debug

common/network/pia-vpn/scripts.nix

@@ -140,15 +140,22 @@ in
       local interfaceName=$2
 
       echo "Applying WireGuard config to $interfaceName..."
+      echo "Running: wg setconf $interfaceName $wgFile"
       wg setconf "$interfaceName" "$wgFile"
+      echo "Running: ip -4 address add $MY_IP dev $interfaceName"
       ip -4 address add "$MY_IP" dev "$interfaceName"
+      echo "Running: ip link set mtu 1420 up dev $interfaceName"
       ip link set mtu 1420 up dev "$interfaceName"
       echo "WireGuard interface $interfaceName is up with IP $MY_IP"
     }
 
     reservePortForward() {
       local payload_and_signature
-      echo "Requesting port forward signature from $WG_HOSTNAME..."
+      if [[ -z "''${PIA_TOKEN:-}" ]]; then
+        echo "ERROR: PIA_TOKEN is empty" >&2
+        return 1
+      fi
+      echo "Requesting port forward signature from $WG_HOSTNAME (token length: ''${#PIA_TOKEN})..."
       payload_and_signature=$(curl -s -m 5 $(proxy_args) \
         --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" \
         --cacert "${caPath}" \

common/network/pia-vpn/vpn-container.nix

@@ -132,11 +132,16 @@ in
               ${scripts.scriptCommon}
 
               # Clean up stale state from previous attempts
+              echo "Cleanup: resetting WG listen port..."
               wg set ${cfg.interfaceName} listen-port 0 2>/dev/null || true
+              echo "Cleanup: flushing addresses on ${cfg.interfaceName}..."
               ip -4 address flush dev ${cfg.interfaceName} 2>/dev/null || true
+              echo "Cleanup: removing default route..."
               ip route del default dev ${cfg.interfaceName} 2>/dev/null || true
+              echo "Cleanup: flushing iptables..."
               iptables -t nat -F 2>/dev/null || true
               iptables -F FORWARD 2>/dev/null || true
+              echo "Cleanup done"
 
               proxy="${proxy}"