feat(private-service): expose NetBird-only services over tunnel peers

Adds a new "private" service mode for the reverse proxy: services reachable exclusively over the embedded WireGuard tunnel, gated by per-peer group membership instead of operator auth schemes. Wire contract - ProxyMapping.private (field 13): the proxy MUST call ValidateTunnelPeer and fail closed; operator schemes are bypassed. - ProxyCapabilities.private (4) + supports_private_service (5): capability gate. Management never streams private mappings to proxies that don't claim the capability; the broadcast path applies the same filter via filterMappingsForProxy. - ValidateTunnelPeer RPC: resolves an inbound tunnel IP to a peer, checks the peer's groups against service.AccessGroups, and mints a session JWT on success. checkPeerGroupAccess fails closed when a private service has empty AccessGroups. - ValidateSession/ValidateTunnelPeer responses now carry peer_group_ids + peer_group_names so the proxy can authorise policy-aware middlewares without an extra management round-trip. - ProxyInboundListener + SendStatusUpdate.inbound_listener: per-account inbound listener state surfaced to dashboards. - PathTargetOptions.direct_upstream (11): bypass the embedded NetBird client and dial the target via the proxy host's network stack for upstreams reachable without WireGuard. Data model - Service.Private (bool) + Service.AccessGroups ([]string, JSON- serialised). Validate() rejects bearer auth on private services. Copy() deep-copies AccessGroups. pgx getServices loads the columns. - DomainConfig.Private threaded into the proxy auth middleware. Request handler routes private services through forwardWithTunnelPeer and returns 403 on validation failure. - Account-level SynthesizePrivateServiceZones (synthetic DNS) and injectPrivateServicePolicies (synthetic ACL) gate on len(svc.AccessGroups) > 0. Proxy - /netbird proxy --private (embedded mode) flag; Config.Private in proxy/lifecycle.go. - Per-account inbound listener (proxy/inbound.go) binding HTTP/HTTPS on the embedded NetBird client's WireGuard tunnel netstack. - proxy/internal/auth/tunnel_cache: ValidateTunnelPeer response cache with single-flight de-duplication and per-account eviction. - Local peerstore short-circuit: when the inbound IP isn't in the account roster, deny fast without an RPC. - proxy/server.go reports SupportsPrivateService=true and redacts the full ProxyMapping JSON from info logs (auth_token + header-auth hashed values now only at debug level). Identity forwarding - ValidateSessionJWT returns user_id, email, method, groups, group_names. sessionkey.Claims carries Email + Groups + GroupNames so the proxy can stamp identity onto upstream requests without an extra management round-trip on every cookie-bearing request. - CapturedData carries userEmail / userGroups / userGroupNames; the proxy stamps X-NetBird-User and X-NetBird-Groups on r.Out from the authenticated identity (strips client-supplied values first to prevent spoofing). - AccessLog.UserGroups: access-log enrichment captures the user's group memberships at write time so the dashboard can render group context without reverse-resolving stale memberships. OpenAPI/dashboard surface - ReverseProxyService gains private + access_groups; ReverseProxyCluster gains private + supports_private. ReverseProxyTarget target_type enum gains "cluster". ServiceTargetOptions gains direct_upstream. ProxyAccessLog gains user_groups.
2026-05-21 08:09:55 +00:00 · 2026-05-20 21:39:22 +02:00
parent 37052fd5bc
commit 167ee08e14
72 changed files with 6584 additions and 2586 deletions
--- a/shared/management/http/api/openapi.yml
+++ b/shared/management/http/api/openapi.yml
@@ -2896,6 +2896,11 @@ components:
          additionalProperties:
            type: string
          description: "Extra context about the request (e.g. crowdsec_verdict)"
+        user_groups:
+          type: array
+          items:
+            type: string
+          description: "Group IDs the user belonged to when the entry was written"
      required:
        - id
        - service_id
@@ -3067,6 +3072,17 @@ components:
          $ref: '#/components/schemas/AccessRestrictions'
        meta:
          $ref: '#/components/schemas/ServiceMeta'
+        private:
+          type: boolean
+          description: When true, the service is NetBird-only — its target points at a proxy cluster, inbound peers authenticate via their WireGuard tunnel identity (no OIDC), and an ACL policy is auto-generated from access_groups to the cluster's proxy-peer group. Requires mode=http.
+          default: false
+          example: false
+        access_groups:
+          type: array
+          items:
+            type: string
+          description: NetBird group IDs whose peers may reach this private service over the tunnel. Required when private=true; ignored otherwise. Mutually exclusive with bearer auth (SSO).
+          example: ["group-engineering"]
      required:
        - id
        - name
@@ -3147,6 +3163,17 @@ components:
          $ref: '#/components/schemas/ServiceAuthConfig'
        access_restrictions:
          $ref: '#/components/schemas/AccessRestrictions'
+        private:
+          type: boolean
+          description: When true, the service is NetBird-only — its target points at a proxy cluster, inbound peers authenticate via their WireGuard tunnel identity (no OIDC), and an ACL policy is auto-generated from access_groups to the cluster's proxy-peer group. Requires mode=http.
+          default: false
+          example: false
+        access_groups:
+          type: array
+          items:
+            type: string
+          description: NetBird group IDs whose peers may reach this private service over the tunnel. Required when private=true; ignored otherwise. Mutually exclusive with bearer auth (SSO).
+          example: ["group-engineering"]
      required:
        - name
        - domain
@@ -3185,6 +3212,14 @@ components:
          type: string
          description: Idle timeout before a UDP session is reaped, as a Go duration string (e.g. "30s", "2m").
          example: "2m"
+        direct_upstream:
+          type: boolean
+          description: |
+            When true, the proxy dials this target via the host's network stack
+            instead of through its embedded NetBird client. Use for upstreams
+            reachable without WireGuard (public APIs, LAN services, localhost
+            sidecars). Default false.
+          example: false
    ServiceTarget:
      type: object
      properties:
@@ -3195,7 +3230,7 @@ components:
        target_type:
          type: string
          description: Target type
-          enum: [peer, host, domain, subnet]
+          enum: [peer, host, domain, subnet, cluster]
          example: "subnet"
        path:
          type: string
@@ -3439,6 +3474,10 @@ components:
          type: boolean
          description: Whether all active proxies in the cluster have CrowdSec configured
          example: false
+        private:
+          type: boolean
+          description: True when at least one connected proxy in this cluster is running embedded in a netbird client (`netbird proxy`) and serving over a WireGuard tunnel. Lets the dashboard distinguish per-peer / private clusters from centralised ones.
+          example: false
      required:
        - id
        - address
@@ -3494,6 +3533,10 @@ components:
          type: boolean
          description: Whether the proxy cluster has CrowdSec configured
          example: false
+        supports_private:
+          type: boolean
+          description: Whether the proxy cluster supports private (NetBird-only) services. True when at least one connected proxy in the cluster runs embedded in a netbird client.
+          example: false
      required:
        - id
        - domain
--- a/shared/management/http/api/types.gen.go
+++ b/shared/management/http/api/types.gen.go
@@ -1063,15 +1063,18 @@ func (e ServiceTargetProtocol) Valid() bool {

 // Defines values for ServiceTargetTargetType.
 const (
-	ServiceTargetTargetTypeDomain ServiceTargetTargetType = "domain"
-	ServiceTargetTargetTypeHost   ServiceTargetTargetType = "host"
-	ServiceTargetTargetTypePeer   ServiceTargetTargetType = "peer"
-	ServiceTargetTargetTypeSubnet ServiceTargetTargetType = "subnet"
+	ServiceTargetTargetTypeCluster ServiceTargetTargetType = "cluster"
+	ServiceTargetTargetTypeDomain  ServiceTargetTargetType = "domain"
+	ServiceTargetTargetTypeHost    ServiceTargetTargetType = "host"
+	ServiceTargetTargetTypePeer    ServiceTargetTargetType = "peer"
+	ServiceTargetTargetTypeSubnet  ServiceTargetTargetType = "subnet"
 )

 // Valid indicates whether the value is a known member of the ServiceTargetTargetType enum.
 func (e ServiceTargetTargetType) Valid() bool {
 	switch e {
+	case ServiceTargetTargetTypeCluster:
+		return true
 	case ServiceTargetTargetTypeDomain:
 		return true
 	case ServiceTargetTargetTypeHost:
@@ -3783,6 +3786,9 @@ type ProxyAccessLog struct {
 	// Timestamp Timestamp when the request was made
 	Timestamp time.Time `json:"timestamp"`

+	// UserGroups Group IDs the user belonged to when the entry was written
+	UserGroups *[]string `json:"user_groups,omitempty"`
+
 	// UserId ID of the authenticated user, if applicable
 	UserId *string `json:"user_id,omitempty"`
 }
@@ -3819,6 +3825,9 @@ type ProxyCluster struct {
 	// Online Whether at least one proxy in the cluster has heartbeated within the active window
 	Online bool `json:"online"`

+	// Private True when at least one connected proxy in this cluster is running embedded in a netbird client (`netbird proxy`) and serving over a WireGuard tunnel. Lets the dashboard distinguish per-peer / private clusters from centralised ones.
+	Private *bool `json:"private,omitempty"`
+
 	// RequireSubdomain Whether services on this cluster must include a subdomain label
 	RequireSubdomain *bool `json:"require_subdomain,omitempty"`

@@ -3896,6 +3905,9 @@ type ReverseProxyDomain struct {
 	// SupportsCustomPorts Whether the cluster supports binding arbitrary TCP/UDP ports
 	SupportsCustomPorts *bool `json:"supports_custom_ports,omitempty"`

+	// SupportsPrivate Whether the proxy cluster supports private (NetBird-only) services. True when at least one connected proxy in the cluster runs embedded in a netbird client.
+	SupportsPrivate *bool `json:"supports_private,omitempty"`
+
 	// TargetCluster The proxy cluster this domain is validated against (only for custom domains)
 	TargetCluster *string `json:"target_cluster,omitempty"`

@@ -4085,6 +4097,9 @@ type SentinelOneMatchAttributesNetworkStatus string

 // Service defines model for Service.
 type Service struct {
+	// AccessGroups NetBird group IDs whose peers may reach this private service over the tunnel. Required when private=true; ignored otherwise. Mutually exclusive with bearer auth (SSO).
+	AccessGroups *[]string `json:"access_groups,omitempty"`
+
 	// AccessRestrictions Connection-level access restrictions based on IP address or geography. Applies to both HTTP and L4 services.
 	AccessRestrictions *AccessRestrictions `json:"access_restrictions,omitempty"`
 	Auth               ServiceAuthConfig   `json:"auth"`
@@ -4114,6 +4129,9 @@ type Service struct {
 	// PortAutoAssigned Whether the listen port was auto-assigned
 	PortAutoAssigned *bool `json:"port_auto_assigned,omitempty"`

+	// Private When true, the service is NetBird-only — its target points at a proxy cluster, inbound peers authenticate via their WireGuard tunnel identity (no OIDC), and an ACL policy is auto-generated from access_groups to the cluster's proxy-peer group. Requires mode=http.
+	Private *bool `json:"private,omitempty"`
+
 	// ProxyCluster The proxy cluster handling this service (derived from domain)
 	ProxyCluster *string `json:"proxy_cluster,omitempty"`

@@ -4156,6 +4174,9 @@ type ServiceMetaStatus string

 // ServiceRequest defines model for ServiceRequest.
 type ServiceRequest struct {
+	// AccessGroups NetBird group IDs whose peers may reach this private service over the tunnel. Required when private=true; ignored otherwise. Mutually exclusive with bearer auth (SSO).
+	AccessGroups *[]string `json:"access_groups,omitempty"`
+
 	// AccessRestrictions Connection-level access restrictions based on IP address or geography. Applies to both HTTP and L4 services.
 	AccessRestrictions *AccessRestrictions `json:"access_restrictions,omitempty"`
 	Auth               *ServiceAuthConfig  `json:"auth,omitempty"`
@@ -4178,6 +4199,9 @@ type ServiceRequest struct {
 	// PassHostHeader When true, the original client Host header is passed through to the backend instead of being rewritten to the backend's address
 	PassHostHeader *bool `json:"pass_host_header,omitempty"`

+	// Private When true, the service is NetBird-only — its target points at a proxy cluster, inbound peers authenticate via their WireGuard tunnel identity (no OIDC), and an ACL policy is auto-generated from access_groups to the cluster's proxy-peer group. Requires mode=http.
+	Private *bool `json:"private,omitempty"`
+
 	// RewriteRedirects When true, Location headers in backend responses are rewritten to replace the backend address with the public-facing domain
 	RewriteRedirects *bool `json:"rewrite_redirects,omitempty"`

@@ -4224,6 +4248,12 @@ type ServiceTargetOptions struct {
 	// CustomHeaders Extra headers sent to the backend. Hop-by-hop and proxy-managed headers (Host, Connection, Transfer-Encoding, etc.) are rejected.
 	CustomHeaders *map[string]string `json:"custom_headers,omitempty"`

+	// DirectUpstream When true, the proxy dials this target via the host's network stack
+	// instead of through its embedded NetBird client. Use for upstreams
+	// reachable without WireGuard (public APIs, LAN services, localhost
+	// sidecars). Default false.
+	DirectUpstream *bool `json:"direct_upstream,omitempty"`
+
 	// PathRewrite Controls how the request path is rewritten before forwarding to the backend. Default strips the matched prefix. "preserve" keeps the full original request path.
 	PathRewrite *ServiceTargetOptionsPathRewrite `json:"path_rewrite,omitempty"`

--- a/shared/management/proto/proxy_service.pb.go
+++ b/shared/management/proto/proxy_service.pb.go
--- a/shared/management/proto/proxy_service.proto
+++ b/shared/management/proto/proxy_service.proto
@@ -12,15 +12,6 @@ import "google/protobuf/timestamp.proto";
 service ProxyService {
  rpc GetMappingUpdate(GetMappingUpdateRequest) returns (stream GetMappingUpdateResponse);

-  // SyncMappings is a bidirectional stream that replaces GetMappingUpdate for
-  // new proxies. The proxy sends an initial SyncMappingsRequest to start the
-  // stream and then sends an ack after each batch is fully processed.
-  // Management waits for the ack before sending the next batch, providing
-  // application-level back-pressure during large initial syncs.
-  // Old proxies continue using GetMappingUpdate; old management servers
-  // return Unimplemented for this RPC and proxies fall back.
-  rpc SyncMappings(stream SyncMappingsRequest) returns (stream SyncMappingsResponse);
-
  rpc SendAccessLog(SendAccessLogRequest) returns (SendAccessLogResponse);

  rpc Authenticate(AuthenticateRequest) returns (AuthenticateResponse);
@@ -34,6 +25,15 @@ service ProxyService {
  // ValidateSession validates a session token and checks user access permissions.
  // Called by the proxy after receiving a session token from OIDC callback.
  rpc ValidateSession(ValidateSessionRequest) returns (ValidateSessionResponse);
+
+  // ValidateTunnelPeer resolves an inbound peer by its WireGuard tunnel IP and
+  // checks the resolved user's access against the service's required groups.
+  // Acts as a fast-path equivalent of OIDC for requests originating on the
+  // netbird mesh: when the source IP maps to a known peer in the calling
+  // account and that peer's user is in the service's distribution_groups,
+  // the proxy can issue a session cookie without redirecting through the
+  // OIDC flow. Mirrors ValidateSession's response shape.
+  rpc ValidateTunnelPeer(ValidateTunnelPeerRequest) returns (ValidateTunnelPeerResponse);
 }

 // ProxyCapabilities describes what a proxy can handle.
@@ -45,6 +45,13 @@ message ProxyCapabilities {
  optional bool require_subdomain = 2;
  // Whether the proxy has CrowdSec configured and can enforce IP reputation checks.
  optional bool supports_crowdsec = 3;
+  // Whether the proxy is running embedded in the netbird client and serving
+  // exclusively over the WireGuard tunnel (i.e. `netbird proxy` rather than
+  // the standalone netbird-proxy binary). Surfaces upstream so dashboards can
+  // distinguish per-peer / private clusters from centralised ones.
+  optional bool private = 4;
+  // Whether the proxy enforces ProxyMapping.private (fails closed on ValidateTunnelPeer failure). Management MUST NOT stream private mappings to proxies that don't claim this.
+  optional bool supports_private_service = 5;
 }

 // GetMappingUpdateRequest is sent to initialise a mapping stream.
@@ -86,6 +93,11 @@ message PathTargetOptions {
  bool proxy_protocol = 5;
  // Idle timeout before a UDP session is reaped.
  google.protobuf.Duration session_idle_timeout = 6;
+  // When true, the proxy dials this target via the host's network stack
+  // instead of through the embedded NetBird client. Useful for upstreams
+  // reachable without WireGuard (public APIs, LAN services, localhost
+  // sidecars). Defaults to false — embedded client is the standard path.
+  bool direct_upstream = 7;
 }

 message PathMapping {
@@ -138,6 +150,8 @@ message ProxyMapping {
  // For L4/TLS: the port the proxy listens on.
  int32 listen_port = 11;
  AccessRestrictions access_restrictions = 12;
+  // NetBird-only: the proxy MUST call ValidateTunnelPeer and fail closed; operator auth schemes are bypassed.
+  bool private = 13;
 }

 // SendAccessLogRequest consists of one or more AccessLogs from a Proxy.
@@ -213,6 +227,25 @@ message SendStatusUpdateRequest {
  ProxyStatus status = 3;
  bool certificate_issued = 4;
  optional string error_message = 5;
+  // Per-account inbound listener state for the account that owns
+  // service_id. Populated only when --private-inbound is enabled and the
+  // embedded client for the account is up. Field numbers >=50 reserved
+  // for observability extensions.
+  optional ProxyInboundListener inbound_listener = 50;
+}
+
+// ProxyInboundListener describes a per-account inbound listener that the
+// proxy has bound on the embedded netstack of the account's WireGuard
+// client. Surfaced so dashboards can render "this account is reachable
+// at <tunnel_ip>:<https_port> on this proxy".
+message ProxyInboundListener {
+  // Tunnel IP the embedded netstack listens on. Same address other peers
+  // in the account see for the proxy peer.
+  string tunnel_ip = 1;
+  // TLS port served on tunnel_ip (auto-detected, default 443).
+  uint32 https_port = 2;
+  // Plain-HTTP port served on tunnel_ip (auto-detected, default 80).
+  uint32 http_port = 3;
 }

 // SendStatusUpdateResponse is intentionally empty to allow for future expansion
@@ -254,36 +287,51 @@ message ValidateSessionResponse {
  string user_id = 2;
  string user_email = 3;
  string denied_reason = 4;
+  // peer_group_ids carries the calling user's group memberships so the
+  // proxy can authorise policy-aware middlewares without an additional
+  // management round-trip.
+  repeated string peer_group_ids = 5;
+  // peer_group_names carries the human-readable display names for the
+  // ids in peer_group_ids, ordered identically (positional pairing).
+  // Stamped onto upstream requests as X-NetBird-Groups so downstream
+  // services can read names rather than opaque ids.
+  repeated string peer_group_names = 6;
 }

-// SyncMappingsRequest is sent by the proxy on the bidirectional SyncMappings
-// stream. The first message MUST be an init; all subsequent messages MUST be
-// acks.
-message SyncMappingsRequest {
-  oneof msg {
-    SyncMappingsInit init = 1;
-    SyncMappingsAck ack = 2;
-  }
+// ValidateTunnelPeerRequest carries the inbound peer's tunnel IP and the
+// service domain whose group requirements should gate access. The calling
+// account is inferred from the proxy's gRPC metadata (ProxyToken).
+message ValidateTunnelPeerRequest {
+  string tunnel_ip = 1;
+  string domain = 2;
 }

-// SyncMappingsInit is the first message on the stream, carrying the same
-// identification fields as GetMappingUpdateRequest.
-message SyncMappingsInit {
-  string proxy_id = 1;
-  string version = 2;
-  google.protobuf.Timestamp started_at = 3;
-  string address = 4;
-  ProxyCapabilities capabilities = 5;
+// ValidateTunnelPeerResponse mirrors ValidateSessionResponse plus a freshly
+// minted session_token: when valid is true, the proxy installs the token as
+// a session cookie so subsequent requests skip the management round-trip,
+// matching the OIDC flow's UX. denied_reason values:
+//   "peer_not_found" — no peer with that tunnel IP in the calling account
+//   "no_user"        — peer exists but is not bound to a user
+//   "service_not_found"
+//   "account_mismatch"
+//   "not_in_group"   — user resolved but not in service.distribution_groups
+message ValidateTunnelPeerResponse {
+  bool valid = 1;
+  string user_id = 2;
+  string user_email = 3;
+  string denied_reason = 4;
+  // session_token is set only when valid is true. Same shape as the JWT
+  // the OIDC flow produces — proxy installs it via setSessionCookie so the
+  // tunnel fast-path is indistinguishable from OIDC for subsequent requests.
+  string session_token = 5;
+  // peer_group_ids carries the resolved peer's user group memberships so
+  // the proxy can authorise policy-aware middlewares without an additional
+  // management round-trip.
+  repeated string peer_group_ids = 6;
+  // peer_group_names carries the human-readable display names for the
+  // ids in peer_group_ids, ordered identically (positional pairing).
+  // Stamped onto upstream requests as X-NetBird-Groups so downstream
+  // services can read names rather than opaque ids.
+  repeated string peer_group_names = 7;
 }

-// SyncMappingsAck is sent by the proxy after it has fully processed a batch.
-// Management waits for this before sending the next batch.
-message SyncMappingsAck {}
-
-// SyncMappingsResponse is a batch of mappings sent by management.
-// Identical semantics to GetMappingUpdateResponse.
-message SyncMappingsResponse {
-  repeated ProxyMapping mapping = 1;
-  // initial_sync_complete is set on the last message of the initial snapshot.
-  bool initial_sync_complete = 2;
-}
--- a/shared/management/proto/proxy_service_grpc.pb.go
+++ b/shared/management/proto/proxy_service_grpc.pb.go
@@ -19,14 +19,6 @@ const _ = grpc.SupportPackageIsVersion7
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type ProxyServiceClient interface {
 	GetMappingUpdate(ctx context.Context, in *GetMappingUpdateRequest, opts ...grpc.CallOption) (ProxyService_GetMappingUpdateClient, error)
-	// SyncMappings is a bidirectional stream that replaces GetMappingUpdate for
-	// new proxies. The proxy sends an initial SyncMappingsRequest to start the
-	// stream and then sends an ack after each batch is fully processed.
-	// Management waits for the ack before sending the next batch, providing
-	// application-level back-pressure during large initial syncs.
-	// Old proxies continue using GetMappingUpdate; old management servers
-	// return Unimplemented for this RPC and proxies fall back.
-	SyncMappings(ctx context.Context, opts ...grpc.CallOption) (ProxyService_SyncMappingsClient, error)
 	SendAccessLog(ctx context.Context, in *SendAccessLogRequest, opts ...grpc.CallOption) (*SendAccessLogResponse, error)
 	Authenticate(ctx context.Context, in *AuthenticateRequest, opts ...grpc.CallOption) (*AuthenticateResponse, error)
 	SendStatusUpdate(ctx context.Context, in *SendStatusUpdateRequest, opts ...grpc.CallOption) (*SendStatusUpdateResponse, error)
@@ -35,6 +27,14 @@ type ProxyServiceClient interface {
 	// ValidateSession validates a session token and checks user access permissions.
 	// Called by the proxy after receiving a session token from OIDC callback.
 	ValidateSession(ctx context.Context, in *ValidateSessionRequest, opts ...grpc.CallOption) (*ValidateSessionResponse, error)
+	// ValidateTunnelPeer resolves an inbound peer by its WireGuard tunnel IP and
+	// checks the resolved user's access against the service's required groups.
+	// Acts as a fast-path equivalent of OIDC for requests originating on the
+	// netbird mesh: when the source IP maps to a known peer in the calling
+	// account and that peer's user is in the service's distribution_groups,
+	// the proxy can issue a session cookie without redirecting through the
+	// OIDC flow. Mirrors ValidateSession's response shape.
+	ValidateTunnelPeer(ctx context.Context, in *ValidateTunnelPeerRequest, opts ...grpc.CallOption) (*ValidateTunnelPeerResponse, error)
 }

 type proxyServiceClient struct {
@@ -77,37 +77,6 @@ func (x *proxyServiceGetMappingUpdateClient) Recv() (*GetMappingUpdateResponse,
 	return m, nil
 }

-func (c *proxyServiceClient) SyncMappings(ctx context.Context, opts ...grpc.CallOption) (ProxyService_SyncMappingsClient, error) {
-	stream, err := c.cc.NewStream(ctx, &ProxyService_ServiceDesc.Streams[1], "/management.ProxyService/SyncMappings", opts...)
-	if err != nil {
-		return nil, err
-	}
-	x := &proxyServiceSyncMappingsClient{stream}
-	return x, nil
-}
-
-type ProxyService_SyncMappingsClient interface {
-	Send(*SyncMappingsRequest) error
-	Recv() (*SyncMappingsResponse, error)
-	grpc.ClientStream
-}
-
-type proxyServiceSyncMappingsClient struct {
-	grpc.ClientStream
-}
-
-func (x *proxyServiceSyncMappingsClient) Send(m *SyncMappingsRequest) error {
-	return x.ClientStream.SendMsg(m)
-}
-
-func (x *proxyServiceSyncMappingsClient) Recv() (*SyncMappingsResponse, error) {
-	m := new(SyncMappingsResponse)
-	if err := x.ClientStream.RecvMsg(m); err != nil {
-		return nil, err
-	}
-	return m, nil
-}
-
 func (c *proxyServiceClient) SendAccessLog(ctx context.Context, in *SendAccessLogRequest, opts ...grpc.CallOption) (*SendAccessLogResponse, error) {
 	out := new(SendAccessLogResponse)
 	err := c.cc.Invoke(ctx, "/management.ProxyService/SendAccessLog", in, out, opts...)
@@ -162,19 +131,20 @@ func (c *proxyServiceClient) ValidateSession(ctx context.Context, in *ValidateSe
 	return out, nil
 }

+func (c *proxyServiceClient) ValidateTunnelPeer(ctx context.Context, in *ValidateTunnelPeerRequest, opts ...grpc.CallOption) (*ValidateTunnelPeerResponse, error) {
+	out := new(ValidateTunnelPeerResponse)
+	err := c.cc.Invoke(ctx, "/management.ProxyService/ValidateTunnelPeer", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // ProxyServiceServer is the server API for ProxyService service.
 // All implementations must embed UnimplementedProxyServiceServer
 // for forward compatibility
 type ProxyServiceServer interface {
 	GetMappingUpdate(*GetMappingUpdateRequest, ProxyService_GetMappingUpdateServer) error
-	// SyncMappings is a bidirectional stream that replaces GetMappingUpdate for
-	// new proxies. The proxy sends an initial SyncMappingsRequest to start the
-	// stream and then sends an ack after each batch is fully processed.
-	// Management waits for the ack before sending the next batch, providing
-	// application-level back-pressure during large initial syncs.
-	// Old proxies continue using GetMappingUpdate; old management servers
-	// return Unimplemented for this RPC and proxies fall back.
-	SyncMappings(ProxyService_SyncMappingsServer) error
 	SendAccessLog(context.Context, *SendAccessLogRequest) (*SendAccessLogResponse, error)
 	Authenticate(context.Context, *AuthenticateRequest) (*AuthenticateResponse, error)
 	SendStatusUpdate(context.Context, *SendStatusUpdateRequest) (*SendStatusUpdateResponse, error)
@@ -183,6 +153,14 @@ type ProxyServiceServer interface {
 	// ValidateSession validates a session token and checks user access permissions.
 	// Called by the proxy after receiving a session token from OIDC callback.
 	ValidateSession(context.Context, *ValidateSessionRequest) (*ValidateSessionResponse, error)
+	// ValidateTunnelPeer resolves an inbound peer by its WireGuard tunnel IP and
+	// checks the resolved user's access against the service's required groups.
+	// Acts as a fast-path equivalent of OIDC for requests originating on the
+	// netbird mesh: when the source IP maps to a known peer in the calling
+	// account and that peer's user is in the service's distribution_groups,
+	// the proxy can issue a session cookie without redirecting through the
+	// OIDC flow. Mirrors ValidateSession's response shape.
+	ValidateTunnelPeer(context.Context, *ValidateTunnelPeerRequest) (*ValidateTunnelPeerResponse, error)
 	mustEmbedUnimplementedProxyServiceServer()
 }

@@ -193,9 +171,6 @@ type UnimplementedProxyServiceServer struct {
 func (UnimplementedProxyServiceServer) GetMappingUpdate(*GetMappingUpdateRequest, ProxyService_GetMappingUpdateServer) error {
 	return status.Errorf(codes.Unimplemented, "method GetMappingUpdate not implemented")
 }
-func (UnimplementedProxyServiceServer) SyncMappings(ProxyService_SyncMappingsServer) error {
-	return status.Errorf(codes.Unimplemented, "method SyncMappings not implemented")
-}
 func (UnimplementedProxyServiceServer) SendAccessLog(context.Context, *SendAccessLogRequest) (*SendAccessLogResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method SendAccessLog not implemented")
 }
@@ -214,6 +189,9 @@ func (UnimplementedProxyServiceServer) GetOIDCURL(context.Context, *GetOIDCURLRe
 func (UnimplementedProxyServiceServer) ValidateSession(context.Context, *ValidateSessionRequest) (*ValidateSessionResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ValidateSession not implemented")
 }
+func (UnimplementedProxyServiceServer) ValidateTunnelPeer(context.Context, *ValidateTunnelPeerRequest) (*ValidateTunnelPeerResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ValidateTunnelPeer not implemented")
+}
 func (UnimplementedProxyServiceServer) mustEmbedUnimplementedProxyServiceServer() {}

 // UnsafeProxyServiceServer may be embedded to opt out of forward compatibility for this service.
@@ -248,32 +226,6 @@ func (x *proxyServiceGetMappingUpdateServer) Send(m *GetMappingUpdateResponse) e
 	return x.ServerStream.SendMsg(m)
 }

-func _ProxyService_SyncMappings_Handler(srv interface{}, stream grpc.ServerStream) error {
-	return srv.(ProxyServiceServer).SyncMappings(&proxyServiceSyncMappingsServer{stream})
-}
-
-type ProxyService_SyncMappingsServer interface {
-	Send(*SyncMappingsResponse) error
-	Recv() (*SyncMappingsRequest, error)
-	grpc.ServerStream
-}
-
-type proxyServiceSyncMappingsServer struct {
-	grpc.ServerStream
-}
-
-func (x *proxyServiceSyncMappingsServer) Send(m *SyncMappingsResponse) error {
-	return x.ServerStream.SendMsg(m)
-}
-
-func (x *proxyServiceSyncMappingsServer) Recv() (*SyncMappingsRequest, error) {
-	m := new(SyncMappingsRequest)
-	if err := x.ServerStream.RecvMsg(m); err != nil {
-		return nil, err
-	}
-	return m, nil
-}
-
 func _ProxyService_SendAccessLog_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(SendAccessLogRequest)
 	if err := dec(in); err != nil {
@@ -382,6 +334,24 @@ func _ProxyService_ValidateSession_Handler(srv interface{}, ctx context.Context,
 	return interceptor(ctx, in, info, handler)
 }

+func _ProxyService_ValidateTunnelPeer_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ValidateTunnelPeerRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyServiceServer).ValidateTunnelPeer(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/management.ProxyService/ValidateTunnelPeer",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyServiceServer).ValidateTunnelPeer(ctx, req.(*ValidateTunnelPeerRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // ProxyService_ServiceDesc is the grpc.ServiceDesc for ProxyService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -413,6 +383,10 @@ var ProxyService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "ValidateSession",
 			Handler:    _ProxyService_ValidateSession_Handler,
 		},
+		{
+			MethodName: "ValidateTunnelPeer",
+			Handler:    _ProxyService_ValidateTunnelPeer_Handler,
+		},
 	},
 	Streams: []grpc.StreamDesc{
 		{
@@ -420,12 +394,6 @@ var ProxyService_ServiceDesc = grpc.ServiceDesc{
 			Handler:       _ProxyService_GetMappingUpdate_Handler,
 			ServerStreams: true,
 		},
-		{
-			StreamName:    "SyncMappings",
-			Handler:       _ProxyService_SyncMappings_Handler,
-			ServerStreams: true,
-			ClientStreams: true,
-		},
 	},
 	Metadata: "proxy_service.proto",
 }