Move hole punch to dedicated port 51941, separate from WireGuard 51940

Hole punch (NAT traversal signaling) and WireGuard (encrypted tunnel)
serve distinct roles and need separate sockets. HolePunch on 51941
collects client source ports for peer-to-peer NAT hole punching.
WireGuard on 51940 handles encrypted tunnel traffic.

Author: Geramy

projects/LemonadeNexus/src/main.cpp

@@ -633,18 +633,11 @@ int main(int argc, char* argv[]) {
     }
 
     // ========================================================================
-    // UDP Hole Punch
-    // ========================================================================
-    // HolePunch shares the UDP port with WireGuard. If WG is active on the
-    // same port, WG handles the UDP socket — skip the standalone HolePunch bind.
-    std::optional<nexus::network::HolePunchService> hole_punch;
-    if (tunnel_bind_ip.empty()) {
-        // No WG interface — start standalone HolePunch on the UDP port
-        hole_punch.emplace(coordinator.io_context(), udp_port);
-        hole_punch->start();
-    } else {
-        spdlog::info("HolePunch: WireGuard active on :{} — hole punch via WG keepalive", udp_port);
-    }
+    // UDP Hole Punch (separate port from WireGuard)
+    // ========================================================================
+    const uint16_t hole_punch_port = 51941;
+    nexus::network::HolePunchService hole_punch{coordinator.io_context(), hole_punch_port};
+    hole_punch.start();
 
     // ========================================================================
     // Run -- blocks until SIGINT/SIGTERM
@@ -771,7 +764,7 @@ int main(int argc, char* argv[]) {
     if (acme_renewal_thread.joinable()) {
         acme_renewal_thread.join();
     }
-    if (hole_punch) hole_punch->stop();
+    hole_punch.stop();
     wireguard_service.stop();
     if (private_http_server) {
         private_http_server->stop();