diff --git a/src/cookies.h b/src/cookies.h
index 369dfd84..486c182e 100644
--- a/src/cookies.h
+++ b/src/cookies.h
@@ -1,7 +1,7 @@
 #ifndef COOKIES_H
 #define COOKIES_H
-#include
+#include
 struct __attribute__ ((__packed__)) stored_cookie_st {
 char username[MAX_USERNAME_SIZE];
@@ -12,7 +12,6 @@ struct __attribute__ ((__packed__)) stored_cookie_st {
 int store_cookie(const struct cfg_st *, const void* cookie, unsigned cookie_size, const struct stored_cookie_st* sc);
-void expire_cookies(main_server_st* s);
 int retrieve_cookie(const struct cfg_st *, const void* cookie, unsigned cookie_size, struct stored_cookie_st* sc);
diff --git a/src/log.c b/src/log.c
index 0892e46e..686e105b 100644
--- a/src/log.c
+++ b/src/log.c
@@ -26,6 +26,7 @@
 #include
 #include
+#include
 const char *human_addr(const struct sockaddr *sa, socklen_t salen, void *_buf, size_t buflen)
diff --git a/src/main.c b/src/main.c
index 2c4477ee..d02e0a1e 100644
--- a/src/main.c
+++ b/src/main.c
@@ -38,7 +38,7 @@
 #include "ipc.h"
 #include
-#include
+#include
 #include
 #include
 #include
diff --git a/src/main.h b/src/main.h
index 83f7367d..ec5dd3e2 100644
--- a/src/main.h
+++ b/src/main.h
@@ -1,12 +1,12 @@
 #ifndef MAIN_H
 # define MAIN_H
-#include
-#include
 #include
 #include
 #include
 #include
+#include
+#include
 #include "ipc.h"
 int cmd_parser (int argc, char **argv, struct cfg_st* config);
@@ -62,4 +62,6 @@ int handle_resume_fetch_req(main_server_st* s, struct proc_list_st* proc,
 int handle_resume_store_req(main_server_st* s, struct proc_list_st *proc, const struct cmd_resume_store_req_st * req);
+void expire_cookies(main_server_st* s);
+
 #endif
diff --git a/src/tlslib.h b/src/tlslib.h
index 10d2dfa8..d524e5b3 100644
--- a/src/tlslib.h
+++ b/src/tlslib.h
@@ -1,12 +1,10 @@
-#ifndef TLS_H
-#define TLS_H
+#ifndef TLSLIB_H
+#define TLSLIB_H
 #include
 #include
 #include
-#define MAX_SESSION_DATA_SIZE (4*1024)
-
 #define tls_puts(s, str) tls_send(s, str, sizeof(str)-1)
 int __attribute__ ((format(printf, 2, 3)))
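Review bot: The `void expire_cookies(main_server_st* s);` prototype added to main.h carries no comment, so a reader of the header cannot tell when it is meant to run or what it discards, and since stored cookies presumably bound how long a captured cookie stays usable, that contract is worth stating. I would put above the prototype `/* Drop stored cookies whose lifetime has elapsed; the main process is expected to call this periodically. */`, with the "periodically" part confirmed against the caller, which is not in this diff. Moving the declaration out of cookies.h also drops that header's dependency on `main_server_st`, which looks like the right direction.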
@@ -32,8 +30,6 @@ void tls_close(gnutls_session_t session);
 void tls_fatal_close(gnutls_session_t session, gnutls_alert_description_t a);
-#define MAX_SESSION_DATA_SIZE (4*1024)
-
 typedef struct {
 /* does not allow resumption from different address
diff --git a/src/vpn.h b/src/vpn.h
index 58759b65..a5485b21 100644
--- a/src/vpn.h
+++ b/src/vpn.h
@@ -77,81 +77,13 @@ struct cfg_st {
 #define MAX_USERNAME_SIZE 64
 #define MAX_PASSWORD_SIZE 64
 #define TLS_MASTER_SIZE 48
-#define COOKIE_SIZE 32
-
-struct tls_st {
- gnutls_certificate_credentials_t xcred;
- gnutls_priority_t cprio;
-};
-
-typedef enum {
- UP_DISABLED,
- UP_SETUP,
- UP_HANDSHAKE,
- UP_INACTIVE,
- UP_ACTIVE
-} udp_port_state_t;
-
 #define MAX_HOSTNAME_SIZE MAX_USERNAME_SIZE
-
-typedef struct worker_st {
- struct tls_st *creds;
- gnutls_session_t session;
- gnutls_session_t dtls_session;
- int cmd_fd;
- int conn_fd;
-
- http_parser *parser;
- struct cfg_st *config;
-
- struct sockaddr_storage remote_addr; /* peer's address */
- socklen_t remote_addr_len;
-
- /* set after authentication */
- int udp_fd;
- udp_port_state_t udp_state;
- unsigned int udp_port;
- int udp_port_proto;
-
- /* the following are set only if authentication is complete */
- char tun_name[IFNAMSIZ];
- char username[MAX_USERNAME_SIZE];
- char hostname[MAX_HOSTNAME_SIZE];
- uint8_t cookie[COOKIE_SIZE];
- uint8_t master_secret[TLS_MASTER_SIZE];
- uint8_t session_id[GNUTLS_MAX_SESSION_ID];
- unsigned auth_ok;
- int tun_fd;
-} worker_st;
-
-
-enum {
- HEADER_COOKIE = 1,
- HEADER_MASTER_SECRET,
- HEADER_HOSTNAME,
-};
-
-struct req_data_st {
- char url[256];
- char hostname[MAX_HOSTNAME_SIZE];
- unsigned int next_header;
- unsigned char cookie[COOKIE_SIZE];
- unsigned int cookie_set;
- unsigned char master_secret[TLS_MASTER_SIZE];
- unsigned int master_secret_set;
- char *body;
- unsigned int headers_complete;
- unsigned int message_complete;
-};
-
-void vpn_server(struct worker_st* ws);
+#define COOKIE_SIZE 32
+#define MAX_SESSION_DATA_SIZE (4*1024)
 const char *human_addr(const struct sockaddr *sa, socklen_t salen, void *buf, size_t buflen);
-void __attribute__ ((format(printf, 3, 4)))
- oclog(const worker_st * server, int priority, const char *fmt, ...);
 /* Helper casts */
 #define SA_IN_P(p) (&((struct sockaddr_in *)(p))->sin_addr)
 #define SA_IN_U8_P(p) ((uint8_t*)(&((struct sockaddr_in *)(p))->sin_addr))
diff --git a/src/worker-resume.c b/src/worker-resume.c
index 1e81f57a..026cc3a5 100644
--- a/src/worker-resume.c
+++ b/src/worker-resume.c
@@ -33,6 +33,7 @@
 #include
 #include
+#include
 #include "ipc.h"
 #include
 #include
diff --git a/src/worker.h b/src/worker.h
index f91ac706..788bd5dd 100644
--- a/src/worker.h
+++ b/src/worker.h
@@ -11,6 +11,64 @@
 #include
 #include
+
+struct tls_st {
+ gnutls_certificate_credentials_t xcred;
+ gnutls_priority_t cprio;
+};
+
+typedef enum {
+ UP_DISABLED,
+ UP_SETUP,
+ UP_HANDSHAKE,
+ UP_INACTIVE,
+ UP_ACTIVE
+} udp_port_state_t;
+
+enum {
+ HEADER_COOKIE = 1,
+ HEADER_MASTER_SECRET,
+ HEADER_HOSTNAME,
+};
+
+typedef struct worker_st {
+ struct tls_st *creds;
+ gnutls_session_t session;
+ gnutls_session_t dtls_session;
+ int cmd_fd;
+ int conn_fd;
+
+ http_parser *parser;
+ struct cfg_st *config;
+
+ struct sockaddr_storage remote_addr; /* peer's address */
+ socklen_t remote_addr_len;
+
+ /* set after authentication */
+ int udp_fd;
+ udp_port_state_t udp_state;
+ unsigned int udp_port;
+ int udp_port_proto;
+
+ /* for mtu trials */
+ unsigned last_good_mtu;
+ unsigned last_bad_mtu;
+
+ /* the following are set only if authentication is complete */
+ char tun_name[IFNAMSIZ];
+ char username[MAX_USERNAME_SIZE];
+ char hostname[MAX_HOSTNAME_SIZE];
+ uint8_t cookie[COOKIE_SIZE];
+ uint8_t master_secret[TLS_MASTER_SIZE];
+ uint8_t session_id[GNUTLS_MAX_SESSION_ID];
+ unsigned auth_ok;
+ int tun_fd;
+} worker_st;
+
+
+void vpn_server(struct worker_st* ws);
+
 int auth_cookie(worker_st *ws, void* cookie, size_t cookie_size);
 int get_auth_handler(worker_st *server);
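Review bot: The two fields that are genuinely new in the relocated `worker_st`, `last_good_mtu` and `last_bad_mtu`, are documented only as `/* for mtu trials */`, which says neither what a zero value means nor what unit they hold; a comment such as `/* MTU probing state: largest size known to pass and smallest known to fail, in bytes; 0 = not yet probed */` would do, with the zero convention confirmed against the probing code, which is not in this diff. While the struct is being moved it is also worth marking `cookie` and `master_secret` as secret material that must never be logged and should be wiped when the worker tears down, assuming the worker's exit path does that (not visible here). Because worker.h now carries the struct itself, it must bring in whatever declares `http_parser`, `IFNAMSIZ`, `GNUTLS_MAX_SESSION_ID` and the `*_SIZE` macros that stay in vpn.h; the include targets are stripped in this rendering, so I could not confirm that worker.h is self-contained after the move.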
@@ -19,4 +77,20 @@ int post_new_auth_handler(worker_st *server);
 void set_resume_db_funcs(gnutls_session_t);
+struct req_data_st {
+ char url[256];
+ char hostname[MAX_HOSTNAME_SIZE];
+ unsigned int next_header;
+ unsigned char cookie[COOKIE_SIZE];
+ unsigned int cookie_set;
+ unsigned char master_secret[TLS_MASTER_SIZE];
+ unsigned int master_secret_set;
+ char *body;
+ unsigned int headers_complete;
+ unsigned int message_complete;
+};
+
+void __attribute__ ((format(printf, 3, 4)))
+ oclog(const worker_st * server, int priority, const char *fmt, ...);
+
 #endif
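Review bot: `struct req_data_st` arrives in worker.h with no note on who fills it or what bounds the writes, yet its fixed buffers `url[256]`, `hostname[MAX_HOSTNAME_SIZE]`, `cookie[COOKIE_SIZE]` and `master_secret[TLS_MASTER_SIZE]`, paired with the `cookie_set`/`master_secret_set` flags and the `HEADER_*` enum, read as per-request state copied out of client-supplied HTTP headers, which makes the length checks in the parser callbacks (not in this diff) the thing a reader most needs pointed to. I would add above the struct `/* Per-request state filled by the http_parser callbacks from client headers; every fixed buffer must be length-checked before copying into it */`, and next to `char *body;` a note saying whether it is heap-allocated and who frees it, since the ownership is not visible here. The `oclog` prototype keeps its `format(printf, 3, 4)` attribute across the move, which is good.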