Fix ipv6 issue

Former-commit-id: 8c71647802

.github/dependabot.yml

@@ -0,0 +1,40 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    groups:
+      dev-patch-updates:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+      dev-minor-updates:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+      prod-patch-updates:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+      prod-minor-updates:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    groups:
+      patch-updates:
+        update-types:
+          - "patch"
+      minor-updates:
+        update-types:
+          - "minor"
+          
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/cicd.yml

@@ -12,26 +12,42 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@v3
+              uses: actions/checkout@v5
+
+            - name: Set up QEMU
+              uses: docker/setup-qemu-action@v3
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@v3
+              with:
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
             - name: Extract tag name
               id: get-tag
               run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
 
             - name: Install Go
-              uses: actions/setup-go@v4
+              uses: actions/setup-go@v5
               with:
-                  go-version: 1.23.1
+                  go-version: 1.25
 
-            # - name: Update version in main.go
-            #   run: |
-            #       TAG=${{ env.TAG }}
-            #       if [ -f main.go ]; then
-            #         sed -i 's/Olm version replaceme/Olm version '"$TAG"'/' main.go
-            #         echo "Updated main.go with version $TAG"
-            #       else
-            #         echo "main.go not found"
-            #       fi
+            - name: Update version in main.go
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ -f main.go ]; then
+                    sed -i 's/version_replaceme/'"$TAG"'/' main.go
+                    echo "Updated main.go with version $TAG"
+                  else
+                    echo "main.go not found"
+                  fi
+            - name: Build and push Docker images
+              run: |
+                  TAG=${{ env.TAG }}
+                  make docker-build-release tag=$TAG
 
             - name: Build binaries
               run: |

.github/workflows/test.yml

@@ -0,0 +1,28 @@
+name: Run Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+      - dev
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.25
+
+      - name: Build go
+        run: go build
+
+      - name: Build Docker image
+        run: make build
+
+      - name: Build binaries
+        run: make go-build-release

.go-version

@@ -0,0 +1 @@
+1.25

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23.1-alpine AS builder
+FROM golang:1.25-alpine AS builder
 
 # Set the working directory inside the container
 WORKDIR /app
@@ -16,9 +16,9 @@ COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -o /olm
 
 # Start a new stage from scratch
-FROM ubuntu:22.04 AS runner
+FROM alpine:3.22 AS runner
 
-RUN apt-get update && apt-get install ca-certificates -y  && rm -rf /var/lib/apt/lists/*
+RUN apk --no-cache add ca-certificates
 
 # Copy the pre-built binary file from the previous stage and the entrypoint script
 COPY --from=builder /olm /usr/local/bin/

Makefile

@@ -1,9 +1,20 @@
 
 all: go-build-release 
 
+docker-build-release:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make docker-build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	docker buildx build --platform linux/arm/v7,linux/arm64,linux/amd64 -t fosrl/olm:latest -f Dockerfile --push .
+	docker buildx build --platform linux/arm/v7,linux/arm64,linux/amd64 -t fosrl/olm:$(tag) -f Dockerfile --push .
+
 local: 
 	CGO_ENABLED=0 go build -o olm
 
+build:
+	docker build -t fosrl/olm:latest .
+
 go-build-release:
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/olm_linux_arm64
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/olm_linux_amd64

README.md

@@ -1,6 +1,6 @@
 # Olm
 
-Olm is a [WireGuard](https://www.wireguard.com/) tunnel client designed to securely connect you computer to Newt sites running on remote networks.
+Olm is a [WireGuard](https://www.wireguard.com/) tunnel client designed to securely connect your computer to Newt sites running on remote networks.
 
 ### Installation and Documentation
 
@@ -48,8 +48,9 @@ All CLI arguments can also be set via environment variables:
 -   `PING_INTERVAL`: Equivalent to `--ping-interval`
 -   `PING_TIMEOUT`: Equivalent to `--ping-timeout`
 -   `HOLEPUNCH`: Set to "true" to enable hole punching (equivalent to `--holepunch`)
+-   `CONFIG_FILE`: Set to the location of a JSON file to load secret values
 
-Example:
+Examples:
 
 ```bash
 olm \
@@ -58,6 +59,67 @@ olm \
 --endpoint https://example.com
 ```
 
+You can also run it with Docker compose. For example, a service in your `docker-compose.yml` might look like this using environment vars (recommended):
+
+```yaml
+services:
+    olm:
+        image: fosrl/olm
+        container_name: olm
+        restart: unless-stopped
+        network_mode: host
+        devices:
+            - /dev/net/tun:/dev/net/tun
+        environment:
+            - PANGOLIN_ENDPOINT=https://example.com
+            - OLM_ID=31frd0uzbjvp721
+            - OLM_SECRET=h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
+```
+
+You can also pass the CLI args to the container:
+
+```yaml
+services:
+    olm:
+        image: fosrl/olm
+        container_name: olm
+        restart: unless-stopped
+        network_mode: host
+        devices:
+            - /dev/net/tun:/dev/net/tun
+        command:
+            - --id 31frd0uzbjvp721
+            - --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
+            - --endpoint https://example.com
+```
+
+**Docker Configuration Notes:**
+
+- `network_mode: host` brings the olm network interface to the host system, allowing the WireGuard tunnel to function properly
+- `devices: - /dev/net/tun:/dev/net/tun` is required to give the container access to the TUN device for creating WireGuard interfaces
+
+## Loading secrets from files
+
+You can use `CONFIG_FILE` to define a location of a config file to store the credentials between runs. 
+
+```
+$ cat ~/.config/olm-client/config.json
+{
+  "id": "spmzu8rbpzj1qq6",
+  "secret": "f6v61mjutwme2kkydbw3fjo227zl60a2tsf5psw9r25hgae3",
+  "endpoint": "https://pangolin.fossorial.io",
+  "tlsClientCert": ""
+}
+```
+
+This file is also written to when newt first starts up. So you do not need to run every time with --id and secret if you have run it once! 
+
+Default locations: 
+
+- **macOS**: `~/Library/Application Support/olm-client/config.json`
+- **Windows**: `%PROGRAMDATA%\olm\olm-client\config.json`
+- **Linux/Others**: `~/.config/olm-client/config.json`
+
 ## Hole Punching
 
 In the default mode, olm "relays" traffic through Gerbil in the cloud to get down to newt. This is a little more reliable. Support for NAT hole punching is also EXPERIMENTAL right now using the `--holepunch` flag. This will attempt to orchestrate a NAT hole punch between the two sites so that traffic flows directly. This will save data costs and speed. If it fails it should fall back to relaying.
@@ -97,15 +159,14 @@ olm.exe debug
 olm.exe help
 ```
 
+Note running the service requires credentials in `%PROGRAMDATA%\olm\olm-client\config.json`.
+
 ### Service Configuration
 
 When running as a service, Olm will read configuration from environment variables or you can modify the service to include command-line arguments:
 
 1. Install the service: `olm.exe install`
-2. Configure the service with your credentials using Windows Service Manager or by setting system environment variables:
-    - `PANGOLIN_ENDPOINT=https://example.com`
-    - `OLM_ID=your_olm_id`
-    - `OLM_SECRET=your_secret`
+2. Set the credentials in `%PROGRAMDATA%\olm\olm-client\config.json`. Hint: if you run olm once with --id and --secret this file will be populated! 
 3. Start the service: `olm.exe start`
 
 ### Service Logs
@@ -121,16 +182,111 @@ You can view the Windows Event Log using Event Viewer or PowerShell:
 Get-EventLog -LogName Application -Source "OlmWireguardService" -Newest 10
 ```
 
-## Build
+## HTTP Endpoints
 
-### Container
+Olm can be controlled with an embedded http server when using `--enable-http`. This allows you to start it as a daemon and trigger it with the following endpoints:
 
-Ensure Docker is installed.
+### POST /connect
+Initiates a new connection request.
 
-```bash
-make
+**Request Body:**
+```json
+{
+  "id": "string",
+  "secret": "string", 
+  "endpoint": "string"
+}
 ```
 
+**Required Fields:**
+- `id`: Connection identifier
+- `secret`: Authentication secret
+- `endpoint`: Target endpoint URL
+
+**Response:**
+- **Status Code:** `202 Accepted`
+- **Content-Type:** `application/json`
+
+```json
+{
+  "status": "connection request accepted"
+}
+```
+
+**Error Responses:**
+- `405 Method Not Allowed` - Non-POST requests
+- `400 Bad Request` - Invalid JSON or missing required fields
+
+### GET /status
+Returns the current connection status and peer information.
+
+**Response:**
+- **Status Code:** `200 OK`
+- **Content-Type:** `application/json`
+
+```json
+{
+  "status": "connected",
+  "connected": true,
+  "tunnelIP": "100.89.128.3/20",
+  "version": "version_replaceme",
+  "peers": {
+    "10": {
+      "siteId": 10,
+      "connected": true,
+      "rtt": 145338339,
+      "lastSeen": "2025-08-13T14:39:17.208334428-07:00",
+      "endpoint": "p.fosrl.io:21820",
+      "isRelay": true
+    },
+    "8": {
+      "siteId": 8,
+      "connected": false,
+      "rtt": 0,
+      "lastSeen": "2025-08-13T14:39:19.663823645-07:00",
+      "endpoint": "p.fosrl.io:21820",
+      "isRelay": true
+    }
+  }
+}
+```
+
+**Fields:**
+- `status`: Overall connection status ("connected" or "disconnected")
+- `connected`: Boolean connection state
+- `tunnelIP`: IP address and subnet of the tunnel (when connected)
+- `version`: Olm version string
+- `peers`: Map of peer statuses by site ID
+  - `siteId`: Peer site identifier
+  - `connected`: Boolean peer connection state
+  - `rtt`: Peer round-trip time (integer, nanoseconds)
+  - `lastSeen`: Last time peer was seen (RFC3339 timestamp)
+  - `endpoint`: Peer endpoint address
+  - `isRelay`: Whether the peer is relayed (true) or direct (false)
+
+**Error Responses:**
+- `405 Method Not Allowed` - Non-GET requests
+
+## Usage Examples
+
+### Connect to a peer
+```bash
+curl -X POST http://localhost:8080/connect \
+  -H "Content-Type: application/json" \
+  -d '{
+    "id": "31frd0uzbjvp721",
+    "secret": "h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6",
+    "endpoint": "https://example.com"
+  }'
+```
+
+### Check connection status
+```bash
+curl http://localhost:8080/status
+```
+
+## Build
+
 ### Binary
 
 Make sure to have Go 1.23.1 installed.

common.go

@@ -52,9 +52,13 @@ type HolePunchMessage struct {
 	NewtID string `json:"newtId"`
 }
 
+type ExitNode struct {
+	Endpoint  string `json:"endpoint"`
+	PublicKey string `json:"publicKey"`
+}
+
 type HolePunchData struct {
-	ServerPubKey string `json:"serverPubKey"`
-	Endpoint     string `json:"endpoint"`
+	ExitNodes []ExitNode `json:"exitNodes"`
 }
 
 type EncryptedHolePunchMessage struct {
@@ -64,13 +68,12 @@ type EncryptedHolePunchMessage struct {
 }
 
 var (
-	peerMonitor        *peermonitor.PeerMonitor
-	stopHolepunch      chan struct{}
-	stopRegister       func()
-	stopPing           chan struct{}
-	olmToken           string
-	gerbilServerPubKey string
-	holePunchRunning   bool
+	peerMonitor      *peermonitor.PeerMonitor
+	stopHolepunch    chan struct{}
+	stopRegister     func()
+	stopPing         chan struct{}
+	olmToken         string
+	holePunchRunning bool
 )
 
 const (
@@ -226,8 +229,8 @@ func resolveDomain(domain string) (string, error) {
 	return ipAddr, nil
 }
 
-func sendUDPHolePunchWithConn(conn *net.UDPConn, remoteAddr *net.UDPAddr, olmID string) error {
-	if gerbilServerPubKey == "" || olmToken == "" {
+func sendUDPHolePunchWithConn(conn *net.UDPConn, remoteAddr *net.UDPAddr, olmID string, serverPubKey string) error {
+	if serverPubKey == "" || olmToken == "" {
 		return nil
 	}
 
@@ -246,7 +249,7 @@ func sendUDPHolePunchWithConn(conn *net.UDPConn, remoteAddr *net.UDPAddr, olmID
 	}
 
 	// Encrypt the payload using the server's WireGuard public key
-	encryptedPayload, err := encryptPayload(payloadBytes, gerbilServerPubKey)
+	encryptedPayload, err := encryptPayload(payloadBytes, serverPubKey)
 	if err != nil {
 		return fmt.Errorf("failed to encrypt payload: %v", err)
 	}
@@ -319,7 +322,12 @@ func encryptPayload(payload []byte, serverPublicKey string) (interface{}, error)
 	return encryptedMsg, nil
 }
 
-func keepSendingUDPHolePunch(endpoint string, olmID string, sourcePort uint16) {
+func keepSendingUDPHolePunchToMultipleExitNodes(exitNodes []ExitNode, olmID string, sourcePort uint16) {
+	if len(exitNodes) == 0 {
+		logger.Warn("No exit nodes provided for hole punching")
+		return
+	}
+
 	// Check if hole punching is already running
 	if holePunchRunning {
 		logger.Debug("UDP hole punch already running, skipping new request")
@@ -333,13 +341,108 @@ func keepSendingUDPHolePunch(endpoint string, olmID string, sourcePort uint16) {
 		logger.Info("UDP hole punch goroutine ended")
 	}()
 
+	logger.Info("Starting UDP hole punch to %d exit nodes", len(exitNodes))
+	defer logger.Info("UDP hole punch goroutine ended for all exit nodes")
+
+	// Create the UDP connection once and reuse it for all exit nodes
+	localAddr := &net.UDPAddr{
+		Port: int(sourcePort),
+		IP:   net.IPv4zero,
+	}
+
+	conn, err := net.ListenUDP("udp", localAddr)
+	if err != nil {
+		logger.Error("Failed to bind UDP socket: %v", err)
+		return
+	}
+	defer conn.Close()
+
+	// Resolve all endpoints upfront
+	type resolvedExitNode struct {
+		remoteAddr   *net.UDPAddr
+		publicKey    string
+		endpointName string
+	}
+
+	var resolvedNodes []resolvedExitNode
+	for _, exitNode := range exitNodes {
+		host, err := resolveDomain(exitNode.Endpoint)
+		if err != nil {
+			logger.Error("Failed to resolve endpoint %s: %v", exitNode.Endpoint, err)
+			continue
+		}
+
+		serverAddr := net.JoinHostPort(host, "21820")
+		remoteAddr, err := net.ResolveUDPAddr("udp", serverAddr)
+		if err != nil {
+			logger.Error("Failed to resolve UDP address for %s: %v", exitNode.Endpoint, err)
+			continue
+		}
+
+		resolvedNodes = append(resolvedNodes, resolvedExitNode{
+			remoteAddr:   remoteAddr,
+			publicKey:    exitNode.PublicKey,
+			endpointName: exitNode.Endpoint,
+		})
+		logger.Info("Resolved exit node: %s -> %s", exitNode.Endpoint, remoteAddr.String())
+	}
+
+	if len(resolvedNodes) == 0 {
+		logger.Error("No exit nodes could be resolved")
+		return
+	}
+
+	// Send initial hole punch to all exit nodes
+	for _, node := range resolvedNodes {
+		if err := sendUDPHolePunchWithConn(conn, node.remoteAddr, olmID, node.publicKey); err != nil {
+			logger.Error("Failed to send initial UDP hole punch to %s: %v", node.endpointName, err)
+		}
+	}
+
+	ticker := time.NewTicker(250 * time.Millisecond)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-stopHolepunch:
+			logger.Info("Stopping UDP holepunch for all exit nodes")
+			return
+		case <-ticker.C:
+			// Send hole punch to all exit nodes
+			for _, node := range resolvedNodes {
+				if err := sendUDPHolePunchWithConn(conn, node.remoteAddr, olmID, node.publicKey); err != nil {
+					logger.Error("Failed to send UDP hole punch to %s: %v", node.endpointName, err)
+				}
+			}
+		}
+	}
+}
+
+func keepSendingUDPHolePunch(endpoint string, olmID string, sourcePort uint16, serverPubKey string) {
+
+	// Check if hole punching is already running
+	if holePunchRunning {
+		logger.Debug("UDP hole punch already running, skipping new request")
+		return
+	}
+
+	// Set the flag to indicate hole punching is running
+	holePunchRunning = true
+	defer func() {
+		holePunchRunning = false
+		logger.Info("UDP hole punch goroutine ended")
+	}()
+
+	logger.Info("Starting UDP hole punch to %s", endpoint)
+	defer logger.Info("UDP hole punch goroutine ended for %s", endpoint)
+
 	host, err := resolveDomain(endpoint)
 	if err != nil {
 		logger.Error("Failed to resolve endpoint: %v", err)
 		return
 	}
 
-	serverAddr := host + ":21820"
+	serverAddr := net.JoinHostPort(host, "21820")
 
 	// Create the UDP connection once and reuse it
 	localAddr := &net.UDPAddr{
@@ -361,7 +464,7 @@ func keepSendingUDPHolePunch(endpoint string, olmID string, sourcePort uint16) {
 	defer conn.Close()
 
 	// Execute once immediately before starting the loop
-	if err := sendUDPHolePunchWithConn(conn, remoteAddr, olmID); err != nil {
+	if err := sendUDPHolePunchWithConn(conn, remoteAddr, olmID, serverPubKey); err != nil {
 		logger.Error("Failed to send UDP hole punch: %v", err)
 	}
 
@@ -374,7 +477,7 @@ func keepSendingUDPHolePunch(endpoint string, olmID string, sourcePort uint16) {
 			logger.Info("Stopping UDP holepunch")
 			return
 		case <-ticker.C:
-			if err := sendUDPHolePunchWithConn(conn, remoteAddr, olmID); err != nil {
+			if err := sendUDPHolePunchWithConn(conn, remoteAddr, olmID, serverPubKey); err != nil {
 				logger.Error("Failed to send UDP hole punch: %v", err)
 			}
 		}
@@ -510,7 +613,7 @@ func ConfigurePeer(dev *device.Device, siteConfig SiteConfig, privateKey wgtypes
 	// Set up peer monitoring
 	if peerMonitor != nil {
 		monitorAddress := strings.Split(siteConfig.ServerIP, "/")[0]
-		monitorPeer := fmt.Sprintf("%s:%d", monitorAddress, siteConfig.ServerPort+1) // +1 for the monitor port
+		monitorPeer := net.JoinHostPort(monitorAddress, strconv.Itoa(int(siteConfig.ServerPort+1))) // +1 for the monitor port
 		logger.Debug("Setting up peer monitor for site %d at %s", siteConfig.SiteId, monitorPeer)
 
 		primaryRelay, err := resolveDomain(endpoint) // Using global endpoint variable

docker-compose.yml

@@ -5,6 +5,11 @@ services:
     restart: unless-stopped
     environment:
       - PANGOLIN_ENDPOINT=https://example.com
-      - OLM_ID=2ix2t8xk22ubpfy 
-      - OLM_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2 
-      - LOG_LEVEL=DEBUG
+      - OLM_ID=vdqnz8rwgb95cnp 
+      - OLM_SECRET=1sw05qv1tkfdb1k81zpw05nahnnjvmhxjvf746umwagddmdg 
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    network_mode: host

go.mod

@@ -1,55 +1,22 @@
 module github.com/fosrl/olm
 
-go 1.23.1
-
-toolchain go1.23.2
+go 1.25
 
 require (
-	github.com/fosrl/newt v0.0.0-20250724194014-008be54c554a
+	github.com/fosrl/newt v0.0.0-20250730062419-3ccd755d557a
 	github.com/vishvananda/netlink v1.3.1
-	golang.org/x/crypto v0.40.0
+	golang.org/x/crypto v0.41.0
 	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792
-	golang.org/x/net v0.42.0
-	golang.org/x/sys v0.34.0
+	golang.org/x/sys v0.35.0
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 )
 
 require (
-	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/containerd/errdefs v1.0.0 // indirect
-	github.com/containerd/errdefs/pkg v0.3.0 // indirect
-	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/docker v28.3.2+incompatible // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
-	github.com/docker/go-units v0.5.0 // indirect
-	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
-	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/btree v1.1.3 // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/gopacket v1.1.19 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
-	github.com/josharian/native v1.1.0 // indirect
-	github.com/mdlayher/genetlink v1.3.2 // indirect
-	github.com/mdlayher/netlink v1.7.2 // indirect
-	github.com/mdlayher/socket v0.5.1 // indirect
-	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
-	go.opentelemetry.io/otel v1.37.0 // indirect
-	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.37.0 // indirect
-	golang.org/x/mod v0.26.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.35.0 // indirect
+	golang.org/x/net v0.42.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	gvisor.dev/gvisor v0.0.0-20250718192347-d7830d968c56 // indirect
-	software.sslmate.com/src/go-pkcs12 v0.5.0 // indirect
+	software.sslmate.com/src/go-pkcs12 v0.6.0 // indirect
 )

go.sum

@@ -1,120 +1,27 @@
-github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
-github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
-github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
-github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
-github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
-github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
-github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v28.3.2+incompatible h1:wn66NJ6pWB1vBZIilP8G3qQPqHy5XymfYn5vsqeA5oA=
-github.com/docker/docker v28.3.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
-github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
-github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
-github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fosrl/newt v0.0.0-20250717220102-cd86e6b6de83 h1:jI6tP2sJNNb70Y+Ixq+oI06fDPnGUbarz/r67g7KvB8=
-github.com/fosrl/newt v0.0.0-20250717220102-cd86e6b6de83/go.mod h1:oqHsCx1rsEc8hAVGVXemfeolIwlr19biJSQiLYi7Mvo=
-github.com/fosrl/newt v0.0.0-20250718235538-510e78437ca4 h1:bK/MQyTOLGthrXZ7ExvOCdW0EH0o9b5vwk/+UKnNdg0=
-github.com/fosrl/newt v0.0.0-20250718235538-510e78437ca4/go.mod h1:oqHsCx1rsEc8hAVGVXemfeolIwlr19biJSQiLYi7Mvo=
-github.com/fosrl/newt v0.0.0-20250724190153-64c22a94a47a h1:Jgd60yfFJxb5z6L3LcoraaosHjiRgKLnMz6T3mv3D4Q=
-github.com/fosrl/newt v0.0.0-20250724190153-64c22a94a47a/go.mod h1:oqHsCx1rsEc8hAVGVXemfeolIwlr19biJSQiLYi7Mvo=
-github.com/fosrl/newt v0.0.0-20250724194014-008be54c554a h1:17r/Uhef6aIxpO0xYGI3771LJx7cTyc1WziDOgghc54=
-github.com/fosrl/newt v0.0.0-20250724194014-008be54c554a/go.mod h1:oqHsCx1rsEc8hAVGVXemfeolIwlr19biJSQiLYi7Mvo=
-github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
-github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
-github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/fosrl/newt v0.0.0-20250730062419-3ccd755d557a h1:bUGN4piHlcqgfdRLrwqiLZZxgcitzBzNDQS1+CHSmJI=
+github.com/fosrl/newt v0.0.0-20250730062419-3ccd755d557a/go.mod h1:PbiPYp1hbL07awrmbqTSTz7lTenieTHN6cIkUVCGD3I=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
-github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
-github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
-github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
-github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
-github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
-github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
-github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
-github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
-github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
-github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
-github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
-github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
 github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
 github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
 github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
-go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
-go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
-go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
-go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
-go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
-go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
-golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
 golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
-golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
 golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
-golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=
@@ -123,5 +30,5 @@ golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 h1:3GDAcqdI
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10/go.mod h1:T97yPqesLiNrOYxkwmhMI0ZIlJDm+p0PMR8eRVeR5tQ=
 gvisor.dev/gvisor v0.0.0-20250718192347-d7830d968c56 h1:H+qymc2ndLKNFR5TcaPmsHGiJnhJMqeofBYSRq4oG3c=
 gvisor.dev/gvisor v0.0.0-20250718192347-d7830d968c56/go.mod h1:i8iCZyAdwRnLZYaIi2NUL1gfNtAveqxkKAe0JfAv9Bs=
-software.sslmate.com/src/go-pkcs12 v0.5.0 h1:EC6R394xgENTpZ4RltKydeDUjtlM5drOYIG9c6TVj2M=
-software.sslmate.com/src/go-pkcs12 v0.5.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
+software.sslmate.com/src/go-pkcs12 v0.6.0 h1:f3sQittAeF+pao32Vb+mkli+ZyT+VwKaD014qFGq6oU=
+software.sslmate.com/src/go-pkcs12 v0.6.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=

httpserver/httpserver.go

@@ -23,6 +23,8 @@ type PeerStatus struct {
 	Connected bool          `json:"connected"`
 	RTT       time.Duration `json:"rtt"`
 	LastSeen  time.Time     `json:"lastSeen"`
+	Endpoint  string        `json:"endpoint,omitempty"`
+	IsRelay   bool          `json:"isRelay"`
 }
 
 // StatusResponse is returned by the status endpoint
@@ -30,6 +32,7 @@ type StatusResponse struct {
 	Status       string              `json:"status"`
 	Connected    bool                `json:"connected"`
 	TunnelIP     string              `json:"tunnelIP,omitempty"`
+	Version      string              `json:"version,omitempty"`
 	PeerStatuses map[int]*PeerStatus `json:"peers,omitempty"`
 }
 
@@ -42,6 +45,8 @@ type HTTPServer struct {
 	peerStatuses   map[int]*PeerStatus
 	connectedAt    time.Time
 	isConnected    bool
+	tunnelIP       string
+	version        string
 }
 
 // NewHTTPServer creates a new HTTP server
@@ -87,8 +92,8 @@ func (s *HTTPServer) GetConnectionChannel() <-chan ConnectionRequest {
 	return s.connectionChan
 }
 
-// UpdatePeerStatus updates the status of a peer
-func (s *HTTPServer) UpdatePeerStatus(siteID int, connected bool, rtt time.Duration) {
+// UpdatePeerStatus updates the status of a peer including endpoint and relay info
+func (s *HTTPServer) UpdatePeerStatus(siteID int, connected bool, rtt time.Duration, endpoint string, isRelay bool) {
 	s.statusMu.Lock()
 	defer s.statusMu.Unlock()
 
@@ -103,6 +108,8 @@ func (s *HTTPServer) UpdatePeerStatus(siteID int, connected bool, rtt time.Durat
 	status.Connected = connected
 	status.RTT = rtt
 	status.LastSeen = time.Now()
+	status.Endpoint = endpoint
+	status.IsRelay = isRelay
 }
 
 // SetConnectionStatus sets the overall connection status
@@ -120,6 +127,37 @@ func (s *HTTPServer) SetConnectionStatus(isConnected bool) {
 	}
 }
 
+// SetTunnelIP sets the tunnel IP address
+func (s *HTTPServer) SetTunnelIP(tunnelIP string) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+	s.tunnelIP = tunnelIP
+}
+
+// SetVersion sets the olm version
+func (s *HTTPServer) SetVersion(version string) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+	s.version = version
+}
+
+// UpdatePeerRelayStatus updates only the relay status of a peer
+func (s *HTTPServer) UpdatePeerRelayStatus(siteID int, endpoint string, isRelay bool) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+
+	status, exists := s.peerStatuses[siteID]
+	if !exists {
+		status = &PeerStatus{
+			SiteID: siteID,
+		}
+		s.peerStatuses[siteID] = status
+	}
+
+	status.Endpoint = endpoint
+	status.IsRelay = isRelay
+}
+
 // handleConnect handles the /connect endpoint
 func (s *HTTPServer) handleConnect(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPost {
@@ -163,6 +201,8 @@ func (s *HTTPServer) handleStatus(w http.ResponseWriter, r *http.Request) {
 
 	resp := StatusResponse{
 		Connected:    s.isConnected,
+		TunnelIP:     s.tunnelIP,
+		Version:      s.version,
 		PeerStatuses: s.peerStatuses,
 	}
 

main.go

@@ -197,7 +197,11 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 	httpAddr = os.Getenv("HTTP_ADDR")
 	pingIntervalStr := os.Getenv("PING_INTERVAL")
 	pingTimeoutStr := os.Getenv("PING_TIMEOUT")
-	doHolepunch = os.Getenv("HOLEPUNCH") == "true" // Default to true, can be overridden by flag
+	enableHTTPEnv := os.Getenv("ENABLE_HTTP")
+	holepunchEnv := os.Getenv("HOLEPUNCH")
+
+	enableHTTP = enableHTTPEnv == "true"
+	doHolepunch = holepunchEnv == "true"
 
 	if endpoint == "" {
 		serviceFlags.StringVar(&endpoint, "endpoint", "", "Endpoint of your Pangolin server")
@@ -229,8 +233,14 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 	if pingTimeoutStr == "" {
 		serviceFlags.StringVar(&pingTimeoutStr, "ping-timeout", "5s", "	Timeout for each ping (default 3s)")
 	}
-	serviceFlags.BoolVar(&enableHTTP, "enable-http", false, "Enable HTT server for receiving connection requests")
-	serviceFlags.BoolVar(&doHolepunch, "holepunch", false, "Enable hole punching (default false)")
+	if enableHTTPEnv == "" {
+		serviceFlags.BoolVar(&enableHTTP, "enable-http", false, "Enable HTT server for receiving connection requests")
+	}
+	if holepunchEnv == "" {
+		serviceFlags.BoolVar(&doHolepunch, "holepunch", false, "Enable hole punching (default false)")
+	}
+
+	version := serviceFlags.Bool("version", false, "Print the version")
 
 	// Parse the service arguments
 	if err := serviceFlags.Parse(args); err != nil {
@@ -272,6 +282,14 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 	loggerLevel := parseLogLevel(logLevel)
 	logger.GetLogger().SetLevel(parseLogLevel(logLevel))
 
+	olmVersion := "version_replaceme"
+	if *version {
+		fmt.Println("Olm version " + olmVersion)
+		os.Exit(0)
+	} else {
+		logger.Info("Olm version " + olmVersion)
+	}
+
 	// Log startup information
 	logger.Debug("Olm service starting...")
 	logger.Debug("Parameters: endpoint='%s', id='%s', secret='%s'", endpoint, id, secret)
@@ -313,6 +331,7 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 	var httpServer *httpserver.HTTPServer
 	if enableHTTP {
 		httpServer = httpserver.NewHTTPServer(httpAddr)
+		httpServer.SetVersion(olmVersion)
 		if err := httpServer.Start(); err != nil {
 			logger.Fatal("Failed to start HTTP server: %v", err)
 		}
@@ -354,31 +373,31 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 	// 	}
 	// }
 
-	// // wait until we have a client id and secret and endpoint
-	// waitCount := 0
-	// for id == "" || secret == "" || endpoint == "" {
-	// 	select {
-	// 	case <-ctx.Done():
-	// 		logger.Info("Context cancelled while waiting for credentials")
-	// 		return
-	// 	default:
-	// 		missing := []string{}
-	// 		if id == "" {
-	// 			missing = append(missing, "id")
-	// 		}
-	// 		if secret == "" {
-	// 			missing = append(missing, "secret")
-	// 		}
-	// 		if endpoint == "" {
-	// 			missing = append(missing, "endpoint")
-	// 		}
-	// 		waitCount++
-	// 		if waitCount%10 == 1 { // Log every 10 seconds instead of every second
-	// 			logger.Debug("Waiting for missing parameters: %v (waiting %d seconds)", missing, waitCount)
-	// 		}
-	// 		time.Sleep(1 * time.Second)
-	// 	}
-	// }
+	// wait until we have a client id and secret and endpoint
+	waitCount := 0
+	for id == "" || secret == "" || endpoint == "" {
+		select {
+		case <-ctx.Done():
+			logger.Info("Context cancelled while waiting for credentials")
+			return
+		default:
+			missing := []string{}
+			if id == "" {
+				missing = append(missing, "id")
+			}
+			if secret == "" {
+				missing = append(missing, "secret")
+			}
+			if endpoint == "" {
+				missing = append(missing, "endpoint")
+			}
+			waitCount++
+			if waitCount%10 == 1 { // Log every 10 seconds instead of every second
+				logger.Debug("Waiting for missing parameters: %v (waiting %d seconds)", missing, waitCount)
+			}
+			time.Sleep(1 * time.Second)
+		}
+	}
 
 	// parse the mtu string into an int
 	mtuInt, err = strconv.Atoi(mtu)
@@ -419,7 +438,7 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 		os.Exit(1)
 	}
 
-	olm.RegisterHandler("olm/wg/holepunch", func(msg websocket.WSMessage) {
+	olm.RegisterHandler("olm/wg/holepunch/all", func(msg websocket.WSMessage) {
 		logger.Debug("Received message: %v", msg.Data)
 
 		jsonData, err := json.Marshal(msg.Data)
@@ -433,9 +452,72 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 			return
 		}
 
-		gerbilServerPubKey = holePunchData.ServerPubKey
+		// Create a new stopHolepunch channel for the new set of goroutines
+		stopHolepunch = make(chan struct{})
 
-		go keepSendingUDPHolePunch(holePunchData.Endpoint, id, sourcePort)
+		// Start a single hole punch goroutine for all exit nodes
+		logger.Info("Starting hole punch for %d exit nodes", len(holePunchData.ExitNodes))
+		go keepSendingUDPHolePunchToMultipleExitNodes(holePunchData.ExitNodes, id, sourcePort)
+	})
+
+	olm.RegisterHandler("olm/wg/holepunch", func(msg websocket.WSMessage) {
+		// THIS ENDPOINT IS FOR BACKWARD COMPATIBILITY
+		logger.Debug("Received message: %v", msg.Data)
+
+		type LegacyHolePunchData struct {
+			ServerPubKey string `json:"serverPubKey"`
+			Endpoint     string `json:"endpoint"`
+		}
+
+		var legacyHolePunchData LegacyHolePunchData
+
+		jsonData, err := json.Marshal(msg.Data)
+		if err != nil {
+			logger.Info("Error marshaling data: %v", err)
+			return
+		}
+
+		if err := json.Unmarshal(jsonData, &legacyHolePunchData); err != nil {
+			logger.Info("Error unmarshaling target data: %v", err)
+			return
+		}
+
+		// Stop any existing hole punch goroutines by closing the current channel
+		select {
+		case <-stopHolepunch:
+			// Channel already closed
+		default:
+			close(stopHolepunch)
+		}
+
+		// Create a new stopHolepunch channel for the new set of goroutines
+		stopHolepunch = make(chan struct{})
+
+		// Start hole punching for each exit node
+		logger.Info("Starting hole punch for exit node: %s with public key: %s", legacyHolePunchData.Endpoint, legacyHolePunchData.ServerPubKey)
+		go keepSendingUDPHolePunch(legacyHolePunchData.Endpoint, id, sourcePort, legacyHolePunchData.ServerPubKey)
+	})
+
+	olm.RegisterHandler("olm/wg/holepunch/all", func(msg websocket.WSMessage) {
+		logger.Debug("Received message: %v", msg.Data)
+
+		jsonData, err := json.Marshal(msg.Data)
+		if err != nil {
+			logger.Info("Error marshaling data: %v", err)
+			return
+		}
+
+		if err := json.Unmarshal(jsonData, &holePunchData); err != nil {
+			logger.Info("Error unmarshaling target data: %v", err)
+			return
+		}
+
+		// Create a new stopHolepunch channel for the new set of goroutines
+		stopHolepunch = make(chan struct{})
+
+		// Start a single hole punch goroutine for all exit nodes
+		logger.Info("Starting hole punch for %d exit nodes", len(holePunchData.ExitNodes))
+		go keepSendingUDPHolePunchToMultipleExitNodes(holePunchData.ExitNodes, id, sourcePort)
 	})
 
 	// Register handlers for different message types
@@ -455,7 +537,8 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 		close(stopHolepunch)
 
 		// wait 10 milliseconds to ensure the previous connection is closed
-		time.Sleep(10 * time.Millisecond)
+		logger.Debug("Waiting 500 milliseconds to ensure previous connection is closed")
+		time.Sleep(500 * time.Millisecond)
 
 		// if there is an existing tunnel then close it
 		if dev != nil {
@@ -563,10 +646,27 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 			logger.Error("Failed to configure interface: %v", err)
 		}
 
+		// Set tunnel IP in HTTP server
+		if httpServer != nil {
+			httpServer.SetTunnelIP(wgData.TunnelIP)
+		}
+
 		peerMonitor = peermonitor.NewPeerMonitor(
 			func(siteID int, connected bool, rtt time.Duration) {
 				if httpServer != nil {
-					httpServer.UpdatePeerStatus(siteID, connected, rtt)
+					// Find the site config to get endpoint information
+					var endpoint string
+					var isRelay bool
+					for _, site := range wgData.Sites {
+						if site.SiteId == siteID {
+							endpoint = site.Endpoint
+							// TODO: We'll need to track relay status separately
+							// For now, assume not using relay unless we get relay data
+							isRelay = !doHolepunch
+							break
+						}
+					}
+					httpServer.UpdatePeerStatus(siteID, connected, rtt, endpoint, isRelay)
 				}
 				if connected {
 					logger.Info("Peer %d is now connected (RTT: %v)", siteID, rtt)
@@ -583,7 +683,7 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 		// loop over the sites and call ConfigurePeer for each one
 		for _, site := range wgData.Sites {
 			if httpServer != nil {
-				httpServer.UpdatePeerStatus(site.SiteId, false, 0)
+				httpServer.UpdatePeerStatus(site.SiteId, false, 0, site.Endpoint, false)
 			}
 			err = ConfigurePeer(dev, site, privateKey, endpoint)
 			if err != nil {
@@ -812,18 +912,23 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 			return
 		}
 
-		var removeData RelayPeerData
-		if err := json.Unmarshal(jsonData, &removeData); err != nil {
-			logger.Error("Error unmarshaling remove data: %v", err)
+		var relayData RelayPeerData
+		if err := json.Unmarshal(jsonData, &relayData); err != nil {
+			logger.Error("Error unmarshaling relay data: %v", err)
 			return
 		}
 
-		primaryRelay, err := resolveDomain(removeData.Endpoint)
+		primaryRelay, err := resolveDomain(relayData.Endpoint)
 		if err != nil {
 			logger.Warn("Failed to resolve primary relay endpoint: %v", err)
 		}
 
-		peerMonitor.HandleFailover(removeData.SiteId, primaryRelay)
+		// Update HTTP server to mark this peer as using relay
+		if httpServer != nil {
+			httpServer.UpdatePeerRelayStatus(relayData.SiteId, relayData.Endpoint, true)
+		}
+
+		peerMonitor.HandleFailover(relayData.SiteId, primaryRelay)
 	})
 
 	olm.RegisterHandler("olm/register/no-sites", func(msg websocket.WSMessage) {
@@ -866,8 +971,9 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 		logger.Debug("Sending registration message to server with public key: %s and relay: %v", publicKey, !doHolepunch)
 
 		stopRegister = olm.SendMessageInterval("olm/wg/register", map[string]interface{}{
-			"publicKey": publicKey.String(),
-			"relay":     !doHolepunch,
+			"publicKey":  publicKey.String(),
+			"relay":      !doHolepunch,
+			"olmVersion": olmVersion,
 		}, 1*time.Second)
 
 		go keepSendingPing(olm)