fixes

interface.go

@@ -827,6 +827,15 @@ func (f *Interface) writePacketToTun(q int, pkt *overlay.Packet) {
 		pkt.Release()
 		return
 	}
+	if bw, ok := writer.(interface {
+		WriteBatch([]*overlay.Packet) (int, error)
+	}); ok {
+		if _, err := bw.WriteBatch([]*overlay.Packet{pkt}); err != nil {
+			f.l.WithError(err).WithField("queue", q).Warn("Failed to write tun packet via batch writer")
+			pkt.Release()
+		}
+		return
+	}
 	if _, err := writer.Write(pkt.Payload()[:pkt.Len]); err != nil {
 		f.l.WithError(err).Error("Failed to write to tun")
 	}

outside.go

@@ -62,7 +62,7 @@ func (f *Interface) readOutsidePackets(ip netip.AddrPort, via *ViaSender, out []
 
 		switch h.Subtype {
 		case header.MessageNone:
-			if !f.decryptToTun(hostinfo, h.MessageCounter, out, packet, fwPacket, nb, q, localCache) {
+			if !f.decryptToTun(hostinfo, h.MessageCounter, out, packet, fwPacket, nb, q, localCache, ip, h.RemoteIndex) {
 				return
 			}
 		case header.MessageRelay:
@@ -466,7 +466,7 @@ func (f *Interface) decrypt(hostinfo *HostInfo, mc uint64, out []byte, packet []
 	return out, nil
 }
 
-func (f *Interface) decryptToTun(hostinfo *HostInfo, messageCounter uint64, out []byte, packet []byte, fwPacket *firewall.Packet, nb []byte, q int, localCache firewall.ConntrackCache) bool {
+func (f *Interface) decryptToTun(hostinfo *HostInfo, messageCounter uint64, out []byte, packet []byte, fwPacket *firewall.Packet, nb []byte, q int, localCache firewall.ConntrackCache, addr netip.AddrPort, recvIndex uint32) bool {
 	var (
 		err error
 		pkt *overlay.Packet
@@ -485,6 +485,9 @@ func (f *Interface) decryptToTun(hostinfo *HostInfo, messageCounter uint64, out
 			pkt.Release()
 		}
 		hostinfo.logger(f.l).WithError(err).Error("Failed to decrypt packet")
+		if addr.IsValid() {
+			f.maybeSendRecvError(addr, recvIndex)
+		}
 		return false
 	}