diff --git a/pkg/netcfg/netcfg.go b/pkg/netcfg/netcfg.go
index d937729..df5bfcd 100644
--- a/pkg/netcfg/netcfg.go
+++ b/pkg/netcfg/netcfg.go
@@ -30,6 +30,7 @@ func ConfigureTAP(ifname string, lease *dhcp.Lease, acceptDefaultGW, acceptStati
 	ones, _ := lease.SubnetMask.Size()
 	addr := fmt.Sprintf("%s/%d", lease.ClientIP, ones)
 
+	log.Printf("tap %s: adding address %s", ifname, addr)
 	if err := run("ip", "addr", "add", addr, "dev", ifname); err != nil {
 		return noop, fmt.Errorf("ip addr add: %w", err)
 	}
@@ -39,12 +40,16 @@ func ConfigureTAP(ifname string, lease *dhcp.Lease, acceptDefaultGW, acceptStati
 			dest := r.Dest.String()
 			if dest == "0.0.0.0/0" {
 				if acceptDefaultGW {
+					log.Printf("tap %s: adding static default route via %s", ifname, r.Gateway)
 					if err := run("ip", "route", "add", "default", "via", r.Gateway.String(), "dev", ifname, "metric", "50"); err != nil {
 						log.Printf("warning: static default route: %v", err)
 					}
+				} else {
+					log.Printf("tap %s: skipping static default route via %s (accept-default-gateway not set)", ifname, r.Gateway)
 				}
 				continue
 			}
+			log.Printf("tap %s: adding static route %s via %s", ifname, dest, r.Gateway)
 			if err := run("ip", "route", "add", dest, "via", r.Gateway.String(), "dev", ifname); err != nil {
 				log.Printf("warning: static route %s via %s: %v", dest, r.Gateway, err)
 			}
@@ -52,6 +57,7 @@ func ConfigureTAP(ifname string, lease *dhcp.Lease, acceptDefaultGW, acceptStati
 	}
 
 	if acceptDefaultGW && lease.Gateway != nil && !hasDefaultRoute(lease.Routes) {
+		log.Printf("tap %s: adding default route via %s", ifname, lease.Gateway)
 		if err := run("ip", "route", "add", "default", "via", lease.Gateway.String(), "dev", ifname, "metric", "50"); err != nil {
 			log.Printf("warning: default route: %v", err)
 		}
@@ -59,11 +65,13 @@ func ConfigureTAP(ifname string, lease *dhcp.Lease, acceptDefaultGW, acceptStati
 
 	var savedResolv []byte
 	if acceptDNS && len(lease.DNS) > 0 {
+		log.Printf("tap %s: setting DNS servers %v", ifname, lease.DNS)
 		savedResolv = backupResolv()
 		writeResolv(lease.DNS)
 	}
 
 	cleanup := func() {
+		log.Printf("tap %s: flushing addresses", ifname)
 		run("ip", "addr", "flush", "dev", ifname)
 		if savedResolv != nil {
 			restoreResolv(savedResolv)