Diffstat (limited to 'tunnel/tools')
-rw-r--r--tunnel/tools/CMakeLists.txt40
m---------tunnel/tools/elf-cleaner0
-rw-r--r--tunnel/tools/libwg-go/Makefile19
-rw-r--r--tunnel/tools/libwg-go/api-android.go98
-rw-r--r--tunnel/tools/libwg-go/go.mod14
-rw-r--r--tunnel/tools/libwg-go/go.sum36
-rw-r--r--tunnel/tools/libwg-go/goruntime-boottime-over-monotonic.diff92
-rw-r--r--tunnel/tools/libwg-go/jni.c2
-rw-r--r--tunnel/tools/ndk-compat/compat.c56
-rw-r--r--tunnel/tools/ndk-compat/compat.h10
m---------tunnel/tools/wireguard-tools0
11 files changed, 177 insertions, 190 deletions
diff --git a/tunnel/tools/CMakeLists.txt b/tunnel/tools/CMakeLists.txt
index 362a409c..b62a163c 100644
--- a/tunnel/tools/CMakeLists.txt
+++ b/tunnel/tools/CMakeLists.txt
@@ -1,34 +1,44 @@
# SPDX-License-Identifier: Apache-2.0
#
-# Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+# Copyright © 2017-2025 WireGuard LLC. All Rights Reserved.
cmake_minimum_required(VERSION 3.4.1)
+project("WireGuard")
set(CMAKE_RUNTIME_OUTPUT_DIRECTORY "${CMAKE_LIBRARY_OUTPUT_DIRECTORY}")
-
-# Work around https://github.com/android-ndk/ndk/issues/602
-set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fuse-ld=gold")
+add_link_options(LINKER:--build-id=none)
+add_compile_options(-Wall -Werror)
add_executable(libwg-quick.so wireguard-tools/src/wg-quick/android.c ndk-compat/compat.c)
-target_compile_options(libwg-quick.so PUBLIC -O3 -std=gnu11 -Wall -include ${CMAKE_CURRENT_SOURCE_DIR}/ndk-compat/compat.h -DWG_PACKAGE_NAME=\"${ANDROID_PACKAGE_NAME}\")
+target_compile_options(libwg-quick.so PUBLIC -std=gnu11 -include ${CMAKE_CURRENT_SOURCE_DIR}/ndk-compat/compat.h -DWG_PACKAGE_NAME=\"${ANDROID_PACKAGE_NAME}\")
target_link_libraries(libwg-quick.so -ldl)
file(GLOB WG_SOURCES wireguard-tools/src/*.c ndk-compat/compat.c)
add_executable(libwg.so ${WG_SOURCES})
target_include_directories(libwg.so PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}/wireguard-tools/src/uapi/linux/" "${CMAKE_CURRENT_SOURCE_DIR}/wireguard-tools/src/")
-target_compile_options(libwg.so PUBLIC -O3 -std=gnu11 -D_GNU_SOURCE -include ${CMAKE_CURRENT_SOURCE_DIR}/ndk-compat/compat.h -DHAVE_VISIBILITY_HIDDEN -DRUNSTATEDIR=\"/data/data/${ANDROID_PACKAGE_NAME}/cache\")
+target_compile_options(libwg.so PUBLIC -std=gnu11 -include ${CMAKE_CURRENT_SOURCE_DIR}/ndk-compat/compat.h -DRUNSTATEDIR=\"/data/data/${ANDROID_PACKAGE_NAME}/cache\")
-add_custom_target(libwg-go.so WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}/libwg-go" COMMENT "Building wireguard-go" VERBATIM COMMAND make
+add_custom_target(libwg-go.so WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}/libwg-go" COMMENT "Building wireguard-go" VERBATIM COMMAND "${ANDROID_HOST_PREBUILTS}/bin/make"
ANDROID_ARCH_NAME=${ANDROID_ARCH_NAME}
- ANDROID_C_COMPILER=${ANDROID_C_COMPILER}
- ANDROID_TOOLCHAIN_ROOT=${ANDROID_TOOLCHAIN_ROOT}
- ANDROID_LLVM_TRIPLE=${ANDROID_LLVM_TRIPLE}
- ANDROID_SYSROOT=${ANDROID_SYSROOT}
ANDROID_PACKAGE_NAME=${ANDROID_PACKAGE_NAME}
GRADLE_USER_HOME=${GRADLE_USER_HOME}
- CFLAGS=${CMAKE_C_FLAGS}\ -Wno-unused-command-line-argument
- LDFLAGS=${CMAKE_SHARED_LINKER_FLAGS}\ -fuse-ld=gold
+ CC=${CMAKE_C_COMPILER}
+ CFLAGS=${CMAKE_C_FLAGS}
+ LDFLAGS=${CMAKE_SHARED_LINKER_FLAGS}
+ SYSROOT=${CMAKE_SYSROOT}
+ TARGET=${CMAKE_C_COMPILER_TARGET}
DESTDIR=${CMAKE_LIBRARY_OUTPUT_DIRECTORY}
BUILDDIR=${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/../generated-src
)
-# Hack to make it actually build as part of the default target
-add_dependencies(libwg.so libwg-go.so)
+
+# Strip unwanted ELF sections to prevent DT_FLAGS_1 warnings on old Android versions
+file(GLOB ELF_CLEANER_SOURCES elf-cleaner/*.c elf-cleaner/*.cpp)
+add_custom_target(elf-cleaner COMMENT "Building elf-cleaner" VERBATIM COMMAND cc
+ -O2 -DPACKAGE_NAME="elf-cleaner" -DPACKAGE_VERSION="" -DCOPYRIGHT=""
+ -o "${CMAKE_CURRENT_BINARY_DIR}/elf-cleaner" ${ELF_CLEANER_SOURCES}
+)
+add_custom_command(TARGET libwg.so POST_BUILD VERBATIM COMMAND "${CMAKE_CURRENT_BINARY_DIR}/elf-cleaner"
+ --api-level "${ANDROID_NATIVE_API_LEVEL}" "$<TARGET_FILE:libwg.so>")
+add_dependencies(libwg.so elf-cleaner)
+add_custom_command(TARGET libwg-quick.so POST_BUILD VERBATIM COMMAND "${CMAKE_CURRENT_BINARY_DIR}/elf-cleaner"
+ --api-level "${ANDROID_NATIVE_API_LEVEL}" "$<TARGET_FILE:libwg-quick.so>")
+add_dependencies(libwg-quick.so elf-cleaner)
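Review bot: The elf-cleaner target compiles with a bare `cc` resolved from PATH and its output is then run over both shipped binaries, while the same hunk pins make to `${ANDROID_HOST_PREBUILTS}/bin/make`. Because this host tool rewrites the ELF files that get packaged, the compiler should be resolved once and be overridable, for example `find_program(WG_HOST_CC cc)` with a `message(FATAL_ERROR ...)` when it is not found and `COMMAND "${WG_HOST_CC}"` in the target (WG_HOST_CC is only a suggested name). `add_custom_target` is always considered out of date, so elf-cleaner is recompiled on every build; an `add_custom_command(OUTPUT ...)` with the globbed sources in `DEPENDS` would avoid that. Separately, the hunk drops `add_dependencies(libwg.so libwg-go.so)` and the libwg-go.so target shows no `ALL`, so it is worth confirming that the Gradle side still requests that target explicitly.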
diff --git a/tunnel/tools/elf-cleaner b/tunnel/tools/elf-cleaner
new file mode 160000
+Subproject 7efc05090675ec6161b7def862728086a26c3b1
diff --git a/tunnel/tools/libwg-go/Makefile b/tunnel/tools/libwg-go/Makefile
index c52acf7e..5b34355c 100644
--- a/tunnel/tools/libwg-go/Makefile
+++ b/tunnel/tools/libwg-go/Makefile
@@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0
#
-# Copyright © 2017-2019 WireGuard LLC. All Rights Reserved.
+# Copyright © 2017-2025 WireGuard LLC. All Rights Reserved.
BUILDDIR ?= $(CURDIR)/build
DESTDIR ?= $(CURDIR)/out
@@ -12,19 +12,20 @@ NDK_GO_ARCH_MAP_arm64 := arm64
NDK_GO_ARCH_MAP_mips := mipsx
NDK_GO_ARCH_MAP_mips64 := mips64x
-CLANG_FLAGS := --target=$(ANDROID_LLVM_TRIPLE) --gcc-toolchain=$(ANDROID_TOOLCHAIN_ROOT) --sysroot=$(ANDROID_SYSROOT)
-export CGO_CFLAGS := $(CLANG_FLAGS) $(CFLAGS)
-export CGO_LDFLAGS := $(CLANG_FLAGS) $(LDFLAGS) -Wl,-soname=libwg-go.so
-export CC := $(ANDROID_C_COMPILER)
+comma := ,
+CLANG_FLAGS := --target=$(TARGET) --sysroot=$(SYSROOT)
+export CGO_CFLAGS := $(CLANG_FLAGS) $(subst -mthumb,-marm,$(CFLAGS))
+export CGO_LDFLAGS := $(CLANG_FLAGS) $(patsubst -Wl$(comma)--build-id=%,-Wl$(comma)--build-id=none,$(LDFLAGS)) -Wl,-soname=libwg-go.so
export GOARCH := $(NDK_GO_ARCH_MAP_$(ANDROID_ARCH_NAME))
export GOOS := android
export CGO_ENABLED := 1
-GO_VERSION := 1.14.4
+GO_VERSION := 1.24.3
GO_PLATFORM := $(shell uname -s | tr '[:upper:]' '[:lower:]')-$(NDK_GO_ARCH_MAP_$(shell uname -m))
GO_TARBALL := go$(GO_VERSION).$(GO_PLATFORM).tar.gz
-GO_HASH_darwin-amd64 := 3fa7ed8dc44fdd50c0bfe72676250cceca527d59950aef20af906a670cf88de2
-GO_HASH_linux-amd64 := aed845e4185a0b2a3c3d5e1d0a35491702c55889192bb9c30e67a3de6849c067
+GO_HASH_darwin-amd64 := 13e6fe3fcf65689d77d40e633de1e31c6febbdbcb846eb05fc2434ed2213e92b
+GO_HASH_darwin-arm64 := 64a3fa22142f627e78fac3018ce3d4aeace68b743eff0afda8aae0411df5e4fb
+GO_HASH_linux-amd64 := 3333f6ea53afa971e9078895eaa4ac7204a8c6b5c68c10e6bc9a33e8e391bdd8
default: $(DESTDIR)/libwg-go.so
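Review bot: The pinned-hash table covers only darwin-amd64, darwin-arm64 and linux-amd64, so on any other host a lookup such as `$(GO_HASH_$(GO_PLATFORM))` expands to an empty string. The rule that downloads and verifies the Go tarball is outside this hunk, so how it treats an empty expected hash cannot be checked from here. An explicit guard next to the table makes the failure mode unambiguous: `ifeq ($(GO_HASH_$(GO_PLATFORM)),)`, then `$(error no pinned hash for $(GO_TARBALL))`, then `endif`.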
@@ -46,6 +47,6 @@ $(BUILDDIR)/go-$(GO_VERSION)/.prepared: $(GRADLE_USER_HOME)/caches/golang/$(GO_T
$(DESTDIR)/libwg-go.so: export PATH := $(BUILDDIR)/go-$(GO_VERSION)/bin/:$(PATH)
$(DESTDIR)/libwg-go.so: $(BUILDDIR)/go-$(GO_VERSION)/.prepared go.mod
- go build -tags linux -ldflags="-X golang.zx2c4.com/wireguard/ipc.socketDirectory=/data/data/$(ANDROID_PACKAGE_NAME)/cache/wireguard" -v -trimpath -o "$@" -buildmode c-shared
+ go build -tags linux -ldflags="-X golang.zx2c4.com/wireguard/ipc.socketDirectory=/data/data/$(ANDROID_PACKAGE_NAME)/cache/wireguard -buildid=" -v -trimpath -buildvcs=false -o "$@" -buildmode c-shared
.DELETE_ON_ERROR:
diff --git a/tunnel/tools/libwg-go/api-android.go b/tunnel/tools/libwg-go/api-android.go
index 70c1c0c9..d47c5d76 100644
--- a/tunnel/tools/libwg-go/api-android.go
+++ b/tunnel/tools/libwg-go/api-android.go
@@ -1,6 +1,6 @@
/* SPDX-License-Identifier: Apache-2.0
*
- * Copyright (C) 2017-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright © 2017-2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
*/
package main
@@ -10,14 +10,13 @@ package main
import "C"
import (
- "bufio"
- "bytes"
- "log"
+ "fmt"
"math"
"net"
"os"
"os/signal"
"runtime"
+ "runtime/debug"
"strings"
"unsafe"
@@ -29,13 +28,21 @@ import (
)
type AndroidLogger struct {
- level C.int
- interfaceName string
+ level C.int
+ tag *C.char
}
-func (l AndroidLogger) Write(p []byte) (int, error) {
- C.__android_log_write(l.level, C.CString("WireGuard/GoBackend/"+l.interfaceName), C.CString(string(p)))
- return len(p), nil
+func cstring(s string) *C.char {
+ b, err := unix.BytePtrFromString(s)
+ if err != nil {
+ b := [1]C.char{}
+ return &b[0]
+ }
+ return (*C.char)(unsafe.Pointer(b))
+}
+
+func (l AndroidLogger) Printf(format string, args ...interface{}) {
+ C.__android_log_write(l.level, l.tag, cstring(fmt.Sprintf(format, args...)))
}
type TunnelHandle struct {
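Review bot: `cstring` has two properties that are not obvious at its call sites and deserve a doc comment. The returned pointer refers to Go-managed memory, so unlike the `C.CString` calls it replaces nothing is malloc'd or needs freeing, and a string containing a NUL byte becomes an empty string because `unix.BytePtrFromString` returns an error for it. The second point means a log line whose formatted text contains a NUL is silently emitted empty, which matters if any logged value can originate from a peer or a configuration file. Suggested comment above the function: `// cstring returns s as a NUL-terminated C string backed by Go memory; input containing a NUL byte yields "".`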
@@ -46,7 +53,6 @@ type TunnelHandle struct {
var tunnelHandles map[int32]TunnelHandle
func init() {
- device.RoamingDisabled = true
tunnelHandles = make(map[int32]TunnelHandle)
signals := make(chan os.Signal)
signal.Notify(signals, unix.SIGUSR2)
@@ -56,52 +62,52 @@ func init() {
select {
case <-signals:
n := runtime.Stack(buf, true)
+ if n == len(buf) {
+ n--
+ }
buf[n] = 0
- C.__android_log_write(C.ANDROID_LOG_ERROR, C.CString("WireGuard/GoBackend/Stacktrace"), (*C.char)(unsafe.Pointer(&buf[0])))
+ C.__android_log_write(C.ANDROID_LOG_ERROR, cstring("WireGuard/GoBackend/Stacktrace"), (*C.char)(unsafe.Pointer(&buf[0])))
}
}
}()
}
//export wgTurnOn
-func wgTurnOn(ifnameRef string, tunFd int32, settings string) int32 {
- interfaceName := string([]byte(ifnameRef))
-
+func wgTurnOn(interfaceName string, tunFd int32, settings string) int32 {
+ tag := cstring("WireGuard/GoBackend/" + interfaceName)
logger := &device.Logger{
- Debug: log.New(&AndroidLogger{level: C.ANDROID_LOG_DEBUG, interfaceName: interfaceName}, "", 0),
- Info: log.New(&AndroidLogger{level: C.ANDROID_LOG_INFO, interfaceName: interfaceName}, "", 0),
- Error: log.New(&AndroidLogger{level: C.ANDROID_LOG_ERROR, interfaceName: interfaceName}, "", 0),
+ Verbosef: AndroidLogger{level: C.ANDROID_LOG_DEBUG, tag: tag}.Printf,
+ Errorf: AndroidLogger{level: C.ANDROID_LOG_ERROR, tag: tag}.Printf,
}
- logger.Debug.Println("Debug log enabled")
-
tun, name, err := tun.CreateUnmonitoredTUNFromFD(int(tunFd))
if err != nil {
unix.Close(int(tunFd))
- logger.Error.Println(err)
+ logger.Errorf("CreateUnmonitoredTUNFromFD: %v", err)
return -1
}
- logger.Info.Println("Attaching to interface", name)
- device := device.NewDevice(tun, logger)
+ logger.Verbosef("Attaching to interface %v", name)
+ device := device.NewDevice(tun, conn.NewStdNetBind(), logger)
- setError := device.IpcSetOperation(bufio.NewReader(strings.NewReader(settings)))
- if setError != nil {
+ err = device.IpcSet(settings)
+ if err != nil {
unix.Close(int(tunFd))
- logger.Error.Println(setError)
+ logger.Errorf("IpcSet: %v", err)
return -1
}
+ device.DisableSomeRoamingForBrokenMobileSemantics()
var uapi net.Listener
uapiFile, err := ipc.UAPIOpen(name)
if err != nil {
- logger.Error.Println(err)
+ logger.Errorf("UAPIOpen: %v", err)
} else {
uapi, err = ipc.UAPIListen(name, uapiFile)
if err != nil {
uapiFile.Close()
- logger.Error.Println(err)
+ logger.Errorf("UAPIListen: %v", err)
} else {
go func() {
for {
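Review bot: The `IpcSet` failure branch still calls `unix.Close(int(tunFd))` even though `device.NewDevice(tun, ...)` has already been given the TUN built from that descriptor, while the failure branches this commit adds later clean up with `device.Close()`. Closing only the raw fd leaves the device and its TUN wrapper alive. If the wrapper later closes the same descriptor number, it could hit an unrelated descriptor that has reused it (inferred, since `CreateUnmonitoredTUNFromFD` is not visible here). Replacing `unix.Close(int(tunFd))` with `device.Close()` in that branch would make the error paths consistent. wgTurnOn continues past the end of this hunk.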
@@ -115,8 +121,14 @@ func wgTurnOn(ifnameRef string, tunFd int32, settings string) int32 {
}
}
- device.Up()
- logger.Info.Println("Device started")
+ err = device.Up()
+ if err != nil {
+ logger.Errorf("Unable to bring up device: %v", err)
+ uapiFile.Close()
+ device.Close()
+ return -1
+ }
+ logger.Verbosef("Device started")
var i int32
for i = 0; i < math.MaxInt32; i++ {
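Review bot: The new `device.Up()` failure branch closes `uapiFile` and the device but not the `uapi` listener, which the earlier part of wgTurnOn may have created and handed to an accept goroutine. The "Unable to find empty handle" branch in the next hunk has the same shape. If `ipc.UAPIListen` keeps its own descriptor (not visible here), the socket and the goroutine outlive the failed call. Adding `if uapi != nil { uapi.Close() }` before `device.Close()` in both branches would cover that. The listener setup sits outside this hunk.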
@@ -125,7 +137,9 @@ func wgTurnOn(ifnameRef string, tunFd int32, settings string) int32 {
}
}
if i == math.MaxInt32 {
- unix.Close(int(tunFd))
+ logger.Errorf("Unable to find empty handle")
+ uapiFile.Close()
+ device.Close()
return -1
}
tunnelHandles[i] = TunnelHandle{device: device, uapi: uapi}
@@ -172,7 +186,7 @@ func wgGetSocketV6(tunnelHandle int32) int32 {
if bind == nil {
return -1
}
- fd, err := bind.PeekLookAtSocketFd4()
+ fd, err := bind.PeekLookAtSocketFd6()
if err != nil {
return -1
}
@@ -185,19 +199,29 @@ func wgGetConfig(tunnelHandle int32) *C.char {
if !ok {
return nil
}
- settings := new(bytes.Buffer)
- writer := bufio.NewWriter(settings)
- err := handle.device.IpcGetOperation(writer)
+ settings, err := handle.device.IpcGet()
if err != nil {
return nil
}
- writer.Flush()
- return C.CString(settings.String())
+ return C.CString(settings)
}
//export wgVersion
func wgVersion() *C.char {
- return C.CString(device.WireGuardGoVersion)
+ info, ok := debug.ReadBuildInfo()
+ if !ok {
+ return C.CString("unknown")
+ }
+ for _, dep := range info.Deps {
+ if dep.Path == "golang.zx2c4.com/wireguard" {
+ parts := strings.Split(dep.Version, "-")
+ if len(parts) == 3 && len(parts[2]) == 12 {
+ return C.CString(parts[2][:7])
+ }
+ return C.CString(dep.Version)
+ }
+ }
+ return C.CString("unknown")
}
func main() {}
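Review bot: wgVersion's parsing relies on the Go pseudo-version layout and would read more easily with a comment saying so, e.g. `// A pseudo-version is vX.Y.Z-<timestamp>-<12-char commit>; report the first 7 characters of the commit, otherwise the version string as-is.` The strings returned through `C.CString` in wgGetConfig and wgVersion are malloc'd, so the doc comments should also state that the caller owns and must free them. The JNI side that consumes them is not part of this hunk.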
diff --git a/tunnel/tools/libwg-go/go.mod b/tunnel/tools/libwg-go/go.mod
index 83339628..f6de8e1f 100644
--- a/tunnel/tools/libwg-go/go.mod
+++ b/tunnel/tools/libwg-go/go.mod
@@ -1,10 +1,14 @@
module golang.zx2c4.com/wireguard/android
-go 1.14
+go 1.23.1
require (
- golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 // indirect
- golang.org/x/net v0.0.0-20200602114024-627f9648deb9 // indirect
- golang.org/x/sys v0.0.0-20200602225109-6fdc65e7d980
- golang.zx2c4.com/wireguard v0.0.20200321-0.20200622004228-b84f1d4db25e
+ golang.org/x/sys v0.33.0
+ golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
+)
+
+require (
+ golang.org/x/crypto v0.38.0 // indirect
+ golang.org/x/net v0.40.0 // indirect
+ golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
)
diff --git a/tunnel/tools/libwg-go/go.sum b/tunnel/tools/libwg-go/go.sum
index 2ad39e3c..416d266c 100644
--- a/tunnel/tools/libwg-go/go.sum
+++ b/tunnel/tools/libwg-go/go.sum
@@ -1,20 +1,16 @@
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 h1:vEg9joUBmeBcK9iSJftGNf3coIG4HqZElCPehJsfAYM=
-golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200602114024-627f9648deb9 h1:pNX+40auqi2JqRfOP1akLGtYcn15TUbkhwuCO3foqqM=
-golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200602225109-6fdc65e7d980 h1:OjiUf46hAmXblsZdnoSXsEUSKU8r1UEzcL5RVZ4gO9Y=
-golang.org/x/sys v0.0.0-20200602225109-6fdc65e7d980/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.zx2c4.com/wireguard v0.0.20200321-0.20200622004228-b84f1d4db25e h1:f8BS3yEMeIGx/zzJfihxDRedx6lT7EiJlfih4j6LY98=
-golang.zx2c4.com/wireguard v0.0.20200321-0.20200622004228-b84f1d4db25e/go.mod h1:GJvYs5O24/ASlwPiRklVnjMx2xQzrOic0DuU6GvYJL4=
+github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
+github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
+golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
+golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=
+golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
+gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c h1:m/r7OM+Y2Ty1sgBQ7Qb27VgIMBW8ZZhT4gLnUyDIhzI=
+gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c/go.mod h1:3r5CMtNQMKIvBlrmM9xWUNamjKBYPOWyXOjmg5Kts3g=
diff --git a/tunnel/tools/libwg-go/goruntime-boottime-over-monotonic.diff b/tunnel/tools/libwg-go/goruntime-boottime-over-monotonic.diff
index f7918fbe..5d78242b 100644
--- a/tunnel/tools/libwg-go/goruntime-boottime-over-monotonic.diff
+++ b/tunnel/tools/libwg-go/goruntime-boottime-over-monotonic.diff
@@ -1,7 +1,8 @@
-From e44f456f1d0e429e08afed64a161175ff493f3ac Mon Sep 17 00:00:00 2001
+From 61f3ae8298d1c503cbc31539e0f3a73446c7db9d Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Wed, 27 Feb 2019 05:05:44 +0100
-Subject: [PATCH] runtime: use CLOCK_BOOTTIME in nanotime on Linux
+Date: Tue, 21 Mar 2023 15:33:56 +0100
+Subject: [PATCH] [release-branch.go1.20] runtime: use CLOCK_BOOTTIME in
+ nanotime on Linux
This makes timers account for having expired while a computer was
asleep, which is quite common on mobile devices. Note that BOOTTIME is
@@ -21,17 +22,17 @@ Change-Id: I7b2a6ca0c5bc5fce57ec0eeafe7b68270b429321
src/runtime/sys_linux_amd64.s | 2 +-
src/runtime/sys_linux_arm.s | 4 ++--
src/runtime/sys_linux_arm64.s | 4 ++--
- src/runtime/sys_linux_mips64x.s | 2 +-
+ src/runtime/sys_linux_mips64x.s | 4 ++--
src/runtime/sys_linux_mipsx.s | 2 +-
src/runtime/sys_linux_ppc64x.s | 2 +-
src/runtime/sys_linux_s390x.s | 2 +-
- 8 files changed, 11 insertions(+), 11 deletions(-)
+ 8 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/runtime/sys_linux_386.s b/src/runtime/sys_linux_386.s
-index 1b28098ad9..46b7071ed8 100644
+index 12a294153d..17e3524b40 100644
--- a/src/runtime/sys_linux_386.s
+++ b/src/runtime/sys_linux_386.s
-@@ -317,13 +317,13 @@ noswitch:
+@@ -352,13 +352,13 @@ noswitch:
LEAL 8(SP), BX // &ts (struct timespec)
MOVL BX, 4(SP)
@@ -48,20 +49,20 @@ index 1b28098ad9..46b7071ed8 100644
INVOKE_SYSCALL
diff --git a/src/runtime/sys_linux_amd64.s b/src/runtime/sys_linux_amd64.s
-index 58d3bc54b4..4bb9bde3d0 100644
+index c7a89ba536..01f0a6a26e 100644
--- a/src/runtime/sys_linux_amd64.s
+++ b/src/runtime/sys_linux_amd64.s
-@@ -293,7 +293,7 @@ noswitch:
- MOVQ runtime·vdsoClockgettimeSym(SB), AX
- CMPQ AX, $0
- JEQ fallback
+@@ -255,7 +255,7 @@ noswitch:
+ SUBQ $16, SP // Space for results
+ ANDQ $~15, SP // Align for C code
+
- MOVL $1, DI // CLOCK_MONOTONIC
+ MOVL $7, DI // CLOCK_BOOTTIME
LEAQ 0(SP), SI
- CALL AX
- MOVQ 0(SP), AX // sec
+ MOVQ runtime·vdsoClockgettimeSym(SB), AX
+ CMPQ AX, $0
diff --git a/src/runtime/sys_linux_arm.s b/src/runtime/sys_linux_arm.s
-index e103da56dc..0b872b90a6 100644
+index 7b8c4f0e04..9798a1334e 100644
--- a/src/runtime/sys_linux_arm.s
+++ b/src/runtime/sys_linux_arm.s
@@ -11,7 +11,7 @@
@@ -73,20 +74,20 @@ index e103da56dc..0b872b90a6 100644
// for EABI, as we don't support OABI
#define SYS_BASE 0x0
-@@ -345,7 +345,7 @@ noswitch:
- SUB $24, R13 // Space for results
- BIC $0x7, R13 // Align for C code
+@@ -374,7 +374,7 @@ finish:
+ // func nanotime1() int64
+ TEXT runtime·nanotime1(SB),NOSPLIT,$12-8
- MOVW $CLOCK_MONOTONIC, R0
+ MOVW $CLOCK_BOOTTIME, R0
- MOVW $8(R13), R1 // timespec
- MOVW runtime·vdsoClockgettimeSym(SB), R2
- CMP $0, R2
+ MOVW $spec-12(SP), R1 // timespec
+
+ MOVW runtime·vdsoClockgettimeSym(SB), R4
diff --git a/src/runtime/sys_linux_arm64.s b/src/runtime/sys_linux_arm64.s
-index b9588cec30..e444d50df4 100644
+index 38ff6ac330..6b819c5441 100644
--- a/src/runtime/sys_linux_arm64.s
+++ b/src/runtime/sys_linux_arm64.s
-@@ -13,7 +13,7 @@
+@@ -14,7 +14,7 @@
#define AT_FDCWD -100
#define CLOCK_REALTIME 0
@@ -95,7 +96,7 @@ index b9588cec30..e444d50df4 100644
#define SYS_exit 93
#define SYS_read 63
-@@ -297,7 +297,7 @@ noswitch:
+@@ -338,7 +338,7 @@ noswitch:
BIC $15, R1
MOVD R1, RSP
@@ -105,10 +106,10 @@ index b9588cec30..e444d50df4 100644
CBZ R2, fallback
diff --git a/src/runtime/sys_linux_mips64x.s b/src/runtime/sys_linux_mips64x.s
-index 723cfe43d9..edd7a195eb 100644
+index 47f2da524d..a8b387f193 100644
--- a/src/runtime/sys_linux_mips64x.s
+++ b/src/runtime/sys_linux_mips64x.s
-@@ -278,7 +278,7 @@ noswitch:
+@@ -326,7 +326,7 @@ noswitch:
AND $~15, R1 // Align for C code
MOVV R1, R29
@@ -117,11 +118,20 @@ index 723cfe43d9..edd7a195eb 100644
MOVV $0(R29), R5
MOVV runtime·vdsoClockgettimeSym(SB), R25
+@@ -336,7 +336,7 @@ noswitch:
+ // see walltime for detail
+ BEQ R2, R0, finish
+ MOVV R0, runtime·vdsoClockgettimeSym(SB)
+- MOVW $1, R4 // CLOCK_MONOTONIC
++ MOVW $7, R4 // CLOCK_BOOTTIME
+ MOVV $0(R29), R5
+ JMP fallback
+
diff --git a/src/runtime/sys_linux_mipsx.s b/src/runtime/sys_linux_mipsx.s
-index 15893a7a28..f3edf9a83a 100644
+index 5e6b6c1504..7f5fd2a80e 100644
--- a/src/runtime/sys_linux_mipsx.s
+++ b/src/runtime/sys_linux_mipsx.s
-@@ -235,7 +235,7 @@ TEXT runtime·walltime1(SB),NOSPLIT,$8-12
+@@ -243,7 +243,7 @@ TEXT runtime·walltime(SB),NOSPLIT,$8-12
RET
TEXT runtime·nanotime1(SB),NOSPLIT,$8-8
@@ -131,31 +141,31 @@ index 15893a7a28..f3edf9a83a 100644
MOVW $SYS_clock_gettime, R2
SYSCALL
diff --git a/src/runtime/sys_linux_ppc64x.s b/src/runtime/sys_linux_ppc64x.s
-index 8629fe3233..2402e2623a 100644
+index d0427a4807..05ee9fede9 100644
--- a/src/runtime/sys_linux_ppc64x.s
+++ b/src/runtime/sys_linux_ppc64x.s
-@@ -233,7 +233,7 @@ fallback:
- JMP finish
+@@ -298,7 +298,7 @@ fallback:
+ JMP return
- TEXT runtime·nanotime1(SB),NOSPLIT,$16
+ TEXT runtime·nanotime1(SB),NOSPLIT,$16-8
- MOVD $1, R3 // CLOCK_MONOTONIC
+ MOVD $7, R3 // CLOCK_BOOTTIME
MOVD R1, R15 // R15 is unchanged by C code
MOVD g_m(g), R21 // R21 = m
diff --git a/src/runtime/sys_linux_s390x.s b/src/runtime/sys_linux_s390x.s
-index c15a1d5364..f52c4d5098 100644
+index 1448670b91..7d2ee3231c 100644
--- a/src/runtime/sys_linux_s390x.s
+++ b/src/runtime/sys_linux_s390x.s
-@@ -207,7 +207,7 @@ TEXT runtime·walltime1(SB),NOSPLIT,$16
+@@ -296,7 +296,7 @@ fallback:
RET
- TEXT runtime·nanotime1(SB),NOSPLIT,$16
-- MOVW $1, R2 // CLOCK_MONOTONIC
-+ MOVW $7, R2 // CLOCK_BOOTTIME
- MOVD $tp-16(SP), R3
- MOVW $SYS_clock_gettime, R1
- SYSCALL
+ TEXT runtime·nanotime1(SB),NOSPLIT,$32-8
+- MOVW $1, R2 // CLOCK_MONOTONIC
++ MOVW $7, R2 // CLOCK_BOOTTIME
+
+ MOVD R15, R7 // Backup stack pointer
+
--
-2.25.1
+2.17.1
diff --git a/tunnel/tools/libwg-go/jni.c b/tunnel/tools/libwg-go/jni.c
index 3f877d47..7ad94d35 100644
--- a/tunnel/tools/libwg-go/jni.c
+++ b/tunnel/tools/libwg-go/jni.c
@@ -1,6 +1,6 @@
/* SPDX-License-Identifier: Apache-2.0
*
- * Copyright © 2017-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright © 2017-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
*/
#include <jni.h>
diff --git a/tunnel/tools/ndk-compat/compat.c b/tunnel/tools/ndk-compat/compat.c
index 7cc99fc4..3c293e7e 100644
--- a/tunnel/tools/ndk-compat/compat.c
+++ b/tunnel/tools/ndk-compat/compat.c
@@ -1,64 +1,12 @@
/* SPDX-License-Identifier: BSD
*
- * Copyright © 2017-2019 WireGuard LLC. All Rights Reserved.
+ * Copyright © 2017-2025 WireGuard LLC. All Rights Reserved.
*
*/
#define FILE_IS_EMPTY
-#if defined(__ANDROID_API__) && __ANDROID_API__ < 18
-#undef FILE_IS_EMPTY
-#include <stdio.h>
-#include <stdlib.h>
-
-ssize_t getdelim(char **buf, size_t *bufsiz, int delimiter, FILE *fp)
-{
- char *ptr, *eptr;
-
- if (*buf == NULL || *bufsiz == 0) {
- *bufsiz = BUFSIZ;
- if ((*buf = malloc(*bufsiz)) == NULL)
- return -1;
- }
-
- for (ptr = *buf, eptr = *buf + *bufsiz;;) {
- int c = fgetc(fp);
- if (c == -1) {
- if (feof(fp)) {
- ssize_t diff = (ssize_t)(ptr - *buf);
- if (diff != 0) {
- *ptr = '\0';
- return diff;
- }
- }
- return -1;
- }
- *ptr++ = c;
- if (c == delimiter) {
- *ptr = '\0';
- return ptr - *buf;
- }
- if (ptr + 2 >= eptr) {
- char *nbuf;
- size_t nbufsiz = *bufsiz * 2;
- ssize_t d = ptr - *buf;
- if ((nbuf = realloc(*buf, nbufsiz)) == NULL)
- return -1;
- *buf = nbuf;
- *bufsiz = nbufsiz;
- eptr = nbuf + nbufsiz;
- ptr = nbuf + d;
- }
- }
-}
-
-ssize_t getline(char **buf, size_t *bufsiz, FILE *fp)
-{
- return getdelim(buf, bufsiz, '\n', fp);
-}
-#endif
-
-#if defined(__ANDROID_API__) && __ANDROID_API__ < 24
+#if defined(__ANDROID_MIN_SDK_VERSION__) && __ANDROID_MIN_SDK_VERSION__ < 24
#undef FILE_IS_EMPTY
#include <string.h>
diff --git a/tunnel/tools/ndk-compat/compat.h b/tunnel/tools/ndk-compat/compat.h
index 52f6c127..9931c70c 100644
--- a/tunnel/tools/ndk-compat/compat.h
+++ b/tunnel/tools/ndk-compat/compat.h
@@ -1,16 +1,10 @@
/* SPDX-License-Identifier: BSD
*
- * Copyright © 2017-2019 WireGuard LLC. All Rights Reserved.
+ * Copyright © 2017-2025 WireGuard LLC. All Rights Reserved.
*
*/
-#if defined(__ANDROID_API__) && __ANDROID_API__ < 18
-#include <stdio.h>
-ssize_t getdelim(char **buf, size_t *bufsiz, int delimiter, FILE *fp);
-ssize_t getline(char **buf, size_t *bufsiz, FILE *fp);
-#endif
-
-#if defined(__ANDROID_API__) && __ANDROID_API__ < 24
+#if defined(__ANDROID_MIN_SDK_VERSION__) && __ANDROID_MIN_SDK_VERSION__ < 24
char *strchrnul(const char *s, int c);
#endif
diff --git a/tunnel/tools/wireguard-tools b/tunnel/tools/wireguard-tools
-Subproject eb4665ecf082033d986c64453e2becce19bc7af
+Subproject e2ecaaa739144997ccff89d6ad6ec81698ea6ce