[relay] Update GO version and QUIC version (#4736)

- Go 1.25.5
- QUIC 0.55.0

.devcontainer/Dockerfile

@@ -1,15 +1,15 @@
-FROM golang:1.23-bullseye
+FROM golang:1.25-bookworm
 
 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
     && apt-get -y install --no-install-recommends\
-        gettext-base=0.21-4 \ 
+        gettext-base=0.21-12 \
-        iptables=1.8.7-1 \
+        iptables=1.8.9-2 \
-        libgl1-mesa-dev=20.3.5-1 \
+        libgl1-mesa-dev=22.3.6-1+deb12u1 \
-        xorg-dev=1:7.7+22 \
+        xorg-dev=1:7.7+23 \
-        libayatana-appindicator3-dev=0.5.5-2+deb11u2 \
+        libayatana-appindicator3-dev=0.5.92-1 \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* \
-    && go install -v golang.org/x/tools/gopls@v0.18.1
+    && go install -v golang.org/x/tools/gopls@latest
 
 
 WORKDIR /app

.github/workflows/golang-test-freebsd.yml

@@ -25,7 +25,7 @@ jobs:
           release: "14.2"
           prepare: |
             pkg install -y curl pkgconf xorg
-            GO_TARBALL="go1.24.10.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.25.3.freebsd-amd64.tar.gz"
             GO_URL="https://go.dev/dl/$GO_TARBALL"
             curl -vLO "$GO_URL"
             tar -C /usr/local -vxzf "$GO_TARBALL"            

.github/workflows/golang-test-linux.yml

@@ -200,7 +200,7 @@ jobs:
             -e GOCACHE=${CONTAINER_GOCACHE} \
             -e GOMODCACHE=${CONTAINER_GOMODCACHE} \
             -e CONTAINER=${CONTAINER} \
-            golang:1.24-alpine \
+            golang:1.25-alpine \
             sh -c ' \
               apk update; apk add --no-cache \
                 ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
@@ -259,7 +259,7 @@ jobs:
           CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
           go test ${{ matrix.raceFlag }} \
             -exec 'sudo' \
-            -timeout 10m ./relay/... ./shared/relay/...
+            -timeout 10m -p 1 ./relay/... ./shared/relay/...
 
   test_signal:
     name: "Signal / Unit"

.github/workflows/golangci-lint.yml

@@ -52,7 +52,10 @@ jobs:
         if: matrix.os == 'ubuntu-latest'
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: latest
-          args: --timeout=12m --out-format colored-line-number
+          skip-cache: true
+          skip-save-cache: true
+          cache-invalidation-interval: 0
+          args: --timeout=12m

.github/workflows/release.yml

@@ -63,7 +63,7 @@ jobs:
             pkg install -y git curl portlint go
 
             # Install Go for building
-            GO_TARBALL="go1.24.10.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.25.5.freebsd-amd64.tar.gz"
             GO_URL="https://go.dev/dl/$GO_TARBALL"
             curl -LO "$GO_URL"
             tar -C /usr/local -xzf "$GO_TARBALL"

.github/workflows/wasm-build-validation.yml

@@ -14,6 +14,9 @@ jobs:
   js_lint:
     name: "JS / Lint"
     runs-on: ubuntu-latest
+    env:
+      GOOS: js
+      GOARCH: wasm
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -24,16 +27,14 @@ jobs:
       - name: Install dependencies
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
       - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: latest
           install-mode: binary
           skip-cache: true
-          skip-pkg-cache: true
+          skip-save-cache: true
-          skip-build-cache: true
+          cache-invalidation-interval: 0
-      - name: Run golangci-lint for WASM
+          working-directory: ./client
-        run: |
-          GOOS=js GOARCH=wasm golangci-lint run --timeout=12m --out-format colored-line-number ./client/...
         continue-on-error: true
 
   js_build:

.golangci.yaml

@@ -1,139 +1,124 @@
-run:
+version: "2"
-  # Timeout for analysis, e.g. 30s, 5m.
-  # Default: 1m
-  timeout: 6m
-
-# This file contains only configs which differ from defaults.
-# All possible options can be found here https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml
-linters-settings:
-  errcheck:
-    # Report about not checking of errors in type assertions: `a := b.(MyStruct)`.
-    # Such cases aren't reported by default.
-    # Default: false
-    check-type-assertions: false
-
-  gosec:
-    includes:
-      - G101 # Look for hard coded credentials
-      #- G102 # Bind to all interfaces
-      - G103 # Audit the use of unsafe block
-      - G104 # Audit errors not checked
-      - G106 # Audit the use of ssh.InsecureIgnoreHostKey
-      #- G107 # Url provided to HTTP request as taint input
-      - G108 # Profiling endpoint automatically exposed on /debug/pprof
-      - G109 # Potential Integer overflow made by strconv.Atoi result conversion to int16/32
-      - G110 # Potential DoS vulnerability via decompression bomb
-      - G111 # Potential directory traversal
-      #- G112 # Potential slowloris attack
-      - G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
-      #- G114 # Use of net/http serve function that has no support for setting timeouts
-      - G201 # SQL query construction using format string
-      - G202 # SQL query construction using string concatenation
-      - G203 # Use of unescaped data in HTML templates
-      #- G204 # Audit use of command execution
-      - G301 # Poor file permissions used when creating a directory
-      - G302 # Poor file permissions used with chmod
-      - G303 # Creating tempfile using a predictable path
-      - G304 # File path provided as taint input
-      - G305 # File traversal when extracting zip/tar archive
-      - G306 # Poor file permissions used when writing to a new file
-      - G307 # Poor file permissions used when creating a file with os.Create
-      #- G401 # Detect the usage of DES, RC4, MD5 or SHA1
-      #- G402 # Look for bad TLS connection settings
-      - G403 # Ensure minimum RSA key length of 2048 bits
-      #- G404 # Insecure random number source (rand)
-      #- G501 # Import blocklist: crypto/md5
-      - G502 # Import blocklist: crypto/des
-      - G503 # Import blocklist: crypto/rc4
-      - G504 # Import blocklist: net/http/cgi
-      #- G505 # Import blocklist: crypto/sha1
-      - G601 # Implicit memory aliasing of items from a range statement
-      - G602 # Slice access out of bounds
-
-  gocritic:
-    disabled-checks:
-      - commentFormatting
-      - captLocal
-      - deprecatedComment
-
-  govet:
-    # Enable all analyzers.
-    # Default: false
-    enable-all: false
-    enable:
-      - nilness
-
-  revive:
-    rules:
-      - name: exported
-        severity: warning
-        disabled: false
-        arguments:
-          - "checkPrivateReceivers"
-          - "sayRepetitiveInsteadOfStutters"
-  tenv:
-    # The option `all` will run against whole test files (`_test.go`) regardless of method/function signatures.
-    # Otherwise, only methods that take `*testing.T`, `*testing.B`, and `testing.TB` as arguments are checked.
-    # Default: false
-    all: true
-
 linters:
-  disable-all: true
+  default: none
   enable:
-    ## enabled by default
+    - bodyclose
-    - errcheck # checking for unchecked errors, these unchecked errors can be critical bugs in some cases
+    - dupword
-    - gosimple # specializes in simplifying a code
+    - durationcheck
-    - govet # reports suspicious constructs, such as Printf calls whose arguments do not align with the format string
+    - errcheck
-    - ineffassign # detects when assignments to existing variables are not used
+    - forbidigo
-    - staticcheck # is a go vet on steroids, applying a ton of static analysis checks
+    - gocritic
-    - tenv # Tenv is analyzer that detects using os.Setenv instead of t.Setenv since Go1.17.
+    - gosec
-    - typecheck # like the front-end of a Go compiler, parses and type-checks Go code
+    - govet
-    - unused # checks for unused constants, variables, functions and types
+    - ineffassign
-    ## disable by default but the have interesting results so lets add them
+    - mirror
-    - bodyclose # checks whether HTTP response body is closed successfully
+    - misspell
-    - dupword # dupword checks for duplicate words in the source code
+    - nilerr
-    - durationcheck # durationcheck checks for two durations multiplied together
+    - nilnil
-    - forbidigo # forbidigo forbids identifiers
+    - predeclared
-    - gocritic # provides diagnostics that check for bugs, performance and style issues
+    - revive
-    - gosec # inspects source code for security problems
+    - sqlclosecheck
-    - mirror # mirror reports wrong mirror patterns of bytes/strings usage
+    - staticcheck
-    - misspell # misspess finds commonly misspelled English words in comments
+    - unused
-    - nilerr # finds the code that returns nil even if it checks that the error is not nil
+    - wastedassign
-    - nilnil # checks that there is no simultaneous return of nil error and an invalid value
+  settings:
-    - predeclared # predeclared finds code that shadows one of Go's predeclared identifiers
+    errcheck:
-    - revive # Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
+      check-type-assertions: false
-    - sqlclosecheck # checks that sql.Rows and sql.Stmt are closed
+    gocritic:
-    # - thelper # thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers.
+      disabled-checks:
-    - wastedassign # wastedassign finds wasted assignment statements
+        - commentFormatting
+        - captLocal
+        - deprecatedComment
+    gosec:
+      includes:
+        - G101
+        - G103
+        - G104
+        - G106
+        - G108
+        - G109
+        - G110
+        - G111
+        - G201
+        - G202
+        - G203
+        - G301
+        - G302
+        - G303
+        - G304
+        - G305
+        - G306
+        - G307
+        - G403
+        - G502
+        - G503
+        - G504
+        - G601
+        - G602
+    govet:
+      enable:
+        - nilness
+      enable-all: false
+    revive:
+      rules:
+        - name: exported
+          arguments:
+            - checkPrivateReceivers
+            - sayRepetitiveInsteadOfStutters
+          severity: warning
+          disabled: false
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - forbidigo
+        path: management/cmd/root\.go
+      - linters:
+          - forbidigo
+        path: signal/cmd/root\.go
+      - linters:
+          - unused
+        path: sharedsock/filter\.go
+      - linters:
+          - unused
+        path: client/firewall/iptables/rule\.go
+      - linters:
+          - gosec
+          - mirror
+        path: test\.go
+      - linters:
+          - nilnil
+        path: mock\.go
+      - linters:
+          - staticcheck
+        text: grpc.DialContext is deprecated
+      - linters:
+          - staticcheck
+        text: grpc.WithBlock is deprecated
+      - linters:
+          - staticcheck
+        text: "QF1001"
+      - linters:
+          - staticcheck
+        text: "QF1008"
+      - linters:
+          - staticcheck
+        text: "QF1012"
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
 issues:
-  # Maximum count of issues with the same text.
-  # Set to 0 to disable.
-  # Default: 3
   max-same-issues: 5
-
+formatters:
-  exclude-rules:
+  exclusions:
-    # allow fmt
+    generated: lax
-    - path: management/cmd/root\.go
+    paths:
-      linters: forbidigo
+      - third_party$
-    - path: signal/cmd/root\.go
+      - builtin$
-      linters: forbidigo
+      - examples$
-    - path: sharedsock/filter\.go
-      linters:
-      - unused
-    - path: client/firewall/iptables/rule\.go
-      linters:
-      - unused
-    - path: test\.go
-      linters:
-      - mirror
-      - gosec
-    - path: mock\.go
-      linters:
-      - nilnil
-    # Exclude specific deprecation warnings for grpc methods
-    - linters:
-       - staticcheck
-      text: "grpc.DialContext is deprecated"
-    - linters:
-        - staticcheck
-      text: "grpc.WithBlock is deprecated"

client/cmd/debug.go

@@ -136,6 +136,7 @@ func setLogLevel(cmd *cobra.Command, args []string) error {
 	client := proto.NewDaemonServiceClient(conn)
 	level := server.ParseLogLevel(args[0])
 	if level == proto.LogLevel_UNKNOWN {
+		//nolint
 		return fmt.Errorf("unknown log level: %s. Available levels are: panic, fatal, error, warn, info, debug, trace\n", args[0])
 	}
 

client/cmd/login.go

@@ -81,6 +81,7 @@ var loginCmd = &cobra.Command{
 func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey string, activeProf *profilemanager.Profile, username string, pm *profilemanager.ProfileManager) error {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
+		//nolint
 		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
@@ -206,6 +207,7 @@ func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManage
 func switchProfile(ctx context.Context, profileName string, username string) error {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
+		//nolint
 		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)

client/cmd/pprof.go

@@ -1,5 +1,4 @@
 //go:build pprof
-// +build pprof
 
 package cmd
 

client/cmd/root.go

@@ -390,6 +390,7 @@ func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
 
 	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
 	if err != nil {
+		//nolint
 		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)

client/cmd/status.go

@@ -124,6 +124,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
+		//nolint
 		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)

client/cmd/testutil_test.go

@@ -89,9 +89,6 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	t.Cleanup(cleanUp)
 
 	eventStore := &activity.InMemoryEventStore{}
-	if err != nil {
-		return nil, nil
-	}
 
 	ctrl := gomock.NewController(t)
 	t.Cleanup(ctrl.Finish)

client/cmd/up.go

@@ -216,6 +216,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager
 
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
+		//nolint
 		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)

client/firewall/iptables/acl_linux.go

@@ -386,11 +386,8 @@ func (m *aclManager) updateState() {
 
 // filterRuleSpecs returns the specs of a filtering rule
 func filterRuleSpecs(ip net.IP, protocol string, sPort, dPort *firewall.Port, action firewall.Action, ipsetName string) (specs []string) {
-	matchByIP := true
 	// don't use IP matching if IP is 0.0.0.0
-	if ip.IsUnspecified() {
+	matchByIP := !ip.IsUnspecified()
-		matchByIP = false
-	}
 
 	if matchByIP {
 		if ipsetName != "" {

client/firewall/iptables/manager_linux_test.go

@@ -161,7 +161,7 @@ func TestIptablesManagerDenyRules(t *testing.T) {
 			t.Logf("  [%d] %s", i, rule)
 		}
 
-		var denyRuleIndex, acceptRuleIndex int = -1, -1
+		var denyRuleIndex, acceptRuleIndex = -1, -1
 		for i, rule := range rules {
 			if strings.Contains(rule, "DROP") {
 				t.Logf("Found DROP rule at index %d: %s", i, rule)

client/firewall/nftables/manager_linux_test.go

@@ -198,7 +198,7 @@ func TestNftablesManagerRuleOrder(t *testing.T) {
 	t.Logf("Found %d rules in nftables chain", len(rules))
 
 	// Find the accept and deny rules and verify deny comes before accept
-	var acceptRuleIndex, denyRuleIndex int = -1, -1
+	var acceptRuleIndex, denyRuleIndex = -1, -1
 	for i, rule := range rules {
 		hasAcceptHTTPSet := false
 		hasDenyHTTPSet := false
@@ -208,11 +208,13 @@ func TestNftablesManagerRuleOrder(t *testing.T) {
 		for _, e := range rule.Exprs {
 			// Check for set lookup
 			if lookup, ok := e.(*expr.Lookup); ok {
-				if lookup.SetName == "accept-http" {
+				switch lookup.SetName {
+				case "accept-http":
 					hasAcceptHTTPSet = true
-				} else if lookup.SetName == "deny-http" {
+				case "deny-http":
 					hasDenyHTTPSet = true
 				}
+
 			}
 			// Check for port 80
 			if cmp, ok := e.(*expr.Cmp); ok {
@@ -222,9 +224,10 @@ func TestNftablesManagerRuleOrder(t *testing.T) {
 			}
 			// Check for verdict
 			if verdict, ok := e.(*expr.Verdict); ok {
-				if verdict.Kind == expr.VerdictAccept {
+				switch verdict.Kind {
+				case expr.VerdictAccept:
 					action = "ACCEPT"
-				} else if verdict.Kind == expr.VerdictDrop {
+				case expr.VerdictDrop:
 					action = "DROP"
 				}
 			}

client/firewall/uspfilter/filter.go

@@ -795,7 +795,7 @@ func (m *Manager) recalculateTCPChecksum(packetData []byte, d *decoder, tcpHeade
 	pseudoSum += uint32(d.ip4.Protocol)
 	pseudoSum += uint32(tcpLength)
 
-	var sum uint32 = pseudoSum
+	var sum = pseudoSum
 	for i := 0; i < tcpLength-1; i += 2 {
 		sum += uint32(tcpLayer[i])<<8 | uint32(tcpLayer[i+1])
 	}

client/firewall/uspfilter/localip.go

@@ -130,6 +130,7 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	// 127.0.0.0/8
 	newIPv4Bitmap[127] = &ipv4LowBitmap{}
 	for i := 0; i < 8192; i++ {
+		// #nosec G602 -- bitmap is defined as [8192]uint32, loop range is correct
 		newIPv4Bitmap[127].bitmap[i] = 0xFFFFFFFF
 	}
 

client/firewall/uspfilter/localip_test.go

@@ -218,7 +218,7 @@ func BenchmarkIPChecks(b *testing.B) {
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
 			// nolint:gosimple
-			_, _ = mapManager.localIPs[ip.String()]
+			_ = mapManager.localIPs[ip.String()]
 		}
 	})
 
@@ -227,7 +227,7 @@ func BenchmarkIPChecks(b *testing.B) {
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
 			// nolint:gosimple
-			_, _ = mapManager.localIPs[ip.String()]
+			_ = mapManager.localIPs[ip.String()]
 		}
 	})
 }

client/firewall/uspfilter/nat_test.go

@@ -234,9 +234,10 @@ func TestInboundPortDNATNegative(t *testing.T) {
 			require.False(t, translated, "Packet should NOT be translated for %s", tc.name)
 
 			d = parsePacket(t, packet)
-			if tc.protocol == layers.IPProtocolTCP {
+			switch tc.protocol {
+			case layers.IPProtocolTCP:
 				require.Equal(t, tc.dstPort, uint16(d.tcp.DstPort), "Port should remain unchanged")
-			} else if tc.protocol == layers.IPProtocolUDP {
+			case layers.IPProtocolUDP:
 				require.Equal(t, tc.dstPort, uint16(d.udp.DstPort), "Port should remain unchanged")
 			}
 		})

client/iface/device/device_ios.go

@@ -1,6 +1,3 @@
-//go:build ios
-// +build ios
-
 package device
 
 import (

client/internal/debug/debug_linux.go

@@ -507,15 +507,13 @@ func formatPayloadWithCmp(p *expr.Payload, cmp *expr.Cmp) string {
 	if p.Base == expr.PayloadBaseNetworkHeader {
 		switch p.Offset {
 		case 12:
-			if p.Len == 4 {
+			switch p.Len {
-				return fmt.Sprintf("ip saddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
+			case 4, 2:
-			} else if p.Len == 2 {
 				return fmt.Sprintf("ip saddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
 			}
 		case 16:
-			if p.Len == 4 {
+			switch p.Len {
-				return fmt.Sprintf("ip daddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
+			case 4, 2:
-			} else if p.Len == 2 {
 				return fmt.Sprintf("ip daddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
 			}
 		}

client/internal/iface.go

@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 
 package internal
 

client/internal/routemanager/iface/iface.go

@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 
 package iface
 

client/internal/routemanager/systemops/systemops_generic.go

@@ -210,7 +210,8 @@ func (r *SysOps) refreshLocalSubnetsCache() {
 func (r *SysOps) genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
 	nextHop := Nexthop{netip.Addr{}, intf}
 
-	if prefix == vars.Defaultv4 {
+	switch prefix {
+	case vars.Defaultv4:
 		if err := r.addToRouteTable(splitDefaultv4_1, nextHop); err != nil {
 			return err
 		}
@@ -233,7 +234,7 @@ func (r *SysOps) genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) er
 		}
 
 		return nil
-	} else if prefix == vars.Defaultv6 {
+	case vars.Defaultv6:
 		if err := r.addToRouteTable(splitDefaultv6_1, nextHop); err != nil {
 			return fmt.Errorf("add unreachable route split 1: %w", err)
 		}
@@ -255,7 +256,8 @@ func (r *SysOps) genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) er
 func (r *SysOps) genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
 	nextHop := Nexthop{netip.Addr{}, intf}
 
-	if prefix == vars.Defaultv4 {
+	switch prefix {
+	case vars.Defaultv4:
 		var result *multierror.Error
 		if err := r.removeFromRouteTable(splitDefaultv4_1, nextHop); err != nil {
 			result = multierror.Append(result, err)
@@ -273,7 +275,7 @@ func (r *SysOps) genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface)
 		}
 
 		return nberrors.FormatErrorOrNil(result)
-	} else if prefix == vars.Defaultv6 {
+	case vars.Defaultv6:
 		var result *multierror.Error
 		if err := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err != nil {
 			result = multierror.Append(result, err)
@@ -283,9 +285,9 @@ func (r *SysOps) genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface)
 		}
 
 		return nberrors.FormatErrorOrNil(result)
+	default:
+		return r.removeFromRouteTable(prefix, nextHop)
 	}
-
-	return r.removeFromRouteTable(prefix, nextHop)
 }
 
 func (r *SysOps) setupHooks(initAddresses []net.IP, stateManager *statemanager.Manager) error {

client/ios/NetBirdSDK/client.go

@@ -76,7 +76,7 @@ type Client struct {
 	loginComplete         bool
 	connectClient         *internal.ConnectClient
 	// preloadedConfig holds config loaded from JSON (used on tvOS where file writes are blocked)
-	preloadedConfig       *profilemanager.Config
+	preloadedConfig *profilemanager.Config
 }
 
 // NewClient instantiate a new Client

client/server/panic_windows.go

@@ -1,5 +1,4 @@
 //go:build windows
-// +build windows
 
 package server
 

client/ssh/server/jwt_test.go

@@ -602,12 +602,13 @@ func TestJWTAuthentication(t *testing.T) {
 			require.NoError(t, err)
 
 			var authMethods []cryptossh.AuthMethod
-			if tc.token == "valid" {
+			switch tc.token {
+			case "valid":
 				token := generateValidJWT(t, privateKey, issuer, audience)
 				authMethods = []cryptossh.AuthMethod{
 					cryptossh.Password(token),
 				}
-			} else if tc.token == "invalid" {
+			case "invalid":
 				invalidToken := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.invalid"
 				authMethods = []cryptossh.AuthMethod{
 					cryptossh.Password(invalidToken),

client/system/info_android.go

@@ -1,6 +1,3 @@
-//go:build android
-// +build android
-
 package system
 
 import (

client/system/info_darwin.go

@@ -1,5 +1,4 @@
 //go:build !ios
-// +build !ios
 
 package system
 

client/system/info_ios.go

@@ -1,6 +1,3 @@
-//go:build ios
-// +build ios
-
 package system
 
 import (

client/ui/client_ui.go

@@ -510,7 +510,7 @@ func (s *serviceClient) saveSettings() {
 		// Continue with default behavior if features can't be retrieved
 	} else if features != nil && features.DisableUpdateSettings {
 		log.Warn("Configuration updates are disabled by daemon")
-		dialog.ShowError(fmt.Errorf("Configuration updates are disabled by daemon"), s.wSettings)
+		dialog.ShowError(fmt.Errorf("configuration updates are disabled by daemon"), s.wSettings)
 		return
 	}
 
@@ -540,7 +540,7 @@ func (s *serviceClient) saveSettings() {
 func (s *serviceClient) validateSettings() error {
 	if s.iPreSharedKey.Text != "" && s.iPreSharedKey.Text != censoredPreSharedKey {
 		if _, err := wgtypes.ParseKey(s.iPreSharedKey.Text); err != nil {
-			return fmt.Errorf("Invalid Pre-shared Key Value")
+			return fmt.Errorf("invalid pre-shared key value")
 		}
 	}
 	return nil
@@ -549,10 +549,10 @@ func (s *serviceClient) validateSettings() error {
 func (s *serviceClient) parseNumericSettings() (int64, int64, error) {
 	port, err := strconv.ParseInt(s.iInterfacePort.Text, 10, 64)
 	if err != nil {
-		return 0, 0, errors.New("Invalid interface port")
+		return 0, 0, errors.New("invalid interface port")
 	}
 	if port < 1 || port > 65535 {
-		return 0, 0, errors.New("Invalid interface port: out of range 1-65535")
+		return 0, 0, errors.New("invalid interface port: out of range 1-65535")
 	}
 
 	var mtu int64
@@ -560,7 +560,7 @@ func (s *serviceClient) parseNumericSettings() (int64, int64, error) {
 	if mtuText != "" {
 		mtu, err = strconv.ParseInt(mtuText, 10, 64)
 		if err != nil {
-			return 0, 0, errors.New("Invalid MTU value")
+			return 0, 0, errors.New("invalid MTU value")
 		}
 		if mtu < iface.MinMTU || mtu > iface.MaxMTU {
 			return 0, 0, fmt.Errorf("MTU must be between %d and %d bytes", iface.MinMTU, iface.MaxMTU)
@@ -645,7 +645,7 @@ func (s *serviceClient) buildSetConfigRequest(iMngURL string, port, mtu int64) (
 	if sshJWTCacheTTLText != "" {
 		sshJWTCacheTTL, err := strconv.ParseInt(sshJWTCacheTTLText, 10, 32)
 		if err != nil {
-			return nil, errors.New("Invalid SSH JWT Cache TTL value")
+			return nil, errors.New("invalid SSH JWT Cache TTL value")
 		}
 		if sshJWTCacheTTL < 0 || sshJWTCacheTTL > maxSSHJWTCacheTTL {
 			return nil, fmt.Errorf("SSH JWT Cache TTL must be between 0 and %d seconds", maxSSHJWTCacheTTL)

client/ui/signal_windows.go

@@ -164,7 +164,7 @@ func sendShowWindowSignal(pid int32) error {
 
 	err = windows.SetEvent(eventHandle)
 	if err != nil {
-		return fmt.Errorf("Error setting event: %w", err)
+		return fmt.Errorf("error setting event: %w", err)
 	}
 
 	return nil

go.mod

@@ -1,6 +1,8 @@
 module github.com/netbirdio/netbird
 
-go 1.24.10
+go 1.25
+
+toolchain go1.25.5
 
 require (
 	cunicu.li/go-rosenpass v0.4.0
@@ -81,7 +83,7 @@ require (
 	github.com/pion/turn/v3 v3.0.1
 	github.com/pkg/sftp v1.13.9
 	github.com/prometheus/client_golang v1.23.2
-	github.com/quic-go/quic-go v0.49.1
+	github.com/quic-go/quic-go v0.55.0
 	github.com/redis/go-redis/v9 v9.7.3
 	github.com/rs/xid v1.3.0
 	github.com/shirou/gopsutil/v3 v3.24.4
@@ -103,7 +105,7 @@ require (
 	go.opentelemetry.io/otel/exporters/prometheus v0.48.0
 	go.opentelemetry.io/otel/metric v1.38.0
 	go.opentelemetry.io/otel/sdk/metric v1.38.0
-	go.uber.org/mock v0.5.0
+	go.uber.org/mock v0.5.2
 	go.uber.org/zap v1.27.0
 	goauthentik.io/api/v3 v3.2023051.3
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
@@ -186,12 +188,10 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-sql-driver/mysql v1.9.3 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/go-text/render v0.2.0 // indirect
 	github.com/go-text/typesetting v0.2.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/pprof v0.0.0-20211214055906-6f57359322fd // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
 	github.com/googleapis/gax-go/v2 v2.15.0 // indirect

go.sum

@@ -101,9 +101,6 @@ github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK3
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
 github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
 github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
@@ -286,7 +283,6 @@ github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
@@ -491,8 +487,8 @@ github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9Z
 github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
 github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
 github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
-github.com/quic-go/quic-go v0.49.1 h1:e5JXpUyF0f2uFjckQzD8jTghZrOUK1xxDqqZhlwixo0=
+github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9Mk=
-github.com/quic-go/quic-go v0.49.1/go.mod h1:s2wDnmCdooUQBmQfpUSTCYBl1/D4FcqbULMMkASvR6s=
+github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
 github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM=
 github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
@@ -622,8 +618,8 @@ go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lI
 go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
-go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
@@ -717,7 +713,6 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

management/cmd/management.go

@@ -64,7 +64,7 @@ var (
 				config.HttpConfig.IdpSignKeyRefreshEnabled = idpSignKeyRefreshEnabled
 			}
 
-			tlsEnabled := false
+			var tlsEnabled bool
 			if mgmtLetsencryptDomain != "" || (config.HttpConfig.CertFile != "" && config.HttpConfig.CertKey != "") {
 				tlsEnabled = true
 			}

management/internals/shared/grpc/loginfilter_test.go

@@ -85,6 +85,7 @@ func (s *LoginFilterTestSuite) TestBanDurationIncreasesExponentially() {
 	s.True(s.filter.logged[pubKey].isBanned)
 	s.Equal(2, s.filter.logged[pubKey].banLevel)
 	secondBanDuration := s.filter.logged[pubKey].banExpiresAt.Sub(s.filter.logged[pubKey].lastSeen)
+	// nolint
 	expectedSecondDuration := time.Duration(float64(baseBan) * math.Pow(2, 1))
 	s.InDelta(expectedSecondDuration, secondBanDuration, float64(time.Millisecond))
 }

management/server/account.go

@@ -1006,7 +1006,7 @@ func (am *DefaultAccountManager) isCacheFresh(ctx context.Context, accountUsers
 	for user, loggedInOnce := range accountUsers {
 		if datum, ok := userDataMap[user]; ok {
 			// check if the matching user data has a pending invite and if the user has logged in once, forcing the cache to be refreshed
-			if datum.AppMetadata.WTPendingInvite != nil && *datum.AppMetadata.WTPendingInvite && loggedInOnce == true { //nolint:gosimple
+			if datum.AppMetadata.WTPendingInvite != nil && *datum.AppMetadata.WTPendingInvite && loggedInOnce == true { //nolint
 				log.WithContext(ctx).Infof("user %s has a pending invite and has logged in once, cache invalid", user)
 				return false
 			}

management/server/account_test.go

@@ -753,7 +753,7 @@ func TestAccountManager_SetOrUpdateDomain(t *testing.T) {
 		t.Fatalf("expected to create an account for a user %s", userId)
 	}
 
-	if account != nil && account.Domain != domain {
+	if account.Domain != domain {
 		t.Errorf("setting account domain failed, expected %s, got %s", domain, account.Domain)
 	}
 
@@ -768,7 +768,7 @@ func TestAccountManager_SetOrUpdateDomain(t *testing.T) {
 		t.Fatalf("expected to get an account for a user %s", userId)
 	}
 
-	if account != nil && account.Domain != domain {
+	if account.Domain != domain {
 		t.Errorf("updating domain. expected %s got %s", domain, account.Domain)
 	}
 }

management/server/http/handlers/policies/posture_checks_handler_test.go

@@ -46,7 +46,7 @@ func initPostureChecksTestData(postureChecks ...*posture.Checks) *postureChecksH
 				testPostureChecks[postureChecks.ID] = postureChecks
 
 				if err := postureChecks.Validate(); err != nil {
-					return nil, status.Errorf(status.InvalidArgument, "%s", err.Error()) //nolint
+					return nil, status.Errorf(status.InvalidArgument, "%v", err) //nolint
 				}
 
 				return postureChecks, nil

management/server/http/testing/benchmarks/peers_handler_benchmark_test.go

@@ -1,5 +1,4 @@
 //go:build benchmark
-// +build benchmark
 
 package benchmarks
 

management/server/http/testing/benchmarks/setupkeys_handler_benchmark_test.go

@@ -1,5 +1,4 @@
 //go:build benchmark
-// +build benchmark
 
 package benchmarks
 

management/server/http/testing/benchmarks/users_handler_benchmark_test.go

@@ -1,5 +1,4 @@
 //go:build benchmark
-// +build benchmark
 
 package benchmarks
 

management/server/http/testing/integration/setupkeys_handler_integration_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package integration
 

management/server/idp/pocketid.go

@@ -121,7 +121,7 @@ func NewPocketIdManager(config PocketIdClientConfig, appMetrics telemetry.AppMet
 func (p *PocketIdManager) request(ctx context.Context, method, resource string, query *url.Values, body string) ([]byte, error) {
 	var MethodsWithBody = []string{http.MethodPost, http.MethodPut}
 	if !slices.Contains(MethodsWithBody, method) && body != "" {
-		return nil, fmt.Errorf("Body provided to unsupported method: %s", method)
+		return nil, fmt.Errorf("body provided to unsupported method: %s", method)
 	}
 
 	reqURL := fmt.Sprintf("%s/api/%s", p.managementEndpoint, resource)
@@ -301,7 +301,7 @@ func (p *PocketIdManager) CreateUser(ctx context.Context, email, name, accountID
 	if p.appMetrics != nil {
 		p.appMetrics.IDPMetrics().CountCreateUser()
 	}
-	var pending bool = true
+	pending := true
 	ret := &UserData{
 		Email: email,
 		Name:  name,

management/server/idp/zitadel.go

@@ -357,7 +357,7 @@ func (zm *ZitadelManager) CreateUser(ctx context.Context, email, name, accountID
 		return nil, err
 	}
 
-	var pending bool = true
+	pending := true
 	ret := &UserData{
 		Email: email,
 		Name:  name,

management/server/migration/migration.go

@@ -393,7 +393,7 @@ func CreateIndexIfNotExists[T any](ctx context.Context, db *gorm.DB, indexName s
 		return fmt.Errorf("failed to parse model schema: %w", err)
 	}
 	tableName := stmt.Schema.Table
-	dialect := db.Dialector.Name()
+	dialect := db.Name()
 
 	if db.Migrator().HasIndex(&model, indexName) {
 		log.WithContext(ctx).Infof("index %s already exists on table %s", indexName, tableName)

management/server/nameserver.go

@@ -20,7 +20,7 @@ import (
 
 const domainPattern = `^(?i)[a-z0-9]+([\-\.]{1}[a-z0-9]+)*[*.a-z]{1,}$`
 
-var invalidDomainName = errors.New("invalid domain name")
+var errInvalidDomainName = errors.New("invalid domain name")
 
 // GetNameServerGroup gets a nameserver group object from account and nameserver group IDs
 func (am *DefaultAccountManager) GetNameServerGroup(ctx context.Context, accountID, userID, nsGroupID string) (*nbdns.NameServerGroup, error) {
@@ -314,7 +314,7 @@ func validateDomain(domain string) error {
 
 	_, valid := dns.IsDomainName(domain)
 	if !valid {
-		return invalidDomainName
+		return errInvalidDomainName
 	}
 
 	return nil

management/server/posture_checks.go

@@ -158,7 +158,7 @@ func arePostureCheckChangesAffectPeers(ctx context.Context, transaction store.St
 // validatePostureChecks validates the posture checks.
 func validatePostureChecks(ctx context.Context, transaction store.Store, accountID string, postureChecks *posture.Checks) error {
 	if err := postureChecks.Validate(); err != nil {
-		return status.Errorf(status.InvalidArgument, "%s", err.Error()) //nolint
+		return status.Errorf(status.InvalidArgument, "%v", err.Error()) //nolint
 	}
 
 	// If the posture check already has an ID, verify its existence in the store.

management/server/store/sql_store_get_account_test.go

@@ -997,9 +997,10 @@ func TestGetAccount_ComprehensiveFieldValidation(t *testing.T) {
 		// Find posture checks by ID
 		var pc1, pc2 *posture.Checks
 		for _, pc := range retrievedAccount.PostureChecks {
-			if pc.ID == postureCheckID1 {
+			switch pc.ID {
+			case postureCheckID1:
 				pc1 = pc
-			} else if pc.ID == postureCheckID2 {
+			case postureCheckID2:
 				pc2 = pc
 			}
 		}

management/server/store/sql_store_test.go

@@ -30,7 +30,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/management/server/util"
 	nbroute "github.com/netbirdio/netbird/route"
-	route2 "github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/status"
 	"github.com/netbirdio/netbird/util/crypt"
 )
@@ -110,12 +109,12 @@ func runLargeTest(t *testing.T, store Store) {
 			AccountID: account.Id,
 		}
 		account.Users[user.Id] = user
-		route := &route2.Route{
+		route := &nbroute.Route{
-			ID:          route2.ID(fmt.Sprintf("network-id-%d", n)),
+			ID:          nbroute.ID(fmt.Sprintf("network-id-%d", n)),
 			Description: "base route",
-			NetID:       route2.NetID(fmt.Sprintf("network-id-%d", n)),
+			NetID:       nbroute.NetID(fmt.Sprintf("network-id-%d", n)),
 			Network:     netip.MustParsePrefix(netIP.String() + "/24"),
-			NetworkType: route2.IPv4Network,
+			NetworkType: nbroute.IPv4Network,
 			Metric:      9999,
 			Masquerade:  false,
 			Enabled:     true,
@@ -689,7 +688,7 @@ func TestMigrate(t *testing.T) {
 	require.NoError(t, err, "Failed to insert Gob data")
 
 	type route struct {
-		route2.Route
+		nbroute.Route
 		Network    netip.Prefix `gorm:"serializer:gob"`
 		PeerGroups []string     `gorm:"serializer:gob"`
 	}
@@ -698,7 +697,7 @@ func TestMigrate(t *testing.T) {
 	rt := &route{
 		Network:    prefix,
 		PeerGroups: []string{"group1", "group2"},
-		Route:      route2.Route{ID: "route1"},
+		Route:      nbroute.Route{ID: "route1"},
 	}
 
 	err = store.(*SqlStore).db.Save(rt).Error
@@ -714,7 +713,7 @@ func TestMigrate(t *testing.T) {
 	require.NoError(t, err, "Failed to delete Gob data")
 
 	prefix = netip.MustParsePrefix("12.0.0.0/24")
-	nRT := &route2.Route{
+	nRT := &nbroute.Route{
 		Network: prefix,
 		ID:      "route2",
 		Peer:    "peer-id",
@@ -3544,13 +3543,13 @@ func TestSqlStore_SaveRoute(t *testing.T) {
 
 	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
 
-	route := &route2.Route{
+	route := &nbroute.Route{
 		ID:                  "route-id",
 		AccountID:           accountID,
 		Network:             netip.MustParsePrefix("10.10.0.0/16"),
 		NetID:               "netID",
 		PeerGroups:          []string{"routeA"},
-		NetworkType:         route2.IPv4Network,
+		NetworkType:         nbroute.IPv4Network,
 		Masquerade:          true,
 		Metric:              9999,
 		Enabled:             true,

management/server/testutil/store.go

@@ -1,5 +1,4 @@
 //go:build !ios
-// +build !ios
 
 package testutil
 

management/server/testutil/store_ios.go

@@ -1,5 +1,4 @@
 //go:build ios
-// +build ios
 
 package testutil
 

relay/cmd/pprof.go

@@ -1,5 +1,4 @@
 //go:build pprof
-// +build pprof
 
 package cmd
 

relay/server/listener/quic/conn.go

@@ -12,14 +12,14 @@ import (
 )
 
 type Conn struct {
-	session   quic.Connection
+	session   *quic.Conn
 	closed    bool
 	closedMu  sync.Mutex
 	ctx       context.Context
 	ctxCancel context.CancelFunc
 }
 
-func NewConn(session quic.Connection) *Conn {
+func NewConn(session *quic.Conn) *Conn {
 	ctx, cancel := context.WithCancel(context.Background())
 	return &Conn{
 		session:   session,

relay/server/listener/ws/conn.go

@@ -88,7 +88,7 @@ func (c *Conn) Close() error {
 	c.closedMu.Lock()
 	c.closed = true
 	c.closedMu.Unlock()
-	return c.Conn.CloseNow()
+	return c.CloseNow()
 }
 
 func (c *Conn) isClosed() bool {

shared/management/client/rest/accounts_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/management/client/rest/client.go

@@ -161,7 +161,7 @@ func (c *Client) NewRequest(ctx context.Context, method, path string, body io.Re
 func parseResponse[T any](resp *http.Response) (T, error) {
 	var ret T
 	if resp.Body == nil {
-		return ret, fmt.Errorf("Body missing, HTTP Error code %d", resp.StatusCode)
+		return ret, fmt.Errorf("body missing, HTTP Error code %d", resp.StatusCode)
 	}
 	bs, err := io.ReadAll(resp.Body)
 	if err != nil {
@@ -169,7 +169,7 @@ func parseResponse[T any](resp *http.Response) (T, error) {
 	}
 	err = json.Unmarshal(bs, &ret)
 	if err != nil {
-		return ret, fmt.Errorf("Error code %d, error unmarshalling body: %w", resp.StatusCode, err)
+		return ret, fmt.Errorf("error code %d, error unmarshalling body: %w", resp.StatusCode, err)
 	}
 
 	return ret, nil

shared/management/client/rest/client_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/management/client/rest/dns_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/management/client/rest/events_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/management/client/rest/geo_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/management/client/rest/groups_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/management/client/rest/impersonation_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/management/client/rest/networks_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/management/client/rest/peers_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/management/client/rest/policies_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/management/client/rest/posturechecks_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/management/client/rest/routes_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/management/client/rest/setupkeys_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/management/client/rest/tokens_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/management/client/rest/users_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package rest_test
 

shared/relay/client/client_test.go

@@ -19,15 +19,7 @@ import (
 )
 
 var (
-	hmacTokenStore   = &hmac.TokenStore{}
+	hmacTokenStore = &hmac.TokenStore{}
-	serverListenAddr = "127.0.0.1:1234"
-	serverURL        = "rel://127.0.0.1:1234"
-	serverCfg        = server.Config{
-		Meter:          otel.Meter(""),
-		ExposedAddress: serverURL,
-		TLSSupport:     false,
-		AuthValidator:  &allow.Auth{},
-	}
 )
 
 func TestMain(m *testing.M) {
@@ -36,8 +28,20 @@ func TestMain(m *testing.M) {
 	os.Exit(code)
 }
 
+// newClientTestServerConfig creates a new server config for client testing with the given address
+func newClientTestServerConfig(address string) server.Config {
+	return server.Config{
+		Meter:          otel.Meter(""),
+		ExposedAddress: "rel://" + address,
+		TLSSupport:     false,
+		AuthValidator:  &allow.Auth{},
+	}
+}
+
 func TestClient(t *testing.T) {
 	ctx := context.Background()
+	serverListenAddr := "127.0.0.1:50001"
+	serverCfg := newClientTestServerConfig(serverListenAddr)
 
 	srv, err := server.NewServer(serverCfg)
 	if err != nil {
@@ -64,7 +68,7 @@ func TestClient(t *testing.T) {
 		t.Fatalf("failed to start server: %s", err)
 	}
 	t.Log("alice connecting to server")
-	clientAlice := NewClient(serverURL, hmacTokenStore, "alice", iface.DefaultMTU)
+	clientAlice := NewClient(serverCfg.ExposedAddress, hmacTokenStore, "alice", iface.DefaultMTU)
 	err = clientAlice.Connect(ctx)
 	if err != nil {
 		t.Fatalf("failed to connect to server: %s", err)
@@ -72,7 +76,7 @@ func TestClient(t *testing.T) {
 	defer clientAlice.Close()
 
 	t.Log("placeholder connecting to server")
-	clientPlaceHolder := NewClient(serverURL, hmacTokenStore, "clientPlaceHolder", iface.DefaultMTU)
+	clientPlaceHolder := NewClient(serverCfg.ExposedAddress, hmacTokenStore, "clientPlaceHolder", iface.DefaultMTU)
 	err = clientPlaceHolder.Connect(ctx)
 	if err != nil {
 		t.Fatalf("failed to connect to server: %s", err)
@@ -80,7 +84,7 @@ func TestClient(t *testing.T) {
 	defer clientPlaceHolder.Close()
 
 	t.Log("Bob connecting to server")
-	clientBob := NewClient(serverURL, hmacTokenStore, "bob", iface.DefaultMTU)
+	clientBob := NewClient(serverCfg.ExposedAddress, hmacTokenStore, "bob", iface.DefaultMTU)
 	err = clientBob.Connect(ctx)
 	if err != nil {
 		t.Fatalf("failed to connect to server: %s", err)
@@ -120,6 +124,8 @@ func TestClient(t *testing.T) {
 
 func TestRegistration(t *testing.T) {
 	ctx := context.Background()
+	serverListenAddr := "127.0.0.1:50101"
+	serverCfg := newClientTestServerConfig(serverListenAddr)
 	srvCfg := server.ListenerConfig{Address: serverListenAddr}
 	srv, err := server.NewServer(serverCfg)
 	if err != nil {
@@ -138,7 +144,7 @@ func TestRegistration(t *testing.T) {
 		t.Fatalf("failed to start server: %s", err)
 	}
 
-	clientAlice := NewClient(serverURL, hmacTokenStore, "alice", iface.DefaultMTU)
+	clientAlice := NewClient(serverCfg.ExposedAddress, hmacTokenStore, "alice", iface.DefaultMTU)
 	err = clientAlice.Connect(ctx)
 	if err != nil {
 		_ = srv.Shutdown(ctx)
@@ -157,7 +163,7 @@ func TestRegistration(t *testing.T) {
 func TestRegistrationTimeout(t *testing.T) {
 	ctx := context.Background()
 	fakeUDPListener, err := net.ListenUDP("udp", &net.UDPAddr{
-		Port: 1234,
+		Port: 50201,
 		IP:   net.ParseIP("0.0.0.0"),
 	})
 	if err != nil {
@@ -168,7 +174,7 @@ func TestRegistrationTimeout(t *testing.T) {
 	}(fakeUDPListener)
 
 	fakeTCPListener, err := net.ListenTCP("tcp", &net.TCPAddr{
-		Port: 1234,
+		Port: 50201,
 		IP:   net.ParseIP("0.0.0.0"),
 	})
 	if err != nil {
@@ -178,7 +184,7 @@ func TestRegistrationTimeout(t *testing.T) {
 		_ = fakeTCPListener.Close()
 	}(fakeTCPListener)
 
-	clientAlice := NewClient("127.0.0.1:1234", hmacTokenStore, "alice", iface.DefaultMTU)
+	clientAlice := NewClient("127.0.0.1:50201", hmacTokenStore, "alice", iface.DefaultMTU)
 	err = clientAlice.Connect(ctx)
 	if err == nil {
 		t.Errorf("failed to connect to server: %s", err)
@@ -192,6 +198,8 @@ func TestRegistrationTimeout(t *testing.T) {
 
 func TestEcho(t *testing.T) {
 	ctx := context.Background()
+	serverListenAddr := "127.0.0.1:50301"
+	serverCfg := newClientTestServerConfig(serverListenAddr)
 	idAlice := "alice"
 	idBob := "bob"
 	srvCfg := server.ListenerConfig{Address: serverListenAddr}
@@ -219,7 +227,7 @@ func TestEcho(t *testing.T) {
 		t.Fatalf("failed to start server: %s", err)
 	}
 
-	clientAlice := NewClient(serverURL, hmacTokenStore, idAlice, iface.DefaultMTU)
+	clientAlice := NewClient(serverCfg.ExposedAddress, hmacTokenStore, idAlice, iface.DefaultMTU)
 	err = clientAlice.Connect(ctx)
 	if err != nil {
 		t.Fatalf("failed to connect to server: %s", err)
@@ -231,7 +239,7 @@ func TestEcho(t *testing.T) {
 		}
 	}()
 
-	clientBob := NewClient(serverURL, hmacTokenStore, idBob, iface.DefaultMTU)
+	clientBob := NewClient(serverCfg.ExposedAddress, hmacTokenStore, idBob, iface.DefaultMTU)
 	err = clientBob.Connect(ctx)
 	if err != nil {
 		t.Fatalf("failed to connect to server: %s", err)
@@ -282,6 +290,8 @@ func TestEcho(t *testing.T) {
 
 func TestBindToUnavailabePeer(t *testing.T) {
 	ctx := context.Background()
+	serverListenAddr := "127.0.0.1:50401"
+	serverCfg := newClientTestServerConfig(serverListenAddr)
 
 	srvCfg := server.ListenerConfig{Address: serverListenAddr}
 	srv, err := server.NewServer(serverCfg)
@@ -309,7 +319,7 @@ func TestBindToUnavailabePeer(t *testing.T) {
 		t.Fatalf("failed to start server: %s", err)
 	}
 
-	clientAlice := NewClient(serverURL, hmacTokenStore, "alice", iface.DefaultMTU)
+	clientAlice := NewClient(serverCfg.ExposedAddress, hmacTokenStore, "alice", iface.DefaultMTU)
 	err = clientAlice.Connect(ctx)
 	if err != nil {
 		t.Errorf("failed to connect to server: %s", err)
@@ -328,6 +338,8 @@ func TestBindToUnavailabePeer(t *testing.T) {
 
 func TestBindReconnect(t *testing.T) {
 	ctx := context.Background()
+	serverListenAddr := "127.0.0.1:50501"
+	serverCfg := newClientTestServerConfig(serverListenAddr)
 
 	srvCfg := server.ListenerConfig{Address: serverListenAddr}
 	srv, err := server.NewServer(serverCfg)
@@ -355,13 +367,13 @@ func TestBindReconnect(t *testing.T) {
 		t.Fatalf("failed to start server: %s", err)
 	}
 
-	clientAlice := NewClient(serverURL, hmacTokenStore, "alice", iface.DefaultMTU)
+	clientAlice := NewClient(serverCfg.ExposedAddress, hmacTokenStore, "alice", iface.DefaultMTU)
 	err = clientAlice.Connect(ctx)
 	if err != nil {
 		t.Fatalf("failed to connect to server: %s", err)
 	}
 
-	clientBob := NewClient(serverURL, hmacTokenStore, "bob", iface.DefaultMTU)
+	clientBob := NewClient(serverCfg.ExposedAddress, hmacTokenStore, "bob", iface.DefaultMTU)
 	err = clientBob.Connect(ctx)
 	if err != nil {
 		t.Errorf("failed to connect to server: %s", err)
@@ -383,7 +395,7 @@ func TestBindReconnect(t *testing.T) {
 		t.Errorf("failed to close client: %s", err)
 	}
 
-	clientAlice = NewClient(serverURL, hmacTokenStore, "alice", iface.DefaultMTU)
+	clientAlice = NewClient(serverCfg.ExposedAddress, hmacTokenStore, "alice", iface.DefaultMTU)
 	err = clientAlice.Connect(ctx)
 	if err != nil {
 		t.Errorf("failed to connect to server: %s", err)
@@ -429,6 +441,8 @@ func TestBindReconnect(t *testing.T) {
 
 func TestCloseConn(t *testing.T) {
 	ctx := context.Background()
+	serverListenAddr := "127.0.0.1:50601"
+	serverCfg := newClientTestServerConfig(serverListenAddr)
 
 	srvCfg := server.ListenerConfig{Address: serverListenAddr}
 	srv, err := server.NewServer(serverCfg)
@@ -456,13 +470,13 @@ func TestCloseConn(t *testing.T) {
 		t.Fatalf("failed to start server: %s", err)
 	}
 
-	bob := NewClient(serverURL, hmacTokenStore, "bob", iface.DefaultMTU)
+	bob := NewClient(serverCfg.ExposedAddress, hmacTokenStore, "bob", iface.DefaultMTU)
 	err = bob.Connect(ctx)
 	if err != nil {
 		t.Errorf("failed to connect to server: %s", err)
 	}
 
-	clientAlice := NewClient(serverURL, hmacTokenStore, "alice", iface.DefaultMTU)
+	clientAlice := NewClient(serverCfg.ExposedAddress, hmacTokenStore, "alice", iface.DefaultMTU)
 	err = clientAlice.Connect(ctx)
 	if err != nil {
 		t.Errorf("failed to connect to server: %s", err)
@@ -492,6 +506,8 @@ func TestCloseConn(t *testing.T) {
 
 func TestCloseRelayConn(t *testing.T) {
 	ctx := context.Background()
+	serverListenAddr := "127.0.0.1:50701"
+	serverCfg := newClientTestServerConfig(serverListenAddr)
 
 	srvCfg := server.ListenerConfig{Address: serverListenAddr}
 	srv, err := server.NewServer(serverCfg)
@@ -518,13 +534,13 @@ func TestCloseRelayConn(t *testing.T) {
 		t.Fatalf("failed to start server: %s", err)
 	}
 
-	bob := NewClient(serverURL, hmacTokenStore, "bob", iface.DefaultMTU)
+	bob := NewClient(serverCfg.ExposedAddress, hmacTokenStore, "bob", iface.DefaultMTU)
 	err = bob.Connect(ctx)
 	if err != nil {
 		t.Fatalf("failed to connect to server: %s", err)
 	}
 
-	clientAlice := NewClient(serverURL, hmacTokenStore, "alice", iface.DefaultMTU)
+	clientAlice := NewClient(serverCfg.ExposedAddress, hmacTokenStore, "alice", iface.DefaultMTU)
 	err = clientAlice.Connect(ctx)
 	if err != nil {
 		t.Fatalf("failed to connect to server: %s", err)
@@ -550,6 +566,8 @@ func TestCloseRelayConn(t *testing.T) {
 
 func TestCloseByServer(t *testing.T) {
 	ctx := context.Background()
+	serverListenAddr := "127.0.0.1:50801"
+	serverCfg := newClientTestServerConfig(serverListenAddr)
 
 	srvCfg := server.ListenerConfig{Address: serverListenAddr}
 	srv1, err := server.NewServer(serverCfg)
@@ -572,7 +590,7 @@ func TestCloseByServer(t *testing.T) {
 
 	idAlice := "alice"
 	log.Debugf("connect by alice")
-	relayClient := NewClient(serverURL, hmacTokenStore, idAlice, iface.DefaultMTU)
+	relayClient := NewClient(serverCfg.ExposedAddress, hmacTokenStore, idAlice, iface.DefaultMTU)
 	if err = relayClient.Connect(ctx); err != nil {
 		log.Fatalf("failed to connect to server: %s", err)
 	}
@@ -607,6 +625,8 @@ func TestCloseByServer(t *testing.T) {
 
 func TestCloseByClient(t *testing.T) {
 	ctx := context.Background()
+	serverListenAddr := "127.0.0.1:50901"
+	serverCfg := newClientTestServerConfig(serverListenAddr)
 
 	srvCfg := server.ListenerConfig{Address: serverListenAddr}
 	srv, err := server.NewServer(serverCfg)
@@ -628,7 +648,7 @@ func TestCloseByClient(t *testing.T) {
 
 	idAlice := "alice"
 	log.Debugf("connect by alice")
-	relayClient := NewClient(serverURL, hmacTokenStore, idAlice, iface.DefaultMTU)
+	relayClient := NewClient(serverCfg.ExposedAddress, hmacTokenStore, idAlice, iface.DefaultMTU)
 	err = relayClient.Connect(ctx)
 	if err != nil {
 		log.Fatalf("failed to connect to server: %s", err)
@@ -652,6 +672,8 @@ func TestCloseByClient(t *testing.T) {
 
 func TestCloseNotDrainedChannel(t *testing.T) {
 	ctx := context.Background()
+	serverListenAddr := "127.0.0.1:51001"
+	serverCfg := newClientTestServerConfig(serverListenAddr)
 	idAlice := "alice"
 	idBob := "bob"
 	srvCfg := server.ListenerConfig{Address: serverListenAddr}
@@ -679,7 +701,7 @@ func TestCloseNotDrainedChannel(t *testing.T) {
 		t.Fatalf("failed to start server: %s", err)
 	}
 
-	clientAlice := NewClient(serverURL, hmacTokenStore, idAlice, iface.DefaultMTU)
+	clientAlice := NewClient(serverCfg.ExposedAddress, hmacTokenStore, idAlice, iface.DefaultMTU)
 	err = clientAlice.Connect(ctx)
 	if err != nil {
 		t.Fatalf("failed to connect to server: %s", err)
@@ -691,7 +713,7 @@ func TestCloseNotDrainedChannel(t *testing.T) {
 		}
 	}()
 
-	clientBob := NewClient(serverURL, hmacTokenStore, idBob, iface.DefaultMTU)
+	clientBob := NewClient(serverCfg.ExposedAddress, hmacTokenStore, idBob, iface.DefaultMTU)
 	err = clientBob.Connect(ctx)
 	if err != nil {
 		t.Fatalf("failed to connect to server: %s", err)

shared/relay/client/dialer/quic/conn.go

@@ -30,11 +30,11 @@ func (a Addr) String() string {
 }
 
 type Conn struct {
-	session quic.Connection
+	session *quic.Conn
 	ctx     context.Context
 }
 
-func NewConn(session quic.Connection) net.Conn {
+func NewConn(session *quic.Conn) net.Conn {
 	return &Conn{
 		session: session,
 		ctx:     context.Background(),

shared/relay/client/manager_test.go

@@ -13,6 +13,16 @@ import (
 	"github.com/netbirdio/netbird/shared/relay/auth/allow"
 )
 
+// newManagerTestServerConfig creates a new server config for manager testing with the given address
+func newManagerTestServerConfig(address string) server.Config {
+	return server.Config{
+		Meter:          otel.Meter(""),
+		ExposedAddress: address,
+		TLSSupport:     false,
+		AuthValidator:  &allow.Auth{},
+	}
+}
+
 func TestEmptyURL(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
@@ -27,15 +37,10 @@ func TestForeignConn(t *testing.T) {
 	ctx := context.Background()
 
 	lstCfg1 := server.ListenerConfig{
-		Address: "localhost:1234",
+		Address: "localhost:52101",
 	}
 
-	srv1, err := server.NewServer(server.Config{
+	srv1, err := server.NewServer(newManagerTestServerConfig(lstCfg1.Address))
-		Meter:          otel.Meter(""),
-		ExposedAddress: lstCfg1.Address,
-		TLSSupport:     false,
-		AuthValidator:  &allow.Auth{},
-	})
 	if err != nil {
 		t.Fatalf("failed to create server: %s", err)
 	}
@@ -59,14 +64,9 @@ func TestForeignConn(t *testing.T) {
 	}
 
 	srvCfg2 := server.ListenerConfig{
-		Address: "localhost:2234",
+		Address: "localhost:52102",
 	}
-	srv2, err := server.NewServer(server.Config{
+	srv2, err := server.NewServer(newManagerTestServerConfig(srvCfg2.Address))
-		Meter:          otel.Meter(""),
-		ExposedAddress: srvCfg2.Address,
-		TLSSupport:     false,
-		AuthValidator:  &allow.Auth{},
-	})
 	if err != nil {
 		t.Fatalf("failed to create server: %s", err)
 	}
@@ -144,9 +144,9 @@ func TestForeginConnClose(t *testing.T) {
 	ctx := context.Background()
 
 	srvCfg1 := server.ListenerConfig{
-		Address: "localhost:1234",
+		Address: "localhost:52201",
 	}
-	srv1, err := server.NewServer(serverCfg)
+	srv1, err := server.NewServer(newManagerTestServerConfig(srvCfg1.Address))
 	if err != nil {
 		t.Fatalf("failed to create server: %s", err)
 	}
@@ -170,9 +170,9 @@ func TestForeginConnClose(t *testing.T) {
 	}
 
 	srvCfg2 := server.ListenerConfig{
-		Address: "localhost:2234",
+		Address: "localhost:52202",
 	}
-	srv2, err := server.NewServer(serverCfg)
+	srv2, err := server.NewServer(newManagerTestServerConfig(srvCfg2.Address))
 	if err != nil {
 		t.Fatalf("failed to create server: %s", err)
 	}
@@ -225,9 +225,9 @@ func TestForeignAutoClose(t *testing.T) {
 	keepUnusedServerTime = 2 * time.Second
 
 	srvCfg1 := server.ListenerConfig{
-		Address: "localhost:1234",
+		Address: "localhost:52301",
 	}
-	srv1, err := server.NewServer(serverCfg)
+	srv1, err := server.NewServer(newManagerTestServerConfig(srvCfg1.Address))
 	if err != nil {
 		t.Fatalf("failed to create server: %s", err)
 	}
@@ -252,9 +252,9 @@ func TestForeignAutoClose(t *testing.T) {
 	}
 
 	srvCfg2 := server.ListenerConfig{
-		Address: "localhost:2234",
+		Address: "localhost:52302",
 	}
-	srv2, err := server.NewServer(serverCfg)
+	srv2, err := server.NewServer(newManagerTestServerConfig(srvCfg2.Address))
 	if err != nil {
 		t.Fatalf("failed to create server: %s", err)
 	}
@@ -327,9 +327,9 @@ func TestAutoReconnect(t *testing.T) {
 	ctx := context.Background()
 
 	srvCfg := server.ListenerConfig{
-		Address: "localhost:1234",
+		Address: "localhost:52401",
 	}
-	srv, err := server.NewServer(serverCfg)
+	srv, err := server.NewServer(newManagerTestServerConfig(srvCfg.Address))
 	if err != nil {
 		t.Fatalf("failed to create server: %s", err)
 	}
@@ -397,14 +397,9 @@ func TestNotifierDoubleAdd(t *testing.T) {
 	ctx := context.Background()
 
 	listenerCfg1 := server.ListenerConfig{
-		Address: "localhost:1234",
+		Address: "localhost:52501",
 	}
-	srv, err := server.NewServer(server.Config{
+	srv, err := server.NewServer(newManagerTestServerConfig(listenerCfg1.Address))
-		Meter:          otel.Meter(""),
-		ExposedAddress: listenerCfg1.Address,
-		TLSSupport:     false,
-		AuthValidator:  &allow.Auth{},
-	})
 	if err != nil {
 		t.Fatalf("failed to create server: %s", err)
 	}

signal/cmd/run.go

@@ -73,7 +73,7 @@ var (
 			// detect whether user specified a port
 			userPort := cmd.Flag("port").Changed
 
-			tlsEnabled := false
+			var tlsEnabled bool
 			if signalLetsencryptDomain != "" || (signalCertFile != "" && signalCertKey != "") {
 				tlsEnabled = true
 			}
@@ -259,8 +259,8 @@ func grpcHandlerFunc(grpcServer *grpc.Server, meter metric.Meter) http.Handler {
 	wsProxy := wsproxyserver.New(grpcServer, wsproxyserver.WithOTelMeter(meter))
 
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch {
+		switch r.URL.Path {
-		case r.URL.Path == wsproxy.ProxyPath+wsproxy.SignalComponent:
+		case wsproxy.ProxyPath + wsproxy.SignalComponent:
 			wsProxy.Handler().ServeHTTP(w, r)
 		default:
 			grpcServer.ServeHTTP(w, r)

util/syslog_nonwindows.go

@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 
 package util