diff --git a/Cargo.lock b/Cargo.lock index fc5a572120e..7ff952fdde0 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3184,8 +3184,7 @@ checksum = "38bf9645c8b145698bb0b18a4637dcacbc421ea49bef2317e4fd8065a387cf21" [[package]] name = "noq" version = "0.18.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4b969bd157c3bd3bab239a1a8b14f67f2033fa012770367fcbd5b42d71ae3548" +source = "git+https://github.com/n0-computer/noq?branch=main#9e1f1ad77911fb0c8795d171c26d326c481dce3d" dependencies = [ "bytes", "cfg_aliases", @@ -3206,8 +3205,7 @@ dependencies = [ [[package]] name = "noq-proto" version = "0.17.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cdec6f5039d98ee5377b2f532d495a555eb664c53161b1b5780dcaeac678b60e" +source = "git+https://github.com/n0-computer/noq?branch=main#9e1f1ad77911fb0c8795d171c26d326c481dce3d" dependencies = [ "aes-gcm", "aws-lc-rs", @@ -3220,11 +3218,12 @@ dependencies = [ "lru-slab", "n0-qlog", "rand 0.10.1", + "rand_pcg", "ring", "rustc-hash", "rustls", "rustls-pki-types", - "rustls-platform-verifier 0.6.2", + "rustls-platform-verifier 0.7.0", "slab", "sorted-index-buffer", "thiserror 2.0.18", @@ -3236,8 +3235,7 @@ dependencies = [ [[package]] name = "noq-udp" version = "0.10.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ee91b05f4f3353290936ba1f3233518868fb4e2da99cb4c90d1f8cebb064e527" +source = "git+https://github.com/n0-computer/noq?branch=main#9e1f1ad77911fb0c8795d171c26d326c481dce3d" dependencies = [ "cfg_aliases", "libc", 
@@ -3965,6 +3963,15 @@ version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c8d0fd677905edcbeedbf2edb6494d676f0e98d54d5cf9bda0b061cb8fb8aba" +[[package]] +name = "rand_pcg" +version = "0.10.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "caa0f4137e1c0a72f4c651489402276c8e8e1cf081f3b0ba156d2cbeef09e86a" +dependencies = [ + "rand_core 0.10.0", +] + [[package]] name = "rand_xorshift" version = "0.4.0"
diff --git a/Cargo.toml b/Cargo.toml
index 9206d2105c3..75cc8ba5cf5 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -41,3 +41,8 @@ unexpected_cfgs = { level = "warn", check-cfg = ["cfg(iroh_docsrs)", "cfg(iroh_l
 [workspace.lints.clippy]
 unused-async = "warn"
+
+[patch.crates-io]
+noq = { git = "https://github.com/n0-computer/noq", branch = "main" }
+noq-udp = { git = "https://github.com/n0-computer/noq", branch = "main" }
+noq-proto = { git = "https://github.com/n0-computer/noq", branch = "main" }
diff --git a/deny.toml b/deny.toml
index fb93f218860..be4b77d7986 100644
--- a/deny.toml
+++ b/deny.toml
@@ -26,4 +26,6 @@ ignore = [
 ]
 [sources]
-allow-git = []
+allow-git = [
+ "https://github.com/n0-computer/noq",
+]
diff --git a/iroh/src/endpoint/quic.rs b/iroh/src/endpoint/quic.rs
index 426f80cb562..788798a1e42 100644
--- a/iroh/src/endpoint/quic.rs
+++ b/iroh/src/endpoint/quic.rs
@@ -83,7 +83,9 @@ pub use noq_proto::{
 };
 use tracing::warn;
-use crate::socket::{HEARTBEAT_INTERVAL, MAX_MULTIPATH_PATHS, PATH_MAX_IDLE_TIMEOUT};
+use crate::socket::{
+ HEARTBEAT_INTERVAL, MAX_MULTIPATH_PATHS, MAX_QNT_ADDRESSES, PATH_MAX_IDLE_TIMEOUT,
+};
 /// Builder for a [`QuicTransportConfig`].
 #[derive(Debug, Clone)]
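Review bot: The three `[patch.crates-io]` entries added to Cargo.toml follow `branch = "main"`, so the only thing fixing the code that gets built is the commit recorded in Cargo.lock (`9e1f1ad77911fb0c8795d171c26d326c481dce3d`), and the git source lines carry no `checksum` the way the removed registry entries did. A `cargo update`, or any build that does not honour the lockfile, will take whatever `main` points to at that moment. Pinning each entry, e.g. `noq = { git = "https://github.com/n0-computer/noq", rev = "9e1f1ad77911fb0c8795d171c26d326c481dce3d" }`, puts the reviewed commit in the manifest itself. The matching `allow-git` entry in deny.toml admits the whole repository rather than a revision, so a comment there saying when the exception can be removed would help.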
@@ -111,7 +113,7 @@ pub struct QuicTransportConfigBuilder(noq::TransportConfig);
 /// - [`QuicTransportConfigBuilder::default_path_keep_alive_interval`]
 /// - [`QuicTransportConfigBuilder::default_path_max_idle_timeout`]
 /// - [`QuicTransportConfigBuilder::max_concurrent_multipath_paths`]
-/// - [`QuicTransportConfigBuilder::set_max_remote_nat_traversal_addresses`]
+/// - [`QuicTransportConfigBuilder::max_remote_nat_traversal_addresses`]
 ///
 /// # Examples
 /// ```
@@ -154,8 +156,8 @@ impl QuicTransportConfigBuilder {
 cfg.keep_alive_interval(Some(HEARTBEAT_INTERVAL));
 cfg.default_path_keep_alive_interval(Some(HEARTBEAT_INTERVAL));
 cfg.default_path_max_idle_timeout(Some(PATH_MAX_IDLE_TIMEOUT));
- cfg.max_concurrent_multipath_paths(MAX_MULTIPATH_PATHS + 1);
- cfg.set_max_remote_nat_traversal_addresses(MAX_MULTIPATH_PATHS as u8);
+ cfg.max_concurrent_multipath_paths(MAX_MULTIPATH_PATHS);
+ cfg.max_remote_nat_traversal_addresses(MAX_QNT_ADDRESSES);
 Self(cfg)
 }
@@ -528,10 +530,10 @@ impl QuicTransportConfigBuilder {
 ///
 /// This implementation expects the multipath extension to be enabled as well. If not yet
 /// enabled via [`Self::max_concurrent_multipath_paths`], a default value of
- /// 12 will be used.
+ /// 8 will be used.
 ///
- /// Note: this method will ignore values less than the recommended 12 and will log a warning.
- pub fn set_max_remote_nat_traversal_addresses(mut self, max_addresses: u8) -> Self {
+ /// Note: this method will ignore values less than the recommended 8 and will log a warning.
+ pub fn max_remote_nat_traversal_addresses(mut self, max_addresses: u8) -> Self {
 if max_addresses < MAX_MULTIPATH_PATHS as u8 {
 warn!(
 "QuicTransportConfig::max_remote_nat_traversal_addresses must be at least {}, ignoring user supplied value",
@@ -539,7 +541,7 @@ impl QuicTransportConfigBuilder {
 );
 return self;
 }
- self.0.set_max_remote_nat_traversal_addresses(max_addresses);
+ self.0.max_remote_nat_traversal_addresses(max_addresses);
 self
 }
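Review bot: In the hunk at `-528,10 +530,10`, the guard `if max_addresses < MAX_MULTIPATH_PATHS as u8` keeps the multipath constant as the floor, while the default written in the `-154,8` hunk is now `MAX_QNT_ADDRESSES` (32 per socket.rs). A caller who passes a value below 8 to tighten the limit therefore keeps whatever was configured before, presumably the default of 32, with only a warning logged; before this commit the floor and the default were both 12. The doc comment should state that, for example `/// A rejected value leaves the previously configured limit in place (32 by default).`, and the hard-coded `8` could be worded as "the minimum (currently 8)" so it does not go stale on the next change. The function body continues past this hunk into the `-539,7` hunk.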
diff --git a/iroh/src/socket.rs b/iroh/src/socket.rs
index 10b8f2d3d48..592dec85130 100644
--- a/iroh/src/socket.rs
+++ b/iroh/src/socket.rs
@@ -128,8 +128,19 @@ pub(crate) const RELAY_PATH_MAX_IDLE_TIMEOUT: Duration = Duration::from_secs(30)
 /// Maximum number of concurrent QUIC multipath paths per connection.
 ///
-/// Pretty arbitrary and high right now.
-pub(crate) const MAX_MULTIPATH_PATHS: u32 = 12;
+/// We expect 1 relay path, and then leave space for ~3 IP and custom transport paths.
+/// On top of that, when we expect a network change, we might be closing these paths
+/// (except for the relay path) and open new ones, and give us 3 more paths to spare.
+/// And finally we round that up to 8 for good measure.
+pub(crate) const MAX_MULTIPATH_PATHS: u32 = 8;
+
+/// Maximum number of n0 QUIC NAT Traversal addresses that the QUIC stack should allow.
+///
+/// This needs to be big enough to accommodate for machines which have lots of network
+/// interfaces enabled. We've seen MacOS machines with >25 interfaces in the wild
+/// (mostly due to VPN TUN and docket interfaces), so this seems like a reasonable
+/// value.
+pub(crate) const MAX_QNT_ADDRESSES: u8 = 32;
 /// Error returned when the endpoint state actor stopped while waiting for a reply.
 #[stack_error(add_meta, derive)]
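Review bot: The doc comment on `MAX_QNT_ADDRESSES` reads "docket interfaces", which looks like a typo for "docker". It also justifies 32 only by interface counts and does not say whose addresses are capped; the constant is passed to `max_remote_nat_traversal_addresses` in quic.rs, so it appears to bound addresses accepted from the peer, which would make it a limit on remote-controlled state. A line such as `/// This also caps how many addresses a remote peer can make us track, so raise it with care.` would record that, once the semantics are confirmed against noq.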