
-		enableHTTP    = config.EnableHTTP
-		httpAddr      = config.HTTPAddr
-		pingInterval  = config.PingIntervalDuration
-		pingTimeout   = config.PingTimeoutDuration
-		doHolepunch   = config.Holepunch
-		privateKey    wgtypes.Key
-		connected     bool
-	)
-
-	stopHolepunch = make(chan struct{})
-	stopPing = make(chan struct{})
-
-	// Setup Windows event logging if on Windows
-	if runtime.GOOS == "windows" {
-		setupWindowsEventLog()
-	} else {
-		// Initialize logger for non-Windows platforms
-		logger.Init()
-	}
-	loggerLevel := parseLogLevel(logLevel)
-	logger.GetLogger().SetLevel(parseLogLevel(logLevel))
-
-	olmVersion := "version_replaceme"
 	if showVersion {
 		fmt.Println("Olm version " + olmVersion)
 		os.Exit(0)
 	}
-	logger.Info("Olm version " + olmVersion)
+	logger.Info("Olm version %s", olmVersion)
 
-	if err := updates.CheckForUpdate("fosrl", "olm", olmVersion); err != nil {
+	config.Version = olmVersion
+
+	if err := SaveConfig(config); err != nil {
+		logger.Error("Failed to save full olm config: %v", err)
+	} else {
+		logger.Debug("Saved full olm config with all options")
+	}
+
+	if err := updates.CheckForUpdate("fosrl", "olm", config.Version); err != nil {
 		logger.Debug("Failed to check for updates: %v", err)
 	}
 
-	// Log startup information
-	logger.Debug("Olm service starting...")
-	logger.Debug("Parameters: endpoint='%s', id='%s', secret='%s'", endpoint, id, secret)
-	logger.Debug("HTTP enabled: %v, HTTP addr: %s", enableHTTP, httpAddr)
-
-	if doHolepunch {
-		logger.Warn("Hole punching is enabled. This is EXPERIMENTAL and may not work in all environments.")
+	// Create a new olm.Config struct and copy values from the main config
+	olmConfig := olmpkg.OlmConfig{
+		LogLevel:     config.LogLevel,
+		EnableAPI:    config.EnableAPI,
+		HTTPAddr:     config.HTTPAddr,
+		SocketPath:   config.SocketPath,
+		Version:      config.Version,
+		Agent:        "Olm CLI",
+		OnExit:       cancel, // Pass cancel function directly to trigger shutdown
+		OnTerminated: cancel,
+		PprofAddr:    ":4444", // TODO: REMOVE OR MAKE CONFIGURABLE
 	}
 
-	var httpServer *httpserver.HTTPServer
-	if enableHTTP {
-		httpServer = httpserver.NewHTTPServer(httpAddr)
-		httpServer.SetVersion(olmVersion)
-		if err := httpServer.Start(); err != nil {
-			logger.Fatal("Failed to start HTTP server: %v", err)
-		}
-
-		// Use a goroutine to handle connection requests
-		go func() {
-			for req := range httpServer.GetConnectionChannel() {
-				logger.Info("Received connection request via HTTP: id=%s, endpoint=%s", req.ID, req.Endpoint)
-
-				// Set the connection parameters
-				id = req.ID
-				secret = req.Secret
-				endpoint = req.Endpoint
-			}
-		}()
-	}
-
-	// // Check if required parameters are missing and provide helpful guidance
-	// missingParams := []string{}
-	// if id == "" {
-	// 	missingParams = append(missingParams, "id (use -id flag or OLM_ID env var)")
-	// }
-	// if secret == "" {
-	// 	missingParams = append(missingParams, "secret (use -secret flag or OLM_SECRET env var)")
-	// }
-	// if endpoint == "" {
-	// 	missingParams = append(missingParams, "endpoint (use -endpoint flag or PANGOLIN_ENDPOINT env var)")
-	// }
-
-	// if len(missingParams) > 0 {
-	// 	logger.Error("Missing required parameters: %v", missingParams)
-	// 	logger.Error("Either provide them as command line flags or set as environment variables")
-	// 	fmt.Printf("ERROR: Missing required parameters: %v\n", missingParams)
-	// 	fmt.Printf("Please provide them as command line flags or set as environment variables\n")
-	// 	if !enableHTTP {
-	// 		logger.Error("HTTP server is disabled, cannot receive parameters via API")
-	// 		fmt.Printf("HTTP server is disabled, cannot receive parameters via API\n")
-	// 		return
-	// 	}
-	// }
-
-	// Create a new olm
-	olm, err := websocket.NewClient(
-		"olm",
-		id,     // CLI arg takes precedence
-		secret, // CLI arg takes precedence
-		endpoint,
-		pingInterval,
-		pingTimeout,
-	)
+	olm, err := olmpkg.Init(ctx, olmConfig)
 	if err != nil {
-		logger.Fatal("Failed to create olm: %v", err)
+		logger.Fatal("Failed to initialize olm: %v", err)
 	}
 
-	// wait until we have a client id and secret and endpoint
-	waitCount := 0
-	for id == "" || secret == "" || endpoint == "" {
-		select {
-		case <-ctx.Done():
-			logger.Info("Context cancelled while waiting for credentials")
-			return
-		default:
-			missing := []string{}
-			if id == "" {
-				missing = append(missing, "id")
-			}
-			if secret == "" {
-				missing = append(missing, "secret")
-			}
-			if endpoint == "" {
-				missing = append(missing, "endpoint")
-			}
-			waitCount++
-			if waitCount%10 == 1 { // Log every 10 seconds instead of every second
-				logger.Debug("Waiting for missing parameters: %v (waiting %d seconds)", missing, waitCount)
-			}
-			time.Sleep(1 * time.Second)
-		}
+	if err := olm.StartApi(); err != nil {
+		logger.Fatal("Failed to start API server: %v", err)
 	}
 
-	privateKey, err = wgtypes.GeneratePrivateKey()
-	if err != nil {
-		logger.Fatal("Failed to generate private key: %v", err)
+	if config.ID != "" && config.Secret != "" && config.Endpoint != "" {
+		tunnelConfig := olmpkg.TunnelConfig{
+			Endpoint:             config.Endpoint,
+			ID:                   config.ID,
+			Secret:               config.Secret,
+			UserToken:            config.UserToken,
+			MTU:                  config.MTU,
+			DNS:                  config.DNS,
+			UpstreamDNS:          config.UpstreamDNS,
+			InterfaceName:        config.InterfaceName,
+			Holepunch:            !config.DisableHolepunch,
+			TlsClientCert:        config.TlsClientCert,
+			PingIntervalDuration: config.PingIntervalDuration,
+			PingTimeoutDuration:  config.PingTimeoutDuration,
+			OrgID:                config.OrgID,
+			OverrideDNS:          config.OverrideDNS,
+			DisableRelay:         config.DisableRelay,
+			EnableUAPI:           true,
+		}
+		go olm.StartTunnel(tunnelConfig)
+	} else {
+		logger.Info("Incomplete tunnel configuration, not starting tunnel")
 	}
 
-	// Create TUN device and network stack
-	var dev *device.Device
-	var wgData WgData
-	var holePunchData HolePunchData
-	var uapiListener net.Listener
-	var tdev tun.Device
-
-	sourcePort, err := FindAvailableUDPPort(49152, 65535)
-	if err != nil {
-		fmt.Printf("Error finding available port: %v\n", err)
-		os.Exit(1)
-	}
-
-	olm.RegisterHandler("olm/wg/holepunch/all", func(msg websocket.WSMessage) {
-		logger.Debug("Received message: %v", msg.Data)
-
-		jsonData, err := json.Marshal(msg.Data)
-		if err != nil {
-			logger.Info("Error marshaling data: %v", err)
-			return
-		}
-
-		if err := json.Unmarshal(jsonData, &holePunchData); err != nil {
-			logger.Info("Error unmarshaling target data: %v", err)
-			return
-		}
-
-		// Create a new stopHolepunch channel for the new set of goroutines
-		stopHolepunch = make(chan struct{})
-
-		// Start a single hole punch goroutine for all exit nodes
-		logger.Info("Starting hole punch for %d exit nodes", len(holePunchData.ExitNodes))
-		go keepSendingUDPHolePunchToMultipleExitNodes(holePunchData.ExitNodes, id, sourcePort)
-	})
-
-	olm.RegisterHandler("olm/wg/holepunch", func(msg websocket.WSMessage) {
-		// THIS ENDPOINT IS FOR BACKWARD COMPATIBILITY
-		logger.Debug("Received message: %v", msg.Data)
-
-		type LegacyHolePunchData struct {
-			ServerPubKey string `json:"serverPubKey"`
-			Endpoint     string `json:"endpoint"`
-		}
-
-		var legacyHolePunchData LegacyHolePunchData
-
-		jsonData, err := json.Marshal(msg.Data)
-		if err != nil {
-			logger.Info("Error marshaling data: %v", err)
-			return
-		}
-
-		if err := json.Unmarshal(jsonData, &legacyHolePunchData); err != nil {
-			logger.Info("Error unmarshaling target data: %v", err)
-			return
-		}
-
-		// Stop any existing hole punch goroutines by closing the current channel
-		select {
-		case <-stopHolepunch:
-			// Channel already closed
-		default:
-			close(stopHolepunch)
-		}
-
-		// Create a new stopHolepunch channel for the new set of goroutines
-		stopHolepunch = make(chan struct{})
-
-		// Start hole punching for each exit node
-		logger.Info("Starting hole punch for exit node: %s with public key: %s", legacyHolePunchData.Endpoint, legacyHolePunchData.ServerPubKey)
-		go keepSendingUDPHolePunch(legacyHolePunchData.Endpoint, id, sourcePort, legacyHolePunchData.ServerPubKey)
-	})
-
-	olm.RegisterHandler("olm/wg/connect", func(msg websocket.WSMessage) {
-		logger.Debug("Received message: %v", msg.Data)
-
-		if connected {
-			logger.Info("Already connected. Ignoring new connection request.")
-			return
-		}
-
-		if stopRegister != nil {
-			stopRegister()
-			stopRegister = nil
-		}
-
-		close(stopHolepunch)
-
-		// wait 10 milliseconds to ensure the previous connection is closed
-		logger.Debug("Waiting 500 milliseconds to ensure previous connection is closed")
-		time.Sleep(500 * time.Millisecond)
-
-		// if there is an existing tunnel then close it
-		if dev != nil {
-			logger.Info("Got new message. Closing existing tunnel!")
-			dev.Close()
-		}
-
-		jsonData, err := json.Marshal(msg.Data)
-		if err != nil {
-			logger.Info("Error marshaling data: %v", err)
-			return
-		}
-
-		if err := json.Unmarshal(jsonData, &wgData); err != nil {
-			logger.Info("Error unmarshaling target data: %v", err)
-			return
-		}
-
-		tdev, err = func() (tun.Device, error) {
-			if runtime.GOOS == "darwin" {
-				interfaceName, err := findUnusedUTUN()
-				if err != nil {
-					return nil, err
-				}
-				return tun.CreateTUN(interfaceName, mtu)
-			}
-			if tunFdStr := os.Getenv(ENV_WG_TUN_FD); tunFdStr != "" {
-				return createTUNFromFD(tunFdStr, mtu)
-			}
-			return tun.CreateTUN(interfaceName, mtu)
-		}()
-
-		if err != nil {
-			logger.Error("Failed to create TUN device: %v", err)
-			return
-		}
-
-		if realInterfaceName, err2 := tdev.Name(); err2 == nil {
-			interfaceName = realInterfaceName
-		}
-
-		fileUAPI, err := func() (*os.File, error) {
-			if uapiFdStr := os.Getenv(ENV_WG_UAPI_FD); uapiFdStr != "" {
-				fd, err := strconv.ParseUint(uapiFdStr, 10, 32)
-				if err != nil {
-					return nil, err
-				}
-				return os.NewFile(uintptr(fd), ""), nil
-			}
-			return uapiOpen(interfaceName)
-		}()
-		if err != nil {
-			logger.Error("UAPI listen error: %v", err)
-			os.Exit(1)
-			return
-		}
-
-		dev = device.NewDevice(tdev, NewFixedPortBind(uint16(sourcePort)), device.NewLogger(mapToWireGuardLogLevel(loggerLevel), "wireguard: "))
-
-		uapiListener, err = uapiListen(interfaceName, fileUAPI)
-		if err != nil {
-			logger.Error("Failed to listen on uapi socket: %v", err)
-			os.Exit(1)
-		}
-
-		go func() {
-			for {
-				conn, err := uapiListener.Accept()
-				if err != nil {
-					return
-				}
-				go dev.IpcHandle(conn)
-			}
-		}()
-		logger.Info("UAPI listener started")
-
-		if err = dev.Up(); err != nil {
-			logger.Error("Failed to bring up WireGuard device: %v", err)
-		}
-		if err = ConfigureInterface(interfaceName, wgData); err != nil {
-			logger.Error("Failed to configure interface: %v", err)
-		}
-		if httpServer != nil {
-			httpServer.SetTunnelIP(wgData.TunnelIP)
-		}
-
-		peerMonitor = peermonitor.NewPeerMonitor(
-			func(siteID int, connected bool, rtt time.Duration) {
-				if httpServer != nil {
-					// Find the site config to get endpoint information
-					var endpoint string
-					var isRelay bool
-					for _, site := range wgData.Sites {
-						if site.SiteId == siteID {
-							endpoint = site.Endpoint
-							// TODO: We'll need to track relay status separately
-							// For now, assume not using relay unless we get relay data
-							isRelay = !doHolepunch
-							break
-						}
-					}
-					httpServer.UpdatePeerStatus(siteID, connected, rtt, endpoint, isRelay)
-				}
-				if connected {
-					logger.Info("Peer %d is now connected (RTT: %v)", siteID, rtt)
-				} else {
-					logger.Warn("Peer %d is disconnected", siteID)
-				}
-			},
-			fixKey(privateKey.String()),
-			olm,
-			dev,
-			doHolepunch,
-		)
-
-		for i := range wgData.Sites {
-			site := &wgData.Sites[i] // Use a pointer to modify the struct in the slice
-			if httpServer != nil {
-				httpServer.UpdatePeerStatus(site.SiteId, false, 0, site.Endpoint, false)
-			}
-
-			// Format the endpoint before configuring the peer.
-			site.Endpoint = formatEndpoint(site.Endpoint)
-
-			if err := ConfigurePeer(dev, *site, privateKey, endpoint); err != nil {
-				logger.Error("Failed to configure peer: %v", err)
-				return
-			}
-			if err := addRouteForServerIP(site.ServerIP, interfaceName); err != nil {
-				logger.Error("Failed to add route for peer: %v", err)
-				return
-			}
-			if err := addRoutesForRemoteSubnets(site.RemoteSubnets, interfaceName); err != nil {
-				logger.Error("Failed to add routes for remote subnets: %v", err)
-				return
-			}
-
-			logger.Info("Configured peer %s", site.PublicKey)
-		}
-
-		peerMonitor.Start()
-
-		connected = true
-
-		logger.Info("WireGuard device created.")
-	})
-
-	olm.RegisterHandler("olm/wg/peer/update", func(msg websocket.WSMessage) {
-		logger.Debug("Received update-peer message: %v", msg.Data)
-
-		jsonData, err := json.Marshal(msg.Data)
-		if err != nil {
-			logger.Error("Error marshaling data: %v", err)
-			return
-		}
-
-		var updateData UpdatePeerData
-		if err := json.Unmarshal(jsonData, &updateData); err != nil {
-			logger.Error("Error unmarshaling update data: %v", err)
-			return
-		}
-
-		// Convert to SiteConfig
-		siteConfig := SiteConfig{
-			SiteId:        updateData.SiteId,
-			Endpoint:      updateData.Endpoint,
-			PublicKey:     updateData.PublicKey,
-			ServerIP:      updateData.ServerIP,
-			ServerPort:    updateData.ServerPort,
-			RemoteSubnets: updateData.RemoteSubnets,
-		}
-
-		// Update the peer in WireGuard
-		if dev != nil {
-			// Find the existing peer to get old data
-			var oldRemoteSubnets string
-			var oldPublicKey string
-			for _, site := range wgData.Sites {
-				if site.SiteId == updateData.SiteId {
-					oldRemoteSubnets = site.RemoteSubnets
-					oldPublicKey = site.PublicKey
-					break
-				}
-			}
-
-			// If the public key has changed, remove the old peer first
-			if oldPublicKey != "" && oldPublicKey != updateData.PublicKey {
-				logger.Info("Public key changed for site %d, removing old peer with key %s", updateData.SiteId, oldPublicKey)
-				if err := RemovePeer(dev, updateData.SiteId, oldPublicKey); err != nil {
-					logger.Error("Failed to remove old peer: %v", err)
-					return
-				}
-			}
-
-			// Format the endpoint before updating the peer.
-			siteConfig.Endpoint = formatEndpoint(siteConfig.Endpoint)
-
-			if err := ConfigurePeer(dev, siteConfig, privateKey, endpoint); err != nil {
-				logger.Error("Failed to update peer: %v", err)
-				return
-			}
-
-			// Remove old remote subnet routes if they changed
-			if oldRemoteSubnets != siteConfig.RemoteSubnets {
-				if err := removeRoutesForRemoteSubnets(oldRemoteSubnets); err != nil {
-					logger.Error("Failed to remove old remote subnet routes: %v", err)
-					// Continue anyway to add new routes
-				}
-
-				// Add new remote subnet routes
-				if err := addRoutesForRemoteSubnets(siteConfig.RemoteSubnets, interfaceName); err != nil {
-					logger.Error("Failed to add new remote subnet routes: %v", err)
-					return
-				}
-			}
-
-			// Update successful
-			logger.Info("Successfully updated peer for site %d", updateData.SiteId)
-			for i := range wgData.Sites {
-				if wgData.Sites[i].SiteId == updateData.SiteId {
-					wgData.Sites[i] = siteConfig
-					break
-				}
-			}
-		} else {
-			logger.Error("WireGuard device not initialized")
-		}
-	})
-
-	// Handler for adding a new peer
-	olm.RegisterHandler("olm/wg/peer/add", func(msg websocket.WSMessage) {
-		logger.Debug("Received add-peer message: %v", msg.Data)
-
-		jsonData, err := json.Marshal(msg.Data)
-		if err != nil {
-			logger.Error("Error marshaling data: %v", err)
-			return
-		}
-
-		var addData AddPeerData
-		if err := json.Unmarshal(jsonData, &addData); err != nil {
-			logger.Error("Error unmarshaling add data: %v", err)
-			return
-		}
-
-		// Convert to SiteConfig
-		siteConfig := SiteConfig{
-			SiteId:        addData.SiteId,
-			Endpoint:      addData.Endpoint,
-			PublicKey:     addData.PublicKey,
-			ServerIP:      addData.ServerIP,
-			ServerPort:    addData.ServerPort,
-			RemoteSubnets: addData.RemoteSubnets,
-		}
-
-		// Add the peer to WireGuard
-		if dev != nil {
-			// Format the endpoint before adding the new peer.
-			siteConfig.Endpoint = formatEndpoint(siteConfig.Endpoint)
-
-			if err := ConfigurePeer(dev, siteConfig, privateKey, endpoint); err != nil {
-				logger.Error("Failed to add peer: %v", err)
-				return
-			}
-			if err := addRouteForServerIP(siteConfig.ServerIP, interfaceName); err != nil {
-				logger.Error("Failed to add route for new peer: %v", err)
-				return
-			}
-			if err := addRoutesForRemoteSubnets(siteConfig.RemoteSubnets, interfaceName); err != nil {
-				logger.Error("Failed to add routes for remote subnets: %v", err)
-				return
-			}
-
-			// Add successful
-			logger.Info("Successfully added peer for site %d", addData.SiteId)
-
-			// Update WgData with the new peer
-			wgData.Sites = append(wgData.Sites, siteConfig)
-		} else {
-			logger.Error("WireGuard device not initialized")
-		}
-	})
-
-	// Handler for removing a peer
-	olm.RegisterHandler("olm/wg/peer/remove", func(msg websocket.WSMessage) {
-		logger.Debug("Received remove-peer message: %v", msg.Data)
-
-		jsonData, err := json.Marshal(msg.Data)
-		if err != nil {
-			logger.Error("Error marshaling data: %v", err)
-			return
-		}
-
-		var removeData RemovePeerData
-		if err := json.Unmarshal(jsonData, &removeData); err != nil {
-			logger.Error("Error unmarshaling remove data: %v", err)
-			return
-		}
-
-		// Find the peer to remove
-		var peerToRemove *SiteConfig
-		var newSites []SiteConfig
-
-		for _, site := range wgData.Sites {
-			if site.SiteId == removeData.SiteId {
-				peerToRemove = &site
-			} else {
-				newSites = append(newSites, site)
-			}
-		}
-
-		if peerToRemove == nil {
-			logger.Error("Peer with site ID %d not found", removeData.SiteId)
-			return
-		}
-
-		// Remove the peer from WireGuard
-		if dev != nil {
-			if err := RemovePeer(dev, removeData.SiteId, peerToRemove.PublicKey); err != nil {
-				logger.Error("Failed to remove peer: %v", err)
-				// Send error response if needed
-				return
-			}
-
-			// Remove route for the peer
-			err = removeRouteForServerIP(peerToRemove.ServerIP)
-			if err != nil {
-				logger.Error("Failed to remove route for peer: %v", err)
-				return
-			}
-
-			// Remove routes for remote subnets
-			if err := removeRoutesForRemoteSubnets(peerToRemove.RemoteSubnets); err != nil {
-				logger.Error("Failed to remove routes for remote subnets: %v", err)
-				return
-			}
-
-			// Remove successful
-			logger.Info("Successfully removed peer for site %d", removeData.SiteId)
-
-			// Update WgData to remove the peer
-			wgData.Sites = newSites
-		} else {
-			logger.Error("WireGuard device not initialized")
-		}
-	})
-
-	olm.RegisterHandler("olm/wg/peer/relay", func(msg websocket.WSMessage) {
-		logger.Debug("Received relay-peer message: %v", msg.Data)
-
-		jsonData, err := json.Marshal(msg.Data)
-		if err != nil {
-			logger.Error("Error marshaling data: %v", err)
-			return
-		}
-
-		var relayData RelayPeerData
-		if err := json.Unmarshal(jsonData, &relayData); err != nil {
-			logger.Error("Error unmarshaling relay data: %v", err)
-			return
-		}
-
-		primaryRelay, err := resolveDomain(relayData.Endpoint)
-		if err != nil {
-			logger.Warn("Failed to resolve primary relay endpoint: %v", err)
-		}
-
-		// Update HTTP server to mark this peer as using relay
-		if httpServer != nil {
-			httpServer.UpdatePeerRelayStatus(relayData.SiteId, relayData.Endpoint, true)
-		}
-
-		peerMonitor.HandleFailover(relayData.SiteId, primaryRelay)
-	})
-
-	olm.RegisterHandler("olm/register/no-sites", func(msg websocket.WSMessage) {
-		logger.Info("Received no-sites message - no sites available for connection")
-
-		// if stopRegister != nil {
-		// 	stopRegister()
-		// 	stopRegister = nil
-		// }
-
-		// select {
-		// case <-stopHolepunch:
-		// 	// Channel already closed, do nothing
-		// default:
-		// 	close(stopHolepunch)
-		// }
-
-		logger.Info("No sites available - stopped registration and holepunch processes")
-	})
-
-	olm.RegisterHandler("olm/terminate", func(msg websocket.WSMessage) {
-		logger.Info("Received terminate message")
-		olm.Close()
-	})
-
-	olm.OnConnect(func() error {
-		logger.Info("Websocket Connected")
-
-		if httpServer != nil {
-			httpServer.SetConnectionStatus(true)
-		}
-
-		// CRITICAL: Save our full config AFTER websocket saves its limited config
-		// This ensures all 13 fields are preserved, not just the 4 that websocket saves
-		if err := SaveConfig(config); err != nil {
-			logger.Error("Failed to save full olm config: %v", err)
-		} else {
-			logger.Debug("Saved full olm config with all options")
-		}
-
-		if connected {
-			logger.Debug("Already connected, skipping registration")
-			return nil
-		}
-
-		publicKey := privateKey.PublicKey()
-
-		logger.Debug("Sending registration message to server with public key: %s and relay: %v", publicKey, !doHolepunch)
-
-		stopRegister = olm.SendMessageInterval("olm/wg/register", map[string]interface{}{
-			"publicKey":  publicKey.String(),
-			"relay":      !doHolepunch,
-			"olmVersion": olmVersion,
-		}, 1*time.Second)
-
-		go keepSendingPing(olm)
-
-		logger.Info("Sent registration message")
-		return nil
-	})
-
-	olm.OnTokenUpdate(func(token string) {
-		olmToken = token
-	})
-
-	// Connect to the WebSocket server
-	if err := olm.Connect(); err != nil {
-		logger.Fatal("Failed to connect to server: %v", err)
-	}
-	defer olm.Close()
-
-	// Wait for interrupt signal or context cancellation
-	sigCh := make(chan os.Signal, 1)
-	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
-
+	// Wait for either signal or programmatic shutdown
 	select {
-	case <-sigCh:
-		logger.Info("Received interrupt signal")
+	case <-signalCtx.Done():
+		logger.Info("Shutdown signal received, cleaning up...")
 	case <-ctx.Done():
-		logger.Info("Context cancelled")
+		logger.Info("Shutdown requested via API, cleaning up...")
 	}
 
-	select {
-	case <-stopHolepunch:
-		// Channel already closed, do nothing
-	default:
-		close(stopHolepunch)
-	}
-
-	if stopRegister != nil {
-		stopRegister()
-		stopRegister = nil
-	}
-
-	select {
-	case <-stopPing:
-		// Channel already closed
-	default:
-		close(stopPing)
-	}
-
-	if uapiListener != nil {
-		uapiListener.Close()
-	}
-	if dev != nil {
-		dev.Close()
-	}
-
-	logger.Info("runOlmMain() exiting")
-	fmt.Printf("runOlmMain() exiting\n")
+	// Clean up resources
+	olm.Close()
+	logger.Info("Shutdown complete")
 }

namespace.sh

@@ -0,0 +1,126 @@
+#!/bin/bash
+
+# Configuration
+NS_NAME="isolated_ns"       # Name of the namespace
+VETH_HOST="veth_host"       # Interface name on host side
+VETH_NS="veth_ns"           # Interface name inside namespace
+HOST_IP="192.168.15.1"      # Gateway IP for the namespace (host side)
+NS_IP="192.168.15.2"        # IP address for the namespace
+SUBNET_CIDR="24"            # Subnet mask
+DNS_SERVER="8.8.8.8"        # DNS to use inside namespace
+
+# Detect the main physical interface (gateway to internet)
+PHY_IFACE=$(ip route get 8.8.8.8 | awk -- '{printf $5}')
+
+# Helper function to check for root
+check_root() {
+    if [ "$EUID" -ne 0 ]; then
+        echo "Error: This script must be run as root."
+        exit 1
+    fi
+}
+
+setup_ns() {
+    echo "Bringing up namespace '$NS_NAME'..."
+
+    # 1. Create the network namespace
+    if ip netns list | grep -q "$NS_NAME"; then
+        echo "Namespace $NS_NAME already exists. Run 'down' first."
+        exit 1
+    fi
+    ip netns add "$NS_NAME"
+
+    # 2. Create veth pair
+    ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
+
+    # 3. Move peer interface to namespace
+    ip link set "$VETH_NS" netns "$NS_NAME"
+
+    # 4. Configure Host Side Interface
+    ip addr add "${HOST_IP}/${SUBNET_CIDR}" dev "$VETH_HOST"
+    ip link set "$VETH_HOST" up
+
+    # 5. Configure Namespace Side Interface
+    ip netns exec "$NS_NAME" ip addr add "${NS_IP}/${SUBNET_CIDR}" dev "$VETH_NS"
+    ip netns exec "$NS_NAME" ip link set "$VETH_NS" up
+    
+    # 6. Bring up loopback inside namespace (crucial for many apps)
+    ip netns exec "$NS_NAME" ip link set lo up
+
+    # 7. Routing: Add default gateway inside namespace pointing to host
+    ip netns exec "$NS_NAME" ip route add default via "$HOST_IP"
+
+    # 8. Enable IP forwarding on host
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    # 9. NAT/Masquerade: Allow traffic from namespace to go out physical interface
+    # We verify rule doesn't exist first to avoid duplicates
+    iptables -t nat -C POSTROUTING -s "${NS_IP}/${SUBNET_CIDR}" -o "$PHY_IFACE" -j MASQUERADE 2>/dev/null || \
+    iptables -t nat -A POSTROUTING -s "${NS_IP}/${SUBNET_CIDR}" -o "$PHY_IFACE" -j MASQUERADE
+
+    # Allow forwarding from host veth to WAN and back
+    iptables -C FORWARD -i "$VETH_HOST" -o "$PHY_IFACE" -j ACCEPT 2>/dev/null || \
+    iptables -A FORWARD -i "$VETH_HOST" -o "$PHY_IFACE" -j ACCEPT
+
+    iptables -C FORWARD -i "$PHY_IFACE" -o "$VETH_HOST" -j ACCEPT 2>/dev/null || \
+    iptables -A FORWARD -i "$PHY_IFACE" -o "$VETH_HOST" -j ACCEPT
+
+    # 10. DNS Setup
+    # Netns uses /etc/netns/<name>/resolv.conf if it exists
+    mkdir -p "/etc/netns/$NS_NAME"
+    echo "nameserver $DNS_SERVER" > "/etc/netns/$NS_NAME/resolv.conf"
+
+    echo "Namespace $NS_NAME is UP."
+    echo "To enter shell: sudo ip netns exec $NS_NAME bash"
+}
+
+teardown_ns() {
+    echo "Tearing down namespace '$NS_NAME'..."
+
+    # 1. Remove Namespace (this automatically deletes the veth pair inside it)
+    # The host side veth usually disappears when the peer is destroyed.
+    if ip netns list | grep -q "$NS_NAME"; then
+        ip netns del "$NS_NAME"
+    else
+        echo "Namespace $NS_NAME does not exist."
+    fi
+
+    # 2. Clean up veth host side if it still lingers
+    if ip link show "$VETH_HOST" > /dev/null 2>&1; then
+        ip link delete "$VETH_HOST"
+    fi
+
+    # 3. Remove iptables rules
+    # We use -D to delete the specific rules we added
+    iptables -t nat -D POSTROUTING -s "${NS_IP}/${SUBNET_CIDR}" -o "$PHY_IFACE" -j MASQUERADE 2>/dev/null
+    iptables -D FORWARD -i "$VETH_HOST" -o "$PHY_IFACE" -j ACCEPT 2>/dev/null
+    iptables -D FORWARD -i "$PHY_IFACE" -o "$VETH_HOST" -j ACCEPT 2>/dev/null
+
+    # 4. Remove DNS config
+    rm -rf "/etc/netns/$NS_NAME"
+
+    echo "Namespace $NS_NAME is DOWN."
+}
+
+test_connectivity() {
+    echo "Testing connectivity inside $NS_NAME..."
+    ip netns exec "$NS_NAME" ping -c 3 8.8.8.8
+}
+
+# Main execution logic
+check_root
+
+case "$1" in
+    up)
+        setup_ns
+        ;;
+    down)
+        teardown_ns
+        ;;
+    test)
+        test_connectivity
+        ;;
+    *)
+        echo "Usage: $0 {up|down|test}"
+        exit 1
+esac

olm.iss

@@ -32,7 +32,7 @@ DefaultGroupName={#MyAppName}
 DisableProgramGroupPage=yes
 ; Uncomment the following line to run in non administrative install mode (install for current user only).
 ;PrivilegesRequired=lowest
-OutputBaseFilename=mysetup
+OutputBaseFilename=olm_windows_installer
 SolidCompression=yes
 WizardStyle=modern
 ; Add this to ensure PATH changes are applied and the system is prompted for a restart if needed
@@ -44,8 +44,8 @@ Name: "english"; MessagesFile: "compiler:Default.isl"
 
 [Files]
 ; The 'DestName' flag ensures that 'olm_windows_amd64.exe' is installed as 'olm.exe'
-Source: "C:\Users\Administrator\Downloads\olm_windows_amd64.exe"; DestDir: "{app}"; DestName: "{#MyAppExeName}"; Flags: ignoreversion
-Source: "C:\Users\Administrator\Downloads\wintun.dll"; DestDir: "{app}"; Flags: ignoreversion
+Source: "Z:\olm_windows_amd64.exe"; DestDir: "{app}"; DestName: "{#MyAppExeName}"; Flags: ignoreversion
+Source: "Z:\wintun.dll"; DestDir: "{app}"; Flags: ignoreversion
 ; NOTE: Don't use "Flags: ignoreversion" on any shared system files
 
 [Icons]
@@ -57,13 +57,13 @@ Name: "{group}\{#MyAppName}"; Filename: "{app}\{#MyAppExeName}"
 ; The 'Path' variable is located under 'SYSTEM\CurrentControlSet\Control\Session Manager\Environment'.
 ; ValueType: expandsz allows for environment variables (like %ProgramFiles%) in the path.
 ; ValueData: "{olddata};{app}" appends the current application directory to the existing PATH.
-; Flags: uninsdeletevalue ensures the entry is removed upon uninstallation.
-; Check: IsWin64 ensures this is applied on 64-bit systems, which matches ArchitecturesAllowed.
+; Note: Removal during uninstallation is handled by CurUninstallStepChanged procedure in [Code] section.
+; Check: NeedsAddPath ensures this is applied only if the path is not already present.
 [Registry]
 ; Add the application's installation directory to the system PATH.
 Root: HKLM; Subkey: "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"; \
     ValueType: expandsz; ValueName: "Path"; ValueData: "{olddata};{app}"; \
-    Flags: uninsdeletevalue; Check: NeedsAddPath(ExpandConstant('{app}'))
+    Check: NeedsAddPath(ExpandConstant('{app}'))
 
 [Code]
 function NeedsAddPath(Path: string): boolean;
@@ -85,4 +85,68 @@ begin
     Result := False
   else
     Result := True;
+end;
+
+procedure RemovePathEntry(PathToRemove: string);
+var
+  OrigPath: string;
+  NewPath: string;
+  PathList: TStringList;
+  I: Integer;
+begin
+  if not RegQueryStringValue(HKEY_LOCAL_MACHINE,
+    'SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
+    'Path', OrigPath)
+  then begin
+    // Path variable doesn't exist, nothing to remove
+    exit;
+  end;
+
+  // Create a string list to parse the PATH entries
+  PathList := TStringList.Create;
+  try
+    // Split the PATH by semicolons
+    PathList.Delimiter := ';';
+    PathList.StrictDelimiter := True;
+    PathList.DelimitedText := OrigPath;
+    
+    // Find and remove the matching entry (case-insensitive)
+    for I := PathList.Count - 1 downto 0 do
+    begin
+      if CompareText(Trim(PathList[I]), Trim(PathToRemove)) = 0 then
+      begin
+        Log('Found and removing PATH entry: ' + PathList[I]);
+        PathList.Delete(I);
+      end;
+    end;
+    
+    // Reconstruct the PATH
+    NewPath := PathList.DelimitedText;
+    
+    // Write the new PATH back to the registry
+    if RegWriteExpandStringValue(HKEY_LOCAL_MACHINE,
+      'SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
+      'Path', NewPath)
+    then
+      Log('Successfully removed path entry: ' + PathToRemove)
+    else
+      Log('Failed to write modified PATH to registry');
+  finally
+    PathList.Free;
+  end;
+end;
+
+procedure CurUninstallStepChanged(CurUninstallStep: TUninstallStep);
+var
+  AppPath: string;
+begin
+  if CurUninstallStep = usUninstall then
+  begin
+    // Get the application installation path
+    AppPath := ExpandConstant('{app}');
+    Log('Removing PATH entry for: ' + AppPath);
+    
+    // Remove only our path entry from the system PATH
+    RemovePathEntry(AppPath);
+  end;
 end;

olm/connect.go

@@ -0,0 +1,336 @@
+package olm
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"runtime"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/fosrl/newt/logger"
+	"github.com/fosrl/newt/network"
+	olmDevice "github.com/fosrl/olm/device"
+	"github.com/fosrl/olm/dns"
+	dnsOverride "github.com/fosrl/olm/dns/override"
+	"github.com/fosrl/olm/peers"
+	"github.com/fosrl/olm/websocket"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun"
+)
+
+// OlmErrorData represents the error data sent from the server
+type OlmErrorData struct {
+	Code    string `json:"code"`
+	Message string `json:"message"`
+}
+
+func (o *Olm) handleConnect(msg websocket.WSMessage) {
+	logger.Debug("Received message: %v", msg.Data)
+
+	// Check if tunnel is still running
+	if !o.tunnelRunning {
+		logger.Debug("Tunnel stopped, ignoring connect message")
+		return
+	}
+
+	var wgData WgData
+
+	if o.registered {
+		logger.Info("Already connected. Ignoring new connection request.")
+		return
+	}
+
+	if o.stopRegister != nil {
+		o.stopRegister()
+		o.stopRegister = nil
+	}
+
+	if o.updateRegister != nil {
+		o.updateRegister = nil
+	}
+
+	// if there is an existing tunnel then close it
+	if o.dev != nil {
+		logger.Info("Got new message. Closing existing tunnel!")
+		o.dev.Close()
+	}
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Info("Error marshaling data: %v", err)
+		return
+	}
+
+	if err := json.Unmarshal(jsonData, &wgData); err != nil {
+		logger.Info("Error unmarshaling target data: %v", err)
+		return
+	}
+
+	o.tdev, err = func() (tun.Device, error) {
+		if o.tunnelConfig.FileDescriptorTun != 0 {
+			return olmDevice.CreateTUNFromFD(o.tunnelConfig.FileDescriptorTun, o.tunnelConfig.MTU)
+		}
+		ifName := o.tunnelConfig.InterfaceName
+		if runtime.GOOS == "darwin" { // this is if we dont pass a fd
+			ifName, err = network.FindUnusedUTUN()
+			if err != nil {
+				return nil, err
+			}
+		}
+		return tun.CreateTUN(ifName, o.tunnelConfig.MTU)
+	}()
+	if err != nil {
+		logger.Error("Failed to create TUN device: %v", err)
+		return
+	}
+
+	// if config.FileDescriptorTun == 0 {
+	if realInterfaceName, err2 := o.tdev.Name(); err2 == nil { // if the interface is defined then this should not really do anything?
+		o.tunnelConfig.InterfaceName = realInterfaceName
+	}
+	// }
+
+	// Wrap TUN device with packet filter for DNS proxy
+	o.middleDev = olmDevice.NewMiddleDevice(o.tdev)
+
+	wgLogger := logger.GetLogger().GetWireGuardLogger("wireguard: ")
+	// Use filtered device instead of raw TUN device
+	o.dev = device.NewDevice(o.middleDev, o.sharedBind, (*device.Logger)(wgLogger))
+
+	if o.tunnelConfig.EnableUAPI {
+		fileUAPI, err := func() (*os.File, error) {
+			if o.tunnelConfig.FileDescriptorUAPI != 0 {
+				fd, err := strconv.ParseUint(fmt.Sprintf("%d", o.tunnelConfig.FileDescriptorUAPI), 10, 32)
+				if err != nil {
+					return nil, fmt.Errorf("invalid UAPI file descriptor: %v", err)
+				}
+				return os.NewFile(uintptr(fd), ""), nil
+			}
+			return olmDevice.UapiOpen(o.tunnelConfig.InterfaceName)
+		}()
+		if err != nil {
+			logger.Error("UAPI listen error: %v", err)
+			os.Exit(1)
+			return
+		}
+
+		o.uapiListener, err = olmDevice.UapiListen(o.tunnelConfig.InterfaceName, fileUAPI)
+		if err != nil {
+			logger.Error("Failed to listen on uapi socket: %v", err)
+			os.Exit(1)
+		}
+
+		go func() {
+			for {
+				conn, err := o.uapiListener.Accept()
+				if err != nil {
+					return
+				}
+				go o.dev.IpcHandle(conn)
+			}
+		}()
+		logger.Info("UAPI listener started")
+	}
+
+	if err = o.dev.Up(); err != nil {
+		logger.Error("Failed to bring up WireGuard device: %v", err)
+	}
+
+	// Extract interface IP (strip CIDR notation if present)
+	interfaceIP := wgData.TunnelIP
+	if strings.Contains(interfaceIP, "/") {
+		interfaceIP = strings.Split(interfaceIP, "/")[0]
+	}
+
+	// Create and start DNS proxy
+	o.dnsProxy, err = dns.NewDNSProxy(o.middleDev, o.tunnelConfig.MTU, wgData.UtilitySubnet, o.tunnelConfig.UpstreamDNS, o.tunnelConfig.TunnelDNS, interfaceIP)
+	if err != nil {
+		logger.Error("Failed to create DNS proxy: %v", err)
+	}
+
+	if err = network.ConfigureInterface(o.tunnelConfig.InterfaceName, wgData.TunnelIP, o.tunnelConfig.MTU); err != nil {
+		logger.Error("Failed to o.tunnelConfigure interface: %v", err)
+	}
+
+	if network.AddRoutes([]string{wgData.UtilitySubnet}, o.tunnelConfig.InterfaceName); err != nil { // also route the utility subnet
+		logger.Error("Failed to add route for utility subnet: %v", err)
+	}
+
+	// Create peer manager with integrated peer monitoring
+	o.peerManager = peers.NewPeerManager(peers.PeerManagerConfig{
+		Device:        o.dev,
+		DNSProxy:      o.dnsProxy,
+		InterfaceName: o.tunnelConfig.InterfaceName,
+		PrivateKey:    o.privateKey,
+		MiddleDev:     o.middleDev,
+		LocalIP:       interfaceIP,
+		SharedBind:    o.sharedBind,
+		WSClient:      o.websocket,
+		APIServer:     o.apiServer,
+		PublicDNS:     o.tunnelConfig.PublicDNS,
+	})
+
+	for i := range wgData.Sites {
+		site := wgData.Sites[i]
+
+		if site.PublicKey != "" {
+			var siteEndpoint string
+			// here we are going to take the relay endpoint if it exists which means we requested a relay for this peer
+			if site.RelayEndpoint != "" {
+				siteEndpoint = site.RelayEndpoint
+			} else {
+				siteEndpoint = site.Endpoint
+			}
+
+			o.apiServer.AddPeerStatus(site.SiteId, site.Name, false, 0, siteEndpoint, false)
+		}
+
+		// we still call this to add the aliases for jit lookup but we just do that then pass inside. need to skip the above so we dont add to the api
+		if err := o.peerManager.AddPeer(site); err != nil {
+			logger.Error("Failed to add peer: %v", err)
+			return
+		}
+
+		logger.Info("Configured peer %s", site.PublicKey)
+	}
+
+	o.peerManager.Start()
+
+	if err := o.dnsProxy.Start(); err != nil { // start DNS proxy first so there is no downtime
+		logger.Error("Failed to start DNS proxy: %v", err)
+	}
+
+	// Register JIT handler: when the DNS proxy resolves a local record, check whether
+	// the owning site is already connected and, if not, initiate a JIT connection.
+	o.dnsProxy.SetJITHandler(func(siteId int) {
+		pm := o.getPeerManager()
+		if pm == nil || o.websocket == nil {
+			return
+		}
+
+		// Site already has an active peer connection - nothing to do.
+		if _, exists := pm.GetPeer(siteId); exists {
+			return
+		}
+
+		o.peerSendMu.Lock()
+		defer o.peerSendMu.Unlock()
+
+		// A JIT request for this site is already in-flight - avoid duplicate sends.
+		if _, pending := o.jitPendingSites[siteId]; pending {
+			return
+		}
+
+		chainId := generateChainId()
+		logger.Info("DNS-triggered JIT connect for site %d (chainId=%s)", siteId, chainId)
+		stopFunc, _ := o.websocket.SendMessageInterval("olm/wg/server/peer/init", map[string]interface{}{
+			"siteId":  siteId,
+			"chainId": chainId,
+		}, 2*time.Second, 10)
+		o.stopPeerInits[chainId] = stopFunc
+		o.jitPendingSites[siteId] = chainId
+	})
+
+	if o.tunnelConfig.OverrideDNS {
+		// Set up DNS override to use our DNS proxy
+		if err := dnsOverride.SetupDNSOverride(o.tunnelConfig.InterfaceName, o.dnsProxy.GetProxyIP()); err != nil {
+			logger.Error("Failed to setup DNS override: %v", err)
+			return
+		}
+
+		network.SetDNSServers([]string{o.dnsProxy.GetProxyIP().String()})
+	}
+
+	o.apiServer.SetRegistered(true)
+
+	o.registered = true
+
+	// Start ping monitor now that we are registered and connected
+	o.websocket.StartPingMonitor()
+
+	// Invoke onConnected callback if configured
+	if o.olmConfig.OnConnected != nil {
+		go o.olmConfig.OnConnected()
+	}
+
+	logger.Info("WireGuard device created.")
+}
+
+func (o *Olm) handleOlmError(msg websocket.WSMessage) {
+	logger.Debug("Received olm error message: %v", msg.Data)
+
+	// Check if tunnel is still running
+	if !o.tunnelRunning {
+		logger.Debug("Tunnel stopped, ignoring olm error message")
+		return
+	}
+
+	var errorData OlmErrorData
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling olm error data: %v", err)
+		return
+	}
+
+	if err := json.Unmarshal(jsonData, &errorData); err != nil {
+		logger.Error("Error unmarshaling olm error data: %v", err)
+		return
+	}
+
+	logger.Error("Olm error (code: %s): %s", errorData.Code, errorData.Message)
+
+	// Set the olm error in the API server so it can be exposed via status
+	o.apiServer.SetOlmError(errorData.Code, errorData.Message)
+
+	// Invoke onOlmError callback if configured
+	if o.olmConfig.OnOlmError != nil {
+		go o.olmConfig.OnOlmError(errorData.Code, errorData.Message)
+	}
+}
+
+func (o *Olm) handleTerminate(msg websocket.WSMessage) {
+	logger.Info("Received terminate message")
+
+	// Check if tunnel is still running
+	if !o.tunnelRunning {
+		logger.Debug("Tunnel stopped, ignoring terminate message")
+		return
+	}
+
+	var errorData OlmErrorData
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling terminate error data: %v", err)
+	} else {
+		if err := json.Unmarshal(jsonData, &errorData); err != nil {
+			logger.Error("Error unmarshaling terminate error data: %v", err)
+		} else {
+			logger.Info("Terminate reason (code: %s): %s", errorData.Code, errorData.Message)
+
+			if errorData.Code == "TERMINATED_INACTIVITY" {
+				logger.Info("Ignoring...")
+				return
+			}
+
+			// Set the olm error in the API server so it can be exposed via status
+			o.apiServer.SetOlmError(errorData.Code, errorData.Message)
+		}
+	}
+
+	o.apiServer.SetTerminated(true)
+	o.apiServer.SetConnectionStatus(false)
+	o.apiServer.SetRegistered(false)
+	o.apiServer.ClearPeerStatuses()
+
+	network.ClearNetworkSettings()
+
+	o.Close()
+
+	if o.olmConfig.OnTerminated != nil {
+		go o.olmConfig.OnTerminated()
+	}
+}

olm/data.go

@@ -0,0 +1,394 @@
+package olm
+
+import (
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/fosrl/newt/holepunch"
+	"github.com/fosrl/newt/logger"
+	"github.com/fosrl/olm/peers"
+	"github.com/fosrl/olm/websocket"
+)
+
+func (o *Olm) handleWgPeerAddData(msg websocket.WSMessage) {
+	logger.Debug("Received add-remote-subnets-aliases message: %v", msg.Data)
+
+	// Check if tunnel is still running
+	if !o.tunnelRunning {
+		logger.Debug("Tunnel stopped, ignoring add-remote-subnets-aliases message")
+		return
+	}
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling data: %v", err)
+		return
+	}
+
+	var addSubnetsData peers.PeerAdd
+	if err := json.Unmarshal(jsonData, &addSubnetsData); err != nil {
+		logger.Error("Error unmarshaling add-remote-subnets data: %v", err)
+		return
+	}
+
+	pm := o.getPeerManager()
+	if pm == nil {
+		logger.Debug("Ignoring add-remote-subnets-aliases message: peerManager is nil (shutdown in progress)")
+		return
+	}
+
+	if _, exists := pm.GetPeer(addSubnetsData.SiteId); !exists {
+		logger.Debug("Peer %d not found for removing remote subnets and aliases", addSubnetsData.SiteId)
+		return
+	}
+
+	// Add new subnets
+	for _, subnet := range addSubnetsData.RemoteSubnets {
+		if err := pm.AddRemoteSubnet(addSubnetsData.SiteId, subnet); err != nil {
+			logger.Error("Failed to add allowed IP %s: %v", subnet, err)
+		}
+	}
+
+	// Add new aliases
+	for _, alias := range addSubnetsData.Aliases {
+		if err := pm.AddAlias(addSubnetsData.SiteId, alias); err != nil {
+			logger.Error("Failed to add alias %s: %v", alias.Alias, err)
+		}
+	}
+}
+
+func (o *Olm) handleWgPeerRemoveData(msg websocket.WSMessage) {
+	logger.Debug("Received remove-remote-subnets-aliases message: %v", msg.Data)
+
+	// Check if tunnel is still running
+	if !o.tunnelRunning {
+		logger.Debug("Tunnel stopped, ignoring remove-remote-subnets-aliases message")
+		return
+	}
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling data: %v", err)
+		return
+	}
+
+	var removeSubnetsData peers.RemovePeerData
+	if err := json.Unmarshal(jsonData, &removeSubnetsData); err != nil {
+		logger.Error("Error unmarshaling remove-remote-subnets data: %v", err)
+		return
+	}
+
+	pm := o.getPeerManager()
+	if pm == nil {
+		logger.Debug("Ignoring remove-remote-subnets-aliases message: peerManager is nil (shutdown in progress)")
+		return
+	}
+
+	if _, exists := pm.GetPeer(removeSubnetsData.SiteId); !exists {
+		logger.Debug("Peer %d not found for removing remote subnets and aliases", removeSubnetsData.SiteId)
+		return
+	}
+
+	// Remove subnets
+	for _, subnet := range removeSubnetsData.RemoteSubnets {
+		if err := pm.RemoveRemoteSubnet(removeSubnetsData.SiteId, subnet); err != nil {
+			logger.Error("Failed to remove allowed IP %s: %v", subnet, err)
+		}
+	}
+
+	// Remove aliases
+	for _, alias := range removeSubnetsData.Aliases {
+		if err := pm.RemoveAlias(removeSubnetsData.SiteId, alias.Alias); err != nil {
+			logger.Error("Failed to remove alias %s: %v", alias.Alias, err)
+		}
+	}
+}
+
+func (o *Olm) handleWgPeerUpdateData(msg websocket.WSMessage) {
+	logger.Debug("Received update-remote-subnets-aliases message: %v", msg.Data)
+
+	// Check if tunnel is still running
+	if !o.tunnelRunning {
+		logger.Debug("Tunnel stopped, ignoring update-remote-subnets-aliases message")
+		return
+	}
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling data: %v", err)
+		return
+	}
+
+	var updateSubnetsData peers.UpdatePeerData
+	if err := json.Unmarshal(jsonData, &updateSubnetsData); err != nil {
+		logger.Error("Error unmarshaling update-remote-subnets data: %v", err)
+		return
+	}
+
+	pm := o.getPeerManager()
+	if pm == nil {
+		logger.Debug("Ignoring update-remote-subnets-aliases message: peerManager is nil (shutdown in progress)")
+		return
+	}
+
+	if _, exists := pm.GetPeer(updateSubnetsData.SiteId); !exists {
+		logger.Debug("Peer %d not found for updating remote subnets and aliases", updateSubnetsData.SiteId)
+		return
+	}
+
+	// Add new subnets BEFORE removing old ones to preserve shared subnets
+	// This ensures that if an old and new subnet are the same on different peers,
+	// the route won't be temporarily removed
+	for _, subnet := range updateSubnetsData.NewRemoteSubnets {
+		if err := pm.AddRemoteSubnet(updateSubnetsData.SiteId, subnet); err != nil {
+			logger.Error("Failed to add allowed IP %s: %v", subnet, err)
+		}
+	}
+
+	// Remove old subnets after new ones are added
+	for _, subnet := range updateSubnetsData.OldRemoteSubnets {
+		if err := pm.RemoveRemoteSubnet(updateSubnetsData.SiteId, subnet); err != nil {
+			logger.Error("Failed to remove allowed IP %s: %v", subnet, err)
+		}
+	}
+
+	// Add new aliases BEFORE removing old ones to preserve shared IP addresses
+	// This ensures that if an old and new alias share the same IP, the IP won't be
+	// temporarily removed from the allowed IPs list
+	for _, alias := range updateSubnetsData.NewAliases {
+		if err := pm.AddAlias(updateSubnetsData.SiteId, alias); err != nil {
+			logger.Error("Failed to add alias %s: %v", alias.Alias, err)
+		}
+	}
+
+	// Remove old aliases after new ones are added
+	for _, alias := range updateSubnetsData.OldAliases {
+		if err := pm.RemoveAlias(updateSubnetsData.SiteId, alias.Alias); err != nil {
+			logger.Error("Failed to remove alias %s: %v", alias.Alias, err)
+		}
+	}
+
+	logger.Info("Successfully updated remote subnets and aliases for peer %d", updateSubnetsData.SiteId)
+}
+
+// Handler for syncing peer configuration - reconciles expected state with actual state
+func (o *Olm) handleSync(msg websocket.WSMessage) {
+	logger.Debug("Received sync message: %v", msg.Data)
+
+	if !o.registered {
+		logger.Warn("Not connected, ignoring sync request")
+		return
+	}
+
+	pm := o.getPeerManager()
+	if pm == nil {
+		logger.Warn("Peer manager not initialized, ignoring sync request")
+		return
+	}
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling sync data: %v", err)
+		return
+	}
+
+	var syncData SyncData
+	if err := json.Unmarshal(jsonData, &syncData); err != nil {
+		logger.Error("Error unmarshaling sync data: %v", err)
+		return
+	}
+
+	// Sync exit nodes for hole punching
+	o.syncExitNodes(syncData.ExitNodes)
+
+	// Build a map of expected peers from the incoming data
+	expectedPeers := make(map[int]peers.SiteConfig)
+	for _, site := range syncData.Sites {
+		expectedPeers[site.SiteId] = site
+	}
+
+	// Get all current peers
+	currentPeers := pm.GetAllPeers()
+	currentPeerMap := make(map[int]peers.SiteConfig)
+	for _, peer := range currentPeers {
+		currentPeerMap[peer.SiteId] = peer
+	}
+
+	// Find peers to remove (in current but not in expected)
+	for siteId := range currentPeerMap {
+		if _, exists := expectedPeers[siteId]; !exists {
+			logger.Info("Sync: Removing peer for site %d (no longer in expected config)", siteId)
+			if err := pm.RemovePeer(siteId); err != nil {
+				logger.Error("Sync: Failed to remove peer %d: %v", siteId, err)
+			} else {
+				// Remove any exit nodes associated with this peer from hole punching
+				if o.holePunchManager != nil {
+					removed := o.holePunchManager.RemoveExitNodesByPeer(siteId)
+					if removed > 0 {
+						logger.Info("Sync: Removed %d exit nodes associated with peer %d from hole punch rotation", removed, siteId)
+					}
+				}
+			}
+		}
+	}
+
+	// Find peers to add (in expected but not in current) and peers to update
+	for siteId, expectedSite := range expectedPeers {
+		if _, exists := currentPeerMap[siteId]; !exists {
+			// New peer - add it using the add flow (with holepunch)
+			logger.Info("Sync: Adding new peer for site %d", siteId)
+
+			o.holePunchManager.TriggerHolePunch()
+			o.holePunchManager.ResetServerHolepunchInterval() // start sending immediately again so we fill in the endpoint on the cloud
+
+			// // TODO: do we need to send the message to the cloud to add the peer that way?
+			// if err := o.peerManager.AddPeer(expectedSite); err != nil {
+			// 	logger.Error("Sync: Failed to add peer %d: %v", siteId, err)
+			// } else {
+			// 	logger.Info("Sync: Successfully added peer for site %d", siteId)
+			// }
+
+			// add the peer via the server
+			// this is important because newt needs to get triggered as well to add the peer once the hp is complete
+			chainId := fmt.Sprintf("sync-%d", expectedSite.SiteId)
+			o.peerSendMu.Lock()
+			if stop, ok := o.stopPeerSends[chainId]; ok {
+				stop()
+			}
+			stopFunc, _ := o.websocket.SendMessageInterval("olm/wg/server/peer/add", map[string]interface{}{
+				"siteId":  expectedSite.SiteId,
+				"chainId": chainId,
+			}, 2*time.Second, 10)
+			o.stopPeerSends[chainId] = stopFunc
+			o.peerSendMu.Unlock()
+
+		} else {
+			// Existing peer - check if update is needed
+			currentSite := currentPeerMap[siteId]
+			needsUpdate := false
+
+			// Check if any fields have changed
+			if expectedSite.Endpoint != "" && expectedSite.Endpoint != currentSite.Endpoint {
+				needsUpdate = true
+			}
+			if expectedSite.RelayEndpoint != "" && expectedSite.RelayEndpoint != currentSite.RelayEndpoint {
+				needsUpdate = true
+			}
+			if expectedSite.PublicKey != "" && expectedSite.PublicKey != currentSite.PublicKey {
+				needsUpdate = true
+			}
+			if expectedSite.ServerIP != "" && expectedSite.ServerIP != currentSite.ServerIP {
+				needsUpdate = true
+			}
+			if expectedSite.ServerPort != 0 && expectedSite.ServerPort != currentSite.ServerPort {
+				needsUpdate = true
+			}
+			// Check remote subnets
+			if expectedSite.RemoteSubnets != nil && !slicesEqual(expectedSite.RemoteSubnets, currentSite.RemoteSubnets) {
+				needsUpdate = true
+			}
+			// Check aliases
+			if expectedSite.Aliases != nil && !aliasesEqual(expectedSite.Aliases, currentSite.Aliases) {
+				needsUpdate = true
+			}
+
+			if needsUpdate {
+				logger.Info("Sync: Updating peer for site %d", siteId)
+
+				// Merge expected data with current data
+				siteConfig := currentSite
+				if expectedSite.Endpoint != "" {
+					siteConfig.Endpoint = expectedSite.Endpoint
+				}
+				if expectedSite.RelayEndpoint != "" {
+					siteConfig.RelayEndpoint = expectedSite.RelayEndpoint
+				}
+				if expectedSite.PublicKey != "" {
+					siteConfig.PublicKey = expectedSite.PublicKey
+				}
+				if expectedSite.ServerIP != "" {
+					siteConfig.ServerIP = expectedSite.ServerIP
+				}
+				if expectedSite.ServerPort != 0 {
+					siteConfig.ServerPort = expectedSite.ServerPort
+				}
+				if expectedSite.RemoteSubnets != nil {
+					siteConfig.RemoteSubnets = expectedSite.RemoteSubnets
+				}
+				if expectedSite.Aliases != nil {
+					siteConfig.Aliases = expectedSite.Aliases
+				}
+
+				if err := pm.UpdatePeer(siteConfig); err != nil {
+					logger.Error("Sync: Failed to update peer %d: %v", siteId, err)
+				} else {
+					// If the endpoint changed, trigger holepunch to refresh NAT mappings
+					if expectedSite.Endpoint != "" && expectedSite.Endpoint != currentSite.Endpoint {
+						logger.Info("Sync: Endpoint changed for site %d, triggering holepunch to refresh NAT mappings", siteId)
+						o.holePunchManager.TriggerHolePunch()
+						o.holePunchManager.ResetServerHolepunchInterval()
+					}
+					logger.Info("Sync: Successfully updated peer for site %d", siteId)
+				}
+			}
+		}
+	}
+
+	logger.Info("Sync completed: processed %d expected peers, had %d current peers", len(expectedPeers), len(currentPeers))
+}
+
+// syncExitNodes reconciles the expected exit nodes with the current ones in the hole punch manager
+func (o *Olm) syncExitNodes(expectedExitNodes []SyncExitNode) {
+	if o.holePunchManager == nil {
+		logger.Warn("Hole punch manager not initialized, skipping exit node sync")
+		return
+	}
+
+	// Build a map of expected exit nodes by endpoint
+	expectedExitNodeMap := make(map[string]SyncExitNode)
+	for _, exitNode := range expectedExitNodes {
+		expectedExitNodeMap[exitNode.Endpoint] = exitNode
+	}
+
+	// Get current exit nodes from hole punch manager
+	currentExitNodes := o.holePunchManager.GetExitNodes()
+	currentExitNodeMap := make(map[string]holepunch.ExitNode)
+	for _, exitNode := range currentExitNodes {
+		currentExitNodeMap[exitNode.Endpoint] = exitNode
+	}
+
+	// Find exit nodes to remove (in current but not in expected)
+	for endpoint := range currentExitNodeMap {
+		if _, exists := expectedExitNodeMap[endpoint]; !exists {
+			logger.Info("Sync: Removing exit node %s (no longer in expected config)", endpoint)
+			o.holePunchManager.RemoveExitNode(endpoint)
+		}
+	}
+
+	// Find exit nodes to add (in expected but not in current)
+	for endpoint, expectedExitNode := range expectedExitNodeMap {
+		if _, exists := currentExitNodeMap[endpoint]; !exists {
+			logger.Info("Sync: Adding new exit node %s", endpoint)
+
+			relayPort := expectedExitNode.RelayPort
+			if relayPort == 0 {
+				relayPort = 21820 // default relay port
+			}
+
+			hpExitNode := holepunch.ExitNode{
+				Endpoint:  expectedExitNode.Endpoint,
+				RelayPort: relayPort,
+				PublicKey: expectedExitNode.PublicKey,
+				SiteIds:   expectedExitNode.SiteIds,
+			}
+
+			if o.holePunchManager.AddExitNode(hpExitNode) {
+				logger.Info("Sync: Successfully added exit node %s", endpoint)
+			}
+			o.holePunchManager.TriggerHolePunch()
+		}
+	}
+
+	logger.Info("Sync exit nodes completed: processed %d expected exit nodes, had %d current exit nodes", len(expectedExitNodeMap), len(currentExitNodeMap))
+}

olm/olm_unix.go

@@ -0,0 +1,10 @@
+//go:build !windows
+
+package olm
+
+import "syscall"
+
+// closeFD closes a file descriptor in a platform-specific way
+func closeFD(fd uint32) error {
+	return syscall.Close(int(fd))
+}

olm/olm_windows.go

@@ -0,0 +1,10 @@
+//go:build windows
+
+package olm
+
+import "syscall"
+
+// closeFD closes a file descriptor in a platform-specific way
+func closeFD(fd uint32) error {
+	return syscall.Close(syscall.Handle(fd))
+}

olm/peer.go

@@ -0,0 +1,427 @@
+package olm
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/fosrl/newt/holepunch"
+	"github.com/fosrl/newt/logger"
+	"github.com/fosrl/newt/util"
+	"github.com/fosrl/olm/peers"
+	"github.com/fosrl/olm/websocket"
+)
+
+func (o *Olm) handleWgPeerAdd(msg websocket.WSMessage) {
+	logger.Debug("Received add-peer message: %v", msg.Data)
+
+	// Check if tunnel is still running
+	if !o.tunnelRunning {
+		logger.Debug("Tunnel stopped, ignoring add-peer message")
+		return
+	}
+
+	pm := o.getPeerManager()
+	if pm == nil {
+		logger.Debug("Ignoring add-peer message: peerManager is nil (shutdown in progress)")
+		return
+	}
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling data: %v", err)
+		return
+	}
+
+	var siteConfigMsg struct {
+		peers.SiteConfig
+		ChainId string `json:"chainId"`
+	}
+	if err := json.Unmarshal(jsonData, &siteConfigMsg); err != nil {
+		logger.Error("Error unmarshaling add data: %v", err)
+		return
+	}
+
+	if siteConfigMsg.ChainId != "" {
+		o.peerSendMu.Lock()
+		if stop, ok := o.stopPeerSends[siteConfigMsg.ChainId]; ok {
+			stop()
+			delete(o.stopPeerSends, siteConfigMsg.ChainId)
+		}
+		o.peerSendMu.Unlock()
+	} else {
+		// stop all of the stopPeerSends
+		o.peerSendMu.Lock()
+		for _, stop := range o.stopPeerSends {
+			stop()
+		}
+		o.stopPeerSends = make(map[string]func())
+		o.peerSendMu.Unlock()
+	}
+
+	if siteConfigMsg.PublicKey == "" {
+		logger.Warn("Skipping add-peer for site %d (%s): no public key available (site may not be connected)", siteConfigMsg.SiteId, siteConfigMsg.Name)
+		return
+	}
+
+	_ = o.holePunchManager.TriggerHolePunch() // Trigger immediate hole punch attempt so that if the peer decides to relay we have already punched close to when we need it
+
+	if err := pm.AddPeer(siteConfigMsg.SiteConfig); err != nil {
+		logger.Error("Failed to add peer: %v", err)
+		return
+	}
+
+	logger.Info("Successfully added peer for site %d", siteConfigMsg.SiteId)
+}
+
+func (o *Olm) handleWgPeerRemove(msg websocket.WSMessage) {
+	logger.Debug("Received remove-peer message: %v", msg.Data)
+
+	// Check if tunnel is still running
+	if !o.tunnelRunning {
+		logger.Debug("Tunnel stopped, ignoring remove-peer message")
+		return
+	}
+
+	pm := o.getPeerManager()
+	if pm == nil {
+		logger.Debug("Ignoring remove-peer message: peerManager is nil (shutdown in progress)")
+		return
+	}
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling data: %v", err)
+		return
+	}
+
+	var removeData peers.PeerRemove
+	if err := json.Unmarshal(jsonData, &removeData); err != nil {
+		logger.Error("Error unmarshaling remove data: %v", err)
+		return
+	}
+
+	if err := pm.RemovePeer(removeData.SiteId); err != nil {
+		logger.Error("Failed to remove peer: %v", err)
+		return
+	}
+
+	// Remove any exit nodes associated with this peer from hole punching
+	if o.holePunchManager != nil {
+		removed := o.holePunchManager.RemoveExitNodesByPeer(removeData.SiteId)
+		if removed > 0 {
+			logger.Info("Removed %d exit nodes associated with peer %d from hole punch rotation", removed, removeData.SiteId)
+		}
+	}
+
+	logger.Info("Successfully removed peer for site %d", removeData.SiteId)
+}
+
+func (o *Olm) handleWgPeerUpdate(msg websocket.WSMessage) {
+	logger.Debug("Received update-peer message: %v", msg.Data)
+
+	// Check if tunnel is still running
+	if !o.tunnelRunning {
+		logger.Debug("Tunnel stopped, ignoring update-peer message")
+		return
+	}
+
+	pm := o.getPeerManager()
+	if pm == nil {
+		logger.Debug("Ignoring update-peer message: peerManager is nil (shutdown in progress)")
+		return
+	}
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling data: %v", err)
+		return
+	}
+
+	var updateData peers.SiteConfig
+	if err := json.Unmarshal(jsonData, &updateData); err != nil {
+		logger.Error("Error unmarshaling update data: %v", err)
+		return
+	}
+
+	// Get existing peer from PeerManager
+	existingPeer, exists := pm.GetPeer(updateData.SiteId)
+	if !exists {
+		logger.Warn("Peer with site ID %d not found", updateData.SiteId)
+		return
+	}
+
+	// Create updated site config by merging with existing data
+	siteConfig := existingPeer
+
+	if updateData.Endpoint != "" {
+		siteConfig.Endpoint = updateData.Endpoint
+	}
+	if updateData.RelayEndpoint != "" {
+		siteConfig.RelayEndpoint = updateData.RelayEndpoint
+	}
+	if updateData.PublicKey != "" {
+		siteConfig.PublicKey = updateData.PublicKey
+	}
+	if updateData.ServerIP != "" {
+		siteConfig.ServerIP = updateData.ServerIP
+	}
+	if updateData.ServerPort != 0 {
+		siteConfig.ServerPort = updateData.ServerPort
+	}
+	if updateData.RemoteSubnets != nil {
+		siteConfig.RemoteSubnets = updateData.RemoteSubnets
+	}
+
+	if err := pm.UpdatePeer(siteConfig); err != nil {
+		logger.Error("Failed to update peer: %v", err)
+		return
+	}
+
+	// If the endpoint changed, trigger holepunch to refresh NAT mappings
+	if updateData.Endpoint != "" && updateData.Endpoint != existingPeer.Endpoint {
+		logger.Info("Endpoint changed for site %d, triggering holepunch to refresh NAT mappings", updateData.SiteId)
+		_ = o.holePunchManager.TriggerHolePunch()
+		o.holePunchManager.ResetServerHolepunchInterval()
+	}
+
+	logger.Info("Successfully updated peer for site %d", updateData.SiteId)
+}
+
+func (o *Olm) handleWgPeerRelay(msg websocket.WSMessage) {
+	logger.Debug("Received relay-peer message: %v", msg.Data)
+
+	// Check if peerManager is still valid (may be nil during shutdown)
+	pm := o.getPeerManager()
+	if pm == nil {
+		logger.Debug("Ignoring relay message: peerManager is nil (shutdown in progress)")
+		return
+	}
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling data: %v", err)
+		return
+	}
+
+	var relayData struct {
+		peers.RelayPeerData
+		ChainId string `json:"chainId"`
+	}
+	if err := json.Unmarshal(jsonData, &relayData); err != nil {
+		logger.Error("Error unmarshaling relay data: %v", err)
+		return
+	}
+
+	if monitor := pm.GetPeerMonitor(); monitor != nil {
+		monitor.CancelRelaySend(relayData.ChainId)
+	}
+
+	primaryRelay, err := util.ResolveDomainUpstream(relayData.RelayEndpoint, o.tunnelConfig.PublicDNS)
+
+	if err != nil {
+		logger.Error("Failed to resolve primary relay endpoint: %v", err)
+		return
+	}
+
+	// Update HTTP server to mark this peer as using relay
+	o.apiServer.UpdatePeerRelayStatus(relayData.SiteId, relayData.RelayEndpoint, true)
+
+	pm.RelayPeer(relayData.SiteId, primaryRelay, relayData.RelayPort)
+}
+
+func (o *Olm) handleWgPeerUnrelay(msg websocket.WSMessage) {
+	logger.Debug("Received unrelay-peer message: %v", msg.Data)
+
+	// Check if peerManager is still valid (may be nil during shutdown)
+	pm := o.getPeerManager()
+	if pm == nil {
+		logger.Debug("Ignoring unrelay message: peerManager is nil (shutdown in progress)")
+		return
+	}
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling data: %v", err)
+		return
+	}
+
+	var relayData struct {
+		peers.UnRelayPeerData
+		ChainId string `json:"chainId"`
+	}
+	if err := json.Unmarshal(jsonData, &relayData); err != nil {
+		logger.Error("Error unmarshaling relay data: %v", err)
+		return
+	}
+
+	if monitor := pm.GetPeerMonitor(); monitor != nil {
+		monitor.CancelRelaySend(relayData.ChainId)
+	}
+
+	primaryRelay, err := util.ResolveDomainUpstream(relayData.Endpoint, o.tunnelConfig.PublicDNS)
+
+	if err != nil {
+		logger.Warn("Failed to resolve primary relay endpoint: %v", err)
+	}
+
+	// Update HTTP server to mark this peer as using relay
+	o.apiServer.UpdatePeerRelayStatus(relayData.SiteId, relayData.Endpoint, false)
+
+	pm.UnRelayPeer(relayData.SiteId, primaryRelay)
+}
+
+func (o *Olm) handleWgPeerHolepunchAddSite(msg websocket.WSMessage) {
+	logger.Debug("Received peer-handshake message: %v", msg.Data)
+
+	// Check if tunnel is still running
+	if !o.tunnelRunning {
+		logger.Debug("Tunnel stopped, ignoring peer-handshake message")
+		return
+	}
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling handshake data: %v", err)
+		return
+	}
+
+	var handshakeData struct {
+		SiteId   int    `json:"siteId"`
+		ChainId  string `json:"chainId"`
+		ExitNode struct {
+			PublicKey string `json:"publicKey"`
+			Endpoint  string `json:"endpoint"`
+			RelayPort uint16 `json:"relayPort"`
+		} `json:"exitNode"`
+	}
+
+	if err := json.Unmarshal(jsonData, &handshakeData); err != nil {
+		logger.Error("Error unmarshaling handshake data: %v", err)
+		return
+	}
+
+	// Stop the peer init sender for this chain, if any
+	if handshakeData.ChainId != "" {
+		o.peerSendMu.Lock()
+		if stop, ok := o.stopPeerInits[handshakeData.ChainId]; ok {
+			stop()
+			delete(o.stopPeerInits, handshakeData.ChainId)
+		}
+		// If this chain was initiated by a DNS-triggered JIT request, clear the
+		// pending entry so the site can be re-triggered if needed in the future.
+		delete(o.jitPendingSites, handshakeData.SiteId)
+		o.peerSendMu.Unlock()
+	} else {
+		// Stop all of the stopPeerInits
+		o.peerSendMu.Lock()
+		for _, stop := range o.stopPeerInits {
+			stop()
+		}
+		o.stopPeerInits = make(map[string]func())
+		o.peerSendMu.Unlock()
+	}
+
+	// Get existing peer from PeerManager
+	pm := o.getPeerManager()
+	if pm == nil {
+		logger.Debug("Ignoring peer-handshake message: peerManager is nil (shutdown in progress)")
+		return
+	}
+	_, exists := pm.GetPeer(handshakeData.SiteId)
+	if exists {
+		logger.Warn("Peer with site ID %d already added", handshakeData.SiteId)
+		return
+	}
+
+	relayPort := handshakeData.ExitNode.RelayPort
+	if relayPort == 0 {
+		relayPort = 21820 // default relay port
+	}
+
+	siteId := handshakeData.SiteId
+	exitNode := holepunch.ExitNode{
+		Endpoint:  handshakeData.ExitNode.Endpoint,
+		RelayPort: relayPort,
+		PublicKey: handshakeData.ExitNode.PublicKey,
+		SiteIds:   []int{siteId},
+	}
+
+	added := o.holePunchManager.AddExitNode(exitNode)
+	if added {
+		logger.Info("Added exit node %s to holepunch rotation for handshake", exitNode.Endpoint)
+	} else {
+		logger.Debug("Exit node %s already in holepunch rotation", exitNode.Endpoint)
+	}
+
+	o.holePunchManager.TriggerHolePunch()             // Trigger immediate hole punch attempt
+	o.holePunchManager.ResetServerHolepunchInterval() // start sending immediately again so we fill in the endpoint on the cloud
+
+	// Send handshake acknowledgment back to server with retry, keyed by chainId
+	chainId := handshakeData.ChainId
+	if chainId == "" {
+		chainId = generateChainId()
+	}
+	o.peerSendMu.Lock()
+	stopFunc, _ := o.websocket.SendMessageInterval("olm/wg/server/peer/add", map[string]interface{}{
+		"siteId":  handshakeData.SiteId,
+		"chainId": chainId,
+	}, 2*time.Second, 10)
+	o.stopPeerSends[chainId] = stopFunc
+	o.peerSendMu.Unlock()
+
+	logger.Info("Initiated handshake for site %d with exit node %s", handshakeData.SiteId, handshakeData.ExitNode.Endpoint)
+}
+
+func (o *Olm) handleCancelChain(msg websocket.WSMessage) {
+	logger.Debug("Received cancel-chain message: %v", msg.Data)
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling cancel-chain data: %v", err)
+		return
+	}
+
+	var cancelData struct {
+		ChainId string `json:"chainId"`
+	}
+	if err := json.Unmarshal(jsonData, &cancelData); err != nil {
+		logger.Error("Error unmarshaling cancel-chain data: %v", err)
+		return
+	}
+
+	if cancelData.ChainId == "" {
+		logger.Warn("Received cancel-chain message with no chainId")
+		return
+	}
+
+	o.peerSendMu.Lock()
+	defer o.peerSendMu.Unlock()
+
+	found := false
+
+	if stop, ok := o.stopPeerInits[cancelData.ChainId]; ok {
+		stop()
+		delete(o.stopPeerInits, cancelData.ChainId)
+		found = true
+	}
+	// If this chain was a DNS-triggered JIT request, clear the pending entry so
+	// the site can be re-triggered on the next DNS lookup.
+	for siteId, chainId := range o.jitPendingSites {
+		if chainId == cancelData.ChainId {
+			delete(o.jitPendingSites, siteId)
+			break
+		}
+	}
+
+	if stop, ok := o.stopPeerSends[cancelData.ChainId]; ok {
+		stop()
+		delete(o.stopPeerSends, cancelData.ChainId)
+		found = true
+	}
+
+	if found {
+		logger.Info("Cancelled chain %s", cancelData.ChainId)
+	} else {
+		logger.Warn("Cancel-chain: no active sender found for chain %s", cancelData.ChainId)
+	}
+}

olm/types.go

@@ -0,0 +1,90 @@
+package olm
+
+import (
+	"time"
+
+	"github.com/fosrl/olm/peers"
+)
+
+type WgData struct {
+	Sites         []peers.SiteConfig `json:"sites"`
+	TunnelIP      string             `json:"tunnelIP"`
+	UtilitySubnet string             `json:"utilitySubnet"` // this is for things like the DNS server, and alias addresses
+}
+
+type SyncData struct {
+	Sites     []peers.SiteConfig `json:"sites"`
+	ExitNodes []SyncExitNode     `json:"exitNodes"`
+}
+
+type SyncExitNode struct {
+	Endpoint  string `json:"endpoint"`
+	RelayPort uint16 `json:"relayPort"`
+	PublicKey string `json:"publicKey"`
+	SiteIds   []int  `json:"siteIds"`
+}
+
+type OlmConfig struct {
+	// Logging
+	LogLevel    string
+	LogFilePath string
+
+	// HTTP server
+	EnableAPI  bool
+	HTTPAddr   string
+	SocketPath string
+	Version    string
+	Agent      string
+
+	WakeUpDebounce time.Duration
+
+	// Debugging
+	PprofAddr string // Address to serve pprof on (e.g., "localhost:6060")
+
+	// Callbacks
+	OnRegistered func()
+	OnConnected  func()
+	OnTerminated func()
+	OnAuthError  func(statusCode int, message string) // Called when auth fails (401/403)
+	OnOlmError   func(code string, message string)    // Called when registration fails
+	OnExit       func()                               // Called when exit is requested via API
+}
+
+type TunnelConfig struct {
+	// Connection settings
+	Endpoint  string
+	ID        string
+	Secret    string
+	UserToken string
+
+	// Network settings
+	MTU           int
+	DNS           string
+	UpstreamDNS   []string
+	PublicDNS   []string
+	InterfaceName string
+
+	// Advanced
+	Holepunch     bool
+	TlsClientCert string
+
+	// Parsed values (not in JSON)
+	PingIntervalDuration time.Duration
+	PingTimeoutDuration  time.Duration
+
+	OrgID string
+	// DoNotCreateNewClient bool
+
+	FileDescriptorTun  uint32
+	FileDescriptorUAPI uint32
+
+	EnableUAPI bool
+
+	OverrideDNS bool
+	TunnelDNS   bool
+
+	InitialFingerprint map[string]any
+	InitialPostures    map[string]any
+
+	DisableRelay bool
+}

olm/util.go

@@ -0,0 +1,47 @@
+package olm
+
+import (
+	"github.com/fosrl/olm/peers"
+)
+
+// slicesEqual compares two string slices for equality (order-independent)
+func slicesEqual(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	// Create a map to count occurrences in slice a
+	counts := make(map[string]int)
+	for _, v := range a {
+		counts[v]++
+	}
+	// Check if slice b has the same elements
+	for _, v := range b {
+		counts[v]--
+		if counts[v] < 0 {
+			return false
+		}
+	}
+	return true
+}
+
+// aliasesEqual compares two Alias slices for equality (order-independent)
+func aliasesEqual(a, b []peers.Alias) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	// Create a map to count occurrences in slice a (using alias+address as key)
+	counts := make(map[string]int)
+	for _, v := range a {
+		key := v.Alias + "|" + v.AliasAddress
+		counts[key]++
+	}
+	// Check if slice b has the same elements
+	for _, v := range b {
+		key := v.Alias + "|" + v.AliasAddress
+		counts[key]--
+		if counts[key] < 0 {
+			return false
+		}
+	}
+	return true
+}

peermonitor/peermonitor.go

@@ -1,331 +0,0 @@
-package peermonitor
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/fosrl/newt/logger"
-	"github.com/fosrl/olm/websocket"
-	"github.com/fosrl/olm/wgtester"
-	"golang.zx2c4.com/wireguard/device"
-)
-
-// PeerMonitorCallback is the function type for connection status change callbacks
-type PeerMonitorCallback func(siteID int, connected bool, rtt time.Duration)
-
-// WireGuardConfig holds the WireGuard configuration for a peer
-type WireGuardConfig struct {
-	SiteID       int
-	PublicKey    string
-	ServerIP     string
-	Endpoint     string
-	PrimaryRelay string // The primary relay endpoint
-}
-
-// PeerMonitor handles monitoring the connection status to multiple WireGuard peers
-type PeerMonitor struct {
-	monitors          map[int]*wgtester.Client
-	configs           map[int]*WireGuardConfig
-	callback          PeerMonitorCallback
-	mutex             sync.Mutex
-	running           bool
-	interval          time.Duration
-	timeout           time.Duration
-	maxAttempts       int
-	privateKey        string
-	wsClient          *websocket.Client
-	device            *device.Device
-	handleRelaySwitch bool // Whether to handle relay switching
-}
-
-// NewPeerMonitor creates a new peer monitor with the given callback
-func NewPeerMonitor(callback PeerMonitorCallback, privateKey string, wsClient *websocket.Client, device *device.Device, handleRelaySwitch bool) *PeerMonitor {
-	return &PeerMonitor{
-		monitors:          make(map[int]*wgtester.Client),
-		configs:           make(map[int]*WireGuardConfig),
-		callback:          callback,
-		interval:          1 * time.Second, // Default check interval
-		timeout:           2500 * time.Millisecond,
-		maxAttempts:       8,
-		privateKey:        privateKey,
-		wsClient:          wsClient,
-		device:            device,
-		handleRelaySwitch: handleRelaySwitch,
-	}
-}
-
-// SetInterval changes how frequently peers are checked
-func (pm *PeerMonitor) SetInterval(interval time.Duration) {
-	pm.mutex.Lock()
-	defer pm.mutex.Unlock()
-
-	pm.interval = interval
-
-	// Update interval for all existing monitors
-	for _, client := range pm.monitors {
-		client.SetPacketInterval(interval)
-	}
-}
-
-// SetTimeout changes the timeout for waiting for responses
-func (pm *PeerMonitor) SetTimeout(timeout time.Duration) {
-	pm.mutex.Lock()
-	defer pm.mutex.Unlock()
-
-	pm.timeout = timeout
-
-	// Update timeout for all existing monitors
-	for _, client := range pm.monitors {
-		client.SetTimeout(timeout)
-	}
-}
-
-// SetMaxAttempts changes the maximum number of attempts for TestConnection
-func (pm *PeerMonitor) SetMaxAttempts(attempts int) {
-	pm.mutex.Lock()
-	defer pm.mutex.Unlock()
-
-	pm.maxAttempts = attempts
-
-	// Update max attempts for all existing monitors
-	for _, client := range pm.monitors {
-		client.SetMaxAttempts(attempts)
-	}
-}
-
-// AddPeer adds a new peer to monitor
-func (pm *PeerMonitor) AddPeer(siteID int, endpoint string, wgConfig *WireGuardConfig) error {
-	pm.mutex.Lock()
-	defer pm.mutex.Unlock()
-
-	// Check if we're already monitoring this peer
-	if _, exists := pm.monitors[siteID]; exists {
-		// Update the endpoint instead of creating a new monitor
-		pm.removePeerUnlocked(siteID)
-	}
-
-	client, err := wgtester.NewClient(endpoint)
-	if err != nil {
-		return err
-	}
-
-	// Configure the client with our settings
-	client.SetPacketInterval(pm.interval)
-	client.SetTimeout(pm.timeout)
-	client.SetMaxAttempts(pm.maxAttempts)
-
-	// Store the client and config
-	pm.monitors[siteID] = client
-	pm.configs[siteID] = wgConfig
-
-	// If monitor is already running, start monitoring this peer
-	if pm.running {
-		siteIDCopy := siteID // Create a copy for the closure
-		err = client.StartMonitor(func(status wgtester.ConnectionStatus) {
-			pm.handleConnectionStatusChange(siteIDCopy, status)
-		})
-	}
-
-	return err
-}
-
-// removePeerUnlocked stops monitoring a peer and removes it from the monitor
-// This function assumes the mutex is already held by the caller
-func (pm *PeerMonitor) removePeerUnlocked(siteID int) {
-	client, exists := pm.monitors[siteID]
-	if !exists {
-		return
-	}
-
-	client.StopMonitor()
-	client.Close()
-	delete(pm.monitors, siteID)
-	delete(pm.configs, siteID)
-}
-
-// RemovePeer stops monitoring a peer and removes it from the monitor
-func (pm *PeerMonitor) RemovePeer(siteID int) {
-	pm.mutex.Lock()
-	defer pm.mutex.Unlock()
-
-	pm.removePeerUnlocked(siteID)
-}
-
-// Start begins monitoring all peers
-func (pm *PeerMonitor) Start() {
-	pm.mutex.Lock()
-	defer pm.mutex.Unlock()
-
-	if pm.running {
-		return // Already running
-	}
-
-	pm.running = true
-
-	// Start monitoring all peers
-	for siteID, client := range pm.monitors {
-		siteIDCopy := siteID // Create a copy for the closure
-		err := client.StartMonitor(func(status wgtester.ConnectionStatus) {
-			pm.handleConnectionStatusChange(siteIDCopy, status)
-		})
-		if err != nil {
-			logger.Error("Failed to start monitoring peer %d: %v\n", siteID, err)
-			continue
-		}
-		logger.Info("Started monitoring peer %d\n", siteID)
-	}
-}
-
-// handleConnectionStatusChange is called when a peer's connection status changes
-func (pm *PeerMonitor) handleConnectionStatusChange(siteID int, status wgtester.ConnectionStatus) {
-	// Call the user-provided callback first
-	if pm.callback != nil {
-		pm.callback(siteID, status.Connected, status.RTT)
-	}
-
-	// If disconnected, handle failover
-	if !status.Connected {
-		// Send relay message to the server
-		if pm.wsClient != nil {
-			pm.sendRelay(siteID)
-		}
-	}
-}
-
-// handleFailover handles failover to the relay server when a peer is disconnected
-func (pm *PeerMonitor) HandleFailover(siteID int, relayEndpoint string) {
-	pm.mutex.Lock()
-	config, exists := pm.configs[siteID]
-	pm.mutex.Unlock()
-
-	if !exists {
-		return
-	}
-
-	// Check for IPv6 and format the endpoint correctly
-	formattedEndpoint := relayEndpoint
-	if strings.Contains(relayEndpoint, ":") {
-		formattedEndpoint = fmt.Sprintf("[%s]", relayEndpoint)
-	}
-
-	// Configure WireGuard to use the relay
-	wgConfig := fmt.Sprintf(`private_key=%s
-public_key=%s
-allowed_ip=%s/32
-endpoint=%s:21820
-persistent_keepalive_interval=1`, pm.privateKey, config.PublicKey, config.ServerIP, formattedEndpoint)
-
-	err := pm.device.IpcSet(wgConfig)
-	if err != nil {
-		logger.Error("Failed to configure WireGuard device: %v\n", err)
-		return
-	}
-
-	logger.Info("Adjusted peer %d to point to relay!\n", siteID)
-}
-
-// sendRelay sends a relay message to the server
-func (pm *PeerMonitor) sendRelay(siteID int) error {
-	if !pm.handleRelaySwitch {
-		return nil
-	}
-
-	if pm.wsClient == nil {
-		return fmt.Errorf("websocket client is nil")
-	}
-
-	err := pm.wsClient.SendMessage("olm/wg/relay", map[string]interface{}{
-		"siteId": siteID,
-	})
-	if err != nil {
-		logger.Error("Failed to send registration message: %v", err)
-		return err
-	}
-	logger.Info("Sent relay message")
-	return nil
-}
-
-// Stop stops monitoring all peers
-func (pm *PeerMonitor) Stop() {
-	pm.mutex.Lock()
-	defer pm.mutex.Unlock()
-
-	if !pm.running {
-		return
-	}
-
-	pm.running = false
-
-	// Stop all monitors
-	for _, client := range pm.monitors {
-		client.StopMonitor()
-	}
-}
-
-// Close stops monitoring and cleans up resources
-func (pm *PeerMonitor) Close() {
-	pm.mutex.Lock()
-	defer pm.mutex.Unlock()
-
-	// Stop and close all clients
-	for siteID, client := range pm.monitors {
-		client.StopMonitor()
-		client.Close()
-		delete(pm.monitors, siteID)
-	}
-
-	pm.running = false
-}
-
-// TestPeer tests connectivity to a specific peer
-func (pm *PeerMonitor) TestPeer(siteID int) (bool, time.Duration, error) {
-	pm.mutex.Lock()
-	client, exists := pm.monitors[siteID]
-	pm.mutex.Unlock()
-
-	if !exists {
-		return false, 0, fmt.Errorf("peer with siteID %d not found", siteID)
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), pm.timeout*time.Duration(pm.maxAttempts))
-	defer cancel()
-
-	connected, rtt := client.TestConnection(ctx)
-	return connected, rtt, nil
-}
-
-// TestAllPeers tests connectivity to all peers
-func (pm *PeerMonitor) TestAllPeers() map[int]struct {
-	Connected bool
-	RTT       time.Duration
-} {
-	pm.mutex.Lock()
-	peers := make(map[int]*wgtester.Client, len(pm.monitors))
-	for siteID, client := range pm.monitors {
-		peers[siteID] = client
-	}
-	pm.mutex.Unlock()
-
-	results := make(map[int]struct {
-		Connected bool
-		RTT       time.Duration
-	})
-	for siteID, client := range peers {
-		ctx, cancel := context.WithTimeout(context.Background(), pm.timeout*time.Duration(pm.maxAttempts))
-		connected, rtt := client.TestConnection(ctx)
-		cancel()
-
-		results[siteID] = struct {
-			Connected bool
-			RTT       time.Duration
-		}{
-			Connected: connected,
-			RTT:       rtt,
-		}
-	}
-
-	return results
-}

peers/monitor/wgtester.go

@@ -1,4 +1,4 @@
-package wgtester
+package monitor
 
 import (
 	"context"
@@ -26,17 +26,30 @@ const (
 
 // Client handles checking connectivity to a server
 type Client struct {
-	conn           *net.UDPConn
+	conn           net.Conn
 	serverAddr     string
 	monitorRunning bool
 	monitorLock    sync.Mutex
 	connLock       sync.Mutex // Protects connection operations
 	shutdownCh     chan struct{}
+	updateCh       chan struct{}
 	packetInterval time.Duration
 	timeout        time.Duration
 	maxAttempts    int
+	dialer         Dialer
+
+	// Exponential backoff fields
+	defaultMinInterval   time.Duration // Default minimum interval (initial)
+	defaultMaxInterval   time.Duration // Default maximum interval (cap for backoff)
+	minInterval          time.Duration // Minimum interval (initial)
+	maxInterval          time.Duration // Maximum interval (cap for backoff)
+	backoffMultiplier    float64       // Multiplier for each stable check
+	stableCountToBackoff int           // Number of stable checks before backing off
 }
 
+// Dialer is a function that creates a connection
+type Dialer func(network, addr string) (net.Conn, error)
+
 // ConnectionStatus represents the current connection state
 type ConnectionStatus struct {
 	Connected bool
@@ -44,29 +57,75 @@ type ConnectionStatus struct {
 }
 
 // NewClient creates a new connection test client
-func NewClient(serverAddr string) (*Client, error) {
+func NewClient(serverAddr string, dialer Dialer) (*Client, error) {
 	return &Client{
-		serverAddr:     serverAddr,
-		shutdownCh:     make(chan struct{}),
-		packetInterval: 2 * time.Second,
-		timeout:        500 * time.Millisecond, // Timeout for individual packets
-		maxAttempts:    3,                      // Default max attempts
+		serverAddr:           serverAddr,
+		shutdownCh:           make(chan struct{}),
+		updateCh:             make(chan struct{}, 1),
+		packetInterval:       2 * time.Second,
+		defaultMinInterval:   2 * time.Second,
+		defaultMaxInterval:   30 * time.Second,
+		minInterval:          2 * time.Second,
+		maxInterval:          30 * time.Second,
+		backoffMultiplier:    1.5,
+		stableCountToBackoff: 3,                      // After 3 consecutive same-state results, start backing off
+		timeout:              500 * time.Millisecond, // Timeout for individual packets
+		maxAttempts:          3,                      // Default max attempts
+		dialer:               dialer,
 	}, nil
 }
 
 // SetPacketInterval changes how frequently packets are sent in monitor mode
-func (c *Client) SetPacketInterval(interval time.Duration) {
-	c.packetInterval = interval
+func (c *Client) SetPacketInterval(minInterval, maxInterval time.Duration) {
+	c.monitorLock.Lock()
+	c.packetInterval = minInterval
+	c.minInterval = minInterval
+	c.maxInterval = maxInterval
+	updateCh := c.updateCh
+	monitorRunning := c.monitorRunning
+	c.monitorLock.Unlock()
+
+	// Signal the goroutine to apply the new interval if running
+	if monitorRunning && updateCh != nil {
+		select {
+		case updateCh <- struct{}{}:
+		default:
+			// Channel full or closed, skip
+		}
+	}
 }
 
-// SetTimeout changes the timeout for waiting for responses
-func (c *Client) SetTimeout(timeout time.Duration) {
-	c.timeout = timeout
+func (c *Client) ResetPacketInterval() {
+	c.monitorLock.Lock()
+	c.packetInterval = c.defaultMinInterval
+	c.minInterval = c.defaultMinInterval
+	c.maxInterval = c.defaultMaxInterval
+	updateCh := c.updateCh
+	monitorRunning := c.monitorRunning
+	c.monitorLock.Unlock()
+
+	// Signal the goroutine to apply the new interval if running
+	if monitorRunning && updateCh != nil {
+		select {
+		case updateCh <- struct{}{}:
+		default:
+			// Channel full or closed, skip
+		}
+	}
 }
 
-// SetMaxAttempts changes the maximum number of attempts for TestConnection
-func (c *Client) SetMaxAttempts(attempts int) {
-	c.maxAttempts = attempts
+// UpdateServerAddr updates the server address and resets the connection
+func (c *Client) UpdateServerAddr(serverAddr string) {
+	c.connLock.Lock()
+	defer c.connLock.Unlock()
+
+	// Close existing connection if any
+	if c.conn != nil {
+		c.conn.Close()
+		c.conn = nil
+	}
+
+	c.serverAddr = serverAddr
 }
 
 // Close cleans up client resources
@@ -91,12 +150,14 @@ func (c *Client) ensureConnection() error {
 		return nil
 	}
 
-	serverAddr, err := net.ResolveUDPAddr("udp", c.serverAddr)
-	if err != nil {
-		return err
+	var err error
+	if c.dialer != nil {
+		c.conn, err = c.dialer("udp", c.serverAddr)
+	} else {
+		// Fallback to standard net.Dial
+		c.conn, err = net.Dial("udp", c.serverAddr)
 	}
 
-	c.conn, err = net.DialUDP("udp", nil, serverAddr)
 	if err != nil {
 		return err
 	}
@@ -104,9 +165,10 @@ func (c *Client) ensureConnection() error {
 	return nil
 }
 
-// TestConnection checks if the connection to the server is working
+// TestPeerConnection checks if the connection to the server is working
 // Returns true if connected, false otherwise
-func (c *Client) TestConnection(ctx context.Context) (bool, time.Duration) {
+func (c *Client) TestPeerConnection(ctx context.Context) (bool, time.Duration) {
+	// logger.Debug("wgtester: testing connection to peer %s", c.serverAddr)
 	if err := c.ensureConnection(); err != nil {
 		logger.Warn("Failed to ensure connection: %v", err)
 		return false, 0
@@ -117,6 +179,9 @@ func (c *Client) TestConnection(ctx context.Context) (bool, time.Duration) {
 	binary.BigEndian.PutUint32(packet[0:4], magicHeader)
 	packet[4] = packetTypeRequest
 
+	// Reusable response buffer
+	responseBuffer := make([]byte, packetSize)
+
 	// Send multiple attempts as specified
 	for attempt := 0; attempt < c.maxAttempts; attempt++ {
 		select {
@@ -136,20 +201,17 @@ func (c *Client) TestConnection(ctx context.Context) (bool, time.Duration) {
 				return false, 0
 			}
 
-			logger.Debug("Attempting to send monitor packet to %s", c.serverAddr)
 			_, err := c.conn.Write(packet)
 			if err != nil {
 				c.connLock.Unlock()
 				logger.Info("Error sending packet: %v", err)
 				continue
 			}
-			logger.Debug("Successfully sent monitor packet")
 
 			// Set read deadline
 			c.conn.SetReadDeadline(time.Now().Add(c.timeout))
 
 			// Wait for response
-			responseBuffer := make([]byte, packetSize)
 			n, err := c.conn.Read(responseBuffer)
 			c.connLock.Unlock()
 
@@ -190,7 +252,7 @@ func (c *Client) TestConnection(ctx context.Context) (bool, time.Duration) {
 func (c *Client) TestConnectionWithTimeout(timeout time.Duration) (bool, time.Duration) {
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
-	return c.TestConnection(ctx)
+	return c.TestPeerConnection(ctx)
 }
 
 // MonitorCallback is the function type for connection status change callbacks
@@ -217,28 +279,61 @@ func (c *Client) StartMonitor(callback MonitorCallback) error {
 	go func() {
 		var lastConnected bool
 		firstRun := true
+		stableCount := 0
+		currentInterval := c.minInterval
 
-		ticker := time.NewTicker(c.packetInterval)
-		defer ticker.Stop()
+		timer := time.NewTimer(currentInterval)
+		defer timer.Stop()
 
 		for {
 			select {
 			case <-c.shutdownCh:
 				return
-			case <-ticker.C:
+			case <-c.updateCh:
+				// Interval settings changed, reset to minimum
+				c.monitorLock.Lock()
+				currentInterval = c.minInterval
+				c.monitorLock.Unlock()
+				
+				// Reset backoff state
+				stableCount = 0
+				
+				timer.Reset(currentInterval)
+				logger.Debug("Packet interval updated, reset to %v", currentInterval)
+			case <-timer.C:
 				ctx, cancel := context.WithTimeout(context.Background(), c.timeout)
-				connected, rtt := c.TestConnection(ctx)
+				connected, rtt := c.TestPeerConnection(ctx)
 				cancel()
 
+				statusChanged := connected != lastConnected
+
 				// Callback if status changed or it's the first check
-				if connected != lastConnected || firstRun {
+				if statusChanged || firstRun {
 					callback(ConnectionStatus{
 						Connected: connected,
 						RTT:       rtt,
 					})
 					lastConnected = connected
 					firstRun = false
+					// Reset backoff on status change
+					stableCount = 0
+					currentInterval = c.minInterval
+				} else {
+					// Status is stable, increment counter
+					stableCount++
+
+					// Apply exponential backoff after stable threshold
+					if stableCount >= c.stableCountToBackoff {
+						newInterval := time.Duration(float64(currentInterval) * c.backoffMultiplier)
+						if newInterval > c.maxInterval {
+							newInterval = c.maxInterval
+						}
+						currentInterval = newInterval
+					}
 				}
+
+				// Reset timer with current interval
+				timer.Reset(currentInterval)
 			}
 		}
 	}()

peers/peer.go

@@ -0,0 +1,160 @@
+package peers
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/fosrl/newt/logger"
+	"github.com/fosrl/newt/util"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+// ConfigurePeer sets up or updates a peer within the WireGuard device
+func ConfigurePeer(dev *device.Device, siteConfig SiteConfig, privateKey wgtypes.Key, relay bool, persistentKeepalive int, publicDNS []string) error {
+	var endpoint string
+	if relay && siteConfig.RelayEndpoint != "" {
+		endpoint = formatEndpoint(siteConfig.RelayEndpoint)
+	} else {
+		endpoint = formatEndpoint(siteConfig.Endpoint)
+	}
+	siteHost, err := util.ResolveDomainUpstream(endpoint, publicDNS)
+	if err != nil {
+		return fmt.Errorf("failed to resolve endpoint for site %d: %v", siteConfig.SiteId, err)
+	}
+
+	// Split off the CIDR of the server IP which is just a string and add /32 for the allowed IP
+	allowedIp := strings.Split(siteConfig.ServerIP, "/")
+	if len(allowedIp) > 1 {
+		allowedIp[1] = "32"
+	} else {
+		allowedIp = append(allowedIp, "32")
+	}
+	allowedIpStr := strings.Join(allowedIp, "/")
+
+	// Collect all allowed IPs in a slice
+	var allowedIPs []string
+	allowedIPs = append(allowedIPs, allowedIpStr)
+
+	// Use AllowedIps if available, otherwise fall back to RemoteSubnets for backwards compatibility
+	subnetsToAdd := siteConfig.AllowedIps
+
+	// If we have anything to add, process them
+	if len(subnetsToAdd) > 0 {
+		// Add each subnet
+		for _, subnet := range subnetsToAdd {
+			subnet = strings.TrimSpace(subnet)
+			if subnet != "" {
+				allowedIPs = append(allowedIPs, subnet)
+			}
+		}
+	}
+
+	// Construct WireGuard config for this peer
+	var configBuilder strings.Builder
+	configBuilder.WriteString(fmt.Sprintf("private_key=%s\n", util.FixKey(privateKey.String())))
+	configBuilder.WriteString(fmt.Sprintf("public_key=%s\n", util.FixKey(siteConfig.PublicKey)))
+
+	// Add each allowed IP separately
+	for _, allowedIP := range allowedIPs {
+		configBuilder.WriteString(fmt.Sprintf("allowed_ip=%s\n", allowedIP))
+	}
+
+	configBuilder.WriteString(fmt.Sprintf("endpoint=%s\n", siteHost))
+	configBuilder.WriteString(fmt.Sprintf("persistent_keepalive_interval=%d\n", persistentKeepalive))
+
+	config := configBuilder.String()
+	logger.Debug("Configuring peer with config: %s", config)
+
+	err = dev.IpcSet(config)
+	if err != nil {
+		return fmt.Errorf("failed to configure WireGuard peer: %v", err)
+	}
+
+	return nil
+}
+
+// RemovePeer removes a peer from the WireGuard device
+func RemovePeer(dev *device.Device, siteId int, publicKey string) error {
+	// Construct WireGuard config to remove the peer
+	var configBuilder strings.Builder
+	configBuilder.WriteString(fmt.Sprintf("public_key=%s\n", util.FixKey(publicKey)))
+	configBuilder.WriteString("remove=true\n")
+
+	config := configBuilder.String()
+	logger.Debug("Removing peer with config: %s", config)
+
+	err := dev.IpcSet(config)
+	if err != nil {
+		return fmt.Errorf("failed to remove WireGuard peer: %v", err)
+	}
+
+	return nil
+}
+
+// AddAllowedIP adds a single allowed IP to an existing peer without reconfiguring the entire peer
+func AddAllowedIP(dev *device.Device, publicKey string, allowedIP string) error {
+	var configBuilder strings.Builder
+	configBuilder.WriteString(fmt.Sprintf("public_key=%s\n", util.FixKey(publicKey)))
+	configBuilder.WriteString("update_only=true\n")
+	configBuilder.WriteString(fmt.Sprintf("allowed_ip=%s\n", allowedIP))
+
+	config := configBuilder.String()
+	logger.Debug("Adding allowed IP to peer with config: %s", config)
+
+	err := dev.IpcSet(config)
+	if err != nil {
+		return fmt.Errorf("failed to add allowed IP to WireGuard peer: %v", err)
+	}
+
+	return nil
+}
+
+// RemoveAllowedIP removes a single allowed IP from an existing peer by replacing the allowed IPs list
+// This requires providing all the allowed IPs that should remain after removal
+func RemoveAllowedIP(dev *device.Device, publicKey string, remainingAllowedIPs []string) error {
+	var configBuilder strings.Builder
+	configBuilder.WriteString(fmt.Sprintf("public_key=%s\n", util.FixKey(publicKey)))
+	configBuilder.WriteString("update_only=true\n")
+	configBuilder.WriteString("replace_allowed_ips=true\n")
+
+	// Add each remaining allowed IP
+	for _, allowedIP := range remainingAllowedIPs {
+		configBuilder.WriteString(fmt.Sprintf("allowed_ip=%s\n", allowedIP))
+	}
+
+	config := configBuilder.String()
+	logger.Debug("Removing allowed IP from peer with config: %s", config)
+
+	err := dev.IpcSet(config)
+	if err != nil {
+		return fmt.Errorf("failed to remove allowed IP from WireGuard peer: %v", err)
+	}
+
+	return nil
+}
+
+// UpdatePersistentKeepalive updates the persistent keepalive interval for a peer without recreating it
+func UpdatePersistentKeepalive(dev *device.Device, publicKey string, interval int) error {
+	var configBuilder strings.Builder
+	configBuilder.WriteString(fmt.Sprintf("public_key=%s\n", util.FixKey(publicKey)))
+	configBuilder.WriteString("update_only=true\n")
+	configBuilder.WriteString(fmt.Sprintf("persistent_keepalive_interval=%d\n", interval))
+
+	config := configBuilder.String()
+	logger.Debug("Updating persistent keepalive for peer with config: %s", config)
+
+	err := dev.IpcSet(config)
+	if err != nil {
+		return fmt.Errorf("failed to update persistent keepalive for WireGuard peer: %v", err)
+	}
+
+	return nil
+}
+
+func formatEndpoint(endpoint string) string {
+	if strings.Contains(endpoint, ":") {
+		return endpoint
+	}
+	return endpoint + ":51820"
+}

peers/types.go

@@ -0,0 +1,64 @@
+package peers
+
+// PeerAction represents a request to add, update, or remove a peer
+type PeerAction struct {
+	Action   string     `json:"action"`   // "add", "update", or "remove"
+	SiteInfo SiteConfig `json:"siteInfo"` // Site configuration information
+}
+
+// UpdatePeerData represents the data needed to update a peer
+type SiteConfig struct {
+	SiteId        int      `json:"siteId"`
+	Name          string   `json:"name,omitempty"`
+	Endpoint      string   `json:"endpoint,omitempty"`
+	RelayEndpoint string   `json:"relayEndpoint,omitempty"`
+	PublicKey     string   `json:"publicKey,omitempty"`
+	ServerIP      string   `json:"serverIP,omitempty"`
+	ServerPort    uint16   `json:"serverPort,omitempty"`
+	RemoteSubnets []string `json:"remoteSubnets,omitempty"` // optional, array of subnets that this site can access
+	AllowedIps    []string `json:"allowedIps,omitempty"`    // optional, array of allowed IPs for the peer
+	Aliases       []Alias  `json:"aliases,omitempty"`       // optional, array of alias configurations
+}
+
+type Alias struct {
+	Alias        string `json:"alias"`        // the alias name
+	AliasAddress string `json:"aliasAddress"` // the alias IP address
+}
+
+// RemovePeer represents the data needed to remove a peer
+type PeerRemove struct {
+	SiteId int `json:"siteId"`
+}
+
+type RelayPeerData struct {
+	SiteId        int    `json:"siteId"`
+	RelayEndpoint string `json:"relayEndpoint"`
+	RelayPort     uint16 `json:"relayPort"`
+}
+
+type UnRelayPeerData struct {
+	SiteId   int    `json:"siteId"`
+	Endpoint string `json:"endpoint"`
+}
+
+// PeerAdd represents the data needed to add remote subnets to a peer
+type PeerAdd struct {
+	SiteId        int      `json:"siteId"`
+	RemoteSubnets []string `json:"remoteSubnets"`     // subnets to add
+	Aliases       []Alias  `json:"aliases,omitempty"` // aliases to add
+}
+
+// RemovePeerData represents the data needed to remove remote subnets from a peer
+type RemovePeerData struct {
+	SiteId        int      `json:"siteId"`
+	RemoteSubnets []string `json:"remoteSubnets"`     // subnets to remove
+	Aliases       []Alias  `json:"aliases,omitempty"` // aliases to remove
+}
+
+type UpdatePeerData struct {
+	SiteId           int      `json:"siteId"`
+	OldRemoteSubnets []string `json:"oldRemoteSubnets"`     // old list of remote subnets
+	NewRemoteSubnets []string `json:"newRemoteSubnets"`     // new list of remote subnets
+	OldAliases       []Alias  `json:"oldAliases,omitempty"` // old list of aliases
+	NewAliases       []Alias  `json:"newAliases,omitempty"` // new list of aliases
+}

service_windows.go

@@ -99,15 +99,32 @@ func (s *olmService) Execute(args []string, r <-chan svc.ChangeRequest, changes
 		// Continue with empty args if loading fails
 		savedArgs = []string{}
 	}
+	s.elog.Info(1, fmt.Sprintf("Loaded saved service args: %v", savedArgs))
 
 	// Combine service start args with saved args, giving priority to service start args
+	// Note: When the service is started via SCM, args[0] is the service name
+	// When started via s.Start(args...), the args passed are exactly what we provide
 	finalArgs := []string{}
+
+	// Check if we have args passed directly to Execute (from s.Start())
 	if len(args) > 0 {
-		// Skip the first arg which is typically the service name
-		if len(args) > 1 {
+		// The first arg from SCM is the service name, but when we call s.Start(args...),
+		// the args we pass become args[1:] in Execute. However, if started by SCM without
+		// args, args[0] will be the service name.
+		// We need to check if args[0] looks like the service name or a flag
+		if len(args) == 1 && args[0] == serviceName {
+			// Only service name, no actual args
+			s.elog.Info(1, "Only service name in args, checking saved args")
+		} else if len(args) > 1 && args[0] == serviceName {
+			// Service name followed by actual args
 			finalArgs = append(finalArgs, args[1:]...)
+			s.elog.Info(1, fmt.Sprintf("Using service start parameters (after service name): %v", finalArgs))
+		} else {
+			// Args don't start with service name, use them all
+			// This happens when args are passed via s.Start(args...)
+			finalArgs = append(finalArgs, args...)
+			s.elog.Info(1, fmt.Sprintf("Using service start parameters (direct): %v", finalArgs))
 		}
-		s.elog.Info(1, fmt.Sprintf("Using service start parameters: %v", finalArgs))
 	}
 
 	// If no service start parameters, use saved args
@@ -116,6 +133,7 @@ func (s *olmService) Execute(args []string, r <-chan svc.ChangeRequest, changes
 		s.elog.Info(1, fmt.Sprintf("Using saved service args: %v", finalArgs))
 	}
 
+	s.elog.Info(1, fmt.Sprintf("Final args to use: %v", finalArgs))
 	s.args = finalArgs
 
 	// Start the main olm functionality
@@ -163,6 +181,9 @@ func (s *olmService) runOlm() {
 	// Create a context that can be cancelled when the service stops
 	s.ctx, s.stop = context.WithCancel(context.Background())
 
+	// Create a separate context for programmatic shutdown (e.g., via API exit)
+	ctx, cancel := context.WithCancel(context.Background())
+
 	// Setup logging for service mode
 	s.elog.Info(1, "Starting Olm main logic")
 
@@ -177,7 +198,8 @@ func (s *olmService) runOlm() {
 		}()
 
 		// Call the main olm function with stored arguments
-		runOlmMainWithArgs(s.ctx, s.args)
+		// Use s.ctx as the signal context since the service manages shutdown
+		runOlmMainWithArgs(ctx, cancel, s.ctx, s.args)
 	}()
 
 	// Wait for either context cancellation or main logic completion
@@ -321,12 +343,15 @@ func removeService() error {
 }
 
 func startService(args []string) error {
-	// Save the service arguments as backup
-	if len(args) > 0 {
-		err := saveServiceArgs(args)
-		if err != nil {
-			return fmt.Errorf("failed to save service args: %v", err)
-		}
+	fmt.Printf("Starting service with args: %v\n", args)
+
+	// Always save the service arguments so they can be loaded on service restart
+	err := saveServiceArgs(args)
+	if err != nil {
+		fmt.Printf("Warning: failed to save service args: %v\n", err)
+		// Continue anyway, args will still be passed directly
+	} else {
+		fmt.Printf("Saved service args to: %s\n", getServiceArgsPath())
 	}
 
 	m, err := mgr.Connect()
@@ -342,6 +367,7 @@ func startService(args []string) error {
 	defer s.Close()
 
 	// Pass arguments directly to the service start call
+	// Note: These args will appear in Execute() after the service name
 	err = s.Start(args...)
 	if err != nil {
 		return fmt.Errorf("failed to start service: %v", err)

unix.go

@@ -1,35 +0,0 @@
-//go:build !windows
-
-package main
-
-import (
-	"net"
-	"os"
-	"strconv"
-
-	"golang.org/x/sys/unix"
-	"golang.zx2c4.com/wireguard/ipc"
-	"golang.zx2c4.com/wireguard/tun"
-)
-
-func createTUNFromFD(tunFdStr string, mtuInt int) (tun.Device, error) {
-	fd, err := strconv.ParseUint(tunFdStr, 10, 32)
-	if err != nil {
-		return nil, err
-	}
-
-	err = unix.SetNonblock(int(fd), true)
-	if err != nil {
-		return nil, err
-	}
-
-	file := os.NewFile(uintptr(fd), "")
-	return tun.CreateTUNFromFile(file, mtuInt)
-}
-func uapiOpen(interfaceName string) (*os.File, error) {
-	return ipc.UAPIOpen(interfaceName)
-}
-
-func uapiListen(interfaceName string, fileUAPI *os.File) (net.Listener, error) {
-	return ipc.UAPIListen(interfaceName, fileUAPI)
-}

websocket/client.go

@@ -2,9 +2,11 @@ package websocket
 
 import (
 	"bytes"
+	"compress/gzip"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -20,17 +22,43 @@ import (
 	"github.com/gorilla/websocket"
 )
 
+// AuthError represents an authentication/authorization error (401/403)
+type AuthError struct {
+	StatusCode int
+	Message    string
+}
+
+func (e *AuthError) Error() string {
+	return fmt.Sprintf("authentication error (status %d): %s", e.StatusCode, e.Message)
+}
+
+// IsAuthError checks if an error is an authentication error
+func IsAuthError(err error) bool {
+	_, ok := err.(*AuthError)
+	return ok
+}
+
 type TokenResponse struct {
 	Data struct {
-		Token string `json:"token"`
+		Token         string     `json:"token"`
+		ExitNodes     []ExitNode `json:"exitNodes"`
+		ServerVersion string     `json:"serverVersion"`
 	} `json:"data"`
 	Success bool   `json:"success"`
 	Message string `json:"message"`
 }
 
+type ExitNode struct {
+	Endpoint  string `json:"endpoint"`
+	RelayPort uint16 `json:"relayPort"`
+	PublicKey string `json:"publicKey"`
+	SiteIds   []int  `json:"siteIds"`
+}
+
 type WSMessage struct {
-	Type string      `json:"type"`
-	Data interface{} `json:"data"`
+	Type          string      `json:"type"`
+	Data          interface{} `json:"data"`
+	ConfigVersion int         `json:"configVersion,omitempty"`
 }
 
 // this is not json anymore
@@ -39,6 +67,8 @@ type Config struct {
 	Secret        string
 	Endpoint      string
 	TlsClientCert string // legacy PKCS12 file path
+	UserToken     string // optional user token for websocket authentication
+	OrgID         string // optional organization ID for websocket authentication
 }
 
 type Client struct {
@@ -50,15 +80,29 @@ type Client struct {
 	handlersMux       sync.RWMutex
 	reconnectInterval time.Duration
 	isConnected       bool
+	isDisconnected    bool // Flag to track if client is intentionally disconnected
 	reconnectMux      sync.RWMutex
 	pingInterval      time.Duration
-	pingTimeout       time.Duration
 	onConnect         func() error
-	onTokenUpdate     func(token string)
+	onTokenUpdate     func(token string, exitNodes []ExitNode)
+	onAuthError       func(statusCode int, message string) // Callback for auth errors
 	writeMux          sync.Mutex
 	clientType        string // Type of client (e.g., "newt", "olm")
 	tlsConfig         TLSConfig
 	configNeedsSave   bool // Flag to track if config needs to be saved
+	configVersion     int  // Latest config version received from server
+	configVersionMux  sync.RWMutex
+	token             string       // Cached authentication token
+	exitNodes         []ExitNode   // Cached exit nodes from token response
+	tokenMux          sync.RWMutex // Protects token and exitNodes
+	forceNewToken     bool         // Flag to force fetching a new token on next connection
+	processingMessage bool                   // Flag to track if a message is currently being processed
+	processingMux     sync.RWMutex           // Protects processingMessage
+	processingWg      sync.WaitGroup         // WaitGroup to wait for message processing to complete
+	getPingData       func() map[string]any  // Callback to get additional ping data
+	pingStarted       bool                   // Flag to track if ping monitor has been started
+	pingStartedMux    sync.Mutex             // Protects pingStarted
+	pingDone          chan struct{}          // Channel to stop the ping monitor independently
 }
 
 type ClientOption func(*Client)
@@ -94,20 +138,33 @@ func WithTLSConfig(config TLSConfig) ClientOption {
 	}
 }
 
+// WithPingDataProvider sets a callback to provide additional data for ping messages
+func WithPingDataProvider(fn func() map[string]any) ClientOption {
+	return func(c *Client) {
+		c.getPingData = fn
+	}
+}
+
 func (c *Client) OnConnect(callback func() error) {
 	c.onConnect = callback
 }
 
-func (c *Client) OnTokenUpdate(callback func(token string)) {
+func (c *Client) OnTokenUpdate(callback func(token string, exitNodes []ExitNode)) {
 	c.onTokenUpdate = callback
 }
 
+func (c *Client) OnAuthError(callback func(statusCode int, message string)) {
+	c.onAuthError = callback
+}
+
 // NewClient creates a new websocket client
-func NewClient(clientType string, ID, secret string, endpoint string, pingInterval time.Duration, pingTimeout time.Duration, opts ...ClientOption) (*Client, error) {
+func NewClient(ID, secret, userToken, orgId, endpoint string, pingInterval time.Duration, opts ...ClientOption) (*Client, error) {
 	config := &Config{
-		ID:       ID,
-		Secret:   secret,
-		Endpoint: endpoint,
+		ID:        ID,
+		Secret:    secret,
+		Endpoint:  endpoint,
+		UserToken: userToken,
+		OrgID:     orgId,
 	}
 
 	client := &Client{
@@ -118,8 +175,8 @@ func NewClient(clientType string, ID, secret string, endpoint string, pingInterv
 		reconnectInterval: 3 * time.Second,
 		isConnected:       false,
 		pingInterval:      pingInterval,
-		pingTimeout:       pingTimeout,
-		clientType:        clientType,
+		clientType:        "olm",
+		pingDone:          make(chan struct{}),
 	}
 
 	// Apply options before loading config
@@ -139,6 +196,9 @@ func (c *Client) GetConfig() *Config {
 
 // Connect establishes the WebSocket connection
 func (c *Client) Connect() error {
+	if c.isDisconnected {
+		c.isDisconnected = false
+	}
 	go c.connectWithRetry()
 	return nil
 }
@@ -171,9 +231,31 @@ func (c *Client) Close() error {
 	return nil
 }
 
+// Disconnect cleanly closes the websocket connection and suspends message intervals, but allows reconnecting later.
+func (c *Client) Disconnect() error {
+	c.isDisconnected = true
+	c.setConnected(false)
+
+	// Stop the ping monitor
+	c.stopPingMonitor()
+
+	// Wait for any message currently being processed to complete
+	c.processingWg.Wait()
+
+	if c.conn != nil {
+		c.writeMux.Lock()
+		c.conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
+		c.writeMux.Unlock()
+		err := c.conn.Close()
+		c.conn = nil
+		return err
+	}
+	return nil
+}
+
 // SendMessage sends a message through the WebSocket connection
 func (c *Client) SendMessage(messageType string, data interface{}) error {
-	if c.conn == nil {
+	if c.isDisconnected || c.conn == nil {
 		return fmt.Errorf("not connected")
 	}
 
@@ -182,47 +264,88 @@ func (c *Client) SendMessage(messageType string, data interface{}) error {
 		Data: data,
 	}
 
-	logger.Debug("Sending message: %s, data: %+v", messageType, data)
+	logger.Debug("websocket: Sending message: %s, data: %+v", messageType, data)
 
 	c.writeMux.Lock()
 	defer c.writeMux.Unlock()
 	return c.conn.WriteJSON(msg)
 }
 
-func (c *Client) SendMessageInterval(messageType string, data interface{}, interval time.Duration) (stop func()) {
+func (c *Client) SendMessageInterval(messageType string, data interface{}, interval time.Duration, maxAttempts int) (stop func(), update func(newData interface{})) {
 	stopChan := make(chan struct{})
+	updateChan := make(chan interface{})
+	var dataMux sync.Mutex
+	currentData := data
+
 	go func() {
 		count := 0
-		maxAttempts := 10
 
-		err := c.SendMessage(messageType, data) // Send immediately
-		if err != nil {
-			logger.Error("Failed to send initial message: %v", err)
+		send := func() {
+			if c.isDisconnected || c.conn == nil {
+				return
+			}
+			err := c.SendMessage(messageType, currentData)
+			if err != nil {
+				logger.Error("websocket: Failed to send message: %v", err)
+			}
+			count++
 		}
-		count++
+
+		send() // Send immediately
 
 		ticker := time.NewTicker(interval)
 		defer ticker.Stop()
 		for {
 			select {
 			case <-ticker.C:
-				if count >= maxAttempts {
-					logger.Info("SendMessageInterval timed out after %d attempts for message type: %s", maxAttempts, messageType)
+				if maxAttempts != -1 && count >= maxAttempts {
+					logger.Info("websocket: SendMessageInterval timed out after %d attempts for message type: %s", maxAttempts, messageType)
 					return
 				}
-				err = c.SendMessage(messageType, data)
-				if err != nil {
-					logger.Error("Failed to send message: %v", err)
+				dataMux.Lock()
+				send()
+				dataMux.Unlock()
+			case newData := <-updateChan:
+				dataMux.Lock()
+				// Merge newData into currentData if both are maps
+				if currentMap, ok := currentData.(map[string]interface{}); ok {
+					if newMap, ok := newData.(map[string]interface{}); ok {
+						// Update or add keys from newData
+						for key, value := range newMap {
+							currentMap[key] = value
+						}
+						currentData = currentMap
+					} else {
+						// If newData is not a map, replace entirely
+						currentData = newData
+					}
+				} else {
+					// If currentData is not a map, replace entirely
+					currentData = newData
 				}
-				count++
+				dataMux.Unlock()
 			case <-stopChan:
 				return
 			}
+			// Suspend sending if disconnected
+			for c.isDisconnected {
+				select {
+				case <-stopChan:
+					return
+				case <-time.After(500 * time.Millisecond):
+				}
+			}
 		}
 	}()
 	return func() {
-		close(stopChan)
-	}
+			close(stopChan)
+		}, func(newData interface{}) {
+			select {
+			case updateChan <- newData:
+			case <-stopChan:
+				// Channel is closed, ignore update
+			}
+		}
 }
 
 // RegisterHandler registers a handler for a specific message type
@@ -232,11 +355,11 @@ func (c *Client) RegisterHandler(messageType string, handler MessageHandler) {
 	c.handlers[messageType] = handler
 }
 
-func (c *Client) getToken() (string, error) {
+func (c *Client) getToken() (string, []ExitNode, error) {
 	// Parse the base URL to ensure we have the correct hostname
 	baseURL, err := url.Parse(c.baseURL)
 	if err != nil {
-		return "", fmt.Errorf("failed to parse base URL: %w", err)
+		return "", nil, fmt.Errorf("failed to parse base URL: %w", err)
 	}
 
 	// Ensure we have the base URL without trailing slashes
@@ -248,7 +371,7 @@ func (c *Client) getToken() (string, error) {
 	if c.tlsConfig.ClientCertFile != "" || c.tlsConfig.ClientKeyFile != "" || len(c.tlsConfig.CAFiles) > 0 || c.tlsConfig.PKCS12File != "" {
 		tlsConfig, err = c.setupTLS()
 		if err != nil {
-			return "", fmt.Errorf("failed to setup TLS configuration: %w", err)
+			return "", nil, fmt.Errorf("failed to setup TLS configuration: %w", err)
 		}
 	}
 
@@ -258,27 +381,19 @@ func (c *Client) getToken() (string, error) {
 			tlsConfig = &tls.Config{}
 		}
 		tlsConfig.InsecureSkipVerify = true
-		logger.Debug("TLS certificate verification disabled via SKIP_TLS_VERIFY environment variable")
+		logger.Debug("websocket: TLS certificate verification disabled via SKIP_TLS_VERIFY environment variable")
 	}
 
-	var tokenData map[string]interface{}
-
-	// Get a new token
-	if c.clientType == "newt" {
-		tokenData = map[string]interface{}{
-			"newtId": c.config.ID,
-			"secret": c.config.Secret,
-		}
-	} else if c.clientType == "olm" {
-		tokenData = map[string]interface{}{
-			"olmId":  c.config.ID,
-			"secret": c.config.Secret,
-		}
+	tokenData := map[string]interface{}{
+		"olmId":  c.config.ID,
+		"secret": c.config.Secret,
+		"userToken": c.config.UserToken,
+		"orgId":  c.config.OrgID,
 	}
 	jsonData, err := json.Marshal(tokenData)
 
 	if err != nil {
-		return "", fmt.Errorf("failed to marshal token request data: %w", err)
+		return "", nil, fmt.Errorf("failed to marshal token request data: %w", err)
 	}
 
 	// Create a new request
@@ -288,13 +403,16 @@ func (c *Client) getToken() (string, error) {
 		bytes.NewBuffer(jsonData),
 	)
 	if err != nil {
-		return "", fmt.Errorf("failed to create request: %w", err)
+		return "", nil, fmt.Errorf("failed to create request: %w", err)
 	}
 
 	// Set headers
 	req.Header.Set("Content-Type", "application/json")
 	req.Header.Set("X-CSRF-Token", "x-csrf-protection")
 
+	// print out the request for debugging
+	logger.Debug("websocket: Requesting token from %s with body: %s", req.URL.String(), string(jsonData))
+
 	// Make the request
 	client := &http.Client{}
 	if tlsConfig != nil {
@@ -304,33 +422,43 @@ func (c *Client) getToken() (string, error) {
 	}
 	resp, err := client.Do(req)
 	if err != nil {
-		return "", fmt.Errorf("failed to request new token: %w", err)
+		return "", nil, fmt.Errorf("failed to request new token: %w", err)
 	}
 	defer resp.Body.Close()
 
 	if resp.StatusCode != http.StatusOK {
 		body, _ := io.ReadAll(resp.Body)
-		logger.Error("Failed to get token with status code: %d, body: %s", resp.StatusCode, string(body))
-		return "", fmt.Errorf("failed to get token with status code: %d, body: %s", resp.StatusCode, string(body))
+		logger.Error("websocket: Failed to get token with status code: %d, body: %s", resp.StatusCode, string(body))
+
+		// Return AuthError for 401/403 status codes
+		if resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden {
+			return "", nil, &AuthError{
+				StatusCode: resp.StatusCode,
+				Message:    string(body),
+			}
+		}
+
+		// For other errors (5xx, network issues, etc.), return regular error
+		return "", nil, fmt.Errorf("failed to get token with status code: %d, body: %s", resp.StatusCode, string(body))
 	}
 
 	var tokenResp TokenResponse
 	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
-		logger.Error("Failed to decode token response.")
-		return "", fmt.Errorf("failed to decode token response: %w", err)
+		logger.Error("websocket: Failed to decode token response.")
+		return "", nil, fmt.Errorf("failed to decode token response: %w", err)
 	}
 
 	if !tokenResp.Success {
-		return "", fmt.Errorf("failed to get token: %s", tokenResp.Message)
+		return "", nil, fmt.Errorf("failed to get token: %s", tokenResp.Message)
 	}
 
 	if tokenResp.Data.Token == "" {
-		return "", fmt.Errorf("received empty token from server")
+		return "", nil, fmt.Errorf("received empty token from server")
 	}
 
-	logger.Debug("Received token: %s", tokenResp.Data.Token)
+	logger.Debug("websocket: Received token: %s", tokenResp.Data.Token)
 
-	return tokenResp.Data.Token, nil
+	return tokenResp.Data.Token, tokenResp.Data.ExitNodes, nil
 }
 
 func (c *Client) connectWithRetry() {
@@ -341,7 +469,20 @@ func (c *Client) connectWithRetry() {
 		default:
 			err := c.establishConnection()
 			if err != nil {
-				logger.Error("Failed to connect: %v. Retrying in %v...", err, c.reconnectInterval)
+				// Check if this is an auth error (401/403)
+				var authErr *AuthError
+				if errors.As(err, &authErr) {
+					logger.Error("Authentication failed: %v. Terminating tunnel and retrying...", authErr)
+					// Trigger auth error callback if set (this should terminate the tunnel)
+					if c.onAuthError != nil {
+						c.onAuthError(authErr.StatusCode, authErr.Message)
+					}
+					// Continue retrying after auth error
+					time.Sleep(c.reconnectInterval)
+					continue
+				}
+				// For other errors (5xx, network issues), continue retrying
+				logger.Error("websocket: Failed to connect: %v. Retrying in %v...", err, c.reconnectInterval)
 				time.Sleep(c.reconnectInterval)
 				continue
 			}
@@ -351,15 +492,25 @@ func (c *Client) connectWithRetry() {
 }
 
 func (c *Client) establishConnection() error {
-	// Get token for authentication
-	token, err := c.getToken()
-	if err != nil {
-		return fmt.Errorf("failed to get token: %w", err)
-	}
+	// Get token for authentication - reuse cached token unless forced to get new one
+	c.tokenMux.Lock()
+	needNewToken := c.token == "" || c.forceNewToken
+	if needNewToken {
+		token, exitNodes, err := c.getToken()
+		if err != nil {
+			c.tokenMux.Unlock()
+			return fmt.Errorf("failed to get token: %w", err)
+		}
+		c.token = token
+		c.exitNodes = exitNodes
+		c.forceNewToken = false
 
-	if c.onTokenUpdate != nil {
-		c.onTokenUpdate(token)
+		if c.onTokenUpdate != nil {
+			c.onTokenUpdate(token, exitNodes)
+		}
 	}
+	token := c.token
+	c.tokenMux.Unlock()
 
 	// Parse the base URL to determine protocol and hostname
 	baseURL, err := url.Parse(c.baseURL)
@@ -384,6 +535,9 @@ func (c *Client) establishConnection() error {
 	q := u.Query()
 	q.Set("token", token)
 	q.Set("clientType", c.clientType)
+	if c.config.UserToken != "" {
+		q.Set("userToken", c.config.UserToken)
+	}
 	u.RawQuery = q.Encode()
 
 	// Connect to WebSocket
@@ -391,7 +545,7 @@ func (c *Client) establishConnection() error {
 
 	// Use new TLS configuration method
 	if c.tlsConfig.ClientCertFile != "" || c.tlsConfig.ClientKeyFile != "" || len(c.tlsConfig.CAFiles) > 0 || c.tlsConfig.PKCS12File != "" {
-		logger.Info("Setting up TLS configuration for WebSocket connection")
+		logger.Info("websocket: Setting up TLS configuration for WebSocket connection")
 		tlsConfig, err := c.setupTLS()
 		if err != nil {
 			return fmt.Errorf("failed to setup TLS configuration: %w", err)
@@ -405,25 +559,38 @@ func (c *Client) establishConnection() error {
 			dialer.TLSClientConfig = &tls.Config{}
 		}
 		dialer.TLSClientConfig.InsecureSkipVerify = true
-		logger.Debug("WebSocket TLS certificate verification disabled via SKIP_TLS_VERIFY environment variable")
+		logger.Debug("websocket: WebSocket TLS certificate verification disabled via SKIP_TLS_VERIFY environment variable")
 	}
 
-	conn, _, err := dialer.Dial(u.String(), nil)
+	conn, resp, err := dialer.Dial(u.String(), nil)
 	if err != nil {
+		// Check if this is an unauthorized error (401)
+		if resp != nil && resp.StatusCode == http.StatusUnauthorized {
+			logger.Error("websocket: WebSocket connection rejected with 401 Unauthorized")
+			// Force getting a new token on next reconnect attempt
+			c.tokenMux.Lock()
+			c.forceNewToken = true
+			c.tokenMux.Unlock()
+			return &AuthError{
+				StatusCode: http.StatusUnauthorized,
+				Message:    "WebSocket connection unauthorized",
+			}
+		}
 		return fmt.Errorf("failed to connect to WebSocket: %w", err)
 	}
 
 	c.conn = conn
 	c.setConnected(true)
 
-	// Start the ping monitor
-	go c.pingMonitor()
+	// Note: ping monitor is NOT started here - it will be started when
+	// StartPingMonitor() is called after registration completes
+
 	// Start the read pump with disconnect detection
 	go c.readPumpWithDisconnectDetection()
 
 	if c.onConnect != nil {
 		if err := c.onConnect(); err != nil {
-			logger.Error("OnConnect callback failed: %v", err)
+			logger.Error("websocket: OnConnect callback failed: %v", err)
 		}
 	}
 
@@ -436,9 +603,9 @@ func (c *Client) setupTLS() (*tls.Config, error) {
 
 	// Handle new separate certificate configuration
 	if c.tlsConfig.ClientCertFile != "" && c.tlsConfig.ClientKeyFile != "" {
-		logger.Info("Loading separate certificate files for mTLS")
-		logger.Debug("Client cert: %s", c.tlsConfig.ClientCertFile)
-		logger.Debug("Client key: %s", c.tlsConfig.ClientKeyFile)
+		logger.Info("websocket: Loading separate certificate files for mTLS")
+		logger.Debug("websocket: Client cert: %s", c.tlsConfig.ClientCertFile)
+		logger.Debug("websocket: Client key: %s", c.tlsConfig.ClientKeyFile)
 
 		// Load client certificate and key
 		cert, err := tls.LoadX509KeyPair(c.tlsConfig.ClientCertFile, c.tlsConfig.ClientKeyFile)
@@ -449,7 +616,7 @@ func (c *Client) setupTLS() (*tls.Config, error) {
 
 		// Load CA certificates for remote validation if specified
 		if len(c.tlsConfig.CAFiles) > 0 {
-			logger.Debug("Loading CA certificates: %v", c.tlsConfig.CAFiles)
+			logger.Debug("websocket: Loading CA certificates: %v", c.tlsConfig.CAFiles)
 			caCertPool := x509.NewCertPool()
 			for _, caFile := range c.tlsConfig.CAFiles {
 				caCert, err := os.ReadFile(caFile)
@@ -475,13 +642,13 @@ func (c *Client) setupTLS() (*tls.Config, error) {
 
 	// Fallback to existing PKCS12 implementation for backward compatibility
 	if c.tlsConfig.PKCS12File != "" {
-		logger.Info("Loading PKCS12 certificate for mTLS (deprecated)")
+		logger.Info("websocket: Loading PKCS12 certificate for mTLS (deprecated)")
 		return c.setupPKCS12TLS()
 	}
 
 	// Legacy fallback using config.TlsClientCert
 	if c.config.TlsClientCert != "" {
-		logger.Info("Loading legacy PKCS12 certificate for mTLS (deprecated)")
+		logger.Info("websocket: Loading legacy PKCS12 certificate for mTLS (deprecated)")
 		return loadClientCertificate(c.config.TlsClientCert)
 	}
 
@@ -493,6 +660,59 @@ func (c *Client) setupPKCS12TLS() (*tls.Config, error) {
 	return loadClientCertificate(c.tlsConfig.PKCS12File)
 }
 
+// sendPing sends a single ping message
+func (c *Client) sendPing() {
+	if c.isDisconnected || c.conn == nil {
+		return
+	}
+	// Skip ping if a message is currently being processed
+	c.processingMux.RLock()
+	isProcessing := c.processingMessage
+	c.processingMux.RUnlock()
+	if isProcessing {
+		logger.Debug("websocket: Skipping ping, message is being processed")
+		return
+	}
+	// Send application-level ping with config version
+	c.configVersionMux.RLock()
+	configVersion := c.configVersion
+	c.configVersionMux.RUnlock()
+
+	pingData := map[string]any{
+		"timestamp": time.Now().Unix(),
+		"userToken": c.config.UserToken,
+	}
+	if c.getPingData != nil {
+		for k, v := range c.getPingData() {
+			pingData[k] = v
+		}
+	}
+
+	pingMsg := WSMessage{
+		Type:          "olm/ping",
+		Data:          pingData,
+		ConfigVersion: configVersion,
+	}
+
+	logger.Debug("websocket: Sending ping: %+v", pingMsg)
+
+	c.writeMux.Lock()
+	err := c.conn.WriteJSON(pingMsg)
+	c.writeMux.Unlock()
+	if err != nil {
+		// Check if we're shutting down before logging error and reconnecting
+		select {
+		case <-c.done:
+			// Expected during shutdown
+			return
+		default:
+			logger.Error("websocket: Ping failed: %v", err)
+			c.reconnect()
+			return
+		}
+	}
+}
+
 // pingMonitor sends pings at a short interval and triggers reconnect on failure
 func (c *Client) pingMonitor() {
 	ticker := time.NewTicker(c.pingInterval)
@@ -502,29 +722,65 @@ func (c *Client) pingMonitor() {
 		select {
 		case <-c.done:
 			return
+		case <-c.pingDone:
+			return
 		case <-ticker.C:
-			if c.conn == nil {
-				return
-			}
-			c.writeMux.Lock()
-			err := c.conn.WriteControl(websocket.PingMessage, []byte{}, time.Now().Add(c.pingTimeout))
-			c.writeMux.Unlock()
-			if err != nil {
-				// Check if we're shutting down before logging error and reconnecting
-				select {
-				case <-c.done:
-					// Expected during shutdown
-					return
-				default:
-					logger.Error("Ping failed: %v", err)
-					c.reconnect()
-					return
-				}
-			}
+			c.sendPing()
 		}
 	}
 }
 
+// StartPingMonitor starts the ping monitor goroutine.
+// This should be called after the client is registered and connected.
+// It is safe to call multiple times - only the first call will start the monitor.
+func (c *Client) StartPingMonitor() {
+	c.pingStartedMux.Lock()
+	defer c.pingStartedMux.Unlock()
+	
+	if c.pingStarted {
+		return
+	}
+	c.pingStarted = true
+	
+	// Create a new pingDone channel for this ping monitor instance
+	c.pingDone = make(chan struct{})
+	
+	// Send an initial ping immediately
+	go func() {
+		c.sendPing()
+		c.pingMonitor()
+	}()
+}
+
+// stopPingMonitor stops the ping monitor goroutine if it's running.
+func (c *Client) stopPingMonitor() {
+	c.pingStartedMux.Lock()
+	defer c.pingStartedMux.Unlock()
+	
+	if !c.pingStarted {
+		return
+	}
+	
+	// Close the pingDone channel to stop the monitor
+	close(c.pingDone)
+	c.pingStarted = false
+}
+
+// GetConfigVersion returns the current config version
+func (c *Client) GetConfigVersion() int {
+	c.configVersionMux.RLock()
+	defer c.configVersionMux.RUnlock()
+	return c.configVersion
+}
+
+// setConfigVersion updates the config version if the new version is higher
+func (c *Client) setConfigVersion(version int) {
+	c.configVersionMux.Lock()
+	defer c.configVersionMux.Unlock()
+	logger.Debug("websocket: setting config version to %d", version)
+	c.configVersion = version
+}
+
 // readPumpWithDisconnectDetection reads messages and triggers reconnect on error
 func (c *Client) readPumpWithDisconnectDetection() {
 	defer func() {
@@ -546,29 +802,73 @@ func (c *Client) readPumpWithDisconnectDetection() {
 		case <-c.done:
 			return
 		default:
-			var msg WSMessage
-			err := c.conn.ReadJSON(&msg)
+			messageType, p, err := c.conn.ReadMessage()
 			if err != nil {
-				// Check if we're shutting down before logging error
+				// Check if we're shutting down or explicitly disconnected before logging error
 				select {
 				case <-c.done:
 					// Expected during shutdown, don't log as error
-					logger.Debug("WebSocket connection closed during shutdown")
+					logger.Debug("websocket: connection closed during shutdown")
 					return
 				default:
+					// Check if explicitly disconnected
+					if c.isDisconnected {
+						logger.Debug("websocket:  connection closed: client was explicitly disconnected")
+						return
+					}
+
 					// Unexpected error during normal operation
 					if websocket.IsUnexpectedCloseError(err, websocket.CloseGoingAway, websocket.CloseAbnormalClosure, websocket.CloseNormalClosure) {
-						logger.Error("WebSocket read error: %v", err)
+						logger.Error("websocket: read error: %v", err)
 					} else {
-						logger.Debug("WebSocket connection closed: %v", err)
+						logger.Debug("websocket: connection closed: %v", err)
 					}
 					return // triggers reconnect via defer
 				}
 			}
 
+			// Decompress binary frames (gzip-compressed JSON)
+			var data []byte
+			if messageType == websocket.BinaryMessage {
+				gr, gzErr := gzip.NewReader(bytes.NewReader(p))
+				if gzErr != nil {
+					logger.Error("websocket: failed to create gzip reader: %v", gzErr)
+					continue
+				}
+				data, gzErr = io.ReadAll(gr)
+				gr.Close()
+				if gzErr != nil {
+					logger.Error("websocket: failed to decompress message: %v", gzErr)
+					continue
+				}
+			} else {
+				data = p
+			}
+
+			var msg WSMessage
+			if err = json.Unmarshal(data, &msg); err != nil {
+				logger.Error("websocket: failed to parse message: %v", err)
+				continue
+			}
+
+			// Update config version from incoming message
+			c.setConfigVersion(msg.ConfigVersion)
+
 			c.handlersMux.RLock()
 			if handler, ok := c.handlers[msg.Type]; ok {
+				// Mark that we're processing a message
+				c.processingMux.Lock()
+				c.processingMessage = true
+				c.processingMux.Unlock()
+				c.processingWg.Add(1)
+
 				handler(msg)
+
+				// Mark that we're done processing
+				c.processingWg.Done()
+				c.processingMux.Lock()
+				c.processingMessage = false
+				c.processingMux.Unlock()
 			}
 			c.handlersMux.RUnlock()
 		}
@@ -582,6 +882,12 @@ func (c *Client) reconnect() {
 		c.conn = nil
 	}
 
+	// Don't reconnect if explicitly disconnected
+	if c.isDisconnected {
+		logger.Debug("websocket: websocket: Not reconnecting: client was explicitly disconnected")
+		return
+	}
+
 	// Only reconnect if we're not shutting down
 	select {
 	case <-c.done:
@@ -599,7 +905,7 @@ func (c *Client) setConnected(status bool) {
 
 // LoadClientCertificate Helper method to load client certificates (PKCS12 format)
 func loadClientCertificate(p12Path string) (*tls.Config, error) {
-	logger.Info("Loading tls-client-cert %s", p12Path)
+	logger.Info("websocket: Loading tls-client-cert %s", p12Path)
 	// Read the PKCS12 file
 	p12Data, err := os.ReadFile(p12Path)
 	if err != nil {