Merge branch 'dev' of github.com:fosrl/olm into dev

Former-commit-id: ea05ac9c71
Use local websocket without config or otel
2026-02-15 17:36:40 +00:00 · 2025-10-27 21:42:52 -07:00 · 2025-10-27 21:42:41 -07:00 · 2025-10-27 21:39:54 -07:00 · 2025-10-27 21:27:21 -07:00 · 2025-10-25 17:31:25 -07:00
38 changed files with 5438 additions and 1251 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +1,6 @@
 .gitignore
 .dockerignore
-newt
+olm
 *.json
 README.md
 Makefile
--- a/.github/DISCUSSION_TEMPLATE/feature-requests.yml
+++ b/.github/DISCUSSION_TEMPLATE/feature-requests.yml
@@ -0,0 +1,47 @@
 body:
    - type: textarea
      attributes:
          label: Summary
          description: A clear and concise summary of the requested feature.
      validations:
          required: true
    - type: textarea
      attributes:
          label: Motivation
          description: |
              Why is this feature important?
              Explain the problem this feature would solve or what use case it would enable.
      validations:
          required: true
    - type: textarea
      attributes:
          label: Proposed Solution
          description: |
              How would you like to see this feature implemented?
              Provide as much detail as possible about the desired behavior, configuration, or changes.
      validations:
          required: true
    - type: textarea
      attributes:
          label: Alternatives Considered
          description: Describe any alternative solutions or workarounds you've thought about.
      validations:
          required: false
    - type: textarea
      attributes:
          label: Additional Context
          description: Add any other context, mockups, or screenshots about the feature request here.
      validations:
          required: false
    - type: markdown
      attributes:
          value: |
              Before submitting, please:
              - Check if there is an existing issue for this feature.
              - Clearly explain the benefit and use case.
              - Be as specific as possible to help contributors evaluate and implement.
--- a/.github/ISSUE_TEMPLATE/1.bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/1.bug_report.yml
@@ -0,0 +1,51 @@
 name: Bug Report
 description: Create a bug report
 labels: []
 body:
    - type: textarea
      attributes:
          label: Describe the Bug
          description: A clear and concise description of what the bug is.
      validations:
          required: true
    - type: textarea
      attributes:
          label: Environment
          description: Please fill out the relevant details below for your environment.
          value: |
              - OS Type & Version: (e.g., Ubuntu 22.04)
              - Pangolin Version:
              - Gerbil Version:
              - Traefik Version:
              - Newt Version:
              - Olm Version: (if applicable)
      validations:
          required: true
    - type: textarea
      attributes:
          label: To Reproduce
          description: |
              Steps to reproduce the behavior, please provide a clear description of how to reproduce the issue, based on the linked minimal reproduction. Screenshots can be provided in the issue body below.
              If using code blocks, make sure syntax highlighting is correct and double-check that the rendered preview is not broken.
      validations:
          required: true
    - type: textarea
      attributes:
          label: Expected Behavior
          description: A clear and concise description of what you expected to happen.
      validations:
          required: true
    - type: markdown
      attributes:
          value: |
              Before posting the issue go through the steps you've written down to make sure the steps provided are detailed and clear.
    - type: markdown
      attributes:
          value: |
              Contributors should be able to follow the steps provided in order to reproduce the bug.
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,8 @@
 blank_issues_enabled: false
 contact_links:
    - name: Need help or have questions?
      url: https://github.com/orgs/fosrl/discussions
      about: Ask questions, get help, and discuss with other community members
    - name: Request a Feature
      url: https://github.com/orgs/fosrl/discussions/new?category=feature-requests
      about: Feature requests should be opened as discussions so others can upvote and comment
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,40 @@
 version: 2
 updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "daily"
    groups:
      dev-patch-updates:
        dependency-type: "development"
        update-types:
          - "patch"
      dev-minor-updates:
        dependency-type: "development"
        update-types:
          - "minor"
      prod-patch-updates:
        dependency-type: "production"
        update-types:
          - "patch"
      prod-minor-updates:
        dependency-type: "production"
        update-types:
          - "minor"
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"
    groups:
      patch-updates:
        update-types:
          - "patch"
      minor-updates:
        update-types:
          - "minor"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -0,0 +1,60 @@
 name: CI/CD Pipeline
 on:
    push:
        tags:
            - "*"
 jobs:
    release:
        name: Build and Release
        runs-on: amd64-runner
        steps:
            - name: Checkout code
              uses: actions/checkout@v5
            - name: Set up QEMU
              uses: docker/setup-qemu-action@v3
            - name: Set up Docker Buildx
              uses: docker/setup-buildx-action@v3
            - name: Log in to Docker Hub
              uses: docker/login-action@v3
              with:
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
            - name: Extract tag name
              id: get-tag
              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
            - name: Install Go
              uses: actions/setup-go@v6
              with:
                  go-version: 1.25
            - name: Update version in main.go
              run: |
                  TAG=${{ env.TAG }}
                  if [ -f main.go ]; then
                    sed -i 's/version_replaceme/'"$TAG"'/' main.go
                    echo "Updated main.go with version $TAG"
                  else
                    echo "main.go not found"
                  fi
            - name: Build and push Docker images
              run: |
                  TAG=${{ env.TAG }}
                  make docker-build-release tag=$TAG
            - name: Build binaries
              run: |
                  make go-build-release
            - name: Upload artifacts from /bin
              uses: actions/upload-artifact@v4
              with:
                  name: binaries
                  path: bin/
--- a/.github/workflows/mirror.yaml
+++ b/.github/workflows/mirror.yaml
@@ -0,0 +1,132 @@
 name: Mirror & Sign (Docker Hub to GHCR)
 on:
  workflow_dispatch: {}
 permissions:
  contents: read
  packages: write
  id-token: write   # for keyless OIDC
 env:
  SOURCE_IMAGE: docker.io/fosrl/olm
  DEST_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
 jobs:
  mirror-and-dual-sign:
    runs-on: amd64-runner
    steps:
      - name: Install skopeo + jq
        run: |
          sudo apt-get update -y
          sudo apt-get install -y skopeo jq
          skopeo --version
      - name: Install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - name: Input check
        run: |
          test -n "${SOURCE_IMAGE}" || (echo "SOURCE_IMAGE is empty" && exit 1)
          echo "Source : ${SOURCE_IMAGE}"
          echo "Target : ${DEST_IMAGE}"
      # Auth for skopeo (containers-auth)
      - name: Skopeo login to GHCR
        run: |
          skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
      # Auth for cosign (docker-config)
      - name: Docker login to GHCR (for cosign)
        run: |
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
      - name: List source tags
        run: |
          set -euo pipefail
          skopeo list-tags --retry-times 3 docker://"${SOURCE_IMAGE}" \
            | jq -r '.Tags[]' | sort -u > src-tags.txt
          echo "Found source tags: $(wc -l < src-tags.txt)"
          head -n 20 src-tags.txt || true
      - name: List destination tags (skip existing)
        run: |
          set -euo pipefail
          if skopeo list-tags --retry-times 3 docker://"${DEST_IMAGE}" >/tmp/dst.json 2>/dev/null; then
            jq -r '.Tags[]' /tmp/dst.json | sort -u > dst-tags.txt
          else
            : > dst-tags.txt
          fi
          echo "Existing destination tags: $(wc -l < dst-tags.txt)"
      - name: Mirror, dual-sign, and verify
        env:
          # keyless
          COSIGN_YES: "true"
          # key-based
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD:    ${{ secrets.COSIGN_PASSWORD }}
          # verify
          COSIGN_PUBLIC_KEY:  ${{ secrets.COSIGN_PUBLIC_KEY }}
        run: |
          set -euo pipefail
          copied=0; skipped=0; v_ok=0; errs=0
          issuer="https://token.actions.githubusercontent.com"
          id_regex="^https://github.com/${{ github.repository }}/.+"
          while read -r tag; do
            [ -z "$tag" ] && continue
            if grep -Fxq "$tag" dst-tags.txt; then
              echo "::notice ::Skip (exists) ${DEST_IMAGE}:${tag}"
              skipped=$((skipped+1))
              continue
            fi
            echo "==> Copy ${SOURCE_IMAGE}:${tag} → ${DEST_IMAGE}:${tag}"
            if ! skopeo copy --all --retry-times 3 \
                 docker://"${SOURCE_IMAGE}:${tag}" docker://"${DEST_IMAGE}:${tag}"; then
              echo "::warning title=Copy failed::${SOURCE_IMAGE}:${tag}"
              errs=$((errs+1)); continue
            fi
            copied=$((copied+1))
            digest="$(skopeo inspect --retry-times 3 docker://"${DEST_IMAGE}:${tag}" | jq -r '.Digest')"
            ref="${DEST_IMAGE}@${digest}"
            echo "==> cosign sign (keyless) --recursive ${ref}"
            if ! cosign sign --recursive "${ref}"; then
              echo "::warning title=Keyless sign failed::${ref}"
              errs=$((errs+1))
            fi
            echo "==> cosign sign (key) --recursive ${ref}"
            if ! cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${ref}"; then
              echo "::warning title=Key sign failed::${ref}"
              errs=$((errs+1))
            fi
            echo "==> cosign verify (public key) ${ref}"
            if ! cosign verify --key env://COSIGN_PUBLIC_KEY "${ref}" -o text; then
              echo "::warning title=Verify(pubkey) failed::${ref}"
              errs=$((errs+1))
            fi
            echo "==> cosign verify (keyless policy) ${ref}"
            if ! cosign verify \
                 --certificate-oidc-issuer "${issuer}" \
                 --certificate-identity-regexp "${id_regex}" \
                 "${ref}" -o text; then
              echo "::warning title=Verify(keyless) failed::${ref}"
              errs=$((errs+1))
            else
              v_ok=$((v_ok+1))
            fi
          done < src-tags.txt
          echo "---- Summary ----"
          echo "Copied        : $copied"
          echo "Skipped       : $skipped"
          echo "Verified OK   : $v_ok"
          echo "Errors        : $errs"
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,28 @@
 name: Run Tests
 on:
  pull_request:
    branches:
      - main
      - dev
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: 1.25
      - name: Build go
        run: go build
      - name: Build Docker image
        run: make build
      - name: Build binaries
        run: make go-build-release
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-newt
+olm
 .DS_Store
 bin/
--- a/.go-version
+++ b/.go-version
@@ -0,0 +1 @@
 1.25
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -4,11 +4,7 @@ Contributions are welcome!
 Please see the contribution and local development guide on the docs page before getting started:
-https://docs.fossorial.io/development
+https://docs.pangolin.net/development/contributing
 For ideas about what features to work on and our future plans, please see the roadmap:
 https://docs.fossorial.io/roadmap
 ### Licensing Considerations
--- a/12
+++ b/12
@@ -1,4 +1,4 @@
-FROM golang:1.23.1-alpine AS builder
+FROM golang:1.25-alpine AS builder
 # Set the working directory inside the container
 WORKDIR /app
@@ -13,15 +13,15 @@ RUN go mod download
 COPY . .
 # Build the application
-RUN CGO_ENABLED=0 GOOS=linux go build -o /newt
+RUN CGO_ENABLED=0 GOOS=linux go build -o /olm
 # Start a new stage from scratch
-FROM ubuntu:22.04 AS runner
+FROM alpine:3.22 AS runner
-RUN apt-get update && apt-get install ca-certificates -y  && rm -rf /var/lib/apt/lists/*
+RUN apk --no-cache add ca-certificates
 # Copy the pre-built binary file from the previous stage and the entrypoint script
-COPY --from=builder /newt /usr/local/bin/
+COPY --from=builder /olm /usr/local/bin/
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
@@ -30,4 +30,4 @@ RUN chmod +x /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 # Command to run the executable
-CMD ["newt"]
+CMD ["olm"]
--- a/38
+++ b/38
@@ -1,26 +1,26 @@
-all: build push
+all: go-build-release 
-build:
+docker-build-release:
-	docker build -t fosrl/newt:latest .
+	@if [ -z "$(tag)" ]; then \
-
+		echo "Error: tag is required. Usage: make docker-build-release tag=<tag>"; \
-push:
+		exit 1; \
-	docker push fosrl/newt:latest
+	fi
-
+	docker buildx build --platform linux/arm/v7,linux/arm64,linux/amd64 -t fosrl/olm:latest -f Dockerfile --push .
-test:
+	docker buildx build --platform linux/arm/v7,linux/arm64,linux/amd64 -t fosrl/olm:$(tag) -f Dockerfile --push .
 	docker run fosrl/newt:latest
 local: 
-	CGO_ENABLED=0 go build -o newt
+	CGO_ENABLED=0 go build -o olm
-release:
+build:
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/newt_linux_arm64
+	docker build -t fosrl/olm:latest .
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/newt_linux_amd64
 	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o bin/newt_darwin_arm64
 	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o bin/newt_darwin_amd64
 	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o newt_windows_amd64.bin/exe
 	CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -o bin/newt_freebsd_amd64
 	CGO_ENABLED=0 GOOS=freebsd GOARCH=arm64 go build -o bin/newt_freebsd_arm64
 go-build-release:
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/olm_linux_arm64
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/olm_linux_amd64
 	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o bin/olm_darwin_arm64
 	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o bin/olm_darwin_amd64
 	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o bin/olm_windows_amd64.exe
 clean:
-	rm newt
+	rm olm
--- a/README.md
+++ b/README.md
@@ -1,46 +1,59 @@
-# Newt
+# Olm
-Newt is a fully user space [WireGuard](https://www.wireguard.com/) tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. By using Newt, you don't need to manage complex WireGuard tunnels and NATing.
+Olm is a [WireGuard](https://www.wireguard.com/) tunnel client designed to securely connect your computer to Newt sites running on remote networks.
 ### Installation and Documentation
-Newt is used with Pangolin and Gerbil as part of the larger system. See documentation below:
+Olm is used with Pangolin and Newt as part of the larger system. See documentation below:
-   [Installation Instructions](https://docs.fossorial.io)
+-   [Full Documentation](https://docs.pangolin.net)
 -   [Full Documentation](https://docs.fossorial.io)
 ## Preview
 <img src="public/screenshots/preview.png" alt="Preview"/>
 _Sample output of a Newt container connected to Pangolin and hosting various resource target proxies._
 ## Key Functions
 ### Registers with Pangolin
-Using the Newt ID and a secret, the client will make HTTP requests to Pangolin to receive a session token. Using that token, it will connect to a websocket and maintain that connection. Control messages will be sent over the websocket.
+Using the Olm ID and a secret, the olm will make HTTP requests to Pangolin to receive a session token. Using that token, it will connect to a websocket and maintain that connection. Control messages will be sent over the websocket.
 ### Receives WireGuard Control Messages
-When Newt receives WireGuard control messages, it will use the information encoded (endpoint, public key) to bring up a WireGuard tunnel using [netstack](https://github.com/WireGuard/wireguard-go/blob/master/tun/netstack/examples/http_server.go) fully in user space. It will ping over the tunnel to ensure the peer on the Gerbil side is brought up. 
+When Olm receives WireGuard control messages, it will use the information encoded (endpoint, public key) to bring up a WireGuard tunnel on your computer to a remote Newt. It will ping over the tunnel to ensure the peer is brought up.
 ### Receives Proxy Control Messages
 When Newt receives WireGuard control messages, it will use the information encoded to create a local low level TCP and UDP proxies attached to the virtual tunnel in order to relay traffic to programmed targets.
 ## CLI Args
- `endpoint`: The endpoint where both Gerbil and Pangolin reside in order to connect to the websocket.
+-   `endpoint`: The endpoint where both Gerbil and Pangolin reside in order to connect to the websocket.
- `id`: Newt ID generated by Pangolin to identify the client.
+-   `id`: Olm ID generated by Pangolin to identify the olm.
- `secret`: A unique secret (not shared and kept private) used to authenticate the client ID with the websocket in order to receive commands. 
+-   `secret`: A unique secret (not shared and kept private) used to authenticate the olm ID with the websocket in order to receive commands.
- `dns`: DNS server to use to resolve the endpoint
+-   `mtu` (optional): MTU for the internal WG interface. Default: 1280
- `log-level` (optional): The log level to use. Default: INFO
+-   `dns` (optional): DNS server to use to resolve the endpoint. Default: 8.8.8.8
 -   `log-level` (optional): The log level to use (DEBUG, INFO, WARN, ERROR, FATAL). Default: INFO
 -   `ping-interval` (optional): Interval for pinging the server. Default: 3s
 -   `ping-timeout` (optional): Timeout for each ping. Default: 5s
 -   `interface` (optional): Name of the WireGuard interface. Default: olm
 -   `enable-http` (optional): Enable HTTP server for receiving connection requests. Default: false
 -   `http-addr` (optional): HTTP server address (e.g., ':9452'). Default: :9452
 -   `holepunch` (optional): Enable hole punching. Default: false
-Example:
+## Environment Variables
 All CLI arguments can also be set via environment variables:
 -   `PANGOLIN_ENDPOINT`: Equivalent to `--endpoint`
 -   `OLM_ID`: Equivalent to `--id`
 -   `OLM_SECRET`: Equivalent to `--secret`
 -   `MTU`: Equivalent to `--mtu`
 -   `DNS`: Equivalent to `--dns`
 -   `LOG_LEVEL`: Equivalent to `--log-level`
 -   `INTERFACE`: Equivalent to `--interface`
 -   `HTTP_ADDR`: Equivalent to `--http-addr`
 -   `PING_INTERVAL`: Equivalent to `--ping-interval`
 -   `PING_TIMEOUT`: Equivalent to `--ping-timeout`
 -   `HOLEPUNCH`: Set to "true" to enable hole punching (equivalent to `--holepunch`)
 -   `CONFIG_FILE`: Set to the location of a JSON file to load secret values
 Examples:
 ```bash
-./newt \
+olm \
 --id 31frd0uzbjvp721 \
 --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \
 --endpoint https://example.com
@@ -50,40 +63,230 @@ You can also run it with Docker compose. For example, a service in your `docker-
 ```yaml
 services:
-  newt:
+    olm:
-    image: fosrl/newt
+        image: fosrl/olm
-    container_name: newt
+        container_name: olm
-    restart: unless-stopped
+        restart: unless-stopped
-    environment:
+        network_mode: host
-      - PANGOLIN_ENDPOINT=https://example.com
+        devices:
-      - NEWT_ID=2ix2t8xk22ubpfy 
+            - /dev/net/tun:/dev/net/tun
-      - NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2 
+        environment:
            - PANGOLIN_ENDPOINT=https://example.com
            - OLM_ID=31frd0uzbjvp721
            - OLM_SECRET=h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
 ```
 You can also pass the CLI args to the container:
 ```yaml
 services:
-  newt:
+    olm:
-    image: fosrl/newt
+        image: fosrl/olm
-    container_name: newt
+        container_name: olm
-    restart: unless-stopped
+        restart: unless-stopped
-    command:
+        network_mode: host
-        - --id 31frd0uzbjvp721
+        devices:
-        - --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
+            - /dev/net/tun:/dev/net/tun
-        - --endpoint https://example.com
+        command:
            - --id 31frd0uzbjvp721
            - --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
            - --endpoint https://example.com
 ```
 **Docker Configuration Notes:**
 - `network_mode: host` brings the olm network interface to the host system, allowing the WireGuard tunnel to function properly
 - `devices: - /dev/net/tun:/dev/net/tun` is required to give the container access to the TUN device for creating WireGuard interfaces
 ## Loading secrets from files
 You can use `CONFIG_FILE` to define a location of a config file to store the credentials between runs. 
 ```
 $ cat ~/.config/olm-client/config.json
 {
  "id": "spmzu8rbpzj1qq6",
  "secret": "f6v61mjutwme2kkydbw3fjo227zl60a2tsf5psw9r25hgae3",
  "endpoint": "https://app.pangolin.net",
  "tlsClientCert": ""
 }
 ```
 This file is also written to when newt first starts up. So you do not need to run every time with --id and secret if you have run it once! 
 Default locations: 
 - **macOS**: `~/Library/Application Support/olm-client/config.json`
 - **Windows**: `%PROGRAMDATA%\olm\olm-client\config.json`
 - **Linux/Others**: `~/.config/olm-client/config.json`
 ## Hole Punching
 In the default mode, olm "relays" traffic through Gerbil in the cloud to get down to newt. This is a little more reliable. Support for NAT hole punching is also EXPERIMENTAL right now using the `--holepunch` flag. This will attempt to orchestrate a NAT hole punch between the two sites so that traffic flows directly. This will save data costs and speed. If it fails it should fall back to relaying.
 Right now, basic NAT hole punching is supported. We plan to add:
 -   [ ] Birthday paradox
 -   [ ] UPnP
 -   [ ] LAN detection
 ## Windows Service
 On Windows, olm has to be installed and run as a Windows service. When running it with the cli args live above it will attempt to install and run the service to function like a cli tool. You can also run the following:
 ### Service Management Commands
 ```
 # Install the service
 olm.exe install
 # Start the service
 olm.exe start
 # Stop the service
 olm.exe stop
 # Check service status
 olm.exe status
 # Remove the service
 olm.exe remove
 # Run in debug mode (console output) with our without id & secret
 olm.exe debug
 # Show help
 olm.exe help
 ```
 Note running the service requires credentials in `%PROGRAMDATA%\olm\olm-client\config.json`.
 ### Service Configuration
 When running as a service, Olm will read configuration from environment variables or you can modify the service to include command-line arguments:
 1. Install the service: `olm.exe install`
 2. Set the credentials in `%PROGRAMDATA%\olm\olm-client\config.json`. Hint: if you run olm once with --id and --secret this file will be populated! 
 3. Start the service: `olm.exe start`
 ### Service Logs
 When running as a service, logs are written to:
 -   Windows Event Log (Application log, source: "OlmWireguardService")
 -   Log files in: `%PROGRAMDATA%\olm\logs\olm.log`
 You can view the Windows Event Log using Event Viewer or PowerShell:
 ```powershell
 Get-EventLog -LogName Application -Source "OlmWireguardService" -Newest 10
 ```
 ## HTTP Endpoints
 Olm can be controlled with an embedded http server when using `--enable-http`. This allows you to start it as a daemon and trigger it with the following endpoints:
 ### POST /connect
 Initiates a new connection request.
 **Request Body:**
 ```json
 {
  "id": "string",
  "secret": "string", 
  "endpoint": "string"
 }
 ```
 **Required Fields:**
 - `id`: Connection identifier
 - `secret`: Authentication secret
 - `endpoint`: Target endpoint URL
 **Response:**
 - **Status Code:** `202 Accepted`
 - **Content-Type:** `application/json`
 ```json
 {
  "status": "connection request accepted"
 }
 ```
 **Error Responses:**
 - `405 Method Not Allowed` - Non-POST requests
 - `400 Bad Request` - Invalid JSON or missing required fields
 ### GET /status
 Returns the current connection status and peer information.
 **Response:**
 - **Status Code:** `200 OK`
 - **Content-Type:** `application/json`
 ```json
 {
  "status": "connected",
  "connected": true,
  "tunnelIP": "100.89.128.3/20",
  "version": "version_replaceme",
  "peers": {
    "10": {
      "siteId": 10,
      "connected": true,
      "rtt": 145338339,
      "lastSeen": "2025-08-13T14:39:17.208334428-07:00",
      "endpoint": "p.fosrl.io:21820",
      "isRelay": true
    },
    "8": {
      "siteId": 8,
      "connected": false,
      "rtt": 0,
      "lastSeen": "2025-08-13T14:39:19.663823645-07:00",
      "endpoint": "p.fosrl.io:21820",
      "isRelay": true
    }
  }
 }
 ```
 **Fields:**
 - `status`: Overall connection status ("connected" or "disconnected")
 - `connected`: Boolean connection state
 - `tunnelIP`: IP address and subnet of the tunnel (when connected)
 - `version`: Olm version string
 - `peers`: Map of peer statuses by site ID
  - `siteId`: Peer site identifier
  - `connected`: Boolean peer connection state
  - `rtt`: Peer round-trip time (integer, nanoseconds)
  - `lastSeen`: Last time peer was seen (RFC3339 timestamp)
  - `endpoint`: Peer endpoint address
  - `isRelay`: Whether the peer is relayed (true) or direct (false)
 **Error Responses:**
 - `405 Method Not Allowed` - Non-GET requests
 ## Usage Examples
 ### Connect to a peer
 ```bash
 curl -X POST http://localhost:8080/connect \
  -H "Content-Type: application/json" \
  -d '{
    "id": "31frd0uzbjvp721",
    "secret": "h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6",
    "endpoint": "https://example.com"
  }'
 ```
 ### Check connection status
 ```bash
 curl http://localhost:8080/status
 ```
 ## Build
 ### Container 
 Ensure Docker is installed.
 ```bash
 make
 ```
 ### Binary
 Make sure to have Go 1.23.1 installed.
@@ -94,7 +297,7 @@ make local
 ## Licensing
-Newt is dual licensed under the AGPLv3 and the Fossorial Commercial license. For inquiries about commercial licensing, please contact us.
+Olm is dual licensed under the AGPLv3 and the Fossorial Commercial license. For inquiries about commercial licensing, please contact us.
 ## Contributions
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -3,7 +3,7 @@
 If you discover a security vulnerability, please follow the steps below to responsibly disclose it to us:
 1. **Do not create a public GitHub issue or discussion post.** This could put the security of other users at risk.
-2. Send a detailed report to [security@fossorial.io](mailto:security@fossorial.io) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
+2. Send a detailed report to [security@pangolin.net](mailto:security@pangolin.net) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
 - Description and location of the vulnerability.
 - Potential impact of the vulnerability.
--- a/common.go
+++ b/common.go
--- a/config.go
+++ b/config.go
@@ -0,0 +1,484 @@
 package main
 import (
 	"encoding/json"
 	"flag"
 	"fmt"
 	"os"
 	"path/filepath"
 	"runtime"
 	"strconv"
 	"time"
 )
 // OlmConfig holds all configuration options for the Olm client
 type OlmConfig struct {
 	// Connection settings
 	Endpoint string `json:"endpoint"`
 	ID       string `json:"id"`
 	Secret   string `json:"secret"`
 	// Network settings
 	MTU           int    `json:"mtu"`
 	DNS           string `json:"dns"`
 	InterfaceName string `json:"interface"`
 	// Logging
 	LogLevel string `json:"logLevel"`
 	// HTTP server
 	EnableHTTP bool   `json:"enableHttp"`
 	HTTPAddr   string `json:"httpAddr"`
 	// Ping settings
 	PingInterval string `json:"pingInterval"`
 	PingTimeout  string `json:"pingTimeout"`
 	// Advanced
 	Holepunch     bool   `json:"holepunch"`
 	TlsClientCert string `json:"tlsClientCert"`
 	// Parsed values (not in JSON)
 	PingIntervalDuration time.Duration `json:"-"`
 	PingTimeoutDuration  time.Duration `json:"-"`
 	// Source tracking (not in JSON)
 	sources map[string]string `json:"-"`
 }
 // ConfigSource tracks where each config value came from
 type ConfigSource string
 const (
 	SourceDefault ConfigSource = "default"
 	SourceFile    ConfigSource = "file"
 	SourceEnv     ConfigSource = "environment"
 	SourceCLI     ConfigSource = "cli"
 )
 // DefaultConfig returns a config with default values
 func DefaultConfig() *OlmConfig {
 	config := &OlmConfig{
 		MTU:           1280,
 		DNS:           "8.8.8.8",
 		LogLevel:      "INFO",
 		InterfaceName: "olm",
 		EnableHTTP:    false,
 		HTTPAddr:      ":9452",
 		PingInterval:  "3s",
 		PingTimeout:   "5s",
 		Holepunch:     false,
 		sources:       make(map[string]string),
 	}
 	// Track default sources
 	config.sources["mtu"] = string(SourceDefault)
 	config.sources["dns"] = string(SourceDefault)
 	config.sources["logLevel"] = string(SourceDefault)
 	config.sources["interface"] = string(SourceDefault)
 	config.sources["enableHttp"] = string(SourceDefault)
 	config.sources["httpAddr"] = string(SourceDefault)
 	config.sources["pingInterval"] = string(SourceDefault)
 	config.sources["pingTimeout"] = string(SourceDefault)
 	config.sources["holepunch"] = string(SourceDefault)
 	return config
 }
 // getOlmConfigPath returns the path to the olm config file
 func getOlmConfigPath() string {
 	configFile := os.Getenv("CONFIG_FILE")
 	if configFile != "" {
 		return configFile
 	}
 	var configDir string
 	switch runtime.GOOS {
 	case "darwin":
 		configDir = filepath.Join(os.Getenv("HOME"), "Library", "Application Support", "olm-client")
 	case "windows":
 		configDir = filepath.Join(os.Getenv("PROGRAMDATA"), "olm", "olm-client")
 	default: // linux and others
 		configDir = filepath.Join(os.Getenv("HOME"), ".config", "olm-client")
 	}
 	if err := os.MkdirAll(configDir, 0755); err != nil {
 		fmt.Printf("Warning: Failed to create config directory: %v\n", err)
 	}
 	return filepath.Join(configDir, "config.json")
 }
 // LoadConfig loads configuration from file, env vars, and CLI args
 // Priority: CLI args > Env vars > Config file > Defaults
 // Returns: (config, showVersion, showConfig, error)
 func LoadConfig(args []string) (*OlmConfig, bool, bool, error) {
 	// Start with defaults
 	config := DefaultConfig()
 	// Load from config file (if exists)
 	fileConfig, err := loadConfigFromFile()
 	if err != nil {
 		return nil, false, false, fmt.Errorf("failed to load config file: %w", err)
 	}
 	if fileConfig != nil {
 		mergeConfigs(config, fileConfig)
 	}
 	// Override with environment variables
 	loadConfigFromEnv(config)
 	// Override with CLI arguments
 	showVersion, showConfig, err := loadConfigFromCLI(config, args)
 	if err != nil {
 		return nil, false, false, err
 	}
 	// Parse duration strings
 	if err := config.parseDurations(); err != nil {
 		return nil, false, false, err
 	}
 	return config, showVersion, showConfig, nil
 }
 // loadConfigFromFile loads configuration from the JSON config file
 func loadConfigFromFile() (*OlmConfig, error) {
 	configPath := getOlmConfigPath()
 	data, err := os.ReadFile(configPath)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return nil, nil // File doesn't exist, not an error
 		}
 		return nil, err
 	}
 	var config OlmConfig
 	if err := json.Unmarshal(data, &config); err != nil {
 		return nil, fmt.Errorf("failed to parse config file: %w", err)
 	}
 	return &config, nil
 }
 // loadConfigFromEnv loads configuration from environment variables
 func loadConfigFromEnv(config *OlmConfig) {
 	if val := os.Getenv("PANGOLIN_ENDPOINT"); val != "" {
 		config.Endpoint = val
 		config.sources["endpoint"] = string(SourceEnv)
 	}
 	if val := os.Getenv("OLM_ID"); val != "" {
 		config.ID = val
 		config.sources["id"] = string(SourceEnv)
 	}
 	if val := os.Getenv("OLM_SECRET"); val != "" {
 		config.Secret = val
 		config.sources["secret"] = string(SourceEnv)
 	}
 	if val := os.Getenv("MTU"); val != "" {
 		if mtu, err := strconv.Atoi(val); err == nil {
 			config.MTU = mtu
 			config.sources["mtu"] = string(SourceEnv)
 		} else {
 			fmt.Printf("Invalid MTU value: %s, keeping current value\n", val)
 		}
 	}
 	if val := os.Getenv("DNS"); val != "" {
 		config.DNS = val
 		config.sources["dns"] = string(SourceEnv)
 	}
 	if val := os.Getenv("LOG_LEVEL"); val != "" {
 		config.LogLevel = val
 		config.sources["logLevel"] = string(SourceEnv)
 	}
 	if val := os.Getenv("INTERFACE"); val != "" {
 		config.InterfaceName = val
 		config.sources["interface"] = string(SourceEnv)
 	}
 	if val := os.Getenv("HTTP_ADDR"); val != "" {
 		config.HTTPAddr = val
 		config.sources["httpAddr"] = string(SourceEnv)
 	}
 	if val := os.Getenv("PING_INTERVAL"); val != "" {
 		config.PingInterval = val
 		config.sources["pingInterval"] = string(SourceEnv)
 	}
 	if val := os.Getenv("PING_TIMEOUT"); val != "" {
 		config.PingTimeout = val
 		config.sources["pingTimeout"] = string(SourceEnv)
 	}
 	if val := os.Getenv("ENABLE_HTTP"); val == "true" {
 		config.EnableHTTP = true
 		config.sources["enableHttp"] = string(SourceEnv)
 	}
 	if val := os.Getenv("HOLEPUNCH"); val == "true" {
 		config.Holepunch = true
 		config.sources["holepunch"] = string(SourceEnv)
 	}
 }
 // loadConfigFromCLI loads configuration from command-line arguments
 func loadConfigFromCLI(config *OlmConfig, args []string) (bool, bool, error) {
 	serviceFlags := flag.NewFlagSet("service", flag.ContinueOnError)
 	// Store original values to detect changes
 	origValues := map[string]interface{}{
 		"endpoint":     config.Endpoint,
 		"id":           config.ID,
 		"secret":       config.Secret,
 		"mtu":          config.MTU,
 		"dns":          config.DNS,
 		"logLevel":     config.LogLevel,
 		"interface":    config.InterfaceName,
 		"httpAddr":     config.HTTPAddr,
 		"pingInterval": config.PingInterval,
 		"pingTimeout":  config.PingTimeout,
 		"enableHttp":   config.EnableHTTP,
 		"holepunch":    config.Holepunch,
 	}
 	// Define flags
 	serviceFlags.StringVar(&config.Endpoint, "endpoint", config.Endpoint, "Endpoint of your Pangolin server")
 	serviceFlags.StringVar(&config.ID, "id", config.ID, "Olm ID")
 	serviceFlags.StringVar(&config.Secret, "secret", config.Secret, "Olm secret")
 	serviceFlags.IntVar(&config.MTU, "mtu", config.MTU, "MTU to use")
 	serviceFlags.StringVar(&config.DNS, "dns", config.DNS, "DNS server to use")
 	serviceFlags.StringVar(&config.LogLevel, "log-level", config.LogLevel, "Log level (DEBUG, INFO, WARN, ERROR, FATAL)")
 	serviceFlags.StringVar(&config.InterfaceName, "interface", config.InterfaceName, "Name of the WireGuard interface")
 	serviceFlags.StringVar(&config.HTTPAddr, "http-addr", config.HTTPAddr, "HTTP server address (e.g., ':9452')")
 	serviceFlags.StringVar(&config.PingInterval, "ping-interval", config.PingInterval, "Interval for pinging the server")
 	serviceFlags.StringVar(&config.PingTimeout, "ping-timeout", config.PingTimeout, "Timeout for each ping")
 	serviceFlags.BoolVar(&config.EnableHTTP, "enable-http", config.EnableHTTP, "Enable HTTP server for receiving connection requests")
 	serviceFlags.BoolVar(&config.Holepunch, "holepunch", config.Holepunch, "Enable hole punching")
 	version := serviceFlags.Bool("version", false, "Print the version")
 	showConfig := serviceFlags.Bool("show-config", false, "Show configuration sources and exit")
 	// Parse the arguments
 	if err := serviceFlags.Parse(args); err != nil {
 		return false, false, err
 	}
 	// Track which values were changed by CLI args
 	if config.Endpoint != origValues["endpoint"].(string) {
 		config.sources["endpoint"] = string(SourceCLI)
 	}
 	if config.ID != origValues["id"].(string) {
 		config.sources["id"] = string(SourceCLI)
 	}
 	if config.Secret != origValues["secret"].(string) {
 		config.sources["secret"] = string(SourceCLI)
 	}
 	if config.MTU != origValues["mtu"].(int) {
 		config.sources["mtu"] = string(SourceCLI)
 	}
 	if config.DNS != origValues["dns"].(string) {
 		config.sources["dns"] = string(SourceCLI)
 	}
 	if config.LogLevel != origValues["logLevel"].(string) {
 		config.sources["logLevel"] = string(SourceCLI)
 	}
 	if config.InterfaceName != origValues["interface"].(string) {
 		config.sources["interface"] = string(SourceCLI)
 	}
 	if config.HTTPAddr != origValues["httpAddr"].(string) {
 		config.sources["httpAddr"] = string(SourceCLI)
 	}
 	if config.PingInterval != origValues["pingInterval"].(string) {
 		config.sources["pingInterval"] = string(SourceCLI)
 	}
 	if config.PingTimeout != origValues["pingTimeout"].(string) {
 		config.sources["pingTimeout"] = string(SourceCLI)
 	}
 	if config.EnableHTTP != origValues["enableHttp"].(bool) {
 		config.sources["enableHttp"] = string(SourceCLI)
 	}
 	if config.Holepunch != origValues["holepunch"].(bool) {
 		config.sources["holepunch"] = string(SourceCLI)
 	}
 	return *version, *showConfig, nil
 }
 // parseDurations parses the duration strings into time.Duration
 func (c *OlmConfig) parseDurations() error {
 	var err error
 	// Parse ping interval
 	if c.PingInterval != "" {
 		c.PingIntervalDuration, err = time.ParseDuration(c.PingInterval)
 		if err != nil {
 			fmt.Printf("Invalid PING_INTERVAL value: %s, using default 3 seconds\n", c.PingInterval)
 			c.PingIntervalDuration = 3 * time.Second
 			c.PingInterval = "3s"
 		}
 	} else {
 		c.PingIntervalDuration = 3 * time.Second
 		c.PingInterval = "3s"
 	}
 	// Parse ping timeout
 	if c.PingTimeout != "" {
 		c.PingTimeoutDuration, err = time.ParseDuration(c.PingTimeout)
 		if err != nil {
 			fmt.Printf("Invalid PING_TIMEOUT value: %s, using default 5 seconds\n", c.PingTimeout)
 			c.PingTimeoutDuration = 5 * time.Second
 			c.PingTimeout = "5s"
 		}
 	} else {
 		c.PingTimeoutDuration = 5 * time.Second
 		c.PingTimeout = "5s"
 	}
 	return nil
 }
 // mergeConfigs merges source config into destination (only non-empty values)
 // Also tracks that these values came from a file
 func mergeConfigs(dest, src *OlmConfig) {
 	if src.Endpoint != "" {
 		dest.Endpoint = src.Endpoint
 		dest.sources["endpoint"] = string(SourceFile)
 	}
 	if src.ID != "" {
 		dest.ID = src.ID
 		dest.sources["id"] = string(SourceFile)
 	}
 	if src.Secret != "" {
 		dest.Secret = src.Secret
 		dest.sources["secret"] = string(SourceFile)
 	}
 	if src.MTU != 0 && src.MTU != 1280 {
 		dest.MTU = src.MTU
 		dest.sources["mtu"] = string(SourceFile)
 	}
 	if src.DNS != "" && src.DNS != "8.8.8.8" {
 		dest.DNS = src.DNS
 		dest.sources["dns"] = string(SourceFile)
 	}
 	if src.LogLevel != "" && src.LogLevel != "INFO" {
 		dest.LogLevel = src.LogLevel
 		dest.sources["logLevel"] = string(SourceFile)
 	}
 	if src.InterfaceName != "" && src.InterfaceName != "olm" {
 		dest.InterfaceName = src.InterfaceName
 		dest.sources["interface"] = string(SourceFile)
 	}
 	if src.HTTPAddr != "" && src.HTTPAddr != ":9452" {
 		dest.HTTPAddr = src.HTTPAddr
 		dest.sources["httpAddr"] = string(SourceFile)
 	}
 	if src.PingInterval != "" && src.PingInterval != "3s" {
 		dest.PingInterval = src.PingInterval
 		dest.sources["pingInterval"] = string(SourceFile)
 	}
 	if src.PingTimeout != "" && src.PingTimeout != "5s" {
 		dest.PingTimeout = src.PingTimeout
 		dest.sources["pingTimeout"] = string(SourceFile)
 	}
 	if src.TlsClientCert != "" {
 		dest.TlsClientCert = src.TlsClientCert
 		dest.sources["tlsClientCert"] = string(SourceFile)
 	}
 	// For booleans, we always take the source value if explicitly set
 	if src.EnableHTTP {
 		dest.EnableHTTP = src.EnableHTTP
 		dest.sources["enableHttp"] = string(SourceFile)
 	}
 	if src.Holepunch {
 		dest.Holepunch = src.Holepunch
 		dest.sources["holepunch"] = string(SourceFile)
 	}
 }
 // SaveConfig saves the current configuration to the config file
 func SaveConfig(config *OlmConfig) error {
 	configPath := getOlmConfigPath()
 	data, err := json.MarshalIndent(config, "", "  ")
 	if err != nil {
 		return fmt.Errorf("failed to marshal config: %w", err)
 	}
 	return os.WriteFile(configPath, data, 0644)
 }
 // ShowConfig prints the configuration and the source of each value
 func (c *OlmConfig) ShowConfig() {
 	configPath := getOlmConfigPath()
 	fmt.Println("\n=== Olm Configuration ===\n")
 	fmt.Printf("Config File: %s\n", configPath)
 	// Check if config file exists
 	if _, err := os.Stat(configPath); err == nil {
 		fmt.Printf("Config File Status: ✓ exists\n")
 	} else {
 		fmt.Printf("Config File Status: ✗ not found\n")
 	}
 	fmt.Println("\n--- Configuration Values ---")
 	fmt.Println("(Format: Setting = Value [source])\n")
 	// Helper to get source or default
 	getSource := func(key string) string {
 		if source, ok := c.sources[key]; ok {
 			return source
 		}
 		return string(SourceDefault)
 	}
 	// Helper to format value (mask secrets)
 	formatValue := func(key, value string) string {
 		if key == "secret" && value != "" {
 			if len(value) > 8 {
 				return value[:4] + "****" + value[len(value)-4:]
 			}
 			return "****"
 		}
 		if value == "" {
 			return "(not set)"
 		}
 		return value
 	}
 	// Connection settings
 	fmt.Println("Connection:")
 	fmt.Printf("  endpoint     = %s [%s]\n", formatValue("endpoint", c.Endpoint), getSource("endpoint"))
 	fmt.Printf("  id           = %s [%s]\n", formatValue("id", c.ID), getSource("id"))
 	fmt.Printf("  secret       = %s [%s]\n", formatValue("secret", c.Secret), getSource("secret"))
 	// Network settings
 	fmt.Println("\nNetwork:")
 	fmt.Printf("  mtu          = %d [%s]\n", c.MTU, getSource("mtu"))
 	fmt.Printf("  dns          = %s [%s]\n", c.DNS, getSource("dns"))
 	fmt.Printf("  interface    = %s [%s]\n", c.InterfaceName, getSource("interface"))
 	// Logging
 	fmt.Println("\nLogging:")
 	fmt.Printf("  log-level    = %s [%s]\n", c.LogLevel, getSource("logLevel"))
 	// HTTP server
 	fmt.Println("\nHTTP Server:")
 	fmt.Printf("  enable-http  = %v [%s]\n", c.EnableHTTP, getSource("enableHttp"))
 	fmt.Printf("  http-addr    = %s [%s]\n", c.HTTPAddr, getSource("httpAddr"))
 	// Timing
 	fmt.Println("\nTiming:")
 	fmt.Printf("  ping-interval = %s [%s]\n", c.PingInterval, getSource("pingInterval"))
 	fmt.Printf("  ping-timeout  = %s [%s]\n", c.PingTimeout, getSource("pingTimeout"))
 	// Advanced
 	fmt.Println("\nAdvanced:")
 	fmt.Printf("  holepunch    = %v [%s]\n", c.Holepunch, getSource("holepunch"))
 	if c.TlsClientCert != "" {
 		fmt.Printf("  tls-cert     = %s [%s]\n", c.TlsClientCert, getSource("tlsClientCert"))
 	}
 	// Source legend
 	fmt.Println("\n--- Source Legend ---")
 	fmt.Println("  default     = Built-in default value")
 	fmt.Println("  file        = Loaded from config file")
 	fmt.Println("  environment = Set via environment variable")
 	fmt.Println("  cli         = Provided as command-line argument")
 	fmt.Println("\nPriority: cli > environment > file > default")
 	fmt.Println()
 }
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,10 +1,15 @@
 services:
-  newt:
+  olm:
-    image: fosrl/newt:latest
+    image: fosrl/olm:latest
-    container_name: newt
+    container_name: olm
    restart: unless-stopped
    environment:
      - PANGOLIN_ENDPOINT=https://example.com
-      - NEWT_ID=2ix2t8xk22ubpfy 
+      - OLM_ID=vdqnz8rwgb95cnp 
-      - NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2 
+      - OLM_SECRET=1sw05qv1tkfdb1k81zpw05nahnnjvmhxjvf746umwagddmdg 
-      - LOG_LEVEL=DEBUG
+    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    devices:
      - /dev/net/tun:/dev/net/tun
    network_mode: host
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -4,7 +4,7 @@ set -e
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
-    set -- newt "$@"
+    set -- olm "$@"
 fi
 exec "$@"
--- a/get-olm.sh
+++ b/get-olm.sh
@@ -0,0 +1,279 @@
 #!/bin/bash
 # Get Olm - Cross-platform installation script
 # Usage: curl -fsSL https://raw.githubusercontent.com/fosrl/olm/refs/heads/main/get-olm.sh | bash
 set -e
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 NC='\033[0m' # No Color
 # GitHub repository info
 REPO="fosrl/olm"
 GITHUB_API_URL="https://api.github.com/repos/${REPO}/releases/latest"
 # Function to print colored output
 print_status() {
    echo -e "${GREEN}[INFO]${NC} $1"
 }
 print_warning() {
    echo -e "${YELLOW}[WARN]${NC} $1"
 }
 print_error() {
    echo -e "${RED}[ERROR]${NC} $1"
 }
 # Function to get latest version from GitHub API
 get_latest_version() {
    local latest_info
    if command -v curl >/dev/null 2>&1; then
        latest_info=$(curl -fsSL "$GITHUB_API_URL" 2>/dev/null)
    elif command -v wget >/dev/null 2>&1; then
        latest_info=$(wget -qO- "$GITHUB_API_URL" 2>/dev/null)
    else
        print_error "Neither curl nor wget is available. Please install one of them." >&2
        exit 1
    fi
    if [ -z "$latest_info" ]; then
        print_error "Failed to fetch latest version information" >&2
        exit 1
    fi
    # Extract version from JSON response (works without jq)
    local version=$(echo "$latest_info" | grep '"tag_name"' | head -1 | sed 's/.*"tag_name": *"\([^"]*\)".*/\1/')
    if [ -z "$version" ]; then
        print_error "Could not parse version from GitHub API response" >&2
        exit 1
    fi
    # Remove 'v' prefix if present
    version=$(echo "$version" | sed 's/^v//')
    echo "$version"
 }
 # Detect OS and architecture
 detect_platform() {
    local os arch
    # Detect OS
    case "$(uname -s)" in
        Linux*)     os="linux" ;;
        Darwin*)    os="darwin" ;;
        MINGW*|MSYS*|CYGWIN*) os="windows" ;;
        FreeBSD*)   os="freebsd" ;;
        *)
            print_error "Unsupported operating system: $(uname -s)"
            exit 1
            ;;
    esac
    # Detect architecture
    case "$(uname -m)" in
        x86_64|amd64)   arch="amd64" ;;
        arm64|aarch64)  arch="arm64" ;;
        armv7l|armv6l)  
            if [ "$os" = "linux" ]; then
                if [ "$(uname -m)" = "armv6l" ]; then
                    arch="arm32v6"
                else
                    arch="arm32"
                fi
            else
                arch="arm64"  # Default for non-Linux ARM
            fi
            ;;
        riscv64)        
            if [ "$os" = "linux" ]; then
                arch="riscv64"
            else
                print_error "RISC-V architecture only supported on Linux"
                exit 1
            fi
            ;;
        *)
            print_error "Unsupported architecture: $(uname -m)"
            exit 1
            ;;
    esac
    echo "${os}_${arch}"
 }
 # Get installation directory
 get_install_dir() {
    local platform="$1"
    if [[ "$platform" == *"windows"* ]]; then
        echo "$HOME/bin"
    else
        # For Unix-like systems, prioritize system-wide directories for sudo access
        # Check in order of preference: /usr/local/bin, /usr/bin, ~/.local/bin
        if [ -d "/usr/local/bin" ]; then
            echo "/usr/local/bin"
        elif [ -d "/usr/bin" ]; then
            echo "/usr/bin"
        else
            # Fallback to user directory if system directories don't exist
            echo "$HOME/.local/bin"
        fi
    fi
 }
 # Check if we need sudo for installation
 need_sudo() {
    local install_dir="$1"
    # If installing to system directory and we don't have write permission, need sudo
    if [[ "$install_dir" == "/usr/local/bin" || "$install_dir" == "/usr/bin" ]]; then
        if [ ! -w "$install_dir" ] 2>/dev/null; then
            return 0  # Need sudo
        fi
    fi
    return 1  # Don't need sudo
 }
 # Download and install olm
 install_olm() {
    local platform="$1"
    local install_dir="$2"
    local binary_name="olm_${platform}"
    local exe_suffix=""
    # Add .exe suffix for Windows
    if [[ "$platform" == *"windows"* ]]; then
        binary_name="${binary_name}.exe"
        exe_suffix=".exe"
    fi
    local download_url="${BASE_URL}/${binary_name}"
    local temp_file="/tmp/olm${exe_suffix}"
    local final_path="${install_dir}/olm${exe_suffix}"
    print_status "Downloading olm from ${download_url}"
    # Download the binary
    if command -v curl >/dev/null 2>&1; then
        curl -fsSL "$download_url" -o "$temp_file"
    elif command -v wget >/dev/null 2>&1; then
        wget -q "$download_url" -O "$temp_file"
    else
        print_error "Neither curl nor wget is available. Please install one of them."
        exit 1
    fi
    # Check if we need sudo for installation
    local use_sudo=""
    if need_sudo "$install_dir"; then
        print_status "Administrator privileges required for system-wide installation"
        if command -v sudo >/dev/null 2>&1; then
            use_sudo="sudo"
        else
            print_error "sudo is required for system-wide installation but not available"
            exit 1
        fi
    fi
    # Create install directory if it doesn't exist
    if [ -n "$use_sudo" ]; then
        $use_sudo mkdir -p "$install_dir"
    else
        mkdir -p "$install_dir"
    fi
    # Move binary to install directory
    if [ -n "$use_sudo" ]; then
        $use_sudo mv "$temp_file" "$final_path"
        $use_sudo chmod +x "$final_path"
    else
        mv "$temp_file" "$final_path"
        chmod +x "$final_path"
    fi
    print_status "olm installed to ${final_path}"
    # Check if install directory is in PATH (only warn for non-system directories)
    if [[ "$install_dir" != "/usr/local/bin" && "$install_dir" != "/usr/bin" ]]; then
        if ! echo "$PATH" | grep -q "$install_dir"; then
            print_warning "Install directory ${install_dir} is not in your PATH."
            print_warning "Add it to your PATH by adding this line to your shell profile:"
            print_warning "  export PATH=\"${install_dir}:\$PATH\""
        fi
    fi
 }
 # Verify installation
 verify_installation() {
    local install_dir="$1"
    local exe_suffix=""
    if [[ "$PLATFORM" == *"windows"* ]]; then
        exe_suffix=".exe"
    fi
    local olm_path="${install_dir}/olm${exe_suffix}"
    if [ -f "$olm_path" ] && [ -x "$olm_path" ]; then
        print_status "Installation successful!"
        print_status "olm version: $("$olm_path" --version 2>/dev/null || echo "unknown")"
        return 0
    else
        print_error "Installation failed. Binary not found or not executable."
        return 1
    fi
 }
 # Main installation process
 main() {
    print_status "Installing latest version of olm..."
    # Get latest version
    print_status "Fetching latest version from GitHub..."
    VERSION=$(get_latest_version)
    print_status "Latest version: v${VERSION}"
    # Set base URL with the fetched version
    BASE_URL="https://github.com/${REPO}/releases/download/${VERSION}"
    # Detect platform
    PLATFORM=$(detect_platform)
    print_status "Detected platform: ${PLATFORM}"
    # Get install directory
    INSTALL_DIR=$(get_install_dir "$PLATFORM")
    print_status "Install directory: ${INSTALL_DIR}"
    # Inform user about system-wide installation
    if [[ "$INSTALL_DIR" == "/usr/local/bin" || "$INSTALL_DIR" == "/usr/bin" ]]; then
        print_status "Installing system-wide for sudo access"
    fi
    # Install olm
    install_olm "$PLATFORM" "$INSTALL_DIR"
    # Verify installation
    if verify_installation "$INSTALL_DIR"; then
        print_status "olm is ready to use!"
        if [[ "$INSTALL_DIR" == "/usr/local/bin" || "$INSTALL_DIR" == "/usr/bin" ]]; then
            print_status "olm is installed system-wide and accessible via sudo"
        fi
        if [[ "$PLATFORM" == *"windows"* ]]; then
            print_status "Run 'olm --help' to get started"
        else
            print_status "Run 'olm --help' or 'sudo olm --help' to get started"
        fi
    else
        exit 1
    fi
 }
 # Run main function
 main "$@"
--- a/go.mod
+++ b/go.mod
@@ -1,20 +1,22 @@
-module github.com/fosrl/newt
+module github.com/fosrl/olm
-go 1.23.1
+go 1.25
 toolchain go1.23.2
 require golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
 require (
-	github.com/google/btree v1.1.2 // indirect
+	github.com/fosrl/newt v0.0.0-20250929233849-71c5bf7e65f7
-	github.com/gorilla/websocket v1.5.3 // indirect
+	github.com/vishvananda/netlink v1.3.1
-	golang.org/x/crypto v0.28.0 // indirect
+	golang.org/x/crypto v0.43.0
-	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
+	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792
-	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/sys v0.37.0
-	golang.org/x/sys v0.26.0 // indirect
+	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
-	golang.org/x/time v0.7.0 // indirect
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
-	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
+)
-	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 // indirect
+
-	gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 // indirect
+require (
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
 	golang.org/x/net v0.45.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	gvisor.dev/gvisor v0.0.0-20250718192347-d7830d968c56 // indirect
 	software.sslmate.com/src/go-pkcs12 v0.6.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,22 +1,34 @@
-github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
+github.com/fosrl/newt v0.0.0-20250929233849-71c5bf7e65f7 h1:6bSU8Efyhx1SR53iSw1Wjk5V8vDfizGAudq/GlE9b+o=
-github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/fosrl/newt v0.0.0-20250929233849-71c5bf7e65f7/go.mod h1:Ac0k2FmAMC+hu21rAK+p7EnnEGrqKO/QZuGTVHA/XDM=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
+github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
-golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
+github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
-golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
+github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
+golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
-golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
-golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
 golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 h1:/jFs0duh4rdb8uIfPMv78iAJGcPKDeqAFnaLBropIC4=
+golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=
-golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
+golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
-golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 h1:3GDAcqdIg1ozBNLgPy4SLT84nfcBjr6rhGtXYtrkWLU=
-golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10/go.mod h1:T97yPqesLiNrOYxkwmhMI0ZIlJDm+p0PMR8eRVeR5tQ=
-gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 h1:TbRPT0HtzFP3Cno1zZo7yPzEEnfu8EjLfl6IU9VfqkQ=
+gvisor.dev/gvisor v0.0.0-20250718192347-d7830d968c56 h1:H+qymc2ndLKNFR5TcaPmsHGiJnhJMqeofBYSRq4oG3c=
-gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259/go.mod h1:AVgIgHMwK63XvmAzWG9vLQ41YnVHN0du0tEC46fI7yY=
+gvisor.dev/gvisor v0.0.0-20250718192347-d7830d968c56/go.mod h1:i8iCZyAdwRnLZYaIi2NUL1gfNtAveqxkKAe0JfAv9Bs=
 software.sslmate.com/src/go-pkcs12 v0.6.0 h1:f3sQittAeF+pao32Vb+mkli+ZyT+VwKaD014qFGq6oU=
 software.sslmate.com/src/go-pkcs12 v0.6.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
--- a/httpserver/httpserver.go
+++ b/httpserver/httpserver.go
@@ -0,0 +1,217 @@
 package httpserver
 import (
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"sync"
 	"time"
 	"github.com/fosrl/newt/logger"
 )
 // ConnectionRequest defines the structure for an incoming connection request
 type ConnectionRequest struct {
 	ID       string `json:"id"`
 	Secret   string `json:"secret"`
 	Endpoint string `json:"endpoint"`
 }
 // PeerStatus represents the status of a peer connection
 type PeerStatus struct {
 	SiteID    int           `json:"siteId"`
 	Connected bool          `json:"connected"`
 	RTT       time.Duration `json:"rtt"`
 	LastSeen  time.Time     `json:"lastSeen"`
 	Endpoint  string        `json:"endpoint,omitempty"`
 	IsRelay   bool          `json:"isRelay"`
 }
 // StatusResponse is returned by the status endpoint
 type StatusResponse struct {
 	Status       string              `json:"status"`
 	Connected    bool                `json:"connected"`
 	TunnelIP     string              `json:"tunnelIP,omitempty"`
 	Version      string              `json:"version,omitempty"`
 	PeerStatuses map[int]*PeerStatus `json:"peers,omitempty"`
 }
 // HTTPServer represents the HTTP server and its state
 type HTTPServer struct {
 	addr           string
 	server         *http.Server
 	connectionChan chan ConnectionRequest
 	statusMu       sync.RWMutex
 	peerStatuses   map[int]*PeerStatus
 	connectedAt    time.Time
 	isConnected    bool
 	tunnelIP       string
 	version        string
 }
 // NewHTTPServer creates a new HTTP server
 func NewHTTPServer(addr string) *HTTPServer {
 	s := &HTTPServer{
 		addr:           addr,
 		connectionChan: make(chan ConnectionRequest, 1),
 		peerStatuses:   make(map[int]*PeerStatus),
 	}
 	return s
 }
 // Start starts the HTTP server
 func (s *HTTPServer) Start() error {
 	mux := http.NewServeMux()
 	mux.HandleFunc("/connect", s.handleConnect)
 	mux.HandleFunc("/status", s.handleStatus)
 	s.server = &http.Server{
 		Addr:    s.addr,
 		Handler: mux,
 	}
 	logger.Info("Starting HTTP server on %s", s.addr)
 	go func() {
 		if err := s.server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
 			logger.Error("HTTP server error: %v", err)
 		}
 	}()
 	return nil
 }
 // Stop stops the HTTP server
 func (s *HTTPServer) Stop() error {
 	logger.Info("Stopping HTTP server")
 	return s.server.Close()
 }
 // GetConnectionChannel returns the channel for receiving connection requests
 func (s *HTTPServer) GetConnectionChannel() <-chan ConnectionRequest {
 	return s.connectionChan
 }
 // UpdatePeerStatus updates the status of a peer including endpoint and relay info
 func (s *HTTPServer) UpdatePeerStatus(siteID int, connected bool, rtt time.Duration, endpoint string, isRelay bool) {
 	s.statusMu.Lock()
 	defer s.statusMu.Unlock()
 	status, exists := s.peerStatuses[siteID]
 	if !exists {
 		status = &PeerStatus{
 			SiteID: siteID,
 		}
 		s.peerStatuses[siteID] = status
 	}
 	status.Connected = connected
 	status.RTT = rtt
 	status.LastSeen = time.Now()
 	status.Endpoint = endpoint
 	status.IsRelay = isRelay
 }
 // SetConnectionStatus sets the overall connection status
 func (s *HTTPServer) SetConnectionStatus(isConnected bool) {
 	s.statusMu.Lock()
 	defer s.statusMu.Unlock()
 	s.isConnected = isConnected
 	if isConnected {
 		s.connectedAt = time.Now()
 	} else {
 		// Clear peer statuses when disconnected
 		s.peerStatuses = make(map[int]*PeerStatus)
 	}
 }
 // SetTunnelIP sets the tunnel IP address
 func (s *HTTPServer) SetTunnelIP(tunnelIP string) {
 	s.statusMu.Lock()
 	defer s.statusMu.Unlock()
 	s.tunnelIP = tunnelIP
 }
 // SetVersion sets the olm version
 func (s *HTTPServer) SetVersion(version string) {
 	s.statusMu.Lock()
 	defer s.statusMu.Unlock()
 	s.version = version
 }
 // UpdatePeerRelayStatus updates only the relay status of a peer
 func (s *HTTPServer) UpdatePeerRelayStatus(siteID int, endpoint string, isRelay bool) {
 	s.statusMu.Lock()
 	defer s.statusMu.Unlock()
 	status, exists := s.peerStatuses[siteID]
 	if !exists {
 		status = &PeerStatus{
 			SiteID: siteID,
 		}
 		s.peerStatuses[siteID] = status
 	}
 	status.Endpoint = endpoint
 	status.IsRelay = isRelay
 }
 // handleConnect handles the /connect endpoint
 func (s *HTTPServer) handleConnect(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPost {
 		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
 		return
 	}
 	var req ConnectionRequest
 	decoder := json.NewDecoder(r.Body)
 	if err := decoder.Decode(&req); err != nil {
 		http.Error(w, fmt.Sprintf("Invalid request: %v", err), http.StatusBadRequest)
 		return
 	}
 	// Validate required fields
 	if req.ID == "" || req.Secret == "" || req.Endpoint == "" {
 		http.Error(w, "Missing required fields: id, secret, and endpoint must be provided", http.StatusBadRequest)
 		return
 	}
 	// Send the request to the main goroutine
 	s.connectionChan <- req
 	// Return a success response
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusAccepted)
 	json.NewEncoder(w).Encode(map[string]string{
 		"status": "connection request accepted",
 	})
 }
 // handleStatus handles the /status endpoint
 func (s *HTTPServer) handleStatus(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
 		return
 	}
 	s.statusMu.RLock()
 	defer s.statusMu.RUnlock()
 	resp := StatusResponse{
 		Connected:    s.isConnected,
 		TunnelIP:     s.tunnelIP,
 		Version:      s.version,
 		PeerStatuses: s.peerStatuses,
 	}
 	if s.isConnected {
 		resp.Status = "connected"
 	} else {
 		resp.Status = "disconnected"
 	}
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(resp)
 }
--- a/logger/level.go
+++ b/logger/level.go
@@ -1,27 +0,0 @@
 package logger
 type LogLevel int
 const (
 	DEBUG LogLevel = iota
 	INFO
 	WARN
 	ERROR
 	FATAL
 )
 var levelStrings = map[LogLevel]string{
 	DEBUG: "DEBUG",
 	INFO:  "INFO",
 	WARN:  "WARN",
 	ERROR: "ERROR",
 	FATAL: "FATAL",
 }
 // String returns the string representation of the log level
 func (l LogLevel) String() string {
 	if s, ok := levelStrings[l]; ok {
 		return s
 	}
 	return "UNKNOWN"
 }
--- a/logger/logger.go
+++ b/logger/logger.go
@@ -1,106 +0,0 @@
 package logger
 import (
 	"fmt"
 	"log"
 	"os"
 	"sync"
 	"time"
 )
 // Logger struct holds the logger instance
 type Logger struct {
 	logger *log.Logger
 	level  LogLevel
 }
 var (
 	defaultLogger *Logger
 	once          sync.Once
 )
 // NewLogger creates a new logger instance
 func NewLogger() *Logger {
 	return &Logger{
 		logger: log.New(os.Stdout, "", 0),
 		level:  DEBUG,
 	}
 }
 // Init initializes the default logger
 func Init() *Logger {
 	once.Do(func() {
 		defaultLogger = NewLogger()
 	})
 	return defaultLogger
 }
 // GetLogger returns the default logger instance
 func GetLogger() *Logger {
 	if defaultLogger == nil {
 		Init()
 	}
 	return defaultLogger
 }
 // SetLevel sets the minimum logging level
 func (l *Logger) SetLevel(level LogLevel) {
 	l.level = level
 }
 // log handles the actual logging
 func (l *Logger) log(level LogLevel, format string, args ...interface{}) {
 	if level < l.level {
 		return
 	}
 	timestamp := time.Now().Format("2006/01/02 15:04:05")
 	message := fmt.Sprintf(format, args...)
 	l.logger.Printf("%s: %s %s", level.String(), timestamp, message)
 }
 // Debug logs debug level messages
 func (l *Logger) Debug(format string, args ...interface{}) {
 	l.log(DEBUG, format, args...)
 }
 // Info logs info level messages
 func (l *Logger) Info(format string, args ...interface{}) {
 	l.log(INFO, format, args...)
 }
 // Warn logs warning level messages
 func (l *Logger) Warn(format string, args ...interface{}) {
 	l.log(WARN, format, args...)
 }
 // Error logs error level messages
 func (l *Logger) Error(format string, args ...interface{}) {
 	l.log(ERROR, format, args...)
 }
 // Fatal logs fatal level messages and exits
 func (l *Logger) Fatal(format string, args ...interface{}) {
 	l.log(FATAL, format, args...)
 	os.Exit(1)
 }
 // Global helper functions
 func Debug(format string, args ...interface{}) {
 	GetLogger().Debug(format, args...)
 }
 func Info(format string, args ...interface{}) {
 	GetLogger().Info(format, args...)
 }
 func Warn(format string, args ...interface{}) {
 	GetLogger().Warn(format, args...)
 }
 func Error(format string, args ...interface{}) {
 	GetLogger().Error(format, args...)
 }
 func Fatal(format string, args ...interface{}) {
 	GetLogger().Fatal(format, args...)
 }
--- a/main.go
+++ b/main.go
--- a/olm.iss
+++ b/olm.iss
@@ -0,0 +1,88 @@
 ; Script generated by the Inno Setup Script Wizard.
 ; SEE THE DOCUMENTATION FOR DETAILS ON CREATING INNO SETUP SCRIPT FILES!
 #define MyAppName "olm"
 #define MyAppVersion "1.0.0"
 #define MyAppPublisher "Fossorial Inc."
 #define MyAppURL "https://pangolin.net"
 #define MyAppExeName "olm.exe"
 [Setup]
 ; NOTE: The value of AppId uniquely identifies this application. Do not use the same AppId value in installers for other applications.
 ; (To generate a new GUID, click Tools | Generate GUID inside the IDE.)
 AppId={{44A24E4C-B616-476F-ADE7-8D56B930959E}
 AppName={#MyAppName}
 AppVersion={#MyAppVersion}
 ;AppVerName={#MyAppName} {#MyAppVersion}
 AppPublisher={#MyAppPublisher}
 AppPublisherURL={#MyAppURL}
 AppSupportURL={#MyAppURL}
 AppUpdatesURL={#MyAppURL}
 DefaultDirName={autopf}\{#MyAppName}
 UninstallDisplayIcon={app}\{#MyAppExeName}
 ; "ArchitecturesAllowed=x64compatible" specifies that Setup cannot run
 ; on anything but x64 and Windows 11 on Arm.
 ArchitecturesAllowed=x64compatible
 ; "ArchitecturesInstallIn64BitMode=x64compatible" requests that the
 ; install be done in "64-bit mode" on x64 or Windows 11 on Arm,
 ; meaning it should use the native 64-bit Program Files directory and
 ; the 64-bit view of the registry.
 ArchitecturesInstallIn64BitMode=x64compatible
 DefaultGroupName={#MyAppName}
 DisableProgramGroupPage=yes
 ; Uncomment the following line to run in non administrative install mode (install for current user only).
 ;PrivilegesRequired=lowest
 OutputBaseFilename=mysetup
 SolidCompression=yes
 WizardStyle=modern
 ; Add this to ensure PATH changes are applied and the system is prompted for a restart if needed
 RestartIfNeededByRun=no
 ChangesEnvironment=true
 [Languages]
 Name: "english"; MessagesFile: "compiler:Default.isl"
 [Files]
 ; The 'DestName' flag ensures that 'olm_windows_amd64.exe' is installed as 'olm.exe'
 Source: "C:\Users\Administrator\Downloads\olm_windows_amd64.exe"; DestDir: "{app}"; DestName: "{#MyAppExeName}"; Flags: ignoreversion
 Source: "C:\Users\Administrator\Downloads\wintun.dll"; DestDir: "{app}"; Flags: ignoreversion
 ; NOTE: Don't use "Flags: ignoreversion" on any shared system files
 [Icons]
 Name: "{group}\{#MyAppName}"; Filename: "{app}\{#MyAppExeName}"
 [Registry]
 ; Add the application's installation directory to the system PATH environment variable.
 ; HKLM (HKEY_LOCAL_MACHINE) is used for system-wide changes.
 ; The 'Path' variable is located under 'SYSTEM\CurrentControlSet\Control\Session Manager\Environment'.
 ; ValueType: expandsz allows for environment variables (like %ProgramFiles%) in the path.
 ; ValueData: "{olddata};{app}" appends the current application directory to the existing PATH.
 ; Flags: uninsdeletevalue ensures the entry is removed upon uninstallation.
 ; Check: IsWin64 ensures this is applied on 64-bit systems, which matches ArchitecturesAllowed.
 [Registry]
 ; Add the application's installation directory to the system PATH.
 Root: HKLM; Subkey: "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"; \
    ValueType: expandsz; ValueName: "Path"; ValueData: "{olddata};{app}"; \
    Flags: uninsdeletevalue; Check: NeedsAddPath(ExpandConstant('{app}'))
 [Code]
 function NeedsAddPath(Path: string): boolean;
 var
  OrigPath: string;
 begin
  if not RegQueryStringValue(HKEY_LOCAL_MACHINE,
    'SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
    'Path', OrigPath)
  then begin
    // Path variable doesn't exist at all, so we definitely need to add it.
    Result := True;
    exit;
  end;
  // Perform a case-insensitive check to see if the path is already present.
  // We add semicolons to prevent partial matches (e.g., matching C:\App in C:\App2).
  if Pos(';' + UpperCase(Path) + ';', ';' + UpperCase(OrigPath) + ';') > 0 then
    Result := False
  else
    Result := True;
 end;
--- a/peermonitor/peermonitor.go
+++ b/peermonitor/peermonitor.go
@@ -0,0 +1,331 @@
 package peermonitor
 import (
 	"context"
 	"fmt"
 	"strings"
 	"sync"
 	"time"
 	"github.com/fosrl/newt/logger"
 	"github.com/fosrl/olm/websocket"
 	"github.com/fosrl/olm/wgtester"
 	"golang.zx2c4.com/wireguard/device"
 )
 // PeerMonitorCallback is the function type for connection status change callbacks
 type PeerMonitorCallback func(siteID int, connected bool, rtt time.Duration)
 // WireGuardConfig holds the WireGuard configuration for a peer
 type WireGuardConfig struct {
 	SiteID       int
 	PublicKey    string
 	ServerIP     string
 	Endpoint     string
 	PrimaryRelay string // The primary relay endpoint
 }
 // PeerMonitor handles monitoring the connection status to multiple WireGuard peers
 type PeerMonitor struct {
 	monitors          map[int]*wgtester.Client
 	configs           map[int]*WireGuardConfig
 	callback          PeerMonitorCallback
 	mutex             sync.Mutex
 	running           bool
 	interval          time.Duration
 	timeout           time.Duration
 	maxAttempts       int
 	privateKey        string
 	wsClient          *websocket.Client
 	device            *device.Device
 	handleRelaySwitch bool // Whether to handle relay switching
 }
 // NewPeerMonitor creates a new peer monitor with the given callback
 func NewPeerMonitor(callback PeerMonitorCallback, privateKey string, wsClient *websocket.Client, device *device.Device, handleRelaySwitch bool) *PeerMonitor {
 	return &PeerMonitor{
 		monitors:          make(map[int]*wgtester.Client),
 		configs:           make(map[int]*WireGuardConfig),
 		callback:          callback,
 		interval:          1 * time.Second, // Default check interval
 		timeout:           2500 * time.Millisecond,
 		maxAttempts:       8,
 		privateKey:        privateKey,
 		wsClient:          wsClient,
 		device:            device,
 		handleRelaySwitch: handleRelaySwitch,
 	}
 }
 // SetInterval changes how frequently peers are checked
 func (pm *PeerMonitor) SetInterval(interval time.Duration) {
 	pm.mutex.Lock()
 	defer pm.mutex.Unlock()
 	pm.interval = interval
 	// Update interval for all existing monitors
 	for _, client := range pm.monitors {
 		client.SetPacketInterval(interval)
 	}
 }
 // SetTimeout changes the timeout for waiting for responses
 func (pm *PeerMonitor) SetTimeout(timeout time.Duration) {
 	pm.mutex.Lock()
 	defer pm.mutex.Unlock()
 	pm.timeout = timeout
 	// Update timeout for all existing monitors
 	for _, client := range pm.monitors {
 		client.SetTimeout(timeout)
 	}
 }
 // SetMaxAttempts changes the maximum number of attempts for TestConnection
 func (pm *PeerMonitor) SetMaxAttempts(attempts int) {
 	pm.mutex.Lock()
 	defer pm.mutex.Unlock()
 	pm.maxAttempts = attempts
 	// Update max attempts for all existing monitors
 	for _, client := range pm.monitors {
 		client.SetMaxAttempts(attempts)
 	}
 }
 // AddPeer adds a new peer to monitor
 func (pm *PeerMonitor) AddPeer(siteID int, endpoint string, wgConfig *WireGuardConfig) error {
 	pm.mutex.Lock()
 	defer pm.mutex.Unlock()
 	// Check if we're already monitoring this peer
 	if _, exists := pm.monitors[siteID]; exists {
 		// Update the endpoint instead of creating a new monitor
 		pm.removePeerUnlocked(siteID)
 	}
 	client, err := wgtester.NewClient(endpoint)
 	if err != nil {
 		return err
 	}
 	// Configure the client with our settings
 	client.SetPacketInterval(pm.interval)
 	client.SetTimeout(pm.timeout)
 	client.SetMaxAttempts(pm.maxAttempts)
 	// Store the client and config
 	pm.monitors[siteID] = client
 	pm.configs[siteID] = wgConfig
 	// If monitor is already running, start monitoring this peer
 	if pm.running {
 		siteIDCopy := siteID // Create a copy for the closure
 		err = client.StartMonitor(func(status wgtester.ConnectionStatus) {
 			pm.handleConnectionStatusChange(siteIDCopy, status)
 		})
 	}
 	return err
 }
 // removePeerUnlocked stops monitoring a peer and removes it from the monitor
 // This function assumes the mutex is already held by the caller
 func (pm *PeerMonitor) removePeerUnlocked(siteID int) {
 	client, exists := pm.monitors[siteID]
 	if !exists {
 		return
 	}
 	client.StopMonitor()
 	client.Close()
 	delete(pm.monitors, siteID)
 	delete(pm.configs, siteID)
 }
 // RemovePeer stops monitoring a peer and removes it from the monitor
 func (pm *PeerMonitor) RemovePeer(siteID int) {
 	pm.mutex.Lock()
 	defer pm.mutex.Unlock()
 	pm.removePeerUnlocked(siteID)
 }
 // Start begins monitoring all peers
 func (pm *PeerMonitor) Start() {
 	pm.mutex.Lock()
 	defer pm.mutex.Unlock()
 	if pm.running {
 		return // Already running
 	}
 	pm.running = true
 	// Start monitoring all peers
 	for siteID, client := range pm.monitors {
 		siteIDCopy := siteID // Create a copy for the closure
 		err := client.StartMonitor(func(status wgtester.ConnectionStatus) {
 			pm.handleConnectionStatusChange(siteIDCopy, status)
 		})
 		if err != nil {
 			logger.Error("Failed to start monitoring peer %d: %v\n", siteID, err)
 			continue
 		}
 		logger.Info("Started monitoring peer %d\n", siteID)
 	}
 }
 // handleConnectionStatusChange is called when a peer's connection status changes
 func (pm *PeerMonitor) handleConnectionStatusChange(siteID int, status wgtester.ConnectionStatus) {
 	// Call the user-provided callback first
 	if pm.callback != nil {
 		pm.callback(siteID, status.Connected, status.RTT)
 	}
 	// If disconnected, handle failover
 	if !status.Connected {
 		// Send relay message to the server
 		if pm.wsClient != nil {
 			pm.sendRelay(siteID)
 		}
 	}
 }
 // handleFailover handles failover to the relay server when a peer is disconnected
 func (pm *PeerMonitor) HandleFailover(siteID int, relayEndpoint string) {
 	pm.mutex.Lock()
 	config, exists := pm.configs[siteID]
 	pm.mutex.Unlock()
 	if !exists {
 		return
 	}
 	// Check for IPv6 and format the endpoint correctly
 	formattedEndpoint := relayEndpoint
 	if strings.Contains(relayEndpoint, ":") {
 		formattedEndpoint = fmt.Sprintf("[%s]", relayEndpoint)
 	}
 	// Configure WireGuard to use the relay
 	wgConfig := fmt.Sprintf(`private_key=%s
 public_key=%s
 allowed_ip=%s/32
 endpoint=%s:21820
 persistent_keepalive_interval=1`, pm.privateKey, config.PublicKey, config.ServerIP, formattedEndpoint)
 	err := pm.device.IpcSet(wgConfig)
 	if err != nil {
 		logger.Error("Failed to configure WireGuard device: %v\n", err)
 		return
 	}
 	logger.Info("Adjusted peer %d to point to relay!\n", siteID)
 }
 // sendRelay sends a relay message to the server
 func (pm *PeerMonitor) sendRelay(siteID int) error {
 	if !pm.handleRelaySwitch {
 		return nil
 	}
 	if pm.wsClient == nil {
 		return fmt.Errorf("websocket client is nil")
 	}
 	err := pm.wsClient.SendMessage("olm/wg/relay", map[string]interface{}{
 		"siteId": siteID,
 	})
 	if err != nil {
 		logger.Error("Failed to send registration message: %v", err)
 		return err
 	}
 	logger.Info("Sent relay message")
 	return nil
 }
 // Stop stops monitoring all peers
 func (pm *PeerMonitor) Stop() {
 	pm.mutex.Lock()
 	defer pm.mutex.Unlock()
 	if !pm.running {
 		return
 	}
 	pm.running = false
 	// Stop all monitors
 	for _, client := range pm.monitors {
 		client.StopMonitor()
 	}
 }
 // Close stops monitoring and cleans up resources
 func (pm *PeerMonitor) Close() {
 	pm.mutex.Lock()
 	defer pm.mutex.Unlock()
 	// Stop and close all clients
 	for siteID, client := range pm.monitors {
 		client.StopMonitor()
 		client.Close()
 		delete(pm.monitors, siteID)
 	}
 	pm.running = false
 }
 // TestPeer tests connectivity to a specific peer
 func (pm *PeerMonitor) TestPeer(siteID int) (bool, time.Duration, error) {
 	pm.mutex.Lock()
 	client, exists := pm.monitors[siteID]
 	pm.mutex.Unlock()
 	if !exists {
 		return false, 0, fmt.Errorf("peer with siteID %d not found", siteID)
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), pm.timeout*time.Duration(pm.maxAttempts))
 	defer cancel()
 	connected, rtt := client.TestConnection(ctx)
 	return connected, rtt, nil
 }
 // TestAllPeers tests connectivity to all peers
 func (pm *PeerMonitor) TestAllPeers() map[int]struct {
 	Connected bool
 	RTT       time.Duration
 } {
 	pm.mutex.Lock()
 	peers := make(map[int]*wgtester.Client, len(pm.monitors))
 	for siteID, client := range pm.monitors {
 		peers[siteID] = client
 	}
 	pm.mutex.Unlock()
 	results := make(map[int]struct {
 		Connected bool
 		RTT       time.Duration
 	})
 	for siteID, client := range peers {
 		ctx, cancel := context.WithTimeout(context.Background(), pm.timeout*time.Duration(pm.maxAttempts))
 		connected, rtt := client.TestConnection(ctx)
 		cancel()
 		results[siteID] = struct {
 			Connected bool
 			RTT       time.Duration
 		}{
 			Connected: connected,
 			RTT:       rtt,
 		}
 	}
 	return results
 }
--- a/proxy/manager.go
+++ b/proxy/manager.go
@@ -1,335 +0,0 @@
 package proxy
 import (
 	"fmt"
 	"io"
 	"net"
 	"sync"
 	"time"
 	"github.com/fosrl/newt/logger"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
 )
 // Target represents a proxy target with its address and port
 type Target struct {
 	Address string
 	Port    int
 }
 // ProxyManager handles the creation and management of proxy connections
 type ProxyManager struct {
 	tnet       *netstack.Net
 	tcpTargets map[string]map[int]string // map[listenIP]map[port]targetAddress
 	udpTargets map[string]map[int]string
 	listeners  []*gonet.TCPListener
 	udpConns   []*gonet.UDPConn
 	running    bool
 	mutex      sync.RWMutex
 }
 // NewProxyManager creates a new proxy manager instance
 func NewProxyManager(tnet *netstack.Net) *ProxyManager {
 	return &ProxyManager{
 		tnet:       tnet,
 		tcpTargets: make(map[string]map[int]string),
 		udpTargets: make(map[string]map[int]string),
 		listeners:  make([]*gonet.TCPListener, 0),
 		udpConns:   make([]*gonet.UDPConn, 0),
 	}
 }
 // AddTarget adds a new target for proxying
 func (pm *ProxyManager) AddTarget(proto, listenIP string, port int, targetAddr string) error {
 	pm.mutex.Lock()
 	defer pm.mutex.Unlock()
 	switch proto {
 	case "tcp":
 		if pm.tcpTargets[listenIP] == nil {
 			pm.tcpTargets[listenIP] = make(map[int]string)
 		}
 		pm.tcpTargets[listenIP][port] = targetAddr
 	case "udp":
 		if pm.udpTargets[listenIP] == nil {
 			pm.udpTargets[listenIP] = make(map[int]string)
 		}
 		pm.udpTargets[listenIP][port] = targetAddr
 	default:
 		return fmt.Errorf("unsupported protocol: %s", proto)
 	}
 	if pm.running {
 		return pm.startTarget(proto, listenIP, port, targetAddr)
 	} else {
 		logger.Info("Not adding target because not running")
 	}
 	return nil
 }
 func (pm *ProxyManager) RemoveTarget(proto, listenIP string, port int) error {
 	pm.mutex.Lock()
 	defer pm.mutex.Unlock()
 	switch proto {
 	case "tcp":
 		if targets, ok := pm.tcpTargets[listenIP]; ok {
 			delete(targets, port)
 			// Remove and close the corresponding TCP listener
 			for i, listener := range pm.listeners {
 				if addr, ok := listener.Addr().(*net.TCPAddr); ok && addr.Port == port {
 					listener.Close()
 					time.Sleep(50 * time.Millisecond)
 					// Remove from slice
 					pm.listeners = append(pm.listeners[:i], pm.listeners[i+1:]...)
 					break
 				}
 			}
 		} else {
 			return fmt.Errorf("target not found: %s:%d", listenIP, port)
 		}
 	case "udp":
 		if targets, ok := pm.udpTargets[listenIP]; ok {
 			delete(targets, port)
 			// Remove and close the corresponding UDP connection
 			for i, conn := range pm.udpConns {
 				if addr, ok := conn.LocalAddr().(*net.UDPAddr); ok && addr.Port == port {
 					conn.Close()
 					time.Sleep(50 * time.Millisecond)
 					// Remove from slice
 					pm.udpConns = append(pm.udpConns[:i], pm.udpConns[i+1:]...)
 					break
 				}
 			}
 		} else {
 			return fmt.Errorf("target not found: %s:%d", listenIP, port)
 		}
 	default:
 		return fmt.Errorf("unsupported protocol: %s", proto)
 	}
 	return nil
 }
 // Start begins listening for all configured proxy targets
 func (pm *ProxyManager) Start() error {
 	pm.mutex.Lock()
 	defer pm.mutex.Unlock()
 	if pm.running {
 		return nil
 	}
 	// Start TCP targets
 	for listenIP, targets := range pm.tcpTargets {
 		for port, targetAddr := range targets {
 			if err := pm.startTarget("tcp", listenIP, port, targetAddr); err != nil {
 				return fmt.Errorf("failed to start TCP target: %v", err)
 			}
 		}
 	}
 	// Start UDP targets
 	for listenIP, targets := range pm.udpTargets {
 		for port, targetAddr := range targets {
 			if err := pm.startTarget("udp", listenIP, port, targetAddr); err != nil {
 				return fmt.Errorf("failed to start UDP target: %v", err)
 			}
 		}
 	}
 	pm.running = true
 	return nil
 }
 func (pm *ProxyManager) Stop() error {
 	pm.mutex.Lock()
 	defer pm.mutex.Unlock()
 	if !pm.running {
 		return nil
 	}
 	// Set running to false first to signal handlers to stop
 	pm.running = false
 	// Close TCP listeners
 	for i := len(pm.listeners) - 1; i >= 0; i-- {
 		listener := pm.listeners[i]
 		if err := listener.Close(); err != nil {
 			logger.Error("Error closing TCP listener: %v", err)
 		}
 		// Remove from slice
 		pm.listeners = append(pm.listeners[:i], pm.listeners[i+1:]...)
 	}
 	// Close UDP connections
 	for i := len(pm.udpConns) - 1; i >= 0; i-- {
 		conn := pm.udpConns[i]
 		if err := conn.Close(); err != nil {
 			logger.Error("Error closing UDP connection: %v", err)
 		}
 		// Remove from slice
 		pm.udpConns = append(pm.udpConns[:i], pm.udpConns[i+1:]...)
 	}
 	// Clear the target maps
 	for k := range pm.tcpTargets {
 		delete(pm.tcpTargets, k)
 	}
 	for k := range pm.udpTargets {
 		delete(pm.udpTargets, k)
 	}
 	// Give active connections a chance to close gracefully
 	time.Sleep(100 * time.Millisecond)
 	return nil
 }
 func (pm *ProxyManager) startTarget(proto, listenIP string, port int, targetAddr string) error {
 	switch proto {
 	case "tcp":
 		listener, err := pm.tnet.ListenTCP(&net.TCPAddr{Port: port})
 		if err != nil {
 			return fmt.Errorf("failed to create TCP listener: %v", err)
 		}
 		pm.listeners = append(pm.listeners, listener)
 		go pm.handleTCPProxy(listener, targetAddr)
 	case "udp":
 		addr := &net.UDPAddr{Port: port}
 		conn, err := pm.tnet.ListenUDP(addr)
 		if err != nil {
 			return fmt.Errorf("failed to create UDP listener: %v", err)
 		}
 		pm.udpConns = append(pm.udpConns, conn)
 		go pm.handleUDPProxy(conn, targetAddr)
 	default:
 		return fmt.Errorf("unsupported protocol: %s", proto)
 	}
 	logger.Info("Started %s proxy from %s:%d to %s", proto, listenIP, port, targetAddr)
 	return nil
 }
 func (pm *ProxyManager) handleTCPProxy(listener net.Listener, targetAddr string) {
 	for {
 		conn, err := listener.Accept()
 		if err != nil {
 			// Check if we're shutting down or the listener was closed
 			if !pm.running {
 				return
 			}
 			// Check for specific network errors that indicate the listener is closed
 			if ne, ok := err.(net.Error); ok && !ne.Temporary() {
 				logger.Info("TCP listener closed, stopping proxy handler for %v", listener.Addr())
 				return
 			}
 			logger.Error("Error accepting TCP connection: %v", err)
 			// Don't hammer the CPU if we hit a temporary error
 			time.Sleep(100 * time.Millisecond)
 			continue
 		}
 		go func() {
 			target, err := net.Dial("tcp", targetAddr)
 			if err != nil {
 				logger.Error("Error connecting to target: %v", err)
 				conn.Close()
 				return
 			}
 			// Create a WaitGroup to ensure both copy operations complete
 			var wg sync.WaitGroup
 			wg.Add(2)
 			go func() {
 				defer wg.Done()
 				io.Copy(target, conn)
 				target.Close()
 			}()
 			go func() {
 				defer wg.Done()
 				io.Copy(conn, target)
 				conn.Close()
 			}()
 			// Wait for both copies to complete
 			wg.Wait()
 		}()
 	}
 }
 func (pm *ProxyManager) handleUDPProxy(conn *gonet.UDPConn, targetAddr string) {
 	buffer := make([]byte, 65507) // Max UDP packet size
 	clientConns := make(map[string]*net.UDPConn)
 	var clientsMutex sync.RWMutex
 	for {
 		n, remoteAddr, err := conn.ReadFrom(buffer)
 		if err != nil {
 			if !pm.running {
 				return
 			}
 			logger.Error("Error reading UDP packet: %v", err)
 			continue
 		}
 		clientKey := remoteAddr.String()
 		clientsMutex.RLock()
 		targetConn, exists := clientConns[clientKey]
 		clientsMutex.RUnlock()
 		if !exists {
 			targetUDPAddr, err := net.ResolveUDPAddr("udp", targetAddr)
 			if err != nil {
 				logger.Error("Error resolving target address: %v", err)
 				continue
 			}
 			targetConn, err = net.DialUDP("udp", nil, targetUDPAddr)
 			if err != nil {
 				logger.Error("Error connecting to target: %v", err)
 				continue
 			}
 			clientsMutex.Lock()
 			clientConns[clientKey] = targetConn
 			clientsMutex.Unlock()
 			go func() {
 				buffer := make([]byte, 65507)
 				for {
 					n, _, err := targetConn.ReadFromUDP(buffer)
 					if err != nil {
 						logger.Error("Error reading from target: %v", err)
 						return
 					}
 					_, err = conn.WriteTo(buffer[:n], remoteAddr)
 					if err != nil {
 						logger.Error("Error writing to client: %v", err)
 						return
 					}
 				}
 			}()
 		}
 		_, err = targetConn.Write(buffer[:n])
 		if err != nil {
 			logger.Error("Error writing to target: %v", err)
 			targetConn.Close()
 			clientsMutex.Lock()
 			delete(clientConns, clientKey)
 			clientsMutex.Unlock()
 		}
 	}
 }
--- a/public/screenshots/preview.png
+++ b/public/screenshots/preview.png
--- a/service_unix.go
+++ b/service_unix.go
@@ -0,0 +1,54 @@
 //go:build !windows
 package main
 import (
 	"fmt"
 )
 // Service management functions are not available on non-Windows platforms
 func installService() error {
 	return fmt.Errorf("service management is only available on Windows")
 }
 func removeService() error {
 	return fmt.Errorf("service management is only available on Windows")
 }
 func startService(args []string) error {
 	_ = args // unused on Unix platforms
 	return fmt.Errorf("service management is only available on Windows")
 }
 func stopService() error {
 	return fmt.Errorf("service management is only available on Windows")
 }
 func getServiceStatus() (string, error) {
 	return "", fmt.Errorf("service management is only available on Windows")
 }
 func debugService(args []string) error {
 	_ = args // unused on Unix platforms
 	return fmt.Errorf("debug service is only available on Windows")
 }
 func isWindowsService() bool {
 	return false
 }
 func runService(name string, isDebug bool, args []string) {
 	// No-op on non-Windows platforms
 }
 func setupWindowsEventLog() {
 	// No-op on non-Windows platforms
 }
 func watchLogFile(end bool) error {
 	return fmt.Errorf("watching log file is only available on Windows")
 }
 func showServiceConfig() {
 	fmt.Println("Service configuration is only available on Windows")
 }
--- a/service_windows.go
+++ b/service_windows.go
@@ -0,0 +1,631 @@
 //go:build windows
 package main
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"io"
 	"log"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"strings"
 	"syscall"
 	"time"
 	"github.com/fosrl/newt/logger"
 	"golang.org/x/sys/windows/svc"
 	"golang.org/x/sys/windows/svc/debug"
 	"golang.org/x/sys/windows/svc/eventlog"
 	"golang.org/x/sys/windows/svc/mgr"
 )
 const (
 	serviceName        = "OlmWireguardService"
 	serviceDisplayName = "Olm WireGuard VPN Service"
 	serviceDescription = "Olm WireGuard VPN client service for secure network connectivity"
 )
 // Global variable to store service arguments
 var serviceArgs []string
 // getServiceArgsPath returns the path where service arguments are stored
 func getServiceArgsPath() string {
 	logDir := filepath.Join(os.Getenv("PROGRAMDATA"), "olm")
 	return filepath.Join(logDir, "service_args.json")
 }
 // saveServiceArgs saves the service arguments to a file
 func saveServiceArgs(args []string) error {
 	logDir := filepath.Join(os.Getenv("PROGRAMDATA"), "olm")
 	err := os.MkdirAll(logDir, 0755)
 	if err != nil {
 		return fmt.Errorf("failed to create config directory: %v", err)
 	}
 	argsPath := getServiceArgsPath()
 	data, err := json.Marshal(args)
 	if err != nil {
 		return fmt.Errorf("failed to marshal service args: %v", err)
 	}
 	err = os.WriteFile(argsPath, data, 0644)
 	if err != nil {
 		return fmt.Errorf("failed to write service args: %v", err)
 	}
 	return nil
 }
 // loadServiceArgs loads the service arguments from a file
 func loadServiceArgs() ([]string, error) {
 	argsPath := getServiceArgsPath()
 	data, err := os.ReadFile(argsPath)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return []string{}, nil // Return empty args if file doesn't exist
 		}
 		return nil, fmt.Errorf("failed to read service args: %v", err)
 	}
 	var args []string
 	err = json.Unmarshal(data, &args)
 	if err != nil {
 		return nil, fmt.Errorf("failed to unmarshal service args: %v", err)
 	}
 	return args, nil
 }
 type olmService struct {
 	elog debug.Log
 	ctx  context.Context
 	stop context.CancelFunc
 	args []string
 }
 func (s *olmService) Execute(args []string, r <-chan svc.ChangeRequest, changes chan<- svc.Status) (bool, uint32) {
 	const cmdsAccepted = svc.AcceptStop | svc.AcceptShutdown
 	changes <- svc.Status{State: svc.StartPending}
 	s.elog.Info(1, fmt.Sprintf("Service Execute called with args: %v", args))
 	// Load saved service arguments
 	savedArgs, err := loadServiceArgs()
 	if err != nil {
 		s.elog.Error(1, fmt.Sprintf("Failed to load service args: %v", err))
 		// Continue with empty args if loading fails
 		savedArgs = []string{}
 	}
 	// Combine service start args with saved args, giving priority to service start args
 	finalArgs := []string{}
 	if len(args) > 0 {
 		// Skip the first arg which is typically the service name
 		if len(args) > 1 {
 			finalArgs = append(finalArgs, args[1:]...)
 		}
 		s.elog.Info(1, fmt.Sprintf("Using service start parameters: %v", finalArgs))
 	}
 	// If no service start parameters, use saved args
 	if len(finalArgs) == 0 && len(savedArgs) > 0 {
 		finalArgs = savedArgs
 		s.elog.Info(1, fmt.Sprintf("Using saved service args: %v", finalArgs))
 	}
 	s.args = finalArgs
 	// Start the main olm functionality
 	olmDone := make(chan struct{})
 	go func() {
 		s.runOlm()
 		close(olmDone)
 	}()
 	changes <- svc.Status{State: svc.Running, Accepts: cmdsAccepted}
 	s.elog.Info(1, "Service status set to Running")
 	for {
 		select {
 		case c := <-r:
 			switch c.Cmd {
 			case svc.Interrogate:
 				changes <- c.CurrentStatus
 			case svc.Stop, svc.Shutdown:
 				s.elog.Info(1, "Service stopping")
 				changes <- svc.Status{State: svc.StopPending}
 				if s.stop != nil {
 					s.stop()
 				}
 				// Wait for main logic to finish or timeout
 				select {
 				case <-olmDone:
 					s.elog.Info(1, "Main logic finished gracefully")
 				case <-time.After(10 * time.Second):
 					s.elog.Info(1, "Timeout waiting for main logic to finish")
 				}
 				return false, 0
 			default:
 				s.elog.Error(1, fmt.Sprintf("Unexpected control request #%d", c))
 			}
 		case <-olmDone:
 			s.elog.Info(1, "Main olm logic completed, stopping service")
 			changes <- svc.Status{State: svc.StopPending}
 			return false, 0
 		}
 	}
 }
 func (s *olmService) runOlm() {
 	// Create a context that can be cancelled when the service stops
 	s.ctx, s.stop = context.WithCancel(context.Background())
 	// Setup logging for service mode
 	s.elog.Info(1, "Starting Olm main logic")
 	// Run the main olm logic and wait for it to complete
 	done := make(chan struct{})
 	go func() {
 		defer func() {
 			if r := recover(); r != nil {
 				s.elog.Error(1, fmt.Sprintf("Olm panic: %v", r))
 			}
 			close(done)
 		}()
 		// Call the main olm function with stored arguments
 		runOlmMainWithArgs(s.ctx, s.args)
 	}()
 	// Wait for either context cancellation or main logic completion
 	select {
 	case <-s.ctx.Done():
 		s.elog.Info(1, "Olm service context cancelled")
 	case <-done:
 		s.elog.Info(1, "Olm main logic completed")
 	}
 }
 func runService(name string, isDebug bool, args []string) {
 	var err error
 	var elog debug.Log
 	if isDebug {
 		elog = debug.New(name)
 		fmt.Printf("Starting %s service in debug mode\n", name)
 	} else {
 		elog, err = eventlog.Open(name)
 		if err != nil {
 			fmt.Printf("Failed to open event log: %v\n", err)
 			return
 		}
 	}
 	defer elog.Close()
 	elog.Info(1, fmt.Sprintf("Starting %s service", name))
 	run := svc.Run
 	if isDebug {
 		run = debug.Run
 	}
 	service := &olmService{elog: elog, args: args}
 	err = run(name, service)
 	if err != nil {
 		elog.Error(1, fmt.Sprintf("%s service failed: %v", name, err))
 		if isDebug {
 			fmt.Printf("Service failed: %v\n", err)
 		}
 		return
 	}
 	elog.Info(1, fmt.Sprintf("%s service stopped", name))
 	if isDebug {
 		fmt.Printf("%s service stopped\n", name)
 	}
 }
 func installService() error {
 	exepath, err := os.Executable()
 	if err != nil {
 		return fmt.Errorf("failed to get executable path: %v", err)
 	}
 	m, err := mgr.Connect()
 	if err != nil {
 		return fmt.Errorf("failed to connect to service manager: %v", err)
 	}
 	defer m.Disconnect()
 	s, err := m.OpenService(serviceName)
 	if err == nil {
 		s.Close()
 		return fmt.Errorf("service %s already exists", serviceName)
 	}
 	config := mgr.Config{
 		ServiceType:    0x10, // SERVICE_WIN32_OWN_PROCESS
 		StartType:      mgr.StartManual,
 		ErrorControl:   mgr.ErrorNormal,
 		DisplayName:    serviceDisplayName,
 		Description:    serviceDescription,
 		BinaryPathName: exepath,
 	}
 	s, err = m.CreateService(serviceName, exepath, config)
 	if err != nil {
 		return fmt.Errorf("failed to create service: %v", err)
 	}
 	defer s.Close()
 	err = eventlog.InstallAsEventCreate(serviceName, eventlog.Error|eventlog.Warning|eventlog.Info)
 	if err != nil {
 		s.Delete()
 		return fmt.Errorf("failed to install event log: %v", err)
 	}
 	return nil
 }
 func removeService() error {
 	m, err := mgr.Connect()
 	if err != nil {
 		return fmt.Errorf("failed to connect to service manager: %v", err)
 	}
 	defer m.Disconnect()
 	s, err := m.OpenService(serviceName)
 	if err != nil {
 		return fmt.Errorf("service %s is not installed", serviceName)
 	}
 	defer s.Close()
 	// Stop the service if it's running
 	status, err := s.Query()
 	if err != nil {
 		return fmt.Errorf("failed to query service status: %v", err)
 	}
 	if status.State != svc.Stopped {
 		_, err = s.Control(svc.Stop)
 		if err != nil {
 			return fmt.Errorf("failed to stop service: %v", err)
 		}
 		// Wait for service to stop
 		timeout := time.Now().Add(30 * time.Second)
 		for status.State != svc.Stopped {
 			if timeout.Before(time.Now()) {
 				return fmt.Errorf("timeout waiting for service to stop")
 			}
 			time.Sleep(300 * time.Millisecond)
 			status, err = s.Query()
 			if err != nil {
 				return fmt.Errorf("failed to query service status: %v", err)
 			}
 		}
 	}
 	err = s.Delete()
 	if err != nil {
 		return fmt.Errorf("failed to delete service: %v", err)
 	}
 	err = eventlog.Remove(serviceName)
 	if err != nil {
 		return fmt.Errorf("failed to remove event log: %v", err)
 	}
 	return nil
 }
 func startService(args []string) error {
 	// Save the service arguments as backup
 	if len(args) > 0 {
 		err := saveServiceArgs(args)
 		if err != nil {
 			return fmt.Errorf("failed to save service args: %v", err)
 		}
 	}
 	m, err := mgr.Connect()
 	if err != nil {
 		return fmt.Errorf("failed to connect to service manager: %v", err)
 	}
 	defer m.Disconnect()
 	s, err := m.OpenService(serviceName)
 	if err != nil {
 		return fmt.Errorf("service %s is not installed", serviceName)
 	}
 	defer s.Close()
 	// Pass arguments directly to the service start call
 	err = s.Start(args...)
 	if err != nil {
 		return fmt.Errorf("failed to start service: %v", err)
 	}
 	return nil
 }
 func stopService() error {
 	m, err := mgr.Connect()
 	if err != nil {
 		return fmt.Errorf("failed to connect to service manager: %v", err)
 	}
 	defer m.Disconnect()
 	s, err := m.OpenService(serviceName)
 	if err != nil {
 		return fmt.Errorf("service %s is not installed", serviceName)
 	}
 	defer s.Close()
 	status, err := s.Control(svc.Stop)
 	if err != nil {
 		return fmt.Errorf("failed to stop service: %v", err)
 	}
 	timeout := time.Now().Add(30 * time.Second)
 	for status.State != svc.Stopped {
 		if timeout.Before(time.Now()) {
 			return fmt.Errorf("timeout waiting for service to stop")
 		}
 		time.Sleep(300 * time.Millisecond)
 		status, err = s.Query()
 		if err != nil {
 			return fmt.Errorf("failed to query service status: %v", err)
 		}
 	}
 	return nil
 }
 func debugService(args []string) error {
 	// Save the service arguments before starting
 	if len(args) > 0 {
 		err := saveServiceArgs(args)
 		if err != nil {
 			return fmt.Errorf("failed to save service args: %v", err)
 		}
 	}
 	// Start the service with the provided arguments
 	err := startService(args)
 	if err != nil {
 		return fmt.Errorf("failed to start service: %v", err)
 	}
 	// Watch the log file
 	return watchLogFile(true)
 }
 func watchLogFile(end bool) error {
 	logDir := filepath.Join(os.Getenv("PROGRAMDATA"), "olm", "logs")
 	logPath := filepath.Join(logDir, "olm.log")
 	// Ensure the log directory exists
 	err := os.MkdirAll(logDir, 0755)
 	if err != nil {
 		return fmt.Errorf("failed to create log directory: %v", err)
 	}
 	// Wait for the log file to be created if it doesn't exist
 	var file *os.File
 	for i := 0; i < 30; i++ { // Wait up to 15 seconds
 		file, err = os.Open(logPath)
 		if err == nil {
 			break
 		}
 		if i == 0 {
 			fmt.Printf("Waiting for log file to be created...\n")
 		}
 		time.Sleep(500 * time.Millisecond)
 	}
 	if err != nil {
 		return fmt.Errorf("failed to open log file after waiting: %v", err)
 	}
 	defer file.Close()
 	// Seek to the end of the file to only show new logs
 	_, err = file.Seek(0, 2)
 	if err != nil {
 		return fmt.Errorf("failed to seek to end of file: %v", err)
 	}
 	// Set up signal handling for graceful exit
 	sigCh := make(chan os.Signal, 1)
 	signal.Notify(sigCh, os.Interrupt, syscall.SIGTERM)
 	// Create a ticker to check for new content
 	ticker := time.NewTicker(500 * time.Millisecond)
 	defer ticker.Stop()
 	buffer := make([]byte, 4096)
 	for {
 		select {
 		case <-sigCh:
 			fmt.Printf("\n\nStopping log watch...\n")
 			// stop the service if needed
 			if end {
 				if err := stopService(); err != nil {
 					fmt.Printf("Failed to stop service: %v\n", err)
 				}
 			}
 			fmt.Printf("Log watch stopped.\n")
 			return nil
 		case <-ticker.C:
 			// Read new content
 			n, err := file.Read(buffer)
 			if err != nil && err != io.EOF {
 				// Try to reopen the file in case it was recreated
 				file.Close()
 				file, err = os.Open(logPath)
 				if err != nil {
 					return fmt.Errorf("error reopening log file: %v", err)
 				}
 				continue
 			}
 			if n > 0 {
 				// Print the new content
 				fmt.Print(string(buffer[:n]))
 			}
 		}
 	}
 }
 func getServiceStatus() (string, error) {
 	m, err := mgr.Connect()
 	if err != nil {
 		return "", fmt.Errorf("failed to connect to service manager: %v", err)
 	}
 	defer m.Disconnect()
 	s, err := m.OpenService(serviceName)
 	if err != nil {
 		return "Not Installed", nil
 	}
 	defer s.Close()
 	status, err := s.Query()
 	if err != nil {
 		return "", fmt.Errorf("failed to query service status: %v", err)
 	}
 	switch status.State {
 	case svc.Stopped:
 		return "Stopped", nil
 	case svc.StartPending:
 		return "Starting", nil
 	case svc.StopPending:
 		return "Stopping", nil
 	case svc.Running:
 		return "Running", nil
 	case svc.ContinuePending:
 		return "Continue Pending", nil
 	case svc.PausePending:
 		return "Pause Pending", nil
 	case svc.Paused:
 		return "Paused", nil
 	default:
 		return "Unknown", nil
 	}
 }
 // showServiceConfig displays current saved service configuration
 func showServiceConfig() {
 	configPath := getServiceArgsPath()
 	fmt.Printf("Service configuration file: %s\n", configPath)
 	args, err := loadServiceArgs()
 	if err != nil {
 		fmt.Printf("No saved configuration found or error loading: %v\n", err)
 		return
 	}
 	if len(args) == 0 {
 		fmt.Println("No saved service arguments found")
 	} else {
 		fmt.Printf("Saved service arguments: %v\n", args)
 	}
 }
 func isWindowsService() bool {
 	isWindowsService, err := svc.IsWindowsService()
 	return err == nil && isWindowsService
 }
 // rotateLogFile handles daily log rotation
 func rotateLogFile(logDir string, logFile string) error {
 	// Get current log file info
 	info, err := os.Stat(logFile)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return nil // No current log file to rotate
 		}
 		return fmt.Errorf("failed to stat log file: %v", err)
 	}
 	// Check if log file is from today
 	now := time.Now()
 	fileTime := info.ModTime()
 	// If the log file is from today, no rotation needed
 	if now.Year() == fileTime.Year() && now.YearDay() == fileTime.YearDay() {
 		return nil
 	}
 	// Create rotated filename with date
 	rotatedName := fmt.Sprintf("olm-%s.log", fileTime.Format("2006-01-02"))
 	rotatedPath := filepath.Join(logDir, rotatedName)
 	// Rename current log file to dated filename
 	err = os.Rename(logFile, rotatedPath)
 	if err != nil {
 		return fmt.Errorf("failed to rotate log file: %v", err)
 	}
 	// Clean up old log files (keep last 30 days)
 	cleanupOldLogFiles(logDir, 30)
 	return nil
 }
 // cleanupOldLogFiles removes log files older than specified days
 func cleanupOldLogFiles(logDir string, daysToKeep int) {
 	cutoff := time.Now().AddDate(0, 0, -daysToKeep)
 	files, err := os.ReadDir(logDir)
 	if err != nil {
 		return
 	}
 	for _, file := range files {
 		if !file.IsDir() && strings.HasPrefix(file.Name(), "olm-") && strings.HasSuffix(file.Name(), ".log") {
 			filePath := filepath.Join(logDir, file.Name())
 			info, err := file.Info()
 			if err != nil {
 				continue
 			}
 			if info.ModTime().Before(cutoff) {
 				os.Remove(filePath)
 			}
 		}
 	}
 }
 func setupWindowsEventLog() {
 	// Create log directory if it doesn't exist
 	logDir := filepath.Join(os.Getenv("PROGRAMDATA"), "olm", "logs")
 	err := os.MkdirAll(logDir, 0755)
 	if err != nil {
 		fmt.Printf("Failed to create log directory: %v\n", err)
 		return
 	}
 	logFile := filepath.Join(logDir, "olm.log")
 	// Rotate log file if needed
 	err = rotateLogFile(logDir, logFile)
 	if err != nil {
 		fmt.Printf("Failed to rotate log file: %v\n", err)
 		// Continue anyway to create new log file
 	}
 	file, err := os.OpenFile(logFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0666)
 	if err != nil {
 		fmt.Printf("Failed to open log file: %v\n", err)
 		return
 	}
 	// Set the custom logger output
 	logger.GetLogger().SetOutput(file)
 	log.Printf("Olm service logging initialized - log file: %s", logFile)
 }
--- a/unix.go
+++ b/unix.go
@@ -0,0 +1,35 @@
 //go:build !windows
 package main
 import (
 	"net"
 	"os"
 	"strconv"
 	"golang.org/x/sys/unix"
 	"golang.zx2c4.com/wireguard/ipc"
 	"golang.zx2c4.com/wireguard/tun"
 )
 func createTUNFromFD(tunFdStr string, mtuInt int) (tun.Device, error) {
 	fd, err := strconv.ParseUint(tunFdStr, 10, 32)
 	if err != nil {
 		return nil, err
 	}
 	err = unix.SetNonblock(int(fd), true)
 	if err != nil {
 		return nil, err
 	}
 	file := os.NewFile(uintptr(fd), "")
 	return tun.CreateTUNFromFile(file, mtuInt)
 }
 func uapiOpen(interfaceName string) (*os.File, error) {
 	return ipc.UAPIOpen(interfaceName)
 }
 func uapiListen(interfaceName string, fileUAPI *os.File) (net.Listener, error) {
 	return ipc.UAPIListen(interfaceName, fileUAPI)
 }
--- a/websocket/client.go
+++ b/websocket/client.go
@@ -2,38 +2,80 @@ package websocket
 import (
 	"bytes"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"os"
 	"strings"
 	"sync"
 	"time"
-	"github.com/fosrl/newt/logger"
+	"software.sslmate.com/src/go-pkcs12"
 	"github.com/fosrl/newt/logger"
 	"github.com/gorilla/websocket"
 )
-type Client struct {
+type TokenResponse struct {
-	conn        *websocket.Conn
+	Data struct {
-	config      *Config
+		Token string `json:"token"`
-	baseURL     string
+	} `json:"data"`
-	handlers    map[string]MessageHandler
+	Success bool   `json:"success"`
-	done        chan struct{}
+	Message string `json:"message"`
-	handlersMux sync.RWMutex
+}
 type WSMessage struct {
 	Type string      `json:"type"`
 	Data interface{} `json:"data"`
 }
 // this is not json anymore
 type Config struct {
 	ID            string
 	Secret        string
 	Endpoint      string
 	TlsClientCert string // legacy PKCS12 file path
 }
 type Client struct {
 	config            *Config
 	conn              *websocket.Conn
 	baseURL           string
 	handlers          map[string]MessageHandler
 	done              chan struct{}
 	handlersMux       sync.RWMutex
 	reconnectInterval time.Duration
 	isConnected       bool
 	reconnectMux      sync.RWMutex
-
+	pingInterval      time.Duration
-	onConnect func() error
+	pingTimeout       time.Duration
 	onConnect         func() error
 	onTokenUpdate     func(token string)
 	writeMux          sync.Mutex
 	clientType        string // Type of client (e.g., "newt", "olm")
 	tlsConfig         TLSConfig
 	configNeedsSave   bool // Flag to track if config needs to be saved
 }
 type ClientOption func(*Client)
 type MessageHandler func(message WSMessage)
 // TLSConfig holds TLS configuration options
 type TLSConfig struct {
 	// New separate certificate support
 	ClientCertFile string
 	ClientKeyFile  string
 	CAFiles        []string
 	// Existing PKCS12 support (deprecated)
 	PKCS12File string
 }
 // WithBaseURL sets the base URL for the client
 func WithBaseURL(url string) ClientOption {
 	return func(c *Client) {
@@ -41,14 +83,29 @@ func WithBaseURL(url string) ClientOption {
 	}
 }
 // WithTLSConfig sets the TLS configuration for the client
 func WithTLSConfig(config TLSConfig) ClientOption {
 	return func(c *Client) {
 		c.tlsConfig = config
 		// For backward compatibility, also set the legacy field
 		if config.PKCS12File != "" {
 			c.config.TlsClientCert = config.PKCS12File
 		}
 	}
 }
 func (c *Client) OnConnect(callback func() error) {
 	c.onConnect = callback
 }
-// NewClient creates a new Newt client
+func (c *Client) OnTokenUpdate(callback func(token string)) {
-func NewClient(newtID, secret string, endpoint string, opts ...ClientOption) (*Client, error) {
+	c.onTokenUpdate = callback
 }
 // NewClient creates a new websocket client
 func NewClient(clientType string, ID, secret string, endpoint string, pingInterval time.Duration, pingTimeout time.Duration, opts ...ClientOption) (*Client, error) {
 	config := &Config{
-		NewtID:   newtID,
+		ID:       ID,
 		Secret:   secret,
 		Endpoint: endpoint,
 	}
@@ -58,39 +115,59 @@ func NewClient(newtID, secret string, endpoint string, opts ...ClientOption) (*C
 		baseURL:           endpoint, // default value
 		handlers:          make(map[string]MessageHandler),
 		done:              make(chan struct{}),
-		reconnectInterval: 10 * time.Second,
+		reconnectInterval: 3 * time.Second,
 		isConnected:       false,
 		pingInterval:      pingInterval,
 		pingTimeout:       pingTimeout,
 		clientType:        clientType,
 	}
 	// Apply options before loading config
 	for _, opt := range opts {
 		if opt == nil {
 			continue
 		}
 		opt(client)
 	}
 	// Load existing config if available
 	if err := client.loadConfig(); err != nil {
 		return nil, fmt.Errorf("failed to load config: %w", err)
 	}
 	return client, nil
 }
 func (c *Client) GetConfig() *Config {
 	return c.config
 }
 // Connect establishes the WebSocket connection
 func (c *Client) Connect() error {
 	go c.connectWithRetry()
 	return nil
 }
-// Close closes the WebSocket connection
+// Close closes the WebSocket connection gracefully
 func (c *Client) Close() error {
-	close(c.done)
+	// Signal shutdown to all goroutines first
-	if c.conn != nil {
+	select {
-		return c.conn.Close()
+	case <-c.done:
 		// Already closed
 		return nil
 	default:
 		close(c.done)
 	}
-	// stop the ping monitor
+	// Set connection status to false
 	c.setConnected(false)
 	// Close the WebSocket connection gracefully
 	if c.conn != nil {
 		// Send close message
 		c.writeMux.Lock()
 		c.conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
 		c.writeMux.Unlock()
 		// Close the connection
 		return c.conn.Close()
 	}
 	return nil
 }
@@ -105,9 +182,49 @@ func (c *Client) SendMessage(messageType string, data interface{}) error {
 		Data: data,
 	}
 	logger.Debug("Sending message: %s, data: %+v", messageType, data)
 	c.writeMux.Lock()
 	defer c.writeMux.Unlock()
 	return c.conn.WriteJSON(msg)
 }
 func (c *Client) SendMessageInterval(messageType string, data interface{}, interval time.Duration) (stop func()) {
 	stopChan := make(chan struct{})
 	go func() {
 		count := 0
 		maxAttempts := 10
 		err := c.SendMessage(messageType, data) // Send immediately
 		if err != nil {
 			logger.Error("Failed to send initial message: %v", err)
 		}
 		count++
 		ticker := time.NewTicker(interval)
 		defer ticker.Stop()
 		for {
 			select {
 			case <-ticker.C:
 				if count >= maxAttempts {
 					logger.Info("SendMessageInterval timed out after %d attempts for message type: %s", maxAttempts, messageType)
 					return
 				}
 				err = c.SendMessage(messageType, data)
 				if err != nil {
 					logger.Error("Failed to send message: %v", err)
 				}
 				count++
 			case <-stopChan:
 				return
 			}
 		}
 	}()
 	return func() {
 		close(stopChan)
 	}
 }
 // RegisterHandler registers a handler for a specific message type
 func (c *Client) RegisterHandler(messageType string, handler MessageHandler) {
 	c.handlersMux.Lock()
@@ -115,30 +232,6 @@ func (c *Client) RegisterHandler(messageType string, handler MessageHandler) {
 	c.handlers[messageType] = handler
 }
 // readPump pumps messages from the WebSocket connection
 func (c *Client) readPump() {
 	defer c.conn.Close()
 	for {
 		select {
 		case <-c.done:
 			return
 		default:
 			var msg WSMessage
 			err := c.conn.ReadJSON(&msg)
 			if err != nil {
 				return
 			}
 			c.handlersMux.RLock()
 			if handler, ok := c.handlers[msg.Type]; ok {
 				handler(msg)
 			}
 			c.handlersMux.RUnlock()
 		}
 	}
 }
 func (c *Client) getToken() (string, error) {
 	// Parse the base URL to ensure we have the correct hostname
 	baseURL, err := url.Parse(c.baseURL)
@@ -149,57 +242,41 @@ func (c *Client) getToken() (string, error) {
 	// Ensure we have the base URL without trailing slashes
 	baseEndpoint := strings.TrimRight(baseURL.String(), "/")
-	// If we already have a token, try to use it
+	var tlsConfig *tls.Config = nil
-	if c.config.Token != "" {
+
-		tokenCheckData := map[string]interface{}{
+	// Use new TLS configuration method
-			"newtId": c.config.NewtID,
+	if c.tlsConfig.ClientCertFile != "" || c.tlsConfig.ClientKeyFile != "" || len(c.tlsConfig.CAFiles) > 0 || c.tlsConfig.PKCS12File != "" {
-			"secret": c.config.Secret,
+		tlsConfig, err = c.setupTLS()
 			"token":  c.config.Token,
 		}
 		jsonData, err := json.Marshal(tokenCheckData)
 		if err != nil {
-			return "", fmt.Errorf("failed to marshal token check data: %w", err)
+			return "", fmt.Errorf("failed to setup TLS configuration: %w", err)
 		}
 		// Create a new request
 		req, err := http.NewRequest(
 			"POST",
 			baseEndpoint+"/api/v1/auth/newt/get-token",
 			bytes.NewBuffer(jsonData),
 		)
 		if err != nil {
 			return "", fmt.Errorf("failed to create request: %w", err)
 		}
 		// Set headers
 		req.Header.Set("Content-Type", "application/json")
 		req.Header.Set("X-CSRF-Token", "x-csrf-protection")
 		// Make the request
 		client := &http.Client{}
 		resp, err := client.Do(req)
 		if err != nil {
 			return "", fmt.Errorf("failed to check token validity: %w", err)
 		}
 		defer resp.Body.Close()
 		var tokenResp TokenResponse
 		if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
 			return "", fmt.Errorf("failed to decode token check response: %w", err)
 		}
 		// If token is still valid, return it
 		if tokenResp.Success && tokenResp.Message == "Token session already valid" {
 			return c.config.Token, nil
 		}
 	}
 	// Check for environment variable to skip TLS verification
 	if os.Getenv("SKIP_TLS_VERIFY") == "true" {
 		if tlsConfig == nil {
 			tlsConfig = &tls.Config{}
 		}
 		tlsConfig.InsecureSkipVerify = true
 		logger.Debug("TLS certificate verification disabled via SKIP_TLS_VERIFY environment variable")
 	}
 	var tokenData map[string]interface{}
 	// Get a new token
-	tokenData := map[string]interface{}{
+	if c.clientType == "newt" {
-		"newtId": c.config.NewtID,
+		tokenData = map[string]interface{}{
-		"secret": c.config.Secret,
+			"newtId": c.config.ID,
 			"secret": c.config.Secret,
 		}
 	} else if c.clientType == "olm" {
 		tokenData = map[string]interface{}{
 			"olmId":  c.config.ID,
 			"secret": c.config.Secret,
 		}
 	}
 	jsonData, err := json.Marshal(tokenData)
 	if err != nil {
 		return "", fmt.Errorf("failed to marshal token request data: %w", err)
 	}
@@ -207,7 +284,7 @@ func (c *Client) getToken() (string, error) {
 	// Create a new request
 	req, err := http.NewRequest(
 		"POST",
-		baseEndpoint+"/api/v1/auth/newt/get-token",
+		baseEndpoint+"/api/v1/auth/"+c.clientType+"/get-token",
 		bytes.NewBuffer(jsonData),
 	)
 	if err != nil {
@@ -220,14 +297,26 @@ func (c *Client) getToken() (string, error) {
 	// Make the request
 	client := &http.Client{}
 	if tlsConfig != nil {
 		client.Transport = &http.Transport{
 			TLSClientConfig: tlsConfig,
 		}
 	}
 	resp, err := client.Do(req)
 	if err != nil {
 		return "", fmt.Errorf("failed to request new token: %w", err)
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
 		body, _ := io.ReadAll(resp.Body)
 		logger.Error("Failed to get token with status code: %d, body: %s", resp.StatusCode, string(body))
 		return "", fmt.Errorf("failed to get token with status code: %d, body: %s", resp.StatusCode, string(body))
 	}
 	var tokenResp TokenResponse
 	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
 		logger.Error("Failed to decode token response.")
 		return "", fmt.Errorf("failed to decode token response: %w", err)
 	}
@@ -239,6 +328,8 @@ func (c *Client) getToken() (string, error) {
 		return "", fmt.Errorf("received empty token from server")
 	}
 	logger.Debug("Received token: %s", tokenResp.Data.Token)
 	return tokenResp.Data.Token, nil
 }
@@ -266,6 +357,10 @@ func (c *Client) establishConnection() error {
 		return fmt.Errorf("failed to get token: %w", err)
 	}
 	if c.onTokenUpdate != nil {
 		c.onTokenUpdate(token)
 	}
 	// Parse the base URL to determine protocol and hostname
 	baseURL, err := url.Parse(c.baseURL)
 	if err != nil {
@@ -288,10 +383,32 @@ func (c *Client) establishConnection() error {
 	// Add token to query parameters
 	q := u.Query()
 	q.Set("token", token)
 	q.Set("clientType", c.clientType)
 	u.RawQuery = q.Encode()
 	// Connect to WebSocket
-	conn, _, err := websocket.DefaultDialer.Dial(u.String(), nil)
+	dialer := websocket.DefaultDialer
 	// Use new TLS configuration method
 	if c.tlsConfig.ClientCertFile != "" || c.tlsConfig.ClientKeyFile != "" || len(c.tlsConfig.CAFiles) > 0 || c.tlsConfig.PKCS12File != "" {
 		logger.Info("Setting up TLS configuration for WebSocket connection")
 		tlsConfig, err := c.setupTLS()
 		if err != nil {
 			return fmt.Errorf("failed to setup TLS configuration: %w", err)
 		}
 		dialer.TLSClientConfig = tlsConfig
 	}
 	// Check for environment variable to skip TLS verification for WebSocket connection
 	if os.Getenv("SKIP_TLS_VERIFY") == "true" {
 		if dialer.TLSClientConfig == nil {
 			dialer.TLSClientConfig = &tls.Config{}
 		}
 		dialer.TLSClientConfig.InsecureSkipVerify = true
 		logger.Debug("WebSocket TLS certificate verification disabled via SKIP_TLS_VERIFY environment variable")
 	}
 	conn, _, err := dialer.Dial(u.String(), nil)
 	if err != nil {
 		return fmt.Errorf("failed to connect to WebSocket: %w", err)
 	}
@@ -301,8 +418,8 @@ func (c *Client) establishConnection() error {
 	// Start the ping monitor
 	go c.pingMonitor()
-	// Start the read pump
+	// Start the read pump with disconnect detection
-	go c.readPump()
+	go c.readPumpWithDisconnectDetection()
 	if c.onConnect != nil {
 		if err := c.onConnect(); err != nil {
@@ -313,8 +430,72 @@ func (c *Client) establishConnection() error {
 	return nil
 }
 // setupTLS configures TLS based on the TLS configuration
 func (c *Client) setupTLS() (*tls.Config, error) {
 	tlsConfig := &tls.Config{}
 	// Handle new separate certificate configuration
 	if c.tlsConfig.ClientCertFile != "" && c.tlsConfig.ClientKeyFile != "" {
 		logger.Info("Loading separate certificate files for mTLS")
 		logger.Debug("Client cert: %s", c.tlsConfig.ClientCertFile)
 		logger.Debug("Client key: %s", c.tlsConfig.ClientKeyFile)
 		// Load client certificate and key
 		cert, err := tls.LoadX509KeyPair(c.tlsConfig.ClientCertFile, c.tlsConfig.ClientKeyFile)
 		if err != nil {
 			return nil, fmt.Errorf("failed to load client certificate pair: %w", err)
 		}
 		tlsConfig.Certificates = []tls.Certificate{cert}
 		// Load CA certificates for remote validation if specified
 		if len(c.tlsConfig.CAFiles) > 0 {
 			logger.Debug("Loading CA certificates: %v", c.tlsConfig.CAFiles)
 			caCertPool := x509.NewCertPool()
 			for _, caFile := range c.tlsConfig.CAFiles {
 				caCert, err := os.ReadFile(caFile)
 				if err != nil {
 					return nil, fmt.Errorf("failed to read CA file %s: %w", caFile, err)
 				}
 				// Try to parse as PEM first, then DER
 				if !caCertPool.AppendCertsFromPEM(caCert) {
 					// If PEM parsing failed, try DER
 					cert, err := x509.ParseCertificate(caCert)
 					if err != nil {
 						return nil, fmt.Errorf("failed to parse CA certificate from %s: %w", caFile, err)
 					}
 					caCertPool.AddCert(cert)
 				}
 			}
 			tlsConfig.RootCAs = caCertPool
 		}
 		return tlsConfig, nil
 	}
 	// Fallback to existing PKCS12 implementation for backward compatibility
 	if c.tlsConfig.PKCS12File != "" {
 		logger.Info("Loading PKCS12 certificate for mTLS (deprecated)")
 		return c.setupPKCS12TLS()
 	}
 	// Legacy fallback using config.TlsClientCert
 	if c.config.TlsClientCert != "" {
 		logger.Info("Loading legacy PKCS12 certificate for mTLS (deprecated)")
 		return loadClientCertificate(c.config.TlsClientCert)
 	}
 	return nil, nil
 }
 // setupPKCS12TLS loads TLS configuration from PKCS12 file
 func (c *Client) setupPKCS12TLS() (*tls.Config, error) {
 	return loadClientCertificate(c.tlsConfig.PKCS12File)
 }
 // pingMonitor sends pings at a short interval and triggers reconnect on failure
 func (c *Client) pingMonitor() {
-	ticker := time.NewTicker(30 * time.Second)
+	ticker := time.NewTicker(c.pingInterval)
 	defer ticker.Stop()
 	for {
@@ -322,11 +503,74 @@ func (c *Client) pingMonitor() {
 		case <-c.done:
 			return
 		case <-ticker.C:
-			if err := c.conn.WriteControl(websocket.PingMessage, []byte{}, time.Now().Add(10*time.Second)); err != nil {
+			if c.conn == nil {
 				logger.Error("Ping failed: %v", err)
 				c.reconnect()
 				return
 			}
 			c.writeMux.Lock()
 			err := c.conn.WriteControl(websocket.PingMessage, []byte{}, time.Now().Add(c.pingTimeout))
 			c.writeMux.Unlock()
 			if err != nil {
 				// Check if we're shutting down before logging error and reconnecting
 				select {
 				case <-c.done:
 					// Expected during shutdown
 					return
 				default:
 					logger.Error("Ping failed: %v", err)
 					c.reconnect()
 					return
 				}
 			}
 		}
 	}
 }
 // readPumpWithDisconnectDetection reads messages and triggers reconnect on error
 func (c *Client) readPumpWithDisconnectDetection() {
 	defer func() {
 		if c.conn != nil {
 			c.conn.Close()
 		}
 		// Only attempt reconnect if we're not shutting down
 		select {
 		case <-c.done:
 			// Shutting down, don't reconnect
 			return
 		default:
 			c.reconnect()
 		}
 	}()
 	for {
 		select {
 		case <-c.done:
 			return
 		default:
 			var msg WSMessage
 			err := c.conn.ReadJSON(&msg)
 			if err != nil {
 				// Check if we're shutting down before logging error
 				select {
 				case <-c.done:
 					// Expected during shutdown, don't log as error
 					logger.Debug("WebSocket connection closed during shutdown")
 					return
 				default:
 					// Unexpected error during normal operation
 					if websocket.IsUnexpectedCloseError(err, websocket.CloseGoingAway, websocket.CloseAbnormalClosure, websocket.CloseNormalClosure) {
 						logger.Error("WebSocket read error: %v", err)
 					} else {
 						logger.Debug("WebSocket connection closed: %v", err)
 					}
 					return // triggers reconnect via defer
 				}
 			}
 			c.handlersMux.RLock()
 			if handler, ok := c.handlers[msg.Type]; ok {
 				handler(msg)
 			}
 			c.handlersMux.RUnlock()
 		}
 	}
 }
@@ -335,9 +579,16 @@ func (c *Client) reconnect() {
 	c.setConnected(false)
 	if c.conn != nil {
 		c.conn.Close()
 		c.conn = nil
 	}
-	go c.connectWithRetry()
+	// Only reconnect if we're not shutting down
 	select {
 	case <-c.done:
 		return
 	default:
 		go c.connectWithRetry()
 	}
 }
 func (c *Client) setConnected(status bool) {
@@ -345,3 +596,42 @@ func (c *Client) setConnected(status bool) {
 	defer c.reconnectMux.Unlock()
 	c.isConnected = status
 }
 // LoadClientCertificate Helper method to load client certificates (PKCS12 format)
 func loadClientCertificate(p12Path string) (*tls.Config, error) {
 	logger.Info("Loading tls-client-cert %s", p12Path)
 	// Read the PKCS12 file
 	p12Data, err := os.ReadFile(p12Path)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read PKCS12 file: %w", err)
 	}
 	// Parse PKCS12 with empty password for non-encrypted files
 	privateKey, certificate, caCerts, err := pkcs12.DecodeChain(p12Data, "")
 	if err != nil {
 		return nil, fmt.Errorf("failed to decode PKCS12: %w", err)
 	}
 	// Create certificate
 	cert := tls.Certificate{
 		Certificate: [][]byte{certificate.Raw},
 		PrivateKey:  privateKey,
 	}
 	// Optional: Add CA certificates if present
 	rootCAs, err := x509.SystemCertPool()
 	if err != nil {
 		return nil, fmt.Errorf("failed to load system cert pool: %w", err)
 	}
 	if len(caCerts) > 0 {
 		for _, caCert := range caCerts {
 			rootCAs.AddCert(caCert)
 		}
 	}
 	// Create TLS configuration
 	return &tls.Config{
 		Certificates: []tls.Certificate{cert},
 		RootCAs:      rootCAs,
 	}, nil
 }
--- a/websocket/config.go
+++ b/websocket/config.go
@@ -1,72 +0,0 @@
 package websocket
 import (
 	"encoding/json"
 	"log"
 	"os"
 	"path/filepath"
 	"runtime"
 )
 func getConfigPath() string {
 	var configDir string
 	switch runtime.GOOS {
 	case "darwin":
 		configDir = filepath.Join(os.Getenv("HOME"), "Library", "Application Support", "newt-client")
 	case "windows":
 		configDir = filepath.Join(os.Getenv("APPDATA"), "newt-client")
 	default: // linux and others
 		configDir = filepath.Join(os.Getenv("HOME"), ".config", "newt-client")
 	}
 	if err := os.MkdirAll(configDir, 0755); err != nil {
 		log.Printf("Failed to create config directory: %v", err)
 	}
 	return filepath.Join(configDir, "config.json")
 }
 func (c *Client) loadConfig() error {
 	if c.config.NewtID != "" && c.config.Secret != "" && c.config.Endpoint != "" {
 		return nil
 	}
 	configPath := getConfigPath()
 	data, err := os.ReadFile(configPath)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return nil
 		}
 		return err
 	}
 	var config Config
 	if err := json.Unmarshal(data, &config); err != nil {
 		return err
 	}
 	if c.config.NewtID == "" {
 		c.config.NewtID = config.NewtID
 	}
 	if c.config.Token == "" {
 		c.config.Token = config.Token
 	}
 	if c.config.Secret == "" {
 		c.config.Secret = config.Secret
 	}
 	if c.config.Endpoint == "" {
 		c.config.Endpoint = config.Endpoint
 		c.baseURL = config.Endpoint
 	}
 	return nil
 }
 func (c *Client) saveConfig() error {
 	configPath := getConfigPath()
 	data, err := json.MarshalIndent(c.config, "", "  ")
 	if err != nil {
 		return err
 	}
 	return os.WriteFile(configPath, data, 0644)
 }
--- a/websocket/types.go
+++ b/websocket/types.go
@@ -1,21 +0,0 @@
 package websocket
 type Config struct {
 	NewtID   string `json:"newtId"`
 	Secret   string `json:"secret"`
 	Token    string `json:"token"`
 	Endpoint string `json:"endpoint"`
 }
 type TokenResponse struct {
 	Data struct {
 		Token string `json:"token"`
 	} `json:"data"`
 	Success bool   `json:"success"`
 	Message string `json:"message"`
 }
 type WSMessage struct {
 	Type string      `json:"type"`
 	Data interface{} `json:"data"`
 }
--- a/wgtester/wgtester.go
+++ b/wgtester/wgtester.go
@@ -0,0 +1,260 @@
 package wgtester
 import (
 	"context"
 	"encoding/binary"
 	"net"
 	"sync"
 	"time"
 	"github.com/fosrl/newt/logger"
 )
 const (
 	// Magic bytes to identify our packets
 	magicHeader uint32 = 0xDEADBEEF
 	// Request packet type
 	packetTypeRequest uint8 = 1
 	// Response packet type
 	packetTypeResponse uint8 = 2
 	// Packet format:
 	// - 4 bytes: magic header (0xDEADBEEF)
 	// - 1 byte: packet type (1 = request, 2 = response)
 	// - 8 bytes: timestamp (for round-trip timing)
 	packetSize = 13
 )
 // Client handles checking connectivity to a server
 type Client struct {
 	conn           *net.UDPConn
 	serverAddr     string
 	monitorRunning bool
 	monitorLock    sync.Mutex
 	connLock       sync.Mutex // Protects connection operations
 	shutdownCh     chan struct{}
 	packetInterval time.Duration
 	timeout        time.Duration
 	maxAttempts    int
 }
 // ConnectionStatus represents the current connection state
 type ConnectionStatus struct {
 	Connected bool
 	RTT       time.Duration
 }
 // NewClient creates a new connection test client
 func NewClient(serverAddr string) (*Client, error) {
 	return &Client{
 		serverAddr:     serverAddr,
 		shutdownCh:     make(chan struct{}),
 		packetInterval: 2 * time.Second,
 		timeout:        500 * time.Millisecond, // Timeout for individual packets
 		maxAttempts:    3,                      // Default max attempts
 	}, nil
 }
 // SetPacketInterval changes how frequently packets are sent in monitor mode
 func (c *Client) SetPacketInterval(interval time.Duration) {
 	c.packetInterval = interval
 }
 // SetTimeout changes the timeout for waiting for responses
 func (c *Client) SetTimeout(timeout time.Duration) {
 	c.timeout = timeout
 }
 // SetMaxAttempts changes the maximum number of attempts for TestConnection
 func (c *Client) SetMaxAttempts(attempts int) {
 	c.maxAttempts = attempts
 }
 // Close cleans up client resources
 func (c *Client) Close() {
 	c.StopMonitor()
 	c.connLock.Lock()
 	defer c.connLock.Unlock()
 	if c.conn != nil {
 		c.conn.Close()
 		c.conn = nil
 	}
 }
 // ensureConnection makes sure we have an active UDP connection
 func (c *Client) ensureConnection() error {
 	c.connLock.Lock()
 	defer c.connLock.Unlock()
 	if c.conn != nil {
 		return nil
 	}
 	serverAddr, err := net.ResolveUDPAddr("udp", c.serverAddr)
 	if err != nil {
 		return err
 	}
 	c.conn, err = net.DialUDP("udp", nil, serverAddr)
 	if err != nil {
 		return err
 	}
 	return nil
 }
 // TestConnection checks if the connection to the server is working
 // Returns true if connected, false otherwise
 func (c *Client) TestConnection(ctx context.Context) (bool, time.Duration) {
 	if err := c.ensureConnection(); err != nil {
 		logger.Warn("Failed to ensure connection: %v", err)
 		return false, 0
 	}
 	// Prepare packet buffer
 	packet := make([]byte, packetSize)
 	binary.BigEndian.PutUint32(packet[0:4], magicHeader)
 	packet[4] = packetTypeRequest
 	// Send multiple attempts as specified
 	for attempt := 0; attempt < c.maxAttempts; attempt++ {
 		select {
 		case <-ctx.Done():
 			return false, 0
 		default:
 			// Add current timestamp to packet
 			timestamp := time.Now().UnixNano()
 			binary.BigEndian.PutUint64(packet[5:13], uint64(timestamp))
 			// Lock the connection for the entire send/receive operation
 			c.connLock.Lock()
 			// Check if connection is still valid after acquiring lock
 			if c.conn == nil {
 				c.connLock.Unlock()
 				return false, 0
 			}
 			logger.Debug("Attempting to send monitor packet to %s", c.serverAddr)
 			_, err := c.conn.Write(packet)
 			if err != nil {
 				c.connLock.Unlock()
 				logger.Info("Error sending packet: %v", err)
 				continue
 			}
 			logger.Debug("Successfully sent monitor packet")
 			// Set read deadline
 			c.conn.SetReadDeadline(time.Now().Add(c.timeout))
 			// Wait for response
 			responseBuffer := make([]byte, packetSize)
 			n, err := c.conn.Read(responseBuffer)
 			c.connLock.Unlock()
 			if err != nil {
 				if netErr, ok := err.(net.Error); ok && netErr.Timeout() {
 					// Timeout, try next attempt
 					time.Sleep(100 * time.Millisecond) // Brief pause between attempts
 					continue
 				}
 				logger.Error("Error reading response: %v", err)
 				continue
 			}
 			if n != packetSize {
 				continue // Malformed packet
 			}
 			// Verify response
 			magic := binary.BigEndian.Uint32(responseBuffer[0:4])
 			packetType := responseBuffer[4]
 			if magic != magicHeader || packetType != packetTypeResponse {
 				continue // Not our response
 			}
 			// Extract the original timestamp and calculate RTT
 			sentTimestamp := int64(binary.BigEndian.Uint64(responseBuffer[5:13]))
 			rtt := time.Duration(time.Now().UnixNano() - sentTimestamp)
 			return true, rtt
 		}
 	}
 	return false, 0
 }
 // TestConnectionWithTimeout tries to test connection with a timeout
 // Returns true if connected, false otherwise
 func (c *Client) TestConnectionWithTimeout(timeout time.Duration) (bool, time.Duration) {
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 	return c.TestConnection(ctx)
 }
 // MonitorCallback is the function type for connection status change callbacks
 type MonitorCallback func(status ConnectionStatus)
 // StartMonitor begins monitoring the connection and calls the callback
 // when the connection status changes
 func (c *Client) StartMonitor(callback MonitorCallback) error {
 	c.monitorLock.Lock()
 	defer c.monitorLock.Unlock()
 	if c.monitorRunning {
 		logger.Info("Monitor already running")
 		return nil // Already running
 	}
 	if err := c.ensureConnection(); err != nil {
 		return err
 	}
 	c.monitorRunning = true
 	c.shutdownCh = make(chan struct{})
 	go func() {
 		var lastConnected bool
 		firstRun := true
 		ticker := time.NewTicker(c.packetInterval)
 		defer ticker.Stop()
 		for {
 			select {
 			case <-c.shutdownCh:
 				return
 			case <-ticker.C:
 				ctx, cancel := context.WithTimeout(context.Background(), c.timeout)
 				connected, rtt := c.TestConnection(ctx)
 				cancel()
 				// Callback if status changed or it's the first check
 				if connected != lastConnected || firstRun {
 					callback(ConnectionStatus{
 						Connected: connected,
 						RTT:       rtt,
 					})
 					lastConnected = connected
 					firstRun = false
 				}
 			}
 		}
 	}()
 	return nil
 }
 // StopMonitor stops the connection monitoring
 func (c *Client) StopMonitor() {
 	c.monitorLock.Lock()
 	defer c.monitorLock.Unlock()
 	if !c.monitorRunning {
 		return
 	}
 	close(c.shutdownCh)
 	c.monitorRunning = false
 }
--- a/windows.go
+++ b/windows.go
@@ -0,0 +1,25 @@
 //go:build windows
 package main
 import (
 	"errors"
 	"net"
 	"os"
 	"golang.zx2c4.com/wireguard/ipc"
 	"golang.zx2c4.com/wireguard/tun"
 )
 func createTUNFromFD(tunFdStr string, mtuInt int) (tun.Device, error) {
 	return nil, errors.New("CreateTUNFromFile not supported on Windows")
 }
 func uapiOpen(interfaceName string) (*os.File, error) {
 	return nil, nil
 }
 func uapiListen(interfaceName string, fileUAPI *os.File) (net.Listener, error) {
 	// On Windows, UAPIListen only takes one parameter
 	return ipc.UAPIListen(interfaceName)
 }