Add update checks, log rotation, and message timeouts (#42)

* Add update checker

* Add timeouts to hp

* Try to fix log rotation and service args

* Dont delete service args file

* GO update

Former-commit-id: 9f3eddbc9c

.github/DISCUSSION_TEMPLATE/feature-requests.yml

@@ -0,0 +1,47 @@
+body:
+    - type: textarea
+      attributes:
+          label: Summary
+          description: A clear and concise summary of the requested feature.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Motivation
+          description: |
+              Why is this feature important?
+              Explain the problem this feature would solve or what use case it would enable.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Proposed Solution
+          description: |
+              How would you like to see this feature implemented?
+              Provide as much detail as possible about the desired behavior, configuration, or changes.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Alternatives Considered
+          description: Describe any alternative solutions or workarounds you've thought about.
+      validations:
+          required: false
+
+    - type: textarea
+      attributes:
+          label: Additional Context
+          description: Add any other context, mockups, or screenshots about the feature request here.
+      validations:
+          required: false
+
+    - type: markdown
+      attributes:
+          value: |
+              Before submitting, please:
+              - Check if there is an existing issue for this feature.
+              - Clearly explain the benefit and use case.
+              - Be as specific as possible to help contributors evaluate and implement.

.github/ISSUE_TEMPLATE/1.bug_report.yml

@@ -0,0 +1,51 @@
+name: Bug Report
+description: Create a bug report
+labels: []
+body:
+    - type: textarea
+      attributes:
+          label: Describe the Bug
+          description: A clear and concise description of what the bug is.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Environment
+          description: Please fill out the relevant details below for your environment.
+          value: |
+              - OS Type & Version: (e.g., Ubuntu 22.04)
+              - Pangolin Version:
+              - Gerbil Version:
+              - Traefik Version:
+              - Newt Version:
+              - Olm Version: (if applicable)
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: To Reproduce
+          description: |
+              Steps to reproduce the behavior, please provide a clear description of how to reproduce the issue, based on the linked minimal reproduction. Screenshots can be provided in the issue body below.
+
+              If using code blocks, make sure syntax highlighting is correct and double-check that the rendered preview is not broken.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Expected Behavior
+          description: A clear and concise description of what you expected to happen.
+      validations:
+          required: true
+
+    - type: markdown
+      attributes:
+          value: |
+              Before posting the issue go through the steps you've written down to make sure the steps provided are detailed and clear.
+
+    - type: markdown
+      attributes:
+          value: |
+              Contributors should be able to follow the steps provided in order to reproduce the bug.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+    - name: Need help or have questions?
+      url: https://github.com/orgs/fosrl/discussions
+      about: Ask questions, get help, and discuss with other community members
+    - name: Request a Feature
+      url: https://github.com/orgs/fosrl/discussions/new?category=feature-requests
+      about: Feature requests should be opened as discussions so others can upvote and comment

.github/dependabot.yml

@@ -33,3 +33,8 @@ updates:
       minor-updates:
         update-types:
           - "minor"
+          
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/cicd.yml

@@ -12,16 +12,28 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@v3
+              uses: actions/checkout@v5
+
+            - name: Set up QEMU
+              uses: docker/setup-qemu-action@v3
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@v3
+              with:
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
             - name: Extract tag name
               id: get-tag
               run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
 
             - name: Install Go
-              uses: actions/setup-go@v4
+              uses: actions/setup-go@v6
               with:
-                  go-version: 1.24
+                  go-version: 1.25
 
             - name: Update version in main.go
               run: |
@@ -32,6 +44,10 @@ jobs:
                   else
                     echo "main.go not found"
                   fi
+            - name: Build and push Docker images
+              run: |
+                  TAG=${{ env.TAG }}
+                  make docker-build-release tag=$TAG
 
             - name: Build binaries
               run: |

.github/workflows/test.yml

@@ -11,15 +11,18 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v6
         with:
-          go-version: '1.24'
+          go-version: 1.25
 
       - name: Build go
         run: go build
 
+      - name: Build Docker image
+        run: make build
+
       - name: Build binaries
         run: make go-build-release

.go-version

@@ -1 +1 @@
-1.24
+1.25

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.24-alpine AS builder
+FROM golang:1.25-alpine AS builder
 
 # Set the working directory inside the container
 WORKDIR /app
@@ -16,9 +16,9 @@ COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -o /olm
 
 # Start a new stage from scratch
-FROM ubuntu:24.04 AS runner
+FROM alpine:3.22 AS runner
 
-RUN apt-get update && apt-get install ca-certificates -y  && rm -rf /var/lib/apt/lists/*
+RUN apk --no-cache add ca-certificates
 
 # Copy the pre-built binary file from the previous stage and the entrypoint script
 COPY --from=builder /olm /usr/local/bin/

Makefile

@@ -1,9 +1,20 @@
 
 all: go-build-release 
 
+docker-build-release:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make docker-build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	docker buildx build --platform linux/arm/v7,linux/arm64,linux/amd64 -t fosrl/olm:latest -f Dockerfile --push .
+	docker buildx build --platform linux/arm/v7,linux/arm64,linux/amd64 -t fosrl/olm:$(tag) -f Dockerfile --push .
+
 local: 
 	CGO_ENABLED=0 go build -o olm
 
+build:
+	docker build -t fosrl/olm:latest .
+
 go-build-release:
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/olm_linux_arm64
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/olm_linux_amd64

README.md

@@ -48,8 +48,9 @@ All CLI arguments can also be set via environment variables:
 -   `PING_INTERVAL`: Equivalent to `--ping-interval`
 -   `PING_TIMEOUT`: Equivalent to `--ping-timeout`
 -   `HOLEPUNCH`: Set to "true" to enable hole punching (equivalent to `--holepunch`)
+-   `CONFIG_FILE`: Set to the location of a JSON file to load secret values
 
-Example:
+Examples:
 
 ```bash
 olm \
@@ -58,6 +59,67 @@ olm \
 --endpoint https://example.com
 ```
 
+You can also run it with Docker compose. For example, a service in your `docker-compose.yml` might look like this using environment vars (recommended):
+
+```yaml
+services:
+    olm:
+        image: fosrl/olm
+        container_name: olm
+        restart: unless-stopped
+        network_mode: host
+        devices:
+            - /dev/net/tun:/dev/net/tun
+        environment:
+            - PANGOLIN_ENDPOINT=https://example.com
+            - OLM_ID=31frd0uzbjvp721
+            - OLM_SECRET=h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
+```
+
+You can also pass the CLI args to the container:
+
+```yaml
+services:
+    olm:
+        image: fosrl/olm
+        container_name: olm
+        restart: unless-stopped
+        network_mode: host
+        devices:
+            - /dev/net/tun:/dev/net/tun
+        command:
+            - --id 31frd0uzbjvp721
+            - --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
+            - --endpoint https://example.com
+```
+
+**Docker Configuration Notes:**
+
+- `network_mode: host` brings the olm network interface to the host system, allowing the WireGuard tunnel to function properly
+- `devices: - /dev/net/tun:/dev/net/tun` is required to give the container access to the TUN device for creating WireGuard interfaces
+
+## Loading secrets from files
+
+You can use `CONFIG_FILE` to define a location of a config file to store the credentials between runs. 
+
+```
+$ cat ~/.config/olm-client/config.json
+{
+  "id": "spmzu8rbpzj1qq6",
+  "secret": "f6v61mjutwme2kkydbw3fjo227zl60a2tsf5psw9r25hgae3",
+  "endpoint": "https://pangolin.fossorial.io",
+  "tlsClientCert": ""
+}
+```
+
+This file is also written to when newt first starts up. So you do not need to run every time with --id and secret if you have run it once! 
+
+Default locations: 
+
+- **macOS**: `~/Library/Application Support/olm-client/config.json`
+- **Windows**: `%PROGRAMDATA%\olm\olm-client\config.json`
+- **Linux/Others**: `~/.config/olm-client/config.json`
+
 ## Hole Punching
 
 In the default mode, olm "relays" traffic through Gerbil in the cloud to get down to newt. This is a little more reliable. Support for NAT hole punching is also EXPERIMENTAL right now using the `--holepunch` flag. This will attempt to orchestrate a NAT hole punch between the two sites so that traffic flows directly. This will save data costs and speed. If it fails it should fall back to relaying.
@@ -97,15 +159,14 @@ olm.exe debug
 olm.exe help
 ```
 
+Note running the service requires credentials in `%PROGRAMDATA%\olm\olm-client\config.json`.
+
 ### Service Configuration
 
 When running as a service, Olm will read configuration from environment variables or you can modify the service to include command-line arguments:
 
 1. Install the service: `olm.exe install`
-2. Configure the service with your credentials using Windows Service Manager or by setting system environment variables:
-    - `PANGOLIN_ENDPOINT=https://example.com`
-    - `OLM_ID=your_olm_id`
-    - `OLM_SECRET=your_secret`
+2. Set the credentials in `%PROGRAMDATA%\olm\olm-client\config.json`. Hint: if you run olm once with --id and --secret this file will be populated! 
 3. Start the service: `olm.exe start`
 
 ### Service Logs

common.go

@@ -372,7 +372,7 @@ func keepSendingUDPHolePunchToMultipleExitNodes(exitNodes []ExitNode, olmID stri
 			continue
 		}
 
-		serverAddr := host + ":21820"
+		serverAddr := net.JoinHostPort(host, "21820")
 		remoteAddr, err := net.ResolveUDPAddr("udp", serverAddr)
 		if err != nil {
 			logger.Error("Failed to resolve UDP address for %s: %v", exitNode.Endpoint, err)
@@ -402,11 +402,17 @@ func keepSendingUDPHolePunchToMultipleExitNodes(exitNodes []ExitNode, olmID stri
 	ticker := time.NewTicker(250 * time.Millisecond)
 	defer ticker.Stop()
 
+	timeout := time.NewTimer(15 * time.Second)
+	defer timeout.Stop()
+
 	for {
 		select {
 		case <-stopHolepunch:
 			logger.Info("Stopping UDP holepunch for all exit nodes")
 			return
+		case <-timeout.C:
+			logger.Info("UDP holepunch routine timed out after 15 seconds for all exit nodes")
+			return
 		case <-ticker.C:
 			// Send hole punch to all exit nodes
 			for _, node := range resolvedNodes {
@@ -442,7 +448,7 @@ func keepSendingUDPHolePunch(endpoint string, olmID string, sourcePort uint16, s
 		return
 	}
 
-	serverAddr := host + ":21820"
+	serverAddr := net.JoinHostPort(host, "21820")
 
 	// Create the UDP connection once and reuse it
 	localAddr := &net.UDPAddr{
@@ -471,11 +477,17 @@ func keepSendingUDPHolePunch(endpoint string, olmID string, sourcePort uint16, s
 	ticker := time.NewTicker(250 * time.Millisecond)
 	defer ticker.Stop()
 
+	timeout := time.NewTimer(15 * time.Second)
+	defer timeout.Stop()
+
 	for {
 		select {
 		case <-stopHolepunch:
 			logger.Info("Stopping UDP holepunch")
 			return
+		case <-timeout.C:
+			logger.Info("UDP holepunch routine timed out after 15 seconds")
+			return
 		case <-ticker.C:
 			if err := sendUDPHolePunchWithConn(conn, remoteAddr, olmID, serverPubKey); err != nil {
 				logger.Error("Failed to send UDP hole punch: %v", err)
@@ -613,7 +625,7 @@ func ConfigurePeer(dev *device.Device, siteConfig SiteConfig, privateKey wgtypes
 	// Set up peer monitoring
 	if peerMonitor != nil {
 		monitorAddress := strings.Split(siteConfig.ServerIP, "/")[0]
-		monitorPeer := fmt.Sprintf("%s:%d", monitorAddress, siteConfig.ServerPort+1) // +1 for the monitor port
+		monitorPeer := net.JoinHostPort(monitorAddress, strconv.Itoa(int(siteConfig.ServerPort+1))) // +1 for the monitor port
 		logger.Debug("Setting up peer monitor for site %d at %s", siteConfig.SiteId, monitorPeer)
 
 		primaryRelay, err := resolveDomain(endpoint) // Using global endpoint variable

docker-compose.yml

@@ -0,0 +1,15 @@
+services:
+  olm:
+    image: fosrl/olm:latest
+    container_name: olm
+    restart: unless-stopped
+    environment:
+      - PANGOLIN_ENDPOINT=https://example.com
+      - OLM_ID=vdqnz8rwgb95cnp 
+      - OLM_SECRET=1sw05qv1tkfdb1k81zpw05nahnnjvmhxjvf746umwagddmdg 
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    network_mode: host

get-olm.sh

@@ -0,0 +1,279 @@
+#!/bin/bash
+
+# Get Olm - Cross-platform installation script
+# Usage: curl -fsSL https://raw.githubusercontent.com/fosrl/olm/refs/heads/main/get-olm.sh | bash
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# GitHub repository info
+REPO="fosrl/olm"
+GITHUB_API_URL="https://api.github.com/repos/${REPO}/releases/latest"
+
+# Function to print colored output
+print_status() {
+    echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+print_warning() {
+    echo -e "${YELLOW}[WARN]${NC} $1"
+}
+
+print_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+# Function to get latest version from GitHub API
+get_latest_version() {
+    local latest_info
+    
+    if command -v curl >/dev/null 2>&1; then
+        latest_info=$(curl -fsSL "$GITHUB_API_URL" 2>/dev/null)
+    elif command -v wget >/dev/null 2>&1; then
+        latest_info=$(wget -qO- "$GITHUB_API_URL" 2>/dev/null)
+    else
+        print_error "Neither curl nor wget is available. Please install one of them." >&2
+        exit 1
+    fi
+    
+    if [ -z "$latest_info" ]; then
+        print_error "Failed to fetch latest version information" >&2
+        exit 1
+    fi
+    
+    # Extract version from JSON response (works without jq)
+    local version=$(echo "$latest_info" | grep '"tag_name"' | head -1 | sed 's/.*"tag_name": *"\([^"]*\)".*/\1/')
+    
+    if [ -z "$version" ]; then
+        print_error "Could not parse version from GitHub API response" >&2
+        exit 1
+    fi
+    
+    # Remove 'v' prefix if present
+    version=$(echo "$version" | sed 's/^v//')
+    
+    echo "$version"
+}
+
+# Detect OS and architecture
+detect_platform() {
+    local os arch
+    
+    # Detect OS
+    case "$(uname -s)" in
+        Linux*)     os="linux" ;;
+        Darwin*)    os="darwin" ;;
+        MINGW*|MSYS*|CYGWIN*) os="windows" ;;
+        FreeBSD*)   os="freebsd" ;;
+        *)
+            print_error "Unsupported operating system: $(uname -s)"
+            exit 1
+            ;;
+    esac
+    
+    # Detect architecture
+    case "$(uname -m)" in
+        x86_64|amd64)   arch="amd64" ;;
+        arm64|aarch64)  arch="arm64" ;;
+        armv7l|armv6l)  
+            if [ "$os" = "linux" ]; then
+                if [ "$(uname -m)" = "armv6l" ]; then
+                    arch="arm32v6"
+                else
+                    arch="arm32"
+                fi
+            else
+                arch="arm64"  # Default for non-Linux ARM
+            fi
+            ;;
+        riscv64)        
+            if [ "$os" = "linux" ]; then
+                arch="riscv64"
+            else
+                print_error "RISC-V architecture only supported on Linux"
+                exit 1
+            fi
+            ;;
+        *)
+            print_error "Unsupported architecture: $(uname -m)"
+            exit 1
+            ;;
+    esac
+    
+    echo "${os}_${arch}"
+}
+
+# Get installation directory
+get_install_dir() {
+    local platform="$1"
+    
+    if [[ "$platform" == *"windows"* ]]; then
+        echo "$HOME/bin"
+    else
+        # For Unix-like systems, prioritize system-wide directories for sudo access
+        # Check in order of preference: /usr/local/bin, /usr/bin, ~/.local/bin
+        if [ -d "/usr/local/bin" ]; then
+            echo "/usr/local/bin"
+        elif [ -d "/usr/bin" ]; then
+            echo "/usr/bin"
+        else
+            # Fallback to user directory if system directories don't exist
+            echo "$HOME/.local/bin"
+        fi
+    fi
+}
+
+# Check if we need sudo for installation
+need_sudo() {
+    local install_dir="$1"
+    
+    # If installing to system directory and we don't have write permission, need sudo
+    if [[ "$install_dir" == "/usr/local/bin" || "$install_dir" == "/usr/bin" ]]; then
+        if [ ! -w "$install_dir" ] 2>/dev/null; then
+            return 0  # Need sudo
+        fi
+    fi
+    return 1  # Don't need sudo
+}
+
+# Download and install olm
+install_olm() {
+    local platform="$1"
+    local install_dir="$2"
+    local binary_name="olm_${platform}"
+    local exe_suffix=""
+    
+    # Add .exe suffix for Windows
+    if [[ "$platform" == *"windows"* ]]; then
+        binary_name="${binary_name}.exe"
+        exe_suffix=".exe"
+    fi
+    
+    local download_url="${BASE_URL}/${binary_name}"
+    local temp_file="/tmp/olm${exe_suffix}"
+    local final_path="${install_dir}/olm${exe_suffix}"
+    
+    print_status "Downloading olm from ${download_url}"
+    
+    # Download the binary
+    if command -v curl >/dev/null 2>&1; then
+        curl -fsSL "$download_url" -o "$temp_file"
+    elif command -v wget >/dev/null 2>&1; then
+        wget -q "$download_url" -O "$temp_file"
+    else
+        print_error "Neither curl nor wget is available. Please install one of them."
+        exit 1
+    fi
+    
+    # Check if we need sudo for installation
+    local use_sudo=""
+    if need_sudo "$install_dir"; then
+        print_status "Administrator privileges required for system-wide installation"
+        if command -v sudo >/dev/null 2>&1; then
+            use_sudo="sudo"
+        else
+            print_error "sudo is required for system-wide installation but not available"
+            exit 1
+        fi
+    fi
+    
+    # Create install directory if it doesn't exist
+    if [ -n "$use_sudo" ]; then
+        $use_sudo mkdir -p "$install_dir"
+    else
+        mkdir -p "$install_dir"
+    fi
+    
+    # Move binary to install directory
+    if [ -n "$use_sudo" ]; then
+        $use_sudo mv "$temp_file" "$final_path"
+        $use_sudo chmod +x "$final_path"
+    else
+        mv "$temp_file" "$final_path"
+        chmod +x "$final_path"
+    fi
+    
+    print_status "olm installed to ${final_path}"
+    
+    # Check if install directory is in PATH (only warn for non-system directories)
+    if [[ "$install_dir" != "/usr/local/bin" && "$install_dir" != "/usr/bin" ]]; then
+        if ! echo "$PATH" | grep -q "$install_dir"; then
+            print_warning "Install directory ${install_dir} is not in your PATH."
+            print_warning "Add it to your PATH by adding this line to your shell profile:"
+            print_warning "  export PATH=\"${install_dir}:\$PATH\""
+        fi
+    fi
+}
+
+# Verify installation
+verify_installation() {
+    local install_dir="$1"
+    local exe_suffix=""
+    
+    if [[ "$PLATFORM" == *"windows"* ]]; then
+        exe_suffix=".exe"
+    fi
+    
+    local olm_path="${install_dir}/olm${exe_suffix}"
+    
+    if [ -f "$olm_path" ] && [ -x "$olm_path" ]; then
+        print_status "Installation successful!"
+        print_status "olm version: $("$olm_path" --version 2>/dev/null || echo "unknown")"
+        return 0
+    else
+        print_error "Installation failed. Binary not found or not executable."
+        return 1
+    fi
+}
+
+# Main installation process
+main() {
+    print_status "Installing latest version of olm..."
+    
+    # Get latest version
+    print_status "Fetching latest version from GitHub..."
+    VERSION=$(get_latest_version)
+    print_status "Latest version: v${VERSION}"
+    
+    # Set base URL with the fetched version
+    BASE_URL="https://github.com/${REPO}/releases/download/${VERSION}"
+    
+    # Detect platform
+    PLATFORM=$(detect_platform)
+    print_status "Detected platform: ${PLATFORM}"
+    
+    # Get install directory
+    INSTALL_DIR=$(get_install_dir "$PLATFORM")
+    print_status "Install directory: ${INSTALL_DIR}"
+    
+    # Inform user about system-wide installation
+    if [[ "$INSTALL_DIR" == "/usr/local/bin" || "$INSTALL_DIR" == "/usr/bin" ]]; then
+        print_status "Installing system-wide for sudo access"
+    fi
+    
+    # Install olm
+    install_olm "$PLATFORM" "$INSTALL_DIR"
+    
+    # Verify installation
+    if verify_installation "$INSTALL_DIR"; then
+        print_status "olm is ready to use!"
+        if [[ "$INSTALL_DIR" == "/usr/local/bin" || "$INSTALL_DIR" == "/usr/bin" ]]; then
+            print_status "olm is installed system-wide and accessible via sudo"
+        fi
+        if [[ "$PLATFORM" == *"windows"* ]]; then
+            print_status "Run 'olm --help' to get started"
+        else
+            print_status "Run 'olm --help' or 'sudo olm --help' to get started"
+        fi
+    else
+        exit 1
+    fi
+}
+
+# Run main function
+main "$@"

go.mod

@@ -1,22 +1,51 @@
 module github.com/fosrl/olm
 
-go 1.24
+go 1.25
 
 require (
-	github.com/fosrl/newt v0.0.0-20250730062419-3ccd755d557a
+	github.com/fosrl/newt v0.0.0-20250929233849-71c5bf7e65f7
 	github.com/vishvananda/netlink v1.3.1
-	golang.org/x/crypto v0.41.0
+	golang.org/x/crypto v0.42.0
 	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792
-	golang.org/x/sys v0.35.0
+	golang.org/x/sys v0.36.0
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 )
 
 require (
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/docker v28.4.0+incompatible // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/gopacket v1.1.19 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
+	github.com/josharian/native v1.1.0 // indirect
+	github.com/mdlayher/genetlink v1.3.2 // indirect
+	github.com/mdlayher/netlink v1.7.2 // indirect
+	github.com/mdlayher/socket v0.5.1 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
-	golang.org/x/net v0.42.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
+	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	golang.org/x/net v0.44.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gvisor.dev/gvisor v0.0.0-20250718192347-d7830d968c56 // indirect
 	software.sslmate.com/src/go-pkcs12 v0.6.0 // indirect
 )

go.sum

@@ -1,33 +1,103 @@
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/docker v28.4.0+incompatible h1:KVC7bz5zJY/4AZe/78BIvCnPsLaC9T/zh72xnlrTTOk=
+github.com/docker/docker v28.4.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
+github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fosrl/newt v0.0.0-20250730062419-3ccd755d557a h1:bUGN4piHlcqgfdRLrwqiLZZxgcitzBzNDQS1+CHSmJI=
 github.com/fosrl/newt v0.0.0-20250730062419-3ccd755d557a/go.mod h1:PbiPYp1hbL07awrmbqTSTz7lTenieTHN6cIkUVCGD3I=
+github.com/fosrl/newt v0.0.0-20250929233849-71c5bf7e65f7 h1:6bSU8Efyhx1SR53iSw1Wjk5V8vDfizGAudq/GlE9b+o=
+github.com/fosrl/newt v0.0.0-20250929233849-71c5bf7e65f7/go.mod h1:Ac0k2FmAMC+hu21rAK+p7EnnEGrqKO/QZuGTVHA/XDM=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
+github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
+github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
+github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
+github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
+github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
+github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
+github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
 github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
 github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
 github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
+go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
+go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
+go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
+go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
+go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
+go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
+golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
 golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
 golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
-golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
-golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=
+golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=
 golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 h1:3GDAcqdIg1ozBNLgPy4SLT84nfcBjr6rhGtXYtrkWLU=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10/go.mod h1:T97yPqesLiNrOYxkwmhMI0ZIlJDm+p0PMR8eRVeR5tQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gvisor.dev/gvisor v0.0.0-20250718192347-d7830d968c56 h1:H+qymc2ndLKNFR5TcaPmsHGiJnhJMqeofBYSRq4oG3c=
 gvisor.dev/gvisor v0.0.0-20250718192347-d7830d968c56/go.mod h1:i8iCZyAdwRnLZYaIi2NUL1gfNtAveqxkKAe0JfAv9Bs=
 software.sslmate.com/src/go-pkcs12 v0.6.0 h1:f3sQittAeF+pao32Vb+mkli+ZyT+VwKaD014qFGq6oU=

main.go

@@ -10,10 +10,12 @@ import (
 	"os/signal"
 	"runtime"
 	"strconv"
+	"strings"
 	"syscall"
 	"time"
 
 	"github.com/fosrl/newt/logger"
+	"github.com/fosrl/newt/updates"
 	"github.com/fosrl/newt/websocket"
 	"github.com/fosrl/olm/httpserver"
 	"github.com/fosrl/olm/peermonitor"
@@ -25,6 +27,33 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
+// Helper function to format endpoints correctly
+func formatEndpoint(endpoint string) string {
+	if endpoint == "" {
+		return ""
+	}
+	// Check if it's already a valid host:port that SplitHostPort can parse (e.g., [::1]:8080 or 1.2.3.4:8080)
+	_, _, err := net.SplitHostPort(endpoint)
+	if err == nil {
+		return endpoint // Already valid, no change needed
+	}
+
+	// If it failed, it might be our malformed "ipv6:port" string. Let's check and fix it.
+	lastColon := strings.LastIndex(endpoint, ":")
+	if lastColon > 0 { // Ensure there is a colon and it's not the first character
+		hostPart := endpoint[:lastColon]
+		// Check if the host part is a literal IPv6 address
+		if ip := net.ParseIP(hostPart); ip != nil && ip.To4() == nil {
+			// It is! Reformat it with brackets.
+			portPart := endpoint[lastColon+1:]
+			return fmt.Sprintf("[%s]:%s", hostPart, portPart)
+		}
+	}
+
+	// If it's not the specific malformed case, return it as is.
+	return endpoint
+}
+
 func main() {
 	// Check if we're running as a Windows service
 	if isWindowsService() {
@@ -34,8 +63,15 @@ func main() {
 	}
 
 	// Handle service management commands on Windows
-	if runtime.GOOS == "windows" && len(os.Args) > 1 {
-		switch os.Args[1] {
+	if runtime.GOOS == "windows" {
+		var command string
+		if len(os.Args) > 1 {
+			command = os.Args[1]
+		} else {
+			command = "default"
+		}
+
+		switch command {
 		case "install":
 			err := installService()
 			if err != nil {
@@ -109,15 +145,27 @@ func main() {
 				os.Exit(1)
 			}
 			return
+		case "config":
+			if runtime.GOOS == "windows" {
+				showServiceConfig()
+			} else {
+				fmt.Println("Service configuration is only available on Windows")
+			}
+			return
 		case "help", "--help", "-h":
 			fmt.Println("Olm WireGuard VPN Client")
 			fmt.Println("\nWindows Service Management:")
 			fmt.Println("  install     Install the service")
 			fmt.Println("  remove      Remove the service")
-			fmt.Println("  start       Start the service")
+			fmt.Println("  start [args]   Start the service with optional arguments")
 			fmt.Println("  stop        Stop the service")
 			fmt.Println("  status      Show service status")
-			fmt.Println("  debug       Run service in debug mode")
+			fmt.Println("  debug [args]   Run service in debug mode with optional arguments")
+			fmt.Println("  logs        Tail the service log file")
+			fmt.Println("  config      Show current service configuration")
+			fmt.Println("\nExamples:")
+			fmt.Println("  olm start --enable-http --http-addr :9452")
+			fmt.Println("  olm debug --endpoint https://example.com --id myid --secret mysecret")
 			fmt.Println("\nFor console mode, run without arguments or with standard flags.")
 			return
 		default:
@@ -290,6 +338,10 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 		logger.Info("Olm version " + olmVersion)
 	}
 
+	if err := updates.CheckForUpdate("fosrl", "olm", olmVersion); err != nil {
+		logger.Debug("Failed to check for updates: %v", err)
+	}
+
 	// Log startup information
 	logger.Debug("Olm service starting...")
 	logger.Debug("Parameters: endpoint='%s', id='%s', secret='%s'", endpoint, id, secret)
@@ -373,6 +425,22 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 	// 	}
 	// }
 
+	// Create a new olm
+	olm, err := websocket.NewClient(
+		"olm",
+		id,     // CLI arg takes precedence
+		secret, // CLI arg takes precedence
+		endpoint,
+		pingInterval,
+		pingTimeout,
+	)
+	if err != nil {
+		logger.Fatal("Failed to create olm: %v", err)
+	}
+	endpoint = olm.GetConfig().Endpoint // Update endpoint from config
+	id = olm.GetConfig().ID             // Update ID from config
+	secret = olm.GetConfig().Secret     // Update secret from config
+
 	// wait until we have a client id and secret and endpoint
 	waitCount := 0
 	for id == "" || secret == "" || endpoint == "" {
@@ -410,21 +478,6 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 		logger.Fatal("Failed to generate private key: %v", err)
 	}
 
-	// Create a new olm
-	olm, err := websocket.NewClient(
-		"olm",
-		id,     // CLI arg takes precedence
-		secret, // CLI arg takes precedence
-		endpoint,
-		pingInterval,
-		pingTimeout,
-	)
-	if err != nil {
-		logger.Fatal("Failed to create olm: %v", err)
-	}
-	endpoint = olm.GetConfig().Endpoint // Update endpoint from config
-	id = olm.GetConfig().ID             // Update ID from config
-
 	// Create TUN device and network stack
 	var dev *device.Device
 	var wgData WgData
@@ -498,29 +551,6 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 		go keepSendingUDPHolePunch(legacyHolePunchData.Endpoint, id, sourcePort, legacyHolePunchData.ServerPubKey)
 	})
 
-	olm.RegisterHandler("olm/wg/holepunch/all", func(msg websocket.WSMessage) {
-		logger.Debug("Received message: %v", msg.Data)
-
-		jsonData, err := json.Marshal(msg.Data)
-		if err != nil {
-			logger.Info("Error marshaling data: %v", err)
-			return
-		}
-
-		if err := json.Unmarshal(jsonData, &holePunchData); err != nil {
-			logger.Info("Error unmarshaling target data: %v", err)
-			return
-		}
-
-		// Create a new stopHolepunch channel for the new set of goroutines
-		stopHolepunch = make(chan struct{})
-
-		// Start a single hole punch goroutine for all exit nodes
-		logger.Info("Starting hole punch for %d exit nodes", len(holePunchData.ExitNodes))
-		go keepSendingUDPHolePunchToMultipleExitNodes(holePunchData.ExitNodes, id, sourcePort)
-	})
-
-	// Register handlers for different message types
 	olm.RegisterHandler("olm/wg/connect", func(msg websocket.WSMessage) {
 		logger.Debug("Received message: %v", msg.Data)
 
@@ -537,7 +567,8 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 		close(stopHolepunch)
 
 		// wait 10 milliseconds to ensure the previous connection is closed
-		time.Sleep(10 * time.Millisecond)
+		logger.Debug("Waiting 500 milliseconds to ensure previous connection is closed")
+		time.Sleep(500 * time.Millisecond)
 
 		// if there is an existing tunnel then close it
 		if dev != nil {
@@ -557,9 +588,6 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 		}
 
 		tdev, err = func() (tun.Device, error) {
-			tunFdStr := os.Getenv(ENV_WG_TUN_FD)
-
-			// if on macOS, call findUnusedUTUN to get a new utun device
 			if runtime.GOOS == "darwin" {
 				interfaceName, err := findUnusedUTUN()
 				if err != nil {
@@ -567,12 +595,10 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 				}
 				return tun.CreateTUN(interfaceName, mtuInt)
 			}
-
-			if tunFdStr == "" {
-				return tun.CreateTUN(interfaceName, mtuInt)
+			if tunFdStr := os.Getenv(ENV_WG_TUN_FD); tunFdStr != "" {
+				return createTUNFromFD(tunFdStr, mtuInt)
 			}
-
-			return createTUNFromFD(tunFdStr, mtuInt)
+			return tun.CreateTUN(interfaceName, mtuInt)
 		}()
 
 		if err != nil {
@@ -580,26 +606,19 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 			return
 		}
 
-		realInterfaceName, err2 := tdev.Name()
-		if err2 == nil {
+		if realInterfaceName, err2 := tdev.Name(); err2 == nil {
 			interfaceName = realInterfaceName
 		}
 
-		// open UAPI file (or use supplied fd)
 		fileUAPI, err := func() (*os.File, error) {
-			uapiFdStr := os.Getenv(ENV_WG_UAPI_FD)
-			if uapiFdStr == "" {
-				return uapiOpen(interfaceName)
+			if uapiFdStr := os.Getenv(ENV_WG_UAPI_FD); uapiFdStr != "" {
+				fd, err := strconv.ParseUint(uapiFdStr, 10, 32)
+				if err != nil {
+					return nil, err
+				}
+				return os.NewFile(uintptr(fd), ""), nil
 			}
-
-			// use supplied fd
-
-			fd, err := strconv.ParseUint(uapiFdStr, 10, 32)
-			if err != nil {
-				return nil, err
-			}
-
-			return os.NewFile(uintptr(fd), ""), nil
+			return uapiOpen(interfaceName)
 		}()
 		if err != nil {
 			logger.Error("UAPI listen error: %v", err)
@@ -607,12 +626,7 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 			return
 		}
 
-		dev = device.NewDevice(tdev, NewFixedPortBind(uint16(sourcePort)), device.NewLogger(
-			mapToWireGuardLogLevel(loggerLevel),
-			"wireguard: ",
-		))
-
-		errs := make(chan error)
+		dev = device.NewDevice(tdev, NewFixedPortBind(uint16(sourcePort)), device.NewLogger(mapToWireGuardLogLevel(loggerLevel), "wireguard: "))
 
 		uapiListener, err = uapiListen(interfaceName, fileUAPI)
 		if err != nil {
@@ -624,28 +638,19 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 			for {
 				conn, err := uapiListener.Accept()
 				if err != nil {
-					errs <- err
 					return
 				}
 				go dev.IpcHandle(conn)
 			}
 		}()
-
 		logger.Info("UAPI listener started")
 
-		// Bring up the device
-		err = dev.Up()
-		if err != nil {
+		if err = dev.Up(); err != nil {
 			logger.Error("Failed to bring up WireGuard device: %v", err)
 		}
-
-		// configure the interface
-		err = ConfigureInterface(realInterfaceName, wgData)
-		if err != nil {
+		if err = ConfigureInterface(interfaceName, wgData); err != nil {
 			logger.Error("Failed to configure interface: %v", err)
 		}
-
-		// Set tunnel IP in HTTP server
 		if httpServer != nil {
 			httpServer.SetTunnelIP(wgData.TunnelIP)
 		}
@@ -679,24 +684,23 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 			doHolepunch,
 		)
 
-		// loop over the sites and call ConfigurePeer for each one
-		for _, site := range wgData.Sites {
+		for i := range wgData.Sites {
+			site := &wgData.Sites[i] // Use a pointer to modify the struct in the slice
 			if httpServer != nil {
 				httpServer.UpdatePeerStatus(site.SiteId, false, 0, site.Endpoint, false)
 			}
-			err = ConfigurePeer(dev, site, privateKey, endpoint)
-			if err != nil {
+
+			// Format the endpoint before configuring the peer.
+			site.Endpoint = formatEndpoint(site.Endpoint)
+
+			if err := ConfigurePeer(dev, *site, privateKey, endpoint); err != nil {
 				logger.Error("Failed to configure peer: %v", err)
 				return
 			}
-
-			err = addRouteForServerIP(site.ServerIP, interfaceName)
-			if err != nil {
+			if err := addRouteForServerIP(site.ServerIP, interfaceName); err != nil {
 				logger.Error("Failed to add route for peer: %v", err)
 				return
 			}
-
-			// Add routes for remote subnets
 			if err := addRoutesForRemoteSubnets(site.RemoteSubnets, interfaceName); err != nil {
 				logger.Error("Failed to add routes for remote subnets: %v", err)
 				return
@@ -739,18 +743,31 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 
 		// Update the peer in WireGuard
 		if dev != nil {
-			// Find the existing peer to get old RemoteSubnets
+			// Find the existing peer to get old data
 			var oldRemoteSubnets string
+			var oldPublicKey string
 			for _, site := range wgData.Sites {
 				if site.SiteId == updateData.SiteId {
 					oldRemoteSubnets = site.RemoteSubnets
+					oldPublicKey = site.PublicKey
 					break
 				}
 			}
 
+			// If the public key has changed, remove the old peer first
+			if oldPublicKey != "" && oldPublicKey != updateData.PublicKey {
+				logger.Info("Public key changed for site %d, removing old peer with key %s", updateData.SiteId, oldPublicKey)
+				if err := RemovePeer(dev, updateData.SiteId, oldPublicKey); err != nil {
+					logger.Error("Failed to remove old peer: %v", err)
+					return
+				}
+			}
+
+			// Format the endpoint before updating the peer.
+			siteConfig.Endpoint = formatEndpoint(siteConfig.Endpoint)
+
 			if err := ConfigurePeer(dev, siteConfig, privateKey, endpoint); err != nil {
 				logger.Error("Failed to update peer: %v", err)
-				// Send error response if needed
 				return
 			}
 
@@ -770,9 +787,8 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 
 			// Update successful
 			logger.Info("Successfully updated peer for site %d", updateData.SiteId)
-			// If this is part of a WgData structure, update it
-			for i, site := range wgData.Sites {
-				if site.SiteId == updateData.SiteId {
+			for i := range wgData.Sites {
+				if wgData.Sites[i].SiteId == updateData.SiteId {
 					wgData.Sites[i] = siteConfig
 					break
 				}
@@ -810,19 +826,17 @@ func runOlmMainWithArgs(ctx context.Context, args []string) {
 
 		// Add the peer to WireGuard
 		if dev != nil {
+			// Format the endpoint before adding the new peer.
+			siteConfig.Endpoint = formatEndpoint(siteConfig.Endpoint)
+
 			if err := ConfigurePeer(dev, siteConfig, privateKey, endpoint); err != nil {
 				logger.Error("Failed to add peer: %v", err)
 				return
 			}
-
-			// Add route for the new peer
-			err = addRouteForServerIP(siteConfig.ServerIP, interfaceName)
-			if err != nil {
+			if err := addRouteForServerIP(siteConfig.ServerIP, interfaceName); err != nil {
 				logger.Error("Failed to add route for new peer: %v", err)
 				return
 			}
-
-			// Add routes for remote subnets
 			if err := addRoutesForRemoteSubnets(siteConfig.RemoteSubnets, interfaceName); err != nil {
 				logger.Error("Failed to add routes for remote subnets: %v", err)
 				return

olm.iss

@@ -0,0 +1,88 @@
+; Script generated by the Inno Setup Script Wizard.
+; SEE THE DOCUMENTATION FOR DETAILS ON CREATING INNO SETUP SCRIPT FILES!
+
+#define MyAppName "olm"
+#define MyAppVersion "1.0.0"
+#define MyAppPublisher "Fossorial Inc."
+#define MyAppURL "https://fossorial.io"
+#define MyAppExeName "olm.exe"
+
+[Setup]
+; NOTE: The value of AppId uniquely identifies this application. Do not use the same AppId value in installers for other applications.
+; (To generate a new GUID, click Tools | Generate GUID inside the IDE.)
+AppId={{44A24E4C-B616-476F-ADE7-8D56B930959E}
+AppName={#MyAppName}
+AppVersion={#MyAppVersion}
+;AppVerName={#MyAppName} {#MyAppVersion}
+AppPublisher={#MyAppPublisher}
+AppPublisherURL={#MyAppURL}
+AppSupportURL={#MyAppURL}
+AppUpdatesURL={#MyAppURL}
+DefaultDirName={autopf}\{#MyAppName}
+UninstallDisplayIcon={app}\{#MyAppExeName}
+; "ArchitecturesAllowed=x64compatible" specifies that Setup cannot run
+; on anything but x64 and Windows 11 on Arm.
+ArchitecturesAllowed=x64compatible
+; "ArchitecturesInstallIn64BitMode=x64compatible" requests that the
+; install be done in "64-bit mode" on x64 or Windows 11 on Arm,
+; meaning it should use the native 64-bit Program Files directory and
+; the 64-bit view of the registry.
+ArchitecturesInstallIn64BitMode=x64compatible
+DefaultGroupName={#MyAppName}
+DisableProgramGroupPage=yes
+; Uncomment the following line to run in non administrative install mode (install for current user only).
+;PrivilegesRequired=lowest
+OutputBaseFilename=mysetup
+SolidCompression=yes
+WizardStyle=modern
+; Add this to ensure PATH changes are applied and the system is prompted for a restart if needed
+RestartIfNeededByRun=no
+ChangesEnvironment=true
+
+[Languages]
+Name: "english"; MessagesFile: "compiler:Default.isl"
+
+[Files]
+; The 'DestName' flag ensures that 'olm_windows_amd64.exe' is installed as 'olm.exe'
+Source: "C:\Users\Administrator\Downloads\olm_windows_amd64.exe"; DestDir: "{app}"; DestName: "{#MyAppExeName}"; Flags: ignoreversion
+Source: "C:\Users\Administrator\Downloads\wintun.dll"; DestDir: "{app}"; Flags: ignoreversion
+; NOTE: Don't use "Flags: ignoreversion" on any shared system files
+
+[Icons]
+Name: "{group}\{#MyAppName}"; Filename: "{app}\{#MyAppExeName}"
+
+[Registry]
+; Add the application's installation directory to the system PATH environment variable.
+; HKLM (HKEY_LOCAL_MACHINE) is used for system-wide changes.
+; The 'Path' variable is located under 'SYSTEM\CurrentControlSet\Control\Session Manager\Environment'.
+; ValueType: expandsz allows for environment variables (like %ProgramFiles%) in the path.
+; ValueData: "{olddata};{app}" appends the current application directory to the existing PATH.
+; Flags: uninsdeletevalue ensures the entry is removed upon uninstallation.
+; Check: IsWin64 ensures this is applied on 64-bit systems, which matches ArchitecturesAllowed.
+[Registry]
+; Add the application's installation directory to the system PATH.
+Root: HKLM; Subkey: "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"; \
+    ValueType: expandsz; ValueName: "Path"; ValueData: "{olddata};{app}"; \
+    Flags: uninsdeletevalue; Check: NeedsAddPath(ExpandConstant('{app}'))
+
+[Code]
+function NeedsAddPath(Path: string): boolean;
+var
+  OrigPath: string;
+begin
+  if not RegQueryStringValue(HKEY_LOCAL_MACHINE,
+    'SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
+    'Path', OrigPath)
+  then begin
+    // Path variable doesn't exist at all, so we definitely need to add it.
+    Result := True;
+    exit;
+  end;
+  
+  // Perform a case-insensitive check to see if the path is already present.
+  // We add semicolons to prevent partial matches (e.g., matching C:\App in C:\App2).
+  if Pos(';' + UpperCase(Path) + ';', ';' + UpperCase(OrigPath) + ';') > 0 then
+    Result := False
+  else
+    Result := True;
+end;

peermonitor/peermonitor.go

@@ -3,6 +3,7 @@ package peermonitor
 import (
 	"context"
 	"fmt"
+	"strings"
 	"sync"
 	"time"
 
@@ -204,12 +205,18 @@ func (pm *PeerMonitor) HandleFailover(siteID int, relayEndpoint string) {
 		return
 	}
 
+    // Check for IPv6 and format the endpoint correctly
+    formattedEndpoint := relayEndpoint
+    if strings.Contains(relayEndpoint, ":") {
+        formattedEndpoint = fmt.Sprintf("[%s]", relayEndpoint)
+    }
+
 	// Configure WireGuard to use the relay
 	wgConfig := fmt.Sprintf(`private_key=%s
 public_key=%s
 allowed_ip=%s/32
 endpoint=%s:21820
-persistent_keepalive_interval=1`, pm.privateKey, config.PublicKey, config.ServerIP, relayEndpoint)
+persistent_keepalive_interval=1`, pm.privateKey, config.PublicKey, config.ServerIP, formattedEndpoint)
 
 	err := pm.device.IpcSet(wgConfig)
 	if err != nil {

service_unix.go

@@ -48,3 +48,7 @@ func setupWindowsEventLog() {
 func watchLogFile(end bool) error {
 	return fmt.Errorf("watching log file is only available on Windows")
 }
+
+func showServiceConfig() {
+	fmt.Println("Service configuration is only available on Windows")
+}

service_windows.go

@@ -11,6 +11,7 @@ import (
 	"os"
 	"os/signal"
 	"path/filepath"
+	"strings"
 	"syscall"
 	"time"
 
@@ -69,12 +70,6 @@ func loadServiceArgs() ([]string, error) {
 		return nil, fmt.Errorf("failed to read service args: %v", err)
 	}
 
-	// delete the file after reading
-	err = os.Remove(argsPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to delete service args file: %v", err)
-	}
-
 	var args []string
 	err = json.Unmarshal(data, &args)
 	if err != nil {
@@ -95,7 +90,7 @@ func (s *olmService) Execute(args []string, r <-chan svc.ChangeRequest, changes
 	const cmdsAccepted = svc.AcceptStop | svc.AcceptShutdown
 	changes <- svc.Status{State: svc.StartPending}
 
-	s.elog.Info(1, "Service Execute called, starting main logic")
+	s.elog.Info(1, fmt.Sprintf("Service Execute called with args: %v", args))
 
 	// Load saved service arguments
 	savedArgs, err := loadServiceArgs()
@@ -104,7 +99,24 @@ func (s *olmService) Execute(args []string, r <-chan svc.ChangeRequest, changes
 		// Continue with empty args if loading fails
 		savedArgs = []string{}
 	}
-	s.args = savedArgs
+
+	// Combine service start args with saved args, giving priority to service start args
+	finalArgs := []string{}
+	if len(args) > 0 {
+		// Skip the first arg which is typically the service name
+		if len(args) > 1 {
+			finalArgs = append(finalArgs, args[1:]...)
+		}
+		s.elog.Info(1, fmt.Sprintf("Using service start parameters: %v", finalArgs))
+	}
+
+	// If no service start parameters, use saved args
+	if len(finalArgs) == 0 && len(savedArgs) > 0 {
+		finalArgs = savedArgs
+		s.elog.Info(1, fmt.Sprintf("Using saved service args: %v", finalArgs))
+	}
+
+	s.args = finalArgs
 
 	// Start the main olm functionality
 	olmDone := make(chan struct{})
@@ -309,7 +321,7 @@ func removeService() error {
 }
 
 func startService(args []string) error {
-	// Save the service arguments before starting
+	// Save the service arguments as backup
 	if len(args) > 0 {
 		err := saveServiceArgs(args)
 		if err != nil {
@@ -329,7 +341,8 @@ func startService(args []string) error {
 	}
 	defer s.Close()
 
-	err = s.Start()
+	// Pass arguments directly to the service start call
+	err = s.Start(args...)
 	if err != nil {
 		return fmt.Errorf("failed to start service: %v", err)
 	}
@@ -379,17 +392,12 @@ func debugService(args []string) error {
 		}
 	}
 
-	// fmt.Printf("Starting service in debug mode...\n")
-
-	// Start the service
-	err := startService([]string{}) // Pass empty args since we already saved them
+	// Start the service with the provided arguments
+	err := startService(args)
 	if err != nil {
 		return fmt.Errorf("failed to start service: %v", err)
 	}
 
-	// fmt.Printf("Service started. Watching logs (Press Ctrl+C to stop watching)...\n")
-	// fmt.Printf("================================================================================\n")
-
 	// Watch the log file
 	return watchLogFile(true)
 }
@@ -509,11 +517,89 @@ func getServiceStatus() (string, error) {
 	}
 }
 
+// showServiceConfig displays current saved service configuration
+func showServiceConfig() {
+	configPath := getServiceArgsPath()
+	fmt.Printf("Service configuration file: %s\n", configPath)
+
+	args, err := loadServiceArgs()
+	if err != nil {
+		fmt.Printf("No saved configuration found or error loading: %v\n", err)
+		return
+	}
+
+	if len(args) == 0 {
+		fmt.Println("No saved service arguments found")
+	} else {
+		fmt.Printf("Saved service arguments: %v\n", args)
+	}
+}
+
 func isWindowsService() bool {
 	isWindowsService, err := svc.IsWindowsService()
 	return err == nil && isWindowsService
 }
 
+// rotateLogFile handles daily log rotation
+func rotateLogFile(logDir string, logFile string) error {
+	// Get current log file info
+	info, err := os.Stat(logFile)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil // No current log file to rotate
+		}
+		return fmt.Errorf("failed to stat log file: %v", err)
+	}
+
+	// Check if log file is from today
+	now := time.Now()
+	fileTime := info.ModTime()
+
+	// If the log file is from today, no rotation needed
+	if now.Year() == fileTime.Year() && now.YearDay() == fileTime.YearDay() {
+		return nil
+	}
+
+	// Create rotated filename with date
+	rotatedName := fmt.Sprintf("olm-%s.log", fileTime.Format("2006-01-02"))
+	rotatedPath := filepath.Join(logDir, rotatedName)
+
+	// Rename current log file to dated filename
+	err = os.Rename(logFile, rotatedPath)
+	if err != nil {
+		return fmt.Errorf("failed to rotate log file: %v", err)
+	}
+
+	// Clean up old log files (keep last 30 days)
+	cleanupOldLogFiles(logDir, 30)
+
+	return nil
+}
+
+// cleanupOldLogFiles removes log files older than specified days
+func cleanupOldLogFiles(logDir string, daysToKeep int) {
+	cutoff := time.Now().AddDate(0, 0, -daysToKeep)
+
+	files, err := os.ReadDir(logDir)
+	if err != nil {
+		return
+	}
+
+	for _, file := range files {
+		if !file.IsDir() && strings.HasPrefix(file.Name(), "olm-") && strings.HasSuffix(file.Name(), ".log") {
+			filePath := filepath.Join(logDir, file.Name())
+			info, err := file.Info()
+			if err != nil {
+				continue
+			}
+
+			if info.ModTime().Before(cutoff) {
+				os.Remove(filePath)
+			}
+		}
+	}
+}
+
 func setupWindowsEventLog() {
 	// Create log directory if it doesn't exist
 	logDir := filepath.Join(os.Getenv("PROGRAMDATA"), "olm", "logs")
@@ -524,6 +610,14 @@ func setupWindowsEventLog() {
 	}
 
 	logFile := filepath.Join(logDir, "olm.log")
+
+	// Rotate log file if needed
+	err = rotateLogFile(logDir, logFile)
+	if err != nil {
+		fmt.Printf("Failed to rotate log file: %v\n", err)
+		// Continue anyway to create new log file
+	}
+
 	file, err := os.OpenFile(logFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0666)
 	if err != nil {
 		fmt.Printf("Failed to open log file: %v\n", err)