From 1cbbe647070abc50e4c5e9c902be8b50c14117c7 Mon Sep 17 00:00:00 2001
From: Zuckerberg <zuckerberg@neet.dev>
Date: Tue, 24 Feb 2026 23:46:51 -0800
Subject: [PATCH] networking fixes

---
 common/network/pia-vpn/vpn-container.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/common/network/pia-vpn/vpn-container.nix b/common/network/pia-vpn/vpn-container.nix
index 1e29e32..4dfd0c8 100644
--- a/common/network/pia-vpn/vpn-container.nix
+++ b/common/network/pia-vpn/vpn-container.nix
@@ -120,6 +120,7 @@ in
           serviceConfig = {
             Type = "simple";
             Restart = "always";
+            RestartSec = "10s";
             RuntimeMaxSec = "30d";
           };
 
@@ -127,6 +128,12 @@ in
             set -euo pipefail
             ${scripts.scriptCommon}
 
+            # Clean up stale state from previous attempts
+            ip -4 address flush dev ${cfg.interfaceName} 2>/dev/null || true
+            ip route del default dev ${cfg.interfaceName} 2>/dev/null || true
+            iptables -t nat -F 2>/dev/null || true
+            iptables -F FORWARD 2>/dev/null || true
+
             proxy="${proxy}"
 
             # 1. Authenticate with PIA via proxy (VPN container has no internet yet)