diff --git a/ffac-mesh-vpn-wireguard-openwrt19/files/lib/gluon/gluon-mesh-wireguard-vxlan/checkuplink b/ffac-mesh-vpn-wireguard-openwrt19/files/lib/gluon/gluon-mesh-wireguard-vxlan/checkuplink
index 57e399d9..6815ba31 100755
--- a/ffac-mesh-vpn-wireguard-openwrt19/files/lib/gluon/gluon-mesh-wireguard-vxlan/checkuplink
+++ b/ffac-mesh-vpn-wireguard-openwrt19/files/lib/gluon/gluon-mesh-wireguard-vxlan/checkuplink
@@ -1,6 +1,10 @@
 #!/bin/busybox sh
 # shellcheck shell=dash
+# fail fast and abort early
+set -eu
+# set -o pipefail # TODO: pipefail needs more rework in the script
+
 if { set -C; true 2>/dev/null >/var/lock/checkuplink.lock; }; then
 	trap "rm -f /var/lock/checkuplink.lock" EXIT
 else
@@ -10,11 +14,14 @@ fi
 interface_linklocal() {
 	# We generate a predictable v6 address
-	local macaddr
-	#local macaddr="$(echo $(uci get network.wg_mesh.private_key | wg pubkey) |md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/')"
-	macaddr="$(printf "%s" "$(uci get network.wg_mesh.private_key | wg pubkey)"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/')"
-	local oldIFS="$IFS"; IFS=':'; set -- "$macaddr"; IFS="$oldIFS"
-	echo "fe80::$1$2:$3ff:fe$4:$5$6"
+	local macaddr oldIFS
+	macaddr="$(uci get network.wg_mesh.privatekey | wg pubkey | md5sum | sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/')"
+	oldIFS="$IFS"
+	IFS=':'
+	# shellcheck disable=SC2086 # we need to split macaddr here using IFS
+	set -- $macaddr
+	IFS="$oldIFS"
+	echo "fe80::${1}${2}:${3}ff:fe${4}:${5}${6}"
 }
 
 clean_port() {
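Review bot: The new `macaddr=` line in interface_linklocal reads `network.wg_mesh.privatekey`, while the removed line, the `uci -q get` check in the next hunk and the later `PUBLICKEY=` line all use `network.wg_mesh.private_key`, so this looks like a wrong option name. Because only `sed`'s status reaches the assignment (pipefail is still the TODO at the top of the file), a failing `uci get` is not caught by `set -eu`; `wg pubkey` then appears to get empty input and `md5sum` hashes an empty string, so every node would derive the same link-local address instead of a per-node one. Change the line to `macaddr="$(uci get network.wg_mesh.private_key | wg pubkey | md5sum | sed '…')"`, and consider an explicit check of the `uci get` result (or `set -o pipefail`) so a missing key aborts the run rather than yielding a constant address.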
@@ -22,25 +29,25 @@ clean_port() {
 }
 
 check_address_family() {
-local peer_endpoint="$1"
-local gateway
-gateway="$(clean_port "$peer_endpoint")"
-# Check if we have a default route for v6 if not fallback to v4
-if ip -6 route show table 1 | grep -q 'default via' > /dev/null
-then
-	local ipv6
-	ipv6="$(gluon-wan nslookup "$gateway" | grep 'Address [0-9]' | grep -E -o '([a-f0-9:]+:+)+[a-f0-9]+')"
-	echo "[$ipv6]$(echo "$peer_endpoint" | grep -E -oe ":[0-9]+$")"
-else
-	local ipv4
-	ipv4="$(gluon-wan nslookup "$gateway" | grep 'Address [0-9]' | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b")"
-	echo "$ipv4$(echo "$peer_endpoint" | grep -E -oe ":[0-9]+$")"
-fi
+	local peer_endpoint="$1"
+	local gateway
+	gateway="$(clean_port "$peer_endpoint")"
+	# Check if we have a default route for v6 if not fallback to v4
+	if ip -6 route show table 1 | grep -q 'default via'
+	then
+		local ipv6
+		ipv6="$(gluon-wan nslookup "$gateway" | grep 'Address [0-9]' | grep -E -o '([a-f0-9:]+:+)+[a-f0-9]+')"
+		echo "[$ipv6]$(echo "$peer_endpoint" | grep -E -oe ":[0-9]+$")"
+	else
+		local ipv4
+		ipv4="$(gluon-wan nslookup "$gateway" | grep 'Address [0-9]' | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b")"
+		echo "$ipv4$(echo "$peer_endpoint" | grep -E -oe ":[0-9]+$")"
+	fi
 }
 
 # Do we already have a private-key? If not generate one
-if uci -q get network.wg_mesh.private_key > /dev/nul;
+if ! uci -q get network.wg_mesh.private_key > /dev/null
 then
 	uci set network.wg_mesh=interface
 	uci set network.wg_mesh.private_key="$(wg genkey)"
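Review bot: With `set -eu` now active, the `ipv6=` and `ipv4=` assignments in check_address_family terminate the whole script without any log line whenever the trailing `grep -E -o` finds no address in the `gluon-wan nslookup` output, because the assignment's status is that of the last pipeline command and the function body was only re-indented, not given error handling. The same `grep` also prints every matching address, so if nslookup returns several records the variable holds multiple lines and the echoed endpoint is malformed. Pinning the value and making the failure explicit keeps the fail-fast behaviour but leaves a trace, e.g. `ipv6="$(gluon-wan nslookup "$gateway" | grep 'Address [0-9]' | grep -E -o '([a-f0-9:]+:+)+[a-f0-9]+' | head -n1)"` followed by `[ -n "$ipv6" ] || { logger -p err -t checkuplink "Unable to resolve $gateway"; return 1; }`, and the same pair in the IPv4 branch; the caller that consumes the `return 1` is outside this hunk.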
@@ -88,14 +95,18 @@ if [ "$(uci get wireguard.mesh_vpn.enabled)" = "true" ] || [ "$(uci get wireguar
 	logger -t checkuplink "Connecting to $endpoint"
 
 	# Delete Interfaces
-	ip link set nomaster dev mesh-vpn > /dev/null 2>&1
-	ip link delete dev mesh-vpn > /dev/null 2>&1
-	ip link del "$MESH_VPN_IFACE" > /dev/null 2>&1
+	{
+		ip link set nomaster dev mesh-vpn >/dev/null 2>&1
+		ip link delete dev mesh-vpn >/dev/null 2>&1
+	} || true
+	ip link delete dev "${MESH_VPN_IFACE}" >/dev/null 2>&1 || true
+
 	PUBLICKEY=$(uci get network.wg_mesh.private_key | wg pubkey)
 	# Push public key to broker, test for https and use if supported
-	wget -q "https://[::1]"
-	if [ $? -eq 1 ]; then
+	ret=0
+	wget -q "https://[::1]" || ret=$?
+	if [ "$ret" -eq 1 ]; then
 		PROTO=http
 	else
 		PROTO=https
@@ -123,11 +134,15 @@ if [ "$(uci get wireguard.mesh_vpn.enabled)" = "true" ] || [ "$(uci get wireguar
 		ip6tables -I INPUT 1 -i "$MESH_VPN_IFACE" -m udp -p udp --dport 4789 -j ACCEPT
 		logger -t checkuplink "vxlan link $(interface_linklocal "$MESH_VPN_IFACE")"
 		# Bring up VXLAN
-		ip link add mesh-vpn type vxlan id "$(lua -e 'print(tonumber(require("gluon.util").domain_seed_bytes("gluon-mesh-vxlan", 3), 16))')" local "$(interface_linklocal "$MESH_VPN_IFACE")" remote fe80::1 dstport 4789 dev "$MESH_VPN_IFACE" udp6zerocsumtx udp6zerocsumrx
+		if ! ip link add mesh-vpn type vxlan id "$(lua -e 'print(tonumber(require("gluon.util").domain_seed_bytes("gluon-mesh-vxlan", 3), 16))')" local "$(interface_linklocal "$MESH_VPN_IFACE")" remote fe80::1 dstport 4789 dev "$MESH_VPN_IFACE" udp6zerocsumtx udp6zerocsumrx
+		then
+			logger -p err -t checkuplink "Unable to create mesh-vpn interface"
+			exit 2
+		fi
 		ip link set up dev mesh-vpn
 		sleep 5
 		# If we have a BATMAN_V env we need to correct the throughput value now
 		batctl hardif mesh-vpn throughput_override 1000mbit;
-	fi
+	fi
 fi
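Review bot: The rewritten probe `wget -q "https://[::1]" || ret=$?` still selects `PROTO=http` on any exit status of 1, and the BusyBox wget appears to exit 1 for a refused or failed connection just as for a URL scheme it was built without, so a local or transient failure would push the node's public key to the broker over plaintext http rather than https. Prefer a capability check that does not depend on a network round-trip, or at least keep https as the default and make the downgrade visible with `logger -t checkuplink "wget has no https support, falling back to http"` in the `PROTO=http` branch. The enclosing `if [ "$(uci get wireguard.mesh_vpn.enabled)" = "true" ] …` block starts and ends outside this hunk.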
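Review bot: The new `exit 2` path after a failed `ip link add mesh-vpn …` leaves the WireGuard interface `$MESH_VPN_IFACE` and the `ip6tables -I INPUT 1 -i "$MESH_VPN_IFACE" … --dport 4789 -j ACCEPT` rule from the context lines above in place, so the node keeps a half-configured tunnel with an ACCEPT rule for UDP 4789 on that interface until a later run's delete block removes the interface; no matching `ip6tables -D` is visible in this diff. Before `exit 2`, undo what this run created, e.g. `ip6tables -D INPUT -i "$MESH_VPN_IFACE" -m udp -p udp --dport 4789 -j ACCEPT` and `ip link delete dev "$MESH_VPN_IFACE"`, or move the firewall rule below the successful `ip link add`. The trailing `;` on the `batctl … 1000mbit;` context line is a leftover worth dropping while the block is touched. Both enclosing `if` blocks start outside this hunk.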