From 0210bb3944ef9020b2222fa561a42abb2c5ed55d Mon Sep 17 00:00:00 2001
From: Adriano Sela Aviles <adriano@tailscale.com>
Date: Fri, 1 May 2026 15:05:01 -0700
Subject: [PATCH] wgengine: configure WireGuard Device with SetMLKEMEnabled

Signed-off-by: Adriano Sela Aviles <adriano@tailscale.com>
---
 go.mod                | 2 +-
 go.sum                | 4 ++--
 wgengine/userspace.go | 5 +++++
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 8adb1f076..b168093cb 100644
--- a/go.mod
+++ b/go.mod
@@ -104,7 +104,7 @@ require (
 	github.com/tailscale/ts-gokrazy v0.0.0-20260429180033-fe741c6deb44
 	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976
 	github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6
-	github.com/tailscale/wireguard-go v0.0.0-20260427181203-e3ac4a0afb4e
+	github.com/tailscale/wireguard-go v0.0.0-20260502003259-4dd3611a82db
 	github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e
 	github.com/tc-hib/winres v0.2.1
 	github.com/tcnksm/go-httpstat v0.2.0
diff --git a/go.sum b/go.sum
index 2caac328d..e9a96f1b4 100644
--- a/go.sum
+++ b/go.sum
@@ -1157,8 +1157,8 @@ github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:U
 github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6 h1:l10Gi6w9jxvinoiq15g8OToDdASBni4CyJOdHY1Hr8M=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6/go.mod h1:ZXRML051h7o4OcI0d3AaILDIad/Xw0IkXaHM17dic1Y=
-github.com/tailscale/wireguard-go v0.0.0-20260427181203-e3ac4a0afb4e h1:GexFR7ak1iz26fxg8HWCpOEqAOL8UEZJ7J3JxeCalDs=
-github.com/tailscale/wireguard-go v0.0.0-20260427181203-e3ac4a0afb4e/go.mod h1:6SerzcvHWQchKO2BfNdmquA77CHSECZuFl+D9fp4RnI=
+github.com/tailscale/wireguard-go v0.0.0-20260502003259-4dd3611a82db h1:GrOBtnsUXJOMGjUnU0bwRKKnntLw1nuuRh9/y7ge4Z8=
+github.com/tailscale/wireguard-go v0.0.0-20260502003259-4dd3611a82db/go.mod h1:IQSfBc0SJQJppMaCvTDVplVC3Qua6CUaIPvyQYjqkfA=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e h1:zOGKqN5D5hHhiYUp091JqK7DPCqSARyUfduhGUY8Bek=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
diff --git a/wgengine/userspace.go b/wgengine/userspace.go
index 23edf30b3..6d4b21c17 100644
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@@ -925,6 +925,11 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config,
 		}
 	}
 
+	if e.lastCfgFull.MLKEMEnabled != cfg.MLKEMEnabled {
+		e.wgdev.SetMLKEMEnabled(cfg.MLKEMEnabled)
+		e.logf("wgengine: Reconfig: ML-KEM handshake enabled=%v", cfg.MLKEMEnabled)
+	}
+
 	e.lastCfgFull = *cfg.Clone()
 
 	e.magicConn.UpdatePeers(peerSet)