Fix docker ignore

Former-commit-id: f24add4f72

.dockerignore

@@ -1,9 +1,9 @@
 .gitignore
 .dockerignore
-olm
 *.json
 README.md
 Makefile
 public/
 LICENSE
-CONTRIBUTING.md
+CONTRIBUTING.md
+bin/

.github/workflows/cicd.yml

@@ -12,7 +12,7 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@v5
+              uses: actions/checkout@v6
 
             - name: Set up QEMU
               uses: docker/setup-qemu-action@v3
@@ -54,7 +54,7 @@ jobs:
                   make go-build-release
 
             - name: Upload artifacts from /bin
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@v5
               with:
                   name: binaries
                   path: bin/

.github/workflows/test.yml

@@ -11,7 +11,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
+
+      - name: Clone fosrl/newt
+        uses: actions/checkout@v6
+        with:
+          repository: fosrl/newt
+          path: ../newt
 
       - name: Set up Go
         uses: actions/setup-go@v6

Dockerfile

@@ -16,7 +16,7 @@ COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -o /olm
 
 # Start a new stage from scratch
-FROM alpine:3.22 AS runner
+FROM alpine:3.23 AS runner
 
 RUN apk --no-cache add ca-certificates
 

README.md

@@ -23,15 +23,21 @@ When Olm receives WireGuard control messages, it will use the information encode
 -   `endpoint`: The endpoint where both Gerbil and Pangolin reside in order to connect to the websocket.
 -   `id`: Olm ID generated by Pangolin to identify the olm.
 -   `secret`: A unique secret (not shared and kept private) used to authenticate the olm ID with the websocket in order to receive commands.
+-   `org` (optional): Organization ID to connect to.
+-   `user-token` (optional): User authentication token.
 -   `mtu` (optional): MTU for the internal WG interface. Default: 1280
 -   `dns` (optional): DNS server to use to resolve the endpoint. Default: 8.8.8.8
+-   `upstream-dns` (optional): Upstream DNS server(s), comma-separated. Default: 8.8.8.8:53
 -   `log-level` (optional): The log level to use (DEBUG, INFO, WARN, ERROR, FATAL). Default: INFO
 -   `ping-interval` (optional): Interval for pinging the server. Default: 3s
 -   `ping-timeout` (optional): Timeout for each ping. Default: 5s
 -   `interface` (optional): Name of the WireGuard interface. Default: olm
--   `enable-http` (optional): Enable HTTP server for receiving connection requests. Default: false
+-   `enable-api` (optional): Enable API server for receiving connection requests. Default: false
 -   `http-addr` (optional): HTTP server address (e.g., ':9452'). Default: :9452
--   `holepunch` (optional): Enable hole punching. Default: false
+-   `socket-path` (optional): Unix socket path (or named pipe on Windows). Default: /var/run/olm.sock (Linux/macOS) or olm (Windows)
+-   `disable-holepunch` (optional): Disable hole punching. Default: false
+-   `override-dns` (optional): Override system DNS settings. Default: false
+-   `disable-relay` (optional): Disable relay connections. Default: false
 
 ## Environment Variables
 
@@ -40,14 +46,21 @@ All CLI arguments can also be set via environment variables:
 -   `PANGOLIN_ENDPOINT`: Equivalent to `--endpoint`
 -   `OLM_ID`: Equivalent to `--id`
 -   `OLM_SECRET`: Equivalent to `--secret`
+-   `ORG`: Equivalent to `--org`
+-   `USER_TOKEN`: Equivalent to `--user-token`
 -   `MTU`: Equivalent to `--mtu`
 -   `DNS`: Equivalent to `--dns`
+-   `UPSTREAM_DNS`: Equivalent to `--upstream-dns`
 -   `LOG_LEVEL`: Equivalent to `--log-level`
 -   `INTERFACE`: Equivalent to `--interface`
+-   `ENABLE_API`: Set to "true" to enable API server (equivalent to `--enable-api`)
 -   `HTTP_ADDR`: Equivalent to `--http-addr`
+-   `SOCKET_PATH`: Equivalent to `--socket-path`
 -   `PING_INTERVAL`: Equivalent to `--ping-interval`
 -   `PING_TIMEOUT`: Equivalent to `--ping-timeout`
--   `HOLEPUNCH`: Set to "true" to enable hole punching (equivalent to `--holepunch`)
+-   `DISABLE_HOLEPUNCH`: Set to "true" to disable hole punching (equivalent to `--disable-holepunch`)
+-   `OVERRIDE_DNS`: Set to "true" to override system DNS settings (equivalent to `--override-dns`)
+-   `DISABLE_RELAY`: Set to "true" to disable relay connections (equivalent to `--disable-relay`)
 -   `CONFIG_FILE`: Set to the location of a JSON file to load secret values
 
 Examples:
@@ -108,11 +121,26 @@ $ cat ~/.config/olm-client/config.json
   "id": "spmzu8rbpzj1qq6",
   "secret": "f6v61mjutwme2kkydbw3fjo227zl60a2tsf5psw9r25hgae3",
   "endpoint": "https://app.pangolin.net",
+  "org": "",
+  "userToken": "",
+  "mtu": 1280,
+  "dns": "8.8.8.8",
+  "upstreamDNS": ["8.8.8.8:53"],
+  "interface": "olm",
+  "logLevel": "INFO",
+  "enableApi": false,
+  "httpAddr": "",
+  "socketPath": "/var/run/olm.sock",
+  "pingInterval": "3s",
+  "pingTimeout": "5s",
+  "disableHolepunch": false,
+  "overrideDNS": false,
+  "disableRelay": false,
   "tlsClientCert": ""
 }
 ```
 
-This file is also written to when newt first starts up. So you do not need to run every time with --id and secret if you have run it once! 
+This file is also written to when olm first starts up. So you do not need to run every time with --id and secret if you have run it once! 
 
 Default locations: 
 
@@ -122,7 +150,7 @@ Default locations:
 
 ## Hole Punching
 
-In the default mode, olm "relays" traffic through Gerbil in the cloud to get down to newt. This is a little more reliable. Support for NAT hole punching is also EXPERIMENTAL right now using the `--holepunch` flag. This will attempt to orchestrate a NAT hole punch between the two sites so that traffic flows directly. This will save data costs and speed. If it fails it should fall back to relaying.
+In the default mode, olm uses both relaying through Gerbil and NAT hole punching to connect to newt. If you want to disable hole punching, use the `--disable-holepunch` flag. Hole punching attempts to orchestrate a NAT hole punch between the two sites so that traffic flows directly, which can save data costs and improve speed. If hole punching fails, traffic will fall back to relaying through Gerbil.
 
 Right now, basic NAT hole punching is supported. We plan to add:
 
@@ -182,26 +210,75 @@ You can view the Windows Event Log using Event Viewer or PowerShell:
 Get-EventLog -LogName Application -Source "OlmWireguardService" -Newest 10
 ```
 
-## HTTP Endpoints
+## HTTP API
 
-Olm can be controlled with an embedded http server when using `--enable-http`. This allows you to start it as a daemon and trigger it with the following endpoints:
+Olm can be controlled with an embedded HTTP server when using `--enable-http`. This allows you to start it as a daemon and trigger it with the following endpoints. The API can listen on either a TCP address or a Unix socket/Windows named pipe.
+
+### Socket vs TCP
+
+By default, when `--enable-http` is used, Olm listens on a TCP address (configured via `--http-addr`, default `:9452`). Alternatively, Olm can listen on a Unix socket (Linux/macOS) or Windows named pipe for local-only communication with better security.
+
+**Unix Socket (Linux/macOS):**
+- Socket path example: `/var/run/olm/olm.sock`
+- The directory is created automatically if it doesn't exist
+- Socket permissions are set to `0666` to allow access
+- Existing socket files are automatically removed on startup
+- Socket file is cleaned up when Olm stops
+
+**Windows Named Pipe:**
+- Pipe path example: `\\.\pipe\olm`
+- If the path doesn't start with `\`, it's automatically prefixed with `\\.\pipe\`
+- Security descriptor grants full access to Everyone and the current owner
+- Named pipes are automatically cleaned up by Windows
+
+**Connecting to the Socket:**
+
+```bash
+# Linux/macOS - using curl with Unix socket
+curl --unix-socket /var/run/olm/olm.sock http://localhost/status
+
+---
 
 ### POST /connect
-Initiates a new connection request.
+Initiates a new connection request to a Pangolin server.
 
 **Request Body:**
 ```json
 {
   "id": "string",
-  "secret": "string", 
-  "endpoint": "string"
+  "secret": "string",
+  "endpoint": "string",
+  "userToken": "string",
+  "mtu": 1280,
+  "dns": "8.8.8.8",
+  "dnsProxyIP": "string",
+  "upstreamDNS": ["8.8.8.8:53", "1.1.1.1:53"],
+  "interfaceName": "olm",
+  "holepunch": false,
+  "tlsClientCert": "string",
+  "pingInterval": "3s",
+  "pingTimeout": "5s",
+  "orgId": "string"
 }
 ```
 
 **Required Fields:**
-- `id`: Connection identifier
-- `secret`: Authentication secret
-- `endpoint`: Target endpoint URL
+- `id`: Olm ID generated by Pangolin
+- `secret`: Authentication secret for the Olm ID
+- `endpoint`: Target Pangolin endpoint URL
+
+**Optional Fields:**
+- `userToken`: User authentication token
+- `mtu`: MTU for the internal WireGuard interface (default: 1280)
+- `dns`: DNS server to use for resolving the endpoint
+- `dnsProxyIP`: DNS proxy IP address
+- `upstreamDNS`: Array of upstream DNS servers
+- `interfaceName`: Name of the WireGuard interface (default: olm)
+- `holepunch`: Enable NAT hole punching (default: false)
+- `tlsClientCert`: TLS client certificate
+- `pingInterval`: Interval for pinging the server (default: 3s)
+- `pingTimeout`: Timeout for each ping (default: 5s)
+- `orgId`: Organization ID to connect to
 
 **Response:**
 - **Status Code:** `202 Accepted`
@@ -216,9 +293,12 @@ Initiates a new connection request.
 **Error Responses:**
 - `405 Method Not Allowed` - Non-POST requests
 - `400 Bad Request` - Invalid JSON or missing required fields
+- `409 Conflict` - Already connected to a server (disconnect first)
+
+---
 
 ### GET /status
-Returns the current connection status and peer information.
+Returns the current connection status, registration state, and peer information.
 
 **Response:**
 - **Status Code:** `200 OK`
@@ -226,52 +306,162 @@ Returns the current connection status and peer information.
 
 ```json
 {
-  "status": "connected",
   "connected": true,
-  "tunnelIP": "100.89.128.3/20",
-  "version": "version_replaceme",
+  "registered": true,
+  "terminated": false,
+  "version": "1.0.0",
+  "agent": "olm",
+  "orgId": "org_123",
   "peers": {
     "10": {
       "siteId": 10,
+      "name": "Site A",
       "connected": true,
       "rtt": 145338339,
       "lastSeen": "2025-08-13T14:39:17.208334428-07:00",
       "endpoint": "p.fosrl.io:21820",
-      "isRelay": true
+      "isRelay": true,
+      "peerAddress": "100.89.128.5",
+      "holepunchConnected": false
     },
     "8": {
       "siteId": 8,
+      "name": "Site B",
       "connected": false,
       "rtt": 0,
       "lastSeen": "2025-08-13T14:39:19.663823645-07:00",
       "endpoint": "p.fosrl.io:21820",
-      "isRelay": true
+      "isRelay": true,
+      "peerAddress": "100.89.128.10",
+      "holepunchConnected": false
     }
+  },
+  "networkSettings": {
+    "tunnelIP": "100.89.128.3/20"
   }
 }
 ```
 
 **Fields:**
-- `status`: Overall connection status ("connected" or "disconnected")
-- `connected`: Boolean connection state
-- `tunnelIP`: IP address and subnet of the tunnel (when connected)
+- `connected`: Boolean indicating if connected to Pangolin
+- `registered`: Boolean indicating if registered with the server
+- `terminated`: Boolean indicating if the connection was terminated
 - `version`: Olm version string
+- `agent`: Agent identifier
+- `orgId`: Current organization ID
 - `peers`: Map of peer statuses by site ID
   - `siteId`: Peer site identifier
+  - `name`: Site name
   - `connected`: Boolean peer connection state
   - `rtt`: Peer round-trip time (integer, nanoseconds)
   - `lastSeen`: Last time peer was seen (RFC3339 timestamp)
   - `endpoint`: Peer endpoint address
   - `isRelay`: Whether the peer is relayed (true) or direct (false)
+  - `peerAddress`: Peer's IP address in the tunnel
+  - `holepunchConnected`: Whether holepunch connection is established
+- `networkSettings`: Current network configuration including tunnel IP
 
 **Error Responses:**
 - `405 Method Not Allowed` - Non-GET requests
 
+---
+
+### POST /disconnect
+Disconnects from the current Pangolin server and tears down the WireGuard tunnel.
+
+**Request Body:** None required
+
+**Response:**
+- **Status Code:** `200 OK`
+- **Content-Type:** `application/json`
+
+```json
+{
+  "status": "disconnect initiated"
+}
+```
+
+**Error Responses:**
+- `405 Method Not Allowed` - Non-POST requests
+- `409 Conflict` - Not currently connected to a server
+
+---
+
+### POST /switch-org
+Switches to a different organization while maintaining the connection.
+
+**Request Body:**
+```json
+{
+  "orgId": "string"
+}
+```
+
+**Required Fields:**
+- `orgId`: The organization ID to switch to
+
+**Response:**
+- **Status Code:** `200 OK`
+- **Content-Type:** `application/json`
+
+```json
+{
+  "status": "org switch request accepted"
+}
+```
+
+**Error Responses:**
+- `405 Method Not Allowed` - Non-POST requests
+- `400 Bad Request` - Invalid JSON or missing orgId field
+- `500 Internal Server Error` - Org switch failed
+
+---
+
+### POST /exit
+Initiates a graceful shutdown of the Olm process.
+
+**Request Body:** None required
+
+**Response:**
+- **Status Code:** `200 OK`
+- **Content-Type:** `application/json`
+
+```json
+{
+  "status": "shutdown initiated"
+}
+```
+
+**Note:** The response is sent before shutdown begins. There is a 100ms delay before the actual shutdown to ensure the response is delivered.
+
+**Error Responses:**
+- `405 Method Not Allowed` - Non-POST requests
+
+---
+
+### GET /health
+Simple health check endpoint to verify the API server is running.
+
+**Response:**
+- **Status Code:** `200 OK`
+- **Content-Type:** `application/json`
+
+```json
+{
+  "status": "ok"
+}
+```
+
+**Error Responses:**
+- `405 Method Not Allowed` - Non-GET requests
+
+---
+
 ## Usage Examples
 
 ### Connect to a peer
 ```bash
-curl -X POST http://localhost:8080/connect \
+curl -X POST http://localhost:9452/connect \
   -H "Content-Type: application/json" \
   -d '{
     "id": "31frd0uzbjvp721",
@@ -280,9 +470,51 @@ curl -X POST http://localhost:8080/connect \
   }'
 ```
 
+### Connect with additional options
+```bash
+curl -X POST http://localhost:9452/connect \
+  -H "Content-Type: application/json" \
+  -d '{
+    "id": "31frd0uzbjvp721",
+    "secret": "h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6",
+    "endpoint": "https://example.com",
+    "mtu": 1400,
+    "holepunch": true,
+    "pingInterval": "5s"
+  }'
+```
+
 ### Check connection status
 ```bash
-curl http://localhost:8080/status
+curl http://localhost:9452/status
+```
+
+### Switch organization
+```bash
+curl -X POST http://localhost:9452/switch-org \
+  -H "Content-Type: application/json" \
+  -d '{"orgId": "org_456"}'
+```
+
+### Disconnect from server
+```bash
+curl -X POST http://localhost:9452/disconnect
+```
+
+### Health check
+```bash
+curl http://localhost:9452/health
+```
+
+### Shutdown Olm
+```bash
+curl -X POST http://localhost:9452/exit
+```
+
+### Using Unix socket (Linux/macOS)
+```bash
+curl --unix-socket /var/run/olm/olm.sock http://localhost/status
+curl --unix-socket /var/run/olm/olm.sock -X POST http://localhost/disconnect
 ```
 
 ## Build

api/api.go

@@ -38,6 +38,7 @@ type SwitchOrgRequest struct {
 // PeerStatus represents the status of a peer connection
 type PeerStatus struct {
 	SiteID             int           `json:"siteId"`
+	Name               string        `json:"name"`
 	Connected          bool          `json:"connected"`
 	RTT                time.Duration `json:"rtt"`
 	LastSeen           time.Time     `json:"lastSeen"`
@@ -170,6 +171,26 @@ func (s *API) Stop() error {
 	return nil
 }
 
+func (s *API) AddPeerStatus(siteID int, siteName string, connected bool, rtt time.Duration, endpoint string, isRelay bool) {
+	s.statusMu.Lock()
+	defer s.statusMu.Unlock()
+
+	status, exists := s.peerStatuses[siteID]
+	if !exists {
+		status = &PeerStatus{
+			SiteID: siteID,
+		}
+		s.peerStatuses[siteID] = status
+	}
+
+	status.Name = siteName
+	status.Connected = connected
+	status.RTT = rtt
+	status.LastSeen = time.Now()
+	status.Endpoint = endpoint
+	status.IsRelay = isRelay
+}
+
 // UpdatePeerStatus updates the status of a peer including endpoint and relay info
 func (s *API) UpdatePeerStatus(siteID int, connected bool, rtt time.Duration, endpoint string, isRelay bool) {
 	s.statusMu.Lock()

config.go

@@ -40,10 +40,10 @@ type OlmConfig struct {
 	PingTimeout  string `json:"pingTimeout"`
 
 	// Advanced
-	Holepunch     bool   `json:"holepunch"`
-	TlsClientCert string `json:"tlsClientCert"`
-	OverrideDNS   bool   `json:"overrideDNS"`
-	DisableRelay  bool   `json:"disableRelay"`
+	DisableHolepunch bool   `json:"disableHolepunch"`
+	TlsClientCert    string `json:"tlsClientCert"`
+	OverrideDNS      bool   `json:"overrideDNS"`
+	DisableRelay     bool   `json:"disableRelay"`
 	// DoNotCreateNewClient bool   `json:"doNotCreateNewClient"`
 
 	// Parsed values (not in JSON)
@@ -78,16 +78,16 @@ func DefaultConfig() *OlmConfig {
 	}
 
 	config := &OlmConfig{
-		MTU:           1280,
-		DNS:           "8.8.8.8",
-		UpstreamDNS:   []string{"8.8.8.8:53"},
-		LogLevel:      "INFO",
-		InterfaceName: "olm",
-		EnableAPI:     false,
-		SocketPath:    socketPath,
-		PingInterval:  "3s",
-		PingTimeout:   "5s",
-		Holepunch:     false,
+		MTU:              1280,
+		DNS:              "8.8.8.8",
+		UpstreamDNS:      []string{"8.8.8.8:53"},
+		LogLevel:         "INFO",
+		InterfaceName:    "olm",
+		EnableAPI:        false,
+		SocketPath:       socketPath,
+		PingInterval:     "3s",
+		PingTimeout:      "5s",
+		DisableHolepunch: false,
 		// DoNotCreateNewClient: false,
 		sources: make(map[string]string),
 	}
@@ -103,7 +103,7 @@ func DefaultConfig() *OlmConfig {
 	config.sources["socketPath"] = string(SourceDefault)
 	config.sources["pingInterval"] = string(SourceDefault)
 	config.sources["pingTimeout"] = string(SourceDefault)
-	config.sources["holepunch"] = string(SourceDefault)
+	config.sources["disableHolepunch"] = string(SourceDefault)
 	config.sources["overrideDNS"] = string(SourceDefault)
 	config.sources["disableRelay"] = string(SourceDefault)
 	// config.sources["doNotCreateNewClient"] = string(SourceDefault)
@@ -253,9 +253,9 @@ func loadConfigFromEnv(config *OlmConfig) {
 		config.SocketPath = val
 		config.sources["socketPath"] = string(SourceEnv)
 	}
-	if val := os.Getenv("HOLEPUNCH"); val == "true" {
-		config.Holepunch = true
-		config.sources["holepunch"] = string(SourceEnv)
+	if val := os.Getenv("DISABLE_HOLEPUNCH"); val == "true" {
+		config.DisableHolepunch = true
+		config.sources["disableHolepunch"] = string(SourceEnv)
 	}
 	if val := os.Getenv("OVERRIDE_DNS"); val == "true" {
 		config.OverrideDNS = true
@@ -277,24 +277,24 @@ func loadConfigFromCLI(config *OlmConfig, args []string) (bool, bool, error) {
 
 	// Store original values to detect changes
 	origValues := map[string]interface{}{
-		"endpoint":     config.Endpoint,
-		"id":           config.ID,
-		"secret":       config.Secret,
-		"org":          config.OrgID,
-		"userToken":    config.UserToken,
-		"mtu":          config.MTU,
-		"dns":          config.DNS,
-		"upstreamDNS":  fmt.Sprintf("%v", config.UpstreamDNS),
-		"logLevel":     config.LogLevel,
-		"interface":    config.InterfaceName,
-		"httpAddr":     config.HTTPAddr,
-		"socketPath":   config.SocketPath,
-		"pingInterval": config.PingInterval,
-		"pingTimeout":  config.PingTimeout,
-		"enableApi":    config.EnableAPI,
-		"holepunch":    config.Holepunch,
-		"overrideDNS":  config.OverrideDNS,
-		"disableRelay": config.DisableRelay,
+		"endpoint":         config.Endpoint,
+		"id":               config.ID,
+		"secret":           config.Secret,
+		"org":              config.OrgID,
+		"userToken":        config.UserToken,
+		"mtu":              config.MTU,
+		"dns":              config.DNS,
+		"upstreamDNS":      fmt.Sprintf("%v", config.UpstreamDNS),
+		"logLevel":         config.LogLevel,
+		"interface":        config.InterfaceName,
+		"httpAddr":         config.HTTPAddr,
+		"socketPath":       config.SocketPath,
+		"pingInterval":     config.PingInterval,
+		"pingTimeout":      config.PingTimeout,
+		"enableApi":        config.EnableAPI,
+		"disableHolepunch": config.DisableHolepunch,
+		"overrideDNS":      config.OverrideDNS,
+		"disableRelay":     config.DisableRelay,
 		// "doNotCreateNewClient": config.DoNotCreateNewClient,
 	}
 
@@ -315,7 +315,7 @@ func loadConfigFromCLI(config *OlmConfig, args []string) (bool, bool, error) {
 	serviceFlags.StringVar(&config.PingInterval, "ping-interval", config.PingInterval, "Interval for pinging the server")
 	serviceFlags.StringVar(&config.PingTimeout, "ping-timeout", config.PingTimeout, "Timeout for each ping")
 	serviceFlags.BoolVar(&config.EnableAPI, "enable-api", config.EnableAPI, "Enable API server for receiving connection requests")
-	serviceFlags.BoolVar(&config.Holepunch, "holepunch", config.Holepunch, "Enable hole punching")
+	serviceFlags.BoolVar(&config.DisableHolepunch, "disable-holepunch", config.DisableHolepunch, "Disable hole punching")
 	serviceFlags.BoolVar(&config.OverrideDNS, "override-dns", config.OverrideDNS, "Override system DNS settings")
 	serviceFlags.BoolVar(&config.DisableRelay, "disable-relay", config.DisableRelay, "Disable relay connections")
 	// serviceFlags.BoolVar(&config.DoNotCreateNewClient, "do-not-create-new-client", config.DoNotCreateNewClient, "Do not create new client")
@@ -384,8 +384,8 @@ func loadConfigFromCLI(config *OlmConfig, args []string) (bool, bool, error) {
 	if config.EnableAPI != origValues["enableApi"].(bool) {
 		config.sources["enableApi"] = string(SourceCLI)
 	}
-	if config.Holepunch != origValues["holepunch"].(bool) {
-		config.sources["holepunch"] = string(SourceCLI)
+	if config.DisableHolepunch != origValues["disableHolepunch"].(bool) {
+		config.sources["disableHolepunch"] = string(SourceCLI)
 	}
 	if config.OverrideDNS != origValues["overrideDNS"].(bool) {
 		config.sources["overrideDNS"] = string(SourceCLI)
@@ -505,9 +505,9 @@ func mergeConfigs(dest, src *OlmConfig) {
 		dest.EnableAPI = src.EnableAPI
 		dest.sources["enableApi"] = string(SourceFile)
 	}
-	if src.Holepunch {
-		dest.Holepunch = src.Holepunch
-		dest.sources["holepunch"] = string(SourceFile)
+	if src.DisableHolepunch {
+		dest.DisableHolepunch = src.DisableHolepunch
+		dest.sources["disableHolepunch"] = string(SourceFile)
 	}
 	if src.OverrideDNS {
 		dest.OverrideDNS = src.OverrideDNS
@@ -604,7 +604,7 @@ func (c *OlmConfig) ShowConfig() {
 
 	// Advanced
 	fmt.Println("\nAdvanced:")
-	fmt.Printf("  holepunch             = %v [%s]\n", c.Holepunch, getSource("holepunch"))
+	fmt.Printf("  disable-holepunch     = %v [%s]\n", c.DisableHolepunch, getSource("disableHolepunch"))
 	fmt.Printf("  override-dns          = %v [%s]\n", c.OverrideDNS, getSource("overrideDNS"))
 	fmt.Printf("  disable-relay         = %v [%s]\n", c.DisableRelay, getSource("disableRelay"))
 	// fmt.Printf("  do-not-create-new-client = %v [%s]\n", c.DoNotCreateNewClient, getSource("doNotCreateNewClient"))

go.mod

@@ -4,23 +4,23 @@ go 1.25
 
 require (
 	github.com/Microsoft/go-winio v0.6.2
-	github.com/fosrl/newt v0.0.0
+	github.com/fosrl/newt v0.0.0-20251208171729-6d7985689552
 	github.com/godbus/dbus/v5 v5.2.0
 	github.com/gorilla/websocket v1.5.3
 	github.com/miekg/dns v1.1.68
-	github.com/vishvananda/netlink v1.3.1
 	golang.org/x/sys v0.38.0
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
-	golang.zx2c4.com/wireguard/windows v0.5.3
 	gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c
 	software.sslmate.com/src/go-pkcs12 v0.6.0
 )
 
 require (
 	github.com/google/btree v1.1.3 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/vishvananda/netlink v1.3.1 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
-	golang.org/x/crypto v0.44.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 // indirect
 	golang.org/x/mod v0.30.0 // indirect
 	golang.org/x/net v0.47.0 // indirect
@@ -28,6 +28,5 @@ require (
 	golang.org/x/time v0.12.0 // indirect
 	golang.org/x/tools v0.39.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
+	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 )
-
-replace github.com/fosrl/newt => ../newt

go.sum

@@ -1,5 +1,7 @@
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/fosrl/newt v0.0.0-20251208171729-6d7985689552 h1:51pHUtoqQhYPS9OiBDHLgYV44X/CBzR5J7GuWO3izhU=
+github.com/fosrl/newt v0.0.0-20251208171729-6d7985689552/go.mod h1:pol958CEs0nQmo/35Ltv0CGksheIKCS2hoNvdTVLEcI=
 github.com/godbus/dbus/v5 v5.2.0 h1:3WexO+U+yg9T70v9FdHr9kCxYlazaAXUhx2VMkbfax8=
 github.com/godbus/dbus/v5 v5.2.0/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
@@ -14,8 +16,8 @@ github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW
 github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
 github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
 github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
-golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 h1:zfMcR1Cs4KNuomFFgGefv5N0czO2XZpUbxGUy8i8ug0=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0=
 golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=

main.go

@@ -177,7 +177,8 @@ func runOlmMainWithArgs(ctx context.Context, cancel context.CancelFunc, signalCt
 
 	// Load configuration from file, env vars, and CLI args
 	// Priority: CLI args > Env vars > Config file > Defaults
-	config, showVersion, showConfig, err := LoadConfig(os.Args[1:])
+	// Use the passed args parameter instead of os.Args[1:] to support Windows service mode
+	config, showVersion, showConfig, err := LoadConfig(args)
 	if err != nil {
 		fmt.Printf("Failed to load configuration: %v\n", err)
 		return
@@ -235,7 +236,7 @@ func runOlmMainWithArgs(ctx context.Context, cancel context.CancelFunc, signalCt
 			DNS:                  config.DNS,
 			UpstreamDNS:          config.UpstreamDNS,
 			InterfaceName:        config.InterfaceName,
-			Holepunch:            config.Holepunch,
+			Holepunch:            !config.DisableHolepunch,
 			TlsClientCert:        config.TlsClientCert,
 			PingIntervalDuration: config.PingIntervalDuration,
 			PingTimeoutDuration:  config.PingTimeoutDuration,

olm.iss

@@ -57,13 +57,13 @@ Name: "{group}\{#MyAppName}"; Filename: "{app}\{#MyAppExeName}"
 ; The 'Path' variable is located under 'SYSTEM\CurrentControlSet\Control\Session Manager\Environment'.
 ; ValueType: expandsz allows for environment variables (like %ProgramFiles%) in the path.
 ; ValueData: "{olddata};{app}" appends the current application directory to the existing PATH.
-; Flags: uninsdeletevalue ensures the entry is removed upon uninstallation.
-; Check: IsWin64 ensures this is applied on 64-bit systems, which matches ArchitecturesAllowed.
+; Note: Removal during uninstallation is handled by CurUninstallStepChanged procedure in [Code] section.
+; Check: NeedsAddPath ensures this is applied only if the path is not already present.
 [Registry]
 ; Add the application's installation directory to the system PATH.
 Root: HKLM; Subkey: "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"; \
     ValueType: expandsz; ValueName: "Path"; ValueData: "{olddata};{app}"; \
-    Flags: uninsdeletevalue; Check: NeedsAddPath(ExpandConstant('{app}'))
+    Check: NeedsAddPath(ExpandConstant('{app}'))
 
 [Code]
 function NeedsAddPath(Path: string): boolean;
@@ -85,4 +85,68 @@ begin
     Result := False
   else
     Result := True;
+end;
+
+procedure RemovePathEntry(PathToRemove: string);
+var
+  OrigPath: string;
+  NewPath: string;
+  PathList: TStringList;
+  I: Integer;
+begin
+  if not RegQueryStringValue(HKEY_LOCAL_MACHINE,
+    'SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
+    'Path', OrigPath)
+  then begin
+    // Path variable doesn't exist, nothing to remove
+    exit;
+  end;
+
+  // Create a string list to parse the PATH entries
+  PathList := TStringList.Create;
+  try
+    // Split the PATH by semicolons
+    PathList.Delimiter := ';';
+    PathList.StrictDelimiter := True;
+    PathList.DelimitedText := OrigPath;
+    
+    // Find and remove the matching entry (case-insensitive)
+    for I := PathList.Count - 1 downto 0 do
+    begin
+      if CompareText(Trim(PathList[I]), Trim(PathToRemove)) = 0 then
+      begin
+        Log('Found and removing PATH entry: ' + PathList[I]);
+        PathList.Delete(I);
+      end;
+    end;
+    
+    // Reconstruct the PATH
+    NewPath := PathList.DelimitedText;
+    
+    // Write the new PATH back to the registry
+    if RegWriteExpandStringValue(HKEY_LOCAL_MACHINE,
+      'SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
+      'Path', NewPath)
+    then
+      Log('Successfully removed path entry: ' + PathToRemove)
+    else
+      Log('Failed to write modified PATH to registry');
+  finally
+    PathList.Free;
+  end;
+end;
+
+procedure CurUninstallStepChanged(CurUninstallStep: TUninstallStep);
+var
+  AppPath: string;
+begin
+  if CurUninstallStep = usUninstall then
+  begin
+    // Get the application installation path
+    AppPath := ExpandConstant('{app}');
+    Log('Removing PATH entry for: ' + AppPath);
+    
+    // Remove only our path entry from the system PATH
+    RemovePathEntry(AppPath);
+  end;
 end;

olm/olm.go

@@ -417,7 +417,7 @@ func StartTunnel(config TunnelConfig) {
 				siteEndpoint = site.Endpoint
 			}
 
-			apiServer.UpdatePeerStatus(site.SiteId, false, 0, siteEndpoint, false)
+			apiServer.AddPeerStatus(site.SiteId, site.Name, false, 0, siteEndpoint, false)
 
 			if err := peerManager.AddPeer(site); err != nil {
 				logger.Error("Failed to add peer: %v", err)
@@ -778,23 +778,21 @@ func StartTunnel(config TunnelConfig) {
 			return
 		}
 
-		// Add exit node to holepunch rotation if we have a holepunch manager
-		if holePunchManager != nil {
-			exitNode := holepunch.ExitNode{
-				Endpoint:  handshakeData.ExitNode.Endpoint,
-				PublicKey: handshakeData.ExitNode.PublicKey,
-			}
-
-			added := holePunchManager.AddExitNode(exitNode)
-			if added {
-				logger.Info("Added exit node %s to holepunch rotation for handshake", exitNode.Endpoint)
-			} else {
-				logger.Debug("Exit node %s already in holepunch rotation", exitNode.Endpoint)
-			}
-
-			holePunchManager.ResetInterval() // start sending immediately again so we fill in the endpoint on the cloud
+		exitNode := holepunch.ExitNode{
+			Endpoint:  handshakeData.ExitNode.Endpoint,
+			PublicKey: handshakeData.ExitNode.PublicKey,
 		}
 
+		added := holePunchManager.AddExitNode(exitNode)
+		if added {
+			logger.Info("Added exit node %s to holepunch rotation for handshake", exitNode.Endpoint)
+		} else {
+			logger.Debug("Exit node %s already in holepunch rotation", exitNode.Endpoint)
+		}
+
+		holePunchManager.TriggerHolePunch() // Trigger immediate hole punch attempt
+		holePunchManager.ResetInterval()    // start sending immediately again so we fill in the endpoint on the cloud
+
 		// Send handshake acknowledgment back to server with retry
 		stopPeerSend, _ = olm.SendMessageInterval("olm/wg/server/peer/add", map[string]interface{}{
 			"siteId": handshakeData.SiteId,
@@ -859,27 +857,25 @@ func StartTunnel(config TunnelConfig) {
 	})
 
 	olm.OnTokenUpdate(func(token string, exitNodes []websocket.ExitNode) {
-		if holePunchManager != nil {
-			holePunchManager.SetToken(token)
+		holePunchManager.SetToken(token)
 
-			logger.Debug("Got exit nodes for hole punching: %v", exitNodes)
+		logger.Debug("Got exit nodes for hole punching: %v", exitNodes)
 
-			// Convert websocket.ExitNode to holepunch.ExitNode
-			hpExitNodes := make([]holepunch.ExitNode, len(exitNodes))
-			for i, node := range exitNodes {
-				hpExitNodes[i] = holepunch.ExitNode{
-					Endpoint:  node.Endpoint,
-					PublicKey: node.PublicKey,
-				}
+		// Convert websocket.ExitNode to holepunch.ExitNode
+		hpExitNodes := make([]holepunch.ExitNode, len(exitNodes))
+		for i, node := range exitNodes {
+			hpExitNodes[i] = holepunch.ExitNode{
+				Endpoint:  node.Endpoint,
+				PublicKey: node.PublicKey,
 			}
+		}
 
-			logger.Debug("Updated hole punch exit nodes: %v", hpExitNodes)
+		logger.Debug("Updated hole punch exit nodes: %v", hpExitNodes)
 
-			// Start hole punching using the manager
-			logger.Info("Starting hole punch for %d exit nodes", len(exitNodes))
-			if err := holePunchManager.StartMultipleExitNodes(hpExitNodes); err != nil {
-				logger.Warn("Failed to start hole punch: %v", err)
-			}
+		// Start hole punching using the manager
+		logger.Info("Starting hole punch for %d exit nodes", len(exitNodes))
+		if err := holePunchManager.StartMultipleExitNodes(hpExitNodes); err != nil {
+			logger.Warn("Failed to start hole punch: %v", err)
 		}
 	})
 

peers/manager.go

@@ -150,6 +150,8 @@ func (pm *PeerManager) AddPeer(siteConfig SiteConfig) error {
 
 	pm.peers[siteConfig.SiteId] = siteConfig
 
+	pm.APIServer.AddPeerStatus(siteConfig.SiteId, siteConfig.Name, false, 0, siteConfig.Endpoint, false)
+
 	// Perform rapid initial holepunch test (outside of lock to avoid blocking)
 	// This quickly determines if holepunch is viable and triggers relay if not
 	go pm.performRapidInitialTest(siteConfig.SiteId, siteConfig.Endpoint)

peers/types.go

@@ -9,6 +9,7 @@ type PeerAction struct {
 // UpdatePeerData represents the data needed to update a peer
 type SiteConfig struct {
 	SiteId        int      `json:"siteId"`
+	Name          string   `json:"name,omitempty"`
 	Endpoint      string   `json:"endpoint,omitempty"`
 	RelayEndpoint string   `json:"relayEndpoint,omitempty"`
 	PublicKey     string   `json:"publicKey,omitempty"`

service_windows.go

@@ -99,15 +99,32 @@ func (s *olmService) Execute(args []string, r <-chan svc.ChangeRequest, changes
 		// Continue with empty args if loading fails
 		savedArgs = []string{}
 	}
+	s.elog.Info(1, fmt.Sprintf("Loaded saved service args: %v", savedArgs))
 
 	// Combine service start args with saved args, giving priority to service start args
+	// Note: When the service is started via SCM, args[0] is the service name
+	// When started via s.Start(args...), the args passed are exactly what we provide
 	finalArgs := []string{}
+
+	// Check if we have args passed directly to Execute (from s.Start())
 	if len(args) > 0 {
-		// Skip the first arg which is typically the service name
-		if len(args) > 1 {
+		// The first arg from SCM is the service name, but when we call s.Start(args...),
+		// the args we pass become args[1:] in Execute. However, if started by SCM without
+		// args, args[0] will be the service name.
+		// We need to check if args[0] looks like the service name or a flag
+		if len(args) == 1 && args[0] == serviceName {
+			// Only service name, no actual args
+			s.elog.Info(1, "Only service name in args, checking saved args")
+		} else if len(args) > 1 && args[0] == serviceName {
+			// Service name followed by actual args
 			finalArgs = append(finalArgs, args[1:]...)
+			s.elog.Info(1, fmt.Sprintf("Using service start parameters (after service name): %v", finalArgs))
+		} else {
+			// Args don't start with service name, use them all
+			// This happens when args are passed via s.Start(args...)
+			finalArgs = append(finalArgs, args...)
+			s.elog.Info(1, fmt.Sprintf("Using service start parameters (direct): %v", finalArgs))
 		}
-		s.elog.Info(1, fmt.Sprintf("Using service start parameters: %v", finalArgs))
 	}
 
 	// If no service start parameters, use saved args
@@ -116,6 +133,7 @@ func (s *olmService) Execute(args []string, r <-chan svc.ChangeRequest, changes
 		s.elog.Info(1, fmt.Sprintf("Using saved service args: %v", finalArgs))
 	}
 
+	s.elog.Info(1, fmt.Sprintf("Final args to use: %v", finalArgs))
 	s.args = finalArgs
 
 	// Start the main olm functionality
@@ -325,12 +343,15 @@ func removeService() error {
 }
 
 func startService(args []string) error {
-	// Save the service arguments as backup
-	if len(args) > 0 {
-		err := saveServiceArgs(args)
-		if err != nil {
-			return fmt.Errorf("failed to save service args: %v", err)
-		}
+	fmt.Printf("Starting service with args: %v\n", args)
+
+	// Always save the service arguments so they can be loaded on service restart
+	err := saveServiceArgs(args)
+	if err != nil {
+		fmt.Printf("Warning: failed to save service args: %v\n", err)
+		// Continue anyway, args will still be passed directly
+	} else {
+		fmt.Printf("Saved service args to: %s\n", getServiceArgsPath())
 	}
 
 	m, err := mgr.Connect()
@@ -346,6 +367,7 @@ func startService(args []string) error {
 	defer s.Close()
 
 	// Pass arguments directly to the service start call
+	// Note: These args will appear in Execute() after the service name
 	err = s.Start(args...)
 	if err != nil {
 		return fmt.Errorf("failed to start service: %v", err)

websocket/client.go

@@ -38,8 +38,9 @@ func IsAuthError(err error) bool {
 
 type TokenResponse struct {
 	Data struct {
-		Token     string     `json:"token"`
-		ExitNodes []ExitNode `json:"exitNodes"`
+		Token         string     `json:"token"`
+		ExitNodes     []ExitNode `json:"exitNodes"`
+		ServerVersion string     `json:"serverVersion"`
 	} `json:"data"`
 	Success bool   `json:"success"`
 	Message string `json:"message"`
@@ -348,6 +349,9 @@ func (c *Client) getToken() (string, []ExitNode, error) {
 	req.Header.Set("Content-Type", "application/json")
 	req.Header.Set("X-CSRF-Token", "x-csrf-protection")
 
+	// print out the request for debugging
+	logger.Debug("Requesting token from %s with body: %s", req.URL.String(), string(jsonData))
+
 	// Make the request
 	client := &http.Client{}
 	if tlsConfig != nil {