Olm fails to establish direct connection due to UDP port conflict during NAT holepunching on macOS #16
Description
Description
When using the --holepunch flag on macOS, olm frequently fails to establish a direct peer-to-peer connection and falls back to relay mode due to a race condition between the holepunch goroutine and WireGuard device initialization.
Current Behavior
- Olm starts UDP holepunching on a randomly selected port (e.g., 55704)
- The holepunch goroutine holds this port open to maintain NAT mappings
- WireGuard attempts to bind to the same port for the tunnel
- Binding fails with error:
Unable to update bind: listen udp4 :55704: bind: address already in use - Connection falls back to relay mode after 4 seconds
Expected Behavior
WireGuard should successfully bind to the port after holepunching completes, enabling direct peer-to-peer connectivity without relay.
Root Cause
There's insufficient delay between close(stopHolepunch) and WireGuard's dev.Up() call. The current 10ms delay is not enough for macOS to release the UDP port, causing WireGuard to fail when attempting to bind.
Logs
ERROR: wireguard: 2025/08/29 12:38:01 Unable to update bind: listen udp4 :55704: bind: address already in use
DEBUG: wireguard: 2025/08/29 12:38:01 Interface state was Down, requested Up, now Down
ERROR: 2025/08/29 12:38:01 Failed to bring up WireGuard device: listen udp4 :55704: bind: address already in use
Environment
- OS: macOS 15.6.1 (tested on MacBook Pro with M1 Pro)
- Olm version: 1.1.0
- Using
--holepunchflag
Solution
Increase the delay after closing the holepunch channel from 10ms to 500ms to ensure the OS has released the port before WireGuard attempts to bind.
Reproduction Steps
- Run
sudo -E olm --holepunchon macOS - Observe logs showing port binding failure
- Note fallback to relay mode instead of direct connection
Impact
- Higher latency due to unnecessary relay usage
- Increased bandwidth costs through relay server
- Degraded performance when direct connectivity should be possible