From 2cd041481a3c432052c6d8b470f462597a136c31 Mon Sep 17 00:00:00 2001
From: Costin Manolache <costin@gmail.com>
Date: Fri, 21 May 2021 14:32:37 -0700
Subject: [PATCH] More changes and fixes

---
 .github/workflows/go.yml                      |   6 +-
 .ko.yaml                                      |   4 +
 .run/go-ugate.run.xml                         |   2 +-
 .run/push_ko.run.xml                          |   8 +
 .run/ugate-alice.run.xml                      |  16 +
 .run/ugate-bob.run.xml                        |  16 +
 .run/ugate-carol.run.xml                      |  14 +
 .run/ugate-gate.run.xml                       |  14 +
 .run/ugate-s1.run.xml                         |  14 +
 .run/ugate.run.xml                            |   6 +
 .run/ugate_Dockerfile.run.xml                 |   6 +-
 Dockerfile                                    |  30 +-
 Makefile                                      | 112 +++--
 bin/ko-build.sh                               |  67 +++
 cmd/hbone/hbone.go                            |  84 ++++
 cmd/test.sh                                   |  39 +-
 cmd/tun_setup.sh                              |  48 +-
 cmd/ugate/.ko.yaml                            |   4 +
 cmd/ugate/go.mod                              |  19 +-
 cmd/ugate/go.sum                              | 131 +++++
 cmd/ugate/skaffold.yaml                       |  53 ++
 cmd/ugate/testdata/alice/ugate.json           |  18 +
 cmd/ugate/ugate_test.go                       |   7 +-
 cmd/ugatex/go.mod                             |  10 +-
 cmd/wp/wp.go                                  | 466 +-----------------
 docs/dev.md                                   | 106 ++++
 docs/dns_sni.md                               |  51 ++
 docs/oidc.md                                  |  62 +++
 docs/perf.md                                  |   4 +
 ext/bootstrap/go.mod                          |  12 +-
 ext/bootstrapx/go.mod                         |  27 +-
 ext/{bootstrap => bootstrapx}/ugate_quiche.go |   2 +-
 ext/{bootstrap => bootstrapx}/ugate_webrtc.go |   2 +-
 ext/{bootstrap => bootstrapx}/ugate_xds.go    |   2 +-
 ext/envoy/envoy.go                            |  17 +
 ext/envoy/envoy.yaml                          |  57 +++
 ext/envoy/run.sh                              |  11 +
 ext/gvisor/go.mod                             |   4 +-
 ext/gvisor/tun_capture_gvisor.go              |  16 +-
 ext/h2r/h2r.go                                |   2 +-
 ext/quic/go.mod                               |   7 +-
 ext/quic/go.sum                               |   2 -
 ext/quic/mux.go                               |  90 ++--
 ext/quic/quic.go                              | 158 +++---
 ext/ssh/ssh.go                                |   9 +
 manifests/Dockerfile.dbg                      |  73 ---
 manifests/{ugate/charts => }/hpa.yaml         |   8 +-
 manifests/{cr.yaml => knative-ugate.yaml}     |   7 +
 manifests/{ugate/charts => }/pdb.yaml         |  10 +-
 manifests/ugate-dev/Chart.yaml                |   8 +
 manifests/ugate-dev/templates/deployment.yaml |  94 ++++
 manifests/ugate-dev/templates/pd.yaml         |  10 +
 manifests/ugate-istio-system/Chart.yaml       |   8 +
 .../templates/deployment.yaml                 |  89 ++++
 manifests/ugate/Chart.yaml                    |   8 +
 manifests/ugate/charts/service.yaml           |  16 -
 manifests/ugate/kustomization.yaml            |   9 -
 manifests/ugate/lb-service.yaml               |  17 +
 .../ugate/{charts => templates}/istio.yaml    |   0
 manifests/ugate/templates/service.yaml        |  14 +
 .../app.yaml => templates/statefulset.yaml}   | 151 +++---
 manifests/ugate/values.yaml                   |   7 +
 pkg/auth/auth.go                              |  24 +-
 pkg/auth/bootstrap.go                         |  70 +++
 pkg/auth/vapid.go                             |  10 +
 pkg/udp/udpproxy.go                           |  50 +-
 pkg/ugatesvc/accept.go                        | 140 +++++-
 pkg/ugatesvc/handlers.go                      |  36 +-
 pkg/ugatesvc/port_listener.go                 |   4 +-
 pkg/ugatesvc/routing.go                       |  27 +-
 pkg/ugatesvc/tls_conn.go                      |   8 +-
 pkg/ugatesvc/ugate.go                         |  73 ++-
 stream.go                                     |  14 +-
 tools/dev/Dockerfile                          |  72 +++
 tools/dev/dev.sh                              |  14 +
 tools/dev/run.sh                              |  48 ++
 tools/dev/sshd_config                         |  27 +
 .../docker-compose.yaml                       |   0
 tools/genkube.go                              |  21 +
 tools/jwtdecode.go                            |  61 +++
 tools/vapid.go                                |  22 +
 tools/watcher.go                              | 298 +++++++++++
 ugate.go                                      |   2 +-
 83 files changed, 2402 insertions(+), 983 deletions(-)
 create mode 100644 .ko.yaml
 create mode 100644 .run/push_ko.run.xml
 create mode 100644 .run/ugate-alice.run.xml
 create mode 100644 .run/ugate-bob.run.xml
 create mode 100644 .run/ugate-carol.run.xml
 create mode 100644 .run/ugate-gate.run.xml
 create mode 100644 .run/ugate-s1.run.xml
 create mode 100755 bin/ko-build.sh
 create mode 100644 cmd/hbone/hbone.go
 create mode 100644 cmd/ugate/.ko.yaml
 create mode 100644 cmd/ugate/skaffold.yaml
 create mode 100644 docs/dev.md
 create mode 100644 docs/dns_sni.md
 create mode 100644 docs/oidc.md
 rename ext/{bootstrap => bootstrapx}/ugate_quiche.go (91%)
 rename ext/{bootstrap => bootstrapx}/ugate_webrtc.go (94%)
 rename ext/{bootstrap => bootstrapx}/ugate_xds.go (97%)
 create mode 100644 ext/envoy/envoy.go
 create mode 100644 ext/envoy/envoy.yaml
 create mode 100644 ext/envoy/run.sh
 delete mode 100644 manifests/Dockerfile.dbg
 rename manifests/{ugate/charts => }/hpa.yaml (80%)
 rename manifests/{cr.yaml => knative-ugate.yaml} (68%)
 rename manifests/{ugate/charts => }/pdb.yaml (58%)
 create mode 100644 manifests/ugate-dev/Chart.yaml
 create mode 100644 manifests/ugate-dev/templates/deployment.yaml
 create mode 100644 manifests/ugate-dev/templates/pd.yaml
 create mode 100644 manifests/ugate-istio-system/Chart.yaml
 create mode 100644 manifests/ugate-istio-system/templates/deployment.yaml
 create mode 100644 manifests/ugate/Chart.yaml
 delete mode 100644 manifests/ugate/charts/service.yaml
 delete mode 100644 manifests/ugate/kustomization.yaml
 create mode 100644 manifests/ugate/lb-service.yaml
 rename manifests/ugate/{charts => templates}/istio.yaml (100%)
 create mode 100644 manifests/ugate/templates/service.yaml
 rename manifests/ugate/{charts/app.yaml => templates/statefulset.yaml} (52%)
 create mode 100644 manifests/ugate/values.yaml
 create mode 100644 pkg/auth/bootstrap.go
 create mode 100644 tools/dev/Dockerfile
 create mode 100644 tools/dev/dev.sh
 create mode 100755 tools/dev/run.sh
 create mode 100644 tools/dev/sshd_config
 rename docker-compose.yaml => tools/docker-compose.yaml (100%)
 create mode 100644 tools/genkube.go
 create mode 100644 tools/jwtdecode.go
 create mode 100644 tools/vapid.go
 create mode 100644 tools/watcher.go

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 922fdd3..3cfc0dd 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -24,10 +24,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Set up Go 1.14
+    - name: Set up Go 1.16
       uses: actions/setup-go@v1
       with:
-        go-version: 1.14
+        go-version: 1.16
       id: go
 
     - name: Check out code into the Go module directory
@@ -39,7 +39,7 @@ jobs:
 
     - name: Build
       run: |
-        go build -o ugate -v ./cmd/ugate
+        cd cmd/ugate && go build -o ../../ugate -v .
 
     - name: Upload ugate
       uses: actions/upload-artifact@v2
diff --git a/.ko.yaml b/.ko.yaml
new file mode 100644
index 0000000..64bba94
--- /dev/null
+++ b/.ko.yaml
@@ -0,0 +1,4 @@
+#defaultBaseImage: docker.io/library/ubuntu:bionic
+
+defaultBaseImage: gcr.io/dmeshgate/ugate-dev:latest
+
diff --git a/.run/go-ugate.run.xml b/.run/go-ugate.run.xml
index 793e8bb..afc5c03 100644
--- a/.run/go-ugate.run.xml
+++ b/.run/go-ugate.run.xml
@@ -8,7 +8,7 @@
     <kind value="DIRECTORY" />
     <package value="github.com/costinm/ugate/cmd/ugate" />
     <directory value="$PROJECT_DIR$/../ugate/cmd/ugate/" />
-    <filePath value="$PROJECT_DIR$/../ugate/cmd/ugate/ugate.go" />
+    <filePath value="$PROJECT_DIR$/cmd/ugate/ugate.go" />
     <method v="2">
       <option name="RunConfigurationTask" enabled="true" run_configuration_name="update" run_configuration_type="MAKEFILE_TARGET_RUN_CONFIGURATION" />
     </method>
diff --git a/.run/push_ko.run.xml b/.run/push_ko.run.xml
new file mode 100644
index 0000000..7eb514d
--- /dev/null
+++ b/.run/push_ko.run.xml
@@ -0,0 +1,8 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="push/ko" type="MAKEFILE_TARGET_RUN_CONFIGURATION" factoryName="Makefile" singleton="false">
+    <makefile filename="$PROJECT_DIR$/../ugate/Makefile" target="push/ko" workingDirectory="" arguments="">
+      <envs />
+    </makefile>
+    <method v="2" />
+  </configuration>
+</component>
\ No newline at end of file
diff --git a/.run/ugate-alice.run.xml b/.run/ugate-alice.run.xml
new file mode 100644
index 0000000..c0ea592
--- /dev/null
+++ b/.run/ugate-alice.run.xml
@@ -0,0 +1,16 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="ugate-alice" type="GoApplicationRunConfiguration" factoryName="Go Application">
+    <module name="dmesh" />
+    <working_directory value="$PROJECT_DIR$/../ugate/cmd/ugate/testdata/alice" />
+    <go_parameters value="-tags gvisor" />
+    <envs>
+      <env name="xGODEBUG" value="http2debug=2" />
+      <env name="GVISOR" value="dmesh0" />
+    </envs>
+    <kind value="DIRECTORY" />
+    <package value="github.com/costinm/ugate/cmd/ugate" />
+    <directory value="$PROJECT_DIR$/../ugate/cmd/ugatex/" />
+    <filePath value="$PROJECT_DIR$/../ugate/cmd/ugate/ugate.go" />
+    <method v="2" />
+  </configuration>
+</component>
\ No newline at end of file
diff --git a/.run/ugate-bob.run.xml b/.run/ugate-bob.run.xml
new file mode 100644
index 0000000..41f4d8a
--- /dev/null
+++ b/.run/ugate-bob.run.xml
@@ -0,0 +1,16 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="ugate-bob" type="GoApplicationRunConfiguration" factoryName="Go Application">
+    <module name="dmesh" />
+    <working_directory value="$PROJECT_DIR$/../ugate/cmd/ugate/testdata/bob" />
+    <go_parameters value="-tags lwip" />
+    <envs>
+      <env name="xGODEBUG" value="http2debug=2" />
+      <env name="LWIP" value="dmesh1" />
+    </envs>
+    <kind value="DIRECTORY" />
+    <package value="github.com/costinm/ugate/cmd/ugate" />
+    <directory value="$PROJECT_DIR$/../ugate/cmd/ugatex/" />
+    <filePath value="$PROJECT_DIR$/../ugate/cmd/ugate/ugate.go" />
+    <method v="2" />
+  </configuration>
+</component>
\ No newline at end of file
diff --git a/.run/ugate-carol.run.xml b/.run/ugate-carol.run.xml
new file mode 100644
index 0000000..639327a
--- /dev/null
+++ b/.run/ugate-carol.run.xml
@@ -0,0 +1,14 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="ugate-carol" type="GoApplicationRunConfiguration" factoryName="Go Application">
+    <module name="dmesh" />
+    <working_directory value="$PROJECT_DIR$/../ugate/cmd/ugate/testdata/carol" />
+    <envs>
+      <env name="xGODEBUG" value="http2debug=2" />
+    </envs>
+    <kind value="DIRECTORY" />
+    <package value="github.com/costinm/ugate/cmd/ugate" />
+    <directory value="$PROJECT_DIR$/../ugate/cmd/ugate/" />
+    <filePath value="$PROJECT_DIR$/../ugate/cmd/ugate/ugate.go" />
+    <method v="2" />
+  </configuration>
+</component>
\ No newline at end of file
diff --git a/.run/ugate-gate.run.xml b/.run/ugate-gate.run.xml
new file mode 100644
index 0000000..492edb9
--- /dev/null
+++ b/.run/ugate-gate.run.xml
@@ -0,0 +1,14 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="ugate-gate" type="GoApplicationRunConfiguration" factoryName="Go Application">
+    <module name="dmesh" />
+    <working_directory value="$PROJECT_DIR$/../ugate/cmd/ugate/testdata/gate" />
+    <envs>
+      <env name="xGODEBUG" value="http2debug=2" />
+    </envs>
+    <kind value="DIRECTORY" />
+    <package value="github.com/costinm/ugate/cmd/ugate" />
+    <directory value="$PROJECT_DIR$/../ugate/cmd/ugate/" />
+    <filePath value="$PROJECT_DIR$/../ugate/cmd/ugate/ugate.go" />
+    <method v="2" />
+  </configuration>
+</component>
\ No newline at end of file
diff --git a/.run/ugate-s1.run.xml b/.run/ugate-s1.run.xml
new file mode 100644
index 0000000..3764101
--- /dev/null
+++ b/.run/ugate-s1.run.xml
@@ -0,0 +1,14 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="ugate-s1" type="GoApplicationRunConfiguration" factoryName="Go Application">
+    <module name="dmesh" />
+    <working_directory value="$PROJECT_DIR$/../ugate/cmd/ugate/testdata/s1" />
+    <envs>
+      <env name="XGODEBUG" value="http2debug=2" />
+    </envs>
+    <kind value="DIRECTORY" />
+    <package value="github.com/costinm/ugate/cmd/ugate" />
+    <directory value="$PROJECT_DIR$/../ugate/cmd/ugate/" />
+    <filePath value="$PROJECT_DIR$/../ugate/cmd/ugate/ugate.go" />
+    <method v="2" />
+  </configuration>
+</component>
\ No newline at end of file
diff --git a/.run/ugate.run.xml b/.run/ugate.run.xml
index 1b27a52..6630763 100644
--- a/.run/ugate.run.xml
+++ b/.run/ugate.run.xml
@@ -1,6 +1,7 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="ugate" type="CloudCodeCloudRunConfigurationType" factoryName="CloudCodeCloudDeployRunConfigurationFactory" show_console_on_std_err="false" show_console_on_std_out="false" gcpProject="{&quot;googleUsername&quot;:&quot;costin@gmail.com&quot;,&quot;projectId&quot;:&quot;dmeshgate&quot;,&quot;projectName&quot;:&quot;dmeshgate&quot;,&quot;projectNumber&quot;:584624515903}" imageBuilder="{&quot;name&quot;:&quot;Docker&quot;,&quot;payload&quot;:{&quot;path&quot;:&quot;Dockerfile&quot;}}">
     <option name="allowRunningInParallel" value="false" />
+    <option name="buildEnvironment" value="Local" />
     <option name="buildpacksEnv">
       <map />
     </option>
@@ -17,6 +18,9 @@
     <option name="environmentVariables">
       <map />
     </option>
+    <option name="gcbSettings">
+      <GoogleCloudBuildSettings />
+    </option>
     <option name="gkeClusterLocation" />
     <option name="gkeClusterName" />
     <option name="gkeClusterNamespace" value="default" />
@@ -29,12 +33,14 @@
     <option name="memoryAllocated" value="MIB_256" />
     <option name="minInstances" value="" />
     <option name="platform" value="FULLY_MANAGED" />
+    <option name="projectPathOnTarget" />
     <option name="selectedOptions">
       <list />
     </option>
     <option name="serviceAccount" value="" />
     <option name="serviceName" value="ugate" />
     <option name="timeout" value="900" />
+    <option name="vpcConnector" value="" />
     <method v="2" />
   </configuration>
 </component>
\ No newline at end of file
diff --git a/.run/ugate_Dockerfile.run.xml b/.run/ugate_Dockerfile.run.xml
index ab066d3..73aa650 100644
--- a/.run/ugate_Dockerfile.run.xml
+++ b/.run/ugate_Dockerfile.run.xml
@@ -2,11 +2,9 @@
   <configuration default="false" name="ugate/Dockerfile" type="docker-deploy" factoryName="dockerfile" server-name="Docker">
     <deployment type="dockerfile">
       <settings>
-        <option name="imageTag" value="costinm/ugate:latest" />
-        <option name="buildCliOptions" value="" />
-        <option name="command" value="" />
+        <option name="imageTag" value="gcr.io/dmeshgate/ugate:latest" />
+        <option name="buildOnly" value="true" />
         <option name="containerName" value="ugate" />
-        <option name="entrypoint" value="" />
         <option name="envVars">
           <list>
             <DockerEnvVarImpl>
diff --git a/Dockerfile b/Dockerfile
index eb12167..5324a56 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,9 @@
-#FROM golang:latest AS build
 FROM golang:alpine AS build
+
 #RUN apk add --no-cache git
 
 RUN env
 
-# Default is /go directory, which is set a GOPATH
-# That doesn't work with go.mod
 WORKDIR /ws
 
 ENV GO111MODULE=on
@@ -13,24 +11,25 @@ ENV CGO_ENABLED=0
 ENV GOOS=linux
 ENV GOPROXY=https://proxy.golang.org
 
-COPY . .
+COPY go.* ./
+COPY cmd cmd
+COPY dns dns
+COPY webpush webpush
+COPY pkg pkg
+COPY ext ext
+COPY *.go ./
+
+# COPY . .
 
 # Runs in /go directory
-RUN go build -a -gcflags='all=-N -l' -ldflags '-extldflags "-static"' \
-  -o ugate ./cmd/ugate
+RUN cd cmd/ugate && go build -a -gcflags='all=-N -l' -ldflags '-extldflags "-static"' \
+  -o ../../ugate ./
 
 FROM alpine:latest
 
-## Same base as Istio debug
-#FROM ubuntu:bionic AS wps
-# Or distroless
-#FROM docker.io/istio/base:default AS wps
-#RUN apt-get update && apt install less net-tools
-
 COPY --from=build /ws/ugate /usr/local/bin/ugate
-COPY --from=build /ws/cmd/ugate/iptables.sh /usr/local/bin/
+COPY --from=build /ws/cmd/iptables.sh /usr/local/bin/
 COPY --from=build /ws/cmd/ugate/run.sh /usr/local/bin/
-#COPY --from=build /ws/dlv /usr/local/bin/dlv
 
 RUN apk add iptables ip6tables make &&\
     mkdir -p /var/lib/istio && \
@@ -49,11 +48,12 @@ RUN mkdir -p /etc/certs && \
     chown -R 1337 /etc/certs /etc/istio /var/lib/istio
 
 EXPOSE 15007
+EXPOSE 8081
 EXPOSE 8080
 EXPOSE 15009
 EXPOSE 15003
 
-ENV PORT=8080
+#ENV PORT=8080
 
 # Defaults
 #COPY ./var/lib/istio /var/lib/istio/
diff --git a/Makefile b/Makefile
index 434a2e6..9efccaf 100644
--- a/Makefile
+++ b/Makefile
@@ -1,29 +1,31 @@
-OUT=${PWD}/build
-
-#include ${HOME}/.hosts.mk
 ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+OUT=${ROOT_DIR}/out
 
-run/home:
-	HOST=ugate $(MAKE) run
+IMAGE ?= gcr.io/dmeshgate/ugate
+KO_DOCKER_REPO ?= gcr.io/dmeshgate/ugate
+#KO_DOCKER_REPO ?= costinm/ugate
+export KO_DOCKER_REPO
 
-run/c1:
-	HOST=v $(MAKE) run
 
-# Must have a $HOME/ugate dir
-run:
-	(cd ./cmd/ugate; CGO_ENABLED=0 go build -o ${OUT}/ugate .)
-	ssh ${HOST} pkill ugate || true
-	scp ${OUT}/ugate ${HOST}:/x/ugate
-	ssh  ${HOST} "cd /x/ugate; HOME=/x/ugate /x/ugate/ugate"
 
-update:
-	yq -j < cmd/ugate/testdata/ugate.yaml > cmd/ugate/testdata/ugate.json
+deploy: deploy/cloudrun deploy/helm
 
-IMAGE ?= gcr.io/dmeshgate/ugate
+deploy/cloudrun: docker push/ugate run/cloudrun
+
+deploy/helm: docker push/ugate run/helm
 
 docker:
 	docker build -t ${IMAGE}:latest .
 
+docker/dev:
+	docker build -t ${IMAGE}-dev:latest -f tools/dev/Dockerfile .
+
+push/dev:
+	docker push ${IMAGE}-dev:latest
+
+run/dev:
+	 docker run -it --entrypoint /bin/bash gcr.io/dmeshgate/ugate-dev:latest
+
 run/docker-image:
 	docker run -P -v /ws/dmesh-src/work/s1:/var/lib/istio \
 		-v ${ROOT_DIR}:/ws \
@@ -43,41 +45,36 @@ run/docker-test:
 	   ${IMAGE}:latest \
 	   /ws/build/run.sh
 
-export KO_DOCKER_REPO=gcr.io/dmeshgate
-#export KO_DOCKER_REPO=costinm
-
-push/ko:
-	ko publish ./cmd/ugate -B
 
 push/docker.ugate: docker push/ugate
 
 push/ugate:
 	docker push ${IMAGE}:latest
 
-build/android:
-	cd android && gomobile bind -a -ldflags '-s -w' -target android -o android/ugate.aar .
-
 
 # Using Intellij plugin: missing manifest features
 # Build with buildpack: 30 sec to deploy
 # Build with docker: 26 sec
 # Both use skaffold
+# Faster than docker.
+push/ko:
+	(cd  cmd/ugate && ko publish . --bare)
 
 # Run ugate in cloudrun.
 # Storage: Env variables, GCP resources (buckets,secrets,k8s)
 # Real cert, OIDC tokens via metadata server.
-cr/run: #push/docker.ugate
-	gcloud beta run services replace k8s/cr.yaml --platform managed --project dmeshgate --region us-central1
+# https://ugate-yydsuf6tpq-uc.a.run.app
+run/cloudrun: #push/docker.ugate
+	gcloud beta run services replace manifests/knative-ugate.yaml --platform managed --project dmeshgate --region us-central1
+	gcloud run services update-traffic ugate --to-latest --platform managed --project dmeshgate --region us-central1
+
+run/cloudrun2: #push/docker.ugate
+	gcloud beta run services replace manifests/knative-ugate.yaml --platform managed --project dmeshgate --region us-central1
 	gcloud run services update-traffic ugate --to-latest --platform managed --project dmeshgate --region us-central1
 
-gcp/secret:
-	# projects/584624515903/secrets/ugate-key
-	gcloud secrets create <SECRET-NAME> \
-		--data-file <PATH-TO-SECRET-FILE> \
-		--replication-policy user-managed \
-		--project dmeshgate \
-		--format json \
-		--quiet
+run/helm:
+	helm upgrade --install --create-namespace ugate --namespace ugate manifests/ugate/
+
 
 test/run-iptables:
 	docker run -P  \
@@ -92,26 +89,45 @@ test/run-iptables:
 
 # Should be run in docker, as root
 test/iptables:
+	mkdir build
 	./cmd/ugate/iptables.sh
-	iptables-save |grep ISTIO > build/iptables_def.out
-	diff build/iptables_def.out cmd/ugate/testdata/iptables/iptables_def.out
+	iptables-save |grep ISTIO > ${OUT}/iptables_def.out
+	diff ${OUT}/iptables_def.out cmd/ugate/testdata/iptables/iptables_def.out
 
 	INBOUND_PORTS_EXCLUDE=1000,1001 OUTBOUND_PORTS_EXCLUDE=2000,2001 ./cmd/ugate/iptables.sh
-	iptables-save |grep ISTIO > build/iptables_ex.out
-	diff build/iptables_ex.out cmd/ugate/testdata/iptables/iptables_ex.out
+	iptables-save |grep ISTIO > ${OUT}/iptables_ex.out
+	diff ${OUT}/iptables_ex.out cmd/ugate/testdata/iptables/iptables_ex.out
 
 	IN=443 ./cmd/ugate/iptables.sh
-	iptables-save |grep ISTIO > build/iptables_443.out
-	diff build/iptables_443.out cmd/ugate/testdata/iptables/iptables_443.out
+	iptables-save |grep ISTIO > ${OUT}/iptables_443.out
+	diff ${OUT}/iptables_443.out cmd/ugate/testdata/iptables/iptables_443.out
 
 	IN=80,443 OUT=5201,5202 ./cmd/ugate/iptables.sh
-	iptables-save |grep ISTIO > build/iptables_443_5201.out
-	diff build/iptables_443_5201.out cmd/ugate/testdata/iptables/iptables_443_5201.out
+	iptables-save |grep ISTIO > ${OUT}/iptables_443_5201.out
+	diff ${OUT}/iptables_443_5201.out cmd/ugate/testdata/iptables/iptables_443_5201.out
+
+okteto:
+	#icurl https://get.okteto.com -sSfL | sh
+	okteto up
+
+HOSTS=c1 home
+
+## For debug
+run/home:
+	HOST=ugate $(MAKE) remote/_run
+
+run/c1:
+	HOST=v $(MAKE) remote/_run
 
+build:
+	(cd ./cmd/ugate; CGO_ENABLED=0 go build -o ${OUT}/ugate .)
+
+# Must have a $HOME/ugate dir
+remote/_run: build
+	ssh ${HOST} pkill ugate || true
+	scp ${OUT}/ugate ${HOST}:/x/ugate
+	ssh  ${HOST} "cd /x/ugate; HOME=/x/ugate /x/ugate/ugate"
+
+update:
+	yq -j < cmd/ugate/testdata/ugate.yaml > cmd/ugate/testdata/ugate.json
 
-image/stargz:
-	#go install github.com/google/crfs/stargz/stargzify@latest
-	#stargzify file:/tmp/input.tgz file:out.tgz
-	#stargzify -insecure ubuntu http://registry:5000:/path/ubuntu:stargz
-	#stargzify -flatten ubuntu gcr.io/costinm/path/ubuntu:flatstargz
-	stargzify -upgrade ${IMAGE}
diff --git a/bin/ko-build.sh b/bin/ko-build.sh
new file mode 100755
index 0000000..90d078b
--- /dev/null
+++ b/bin/ko-build.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+
+#set -e
+
+if ! [ -x "$(command -v ko)" ]; then
+    GO111MODULE=on go get github.com/google/ko@latest
+fi
+
+export KO_DOCKER_REPO=$(echo $IMAGE | cut -d: -f 1)
+TAG=$(echo $IMAGE | cut -d: -f 2)
+
+
+env
+
+#export GOMAXPROCS=1
+
+# Default
+#export KO_CONFIG_PATH=$BUILD_CONTEXT
+
+export GOROOT=$(go env GOROOT)
+
+# Set by skaffold
+echo IMAGE=$IMAGE
+echo KO_CONFIG_PATH=$KO_CONFIG_PATH
+echo BUILD_CONTEXT=$BUILD_CONTEXT
+echo KUBECONTEXT=$KUBECONTEXT
+echo NAMESPACE=$NAMESPACE
+
+#cd ${HOME}/src/istio
+
+export GGCR_EXPERIMENT_ESTARGZ=1
+
+#output=$(ko publish ./pilot/cmd/pilot-discovery  -t $TAG  | tee)
+# --insecure-registry
+# -B - use the repo + last part of cmd
+output=$(ko publish --bare ./cmd/ugate -t $TAG  | tee)
+
+ref=$(echo $output | tail -n1)
+
+# Doesn't work if image is not local (ko.local)
+#docker tag $ref $IMAGE
+#if $PUSH_IMAGE; then
+#    docker push $IMAGE
+#fi
+
+
+
+# IMAGE: localhost:5001/wps:TAG
+
+# -B - use last component of the name
+
+T=$(echo $IMAGE | cut -d: -f 3)
+TAG=${T:-latest}
+
+echo TAG $TAG
+
+output=$(ko publish ./cmd/wps --insecure-registry \
+ -t $TAG --disable-optimizations -B | tee)
+
+
+ref=$(echo $output | tail -n1)
+
+# Doesn't work - image is not local
+#docker tag $ref $IMAGE
+#if $PUSH_IMAGE; then
+#    docker push $IMAGE
+#fi
diff --git a/cmd/hbone/hbone.go b/cmd/hbone/hbone.go
new file mode 100644
index 0000000..bf7a811
--- /dev/null
+++ b/cmd/hbone/hbone.go
@@ -0,0 +1,84 @@
+package main
+
+import (
+	"flag"
+	"io"
+	"log"
+	"net/http"
+	"os"
+
+	"github.com/costinm/ugate"
+	"github.com/costinm/ugate/pkg/auth"
+	"github.com/costinm/ugate/pkg/ugatesvc"
+)
+
+
+var (
+	verbose = flag.Bool("v", false, "Verbose messages")
+)
+
+var hc *http.Client
+
+// Create a HBONE tunnel to a given URL.
+//
+// Current client is authenticated using local credentials, or a kube.json file. If no kube.json is found, one
+// will be generated.
+//
+//
+//
+// Example:
+// ssh -v -o ProxyCommand='wp -nc https://c1.webinf.info:443/dm/PZ5LWHIYFLSUZB7VHNAMGJICH7YVRU2CNFRT4TXFFQSXEITCJUCQ:22'  root@PZ5LWHIYFLSUZB7VHNAMGJICH7YVRU2CNFRT4TXFFQSXEITCJUCQ
+//
+// Bug: %h:%p doesn't work, ssh uses lower case and confuses the map.
+func main() {
+	flag.Parse()
+
+	config := ugatesvc.NewConf("./", "./var/lib/dmesh/")
+	authz := auth.NewAuth(config, "", "")
+
+	ug := ugatesvc.New(config, authz, nil)
+
+	hc = &http.Client{
+		Transport: ug,
+	}
+
+
+	url := ""
+	if len(os.Args) > 1 {
+		url = os.Args[1]
+	}
+	if url == "" {
+		log.Fatal("Expecting URL")
+	}
+
+	Netcat(ug, url)
+}
+
+func Netcat(ug *ugatesvc.UGate, s string) {
+	i, o := io.Pipe()
+	r, _ := http.NewRequest("POST", s, i)
+	res, err := ug.RoundTrip(r)
+	if err != nil {
+		log.Fatal(err)
+	}
+	nc := ugate.NewStreamRequestOut(r, o, res, nil)
+	go func() {
+		b1 := make([]byte, 1024)
+		for {
+			n, err := nc.Read(b1)
+			if err != nil {
+				log.Fatal("Tun read err", err)
+			}
+			os.Stdout.Write(b1[0:n])
+		}
+	}()
+	b1 := make([]byte, 1024)
+	for {
+		n, err := os.Stdin.Read(b1)
+		if err != nil {
+			log.Fatal("Stding read err", err)
+		}
+		nc.Write(b1[0:n])
+	}
+}
+
diff --git a/cmd/test.sh b/cmd/test.sh
index a859f51..eace4f0 100755
--- a/cmd/test.sh
+++ b/cmd/test.sh
@@ -25,6 +25,7 @@ prepare_root() {
 }
 
 # setup test rig
+# Alice: 6400, gvisor=(10.11.0.x, 10.10.0.x),
 test_setup() {
   _do_start iperf3 ${TOP} iperf3 -s
   _do_start gate ${TOP}/cmd/ugate/testdata/gate ${TOP}/build/ugate
@@ -33,15 +34,39 @@ test_setup() {
 }
 
 test_run() {
-  # Direct access
+  echo Direct access - loopback iperf3 :5201
   iperf3 -c localhost:5201
-  # Via ugate, whitebox TCP capture
-  iperf3 -c localhost:12111
+  iperf3  -c 127.0.0.1 -p 5201 -u -b 4G
+  iperf3  -c 10.1.10.228 -p 5201 -u -b 4G
 
-  # Via routes
-  iperf3 -c 10.13.0.1:12111
-  iperf3 -c 10.15.0.1:12211
-  iperf3 -c 10.17.0.1:15311
+  echo Alice:gvisor, tun network, listener by :port
+  # Also: 10.10.0.2
+  iperf3 -c 10.11.0.3 -p 6412
+
+  echo Alice:gvisor-loopback - using the socket listener
+  iperf3 -c 10.11.0.1 -p 6412
+
+  echo Alice-QUIC-Gate-5201
+  iperf3  -c 127.0.0.1 -p 5411
+  iperf3  -c 127.0.0.1 -p 5411 -R
+
+  echo Gate-RQUIC-Alice-5201
+  iperf3  -c 127.0.0.1 -p 6013
+  iperf3  -c 127.0.0.1 -p 6013 -R
+
+  echo Bob-H2-Gate-5201
+  iperf3  -c 127.0.0.1 -p 5111
+  iperf3  -c 127.0.0.1 -p 5111 -R
+
+  echo Gate-H2R-Bob-5201
+  iperf3  -c 127.0.0.1 -p 6012
+  iperf3  -c 127.0.0.1 -p 6012 -R
+
+  #nuttcp -t -P 8888 -p 9999 -R 20G -u -i1s 127.0.0.1
+  #nuttcp -S  -P 8888
+
+  #iperf3  -c 10.1.10.228 -p 15101 -b 4G #-t 50000
+  #
 }
 
 test_cleanup() {
diff --git a/cmd/tun_setup.sh b/cmd/tun_setup.sh
index 2ab0c0d..4cae497 100755
--- a/cmd/tun_setup.sh
+++ b/cmd/tun_setup.sh
@@ -9,15 +9,17 @@
 export TUNUSER=${TUNUSER:-istio-proxy}
 export N=${N:-0}
 
-echo Create dmesh${N}. owned by ${TUNUSER}
-echo Address: 10.11.${N}.1
-echo 10.10.${N}.0/24 will be routed to dmesh${N}
-
 # Create a TUN device.
 setupTUN() {
+  echo Create dmesh${N}. owned by ${TUNUSER}
+  echo Address: TUN=10.11.${N}.1 GVISOR=10.11.${N}.2
+  echo 10.10.${N}.0/24 will be routed to dmesh${N}
+
   ip tuntap add dev dmesh${N} mode tun user ${TUNUSER} group ${TUNUSER}
   ip addr add 10.11.${N}.1/24 dev dmesh${N}
-  # No IP6 address - confuses linux
+  # IP6 address may confuse linux
+  ip -6 addr add fd::1:${N}/64 dev dmesh${N}
+
   ip link set dmesh${N} up
 
   # Route various ranges to dmesh1 - the gate can't initiate its own
@@ -25,12 +27,32 @@ setupTUN() {
   # ip route add fd::/8 dev ${N}
   ip route add 10.10.${N}.0/24 dev dmesh${N}
 
+
   # Don't remember why this was required
   echo 2 > /proc/sys/net/ipv4/conf/dmesh${N}/rp_filter
   sysctl -w net.ipv4.ip_forward=1
 }
 
-# Setup routes
+cleanup() {
+  # App must be stopped
+  ip tuntap del dev dmesh${N} mode tun
+
+  ip rule delete  fwmark 1{N}1 priority 10  lookup 1{N}1
+  ip route del default dev dmesh${N} table 1{N}1
+
+  ip rule del fwmark 1{N}0 lookup 1{N}0
+  ip rule del iif dmesh${N} lookup 1{N}0
+  ip route del local 0.0.0.0/0 dev lo table 1{N}0
+}
+
+
+# Setup custom rules for egress capture using TUN.
+# Mesh, DNS and VIP addresses should be routed to TUN directly, if
+# DNS provides right modifications this is not needed.
+#
+# This is critical for UDP, where iptables doesn't work.
+# iptables interception for TCP is still faster.
+#
 # - add a routing table (1338) to dmesh
 # - all packets with mark 1338 will use the new routing table
 # - route 10.10.0.0/16 via the tun
@@ -50,17 +72,6 @@ setup() {
   #ip route add local ::/0 dev lo table ${N}0
 }
 
-cleanup() {
-  # App must be stopped
-  ip tuntap del dev dmesh${N} mode tun
-
-  ip rule delete  fwmark 1{N}1 priority 10  lookup 1{N}1
-  ip route del default dev dmesh${N} table 1{N}1
-
-  ip rule del fwmark 1{N}0 lookup 1{N}0
-  ip rule del iif dmesh${N} lookup 1{N}0
-  ip route del local 0.0.0.0/0 dev lo table 1{N}0
-}
 
 
 stop() {
@@ -107,8 +118,9 @@ start() {
   iptables -t mangle -A OUTPUT -j DMESH_MANGLE_OUT${N}
 }
 
-if [ "$1" = "setup" ] ; then
+if [ "$1" = "init" ] ; then
   setupTUN
+elif [ "$1" = "setup" ] ; then
   setup
 elif [ "$1" = "start" ] ; then
   start
diff --git a/cmd/ugate/.ko.yaml b/cmd/ugate/.ko.yaml
new file mode 100644
index 0000000..64bba94
--- /dev/null
+++ b/cmd/ugate/.ko.yaml
@@ -0,0 +1,4 @@
+#defaultBaseImage: docker.io/library/ubuntu:bionic
+
+defaultBaseImage: gcr.io/dmeshgate/ugate-dev:latest
+
diff --git a/cmd/ugate/go.mod b/cmd/ugate/go.mod
index 4656939..05f2cd2 100644
--- a/cmd/ugate/go.mod
+++ b/cmd/ugate/go.mod
@@ -4,30 +4,15 @@ go 1.16
 
 replace github.com/costinm/ugate => ../../
 
-replace github.com/costinm/ugate/ext/webrtc => ../../ext/webrtc
-
 replace github.com/costinm/ugate/dns => ../../dns
 
-//replace github.com/costinm/ugate/ext/bootstrap => ../../ext/bootstrap
-
-replace github.com/costinm/ugate/ext/xds => ../../ext/xds
-
-replace github.com/costinm/ugate/ext/h2r => ../../ext/h2r
-
-//replace github.com/costinm/ugate/ext/gvisor => ../../ext/gvisor
-
-//replace github.com/costinm/ugate/ext/lwip => ../../ext/lwip
+replace github.com/costinm/ugate/ext/bootstrap => ../../ext/bootstrap
 
 replace github.com/costinm/ugate/ext/quic => ../../ext/quic
 
-replace github.com/lucas-clemente/quic-go => ../../../quic
-
-//replace github.com/lucas-clemente/quic-go => github.com/costinm/quic v0.5.1-0.20210425224043-9f67435d0255
-
 require (
 	github.com/costinm/ugate v0.0.0-20210425213441-05024f5e8910
 	github.com/costinm/ugate/dns v0.0.0-20210425213441-05024f5e8910
-	github.com/costinm/ugate/ext/bootstrap v0.0.0-20210510001934-3cec7b4617c7 // indirect
-	github.com/lucas-clemente/quic-go v0.20.1 // indirect
+	github.com/costinm/ugate/ext/bootstrap v0.0.0-20210510001934-3cec7b4617c7
 	github.com/miekg/dns v1.1.41 // indirect
 )
diff --git a/cmd/ugate/go.sum b/cmd/ugate/go.sum
index 984d628..79d2a13 100644
--- a/cmd/ugate/go.sum
+++ b/cmd/ugate/go.sum
@@ -1,46 +1,81 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.31.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.37.0 h1:69FNAINiZfsEuwH3fKq8QrAAnHz+2m4XL4kVYi5BX0Q=
 cloud.google.com/go v0.37.0/go.mod h1:TS1dMSSfndXH133OKGwekG838Om/cQT0BUHV3HcBgoo=
+dmitri.shuralyov.com/app/changes v0.0.0-20180602232624-0a106ad413e3 h1:hJiie5Bf3QucGRa4ymsAUOxyhYwGEz1xrsVk0P8erlw=
 dmitri.shuralyov.com/app/changes v0.0.0-20180602232624-0a106ad413e3/go.mod h1:Yl+fi1br7+Rr3LqpNJf1/uxUdtRUV+Tnj0o93V2B9MU=
+dmitri.shuralyov.com/html/belt v0.0.0-20180602232347-f7d459c86be0 h1:SPOUaucgtVls75mg+X7CXigS71EnsfVUK/2CgVrwqgw=
 dmitri.shuralyov.com/html/belt v0.0.0-20180602232347-f7d459c86be0/go.mod h1:JLBrvjyP0v+ecvNYvCpyZgu5/xkfAUhi6wJj28eUfSU=
+dmitri.shuralyov.com/service/change v0.0.0-20181023043359-a85b471d5412 h1:GvWw74lx5noHocd+f6HBMXK6DuggBB1dhVkuGZbv7qM=
 dmitri.shuralyov.com/service/change v0.0.0-20181023043359-a85b471d5412/go.mod h1:a1inKt/atXimZ4Mv927x+r7UpyzRUf4emIoiiSC2TN4=
+dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c h1:ivON6cwHK1OH26MZyWDCnbTRZZf0IhNsENoNAKFS1g4=
 dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D6DFvNNtx+9ybjezNCa8XF0xaYcETyp6rHWU=
+git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999 h1:OR8VhtwhcAI3U48/rzBsVOuHi0zDPzYI1xASVcdSgR8=
 git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
+github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 h1:xJ4a3vCFaGF/jqvzLMYoU8P317H5OQ+Via4RmuPwCS0=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625 h1:ckJgFhFWywOx+YLEMIJsTb+NV6NexWICk5+AMSuz3ss=
 github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
+github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23 h1:D21IyuvjDCshj1/qq+pCNd3VZOAEI9jy6Bi131YlXgI=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
+github.com/census-instrumentation/opencensus-proto v0.2.1 h1:glEXhBS5PSLLv4IXzLA5yPRVX4bilULVyxxbrfOtDAk=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cheekybits/genny v1.0.0 h1:uGGa4nei+j20rOSeDeP5Of12XVm7TGUd4dJA9RDitfE=
 github.com/cheekybits/genny v1.0.0/go.mod h1:+tQajlRqAUrPI7DOSpB0XAqZYtQakVtB7wXkRAgjxjQ=
+github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403 h1:cqQfy1jclcSy/FwLjemeg3SR1yaINm74aQyupQ0Bl8M=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/coreos/go-systemd v0.0.0-20181012123002-c6f51f82210d h1:t5Wuyh53qYyg9eqn4BbnlIT+vmhyww0TatL+zT3uWgI=
 github.com/coreos/go-systemd v0.0.0-20181012123002-c6f51f82210d/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/costinm/ugate/ext/bootstrap v0.0.0-20210510001934-3cec7b4617c7 h1:IaHfE5QgLve2JU7is5ZAr2iyjkuleG67m57z9RGt3zY=
 github.com/costinm/ugate/ext/bootstrap v0.0.0-20210510001934-3cec7b4617c7/go.mod h1:LsvMnoOJ1IKhQhFhT06ArIfCQjpfre6WpoTaJ5Xk7ck=
+github.com/costinm/ugate/ext/h2r v0.0.0-20210425213441-05024f5e8910 h1:VZwVjLnyLJc7DSWrj0ylBX3zU8/RaFfeQNkPCCVViMo=
+github.com/costinm/ugate/ext/h2r v0.0.0-20210425213441-05024f5e8910/go.mod h1:1d8rSNrB60psQhPU3ciwe1z6IWb96+7ugQ08nYtEDsk=
+github.com/costinm/ugate/ext/quic v0.0.0-20210425213441-05024f5e8910 h1:0dacrAzzMXErNprC/DwtZqCKduXGAH6QvOl50YlYerc=
+github.com/costinm/ugate/ext/quic v0.0.0-20210425213441-05024f5e8910/go.mod h1:h/Npcs8NuWA7XUZ4TCF7qjprvnNHtFGQIRJ6k8IuHEw=
+github.com/costinm/ugate/ext/webrtc v0.0.0-20210425213441-05024f5e8910 h1:W1jVbuo/BSet9tumT7qSKOvU+P05oCpKUH56ydmrbwg=
+github.com/costinm/ugate/ext/webrtc v0.0.0-20210425213441-05024f5e8910/go.mod h1:VYvT/VW5e+5wP6FdC1dO1wbi6d09/KS7MLsoLvNaK2I=
+github.com/costinm/ugate/ext/xds v0.0.0-20210425213441-05024f5e8910 h1:z/Dj7eo0f8PQjoCVijl0PBH1f5R0UbmJ/jQiksrFUpo=
+github.com/costinm/ugate/ext/xds v0.0.0-20210425213441-05024f5e8910/go.mod h1:gNg9xkrySEYYmE1q61/1g18+dfnlTS8+N05YA83gpxk=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d h1:QyzYnTnPE15SQyUeqU6qLbWxMkwyAyu+vGksa0b7j00=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
+github.com/francoispqt/gojay v1.2.13 h1:d2m3sFjloqoIUQU3TsHBgj6qg/BVGlTBeHDUmyJnXKk=
 github.com/francoispqt/gojay v1.2.13/go.mod h1:ehT5mTG4ua4581f1++1WLG0vPdaA9HaiDsoyrBGkyDY=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/gliderlabs/ssh v0.1.1 h1:j3L6gSLQalDETeEg/Jg0mGY0/y/N6zI2xX1978P0Uqw=
 github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
+github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/lint v0.0.0-20180702182130-06c8688daad7 h1:2hRPrmiwPrp3fQX967rNJIhQPtiGXdlQWAxKbKw3VHA=
 github.com/golang/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
@@ -59,8 +94,11 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.1 h1:jAbXjIeW2ZSW2AwFxlGTDoc2CjI2XujLkV3ArsZFCvc=
+github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c h1:964Od4U6p2jUkFxvCydnIczKteheJEzHRToSGK3Bnlw=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -69,30 +107,54 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-github v17.0.0+incompatible h1:N0LgJ1j65A7kfXrZnUDaYCs/Sf4rEjNlfyDHW9dolSY=
 github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
+github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
+github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57 h1:eqyIo2HjKhKe/mJzTG8n4VqvLXIOEG+SLdDqX7xGtkY=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.5/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gax-go v2.0.0+incompatible h1:j0GKcs05QVmm7yesiZq2+9cxHkNK9YM6zKx4D2qucQU=
 github.com/googleapis/gax-go v2.0.0+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
+github.com/googleapis/gax-go/v2 v2.0.3 h1:siORttZ36U2R/WjiJuDz8znElWBiAlO9rVt+mqJt0Cc=
 github.com/googleapis/gax-go/v2 v2.0.3/go.mod h1:LLvjysVCY1JZeum8Z6l8qUty8fiNwE08qbEPm1M08qg=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/grpc-ecosystem/grpc-gateway v1.5.0 h1:WcmKMm43DR7RdtlkEXQJyo5ws8iTp98CyhCCbOHMvNI=
 github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw=
+github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1 h1:ujPKutqRlJtcfWk6toYVYagwra7HQHbXOaS171b4Tg8=
 github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU=
+github.com/json-iterator/go v1.1.6 h1:MrUvLMLTMxbqFJ9kzlvat/rYZqZnW3u4wkLzWTaFwKs=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024 h1:rBMNdlhTLzJjJSDIjNEXX1Pz3Hmwmz91v+zycvx9PJc=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/kisielk/errcheck v1.5.0 h1:e8esj/e4R+SAOwFwN+n3zr0nYeCyeweozKfO23MvHzY=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.3 h1:/Um6a/ZmD5tF7peoOJ5oN5KMQ0DrGVQSXLNwyckutPk=
 github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/lucas-clemente/quic-go v0.7.1-0.20210421053939-84e03e59760c h1:IStZo3q+zPJkah6EooTb7QzECGjSlZ5FEmg3k5jcxog=
+github.com/lucas-clemente/quic-go v0.7.1-0.20210421053939-84e03e59760c/go.mod h1:fZq/HUDIM+mW6X6wtzORjC0E/WDBMKe5Hf9bgjISwLk=
+github.com/lucas-clemente/quic-go v0.20.1 h1:hb5m76V8QS/8Nw/suHvXqo3BMHAozvIkcnzpJdpanSk=
+github.com/lucas-clemente/quic-go v0.20.1/go.mod h1:fZq/HUDIM+mW6X6wtzORjC0E/WDBMKe5Hf9bgjISwLk=
+github.com/lunixbochs/vtclean v1.0.0 h1:xu2sLAri4lGiovBDQKxl5mrXyESr3gUr5m5SM5+LVb8=
 github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
+github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe h1:W/GaMY0y69G4cFlmsC6B9sbuo2fP8OFP1ABjt4kPz+w=
 github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/marten-seemann/qpack v0.2.1 h1:jvTsT/HpCn2UZJdP+UUB53FfUUgeOyG5K1ns0OJOGVs=
 github.com/marten-seemann/qpack v0.2.1/go.mod h1:F7Gl5L1jIgN1D11ucXefiuJS9UMVP2opoCp2jDKb7wc=
@@ -100,14 +162,20 @@ github.com/marten-seemann/qtls-go1-15 v0.1.4 h1:RehYMOyRW8hPVEja1KBVsFVNSm35Jj9M
 github.com/marten-seemann/qtls-go1-15 v0.1.4/go.mod h1:GyFwywLKkRt+6mfU99csTEY1joMZz5vmB1WNZH3P81I=
 github.com/marten-seemann/qtls-go1-16 v0.1.3 h1:XEZ1xGorVy9u+lJq+WXNE+hiqRYLNvJGYmwfwKQN2gU=
 github.com/marten-seemann/qtls-go1-16 v0.1.3/go.mod h1:gNpI2Ol+lRS3WwSOtIUUtRwZEQMXjYK+dQSBFbethAk=
+github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/microcosm-cc/bluemonday v1.0.1 h1:SIYunPjnlXcW+gVfvm0IlSeR5U3WZUOLfVmqg85Go44=
 github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4=
 github.com/miekg/dns v1.1.40/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
 github.com/miekg/dns v1.1.41 h1:WMszZWJG0XmzbK9FEmzH2TVcqYzFesusSIB41b8KHxY=
 github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/neelance/astrewrite v0.0.0-20160511093645-99348263ae86 h1:D6paGObi5Wud7xg83MaEFyjxQB1W5bz5d0IFppr+ymk=
 github.com/neelance/astrewrite v0.0.0-20160511093645-99348263ae86/go.mod h1:kHJEU3ofeGjhHklVoIGuVj85JJwZ6kWPaJwCIxgnFmo=
+github.com/neelance/sourcemap v0.0.0-20151028013722-8c68805598ab h1:eFXv9Nu1lGbrNbj619aWwZfVF5HBrm9Plte8aNptuTI=
 github.com/neelance/sourcemap v0.0.0-20151028013722-8c68805598ab/go.mod h1:Qr6/a/Q4r9LP1IltGz7tA7iOK1WonHEYhu1HRBA7ZiM=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
@@ -123,6 +191,7 @@ github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y
 github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc=
 github.com/onsi/gomega v1.11.0 h1:+CqWgvj0OZycCaqclBD1pxKHAU+tOkHmQIWvDHq2aug=
 github.com/onsi/gomega v1.11.0/go.mod h1:azGKhqFUon9Vuj0YmTfLSmx0FUwqXYSTl5re8lQLTUg=
+github.com/openzipkin/zipkin-go v0.1.1 h1:A/ADD6HaPnAKj3yS7HjGHRK77qi41Hi0DirOOIQAeIw=
 github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
 github.com/pion/datachannel v1.4.21 h1:3ZvhNyfmxsAqltQrApLPQMhSFNA+aT87RqyCq4OXmf0=
 github.com/pion/datachannel v1.4.21/go.mod h1:oiNyP4gHx2DIwRzX/MFyH0Rz/Gz05OgBlayAI2hAWjg=
@@ -180,38 +249,70 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v0.8.0 h1:1921Yw9Gc3iSc4VQh3PIoOqgPCZS7G/4xQNVUp8Mda8=
 github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 h1:gQz4mCbXsO+nc9n1hCxHcGA3Zx3Eo+UHZoInFGUIXNM=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e h1:n/3MEhJQjQxrOUCzh1Y3Re6aJUUWRp2M9+Oc3eVn/54=
 github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
+github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273 h1:agujYaXJSxSo18YNX3jzl+4G6Bstwt+kqv47GS12uL0=
 github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
+github.com/sclevine/agouti v3.0.0+incompatible h1:8IBJS6PWz3uTlMP3YBIR5f+KAldcGuOeFkFbUWfBgK4=
 github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZKJ48R1S7H23Ji7oFO5Bw=
+github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/shurcooL/component v0.0.0-20170202220835-f88ec8f54cc4 h1:Fth6mevc5rX7glNLpbAMJnqKlfIkcTjZCSHEeqvKbcI=
 github.com/shurcooL/component v0.0.0-20170202220835-f88ec8f54cc4/go.mod h1:XhFIlyj5a1fBNx5aJTbKoIq0mNaPvOagO+HjB3EtxrY=
+github.com/shurcooL/events v0.0.0-20181021180414-410e4ca65f48 h1:vabduItPAIz9px5iryD5peyx7O3Ya8TBThapgXim98o=
 github.com/shurcooL/events v0.0.0-20181021180414-410e4ca65f48/go.mod h1:5u70Mqkb5O5cxEA8nxTsgrgLehJeAw6Oc4Ab1c/P1HM=
+github.com/shurcooL/github_flavored_markdown v0.0.0-20181002035957-2122de532470 h1:qb9IthCFBmROJ6YBS31BEMeSYjOscSiG+EO+JVNTz64=
 github.com/shurcooL/github_flavored_markdown v0.0.0-20181002035957-2122de532470/go.mod h1:2dOwnU2uBioM+SGy2aZoq1f/Sd1l9OkAeAUvjSyvgU0=
+github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e h1:MZM7FHLqUHYI0Y/mQAt3d2aYa0SiNms/hFqC9qJYolM=
 github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
+github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041 h1:llrF3Fs4018ePo4+G/HV/uQUqEI1HMDjCeOf2V6puPc=
 github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=
+github.com/shurcooL/gofontwoff v0.0.0-20180329035133-29b52fc0a18d h1:Yoy/IzG4lULT6qZg62sVC+qyBL8DQkmD2zv6i7OImrc=
 github.com/shurcooL/gofontwoff v0.0.0-20180329035133-29b52fc0a18d/go.mod h1:05UtEgK5zq39gLST6uB0cf3NEHjETfB4Fgr3Gx5R9Vw=
+github.com/shurcooL/gopherjslib v0.0.0-20160914041154-feb6d3990c2c h1:UOk+nlt1BJtTcH15CT7iNO7YVWTfTv/DNwEAQHLIaDQ=
 github.com/shurcooL/gopherjslib v0.0.0-20160914041154-feb6d3990c2c/go.mod h1:8d3azKNyqcHP1GaQE/c6dDgjkgSx2BZ4IoEi4F1reUI=
+github.com/shurcooL/highlight_diff v0.0.0-20170515013008-09bb4053de1b h1:vYEG87HxbU6dXj5npkeulCS96Dtz5xg3jcfCgpcvbIw=
 github.com/shurcooL/highlight_diff v0.0.0-20170515013008-09bb4053de1b/go.mod h1:ZpfEhSmds4ytuByIcDnOLkTHGUI6KNqRNPDLHDk+mUU=
+github.com/shurcooL/highlight_go v0.0.0-20181028180052-98c3abbbae20 h1:7pDq9pAMCQgRohFmd25X8hIH8VxmT3TaDm+r9LHxgBk=
 github.com/shurcooL/highlight_go v0.0.0-20181028180052-98c3abbbae20/go.mod h1:UDKB5a1T23gOMUJrI+uSuH0VRDStOiUVSjBTRDVBVag=
+github.com/shurcooL/home v0.0.0-20181020052607-80b7ffcb30f9 h1:MPblCbqA5+z6XARjScMfz1TqtJC7TuTRj0U9VqIBs6k=
 github.com/shurcooL/home v0.0.0-20181020052607-80b7ffcb30f9/go.mod h1:+rgNQw2P9ARFAs37qieuu7ohDNQ3gds9msbT2yn85sg=
+github.com/shurcooL/htmlg v0.0.0-20170918183704-d01228ac9e50 h1:crYRwvwjdVh1biHzzciFHe8DrZcYrVcZFlJtykhRctg=
 github.com/shurcooL/htmlg v0.0.0-20170918183704-d01228ac9e50/go.mod h1:zPn1wHpTIePGnXSHpsVPWEktKXHr6+SS6x/IKRb7cpw=
+github.com/shurcooL/httperror v0.0.0-20170206035902-86b7830d14cc h1:eHRtZoIi6n9Wo1uR+RU44C247msLWwyA89hVKwRLkMk=
 github.com/shurcooL/httperror v0.0.0-20170206035902-86b7830d14cc/go.mod h1:aYMfkZ6DWSJPJ6c4Wwz3QtW22G7mf/PEgaB9k/ik5+Y=
+github.com/shurcooL/httpfs v0.0.0-20171119174359-809beceb2371 h1:SWV2fHctRpRrp49VXJ6UZja7gU9QLHwRpIPBN89SKEo=
 github.com/shurcooL/httpfs v0.0.0-20171119174359-809beceb2371/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg=
+github.com/shurcooL/httpgzip v0.0.0-20180522190206-b1c53ac65af9 h1:fxoFD0in0/CBzXoyNhMTjvBZYW6ilSnTw7N7y/8vkmM=
 github.com/shurcooL/httpgzip v0.0.0-20180522190206-b1c53ac65af9/go.mod h1:919LwcH0M7/W4fcZ0/jy0qGght1GIhqyS/EgWGH2j5Q=
+github.com/shurcooL/issues v0.0.0-20181008053335-6292fdc1e191 h1:T4wuULTrzCKMFlg3HmKHgXAF8oStFb/+lOIupLV2v+o=
 github.com/shurcooL/issues v0.0.0-20181008053335-6292fdc1e191/go.mod h1:e2qWDig5bLteJ4fwvDAc2NHzqFEthkqn7aOZAOpj+PQ=
+github.com/shurcooL/issuesapp v0.0.0-20180602232740-048589ce2241 h1:Y+TeIabU8sJD10Qwd/zMty2/LEaT9GNDaA6nyZf+jgo=
 github.com/shurcooL/issuesapp v0.0.0-20180602232740-048589ce2241/go.mod h1:NPpHK2TI7iSaM0buivtFUc9offApnI0Alt/K8hcHy0I=
+github.com/shurcooL/notifications v0.0.0-20181007000457-627ab5aea122 h1:TQVQrsyNaimGwF7bIhzoVC9QkKm4KsWd8cECGzFx8gI=
 github.com/shurcooL/notifications v0.0.0-20181007000457-627ab5aea122/go.mod h1:b5uSkrEVM1jQUspwbixRBhaIjIzL2xazXp6kntxYle0=
+github.com/shurcooL/octicon v0.0.0-20181028054416-fa4f57f9efb2 h1:bu666BQci+y4S0tVRVjsHUeRon6vUXmsGBwdowgMrg4=
 github.com/shurcooL/octicon v0.0.0-20181028054416-fa4f57f9efb2/go.mod h1:eWdoE5JD4R5UVWDucdOPg1g2fqQRq78IQa9zlOV1vpQ=
+github.com/shurcooL/reactions v0.0.0-20181006231557-f2e0b4ca5b82 h1:LneqU9PHDsg/AkPDU3AkqMxnMYL+imaqkpflHu73us8=
 github.com/shurcooL/reactions v0.0.0-20181006231557-f2e0b4ca5b82/go.mod h1:TCR1lToEk4d2s07G3XGfz2QrgHXg4RJBvjrOozvoWfk=
+github.com/shurcooL/sanitized_anchor_name v0.0.0-20170918181015-86672fcb3f95 h1:/vdW8Cb7EXrkqWGufVMES1OH2sU9gKVb2n9/1y5NMBY=
 github.com/shurcooL/sanitized_anchor_name v0.0.0-20170918181015-86672fcb3f95/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/shurcooL/users v0.0.0-20180125191416-49c67e49c537 h1:YGaxtkYjb8mnTvtufv2LKLwCQu2/C7qFB7UtrOlTWOY=
 github.com/shurcooL/users v0.0.0-20180125191416-49c67e49c537/go.mod h1:QJTqeLYEDaXHZDBsXlPCDqdhQuJkuw4NOtaxYe3xii4=
+github.com/shurcooL/webdavfs v0.0.0-20170829043945-18c3829fa133 h1:JtcyT0rk/9PKOdnKQzuDR+FSjh7SGtJwpgVpfZBRKlQ=
 github.com/shurcooL/webdavfs v0.0.0-20170829043945-18c3829fa133/go.mod h1:hKmq5kWdCj2z2KEozexVbfEZIWiTjhE0+UjmZgPqehw=
+github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d h1:yKm7XZV6j9Ev6lojP2XaIshpT4ymkqhMeSghO5Ps00E=
 github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d/go.mod h1:UdhH50NIW0fCiwBSr0co2m7BnFLdv4fQTgdqdJTHFeE=
+github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e h1:qpG93cPwA5f7s/ZPBJnGOYQNK/vKsaDaseuKT5Asee8=
 github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e/go.mod h1:HuIsMU8RRBOtsCgI77wP899iHVBQpCmg4ErYMZB+2IA=
+github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -219,13 +320,20 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07 h1:UyzmZLoiDWMRywV4DUYb9Fbt8uiOSooupjTq10vpvnU=
 github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA=
+github.com/viant/assertly v0.4.8 h1:5x1GzBaRteIwTr5RAGFVG14uNeRFxVNbXPWrK2qAgpc=
 github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49uaYMPRU=
+github.com/viant/toolbox v0.24.0 h1:6TteTDQ68CjgcCe8wH3D3ZhUQQOJXMTbj/D9rkk2a1k=
 github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1 h1:ruQGxdhGHe7FWOJPT0mKs5+pD2Xs1Bm/kdGlHO04FmM=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.opencensus.io v0.18.0 h1:Mk5rgZcggtbvtAun5aJzAtjKKN/t0R3jJPlWILlv938=
 go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA=
+go4.org v0.0.0-20180809161055-417644f6feb5 h1:+hE86LblG4AyDgwMCLTE6FOlM9+qjHSYS+rKqxUVdsM=
 go4.org v0.0.0-20180809161055-417644f6feb5/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE=
+golang.org/x/build v0.0.0-20190111050920-041ab4dc3f9d h1:E2M5QgjZ/Jg+ObCQAudsXxuTsLj7Nl5RV/lZcQZmKSo=
 golang.org/x/build v0.0.0-20190111050920-041ab4dc3f9d/go.mod h1:OWs+y06UdEOHN4y+MfF/py+xQ/tYqIWW03b70/CG9Rw=
 golang.org/x/crypto v0.0.0-20181030102418-4d3f4d9ffa16/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -238,14 +346,17 @@ golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b h1:7mWr3k41Qtv8XlltBkDkl8LoP3mpSgBW8BUoxtEdbXg=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4 h1:c2HOrn5iMezYjSlGPncknSEr/8x5LELb/ilJbXi9DEA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3 h1:XQyxROzUlZH+WIQwySDgnISgOivlhjIEwaQaJEJrrN0=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -271,16 +382,20 @@ golang.org/x/net v0.0.0-20201201195509-5d6afe98e0b7/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 h1:qWPm9rbaAMKs8Bq/9LRpbMqxWRVUAQwMI9fVrssnTfw=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20210420210106-798c2154c571 h1:Q6Bg8xzKzpFPU4Oi1sBnBTHBwlMsLeEXpu4hYBY8rAg=
 golang.org/x/net v0.0.0-20210420210106-798c2154c571/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM=
 golang.org/x/net v0.0.0-20210423184538-5f58ad60dda6 h1:0PC75Fz/kyMGhL0e1QnypqK2kQMqKt9csD1GnMJR+Zk=
 golang.org/x/net v0.0.0-20210423184538-5f58ad60dda6/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421 h1:Wo7BWFiOk0QRFMLYMqJGFMd9CgUAcGx7V+qEg/h5IBI=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/perf v0.0.0-20180704124530-6e6d33e29852 h1:xYq6+9AtI+xP3M4r0N1hCkHrInHDBohhquRgx9Kk6gI=
 golang.org/x/perf v0.0.0-20180704124530-6e6d33e29852/go.mod h1:JLpeXjPJfIyPr5TlbXLkXWLhP8nz10XfvxElABhCtcw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -311,24 +426,29 @@ golang.org/x/sys v0.0.0-20201231184435-2d18734c6014/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210303074136-134d130e1a04 h1:cEhElsAv9LUt9ZUUocxzWe05oFLVd+AA2nstydTeI8g=
 golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe h1:WdX7u8s3yOigWAhHEaDl8r9G+4XwFQEQFtBMYyN+kXQ=
 golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7 h1:iGu644GcxtEcrInvDsQRCwJjtCIOlT2V7IRt6ah2Whw=
 golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c h1:fqgJT0MGcGpPgpWU7VRdRjuArfcOvC4AoJmILihzhDg=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -343,6 +463,7 @@ golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapK
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a h1:CB3a9Nez8M13wwlr/E2YtwoU+qYHKfC+JrDa45RXXoQ=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -352,10 +473,12 @@ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1N
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.0.0-20180910000450-7ca32eb868bf/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0=
 google.golang.org/api v0.0.0-20181030000543-1d582fd0359e/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0=
+google.golang.org/api v0.1.0 h1:K6z2u68e86TPdSdefXdzvXgR1zEMa+459vBSfWYAZkI=
 google.golang.org/api v0.1.0/go.mod h1:UGEZY7KEX120AnNLIHFMKIo4obdJhkp2tPbaPlQx13Y=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20180831171423-11092d34479b/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
@@ -363,6 +486,7 @@ google.golang.org/genproto v0.0.0-20181029155118-b69ba1387ce2/go.mod h1:JiN7NxoA
 google.golang.org/genproto v0.0.0-20181202183823-bd91e49a0898/go.mod h1:7Ep/1NZk928CDR8SjdVbjWNpdIf6nzjE3BTgJDr2Atg=
 google.golang.org/genproto v0.0.0-20190306203927-b5d61aea6440/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 h1:+kGHl1aib/qcwaRi1CbqBZ1rk19r85MNUf8HaBghugY=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20210423144448-3a41ef94ed2b h1:Rt15zyw7G2yfLqmsjEa1xICjWEw+topkn7vEAR6bVPk=
 google.golang.org/genproto v0.0.0-20210423144448-3a41ef94ed2b/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
@@ -390,8 +514,11 @@ google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/l
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
@@ -403,10 +530,14 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+grpc.go4.org v0.0.0-20170609214715-11d0a25b4919 h1:tmXTu+dfa+d9Evp8NpJdgOy6+rt8/x4yG7qPBrtNfLY=
 grpc.go4.org v0.0.0-20170609214715-11d0a25b4919/go.mod h1:77eQGdRu53HpSqPFJFmuJdjuHRquDANNeA4x7B8WQ9o=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc h1:/hemPrYIhOhy8zYrNj+069zDB68us2sMGsfkFJO0iZs=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+sourcegraph.com/sourcegraph/go-diff v0.5.0 h1:eTiIR0CoWjGzJcnQ3OkhIl/b9GJovq4lSAVRt0ZFEG8=
 sourcegraph.com/sourcegraph/go-diff v0.5.0/go.mod h1:kuch7UrkMzY0X+p9CRK03kfuPQ2zzQcaEFbx8wA8rck=
+sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4 h1:JPJh2pk3+X4lXAkZIk2RuE/7/FoK9maXw+TNPJhVS/c=
 sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0=
diff --git a/cmd/ugate/skaffold.yaml b/cmd/ugate/skaffold.yaml
new file mode 100644
index 0000000..d95d96a
--- /dev/null
+++ b/cmd/ugate/skaffold.yaml
@@ -0,0 +1,53 @@
+apiVersion: skaffold/v2beta14
+kind: Config
+metadata:
+  name:  ugate
+
+build:
+  tagPolicy:
+    dateTime:
+      format: "2006-01-02_15-04"
+
+  artifacts:
+    - image: grc.io/dmeshgate/ugate
+      context: .
+
+      sync:
+        manual:
+          - src: "../../www/**"
+            dest: "www"
+
+      custom:
+        buildCommand: ../../bin/ko-build.sh
+        dependencies:
+          # Explicit - can also guess from Dockerfile
+          paths:
+            - "../../pkg/**"
+            - "../../ext/**"
+            - "."
+            - "go.mod"
+            - "go.sum"
+
+deploy:
+  kubectl:
+    manifests:
+      - ../../k8s/ugate/templates/*
+
+portForward:
+  - resourceType: deployment
+    namespace: wps
+    resourceName: wps
+    port: 5222
+    localPort: 14022
+
+  - resourceType: deployment
+    namespace: wps
+    resourceName: wps
+    port: 5227
+    localPort: 14027
+
+  - resourceType: deployment
+    namespace: wps
+    resourceName: wps
+    port: 15000
+    localPort: 14000
diff --git a/cmd/ugate/testdata/alice/ugate.json b/cmd/ugate/testdata/alice/ugate.json
index 246e842..9eb9915 100644
--- a/cmd/ugate/testdata/alice/ugate.json
+++ b/cmd/ugate/testdata/alice/ugate.json
@@ -3,6 +3,24 @@
   "tunProto": ["h2r"],
   "basePort": 6400,
   "listeners": {
+    "10.10.0.2:6412": {
+      "forwardTo": "127.0.0.1:5201"
+    },
+    "udp://10.10.0.2:6412": {
+      "forwardTo": "127.0.0.1:5201"
+    },
+    ":6414": {
+      "forwardTo": "127.0.0.1:5201"
+    },
+    "udp://:6414": {
+      "forwardTo": "127.0.0.1:5201"
+    },
+    ":6412": {
+      "forwardTo": "127.0.0.1:5201"
+    },
+    ":6413": {
+      "forwardTo": "/echo"
+    },
     ":6411": {
       "forwardTo": "GJU4ACOW36Q3IBL45T2TRQ63M6FNQYEJMLPJNDJETIOVIEFD7MGQ:5201"
     }
diff --git a/cmd/ugate/ugate_test.go b/cmd/ugate/ugate_test.go
index 26c4a18..705e6c9 100644
--- a/cmd/ugate/ugate_test.go
+++ b/cmd/ugate/ugate_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/costinm/ugate"
+	_ "github.com/costinm/ugate/ext/bootstrap"
 	"github.com/costinm/ugate/pkg/cfgfs"
 	"github.com/costinm/ugate/pkg/ugatesvc"
 	"github.com/costinm/ugate/test"
@@ -13,7 +14,7 @@ import (
 
 func TestFull(t *testing.T) {
 	// Fixed key, config from filesystem. Base is 14000
-	alice, err := Run(cfgfs.NewConf("testdata/s1/"), nil)
+	alice, err := Run(cfgfs.NewConf("testdata/alice/"), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -38,13 +39,13 @@ func TestFull(t *testing.T) {
 	cl1 := ugatesvc.New(nil, nil, nil)
 	cl2 := ugatesvc.New(nil, nil, nil)
 
-	con, err := cl1.DialContext(context.Background(), "tcp", "localhost:14011")
+	con, err := cl1.DialContext(context.Background(), "tcp", "127.0.0.1:14011")
 	if err != nil {
 		t.Fatal(err)
 	}
 	_, err = test.CheckEcho(con, con)
 
-	con, err = cl2.DialContext(context.Background(), "tcp", "localhost:14111")
+	con, err = cl2.DialContext(context.Background(), "tcp", "127.0.0.1:14111")
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/cmd/ugatex/go.mod b/cmd/ugatex/go.mod
index 3b1f663..3aab6eb 100644
--- a/cmd/ugatex/go.mod
+++ b/cmd/ugatex/go.mod
@@ -16,15 +16,15 @@ replace github.com/costinm/ugate/ext/xds => ../../ext/xds
 
 replace github.com/costinm/ugate/ext/h2r => ../../ext/h2r
 
-//replace github.com/costinm/ugate/ext/gvisor => ../../ext/gvisor
-
-//replace github.com/costinm/ugate/ext/lwip => ../../ext/lwip
-
 replace github.com/costinm/ugate/ext/quic => ../../ext/quic
 
 replace github.com/lucas-clemente/quic-go => ../../../quic
 
-replace gvisor.dev/gvisor => github.com/costinm/gvisor v0.0.0-20210509154143-a94fe58cda62
+replace github.com/costinm/ugate/ext/gvisor => ../../ext/gvisor
+replace github.com/costinm/ugate/ext/lwip => ../../ext/lwip
+
+//replace gvisor.dev/gvisor => github.com/costinm/gvisor v0.0.0-20210509154143-a94fe58cda62
+replace gvisor.dev/gvisor => ../../../gvisor
 
 replace github.com/eycorsican/go-tun2socks => github.com/costinm/go-tun2socks v1.16.12-0.20210328172757-88f6d54235cb
 
diff --git a/cmd/wp/wp.go b/cmd/wp/wp.go
index 91edcd9..36faed9 100644
--- a/cmd/wp/wp.go
+++ b/cmd/wp/wp.go
@@ -1,31 +1,14 @@
-// Command line tool to generate VAPID keys and tokens
-// The subscription can be provided as JSON, or as separate flags
-// The message to be sent must be provided as stdin or 'msg'
-// The VAPID key pair should be set as environment variables, not in commaond line.
 package main
 
 import (
-	"bufio"
 	"bytes"
-	"context"
-	"crypto"
-	"crypto/rsa"
-	"crypto/x509"
 	"encoding/base64"
-	"encoding/binary"
-	"encoding/json"
-	"encoding/pem"
 	"flag"
 	"fmt"
-	"io"
 	"io/ioutil"
-	"log"
-	"net"
 	"net/http"
 	"net/http/httputil"
 	"os"
-	"strings"
-	"time"
 
 	"github.com/costinm/ugate"
 	"github.com/costinm/ugate/pkg/auth"
@@ -34,141 +17,33 @@ import (
 )
 
 var (
-	to = flag.String("to", "", "Destination, default to local node")
-
-	addr = flag.String("addr", "127.0.0.1:15007", "address:port for the node")
-
-	// Mesh: currently use .ssh/authorized_keys, known_hosts
-	// Webpush: file under .ssh/webpush/NAME or TO. Inside
-	hostid = flag.String("host", "",
-		"Optional email or URL identifying the sender, to look up the subscription")
-
-	sub = flag.String("sub", "", "Subscribe")
-
-	aud  = flag.String("aud", "", "Generate a VAPID key with the given domain. Defaults to https://fcm.googleapis.com")
-
-	watch      = flag.Bool("watch", false, "Watch")
-	recurse      = flag.Bool("r", false, "Crawl and watch all possible nodes")
-
-	pushService = flag.String("server", "", "Base URL for the dmesh service")
-
-
-	jwt=flag.String("jwt", "", "JWT to decode")
-	data=flag.String("data", "", "Message to send, if empty stdin will be used")
-
-	netcat = flag.String("nc", "", "Netcat")
-
-	kubeconfig = flag.Bool("kubeconfig", false, "Generate a kube config with key/cert")
-
-)
-
-var (
+	to = flag.String("to", "", "Destination. A config file or env variable required")
+	data = flag.String("data", "", "Message to send, if empty stdin will be used")
 	verbose = flag.Bool("v", false, "Verbose messages")
 )
 
 var hc *http.Client
 
-const (
-	Subscription = "TO"
-)
-
+// Send a signed and encrypted message to a node, using Webpush protocol.
+//
+// This is used for control and events.
 func main() {
 	flag.Parse()
 
-	if *hostid == "" {
-		*hostid, _ = os.Hostname()
-	}
-
-	if *kubeconfig {
-		config := ugatesvc.NewConf()
-		_ = auth.NewAuth(config, *hostid, "m.webinf.info")
-		gen, _ := config.Get("kube.json")
-		fmt.Println(string(gen))
-		return
-	}
-
+	config := ugatesvc.NewConf("./", "./var/lib/dmesh/")
+	authz := auth.NewAuth(config, "", "")
 
-	cfgDir := "./"
-	config := ugatesvc.NewConf(cfgDir, "./var/lib/dmesh/")
-
-	authz := auth.NewAuth(config, *hostid, "m.webinf.info")
 	ug := ugatesvc.New(config, authz, nil)
 
 	hc = &http.Client{
 		Transport: ug,
 	}
 
-	if *jwt != "" {
-		decode(*jwt, *aud)
-		return
-	}
-
-	if *aud != "" {
-		fmt.Println(authz.VAPIDToken(*aud))
-		return
-	}
-
-	if *netcat != "" {
-		Netcat(ug, *netcat, *addr)
-	}
-
-	if *watch {
-		watchNodes(ug)
-		return
-	}
-
-	if *sub != "" {
-		// Subscribe will add the given host to the list of nodes allowed to
-		// send messages to this node, and generate a subscription similar with
-		// browsers.
-		// Value is the public key of the sender.
-		subsc := subscribe(ug, *sub)
-		fmt.Println(subsc)
-		return
-	}
-
-	sendMessage(ug, *to, authz, *verbose, *data)
+	sendMessage(*to, authz, *verbose, *data)
 }
 
-func Netcat(ug *ugatesvc.UGate, s string, via string) {
-	i, o := io.Pipe()
-	r, _ := http.NewRequest("POST", s, i)
-	res, err := ug.RoundTrip(r)
-	if err != nil {
-		log.Fatal(err)
-	}
-	nc := ugate.NewStreamRequestOut(r, o, res, nil)
-go func() {
-		b1 := make([]byte, 1024)
-		for {
-			n, err := nc.Read(b1)
-			if err != nil {
-				log.Fatal("Tun read err", err)
-			}
-			os.Stdout.Write(b1[0:n])
-		}
-	}()
-	b1 := make([]byte, 1024)
-	for {
-		n, err := os.Stdin.Read(b1)
-		if err != nil {
-			log.Fatal("Stding read err", err)
-		}
-		nc.Write(b1[0:n])
-	}
-}
-
-func subscribe(ug *ugatesvc.UGate, s string) string {
-	// TODO - create local permission/host, generate one for remote
-	// This doesn't require a running server, creates a file.
-	return ""
-}
-
-
-// Send a message.
-func sendMessage(ug *ugatesvc.UGate, toS string, vapid *auth.Auth, show bool,
-	msg string) {
-
+// Send an encrypted message to a node.
+func sendMessage(toS string, vapid *auth.Auth, show bool,	msg string) {
 	var err error
 	if msg == "" {
 		msgB, err := ioutil.ReadAll(os.Stdin)
@@ -183,10 +58,10 @@ func sendMessage(ug *ugatesvc.UGate, toS string, vapid *auth.Auth, show bool,
 	var destPubK []byte
 	var authk []byte
 
-	// browser sub: real webpush
-	wpSub := os.Getenv(Subscription)
-	if len(wpSub) > 0 {
-		to, err := msgs.SubscriptionFromJSON([]byte(wpSub))
+	// Format expected to be same as the browser sub in webpush
+	subs := ugate.ConfStr(vapid.Config, "sub_"+toS, "")
+	if subs != "" {
+		to, err := msgs.SubscriptionFromJSON([]byte(subs))
 		if err != nil {
 			fmt.Println("Invalid endpoint "+flag.Arg(1), err)
 			os.Exit(3)
@@ -194,44 +69,11 @@ func sendMessage(ug *ugatesvc.UGate, toS string, vapid *auth.Auth, show bool,
 		destURL = to.Endpoint
 		destPubK = to.Key
 		authk = to.Auth
-	} else {
-		subs := ugate.ConfStr(vapid.Config, "sub_"+toS+".json", "")
-		if subs != "" {
-			to, err := msgs.SubscriptionFromJSON([]byte(subs))
-			if err != nil {
-				fmt.Println("Invalid endpoint "+flag.Arg(1), err)
-				os.Exit(3)
-			}
-			destURL = to.Endpoint
-			destPubK = to.Key
-			authk = to.Auth
-			if len(authk) == 0 {
-				authk = []byte{1}
-			}
-		} else {
-			//// DMesh nodes - we only have the public key, auth is not sent !
-			//az := vapid.Known[toS]
-			//if az == nil {
-			//	az = vapid.Authz[toS]
-			//}
-			//if az == nil {
-			log.Println("Not found ", toS)
-			//	return
-			//}
-			//destPubK = az.Public
-			//vip := auth.Pub2VIP(destPubK).String()
-			//destURL = "https://[" + vip + "]:5228/push/"
-			//authk = []byte{1}
+		if len(authk) == 0 {
+			authk = []byte{1}
 		}
 	}
 
-	if *pushService != "" {
-		destURL = *pushService + "/push/"
-		//hc = h2.InsecureHttp()
-	} else {
-		//hc = h2.NewSocksHttpClient("127.0.0.1:5224")
-	}
-
 	ec := auth.NewContextSend(destPubK, authk)
 	c, _ := ec.Encrypt([]byte(msg))
 
@@ -253,7 +95,8 @@ func sendMessage(ug *ugatesvc.UGate, toS string, vapid *auth.Auth, show bool,
 	req.Header.Add("authorization", ah)
 	req.Header.Add("Content-Encoding", "aes128gcm")
 
-	//hc := h2.ProxyHttp("127.0.0.1:5203")
+
+
 	res, err := hc.Do(req)
 
 	if res == nil {
@@ -276,276 +119,3 @@ func sendMessage(ug *ugatesvc.UGate, toS string, vapid *auth.Auth, show bool,
 		fmt.Printf(string(dmp))
 	}
 }
-
-// Known nodes and watchers
-var watchers = map[uint64]*watcher{}
-
-// Track a single node
-type watcher struct {
-	Node *ugate.DMNode
-
-	Path []string
-
-	// For crawling
-	dirty bool
-
-	base string
-	ip6  *net.IPAddr
-
-	idhex    string
-	New      bool
-	watching bool
-}
-
-
-// Connect to all known nodes and watch them.
-// Uses the internal debug endpoint for getting connected nodes,
-// and crawls the mesh.
-func watchNodes(ug *ugatesvc.UGate) {
-	ctx := context.Background()
-
-	if *recurse {
-		// Recursive list of all devices in the mesh.
-		for {
-			crawl() // Get nodes connected to our parent ( all directions )
-
-			if !*watch {
-				return // Just crawl.
-			} else {
-				//if *dev == "*" || *dev == "" {
-				//	go msgs.DefaultMux.MonitorNode(hc, nil, nil)
-				//}
-				for _, w := range watchers {
-					//if w.idhex == *dev || *dev == "*" {
-					if !w.watching {
-						w.watching = true
-
-						go func() {
-							log.Println("Watch: ", w.ip6)
-
-							ug.DialMUX(ctx, "quic", w.Node, nil)
-							w.watching = false
-							log.Println("Watch close: ", w.ip6)
-						}()
-					}
-				}
-			}
-			time.Sleep(10 * time.Second)
-			//select {}
-		}
-		return
-	}
-
-	n0 := &ugate.DMNode{
-		Addr: *addr,
-	}
-
-	ug.DialMUX(ctx, "quic", n0, nil)
-}
-
-// Get neighbors from a node. Side effect: updates the watchers table.
-func neighbors(url string, path []string) map[uint64]*ugate.DMNode {
-	req, err := http.NewRequest("GET", url, nil)
-	if err != nil {
-		log.Print("HTTP_ERROR1", url, err)
-		return nil
-	}
-	ctx, _ := context.WithTimeout(context.Background(), 5*time.Second)
-	req = req.WithContext(ctx)
-
-	hcc := hc
-	if strings.HasPrefix(url, "http://127") {
-		hcc = http.DefaultClient
-	}
-	res, err := hcc.Do(req)
-	if err != nil || res.StatusCode != 200 {
-		log.Println("HTTP_ERROR2", url, err)
-		return nil
-	}
-
-	cnodes, _ := ioutil.ReadAll(res.Body)
-	connectedNodes := map[uint64]*ugate.DMNode{}
-	err = json.Unmarshal(cnodes, &connectedNodes)
-	if err != nil {
-		log.Println("HTTP_ERROR_RES", url, err, string(cnodes))
-		return nil
-	}
-
-	if watchers != nil {
-		peers := []string{}
-		// Any node that is new, not yet found in the current watched list.
-		newConnectedNodes := map[uint64]*watcher{}
-		// Nodes already connected
-		oldmap := map[uint64]*watcher{}
-		for k, v := range connectedNodes {
-			w, f := watchers[k]
-			if !f {
-				ip6 := toIP6(k)
-				w = &watcher{Node: v, dirty: true, ip6: ip6,
-					idhex: fmt.Sprintf("%x", k),
-					Path:  path}
-				w.New = true
-				watchers[k] = w
-				newConnectedNodes[k] = w
-			} else {
-				oldmap[k] = w
-			}
-			peers = append(peers, w.idhex)
-		}
-		if *verbose {
-			log.Println("GET", url, len(connectedNodes), peers)
-		}
-	}
-
-	return connectedNodes
-}
-
-// Scan all nodes for neighbors. Watch them if not watched already.
-//
-// - Will first mark all currently known nodes as 'dirty' and 'old'.
-// - For each known node, get a list of connected nodes.
-// - For each connected node, if still connected update and set dirty=false
-// - If new nodes is found, add it as 'New' and 'dirty'.
-//
-// - repeat until all nodes are !dirty
-// - at the end, the set of nodes that are new will be marked as New.
-// -
-//
-func crawl() {
-	for _, v := range watchers {
-		v.dirty = true
-		v.New = false
-	}
-
-	// Will update watchers
-	neighbors("http://127.0.0.1:5227/dmesh/ip6", nil)
-
-	more := true
-
-	for more {
-		more = false
-		for _, v := range watchers {
-			if !v.dirty {
-				continue
-			}
-			more = true
-			p := "/"
-			for _, pp := range v.Path {
-				p = p + pp + "/"
-			}
-			p = p + v.idhex + "/"
-
-			//neighbors("http://127.0.0.1:5227/dm"+p+"/c/dmesh/ip6", append(v.Path, v.idhex))
-			neighbors("http://"+net.JoinHostPort(v.ip6.String(), "5227")+"/dmesh/ip6", append(v.Path, v.idhex))
-			v.dirty = false
-		}
-	}
-
-	for _, v := range watchers {
-		if v.New {
-			log.Println("Node", v.idhex, v.Path, v.Node.NodeAnnounce.UA, v.Node.GWs())
-		}
-	}
-}
-
-func stdinClient(mux *msgs.Mux) {
-	stdin := &msgs.MsgConnection{
-		Name:                "",
-		SubscriptionsToSend: []string{"*"},
-		SendMessageToRemote: func(ev *msgs.Message) error {
-			ba := ev.MarshalJSON()
-			os.Stdout.Write(ba)
-			os.Stdout.Write([]byte{'\n'})
-			return nil
-		},
-	}
-	mux.AddConnection("stdin", stdin)
-
-	go func() {
-		br := bufio.NewReader(os.Stdin)
-		for {
-			line, _, err := br.ReadLine()
-			if err != nil {
-				break
-			}
-			if len(line) > 0 && line[0] == '{' {
-				ev := msgs.ParseJSON(line)
-				mux.SendMessage(ev)
-			}
-		}
-	}()
-
-
-}
-
-func toIP6(k uint64) *net.IPAddr {
-	ip6, _ := net.ResolveIPAddr("ip6", "fd00::")
-	binary.BigEndian.PutUint64(ip6.IP[8:], k)
-	return ip6
-}
-
-func (w *watcher) monitor(ug *ugatesvc.UGate, addr *net.IPAddr) {
-
-	req, err := http.NewRequest("GET", "http://["+addr.String()+"]:5227/debug/events", nil)
-	if err != nil {
-		return
-	}
-	res, err := hc.Do(req)
-	if err != nil {
-		println(addr, "HTTP_ERROR", err)
-		return
-	}
-	rd := bufio.NewReader(res.Body)
-
-	for {
-		l, _, err := rd.ReadLine()
-		if err != nil {
-			if err.Error() != "EOF" {
-				log.Println(addr, "READ ERR", err)
-			}
-			break
-		}
-		ls := string(l)
-		if ls == "" || ls == "event: message" {
-			continue
-		}
-
-		log.Println(addr, ls)
-	}
-
-}
-
-// Decode a JWT.
-// If crt is specified - verify it using that cert
-func decode(jwt, aud string) {
-	// TODO: verify if it's a VAPID
-	parts := strings.Split(jwt, ".")
-	p1b, err := base64.RawURLEncoding.DecodeString(parts[1])
-	if err != nil {
-		log.Println(err)
-		return
-	}
-	fmt.Println(string(p1b))
-
-	scrt, _ := ioutil.ReadFile("server.crt")
-	block, _ := pem.Decode(scrt)
-	xc, _ := x509.ParseCertificate(block.Bytes)
-	log.Printf("Cert subject: %#v\n", xc.Subject)
-	pubk1 := xc.PublicKey
-
-
-	h, t, txt, sig, _ := auth.JwtRawParse(jwt)
-	log.Printf("%#v %#v\n", h, t)
-
-	if h.Alg == "RS256" {
-		rsak := pubk1.(*rsa.PublicKey)
-		hasher := crypto.SHA256.New()
-		hasher.Write(txt)
-		hashed := hasher.Sum(nil)
-		err = rsa.VerifyPKCS1v15(rsak,crypto.SHA256, hashed, sig)
-		if err != nil {
-			log.Println("Root Certificate not a signer")
-		}
-	}
-
-}
diff --git a/docs/dev.md b/docs/dev.md
new file mode 100644
index 0000000..fdd6457
--- /dev/null
+++ b/docs/dev.md
@@ -0,0 +1,106 @@
+# Dev tools
+
+Few tools that accelerate and simplify the development, and their impact on projects.
+
+
+## Ko
+
+The ko-build.sh script will use 'go build' and push the result as a layer,
+no docker involved. Best used with Skaffold.
+
+Expected env variables:
+- IMAGE - including tag. Set automatically by skaffold
+
+Generally it works great if you have a base image with
+all 'stable' components and you add a single go binary.
+Ko can bundle files from .../kodata/ dir, and make it
+available as $KO_DATA_PATH, including symlinks.
+The example in readme is to include .git/HEAD
+
+Ko creates reproductible builds - date is set.
+
+For local repository or in-cluster with forwarded port -
+it is faster, but requires keeping the port forwards open.
+
+export KO_DOCKER_REPO=localhost:5000
+ko.local == use local docker daemon
+kind.local == use local kind
+
+Can also cross-build, with "--platform=linux/amd64,linux/arm64"
+
+# Skaffold 
+
+It will also check if any file has changed, and in 'dev' mode
+watch for changed files and re-deploy automatically.
+It can also start a debugger and forward ports.
+
+Without certificates and for faster time: deploy in-cluster registry, 
+forward registry port to 5001. In-cluster registry runs on localhost:5001
+
+- use shell script to build - most flexible, easy to plug in ko or other targets
+- schema rewrite/refactoring removes comments.
+
+
+```yaml
+apiVersion: skaffold/v2beta14
+kind: Config
+metadata:
+  name:    istiod
+...
+
+
+build:
+  insecureRegistries:
+    - localhost:5001
+
+...
+
+    # Building real istiod
+    # Due to KO, which uses the image == last component of the go package
+    - image: pilot-discovery
+      context: /ws/istio-stable/src/istio.io/istio
+      custom:
+        buildCommand: /ws/dmesh-src/wpgate/bin/build-istiod.sh
+        dependencies:
+          paths:
+            - "pilot/**"
+
+      context: .
+      custom:
+        buildCommand: ../../bin/build-istiod.sh
+        dependencies:
+          paths:
+            - "../../../istio/pilot/**"
+
+deploy:
+  kubectl:
+    manifests:
+      - ns.yaml
+      - ../helm/istiod/charts/*.yaml
+
+```
+
+Env variables in the build command:
+
+```shell
+PUSH_IMAGE=true
+IMAGE=gcr.io/dmeshgate/istiod:t-2021-05-15_11-23
+IMAGE_REPO=gcr.io/dmeshgate/istiod
+IMAGE_TAG=t-2021-05-15_11-23
+SKAFFOLD_UPDATE_CHECK=false
+
+```
+
+
+## Okteto
+
+Okteto is a remarcable developmet tool, with a model worth emulating in standalone charts to
+build 'debuggable' images.
+
+How it works:
+- start with a base 'tools' image, including all the build tools - similar with the one used
+to build istio.
+- add a 'sshd' binary 
+- add a 'syncthing' binary
+- generate a sshd config - using the public key ~/.okteto/... as authorized
+
diff --git a/docs/dns_sni.md b/docs/dns_sni.md
new file mode 100644
index 0000000..758fc7f
--- /dev/null
+++ b/docs/dns_sni.md
@@ -0,0 +1,51 @@
+# Notes on DNS and SNI
+
+For TLS, the main routing info is the SNI part of ClientHello.
+
+For compatibility with most clients, it must be a hostname - i.e. subject to:
+- max 256 bytes
+- each label max 63B
+- start with letter, contains letter and digits and "-" (not in first or last).
+
+
+Standard convention for IDN is to start with "xn--" prefix to indicate UTF name.
+IPFS/LibP2P also have the convention to start with a byte identifying the syntax of the rest.
+Starting with a 'type' also makes sure it starts with a letter, and the rest can be
+hex or base32.
+
+DNS allows _ and other binary characters - but this is unlikely to work with TLS clients
+and servers.
+
+https://github.com/multiformats/multibase defines some prefixes to identify the base
+encoding of a string. We also want to use a tag to identify what kind of address it is. 
+They use:
+- 'f' = hexadecimal
+- 'b' = base32 (lowercase) - not using 0, 1, 8, 9 or -
+
+For ugate needs, the first label of the domain is used to encode the node ID or dest.
+Since this is a mangled name, we can also use the size for the identifier and presence
+of dashes.
+
+We may support:
+- ugate 32-byte KEY, base32 ( 32 * 8 / 5) = 52 chars, can't be encoded in hex. This is 
+  the primary format, since it can encode a ED25519 public key or SHA.
+- ugate 8-byte ID, hex: 16hex digits = 16 chars. Base32 is 13 chars, not worth it.
+- ipv4 - simplest is 'i80-10-1-1-2'
+- ipv6 - simplest is 'p80-fd--01' ( : replaced with -) - will have double dash or > 3 dashes
+- alternative - all hex, no dashes: 12 chars for IPv4 and port, 36 chars for IPv6 and port
+
+Since first char must be a letter, and hex and base32 can start with digit, prefixes are used:
+- u - for  32-byte base32 ID
+- f - for  8 byte hex 
+- a - for hex IP and port, len determines ipv4 vs ipv6
+- i - for port-ipv4
+- p - for port-ipv6 - max is 36 bytes (16 + 2), leaving 63-36-1=26bytes
+
+The ugate primary port is expected to handle 'BTS'-style communication, with the first 
+component used to identify the mesh address. An optional prefix "nXXX-" may identify 
+the network. We need to keep the net id short - max 24 bytes.
+
+For short namespace/service, we can also use:
+- s[PORT]--SVC-NS - if len > 63, the truncated SHA with prefix -- can be added as suffix
+- s[PORT]-[NUMBER]-SVC-NS for stateful sets
+
diff --git a/docs/oidc.md b/docs/oidc.md
new file mode 100644
index 0000000..7cb45dc
--- /dev/null
+++ b/docs/oidc.md
@@ -0,0 +1,62 @@
+# Support for OIDC auth
+
+## Checking the tokens 
+
+JWT OIDC tokens have a pretty clear format, using public key to verify.
+The key used to verify is downloaded from a well-knwon location.
+
+The main issue is how to map the OIDC token to a mesh identity.
+
+For DMesh, the 'last resort' identity is the based on the SHA(public key) of the node.
+This can be further mapped to a 'canonical service' or spiffee using a map.
+
+If a OIDC identity exists, the following pattern can be used:
+
+- trust domain is the OIDC issuer. If it is registered as an alias - it is trusted by 
+default. Otherwise it must match an explicit Policy.
+  
+- the identified service account is mapped to a NAMESPACE. In practice, k8s namespace
+is the primary unit of isolation. The service account will be 'default'. We can allow 
+the workload to 'claim' a canonical name.
+  
+- if a certain naming pattern is used, like k8s-X-Y - we could also infer the service
+account from the external name - in which case the self-claiming is not allowed.
+  
+## Generating tokens
+
+In K8S we can exchange the audience-less token using the internal API, and implement STS.
+STS appears supported by gRPC and others.
+
+## Identities
+
+Native identity depends on environment.
+
+- K8S SA - system:serviceaccount:ugate:default
+
+- workload identity - 'pool' set to PROJECT_ID.svc.id.goog. Google IAM uses 
+    serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]
+  This is exposed using the metadata API - as well as via mounting. "requests in the first seconds may fail"
+ ```shell
+gcloud iam service-accounts add-iam-policy-binding \
+  --role roles/iam.workloadIdentityUser \
+  --member "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]" \
+  GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
+
+kubectl annotate serviceaccount \
+  --namespace K8S_NAMESPACE \
+  KSA_NAME \
+  iam.gke.io/gcp-service-account=GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
+```
+
+- Metadata server:  http://metadata.google.internal (169.254.169.254:80)
+```shell
+curl -v  -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=foo.com
+
+{"aud":"test.com","azp":"104797399114760319172",
+"email":"584624515903-compute@developer.gserviceaccount.com", or "k8s--ugate--default@dmeshgate.iam.gserviceaccount.com"
+"email_verified":true,
+"exp":1621463417,"iat":1621459817,
+"iss":"https://accounts.google.com",
+"sub":"104797399114760319172"}
+```  
+
diff --git a/docs/perf.md b/docs/perf.md
index f295d7f..93c7aef 100644
--- a/docs/perf.md
+++ b/docs/perf.md
@@ -33,6 +33,10 @@ txqueuelen 10000
 
 https://events.static.linuxfound.org/sites/events/files/slides/LinuxConJapan2016_makita_160712.pdf
 - many optimizations for UDP
+- SO_REUSEPORT
+- SO_ATTACH_REUSEPORT_EBPF
+- disable source IP validation, auditd, iptables, GRO
+- interrupt coalescence
 
 # MTU
 
diff --git a/ext/bootstrap/go.mod b/ext/bootstrap/go.mod
index 4d33e8c..8da412a 100644
--- a/ext/bootstrap/go.mod
+++ b/ext/bootstrap/go.mod
@@ -4,29 +4,19 @@ go 1.16
 
 replace github.com/costinm/ugate => ../../
 
-replace github.com/costinm/ugate/ext/webrtc => ../webrtc
-
 replace github.com/costinm/ugate/dns => ../../dns
 
-replace github.com/costinm/ugate/ext/xds => ../xds
-
 replace github.com/costinm/ugate/ext/h2r => ../h2r
 
 replace github.com/costinm/ugate/ext/quic => ../quic
 
+//Larger buffer, hooks to use the h3 stack
 //replace github.com/lucas-clemente/quic-go => ../../../quic
-
 //replace github.com/lucas-clemente/quic-go => github.com/costinm/quic v0.5.1-0.20210425224043-9f67435d0255
 
 require (
 	github.com/costinm/ugate v0.0.0-20210425213441-05024f5e8910
 	github.com/costinm/ugate/ext/h2r v0.0.0-20210425213441-05024f5e8910
 	github.com/costinm/ugate/ext/quic v0.0.0-20210425213441-05024f5e8910
-	github.com/costinm/ugate/ext/webrtc v0.0.0-20210425213441-05024f5e8910
-	github.com/costinm/ugate/ext/xds v0.0.0-20210425213441-05024f5e8910
-	github.com/pion/ice/v2 v2.1.6 // indirect
-	github.com/pion/rtp v1.6.5 // indirect
-	github.com/pion/webrtc/v3 v3.0.25 // indirect
 	golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b // indirect
-	google.golang.org/grpc v1.37.0
 )
diff --git a/ext/bootstrapx/go.mod b/ext/bootstrapx/go.mod
index a18c9dd..bc5cfa6 100644
--- a/ext/bootstrapx/go.mod
+++ b/ext/bootstrapx/go.mod
@@ -4,25 +4,16 @@ go 1.16
 
 replace github.com/costinm/ugate => ../../
 
-replace github.com/costinm/ugate/ext/webrtc => ../../ext/webrtc
-
-replace github.com/costinm/ugate/dns => ../../dns
-
-replace github.com/costinm/ugate/ext/xds => ../../ext/xds
-
-replace github.com/costinm/ugate/ext/h2r => ../../ext/h2r
-
-//replace github.com/costinm/ugate/ext/gvisor => ../../ext/gvisor
-
-//replace github.com/costinm/ugate/ext/lwip => ../../ext/lwip
-
-replace github.com/costinm/ugate/ext/quic => ../../ext/quic
+replace github.com/costinm/ugate/ext/gvisor => ../../ext/gvisor
+replace github.com/costinm/ugate/ext/lwip => ../../ext/lwip
 
 replace gvisor.dev/gvisor => github.com/costinm/gvisor v0.0.0-20210509154143-a94fe58cda62
-
 replace github.com/eycorsican/go-tun2socks => github.com/costinm/go-tun2socks v1.16.12-0.20210328172757-88f6d54235cb
+replace github.com/costinm/ugate/ext/webrtc => ../webrtc
+
+
+replace github.com/costinm/ugate/ext/xds => ../xds
 
-//replace github.com/lucas-clemente/quic-go => github.com/costinm/quic v0.5.1-0.20210425224043-9f67435d0255
 
 require (
 	github.com/costinm/ugate v0.0.0-20210425213441-05024f5e8910
@@ -32,4 +23,10 @@ require (
 	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
 	golang.org/x/net v0.0.0-20210423184538-5f58ad60dda6 // indirect
 	golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7 // indirect
+	github.com/costinm/ugate/ext/webrtc v0.0.0-20210425213441-05024f5e8910
+	github.com/pion/ice/v2 v2.1.6 // indirect
+	github.com/pion/rtp v1.6.5 // indirect
+	github.com/pion/webrtc/v3 v3.0.25 // indirect
+	github.com/costinm/ugate/ext/xds v0.0.0-20210425213441-05024f5e8910
+	google.golang.org/grpc v1.37.0
 )
diff --git a/ext/bootstrap/ugate_quiche.go b/ext/bootstrapx/ugate_quiche.go
similarity index 91%
rename from ext/bootstrap/ugate_quiche.go
rename to ext/bootstrapx/ugate_quiche.go
index 9560e9d..ef4e0b6 100644
--- a/ext/bootstrap/ugate_quiche.go
+++ b/ext/bootstrapx/ugate_quiche.go
@@ -1,6 +1,6 @@
 // +build !MIN
 
-package bootstrap
+package bootstrapx
 
 func init() {
 	//initHooks = append(initHooks, func(ug *ugatesvc.UGate) startFunc {
diff --git a/ext/bootstrap/ugate_webrtc.go b/ext/bootstrapx/ugate_webrtc.go
similarity index 94%
rename from ext/bootstrap/ugate_webrtc.go
rename to ext/bootstrapx/ugate_webrtc.go
index 0607569..e13cbe8 100644
--- a/ext/bootstrap/ugate_webrtc.go
+++ b/ext/bootstrapx/ugate_webrtc.go
@@ -1,6 +1,6 @@
 // +build !MIN
 
-package bootstrap
+package bootstrapx
 
 import (
 	"os"
diff --git a/ext/bootstrap/ugate_xds.go b/ext/bootstrapx/ugate_xds.go
similarity index 97%
rename from ext/bootstrap/ugate_xds.go
rename to ext/bootstrapx/ugate_xds.go
index 0be3cf3..92bb96f 100644
--- a/ext/bootstrap/ugate_xds.go
+++ b/ext/bootstrapx/ugate_xds.go
@@ -1,6 +1,6 @@
 // +build !MIN
 
-package bootstrap
+package bootstrapx
 
 import (
 	"net/http"
diff --git a/ext/envoy/envoy.go b/ext/envoy/envoy.go
new file mode 100644
index 0000000..19daf87
--- /dev/null
+++ b/ext/envoy/envoy.go
@@ -0,0 +1,17 @@
+package envoy
+
+import (
+	"os"
+	"os/exec"
+)
+
+// Exec envoy with a custom bootstrap.
+//
+
+func Start(wd, bin string, args []string) {
+	cmd := exec.Command(bin, args...)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	cmd.Dir = wd
+
+}
diff --git a/ext/envoy/envoy.yaml b/ext/envoy/envoy.yaml
new file mode 100644
index 0000000..5b52848
--- /dev/null
+++ b/ext/envoy/envoy.yaml
@@ -0,0 +1,57 @@
+static_resources:
+  listeners:
+    - name: listener_0
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 8080
+      filter_chains:
+        - filters:
+            - name: envoy.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                http_filters:
+                  - name: envoy.filters.http.router
+                stat_prefix: ingress_http
+                codec_type: AUTO
+                stream_idle_timeout: 3600s
+                http_protocol_options:
+                  enable_trailers: true
+                route_config:
+                  name: local_route
+                  virtual_hosts:
+                    - name: local_service
+                      domains:
+                        - "*"
+                      routes:
+                        - match:
+                            prefix: "/"
+                          route:
+                            cluster: worker_endpoint
+                            timeout: 900s
+
+  clusters:
+    - name: worker_endpoint
+      connect_timeout: 5s
+      type: STRICT_DNS
+      lb_policy: ROUND_ROBIN
+      load_assignment:
+        cluster_name: worker_endpoint
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: 127.0.0.1
+                      port_value: 8081
+      typed_extension_protocol_options:
+        envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+          "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+          explicit_http_config:
+            http2_protocol_options: {}
+
+layered_runtime:
+  layers:
+    - name: static_layer
+      static_layer:
+        envoy.reloadable_features.preserve_downstream_scheme: false
diff --git a/ext/envoy/run.sh b/ext/envoy/run.sh
new file mode 100644
index 0000000..d6669d8
--- /dev/null
+++ b/ext/envoy/run.sh
@@ -0,0 +1,11 @@
+
+/usr/local/bin/envoy -c /var/lib/envoy.yaml
+
+/usr/local/bin/ugate &
+
+curl localhost:8081
+while [ $? -ne 0 ]
+do
+  sleep 0.2
+  curl localhost:8081
+done
diff --git a/ext/gvisor/go.mod b/ext/gvisor/go.mod
index 8635be0..d678bb1 100644
--- a/ext/gvisor/go.mod
+++ b/ext/gvisor/go.mod
@@ -4,9 +4,9 @@ go 1.16
 
 // go get -d -u   github.com/costinm/gvisor@tungate
 // latest
-replace gvisor.dev/gvisor => github.com/costinm/gvisor v0.0.0-20210509154143-a94fe58cda62
+//replace gvisor.dev/gvisor => github.com/costinm/gvisor v0.0.0-20210509154143-a94fe58cda62
 
-//replace gvisor.dev/gvisor => ../../../gvisor
+replace gvisor.dev/gvisor => ../../../gvisor
 
 replace github.com/costinm/ugate => ../..
 
diff --git a/ext/gvisor/tun_capture_gvisor.go b/ext/gvisor/tun_capture_gvisor.go
index 4f653e0..556fedb 100644
--- a/ext/gvisor/tun_capture_gvisor.go
+++ b/ext/gvisor/tun_capture_gvisor.go
@@ -369,12 +369,12 @@ func NewGvisorTunCapture(ep *stack.LinkEndpoint, handler TUNHandler, udpNat ugat
 	// NIC 2 - IP4, IP6 - the TUN device
 	t.IPStack.CreateNIC(2, ep1)
 
-	addr2 := "\x0a\x0c\x00\x01"
+	addr2 := "\x0a\x0b\x00\x02"
 	if err := t.IPStack.AddAddress(2, ipv4.ProtocolNumber, tcpip.Address(addr2)); err != nil {
 		log.Print("Can't add address", err)
 		return t
 	}
-	addr3, _ := net.ResolveIPAddr("ip", "fd::01")
+	addr3, _ := net.ResolveIPAddr("ip", "fd::1:2")
 	if err := t.IPStack.AddAddress(2, ipv6.ProtocolNumber, tcpip.Address(addr3.IP)); err != nil {
 		log.Print("Can't add address", err)
 		return t
@@ -405,6 +405,7 @@ func NewGvisorTunCapture(ep *stack.LinkEndpoint, handler TUNHandler, udpNat ugat
 
 func (nt *GvisorTun) WriteTo(data []byte, dst *net.UDPAddr, src *net.UDPAddr) (int, error) {
 	addrb := []byte(dst.IP)
+	srcaddrb := []byte(src.IP)
 	// TODO: how about from ?
 	// TODO: do we need to make a copy ? netstack passes ownership, we may reuse buffers
 	n, err := nt.DefUDP.Write(bytes.NewBuffer(data),
@@ -414,10 +415,10 @@ func (nt *GvisorTun) WriteTo(data []byte, dst *net.UDPAddr, src *net.UDPAddr) (i
 				Addr: tcpip.Address(addrb),
 			},
 			// TODO(costin): PATCH
-			//From: &tcpip.FullAddress{
-			//	Port: uint16(src.Port),
-			//	Addr: tcpip.Address(srcaddrb),
-			//},
+			From: &tcpip.FullAddress{
+				Port: uint16(src.Port),
+				Addr: tcpip.Address(srcaddrb),
+			},
 		})
 	if err != nil {
 		return 0, errors.New(err.String())
@@ -455,7 +456,6 @@ func (nt *GvisorTun) defUdpServer() error {
 	go func() {
 		for {
 			// Will have the peer address
-			add := tcpip.FullAddress{}
 			//ep.SetSockOpt()
 			// Add is send address. Control should include the dest addr ( for raw )
 			bb := &bytes.Buffer{}
@@ -472,7 +472,7 @@ func (nt *GvisorTun) defUdpServer() error {
 			if nt.UDPHandler != nil {
 				nt.UDPHandler.HandleUdp(net.IP(rr.ControlMessages.OriginalDstAddress.Addr),
 					rr.ControlMessages.OriginalDstAddress.Port,
-					net.IP(add.Addr), add.Port,
+					net.IP(rr.RemoteAddr.Addr), rr.RemoteAddr.Port,
 					bb.Bytes())
 			}
 		}
diff --git a/ext/h2r/h2r.go b/ext/h2r/h2r.go
index ece43c4..54805fa 100644
--- a/ext/h2r/h2r.go
+++ b/ext/h2r/h2r.go
@@ -219,7 +219,7 @@ func (t *H2R) HandleH2R(w http.ResponseWriter, r *http.Request) {
 	upData, _ := ioutil.ReadAll(res0.Body)
 	res0.Body.Close()
 
-	log.Println("H2R start on ", t.ug.Auth.ID, "for", n.ID, k, ra, " -> ", string(upData))
+	log.Println(str.StreamId, "H2R start on ", t.ug.Auth.ID, "for", n.ID, k, ra, " -> ", string(upData))
 
 	//go func() {
 	//	for {
diff --git a/ext/quic/go.mod b/ext/quic/go.mod
index 69c4cc3..7aa8d35 100644
--- a/ext/quic/go.mod
+++ b/ext/quic/go.mod
@@ -3,13 +3,14 @@ module github.com/costinm/ugate/ext/quic
 go 1.16
 
 replace github.com/costinm/ugate => ../../
-replace github.com/lucas-clemente/quic-go => ../../../quic
 
-//replace github.com/lucas-clemente/quic-go => github.com/costinm/quic v0.5.1-0.20210425150008-d8e6379c24ed
+//replace github.com/lucas-clemente/quic-go => ../../../quic
+
+replace github.com/lucas-clemente/quic-go => github.com/costinm/quic v0.5.1-0.20210425150008-d8e6379c24ed
 
 require (
 	github.com/costinm/ugate v0.0.0-20210425213441-05024f5e8910
-	github.com/lucas-clemente/quic-go v0.7.1-0.20210421053939-84e03e59760c
+	github.com/lucas-clemente/quic-go v0.20.1
 	github.com/marten-seemann/qpack v0.2.1
 	golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect
 	golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43 // indirect
diff --git a/ext/quic/go.sum b/ext/quic/go.sum
index 34c4b3b..b787b46 100644
--- a/ext/quic/go.sum
+++ b/ext/quic/go.sum
@@ -18,8 +18,6 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/coreos/go-systemd v0.0.0-20181012123002-c6f51f82210d/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/costinm/quic v0.5.1-0.20210425150008-d8e6379c24ed h1:5XrmfhoSsRDs36a4CgBV+2KcEKulAo/f/PFiTRWzQg8=
 github.com/costinm/quic v0.5.1-0.20210425150008-d8e6379c24ed/go.mod h1:fZq/HUDIM+mW6X6wtzORjC0E/WDBMKe5Hf9bgjISwLk=
-github.com/costinm/ugate v0.0.0-20210425213441-05024f5e8910 h1:Li91KjkSnBH3iYxMZfF3YTJnmRoup92UlfCJJkcoAGg=
-github.com/costinm/ugate v0.0.0-20210425213441-05024f5e8910/go.mod h1:RkhqsMK4MVwcK7sPt5yjYCp1Z8RPS4ICw/THM1iFVmo=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
diff --git a/ext/quic/mux.go b/ext/quic/mux.go
index 6c132ac..997fdf4 100644
--- a/ext/quic/mux.go
+++ b/ext/quic/mux.go
@@ -2,7 +2,7 @@ package quic
 
 import (
 	"context"
-	"io"
+	//"io"
 	"log"
 	"net"
 	"net/http"
@@ -63,7 +63,7 @@ func (q *Quic) handleRaw(qs quic.Stream) {
 }
 
 func (ugs *QuicMUX) DialStream(ctx context.Context, addr string, inStream *ugate.Stream) (*ugate.Stream, error) {
-	if UseRawStream {
+	//if UseRawStream {
 		s, err := ugs.s.OpenStream()
 		if err != nil {
 			return nil, err
@@ -100,39 +100,39 @@ func (ugs *QuicMUX) DialStream(ctx context.Context, addr string, inStream *ugate
 		log.Println("QUIC out stream res", str.StreamId, addr, str.InHeader)
 
 		return str, nil
-	} else {
-		var in io.Reader
-		var out io.WriteCloser
-		if inStream == nil {
-			in, out = io.Pipe()
-		} else {
-			in = inStream
-		}
-
-		// Regular TCP stream, upgraded to H2.
-		// This is a simple tunnel, so use the right URL
-		r1, err := http.NewRequestWithContext(ctx, "POST",
-			"https://"+ugs.hostname+"/dm/"+addr, in)
-
-		// RoundTrip Transport guarantees this is set
-		if r1.Header == nil {
-			r1.Header = make(http.Header)
-		}
-
-		// RT client - forward the request.
-		res, err := ugs.RoundTrip(r1)
-		if err != nil {
-			log.Println("H2R error", addr, err)
-			return nil, err
-		}
-
-		rs := ugate.NewStreamRequestOut(r1, out, res, nil)
-		if ugate.DebugClose {
-			log.Println("TUN: ", addr, r1.URL)
-		}
-		return rs, nil
-
-	}
+	//} else {
+		//var in io.Reader
+		//var out io.WriteCloser
+		//if inStream == nil {
+		//	in, out = io.Pipe()
+		//} else {
+		//	in = inStream
+		//}
+		//
+		//// Regular TCP stream, upgraded to H2.
+		//// This is a simple tunnel, so use the right URL
+		//r1, err := http.NewRequestWithContext(ctx, "POST",
+		//	"https://"+ugs.hostname+"/dm/"+addr, in)
+		//
+		//// RoundTrip Transport guarantees this is set
+		//if r1.Header == nil {
+		//	r1.Header = make(http.Header)
+		//}
+		//
+		//// RT client - forward the request.
+		//res, err := ugs.RoundTrip(r1)
+		//if err != nil {
+		//	log.Println("H2R error", addr, err)
+		//	return nil, err
+		//}
+		//
+		//rs := ugate.NewStreamRequestOut(r1, out, res, nil)
+		//if ugate.DebugClose {
+		//	log.Println("TUN: ", addr, r1.URL)
+		//}
+		//return rs, nil
+
+	//}
 }
 
 // RoundTrip is used for forwarding HTTP connections back to the client (normal) or
@@ -148,7 +148,25 @@ func (ugs *QuicMUX) RoundTrip(request *http.Request) (*http.Response, error) {
 			log.Println("H3: RT-start", request.URL, ugs.client)
 		}
 	}
-	res, err := ugs.rt.RoundTrip(request)
+	var res *http.Response
+	var err error
+	if ugs.rt != nil {
+		res, err = ugs.rt.RoundTrip(request)
+	} else {
+		// Replacement for the lack of support in QUIC for using the H3 request programmatically.
+		// This only works with h3s servers.
+		s := ugate.NewStream()
+		s.Request = request
+		s.In = request.Body
+		rs, err1 := ugs.DialStream(request.Context(), request.URL.Host, s)
+		if err1 != nil {
+			return nil, err1
+		}
+		res = &http.Response{
+			Body:   rs.In,
+			Header: rs.InHeader,
+		}
+	}
 	if ugate.DebugClose {
 		log.Println("H3: RT-done", request.URL, ugs.client, err)
 		if err == nil {
diff --git a/ext/quic/quic.go b/ext/quic/quic.go
index 3319163..946e119 100644
--- a/ext/quic/quic.go
+++ b/ext/quic/quic.go
@@ -4,12 +4,9 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
-	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
-	"os"
-	"strconv"
 	"time"
 
 	"github.com/costinm/ugate"
@@ -17,7 +14,6 @@ import (
 	"github.com/costinm/ugate/pkg/ugatesvc"
 	"github.com/lucas-clemente/quic-go"
 	"github.com/lucas-clemente/quic-go/http3"
-	"github.com/marten-seemann/qpack"
 )
 
 // Quic is the adapter to QUIC/H3/MASQUE for uGate.
@@ -59,9 +55,9 @@ func New(ug *ugatesvc.UGate) *Quic {
 
 	// We will only register a single QUIC server by default, and a factory for cons
 	port := ug.Config.BasePort + ugate.PORT_BTS
-	if os.Getuid() == 0 {
-		port = 443
-	}
+	//if os.Getuid() == 0 {
+	//	port = 443
+	//}
 
 	qa := &Quic{
 		Port: port,
@@ -92,29 +88,28 @@ func New(ug *ugatesvc.UGate) *Quic {
 
 	qa.tlsServerConfig = mtlsServerConfig
 
-	quicServer := &http3.Server{
-		QuicConfig: &quic.Config{
-			MaxIdleTimeout: 60 * time.Second, // should be very large - but need to test recovery
-			KeepAlive:      true,             // 1/2 idle timeout
-			//Versions:    []quic.VersionNumber{101},
-
-			MaxIncomingStreams:    30000,
-			MaxIncomingUniStreams: 30000,
-
-			EnableDatagrams: true,
-		},
-
-		Server: &http.Server{
-			Addr:        ":" + strconv.Itoa(qa.Port),
-			Handler:     qa.HTTPHandler,
-			TLSConfig:   mtlsServerConfig,
-			ReadTimeout: 5 * time.Second,
-		},
-	}
-
-	qa.server = quicServer
-	// Instead of calling Serve(conn)
-	quicServer.Init()
+	//quicServer := &http3.Server{
+	//	QuicConfig: &quic.Config{
+	//		MaxIdleTimeout: 60 * time.Second, // should be very large - but need to test recovery
+	//		KeepAlive:      true,             // 1/2 idle timeout
+	//		//Versions:    []quic.VersionNumber{101},
+	//
+	//		MaxIncomingStreams:    30000,
+	//		MaxIncomingUniStreams: 30000,
+	//
+	//		EnableDatagrams: true,
+	//	},
+	//
+	//	Server: &http.Server{
+	//		Addr:        ":" + strconv.Itoa(qa.Port),
+	//		Handler:     qa.HTTPHandler,
+	//		TLSConfig:   mtlsServerConfig,
+	//		ReadTimeout: 5 * time.Second,
+	//	},
+	//}
+	//
+	//qa.server = quicServer
+	//quicServer.Init()
 
 	return qa
 }
@@ -182,28 +177,28 @@ func (qd *Quic) DialMux(ctx context.Context, node *ugate.DMNode, meta http.Heade
 
 	session.SendMessage([]byte(tok))
 
-	if !UseRawStream {
-		// Exposed in fork only.
-		// Will call OpenUniStream, AcceptUniStream and OpenStream
-		rt = http3.NewClient(node.ID, session, qd.quicConfig())
-
-		// TODO: use MASQUE ( with extension headers ? )
-		initReq, _ := http.NewRequest("GET", "https://"+node.ID+"/_dm/id/Q/"+qd.Auth.ID, nil)
-		initReq.Header.Add("authorization", tok)
-		res, err := rt.RoundTrip(initReq)
-		if err != nil {
-			return nil, err
-		}
-		// TODO: parse the data, use MASQUE format for handshake
-		_, _ = ioutil.ReadAll(res.Body)
-		res.Body.Close()
-
-		if res != nil && res.StatusCode == 200 {
-			log.Println("H3R: start on ", qd.Auth.ID, "for", node.ID, session.RemoteAddr())
-		} else {
-			log.Println("H3: start on ", qd.Auth.ID, "for", node.ID, session.RemoteAddr())
-		}
-	}
+	//if !UseRawStream {
+	//	// Exposed in fork only.
+	//	// Will call OpenUniStream, AcceptUniStream and OpenStream
+	//	rt = http3.NewClient(node.ID, session, qd.quicConfig())
+	//
+	//	// TODO: use MASQUE ( with extension headers ? )
+	//	initReq, _ := http.NewRequest("GET", "https://"+node.ID+"/_dm/id/Q/"+qd.Auth.ID, nil)
+	//	initReq.Header.Add("authorization", tok)
+	//	res, err := rt.RoundTrip(initReq)
+	//	if err != nil {
+	//		return nil, err
+	//	}
+	//	// TODO: parse the data, use MASQUE format for handshake
+	//	_, _ = ioutil.ReadAll(res.Body)
+	//	res.Body.Close()
+	//
+	//	if res != nil && res.StatusCode == 200 {
+	//		log.Println("H3R: start on ", qd.Auth.ID, "for", node.ID, session.RemoteAddr())
+	//	} else {
+	//		log.Println("H3: start on ", qd.Auth.ID, "for", node.ID, session.RemoteAddr())
+	//	}
+	//}
 	go func() {
 		<- session.Context().Done()
 		log.Println("H3: stop on ", qd.Auth.ID, "for", node.ID, session.RemoteAddr())
@@ -213,7 +208,7 @@ func (qd *Quic) DialMux(ctx context.Context, node *ugate.DMNode, meta http.Heade
 	}()
 
 	ugc := &QuicMUX{s: session, rt: rt, hostname: node.ID, client: true}
-	decoder := qpack.NewDecoder(nil)
+	//decoder := qpack.NewDecoder(nil)
 
 	go func() {
 		for {
@@ -223,15 +218,15 @@ func (qd *Quic) DialMux(ctx context.Context, node *ugate.DMNode, meta http.Heade
 				return
 			}
 
-			if UseRawStream {
+			//if UseRawStream {
 				go qd.handleRaw(str)
-			} else {
-				// Treat the remote (server) originated stream as a H3 reverse request.
-				// The server will process the session and dispatch to a handler.
-				go qd.server.HandleRequest(session, str, decoder, func() {
-					// Called when done
-				})
-			}
+			//} else {
+			//	// Treat the remote (server) originated stream as a H3 reverse request.
+			//	// The server will process the session and dispatch to a handler.
+			//	go qd.server.HandleRequest(session, str, decoder, func() {
+			//		// Called when done
+			//	})
+			//}
 		}
 	}()
 
@@ -276,7 +271,8 @@ func (qd *Quic) Start() error {
 			// not blocking
 			qd.handleMessages(ugc)
 
-			if UseRawStream {
+
+			//if UseRawStream {
 				go func() {
 					for {
 						str, err := s.AcceptStream(context.Background())
@@ -287,24 +283,24 @@ func (qd *Quic) Start() error {
 						go qd.handleRaw(str)
 					}
 				}()
-			} else {
-				// TODO: we need a way to pass the mux on the first
-				// request ( or the ID request ) to associate it with the node.
-				// At this point we don't have the identity.
-				// Currently we use x-quic-session as experiment.
-				go func() {
-					qd.server.HandleConn(s)
-
-					if ugc.n != nil {
-						ugc.n.Muxer = nil
-						log.Println("H3R: stop on ", qd.Auth.ID, "for", ugc.n.ID, s.RemoteAddr())
-						qd.UG.OnMuxClose(ugc.n)
-					} else {
-						log.Println("H3: stop on ", qd.Auth.ID, s.RemoteAddr())
-					}
-
-				}()
-			}
+			//} else {
+			//	// TODO: we need a way to pass the mux on the first
+			//	// request ( or the ID request ) to associate it with the node.
+			//	// At this point we don't have the identity.
+			//	// Currently we use x-quic-session as experiment.
+			//	go func() {
+			//		qd.server.HandleConn(s)
+			//
+			//		if ugc.n != nil {
+			//			ugc.n.Muxer = nil
+			//			log.Println("H3R: stop on ", qd.Auth.ID, "for", ugc.n.ID, s.RemoteAddr())
+			//			qd.UG.OnMuxClose(ugc.n)
+			//		} else {
+			//			log.Println("H3: stop on ", qd.Auth.ID, s.RemoteAddr())
+			//		}
+			//
+			//	}()
+			//}
 
 		}
 	}()
@@ -336,7 +332,7 @@ func (qd *Quic) handleMessages(ugc *QuicMUX) {
 
 					ugc.n = n
 					ugc.hostname = n.ID
-					ugc.rt = http3.NewClient(remoteID, ugc.s, qd.quicConfig())
+					//ugc.rt = http3.NewClient(remoteID, ugc.s, qd.quicConfig())
 
 					n.Muxer = ugc
 				}
diff --git a/ext/ssh/ssh.go b/ext/ssh/ssh.go
index a1a9181..3273edf 100644
--- a/ext/ssh/ssh.go
+++ b/ext/ssh/ssh.go
@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/costinm/ugate"
+	"github.com/costinm/ugate/pkg/auth"
 	"github.com/costinm/ugate/pkg/ugatesvc"
 	"golang.org/x/crypto/ssh"
 )
@@ -105,6 +106,14 @@ func NewSSHTransport(signer ssh.Signer) (*SSHTransport, error) {
 	}, nil
 }
 
+func SignSSHHost(a *auth.Auth, hn string) {
+
+}
+
+func SignSSHUser(a *auth.Auth, hn string) {
+
+}
+
 // NewConn wraps a net.Conn using SSH for MUX and security.
 func (t *SSHTransport) NewConn(nc net.Conn, isServer bool) (*SSHConn, error) {
 	c := &SSHConn{
diff --git a/manifests/Dockerfile.dbg b/manifests/Dockerfile.dbg
deleted file mode 100644
index ac113ab..0000000
--- a/manifests/Dockerfile.dbg
+++ /dev/null
@@ -1,73 +0,0 @@
-FROM golang:latest AS build
-
-#RUN apk add --no-cache git
-RUN env
-
-ENV GO111MODULE=on
-ENV CGO_ENABLED=0
-ENV GOOS=linux
-ENV GOPROXY=https://proxy.golang.org
-
-# Binaries to /go/bin
-RUN go get github.com/githubnemo/CompileDaemon
-# CompileDaemon -log-prefix=false -build="go build -o /app" -command="/app"
-
-RUN go get github.com/go-delve/delve/cmd/dlv
-#dlv --listen=:40000 --headless=true --api-version=2 --accept-multiclient exec /app
-#https://www.reddit.com/r/golang/comments/i7hvco/compiledaemon_with_delve_debugging_while_auto/
-
-# Default is /go directory, which is set a GOPATH
-# That doesn't work with go.mod
-WORKDIR /ws
-#WORKDIR /src
-
-COPY go.mod ./
-RUN go mod download
-
-COPY cmd ./cmd/
-COPY pkg ./pkg/
-RUN go build -a -gcflags='all=-N -l' -ldflags '-extldflags "-static"' \
-  -o /go/bin/ugate ./cmd/ugate
-
-#RUN dlv --listen=:40000 --headless=true --api-version=2 --accept-multiclient exec /go/bin/ugate
-#RUN CompileDaemon -build="echo 1" \
-# -command="dlv --listen=:40000 --headless=true --api-version=2 --accept-multiclient ./cmd/ugate"
-
-### Same base as Istio debug
-#FROM ubuntu:bionic
-##FROM docker.io/istio/base:default AS wps
-##RUN apt-get update && apt install less net-tools
-#
-#COPY --from=build /ws/ugate /usr/local/bin/ugate
-#COPY --from=build /ws/cmd/ugate/iptables.sh /usr/local/bin/
-#COPY --from=build /ws/cmd/ugate/run.sh /usr/local/bin/
-##COPY --from=build /ws/dlv /usr/local/bin/dlv
-#
-#RUN apk add iptables ip6tables make &&\
-#    mkdir -p /var/lib/istio && \
-#    addgroup -g 1337 istio-proxy && \
-#    adduser -S -G istio-proxy istio-proxy -u 1337 && \
-#    mkdir -p /var/lib/istio && \
-#    chown -R 1337:1337 /var/lib/istio
-#
-#WORKDIR /var/lib/istio
-##RUN mkdir -p /etc/certs && \
-##    mkdir -p /etc/istio/proxy && \
-##    mkdir -p /etc/istio/config && \
-##    mkdir -p /var/lib/istio/envoy && \
-##    mkdir -p /var/lib/istio/config && \
-##    mkdir -p /var/lib/istio/proxy && \
-##    chown -R 1337 /etc/certs /etc/istio /var/lib/istio
-#
-#EXPOSE 15007
-#EXPOSE 8080
-#EXPOSE 15009
-#EXPOSE 15003
-#
-#ENV PORT=8080
-#
-## Defaults
-##COPY ./var/lib/istio /var/lib/istio/
-##USER 5228:5228
-##ENTRYPOINT /usr/local/bin/ugate
-#ENTRYPOINT /usr/local/bin/run.sh
diff --git a/manifests/ugate/charts/hpa.yaml b/manifests/hpa.yaml
similarity index 80%
rename from manifests/ugate/charts/hpa.yaml
rename to manifests/hpa.yaml
index eb290e8..2e26eea 100644
--- a/manifests/ugate/charts/hpa.yaml
+++ b/manifests/hpa.yaml
@@ -1,17 +1,17 @@
 apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
-  name: wps
-  namespace: wps
+  name: ugate
+  namespace: ugate
   labels:
-    release: wps
+    release: ugate
 spec:
   maxReplicas: 1
   minReplicas: 1
   scaleTargetRef:
     apiVersion: apps/v1
     kind: Deployment
-    name: wps
+    name: ugate
   metrics:
     - type: Resource
       resource:
diff --git a/manifests/cr.yaml b/manifests/knative-ugate.yaml
similarity index 68%
rename from manifests/cr.yaml
rename to manifests/knative-ugate.yaml
index 1fbfc1e..57ba695 100644
--- a/manifests/cr.yaml
+++ b/manifests/knative-ugate.yaml
@@ -21,9 +21,16 @@ spec:
       timeoutSeconds: 900
       containers:
         - image: gcr.io/dmeshgate/ugate:latest
+          command: /usr/local/bin/run.sh
           env:
             - name: test
               value: value
+            # Dev version connects to this reverse proxy
+            - name: DOMAIN
+              value: c1.webinf.info
+            # Dev version accepts SSH connections with this key
+            - name: SSH_AUTH
+              value: "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI/j2SLhiCu+2jueEOMpO1rsjmbZKxWPuivaGMQYyezlcHZvFIrp0liZkjwETsI2KTIuXYhr32lbQClH2vR55QU= costin@costin16"
           ports:
             - name: h2c
               containerPort: 8080
diff --git a/manifests/ugate/charts/pdb.yaml b/manifests/pdb.yaml
similarity index 58%
rename from manifests/ugate/charts/pdb.yaml
rename to manifests/pdb.yaml
index b725b20..2b57758 100644
--- a/manifests/ugate/charts/pdb.yaml
+++ b/manifests/pdb.yaml
@@ -1,13 +1,13 @@
 apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
-  name: wps
-  namespace: wps
+  name: ugate
+  namespace: ugate
   labels:
-    release: wps
+    release: ugate
 spec:
   minAvailable: 1
   selector:
     matchLabels:
-      app: wps
-      release: wps
+      app: ugate
+      release: ugate
diff --git a/manifests/ugate-dev/Chart.yaml b/manifests/ugate-dev/Chart.yaml
new file mode 100644
index 0000000..e7fdd57
--- /dev/null
+++ b/manifests/ugate-dev/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+name: ugate-dev
+version: 0.7
+tillerVersion: ">=2.7.2"
+description: Developer env for ugate. Includes debug and build tools.
+keywords:
+  - ugate
+engine: gotpl
diff --git a/manifests/ugate-dev/templates/deployment.yaml b/manifests/ugate-dev/templates/deployment.yaml
new file mode 100644
index 0000000..2a53bfb
--- /dev/null
+++ b/manifests/ugate-dev/templates/deployment.yaml
@@ -0,0 +1,94 @@
+---
+# Runs a docker-mounted dev image.
+# Can build images in the node's docker.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dev
+  labels:
+    app: dev
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: dev
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: dev
+      annotations:
+        sidecar.istio.io/proxyImage: gcr.io/istio-testing/proxyv2:latest
+    spec:
+      terminationGracePeriodSeconds: 1
+      securityContext:
+        runAsUser: 1000
+      containers:
+        - name: ubuntu
+          image: gcr.io/dmeshgate/ugate:latest
+          #command: ["/usr/local/bin/run.sh"]
+          #args: ["--auth", "none"]
+          env:
+            - name: PORT
+              value: "8080"
+          volumeMounts:
+            - mountPath: /var/run/docker.sock
+              name: docker-socket-volume
+            - mountPath: /work
+              name: src
+
+            - name: podinfo
+              mountPath: /etc/istio/pod
+
+            # Istio secrets (for istio-system)
+            - mountPath: /var/run/secrets/istio
+              name: istiod-ca-cert
+            - name: istio-token
+              mountPath: /var/run/secrets/tokens
+              readOnly: true
+          securityContext:
+            privileged: true
+          ports:
+            - containerPort: 8080
+              name: https
+              protocol: TCP
+
+      volumes:
+        - name: envcfg
+          configMap:
+            name: codeenv
+            optional: true
+
+        - name: docker-socket-volume
+          hostPath:
+            path: /var/run/docker.sock
+            type: File
+
+        - name: src
+          persistentVolumeClaim:
+            claimName: ugate-dev
+
+        - name: istiod-ca-cert
+          configMap:
+            name: istio-ca-root-cert
+            optional: true
+
+        - name: podinfo
+          downwardAPI:
+            items:
+              - path: "labels"
+                fieldRef:
+                  fieldPath: metadata.labels
+              - path: "annotations"
+                fieldRef:
+                  fieldPath: metadata.annotations
+
+        - name: istio-token
+          projected:
+            sources:
+              - serviceAccountToken:
+                  path: istio-token
+                  expirationSeconds: 43200
+                  audience: istio-ca
+
diff --git a/manifests/ugate-dev/templates/pd.yaml b/manifests/ugate-dev/templates/pd.yaml
new file mode 100644
index 0000000..2742dfe
--- /dev/null
+++ b/manifests/ugate-dev/templates/pd.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ugate-dev
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 30Gi
diff --git a/manifests/ugate-istio-system/Chart.yaml b/manifests/ugate-istio-system/Chart.yaml
new file mode 100644
index 0000000..e7fdd57
--- /dev/null
+++ b/manifests/ugate-istio-system/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+name: ugate-dev
+version: 0.7
+tillerVersion: ">=2.7.2"
+description: Developer env for ugate. Includes debug and build tools.
+keywords:
+  - ugate
+engine: gotpl
diff --git a/manifests/ugate-istio-system/templates/deployment.yaml b/manifests/ugate-istio-system/templates/deployment.yaml
new file mode 100644
index 0000000..bc7a965
--- /dev/null
+++ b/manifests/ugate-istio-system/templates/deployment.yaml
@@ -0,0 +1,89 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dev
+  namespace: dev
+spec:
+  ports:
+    - port: 8384
+      name: syncthing
+  selector:
+    app: dev
+---
+# Runs a docker-mounted dev image.
+# Can build images in the node's docker.
+#apiVersion: v1
+#kind: ReplicationController
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dev
+  namespace: dev
+  labels:
+    app: dev
+spec:
+  replicas: 1
+  #  strategy:
+  #    rollingUpdate:
+  #      maxSurge: 1
+  #      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: dev
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: dev
+      annotations:
+        sidecar.istio.io/proxyImage: gcr.io/istio-testing/proxyv2:latest
+        #sidecar.istio.io/proxyImage: costinm/proxyv2:latest
+    spec:
+      terminationGracePeriodSeconds: 1
+      securityContext:
+        runAsUser: 1000
+      containers:
+        - name: ubuntu
+          image: costinm/istio-build-code:latest
+          command: ["/usr/bin/code-server"]
+          args: ["--auth", "none"]
+          volumeMounts:
+            - mountPath: /var/run/docker.sock
+              name: docker-socket-volume
+            - mountPath: /work
+              name: src
+          securityContext:
+            privileged: true
+          ports:
+            - containerPort: 8080
+              name: https
+              protocol: TCP
+
+        - name: sync
+          image: syncthing/syncthing
+          # Entrypoint expects to run as root
+          command: [ "/bin/syncthing", "-home", "/var/syncthing/config"]
+          ports:
+            - containerPort: 22000
+              name: http
+              protocol: TCP
+            - containerPort: 8384
+              name: tcp-sync
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /var/syncthing
+              name: src
+      volumes:
+        - name: envcfg
+          configMap:
+            name: codeenv
+            optional: true
+        - name: docker-socket-volume
+          hostPath:
+            path: /var/run/docker.sock
+            type: File
+        - name: src
+          persistentVolumeClaim:
+            claimName: src
diff --git a/manifests/ugate/Chart.yaml b/manifests/ugate/Chart.yaml
new file mode 100644
index 0000000..023cc0b
--- /dev/null
+++ b/manifests/ugate/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+name: ugate
+version: 0.7
+tillerVersion: ">=2.7.2"
+description: uGate provides a minimal mesh gateway/sidecar
+keywords:
+  - ugate
+engine: gotpl
diff --git a/manifests/ugate/charts/service.yaml b/manifests/ugate/charts/service.yaml
deleted file mode 100644
index 9f72968..0000000
--- a/manifests/ugate/charts/service.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: wps
-  namespace: wps
-  labels:
-    release: wps
-spec:
-  ports:
-    - port: 5222
-      name: tcp-ssh
-    - port: 5228
-      name: https
-  selector:
-    app: wps
----
diff --git a/manifests/ugate/kustomization.yaml b/manifests/ugate/kustomization.yaml
deleted file mode 100644
index 53bfbc3..0000000
--- a/manifests/ugate/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - charts/app.yaml
-  - charts/pdb.yaml
-  - charts/service.yaml
-  - charts/istio.yaml
-
diff --git a/manifests/ugate/lb-service.yaml b/manifests/ugate/lb-service.yaml
new file mode 100644
index 0000000..382ffa1
--- /dev/null
+++ b/manifests/ugate/lb-service.yaml
@@ -0,0 +1,17 @@
+# External address for ugate.
+apiVersion: v1
+kind: Service
+metadata:
+  name: ugate-lb
+  namespace: ugate
+  labels:
+    release: ugate
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 443
+      targetPort: 15007
+      name: h2-bts
+  selector:
+    app: ugate
+---
diff --git a/manifests/ugate/charts/istio.yaml b/manifests/ugate/templates/istio.yaml
similarity index 100%
rename from manifests/ugate/charts/istio.yaml
rename to manifests/ugate/templates/istio.yaml
diff --git a/manifests/ugate/templates/service.yaml b/manifests/ugate/templates/service.yaml
new file mode 100644
index 0000000..f80f59f
--- /dev/null
+++ b/manifests/ugate/templates/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ugate
+  namespace: ugate
+  labels:
+    release: ugate
+spec:
+  ports:
+    - port: 15007
+      name: h2-bts
+  selector:
+    app: ugate
+---
diff --git a/manifests/ugate/charts/app.yaml b/manifests/ugate/templates/statefulset.yaml
similarity index 52%
rename from manifests/ugate/charts/app.yaml
rename to manifests/ugate/templates/statefulset.yaml
index d1f816a..85c38f1 100644
--- a/manifests/ugate/charts/app.yaml
+++ b/manifests/ugate/templates/statefulset.yaml
@@ -1,22 +1,25 @@
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
-  name: wps
-  namespace: wps
+  name: ugate
+#  namespace: ugate
   labels:
-    app: wps
+    app: ugate
 spec:
-  strategy:
-    rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 1
+  podManagementPolicy: Parallel
+  replicas: 1
+  serviceName: ugate
+#  strategy:
+#    rollingUpdate:
+#      maxSurge: 1
+#      maxUnavailable: 1
   selector:
     matchLabels:
-      app: wps
+      app: ugate
   template:
     metadata:
       labels:
-        app: wps
+        app: ugate
     spec:
       serviceAccountName: default
       containers:
@@ -24,8 +27,8 @@ spec:
           #image: costinm/wps:latest
           #image: localhost:5000/wps:2020-05-24
           # For skaffold
-          #image: wps:latest
-          image: gcr.io/dmeshgate/ugate:latest
+          #image: ugate:latest
+          image: {{ .Values.image }}
           imagePullPolicy: Always
           ports:
             - containerPort: 5222
@@ -36,7 +39,7 @@ spec:
               name: tls
           #          envFrom:
           #          - configMapRef:
-          #              name: wps
+          #              name: ugate
           #              optional: true
           env:
             - name: GOTRACEBACK
@@ -47,7 +50,7 @@ spec:
               memory: 256Mi
           volumeMounts:
             # Default 'RO' config source
-            - name: wps
+            - name: ugate
               mountPath: /var/lib/dmesh
               readOnly: true
 
@@ -64,64 +67,64 @@ spec:
               readOnly: true
 
         # Co-located istio Gateway
-        - name: istio-proxy
-          image: costinm/proxyv2:latest
-          args:
-            - "proxy"
-            - "router"
-            - "--serviceCluster"
-            - "wps"
-          env:
-            - name: XDS_SAVE
-              value: /etc/istio/proxy/
-            - name: XDS_LOCAL
-              value: 0.0.0.0:15015
-            # Save the workload secret to file
-            - name: OUTPUT_CERTS
-              value: /etc/istio/proxy/
-            # Override default ca addr - use real istiod
-            # This will save the certs to a dir, available to local istiod
-            #            - name: CA_ADDR
-            #              value: istiod.istio-system.svc:15012
-            - name: PROXY_CONFIG
-              value: |-
-                discoveryAddress: istiod.istio-system.svc:15012
-                zipkin:
-                  address: ""
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  apiVersion: v1
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  apiVersion: v1
-                  fieldPath: metadata.namespace
-
-          resources:
-            requests:
-              cpu: 10m
-              memory: 256Mi
-          ports:
-            # Creates on each host a port forwarder:
-            # -A CNI-DN-78555e74edb8054e88910 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 10.48.0.156:5000
-            - containerPort: 15012
-              name: docker
-              protocol: TCP
-          volumeMounts:
-            - mountPath: /var/run/secrets/istio
-              name: istiod-ca-cert
-            - name: istio-envoy
-              mountPath: /etc/istio/proxy
-            - name: istio-token
-              mountPath: /var/run/secrets/tokens
-              readOnly: true
-            # Not creating those directories disables Secret watching
-            #            - name: ingressgatewaysdsudspath
-            #              mountPath: /var/run/ingress_gateway
-            - name: podinfo
-              mountPath: /etc/istio/pod
+#        - name: istio-proxy
+#          image: costinm/proxyv2:latest
+#          args:
+#            - "proxy"
+#            - "router"
+#            - "--serviceCluster"
+#            - "wps"
+#          env:
+#            - name: XDS_SAVE
+#              value: /etc/istio/proxy/
+#            - name: XDS_LOCAL
+#              value: 0.0.0.0:15015
+#            # Save the workload secret to file
+#            - name: OUTPUT_CERTS
+#              value: /etc/istio/proxy/
+#            # Override default ca addr - use real istiod
+#            # This will save the certs to a dir, available to local istiod
+#            #            - name: CA_ADDR
+#            #              value: istiod.istio-system.svc:15012
+#            - name: PROXY_CONFIG
+#              value: |-
+#                discoveryAddress: istiod.istio-system.svc:15012
+#                zipkin:
+#                  address: ""
+#            - name: POD_NAME
+#              valueFrom:
+#                fieldRef:
+#                  apiVersion: v1
+#                  fieldPath: metadata.name
+#            - name: POD_NAMESPACE
+#              valueFrom:
+#                fieldRef:
+#                  apiVersion: v1
+#                  fieldPath: metadata.namespace
+#
+#          resources:
+#            requests:
+#              cpu: 10m
+#              memory: 256Mi
+#          ports:
+#            # Creates on each host a port forwarder:
+#            # -A CNI-DN-78555e74edb8054e88910 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 10.48.0.156:5000
+#            - containerPort: 15012
+#              name: docker
+#              protocol: TCP
+#          volumeMounts:
+#            - mountPath: /var/run/secrets/istio
+#              name: istiod-ca-cert
+#            - name: istio-envoy
+#              mountPath: /etc/istio/proxy
+#            - name: istio-token
+#              mountPath: /var/run/secrets/tokens
+#              readOnly: true
+#            # Not creating those directories disables Secret watching
+#            #            - name: ingressgatewaysdsudspath
+#            #              mountPath: /var/run/ingress_gateway
+#            - name: podinfo
+#              mountPath: /etc/istio/pod
 
       securityContext:
         runAsUser: 0
@@ -184,7 +187,7 @@ spec:
                   audience: istio-ca
 
         # WPS Config map
-        - name: wps
+        - name: ugate
           secret:
-            secretName: wps
+            secretName: ugate
             optional: true
diff --git a/manifests/ugate/values.yaml b/manifests/ugate/values.yaml
new file mode 100644
index 0000000..adbf3ce
--- /dev/null
+++ b/manifests/ugate/values.yaml
@@ -0,0 +1,7 @@
+#
+# Install example:
+# helm upgrade --install --create-namespace ugate --namespace ugate k8s/ugate/
+
+image: gcr.io/dmeshgate/ugate-dev:latest
+
+
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index 63bdd03..34018cc 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -58,7 +58,7 @@ type Auth struct {
 	// Trust domain, should be 'cluster.local' or a real domain with OIDC keys.
 	Domain string
 
-	// User friendly name - not trusted
+	// User name, based on service account or uid.
 	Name string
 
 	// base64URL encoding of the primary public key.
@@ -81,6 +81,7 @@ type Auth struct {
 	cfg        *KubeConfig
 
 	// Explicit certificates (lego), key is hostname from file
+	//
 	CertMap map[string]*tls.Certificate
 }
 
@@ -120,6 +121,12 @@ func NewAuth(cs ugate.ConfStore, name, domain string) *Auth {
 			name, _ = os.Hostname()
 		}
 	}
+	if domain == "" {
+		domain = os.Getenv("DOMAIN")
+	}
+	if domain == "" {
+		domain = "c1.webinf.info"
+	}
 
 	auth := &Auth{
 		Config: cs,
@@ -199,13 +206,19 @@ func (auth *Auth) GenerateTLSConfigServer() *tls.Config {
 	}
 }
 
-// From a CNI or Host/:authority header, extract a node ID key.
+// Host2ID concerts a Host/:authority or path parameter hostname to a node ID.
+//
 func (auth *Auth) Host2ID(host string) string {
-	col := strings.Index(host, ":")
+	col := strings.Index(host, ".")
 	if col > 0 {
 		host = host[0:col]
+	} else {
+		col = strings.Index(host, ":")
+		if col > 0 {
+			host = host[0:col]
+		}
 	}
-	return host
+	return strings.ToUpper(host)
 }
 
 // Get all known certificates from local files. This is used to support
@@ -908,6 +921,9 @@ func GetSAN(c *x509.Certificate) ([]string, error) {
 // Get an ID token from platform (GCP, etc)
 // curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]" \
 //  -H "Metadata-Flavor: Google"
+//
+// May fail and need retry
+// TODO: how to detect if running supported ? env ?
 func GetMDSIDToken(aud string) string {
 	req, _ := http.NewRequest("GET",
 		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=" +
diff --git a/pkg/auth/bootstrap.go b/pkg/auth/bootstrap.go
new file mode 100644
index 0000000..1f45707
--- /dev/null
+++ b/pkg/auth/bootstrap.go
@@ -0,0 +1,70 @@
+package auth
+
+import (
+	"io/ioutil"
+	"log"
+	"net/http"
+	"os"
+	"strings"
+)
+
+// PlatformInit will attempt to get the identity from the environment.
+//
+// - K8S - /var/run/secrets/kubernetes.io/serviceaccount/token
+// - Istio - extract trust domain from /var/run/secrets/...
+// - GCP/CloudRun/K8S - use metadata server to find the service account
+// - Regular VMs - look for google 'default credentials' and ~/.kube/config
+func PlatformInit() {
+
+}
+
+func (a *Auth) extractMetadata() {
+	tok  := GetMDSIDToken("istiod.istio-system.svc")
+	if tok == "" {
+		return
+	}
+}
+
+// GetMDS returns MDS info on google:
+// instance/hostname - node name.c.PROJECT.internal
+// instance/attributes/cluster-name, cluster-location
+// project/project-id, numeric-project-id
+// instance/service-accounts/ - default, PROJECTID.svc.id.goog
+// instance/service-accounts/default/identity - requires the iam.gke.io/gcp-service-account=gsa@project annotation and IAM
+// instance/service-accounts/default/token - access token for the KSA
+//
+func GetMDS(aud string) string {
+	req, _ := http.NewRequest("GET",
+		"http://metadata.google.internal/computeMetadata/v1/" + aud, nil)
+	req.Header.Add("Metadata-Flavor", "Google")
+	res, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return ""
+	}
+	rb, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return ""
+	}
+	return string(rb)
+}
+
+
+func (a *Auth) extractK8sJWT() {
+	for _, tf := range []string{} {
+		if _, err := os.Stat("./var/run/secrets/kubernetes.io/serviceaccount/token"); !os.IsNotExist(err) {
+			data, err := ioutil.ReadFile(tf)
+			if err != nil {
+				continue
+			}
+			_, t, _, _, _ := JwtRawParse(string(data))
+			if t.Iss != "kubernetes/serviceaccount" {
+				log.Println("Unexpected iss", t.Raw)
+				continue
+			}
+			subP := strings.Split(t.Sub, ":")
+			if strings.HasPrefix(t.Sub, "system:serviceaccount") && len(subP) >= 4 {
+				// TODO: use the namespace and KSA
+			}
+		}
+	}
+}
diff --git a/pkg/auth/vapid.go b/pkg/auth/vapid.go
index b066b45..29e29e6 100644
--- a/pkg/auth/vapid.go
+++ b/pkg/auth/vapid.go
@@ -63,6 +63,15 @@ type JWT struct {
 
 	// Max 24h
 	Exp int64 `json:"exp"`
+
+	// Issuer - for example kubernetes/serviceaccount.
+	Iss string `json:"iss"`
+
+	Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
+
+	Name string `json:"kubernetes.io/serviceaccount/service-account.name"`
+
+	Raw string `json:-`
 }
 
 // VAPIDToken creates a token with the specified endpoint, using configured Sub id
@@ -165,6 +174,7 @@ func JwtRawParse(tok string) (*JWTHead, *JWT, []byte, []byte, error) {
 	}
 	b := &JWT{}
 	json.Unmarshal(payload, b)
+	b.Raw = string(payload)
 
 	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
 	if err != nil {
diff --git a/pkg/udp/udpproxy.go b/pkg/udp/udpproxy.go
index 708ac4e..67bc537 100644
--- a/pkg/udp/udpproxy.go
+++ b/pkg/udp/udpproxy.go
@@ -101,7 +101,7 @@ import (
 // - o-o.myaddr.l.google.com. [o-o.myaddr.l.google.com.	60	IN	TXT	"73.158.64.15"]
 
 
-const DumpUdp = false
+const DumpUdp = true
 
 
 var (
@@ -127,14 +127,15 @@ type UdpNat struct {
 	// bound to a local port (on the real network).
 	UDP *net.UDPConn
 
-	Closed    bool
+	Closed bool
 
 	// For captured traffic / NAT
-	LocalIP    net.IP
+	LocalIP   net.IP
 	LocalPort int
 
 	LastRemoteIP    net.IP
 	LastsRemotePort uint16
+	ReverseSrcAddr  *net.UDPAddr
 }
 
 // Capture return - sends packets back to client app.
@@ -231,7 +232,7 @@ func (udpg *UDPGate) HttpUDPNat(w http.ResponseWriter, r *http.Request) {
 // udpN is the 'dialed connection' -
 func remoteConnectionReadLoop(gw *UDPGate, localAddr *net.UDPAddr, acceptConn *net.UDPConn, udpN *UdpNat, writer ugate.UdpWriter) {
 	if DumpUdp {
-		log.Println("Starting read loop for ", localAddr)
+		log.Println("Starting remote loop for ", localAddr, udpN.ReverseSrcAddr, udpN.DestAddr, udpN.Dest)
 	}
 	buffer := bufferPoolUdp.Get().([]byte)
 	defer bufferPoolUdp.Put(buffer)
@@ -252,11 +253,16 @@ func remoteConnectionReadLoop(gw *UDPGate, localAddr *net.UDPAddr, acceptConn *n
 		// TODO: for android dmesh, we may need to take zone into account.
 		if writer != nil {
 			if DumpUdp {
-				log.Println("UDP Res: ", srcAddr, "->", localAddr)
+				log.Println("UDP Reverse: ", srcAddr, "->", localAddr)
 			}
-			n, err := writer.WriteTo(buffer[:size], localAddr, srcAddr)
+			rsa := srcAddr
+			if udpN.ReverseSrcAddr != nil {
+				// For UDP, must match the original address used by client
+				rsa = udpN.ReverseSrcAddr
+			}
+			n, err := writer.WriteTo(buffer[:size], localAddr, rsa)
 			if DumpUdp {
-				log.Println("UDP Res DPME: ", srcAddr, "->", localAddr, n, err)
+				log.Println("UDP Res DPME: ", rsa, "->", localAddr, n, err)
 			}
 		} else {
 			if DumpUdp {
@@ -406,7 +412,6 @@ func (udpg *UDPGate) HandleUdp(dstAddr net.IP, dstPort uint16, localAddr net.IP,
 		udpCon, err := net.ListenUDP("udp", &net.UDPAddr{
 			Port: 0,
 		})
-		setReceiveBuffer(udpCon, bufferSize)
 
 		if err != nil {
 			log.Println("udp proxy failed to listen", err)
@@ -414,12 +419,26 @@ func (udpg *UDPGate) HandleUdp(dstAddr net.IP, dstPort uint16, localAddr net.IP,
 			return
 		}
 
+		setReceiveBuffer(udpCon, bufferSize)
+
 		udpN = &UdpNat{
 			UDP: udpCon,
 		}
-		udpN.DestAddr = &net.UDPAddr{
-			IP: dstAddr,
-			Port: int(dstPort),
+
+		l := udpg.cfg.FindListener(dstAddr, dstPort, "udp://")
+		if l.ForwardTo != "" {
+			udpN.DestAddr, err = net.ResolveUDPAddr("udp", l.ForwardTo)
+			if err != nil {
+				log.Println("Failed to resolve ", l.ForwardTo, err)
+				return
+			}
+			udpN.ReverseSrcAddr = &net.UDPAddr{IP:dstAddr, Port: int(dstPort)}
+		} else {
+			// Original destination
+			udpN.DestAddr = &net.UDPAddr{
+				IP:   dstAddr,
+				Port: int(dstPort),
+			}
 		}
 
 		udpN.LocalPort = udpCon.LocalAddr().(*net.UDPAddr).Port
@@ -435,8 +454,7 @@ func (udpg *UDPGate) HandleUdp(dstAddr net.IP, dstPort uint16, localAddr net.IP,
 		go remoteConnectionReadLoop(udpg, src, udpCon, udpN, w)
 	}
 
-	dst := &net.UDPAddr{Port: int(dstPort), IP: dstAddr}
-	n, err := udpN.UDP.WriteTo(data, dst)
+	n, err := udpN.UDP.WriteTo(data, udpN.DestAddr)
 
 	udpN.LastWrite = time.Now()
 	udpN.SentPackets++
@@ -446,11 +464,11 @@ func (udpg *UDPGate) HandleUdp(dstAddr net.IP, dstPort uint16, localAddr net.IP,
 
 	if DumpUdp {
 		if found {
-			log.Println("UDP OFW ", src, "->", dst, n)
+			log.Println("UDP OFW ", src, "->", udpN.DestAddr, n)
 		} else {
-			log.Println("UDP open ", src, "->", udpN.UDP.LocalAddr(), "->", dst, n, err)
+			log.Println("UDP open ", src, "->", udpN.UDP.LocalAddr(), "->", udpN.DestAddr, n, err)
 		}
-		log.Println("UDP open ", src, "->", udpN.UDP.LocalAddr(), "->", dst, n)
+		log.Println("UDP open ", src, "->", udpN.UDP.LocalAddr(), "->", udpN.DestAddr, n)
 	}
 }
 
diff --git a/pkg/ugatesvc/accept.go b/pkg/ugatesvc/accept.go
index 2ad746a..492121e 100644
--- a/pkg/ugatesvc/accept.go
+++ b/pkg/ugatesvc/accept.go
@@ -47,13 +47,8 @@ func (ug *UGate) HandleTUN(conn net.Conn, ra *net.TCPAddr, la *net.TCPAddr) erro
 
 	bconn.Session = &ugate.Session{RemoteAddr: ra, LocalAddr: la}
 
-	//la := conn.LocalAddr()
-
 	// Testing/debugging - localhost is captured by table local, rule 0.
 	if bconn.Dest == "" {
-			if ra.Port == 5201 {
-				ra.IP = []byte{0x7f, 0, 0, 1}
-			}
 			bconn.Dest = ra.String()
 			log.Println("LTUN ", ra, la, bconn.Dest)
 	}
@@ -115,28 +110,129 @@ func (ug *UGate) handleTLS(l *ugate.Listener, acceptedCon net.Conn) {
 		//if ug.Auth.Config.Get("key/" + dest) {
 		//
 		//}
-		wild := ""
-		for cn, k := range l.Certs {
-			if cn == "*" {
-				wild = k
-			} else {
-				if cn[0] == '*' && len(cn) > 2 {
-					if strings.HasSuffix(sni, cn[2:]) {
+		_, ok := ug.Auth.CertMap[sni]
+		if ok {
+			tlsTerm = true
+			cert = sni
+		} else {
+			// Check certs defined for the listener
+			wild := ""
+			for cn, k := range l.Certs {
+				if cn == "*" {
+					wild = k
+				} else {
+					if cn[0] == '*' && len(cn) > 2 {
+						if strings.HasSuffix(sni, cn[2:]) {
+							tlsTerm = true
+							cert = k
+						}
+					} else if sni == cn {
 						tlsTerm = true
 						cert = k
 					}
-				} else if sni == cn {
-					tlsTerm = true
-					cert = k
 				}
 			}
+			if !tlsTerm && wild != "" {
+				tlsTerm = true
+				cert = wild
+			}
+		}
+	}
+
+	sniCfg := ug.Listeners[rawStream.Dest]
+	if sniCfg != nil {
+		if sniCfg.ForwardTo != "" {
+			rawStream.Dest = sniCfg.ForwardTo
 		}
-		if !tlsTerm && wild != "" {
+	}
+
+	// Terminate TLS if the stream is detected as TLS and the matched config
+	// is configured for termination.
+	// Else it's just a proxied SNI connection.
+	if tlsTerm {
+		tlsCfg := ug.TLSConfig
+		if cert != "" {
+			// explicit cert based on listener config
+			// TODO: tlsCfg = ug.Auth.GetServerConfig(cert)
+		}
+		// TODO: present the right ALPN for the port ( if not set, use default)
+		tc, err := ug.NewTLSConnIn(rawStream.Context(),l, rawStream, tlsCfg)
+		if err != nil {
+			rawStream.ReadErr = err
+			log.Println("TLS: ", rawStream.RemoteAddr(), rawStream.Dest, rawStream.Listener, err)
+			return
+		}
+
+		// Handshake done. Now we have access to the ALPN.
+		rawStream.ReadErr = ug.HandleBTSStream(tc)
+	} else {
+		// Default stream handling is proxy.
+		rawStream.ReadErr = ug.HandleStream(rawStream)
+	}
+}
+
+// Dedicated BTS handler, for accepted connections with TLS.
+// Port 443 (if root or redirected), or BASE + 7
+//
+// curl https://$NAME/ --connect-to $NAME:443:127.0.0.1:15007
+func (ug *UGate) handleBTS(l *ugate.Listener, acceptedCon net.Conn) {
+	// Attempt to determine the Listener and target
+	// Ingress mode, forward to an IP
+
+	rawStream := ugate.GetStream(acceptedCon, acceptedCon)
+
+	// Track the original stream. Report error and bytes on the original.
+	ug.OnStream(rawStream)
+	defer ug.OnStreamDone(rawStream)
+
+	rawStream.Listener = l
+	rawStream.Type = l.Protocol
+
+
+	// Used to present the right cert
+	_, rawStream.ReadErr = ParseTLS(rawStream)
+	if rawStream.ReadErr != nil {
+		return
+	}
+
+	sni := rawStream.Dest
+
+	// 2 main cases:
+	// - terminated here - if we have a cert
+	// - SNI routed - no termination.
+	tlsTerm := false
+	cert := ""
+
+	if rawStream.Dest == "" {
+		// No explicit destination - terminate here
+		tlsTerm = true
+	} else if rawStream.Dest == ug.Auth.ID {
+		tlsTerm = true
+	} else {
+		// Not sure if this is worth it, may be too complex
+		// TODO: try to find certificate for domain or parent.
+		//if ug.Auth.Config.Get("key/" + dest) {
+		//
+		//}
+		_, ok := ug.Auth.CertMap[sni]
+		if ok {
 			tlsTerm = true
-			cert = wild
+			cert = sni
 		}
 	}
 
+	sniCfg := ug.Listeners[rawStream.Dest]
+	if sniCfg == nil {
+		idx :=  strings.Index(rawStream.Dest, ".")
+		if idx > 0 {
+			sniCfg = ug.Listeners[rawStream.Dest[0:idx]]
+		}
+	}
+	if sniCfg != nil {
+		if sniCfg.ForwardTo != "" {
+			rawStream.Dest = sniCfg.ForwardTo
+		}
+	}
 
 	if l.ForwardTo != "" {
 		// Explicit override - this is for listeners with type TLS and explicit
@@ -162,13 +258,13 @@ func (ug *UGate) handleTLS(l *ugate.Listener, acceptedCon net.Conn) {
 			log.Println("TLS: ", rawStream.RemoteAddr(), rawStream.Dest, rawStream.Listener, err)
 			return
 		}
-		// Handshake done. Now we have access to the ALPN
 
-		rawStream.ReadErr = ug.HandleStream(tc)
+		// Handshake done. Now we have access to the ALPN.
+
+		rawStream.ReadErr = ug.HandleBTSStream(tc)
 	} else {
-		// TODO: additional config for SNI proxying - what is allowed, etc - to avoid open relay
-		//
-		rawStream.ReadErr = ug.HandleStream(rawStream)
+		// Default stream handling is proxy.
+		rawStream.ReadErr = ug.HandleSNIStream(rawStream)
 	}
 }
 
diff --git a/pkg/ugatesvc/handlers.go b/pkg/ugatesvc/handlers.go
index 142986a..a1752dd 100644
--- a/pkg/ugatesvc/handlers.go
+++ b/pkg/ugatesvc/handlers.go
@@ -205,6 +205,10 @@ func (gw *UGate) HttpTCP(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+// HttpNodesFilter returns the list of directly connected nodes.
+//
+// Optional 't' parameter is a timestamp used to filter recently seen nodes.
+// Uses NodeByID table.
 func (gw *UGate) HttpNodesFilter(w http.ResponseWriter, r *http.Request) {
 	gw.m.RLock()
 	defer gw.m.RUnlock()
@@ -264,16 +268,17 @@ func (gw *UGate) HandleID(w http.ResponseWriter, r *http.Request) {
 // HandleTCPPRoxy is called for CONNECT and /dm/ADDRESS
 // TODO: also handle /ipfs/... for compat.
 func (gw *UGate) HandleTCPProxy(w http.ResponseWriter, r *http.Request) {
-	parts := strings.Split(r.RequestURI, "/")
-	//
-	//r1 := CreateUpstreamRequest(w, r)
-	//r1.Host = parts[2]
-	//r1.URL.Scheme = "https"
-	//r1.URL.Host = r1.Host
-	//r1.URL.Path = "/" + strings.Join(parts[3:], "/")
 
+	// Create a stream, used for proxy with caching.
 	str := ugate.NewStreamRequest(r, w, nil)
-	str.Dest = parts[2]
+
+	if r.Method == "CONNECT" {
+		str.Dest = r.Host
+	} else {
+		parts := strings.Split(r.RequestURI, "/")
+		str.Dest = parts[2]
+	}
+
 	str.PostDialHandler = func(conn net.Conn, err error) {
 		if err != nil {
 			w.Header().Add("Error", err.Error())
@@ -281,12 +286,23 @@ func (gw *UGate) HandleTCPProxy(w http.ResponseWriter, r *http.Request) {
 			w.(http.Flusher).Flush()
 			return
 		}
-		w.Header().Set("Trailer", "X-Close")
+		//w.Header().Set("Trailer", "X-Close")
 		w.WriteHeader(200)
 		w.(http.Flusher).Flush()
 	}
-	str.Dest = parts[2]
+	defer func() {
+		// Handler is done - even if it didn't call close, prevent calling it again.
+		if ugate.DebugClose {
+			log.Println("HTTP.Close - handler done, no close ", str.Dest)
+		}
+		str.ServerClose = true
+	}()
 
+	// Treat it as regular stream forwarding
 	gw.HandleVirtualIN(str)
 
+	if ugate.DebugClose {
+		log.Println("Handler closed for ", r.RequestURI)
+	}
+
 }
diff --git a/pkg/ugatesvc/port_listener.go b/pkg/ugatesvc/port_listener.go
index 82c46f9..6e1891e 100644
--- a/pkg/ugatesvc/port_listener.go
+++ b/pkg/ugatesvc/port_listener.go
@@ -159,8 +159,8 @@ func (pl *PortListener) serve(gate *UGate) {
 		switch pl.Protocol {
 		case ugate.ProtoTLS:
 			go gate.handleTLS(&pl.Listener, remoteConn)
-		case ugate.ProtoHTTPS:
-			go gate.handleTLS(&pl.Listener, remoteConn)
+		case ugate.ProtoBTS:
+			go gate.handleBTS(&pl.Listener, remoteConn)
 		case ugate.ProtoHTTP:
 			go gate.H2Handler.handleHTTPListener(&pl.Listener, remoteConn)
 		default:
diff --git a/pkg/ugatesvc/routing.go b/pkg/ugatesvc/routing.go
index 47bf951..26c62a4 100644
--- a/pkg/ugatesvc/routing.go
+++ b/pkg/ugatesvc/routing.go
@@ -7,6 +7,7 @@ import (
 	"log"
 	"net"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/costinm/ugate"
@@ -87,6 +88,28 @@ func (ug *UGate) DialAndProxy(str *ugate.Stream) error {
 	return str.ProxyTo(nc)
 }
 
+// Stream received via a BTS SNI route.
+// Similar with dialAndProxy
+func (ug *UGate) HandleSNIStream(str *ugate.Stream) error {
+	idx :=  strings.Index(str.Dest, ".")
+	if idx > 0 {
+		// Only SNI route to mesh nodes, ignore the domain name
+		str.Dest = str.Dest[0:idx]
+	}
+
+	nc, err := ug.dial(context.Background(), str.Dest, str)
+	str.PostDial(nc, err)
+
+	if err != nil {
+		// postDial will take care of sending error code.
+		return err
+	}
+	defer nc.Close()
+
+	return str.ProxyTo(nc)
+}
+
+
 // DialContext creates  connection to the remote addr, implements
 // x.net.proxy.ContextDialer and ugate.ContextDialer.
 //
@@ -207,7 +230,7 @@ func (ug *UGate) dial(ctx context.Context, addr string, s *ugate.Stream) (net.Co
 
 			rs := ugate.NewStreamRequestOut(r1, out, res, nil)
 			if ugate.DebugClose {
-				log.Println("TUN: ", addr, r1.URL)
+				log.Println(rs.StreamId, "dial.TUN: ", addr, r1.URL)
 			}
 			return rs, nil
 		}
@@ -215,8 +238,6 @@ func (ug *UGate) dial(ctx context.Context, addr string, s *ugate.Stream) (net.Co
 		if dmn.Addr != "" {
 			addr = dmn.Addr
 		}
-
-
 	}
 
 	// TODO: if it is a mesh node, create a connection !
diff --git a/pkg/ugatesvc/tls_conn.go b/pkg/ugatesvc/tls_conn.go
index 91edceb..a8fb1a6 100644
--- a/pkg/ugatesvc/tls_conn.go
+++ b/pkg/ugatesvc/tls_conn.go
@@ -212,13 +212,19 @@ const (
 )
 
 
+// TODO: if a session ID is provided, use it as a cookie and attempt
+// to find the corresponding host.
+// On server side generate session IDs !
+//
+// TODO: in mesh, use one cypher suite (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
+// maybe 2 ( since keys are ECDSA )
 func ParseTLS(acc *ugate.Stream) (*clientHelloMsg,error) {
 	buf, err := acc.Fill(5)
 	if err != nil {
 		return nil, err
 	}
 	typ := buf[0] // 22 3 1 2 0
-	if typ != 22 {
+	if typ != 0x16 {
 		return nil, sniErr
 	}
 	vers := uint16(buf[1])<<8 | uint16(buf[2])
diff --git a/pkg/ugatesvc/ugate.go b/pkg/ugatesvc/ugate.go
index 577fa38..f2e4f39 100644
--- a/pkg/ugatesvc/ugate.go
+++ b/pkg/ugatesvc/ugate.go
@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"os"
 	"runtime/debug"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -129,7 +130,7 @@ func New(cs ugate.ConfStore, a *auth.Auth, cfg *ugate.GateCfg) *UGate {
 	Get(cs, "ugate", cfg)
 
 	if cfg.Domain == "" {
-		cfg.Domain = ugate.ConfStr(cs, "DOMAIN", "h.webinf.info")
+		cfg.Domain = ugate.ConfStr(cs, "DOMAIN", "c1.webinf.info")
 		if len(cfg.H2R) == 0 {
 			cfg.H2R[cfg.Domain] = ""
 		}
@@ -155,6 +156,10 @@ func New(cs ugate.ConfStore, a *auth.Auth, cfg *ugate.GateCfg) *UGate {
 		Msg: msgs.DefaultMux,
 	}
 
+	if l, ok := cfg.Listeners["*"]; ok {
+		ug.DefaultListener = l
+	}
+
 
 	ug.TLSConfig = &tls.Config{
 		//MinVersion: tls.VersionTLS13,
@@ -234,6 +239,9 @@ func NewDMNode() *ugate.DMNode {
 	}
 }
 
+// GetNode returns a node, using an encoded id string.
+//
+//
 func (ug *UGate) GetNode(id string) *ugate.DMNode {
 	ug.m.RLock()
 	n := ug.NodesByID[id]
@@ -327,10 +335,10 @@ func (ug *UGate) OnStreamDone(str *ugate.Stream) {
 	}
 
 	if ugate.NoEOF(str.ReadErr) != nil || str.WriteErr != nil {
-		log.Println("AE:", str.StreamId, "Err in:", str.ReadErr, str.WriteErr)
+		log.Println(str.StreamId, "AE:", "Err in:", str.ReadErr, str.WriteErr)
 	}
 	if ugate.NoEOF(str.ProxyReadErr) != nil || str.ProxyWriteErr != nil {
-		log.Println("AE:", str.StreamId, "Err out:", str.ProxyReadErr, str.ProxyWriteErr)
+		log.Println(str.StreamId, "AE:", "Err out:", str.ProxyReadErr, str.ProxyWriteErr)
 	}
 	if !str.Closed {
 		str.Close()
@@ -413,7 +421,7 @@ func (ug *UGate) DefaultPorts(base int) error {
 	// Use iptables to redirect, or an explicit config for port 443 if running as root.
 	ug.Add(&ugate.Listener{
 		Address:  btsAddr,
-		Protocol: ugate.ProtoHTTPS,
+		Protocol: ugate.ProtoBTS,
 		ALPN: []string{"h2","h2r"},
 	})
 
@@ -423,14 +431,51 @@ func (ug *UGate) DefaultPorts(base int) error {
 // Based on the port in the Dest, find the Listener config.
 // Used when the dest IP:port is extracted from the metadata
 func (ug *UGate) FindCfgIptablesIn(m *ugate.Stream) *ugate.Listener {
+	l := ug.Config.Listeners[m.Dest]
+	if l != nil {
+		return l
+	}
+
 	_, p, _ := net.SplitHostPort(m.Dest)
-	l := ug.Config.Listeners["-:"+p]
+	l = ug.Config.Listeners[":"+p]
+	if l != nil {
+		return l
+	}
+
+	l = ug.Config.Listeners["-:"+p]
+	if l != nil {
+		return l
+	}
+	return ug.DefaultListener
+}
+
+func (ug *UGate) FindListener(dstaddr net.IP, p uint16, prefix string) *ugate.Listener {
+	port := ":" + strconv.Itoa(int(p))
+	l := ug.Config.Listeners[prefix + dstaddr.String() + port]
+	if l != nil {
+		return l
+	}
+
+	l = ug.Config.Listeners[prefix + port]
+	if l != nil {
+		return l
+	}
+
+	l = ug.Config.Listeners[prefix + "-" + port]
 	if l != nil {
 		return l
 	}
 	return ug.DefaultListener
 }
 
+func (ug *UGate) HandleBTSStream(str *ugate.Stream) error {
+	if str.Listener == nil {
+		str.Listener = ug.FindCfgIptablesIn(str)
+	}
+
+	str.PostDial(str, nil)
+	return ug.H2Handler.HandleHTTPS(str)
+}
 // HandleStream is called for accepted (incoming) streams.
 //
 // Multiplexed streams ( H2 ) also call this method.
@@ -447,15 +492,26 @@ func (ug *UGate) FindCfgIptablesIn(m *ugate.Stream) *ugate.Listener {
 // This is a blocking method.
 func (ug *UGate) HandleStream(str *ugate.Stream) error {
 	if str.Listener == nil {
-		str.Listener = ug.DefaultListener
+		str.Listener = ug.FindCfgIptablesIn(str)
 	}
 	cfg := str.Listener
 
-	if cfg.Protocol == ugate.ProtoHTTPS {
+	if cfg.Protocol == ugate.ProtoBTS {
 		str.PostDial(str, nil)
 		return ug.H2Handler.HandleHTTPS(str)
 	}
 
+	if cfg.ForwardTo != "" {
+		str.Dest = cfg.ForwardTo
+	}
+
+	if cfg.Handler == nil && strings.HasPrefix(cfg.ForwardTo, "/") {
+		// TODO: register handlers
+		if cfg.ForwardTo == "/echo" {
+			cfg.Handler = &EchoHandler{}
+		}
+	}
+
 	// Config has an in-process handler - not forwarding (or the handler may
 	// forward).
 	if cfg.Handler != nil {
@@ -473,6 +529,7 @@ func (ug *UGate) HandleStream(str *ugate.Stream) error {
 }
 
 
+
 func (gw *UGate) OnMuxClose(dm *ugate.DMNode) {
 	if _, f := gw.Config.H2R[dm.ID]; !f {
 		return
@@ -493,7 +550,7 @@ func (gw *UGate) OnHClose(s string, id string, san string, r *http.Request, sinc
 func (gw *UGate) OnSClose(str *ugate.Stream, addr net.Addr) {
 	if !gw.Config.NoAccessLog {
 		if str.ReadErr != nil || str.WriteErr != nil {
-			log.Printf("AC: %d src=%s://%v dst=%s rcv=%d/%d snd=%d/%d la=%v ra=%v op=%v %v %v",
+			log.Printf("%d AC: src=%s://%v dst=%s rcv=%d/%d snd=%d/%d la=%v ra=%v op=%v %v %v",
 				str.StreamId,
 				str.Type, addr,
 				str.Dest,
diff --git a/stream.go b/stream.go
index 8c291ce..6ac6824 100644
--- a/stream.go
+++ b/stream.go
@@ -515,6 +515,14 @@ func (s *Stream) Close() error {
 		return nil
 	}
 	s.Closed = true
+	if !s.ServerClose {
+		if DebugClose {
+			log.Println(s.StreamId, "Close without out.close() ", s.Dest, s.InHeader)
+		}
+		// For HTTP - this also happens in cleanup, after response is done.
+		//s.CloseWrite()
+	}
+
 	if s.Closer != nil {
 		s.Close()
 	}
@@ -522,9 +530,6 @@ func (s *Stream) Close() error {
 		s.ctxCancel()
 	}
 
-	if !s.ServerClose {
-		s.CloseWrite()
-	}
 	if s.rbuffer != nil {
 		defer func() {
 			s.rbuffer.Recycle()
@@ -573,7 +578,7 @@ func (s *Stream) CloseWrite() error {
 				if DebugClose {
 					log.Println(s.StreamId, "CloseWrite using HTTP trailer ",  s.ReadErr, s.WriteErr, s.ProxyReadErr, s.ProxyWriteErr)
 				}
-				// This works for H2 with the current library.
+				// This works for H2 with the current library - but very tricky, if not set as trailer.
 				rw.Header().Set("X-Close", "0")
 				rw.(http.Flusher).Flush()
 			} else {
@@ -887,6 +892,7 @@ func (s *Stream) ProxyTo(nc net.Conn) error {
 	go s.proxyFromClient(nc, errCh)
 	// Blocking, returns when all data is read from In, or error
 	var err1 error
+
 	if ncs, ok := nc.(*Stream); ok {
 		if ncs.Out != nil {
 			err1 = s.proxyToClient(nc, errCh)
diff --git a/tools/dev/Dockerfile b/tools/dev/Dockerfile
new file mode 100644
index 0000000..f337f61
--- /dev/null
+++ b/tools/dev/Dockerfile
@@ -0,0 +1,72 @@
+FROM golang:latest
+
+# golang latest is based on BUSTER - 317M ( vs 108M for alpine )
+
+ENV GO111MODULE=on
+ENV CGO_ENABLED=0
+ENV GOOS=linux
+ENV GOPROXY=https://proxy.golang.org
+
+RUN apt-get update && \
+    apt install -y --no-install-recommends \
+       less net-tools openssh-server sudo \
+       lsof netcat tcpdump iptables iproute2 git && \
+    apt-get clean && \
+    rm -rf  /var/log/*log /var/lib/apt/lists/* /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old
+
+RUN useradd -u 1000 -U -d /work -s /bin/bash build && \
+     usermod -G users build && \
+      echo "build ALL=NOPASSWD: ALL" >> /etc/sudoers
+
+RUN useradd -u 1337 -U -d /var/run/istio -s /bin/bash istio-proxy && \
+     usermod -G users istio-proxy && \
+      echo "istio-proxy ALL=NOPASSWD: ALL" >> /etc/sudoers
+
+#RUN curl -fsSL https://code-server.dev/install.sh > /tmp/install.sh && \
+#    sh /tmp/install.sh
+
+
+RUN mkdir -p /etc/certs && \
+    mkdir -p /run/ssh && \
+    mkdir -p /etc/istio/proxy && \
+    mkdir -p /etc/istio/config && \
+    mkdir -p /var/lib/istio/envoy && \
+    mkdir -p /var/lib/istio/config && \
+    mkdir -p /var/lib/istio/proxy && \
+    chown -R 1337 /etc/certs /etc/istio /var/lib/istio && \
+    mkdir /run/ugate && \
+    ln -s /ko-app/ugate /usr/local/bin/ugate && \
+    mkdir /run/sshd && \
+    chmod 700 /run/sshd
+
+# Binaries to /go/bin
+#RUN go get github.com/githubnemo/CompileDaemon
+
+RUN go get github.com/google/ko@latest && \
+    go get github.com/go-delve/delve/cmd/dlv && \
+    rm -rf /root/.cache && rm -rf /go/pkg && go clean -cache
+
+# Default is /go directory, which is set a GOPATH
+# That doesn't work with go.mod
+WORKDIR /ws
+
+EXPOSE 8080
+EXPOSE 15007
+
+COPY tools/dev/sshd_config /etc/ssh/sshd_config
+
+# Test only
+RUN echo 'root:test' | chpasswd
+
+RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
+
+COPY tools/dev/run.sh /usr/local/bin/
+
+# Runs in /go directory
+#COPY . .
+#RUN cd cmd/ugate && go build -a -gcflags='all=-N -l' -ldflags '-extldflags "-static"' \
+#  -o /usr/local/bin/ugate ./
+
+# Priv separataion dir
+
+ENTRYPOINT /usr/local/bin/run.sh
diff --git a/tools/dev/dev.sh b/tools/dev/dev.sh
new file mode 100644
index 0000000..d64cd3e
--- /dev/null
+++ b/tools/dev/dev.sh
@@ -0,0 +1,14 @@
+
+function dbg_start() {
+  dlv --listen=:40000 --headless=true --api-version=2 --accept-multiclient exec /go/bin/ugate
+}
+
+function compiled() {
+  # CompileDaemon -log-prefix=false -build="go build -o /app" -command="/app"
+  #dlv --listen=:40000 --headless=true --api-version=2 --accept-multiclient exec /app
+  #https://www.reddit.com/r/golang/comments/i7hvco/compiledaemon_with_delve_debugging_while_auto/
+
+   CompileDaemon -build="echo 1" \
+     -command="dlv --listen=:40000 --headless=true --api-version=2 --accept-multiclient ./cmd/ugate"
+}
+
diff --git a/tools/dev/run.sh b/tools/dev/run.sh
new file mode 100755
index 0000000..f7d0f22
--- /dev/null
+++ b/tools/dev/run.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Startup for the dev image
+# This includes tools to help debug and even source code to make changes.
+# It includes a sshd server, to allow access even without kube.
+
+set -x
+
+function start_ssh() {
+  # Check if host keys are present, else create them
+  # /etc dir may be RO, use var/run
+
+  mkdir -p /run/ssh /run/sshd
+
+  # TODO: custom call to get a cert for SSH.
+  if ! test -f /run/ssh/ssh_host_rsa_key; then
+      ssh-keygen -q -f /run/ssh/ssh_host_rsa_key -N '' -t rsa
+  fi
+
+  if ! test -f /run/ssh/ssh_host_ecdsa_key; then
+      ssh-keygen -q -f /run/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
+  fi
+
+#  if ! test -f /var/run/ssh/ssh_host_ed25519_key; then
+#      ssh-keygen -q -f /var/run/ssh/ssh_host_ed25519_key -N '' -t ed25519
+#  fi
+
+  # TODO: support certificates for client auth
+  echo ${SSH_AUTH} > /run/ssh/authorized_keys
+
+  # Set correct right to ssh keys
+  chown -R root:root /run/ssh /run/sshd
+  chmod 0700 /run/ssh
+  chmod 0600 /run/ssh/*
+
+  chmod 700 /run/sshd
+
+  echo "======== Starting SSHD with ${SSH_AUTH}"
+
+  /usr/sbin/sshd
+}
+
+start_ssh
+
+cd /
+env
+/ko-app/ugate
+
diff --git a/tools/dev/sshd_config b/tools/dev/sshd_config
new file mode 100644
index 0000000..409f8c7
--- /dev/null
+++ b/tools/dev/sshd_config
@@ -0,0 +1,27 @@
+Port 22
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+Protocol 2
+LogLevel INFO
+
+HostKey /run/ssh/ssh_host_rsa_key
+#HostKey /run/ssh/ssh_host_dsa_key
+HostKey /run/ssh/ssh_host_ecdsa_key
+#HostKey /run/ssh/ssh_host_ed25519_key
+
+PermitRootLogin yes
+
+AuthorizedKeysFile	/run/ssh/authorized_keys
+
+PasswordAuthentication no
+PermitUserEnvironment yes
+
+AcceptEnv LANG LC_*
+PrintMotd no
+#UsePAM no
+
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# TODO: use CA certificate, add it in the script
+# Use JWT/IstioCA to get a SSH cert for the 'canonical service'.
diff --git a/docker-compose.yaml b/tools/docker-compose.yaml
similarity index 100%
rename from docker-compose.yaml
rename to tools/docker-compose.yaml
diff --git a/tools/genkube.go b/tools/genkube.go
new file mode 100644
index 0000000..ed79006
--- /dev/null
+++ b/tools/genkube.go
@@ -0,0 +1,21 @@
+package main
+
+import (
+	"fmt"
+
+	"github.com/costinm/ugate/pkg/auth"
+	"github.com/costinm/ugate/pkg/ugatesvc"
+)
+
+// Test program to generate a kube config, as used in ugate.
+//
+func main() {
+
+	// In memory
+	config := ugatesvc.NewConf()
+	_ = auth.NewAuth(config, "", "")
+	gen, _ := config.Get("kube.json")
+	fmt.Println(string(gen))
+	return
+
+}
diff --git a/tools/jwtdecode.go b/tools/jwtdecode.go
new file mode 100644
index 0000000..9517cf1
--- /dev/null
+++ b/tools/jwtdecode.go
@@ -0,0 +1,61 @@
+package main
+
+import (
+	"crypto"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"strings"
+
+	"github.com/costinm/ugate/pkg/auth"
+)
+
+var (
+	jwt  = flag.String("jwt", "", "JWT to decode")
+	aud  = flag.String("aud", "", "Aud to check")
+
+)
+func main() {
+	flag.Parse()
+	decode(*jwt, *aud)
+}
+
+// Decode a JWT.
+// If crt is specified - verify it using that cert
+func decode(jwt, aud string) {
+	// TODO: verify if it's a VAPID
+	parts := strings.Split(jwt, ".")
+	p1b, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		log.Println(err)
+		return
+	}
+	fmt.Println(string(p1b))
+
+	scrt, _ := ioutil.ReadFile("server.crt")
+	block, _ := pem.Decode(scrt)
+	xc, _ := x509.ParseCertificate(block.Bytes)
+	log.Printf("Cert subject: %#v\n", xc.Subject)
+	pubk1 := xc.PublicKey
+
+	h, t, txt, sig, _ := auth.JwtRawParse(jwt)
+	log.Printf("%#v %#v\n", h, t)
+
+	if h.Alg == "RS256" {
+		rsak := pubk1.(*rsa.PublicKey)
+		hasher := crypto.SHA256.New()
+		hasher.Write(txt)
+		hashed := hasher.Sum(nil)
+		err = rsa.VerifyPKCS1v15(rsak, crypto.SHA256, hashed, sig)
+		if err != nil {
+			log.Println("Root Certificate not a signer")
+		}
+	}
+
+}
+
diff --git a/tools/vapid.go b/tools/vapid.go
new file mode 100644
index 0000000..d4b320f
--- /dev/null
+++ b/tools/vapid.go
@@ -0,0 +1,22 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/costinm/ugate/pkg/auth"
+	"github.com/costinm/ugate/pkg/ugatesvc"
+)
+
+// Generate a self-signed VAPID token
+// First param is the audience
+func main() {
+	aud := "example.com"
+	if len(os.Args) > 0 {
+		aud = os.Args[0]
+	}
+
+	config := ugatesvc.NewConf("./", "./var/lib/dmesh/")
+	authz := auth.NewAuth(config, "", "")
+	fmt.Println(authz.VAPIDToken(aud))
+}
diff --git a/tools/watcher.go b/tools/watcher.go
new file mode 100644
index 0000000..184a516
--- /dev/null
+++ b/tools/watcher.go
@@ -0,0 +1,298 @@
+package main
+
+import (
+	"bufio"
+	"context"
+	"encoding/binary"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/costinm/ugate"
+	"github.com/costinm/ugate/pkg/auth"
+	"github.com/costinm/ugate/pkg/ugatesvc"
+	msgs "github.com/costinm/ugate/webpush"
+)
+
+var (
+	addr = flag.String("addr", "127.0.0.1:15007", "address:port for the node")
+
+	watch   = flag.Bool("watch", false, "Watch")
+
+	recurse = flag.Bool("r", false, "Crawl and watch all possible nodes")
+)
+
+var (
+	verbose = flag.Bool("v", false, "Verbose messages")
+)
+
+var hc *http.Client
+
+// Create a HBONE tunnel to a given URL.
+//
+// Current client is authenticated using local credentials, or a kube.json file. If no kube.json is found, one
+// will be generated.
+//
+//
+//
+// Example:
+// ssh -v -o ProxyCommand='wp -nc https://c1.webinf.info:443/dm/PZ5LWHIYFLSUZB7VHNAMGJICH7YVRU2CNFRT4TXFFQSXEITCJUCQ:22'  root@PZ5LWHIYFLSUZB7VHNAMGJICH7YVRU2CNFRT4TXFFQSXEITCJUCQ
+func main() {
+	flag.Parse()
+
+	config := ugatesvc.NewConf("./", "./var/lib/dmesh/")
+	authz := auth.NewAuth(config, "", "")
+
+	ug := ugatesvc.New(config, authz, nil)
+
+	hc = &http.Client{
+		Transport: ug,
+	}
+
+	watchNodes(ug)
+}
+
+
+// Known nodes and watchers
+var watchers = map[uint64]*watcher{}
+
+// Track a single node
+type watcher struct {
+	Node *ugate.DMNode
+
+	Path []string
+
+	// For crawling
+	dirty bool
+
+	base string
+	ip6  *net.IPAddr
+
+	idhex    string
+	New      bool
+	watching bool
+}
+
+// Connect to all known nodes and watch them.
+// Uses the internal debug endpoint for getting connected nodes,
+// and crawls the mesh.
+func watchNodes(ug *ugatesvc.UGate) {
+	ctx := context.Background()
+
+	if *recurse {
+		// Recursive list of all devices in the mesh.
+		for {
+			crawl() // Get nodes connected to our parent ( all directions )
+
+			if !*watch {
+				return // Just crawl.
+			} else {
+				//if *dev == "*" || *dev == "" {
+				//	go msgs.DefaultMux.MonitorNode(hc, nil, nil)
+				//}
+				for _, w := range watchers {
+					//if w.idhex == *dev || *dev == "*" {
+					if !w.watching {
+						w.watching = true
+
+						go func() {
+							log.Println("Watch: ", w.ip6)
+
+							ug.DialMUX(ctx, "quic", w.Node, nil)
+							w.watching = false
+							log.Println("Watch close: ", w.ip6)
+						}()
+					}
+				}
+			}
+			time.Sleep(10 * time.Second)
+			//select {}
+		}
+		return
+	}
+
+	n0 := &ugate.DMNode{
+		Addr: *addr,
+	}
+
+	ug.DialMUX(ctx, "quic", n0, nil)
+}
+
+// Get neighbors from a node. Side effect: updates the watchers table.
+func neighbors(url string, path []string) map[uint64]*ugate.DMNode {
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		log.Print("HTTP_ERROR1", url, err)
+		return nil
+	}
+	ctx, _ := context.WithTimeout(context.Background(), 5*time.Second)
+	req = req.WithContext(ctx)
+
+	hcc := hc
+	if strings.HasPrefix(url, "http://127") {
+		hcc = http.DefaultClient
+	}
+	res, err := hcc.Do(req)
+	if err != nil || res.StatusCode != 200 {
+		log.Println("HTTP_ERROR2", url, err)
+		return nil
+	}
+
+	cnodes, _ := ioutil.ReadAll(res.Body)
+	connectedNodes := map[uint64]*ugate.DMNode{}
+	err = json.Unmarshal(cnodes, &connectedNodes)
+	if err != nil {
+		log.Println("HTTP_ERROR_RES", url, err, string(cnodes))
+		return nil
+	}
+
+	if watchers != nil {
+		peers := []string{}
+		// Any node that is new, not yet found in the current watched list.
+		newConnectedNodes := map[uint64]*watcher{}
+		// Nodes already connected
+		oldmap := map[uint64]*watcher{}
+		for k, v := range connectedNodes {
+			w, f := watchers[k]
+			if !f {
+				ip6 := toIP6(k)
+				w = &watcher{Node: v, dirty: true, ip6: ip6,
+					idhex: fmt.Sprintf("%x", k),
+					Path:  path}
+				w.New = true
+				watchers[k] = w
+				newConnectedNodes[k] = w
+			} else {
+				oldmap[k] = w
+			}
+			peers = append(peers, w.idhex)
+		}
+		if *verbose {
+			log.Println("GET", url, len(connectedNodes), peers)
+		}
+	}
+
+	return connectedNodes
+}
+
+// Scan all nodes for neighbors. Watch them if not watched already.
+//
+// - Will first mark all currently known nodes as 'dirty' and 'old'.
+// - For each known node, get a list of connected nodes.
+// - For each connected node, if still connected update and set dirty=false
+// - If new nodes is found, add it as 'New' and 'dirty'.
+//
+// - repeat until all nodes are !dirty
+// - at the end, the set of nodes that are new will be marked as New.
+// -
+//
+func crawl() {
+	for _, v := range watchers {
+		v.dirty = true
+		v.New = false
+	}
+
+	// Will update watchers
+	neighbors("http://127.0.0.1:5227/dmesh/ip6", nil)
+
+	more := true
+
+	for more {
+		more = false
+		for _, v := range watchers {
+			if !v.dirty {
+				continue
+			}
+			more = true
+			p := "/"
+			for _, pp := range v.Path {
+				p = p + pp + "/"
+			}
+			p = p + v.idhex + "/"
+
+			//neighbors("http://127.0.0.1:5227/dm"+p+"/c/dmesh/ip6", append(v.Path, v.idhex))
+			neighbors("http://"+net.JoinHostPort(v.ip6.String(), "5227")+"/dmesh/ip6", append(v.Path, v.idhex))
+			v.dirty = false
+		}
+	}
+
+	for _, v := range watchers {
+		if v.New {
+			log.Println("Node", v.idhex, v.Path, v.Node.NodeAnnounce.UA, v.Node.GWs())
+		}
+	}
+}
+
+func stdinClient(mux *msgs.Mux) {
+	stdin := &msgs.MsgConnection{
+		Name:                "",
+		SubscriptionsToSend: []string{"*"},
+		SendMessageToRemote: func(ev *msgs.Message) error {
+			ba := ev.MarshalJSON()
+			os.Stdout.Write(ba)
+			os.Stdout.Write([]byte{'\n'})
+			return nil
+		},
+	}
+	mux.AddConnection("stdin", stdin)
+
+	go func() {
+		br := bufio.NewReader(os.Stdin)
+		for {
+			line, _, err := br.ReadLine()
+			if err != nil {
+				break
+			}
+			if len(line) > 0 && line[0] == '{' {
+				ev := msgs.ParseJSON(line)
+				mux.SendMessage(ev)
+			}
+		}
+	}()
+
+}
+
+func toIP6(k uint64) *net.IPAddr {
+	ip6, _ := net.ResolveIPAddr("ip6", "fd00::")
+	binary.BigEndian.PutUint64(ip6.IP[8:], k)
+	return ip6
+}
+
+func (w *watcher) monitor(ug *ugatesvc.UGate, addr *net.IPAddr) {
+
+	req, err := http.NewRequest("GET", "http://["+addr.String()+"]:5227/debug/events", nil)
+	if err != nil {
+		return
+	}
+	res, err := hc.Do(req)
+	if err != nil {
+		println(addr, "HTTP_ERROR", err)
+		return
+	}
+	rd := bufio.NewReader(res.Body)
+
+	for {
+		l, _, err := rd.ReadLine()
+		if err != nil {
+			if err.Error() != "EOF" {
+				log.Println(addr, "READ ERR", err)
+			}
+			break
+		}
+		ls := string(l)
+		if ls == "" || ls == "event: message" {
+			continue
+		}
+
+		log.Println(addr, ls)
+	}
+
+}
+
diff --git a/ugate.go b/ugate.go
index 1bd0113..7ed8d4f 100644
--- a/ugate.go
+++ b/ugate.go
@@ -254,7 +254,7 @@ const ProtoTLS = "tls"
 const ProtoH2 = "h2"
 const ProtoHTTP = "http" // 1.1
 const ProtoHTTPTrusted = "httpTrusted" // behind envoy or trusted gateway
-const ProtoHTTPS = "https"
+const ProtoBTS = "bts"
 
 const ProtoHAProxy = "haproxy"