Dont run on v tags

Former-commit-id: 69a00b6231

.github/workflows/cicd.yml

@@ -11,7 +11,9 @@ permissions:
 on:
   push:
     tags:
-      - "*"
+      - "[0-9]+.[0-9]+.[0-9]+"
+      - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+
   workflow_dispatch:
     inputs:
       version:
@@ -273,7 +275,7 @@ jobs:
           tags: |
             type=semver,pattern={{version}},value=${{ env.TAG }}
             type=semver,pattern={{major}}.{{minor}},value=${{ env.TAG }},enable=${{ env.PUBLISH_MINOR == 'true' && env.IS_RC != 'true' }}
-            type=raw,value=latest,enable=${{ env.PUBLISH_LATEST == 'true' && env.IS_RC != 'true' }}
+            type=raw,value=latest,enable=${{ env.IS_RC != 'true' }}
           flavor: |
             latest=false
           labels: |
@@ -586,28 +588,28 @@ jobs:
       #     sarif_file: trivy-ghcr.sarif
       #     category: Image Vulnerability Scan
 
-      # - name: Build binaries
-      #   env:
-      #     CGO_ENABLED: "0"
-      #     GOFLAGS: "-trimpath"
-      #   run: |
-      #     set -euo pipefail
-      #     TAG_VAR="${TAG}"
-      #     make go-build-release tag=$TAG_VAR
-      #   shell: bash
+      - name: Build binaries
+        env:
+          CGO_ENABLED: "0"
+          GOFLAGS: "-trimpath"
+        run: |
+          set -euo pipefail
+          TAG_VAR="${TAG}"
+          make go-build-release tag=$TAG_VAR
+        shell: bash
 
-      # - name: Create GitHub Release
-      #   uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
-      #   with:
-      #     tag_name: ${{ env.TAG }}
-      #     generate_release_notes: true
-      #     prerelease: ${{ env.IS_RC == 'true' }}
-      #     files: |
-      #       bin/*
-      #     fail_on_unmatched_files: true
-      #     draft: true
-      #     body: |
-      #       ## Container Images
-      #       - GHCR: `${{ env.GHCR_REF }}`
-      #       - Docker Hub: `${{ env.DH_REF || 'N/A' }}`
-      #       **Digest:** `${{ steps.build.outputs.digest }}`
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
+        with:
+          tag_name: ${{ env.TAG }}
+          generate_release_notes: true
+          prerelease: ${{ env.IS_RC == 'true' }}
+          files: |
+            bin/*
+          fail_on_unmatched_files: true
+          draft: true
+          body: |
+            ## Container Images
+            - GHCR: `${{ env.GHCR_REF }}`
+            - Docker Hub: `${{ env.DH_REF || 'N/A' }}`
+            **Digest:** `${{ steps.build.outputs.digest }}`

.github/workflows/test.yml

@@ -11,24 +11,15 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
-
-      - name: Clone fosrl/newt
-        uses: actions/checkout@v6
-        with:
-          repository: fosrl/newt
-          path: ../newt
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version: 1.25
 
-      - name: Build go
-        run: go build
-
-      - name: Build Docker image
-        run: make build
-
       - name: Build binaries
         run: make go-build-release
+
+      - name: Build Docker image
+        run: make docker-build-release

Makefile

@@ -1,20 +1,58 @@
+.PHONY: all local docker-build-release
 
-all: local 
+all: local
+
+local:
+	CGO_ENABLED=0 go build -o ./bin/olm
 
 docker-build-release:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make docker-build-release tag=<tag>"; \
 		exit 1; \
 	fi
-	docker buildx build --platform linux/arm/v7,linux/arm64,linux/amd64 -t fosrl/olm:latest -f Dockerfile --push .
-	docker buildx build --platform linux/arm/v7,linux/arm64,linux/amd64 -t fosrl/olm:$(tag) -f Dockerfile --push .
+	docker buildx build . \
+		--platform linux/arm/v7,linux/arm64,linux/amd64 \
+		-t fosrl/olm:latest \
+		-t fosrl/olm:$(tag) \
+		-f Dockerfile \
+		--push
 
-local: 
-	CGO_ENABLED=0 go build -o bin/olm
+.PHONY: go-build-release \
+        go-build-release-linux-arm64 go-build-release-linux-arm32-v7 \
+        go-build-release-linux-arm32-v6 go-build-release-linux-amd64 \
+        go-build-release-linux-riscv64 go-build-release-darwin-arm64 \
+        go-build-release-darwin-amd64 go-build-release-windows-amd64
 
-go-build-release:
+go-build-release: \
+    go-build-release-linux-arm64 \
+    go-build-release-linux-arm32-v7 \
+    go-build-release-linux-arm32-v6 \
+    go-build-release-linux-amd64 \
+    go-build-release-linux-riscv64 \
+    go-build-release-darwin-arm64 \
+    go-build-release-darwin-amd64 \
+    go-build-release-windows-amd64 \
+
+go-build-release-linux-arm64:
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/olm_linux_arm64
+
+go-build-release-linux-arm32-v7:
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -o bin/olm_linux_arm32
+
+go-build-release-linux-arm32-v6:
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -o bin/olm_linux_arm32v6
+
+go-build-release-linux-amd64:
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/olm_linux_amd64
+
+go-build-release-linux-riscv64:
+	CGO_ENABLED=0 GOOS=linux GOARCH=riscv64 go build -o bin/olm_linux_riscv64
+
+go-build-release-darwin-arm64:
 	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o bin/olm_darwin_arm64
+
+go-build-release-darwin-amd64:
 	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o bin/olm_darwin_amd64
-	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o bin/olm_windows_amd64.exe
+
+go-build-release-windows-amd64:
+	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o bin/olm_windows_amd64.exe

README.md

@@ -20,13 +20,7 @@ When Olm receives WireGuard control messages, it will use the information encode
 
 ## Hole Punching
 
-In the default mode, olm uses both relaying through Gerbil and NAT hole punching to connect to newt. If you want to disable hole punching, use the `--disable-holepunch` flag. Hole punching attempts to orchestrate a NAT hole punch between the two sites so that traffic flows directly, which can save data costs and improve speed. If hole punching fails, traffic will fall back to relaying through Gerbil.
-
-Right now, basic NAT hole punching is supported. We plan to add:
-
--   [ ] Birthday paradox
--   [ ] UPnP
--   [ ] LAN detection
+In the default mode, olm uses both relaying through Gerbil and NAT hole punching to connect to Newt. Hole punching attempts to orchestrate a NAT traversal between the two sites so that traffic flows directly, which can save data costs and improve speed. If hole punching fails, traffic will fall back to relaying through Gerbil.
 
 ## Build
 

config.go

@@ -43,6 +43,7 @@ type OlmConfig struct {
 	DisableHolepunch bool   `json:"disableHolepunch"`
 	TlsClientCert    string `json:"tlsClientCert"`
 	OverrideDNS      bool   `json:"overrideDNS"`
+	TunnelDNS        bool   `json:"tunnelDNS"`
 	DisableRelay     bool   `json:"disableRelay"`
 	// DoNotCreateNewClient bool   `json:"doNotCreateNewClient"`
 
@@ -88,6 +89,7 @@ func DefaultConfig() *OlmConfig {
 		PingInterval:     "3s",
 		PingTimeout:      "5s",
 		DisableHolepunch: false,
+		TunnelDNS:        false,
 		// DoNotCreateNewClient: false,
 		sources: make(map[string]string),
 	}
@@ -105,6 +107,7 @@ func DefaultConfig() *OlmConfig {
 	config.sources["pingTimeout"] = string(SourceDefault)
 	config.sources["disableHolepunch"] = string(SourceDefault)
 	config.sources["overrideDNS"] = string(SourceDefault)
+	config.sources["tunnelDNS"] = string(SourceDefault)
 	config.sources["disableRelay"] = string(SourceDefault)
 	// config.sources["doNotCreateNewClient"] = string(SourceDefault)
 
@@ -265,6 +268,10 @@ func loadConfigFromEnv(config *OlmConfig) {
 		config.DisableRelay = true
 		config.sources["disableRelay"] = string(SourceEnv)
 	}
+	if val := os.Getenv("TUNNEL_DNS"); val == "true" {
+		config.TunnelDNS = true
+		config.sources["tunnelDNS"] = string(SourceEnv)
+	}
 	// if val := os.Getenv("DO_NOT_CREATE_NEW_CLIENT"); val == "true" {
 	// 	config.DoNotCreateNewClient = true
 	// 	config.sources["doNotCreateNewClient"] = string(SourceEnv)
@@ -295,6 +302,7 @@ func loadConfigFromCLI(config *OlmConfig, args []string) (bool, bool, error) {
 		"disableHolepunch": config.DisableHolepunch,
 		"overrideDNS":      config.OverrideDNS,
 		"disableRelay":     config.DisableRelay,
+		"tunnelDNS":        config.TunnelDNS,
 		// "doNotCreateNewClient": config.DoNotCreateNewClient,
 	}
 
@@ -318,6 +326,7 @@ func loadConfigFromCLI(config *OlmConfig, args []string) (bool, bool, error) {
 	serviceFlags.BoolVar(&config.DisableHolepunch, "disable-holepunch", config.DisableHolepunch, "Disable hole punching")
 	serviceFlags.BoolVar(&config.OverrideDNS, "override-dns", config.OverrideDNS, "Override system DNS settings")
 	serviceFlags.BoolVar(&config.DisableRelay, "disable-relay", config.DisableRelay, "Disable relay connections")
+	serviceFlags.BoolVar(&config.TunnelDNS, "tunnel-dns", config.TunnelDNS, "Use tunnel for DNS traffic")
 	// serviceFlags.BoolVar(&config.DoNotCreateNewClient, "do-not-create-new-client", config.DoNotCreateNewClient, "Do not create new client")
 
 	version := serviceFlags.Bool("version", false, "Print the version")
@@ -393,6 +402,9 @@ func loadConfigFromCLI(config *OlmConfig, args []string) (bool, bool, error) {
 	if config.DisableRelay != origValues["disableRelay"].(bool) {
 		config.sources["disableRelay"] = string(SourceCLI)
 	}
+	if config.TunnelDNS != origValues["tunnelDNS"].(bool) {
+		config.sources["tunnelDNS"] = string(SourceCLI)
+	}
 	// if config.DoNotCreateNewClient != origValues["doNotCreateNewClient"].(bool) {
 	// 	config.sources["doNotCreateNewClient"] = string(SourceCLI)
 	// }
@@ -606,6 +618,7 @@ func (c *OlmConfig) ShowConfig() {
 	fmt.Println("\nAdvanced:")
 	fmt.Printf("  disable-holepunch     = %v [%s]\n", c.DisableHolepunch, getSource("disableHolepunch"))
 	fmt.Printf("  override-dns          = %v [%s]\n", c.OverrideDNS, getSource("overrideDNS"))
+	fmt.Printf("  tunnel-dns            = %v [%s]\n", c.TunnelDNS, getSource("tunnelDNS"))
 	fmt.Printf("  disable-relay         = %v [%s]\n", c.DisableRelay, getSource("disableRelay"))
 	// fmt.Printf("  do-not-create-new-client = %v [%s]\n", c.DoNotCreateNewClient, getSource("doNotCreateNewClient"))
 	if c.TlsClientCert != "" {

dns/dns_proxy.go

@@ -34,18 +34,26 @@ type DNSProxy struct {
 	ep           *channel.Endpoint
 	proxyIP      netip.Addr
 	upstreamDNS  []string
+	tunnelDNS    bool                 // Whether to tunnel DNS queries over WireGuard or to spit them out locally
 	mtu          int
 	tunDevice    tun.Device           // Direct reference to underlying TUN device for responses
 	middleDevice *device.MiddleDevice // Reference to MiddleDevice for packet filtering
 	recordStore  *DNSRecordStore      // Local DNS records
 
+	// Tunnel DNS fields - for sending queries over WireGuard
+	tunnelIP         netip.Addr       // WireGuard interface IP (source for tunneled queries)
+	tunnelStack      *stack.Stack     // Separate netstack for outbound tunnel queries
+	tunnelEp         *channel.Endpoint
+	tunnelActivePorts map[uint16]bool
+	tunnelPortsLock  sync.Mutex
+
 	ctx    context.Context
 	cancel context.CancelFunc
 	wg     sync.WaitGroup
 }
 
 // NewDNSProxy creates a new DNS proxy
-func NewDNSProxy(tunDevice tun.Device, middleDevice *device.MiddleDevice, mtu int, utilitySubnet string, upstreamDns []string) (*DNSProxy, error) {
+func NewDNSProxy(tunDevice tun.Device, middleDevice *device.MiddleDevice, mtu int, utilitySubnet string, upstreamDns []string, tunnelDns bool, tunnelIP string) (*DNSProxy, error) {
 	proxyIP, err := PickIPFromSubnet(utilitySubnet)
 	if err != nil {
 		return nil, fmt.Errorf("failed to pick DNS proxy IP from subnet: %v", err)
@@ -58,17 +66,28 @@ func NewDNSProxy(tunDevice tun.Device, middleDevice *device.MiddleDevice, mtu in
 	ctx, cancel := context.WithCancel(context.Background())
 
 	proxy := &DNSProxy{
-		proxyIP:      proxyIP,
-		mtu:          mtu,
-		tunDevice:    tunDevice,
-		middleDevice: middleDevice,
-		upstreamDNS:  upstreamDns,
-		recordStore:  NewDNSRecordStore(),
-		ctx:          ctx,
-		cancel:       cancel,
+		proxyIP:           proxyIP,
+		mtu:               mtu,
+		tunDevice:         tunDevice,
+		middleDevice:      middleDevice,
+		upstreamDNS:       upstreamDns,
+		tunnelDNS:         tunnelDns,
+		recordStore:       NewDNSRecordStore(),
+		tunnelActivePorts: make(map[uint16]bool),
+		ctx:               ctx,
+		cancel:            cancel,
 	}
 
-	// Create gvisor netstack
+	// Parse tunnel IP if provided (needed for tunneled DNS)
+	if tunnelIP != "" {
+		addr, err := netip.ParseAddr(tunnelIP)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse tunnel IP: %v", err)
+		}
+		proxy.tunnelIP = addr
+	}
+
+	// Create gvisor netstack for receiving DNS queries
 	stackOpts := stack.Options{
 		NetworkProtocols:   []stack.NetworkProtocolFactory{ipv4.NewProtocol, ipv6.NewProtocol},
 		TransportProtocols: []stack.TransportProtocolFactory{udp.NewProtocol},
@@ -101,9 +120,104 @@ func NewDNSProxy(tunDevice tun.Device, middleDevice *device.MiddleDevice, mtu in
 		NIC:         1,
 	})
 
+	// Initialize tunnel netstack if tunnel DNS is enabled
+	if tunnelDns {
+		if !proxy.tunnelIP.IsValid() {
+			return nil, fmt.Errorf("tunnel IP is required when tunnelDNS is enabled")
+		}
+
+		// TODO: DO WE NEED TO ESTABLISH ANOTHER NETSTACK HERE OR CAN WE COMBINE WITH WGTESTER?
+		if err := proxy.initTunnelNetstack(); err != nil {
+			return nil, fmt.Errorf("failed to initialize tunnel netstack: %v", err)
+		}
+	}
+
 	return proxy, nil
 }
 
+// initTunnelNetstack creates a separate netstack for outbound DNS queries through the tunnel
+func (p *DNSProxy) initTunnelNetstack() error {
+	// Create gvisor netstack for outbound tunnel queries
+	stackOpts := stack.Options{
+		NetworkProtocols:   []stack.NetworkProtocolFactory{ipv4.NewProtocol, ipv6.NewProtocol},
+		TransportProtocols: []stack.TransportProtocolFactory{udp.NewProtocol},
+		HandleLocal:        true,
+	}
+
+	p.tunnelEp = channel.New(256, uint32(p.mtu), "")
+	p.tunnelStack = stack.New(stackOpts)
+
+	// Create NIC
+	if err := p.tunnelStack.CreateNIC(1, p.tunnelEp); err != nil {
+		return fmt.Errorf("failed to create tunnel NIC: %v", err)
+	}
+
+	// Add tunnel IP address (WireGuard interface IP)
+	ipBytes := p.tunnelIP.As4()
+	protoAddr := tcpip.ProtocolAddress{
+		Protocol:          ipv4.ProtocolNumber,
+		AddressWithPrefix: tcpip.AddrFrom4(ipBytes).WithPrefix(),
+	}
+
+	if err := p.tunnelStack.AddProtocolAddress(1, protoAddr, stack.AddressProperties{}); err != nil {
+		return fmt.Errorf("failed to add tunnel protocol address: %v", err)
+	}
+
+	// Add default route
+	p.tunnelStack.AddRoute(tcpip.Route{
+		Destination: header.IPv4EmptySubnet,
+		NIC:         1,
+	})
+
+	// Register filter rule on MiddleDevice to intercept responses
+	p.middleDevice.AddRule(p.tunnelIP, p.handleTunnelResponse)
+
+	return nil
+}
+
+// handleTunnelResponse handles packets coming back from the tunnel destined for the tunnel IP
+func (p *DNSProxy) handleTunnelResponse(packet []byte) bool {
+	// Check if it's UDP
+	proto, ok := util.GetProtocol(packet)
+	if !ok || proto != 17 { // UDP
+		return false
+	}
+
+	// Check destination port - should be one of our active outbound ports
+	port, ok := util.GetDestPort(packet)
+	if !ok {
+		return false
+	}
+
+	// Check if we are expecting a response on this port
+	p.tunnelPortsLock.Lock()
+	active := p.tunnelActivePorts[uint16(port)]
+	p.tunnelPortsLock.Unlock()
+
+	if !active {
+		return false
+	}
+
+	// Inject into tunnel netstack
+	version := packet[0] >> 4
+	pkb := stack.NewPacketBuffer(stack.PacketBufferOptions{
+		Payload: buffer.MakeWithData(packet),
+	})
+
+	switch version {
+	case 4:
+		p.tunnelEp.InjectInbound(ipv4.ProtocolNumber, pkb)
+	case 6:
+		p.tunnelEp.InjectInbound(ipv6.ProtocolNumber, pkb)
+	default:
+		pkb.DecRef()
+		return false
+	}
+
+	pkb.DecRef()
+	return true // Handled
+}
+
 // Start starts the DNS proxy and registers with the filter
 func (p *DNSProxy) Start() error {
 	// Install packet filter rule
@@ -114,7 +228,13 @@ func (p *DNSProxy) Start() error {
 	go p.runDNSListener()
 	go p.runPacketSender()
 
-	logger.Info("DNS proxy started on %s:%d", p.proxyIP.String(), DNSPort)
+	// Start tunnel packet sender if tunnel DNS is enabled
+	if p.tunnelDNS {
+		p.wg.Add(1)
+		go p.runTunnelPacketSender()
+	}
+
+	logger.Info("DNS proxy started on %s:%d (tunnelDNS=%v)", p.proxyIP.String(), DNSPort, p.tunnelDNS)
 	return nil
 }
 
@@ -122,6 +242,9 @@ func (p *DNSProxy) Start() error {
 func (p *DNSProxy) Stop() {
 	if p.middleDevice != nil {
 		p.middleDevice.RemoveRule(p.proxyIP)
+		if p.tunnelDNS && p.tunnelIP.IsValid() {
+			p.middleDevice.RemoveRule(p.tunnelIP)
+		}
 	}
 	p.cancel()
 
@@ -130,12 +253,21 @@ func (p *DNSProxy) Stop() {
 		p.ep.Close()
 	}
 
+	// Close tunnel endpoint if it exists
+	if p.tunnelEp != nil {
+		p.tunnelEp.Close()
+	}
+
 	p.wg.Wait()
 
 	if p.stack != nil {
 		p.stack.Close()
 	}
 
+	if p.tunnelStack != nil {
+		p.tunnelStack.Close()
+	}
+
 	logger.Info("DNS proxy stopped")
 }
 
@@ -348,8 +480,16 @@ func (p *DNSProxy) forwardToUpstream(query *dns.Msg) *dns.Msg {
 	return response
 }
 
-// queryUpstream sends a DNS query to upstream server using miekg/dns
+// queryUpstream sends a DNS query to upstream server
 func (p *DNSProxy) queryUpstream(server string, query *dns.Msg, timeout time.Duration) (*dns.Msg, error) {
+	if p.tunnelDNS {
+		return p.queryUpstreamTunnel(server, query, timeout)
+	}
+	return p.queryUpstreamDirect(server, query, timeout)
+}
+
+// queryUpstreamDirect sends a DNS query to upstream server using miekg/dns directly (host networking)
+func (p *DNSProxy) queryUpstreamDirect(server string, query *dns.Msg, timeout time.Duration) (*dns.Msg, error) {
 	client := &dns.Client{
 		Timeout: timeout,
 	}
@@ -362,6 +502,155 @@ func (p *DNSProxy) queryUpstream(server string, query *dns.Msg, timeout time.Dur
 	return response, nil
 }
 
+// queryUpstreamTunnel sends a DNS query through the WireGuard tunnel
+func (p *DNSProxy) queryUpstreamTunnel(server string, query *dns.Msg, timeout time.Duration) (*dns.Msg, error) {
+	// Dial through the tunnel netstack
+	conn, port, err := p.dialTunnel("udp", server)
+	if err != nil {
+		return nil, fmt.Errorf("failed to dial tunnel: %v", err)
+	}
+	defer func() {
+		conn.Close()
+		p.removeTunnelPort(port)
+	}()
+
+	// Pack the query
+	queryData, err := query.Pack()
+	if err != nil {
+		return nil, fmt.Errorf("failed to pack query: %v", err)
+	}
+
+	// Set deadline
+	conn.SetDeadline(time.Now().Add(timeout))
+
+	// Send the query
+	_, err = conn.Write(queryData)
+	if err != nil {
+		return nil, fmt.Errorf("failed to send query: %v", err)
+	}
+
+	// Read the response
+	buf := make([]byte, 4096)
+	n, err := conn.Read(buf)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response: %v", err)
+	}
+
+	// Parse the response
+	response := new(dns.Msg)
+	if err := response.Unpack(buf[:n]); err != nil {
+		return nil, fmt.Errorf("failed to unpack response: %v", err)
+	}
+
+	return response, nil
+}
+
+// dialTunnel creates a UDP connection through the tunnel netstack
+func (p *DNSProxy) dialTunnel(network, addr string) (net.Conn, uint16, error) {
+	if p.tunnelStack == nil {
+		return nil, 0, fmt.Errorf("tunnel netstack not initialized")
+	}
+
+	// Parse remote address
+	raddr, err := net.ResolveUDPAddr("udp", addr)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	// Use tunnel IP as source
+	ipBytes := p.tunnelIP.As4()
+
+	// Create UDP connection with ephemeral port
+	laddr := &tcpip.FullAddress{
+		NIC:  1,
+		Addr: tcpip.AddrFrom4(ipBytes),
+		Port: 0,
+	}
+
+	raddrTcpip := &tcpip.FullAddress{
+		NIC:  1,
+		Addr: tcpip.AddrFrom4([4]byte(raddr.IP.To4())),
+		Port: uint16(raddr.Port),
+	}
+
+	conn, err := gonet.DialUDP(p.tunnelStack, laddr, raddrTcpip, ipv4.ProtocolNumber)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	// Get local port
+	localAddr := conn.LocalAddr().(*net.UDPAddr)
+	port := uint16(localAddr.Port)
+
+	// Register port so we can receive responses
+	p.tunnelPortsLock.Lock()
+	p.tunnelActivePorts[port] = true
+	p.tunnelPortsLock.Unlock()
+
+	return conn, port, nil
+}
+
+// removeTunnelPort removes a port from the active ports map
+func (p *DNSProxy) removeTunnelPort(port uint16) {
+	p.tunnelPortsLock.Lock()
+	delete(p.tunnelActivePorts, port)
+	p.tunnelPortsLock.Unlock()
+}
+
+// runTunnelPacketSender reads packets from tunnel netstack and injects them into WireGuard
+func (p *DNSProxy) runTunnelPacketSender() {
+	defer p.wg.Done()
+	logger.Debug("DNS tunnel packet sender goroutine started")
+
+	ticker := time.NewTicker(1 * time.Millisecond)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-p.ctx.Done():
+			logger.Debug("DNS tunnel packet sender exiting")
+			// Drain any remaining packets
+			for {
+				pkt := p.tunnelEp.Read()
+				if pkt == nil {
+					break
+				}
+				pkt.DecRef()
+			}
+			return
+		case <-ticker.C:
+			// Try to read packets
+			for i := 0; i < 10; i++ {
+				pkt := p.tunnelEp.Read()
+				if pkt == nil {
+					break
+				}
+
+				// Extract packet data
+				slices := pkt.AsSlices()
+				if len(slices) > 0 {
+					var totalSize int
+					for _, slice := range slices {
+						totalSize += len(slice)
+					}
+
+					buf := make([]byte, totalSize)
+					pos := 0
+					for _, slice := range slices {
+						copy(buf[pos:], slice)
+						pos += len(slice)
+					}
+
+					// Inject into MiddleDevice (outbound to WG)
+					p.middleDevice.InjectOutbound(buf)
+				}
+
+				pkt.DecRef()
+			}
+		}
+	}
+}
+
 // runPacketSender sends packets from netstack back to TUN
 func (p *DNSProxy) runPacketSender() {
 	defer p.wg.Done()

dns/dns_records.go

@@ -2,6 +2,7 @@ package dns
 
 import (
 	"net"
+	"strings"
 	"sync"
 
 	"github.com/miekg/dns"
@@ -17,21 +18,26 @@ const (
 
 // DNSRecordStore manages local DNS records for A and AAAA queries
 type DNSRecordStore struct {
-	mu          sync.RWMutex
-	aRecords    map[string][]net.IP // domain -> list of IPv4 addresses
-	aaaaRecords map[string][]net.IP // domain -> list of IPv6 addresses
+	mu            sync.RWMutex
+	aRecords      map[string][]net.IP // domain -> list of IPv4 addresses
+	aaaaRecords   map[string][]net.IP // domain -> list of IPv6 addresses
+	aWildcards    map[string][]net.IP // wildcard pattern -> list of IPv4 addresses
+	aaaaWildcards map[string][]net.IP // wildcard pattern -> list of IPv6 addresses
 }
 
 // NewDNSRecordStore creates a new DNS record store
 func NewDNSRecordStore() *DNSRecordStore {
 	return &DNSRecordStore{
-		aRecords:    make(map[string][]net.IP),
-		aaaaRecords: make(map[string][]net.IP),
+		aRecords:      make(map[string][]net.IP),
+		aaaaRecords:   make(map[string][]net.IP),
+		aWildcards:    make(map[string][]net.IP),
+		aaaaWildcards: make(map[string][]net.IP),
 	}
 }
 
 // AddRecord adds a DNS record mapping (A or AAAA)
 // domain should be in FQDN format (e.g., "example.com.")
+// domain can contain wildcards: * (0+ chars) and ? (exactly 1 char)
 // ip should be a valid IPv4 or IPv6 address
 func (s *DNSRecordStore) AddRecord(domain string, ip net.IP) error {
 	s.mu.Lock()
@@ -45,12 +51,23 @@ func (s *DNSRecordStore) AddRecord(domain string, ip net.IP) error {
 	// Normalize domain to lowercase
 	domain = dns.Fqdn(domain)
 
+	// Check if domain contains wildcards
+	isWildcard := strings.ContainsAny(domain, "*?")
+
 	if ip.To4() != nil {
 		// IPv4 address
-		s.aRecords[domain] = append(s.aRecords[domain], ip)
+		if isWildcard {
+			s.aWildcards[domain] = append(s.aWildcards[domain], ip)
+		} else {
+			s.aRecords[domain] = append(s.aRecords[domain], ip)
+		}
 	} else if ip.To16() != nil {
 		// IPv6 address
-		s.aaaaRecords[domain] = append(s.aaaaRecords[domain], ip)
+		if isWildcard {
+			s.aaaaWildcards[domain] = append(s.aaaaWildcards[domain], ip)
+		} else {
+			s.aaaaRecords[domain] = append(s.aaaaRecords[domain], ip)
+		}
 	} else {
 		return &net.ParseError{Type: "IP address", Text: ip.String()}
 	}
@@ -59,7 +76,7 @@ func (s *DNSRecordStore) AddRecord(domain string, ip net.IP) error {
 }
 
 // RemoveRecord removes a specific DNS record mapping
-// If ip is nil, removes all records for the domain
+// If ip is nil, removes all records for the domain (including wildcards)
 func (s *DNSRecordStore) RemoveRecord(domain string, ip net.IP) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
@@ -72,33 +89,60 @@ func (s *DNSRecordStore) RemoveRecord(domain string, ip net.IP) {
 	// Normalize domain to lowercase
 	domain = dns.Fqdn(domain)
 
+	// Check if domain contains wildcards
+	isWildcard := strings.ContainsAny(domain, "*?")
+
 	if ip == nil {
 		// Remove all records for this domain
-		delete(s.aRecords, domain)
-		delete(s.aaaaRecords, domain)
+		if isWildcard {
+			delete(s.aWildcards, domain)
+			delete(s.aaaaWildcards, domain)
+		} else {
+			delete(s.aRecords, domain)
+			delete(s.aaaaRecords, domain)
+		}
 		return
 	}
 
 	if ip.To4() != nil {
 		// Remove specific IPv4 address
-		if ips, ok := s.aRecords[domain]; ok {
-			s.aRecords[domain] = removeIP(ips, ip)
-			if len(s.aRecords[domain]) == 0 {
-				delete(s.aRecords, domain)
+		if isWildcard {
+			if ips, ok := s.aWildcards[domain]; ok {
+				s.aWildcards[domain] = removeIP(ips, ip)
+				if len(s.aWildcards[domain]) == 0 {
+					delete(s.aWildcards, domain)
+				}
+			}
+		} else {
+			if ips, ok := s.aRecords[domain]; ok {
+				s.aRecords[domain] = removeIP(ips, ip)
+				if len(s.aRecords[domain]) == 0 {
+					delete(s.aRecords, domain)
+				}
 			}
 		}
 	} else if ip.To16() != nil {
 		// Remove specific IPv6 address
-		if ips, ok := s.aaaaRecords[domain]; ok {
-			s.aaaaRecords[domain] = removeIP(ips, ip)
-			if len(s.aaaaRecords[domain]) == 0 {
-				delete(s.aaaaRecords, domain)
+		if isWildcard {
+			if ips, ok := s.aaaaWildcards[domain]; ok {
+				s.aaaaWildcards[domain] = removeIP(ips, ip)
+				if len(s.aaaaWildcards[domain]) == 0 {
+					delete(s.aaaaWildcards, domain)
+				}
+			}
+		} else {
+			if ips, ok := s.aaaaRecords[domain]; ok {
+				s.aaaaRecords[domain] = removeIP(ips, ip)
+				if len(s.aaaaRecords[domain]) == 0 {
+					delete(s.aaaaRecords, domain)
+				}
 			}
 		}
 	}
 }
 
 // GetRecords returns all IP addresses for a domain and record type
+// First checks for exact matches, then checks wildcard patterns
 func (s *DNSRecordStore) GetRecords(domain string, recordType RecordType) []net.IP {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
@@ -109,16 +153,45 @@ func (s *DNSRecordStore) GetRecords(domain string, recordType RecordType) []net.
 	var records []net.IP
 	switch recordType {
 	case RecordTypeA:
+		// Check exact match first
 		if ips, ok := s.aRecords[domain]; ok {
 			// Return a copy to prevent external modifications
 			records = make([]net.IP, len(ips))
 			copy(records, ips)
+			return records
 		}
+		// Check wildcard patterns
+		for pattern, ips := range s.aWildcards {
+			if matchWildcard(pattern, domain) {
+				records = append(records, ips...)
+			}
+		}
+		if len(records) > 0 {
+			// Return a copy
+			result := make([]net.IP, len(records))
+			copy(result, records)
+			return result
+		}
+
 	case RecordTypeAAAA:
+		// Check exact match first
 		if ips, ok := s.aaaaRecords[domain]; ok {
 			// Return a copy to prevent external modifications
 			records = make([]net.IP, len(ips))
 			copy(records, ips)
+			return records
+		}
+		// Check wildcard patterns
+		for pattern, ips := range s.aaaaWildcards {
+			if matchWildcard(pattern, domain) {
+				records = append(records, ips...)
+			}
+		}
+		if len(records) > 0 {
+			// Return a copy
+			result := make([]net.IP, len(records))
+			copy(result, records)
+			return result
 		}
 	}
 
@@ -126,6 +199,7 @@ func (s *DNSRecordStore) GetRecords(domain string, recordType RecordType) []net.
 }
 
 // HasRecord checks if a domain has any records of the specified type
+// Checks both exact matches and wildcard patterns
 func (s *DNSRecordStore) HasRecord(domain string, recordType RecordType) bool {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
@@ -135,11 +209,27 @@ func (s *DNSRecordStore) HasRecord(domain string, recordType RecordType) bool {
 
 	switch recordType {
 	case RecordTypeA:
-		_, ok := s.aRecords[domain]
-		return ok
+		// Check exact match
+		if _, ok := s.aRecords[domain]; ok {
+			return true
+		}
+		// Check wildcard patterns
+		for pattern := range s.aWildcards {
+			if matchWildcard(pattern, domain) {
+				return true
+			}
+		}
 	case RecordTypeAAAA:
-		_, ok := s.aaaaRecords[domain]
-		return ok
+		// Check exact match
+		if _, ok := s.aaaaRecords[domain]; ok {
+			return true
+		}
+		// Check wildcard patterns
+		for pattern := range s.aaaaWildcards {
+			if matchWildcard(pattern, domain) {
+				return true
+			}
+		}
 	}
 
 	return false
@@ -152,6 +242,8 @@ func (s *DNSRecordStore) Clear() {
 
 	s.aRecords = make(map[string][]net.IP)
 	s.aaaaRecords = make(map[string][]net.IP)
+	s.aWildcards = make(map[string][]net.IP)
+	s.aaaaWildcards = make(map[string][]net.IP)
 }
 
 // removeIP is a helper function to remove a specific IP from a slice
@@ -164,3 +256,70 @@ func removeIP(ips []net.IP, toRemove net.IP) []net.IP {
 	}
 	return result
 }
+
+// matchWildcard checks if a domain matches a wildcard pattern
+// Pattern supports * (0+ chars) and ? (exactly 1 char)
+// Special case: *.domain.com does not match domain.com itself
+func matchWildcard(pattern, domain string) bool {
+	return matchWildcardInternal(pattern, domain, 0, 0)
+}
+
+// matchWildcardInternal performs the actual wildcard matching recursively
+func matchWildcardInternal(pattern, domain string, pi, di int) bool {
+	plen := len(pattern)
+	dlen := len(domain)
+
+	// Base cases
+	if pi == plen && di == dlen {
+		return true
+	}
+	if pi == plen {
+		return false
+	}
+
+	// Handle wildcard characters
+	if pattern[pi] == '*' {
+		// Special case: if pattern starts with "*." and we're at the beginning,
+		// ensure we don't match the domain without a prefix
+		// e.g., *.autoco.internal should not match autoco.internal
+		if pi == 0 && pi+1 < plen && pattern[pi+1] == '.' {
+			// The * must match at least one character
+			if di == dlen {
+				return false
+			}
+			// Try matching 1 or more characters before the dot
+			for i := di + 1; i <= dlen; i++ {
+				if matchWildcardInternal(pattern, domain, pi+1, i) {
+					return true
+				}
+			}
+			return false
+		}
+
+		// Normal * matching (0 or more characters)
+		// Try matching 0 characters (skip the *)
+		if matchWildcardInternal(pattern, domain, pi+1, di) {
+			return true
+		}
+		// Try matching 1+ characters
+		if di < dlen {
+			return matchWildcardInternal(pattern, domain, pi, di+1)
+		}
+		return false
+	}
+
+	if pattern[pi] == '?' {
+		// ? matches exactly one character
+		if di >= dlen {
+			return false
+		}
+		return matchWildcardInternal(pattern, domain, pi+1, di+1)
+	}
+
+	// Regular character - must match exactly
+	if di >= dlen || pattern[pi] != domain[di] {
+		return false
+	}
+
+	return matchWildcardInternal(pattern, domain, pi+1, di+1)
+}

dns/dns_records_test.go

@@ -0,0 +1,350 @@
+package dns
+
+import (
+	"net"
+	"testing"
+)
+
+func TestWildcardMatching(t *testing.T) {
+	tests := []struct {
+		name     string
+		pattern  string
+		domain   string
+		expected bool
+	}{
+		// Basic wildcard tests
+		{
+			name:     "*.autoco.internal matches host.autoco.internal",
+			pattern:  "*.autoco.internal.",
+			domain:   "host.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "*.autoco.internal matches longerhost.autoco.internal",
+			pattern:  "*.autoco.internal.",
+			domain:   "longerhost.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "*.autoco.internal matches sub.host.autoco.internal",
+			pattern:  "*.autoco.internal.",
+			domain:   "sub.host.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "*.autoco.internal does NOT match autoco.internal",
+			pattern:  "*.autoco.internal.",
+			domain:   "autoco.internal.",
+			expected: false,
+		},
+		
+		// Question mark wildcard tests
+		{
+			name:     "host-0?.autoco.internal matches host-01.autoco.internal",
+			pattern:  "host-0?.autoco.internal.",
+			domain:   "host-01.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "host-0?.autoco.internal matches host-0a.autoco.internal",
+			pattern:  "host-0?.autoco.internal.",
+			domain:   "host-0a.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "host-0?.autoco.internal does NOT match host-0.autoco.internal",
+			pattern:  "host-0?.autoco.internal.",
+			domain:   "host-0.autoco.internal.",
+			expected: false,
+		},
+		{
+			name:     "host-0?.autoco.internal does NOT match host-012.autoco.internal",
+			pattern:  "host-0?.autoco.internal.",
+			domain:   "host-012.autoco.internal.",
+			expected: false,
+		},
+		
+		// Combined wildcard tests
+		{
+			name:     "*.host-0?.autoco.internal matches sub.host-01.autoco.internal",
+			pattern:  "*.host-0?.autoco.internal.",
+			domain:   "sub.host-01.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "*.host-0?.autoco.internal matches prefix.host-0a.autoco.internal",
+			pattern:  "*.host-0?.autoco.internal.",
+			domain:   "prefix.host-0a.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "*.host-0?.autoco.internal does NOT match host-01.autoco.internal",
+			pattern:  "*.host-0?.autoco.internal.",
+			domain:   "host-01.autoco.internal.",
+			expected: false,
+		},
+		
+		// Multiple asterisks
+		{
+			name:     "*.*. autoco.internal matches any.thing.autoco.internal",
+			pattern:  "*.*.autoco.internal.",
+			domain:   "any.thing.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "*.*.autoco.internal does NOT match single.autoco.internal",
+			pattern:  "*.*.autoco.internal.",
+			domain:   "single.autoco.internal.",
+			expected: false,
+		},
+		
+		// Asterisk in middle
+		{
+			name:     "host-*.autoco.internal matches host-anything.autoco.internal",
+			pattern:  "host-*.autoco.internal.",
+			domain:   "host-anything.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "host-*.autoco.internal matches host-.autoco.internal (empty match)",
+			pattern:  "host-*.autoco.internal.",
+			domain:   "host-.autoco.internal.",
+			expected: true,
+		},
+		
+		// Multiple question marks
+		{
+			name:     "host-??.autoco.internal matches host-01.autoco.internal",
+			pattern:  "host-??.autoco.internal.",
+			domain:   "host-01.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "host-??.autoco.internal does NOT match host-1.autoco.internal",
+			pattern:  "host-??.autoco.internal.",
+			domain:   "host-1.autoco.internal.",
+			expected: false,
+		},
+		
+		// Exact match (no wildcards)
+		{
+			name:     "exact.autoco.internal matches exact.autoco.internal",
+			pattern:  "exact.autoco.internal.",
+			domain:   "exact.autoco.internal.",
+			expected: true,
+		},
+		{
+			name:     "exact.autoco.internal does NOT match other.autoco.internal",
+			pattern:  "exact.autoco.internal.",
+			domain:   "other.autoco.internal.",
+			expected: false,
+		},
+		
+		// Edge cases
+		{
+			name:     "* matches anything",
+			pattern:  "*",
+			domain:   "anything.at.all.",
+			expected: true,
+		},
+		{
+			name:     "*.* matches multi.level.",
+			pattern:  "*.*",
+			domain:   "multi.level.",
+			expected: true,
+		},
+	}
+	
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := matchWildcard(tt.pattern, tt.domain)
+			if result != tt.expected {
+				t.Errorf("matchWildcard(%q, %q) = %v, want %v", tt.pattern, tt.domain, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestDNSRecordStoreWildcard(t *testing.T) {
+	store := NewDNSRecordStore()
+	
+	// Add wildcard records
+	wildcardIP := net.ParseIP("10.0.0.1")
+	err := store.AddRecord("*.autoco.internal", wildcardIP)
+	if err != nil {
+		t.Fatalf("Failed to add wildcard record: %v", err)
+	}
+	
+	// Add exact record
+	exactIP := net.ParseIP("10.0.0.2")
+	err = store.AddRecord("exact.autoco.internal", exactIP)
+	if err != nil {
+		t.Fatalf("Failed to add exact record: %v", err)
+	}
+	
+	// Test exact match takes precedence
+	ips := store.GetRecords("exact.autoco.internal.", RecordTypeA)
+	if len(ips) != 1 {
+		t.Errorf("Expected 1 IP for exact match, got %d", len(ips))
+	}
+	if !ips[0].Equal(exactIP) {
+		t.Errorf("Expected exact IP %v, got %v", exactIP, ips[0])
+	}
+	
+	// Test wildcard match
+	ips = store.GetRecords("host.autoco.internal.", RecordTypeA)
+	if len(ips) != 1 {
+		t.Errorf("Expected 1 IP for wildcard match, got %d", len(ips))
+	}
+	if !ips[0].Equal(wildcardIP) {
+		t.Errorf("Expected wildcard IP %v, got %v", wildcardIP, ips[0])
+	}
+	
+	// Test non-match (base domain)
+	ips = store.GetRecords("autoco.internal.", RecordTypeA)
+	if len(ips) != 0 {
+		t.Errorf("Expected 0 IPs for base domain, got %d", len(ips))
+	}
+}
+
+func TestDNSRecordStoreComplexWildcard(t *testing.T) {
+	store := NewDNSRecordStore()
+	
+	// Add complex wildcard pattern
+	ip1 := net.ParseIP("10.0.0.1")
+	err := store.AddRecord("*.host-0?.autoco.internal", ip1)
+	if err != nil {
+		t.Fatalf("Failed to add wildcard record: %v", err)
+	}
+	
+	// Test matching domain
+	ips := store.GetRecords("sub.host-01.autoco.internal.", RecordTypeA)
+	if len(ips) != 1 {
+		t.Errorf("Expected 1 IP for complex wildcard match, got %d", len(ips))
+	}
+	if len(ips) > 0 && !ips[0].Equal(ip1) {
+		t.Errorf("Expected IP %v, got %v", ip1, ips[0])
+	}
+	
+	// Test non-matching domain (missing prefix)
+	ips = store.GetRecords("host-01.autoco.internal.", RecordTypeA)
+	if len(ips) != 0 {
+		t.Errorf("Expected 0 IPs for domain without prefix, got %d", len(ips))
+	}
+	
+	// Test non-matching domain (wrong ? position)
+	ips = store.GetRecords("sub.host-012.autoco.internal.", RecordTypeA)
+	if len(ips) != 0 {
+		t.Errorf("Expected 0 IPs for domain with wrong ? match, got %d", len(ips))
+	}
+}
+
+func TestDNSRecordStoreRemoveWildcard(t *testing.T) {
+	store := NewDNSRecordStore()
+	
+	// Add wildcard record
+	ip := net.ParseIP("10.0.0.1")
+	err := store.AddRecord("*.autoco.internal", ip)
+	if err != nil {
+		t.Fatalf("Failed to add wildcard record: %v", err)
+	}
+	
+	// Verify it exists
+	ips := store.GetRecords("host.autoco.internal.", RecordTypeA)
+	if len(ips) != 1 {
+		t.Errorf("Expected 1 IP before removal, got %d", len(ips))
+	}
+	
+	// Remove wildcard record
+	store.RemoveRecord("*.autoco.internal", nil)
+	
+	// Verify it's gone
+	ips = store.GetRecords("host.autoco.internal.", RecordTypeA)
+	if len(ips) != 0 {
+		t.Errorf("Expected 0 IPs after removal, got %d", len(ips))
+	}
+}
+
+func TestDNSRecordStoreMultipleWildcards(t *testing.T) {
+	store := NewDNSRecordStore()
+	
+	// Add multiple wildcard patterns that don't overlap
+	ip1 := net.ParseIP("10.0.0.1")
+	ip2 := net.ParseIP("10.0.0.2")
+	ip3 := net.ParseIP("10.0.0.3")
+	
+	err := store.AddRecord("*.prod.autoco.internal", ip1)
+	if err != nil {
+		t.Fatalf("Failed to add first wildcard: %v", err)
+	}
+	
+	err = store.AddRecord("*.dev.autoco.internal", ip2)
+	if err != nil {
+		t.Fatalf("Failed to add second wildcard: %v", err)
+	}
+	
+	// Add a broader wildcard that matches both
+	err = store.AddRecord("*.autoco.internal", ip3)
+	if err != nil {
+		t.Fatalf("Failed to add third wildcard: %v", err)
+	}
+	
+	// Test domain matching only the prod pattern and the broad pattern
+	ips := store.GetRecords("host.prod.autoco.internal.", RecordTypeA)
+	if len(ips) != 2 {
+		t.Errorf("Expected 2 IPs (prod + broad), got %d", len(ips))
+	}
+	
+	// Test domain matching only the dev pattern and the broad pattern
+	ips = store.GetRecords("service.dev.autoco.internal.", RecordTypeA)
+	if len(ips) != 2 {
+		t.Errorf("Expected 2 IPs (dev + broad), got %d", len(ips))
+	}
+	
+	// Test domain matching only the broad pattern
+	ips = store.GetRecords("host.test.autoco.internal.", RecordTypeA)
+	if len(ips) != 1 {
+		t.Errorf("Expected 1 IP (broad only), got %d", len(ips))
+	}
+}
+
+func TestDNSRecordStoreIPv6Wildcard(t *testing.T) {
+	store := NewDNSRecordStore()
+	
+	// Add IPv6 wildcard record
+	ip := net.ParseIP("2001:db8::1")
+	err := store.AddRecord("*.autoco.internal", ip)
+	if err != nil {
+		t.Fatalf("Failed to add IPv6 wildcard record: %v", err)
+	}
+	
+	// Test wildcard match for IPv6
+	ips := store.GetRecords("host.autoco.internal.", RecordTypeAAAA)
+	if len(ips) != 1 {
+		t.Errorf("Expected 1 IPv6 for wildcard match, got %d", len(ips))
+	}
+	if len(ips) > 0 && !ips[0].Equal(ip) {
+		t.Errorf("Expected IPv6 %v, got %v", ip, ips[0])
+	}
+}
+
+func TestHasRecordWildcard(t *testing.T) {
+	store := NewDNSRecordStore()
+	
+	// Add wildcard record
+	ip := net.ParseIP("10.0.0.1")
+	err := store.AddRecord("*.autoco.internal", ip)
+	if err != nil {
+		t.Fatalf("Failed to add wildcard record: %v", err)
+	}
+	
+	// Test HasRecord with wildcard match
+	if !store.HasRecord("host.autoco.internal.", RecordTypeA) {
+		t.Error("Expected HasRecord to return true for wildcard match")
+	}
+	
+	// Test HasRecord with non-match
+	if store.HasRecord("autoco.internal.", RecordTypeA) {
+		t.Error("Expected HasRecord to return false for base domain")
+	}
+}

dns/platform/darwin.go

@@ -5,9 +5,13 @@ package dns
 import (
 	"bufio"
 	"bytes"
+	"encoding/json"
 	"fmt"
 	"net/netip"
+	"os"
 	"os/exec"
+	"path/filepath"
+	"runtime"
 	"strconv"
 	"strings"
 
@@ -28,19 +32,38 @@ const (
 	keyServerPort                       = "ServerPort"
 	arraySymbol                         = "* "
 	digitSymbol                         = "# "
+
+	// State file name for crash recovery
+	dnsStateFileName = "dns_state.json"
 )
 
+// DNSPersistentState represents the state saved to disk for crash recovery
+type DNSPersistentState struct {
+	CreatedKeys []string `json:"created_keys"`
+}
+
 // DarwinDNSConfigurator manages DNS settings on macOS using scutil
 type DarwinDNSConfigurator struct {
 	createdKeys   map[string]struct{}
 	originalState *DNSState
+	stateFilePath string
 }
 
 // NewDarwinDNSConfigurator creates a new macOS DNS configurator
 func NewDarwinDNSConfigurator() (*DarwinDNSConfigurator, error) {
-	return &DarwinDNSConfigurator{
-		createdKeys: make(map[string]struct{}),
-	}, nil
+	stateFilePath := getDNSStateFilePath()
+
+	configurator := &DarwinDNSConfigurator{
+		createdKeys:   make(map[string]struct{}),
+		stateFilePath: stateFilePath,
+	}
+
+	// Clean up any leftover state from a previous crash
+	if err := configurator.CleanupUncleanShutdown(); err != nil {
+		logger.Warn("Failed to cleanup previous DNS state: %v", err)
+	}
+
+	return configurator, nil
 }
 
 // Name returns the configurator name
@@ -67,6 +90,11 @@ func (d *DarwinDNSConfigurator) SetDNS(servers []netip.Addr) ([]netip.Addr, erro
 		return nil, fmt.Errorf("apply DNS servers: %w", err)
 	}
 
+	// Persist state to disk for crash recovery
+	if err := d.saveState(); err != nil {
+		logger.Warn("Failed to save DNS state for crash recovery: %v", err)
+	}
+
 	// Flush DNS cache
 	if err := d.flushDNSCache(); err != nil {
 		// Non-fatal, just log
@@ -85,6 +113,11 @@ func (d *DarwinDNSConfigurator) RestoreDNS() error {
 		}
 	}
 
+	// Clear state file after successful restoration
+	if err := d.clearState(); err != nil {
+		logger.Warn("Failed to clear DNS state file: %v", err)
+	}
+
 	// Flush DNS cache
 	if err := d.flushDNSCache(); err != nil {
 		fmt.Printf("warning: failed to flush DNS cache: %v\n", err)
@@ -112,6 +145,47 @@ func (d *DarwinDNSConfigurator) GetCurrentDNS() ([]netip.Addr, error) {
 	return servers, nil
 }
 
+// CleanupUncleanShutdown removes any DNS keys left over from a previous crash
+func (d *DarwinDNSConfigurator) CleanupUncleanShutdown() error {
+	state, err := d.loadState()
+	if err != nil {
+		if os.IsNotExist(err) {
+			// No state file, nothing to clean up
+			return nil
+		}
+		return fmt.Errorf("load state: %w", err)
+	}
+
+	if len(state.CreatedKeys) == 0 {
+		// No keys to clean up
+		return nil
+	}
+
+	logger.Info("Found DNS state from previous session, cleaning up %d keys", len(state.CreatedKeys))
+
+	// Remove all keys from previous session
+	var lastErr error
+	for _, key := range state.CreatedKeys {
+		logger.Debug("Removing leftover DNS key: %s", key)
+		if err := d.removeKeyDirect(key); err != nil {
+			logger.Warn("Failed to remove DNS key %s: %v", key, err)
+			lastErr = err
+		}
+	}
+
+	// Clear state file
+	if err := d.clearState(); err != nil {
+		logger.Warn("Failed to clear DNS state file: %v", err)
+	}
+
+	// Flush DNS cache after cleanup
+	if err := d.flushDNSCache(); err != nil {
+		logger.Warn("Failed to flush DNS cache after cleanup: %v", err)
+	}
+
+	return lastErr
+}
+
 // applyDNSServers applies the DNS server configuration
 func (d *DarwinDNSConfigurator) applyDNSServers(servers []netip.Addr) error {
 	if len(servers) == 0 {
@@ -156,15 +230,25 @@ func (d *DarwinDNSConfigurator) addDNSState(state, domains string, dnsServer net
 	return nil
 }
 
-// removeKey removes a DNS configuration key
+// removeKey removes a DNS configuration key and updates internal state
 func (d *DarwinDNSConfigurator) removeKey(key string) error {
+	if err := d.removeKeyDirect(key); err != nil {
+		return err
+	}
+
+	delete(d.createdKeys, key)
+	return nil
+}
+
+// removeKeyDirect removes a DNS configuration key without updating internal state
+// Used for cleanup operations
+func (d *DarwinDNSConfigurator) removeKeyDirect(key string) error {
 	cmd := fmt.Sprintf("remove %s\n", key)
 
 	if _, err := d.runScutil(cmd); err != nil {
 		return fmt.Errorf("remove key: %w", err)
 	}
 
-	delete(d.createdKeys, key)
 	return nil
 }
 
@@ -266,3 +350,70 @@ func (d *DarwinDNSConfigurator) runScutil(commands string) ([]byte, error) {
 
 	return output, nil
 }
+
+// getDNSStateFilePath returns the path to the DNS state file
+func getDNSStateFilePath() string {
+	var stateDir string
+	switch runtime.GOOS {
+	case "darwin":
+		stateDir = filepath.Join(os.Getenv("HOME"), "Library", "Application Support", "olm-client")
+	default:
+		stateDir = filepath.Join(os.Getenv("HOME"), ".config", "olm-client")
+	}
+
+	if err := os.MkdirAll(stateDir, 0755); err != nil {
+		logger.Warn("Failed to create state directory: %v", err)
+	}
+
+	return filepath.Join(stateDir, dnsStateFileName)
+}
+
+// saveState persists the current DNS state to disk
+func (d *DarwinDNSConfigurator) saveState() error {
+	keys := make([]string, 0, len(d.createdKeys))
+	for key := range d.createdKeys {
+		keys = append(keys, key)
+	}
+
+	state := DNSPersistentState{
+		CreatedKeys: keys,
+	}
+
+	data, err := json.MarshalIndent(state, "", "  ")
+	if err != nil {
+		return fmt.Errorf("marshal state: %w", err)
+	}
+
+	if err := os.WriteFile(d.stateFilePath, data, 0644); err != nil {
+		return fmt.Errorf("write state file: %w", err)
+	}
+
+	logger.Debug("Saved DNS state to %s", d.stateFilePath)
+	return nil
+}
+
+// loadState loads the DNS state from disk
+func (d *DarwinDNSConfigurator) loadState() (*DNSPersistentState, error) {
+	data, err := os.ReadFile(d.stateFilePath)
+	if err != nil {
+		return nil, err
+	}
+
+	var state DNSPersistentState
+	if err := json.Unmarshal(data, &state); err != nil {
+		return nil, fmt.Errorf("unmarshal state: %w", err)
+	}
+
+	return &state, nil
+}
+
+// clearState removes the DNS state file
+func (d *DarwinDNSConfigurator) clearState() error {
+	err := os.Remove(d.stateFilePath)
+	if err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("remove state file: %w", err)
+	}
+
+	logger.Debug("Cleared DNS state file")
+	return nil
+}

dns/platform/file.go

@@ -22,7 +22,11 @@ type FileDNSConfigurator struct {
 
 // NewFileDNSConfigurator creates a new file-based DNS configurator
 func NewFileDNSConfigurator() (*FileDNSConfigurator, error) {
-	return &FileDNSConfigurator{}, nil
+	f := &FileDNSConfigurator{}
+	if err := f.CleanupUncleanShutdown(); err != nil {
+		return nil, fmt.Errorf("cleanup unclean shutdown: %w", err)
+	}
+	return f, nil
 }
 
 // Name returns the configurator name
@@ -78,6 +82,30 @@ func (f *FileDNSConfigurator) RestoreDNS() error {
 	return nil
 }
 
+// CleanupUncleanShutdown removes any DNS configuration left over from a previous crash
+// For the file-based configurator, we check if a backup file exists (indicating a crash
+// happened while DNS was configured) and restore from it if so.
+func (f *FileDNSConfigurator) CleanupUncleanShutdown() error {
+	// Check if backup file exists from a previous session
+	if !f.isBackupExists() {
+		// No backup file, nothing to clean up
+		return nil
+	}
+
+	// A backup exists, which means we crashed while DNS was configured
+	// Restore the original resolv.conf
+	if err := copyFile(resolvConfBackupPath, resolvConfPath); err != nil {
+		return fmt.Errorf("restore from backup during cleanup: %w", err)
+	}
+
+	// Remove backup file
+	if err := os.Remove(resolvConfBackupPath); err != nil {
+		return fmt.Errorf("remove backup file during cleanup: %w", err)
+	}
+
+	return nil
+}
+
 // GetCurrentDNS returns the currently configured DNS servers
 func (f *FileDNSConfigurator) GetCurrentDNS() ([]netip.Addr, error) {
 	content, err := os.ReadFile(resolvConfPath)

dns/platform/network_manager.go

@@ -50,11 +50,18 @@ func NewNetworkManagerDNSConfigurator(ifaceName string) (*NetworkManagerDNSConfi
 		return nil, fmt.Errorf("NetworkManager conf.d directory not found: %s", networkManagerConfDir)
 	}
 
-	return &NetworkManagerDNSConfigurator{
+	configurator := &NetworkManagerDNSConfigurator{
 		ifaceName:    ifaceName,
 		confPath:     networkManagerConfDir + "/" + networkManagerDNSConfFile,
 		dispatchPath: networkManagerDispatcherDir + "/" + networkManagerDispatcherFile,
-	}, nil
+	}
+
+	// Clean up any stale configuration from a previous unclean shutdown
+	if err := configurator.CleanupUncleanShutdown(); err != nil {
+		return nil, fmt.Errorf("cleanup unclean shutdown: %w", err)
+	}
+
+	return configurator, nil
 }
 
 // Name returns the configurator name
@@ -100,6 +107,30 @@ func (n *NetworkManagerDNSConfigurator) RestoreDNS() error {
 	return nil
 }
 
+// CleanupUncleanShutdown removes any DNS configuration left over from a previous crash
+// For NetworkManager, we check if our config file exists and remove it if so.
+// This ensures that if the process crashed while DNS was configured, the stale
+// configuration is removed on the next startup.
+func (n *NetworkManagerDNSConfigurator) CleanupUncleanShutdown() error {
+	// Check if our config file exists from a previous session
+	if _, err := os.Stat(n.confPath); os.IsNotExist(err) {
+		// No config file, nothing to clean up
+		return nil
+	}
+
+	// Remove the stale configuration file
+	if err := os.Remove(n.confPath); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("remove stale DNS config file: %w", err)
+	}
+
+	// Reload NetworkManager to apply the change
+	if err := n.reloadNetworkManager(); err != nil {
+		return fmt.Errorf("reload NetworkManager after cleanup: %w", err)
+	}
+
+	return nil
+}
+
 // GetCurrentDNS returns the currently configured DNS servers by reading /etc/resolv.conf
 func (n *NetworkManagerDNSConfigurator) GetCurrentDNS() ([]netip.Addr, error) {
 	content, err := os.ReadFile("/etc/resolv.conf")

dns/platform/resolvconf.go

@@ -31,10 +31,17 @@ func NewResolvconfDNSConfigurator(ifaceName string) (*ResolvconfDNSConfigurator,
 		return nil, fmt.Errorf("detect resolvconf type: %w", err)
 	}
 
-	return &ResolvconfDNSConfigurator{
+	configurator := &ResolvconfDNSConfigurator{
 		ifaceName: ifaceName,
 		implType:  implType,
-	}, nil
+	}
+
+	// Call cleanup function to remove any stale DNS config for this interface
+	if err := configurator.CleanupUncleanShutdown(); err != nil {
+		return nil, fmt.Errorf("cleanup unclean shutdown: %w", err)
+	}
+
+	return configurator, nil
 }
 
 // Name returns the configurator name
@@ -84,6 +91,28 @@ func (r *ResolvconfDNSConfigurator) RestoreDNS() error {
 	return nil
 }
 
+// CleanupUncleanShutdown removes any DNS configuration left over from a previous crash
+// For resolvconf, we attempt to delete any entry for the interface name.
+// This ensures that if the process crashed while DNS was configured, the stale
+// entry is removed on the next startup.
+func (r *ResolvconfDNSConfigurator) CleanupUncleanShutdown() error {
+	// Try to delete any existing entry for this interface
+	// This is idempotent - if no entry exists, resolvconf will just return success
+	var cmd *exec.Cmd
+
+	switch r.implType {
+	case "openresolv":
+		cmd = exec.Command(resolvconfCommand, "-f", "-d", r.ifaceName)
+	default:
+		cmd = exec.Command(resolvconfCommand, "-d", r.ifaceName)
+	}
+
+	// Ignore errors - the entry may not exist, which is fine
+	_ = cmd.Run()
+
+	return nil
+}
+
 // GetCurrentDNS returns the currently configured DNS servers
 func (r *ResolvconfDNSConfigurator) GetCurrentDNS() ([]netip.Addr, error) {
 	// resolvconf doesn't provide a direct way to query per-interface DNS

dns/platform/systemd.go

@@ -73,10 +73,17 @@ func NewSystemdResolvedDNSConfigurator(ifaceName string) (*SystemdResolvedDNSCon
 		return nil, fmt.Errorf("get link: %w", err)
 	}
 
-	return &SystemdResolvedDNSConfigurator{
+	config := &SystemdResolvedDNSConfigurator{
 		ifaceName:      ifaceName,
 		dbusLinkObject: dbus.ObjectPath(linkPath),
-	}, nil
+	}
+
+	// Call cleanup function here
+	if err := config.CleanupUncleanShutdown(); err != nil {
+		fmt.Printf("warning: cleanup unclean shutdown failed: %v\n", err)
+	}
+
+	return config, nil
 }
 
 // Name returns the configurator name
@@ -133,6 +140,17 @@ func (s *SystemdResolvedDNSConfigurator) RestoreDNS() error {
 	return nil
 }
 
+// CleanupUncleanShutdown removes any DNS configuration left over from a previous crash
+// For systemd-resolved, the DNS configuration is tied to the network interface.
+// When the interface is destroyed and recreated, systemd-resolved automatically
+// clears the per-link DNS settings, so there's nothing to clean up.
+func (s *SystemdResolvedDNSConfigurator) CleanupUncleanShutdown() error {
+	// systemd-resolved DNS configuration is per-link and automatically cleared
+	// when the link (interface) is destroyed. Since the WireGuard interface is
+	// recreated on restart, there's no leftover state to clean up.
+	return nil
+}
+
 // GetCurrentDNS returns the currently configured DNS servers
 // Note: systemd-resolved doesn't easily expose current per-link DNS servers via D-Bus
 // This is a placeholder that returns an empty list

dns/platform/types.go

@@ -17,6 +17,10 @@ type DNSConfigurator interface {
 
 	// Name returns the name of this configurator implementation
 	Name() string
+
+	// CleanupUncleanShutdown removes any DNS configuration left over from
+	// a previous crash or unclean shutdown. This should be called on startup.
+	CleanupUncleanShutdown() error
 }
 
 // DNSConfig contains the configuration for DNS override

dns/platform/windows.go

@@ -113,6 +113,18 @@ func (w *WindowsDNSConfigurator) RestoreDNS() error {
 	return nil
 }
 
+// CleanupUncleanShutdown removes any DNS configuration left over from a previous crash
+// On Windows, we rely on the registry-based approach which doesn't leave orphaned state
+// in the same way as macOS scutil. The DNS settings are tied to the interface which
+// gets recreated on restart.
+func (w *WindowsDNSConfigurator) CleanupUncleanShutdown() error {
+	// Windows DNS configuration via registry is interface-specific.
+	// When the WireGuard interface is recreated, it gets a new GUID,
+	// so there's no leftover state to clean up from previous sessions.
+	// The old interface's registry keys are effectively orphaned but harmless.
+	return nil
+}
+
 // GetCurrentDNS returns the currently configured DNS servers
 func (w *WindowsDNSConfigurator) GetCurrentDNS() ([]netip.Addr, error) {
 	regKey, err := w.getInterfaceRegistryKey(registry.QUERY_VALUE)

go.mod

@@ -4,7 +4,7 @@ go 1.25
 
 require (
 	github.com/Microsoft/go-winio v0.6.2
-	github.com/fosrl/newt v0.0.0-20251208171729-6d7985689552
+	github.com/fosrl/newt v0.0.0-20251222211541-80ae03997a06
 	github.com/godbus/dbus/v5 v5.2.0
 	github.com/gorilla/websocket v1.5.3
 	github.com/miekg/dns v1.1.68
@@ -16,17 +16,62 @@ require (
 )
 
 require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/containerd/errdefs v0.3.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/docker v28.5.2+incompatible // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
+	github.com/docker/go-units v0.4.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/otlptranslator v0.0.2 // indirect
+	github.com/prometheus/procfs v0.17.0 // indirect
 	github.com/vishvananda/netlink v1.3.1 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0 // indirect
+	go.opentelemetry.io/otel v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/prometheus v0.60.0 // indirect
+	go.opentelemetry.io/otel/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.7.1 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 // indirect
 	golang.org/x/mod v0.30.0 // indirect
 	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	golang.org/x/tools v0.39.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect
+	google.golang.org/grpc v1.76.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,21 +1,103 @@
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/fosrl/newt v0.0.0-20251208171729-6d7985689552 h1:51pHUtoqQhYPS9OiBDHLgYV44X/CBzR5J7GuWO3izhU=
-github.com/fosrl/newt v0.0.0-20251208171729-6d7985689552/go.mod h1:pol958CEs0nQmo/35Ltv0CGksheIKCS2hoNvdTVLEcI=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4=
+github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
+github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
+github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
+github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fosrl/newt v0.0.0-20251222020104-a21a8e90fa01 h1:VpuI42l4enih//6IFFQDln/B7WukfMePxIRIpXsNe/0=
+github.com/fosrl/newt v0.0.0-20251222020104-a21a8e90fa01/go.mod h1:pol958CEs0nQmo/35Ltv0CGksheIKCS2hoNvdTVLEcI=
+github.com/fosrl/newt v0.0.0-20251222211541-80ae03997a06 h1:xWuCn+gzX0W7bHs/cV/ykNBliisNzNomPR76E4M0dtI=
+github.com/fosrl/newt v0.0.0-20251222211541-80ae03997a06/go.mod h1:pol958CEs0nQmo/35Ltv0CGksheIKCS2hoNvdTVLEcI=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/godbus/dbus/v5 v5.2.0 h1:3WexO+U+yg9T70v9FdHr9kCxYlazaAXUhx2VMkbfax8=
 github.com/godbus/dbus/v5 v5.2.0/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248=
+github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
 github.com/miekg/dns v1.1.68 h1:jsSRkNozw7G/mnmXULynzMNIsgY2dHC8LO6U6Ij2JEA=
 github.com/miekg/dns v1.1.68/go.mod h1:fujopn7TB3Pu3JM69XaawiU0wqjpL9/8xGop5UrTPps=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/otlptranslator v0.0.2 h1:+1CdeLVrRQ6Psmhnobldo0kTp96Rj80DRXRd5OSnMEQ=
+github.com/prometheus/otlptranslator v0.0.2/go.mod h1:P8AwMgdD7XEr6QRUJ2QWLpiAZTgTE2UYgjlu3svompI=
+github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
+github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
 github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
 github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
 github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
 github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=
+go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0 h1:PeBoRj6af6xMI7qCupwFvTbbnd49V7n5YpG6pg8iDYQ=
+go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0/go.mod h1:ingqBCtMCe8I4vpz/UVzCW6sxoqgZB37nao91mLQ3Bw=
+go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 h1:vl9obrcoWVKp/lwl8tRE33853I8Xru9HFbw/skNeLs8=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0/go.mod h1:GAXRxmLJcVM3u22IjTg74zWBrRCKq8BnOqUVLodpcpw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk=
+go.opentelemetry.io/otel/exporters/prometheus v0.60.0 h1:cGtQxGvZbnrWdC2GyjZi0PDKVSLWP/Jocix3QWfXtbo=
+go.opentelemetry.io/otel/exporters/prometheus v0.60.0/go.mod h1:hkd1EekxNo69PTV4OWFGZcKQiIqg0RfuWExcPKFvepk=
+go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
+go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
+go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
 golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 h1:zfMcR1Cs4KNuomFFgGefv5N0czO2XZpUbxGUy8i8ug0=
@@ -30,6 +112,8 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
 golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
@@ -42,6 +126,18 @@ golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 h1:3GDAcqdI
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10/go.mod h1:T97yPqesLiNrOYxkwmhMI0ZIlJDm+p0PMR8eRVeR5tQ=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
+google.golang.org/genproto v0.0.0-20230920204549-e6e6cdab5c13 h1:vlzZttNJGVqTsRFU9AmdnrcO1Znh8Ew9kCD//yjigk0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY=
+google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 h1:eaY8u2EuxbRv7c3NiGK0/NedzVsCcV6hDuU5qPX5EGE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5/go.mod h1:M4/wBTSeyLxupu3W3tJtOgB14jILAS/XWPSSa3TAlJc=
+google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
+google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c h1:m/r7OM+Y2Ty1sgBQ7Qb27VgIMBW8ZZhT4gLnUyDIhzI=
 gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c/go.mod h1:3r5CMtNQMKIvBlrmM9xWUNamjKBYPOWyXOjmg5Kts3g=
 software.sslmate.com/src/go-pkcs12 v0.6.0 h1:f3sQittAeF+pao32Vb+mkli+ZyT+VwKaD014qFGq6oU=

olm/olm.go

@@ -374,8 +374,14 @@ func StartTunnel(config TunnelConfig) {
 			logger.Error("Failed to bring up WireGuard device: %v", err)
 		}
 
+		// Extract interface IP (strip CIDR notation if present)
+		interfaceIP := wgData.TunnelIP
+		if strings.Contains(interfaceIP, "/") {
+			interfaceIP = strings.Split(interfaceIP, "/")[0]
+		}
+
 		// Create and start DNS proxy
-		dnsProxy, err = dns.NewDNSProxy(tdev, middleDev, config.MTU, wgData.UtilitySubnet, config.UpstreamDNS)
+		dnsProxy, err = dns.NewDNSProxy(tdev, middleDev, config.MTU, wgData.UtilitySubnet, config.UpstreamDNS, config.TunnelDNS, interfaceIP)
 		if err != nil {
 			logger.Error("Failed to create DNS proxy: %v", err)
 		}
@@ -388,12 +394,6 @@ func StartTunnel(config TunnelConfig) {
 			logger.Error("Failed to add route for utility subnet: %v", err)
 		}
 
-		// TODO: seperate adding the callback to this so we can init it above with the interface
-		interfaceIP := wgData.TunnelIP
-		if strings.Contains(interfaceIP, "/") {
-			interfaceIP = strings.Split(interfaceIP, "/")[0]
-		}
-
 		// Create peer manager with integrated peer monitoring
 		peerManager = peers.NewPeerManager(peers.PeerManagerConfig{
 			Device:        dev,
@@ -566,6 +566,14 @@ func StartTunnel(config TunnelConfig) {
 			return
 		}
 
+		// Remove any exit nodes associated with this peer from hole punching
+		if holePunchManager != nil {
+			removed := holePunchManager.RemoveExitNodesByPeer(removeData.SiteId)
+			if removed > 0 {
+				logger.Info("Removed %d exit nodes associated with peer %d from hole punch rotation", removed, removeData.SiteId)
+			}
+		}
+
 		// Remove successful
 		logger.Info("Successfully removed peer for site %d", removeData.SiteId)
 	})
@@ -727,7 +735,7 @@ func StartTunnel(config TunnelConfig) {
 		// Update HTTP server to mark this peer as using relay
 		apiServer.UpdatePeerRelayStatus(relayData.SiteId, relayData.RelayEndpoint, true)
 
-		peerManager.RelayPeer(relayData.SiteId, primaryRelay)
+		peerManager.RelayPeer(relayData.SiteId, primaryRelay, relayData.RelayPort)
 	})
 
 	olm.RegisterHandler("olm/wg/peer/unrelay", func(msg websocket.WSMessage) {
@@ -777,6 +785,7 @@ func StartTunnel(config TunnelConfig) {
 			ExitNode struct {
 				PublicKey string `json:"publicKey"`
 				Endpoint  string `json:"endpoint"`
+				RelayPort uint16 `json:"relayPort"`
 			} `json:"exitNode"`
 		}
 
@@ -792,9 +801,17 @@ func StartTunnel(config TunnelConfig) {
 			return
 		}
 
+		relayPort := handshakeData.ExitNode.RelayPort
+		if relayPort == 0 {
+			relayPort = 21820 // default relay port
+		}
+
+		siteId := handshakeData.SiteId
 		exitNode := holepunch.ExitNode{
 			Endpoint:  handshakeData.ExitNode.Endpoint,
+			RelayPort: relayPort,
 			PublicKey: handshakeData.ExitNode.PublicKey,
+			SiteIds:  []int{siteId},
 		}
 
 		added := holePunchManager.AddExitNode(exitNode)
@@ -878,9 +895,16 @@ func StartTunnel(config TunnelConfig) {
 		// Convert websocket.ExitNode to holepunch.ExitNode
 		hpExitNodes := make([]holepunch.ExitNode, len(exitNodes))
 		for i, node := range exitNodes {
+			relayPort := node.RelayPort
+			if relayPort == 0 {
+				relayPort = 21820 // default relay port
+			}
+
 			hpExitNodes[i] = holepunch.ExitNode{
 				Endpoint:  node.Endpoint,
+				RelayPort: relayPort,
 				PublicKey: node.PublicKey,
+				SiteIds:   node.SiteIds,
 			}
 		}
 

olm/types.go

@@ -61,6 +61,7 @@ type TunnelConfig struct {
 	EnableUAPI bool
 
 	OverrideDNS bool
+	TunnelDNS   bool
 
 	DisableRelay bool
 }

peers/manager.go

@@ -743,7 +743,7 @@ func (pm *PeerManager) RemoveAlias(siteId int, aliasName string) error {
 }
 
 // RelayPeer handles failover to the relay server when a peer is disconnected
-func (pm *PeerManager) RelayPeer(siteId int, relayEndpoint string) {
+func (pm *PeerManager) RelayPeer(siteId int, relayEndpoint string, relayPort uint16) {
 	pm.mu.Lock()
 	peer, exists := pm.peers[siteId]
 	if exists {
@@ -764,10 +764,14 @@ func (pm *PeerManager) RelayPeer(siteId int, relayEndpoint string) {
 		formattedEndpoint = fmt.Sprintf("[%s]", relayEndpoint)
 	}
 
+	if relayPort == 0 {
+		relayPort = 21820 // fall back to 21820 for backward compatibility
+	}
+
 	// Update only the endpoint for this peer (update_only preserves other settings)
 	wgConfig := fmt.Sprintf(`public_key=%s
 update_only=true
-endpoint=%s:21820`, util.FixKey(peer.PublicKey), formattedEndpoint)
+endpoint=%s:%d`, util.FixKey(peer.PublicKey), formattedEndpoint, relayPort)
 
 	err := pm.device.IpcSet(wgConfig)
 	if err != nil {

peers/monitor/monitor.go

@@ -505,7 +505,7 @@ func (pm *PeerMonitor) checkHolepunchEndpoints() {
 	pm.mutex.Unlock()
 
 	for siteID, endpoint := range endpoints {
-		logger.Debug("Testing holepunch endpoint for site %d: %s", siteID, endpoint)
+		// logger.Debug("Testing holepunch endpoint for site %d: %s", siteID, endpoint)
 		result := pm.holepunchTester.TestEndpoint(endpoint, timeout)
 
 		pm.mutex.Lock()

peers/types.go

@@ -33,6 +33,7 @@ type PeerRemove struct {
 type RelayPeerData struct {
 	SiteId        int    `json:"siteId"`
 	RelayEndpoint string `json:"relayEndpoint"`
+	RelayPort     uint16 `json:"relayPort"`
 }
 
 type UnRelayPeerData struct {

websocket/client.go

@@ -48,7 +48,9 @@ type TokenResponse struct {
 
 type ExitNode struct {
 	Endpoint  string `json:"endpoint"`
+	RelayPort uint16 `json:"relayPort"`
 	PublicKey string `json:"publicKey"`
+	SiteIds   []int  `json:"siteIds"`
 }
 
 type WSMessage struct {