Allow for updating destinations

fix - dependabot

.dockerignore

@@ -6,4 +6,5 @@ README.md
 Makefile
 public/
 LICENSE
-CONTRIBUTING.md
+CONTRIBUTING.md
+.git

.github/dependabot.yml

@@ -0,0 +1,35 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    groups:
+      dev-patch-updates:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+      dev-minor-updates:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+      prod-patch-updates:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+      prod-minor-updates:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    groups:
+      patch-updates:
+        update-types:
+          - "patch"
+      minor-updates:
+        update-types:
+          - "minor"

.github/workflows/cicd.yml

@@ -0,0 +1,52 @@
+name: CI/CD Pipeline
+
+on:
+    push:
+        tags:
+            - "*"
+
+jobs:
+    release:
+        name: Build and Release
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v3
+
+            - name: Set up QEMU
+              uses: docker/setup-qemu-action@v3
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v2
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@v2
+              with:
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+
+            - name: Install Go
+              uses: actions/setup-go@v4
+              with:
+                  go-version: 1.23.1
+
+            - name: Build and push Docker images
+              run: |
+                  TAG=${{ env.TAG }}
+                  make docker-build-release tag=$TAG
+
+            - name: Build binaries
+              run: |
+                  make go-build-release
+
+            - name: Upload artifacts from /bin
+              uses: actions/upload-artifact@v4
+              with:
+                  name: binaries
+                  path: bin/
+

.github/workflows/test.yml

@@ -0,0 +1,28 @@
+name: Run Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+      - dev
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.23'
+
+      - name: Build go
+        run: go build
+
+      - name: Build Docker image
+        run: make build
+
+      - name: Build binaries
+        run: make go-build-release

.gitignore

@@ -1 +1,3 @@
-gerbil
+gerbil
+.DS_Store
+bin/

CONTRIBUTING.md

@@ -1,6 +1,12 @@
 ## Contributing
 
-Contributions are welcome! Please see the following page in our documentation with future plans and feature ideas if you are looking for a place to start.
+Contributions are welcome! 
+
+Please see the contribution and local development guide on the docs page before getting started:
+
+https://docs.fossorial.io/development
+
+For ideas about what features to work on and our future plans, please see the roadmap:
 
 https://docs.fossorial.io/roadmap
 
@@ -15,4 +21,4 @@ By creating this pull request, I grant the project maintainers an unlimited,
 perpetual license to use, modify, and redistribute these contributions under any terms they
 choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
 represent that I have the right to grant this license for all contributed content.
-```
+```

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23.1-alpine AS builder
+FROM golang:1.24.3-alpine AS builder
 
 # Set the working directory inside the container
 WORKDIR /app
@@ -16,7 +16,9 @@ COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -o /gerbil
 
 # Start a new stage from scratch
-FROM ubuntu:22.04 AS runner
+FROM ubuntu:24.04 AS runner
+
+RUN apt-get update && apt-get install -y iptables iproute2 && rm -rf /var/lib/apt/lists/*
 
 # Copy the pre-built binary file from the previous stage and the entrypoint script
 COPY --from=builder /gerbil /usr/local/bin/

Makefile

@@ -1,6 +1,14 @@
 
 all: build push
 
+docker-build-release:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make docker-build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	docker buildx build --platform linux/arm64,linux/amd64 -t fosrl/gerbil:latest -f Dockerfile --push .
+	docker buildx build --platform linux/arm64,linux/amd64 -t fosrl/gerbil:$(tag) -f Dockerfile --push .
+
 build:
 	docker build -t fosrl/gerbil:latest .
 
@@ -13,5 +21,9 @@ test:
 local: 
 	 CGO_ENABLED=0 GOOS=linux go build -o gerbil
 
+go-build-release:
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/gerbil_linux_arm64
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/gerbil_linux_amd64
+
 clean:
-	rm gerbil
+	rm gerbil

README.md

@@ -4,22 +4,15 @@ Gerbil is a simple [WireGuard](https://www.wireguard.com/) interface management
 
 ### Installation and Documentation
 
-Gerbil can be used stand alone with your own API, a static JSON file, or with Pangolin and Newt as part of the larger system. See documentation below:
+Gerbil works with Pangolin, Newt, and Olm as part of the larger system. See documentation below:
 
--   [Installation Instructions](https://docs.fossorial.io)
 -   [Full Documentation](https://docs.fossorial.io)
 
-## Preview
-
-<img src="public/screenshots/preview.png" alt="Preview"/>
-
-_Sample output of a Gerbil container connected to Pangolin and terminating various peers._
-
 ## Key Functions
 
 ### Setup WireGuard
 
-A WireGuard interface will be created and configured on the local Linux machine or in the Docker container according to the values given in either a JSON config file or via the remote server. If the interface already exists it will be reconfigured.
+A WireGuard interface will be created and configured on the local Linux machine or in the Docker container according to the values given in either a JSON config file or via the remote server. If the interface already exists, it will be reconfigured.
 
 ### Manage Peers
 
@@ -27,7 +20,11 @@ Gerbil will create the peers defined in the config on the WireGuard interface. T
 
 ### Report Bandwidth
 
-Bytes transmitted in and out of each peer is collected every 10 seconds and incremental usage is reported via the "reportBandwidthTo" endpoint. This can be used to track data usage of each peer on the remote server.
+Bytes transmitted in and out of each peer are collected every 10 seconds, and incremental usage is reported via the "reportBandwidthTo" endpoint. This can be used to track data usage of each peer on the remote server.
+
+### Handle client relaying
+
+Gerbil listens on port 21820 for incoming UDP hole punch packets to orchestrate NAT hole punching between olm and newt clients. Additionally, it handles relaying data through the gerbil server down to the newt. This is accomplished by scanning each packet for headers and handling them appropriately.   
 
 ## CLI Args
 
@@ -38,10 +35,26 @@ Bytes transmitted in and out of each peer is collected every 10 seconds and incr
 
 Note: You must use either `config` or `remoteConfig` to configure WireGuard.
 
-- `reportBandwidthTo` (optional): Remote HTTP endpoint to send peer bandwidth data
+- `reportBandwidthTo` (optional): **DEPRECATED** - Use `remoteConfig` instead. Remote HTTP endpoint to send peer bandwidth data
 - `interface` (optional): Name of the WireGuard interface created by Gerbil. Default: `wg0`
-- `listen` (optional): Port to listen on for HTTP server. Default: `3003`
-- `log-level` (optional): The log level to use. Default: INFO
+- `listen` (optional): Port to listen on for HTTP server. Default: `:3003`
+- `log-level` (optional): The log level to use (DEBUG, INFO, WARN, ERROR, FATAL). Default: `INFO`
+- `mtu` (optional): MTU of the WireGuard interface. Default: `1280`
+- `notify` (optional): URL to notify on peer changes
+
+## Environment Variables
+
+All CLI arguments can also be provided via environment variables:
+
+- `INTERFACE`: Name of the WireGuard interface
+- `CONFIG`: Path to local configuration file
+- `REMOTE_CONFIG`: URL of the remote config server
+- `LISTEN`: Address to listen on for HTTP server
+- `GENERATE_AND_SAVE_KEY_TO`: Path to save generated private key
+- `REACHABLE_AT`: Endpoint of the HTTP server to tell remote config about
+- `LOG_LEVEL`: Log level (DEBUG, INFO, WARN, ERROR, FATAL)
+- `MTU`: MTU of the WireGuard interface
+- `NOTIFY_URL`: URL to notify on peer changes
 
 Example:
 
@@ -71,6 +84,7 @@ services:
       - SYS_MODULE
     ports:
       - 51820:51820/udp
+      - 21820:21820/udp
 ```
 
 ## Build
@@ -97,4 +111,4 @@ Gerbil is dual licensed under the AGPLv3 and the Fossorial Commercial license. F
 
 ## Contributions
 
-Please see [CONTRIBUTIONS](./CONTRIBUTING.md) in the repository for guidelines and best practices.
+Please see [CONTRIBUTIONS](./CONTRIBUTING.md) in the repository for guidelines and best practices.

SECURITY.md

@@ -0,0 +1,14 @@
+# Security Policy
+
+If you discover a security vulnerability, please follow the steps below to responsibly disclose it to us:
+
+1. **Do not create a public GitHub issue or discussion post.** This could put the security of other users at risk.
+2. Send a detailed report to [security@fossorial.io](mailto:security@fossorial.io) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
+
+- Description and location of the vulnerability.
+- Potential impact of the vulnerability.
+- Steps to reproduce the vulnerability.
+- Potential solutions to fix the vulnerability.
+- Your name/handle and a link for recognition (optional).
+
+We aim to address the issue as soon as possible.

entrypoint.sh

@@ -1,7 +1,5 @@
 #!/bin/sh
 
-# Sample from https://github.com/traefik/traefik-library-image/blob/5070edb25b03cca6802d75d5037576c840f73fdd/v3.1/alpine/entrypoint.sh
-
 set -e
 
 # first arg is `-f` or `--some-option`
@@ -9,13 +7,4 @@ if [ "${1#-}" != "$1" ]; then
     set -- gerbil "$@"
 fi
 
-# if our command is a valid Gerbil subcommand, let's invoke it through Gerbil instead
-# (this allows for "docker run gerbil version", etc)
-if gerbil "$1" --help >/dev/null 2>&1
-then
-    set -- gerbil "$@"
-else
-    echo "= '$1' is not a Gerbil command: assuming shell execution." 1>&2
-fi
-
 exec "$@"

go.mod

@@ -3,8 +3,9 @@ module github.com/fosrl/gerbil
 go 1.23.1
 
 toolchain go1.23.2
+
 require (
-	github.com/vishvananda/netlink v1.3.0
+	github.com/vishvananda/netlink v1.3.1
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 )
 
@@ -14,10 +15,10 @@ require (
 	github.com/mdlayher/genetlink v1.3.2 // indirect
 	github.com/mdlayher/netlink v1.7.2 // indirect
 	github.com/mdlayher/socket v0.4.1 // indirect
-	github.com/vishvananda/netns v0.0.4 // indirect
-	golang.org/x/crypto v0.8.0 // indirect
-	golang.org/x/net v0.9.0 // indirect
+	github.com/vishvananda/netns v0.0.5 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
 	golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b // indirect
 )

go.sum

@@ -8,21 +8,22 @@ github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
 github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
 github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
-github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQdrZk=
-github.com/vishvananda/netlink v1.3.0/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=
-github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
-github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ=
-golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
-golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
-golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
+github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
+github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc=
+github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
+github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
+github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
+github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b h1:J1CaxgLerRR5lgx3wnr6L04cJFbWoceSK9JWBdglINo=
 golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b/go.mod h1:tqur9LnfstdR9ep2LaJT4lFUl0EjlHtge+gAjmsHUG4=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=

main.go

@@ -9,21 +9,30 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"os/exec"
+	"os/signal"
+	"strconv"
 	"strings"
 	"sync"
+	"syscall"
 	"time"
 
 	"github.com/fosrl/gerbil/logger"
+	"github.com/fosrl/gerbil/relay"
 	"github.com/vishvananda/netlink"
 	"golang.zx2c4.com/wireguard/wgctrl"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
 var (
-	interfaceName = "wg0"
-	listenAddr    = ":3003"
+	interfaceName string
+	listenAddr    string
+	mtuInt        int
 	lastReadings  = make(map[string]PeerReading)
 	mu            sync.Mutex
+	wgMu          sync.Mutex // Protects WireGuard operations
+	notifyURL     string
+	proxyServer   *relay.UDPProxyServer
 )
 
 type WgConfig struct {
@@ -54,6 +63,31 @@ var (
 	wgClient *wgctrl.Client
 )
 
+// Add this new type at the top with other type definitions
+type ClientEndpoint struct {
+	OlmID     string `json:"olmId"`
+	NewtID    string `json:"newtId"`
+	IP        string `json:"ip"`
+	Port      int    `json:"port"`
+	Timestamp int64  `json:"timestamp"`
+}
+
+type HolePunchMessage struct {
+	OlmID  string `json:"olmId"`
+	NewtID string `json:"newtId"`
+}
+
+type ProxyMappingUpdate struct {
+	OldDestination relay.PeerDestination `json:"oldDestination"`
+	NewDestination relay.PeerDestination `json:"newDestination"`
+}
+
+type UpdateDestinationsRequest struct {
+	SourceIP     string                  `json:"sourceIp"`
+	SourcePort   int                     `json:"sourcePort"`
+	Destinations []relay.PeerDestination `json:"destinations"`
+}
+
 func parseLogLevel(level string) logger.LogLevel {
 	switch strings.ToUpper(level) {
 	case "DEBUG":
@@ -72,52 +106,99 @@ func parseLogLevel(level string) logger.LogLevel {
 }
 
 func main() {
-	var err error
-	var wgconfig WgConfig
+	var (
+		err                  error
+		wgconfig             WgConfig
+		configFile           string
+		remoteConfigURL      string
+		generateAndSaveKeyTo string
+		reachableAt          string
+		logLevel             string
+		mtu                  string
+	)
 
-	// Define command line flags
-	interfaceNameArg := flag.String("interface", "wg0", "Name of the WireGuard interface")
-	configFile := flag.String("config", "", "Path to local configuration file")
-	remoteConfigURL := flag.String("remoteConfig", "", "URL to fetch remote configuration")
-	listenAddrArg := flag.String("listen", ":3003", "Address to listen on")
-	reportBandwidthTo := flag.String("reportBandwidthTo", "", "Address to listen on")
-	generateAndSaveKeyTo := flag.String("generateAndSaveKeyTo", "", "Path to save generated private key")
-	reachableAt := flag.String("reachableAt", "", "Endpoint of the http server to tell remote config about")
-	logLevel := flag.String("log-level", "INFO", "Log level (DEBUG, INFO, WARN, ERROR, FATAL)")
+	interfaceName = os.Getenv("INTERFACE")
+	configFile = os.Getenv("CONFIG")
+	remoteConfigURL = os.Getenv("REMOTE_CONFIG")
+	listenAddr = os.Getenv("LISTEN")
+	generateAndSaveKeyTo = os.Getenv("GENERATE_AND_SAVE_KEY_TO")
+	reachableAt = os.Getenv("REACHABLE_AT")
+	logLevel = os.Getenv("LOG_LEVEL")
+	mtu = os.Getenv("MTU")
+	notifyURL = os.Getenv("NOTIFY_URL")
 
+	if interfaceName == "" {
+		flag.StringVar(&interfaceName, "interface", "wg0", "Name of the WireGuard interface")
+	}
+	if configFile == "" {
+		flag.StringVar(&configFile, "config", "", "Path to local configuration file")
+	}
+	if remoteConfigURL == "" {
+		flag.StringVar(&remoteConfigURL, "remoteConfig", "", "URL of the Pangolin server")
+	}
+	if listenAddr == "" {
+		flag.StringVar(&listenAddr, "listen", ":3003", "Address to listen on")
+	}
+	// DEPRECATED AND UNSED: reportBandwidthTo
+	// allow reportBandwidthTo to be passed but dont do anything with it just thow it away
+	reportBandwidthTo := ""
+	flag.StringVar(&reportBandwidthTo, "reportBandwidthTo", "", "DEPRECATED: Use remoteConfig instead")
+
+	if generateAndSaveKeyTo == "" {
+		flag.StringVar(&generateAndSaveKeyTo, "generateAndSaveKeyTo", "", "Path to save generated private key")
+	}
+	if reachableAt == "" {
+		flag.StringVar(&reachableAt, "reachableAt", "", "Endpoint of the http server to tell remote config about")
+	}
+	if logLevel == "" {
+		flag.StringVar(&logLevel, "log-level", "INFO", "Log level (DEBUG, INFO, WARN, ERROR, FATAL)")
+	}
+	if mtu == "" {
+		flag.StringVar(&mtu, "mtu", "1280", "MTU of the WireGuard interface")
+	}
+	if notifyURL == "" {
+		flag.StringVar(&notifyURL, "notify", "", "URL to notify on peer changes")
+	}
 	flag.Parse()
 
 	logger.Init()
-	logger.GetLogger().SetLevel(parseLogLevel(*logLevel))
+	logger.GetLogger().SetLevel(parseLogLevel(logLevel))
 
-	if *interfaceNameArg != "" {
-		interfaceName = *interfaceNameArg
-	}
-	if *listenAddrArg != "" {
-		listenAddr = *listenAddrArg
+	mtuInt, err = strconv.Atoi(mtu)
+	if err != nil {
+		logger.Fatal("Failed to parse MTU: %v", err)
 	}
 
-	// Validate that only one config option is provided
-	if (*configFile != "" && *remoteConfigURL != "") || (*configFile == "" && *remoteConfigURL == "") {
-		logger.Fatal("Please provide either --config or --remoteConfig, but not both")
+	// are they missing either the config file or the remote config URL?
+	if configFile == "" && remoteConfigURL == "" {
+		logger.Fatal("You must provide either a config file or a remote config URL")
 	}
 
+	// do they have both the config file and the remote config URL?
+	if configFile != "" && remoteConfigURL != "" {
+		logger.Fatal("You must provide either a config file or a remote config URL, not both")
+	}
+
+	// clean up the reomte config URL for backwards compatibility
+	remoteConfigURL = strings.TrimSuffix(remoteConfigURL, "/gerbil/get-config")
+	remoteConfigURL = strings.TrimSuffix(remoteConfigURL, "/")
+
 	var key wgtypes.Key
 	// if generateAndSaveKeyTo is provided, generate a private key and save it to the file. if the file already exists, load the key from the file
-	if *generateAndSaveKeyTo != "" {
-		if _, err := os.Stat(*generateAndSaveKeyTo); os.IsNotExist(err) {
+	if generateAndSaveKeyTo != "" {
+		if _, err := os.Stat(generateAndSaveKeyTo); os.IsNotExist(err) {
 			// generate a new private key
 			key, err = wgtypes.GeneratePrivateKey()
 			if err != nil {
 				logger.Fatal("Failed to generate private key: %v", err)
 			}
 			// save the key to the file
-			err = os.WriteFile(*generateAndSaveKeyTo, []byte(key.String()), 0644)
+			err = os.WriteFile(generateAndSaveKeyTo, []byte(key.String()), 0644)
 			if err != nil {
 				logger.Fatal("Failed to save private key: %v", err)
 			}
 		} else {
-			keyData, err := os.ReadFile(*generateAndSaveKeyTo)
+			keyData, err := os.ReadFile(generateAndSaveKeyTo)
 			if err != nil {
 				logger.Fatal("Failed to read private key: %v", err)
 			}
@@ -138,8 +219,8 @@ func main() {
 	}
 
 	// Load configuration based on provided argument
-	if *configFile != "" {
-		wgconfig, err = loadConfig(*configFile)
+	if configFile != "" {
+		wgconfig, err = loadConfig(configFile)
 		if err != nil {
 			logger.Fatal("Failed to load configuration: %v", err)
 		}
@@ -147,11 +228,17 @@ func main() {
 			wgconfig.PrivateKey = key.String()
 		}
 	} else {
-		wgconfig, err = loadRemoteConfig(*remoteConfigURL, key, *reachableAt)
-		if err != nil {
-			logger.Fatal("Failed to load configuration: %v", err)
+		// loop until we get the config
+		for wgconfig.PrivateKey == "" {
+			logger.Info("Fetching remote config from %s", remoteConfigURL+"/gerbil/get-config")
+			wgconfig, err = loadRemoteConfig(remoteConfigURL+"/gerbil/get-config", key, reachableAt)
+			if err != nil {
+				logger.Error("Failed to load configuration: %v", err)
+				time.Sleep(5 * time.Second)
+				continue
+			}
+			wgconfig.PrivateKey = key.String()
 		}
-		wgconfig.PrivateKey = key.String()
 	}
 
 	wgClient, err = wgctrl.New()
@@ -168,13 +255,34 @@ func main() {
 	// Ensure the WireGuard peers exist
 	ensureWireguardPeers(wgconfig.Peers)
 
-	if *reportBandwidthTo != "" {
-		go periodicBandwidthCheck(*reportBandwidthTo)
-	}
+	go periodicBandwidthCheck(remoteConfigURL + "/gerbil/receive-bandwidth")
 
+	// Start the UDP proxy server
+	proxyServer = relay.NewUDPProxyServer(":21820", remoteConfigURL, key, reachableAt)
+	err = proxyServer.Start()
+	if err != nil {
+		logger.Fatal("Failed to start UDP proxy server: %v", err)
+	}
+	defer proxyServer.Stop()
+
+	// Set up HTTP server
 	http.HandleFunc("/peer", handlePeer)
-	logger.Info("Starting server on %s", listenAddr)
-	logger.Fatal("Failed to start server: %v", http.ListenAndServe(listenAddr, nil))
+	http.HandleFunc("/update-proxy-mapping", handleUpdateProxyMapping)
+	http.HandleFunc("/update-destinations", handleUpdateDestinations)
+	logger.Info("Starting HTTP server on %s", listenAddr)
+
+	// Run HTTP server in a goroutine
+	go func() {
+		if err := http.ListenAndServe(listenAddr, nil); err != nil {
+			logger.Error("HTTP server failed: %v", err)
+		}
+	}()
+
+	// Keep the main goroutine running
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
+	<-sigCh
+	logger.Info("Shutting down servers...")
 }
 
 func loadRemoteConfig(url string, key wgtypes.Key, reachableAt string) (WgConfig, error) {
@@ -288,10 +396,19 @@ func ensureWireguardInterface(wgconfig WgConfig) error {
 	if err != nil {
 		return fmt.Errorf("failed to get interface: %v", err)
 	}
+
+	if err := netlink.LinkSetMTU(link, mtuInt); err != nil {
+		return fmt.Errorf("failed to set MTU: %v", err)
+	}
+
 	if err := netlink.LinkSetUp(link); err != nil {
 		return fmt.Errorf("failed to bring up interface: %v", err)
 	}
 
+	if err := ensureMSSClamping(); err != nil {
+		logger.Warn("Failed to ensure MSS clamping: %v", err)
+	}
+
 	logger.Info("WireGuard interface %s created and configured", interfaceName)
 
 	return nil
@@ -320,6 +437,9 @@ func assignIPAddress(ipAddress string) error {
 }
 
 func ensureWireguardPeers(peers []Peer) error {
+	wgMu.Lock()
+	defer wgMu.Unlock()
+
 	// get the current peers
 	device, err := wgClient.Device(interfaceName)
 	if err != nil {
@@ -342,8 +462,8 @@ func ensureWireguardPeers(peers []Peer) error {
 			}
 		}
 		if !found {
-			err := removePeer(peer)
-			if err != nil {
+			// Note: We need to call the internal removal logic without re-acquiring the lock
+			if err := removePeerInternal(peer); err != nil {
 				return fmt.Errorf("failed to remove peer: %v", err)
 			}
 		}
@@ -359,8 +479,8 @@ func ensureWireguardPeers(peers []Peer) error {
 			}
 		}
 		if !found {
-			err := addPeer(configPeer)
-			if err != nil {
+			// Note: We need to call the internal addition logic without re-acquiring the lock
+			if err := addPeerInternal(configPeer); err != nil {
 				return fmt.Errorf("failed to add peer: %v", err)
 			}
 		}
@@ -369,6 +489,94 @@ func ensureWireguardPeers(peers []Peer) error {
 	return nil
 }
 
+func ensureMSSClamping() error {
+	// Calculate MSS value (MTU - 40 for IPv4 header (20) and TCP header (20))
+	mssValue := mtuInt - 40
+
+	// Rules to be managed - just the chains, we'll construct the full command separately
+	chains := []string{"INPUT", "OUTPUT", "FORWARD"}
+
+	// First, try to delete any existing rules
+	for _, chain := range chains {
+		deleteCmd := exec.Command("/usr/sbin/iptables",
+			"-t", "mangle",
+			"-D", chain,
+			"-p", "tcp",
+			"--tcp-flags", "SYN,RST", "SYN",
+			"-j", "TCPMSS",
+			"--set-mss", fmt.Sprintf("%d", mssValue))
+
+		logger.Info("Attempting to delete existing MSS clamping rule for chain %s", chain)
+
+		// Try deletion multiple times to handle multiple existing rules
+		for i := 0; i < 3; i++ {
+			out, err := deleteCmd.CombinedOutput()
+			if err != nil {
+				// Convert exit status 1 to string for better logging
+				if exitErr, ok := err.(*exec.ExitError); ok {
+					logger.Debug("Deletion stopped for chain %s: %v (output: %s)",
+						chain, exitErr.String(), string(out))
+				}
+				break // No more rules to delete
+			}
+			logger.Info("Deleted MSS clamping rule for chain %s (attempt %d)", chain, i+1)
+		}
+	}
+
+	// Then add the new rules
+	var errors []error
+	for _, chain := range chains {
+		addCmd := exec.Command("/usr/sbin/iptables",
+			"-t", "mangle",
+			"-A", chain,
+			"-p", "tcp",
+			"--tcp-flags", "SYN,RST", "SYN",
+			"-j", "TCPMSS",
+			"--set-mss", fmt.Sprintf("%d", mssValue))
+
+		logger.Info("Adding MSS clamping rule for chain %s", chain)
+
+		if out, err := addCmd.CombinedOutput(); err != nil {
+			errMsg := fmt.Sprintf("Failed to add MSS clamping rule for chain %s: %v (output: %s)",
+				chain, err, string(out))
+			logger.Error(errMsg)
+			errors = append(errors, fmt.Errorf("%s", errMsg))
+			continue
+		}
+
+		// Verify the rule was added
+		checkCmd := exec.Command("/usr/sbin/iptables",
+			"-t", "mangle",
+			"-C", chain,
+			"-p", "tcp",
+			"--tcp-flags", "SYN,RST", "SYN",
+			"-j", "TCPMSS",
+			"--set-mss", fmt.Sprintf("%d", mssValue))
+
+		if out, err := checkCmd.CombinedOutput(); err != nil {
+			errMsg := fmt.Sprintf("Rule verification failed for chain %s: %v (output: %s)",
+				chain, err, string(out))
+			logger.Error(errMsg)
+			errors = append(errors, fmt.Errorf("%s", errMsg))
+			continue
+		}
+
+		logger.Info("Successfully added and verified MSS clamping rule for chain %s", chain)
+	}
+
+	// If we encountered any errors, return them combined
+	if len(errors) > 0 {
+		var errMsgs []string
+		for _, err := range errors {
+			errMsgs = append(errMsgs, err.Error())
+		}
+		return fmt.Errorf("MSS clamping setup encountered errors:\n%s",
+			strings.Join(errMsgs, "\n"))
+	}
+
+	return nil
+}
+
 func handlePeer(w http.ResponseWriter, r *http.Request) {
 	switch r.Method {
 	case http.MethodPost:
@@ -393,11 +601,20 @@ func handleAddPeer(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Notify if notifyURL is set
+	go notifyPeerChange("add", peer.PublicKey)
+
 	w.WriteHeader(http.StatusCreated)
 	json.NewEncoder(w).Encode(map[string]string{"status": "Peer added successfully"})
 }
 
 func addPeer(peer Peer) error {
+	wgMu.Lock()
+	defer wgMu.Unlock()
+	return addPeerInternal(peer)
+}
+
+func addPeerInternal(peer Peer) error {
 	pubKey, err := wgtypes.ParseKey(peer.PublicKey)
 	if err != nil {
 		return fmt.Errorf("failed to parse public key: %v", err)
@@ -405,12 +622,15 @@ func addPeer(peer Peer) error {
 
 	// parse allowed IPs into array of net.IPNet
 	var allowedIPs []net.IPNet
+	var wgIPs []string
 	for _, ipStr := range peer.AllowedIPs {
 		_, ipNet, err := net.ParseCIDR(ipStr)
 		if err != nil {
 			return fmt.Errorf("failed to parse allowed IP: %v", err)
 		}
 		allowedIPs = append(allowedIPs, *ipNet)
+		// Extract the IP address from the CIDR for relay cleanup
+		wgIPs = append(wgIPs, ipNet.IP.String())
 	}
 
 	peerConfig := wgtypes.PeerConfig{
@@ -426,6 +646,13 @@ func addPeer(peer Peer) error {
 		return fmt.Errorf("failed to add peer: %v", err)
 	}
 
+	// Clear relay connections for the peer's WireGuard IPs
+	if proxyServer != nil {
+		for _, wgIP := range wgIPs {
+			proxyServer.OnPeerAdded(wgIP)
+		}
+	}
+
 	logger.Info("Peer %s added successfully", peer.PublicKey)
 
 	return nil
@@ -444,16 +671,42 @@ func handleRemovePeer(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Notify if notifyURL is set
+	go notifyPeerChange("remove", publicKey)
+
 	w.WriteHeader(http.StatusOK)
 	json.NewEncoder(w).Encode(map[string]string{"status": "Peer removed successfully"})
 }
 
 func removePeer(publicKey string) error {
+	wgMu.Lock()
+	defer wgMu.Unlock()
+	return removePeerInternal(publicKey)
+}
+
+func removePeerInternal(publicKey string) error {
 	pubKey, err := wgtypes.ParseKey(publicKey)
 	if err != nil {
 		return fmt.Errorf("failed to parse public key: %v", err)
 	}
 
+	// Get current peer info before removing to clear relay connections
+	var wgIPs []string
+	if proxyServer != nil {
+		device, err := wgClient.Device(interfaceName)
+		if err == nil {
+			for _, peer := range device.Peers {
+				if peer.PublicKey.String() == publicKey {
+					// Extract WireGuard IPs from this peer's allowed IPs
+					for _, allowedIP := range peer.AllowedIPs {
+						wgIPs = append(wgIPs, allowedIP.IP.String())
+					}
+					break
+				}
+			}
+		}
+	}
+
 	peerConfig := wgtypes.PeerConfig{
 		PublicKey: pubKey,
 		Remove:    true,
@@ -467,11 +720,137 @@ func removePeer(publicKey string) error {
 		return fmt.Errorf("failed to remove peer: %v", err)
 	}
 
+	// Clear relay connections for the peer's WireGuard IPs
+	if proxyServer != nil {
+		for _, wgIP := range wgIPs {
+			proxyServer.OnPeerRemoved(wgIP)
+		}
+	}
+
 	logger.Info("Peer %s removed successfully", publicKey)
 
 	return nil
 }
 
+func handleUpdateProxyMapping(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		logger.Error("Invalid method: %s", r.Method)
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var update ProxyMappingUpdate
+	if err := json.NewDecoder(r.Body).Decode(&update); err != nil {
+		logger.Error("Failed to decode request body: %v", err)
+		http.Error(w, fmt.Sprintf("Failed to decode request body: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	// Validate the update request
+	if update.OldDestination.DestinationIP == "" || update.NewDestination.DestinationIP == "" {
+		logger.Error("Both old and new destination IP addresses are required")
+		http.Error(w, "Both old and new destination IP addresses are required", http.StatusBadRequest)
+		return
+	}
+
+	if update.OldDestination.DestinationPort <= 0 || update.NewDestination.DestinationPort <= 0 {
+		logger.Error("Both old and new destination ports must be positive integers")
+		http.Error(w, "Both old and new destination ports must be positive integers", http.StatusBadRequest)
+		return
+	}
+
+	// Update the proxy mappings in the relay server
+	if proxyServer == nil {
+		logger.Error("Proxy server is not available")
+		http.Error(w, "Proxy server is not available", http.StatusInternalServerError)
+		return
+	}
+
+	updatedCount := proxyServer.UpdateDestinationInMappings(update.OldDestination, update.NewDestination)
+
+	logger.Info("Updated %d proxy mappings: %s:%d -> %s:%d",
+		updatedCount,
+		update.OldDestination.DestinationIP, update.OldDestination.DestinationPort,
+		update.NewDestination.DestinationIP, update.NewDestination.DestinationPort)
+
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"status":         "Proxy mappings updated successfully",
+		"updatedCount":   updatedCount,
+		"oldDestination": update.OldDestination,
+		"newDestination": update.NewDestination,
+	})
+}
+
+func handleUpdateDestinations(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		logger.Error("Invalid method: %s", r.Method)
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var request UpdateDestinationsRequest
+	if err := json.NewDecoder(r.Body).Decode(&request); err != nil {
+		logger.Error("Failed to decode request body: %v", err)
+		http.Error(w, fmt.Sprintf("Failed to decode request body: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	// Validate the request
+	if request.SourceIP == "" {
+		logger.Error("Source IP address is required")
+		http.Error(w, "Source IP address is required", http.StatusBadRequest)
+		return
+	}
+
+	if request.SourcePort <= 0 {
+		logger.Error("Source port must be a positive integer")
+		http.Error(w, "Source port must be a positive integer", http.StatusBadRequest)
+		return
+	}
+
+	if len(request.Destinations) == 0 {
+		logger.Error("At least one destination is required")
+		http.Error(w, "At least one destination is required", http.StatusBadRequest)
+		return
+	}
+
+	// Validate each destination
+	for i, dest := range request.Destinations {
+		if dest.DestinationIP == "" {
+			logger.Error("Destination IP is required for destination %d", i)
+			http.Error(w, fmt.Sprintf("Destination IP is required for destination %d", i), http.StatusBadRequest)
+			return
+		}
+		if dest.DestinationPort <= 0 {
+			logger.Error("Destination port must be a positive integer for destination %d", i)
+			http.Error(w, fmt.Sprintf("Destination port must be a positive integer for destination %d", i), http.StatusBadRequest)
+			return
+		}
+	}
+
+	// Update the proxy mappings in the relay server
+	if proxyServer == nil {
+		logger.Error("Proxy server is not available")
+		http.Error(w, "Proxy server is not available", http.StatusInternalServerError)
+		return
+	}
+
+	proxyServer.UpdateProxyMapping(request.SourceIP, request.SourcePort, request.Destinations)
+
+	logger.Info("Updated proxy mapping for %s:%d with %d destinations",
+		request.SourceIP, request.SourcePort, len(request.Destinations))
+
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"status":           "Destinations updated successfully",
+		"sourceIP":         request.SourceIP,
+		"sourcePort":       request.SourcePort,
+		"destinationCount": len(request.Destinations),
+		"destinations":     request.Destinations,
+	})
+}
+
 func periodicBandwidthCheck(endpoint string) {
 	ticker := time.NewTicker(10 * time.Second)
 	defer ticker.Stop()
@@ -484,7 +863,10 @@ func periodicBandwidthCheck(endpoint string) {
 }
 
 func calculatePeerBandwidth() ([]PeerBandwidth, error) {
+	wgMu.Lock()
 	device, err := wgClient.Device(interfaceName)
+	wgMu.Unlock()
+
 	if err != nil {
 		return nil, fmt.Errorf("failed to get device: %v", err)
 	}
@@ -591,3 +973,28 @@ func reportPeerBandwidth(apiURL string) error {
 
 	return nil
 }
+
+// notifyPeerChange sends a POST request to notifyURL with the action and public key.
+func notifyPeerChange(action, publicKey string) {
+	if notifyURL == "" {
+		return
+	}
+	payload := map[string]string{
+		"action":    action,
+		"publicKey": publicKey,
+	}
+	data, err := json.Marshal(payload)
+	if err != nil {
+		logger.Warn("Failed to marshal notify payload: %v", err)
+		return
+	}
+	resp, err := http.Post(notifyURL, "application/json", bytes.NewBuffer(data))
+	if err != nil {
+		logger.Warn("Failed to notify peer change: %v", err)
+		return
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		logger.Warn("Notify server returned non-OK: %s", resp.Status)
+	}
+}

relay/relay.go

@@ -0,0 +1,822 @@
+package relay
+
+import (
+	"bytes"
+	"encoding/binary"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/fosrl/gerbil/logger"
+	"golang.org/x/crypto/chacha20poly1305"
+	"golang.org/x/crypto/curve25519"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+type EncryptedHolePunchMessage struct {
+	EphemeralPublicKey string `json:"ephemeralPublicKey"`
+	Nonce              []byte `json:"nonce"`
+	Ciphertext         []byte `json:"ciphertext"`
+}
+
+type HolePunchMessage struct {
+	OlmID  string `json:"olmId"`
+	NewtID string `json:"newtId"`
+	Token  string `json:"token"`
+}
+
+type ClientEndpoint struct {
+	OlmID       string `json:"olmId"`
+	NewtID      string `json:"newtId"`
+	Token       string `json:"token"`
+	IP          string `json:"ip"`
+	Port        int    `json:"port"`
+	Timestamp   int64  `json:"timestamp"`
+	ReachableAt string `json:"reachableAt"`
+}
+
+// Updated to support multiple destination peers
+type ProxyMapping struct {
+	Destinations []PeerDestination `json:"destinations"`
+	LastUsed     time.Time         `json:"-"` // Not serialized, used for cleanup
+}
+
+type PeerDestination struct {
+	DestinationIP   string `json:"destinationIP"`
+	DestinationPort int    `json:"destinationPort"`
+}
+
+type DestinationConn struct {
+	conn     *net.UDPConn
+	lastUsed time.Time
+}
+
+// Type for storing WireGuard handshake information
+type WireGuardSession struct {
+	ReceiverIndex uint32
+	SenderIndex   uint32
+	DestAddr      *net.UDPAddr
+	LastSeen      time.Time
+}
+
+type InitialMappings struct {
+	Mappings map[string]ProxyMapping `json:"mappings"` // key is "ip:port"
+}
+
+// Packet is a simple struct to hold the packet data and sender info.
+type Packet struct {
+	data       []byte
+	remoteAddr *net.UDPAddr
+	n          int
+}
+
+// WireGuard message types
+const (
+	WireGuardMessageTypeHandshakeInitiation = 1
+	WireGuardMessageTypeHandshakeResponse   = 2
+	WireGuardMessageTypeCookieReply         = 3
+	WireGuardMessageTypeTransportData       = 4
+)
+
+// --- End Types ---
+
+// bufferPool allows reusing buffers to reduce allocations.
+var bufferPool = sync.Pool{
+	New: func() interface{} {
+		return make([]byte, 1500)
+	},
+}
+
+// UDPProxyServer has a channel for incoming packets.
+type UDPProxyServer struct {
+	addr          string
+	serverURL     string
+	conn          *net.UDPConn
+	proxyMappings sync.Map // map[string]ProxyMapping where key is "ip:port"
+	connections   sync.Map // map[string]*DestinationConn where key is destination "ip:port"
+	privateKey    wgtypes.Key
+	packetChan    chan Packet
+
+	// Session tracking for WireGuard peers
+	// Key format: "senderIndex:receiverIndex"
+	wgSessions sync.Map
+	// ReachableAt is the URL where this server can be reached
+	ReachableAt string
+}
+
+// NewUDPProxyServer initializes the server with a buffered packet channel.
+func NewUDPProxyServer(addr, serverURL string, privateKey wgtypes.Key, reachableAt string) *UDPProxyServer {
+	return &UDPProxyServer{
+		addr:        addr,
+		serverURL:   serverURL,
+		privateKey:  privateKey,
+		packetChan:  make(chan Packet, 1000),
+		ReachableAt: reachableAt,
+	}
+}
+
+// Start sets up the UDP listener, worker pool, and begins reading packets.
+func (s *UDPProxyServer) Start() error {
+	// Fetch initial mappings.
+	if err := s.fetchInitialMappings(); err != nil {
+		return fmt.Errorf("failed to fetch initial mappings: %v", err)
+	}
+
+	udpAddr, err := net.ResolveUDPAddr("udp", s.addr)
+	if err != nil {
+		return err
+	}
+	conn, err := net.ListenUDP("udp", udpAddr)
+	if err != nil {
+		return err
+	}
+	s.conn = conn
+	logger.Info("UDP server listening on %s", s.addr)
+
+	// Start a fixed number of worker goroutines.
+	workerCount := 10 // TODO: Make this configurable or pick it better!
+	for i := 0; i < workerCount; i++ {
+		go s.packetWorker()
+	}
+
+	// Start the goroutine that reads packets from the UDP socket.
+	go s.readPackets()
+
+	// Start the idle connection cleanup routine.
+	go s.cleanupIdleConnections()
+
+	// Start the session cleanup routine
+	go s.cleanupIdleSessions()
+
+	// Start the proxy mapping cleanup routine
+	go s.cleanupIdleProxyMappings()
+
+	return nil
+}
+
+func (s *UDPProxyServer) Stop() {
+	s.conn.Close()
+}
+
+// readPackets continuously reads from the UDP socket and pushes packets into the channel.
+func (s *UDPProxyServer) readPackets() {
+	for {
+		buf := bufferPool.Get().([]byte)
+		n, remoteAddr, err := s.conn.ReadFromUDP(buf)
+		if err != nil {
+			logger.Error("Error reading UDP packet: %v", err)
+			continue
+		}
+		s.packetChan <- Packet{data: buf[:n], remoteAddr: remoteAddr, n: n}
+	}
+}
+
+// packetWorker processes incoming packets from the channel.
+func (s *UDPProxyServer) packetWorker() {
+	for packet := range s.packetChan {
+		// Determine packet type by inspecting the first byte.
+		if packet.n > 0 && packet.data[0] >= 1 && packet.data[0] <= 4 {
+			// Process as a WireGuard packet.
+			s.handleWireGuardPacket(packet.data, packet.remoteAddr)
+		} else {
+			// Process as an encrypted hole punch message
+			var encMsg EncryptedHolePunchMessage
+			if err := json.Unmarshal(packet.data, &encMsg); err != nil {
+				logger.Error("Error unmarshaling encrypted message: %v", err)
+				// Return the buffer to the pool for reuse and continue with next packet
+				bufferPool.Put(packet.data[:1500])
+				continue
+			}
+
+			if encMsg.EphemeralPublicKey == "" {
+				logger.Error("Received malformed message without ephemeral key")
+				// Return the buffer to the pool for reuse and continue with next packet
+				bufferPool.Put(packet.data[:1500])
+				continue
+			}
+
+			// This appears to be an encrypted message
+			decryptedData, err := s.decryptMessage(encMsg)
+			if err != nil {
+				logger.Error("Failed to decrypt message: %v", err)
+				// Return the buffer to the pool for reuse and continue with next packet
+				bufferPool.Put(packet.data[:1500])
+				continue
+			}
+
+			// Process the decrypted hole punch message
+			var msg HolePunchMessage
+			if err := json.Unmarshal(decryptedData, &msg); err != nil {
+				logger.Error("Error unmarshaling decrypted message: %v", err)
+				// Return the buffer to the pool for reuse and continue with next packet
+				bufferPool.Put(packet.data[:1500])
+				continue
+			}
+
+			endpoint := ClientEndpoint{
+				NewtID:      msg.NewtID,
+				OlmID:       msg.OlmID,
+				Token:       msg.Token,
+				IP:          packet.remoteAddr.IP.String(),
+				Port:        packet.remoteAddr.Port,
+				Timestamp:   time.Now().Unix(),
+				ReachableAt: s.ReachableAt,
+			}
+			logger.Debug("Created endpoint from packet remoteAddr %s: IP=%s, Port=%d", packet.remoteAddr.String(), endpoint.IP, endpoint.Port)
+			s.notifyServer(endpoint)
+		}
+		// Return the buffer to the pool for reuse.
+		bufferPool.Put(packet.data[:1500])
+	}
+}
+
+// decryptMessage decrypts the message using the server's private key
+func (s *UDPProxyServer) decryptMessage(encMsg EncryptedHolePunchMessage) ([]byte, error) {
+	// Parse the ephemeral public key
+	ephPubKey, err := wgtypes.ParseKey(encMsg.EphemeralPublicKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse ephemeral public key: %v", err)
+	}
+
+	// Use X25519 for key exchange instead of ScalarMult
+	sharedSecret, err := curve25519.X25519(s.privateKey[:], ephPubKey[:])
+	if err != nil {
+		return nil, fmt.Errorf("failed to perform X25519 key exchange: %v", err)
+	}
+
+	// Create the AEAD cipher using the shared secret
+	aead, err := chacha20poly1305.New(sharedSecret)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create AEAD cipher: %v", err)
+	}
+
+	// Verify nonce size
+	if len(encMsg.Nonce) != aead.NonceSize() {
+		return nil, fmt.Errorf("invalid nonce size")
+	}
+
+	// Decrypt the ciphertext
+	plaintext, err := aead.Open(nil, encMsg.Nonce, encMsg.Ciphertext, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decrypt message: %v", err)
+	}
+
+	return plaintext, nil
+}
+
+func (s *UDPProxyServer) fetchInitialMappings() error {
+	body := bytes.NewBuffer([]byte(fmt.Sprintf(`{"publicKey": "%s"}`, s.privateKey.PublicKey().String())))
+	resp, err := http.Post(s.serverURL+"/gerbil/get-all-relays", "application/json", body)
+	if err != nil {
+		return fmt.Errorf("failed to fetch mappings: %v", err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("server returned non-OK status: %d, body: %s",
+			resp.StatusCode, string(body))
+	}
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("failed to read response body: %v", err)
+	}
+	logger.Info("Received initial mappings: %s", string(data))
+	var initialMappings InitialMappings
+	if err := json.Unmarshal(data, &initialMappings); err != nil {
+		return fmt.Errorf("failed to unmarshal initial mappings: %v", err)
+	}
+	// Store mappings in our sync.Map.
+	for key, mapping := range initialMappings.Mappings {
+		// Initialize LastUsed timestamp for initial mappings
+		mapping.LastUsed = time.Now()
+		s.proxyMappings.Store(key, mapping)
+	}
+	logger.Info("Loaded %d initial proxy mappings", len(initialMappings.Mappings))
+	return nil
+}
+
+// Extract WireGuard message indices
+func extractWireGuardIndices(packet []byte) (uint32, uint32, bool) {
+	if len(packet) < 12 {
+		return 0, 0, false
+	}
+
+	messageType := packet[0]
+	if messageType == WireGuardMessageTypeHandshakeInitiation {
+		// Handshake initiation: extract sender index at offset 4
+		senderIndex := binary.LittleEndian.Uint32(packet[4:8])
+		return 0, senderIndex, true
+	} else if messageType == WireGuardMessageTypeHandshakeResponse {
+		// Handshake response: extract sender index at offset 4 and receiver index at offset 8
+		senderIndex := binary.LittleEndian.Uint32(packet[4:8])
+		receiverIndex := binary.LittleEndian.Uint32(packet[8:12])
+		return receiverIndex, senderIndex, true
+	} else if messageType == WireGuardMessageTypeTransportData {
+		// Transport data: extract receiver index at offset 4
+		receiverIndex := binary.LittleEndian.Uint32(packet[4:8])
+		return receiverIndex, 0, true
+	}
+
+	return 0, 0, false
+}
+
+// Updated to handle multi-peer WireGuard communication
+func (s *UDPProxyServer) handleWireGuardPacket(packet []byte, remoteAddr *net.UDPAddr) {
+	if len(packet) == 0 {
+		logger.Error("Received empty packet")
+		return
+	}
+
+	messageType := packet[0]
+	receiverIndex, senderIndex, ok := extractWireGuardIndices(packet)
+
+	if !ok {
+		logger.Error("Failed to extract WireGuard indices")
+		return
+	}
+
+	key := remoteAddr.String()
+	mappingObj, ok := s.proxyMappings.Load(key)
+	if !ok {
+		logger.Error("No proxy mapping found for %s", key)
+		return
+	}
+
+	proxyMapping := mappingObj.(ProxyMapping)
+	// Update the last used timestamp and store it back
+	proxyMapping.LastUsed = time.Now()
+	s.proxyMappings.Store(key, proxyMapping)
+
+	// Handle different WireGuard message types
+	switch messageType {
+	case WireGuardMessageTypeHandshakeInitiation:
+		// Initial handshake: forward to all peers
+		logger.Debug("Forwarding handshake initiation from %s (sender index: %d)", remoteAddr, senderIndex)
+
+		for _, dest := range proxyMapping.Destinations {
+			destAddr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", dest.DestinationIP, dest.DestinationPort))
+			if err != nil {
+				logger.Error("Failed to resolve destination address: %v", err)
+				continue
+			}
+
+			conn, err := s.getOrCreateConnection(destAddr, remoteAddr)
+			if err != nil {
+				logger.Error("Failed to get/create connection: %v", err)
+				continue
+			}
+
+			_, err = conn.Write(packet)
+			if err != nil {
+				logger.Error("Failed to forward handshake initiation: %v", err)
+			}
+		}
+
+	case WireGuardMessageTypeHandshakeResponse:
+		// Received handshake response: establish session mapping
+		logger.Debug("Received handshake response with receiver index %d and sender index %d from %s",
+			receiverIndex, senderIndex, remoteAddr)
+
+		// Create a session key for the peer that sent the initial handshake
+		sessionKey := fmt.Sprintf("%d:%d", receiverIndex, senderIndex)
+
+		// Store the session information
+		s.wgSessions.Store(sessionKey, &WireGuardSession{
+			ReceiverIndex: receiverIndex,
+			SenderIndex:   senderIndex,
+			DestAddr:      remoteAddr,
+			LastSeen:      time.Now(),
+		})
+
+		// Forward the response to the original sender
+		for _, dest := range proxyMapping.Destinations {
+			destAddr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", dest.DestinationIP, dest.DestinationPort))
+			if err != nil {
+				logger.Error("Failed to resolve destination address: %v", err)
+				continue
+			}
+
+			conn, err := s.getOrCreateConnection(destAddr, remoteAddr)
+			if err != nil {
+				logger.Error("Failed to get/create connection: %v", err)
+				continue
+			}
+
+			_, err = conn.Write(packet)
+			if err != nil {
+				logger.Error("Failed to forward handshake response: %v", err)
+			}
+		}
+
+	case WireGuardMessageTypeTransportData:
+		// Data packet: forward only to the established session peer
+		logger.Debug("Received transport data with receiver index %d from %s", receiverIndex, remoteAddr)
+
+		// Look up the session based on the receiver index
+		var destAddr *net.UDPAddr
+
+		// First check for existing sessions to see if we know where to send this packet
+		s.wgSessions.Range(func(k, v interface{}) bool {
+			session := v.(*WireGuardSession)
+			if session.SenderIndex == receiverIndex {
+				// Found matching session
+				destAddr = session.DestAddr
+
+				// Update last seen time
+				session.LastSeen = time.Now()
+				s.wgSessions.Store(k, session)
+				return false // stop iteration
+			}
+			return true // continue iteration
+		})
+
+		if destAddr != nil {
+			// We found a specific peer to forward to
+			conn, err := s.getOrCreateConnection(destAddr, remoteAddr)
+			if err != nil {
+				logger.Error("Failed to get/create connection: %v", err)
+				return
+			}
+
+			_, err = conn.Write(packet)
+			if err != nil {
+				logger.Debug("Failed to forward transport data: %v", err)
+			}
+		} else {
+			// No known session, fall back to forwarding to all peers
+			logger.Debug("No session found for receiver index %d, forwarding to all destinations", receiverIndex)
+			for _, dest := range proxyMapping.Destinations {
+				destAddr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", dest.DestinationIP, dest.DestinationPort))
+				if err != nil {
+					logger.Error("Failed to resolve destination address: %v", err)
+					continue
+				}
+
+				conn, err := s.getOrCreateConnection(destAddr, remoteAddr)
+				if err != nil {
+					logger.Error("Failed to get/create connection: %v", err)
+					continue
+				}
+
+				_, err = conn.Write(packet)
+				if err != nil {
+					logger.Debug("Failed to forward transport data: %v", err)
+				}
+			}
+		}
+
+	default:
+		// Other packet types (like cookie reply)
+		logger.Debug("Forwarding WireGuard packet type %d from %s", messageType, remoteAddr)
+
+		// Forward to all peers
+		for _, dest := range proxyMapping.Destinations {
+			destAddr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", dest.DestinationIP, dest.DestinationPort))
+			if err != nil {
+				logger.Error("Failed to resolve destination address: %v", err)
+				continue
+			}
+
+			conn, err := s.getOrCreateConnection(destAddr, remoteAddr)
+			if err != nil {
+				logger.Error("Failed to get/create connection: %v", err)
+				continue
+			}
+
+			_, err = conn.Write(packet)
+			if err != nil {
+				logger.Error("Failed to forward WireGuard packet: %v", err)
+			}
+		}
+	}
+}
+
+func (s *UDPProxyServer) getOrCreateConnection(destAddr *net.UDPAddr, remoteAddr *net.UDPAddr) (*net.UDPConn, error) {
+	key := destAddr.String() + "-" + remoteAddr.String()
+
+	// Check if we have an existing connection
+	if conn, ok := s.connections.Load(key); ok {
+		destConn := conn.(*DestinationConn)
+		destConn.lastUsed = time.Now()
+		return destConn.conn, nil
+	}
+
+	// Create new connection
+	newConn, err := net.DialUDP("udp", nil, destAddr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create UDP connection: %v", err)
+	}
+
+	// Store the new connection
+	s.connections.Store(key, &DestinationConn{
+		conn:     newConn,
+		lastUsed: time.Now(),
+	})
+
+	// Start a goroutine to handle responses
+	go s.handleResponses(newConn, destAddr, remoteAddr)
+
+	return newConn, nil
+}
+
+func (s *UDPProxyServer) handleResponses(conn *net.UDPConn, destAddr *net.UDPAddr, remoteAddr *net.UDPAddr) {
+	buffer := make([]byte, 1500)
+	for {
+		n, err := conn.Read(buffer)
+		if err != nil {
+			logger.Debug("Error reading response from %s: %v", destAddr.String(), err)
+			return
+		}
+
+		// Process the response to track sessions if it's a WireGuard packet
+		if n > 0 && buffer[0] >= 1 && buffer[0] <= 4 {
+			receiverIndex, senderIndex, ok := extractWireGuardIndices(buffer[:n])
+			if ok && buffer[0] == WireGuardMessageTypeHandshakeResponse {
+				// Store the session mapping for the handshake response
+				sessionKey := fmt.Sprintf("%d:%d", senderIndex, receiverIndex)
+				s.wgSessions.Store(sessionKey, &WireGuardSession{
+					ReceiverIndex: receiverIndex,
+					SenderIndex:   senderIndex,
+					DestAddr:      destAddr,
+					LastSeen:      time.Now(),
+				})
+				logger.Debug("Stored session mapping: %s -> %s", sessionKey, destAddr.String())
+			}
+		}
+
+		// Forward the response back through the main listener
+		_, err = s.conn.WriteToUDP(buffer[:n], remoteAddr)
+		if err != nil {
+			logger.Error("Failed to forward response: %v", err)
+		}
+	}
+}
+
+// Add a cleanup method to periodically remove idle connections
+func (s *UDPProxyServer) cleanupIdleConnections() {
+	ticker := time.NewTicker(5 * time.Minute)
+	for range ticker.C {
+		now := time.Now()
+		s.connections.Range(func(key, value interface{}) bool {
+			destConn := value.(*DestinationConn)
+			if now.Sub(destConn.lastUsed) > 10*time.Minute {
+				destConn.conn.Close()
+				s.connections.Delete(key)
+			}
+			return true
+		})
+	}
+}
+
+// New method to periodically remove idle sessions
+func (s *UDPProxyServer) cleanupIdleSessions() {
+	ticker := time.NewTicker(5 * time.Minute)
+	for range ticker.C {
+		now := time.Now()
+		s.wgSessions.Range(func(key, value interface{}) bool {
+			session := value.(*WireGuardSession)
+			if now.Sub(session.LastSeen) > 15*time.Minute {
+				s.wgSessions.Delete(key)
+				logger.Debug("Removed idle session: %s", key)
+			}
+			return true
+		})
+	}
+}
+
+// New method to periodically remove idle proxy mappings
+func (s *UDPProxyServer) cleanupIdleProxyMappings() {
+	ticker := time.NewTicker(10 * time.Minute)
+	for range ticker.C {
+		now := time.Now()
+		s.proxyMappings.Range(func(key, value interface{}) bool {
+			mapping := value.(ProxyMapping)
+			// Remove mappings that haven't been used in 30 minutes
+			if now.Sub(mapping.LastUsed) > 30*time.Minute {
+				s.proxyMappings.Delete(key)
+				logger.Debug("Removed idle proxy mapping: %s", key)
+			}
+			return true
+		})
+	}
+}
+
+func (s *UDPProxyServer) notifyServer(endpoint ClientEndpoint) {
+	logger.Debug("notifyServer called with endpoint: IP=%s, Port=%d", endpoint.IP, endpoint.Port)
+
+	jsonData, err := json.Marshal(endpoint)
+	if err != nil {
+		logger.Error("Failed to marshal endpoint data: %v", err)
+		return
+	}
+
+	resp, err := http.Post(s.serverURL+"/gerbil/update-hole-punch", "application/json", bytes.NewBuffer(jsonData))
+	if err != nil {
+		logger.Error("Failed to notify server: %v", err)
+		return
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		logger.Error("Server returned non-OK status: %d, body: %s",
+			resp.StatusCode, string(body))
+		return
+	}
+
+	// Parse the proxy mapping response
+	var mapping ProxyMapping
+	if err := json.NewDecoder(resp.Body).Decode(&mapping); err != nil {
+		logger.Error("Failed to decode proxy mapping: %v", err)
+		return
+	}
+
+	logger.Debug("Received proxy mapping from server: %v", mapping)
+
+	// Store the mapping with current timestamp
+	key := fmt.Sprintf("%s:%d", endpoint.IP, endpoint.Port)
+	logger.Debug("About to store proxy mapping with key: %s (from endpoint IP=%s, Port=%d)", key, endpoint.IP, endpoint.Port)
+	mapping.LastUsed = time.Now()
+	s.proxyMappings.Store(key, mapping)
+
+	logger.Debug("Stored proxy mapping for %s with %d destinations (timestamp: %v)", key, len(mapping.Destinations), mapping.LastUsed)
+}
+
+// Updated to support multiple destinations
+func (s *UDPProxyServer) UpdateProxyMapping(sourceIP string, sourcePort int, destinations []PeerDestination) {
+	key := fmt.Sprintf("%s:%d", sourceIP, sourcePort)
+	mapping := ProxyMapping{
+		Destinations: destinations,
+		LastUsed:     time.Now(),
+	}
+	s.proxyMappings.Store(key, mapping)
+}
+
+// OnPeerAdded clears connections and sessions for a specific WireGuard IP to allow re-establishment
+func (s *UDPProxyServer) OnPeerAdded(wgIP string) {
+	logger.Info("Clearing connections for added peer with WG IP: %s", wgIP)
+	s.clearConnectionsForWGIP(wgIP)
+	s.clearSessionsForWGIP(wgIP)
+	// s.clearProxyMappingsForWGIP(wgIP)
+}
+
+// OnPeerRemoved clears connections and sessions for a specific WireGuard IP
+func (s *UDPProxyServer) OnPeerRemoved(wgIP string) {
+	logger.Info("Clearing connections for removed peer with WG IP: %s", wgIP)
+	s.clearConnectionsForWGIP(wgIP)
+	s.clearSessionsForWGIP(wgIP)
+	// s.clearProxyMappingsForWGIP(wgIP)
+}
+
+// clearConnectionsForWGIP removes all connections associated with a specific WireGuard IP
+func (s *UDPProxyServer) clearConnectionsForWGIP(wgIP string) {
+	var keysToDelete []string
+
+	s.connections.Range(func(key, value interface{}) bool {
+		keyStr := key.(string)
+		destConn := value.(*DestinationConn)
+
+		// Connection keys are in format "destAddr-remoteAddr"
+		// Check if either destination or remote address contains the WG IP
+		if containsIP(keyStr, wgIP) {
+			keysToDelete = append(keysToDelete, keyStr)
+			destConn.conn.Close()
+			logger.Debug("Closing connection for WG IP %s: %s", wgIP, keyStr)
+		}
+		return true
+	})
+
+	// Delete the connections
+	for _, key := range keysToDelete {
+		s.connections.Delete(key)
+	}
+
+	logger.Info("Cleared %d connections for WG IP: %s", len(keysToDelete), wgIP)
+}
+
+// clearSessionsForWGIP removes all WireGuard sessions associated with a specific WireGuard IP
+func (s *UDPProxyServer) clearSessionsForWGIP(wgIP string) {
+	var keysToDelete []string
+
+	s.wgSessions.Range(func(key, value interface{}) bool {
+		keyStr := key.(string)
+		session := value.(*WireGuardSession)
+
+		// Check if the session's destination address contains the WG IP
+		if session.DestAddr != nil && session.DestAddr.IP.String() == wgIP {
+			keysToDelete = append(keysToDelete, keyStr)
+			logger.Debug("Marking session for deletion for WG IP %s: %s", wgIP, keyStr)
+		}
+		return true
+	})
+
+	// Delete the sessions
+	for _, key := range keysToDelete {
+		s.wgSessions.Delete(key)
+	}
+
+	logger.Info("Cleared %d sessions for WG IP: %s", len(keysToDelete), wgIP)
+}
+
+// // clearProxyMappingsForWGIP removes all proxy mappings that have destinations pointing to a specific WireGuard IP
+// func (s *UDPProxyServer) clearProxyMappingsForWGIP(wgIP string) {
+// 	var keysToDelete []string
+
+// 	s.proxyMappings.Range(func(key, value interface{}) bool {
+// 		keyStr := key.(string)
+// 		mapping := value.(ProxyMapping)
+
+// 		// Check if any destination in the mapping contains the WG IP
+// 		for _, dest := range mapping.Destinations {
+// 			if dest.DestinationIP == wgIP {
+// 				keysToDelete = append(keysToDelete, keyStr)
+// 				logger.Debug("Marking proxy mapping for deletion for WG IP %s: %s -> %s:%d", wgIP, keyStr, dest.DestinationIP, dest.DestinationPort)
+// 				break // Found one destination, no need to check others in this mapping
+// 			}
+// 		}
+// 		return true
+// 	})
+
+// 	// Delete the proxy mappings
+// 	for _, key := range keysToDelete {
+// 		s.proxyMappings.Delete(key)
+// 		logger.Debug("Deleted proxy mapping: %s", key)
+// 	}
+
+// 	logger.Info("Cleared %d proxy mappings for WG IP: %s", len(keysToDelete), wgIP)
+// }
+
+// containsIP checks if a connection key string contains the specified IP address
+func containsIP(connectionKey, ip string) bool {
+	// Connection keys are in format "destIP:destPort-remoteIP:remotePort"
+	// Check if the IP appears at the beginning (destination) or after the dash (remote)
+	ipWithColon := ip + ":"
+
+	// Check if connection key starts with the IP (destination address)
+	if len(connectionKey) >= len(ipWithColon) && connectionKey[:len(ipWithColon)] == ipWithColon {
+		return true
+	}
+
+	// Check if connection key contains the IP after a dash (remote address)
+	dashIndex := -1
+	for i := 0; i < len(connectionKey); i++ {
+		if connectionKey[i] == '-' {
+			dashIndex = i
+			break
+		}
+	}
+
+	if dashIndex != -1 && dashIndex+1 < len(connectionKey) {
+		remainingPart := connectionKey[dashIndex+1:]
+		if len(remainingPart) >= len(ip)+1 && remainingPart[:len(ip)+1] == ipWithColon {
+			return true
+		}
+	}
+
+	return false
+}
+
+// UpdateDestinationInMappings updates all proxy mappings that contain the old destination with the new destination
+// Returns the number of mappings that were updated
+func (s *UDPProxyServer) UpdateDestinationInMappings(oldDest, newDest PeerDestination) int {
+	updatedCount := 0
+
+	s.proxyMappings.Range(func(key, value interface{}) bool {
+		keyStr := key.(string)
+		mapping := value.(ProxyMapping)
+		updated := false
+
+		// Check each destination in the mapping
+		for i, dest := range mapping.Destinations {
+			if dest.DestinationIP == oldDest.DestinationIP && dest.DestinationPort == oldDest.DestinationPort {
+				// Update this destination
+				mapping.Destinations[i] = newDest
+				updated = true
+				logger.Debug("Updated destination in mapping %s: %s:%d -> %s:%d",
+					keyStr, oldDest.DestinationIP, oldDest.DestinationPort,
+					newDest.DestinationIP, newDest.DestinationPort)
+			}
+		}
+
+		// If we updated any destinations, store the updated mapping back
+		if updated {
+			mapping.LastUsed = time.Now()
+			s.proxyMappings.Store(keyStr, mapping)
+			updatedCount++
+		}
+
+		return true // continue iteration
+	})
+
+	if updatedCount > 0 {
+		logger.Info("Updated %d proxy mappings from %s:%d to %s:%d",
+			updatedCount, oldDest.DestinationIP, oldDest.DestinationPort,
+			newDest.DestinationIP, newDest.DestinationPort)
+	}
+
+	return updatedCount
+}