handle virtio header in ctrl messages

* honor remote_allow_ilst in hole punch response

When we receive a "hole punch notification" from a Lighthouse, we send
a hole punch packet to every remote of that host, even if we don't
include those remotes in our "remote_allow_list". Change the logic here
to check if the remote IP is in our allow list before sending the hole
punch packet.

* fix for netip

* cleanup

cert_test/cert.go

@@ -114,6 +114,33 @@ func NewTestCert(v cert.Version, curve cert.Curve, ca cert.Certificate, key []by
 	return c, pub, cert.MarshalPrivateKeyToPEM(curve, priv), pem
 }
 
+func NewTestCertDifferentVersion(c cert.Certificate, v cert.Version, ca cert.Certificate, key []byte) (cert.Certificate, []byte) {
+	nc := &cert.TBSCertificate{
+		Version:        v,
+		Curve:          c.Curve(),
+		Name:           c.Name(),
+		Networks:       c.Networks(),
+		UnsafeNetworks: c.UnsafeNetworks(),
+		Groups:         c.Groups(),
+		NotBefore:      time.Unix(c.NotBefore().Unix(), 0),
+		NotAfter:       time.Unix(c.NotAfter().Unix(), 0),
+		PublicKey:      c.PublicKey(),
+		IsCA:           false,
+	}
+
+	c, err := nc.Sign(ca, ca.Curve(), key)
+	if err != nil {
+		panic(err)
+	}
+
+	pem, err := c.MarshalPEM()
+	if err != nil {
+		panic(err)
+	}
+
+	return c, pem
+}
+
 func X25519Keypair() ([]byte, []byte) {
 	privkey := make([]byte, 32)
 	if _, err := io.ReadFull(rand.Reader, privkey); err != nil {

connection_manager.go

@@ -354,7 +354,6 @@ func (cm *connectionManager) makeTrafficDecision(localIndex uint32, now time.Tim
 
 		if mainHostInfo {
 			decision = tryRehandshake
-
 		} else {
 			if cm.shouldSwapPrimary(hostinfo) {
 				decision = swapPrimary
@@ -461,6 +460,10 @@ func (cm *connectionManager) shouldSwapPrimary(current *HostInfo) bool {
 	}
 
 	crt := cm.intf.pki.getCertState().getCertificate(current.ConnectionState.myCert.Version())
+	if crt == nil {
+		//my cert was reloaded away. We should definitely swap from this tunnel
+		return true
+	}
 	// If this tunnel is using the latest certificate then we should swap it to primary for a bit and see if things
 	// settle down.
 	return bytes.Equal(current.ConnectionState.myCert.Signature(), crt.Signature())
@@ -475,31 +478,34 @@ func (cm *connectionManager) swapPrimary(current, primary *HostInfo) {
 	cm.hostMap.Unlock()
 }
 
-// isInvalidCertificate will check if we should destroy a tunnel if pki.disconnect_invalid is true and
+// isInvalidCertificate decides if we should destroy a tunnel.
-// the certificate is no longer valid. Block listed certificates will skip the pki.disconnect_invalid
+// returns true if pki.disconnect_invalid is true and the certificate is no longer valid.
-// check and return true.
+// Blocklisted certificates will skip the pki.disconnect_invalid check and return true.
 func (cm *connectionManager) isInvalidCertificate(now time.Time, hostinfo *HostInfo) bool {
 	remoteCert := hostinfo.GetCert()
 	if remoteCert == nil {
-		return false
+		return false //don't tear down tunnels for handshakes in progress
 	}
 
 	caPool := cm.intf.pki.GetCAPool()
 	err := caPool.VerifyCachedCertificate(now, remoteCert)
 	if err == nil {
-		return false
+		return false //cert is still valid! yay!
-	}
+	} else if err == cert.ErrBlockListed { //avoiding errors.Is for speed
-
-	if !cm.intf.disconnectInvalid.Load() && err != cert.ErrBlockListed {
 		// Block listed certificates should always be disconnected
-		return false
+		hostinfo.logger(cm.l).WithError(err).
-	}
+			WithField("fingerprint", remoteCert.Fingerprint).
-
+			Info("Remote certificate is blocked, tearing down the tunnel")
+		return true
+	} else if cm.intf.disconnectInvalid.Load() {
 		hostinfo.logger(cm.l).WithError(err).
 			WithField("fingerprint", remoteCert.Fingerprint).
 			Info("Remote certificate is no longer valid, tearing down the tunnel")
-
 		return true
+	} else {
+		//if we reach here, the cert is no longer valid, but we're configured to keep tunnels from now-invalid certs open
+		return false
+	}
 }
 
 func (cm *connectionManager) sendPunch(hostinfo *HostInfo) {
@@ -530,15 +536,45 @@ func (cm *connectionManager) sendPunch(hostinfo *HostInfo) {
 func (cm *connectionManager) tryRehandshake(hostinfo *HostInfo) {
 	cs := cm.intf.pki.getCertState()
 	curCrt := hostinfo.ConnectionState.myCert
-	myCrt := cs.getCertificate(curCrt.Version())
+	curCrtVersion := curCrt.Version()
-	if curCrt.Version() >= cs.initiatingVersion && bytes.Equal(curCrt.Signature(), myCrt.Signature()) == true {
+	myCrt := cs.getCertificate(curCrtVersion)
-		// The current tunnel is using the latest certificate and version, no need to rehandshake.
+	if myCrt == nil {
+		cm.l.WithField("vpnAddrs", hostinfo.vpnAddrs).
+			WithField("version", curCrtVersion).
+			WithField("reason", "local certificate removed").
+			Info("Re-handshaking with remote")
+		cm.intf.handshakeManager.StartHandshake(hostinfo.vpnAddrs[0], nil)
 		return
 	}
-
+	peerCrt := hostinfo.ConnectionState.peerCert
+	if peerCrt != nil && curCrtVersion < peerCrt.Certificate.Version() {
+		// if our certificate version is less than theirs, and we have a matching version available, rehandshake?
+		if cs.getCertificate(peerCrt.Certificate.Version()) != nil {
+			cm.l.WithField("vpnAddrs", hostinfo.vpnAddrs).
+				WithField("version", curCrtVersion).
+				WithField("peerVersion", peerCrt.Certificate.Version()).
+				WithField("reason", "local certificate version lower than peer, attempting to correct").
+				Info("Re-handshaking with remote")
+			cm.intf.handshakeManager.StartHandshake(hostinfo.vpnAddrs[0], func(hh *HandshakeHostInfo) {
+				hh.initiatingVersionOverride = peerCrt.Certificate.Version()
+			})
+			return
+		}
+	}
+	if !bytes.Equal(curCrt.Signature(), myCrt.Signature()) {
 		cm.l.WithField("vpnAddrs", hostinfo.vpnAddrs).
 			WithField("reason", "local certificate is not current").
 			Info("Re-handshaking with remote")
 
 		cm.intf.handshakeManager.StartHandshake(hostinfo.vpnAddrs[0], nil)
+		return
+	}
+	if curCrtVersion < cs.initiatingVersion {
+		cm.l.WithField("vpnAddrs", hostinfo.vpnAddrs).
+			WithField("reason", "current cert version < pki.initiatingVersion").
+			Info("Re-handshaking with remote")
+
+		cm.intf.handshakeManager.StartHandshake(hostinfo.vpnAddrs[0], nil)
+		return
+	}
 }

e2e/helpers_test.go

@@ -129,6 +129,109 @@ func newSimpleServer(v cert.Version, caCrt cert.Certificate, caKey []byte, name
 	return control, vpnNetworks, udpAddr, c
 }
 
+// newServer creates a nebula instance with fewer assumptions
+func newServer(caCrt []cert.Certificate, certs []cert.Certificate, key []byte, overrides m) (*nebula.Control, []netip.Prefix, netip.AddrPort, *config.C) {
+	l := NewTestLogger()
+
+	vpnNetworks := certs[len(certs)-1].Networks()
+
+	var udpAddr netip.AddrPort
+	if vpnNetworks[0].Addr().Is4() {
+		budpIp := vpnNetworks[0].Addr().As4()
+		budpIp[1] -= 128
+		udpAddr = netip.AddrPortFrom(netip.AddrFrom4(budpIp), 4242)
+	} else {
+		budpIp := vpnNetworks[0].Addr().As16()
+		// beef for funsies
+		budpIp[2] = 190
+		budpIp[3] = 239
+		udpAddr = netip.AddrPortFrom(netip.AddrFrom16(budpIp), 4242)
+	}
+
+	caStr := ""
+	for _, ca := range caCrt {
+		x, err := ca.MarshalPEM()
+		if err != nil {
+			panic(err)
+		}
+		caStr += string(x)
+	}
+	certStr := ""
+	for _, c := range certs {
+		x, err := c.MarshalPEM()
+		if err != nil {
+			panic(err)
+		}
+		certStr += string(x)
+	}
+
+	mc := m{
+		"pki": m{
+			"ca":   caStr,
+			"cert": certStr,
+			"key":  string(key),
+		},
+		//"tun": m{"disabled": true},
+		"firewall": m{
+			"outbound": []m{{
+				"proto": "any",
+				"port":  "any",
+				"host":  "any",
+			}},
+			"inbound": []m{{
+				"proto": "any",
+				"port":  "any",
+				"host":  "any",
+			}},
+		},
+		//"handshakes": m{
+		//	"try_interval": "1s",
+		//},
+		"listen": m{
+			"host": udpAddr.Addr().String(),
+			"port": udpAddr.Port(),
+		},
+		"logging": m{
+			"timestamp_format": fmt.Sprintf("%v 15:04:05.000000", certs[0].Name()),
+			"level":            l.Level.String(),
+		},
+		"timers": m{
+			"pending_deletion_interval": 2,
+			"connection_alive_interval": 2,
+		},
+	}
+
+	if overrides != nil {
+		final := m{}
+		err := mergo.Merge(&final, overrides, mergo.WithAppendSlice)
+		if err != nil {
+			panic(err)
+		}
+		err = mergo.Merge(&final, mc, mergo.WithAppendSlice)
+		if err != nil {
+			panic(err)
+		}
+		mc = final
+	}
+
+	cb, err := yaml.Marshal(mc)
+	if err != nil {
+		panic(err)
+	}
+
+	c := config.NewC(l)
+	cStr := string(cb)
+	c.LoadString(cStr)
+
+	control, err := nebula.Main(c, false, "e2e-test", l, nil)
+
+	if err != nil {
+		panic(err)
+	}
+
+	return control, vpnNetworks, udpAddr, c
+}
+
 type doneCb func()
 
 func deadline(t *testing.T, seconds time.Duration) doneCb {

e2e/tunnels_test.go

@@ -4,12 +4,16 @@
 package e2e
 
 import (
+	"fmt"
+	"net/netip"
 	"testing"
 	"time"
 
 	"github.com/slackhq/nebula/cert"
 	"github.com/slackhq/nebula/cert_test"
 	"github.com/slackhq/nebula/e2e/router"
+	"github.com/stretchr/testify/assert"
+	"gopkg.in/yaml.v3"
 )
 
 func TestDropInactiveTunnels(t *testing.T) {
@@ -55,3 +59,262 @@ func TestDropInactiveTunnels(t *testing.T) {
 	myControl.Stop()
 	theirControl.Stop()
 }
+
+func TestCertUpgrade(t *testing.T) {
+	// The goal of this test is to ensure the shortest inactivity timeout will close the tunnel on both sides
+	// under ideal conditions
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	caB, err := ca.MarshalPEM()
+	if err != nil {
+		panic(err)
+	}
+	ca2, _, caKey2, _ := cert_test.NewTestCaCert(cert.Version2, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+
+	ca2B, err := ca2.MarshalPEM()
+	if err != nil {
+		panic(err)
+	}
+	caStr := fmt.Sprintf("%s\n%s", caB, ca2B)
+
+	myCert, _, myPrivKey, _ := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "me", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.MustParsePrefix("10.128.0.1/24")}, nil, []string{})
+	_, myCert2Pem := cert_test.NewTestCertDifferentVersion(myCert, cert.Version2, ca2, caKey2)
+
+	theirCert, _, theirPrivKey, _ := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "them", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.MustParsePrefix("10.128.0.2/24")}, nil, []string{})
+	theirCert2, _ := cert_test.NewTestCertDifferentVersion(theirCert, cert.Version2, ca2, caKey2)
+
+	myControl, myVpnIpNet, myUdpAddr, myC := newServer([]cert.Certificate{ca, ca2}, []cert.Certificate{myCert}, myPrivKey, m{})
+	theirControl, theirVpnIpNet, theirUdpAddr, _ := newServer([]cert.Certificate{ca, ca2}, []cert.Certificate{theirCert, theirCert2}, theirPrivKey, m{})
+
+	// Share our underlay information
+	myControl.InjectLightHouseAddr(theirVpnIpNet[0].Addr(), theirUdpAddr)
+	theirControl.InjectLightHouseAddr(myVpnIpNet[0].Addr(), myUdpAddr)
+
+	// Start the servers
+	myControl.Start()
+	theirControl.Start()
+
+	r := router.NewR(t, myControl, theirControl)
+	defer r.RenderFlow()
+
+	r.Log("Assert the tunnel between me and them works")
+	assertTunnel(t, myVpnIpNet[0].Addr(), theirVpnIpNet[0].Addr(), myControl, theirControl, r)
+	r.Log("yay")
+	//todo ???
+	time.Sleep(1 * time.Second)
+	r.FlushAll()
+
+	mc := m{
+		"pki": m{
+			"ca":   caStr,
+			"cert": string(myCert2Pem),
+			"key":  string(myPrivKey),
+		},
+		//"tun": m{"disabled": true},
+		"firewall": myC.Settings["firewall"],
+		//"handshakes": m{
+		//	"try_interval": "1s",
+		//},
+		"listen":  myC.Settings["listen"],
+		"logging": myC.Settings["logging"],
+		"timers":  myC.Settings["timers"],
+	}
+
+	cb, err := yaml.Marshal(mc)
+	if err != nil {
+		panic(err)
+	}
+
+	r.Logf("reload new v2-only config")
+	err = myC.ReloadConfigString(string(cb))
+	assert.NoError(t, err)
+	r.Log("yay, spin until their sees it")
+	waitStart := time.Now()
+	for {
+		assertTunnel(t, myVpnIpNet[0].Addr(), theirVpnIpNet[0].Addr(), myControl, theirControl, r)
+		c := theirControl.GetHostInfoByVpnAddr(myVpnIpNet[0].Addr(), false)
+		if c == nil {
+			r.Log("nil")
+		} else {
+			version := c.Cert.Version()
+			r.Logf("version %d", version)
+			if version == cert.Version2 {
+				break
+			}
+		}
+		since := time.Since(waitStart)
+		if since > time.Second*10 {
+			t.Fatal("Cert should be new by now")
+		}
+		time.Sleep(time.Second)
+	}
+
+	r.RenderHostmaps("Final hostmaps", myControl, theirControl)
+
+	myControl.Stop()
+	theirControl.Stop()
+}
+
+func TestCertDowngrade(t *testing.T) {
+	// The goal of this test is to ensure the shortest inactivity timeout will close the tunnel on both sides
+	// under ideal conditions
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	caB, err := ca.MarshalPEM()
+	if err != nil {
+		panic(err)
+	}
+	ca2, _, caKey2, _ := cert_test.NewTestCaCert(cert.Version2, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+
+	ca2B, err := ca2.MarshalPEM()
+	if err != nil {
+		panic(err)
+	}
+	caStr := fmt.Sprintf("%s\n%s", caB, ca2B)
+
+	myCert, _, myPrivKey, myCertPem := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "me", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.MustParsePrefix("10.128.0.1/24")}, nil, []string{})
+	myCert2, _ := cert_test.NewTestCertDifferentVersion(myCert, cert.Version2, ca2, caKey2)
+
+	theirCert, _, theirPrivKey, _ := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "them", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.MustParsePrefix("10.128.0.2/24")}, nil, []string{})
+	theirCert2, _ := cert_test.NewTestCertDifferentVersion(theirCert, cert.Version2, ca2, caKey2)
+
+	myControl, myVpnIpNet, myUdpAddr, myC := newServer([]cert.Certificate{ca, ca2}, []cert.Certificate{myCert2}, myPrivKey, m{})
+	theirControl, theirVpnIpNet, theirUdpAddr, _ := newServer([]cert.Certificate{ca, ca2}, []cert.Certificate{theirCert, theirCert2}, theirPrivKey, m{})
+
+	// Share our underlay information
+	myControl.InjectLightHouseAddr(theirVpnIpNet[0].Addr(), theirUdpAddr)
+	theirControl.InjectLightHouseAddr(myVpnIpNet[0].Addr(), myUdpAddr)
+
+	// Start the servers
+	myControl.Start()
+	theirControl.Start()
+
+	r := router.NewR(t, myControl, theirControl)
+	defer r.RenderFlow()
+
+	r.Log("Assert the tunnel between me and them works")
+	//assertTunnel(t, theirVpnIpNet[0].Addr(), myVpnIpNet[0].Addr(), theirControl, myControl, r)
+	//r.Log("yay")
+	assertTunnel(t, myVpnIpNet[0].Addr(), theirVpnIpNet[0].Addr(), myControl, theirControl, r)
+	r.Log("yay")
+	//todo ???
+	time.Sleep(1 * time.Second)
+	r.FlushAll()
+
+	mc := m{
+		"pki": m{
+			"ca":   caStr,
+			"cert": string(myCertPem),
+			"key":  string(myPrivKey),
+		},
+		"firewall": myC.Settings["firewall"],
+		"listen":   myC.Settings["listen"],
+		"logging":  myC.Settings["logging"],
+		"timers":   myC.Settings["timers"],
+	}
+
+	cb, err := yaml.Marshal(mc)
+	if err != nil {
+		panic(err)
+	}
+
+	r.Logf("reload new v1-only config")
+	err = myC.ReloadConfigString(string(cb))
+	assert.NoError(t, err)
+	r.Log("yay, spin until their sees it")
+	waitStart := time.Now()
+	for {
+		assertTunnel(t, myVpnIpNet[0].Addr(), theirVpnIpNet[0].Addr(), myControl, theirControl, r)
+		c := theirControl.GetHostInfoByVpnAddr(myVpnIpNet[0].Addr(), false)
+		c2 := myControl.GetHostInfoByVpnAddr(theirVpnIpNet[0].Addr(), false)
+		if c == nil || c2 == nil {
+			r.Log("nil")
+		} else {
+			version := c.Cert.Version()
+			theirVersion := c2.Cert.Version()
+			r.Logf("version %d,%d", version, theirVersion)
+			if version == cert.Version1 {
+				break
+			}
+		}
+		since := time.Since(waitStart)
+		if since > time.Second*5 {
+			r.Log("it is unusual that the cert is not new yet, but not a failure yet")
+		}
+		if since > time.Second*10 {
+			r.Log("wtf")
+			t.Fatal("Cert should be new by now")
+		}
+		time.Sleep(time.Second)
+	}
+
+	r.RenderHostmaps("Final hostmaps", myControl, theirControl)
+
+	myControl.Stop()
+	theirControl.Stop()
+}
+
+func TestCertMismatchCorrection(t *testing.T) {
+	// The goal of this test is to ensure the shortest inactivity timeout will close the tunnel on both sides
+	// under ideal conditions
+	ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+	ca2, _, caKey2, _ := cert_test.NewTestCaCert(cert.Version2, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
+
+	myCert, _, myPrivKey, _ := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "me", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.MustParsePrefix("10.128.0.1/24")}, nil, []string{})
+	myCert2, _ := cert_test.NewTestCertDifferentVersion(myCert, cert.Version2, ca2, caKey2)
+
+	theirCert, _, theirPrivKey, _ := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "them", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.MustParsePrefix("10.128.0.2/24")}, nil, []string{})
+	theirCert2, _ := cert_test.NewTestCertDifferentVersion(theirCert, cert.Version2, ca2, caKey2)
+
+	myControl, myVpnIpNet, myUdpAddr, _ := newServer([]cert.Certificate{ca, ca2}, []cert.Certificate{myCert2}, myPrivKey, m{})
+	theirControl, theirVpnIpNet, theirUdpAddr, _ := newServer([]cert.Certificate{ca, ca2}, []cert.Certificate{theirCert, theirCert2}, theirPrivKey, m{})
+
+	// Share our underlay information
+	myControl.InjectLightHouseAddr(theirVpnIpNet[0].Addr(), theirUdpAddr)
+	theirControl.InjectLightHouseAddr(myVpnIpNet[0].Addr(), myUdpAddr)
+
+	// Start the servers
+	myControl.Start()
+	theirControl.Start()
+
+	r := router.NewR(t, myControl, theirControl)
+	defer r.RenderFlow()
+
+	r.Log("Assert the tunnel between me and them works")
+	//assertTunnel(t, theirVpnIpNet[0].Addr(), myVpnIpNet[0].Addr(), theirControl, myControl, r)
+	//r.Log("yay")
+	assertTunnel(t, myVpnIpNet[0].Addr(), theirVpnIpNet[0].Addr(), myControl, theirControl, r)
+	r.Log("yay")
+	//todo ???
+	time.Sleep(1 * time.Second)
+	r.FlushAll()
+
+	waitStart := time.Now()
+	for {
+		assertTunnel(t, myVpnIpNet[0].Addr(), theirVpnIpNet[0].Addr(), myControl, theirControl, r)
+		c := theirControl.GetHostInfoByVpnAddr(myVpnIpNet[0].Addr(), false)
+		c2 := myControl.GetHostInfoByVpnAddr(theirVpnIpNet[0].Addr(), false)
+		if c == nil || c2 == nil {
+			r.Log("nil")
+		} else {
+			version := c.Cert.Version()
+			theirVersion := c2.Cert.Version()
+			r.Logf("version %d,%d", version, theirVersion)
+			if version == theirVersion {
+				break
+			}
+		}
+		since := time.Since(waitStart)
+		if since > time.Second*5 {
+			r.Log("wtf")
+		}
+		if since > time.Second*10 {
+			r.Log("wtf")
+			t.Fatal("Cert should be new by now")
+		}
+		time.Sleep(time.Second)
+	}
+
+	r.RenderHostmaps("Final hostmaps", myControl, theirControl)
+
+	myControl.Stop()
+	theirControl.Stop()
+}

go.mod

@@ -29,11 +29,11 @@ require (
 	golang.org/x/sys v0.37.0
 	golang.org/x/term v0.36.0
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
-	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
+	golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b
 	golang.zx2c4.com/wireguard/windows v0.5.3
 	google.golang.org/protobuf v1.36.8
 	gopkg.in/yaml.v3 v3.0.1
-	gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c
+	gvisor.dev/gvisor v0.0.0-20240423190808-9d7a357edefe
 )
 
 require (
@@ -49,6 +49,6 @@ require (
 	github.com/vishvananda/netns v0.0.5 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/time v0.7.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.33.0 // indirect
 )

go.sum

@@ -215,8 +215,8 @@ golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
@@ -230,8 +230,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=
+golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b h1:J1CaxgLerRR5lgx3wnr6L04cJFbWoceSK9JWBdglINo=
-golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
+golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b/go.mod h1:tqur9LnfstdR9ep2LaJT4lFUl0EjlHtge+gAjmsHUG4=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -257,5 +257,5 @@ gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c h1:m/r7OM+Y2Ty1sgBQ7Qb27VgIMBW8ZZhT4gLnUyDIhzI=
+gvisor.dev/gvisor v0.0.0-20240423190808-9d7a357edefe h1:fre4i6mv4iBuz5lCMOzHD1rH1ljqHWSICFmZRbbgp3g=
-gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c/go.mod h1:3r5CMtNQMKIvBlrmM9xWUNamjKBYPOWyXOjmg5Kts3g=
+gvisor.dev/gvisor v0.0.0-20240423190808-9d7a357edefe/go.mod h1:sxc3Uvk/vHcd3tj7/DHVBoR5wvWT/MmRq2pj7HRJnwU=

handshake_ix.go

@@ -23,15 +23,19 @@ func ixHandshakeStage0(f *Interface, hh *HandshakeHostInfo) bool {
 		return false
 	}
 
-	// If we're connecting to a v6 address we must use a v2 cert
 	cs := f.pki.getCertState()
 	v := cs.initiatingVersion
+	if hh.initiatingVersionOverride != cert.VersionPre1 {
+		v = hh.initiatingVersionOverride
+	} else if v < cert.Version2 {
+		// If we're connecting to a v6 address we should encourage use of a V2 cert
 		for _, a := range hh.hostinfo.vpnAddrs {
 			if a.Is6() {
 				v = cert.Version2
 				break
 			}
 		}
+	}
 
 	crt := cs.getCertificate(v)
 	if crt == nil {
@@ -48,6 +52,7 @@ func ixHandshakeStage0(f *Interface, hh *HandshakeHostInfo) bool {
 			WithField("handshake", m{"stage": 0, "style": "ix_psk0"}).
 			WithField("certVersion", v).
 			Error("Unable to handshake with host because no certificate handshake bytes is available")
+		return false
 	}
 
 	ci, err := NewConnectionState(f.l, cs, crt, true, noise.HandshakeIX)
@@ -103,6 +108,7 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 			WithField("handshake", m{"stage": 0, "style": "ix_psk0"}).
 			WithField("certVersion", cs.initiatingVersion).
 			Error("Unable to handshake with host because no certificate is available")
+		return
 	}
 
 	ci, err := NewConnectionState(f.l, cs, crt, false, noise.HandshakeIX)
@@ -143,8 +149,8 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 
 	remoteCert, err := f.pki.GetCAPool().VerifyCertificate(time.Now(), rc)
 	if err != nil {
-		fp, err := rc.Fingerprint()
+		fp, fperr := rc.Fingerprint()
-		if err != nil {
+		if fperr != nil {
 			fp = "<error generating certificate fingerprint>"
 		}
 
@@ -163,16 +169,19 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
 
 	if remoteCert.Certificate.Version() != ci.myCert.Version() {
 		// We started off using the wrong certificate version, lets see if we can match the version that was sent to us
-		rc := cs.getCertificate(remoteCert.Certificate.Version())
+		myCertOtherVersion := cs.getCertificate(remoteCert.Certificate.Version())
-		if rc == nil {
+		if myCertOtherVersion == nil {
-			f.l.WithError(err).WithField("udpAddr", addr).
+			if f.l.Level >= logrus.DebugLevel {
-				WithField("handshake", m{"stage": 1, "style": "ix_psk0"}).WithField("cert", remoteCert).
+				f.l.WithError(err).WithFields(m{
-				Info("Unable to handshake with host due to missing certificate version")
+					"udpAddr":   addr,
-			return
+					"handshake": m{"stage": 1, "style": "ix_psk0"},
+					"cert":      remoteCert,
+				}).Debug("Might be unable to handshake with host due to missing certificate version")
 			}
-
+		} else {
 			// Record the certificate we are actually using
-		ci.myCert = rc
+			ci.myCert = myCertOtherVersion
+		}
 	}
 
 	if len(remoteCert.Certificate.Networks()) == 0 {

handshake_manager.go

@@ -70,6 +70,7 @@ type HandshakeHostInfo struct {
 
 	startTime                 time.Time        // Time that we first started trying with this handshake
 	ready                     bool             // Is the handshake ready
+	initiatingVersionOverride cert.Version     // Should we use a non-default cert version for this handshake?
 	counter                   int64            // How many attempts have we made so far
 	lastRemotes               []netip.AddrPort // Remotes that we sent to during the previous attempt
 	packetStore               []*cachedPacket  // A set of packets to be transmitted once the handshake completes

inside.go

@@ -11,6 +11,149 @@ import (
 	"github.com/slackhq/nebula/routing"
 )
 
+// consumeInsidePackets processes multiple packets in a batch for improved performance
+// packets: slice of packet buffers to process
+// sizes: slice of packet sizes
+// count: number of packets to process
+// outs: slice of output buffers (one per packet) with virtio headroom
+// q: queue index
+// localCache: firewall conntrack cache
+// batchPackets: pre-allocated slice for accumulating encrypted packets
+// batchAddrs: pre-allocated slice for accumulating destination addresses
+func (f *Interface) consumeInsidePackets(packets [][]byte, sizes []int, count int, outs [][]byte, nb []byte, q int, localCache firewall.ConntrackCache, batchPackets *[][]byte, batchAddrs *[]netip.AddrPort) {
+	// Reusable per-packet state
+	fwPacket := &firewall.Packet{}
+
+	// Reset batch accumulation slices (reuse capacity)
+	*batchPackets = (*batchPackets)[:0]
+	*batchAddrs = (*batchAddrs)[:0]
+
+	// Process each packet in the batch
+	for i := 0; i < count; i++ {
+		packet := packets[i][:sizes[i]]
+		out := outs[i]
+
+		// Inline the consumeInsidePacket logic for better performance
+		err := newPacket(packet, false, fwPacket)
+		if err != nil {
+			if f.l.Level >= logrus.DebugLevel {
+				f.l.WithField("packet", packet).Debugf("Error while validating outbound packet: %s", err)
+			}
+			continue
+		}
+
+		// Ignore local broadcast packets
+		if f.dropLocalBroadcast {
+			if f.myBroadcastAddrsTable.Contains(fwPacket.RemoteAddr) {
+				continue
+			}
+		}
+
+		if f.myVpnAddrsTable.Contains(fwPacket.RemoteAddr) {
+			// Immediately forward packets from self to self.
+			if immediatelyForwardToSelf {
+				_, err := f.readers[q].Write(packet)
+				if err != nil {
+					f.l.WithError(err).Error("Failed to forward to tun")
+				}
+			}
+			continue
+		}
+
+		// Ignore multicast packets
+		if f.dropMulticast && fwPacket.RemoteAddr.IsMulticast() {
+			continue
+		}
+
+		hostinfo, ready := f.getOrHandshakeConsiderRouting(fwPacket, func(hh *HandshakeHostInfo) {
+			hh.cachePacket(f.l, header.Message, 0, packet, f.sendMessageNow, f.cachedPacketMetrics)
+		})
+
+		if hostinfo == nil {
+			f.rejectInside(packet, out, q)
+			if f.l.Level >= logrus.DebugLevel {
+				f.l.WithField("vpnAddr", fwPacket.RemoteAddr).
+					WithField("fwPacket", fwPacket).
+					Debugln("dropping outbound packet, vpnAddr not in our vpn networks or in unsafe networks")
+			}
+			continue
+		}
+
+		if !ready {
+			continue
+		}
+
+		dropReason := f.firewall.Drop(*fwPacket, false, hostinfo, f.pki.GetCAPool(), localCache)
+		if dropReason != nil {
+			f.rejectInside(packet, out, q)
+			if f.l.Level >= logrus.DebugLevel {
+				hostinfo.logger(f.l).
+					WithField("fwPacket", fwPacket).
+					WithField("reason", dropReason).
+					Debugln("dropping outbound packet")
+			}
+			continue
+		}
+
+		// Encrypt and prepare packet for batch sending
+		ci := hostinfo.ConnectionState
+		if ci.eKey == nil {
+			continue
+		}
+
+		// Check if this needs relay - if so, send immediately and skip batching
+		useRelay := !hostinfo.remote.IsValid()
+		if useRelay {
+			// Handle relay sends individually (less common path)
+			f.sendNoMetrics(header.Message, 0, ci, hostinfo, netip.AddrPort{}, packet, nb, out, q)
+			continue
+		}
+
+		// Encrypt the packet for batch sending
+		if noiseutil.EncryptLockNeeded {
+			ci.writeLock.Lock()
+		}
+		c := ci.messageCounter.Add(1)
+		out = header.Encode(out, header.Version, header.Message, 0, hostinfo.remoteIndexId, c)
+		f.connectionManager.Out(hostinfo)
+
+		// Query lighthouse if needed
+		if hostinfo.lastRebindCount != f.rebindCount {
+			f.lightHouse.QueryServer(hostinfo.vpnAddrs[0])
+			hostinfo.lastRebindCount = f.rebindCount
+			if f.l.Level >= logrus.DebugLevel {
+				f.l.WithField("vpnAddrs", hostinfo.vpnAddrs).Debug("Lighthouse update triggered for punch due to rebind counter")
+			}
+		}
+
+		out, err = ci.eKey.EncryptDanger(out, out, packet, c, nb)
+		if noiseutil.EncryptLockNeeded {
+			ci.writeLock.Unlock()
+		}
+		if err != nil {
+			hostinfo.logger(f.l).WithError(err).
+				WithField("counter", c).
+				Error("Failed to encrypt outgoing packet")
+			continue
+		}
+
+		// Add to batch
+		*batchPackets = append(*batchPackets, out)
+		*batchAddrs = append(*batchAddrs, hostinfo.remote)
+	}
+
+	// Send all accumulated packets in one batch
+	if len(*batchPackets) > 0 {
+		batchSize := len(*batchPackets)
+		f.batchMetrics.udpWriteSize.Update(int64(batchSize))
+
+		n, err := f.writers[q].WriteMulti(*batchPackets, *batchAddrs)
+		if err != nil {
+			f.l.WithError(err).WithField("sent", n).WithField("total", batchSize).Error("Failed to send batch")
+		}
+	}
+}
+
 func (f *Interface) consumeInsidePacket(packet []byte, fwPacket *firewall.Packet, nb, out []byte, q int, localCache firewall.ConntrackCache) {
 	err := newPacket(packet, false, fwPacket)
 	if err != nil {
@@ -33,7 +176,8 @@ func (f *Interface) consumeInsidePacket(packet []byte, fwPacket *firewall.Packet
 		// routes packets from the Nebula addr to the Nebula addr through the Nebula
 		// TUN device.
 		if immediatelyForwardToSelf {
-			if err := f.writeTun(q, packet); err != nil {
+			_, err := f.readers[q].Write(packet)
+			if err != nil {
 				f.l.WithError(err).Error("Failed to forward to tun")
 			}
 		}
@@ -90,7 +234,8 @@ func (f *Interface) rejectInside(packet []byte, out []byte, q int) {
 		return
 	}
 
-	if err := f.writeTun(q, out); err != nil {
+	_, err := f.readers[q].Write(out)
+	if err != nil {
 		f.l.WithError(err).Error("Failed to write to tun")
 	}
 }

interface.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"io"
 	"net/netip"
 	"os"
 	"runtime"
@@ -22,6 +21,7 @@ import (
 )
 
 const mtu = 9001
+const virtioNetHdrLen = overlay.VirtioNetHdrLen
 
 type InterfaceConfig struct {
 	HostMap            *HostMap
@@ -47,10 +47,16 @@ type InterfaceConfig struct {
 	reQueryWait     time.Duration
 
 	ConntrackCacheTimeout time.Duration
-	batchSize             int
 	l                     *logrus.Logger
 }
 
+type batchMetrics struct {
+	udpReadSize   metrics.Histogram
+	tunReadSize   metrics.Histogram
+	udpWriteSize  metrics.Histogram
+	tunWriteSize  metrics.Histogram
+}
+
 type Interface struct {
 	hostMap               *HostMap
 	outside               udp.Conn
@@ -85,14 +91,14 @@ type Interface struct {
 	version     string
 
 	conntrackCacheTimeout time.Duration
-	batchSize             int
 
 	writers []udp.Conn
-	readers []io.ReadWriteCloser
+	readers []overlay.BatchReadWriter
 
 	metricHandshakes    metrics.Histogram
 	messageMetrics      *MessageMetrics
 	cachedPacketMetrics *cachedPacketMetrics
+	batchMetrics        *batchMetrics
 
 	l *logrus.Logger
 }
@@ -112,16 +118,6 @@ type EncWriter interface {
 	GetCertState() *CertState
 }
 
-// BatchReader is an interface for readers that support vectorized packet reading
-type BatchReader interface {
-	BatchRead(buffers [][]byte, sizes []int) (int, error)
-}
-
-// BatchWriter is an interface for writers that support vectorized packet writing
-type BatchWriter interface {
-	BatchWrite([][]byte) (int, error)
-}
-
 type sendRecvErrorConfig uint8
 
 const (
@@ -189,7 +185,7 @@ func NewInterface(ctx context.Context, c *InterfaceConfig) (*Interface, error) {
 		routines:              c.routines,
 		version:               c.version,
 		writers:               make([]udp.Conn, c.routines),
-		readers:               make([]io.ReadWriteCloser, c.routines),
+		readers:               make([]overlay.BatchReadWriter, c.routines),
 		myVpnNetworks:         cs.myVpnNetworks,
 		myVpnNetworksTable:    cs.myVpnNetworksTable,
 		myVpnAddrs:            cs.myVpnAddrs,
@@ -198,7 +194,6 @@ func NewInterface(ctx context.Context, c *InterfaceConfig) (*Interface, error) {
 		relayManager:          c.relayManager,
 		connectionManager:     c.connectionManager,
 		conntrackCacheTimeout: c.ConntrackCacheTimeout,
-		batchSize:             c.batchSize,
 
 		metricHandshakes: metrics.GetOrRegisterHistogram("handshakes", nil, metrics.NewExpDecaySample(1028, 0.015)),
 		messageMetrics:   c.MessageMetrics,
@@ -206,6 +201,12 @@ func NewInterface(ctx context.Context, c *InterfaceConfig) (*Interface, error) {
 			sent:    metrics.GetOrRegisterCounter("hostinfo.cached_packets.sent", nil),
 			dropped: metrics.GetOrRegisterCounter("hostinfo.cached_packets.dropped", nil),
 		},
+		batchMetrics: &batchMetrics{
+			udpReadSize:  metrics.GetOrRegisterHistogram("batch.udp_read_size", nil, metrics.NewUniformSample(1024)),
+			tunReadSize:  metrics.GetOrRegisterHistogram("batch.tun_read_size", nil, metrics.NewUniformSample(1024)),
+			udpWriteSize: metrics.GetOrRegisterHistogram("batch.udp_write_size", nil, metrics.NewUniformSample(1024)),
+			tunWriteSize: metrics.GetOrRegisterHistogram("batch.tun_write_size", nil, metrics.NewUniformSample(1024)),
+		},
 
 		l: c.l,
 	}
@@ -238,7 +239,7 @@ func (f *Interface) activate() {
 	metrics.GetOrRegisterGauge("routines", nil).Update(int64(f.routines))
 
 	// Prepare n tun queues
-	var reader io.ReadWriteCloser = f.inside
+	var reader overlay.BatchReadWriter = f.inside
 	for i := 0; i < f.routines; i++ {
 		if i > 0 {
 			reader, err = f.inside.NewMultiQueueReader()
@@ -279,120 +280,70 @@ func (f *Interface) listenOut(i int) {
 
 	ctCache := firewall.NewConntrackCacheTicker(f.conntrackCacheTimeout)
 	lhh := f.lightHouse.NewRequestHandler()
-	plaintext := make([]byte, udp.MTU)
+
+	// Pre-allocate output buffers for batch processing
+	batchSize := li.BatchSize()
+	outs := make([][]byte, batchSize)
+	for idx := range outs {
+		// Allocate full buffer with virtio header space
+		outs[idx] = make([]byte, virtioNetHdrLen, virtioNetHdrLen+udp.MTU)
+	}
+
 	h := &header.H{}
 	fwPacket := &firewall.Packet{}
 	nb := make([]byte, 12)
 
-	li.ListenOut(func(fromUdpAddr netip.AddrPort, payload []byte) {
+	li.ListenOutBatch(func(addrs []netip.AddrPort, payloads [][]byte, count int) {
-		f.readOutsidePackets(fromUdpAddr, nil, plaintext[:0], payload, h, fwPacket, lhh, nb, i, ctCache.Get(f.l))
+		f.readOutsidePacketsBatch(addrs, payloads, count, outs[:count], nb, i, h, fwPacket, lhh, ctCache.Get(f.l))
 	})
 }
 
-func (f *Interface) listenIn(reader io.ReadWriteCloser, i int) {
+func (f *Interface) listenIn(reader overlay.BatchReadWriter, i int) {
 	runtime.LockOSThread()
 
-	// Check if reader supports batch operations
+	batchSize := reader.BatchSize()
-	if batchReader, ok := reader.(BatchReader); ok {
-		err := f.listenInBatch(batchReader, i)
-		if err != nil {
-			f.l.WithError(err).Error("Fatal error in batch packet reader, exiting goroutine")
-		}
-		return
-	}
 
-	// Fall back to single-packet mode
+	// Allocate buffers for batch reading
-	packet := make([]byte, mtu)
+	bufs := make([][]byte, batchSize)
-	out := make([]byte, mtu)
+	for idx := range bufs {
-	fwPacket := &firewall.Packet{}
+		bufs[idx] = make([]byte, mtu)
-	nb := make([]byte, 12, 12)
-
-	conntrackCache := firewall.NewConntrackCacheTicker(f.conntrackCacheTimeout)
-
-	for {
-		n, err := reader.Read(packet)
-		if err != nil {
-			if errors.Is(err, os.ErrClosed) && f.closed.Load() {
-				return
 	}
-
-			f.l.WithError(err).Error("Fatal error while reading outbound packet, exiting goroutine")
-			return
-		}
-
-		f.consumeInsidePacket(packet[:n], fwPacket, nb, out, i, conntrackCache.Get(f.l))
-	}
-}
-
-// listenInBatch handles vectorized packet reading for improved performance
-func (f *Interface) listenInBatch(reader BatchReader, i int) error {
-	// Allocate per-packet state and buffers for batch reading
-	batchSize := f.batchSize
-	if batchSize <= 0 {
-		batchSize = 64 // Fallback to default if not configured
-	}
-	fwPackets := make([]*firewall.Packet, batchSize)
-	outBuffers := make([][]byte, batchSize)
-	nbBuffers := make([][]byte, batchSize)
-	packets := make([][]byte, batchSize)
 	sizes := make([]int, batchSize)
 
-	for j := 0; j < batchSize; j++ {
+	// Allocate output buffers for batch processing (one per packet)
-		fwPackets[j] = &firewall.Packet{}
+	// Each has virtio header headroom to avoid copies on write
-		outBuffers[j] = make([]byte, mtu)
+	outs := make([][]byte, batchSize)
-		nbBuffers[j] = make([]byte, 12)
+	for idx := range outs {
-		packets[j] = make([]byte, mtu)
+		outBuf := make([]byte, virtioNetHdrLen+mtu)
+		outs[idx] = outBuf[virtioNetHdrLen:] // Slice starting after headroom
 	}
 
+	// Pre-allocate batch accumulation buffers for sending
+	batchPackets := make([][]byte, 0, batchSize)
+	batchAddrs := make([]netip.AddrPort, 0, batchSize)
+
+	// Pre-allocate nonce buffer (reused for all encryptions)
+	nb := make([]byte, 12)
+
 	conntrackCache := firewall.NewConntrackCacheTicker(f.conntrackCacheTimeout)
 
 	for {
-		n, err := reader.BatchRead(packets, sizes)
+		n, err := reader.BatchRead(bufs, sizes)
 		if err != nil {
 			if errors.Is(err, os.ErrClosed) && f.closed.Load() {
-				return nil
+				return
 			}
 
-			return fmt.Errorf("error while batch reading outbound packets: %w", err)
+			f.l.WithError(err).Error("Error while batch reading outbound packets")
+			// This only seems to happen when something fatal happens to the fd, so exit.
+			os.Exit(2)
 		}
 
-		// Process each packet in the batch
+		f.batchMetrics.tunReadSize.Update(int64(n))
-		cache := conntrackCache.Get(f.l)
-		for idx := 0; idx < n; idx++ {
-			if sizes[idx] > 0 {
-				// Use modulo to reuse fw packet state if batch is larger than our pre-allocated state
-				stateIdx := idx % len(fwPackets)
-				f.consumeInsidePacket(packets[idx][:sizes[idx]], fwPackets[stateIdx], nbBuffers[stateIdx], outBuffers[stateIdx], i, cache)
-			}
-		}
-	}
-}
 
-// writeTunBatch attempts to write multiple packets to the TUN device using batch operations if supported
+		// Process all packets in the batch at once
-func (f *Interface) writeTunBatch(q int, packets [][]byte) error {
+		f.consumeInsidePackets(bufs, sizes, n, outs, nb, i, conntrackCache.Get(f.l), &batchPackets, &batchAddrs)
-	if len(packets) == 0 {
-		return nil
 	}
-
-	// Check if the reader/writer supports batch operations
-	if batchWriter, ok := f.readers[q].(BatchWriter); ok {
-		_, err := batchWriter.BatchWrite(packets)
-		return err
-	}
-
-	// Fall back to writing packets individually
-	for _, packet := range packets {
-		if _, err := f.readers[q].Write(packet); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// writeTun writes a single packet to the TUN device
-func (f *Interface) writeTun(q int, packet []byte) error {
-	_, err := f.readers[q].Write(packet)
-	return err
 }
 
 func (f *Interface) RegisterConfigChangeCallbacks(c *config.C) {

lighthouse.go

@@ -1337,12 +1337,19 @@ func (lhh *LightHouseHandler) handleHostPunchNotification(n *NebulaMeta, fromVpn
 		}
 	}
 
+	remoteAllowList := lhh.lh.GetRemoteAllowList()
 	for _, a := range n.Details.V4AddrPorts {
-		punch(protoV4AddrPortToNetAddrPort(a), detailsVpnAddr)
+		b := protoV4AddrPortToNetAddrPort(a)
+		if remoteAllowList.Allow(detailsVpnAddr, b.Addr()) {
+			punch(b, detailsVpnAddr)
+		}
 	}
 
 	for _, a := range n.Details.V6AddrPorts {
-		punch(protoV6AddrPortToNetAddrPort(a), detailsVpnAddr)
+		b := protoV6AddrPortToNetAddrPort(a)
+		if remoteAllowList.Allow(detailsVpnAddr, b.Addr()) {
+			punch(b, detailsVpnAddr)
+		}
 	}
 
 	// This sends a nebula test packet to the host trying to contact us. In the case

main.go

@@ -75,7 +75,8 @@ func Main(c *config.C, configTest bool, buildVersion string, logger *logrus.Logg
 	if c.GetBool("sshd.enabled", false) {
 		sshStart, err = configSSH(l, ssh, c)
 		if err != nil {
-			return nil, util.ContextualizeIfNeeded("Error while configuring the sshd", err)
+			l.WithError(err).Warn("Failed to configure sshd, ssh debugging will not be available")
+			sshStart = nil
 		}
 	}
 
@@ -164,7 +165,7 @@ func Main(c *config.C, configTest bool, buildVersion string, logger *logrus.Logg
 
 		for i := 0; i < routines; i++ {
 			l.Infof("listening on %v", netip.AddrPortFrom(listenHost, uint16(port)))
-			udpServer, err := udp.NewListener(l, listenHost, port, routines > 1, c.GetInt("listen.batch", 64))
+			udpServer, err := udp.NewListener(l, listenHost, port, routines > 1, c.GetInt("listen.batch", 128))
 			if err != nil {
 				return nil, util.NewContextualError("Failed to open udp listener", m{"queue": i}, err)
 			}
@@ -242,7 +243,6 @@ func Main(c *config.C, configTest bool, buildVersion string, logger *logrus.Logg
 		relayManager:          NewRelayManager(ctx, l, hostMap, c),
 		punchy:                punchy,
 		ConntrackCacheTimeout: conntrackCacheTimeout,
-		batchSize:             c.GetInt("tun.batch_size", 64),
 		l:                     l,
 	}
 

outside.go

@@ -95,8 +95,7 @@ func (f *Interface) readOutsidePackets(ip netip.AddrPort, via *ViaSender, out []
 			switch relay.Type {
 			case TerminalType:
 				// If I am the target of this relay, process the unwrapped packet
-				// From this recursive point, all these variables are 'burned'. We shouldn't rely on them again.
+				f.readOutsidePackets(netip.AddrPort{}, &ViaSender{relayHI: hostinfo, remoteIdx: relay.RemoteIndex, relay: relay}, out[:virtioNetHdrLen], signedPayload, h, fwPacket, lhf, nb, q, localCache)
-				f.readOutsidePackets(netip.AddrPort{}, &ViaSender{relayHI: hostinfo, remoteIdx: relay.RemoteIndex, relay: relay}, out[:0], signedPayload, h, fwPacket, lhf, nb, q, localCache)
 				return
 			case ForwardingType:
 				// Find the target HostInfo relay object
@@ -138,7 +137,7 @@ func (f *Interface) readOutsidePackets(ip netip.AddrPort, via *ViaSender, out []
 			return
 		}
 
-		lhf.HandleRequest(ip, hostinfo.vpnAddrs, d, f)
+		lhf.HandleRequest(ip, hostinfo.vpnAddrs, d[virtioNetHdrLen:], f)
 
 		// Fallthrough to the bottom to record incoming traffic
 
@@ -160,7 +159,7 @@ func (f *Interface) readOutsidePackets(ip netip.AddrPort, via *ViaSender, out []
 			// This testRequest might be from TryPromoteBest, so we should roam
 			// to the new IP address before responding
 			f.handleHostRoaming(hostinfo, ip)
-			f.send(header.Test, header.TestReply, ci, hostinfo, d, nb, out)
+			f.send(header.Test, header.TestReply, ci, hostinfo, d[virtioNetHdrLen:], nb, out)
 		}
 
 		// Fallthrough to the bottom to record incoming traffic
@@ -203,7 +202,7 @@ func (f *Interface) readOutsidePackets(ip netip.AddrPort, via *ViaSender, out []
 			return
 		}
 
-		f.relayManager.HandleControlMsg(hostinfo, d, f)
+		f.relayManager.HandleControlMsg(hostinfo, d[virtioNetHdrLen:], f)
 
 	default:
 		f.messageMetrics.Rx(h.Type, h.Subtype, 1)
@@ -333,13 +332,12 @@ func parseV6(data []byte, incoming bool, fp *firewall.Packet) error {
 			}
 
 			fp.Protocol = uint8(proto)
-			ports := data[offset : offset+4]
 			if incoming {
-				fp.RemotePort = binary.BigEndian.Uint16(ports[0:2])
+				fp.RemotePort = binary.BigEndian.Uint16(data[offset : offset+2])
-				fp.LocalPort = binary.BigEndian.Uint16(ports[2:4])
+				fp.LocalPort = binary.BigEndian.Uint16(data[offset+2 : offset+4])
 			} else {
-				fp.LocalPort = binary.BigEndian.Uint16(ports[0:2])
+				fp.LocalPort = binary.BigEndian.Uint16(data[offset : offset+2])
-				fp.RemotePort = binary.BigEndian.Uint16(ports[2:4])
+				fp.RemotePort = binary.BigEndian.Uint16(data[offset+2 : offset+4])
 			}
 
 			fp.Fragment = false
@@ -475,9 +473,11 @@ func (f *Interface) decryptToTun(hostinfo *HostInfo, messageCounter uint64, out
 		return false
 	}
 
-	err = newPacket(out, true, fwPacket)
+	packetData := out[virtioNetHdrLen:]
+
+	err = newPacket(packetData, true, fwPacket)
 	if err != nil {
-		hostinfo.logger(f.l).WithError(err).WithField("packet", out).
+		hostinfo.logger(f.l).WithError(err).WithField("packet", packetData).
 			Warnf("Error while validating inbound packet")
 		return false
 	}
@@ -492,7 +492,7 @@ func (f *Interface) decryptToTun(hostinfo *HostInfo, messageCounter uint64, out
 	if dropReason != nil {
 		// NOTE: We give `packet` as the `out` here since we already decrypted from it and we don't need it anymore
 		// This gives us a buffer to build the reject packet in
-		f.rejectOutside(out, hostinfo.ConnectionState, hostinfo, nb, packet, q)
+		f.rejectOutside(packetData, hostinfo.ConnectionState, hostinfo, nb, packet, q)
 		if f.l.Level >= logrus.DebugLevel {
 			hostinfo.logger(f.l).WithField("fwPacket", fwPacket).
 				WithField("reason", dropReason).
@@ -549,3 +549,108 @@ func (f *Interface) handleRecvError(addr netip.AddrPort, h *header.H) {
 	// We also delete it from pending hostmap to allow for fast reconnect.
 	f.handshakeManager.DeleteHostInfo(hostinfo)
 }
+
+// readOutsidePacketsBatch processes multiple packets received from UDP in a batch
+// and writes all successfully decrypted packets to TUN in a single operation
+func (f *Interface) readOutsidePacketsBatch(addrs []netip.AddrPort, payloads [][]byte, count int, outs [][]byte, nb []byte, q int, h *header.H, fwPacket *firewall.Packet, lhf *LightHouseHandler, localCache firewall.ConntrackCache) {
+	// Pre-allocate slice for accumulating successful decryptions
+	tunPackets := make([][]byte, 0, count)
+
+	for i := 0; i < count; i++ {
+		payload := payloads[i]
+		addr := addrs[i]
+		out := outs[i]
+
+		// Parse header
+		err := h.Parse(payload)
+		if err != nil {
+			if len(payload) > 1 {
+				f.l.WithField("packet", payload).Infof("Error while parsing inbound packet from %s: %s", addr, err)
+			}
+			continue
+		}
+
+		if addr.IsValid() {
+			if f.myVpnNetworksTable.Contains(addr.Addr()) {
+				if f.l.Level >= logrus.DebugLevel {
+					f.l.WithField("udpAddr", addr).Debug("Refusing to process double encrypted packet")
+				}
+				continue
+			}
+		}
+
+		var hostinfo *HostInfo
+		if h.Type == header.Message && h.Subtype == header.MessageRelay {
+			hostinfo = f.hostMap.QueryRelayIndex(h.RemoteIndex)
+		} else {
+			hostinfo = f.hostMap.QueryIndex(h.RemoteIndex)
+		}
+
+		var ci *ConnectionState
+		if hostinfo != nil {
+			ci = hostinfo.ConnectionState
+		}
+
+		switch h.Type {
+		case header.Message:
+			if !f.handleEncrypted(ci, addr, h) {
+				continue
+			}
+
+			switch h.Subtype {
+			case header.MessageNone:
+				// Decrypt packet
+				out, err = hostinfo.ConnectionState.dKey.DecryptDanger(out, payload[:header.Len], payload[header.Len:], h.MessageCounter, nb)
+				if err != nil {
+					hostinfo.logger(f.l).WithError(err).Error("Failed to decrypt packet")
+					continue
+				}
+
+				packetData := out[virtioNetHdrLen:]
+
+				err = newPacket(packetData, true, fwPacket)
+				if err != nil {
+					hostinfo.logger(f.l).WithError(err).WithField("packet", packetData).Warnf("Error while validating inbound packet")
+					continue
+				}
+
+				if !hostinfo.ConnectionState.window.Update(f.l, h.MessageCounter) {
+					hostinfo.logger(f.l).WithField("fwPacket", fwPacket).Debugln("dropping out of window packet")
+					continue
+				}
+
+				dropReason := f.firewall.Drop(*fwPacket, true, hostinfo, f.pki.GetCAPool(), localCache)
+				if dropReason != nil {
+					f.rejectOutside(packetData, hostinfo.ConnectionState, hostinfo, nb, payload, q)
+					if f.l.Level >= logrus.DebugLevel {
+						hostinfo.logger(f.l).WithField("fwPacket", fwPacket).WithField("reason", dropReason).Debugln("dropping inbound packet")
+					}
+					continue
+				}
+
+				f.connectionManager.In(hostinfo)
+				// Add to batch for TUN write
+				tunPackets = append(tunPackets, out)
+
+			case header.MessageRelay:
+				// Skip relay packets in batch mode for now (less common path)
+				f.readOutsidePackets(addr, nil, out, payload, h, fwPacket, lhf, nb, q, localCache)
+
+			default:
+				hostinfo.logger(f.l).Debugf("unexpected message subtype %d", h.Subtype)
+			}
+
+		default:
+			// Handle non-Message types using single-packet path
+			f.readOutsidePackets(addr, nil, out, payload, h, fwPacket, lhf, nb, q, localCache)
+		}
+	}
+
+	if len(tunPackets) > 0 {
+		n, err := f.readers[q].WriteBatch(tunPackets, virtioNetHdrLen)
+		if err != nil {
+			f.l.WithError(err).WithField("sent", n).WithField("total", len(tunPackets)).Error("Failed to batch write to tun")
+		}
+		f.batchMetrics.tunWriteSize.Update(int64(len(tunPackets)))
+	}
+}

overlay/device.go

@@ -7,11 +7,25 @@ import (
 	"github.com/slackhq/nebula/routing"
 )
 
-type Device interface {
+// BatchReadWriter extends io.ReadWriteCloser with batch I/O operations
+type BatchReadWriter interface {
 	io.ReadWriteCloser
+
+	// BatchRead reads multiple packets at once
+	BatchRead(bufs [][]byte, sizes []int) (int, error)
+
+	// WriteBatch writes multiple packets at once
+	WriteBatch(bufs [][]byte, offset int) (int, error)
+
+	// BatchSize returns the optimal batch size for this device
+	BatchSize() int
+}
+
+type Device interface {
+	BatchReadWriter
 	Activate() error
 	Networks() []netip.Prefix
 	Name() string
 	RoutesFor(netip.Addr) routing.Gateways
-	NewMultiQueueReader() (io.ReadWriteCloser, error)
+	NewMultiQueueReader() (BatchReadWriter, error)
 }

overlay/route.go

@@ -3,6 +3,7 @@ package overlay
 import (
 	"fmt"
 	"math"
+	"net"
 	"net/netip"
 	"runtime"
 	"strconv"
@@ -304,3 +305,29 @@ func parseUnsafeRoutes(c *config.C, networks []netip.Prefix) ([]Route, error) {
 
 	return routes, nil
 }
+
+func ipWithin(o *net.IPNet, i *net.IPNet) bool {
+	// Make sure o contains the lowest form of i
+	if !o.Contains(i.IP.Mask(i.Mask)) {
+		return false
+	}
+
+	// Find the max ip in i
+	ip4 := i.IP.To4()
+	if ip4 == nil {
+		return false
+	}
+
+	last := make(net.IP, len(ip4))
+	copy(last, ip4)
+	for x := range ip4 {
+		last[x] |= ^i.Mask[x]
+	}
+
+	// Make sure o contains the max
+	if !o.Contains(last) {
+		return false
+	}
+
+	return true
+}

overlay/route_test.go

@@ -225,7 +225,6 @@ func Test_parseUnsafeRoutes(t *testing.T) {
 	// no mtu
 	c.Settings["tun"] = map[string]any{"unsafe_routes": []any{map[string]any{"via": "127.0.0.1", "route": "1.0.0.0/8"}}}
 	routes, err = parseUnsafeRoutes(c, []netip.Prefix{n})
-	require.NoError(t, err)
 	assert.Len(t, routes, 1)
 	assert.Equal(t, 0, routes[0].MTU)
 
@@ -319,7 +318,7 @@ func Test_makeRouteTree(t *testing.T) {
 
 	ip, err = netip.ParseAddr("1.1.0.1")
 	require.NoError(t, err)
-	_, ok = routeTree.Lookup(ip)
+	r, ok = routeTree.Lookup(ip)
 	assert.False(t, ok)
 }
 

overlay/tun.go

@@ -1,6 +1,8 @@
 package overlay
 
 import (
+	"fmt"
+	"net"
 	"net/netip"
 
 	"github.com/sirupsen/logrus"
@@ -9,6 +11,7 @@ import (
 )
 
 const DefaultMTU = 1300
+const VirtioNetHdrLen = 10 // Size of virtio_net_hdr structure
 
 // TODO: We may be able to remove routines
 type DeviceFactory func(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, routines int) (Device, error)
@@ -70,3 +73,51 @@ func findRemovedRoutes(newRoutes, oldRoutes []Route) []Route {
 
 	return removed
 }
+
+func prefixToMask(prefix netip.Prefix) netip.Addr {
+	pLen := 128
+	if prefix.Addr().Is4() {
+		pLen = 32
+	}
+
+	addr, _ := netip.AddrFromSlice(net.CIDRMask(prefix.Bits(), pLen))
+	return addr
+}
+
+func flipBytes(b []byte) []byte {
+	for i := 0; i < len(b); i++ {
+		b[i] ^= 0xFF
+	}
+	return b
+}
+func orBytes(a []byte, b []byte) []byte {
+	ret := make([]byte, len(a))
+	for i := 0; i < len(a); i++ {
+		ret[i] = a[i] | b[i]
+	}
+	return ret
+}
+
+func getBroadcast(cidr netip.Prefix) netip.Addr {
+	broadcast, _ := netip.AddrFromSlice(
+		orBytes(
+			cidr.Addr().AsSlice(),
+			flipBytes(prefixToMask(cidr).AsSlice()),
+		),
+	)
+	return broadcast
+}
+
+func selectGateway(dest netip.Prefix, gateways []netip.Prefix) (netip.Prefix, error) {
+	for _, gateway := range gateways {
+		if dest.Addr().Is4() && gateway.Addr().Is4() {
+			return gateway, nil
+		}
+
+		if dest.Addr().Is6() && gateway.Addr().Is6() {
+			return gateway, nil
+		}
+	}
+
+	return netip.Prefix{}, fmt.Errorf("no gateway found for %v in the list of vpn networks", dest)
+}

overlay/tun_android.go

@@ -95,6 +95,29 @@ func (t *tun) Name() string {
 	return "android"
 }
 
-func (t *tun) NewMultiQueueReader() (io.ReadWriteCloser, error) {
+func (t *tun) NewMultiQueueReader() (BatchReadWriter, error) {
 	return nil, fmt.Errorf("TODO: multiqueue not implemented for android")
 }
+
+func (t *tun) BatchRead(bufs [][]byte, sizes []int) (int, error) {
+	n, err := t.Read(bufs[0])
+	if err != nil {
+		return 0, err
+	}
+	sizes[0] = n
+	return 1, nil
+}
+
+func (t *tun) WriteBatch(bufs [][]byte, offset int) (int, error) {
+	for i, buf := range bufs {
+		_, err := t.Write(buf[offset:])
+		if err != nil {
+			return i, err
+		}
+	}
+	return len(bufs), nil
+}
+
+func (t *tun) BatchSize() int {
+	return 1
+}

overlay/tun_darwin.go

@@ -1,5 +1,5 @@
-//go:build darwin && !ios && !e2e_testing
+//go:build !ios && !e2e_testing
-// +build darwin,!ios,!e2e_testing
+// +build !ios,!e2e_testing
 
 package overlay
 
@@ -8,27 +8,48 @@ import (
 	"fmt"
 	"io"
 	"net/netip"
+	"os"
+	"sync/atomic"
+	"syscall"
 	"unsafe"
 
+	"github.com/gaissmai/bart"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
+	"github.com/slackhq/nebula/routing"
 	"github.com/slackhq/nebula/util"
 	netroute "golang.org/x/net/route"
 	"golang.org/x/sys/unix"
-	wgtun "golang.zx2c4.com/wireguard/tun"
 )
 
 type tun struct {
+	io.ReadWriteCloser
+	Device      string
+	vpnNetworks []netip.Prefix
+	DefaultMTU  int
+	Routes      atomic.Pointer[[]Route]
+	routeTree   atomic.Pointer[bart.Table[routing.Gateways]]
 	linkAddr    *netroute.LinkAddr
+	l           *logrus.Logger
+
+	// cache out buffer since we need to prepend 4 bytes for tun metadata
+	out []byte
 }
 
-// ioctl structures for Darwin network configuration
 type ifReq struct {
 	Name  [unix.IFNAMSIZ]byte
 	Flags uint16
 	pad   [8]byte
 }
 
+const (
+	_SIOCAIFADDR_IN6 = 2155899162
+	_UTUN_OPT_IFNAME = 2
+	_IN6_IFF_NODAD   = 0x0020
+	_IN6_IFF_SECURED = 0x0400
+	utunControlName  = "com.apple.net.utun_control"
+)
+
 type ifreqMTU struct {
 	Name [16]byte
 	MTU  int32
@@ -58,61 +79,60 @@ type ifreqAlias6 struct {
 	Lifetime   addrLifetime
 }
 
-const (
+func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, _ bool) (*tun, error) {
-	_SIOCAIFADDR_IN6 = 2155899162
-	_IN6_IFF_NODAD   = 0x0020
-)
-
-func newTunFromFd(_ *config.C, _ *logrus.Logger, _ int, _ []netip.Prefix) (*wgTun, error) {
-	return nil, fmt.Errorf("newTunFromFd not supported on Darwin")
-}
-
-func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, _ bool) (*wgTun, error) {
 	name := c.GetString("tun.dev", "")
-	deviceName := "utun"
-
-	// Parse device name to handle utun[0-9]+ format
-	if name != "" && name != "utun" {
 	ifIndex := -1
+	if name != "" && name != "utun" {
 		_, err := fmt.Sscanf(name, "utun%d", &ifIndex)
 		if err != nil || ifIndex < 0 {
 			// NOTE: we don't make this error so we don't break existing
 			// configs that set a name before it was used.
 			l.Warn("interface name must be utun[0-9]+ on Darwin, ignoring")
-		} else {
+			ifIndex = -1
-			deviceName = name
 		}
 	}
 
-	mtu := c.GetInt("tun.mtu", DefaultMTU)
+	fd, err := unix.Socket(unix.AF_SYSTEM, unix.SOCK_DGRAM, unix.AF_SYS_CONTROL)
-
-	// Create WireGuard TUN device
-	tunDevice, err := wgtun.CreateTUN(deviceName, mtu)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create TUN device: %w", err)
+		return nil, fmt.Errorf("system socket: %v", err)
 	}
 
-	// Get the actual device name
+	var ctlInfo = &unix.CtlInfo{}
-	actualName, err := tunDevice.Name()
+	copy(ctlInfo.Name[:], utunControlName)
+
+	err = unix.IoctlCtlInfo(fd, ctlInfo)
 	if err != nil {
-		tunDevice.Close()
+		return nil, fmt.Errorf("CTLIOCGINFO: %v", err)
-		return nil, fmt.Errorf("failed to get TUN device name: %w", err)
 	}
 
-	t := &wgTun{
+	err = unix.Connect(fd, &unix.SockaddrCtl{
-		tunDevice:   tunDevice,
+		ID:   ctlInfo.Id,
+		Unit: uint32(ifIndex) + 1,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("SYS_CONNECT: %v", err)
+	}
+
+	name, err = unix.GetsockoptString(fd, unix.AF_SYS_CONTROL, _UTUN_OPT_IFNAME)
+	if err != nil {
+		return nil, fmt.Errorf("failed to retrieve tun name: %w", err)
+	}
+
+	err = unix.SetNonblock(fd, true)
+	if err != nil {
+		return nil, fmt.Errorf("SetNonblock: %v", err)
+	}
+
+	t := &tun{
+		ReadWriteCloser: os.NewFile(uintptr(fd), ""),
+		Device:          name,
 		vpnNetworks:     vpnNetworks,
-		MaxMTU:      mtu,
+		DefaultMTU:      c.GetInt("tun.mtu", DefaultMTU),
-		DefaultMTU:  mtu,
 		l:               l,
 	}
 
-	// Create Darwin-specific route manager
-	t.routeManager = &tun{}
-
 	err = t.reload(c, true)
 	if err != nil {
-		tunDevice.Close()
 		return nil, err
 	}
 
@@ -123,251 +143,215 @@ func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, _ bool) (
 		}
 	})
 
-	l.WithField("name", actualName).Info("Created WireGuard TUN device")
-
 	return t, nil
 }
 
-func (rm *tun) Activate(t *wgTun) error {
+func (t *tun) deviceBytes() (o [16]byte) {
-	name, err := t.tunDevice.Name()
+	for i, c := range t.Device {
-	if err != nil {
+		o[i] = byte(c)
-		return fmt.Errorf("failed to get device name: %w", err)
 	}
+	return
+}
 
-	// Set the MTU
+func newTunFromFd(_ *config.C, _ *logrus.Logger, _ int, _ []netip.Prefix) (*tun, error) {
-	rm.SetMTU(t, t.MaxMTU)
+	return nil, fmt.Errorf("newTunFromFd not supported in Darwin")
+}
 
-	// Add IP addresses
+func (t *tun) Close() error {
-	for _, network := range t.vpnNetworks {
+	if t.ReadWriteCloser != nil {
-		if err := rm.addIP(t, name, network); err != nil {
+		return t.ReadWriteCloser.Close()
+	}
+	return nil
+}
+
+func (t *tun) Activate() error {
+	devName := t.deviceBytes()
+
+	s, err := unix.Socket(
+		unix.AF_INET,
+		unix.SOCK_DGRAM,
+		unix.IPPROTO_IP,
+	)
+	if err != nil {
 		return err
 	}
+	defer unix.Close(s)
+
+	fd := uintptr(s)
+
+	// Set the MTU on the device
+	ifm := ifreqMTU{Name: devName, MTU: int32(t.DefaultMTU)}
+	if err = ioctl(fd, unix.SIOCSIFMTU, uintptr(unsafe.Pointer(&ifm))); err != nil {
+		return fmt.Errorf("failed to set tun mtu: %v", err)
 	}
 
-	// Bring up the interface using ioctl
+	// Get the device flags
-	if err := rm.bringUpInterface(name); err != nil {
+	ifrf := ifReq{Name: devName}
-		return fmt.Errorf("failed to bring up interface: %w", err)
+	if err = ioctl(fd, unix.SIOCGIFFLAGS, uintptr(unsafe.Pointer(&ifrf))); err != nil {
+		return fmt.Errorf("failed to get tun flags: %s", err)
 	}
 
-	// Get the link address for routing
+	linkAddr, err := getLinkAddr(t.Device)
-	linkAddr, err := getLinkAddr(name)
 	if err != nil {
-		return fmt.Errorf("failed to get link address: %w", err)
+		return err
 	}
 	if linkAddr == nil {
 		return fmt.Errorf("unable to discover link_addr for tun interface")
 	}
-	rm.linkAddr = linkAddr
+	t.linkAddr = linkAddr
 
-	// Set the routes
+	for _, network := range t.vpnNetworks {
-	if err := rm.AddRoutes(t, false); err != nil {
+		if network.Addr().Is4() {
+			err = t.activate4(network)
+			if err != nil {
+				return err
+			}
+		} else {
+			err = t.activate6(network)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	// Run the interface
+	ifrf.Flags = ifrf.Flags | unix.IFF_UP | unix.IFF_RUNNING
+	if err = ioctl(fd, unix.SIOCSIFFLAGS, uintptr(unsafe.Pointer(&ifrf))); err != nil {
+		return fmt.Errorf("failed to run tun device: %s", err)
+	}
+
+	// Unsafe path routes
+	return t.addRoutes(false)
+}
+
+func (t *tun) activate4(network netip.Prefix) error {
+	s, err := unix.Socket(
+		unix.AF_INET,
+		unix.SOCK_DGRAM,
+		unix.IPPROTO_IP,
+	)
+	if err != nil {
+		return err
+	}
+	defer unix.Close(s)
+
+	ifr := ifreqAlias4{
+		Name: t.deviceBytes(),
+		Addr: unix.RawSockaddrInet4{
+			Len:    unix.SizeofSockaddrInet4,
+			Family: unix.AF_INET,
+			Addr:   network.Addr().As4(),
+		},
+		DstAddr: unix.RawSockaddrInet4{
+			Len:    unix.SizeofSockaddrInet4,
+			Family: unix.AF_INET,
+			Addr:   network.Addr().As4(),
+		},
+		MaskAddr: unix.RawSockaddrInet4{
+			Len:    unix.SizeofSockaddrInet4,
+			Family: unix.AF_INET,
+			Addr:   prefixToMask(network).As4(),
+		},
+	}
+
+	if err := ioctl(uintptr(s), unix.SIOCAIFADDR, uintptr(unsafe.Pointer(&ifr))); err != nil {
+		return fmt.Errorf("failed to set tun v4 address: %s", err)
+	}
+
+	err = addRoute(network, t.linkAddr)
+	if err != nil {
 		return err
 	}
 
 	return nil
 }
 
-func (rm *tun) bringUpInterface(name string) error {
+func (t *tun) activate6(network netip.Prefix) error {
-	// Open a socket for ioctl
+	s, err := unix.Socket(
-	fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
+		unix.AF_INET6,
+		unix.SOCK_DGRAM,
+		unix.IPPROTO_IP,
+	)
 	if err != nil {
-		return fmt.Errorf("failed to create socket: %w", err)
+		return err
-	}
-	defer unix.Close(fd)
-
-	// Get current flags
-	var ifrf ifReq
-	copy(ifrf.Name[:], name)
-
-	if err := ioctl(uintptr(fd), unix.SIOCGIFFLAGS, uintptr(unsafe.Pointer(&ifrf))); err != nil {
-		return fmt.Errorf("failed to get interface flags: %w", err)
-	}
-
-	// Set IFF_UP and IFF_RUNNING flags
-	ifrf.Flags = ifrf.Flags | unix.IFF_UP | unix.IFF_RUNNING
-
-	if err := ioctl(uintptr(fd), unix.SIOCSIFFLAGS, uintptr(unsafe.Pointer(&ifrf))); err != nil {
-		return fmt.Errorf("failed to set interface flags: %w", err)
-	}
-
-	return nil
-}
-
-func (rm *tun) SetMTU(t *wgTun, mtu int) {
-	name, err := t.tunDevice.Name()
-	if err != nil {
-		t.l.WithError(err).Error("Failed to get device name for MTU set")
-		return
-	}
-
-	// Open a socket for ioctl
-	fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
-	if err != nil {
-		t.l.WithError(err).Error("Failed to create socket for MTU set")
-		return
-	}
-	defer unix.Close(fd)
-
-	// Prepare the ioctl request
-	var ifr ifreqMTU
-	copy(ifr.Name[:], name)
-	ifr.MTU = int32(mtu)
-
-	// Set the MTU using ioctl
-	if err := ioctl(uintptr(fd), unix.SIOCSIFMTU, uintptr(unsafe.Pointer(&ifr))); err != nil {
-		t.l.WithError(err).Error("Failed to set tun mtu via ioctl")
-	}
-}
-
-func (rm *tun) SetDefaultRoute(t *wgTun, cidr netip.Prefix) error {
-	// On Darwin, routes are set via ifconfig and route commands
-	return nil
-}
-
-func (rm *tun) AddRoutes(t *wgTun, logErrors bool) error {
-	routes := *t.Routes.Load()
-	for _, r := range routes {
-		if !r.Install {
-			continue
-		}
-
-		err := rm.addRoute(r.Cidr)
-		if err != nil {
-			if errors.Is(err, unix.EEXIST) {
-				t.l.WithField("route", r.Cidr).
-					Warnf("unable to add unsafe_route, identical route already exists")
-			} else {
-				retErr := util.NewContextualError("Failed to add route", map[string]any{"route": r}, err)
-				if logErrors {
-					retErr.Log(t.l)
-				} else {
-					return retErr
-				}
-			}
-		} else {
-			t.l.WithField("route", r).Info("Added route")
-		}
-	}
-
-	return nil
-}
-
-func (rm *tun) RemoveRoutes(t *wgTun, routes []Route) {
-	for _, r := range routes {
-		if !r.Install {
-			continue
-		}
-
-		err := rm.delRoute(r.Cidr)
-		if err != nil {
-			t.l.WithError(err).WithField("route", r).Error("Failed to remove route")
-		} else {
-			t.l.WithField("route", r).Info("Removed route")
-		}
-	}
-}
-
-func (rm *tun) NewMultiQueueReader(t *wgTun) (io.ReadWriteCloser, error) {
-	// Darwin doesn't support multi-queue TUN devices in the same way as Linux
-	// Return a reader that wraps the same device
-	return &wgTunReader{
-		parent:    t,
-		tunDevice: t.tunDevice,
-		offset:    0,
-		l:         t.l,
-	}, nil
-}
-
-func (rm *tun) addIP(t *wgTun, name string, network netip.Prefix) error {
-	addr := network.Addr()
-
-	if addr.Is4() {
-		return rm.addIPv4(name, network)
-	} else {
-		return rm.addIPv6(name, network)
-	}
-}
-
-func (rm *tun) addIPv4(name string, network netip.Prefix) error {
-	// Open an IPv4 socket for ioctl
-	s, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, unix.IPPROTO_IP)
-	if err != nil {
-		return fmt.Errorf("failed to create IPv4 socket: %w", err)
 	}
 	defer unix.Close(s)
 
-	var ifr ifreqAlias4
+	ifr := ifreqAlias6{
-	copy(ifr.Name[:], name)
+		Name: t.deviceBytes(),
-
+		Addr: unix.RawSockaddrInet6{
-	// Set the address
-	ifr.Addr = unix.RawSockaddrInet4{
-		Len:    unix.SizeofSockaddrInet4,
-		Family: unix.AF_INET,
-		Addr:   network.Addr().As4(),
-	}
-
-	// Set the destination address (same as address for point-to-point)
-	ifr.DstAddr = unix.RawSockaddrInet4{
-		Len:    unix.SizeofSockaddrInet4,
-		Family: unix.AF_INET,
-		Addr:   network.Addr().As4(),
-	}
-
-	// Set the netmask
-	ifr.MaskAddr = unix.RawSockaddrInet4{
-		Len:    unix.SizeofSockaddrInet4,
-		Family: unix.AF_INET,
-		Addr:   prefixToMask(network).As4(),
-	}
-
-	if err := ioctl(uintptr(s), unix.SIOCAIFADDR, uintptr(unsafe.Pointer(&ifr))); err != nil {
-		return fmt.Errorf("failed to set IPv4 address via ioctl: %w", err)
-	}
-
-	return nil
-}
-
-func (rm *tun) addIPv6(name string, network netip.Prefix) error {
-	// Open an IPv6 socket for ioctl
-	s, err := unix.Socket(unix.AF_INET6, unix.SOCK_DGRAM, unix.IPPROTO_IP)
-	if err != nil {
-		return fmt.Errorf("failed to create IPv6 socket: %w", err)
-	}
-	defer unix.Close(s)
-
-	var ifr ifreqAlias6
-	copy(ifr.Name[:], name)
-
-	// Set the address
-	ifr.Addr = unix.RawSockaddrInet6{
 			Len:    unix.SizeofSockaddrInet6,
 			Family: unix.AF_INET6,
 			Addr:   network.Addr().As16(),
-	}
+		},
-
+		PrefixMask: unix.RawSockaddrInet6{
-	// Set the prefix mask
-	ifr.PrefixMask = unix.RawSockaddrInet6{
 			Len:    unix.SizeofSockaddrInet6,
 			Family: unix.AF_INET6,
 			Addr:   prefixToMask(network).As16(),
-	}
+		},
-
+		Lifetime: addrLifetime{
-	// Set lifetime (never expires)
+			// never expires
-	ifr.Lifetime = addrLifetime{
 			Vltime: 0xffffffff,
 			Pltime: 0xffffffff,
+		},
+		Flags: _IN6_IFF_NODAD,
 	}
 
-	// Set flags (no DAD - Duplicate Address Detection)
-	ifr.Flags = _IN6_IFF_NODAD
-
 	if err := ioctl(uintptr(s), _SIOCAIFADDR_IN6, uintptr(unsafe.Pointer(&ifr))); err != nil {
-		return fmt.Errorf("failed to set IPv6 address via ioctl: %w", err)
+		return fmt.Errorf("failed to set tun address: %s", err)
 	}
 
 	return nil
 }
 
+func (t *tun) reload(c *config.C, initial bool) error {
+	change, routes, err := getAllRoutesFromConfig(c, t.vpnNetworks, initial)
+	if err != nil {
+		return err
+	}
+
+	if !initial && !change {
+		return nil
+	}
+
+	routeTree, err := makeRouteTree(t.l, routes, false)
+	if err != nil {
+		return err
+	}
+
+	// Teach nebula how to handle the routes before establishing them in the system table
+	oldRoutes := t.Routes.Swap(&routes)
+	t.routeTree.Store(routeTree)
+
+	if !initial {
+		// Remove first, if the system removes a wanted route hopefully it will be re-added next
+		err := t.removeRoutes(findRemovedRoutes(routes, *oldRoutes))
+		if err != nil {
+			util.LogWithContextIfNeeded("Failed to remove routes", err, t.l)
+		}
+
+		// Ensure any routes we actually want are installed
+		err = t.addRoutes(true)
+		if err != nil {
+			// Catch any stray logs
+			util.LogWithContextIfNeeded("Failed to add routes", err, t.l)
+		}
+	}
+
+	return nil
+}
+
+func (t *tun) RoutesFor(ip netip.Addr) routing.Gateways {
+	r, ok := t.routeTree.Load().Lookup(ip)
+	if ok {
+		return r
+	}
+	return routing.Gateways{}
+}
+
+// Get the LinkAddr for the interface of the given name
+// Is there an easier way to fetch this when we create the interface?
+// Maybe SIOCGIFINDEX? but this doesn't appear to exist in the darwin headers.
 func getLinkAddr(name string) (*netroute.LinkAddr, error) {
 	rib, err := netroute.FetchRIB(unix.AF_UNSPEC, unix.NET_RT_IFLIST, 0)
 	if err != nil {
@@ -393,7 +377,53 @@ func getLinkAddr(name string) (*netroute.LinkAddr, error) {
 	return nil, nil
 }
 
-func (rm *tun) addRoute(prefix netip.Prefix) error {
+func (t *tun) addRoutes(logErrors bool) error {
+	routes := *t.Routes.Load()
+
+	for _, r := range routes {
+		if len(r.Via) == 0 || !r.Install {
+			// We don't allow route MTUs so only install routes with a via
+			continue
+		}
+
+		err := addRoute(r.Cidr, t.linkAddr)
+		if err != nil {
+			if errors.Is(err, unix.EEXIST) {
+				t.l.WithField("route", r.Cidr).
+					Warnf("unable to add unsafe_route, identical route already exists")
+			} else {
+				retErr := util.NewContextualError("Failed to add route", map[string]any{"route": r}, err)
+				if logErrors {
+					retErr.Log(t.l)
+				} else {
+					return retErr
+				}
+			}
+		} else {
+			t.l.WithField("route", r).Info("Added route")
+		}
+	}
+
+	return nil
+}
+
+func (t *tun) removeRoutes(routes []Route) error {
+	for _, r := range routes {
+		if !r.Install {
+			continue
+		}
+
+		err := delRoute(r.Cidr, t.linkAddr)
+		if err != nil {
+			t.l.WithError(err).WithField("route", r).Error("Failed to remove route")
+		} else {
+			t.l.WithField("route", r).Info("Removed route")
+		}
+	}
+	return nil
+}
+
+func addRoute(prefix netip.Prefix, gateway netroute.Addr) error {
 	sock, err := unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, unix.AF_UNSPEC)
 	if err != nil {
 		return fmt.Errorf("unable to create AF_ROUTE socket: %v", err)
@@ -411,13 +441,13 @@ func (rm *tun) addRoute(prefix netip.Prefix) error {
 		route.Addrs = []netroute.Addr{
 			unix.RTAX_DST:     &netroute.Inet4Addr{IP: prefix.Masked().Addr().As4()},
 			unix.RTAX_NETMASK: &netroute.Inet4Addr{IP: prefixToMask(prefix).As4()},
-			unix.RTAX_GATEWAY: rm.linkAddr,
+			unix.RTAX_GATEWAY: gateway,
 		}
 	} else {
 		route.Addrs = []netroute.Addr{
 			unix.RTAX_DST:     &netroute.Inet6Addr{IP: prefix.Masked().Addr().As16()},
 			unix.RTAX_NETMASK: &netroute.Inet6Addr{IP: prefixToMask(prefix).As16()},
-			unix.RTAX_GATEWAY: rm.linkAddr,
+			unix.RTAX_GATEWAY: gateway,
 		}
 	}
 
@@ -434,7 +464,7 @@ func (rm *tun) addRoute(prefix netip.Prefix) error {
 	return nil
 }
 
-func (rm *tun) delRoute(prefix netip.Prefix) error {
+func delRoute(prefix netip.Prefix, gateway netroute.Addr) error {
 	sock, err := unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, unix.AF_UNSPEC)
 	if err != nil {
 		return fmt.Errorf("unable to create AF_ROUTE socket: %v", err)
@@ -451,13 +481,13 @@ func (rm *tun) delRoute(prefix netip.Prefix) error {
 		route.Addrs = []netroute.Addr{
 			unix.RTAX_DST:     &netroute.Inet4Addr{IP: prefix.Masked().Addr().As4()},
 			unix.RTAX_NETMASK: &netroute.Inet4Addr{IP: prefixToMask(prefix).As4()},
-			unix.RTAX_GATEWAY: rm.linkAddr,
+			unix.RTAX_GATEWAY: gateway,
 		}
 	} else {
 		route.Addrs = []netroute.Addr{
 			unix.RTAX_DST:     &netroute.Inet6Addr{IP: prefix.Masked().Addr().As16()},
 			unix.RTAX_NETMASK: &netroute.Inet6Addr{IP: prefixToMask(prefix).As16()},
-			unix.RTAX_GATEWAY: rm.linkAddr,
+			unix.RTAX_GATEWAY: gateway,
 		}
 	}
 
@@ -465,7 +495,6 @@ func (rm *tun) delRoute(prefix netip.Prefix) error {
 	if err != nil {
 		return fmt.Errorf("failed to create route.RouteMessage: %w", err)
 	}
-
 	_, err = unix.Write(sock, data[:])
 	if err != nil {
 		return fmt.Errorf("failed to write route.RouteMessage to socket: %w", err)
@@ -474,34 +503,78 @@ func (rm *tun) delRoute(prefix netip.Prefix) error {
 	return nil
 }
 
-func ioctl(a1, a2, a3 uintptr) error {
+func (t *tun) Read(to []byte) (int, error) {
-	_, _, errno := unix.Syscall(unix.SYS_IOCTL, a1, a2, a3)
+	buf := make([]byte, len(to)+4)
-	if errno != 0 {
+
-		return errno
+	n, err := t.ReadWriteCloser.Read(buf)
-	}
+
-	return nil
+	copy(to, buf[4:])
+	return n - 4, err
 }
 
-func prefixToMask(prefix netip.Prefix) netip.Addr {
+// Write is only valid for single threaded use
-	bits := prefix.Bits()
+func (t *tun) Write(from []byte) (int, error) {
-	if prefix.Addr().Is4() {
+	buf := t.out
-		// Create IPv4 netmask from prefix length
+	if cap(buf) < len(from)+4 {
-		mask := ^uint32(0) << (32 - bits)
+		buf = make([]byte, len(from)+4)
-		return netip.AddrFrom4([4]byte{
+		t.out = buf
-			byte(mask >> 24),
+	}
-			byte(mask >> 16),
+	buf = buf[:len(from)+4]
-			byte(mask >> 8),
+
-			byte(mask),
+	if len(from) == 0 {
-		})
+		return 0, syscall.EIO
+	}
+
+	// Determine the IP Family for the NULL L2 Header
+	ipVer := from[0] >> 4
+	if ipVer == 4 {
+		buf[3] = syscall.AF_INET
+	} else if ipVer == 6 {
+		buf[3] = syscall.AF_INET6
 	} else {
-		// Create IPv6 netmask from prefix length
+		return 0, fmt.Errorf("unable to determine IP version from packet")
-		var mask [16]byte
-		for i := 0; i < bits/8; i++ {
-			mask[i] = 0xff
-		}
-		if bits%8 != 0 {
-			mask[bits/8] = ^byte(0) << (8 - bits%8)
-		}
-		return netip.AddrFrom16(mask)
 	}
+
+	copy(buf[4:], from)
+
+	n, err := t.ReadWriteCloser.Write(buf)
+	return n - 4, err
+}
+
+func (t *tun) Networks() []netip.Prefix {
+	return t.vpnNetworks
+}
+
+func (t *tun) Name() string {
+	return t.Device
+}
+
+func (t *tun) NewMultiQueueReader() (BatchReadWriter, error) {
+	return nil, fmt.Errorf("TODO: multiqueue not implemented for darwin")
+}
+
+// BatchRead reads a single packet (batch size 1 for non-Linux platforms)
+func (t *tun) BatchRead(bufs [][]byte, sizes []int) (int, error) {
+	n, err := t.Read(bufs[0])
+	if err != nil {
+		return 0, err
+	}
+	sizes[0] = n
+	return 1, nil
+}
+
+// WriteBatch writes packets individually (no batching for non-Linux platforms)
+func (t *tun) WriteBatch(bufs [][]byte, offset int) (int, error) {
+	for i, buf := range bufs {
+		_, err := t.Write(buf[offset:])
+		if err != nil {
+			return i, err
+		}
+	}
+	return len(bufs), nil
+}
+
+// BatchSize returns 1 for non-Linux platforms (no batching)
+func (t *tun) BatchSize() int {
+	return 1
 }

overlay/tun_disabled.go

@@ -105,10 +105,36 @@ func (t *disabledTun) Write(b []byte) (int, error) {
 	return len(b), nil
 }
 
-func (t *disabledTun) NewMultiQueueReader() (io.ReadWriteCloser, error) {
+func (t *disabledTun) NewMultiQueueReader() (BatchReadWriter, error) {
 	return t, nil
 }
 
+// BatchRead reads a single packet (batch size 1 for disabled tun)
+func (t *disabledTun) BatchRead(bufs [][]byte, sizes []int) (int, error) {
+	n, err := t.Read(bufs[0])
+	if err != nil {
+		return 0, err
+	}
+	sizes[0] = n
+	return 1, nil
+}
+
+// WriteBatch writes packets individually (no batching for disabled tun)
+func (t *disabledTun) WriteBatch(bufs [][]byte, offset int) (int, error) {
+	for i, buf := range bufs {
+		_, err := t.Write(buf[offset:])
+		if err != nil {
+			return i, err
+		}
+	}
+	return len(bufs), nil
+}
+
+// BatchSize returns 1 for disabled tun (no batching)
+func (t *disabledTun) BatchSize() int {
+	return 1
+}
+
 func (t *disabledTun) Close() error {
 	if t.read != nil {
 		close(t.read)

overlay/tun_freebsd.go

@@ -1,77 +1,284 @@
-//go:build freebsd && !e2e_testing
+//go:build !e2e_testing
-// +build freebsd,!e2e_testing
+// +build !e2e_testing
 
 package overlay
 
 import (
+	"bytes"
+	"errors"
 	"fmt"
 	"io"
+	"io/fs"
 	"net/netip"
-	"os/exec"
+	"sync/atomic"
-	"strconv"
-	"strings"
 	"syscall"
+	"time"
 	"unsafe"
 
+	"github.com/gaissmai/bart"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
+	"github.com/slackhq/nebula/routing"
 	"github.com/slackhq/nebula/util"
+	netroute "golang.org/x/net/route"
 	"golang.org/x/sys/unix"
-	wgtun "golang.zx2c4.com/wireguard/tun"
 )
 
-type tun struct{}
+const (
+	// FIODGNAME is defined in sys/sys/filio.h on FreeBSD
+	// For 32-bit systems, use FIODGNAME_32 (not defined in this file: 0x80086678)
+	FIODGNAME        = 0x80106678
+	TUNSIFMODE       = 0x8004745e
+	TUNSIFHEAD       = 0x80047460
+	OSIOCAIFADDR_IN6 = 0x8088691b
+	IN6_IFF_NODAD    = 0x0020
+)
+
+type fiodgnameArg struct {
+	length int32
+	pad    [4]byte
+	buf    unsafe.Pointer
+}
 
-// ifreqRename is used for renaming network interfaces on FreeBSD
 type ifreqRename struct {
 	Name [unix.IFNAMSIZ]byte
 	Data uintptr
 }
 
-func newTunFromFd(_ *config.C, _ *logrus.Logger, _ int, _ []netip.Prefix) (*wgTun, error) {
+type ifreqDestroy struct {
-	return nil, fmt.Errorf("newTunFromFd not supported on FreeBSD")
+	Name [unix.IFNAMSIZ]byte
+	pad  [16]byte
 }
 
-func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, _ bool) (*wgTun, error) {
+type ifReq struct {
-	deviceName := c.GetString("tun.dev", "tun")
+	Name  [unix.IFNAMSIZ]byte
-	mtu := c.GetInt("tun.mtu", DefaultMTU)
+	Flags uint16
+}
 
-	// Create WireGuard TUN device
+type ifreqMTU struct {
-	tunDevice, err := wgtun.CreateTUN(deviceName, mtu)
+	Name [unix.IFNAMSIZ]byte
-	if err != nil {
+	MTU  int32
-		return nil, fmt.Errorf("failed to create TUN device: %w", err)
+}
+
+type addrLifetime struct {
+	Expire    uint64
+	Preferred uint64
+	Vltime    uint32
+	Pltime    uint32
+}
+
+type ifreqAlias4 struct {
+	Name     [unix.IFNAMSIZ]byte
+	Addr     unix.RawSockaddrInet4
+	DstAddr  unix.RawSockaddrInet4
+	MaskAddr unix.RawSockaddrInet4
+	VHid     uint32
+}
+
+type ifreqAlias6 struct {
+	Name       [unix.IFNAMSIZ]byte
+	Addr       unix.RawSockaddrInet6
+	DstAddr    unix.RawSockaddrInet6
+	PrefixMask unix.RawSockaddrInet6
+	Flags      uint32
+	Lifetime   addrLifetime
+	VHid       uint32
+}
+
+type tun struct {
+	Device      string
+	vpnNetworks []netip.Prefix
+	MTU         int
+	Routes      atomic.Pointer[[]Route]
+	routeTree   atomic.Pointer[bart.Table[routing.Gateways]]
+	linkAddr    *netroute.LinkAddr
+	l           *logrus.Logger
+	devFd       int
+}
+
+func (t *tun) Read(to []byte) (int, error) {
+	// use readv() to read from the tunnel device, to eliminate the need for copying the buffer
+	if t.devFd < 0 {
+		return -1, syscall.EINVAL
 	}
 
-	// Get the actual device name
+	// first 4 bytes is protocol family, in network byte order
-	actualName, err := tunDevice.Name()
+	head := make([]byte, 4)
+
+	iovecs := []syscall.Iovec{
+		{&head[0], 4},
+		{&to[0], uint64(len(to))},
+	}
+
+	n, _, errno := syscall.Syscall(syscall.SYS_READV, uintptr(t.devFd), uintptr(unsafe.Pointer(&iovecs[0])), uintptr(2))
+
+	var err error
+	if errno != 0 {
+		err = syscall.Errno(errno)
+	} else {
+		err = nil
+	}
+	// fix bytes read number to exclude header
+	bytesRead := int(n)
+	if bytesRead < 0 {
+		return bytesRead, err
+	} else if bytesRead < 4 {
+		return 0, err
+	} else {
+		return bytesRead - 4, err
+	}
+}
+
+// Write is only valid for single threaded use
+func (t *tun) Write(from []byte) (int, error) {
+	// use writev() to write to the tunnel device, to eliminate the need for copying the buffer
+	if t.devFd < 0 {
+		return -1, syscall.EINVAL
+	}
+
+	if len(from) <= 1 {
+		return 0, syscall.EIO
+	}
+	ipVer := from[0] >> 4
+	var head []byte
+	// first 4 bytes is protocol family, in network byte order
+	if ipVer == 4 {
+		head = []byte{0, 0, 0, syscall.AF_INET}
+	} else if ipVer == 6 {
+		head = []byte{0, 0, 0, syscall.AF_INET6}
+	} else {
+		return 0, fmt.Errorf("unable to determine IP version from packet")
+	}
+	iovecs := []syscall.Iovec{
+		{&head[0], 4},
+		{&from[0], uint64(len(from))},
+	}
+
+	n, _, errno := syscall.Syscall(syscall.SYS_WRITEV, uintptr(t.devFd), uintptr(unsafe.Pointer(&iovecs[0])), uintptr(2))
+
+	var err error
+	if errno != 0 {
+		err = syscall.Errno(errno)
+	} else {
+		err = nil
+	}
+
+	return int(n) - 4, err
+}
+
+func (t *tun) Close() error {
+	if t.devFd >= 0 {
+		err := syscall.Close(t.devFd)
 		if err != nil {
-		tunDevice.Close()
+			t.l.WithError(err).Error("Error closing device")
-		return nil, fmt.Errorf("failed to get TUN device name: %w", err)
+		}
+		t.devFd = -1
+
+		c := make(chan struct{})
+		go func() {
+			// destroying the interface can block if a read() is still pending. Do this asynchronously.
+			defer close(c)
+			s, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_DGRAM, syscall.IPPROTO_IP)
+			if err == nil {
+				defer syscall.Close(s)
+				ifreq := ifreqDestroy{Name: t.deviceBytes()}
+				err = ioctl(uintptr(s), syscall.SIOCIFDESTROY, uintptr(unsafe.Pointer(&ifreq)))
+			}
+			if err != nil {
+				t.l.WithError(err).Error("Error destroying tunnel")
+			}
+		}()
+
+		// wait up to 1 second so we start blocking at the ioctl
+		select {
+		case <-c:
+		case <-time.After(1 * time.Second):
+		}
+	}
+
+	return nil
+}
+
+func newTunFromFd(_ *config.C, _ *logrus.Logger, _ int, _ []netip.Prefix) (*tun, error) {
+	return nil, fmt.Errorf("newTunFromFd not supported in FreeBSD")
+}
+
+func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, _ bool) (*tun, error) {
+	// Try to open existing tun device
+	var fd int
+	var err error
+	deviceName := c.GetString("tun.dev", "")
+	if deviceName != "" {
+		fd, err = syscall.Open("/dev/"+deviceName, syscall.O_RDWR, 0)
+	}
+	if errors.Is(err, fs.ErrNotExist) || deviceName == "" {
+		// If the device doesn't already exist, request a new one and rename it
+		fd, err = syscall.Open("/dev/tun", syscall.O_RDWR, 0)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	// Read the name of the interface
+	var name [16]byte
+	arg := fiodgnameArg{length: 16, buf: unsafe.Pointer(&name)}
+	ctrlErr := ioctl(uintptr(fd), FIODGNAME, uintptr(unsafe.Pointer(&arg)))
+
+	if ctrlErr == nil {
+		// set broadcast mode and multicast
+		ifmode := uint32(unix.IFF_BROADCAST | unix.IFF_MULTICAST)
+		ctrlErr = ioctl(uintptr(fd), TUNSIFMODE, uintptr(unsafe.Pointer(&ifmode)))
+	}
+
+	if ctrlErr == nil {
+		// turn on link-layer mode, to support ipv6
+		ifhead := uint32(1)
+		ctrlErr = ioctl(uintptr(fd), TUNSIFHEAD, uintptr(unsafe.Pointer(&ifhead)))
+	}
+
+	if ctrlErr != nil {
+		return nil, err
+	}
+
+	ifName := string(bytes.TrimRight(name[:], "\x00"))
+	if deviceName == "" {
+		deviceName = ifName
 	}
 
 	// If the name doesn't match the desired interface name, rename it now
-	if actualName != deviceName && deviceName != "" && deviceName != "tun" {
+	if ifName != deviceName {
-		if err := renameInterface(actualName, deviceName); err != nil {
+		s, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, unix.IPPROTO_IP)
-			tunDevice.Close()
+		if err != nil {
-			return nil, fmt.Errorf("failed to rename interface from %s to %s: %w", actualName, deviceName, err)
+			return nil, err
 		}
-		actualName = deviceName
+		defer syscall.Close(s)
+
+		fd := uintptr(s)
+
+		var fromName [16]byte
+		var toName [16]byte
+		copy(fromName[:], ifName)
+		copy(toName[:], deviceName)
+
+		ifrr := ifreqRename{
+			Name: fromName,
+			Data: uintptr(unsafe.Pointer(&toName)),
 		}
 
-	t := &wgTun{
+		// Set the device name
-		tunDevice:   tunDevice,
+		ioctl(fd, syscall.SIOCSIFNAME, uintptr(unsafe.Pointer(&ifrr)))
+	}
+
+	t := &tun{
+		Device:      deviceName,
 		vpnNetworks: vpnNetworks,
-		MaxMTU:      mtu,
+		MTU:         c.GetInt("tun.mtu", DefaultMTU),
-		DefaultMTU:  mtu,
 		l:           l,
+		devFd:       fd,
 	}
 
-	// Create FreeBSD-specific route manager
-	t.routeManager = &tun{}
-
 	err = t.reload(c, true)
 	if err != nil {
-		tunDevice.Close()
 		return nil, err
 	}
 
@@ -82,86 +289,206 @@ func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, _ bool) (
 		}
 	})
 
-	l.WithField("name", actualName).Info("Created WireGuard TUN device")
-
 	return t, nil
 }
 
-func (rm *tun) Activate(t *wgTun) error {
+func (t *tun) addIp(cidr netip.Prefix) error {
-	name, err := t.tunDevice.Name()
+	if cidr.Addr().Is4() {
+		ifr := ifreqAlias4{
+			Name: t.deviceBytes(),
+			Addr: unix.RawSockaddrInet4{
+				Len:    unix.SizeofSockaddrInet4,
+				Family: unix.AF_INET,
+				Addr:   cidr.Addr().As4(),
+			},
+			DstAddr: unix.RawSockaddrInet4{
+				Len:    unix.SizeofSockaddrInet4,
+				Family: unix.AF_INET,
+				Addr:   getBroadcast(cidr).As4(),
+			},
+			MaskAddr: unix.RawSockaddrInet4{
+				Len:    unix.SizeofSockaddrInet4,
+				Family: unix.AF_INET,
+				Addr:   prefixToMask(cidr).As4(),
+			},
+			VHid: 0,
+		}
+		s, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, unix.IPPROTO_IP)
 		if err != nil {
-		return fmt.Errorf("failed to get device name: %w", err)
+			return err
+		}
+		defer syscall.Close(s)
+		// Note: unix.SIOCAIFADDR corresponds to FreeBSD's OSIOCAIFADDR
+		if err := ioctl(uintptr(s), unix.SIOCAIFADDR, uintptr(unsafe.Pointer(&ifr))); err != nil {
+			return fmt.Errorf("failed to set tun address %s: %s", cidr.Addr().String(), err)
+		}
+		return nil
 	}
 
-	// Set the MTU
+	if cidr.Addr().Is6() {
-	rm.SetMTU(t, t.MaxMTU)
+		ifr := ifreqAlias6{
+			Name: t.deviceBytes(),
+			Addr: unix.RawSockaddrInet6{
+				Len:    unix.SizeofSockaddrInet6,
+				Family: unix.AF_INET6,
+				Addr:   cidr.Addr().As16(),
+			},
+			PrefixMask: unix.RawSockaddrInet6{
+				Len:    unix.SizeofSockaddrInet6,
+				Family: unix.AF_INET6,
+				Addr:   prefixToMask(cidr).As16(),
+			},
+			Lifetime: addrLifetime{
+				Expire:    0,
+				Preferred: 0,
+				Vltime:    0xffffffff,
+				Pltime:    0xffffffff,
+			},
+			Flags: IN6_IFF_NODAD,
+		}
+		s, err := syscall.Socket(syscall.AF_INET6, syscall.SOCK_DGRAM, syscall.IPPROTO_IP)
+		if err != nil {
+			return err
+		}
+		defer syscall.Close(s)
 
-	// Add IP addresses
+		if err := ioctl(uintptr(s), OSIOCAIFADDR_IN6, uintptr(unsafe.Pointer(&ifr))); err != nil {
-	for _, network := range t.vpnNetworks {
+			return fmt.Errorf("failed to set tun address %s: %s", cidr.Addr().String(), err)
-		if err := rm.addIP(t, name, network); err != nil {
+		}
+		return nil
+	}
+
+	return fmt.Errorf("unknown address type %v", cidr)
+}
+
+func (t *tun) Activate() error {
+	// Setup our default MTU
+	err := t.setMTU()
+	if err != nil {
+		return err
+	}
+
+	linkAddr, err := getLinkAddr(t.Device)
+	if err != nil {
+		return err
+	}
+	if linkAddr == nil {
+		return fmt.Errorf("unable to discover link_addr for tun interface")
+	}
+	t.linkAddr = linkAddr
+
+	for i := range t.vpnNetworks {
+		err := t.addIp(t.vpnNetworks[i])
+		if err != nil {
 			return err
 		}
 	}
 
-	// Bring up the interface
+	return t.addRoutes(false)
-	if err := runCommandBSD("ifconfig", name, "up"); err != nil {
+}
-		return fmt.Errorf("failed to bring up interface: %w", err)
+
+func (t *tun) setMTU() error {
+	// Set the MTU on the device
+	s, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, unix.IPPROTO_IP)
+	if err != nil {
+		return err
+	}
+	defer syscall.Close(s)
+
+	ifm := ifreqMTU{Name: t.deviceBytes(), MTU: int32(t.MTU)}
+	err = ioctl(uintptr(s), unix.SIOCSIFMTU, uintptr(unsafe.Pointer(&ifm)))
+	return err
+}
+
+func (t *tun) reload(c *config.C, initial bool) error {
+	change, routes, err := getAllRoutesFromConfig(c, t.vpnNetworks, initial)
+	if err != nil {
+		return err
 	}
 
-	// Set the routes
+	if !initial && !change {
-	if err := rm.AddRoutes(t, false); err != nil {
+		return nil
+	}
+
+	routeTree, err := makeRouteTree(t.l, routes, false)
+	if err != nil {
 		return err
 	}
 
+	// Teach nebula how to handle the routes before establishing them in the system table
+	oldRoutes := t.Routes.Swap(&routes)
+	t.routeTree.Store(routeTree)
+
+	if !initial {
+		// Remove first, if the system removes a wanted route hopefully it will be re-added next
+		err := t.removeRoutes(findRemovedRoutes(routes, *oldRoutes))
+		if err != nil {
+			util.LogWithContextIfNeeded("Failed to remove routes", err, t.l)
+		}
+
+		// Ensure any routes we actually want are installed
+		err = t.addRoutes(true)
+		if err != nil {
+			// Catch any stray logs
+			util.LogWithContextIfNeeded("Failed to add routes", err, t.l)
+		}
+	}
+
 	return nil
 }
 
-func (rm *tun) SetMTU(t *wgTun, mtu int) {
+func (t *tun) RoutesFor(ip netip.Addr) routing.Gateways {
-	name, err := t.tunDevice.Name()
+	r, _ := t.routeTree.Load().Lookup(ip)
-	if err != nil {
+	return r
-		t.l.WithError(err).Error("Failed to get device name for MTU set")
-		return
-	}
-
-	if err := runCommandBSD("ifconfig", name, "mtu", strconv.Itoa(mtu)); err != nil {
-		t.l.WithError(err).Error("Failed to set tun mtu")
-	}
 }
 
-func (rm *tun) SetDefaultRoute(t *wgTun, cidr netip.Prefix) error {
+func (t *tun) Networks() []netip.Prefix {
-	// On FreeBSD, routes are set via ifconfig and route commands
+	return t.vpnNetworks
-	return nil
 }
 
-func (rm *tun) AddRoutes(t *wgTun, logErrors bool) error {
+func (t *tun) Name() string {
-	name, err := t.tunDevice.Name()
+	return t.Device
-	if err != nil {
+}
-		return fmt.Errorf("failed to get device name: %w", err)
-	}
 
+func (t *tun) NewMultiQueueReader() (BatchReadWriter, error) {
+	return nil, fmt.Errorf("TODO: multiqueue not implemented for freebsd")
+}
+
+// BatchRead reads a single packet (batch size 1 for FreeBSD)
+func (t *tun) BatchRead(bufs [][]byte, sizes []int) (int, error) {
+	n, err := t.Read(bufs[0])
+	if err != nil {
+		return 0, err
+	}
+	sizes[0] = n
+	return 1, nil
+}
+
+// WriteBatch writes packets individually (no batching for FreeBSD)
+func (t *tun) WriteBatch(bufs [][]byte, offset int) (int, error) {
+	for i, buf := range bufs {
+		_, err := t.Write(buf[offset:])
+		if err != nil {
+			return i, err
+		}
+	}
+	return len(bufs), nil
+}
+
+// BatchSize returns 1 for FreeBSD (no batching)
+func (t *tun) BatchSize() int {
+	return 1
+}
+
+func (t *tun) addRoutes(logErrors bool) error {
 	routes := *t.Routes.Load()
 	for _, r := range routes {
-		if !r.Install {
+		if len(r.Via) == 0 || !r.Install {
+			// We don't allow route MTUs so only install routes with a via
 			continue
 		}
 
-		// Add route using route command
+		err := addRoute(r.Cidr, t.linkAddr)
-		args := []string{"add"}
-
-		if r.Cidr.Addr().Is6() {
-			args = append(args, "-inet6")
-		} else {
-			args = append(args, "-inet")
-		}
-
-		args = append(args, r.Cidr.String(), "-interface", name)
-
-		if r.Metric > 0 {
-			// FreeBSD doesn't support route metrics directly like Linux
-			t.l.WithField("route", r).Warn("Route metrics are not fully supported on FreeBSD")
-		}
-
-		err := runCommandBSD("route", args...)
 		if err != nil {
 			retErr := util.NewContextualError("Failed to add route", map[string]any{"route": r}, err)
 			if logErrors {
@@ -177,99 +504,142 @@ func (rm *tun) AddRoutes(t *wgTun, logErrors bool) error {
 	return nil
 }
 
-func (rm *tun) RemoveRoutes(t *wgTun, routes []Route) {
+func (t *tun) removeRoutes(routes []Route) error {
-	name, err := t.tunDevice.Name()
-	if err != nil {
-		t.l.WithError(err).Error("Failed to get device name for route removal")
-		return
-	}
-
 	for _, r := range routes {
 		if !r.Install {
 			continue
 		}
 
-		args := []string{"delete"}
+		err := delRoute(r.Cidr, t.linkAddr)
-
-		if r.Cidr.Addr().Is6() {
-			args = append(args, "-inet6")
-		} else {
-			args = append(args, "-inet")
-		}
-
-		args = append(args, r.Cidr.String(), "-interface", name)
-
-		err := runCommandBSD("route", args...)
 		if err != nil {
 			t.l.WithError(err).WithField("route", r).Error("Failed to remove route")
 		} else {
 			t.l.WithField("route", r).Info("Removed route")
 		}
 	}
+	return nil
 }
 
-func (rm *tun) NewMultiQueueReader(t *wgTun) (io.ReadWriteCloser, error) {
+func (t *tun) deviceBytes() (o [16]byte) {
-	// FreeBSD doesn't support multi-queue TUN devices in the same way as Linux
+	for i, c := range t.Device {
-	// Return a reader that wraps the same device
+		o[i] = byte(c)
-	return &wgTunReader{
+	}
-		parent:    t,
+	return
-		tunDevice: t.tunDevice,
-		offset:    0,
-		l:         t.l,
-	}, nil
 }
 
-func (rm *tun) addIP(t *wgTun, name string, network netip.Prefix) error {
+func addRoute(prefix netip.Prefix, gateway netroute.Addr) error {
-	addr := network.Addr()
+	sock, err := unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, unix.AF_UNSPEC)
+	if err != nil {
+		return fmt.Errorf("unable to create AF_ROUTE socket: %v", err)
+	}
+	defer unix.Close(sock)
 
-	if addr.Is4() {
+	route := &netroute.RouteMessage{
-		// For IPv4: ifconfig tun0 10.0.0.1/24
+		Version: unix.RTM_VERSION,
-		if err := runCommandBSD("ifconfig", name, network.String()); err != nil {
+		Type:    unix.RTM_ADD,
-			return fmt.Errorf("failed to add IPv4 address: %w", err)
+		Flags:   unix.RTF_UP,
+		Seq:     1,
+	}
+
+	if prefix.Addr().Is4() {
+		route.Addrs = []netroute.Addr{
+			unix.RTAX_DST:     &netroute.Inet4Addr{IP: prefix.Masked().Addr().As4()},
+			unix.RTAX_NETMASK: &netroute.Inet4Addr{IP: prefixToMask(prefix).As4()},
+			unix.RTAX_GATEWAY: gateway,
 		}
 	} else {
-		// For IPv6: ifconfig tun0 inet6 add 2001:db8::1/64
+		route.Addrs = []netroute.Addr{
-		if err := runCommandBSD("ifconfig", name, "inet6", "add", network.String()); err != nil {
+			unix.RTAX_DST:     &netroute.Inet6Addr{IP: prefix.Masked().Addr().As16()},
-			return fmt.Errorf("failed to add IPv6 address: %w", err)
+			unix.RTAX_NETMASK: &netroute.Inet6Addr{IP: prefixToMask(prefix).As16()},
+			unix.RTAX_GATEWAY: gateway,
 		}
 	}
 
-	return nil
+	data, err := route.Marshal()
-}
-
-func runCommandBSD(name string, args ...string) error {
-	cmd := exec.Command(name, args...)
-	output, err := cmd.CombinedOutput()
 	if err != nil {
-		return fmt.Errorf("%s %s failed: %w\nOutput: %s", name, strings.Join(args, " "), err, string(output))
+		return fmt.Errorf("failed to create route.RouteMessage: %w", err)
 	}
-	return nil
-}
 
-func renameInterface(fromName, toName string) error {
+	_, err = unix.Write(sock, data[:])
-	s, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, unix.IPPROTO_IP)
 	if err != nil {
-		return fmt.Errorf("failed to create socket: %w", err)
+		if errors.Is(err, unix.EEXIST) {
+			// Try to do a change
+			route.Type = unix.RTM_CHANGE
+			data, err = route.Marshal()
+			if err != nil {
+				return fmt.Errorf("failed to create route.RouteMessage for change: %w", err)
 			}
-	defer syscall.Close(s)
+			_, err = unix.Write(sock, data[:])
-
+			fmt.Println("DOING CHANGE")
-	fd := uintptr(s)
+			return err
-
-	var fromNameBytes [unix.IFNAMSIZ]byte
-	var toNameBytes [unix.IFNAMSIZ]byte
-	copy(fromNameBytes[:], fromName)
-	copy(toNameBytes[:], toName)
-
-	ifrr := ifreqRename{
-		Name: fromNameBytes,
-		Data: uintptr(unsafe.Pointer(&toNameBytes)),
 		}
-
+		return fmt.Errorf("failed to write route.RouteMessage to socket: %w", err)
-	// Set the device name using SIOCSIFNAME ioctl
-	_, _, errno := syscall.Syscall(syscall.SYS_IOCTL, fd, syscall.SIOCSIFNAME, uintptr(unsafe.Pointer(&ifrr)))
-	if errno != 0 {
-		return fmt.Errorf("SIOCSIFNAME ioctl failed: %w", errno)
 	}
 
 	return nil
 }
+
+func delRoute(prefix netip.Prefix, gateway netroute.Addr) error {
+	sock, err := unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, unix.AF_UNSPEC)
+	if err != nil {
+		return fmt.Errorf("unable to create AF_ROUTE socket: %v", err)
+	}
+	defer unix.Close(sock)
+
+	route := netroute.RouteMessage{
+		Version: unix.RTM_VERSION,
+		Type:    unix.RTM_DELETE,
+		Seq:     1,
+	}
+
+	if prefix.Addr().Is4() {
+		route.Addrs = []netroute.Addr{
+			unix.RTAX_DST:     &netroute.Inet4Addr{IP: prefix.Masked().Addr().As4()},
+			unix.RTAX_NETMASK: &netroute.Inet4Addr{IP: prefixToMask(prefix).As4()},
+			unix.RTAX_GATEWAY: gateway,
+		}
+	} else {
+		route.Addrs = []netroute.Addr{
+			unix.RTAX_DST:     &netroute.Inet6Addr{IP: prefix.Masked().Addr().As16()},
+			unix.RTAX_NETMASK: &netroute.Inet6Addr{IP: prefixToMask(prefix).As16()},
+			unix.RTAX_GATEWAY: gateway,
+		}
+	}
+
+	data, err := route.Marshal()
+	if err != nil {
+		return fmt.Errorf("failed to create route.RouteMessage: %w", err)
+	}
+	_, err = unix.Write(sock, data[:])
+	if err != nil {
+		return fmt.Errorf("failed to write route.RouteMessage to socket: %w", err)
+	}
+
+	return nil
+}
+
+// getLinkAddr Gets the link address for the interface of the given name
+func getLinkAddr(name string) (*netroute.LinkAddr, error) {
+	rib, err := netroute.FetchRIB(unix.AF_UNSPEC, unix.NET_RT_IFLIST, 0)
+	if err != nil {
+		return nil, err
+	}
+	msgs, err := netroute.ParseRIB(unix.NET_RT_IFLIST, rib)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, m := range msgs {
+		switch m := m.(type) {
+		case *netroute.InterfaceMessage:
+			if m.Name == name {
+				sa, ok := m.Addrs[unix.RTAX_IFP].(*netroute.LinkAddr)
+				if ok {
+					return sa, nil
+				}
+			}
+		}
+	}
+
+	return nil, nil
+}

overlay/tun_ios.go

@@ -151,6 +151,29 @@ func (t *tun) Name() string {
 	return "iOS"
 }
 
-func (t *tun) NewMultiQueueReader() (io.ReadWriteCloser, error) {
+func (t *tun) NewMultiQueueReader() (BatchReadWriter, error) {
 	return nil, fmt.Errorf("TODO: multiqueue not implemented for ios")
 }
+
+func (t *tun) BatchRead(bufs [][]byte, sizes []int) (int, error) {
+	n, err := t.Read(bufs[0])
+	if err != nil {
+		return 0, err
+	}
+	sizes[0] = n
+	return 1, nil
+}
+
+func (t *tun) WriteBatch(bufs [][]byte, offset int) (int, error) {
+	for i, buf := range bufs {
+		_, err := t.Write(buf[offset:])
+		if err != nil {
+			return i, err
+		}
+	}
+	return len(bufs), nil
+}
+
+func (t *tun) BatchSize() int {
+	return 1
+}

overlay/tun_linux_test.go

@@ -7,26 +7,25 @@ import "testing"
 
 var runAdvMSSTests = []struct {
 	name     string
-	defaultMTU int
+	tun      *tun
-	maxMTU     int
 	r        Route
 	expected int
 }{
 	// Standard case, default MTU is the device max MTU
-	{"default", 1440, 1440, Route{}, 0},
+	{"default", &tun{DefaultMTU: 1440, MaxMTU: 1440}, Route{}, 0},
-	{"default-min", 1440, 1440, Route{MTU: 1440}, 0},
+	{"default-min", &tun{DefaultMTU: 1440, MaxMTU: 1440}, Route{MTU: 1440}, 0},
-	{"default-low", 1440, 1440, Route{MTU: 1200}, 1160},
+	{"default-low", &tun{DefaultMTU: 1440, MaxMTU: 1440}, Route{MTU: 1200}, 1160},
 
 	// Case where we have a route MTU set higher than the default
-	{"route", 1440, 8941, Route{}, 1400},
+	{"route", &tun{DefaultMTU: 1440, MaxMTU: 8941}, Route{}, 1400},
-	{"route-min", 1440, 8941, Route{MTU: 1440}, 1400},
+	{"route-min", &tun{DefaultMTU: 1440, MaxMTU: 8941}, Route{MTU: 1440}, 1400},
-	{"route-high", 1440, 8941, Route{MTU: 8941}, 0},
+	{"route-high", &tun{DefaultMTU: 1440, MaxMTU: 8941}, Route{MTU: 8941}, 0},
 }
 
 func TestTunAdvMSS(t *testing.T) {
 	for _, tt := range runAdvMSSTests {
 		t.Run(tt.name, func(t *testing.T) {
-			o := advMSS(tt.r, tt.defaultMTU, tt.maxMTU)
+			o := tt.tun.advMSS(tt.r)
 			if o != tt.expected {
 				t.Errorf("got %d, want %d", o, tt.expected)
 			}

overlay/tun_netbsd.go

@@ -390,10 +390,33 @@ func (t *tun) Name() string {
 	return t.Device
 }
 
-func (t *tun) NewMultiQueueReader() (io.ReadWriteCloser, error) {
+func (t *tun) NewMultiQueueReader() (BatchReadWriter, error) {
 	return nil, fmt.Errorf("TODO: multiqueue not implemented for netbsd")
 }
 
+func (t *tun) BatchRead(bufs [][]byte, sizes []int) (int, error) {
+	n, err := t.Read(bufs[0])
+	if err != nil {
+		return 0, err
+	}
+	sizes[0] = n
+	return 1, nil
+}
+
+func (t *tun) WriteBatch(bufs [][]byte, offset int) (int, error) {
+	for i, buf := range bufs {
+		_, err := t.Write(buf[offset:])
+		if err != nil {
+			return i, err
+		}
+	}
+	return len(bufs), nil
+}
+
+func (t *tun) BatchSize() int {
+	return 1
+}
+
 func (t *tun) addRoutes(logErrors bool) error {
 	routes := *t.Routes.Load()
 
@@ -547,41 +570,3 @@ func delRoute(prefix netip.Prefix, gateways []netip.Prefix) error {
 
 	return nil
 }
-
-func ioctl(a1, a2, a3 uintptr) error {
-	_, _, errno := syscall.Syscall(syscall.SYS_IOCTL, a1, a2, a3)
-	if errno != 0 {
-		return errno
-	}
-	return nil
-}
-
-func prefixToMask(prefix netip.Prefix) netip.Addr {
-	bits := prefix.Bits()
-	if prefix.Addr().Is4() {
-		mask := ^uint32(0) << (32 - bits)
-		return netip.AddrFrom4([4]byte{
-			byte(mask >> 24),
-			byte(mask >> 16),
-			byte(mask >> 8),
-			byte(mask),
-		})
-	}
-	var mask [16]byte
-	for i := 0; i < bits/8; i++ {
-		mask[i] = 0xff
-	}
-	if bits%8 != 0 {
-		mask[bits/8] = ^byte(0) << (8 - bits%8)
-	}
-	return netip.AddrFrom16(mask)
-}
-
-func selectGateway(prefix netip.Prefix, gateways []netip.Prefix) (netip.Prefix, error) {
-	for _, gw := range gateways {
-		if prefix.Addr().Is4() == gw.Addr().Is4() {
-			return gw, nil
-		}
-	}
-	return netip.Prefix{}, fmt.Errorf("no suitable gateway found for prefix %v", prefix)
-}

overlay/tun_notwin.go

@@ -0,0 +1,14 @@
+//go:build !windows
+// +build !windows
+
+package overlay
+
+import "syscall"
+
+func ioctl(a1, a2, a3 uintptr) error {
+	_, _, errno := syscall.Syscall(syscall.SYS_IOCTL, a1, a2, a3)
+	if errno != 0 {
+		return errno
+	}
+	return nil
+}

overlay/tun_openbsd.go

@@ -1,59 +1,104 @@
-//go:build openbsd && !e2e_testing
+//go:build !e2e_testing
-// +build openbsd,!e2e_testing
+// +build !e2e_testing
 
 package overlay
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"net/netip"
-	"os/exec"
+	"os"
-	"strconv"
+	"regexp"
-	"strings"
+	"sync/atomic"
+	"syscall"
+	"unsafe"
 
+	"github.com/gaissmai/bart"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
+	"github.com/slackhq/nebula/routing"
 	"github.com/slackhq/nebula/util"
-	wgtun "golang.zx2c4.com/wireguard/tun"
+	netroute "golang.org/x/net/route"
+	"golang.org/x/sys/unix"
 )
 
-type tun struct{}
+const (
+	SIOCAIFADDR_IN6 = 0x8080691a
+)
 
-func newTunFromFd(_ *config.C, _ *logrus.Logger, _ int, _ []netip.Prefix) (*wgTun, error) {
+type ifreqAlias4 struct {
-	return nil, fmt.Errorf("newTunFromFd not supported on OpenBSD")
+	Name     [unix.IFNAMSIZ]byte
+	Addr     unix.RawSockaddrInet4
+	DstAddr  unix.RawSockaddrInet4
+	MaskAddr unix.RawSockaddrInet4
 }
 
-func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, _ bool) (*wgTun, error) {
+type ifreqAlias6 struct {
-	deviceName := c.GetString("tun.dev", "tun")
+	Name       [unix.IFNAMSIZ]byte
-	mtu := c.GetInt("tun.mtu", DefaultMTU)
+	Addr       unix.RawSockaddrInet6
+	DstAddr    unix.RawSockaddrInet6
+	PrefixMask unix.RawSockaddrInet6
+	Flags      uint32
+	Lifetime   [2]uint32
+}
 
-	// Create WireGuard TUN device
+type ifreq struct {
-	tunDevice, err := wgtun.CreateTUN(deviceName, mtu)
+	Name [unix.IFNAMSIZ]byte
-	if err != nil {
+	data int
-		return nil, fmt.Errorf("failed to create TUN device: %w", err)
+}
+
+type tun struct {
+	Device      string
+	vpnNetworks []netip.Prefix
+	MTU         int
+	Routes      atomic.Pointer[[]Route]
+	routeTree   atomic.Pointer[bart.Table[routing.Gateways]]
+	l           *logrus.Logger
+	f           *os.File
+	fd          int
+	// cache out buffer since we need to prepend 4 bytes for tun metadata
+	out []byte
+}
+
+var deviceNameRE = regexp.MustCompile(`^tun[0-9]+$`)
+
+func newTunFromFd(_ *config.C, _ *logrus.Logger, _ int, _ []netip.Prefix) (*tun, error) {
+	return nil, fmt.Errorf("newTunFromFd not supported in openbsd")
+}
+
+func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, _ bool) (*tun, error) {
+	// Try to open tun device
+	var err error
+	deviceName := c.GetString("tun.dev", "")
+	if deviceName == "" {
+		return nil, fmt.Errorf("a device name in the format of /dev/tunN must be specified")
+	}
+	if !deviceNameRE.MatchString(deviceName) {
+		return nil, fmt.Errorf("a device name in the format of /dev/tunN must be specified")
 	}
 
-	// Get the actual device name
+	fd, err := unix.Open("/dev/"+deviceName, os.O_RDWR, 0)
-	actualName, err := tunDevice.Name()
 	if err != nil {
-		tunDevice.Close()
+		return nil, err
-		return nil, fmt.Errorf("failed to get TUN device name: %w", err)
 	}
 
-	t := &wgTun{
+	err = unix.SetNonblock(fd, true)
-		tunDevice:   tunDevice,
+	if err != nil {
+		l.WithError(err).Warn("Failed to set the tun device as nonblocking")
+	}
+
+	t := &tun{
+		f:           os.NewFile(uintptr(fd), ""),
+		fd:          fd,
+		Device:      deviceName,
 		vpnNetworks: vpnNetworks,
-		MaxMTU:      mtu,
+		MTU:         c.GetInt("tun.mtu", DefaultMTU),
-		DefaultMTU:  mtu,
 		l:           l,
 	}
 
-	// Create OpenBSD-specific route manager
-	t.routeManager = &tun{}
-
 	err = t.reload(c, true)
 	if err != nil {
-		tunDevice.Close()
 		return nil, err
 	}
 
@@ -64,86 +109,244 @@ func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, _ bool) (
 		}
 	})
 
-	l.WithField("name", actualName).Info("Created WireGuard TUN device")
-
 	return t, nil
 }
 
-func (rm *tun) Activate(t *wgTun) error {
+func (t *tun) Close() error {
-	name, err := t.tunDevice.Name()
+	if t.f != nil {
+		if err := t.f.Close(); err != nil {
+			return fmt.Errorf("error closing tun file: %w", err)
+		}
+
+		// t.f.Close should have handled it for us but let's be extra sure
+		_ = unix.Close(t.fd)
+	}
+	return nil
+}
+
+func (t *tun) Read(to []byte) (int, error) {
+	buf := make([]byte, len(to)+4)
+
+	n, err := t.f.Read(buf)
+
+	copy(to, buf[4:])
+	return n - 4, err
+}
+
+// Write is only valid for single threaded use
+func (t *tun) Write(from []byte) (int, error) {
+	buf := t.out
+	if cap(buf) < len(from)+4 {
+		buf = make([]byte, len(from)+4)
+		t.out = buf
+	}
+	buf = buf[:len(from)+4]
+
+	if len(from) == 0 {
+		return 0, syscall.EIO
+	}
+
+	// Determine the IP Family for the NULL L2 Header
+	ipVer := from[0] >> 4
+	if ipVer == 4 {
+		buf[3] = syscall.AF_INET
+	} else if ipVer == 6 {
+		buf[3] = syscall.AF_INET6
+	} else {
+		return 0, fmt.Errorf("unable to determine IP version from packet")
+	}
+
+	copy(buf[4:], from)
+
+	n, err := t.f.Write(buf)
+	return n - 4, err
+}
+
+func (t *tun) addIp(cidr netip.Prefix) error {
+	if cidr.Addr().Is4() {
+		var req ifreqAlias4
+		req.Name = t.deviceBytes()
+		req.Addr = unix.RawSockaddrInet4{
+			Len:    unix.SizeofSockaddrInet4,
+			Family: unix.AF_INET,
+			Addr:   cidr.Addr().As4(),
+		}
+		req.DstAddr = unix.RawSockaddrInet4{
+			Len:    unix.SizeofSockaddrInet4,
+			Family: unix.AF_INET,
+			Addr:   cidr.Addr().As4(),
+		}
+		req.MaskAddr = unix.RawSockaddrInet4{
+			Len:    unix.SizeofSockaddrInet4,
+			Family: unix.AF_INET,
+			Addr:   prefixToMask(cidr).As4(),
+		}
+
+		s, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, unix.IPPROTO_IP)
 		if err != nil {
-		return fmt.Errorf("failed to get device name: %w", err)
+			return err
+		}
+		defer syscall.Close(s)
+
+		if err := ioctl(uintptr(s), unix.SIOCAIFADDR, uintptr(unsafe.Pointer(&req))); err != nil {
+			return fmt.Errorf("failed to set tun address %s: %s", cidr.Addr(), err)
 		}
 
-	// Set the MTU
+		err = addRoute(cidr, t.vpnNetworks)
-	rm.SetMTU(t, t.MaxMTU)
+		if err != nil {
+			return fmt.Errorf("failed to set route for vpn network %v: %w", cidr, err)
+		}
 
-	// Add IP addresses
+		return nil
-	for _, network := range t.vpnNetworks {
+	}
-		if err := rm.addIP(t, name, network); err != nil {
+
+	if cidr.Addr().Is6() {
+		var req ifreqAlias6
+		req.Name = t.deviceBytes()
+		req.Addr = unix.RawSockaddrInet6{
+			Len:    unix.SizeofSockaddrInet6,
+			Family: unix.AF_INET6,
+			Addr:   cidr.Addr().As16(),
+		}
+		req.PrefixMask = unix.RawSockaddrInet6{
+			Len:    unix.SizeofSockaddrInet6,
+			Family: unix.AF_INET6,
+			Addr:   prefixToMask(cidr).As16(),
+		}
+		req.Lifetime[0] = 0xffffffff
+		req.Lifetime[1] = 0xffffffff
+
+		s, err := unix.Socket(unix.AF_INET6, unix.SOCK_DGRAM, unix.IPPROTO_IP)
+		if err != nil {
+			return err
+		}
+		defer syscall.Close(s)
+
+		if err := ioctl(uintptr(s), SIOCAIFADDR_IN6, uintptr(unsafe.Pointer(&req))); err != nil {
+			return fmt.Errorf("failed to set tun address %s: %s", cidr.Addr().String(), err)
+		}
+
+		return nil
+	}
+
+	return fmt.Errorf("unknown address type %v", cidr)
+}
+
+func (t *tun) Activate() error {
+	err := t.doIoctlByName(unix.SIOCSIFMTU, uint32(t.MTU))
+	if err != nil {
+		return fmt.Errorf("failed to set tun mtu: %w", err)
+	}
+
+	for i := range t.vpnNetworks {
+		err = t.addIp(t.vpnNetworks[i])
+		if err != nil {
 			return err
 		}
 	}
 
-	// Bring up the interface
+	return t.addRoutes(false)
-	if err := runCommandBSD("ifconfig", name, "up"); err != nil {
+}
-		return fmt.Errorf("failed to bring up interface: %w", err)
+
+func (t *tun) doIoctlByName(ctl uintptr, value uint32) error {
+	s, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, unix.IPPROTO_IP)
+	if err != nil {
+		return err
+	}
+	defer syscall.Close(s)
+
+	ir := ifreq{Name: t.deviceBytes(), data: int(value)}
+	err = ioctl(uintptr(s), ctl, uintptr(unsafe.Pointer(&ir)))
+	return err
+}
+
+func (t *tun) reload(c *config.C, initial bool) error {
+	change, routes, err := getAllRoutesFromConfig(c, t.vpnNetworks, initial)
+	if err != nil {
+		return err
 	}
 
-	// Set the routes
+	if !initial && !change {
-	if err := rm.AddRoutes(t, false); err != nil {
+		return nil
+	}
+
+	routeTree, err := makeRouteTree(t.l, routes, false)
+	if err != nil {
 		return err
 	}
 
+	// Teach nebula how to handle the routes before establishing them in the system table
+	oldRoutes := t.Routes.Swap(&routes)
+	t.routeTree.Store(routeTree)
+
+	if !initial {
+		// Remove first, if the system removes a wanted route hopefully it will be re-added next
+		err := t.removeRoutes(findRemovedRoutes(routes, *oldRoutes))
+		if err != nil {
+			util.LogWithContextIfNeeded("Failed to remove routes", err, t.l)
+		}
+
+		// Ensure any routes we actually want are installed
+		err = t.addRoutes(true)
+		if err != nil {
+			// Catch any stray logs
+			util.LogWithContextIfNeeded("Failed to add routes", err, t.l)
+		}
+	}
+
 	return nil
 }
 
-func (rm *tun) SetMTU(t *wgTun, mtu int) {
+func (t *tun) RoutesFor(ip netip.Addr) routing.Gateways {
-	name, err := t.tunDevice.Name()
+	r, _ := t.routeTree.Load().Lookup(ip)
-	if err != nil {
+	return r
-		t.l.WithError(err).Error("Failed to get device name for MTU set")
-		return
-	}
-
-	if err := runCommandBSD("ifconfig", name, "mtu", strconv.Itoa(mtu)); err != nil {
-		t.l.WithError(err).Error("Failed to set tun mtu")
-	}
 }
 
-func (rm *tun) SetDefaultRoute(t *wgTun, cidr netip.Prefix) error {
+func (t *tun) Networks() []netip.Prefix {
-	// On OpenBSD, routes are set via ifconfig and route commands
+	return t.vpnNetworks
-	return nil
 }
 
-func (rm *tun) AddRoutes(t *wgTun, logErrors bool) error {
+func (t *tun) Name() string {
-	name, err := t.tunDevice.Name()
+	return t.Device
-	if err != nil {
+}
-		return fmt.Errorf("failed to get device name: %w", err)
-	}
 
+func (t *tun) NewMultiQueueReader() (BatchReadWriter, error) {
+	return nil, fmt.Errorf("TODO: multiqueue not implemented for openbsd")
+}
+
+func (t *tun) BatchRead(bufs [][]byte, sizes []int) (int, error) {
+	n, err := t.Read(bufs[0])
+	if err != nil {
+		return 0, err
+	}
+	sizes[0] = n
+	return 1, nil
+}
+
+func (t *tun) WriteBatch(bufs [][]byte, offset int) (int, error) {
+	for i, buf := range bufs {
+		_, err := t.Write(buf[offset:])
+		if err != nil {
+			return i, err
+		}
+	}
+	return len(bufs), nil
+}
+
+func (t *tun) BatchSize() int {
+	return 1
+}
+
+func (t *tun) addRoutes(logErrors bool) error {
 	routes := *t.Routes.Load()
+
 	for _, r := range routes {
-		if !r.Install {
+		if len(r.Via) == 0 || !r.Install {
+			// We don't allow route MTUs so only install routes with a via
 			continue
 		}
 
-		// Add route using route command
+		err := addRoute(r.Cidr, t.vpnNetworks)
-		args := []string{"add"}
-
-		if r.Cidr.Addr().Is6() {
-			args = append(args, "-inet6")
-		} else {
-			args = append(args, "-inet")
-		}
-
-		args = append(args, r.Cidr.String(), "-interface", name)
-
-		if r.Metric > 0 {
-			// OpenBSD doesn't support route metrics directly like Linux
-			t.l.WithField("route", r).Warn("Route metrics are not fully supported on OpenBSD")
-		}
-
-		err := runCommandBSD("route", args...)
 		if err != nil {
 			retErr := util.NewContextualError("Failed to add route", map[string]any{"route": r}, err)
 			if logErrors {
@@ -159,71 +362,131 @@ func (rm *tun) AddRoutes(t *wgTun, logErrors bool) error {
 	return nil
 }
 
-func (rm *tun) RemoveRoutes(t *wgTun, routes []Route) {
+func (t *tun) removeRoutes(routes []Route) error {
-	name, err := t.tunDevice.Name()
-	if err != nil {
-		t.l.WithError(err).Error("Failed to get device name for route removal")
-		return
-	}
-
 	for _, r := range routes {
 		if !r.Install {
 			continue
 		}
 
-		args := []string{"delete"}
+		err := delRoute(r.Cidr, t.vpnNetworks)
-
-		if r.Cidr.Addr().Is6() {
-			args = append(args, "-inet6")
-		} else {
-			args = append(args, "-inet")
-		}
-
-		args = append(args, r.Cidr.String(), "-interface", name)
-
-		err := runCommandBSD("route", args...)
 		if err != nil {
 			t.l.WithError(err).WithField("route", r).Error("Failed to remove route")
 		} else {
 			t.l.WithField("route", r).Info("Removed route")
 		}
 	}
+	return nil
 }
 
-func (rm *tun) NewMultiQueueReader(t *wgTun) (io.ReadWriteCloser, error) {
+func (t *tun) deviceBytes() (o [16]byte) {
-	// OpenBSD doesn't support multi-queue TUN devices in the same way as Linux
+	for i, c := range t.Device {
-	// Return a reader that wraps the same device
+		o[i] = byte(c)
-	return &wgTunReader{
+	}
-		parent:    t,
+	return
-		tunDevice: t.tunDevice,
-		offset:    0,
-		l:         t.l,
-	}, nil
 }
 
-func (rm *tun) addIP(t *wgTun, name string, network netip.Prefix) error {
+func addRoute(prefix netip.Prefix, gateways []netip.Prefix) error {
-	addr := network.Addr()
+	sock, err := unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, unix.AF_UNSPEC)
+	if err != nil {
+		return fmt.Errorf("unable to create AF_ROUTE socket: %v", err)
+	}
+	defer unix.Close(sock)
 
-	if addr.Is4() {
+	route := &netroute.RouteMessage{
-		// For IPv4: ifconfig tun0 10.0.0.1/24
+		Version: unix.RTM_VERSION,
-		if err := runCommandBSD("ifconfig", name, network.String()); err != nil {
+		Type:    unix.RTM_ADD,
-			return fmt.Errorf("failed to add IPv4 address: %w", err)
+		Flags:   unix.RTF_UP | unix.RTF_GATEWAY,
+		Seq:     1,
+	}
+
+	if prefix.Addr().Is4() {
+		gw, err := selectGateway(prefix, gateways)
+		if err != nil {
+			return err
+		}
+		route.Addrs = []netroute.Addr{
+			unix.RTAX_DST:     &netroute.Inet4Addr{IP: prefix.Masked().Addr().As4()},
+			unix.RTAX_NETMASK: &netroute.Inet4Addr{IP: prefixToMask(prefix).As4()},
+			unix.RTAX_GATEWAY: &netroute.Inet4Addr{IP: gw.Addr().As4()},
 		}
 	} else {
-		// For IPv6: ifconfig tun0 inet6 add 2001:db8::1/64
+		gw, err := selectGateway(prefix, gateways)
-		if err := runCommandBSD("ifconfig", name, "inet6", "add", network.String()); err != nil {
-			return fmt.Errorf("failed to add IPv6 address: %w", err)
-		}
-	}
-
-	return nil
-}
-
-func runCommandBSD(name string, args ...string) error {
-	cmd := exec.Command(name, args...)
-	output, err := cmd.CombinedOutput()
 		if err != nil {
-		return fmt.Errorf("%s %s failed: %w\nOutput: %s", name, strings.Join(args, " "), err, string(output))
+			return err
 		}
+		route.Addrs = []netroute.Addr{
+			unix.RTAX_DST:     &netroute.Inet6Addr{IP: prefix.Masked().Addr().As16()},
+			unix.RTAX_NETMASK: &netroute.Inet6Addr{IP: prefixToMask(prefix).As16()},
+			unix.RTAX_GATEWAY: &netroute.Inet6Addr{IP: gw.Addr().As16()},
+		}
+	}
+
+	data, err := route.Marshal()
+	if err != nil {
+		return fmt.Errorf("failed to create route.RouteMessage: %w", err)
+	}
+
+	_, err = unix.Write(sock, data[:])
+	if err != nil {
+		if errors.Is(err, unix.EEXIST) {
+			// Try to do a change
+			route.Type = unix.RTM_CHANGE
+			data, err = route.Marshal()
+			if err != nil {
+				return fmt.Errorf("failed to create route.RouteMessage for change: %w", err)
+			}
+			_, err = unix.Write(sock, data[:])
+			return err
+		}
+		return fmt.Errorf("failed to write route.RouteMessage to socket: %w", err)
+	}
+
+	return nil
+}
+
+func delRoute(prefix netip.Prefix, gateways []netip.Prefix) error {
+	sock, err := unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, unix.AF_UNSPEC)
+	if err != nil {
+		return fmt.Errorf("unable to create AF_ROUTE socket: %v", err)
+	}
+	defer unix.Close(sock)
+
+	route := netroute.RouteMessage{
+		Version: unix.RTM_VERSION,
+		Type:    unix.RTM_DELETE,
+		Seq:     1,
+	}
+
+	if prefix.Addr().Is4() {
+		gw, err := selectGateway(prefix, gateways)
+		if err != nil {
+			return err
+		}
+		route.Addrs = []netroute.Addr{
+			unix.RTAX_DST:     &netroute.Inet4Addr{IP: prefix.Masked().Addr().As4()},
+			unix.RTAX_NETMASK: &netroute.Inet4Addr{IP: prefixToMask(prefix).As4()},
+			unix.RTAX_GATEWAY: &netroute.Inet4Addr{IP: gw.Addr().As4()},
+		}
+	} else {
+		gw, err := selectGateway(prefix, gateways)
+		if err != nil {
+			return err
+		}
+		route.Addrs = []netroute.Addr{
+			unix.RTAX_DST:     &netroute.Inet6Addr{IP: prefix.Masked().Addr().As16()},
+			unix.RTAX_NETMASK: &netroute.Inet6Addr{IP: prefixToMask(prefix).As16()},
+			unix.RTAX_GATEWAY: &netroute.Inet6Addr{IP: gw.Addr().As16()},
+		}
+	}
+
+	data, err := route.Marshal()
+	if err != nil {
+		return fmt.Errorf("failed to create route.RouteMessage: %w", err)
+	}
+	_, err = unix.Write(sock, data[:])
+	if err != nil {
+		return fmt.Errorf("failed to write route.RouteMessage to socket: %w", err)
+	}
+
 	return nil
 }

overlay/tun_tester.go

@@ -132,6 +132,29 @@ func (t *TestTun) Read(b []byte) (int, error) {
 	return len(p), nil
 }
 
-func (t *TestTun) NewMultiQueueReader() (io.ReadWriteCloser, error) {
+func (t *TestTun) NewMultiQueueReader() (BatchReadWriter, error) {
 	return nil, fmt.Errorf("TODO: multiqueue not implemented")
 }
+
+func (t *TestTun) BatchRead(bufs [][]byte, sizes []int) (int, error) {
+	n, err := t.Read(bufs[0])
+	if err != nil {
+		return 0, err
+	}
+	sizes[0] = n
+	return 1, nil
+}
+
+func (t *TestTun) WriteBatch(bufs [][]byte, offset int) (int, error) {
+	for i, buf := range bufs {
+		_, err := t.Write(buf[offset:])
+		if err != nil {
+			return i, err
+		}
+	}
+	return len(bufs), nil
+}
+
+func (t *TestTun) BatchSize() int {
+	return 1
+}

overlay/tun_wg.go

@@ -1,242 +0,0 @@
-//go:build !android && !netbsd && !e2e_testing
-// +build !android,!netbsd,!e2e_testing
-
-package overlay
-
-import (
-	"fmt"
-	"io"
-	"net/netip"
-	"sync/atomic"
-
-	"github.com/gaissmai/bart"
-	"github.com/sirupsen/logrus"
-	"github.com/slackhq/nebula/config"
-	"github.com/slackhq/nebula/routing"
-	"github.com/slackhq/nebula/util"
-	wgtun "golang.zx2c4.com/wireguard/tun"
-)
-
-// wgTun wraps a WireGuard TUN device and implements the overlay.Device interface
-type wgTun struct {
-	tunDevice   wgtun.Device
-	vpnNetworks []netip.Prefix
-	MaxMTU      int
-	DefaultMTU  int
-
-	Routes    atomic.Pointer[[]Route]
-	routeTree atomic.Pointer[bart.Table[routing.Gateways]]
-	routeChan chan struct{}
-
-	// Platform-specific route management
-	routeManager *tun
-
-	l *logrus.Logger
-}
-
-// BatchReader interface for readers that support vectorized I/O
-type BatchReader interface {
-	BatchRead(buffers [][]byte, sizes []int) (int, error)
-}
-
-// BatchWriter interface for writers that support vectorized I/O
-type BatchWriter interface {
-	BatchWrite(packets [][]byte) (int, error)
-}
-
-// wgTunReader wraps a single TUN queue for multi-queue support
-type wgTunReader struct {
-	parent    *wgTun
-	tunDevice wgtun.Device
-	offset    int
-	l         *logrus.Logger
-}
-
-func (t *wgTun) Networks() []netip.Prefix {
-	return t.vpnNetworks
-}
-
-func (t *wgTun) Name() string {
-	name, err := t.tunDevice.Name()
-	if err != nil {
-		t.l.WithError(err).Error("Failed to get TUN device name")
-		return "unknown"
-	}
-	return name
-}
-
-func (t *wgTun) RoutesFor(ip netip.Addr) routing.Gateways {
-	r, _ := t.routeTree.Load().Lookup(ip)
-	return r
-}
-
-func (t *wgTun) Activate() error {
-	if t.routeManager == nil {
-		return fmt.Errorf("route manager not initialized")
-	}
-	return t.routeManager.Activate(t)
-}
-
-// Read implements single-packet read for backward compatibility
-func (t *wgTun) Read(b []byte) (int, error) {
-	bufs := [][]byte{b}
-	sizes := []int{0}
-	n, err := t.tunDevice.Read(bufs, sizes, 0)
-	if err != nil {
-		return 0, err
-	}
-	if n == 0 {
-		return 0, io.ErrNoProgress
-	}
-	return sizes[0], nil
-}
-
-// Write implements single-packet write for backward compatibility
-func (t *wgTun) Write(b []byte) (int, error) {
-	bufs := [][]byte{b}
-	offset := 0
-
-	// WireGuard TUN expects the packet data to start at offset 0
-	n, err := t.tunDevice.Write(bufs, offset)
-	if err != nil {
-		return 0, err
-	}
-	if n == 0 {
-		return 0, io.ErrShortWrite
-	}
-	return len(b), nil
-}
-
-func (t *wgTun) Close() error {
-	if t.routeChan != nil {
-		close(t.routeChan)
-	}
-
-	if t.tunDevice != nil {
-		return t.tunDevice.Close()
-	}
-
-	return nil
-}
-
-func (t *wgTun) NewMultiQueueReader() (io.ReadWriteCloser, error) {
-	// For WireGuard TUN, we need to create separate TUN device instances for multi-queue
-	// The platform-specific implementation will handle this
-	if t.routeManager == nil {
-		return nil, fmt.Errorf("route manager not initialized for multi-queue reader")
-	}
-
-	return t.routeManager.NewMultiQueueReader(t)
-}
-
-func (t *wgTun) reload(c *config.C, initial bool) error {
-	routeChange, routes, err := getAllRoutesFromConfig(c, t.vpnNetworks, initial)
-	if err != nil {
-		return err
-	}
-
-	if !initial && !routeChange && !c.HasChanged("tun.mtu") {
-		return nil
-	}
-
-	routeTree, err := makeRouteTree(t.l, routes, true)
-	if err != nil {
-		return err
-	}
-
-	oldDefaultMTU := t.DefaultMTU
-	oldMaxMTU := t.MaxMTU
-	newDefaultMTU := c.GetInt("tun.mtu", DefaultMTU)
-	newMaxMTU := newDefaultMTU
-	for i, r := range routes {
-		if r.MTU == 0 {
-			routes[i].MTU = newDefaultMTU
-		}
-
-		if r.MTU > t.MaxMTU {
-			newMaxMTU = r.MTU
-		}
-	}
-
-	t.MaxMTU = newMaxMTU
-	t.DefaultMTU = newDefaultMTU
-
-	// Teach nebula how to handle the routes before establishing them in the system table
-	oldRoutes := t.Routes.Swap(&routes)
-	t.routeTree.Store(routeTree)
-
-	if !initial && t.routeManager != nil {
-		if oldMaxMTU != newMaxMTU {
-			t.routeManager.SetMTU(t, t.MaxMTU)
-			t.l.Infof("Set max MTU to %v was %v", t.MaxMTU, oldMaxMTU)
-		}
-
-		if oldDefaultMTU != newDefaultMTU {
-			for i := range t.vpnNetworks {
-				err := t.routeManager.SetDefaultRoute(t, t.vpnNetworks[i])
-				if err != nil {
-					t.l.Warn(err)
-				} else {
-					t.l.Infof("Set default MTU to %v was %v", t.DefaultMTU, oldDefaultMTU)
-				}
-			}
-		}
-
-		// Remove first, if the system removes a wanted route hopefully it will be re-added next
-		t.routeManager.RemoveRoutes(t, findRemovedRoutes(routes, *oldRoutes))
-
-		// Ensure any routes we actually want are installed
-		err = t.routeManager.AddRoutes(t, true)
-		if err != nil {
-			// This should never be called since AddRoutes should log its own errors in a reload condition
-			util.LogWithContextIfNeeded("Failed to refresh routes", err, t.l)
-		}
-	}
-
-	return nil
-}
-
-// BatchRead reads multiple packets from the TUN device using vectorized I/O
-// The caller provides buffers and sizes slices, and this function returns the number of packets read.
-func (r *wgTunReader) BatchRead(buffers [][]byte, sizes []int) (int, error) {
-	return r.tunDevice.Read(buffers, sizes, r.offset)
-}
-
-// Read implements io.Reader for wgTunReader (single packet for compatibility)
-func (r *wgTunReader) Read(b []byte) (int, error) {
-	bufs := [][]byte{b}
-	sizes := []int{0}
-	n, err := r.tunDevice.Read(bufs, sizes, r.offset)
-	if err != nil {
-		return 0, err
-	}
-	if n == 0 {
-		return 0, io.ErrNoProgress
-	}
-	return sizes[0], nil
-}
-
-// Write implements io.Writer for wgTunReader
-func (r *wgTunReader) Write(b []byte) (int, error) {
-	bufs := [][]byte{b}
-	n, err := r.tunDevice.Write(bufs, r.offset)
-	if err != nil {
-		return 0, err
-	}
-	if n == 0 {
-		return 0, io.ErrShortWrite
-	}
-	return len(b), nil
-}
-
-// BatchWrite writes multiple packets to the TUN device using vectorized I/O
-func (r *wgTunReader) BatchWrite(packets [][]byte) (int, error) {
-	return r.tunDevice.Write(packets, r.offset)
-}
-
-func (r *wgTunReader) Close() error {
-	if r.tunDevice != nil {
-		return r.tunDevice.Close()
-	}
-	return nil
-}

overlay/tun_windows.go

@@ -1,77 +1,83 @@
-//go:build windows && !e2e_testing
+//go:build !e2e_testing
-// +build windows,!e2e_testing
+// +build !e2e_testing
 
 package overlay
 
 import (
 	"crypto"
-	"encoding/binary"
 	"fmt"
-	"io"
 	"net/netip"
+	"os"
+	"path/filepath"
+	"runtime"
+	"sync/atomic"
+	"syscall"
+	"unsafe"
 
+	"github.com/gaissmai/bart"
 	"github.com/sirupsen/logrus"
 	"github.com/slackhq/nebula/config"
+	"github.com/slackhq/nebula/routing"
 	"github.com/slackhq/nebula/util"
+	"github.com/slackhq/nebula/wintun"
 	"golang.org/x/sys/windows"
-	wgtun "golang.zx2c4.com/wireguard/tun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )
 
 const tunGUIDLabel = "Fixed Nebula Windows GUID v1"
 
-type tun struct {
+type winTun struct {
-	luid winipcfg.LUID
+	Device      string
+	vpnNetworks []netip.Prefix
+	MTU         int
+	Routes      atomic.Pointer[[]Route]
+	routeTree   atomic.Pointer[bart.Table[routing.Gateways]]
+	l           *logrus.Logger
+
+	tun *wintun.NativeTun
 }
 
-func newTunFromFd(_ *config.C, _ *logrus.Logger, _ int, _ []netip.Prefix) (*wgTun, error) {
+func newTunFromFd(_ *config.C, _ *logrus.Logger, _ int, _ []netip.Prefix) (Device, error) {
 	return nil, fmt.Errorf("newTunFromFd not supported in Windows")
 }
 
-func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, _ bool) (*wgTun, error) {
+func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, _ bool) (*winTun, error) {
-	deviceName := c.GetString("tun.dev", "Nebula")
+	err := checkWinTunExists()
-	mtu := c.GetInt("tun.mtu", DefaultMTU)
-
-	// Create WireGuard TUN device
-	tunDevice, err := wgtun.CreateTUN(deviceName, mtu)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create TUN device: %w", err)
+		return nil, fmt.Errorf("can not load the wintun driver: %w", err)
 	}
 
-	// Get the actual device name
+	deviceName := c.GetString("tun.dev", "")
-	actualName, err := tunDevice.Name()
+	guid, err := generateGUIDByDeviceName(deviceName)
 	if err != nil {
-		tunDevice.Close()
+		return nil, fmt.Errorf("generate GUID failed: %w", err)
-		return nil, fmt.Errorf("failed to get TUN device name: %w", err)
 	}
 
-	t := &wgTun{
+	t := &winTun{
-		tunDevice:   tunDevice,
+		Device:      deviceName,
 		vpnNetworks: vpnNetworks,
-		MaxMTU:      mtu,
+		MTU:         c.GetInt("tun.mtu", DefaultMTU),
-		DefaultMTU:  mtu,
 		l:           l,
 	}
 
-	// Create Windows-specific route manager
-	rm := &tun{}
-
-	// Get LUID from the TUN device
-	// The WireGuard TUN device on Windows should provide a LUID() method
-	if nativeTun, ok := tunDevice.(interface{ LUID() uint64 }); ok {
-		rm.luid = winipcfg.LUID(nativeTun.LUID())
-	} else {
-		tunDevice.Close()
-		return nil, fmt.Errorf("failed to get LUID from TUN device")
-	}
-	t.routeManager = rm
-
 	err = t.reload(c, true)
 	if err != nil {
-		tunDevice.Close()
 		return nil, err
 	}
 
+	var tunDevice wintun.Device
+	tunDevice, err = wintun.CreateTUNWithRequestedGUID(deviceName, guid, t.MTU)
+	if err != nil {
+		// Windows 10 has an issue with unclean shutdowns not fully cleaning up the wintun device.
+		// Trying a second time resolves the issue.
+		l.WithError(err).Debug("Failed to create wintun device, retrying")
+		tunDevice, err = wintun.CreateTUNWithRequestedGUID(deviceName, guid, t.MTU)
+		if err != nil {
+			return nil, fmt.Errorf("create TUN device failed: %w", err)
+		}
+	}
+	t.tun = tunDevice.(*wintun.NativeTun)
+
 	c.RegisterReloadCallback(func(c *config.C) {
 		err := t.reload(c, false)
 		if err != nil {
@@ -79,140 +85,232 @@ func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, _ bool) (
 		}
 	})
 
-	l.WithField("name", actualName).Info("Created WireGuard TUN device")
-
 	return t, nil
 }
 
-func (rm *tun) Activate(t *wgTun) error {
+func (t *winTun) reload(c *config.C, initial bool) error {
-	// Set MTU
+	change, routes, err := getAllRoutesFromConfig(c, t.vpnNetworks, initial)
-	err := rm.setMTU(t, t.MaxMTU)
 	if err != nil {
-		return fmt.Errorf("failed to set MTU: %w", err)
-	}
-
-	// Add IP addresses
-	for _, network := range t.vpnNetworks {
-		if err := rm.addIP(t, network); err != nil {
 		return err
 	}
+
+	if !initial && !change {
+		return nil
 	}
 
-	// Add routes
+	routeTree, err := makeRouteTree(t.l, routes, false)
-	if err := rm.AddRoutes(t, false); err != nil {
+	if err != nil {
+		return err
+	}
+
+	// Teach nebula how to handle the routes before establishing them in the system table
+	oldRoutes := t.Routes.Swap(&routes)
+	t.routeTree.Store(routeTree)
+
+	if !initial {
+		// Remove first, if the system removes a wanted route hopefully it will be re-added next
+		err := t.removeRoutes(findRemovedRoutes(routes, *oldRoutes))
+		if err != nil {
+			util.LogWithContextIfNeeded("Failed to remove routes", err, t.l)
+		}
+
+		// Ensure any routes we actually want are installed
+		err = t.addRoutes(true)
+		if err != nil {
+			// Catch any stray logs
+			util.LogWithContextIfNeeded("Failed to add routes", err, t.l)
+		}
+	}
+
+	return nil
+}
+
+func (t *winTun) Activate() error {
+	luid := winipcfg.LUID(t.tun.LUID())
+
+	err := luid.SetIPAddresses(t.vpnNetworks)
+	if err != nil {
+		return fmt.Errorf("failed to set address: %w", err)
+	}
+
+	err = t.addRoutes(false)
+	if err != nil {
 		return err
 	}
 
 	return nil
 }
 
-func (rm *tun) SetMTU(t *wgTun, mtu int) {
+func (t *winTun) addRoutes(logErrors bool) error {
-	if err := rm.setMTU(t, mtu); err != nil {
+	luid := winipcfg.LUID(t.tun.LUID())
-		t.l.WithError(err).Error("Failed to set MTU")
-	}
-}
-
-func (rm *tun) setMTU(t *wgTun, mtu int) error {
-	// Set MTU using winipcfg
-	// Note: MTU setting on Windows TUN devices may be handled by the driver
-	// For now, we'll skip explicit MTU setting as the WireGuard TUN handles it
-	return nil
-}
-
-func (rm *tun) SetDefaultRoute(t *wgTun, cidr netip.Prefix) error {
-	// On Windows, routes are managed differently
-	return nil
-}
-
-func (rm *tun) AddRoutes(t *wgTun, logErrors bool) error {
 	routes := *t.Routes.Load()
+	foundDefault4 := false
+
 	for _, r := range routes {
-		if !r.Install {
+		if len(r.Via) == 0 || !r.Install {
+			// We don't allow route MTUs so only install routes with a via
 			continue
 		}
 
-		if r.MTU > 0 {
+		// Add our unsafe route
-			// Windows route MTU is not directly supported
+		// Windows does not support multipath routes natively, so we install only a single route.
-			t.l.WithField("route", r).Debug("Route MTU is not supported on Windows")
+		// This is not a problem as traffic will always be sent to Nebula which handles the multipath routing internally.
-		}
+		// In effect this provides multipath routing support to windows supporting loadbalancing and redundancy.
-
+		err := luid.AddRoute(r.Cidr, r.Via[0].Addr(), uint32(r.Metric))
-		// Use winipcfg to add the route
-		// The rm.luid should have the AddRoute method from winipcfg
-		if len(r.Via) == 0 {
-			t.l.WithField("route", r).Warn("Route has no via address, skipping")
-			continue
-		}
-
-		err := rm.luid.AddRoute(r.Cidr, r.Via[0].Addr(), uint32(r.Metric))
 		if err != nil {
 			retErr := util.NewContextualError("Failed to add route", map[string]any{"route": r}, err)
 			if logErrors {
 				retErr.Log(t.l)
+				continue
 			} else {
 				return retErr
 			}
 		} else {
 			t.l.WithField("route", r).Info("Added route")
 		}
+
+		if !foundDefault4 {
+			if r.Cidr.Bits() == 0 && r.Cidr.Addr().BitLen() == 32 {
+				foundDefault4 = true
+			}
+		}
 	}
 
+	ipif, err := luid.IPInterface(windows.AF_INET)
+	if err != nil {
+		return fmt.Errorf("failed to get ip interface: %w", err)
+	}
+
+	ipif.NLMTU = uint32(t.MTU)
+	if foundDefault4 {
+		ipif.UseAutomaticMetric = false
+		ipif.Metric = 0
+	}
+
+	if err := ipif.Set(); err != nil {
+		return fmt.Errorf("failed to set ip interface: %w", err)
+	}
 	return nil
 }
 
-func (rm *tun) RemoveRoutes(t *wgTun, routes []Route) {
+func (t *winTun) removeRoutes(routes []Route) error {
+	luid := winipcfg.LUID(t.tun.LUID())
+
 	for _, r := range routes {
 		if !r.Install {
 			continue
 		}
 
-		if len(r.Via) == 0 {
+		// See comment on luid.AddRoute
-			continue
+		err := luid.DeleteRoute(r.Cidr, r.Via[0].Addr())
-		}
-
-		err := rm.luid.DeleteRoute(r.Cidr, r.Via[0].Addr())
 		if err != nil {
 			t.l.WithError(err).WithField("route", r).Error("Failed to remove route")
 		} else {
 			t.l.WithField("route", r).Info("Removed route")
 		}
 	}
-}
-
-func (rm *tun) NewMultiQueueReader(t *wgTun) (io.ReadWriteCloser, error) {
-	// Windows doesn't support multi-queue TUN devices
-	// Return a reader that wraps the same device
-	return &wgTunReader{
-		parent:    t,
-		tunDevice: t.tunDevice,
-		offset:    0,
-		l:         t.l,
-	}, nil
-}
-
-func (rm *tun) addIP(t *wgTun, network netip.Prefix) error {
-	// Add IP address using winipcfg
-	// SetIPAddresses expects a slice of prefixes
-	err := rm.luid.SetIPAddresses([]netip.Prefix{network})
-	if err != nil {
-		return fmt.Errorf("failed to add IP address %s: %w", network, err)
-	}
 	return nil
 }
 
-// generateGUIDByDeviceName generates a GUID based on the device name
+func (t *winTun) RoutesFor(ip netip.Addr) routing.Gateways {
-func generateGUIDByDeviceName(deviceName string) (*windows.GUID, error) {
+	r, _ := t.routeTree.Load().Lookup(ip)
-	// Hash the device name to create a deterministic GUID
+	return r
-	h := crypto.SHA256.New()
+}
-	h.Write([]byte(tunGUIDLabel))
+
-	h.Write([]byte(deviceName))
+func (t *winTun) Networks() []netip.Prefix {
-	sum := h.Sum(nil)
+	return t.vpnNetworks
-
+}
-	guid := &windows.GUID{
+
-		Data1: binary.LittleEndian.Uint32(sum[0:4]),
+func (t *winTun) Name() string {
-		Data2: binary.LittleEndian.Uint16(sum[4:6]),
+	return t.Device
-		Data3: binary.LittleEndian.Uint16(sum[6:8]),
+}
-	}
+
-	copy(guid.Data4[:], sum[8:16])
+func (t *winTun) Read(b []byte) (int, error) {
-
+	return t.tun.Read(b, 0)
-	return guid, nil
+}
+
+func (t *winTun) Write(b []byte) (int, error) {
+	return t.tun.Write(b, 0)
+}
+
+func (t *winTun) NewMultiQueueReader() (BatchReadWriter, error) {
+	return nil, fmt.Errorf("TODO: multiqueue not implemented for windows")
+}
+
+// BatchRead reads a single packet (batch size 1 for Windows)
+func (t *winTun) BatchRead(bufs [][]byte, sizes []int) (int, error) {
+	n, err := t.Read(bufs[0])
+	if err != nil {
+		return 0, err
+	}
+	sizes[0] = n
+	return 1, nil
+}
+
+// WriteBatch writes packets individually (no batching for Windows)
+func (t *winTun) WriteBatch(bufs [][]byte, offset int) (int, error) {
+	for i, buf := range bufs {
+		_, err := t.Write(buf[offset:])
+		if err != nil {
+			return i, err
+		}
+	}
+	return len(bufs), nil
+}
+
+// BatchSize returns 1 for Windows (no batching)
+func (t *winTun) BatchSize() int {
+	return 1
+}
+
+func (t *winTun) Close() error {
+	// It seems that the Windows networking stack doesn't like it when we destroy interfaces that have active routes,
+	// so to be certain, just remove everything before destroying.
+	luid := winipcfg.LUID(t.tun.LUID())
+	_ = luid.FlushRoutes(windows.AF_INET)
+	_ = luid.FlushIPAddresses(windows.AF_INET)
+
+	_ = luid.FlushRoutes(windows.AF_INET6)
+	_ = luid.FlushIPAddresses(windows.AF_INET6)
+
+	_ = luid.FlushDNS(windows.AF_INET)
+	_ = luid.FlushDNS(windows.AF_INET6)
+
+	return t.tun.Close()
+}
+
+func generateGUIDByDeviceName(name string) (*windows.GUID, error) {
+	// GUID is 128 bit
+	hash := crypto.MD5.New()
+
+	_, err := hash.Write([]byte(tunGUIDLabel))
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = hash.Write([]byte(name))
+	if err != nil {
+		return nil, err
+	}
+
+	sum := hash.Sum(nil)
+
+	return (*windows.GUID)(unsafe.Pointer(&sum[0])), nil
+}
+
+func checkWinTunExists() error {
+	myPath, err := os.Executable()
+	if err != nil {
+		return err
+	}
+
+	arch := runtime.GOARCH
+	switch arch {
+	case "386":
+		//NOTE: wintun bundles 386 as x86
+		arch = "x86"
+	}
+
+	_, err = syscall.LoadDLL(filepath.Join(filepath.Dir(myPath), "dist", "windows", "wintun", "bin", arch, "wintun.dll"))
+	return err
 }

overlay/user.go

@@ -46,10 +46,36 @@ func (d *UserDevice) RoutesFor(ip netip.Addr) routing.Gateways {
 	return routing.Gateways{routing.NewGateway(ip, 1)}
 }
 
-func (d *UserDevice) NewMultiQueueReader() (io.ReadWriteCloser, error) {
+func (d *UserDevice) NewMultiQueueReader() (BatchReadWriter, error) {
 	return d, nil
 }
 
+// BatchRead reads a single packet (batch size 1 for UserDevice)
+func (d *UserDevice) BatchRead(bufs [][]byte, sizes []int) (int, error) {
+	n, err := d.Read(bufs[0])
+	if err != nil {
+		return 0, err
+	}
+	sizes[0] = n
+	return 1, nil
+}
+
+// WriteBatch writes packets individually (no batching for UserDevice)
+func (d *UserDevice) WriteBatch(bufs [][]byte, offset int) (int, error) {
+	for i, buf := range bufs {
+		_, err := d.Write(buf[offset:])
+		if err != nil {
+			return i, err
+		}
+	}
+	return len(bufs), nil
+}
+
+// BatchSize returns 1 for UserDevice (no batching)
+func (d *UserDevice) BatchSize() int {
+	return 1
+}
+
 func (d *UserDevice) Pipe() (*io.PipeReader, *io.PipeWriter) {
 	return d.inboundReader, d.outboundWriter
 }

pki.go

@@ -100,41 +100,36 @@ func (p *PKI) reloadCerts(c *config.C, initial bool) *util.ContextualError {
 		currentState := p.cs.Load()
 		if newState.v1Cert != nil {
 			if currentState.v1Cert == nil {
-				return util.NewContextualError("v1 certificate was added, restart required", nil, err)
+				//adding certs is fine, actually. Networks-in-common confirmed in newCertState().
-			}
+			} else {
-
 				// did IP in cert change? if so, don't set
 				if !slices.Equal(currentState.v1Cert.Networks(), newState.v1Cert.Networks()) {
 					return util.NewContextualError(
 						"Networks in new cert was different from old",
-					m{"new_networks": newState.v1Cert.Networks(), "old_networks": currentState.v1Cert.Networks()},
+						m{"new_networks": newState.v1Cert.Networks(), "old_networks": currentState.v1Cert.Networks(), "cert_version": cert.Version1},
 						nil,
 					)
 				}
 
 				if currentState.v1Cert.Curve() != newState.v1Cert.Curve() {
 					return util.NewContextualError(
-					"Curve in new cert was different from old",
+						"Curve in new v1 cert was different from old",
-					m{"new_curve": newState.v1Cert.Curve(), "old_curve": currentState.v1Cert.Curve()},
+						m{"new_curve": newState.v1Cert.Curve(), "old_curve": currentState.v1Cert.Curve(), "cert_version": cert.Version1},
 						nil,
 					)
 				}
-
+			}
-		} else if currentState.v1Cert != nil {
-			//TODO: CERT-V2 we should be able to tear this down
-			return util.NewContextualError("v1 certificate was removed, restart required", nil, err)
 		}
 
 		if newState.v2Cert != nil {
 			if currentState.v2Cert == nil {
-				return util.NewContextualError("v2 certificate was added, restart required", nil, err)
+				//adding certs is fine, actually
-			}
+			} else {
-
 				// did IP in cert change? if so, don't set
 				if !slices.Equal(currentState.v2Cert.Networks(), newState.v2Cert.Networks()) {
 					return util.NewContextualError(
 						"Networks in new cert was different from old",
-					m{"new_networks": newState.v2Cert.Networks(), "old_networks": currentState.v2Cert.Networks()},
+						m{"new_networks": newState.v2Cert.Networks(), "old_networks": currentState.v2Cert.Networks(), "cert_version": cert.Version2},
 						nil,
 					)
 				}
@@ -142,13 +137,25 @@ func (p *PKI) reloadCerts(c *config.C, initial bool) *util.ContextualError {
 				if currentState.v2Cert.Curve() != newState.v2Cert.Curve() {
 					return util.NewContextualError(
 						"Curve in new cert was different from old",
-					m{"new_curve": newState.v2Cert.Curve(), "old_curve": currentState.v2Cert.Curve()},
+						m{"new_curve": newState.v2Cert.Curve(), "old_curve": currentState.v2Cert.Curve(), "cert_version": cert.Version2},
 						nil,
 					)
 				}
+			}
 
 		} else if currentState.v2Cert != nil {
-			return util.NewContextualError("v2 certificate was removed, restart required", nil, err)
+			//newState.v1Cert is non-nil bc empty certstates aren't permitted
+			if newState.v1Cert == nil {
+				return util.NewContextualError("v1 and v2 certs are nil, this should be impossible", nil, err)
+			}
+			//if we're going to v1-only, we need to make sure we didn't orphan any v2-cert vpnaddrs
+			if !slices.Equal(currentState.v2Cert.Networks(), newState.v1Cert.Networks()) {
+				return util.NewContextualError(
+					"Removing a V2 cert is not permitted unless it has identical networks to the new V1 cert",
+					m{"new_v1_networks": newState.v1Cert.Networks(), "old_v2_networks": currentState.v2Cert.Networks()},
+					nil,
+				)
+			}
 		}
 
 		// Cipher cant be hot swapped so just leave it at what it was before

stats.go

@@ -6,6 +6,7 @@ import (
 	"log"
 	"net"
 	"net/http"
+	_ "net/http/pprof"
 	"runtime"
 	"strconv"
 	"time"

udp/conn.go

@@ -13,12 +13,21 @@ type EncReader func(
 	payload []byte,
 )
 
+type EncBatchReader func(
+	addrs []netip.AddrPort,
+	payloads [][]byte,
+	count int,
+)
+
 type Conn interface {
 	Rebind() error
 	LocalAddr() (netip.AddrPort, error)
 	ListenOut(r EncReader)
+	ListenOutBatch(r EncBatchReader)
 	WriteTo(b []byte, addr netip.AddrPort) error
+	WriteMulti(packets [][]byte, addrs []netip.AddrPort) (int, error)
 	ReloadConfig(c *config.C)
+	BatchSize() int
 	Close() error
 }
 
@@ -33,12 +42,21 @@ func (NoopConn) LocalAddr() (netip.AddrPort, error) {
 func (NoopConn) ListenOut(_ EncReader) {
 	return
 }
+func (NoopConn) ListenOutBatch(_ EncBatchReader) {
+	return
+}
 func (NoopConn) WriteTo(_ []byte, _ netip.AddrPort) error {
 	return nil
 }
+func (NoopConn) WriteMulti(_ [][]byte, _ []netip.AddrPort) (int, error) {
+	return 0, nil
+}
 func (NoopConn) ReloadConfig(_ *config.C) {
 	return
 }
+func (NoopConn) BatchSize() int {
+	return 1
+}
 func (NoopConn) Close() error {
 	return nil
 }

udp/udp_darwin.go

@@ -140,6 +140,17 @@ func (u *StdConn) WriteTo(b []byte, ap netip.AddrPort) error {
 	}
 }
 
+// WriteMulti sends multiple packets - fallback implementation without sendmmsg
+func (u *StdConn) WriteMulti(packets [][]byte, addrs []netip.AddrPort) (int, error) {
+	for i := range packets {
+		err := u.WriteTo(packets[i], addrs[i])
+		if err != nil {
+			return i, err
+		}
+	}
+	return len(packets), nil
+}
+
 func (u *StdConn) LocalAddr() (netip.AddrPort, error) {
 	a := u.UDPConn.LocalAddr()
 
@@ -184,6 +195,34 @@ func (u *StdConn) ListenOut(r EncReader) {
 	}
 }
 
+// ListenOutBatch - fallback to single-packet reads for Darwin
+func (u *StdConn) ListenOutBatch(r EncBatchReader) {
+	buffer := make([]byte, MTU)
+	addrs := make([]netip.AddrPort, 1)
+	payloads := make([][]byte, 1)
+
+	for {
+		// Just read one packet at a time and call batch callback with count=1
+		n, rua, err := u.ReadFromUDPAddrPort(buffer)
+		if err != nil {
+			if errors.Is(err, net.ErrClosed) {
+				u.l.WithError(err).Debug("udp socket is closed, exiting read loop")
+				return
+			}
+
+			u.l.WithError(err).Error("unexpected udp socket receive error")
+		}
+
+		addrs[0] = netip.AddrPortFrom(rua.Addr().Unmap(), rua.Port())
+		payloads[0] = buffer[:n]
+		r(addrs, payloads, 1)
+	}
+}
+
+func (u *StdConn) BatchSize() int {
+	return 1
+}
+
 func (u *StdConn) Rebind() error {
 	var err error
 	if u.isV4 {

udp/udp_generic.go

@@ -85,3 +85,42 @@ func (u *GenericConn) ListenOut(r EncReader) {
 		r(netip.AddrPortFrom(rua.Addr().Unmap(), rua.Port()), buffer[:n])
 	}
 }
+
+// ListenOutBatch - fallback to single-packet reads for generic platforms
+func (u *GenericConn) ListenOutBatch(r EncBatchReader) {
+	buffer := make([]byte, MTU)
+	addrs := make([]netip.AddrPort, 1)
+	payloads := make([][]byte, 1)
+
+	for {
+		// Just read one packet at a time and call batch callback with count=1
+		n, rua, err := u.ReadFromUDPAddrPort(buffer)
+		if err != nil {
+			u.l.WithError(err).Debug("udp socket is closed, exiting read loop")
+			return
+		}
+
+		addrs[0] = netip.AddrPortFrom(rua.Addr().Unmap(), rua.Port())
+		payloads[0] = buffer[:n]
+		r(addrs, payloads, 1)
+	}
+}
+
+// WriteMulti sends multiple packets - fallback implementation
+func (u *GenericConn) WriteMulti(packets [][]byte, addrs []netip.AddrPort) (int, error) {
+	for i := range packets {
+		err := u.WriteTo(packets[i], addrs[i])
+		if err != nil {
+			return i, err
+		}
+	}
+	return len(packets), nil
+}
+
+func (u *GenericConn) BatchSize() int {
+	return 1
+}
+
+func (u *GenericConn) Rebind() error {
+	return nil
+}

udp/udp_linux.go

@@ -22,6 +22,11 @@ type StdConn struct {
 	isV4  bool
 	l     *logrus.Logger
 	batch int
+
+	// Pre-allocated buffers for batch writes (sized for IPv6, works for both)
+	writeMsgs   []rawMessage
+	writeIovecs []iovec
+	writeNames  [][]byte
 }
 
 func maybeIPV4(ip net.IP) (net.IP, bool) {
@@ -69,7 +74,26 @@ func NewListener(l *logrus.Logger, ip netip.Addr, port int, multi bool, batch in
 		return nil, fmt.Errorf("unable to bind to socket: %s", err)
 	}
 
-	return &StdConn{sysFd: fd, isV4: ip.Is4(), l: l, batch: batch}, err
+	c := &StdConn{sysFd: fd, isV4: ip.Is4(), l: l, batch: batch}
+
+	// Pre-allocate write message structures for batching (sized for IPv6, works for both)
+	c.writeMsgs = make([]rawMessage, batch)
+	c.writeIovecs = make([]iovec, batch)
+	c.writeNames = make([][]byte, batch)
+
+	for i := range c.writeMsgs {
+		// Allocate for IPv6 size (larger than IPv4, works for both)
+		c.writeNames[i] = make([]byte, unix.SizeofSockaddrInet6)
+
+		// Point to the iovec in the slice
+		c.writeMsgs[i].Hdr.Iov = &c.writeIovecs[i]
+		c.writeMsgs[i].Hdr.Iovlen = 1
+
+		c.writeMsgs[i].Hdr.Name = &c.writeNames[i][0]
+		// Namelen will be set appropriately in writeMulti4/writeMulti6
+	}
+
+	return c, err
 }
 
 func (u *StdConn) Rebind() error {
@@ -127,6 +151,8 @@ func (u *StdConn) ListenOut(r EncReader) {
 		read = u.ReadSingle
 	}
 
+	udpBatchHist := metrics.GetOrRegisterHistogram("batch.udp_read_size", nil, metrics.NewUniformSample(1024))
+
 	for {
 		n, err := read(msgs)
 		if err != nil {
@@ -134,6 +160,8 @@ func (u *StdConn) ListenOut(r EncReader) {
 			return
 		}
 
+		udpBatchHist.Update(int64(n))
+
 		for i := 0; i < n; i++ {
 			// Its ok to skip the ok check here, the slicing is the only error that can occur and it will panic
 			if u.isV4 {
@@ -146,6 +174,46 @@ func (u *StdConn) ListenOut(r EncReader) {
 	}
 }
 
+func (u *StdConn) ListenOutBatch(r EncBatchReader) {
+	var ip netip.Addr
+
+	msgs, buffers, names := u.PrepareRawMessages(u.batch)
+	read := u.ReadMulti
+	if u.batch == 1 {
+		read = u.ReadSingle
+	}
+
+	udpBatchHist := metrics.GetOrRegisterHistogram("batch.udp_read_size", nil, metrics.NewUniformSample(1024))
+
+	// Pre-allocate slices for batch callback
+	addrs := make([]netip.AddrPort, u.batch)
+	payloads := make([][]byte, u.batch)
+
+	for {
+		n, err := read(msgs)
+		if err != nil {
+			u.l.WithError(err).Debug("udp socket is closed, exiting read loop")
+			return
+		}
+
+		udpBatchHist.Update(int64(n))
+
+		// Prepare batch data
+		for i := 0; i < n; i++ {
+			if u.isV4 {
+				ip, _ = netip.AddrFromSlice(names[i][4:8])
+			} else {
+				ip, _ = netip.AddrFromSlice(names[i][8:24])
+			}
+			addrs[i] = netip.AddrPortFrom(ip.Unmap(), binary.BigEndian.Uint16(names[i][2:4]))
+			payloads[i] = buffers[i][:msgs[i].Len]
+		}
+
+		// Call batch callback with all packets
+		r(addrs, payloads, n)
+	}
+}
+
 func (u *StdConn) ReadSingle(msgs []rawMessage) (int, error) {
 	for {
 		n, _, err := unix.Syscall6(
@@ -194,6 +262,19 @@ func (u *StdConn) WriteTo(b []byte, ip netip.AddrPort) error {
 	return u.writeTo6(b, ip)
 }
 
+func (u *StdConn) WriteMulti(packets [][]byte, addrs []netip.AddrPort) (int, error) {
+	if len(packets) != len(addrs) {
+		return 0, fmt.Errorf("packets and addrs length mismatch")
+	}
+	if len(packets) == 0 {
+		return 0, nil
+	}
+	if u.isV4 {
+		return u.writeMulti4(packets, addrs)
+	}
+	return u.writeMulti6(packets, addrs)
+}
+
 func (u *StdConn) writeTo6(b []byte, ip netip.AddrPort) error {
 	var rsa unix.RawSockaddrInet6
 	rsa.Family = unix.AF_INET6
@@ -248,6 +329,123 @@ func (u *StdConn) writeTo4(b []byte, ip netip.AddrPort) error {
 	}
 }
 
+func (u *StdConn) writeMulti4(packets [][]byte, addrs []netip.AddrPort) (int, error) {
+	sent := 0
+	for sent < len(packets) {
+		// Determine batch size based on remaining packets and buffer capacity
+		batchSize := len(packets) - sent
+		if batchSize > len(u.writeMsgs) {
+			batchSize = len(u.writeMsgs)
+		}
+
+		// Use pre-allocated buffers
+		msgs := u.writeMsgs[:batchSize]
+		iovecs := u.writeIovecs[:batchSize]
+		names := u.writeNames[:batchSize]
+
+		// Setup message structures for this batch
+		for i := 0; i < batchSize; i++ {
+			pktIdx := sent + i
+			if !addrs[pktIdx].Addr().Is4() {
+				return sent + i, ErrInvalidIPv6RemoteForSocket
+			}
+
+			// Setup the packet buffer
+			iovecs[i].Base = &packets[pktIdx][0]
+			iovecs[i].Len = uint(len(packets[pktIdx]))
+
+			// Setup the destination address
+			rsa := (*unix.RawSockaddrInet4)(unsafe.Pointer(&names[i][0]))
+			rsa.Family = unix.AF_INET
+			rsa.Addr = addrs[pktIdx].Addr().As4()
+			binary.BigEndian.PutUint16((*[2]byte)(unsafe.Pointer(&rsa.Port))[:], addrs[pktIdx].Port())
+
+			// Set the appropriate address length for IPv4
+			msgs[i].Hdr.Namelen = unix.SizeofSockaddrInet4
+		}
+
+		// Send this batch
+		nsent, _, err := unix.Syscall6(
+			unix.SYS_SENDMMSG,
+			uintptr(u.sysFd),
+			uintptr(unsafe.Pointer(&msgs[0])),
+			uintptr(batchSize),
+			0,
+			0,
+			0,
+		)
+
+		if err != 0 {
+			return sent + int(nsent), &net.OpError{Op: "sendmmsg", Err: err}
+		}
+
+		sent += int(nsent)
+		if int(nsent) < batchSize {
+			// Couldn't send all packets in batch, return what we sent
+			return sent, nil
+		}
+	}
+
+	return sent, nil
+}
+
+func (u *StdConn) writeMulti6(packets [][]byte, addrs []netip.AddrPort) (int, error) {
+	sent := 0
+	for sent < len(packets) {
+		// Determine batch size based on remaining packets and buffer capacity
+		batchSize := len(packets) - sent
+		if batchSize > len(u.writeMsgs) {
+			batchSize = len(u.writeMsgs)
+		}
+
+		// Use pre-allocated buffers
+		msgs := u.writeMsgs[:batchSize]
+		iovecs := u.writeIovecs[:batchSize]
+		names := u.writeNames[:batchSize]
+
+		// Setup message structures for this batch
+		for i := 0; i < batchSize; i++ {
+			pktIdx := sent + i
+
+			// Setup the packet buffer
+			iovecs[i].Base = &packets[pktIdx][0]
+			iovecs[i].Len = uint(len(packets[pktIdx]))
+
+			// Setup the destination address
+			rsa := (*unix.RawSockaddrInet6)(unsafe.Pointer(&names[i][0]))
+			rsa.Family = unix.AF_INET6
+			rsa.Addr = addrs[pktIdx].Addr().As16()
+			binary.BigEndian.PutUint16((*[2]byte)(unsafe.Pointer(&rsa.Port))[:], addrs[pktIdx].Port())
+
+			// Set the appropriate address length for IPv6
+			msgs[i].Hdr.Namelen = unix.SizeofSockaddrInet6
+		}
+
+		// Send this batch
+		nsent, _, err := unix.Syscall6(
+			unix.SYS_SENDMMSG,
+			uintptr(u.sysFd),
+			uintptr(unsafe.Pointer(&msgs[0])),
+			uintptr(batchSize),
+			0,
+			0,
+			0,
+		)
+
+		if err != 0 {
+			return sent + int(nsent), &net.OpError{Op: "sendmmsg", Err: err}
+		}
+
+		sent += int(nsent)
+		if int(nsent) < batchSize {
+			// Couldn't send all packets in batch, return what we sent
+			return sent, nil
+		}
+	}
+
+	return sent, nil
+}
+
 func (u *StdConn) ReloadConfig(c *config.C) {
 	b := c.GetInt("listen.read_buffer", 0)
 	if b > 0 {
@@ -305,6 +503,10 @@ func (u *StdConn) getMemInfo(meminfo *[unix.SK_MEMINFO_VARS]uint32) error {
 	return nil
 }
 
+func (u *StdConn) BatchSize() int {
+	return u.batch
+}
+
 func (u *StdConn) Close() error {
 	return syscall.Close(u.sysFd)
 }

udp/udp_linux_32.go

@@ -12,7 +12,7 @@ import (
 
 type iovec struct {
 	Base *byte
-	Len  uint32
+	Len  uint
 }
 
 type msghdr struct {
@@ -40,7 +40,7 @@ func (u *StdConn) PrepareRawMessages(n int) ([]rawMessage, [][]byte, [][]byte) {
 		names[i] = make([]byte, unix.SizeofSockaddrInet6)
 
 		vs := []iovec{
-			{Base: &buffers[i][0], Len: uint32(len(buffers[i]))},
+			{Base: &buffers[i][0], Len: uint(len(buffers[i]))},
 		}
 
 		msgs[i].Hdr.Iov = &vs[0]

udp/udp_linux_64.go

@@ -12,7 +12,7 @@ import (
 
 type iovec struct {
 	Base *byte
-	Len  uint64
+	Len  uint
 }
 
 type msghdr struct {
@@ -43,7 +43,7 @@ func (u *StdConn) PrepareRawMessages(n int) ([]rawMessage, [][]byte, [][]byte) {
 		names[i] = make([]byte, unix.SizeofSockaddrInet6)
 
 		vs := []iovec{
-			{Base: &buffers[i][0], Len: uint64(len(buffers[i]))},
+			{Base: &buffers[i][0], Len: uint(len(buffers[i]))},
 		}
 
 		msgs[i].Hdr.Iov = &vs[0]

udp/udp_tester.go

@@ -116,6 +116,31 @@ func (u *TesterConn) ListenOut(r EncReader) {
 	}
 }
 
+func (u *TesterConn) ListenOutBatch(r EncBatchReader) {
+	addrs := make([]netip.AddrPort, 1)
+	payloads := make([][]byte, 1)
+
+	for {
+		p, ok := <-u.RxPackets
+		if !ok {
+			return
+		}
+		addrs[0] = p.From
+		payloads[0] = p.Data
+		r(addrs, payloads, 1)
+	}
+}
+
+func (u *TesterConn) WriteMulti(packets [][]byte, addrs []netip.AddrPort) (int, error) {
+	for i := range packets {
+		err := u.WriteTo(packets[i], addrs[i])
+		if err != nil {
+			return i, err
+		}
+	}
+	return len(packets), nil
+}
+
 func (u *TesterConn) ReloadConfig(*config.C) {}
 
 func NewUDPStatsEmitter(_ []Conn) func() {
@@ -127,6 +152,10 @@ func (u *TesterConn) LocalAddr() (netip.AddrPort, error) {
 	return u.Addr, nil
 }
 
+func (u *TesterConn) BatchSize() int {
+	return 1
+}
+
 func (u *TesterConn) Rebind() error {
 	return nil
 }