Revert "Merge branch 'main' into feature/remote-debug"

This reverts commit 6d6333058c, reversing
changes made to 446aded1f7.

client/internal/peer/conn.go

@@ -6,11 +6,12 @@ import (
 	"math/rand"
 	"net"
 	"net/netip"
+	"os"
 	"runtime"
 	"sync"
 	"time"
 
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
@@ -28,6 +29,10 @@ import (
 	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 )
 
+const (
+	defaultWgKeepAlive = 25 * time.Second
+)
+
 type ServiceDependencies struct {
 	StatusRecorder     *Status
 	Signaler           *Signaler
@@ -113,8 +118,6 @@ type Conn struct {
 
 	// debug purpose
 	dumpState *stateDump
-
-	endpointUpdater *EndpointUpdater
 }
 
 // NewConn creates a new not opened Conn to the remote peer.
@@ -127,18 +130,17 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 	connLog := log.WithField("peer", config.Key)
 
 	var conn = &Conn{
-		Log:             connLog,
-		config:          config,
-		statusRecorder:  services.StatusRecorder,
-		signaler:        services.Signaler,
-		iFaceDiscover:   services.IFaceDiscover,
-		relayManager:    services.RelayManager,
-		srWatcher:       services.SrWatcher,
-		semaphore:       services.Semaphore,
-		statusRelay:     worker.NewAtomicStatus(),
-		statusICE:       worker.NewAtomicStatus(),
-		dumpState:       newStateDump(config.Key, connLog, services.StatusRecorder),
-		endpointUpdater: NewEndpointUpdater(connLog, config.WgConfig, isController(config)),
+		Log:            connLog,
+		config:         config,
+		statusRecorder: services.StatusRecorder,
+		signaler:       services.Signaler,
+		iFaceDiscover:  services.IFaceDiscover,
+		relayManager:   services.RelayManager,
+		srWatcher:      services.SrWatcher,
+		semaphore:      services.Semaphore,
+		statusRelay:    worker.NewAtomicStatus(),
+		statusICE:      worker.NewAtomicStatus(),
+		dumpState:      newStateDump(config.Key, connLog, services.StatusRecorder),
 	}
 
 	return conn, nil
@@ -172,7 +174,7 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 	conn.handshaker = NewHandshaker(conn.Log, conn.config, conn.signaler, conn.workerICE, conn.workerRelay)
 
 	conn.handshaker.AddOnNewOfferListener(conn.workerRelay.OnNewOffer)
-	if !isForceRelayed() {
+	if os.Getenv("NB_FORCE_RELAY") != "true" {
 		conn.handshaker.AddOnNewOfferListener(conn.workerICE.OnNewOffer)
 	}
 
@@ -248,7 +250,7 @@ func (conn *Conn) Close(signalToRemote bool) {
 		conn.wgProxyICE = nil
 	}
 
-	if err := conn.endpointUpdater.RemoveWgPeer(); err != nil {
+	if err := conn.removeWgPeer(); err != nil {
 		conn.Log.Errorf("failed to remove wg endpoint: %v", err)
 	}
 
@@ -374,19 +376,12 @@ func (conn *Conn) onICEConnectionIsReady(priority conntype.ConnPriority, iceConn
 		wgProxy.Work()
 	}
 
-	conn.Log.Infof("configure WireGuard endpoint to: %s", ep.String())
-	presharedKey := conn.presharedKey(iceConnInfo.RosenpassPubKey)
-	if err = conn.endpointUpdater.ConfigureWGEndpoint(ep, presharedKey); err != nil {
+	if err = conn.configureWGEndpoint(ep, iceConnInfo.RosenpassPubKey); err != nil {
 		conn.handleConfigurationFailure(err, wgProxy)
 		return
 	}
 	wgConfigWorkaround()
 
-	if conn.wgProxyRelay != nil {
-		conn.Log.Debugf("redirect packets from relayed conn to WireGuard")
-		conn.wgProxyRelay.RedirectAs(ep)
-	}
-
 	conn.currentConnPriority = priority
 	conn.statusICE.SetConnected()
 	conn.updateIceState(iceConnInfo)
@@ -415,8 +410,7 @@ func (conn *Conn) onICEStateDisconnected() {
 		conn.dumpState.SwitchToRelay()
 		conn.wgProxyRelay.Work()
 
-		presharedKey := conn.presharedKey(conn.rosenpassRemoteKey)
-		if err := conn.endpointUpdater.ConfigureWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
+		if err := conn.configureWGEndpoint(conn.wgProxyRelay.EndpointAddr(), conn.rosenpassRemoteKey); err != nil {
 			conn.Log.Errorf("failed to switch to relay conn: %v", err)
 		}
 
@@ -425,7 +419,6 @@ func (conn *Conn) onICEStateDisconnected() {
 			defer conn.wgWatcherWg.Done()
 			conn.workerRelay.EnableWgWatcher(conn.ctx)
 		}()
-		conn.wgProxyRelay.Work()
 		conn.currentConnPriority = conntype.Relay
 	} else {
 		conn.Log.Infof("ICE disconnected, do not switch to Relay. Reset priority to: %s", conntype.None.String())
@@ -485,8 +478,7 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 	}
 
 	wgProxy.Work()
-	presharedKey := conn.presharedKey(rci.rosenpassPubKey)
-	if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), presharedKey); err != nil {
+	if err := conn.configureWGEndpoint(wgProxy.EndpointAddr(), rci.rosenpassPubKey); err != nil {
 		if err := wgProxy.CloseConn(); err != nil {
 			conn.Log.Warnf("Failed to close relay connection: %v", err)
 		}
@@ -554,6 +546,17 @@ func (conn *Conn) onGuardEvent() {
 	}
 }
 
+func (conn *Conn) configureWGEndpoint(addr *net.UDPAddr, remoteRPKey []byte) error {
+	presharedKey := conn.presharedKey(remoteRPKey)
+	return conn.config.WgConfig.WgInterface.UpdatePeer(
+		conn.config.WgConfig.RemoteKey,
+		conn.config.WgConfig.AllowedIps,
+		defaultWgKeepAlive,
+		addr,
+		presharedKey,
+	)
+}
+
 func (conn *Conn) updateRelayStatus(relayServerAddr string, rosenpassPubKey []byte) {
 	peerState := State{
 		PubKey:             conn.config.Key,
@@ -696,6 +699,10 @@ func (conn *Conn) isICEActive() bool {
 	return (conn.currentConnPriority == conntype.ICEP2P || conn.currentConnPriority == conntype.ICETurn) && conn.statusICE.Get() == worker.StatusConnected
 }
 
+func (conn *Conn) removeWgPeer() error {
+	return conn.config.WgConfig.WgInterface.RemovePeer(conn.config.WgConfig.RemoteKey)
+}
+
 func (conn *Conn) handleConfigurationFailure(err error, wgProxy wgproxy.Proxy) {
 	conn.Log.Warnf("Failed to update wg peer configuration: %v", err)
 	if wgProxy != nil {

client/internal/peer/endpoint.go

@@ -1,105 +0,0 @@
-package peer
-
-import (
-	"context"
-	"net"
-	"sync"
-	"time"
-
-	"github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-)
-
-const (
-	defaultWgKeepAlive = 25 * time.Second
-	fallbackDelay      = 5 * time.Second
-)
-
-type EndpointUpdater struct {
-	log       *logrus.Entry
-	wgConfig  WgConfig
-	initiator bool
-
-	// mu protects updateWireGuardPeer and cancelFunc
-	mu         sync.Mutex
-	cancelFunc func()
-	updateWg   sync.WaitGroup
-}
-
-func NewEndpointUpdater(log *logrus.Entry, wgConfig WgConfig, initiator bool) *EndpointUpdater {
-	return &EndpointUpdater{
-		log:       log,
-		wgConfig:  wgConfig,
-		initiator: initiator,
-	}
-}
-
-// ConfigureWGEndpoint sets up the WireGuard endpoint configuration.
-// The initiator immediately configures the endpoint, while the non-initiator
-// waits for a fallback period before configuring to avoid handshake congestion.
-func (e *EndpointUpdater) ConfigureWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	if e.initiator {
-		e.log.Debugf("configure up WireGuard as initiatr")
-		return e.updateWireGuardPeer(addr, presharedKey)
-	}
-
-	// prevent to run new update while cancel the previous update
-	e.waitForCloseTheDelayedUpdate()
-
-	var ctx context.Context
-	ctx, e.cancelFunc = context.WithCancel(context.Background())
-	e.updateWg.Add(1)
-	go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
-
-	e.log.Debugf("configure up WireGuard and wait for handshake")
-	return e.updateWireGuardPeer(nil, presharedKey)
-}
-
-func (e *EndpointUpdater) RemoveWgPeer() error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	e.waitForCloseTheDelayedUpdate()
-	return e.wgConfig.WgInterface.RemovePeer(e.wgConfig.RemoteKey)
-}
-
-func (e *EndpointUpdater) waitForCloseTheDelayedUpdate() {
-	if e.cancelFunc == nil {
-		return
-	}
-
-	e.cancelFunc()
-	e.cancelFunc = nil
-	e.updateWg.Wait()
-}
-
-// scheduleDelayedUpdate waits for the fallback period before updating the endpoint
-func (e *EndpointUpdater) scheduleDelayedUpdate(ctx context.Context, addr *net.UDPAddr, presharedKey *wgtypes.Key) {
-	defer e.updateWg.Done()
-	t := time.NewTimer(fallbackDelay)
-	defer t.Stop()
-
-	select {
-	case <-ctx.Done():
-		return
-	case <-t.C:
-		e.mu.Lock()
-		if err := e.updateWireGuardPeer(addr, presharedKey); err != nil {
-			e.log.Errorf("failed to update WireGuard peer, address: %s, error: %v", addr, err)
-		}
-		e.mu.Unlock()
-	}
-}
-
-func (e *EndpointUpdater) updateWireGuardPeer(endpoint *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	return e.wgConfig.WgInterface.UpdatePeer(
-		e.wgConfig.RemoteKey,
-		e.wgConfig.AllowedIps,
-		defaultWgKeepAlive,
-		endpoint,
-		presharedKey,
-	)
-}

client/internal/peer/env.go

@@ -1,14 +0,0 @@
-package peer
-
-import (
-	"os"
-	"strings"
-)
-
-const (
-	EnvKeyNBForceRelay = "NB_FORCE_RELAY"
-)
-
-func isForceRelayed() bool {
-	return strings.EqualFold(os.Getenv(EnvKeyNBForceRelay), "true")
-}

client/internal/peer/guard/ice_monitor.go

@@ -6,7 +6,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
 	log "github.com/sirupsen/logrus"
 
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"

client/internal/peer/handshaker.go

@@ -43,6 +43,13 @@ type OfferAnswer struct {
 	SessionID *ICESessionID
 }
 
+func (oa *OfferAnswer) SessionIDString() string {
+	if oa.SessionID == nil {
+		return "unknown"
+	}
+	return oa.SessionID.String()
+}
+
 type Handshaker struct {
 	mu                  sync.Mutex
 	log                 *log.Entry
@@ -50,7 +57,7 @@ type Handshaker struct {
 	signaler            *Signaler
 	ice                 *WorkerICE
 	relay               *WorkerRelay
-	onNewOfferListeners []*OfferListener
+	onNewOfferListeners []func(*OfferAnswer)
 
 	// remoteOffersCh is a channel used to wait for remote credentials to proceed with the connection
 	remoteOffersCh chan OfferAnswer
@@ -71,8 +78,7 @@ func NewHandshaker(log *log.Entry, config ConnConfig, signaler *Signaler, ice *W
 }
 
 func (h *Handshaker) AddOnNewOfferListener(offer func(remoteOfferAnswer *OfferAnswer)) {
-	l := NewOfferListener(offer)
-	h.onNewOfferListeners = append(h.onNewOfferListeners, l)
+	h.onNewOfferListeners = append(h.onNewOfferListeners, offer)
 }
 
 func (h *Handshaker) Listen(ctx context.Context) {
@@ -85,13 +91,13 @@ func (h *Handshaker) Listen(ctx context.Context) {
 				continue
 			}
 			for _, listener := range h.onNewOfferListeners {
-				listener.Notify(&remoteOfferAnswer)
+				listener(&remoteOfferAnswer)
 			}
 			h.log.Infof("received offer, running version %s, remote WireGuard listen port %d, session id: %s", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString())
 		case remoteOfferAnswer := <-h.remoteAnswerCh:
 			h.log.Infof("received answer, running version %s, remote WireGuard listen port %d, session id: %s", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString())
 			for _, listener := range h.onNewOfferListeners {
-				listener.Notify(&remoteOfferAnswer)
+				listener(&remoteOfferAnswer)
 			}
 		case <-ctx.Done():
 			h.log.Infof("stop listening for remote offers and answers")

client/internal/peer/handshaker_listener.go

@@ -1,62 +0,0 @@
-package peer
-
-import (
-	"sync"
-)
-
-type callbackFunc func(remoteOfferAnswer *OfferAnswer)
-
-func (oa *OfferAnswer) SessionIDString() string {
-	if oa.SessionID == nil {
-		return "unknown"
-	}
-	return oa.SessionID.String()
-}
-
-type OfferListener struct {
-	fn      callbackFunc
-	running bool
-	latest  *OfferAnswer
-	mu      sync.Mutex
-}
-
-func NewOfferListener(fn callbackFunc) *OfferListener {
-	return &OfferListener{
-		fn: fn,
-	}
-}
-
-func (o *OfferListener) Notify(remoteOfferAnswer *OfferAnswer) {
-	o.mu.Lock()
-	defer o.mu.Unlock()
-
-	// Store the latest offer
-	o.latest = remoteOfferAnswer
-
-	// If already running, the running goroutine will pick up this latest value
-	if o.running {
-		return
-	}
-
-	// Start processing
-	o.running = true
-
-	// Process in a goroutine to avoid blocking the caller
-	go func(remoteOfferAnswer *OfferAnswer) {
-		for {
-			o.fn(remoteOfferAnswer)
-
-			o.mu.Lock()
-			if o.latest == nil {
-				// No more work to do
-				o.running = false
-				o.mu.Unlock()
-				return
-			}
-			remoteOfferAnswer = o.latest
-			// Clear the latest to mark it as being processed
-			o.latest = nil
-			o.mu.Unlock()
-		}
-	}(remoteOfferAnswer)
-}

client/internal/peer/handshaker_listener_test.go

@@ -1,39 +0,0 @@
-package peer
-
-import (
-	"testing"
-	"time"
-)
-
-func Test_newOfferListener(t *testing.T) {
-	dummyOfferAnswer := &OfferAnswer{}
-	runChan := make(chan struct{}, 10)
-
-	longRunningFn := func(remoteOfferAnswer *OfferAnswer) {
-		time.Sleep(1 * time.Second)
-		runChan <- struct{}{}
-	}
-
-	hl := NewOfferListener(longRunningFn)
-
-	hl.Notify(dummyOfferAnswer)
-	hl.Notify(dummyOfferAnswer)
-	hl.Notify(dummyOfferAnswer)
-
-	// Wait for exactly 2 callbacks
-	for i := 0; i < 2; i++ {
-		select {
-		case <-runChan:
-		case <-time.After(3 * time.Second):
-			t.Fatal("Timeout waiting for callback")
-		}
-	}
-
-	// Verify no additional callbacks happen
-	select {
-	case <-runChan:
-		t.Fatal("Unexpected additional callback")
-	case <-time.After(100 * time.Millisecond):
-		t.Log("Correctly received exactly 2 callbacks")
-	}
-}

client/internal/peer/ice/StunTurn.go

@@ -3,7 +3,7 @@ package ice
 import (
 	"sync/atomic"
 
-	"github.com/pion/stun/v3"
+	"github.com/pion/stun/v2"
 )
 
 type StunTurn atomic.Value

client/internal/peer/ice/agent.go

@@ -1,10 +1,9 @@
 package ice
 
 import (
-	"sync"
 	"time"
 
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
 	"github.com/pion/logging"
 	"github.com/pion/randutil"
 	log "github.com/sirupsen/logrus"
@@ -24,20 +23,7 @@ const (
 	iceRelayAcceptanceMinWaitDefault = 2 * time.Second
 )
 
-type ThreadSafeAgent struct {
-	*ice.Agent
-	once sync.Once
-}
-
-func (a *ThreadSafeAgent) Close() error {
-	var err error
-	a.once.Do(func() {
-		err = a.Agent.Close()
-	})
-	return err
-}
-
-func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ThreadSafeAgent, error) {
+func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ice.Agent, error) {
 	iceKeepAlive := iceKeepAlive()
 	iceDisconnectedTimeout := iceDisconnectedTimeout()
 	iceFailedTimeout := iceFailedTimeout()
@@ -75,12 +61,7 @@ func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candida
 		agentConfig.NetworkTypes = []ice.NetworkType{ice.NetworkTypeUDP4}
 	}
 
-	agent, err := ice.NewAgent(agentConfig)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ThreadSafeAgent{Agent: agent}, nil
+	return ice.NewAgent(agentConfig)
 }
 
 func GenerateICECredentials() (string, string, error) {

client/internal/peer/ice/config.go

@@ -1,7 +1,7 @@
 package ice
 
 import (
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
 )
 
 type Config struct {

client/internal/peer/signaler.go

@@ -1,7 +1,7 @@
 package peer
 
 import (
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 

client/internal/peer/wg_watcher.go

@@ -30,10 +30,9 @@ type WGWatcher struct {
 	peerKey       string
 	stateDump     *stateDump
 
-	ctx         context.Context
-	ctxCancel   context.CancelFunc
-	ctxLock     sync.Mutex
-	enabledTime time.Time
+	ctx       context.Context
+	ctxCancel context.CancelFunc
+	ctxLock   sync.Mutex
 }
 
 func NewWGWatcher(log *log.Entry, wgIfaceStater WGInterfaceStater, peerKey string, stateDump *stateDump) *WGWatcher {
@@ -49,7 +48,6 @@ func NewWGWatcher(log *log.Entry, wgIfaceStater WGInterfaceStater, peerKey strin
 func (w *WGWatcher) EnableWgWatcher(parentCtx context.Context, onDisconnectedFn func()) {
 	w.log.Debugf("enable WireGuard watcher")
 	w.ctxLock.Lock()
-	w.enabledTime = time.Now()
 
 	if w.ctx != nil && w.ctx.Err() == nil {
 		w.log.Errorf("WireGuard watcher already enabled")
@@ -103,11 +101,6 @@ func (w *WGWatcher) periodicHandshakeCheck(ctx context.Context, ctxCancel contex
 				onDisconnectedFn()
 				return
 			}
-			if lastHandshake.IsZero() {
-				elapsed := handshake.Sub(w.enabledTime).Seconds()
-				w.log.Infof("first wg handshake detected within: %.2fsec, (%s)", elapsed, handshake)
-			}
-
 			lastHandshake = *handshake
 
 			resetTime := time.Until(handshake.Add(checkPeriod))

client/internal/peer/worker_ice.go

@@ -8,11 +8,12 @@ import (
 	"sync"
 	"time"
 
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
+	"github.com/pion/stun/v2"
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
+	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/internal/peer/conntype"
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
@@ -41,7 +42,7 @@ type WorkerICE struct {
 	statusRecorder    *Status
 	hasRelayOnLocally bool
 
-	agent             *icemaker.ThreadSafeAgent
+	agent             *ice.Agent
 	agentDialerCancel context.CancelFunc
 	agentConnecting   bool      // while it is true, drop all incoming offers
 	lastSuccess       time.Time // with this avoid the too frequent ICE agent recreation
@@ -54,6 +55,10 @@ type WorkerICE struct {
 	sessionID ICESessionID
 	muxAgent  sync.Mutex
 
+	StunTurn []*stun.URI
+
+	sentExtraSrflx bool
+
 	localUfrag string
 	localPwd   string
 
@@ -116,7 +121,7 @@ func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 		if err := w.agent.Close(); err != nil {
 			w.log.Warnf("failed to close ICE agent: %s", err)
 		}
-		w.agent = nil
+		// todo consider to switch to Relay connection while establishing a new ICE connection
 	}
 
 	var preferredCandidateTypes []ice.CandidateType
@@ -134,6 +139,7 @@ func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 		w.muxAgent.Unlock()
 		return
 	}
+	w.sentExtraSrflx = false
 	w.agent = agent
 	w.agentDialerCancel = dialerCancel
 	w.agentConnecting = true
@@ -160,21 +166,6 @@ func (w *WorkerICE) OnRemoteCandidate(candidate ice.Candidate, haRoutes route.HA
 		w.log.Errorf("error while handling remote candidate")
 		return
 	}
-
-	if shouldAddExtraCandidate(candidate) {
-		// sends an extra server reflexive candidate to the remote peer with our related port (usually the wireguard port)
-		// this is useful when network has an existing port forwarding rule for the wireguard port and this peer
-		extraSrflx, err := extraSrflxCandidate(candidate)
-		if err != nil {
-			w.log.Errorf("failed creating extra server reflexive candidate %s", err)
-			return
-		}
-
-		if err := w.agent.AddRemoteCandidate(extraSrflx); err != nil {
-			w.log.Errorf("error while handling remote candidate")
-			return
-		}
-	}
 }
 
 func (w *WorkerICE) GetLocalUserCredentials() (frag string, pwd string) {
@@ -204,7 +195,7 @@ func (w *WorkerICE) Close() {
 	w.agent = nil
 }
 
-func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []ice.CandidateType) (*icemaker.ThreadSafeAgent, error) {
+func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []ice.CandidateType) (*ice.Agent, error) {
 	agent, err := icemaker.NewAgent(w.iFaceDiscover, w.config.ICEConfig, candidates, w.localUfrag, w.localPwd)
 	if err != nil {
 		return nil, fmt.Errorf("create agent: %w", err)
@@ -218,12 +209,14 @@ func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []
 		return nil, err
 	}
 
-	if err := agent.OnSelectedCandidatePairChange(func(c1, c2 ice.Candidate) {
-		w.onICESelectedCandidatePair(agent, c1, c2)
-	}); err != nil {
+	if err := agent.OnSelectedCandidatePairChange(w.onICESelectedCandidatePair); err != nil {
 		return nil, err
 	}
 
+	if err := agent.OnSuccessfulSelectedPairBindingResponse(w.onSuccessfulSelectedPairBindingResponse); err != nil {
+		return nil, fmt.Errorf("failed setting binding response callback: %w", err)
+	}
+
 	return agent, nil
 }
 
@@ -237,7 +230,7 @@ func (w *WorkerICE) SessionID() ICESessionID {
 // will block until connection succeeded
 // but it won't release if ICE Agent went into Disconnected or Failed state,
 // so we have to cancel it with the provided context once agent detected a broken connection
-func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent, remoteOfferAnswer *OfferAnswer) {
+func (w *WorkerICE) connect(ctx context.Context, agent *ice.Agent, remoteOfferAnswer *OfferAnswer) {
 	w.log.Debugf("gather candidates")
 	if err := agent.GatherCandidates(); err != nil {
 		w.log.Warnf("failed to gather candidates: %s", err)
@@ -246,7 +239,7 @@ func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent
 	}
 
 	w.log.Debugf("turn agent dial")
-	remoteConn, err := w.turnAgentDial(ctx, agent, remoteOfferAnswer)
+	remoteConn, err := w.turnAgentDial(ctx, remoteOfferAnswer)
 	if err != nil {
 		w.log.Debugf("failed to dial the remote peer: %s", err)
 		w.closeAgent(agent, w.agentDialerCancel)
@@ -259,11 +252,6 @@ func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent
 		w.closeAgent(agent, w.agentDialerCancel)
 		return
 	}
-	if pair == nil {
-		w.log.Warnf("selected candidate pair is nil, cannot proceed")
-		w.closeAgent(agent, w.agentDialerCancel)
-		return
-	}
 
 	if !isRelayCandidate(pair.Local) {
 		// dynamically set remote WireGuard port if other side specified a different one from the default one
@@ -302,14 +290,13 @@ func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent
 	w.conn.onICEConnectionIsReady(selectedPriority(pair), ci)
 }
 
-func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.CancelFunc) {
+func (w *WorkerICE) closeAgent(agent *ice.Agent, cancel context.CancelFunc) {
 	cancel()
 	if err := agent.Close(); err != nil {
 		w.log.Warnf("failed to close ICE agent: %s", err)
 	}
 
 	w.muxAgent.Lock()
-	// todo review does it make sense to generate new session ID all the time when w.agent==agent
 	sessionID, err := NewICESessionID()
 	if err != nil {
 		w.log.Errorf("failed to create new session ID: %s", err)
@@ -338,7 +325,7 @@ func (w *WorkerICE) punchRemoteWGPort(pair *ice.CandidatePair, remoteWgPort int)
 		return
 	}
 
-	mux, ok := w.config.ICEConfig.UDPMuxSrflx.(*udpmux.UniversalUDPMuxDefault)
+	mux, ok := w.config.ICEConfig.UDPMuxSrflx.(*bind.UniversalUDPMuxDefault)
 	if !ok {
 		w.log.Warn("invalid udp mux conversion")
 		return
@@ -365,36 +352,41 @@ func (w *WorkerICE) onICECandidate(candidate ice.Candidate) {
 			w.log.Errorf("failed signaling candidate to the remote peer %s %s", w.config.Key, err)
 		}
 	}()
+
+	if !w.shouldSendExtraSrflxCandidate(candidate) {
+		return
+	}
+
+	// sends an extra server reflexive candidate to the remote peer with our related port (usually the wireguard port)
+	// this is useful when network has an existing port forwarding rule for the wireguard port and this peer
+	extraSrflx, err := extraSrflxCandidate(candidate)
+	if err != nil {
+		w.log.Errorf("failed creating extra server reflexive candidate %s", err)
+		return
+	}
+	w.sentExtraSrflx = true
+
+	go func() {
+		err = w.signaler.SignalICECandidate(extraSrflx, w.config.Key)
+		if err != nil {
+			w.log.Errorf("failed signaling the extra server reflexive candidate: %s", err)
+		}
+	}()
 }
 
-func (w *WorkerICE) onICESelectedCandidatePair(agent *icemaker.ThreadSafeAgent, c1, c2 ice.Candidate) {
+func (w *WorkerICE) onICESelectedCandidatePair(c1 ice.Candidate, c2 ice.Candidate) {
 	w.log.Debugf("selected candidate pair [local <-> remote] -> [%s <-> %s], peer %s", c1.String(), c2.String(),
 		w.config.Key)
-
-	pairStat, ok := agent.GetSelectedCandidatePairStats()
-	if !ok {
-		w.log.Warnf("failed to get selected candidate pair stats")
-		return
-	}
-
-	duration := time.Duration(pairStat.CurrentRoundTripTime * float64(time.Second))
-	if err := w.statusRecorder.UpdateLatency(w.config.Key, duration); err != nil {
-		w.log.Debugf("failed to update latency for peer: %s", err)
-		return
-	}
 }
 
-func (w *WorkerICE) onConnectionStateChange(agent *icemaker.ThreadSafeAgent, dialerCancel context.CancelFunc) func(ice.ConnectionState) {
+func (w *WorkerICE) onConnectionStateChange(agent *ice.Agent, dialerCancel context.CancelFunc) func(ice.ConnectionState) {
 	return func(state ice.ConnectionState) {
 		w.log.Debugf("ICE ConnectionState has changed to %s", state.String())
 		switch state {
 		case ice.ConnectionStateConnected:
 			w.lastKnownState = ice.ConnectionStateConnected
 			return
-		case ice.ConnectionStateFailed, ice.ConnectionStateDisconnected, ice.ConnectionStateClosed:
-			// ice.ConnectionStateClosed happens when we recreate the agent. For the P2P to TURN switch important to
-			// notify the conn.onICEStateDisconnected changes to update the current used priority
-
+		case ice.ConnectionStateFailed, ice.ConnectionStateDisconnected:
 			if w.lastKnownState == ice.ConnectionStateConnected {
 				w.lastKnownState = ice.ConnectionStateDisconnected
 				w.conn.onICEStateDisconnected()
@@ -406,34 +398,32 @@ func (w *WorkerICE) onConnectionStateChange(agent *icemaker.ThreadSafeAgent, dia
 	}
 }
 
-func (w *WorkerICE) turnAgentDial(ctx context.Context, agent *icemaker.ThreadSafeAgent, remoteOfferAnswer *OfferAnswer) (*ice.Conn, error) {
-	if isController(w.config) {
-		return w.agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
-	} else {
-		return agent.Accept(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+func (w *WorkerICE) onSuccessfulSelectedPairBindingResponse(pair *ice.CandidatePair) {
+	if err := w.statusRecorder.UpdateLatency(w.config.Key, pair.Latency()); err != nil {
+		w.log.Debugf("failed to update latency for peer: %s", err)
+		return
 	}
 }
 
-func shouldAddExtraCandidate(candidate ice.Candidate) bool {
-	if candidate.Type() != ice.CandidateTypeServerReflexive {
-		return false
+func (w *WorkerICE) shouldSendExtraSrflxCandidate(candidate ice.Candidate) bool {
+	if !w.sentExtraSrflx && candidate.Type() == ice.CandidateTypeServerReflexive && candidate.Port() != candidate.RelatedAddress().Port {
+		return true
 	}
+	return false
+}
 
-	if candidate.Port() == candidate.RelatedAddress().Port {
-		return false
+func (w *WorkerICE) turnAgentDial(ctx context.Context, remoteOfferAnswer *OfferAnswer) (*ice.Conn, error) {
+	isControlling := w.config.LocalKey > w.config.Key
+	if isControlling {
+		return w.agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+	} else {
+		return w.agent.Accept(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	}
-
-	// in the older version when we didn't set candidate ID extension the remote peer sent the extra candidates
-	// in newer version we generate locally the extra candidate
-	if _, ok := candidate.GetExtension(ice.ExtensionKeyCandidateID); !ok {
-		return false
-	}
-	return true
 }
 
 func extraSrflxCandidate(candidate ice.Candidate) (*ice.CandidateServerReflexive, error) {
 	relatedAdd := candidate.RelatedAddress()
-	ec, err := ice.NewCandidateServerReflexive(&ice.CandidateServerReflexiveConfig{
+	return ice.NewCandidateServerReflexive(&ice.CandidateServerReflexiveConfig{
 		Network:   candidate.NetworkType().String(),
 		Address:   candidate.Address(),
 		Port:      relatedAdd.Port,
@@ -441,21 +431,6 @@ func extraSrflxCandidate(candidate ice.Candidate) (*ice.CandidateServerReflexive
 		RelAddr:   relatedAdd.Address,
 		RelPort:   relatedAdd.Port,
 	})
-	if err != nil {
-		return nil, err
-	}
-
-	for _, e := range candidate.Extensions() {
-		// overwrite the original candidate ID with the new one to avoid candidate duplication
-		if e.Key == ice.ExtensionKeyCandidateID {
-			e.Value = candidate.ID()
-		}
-		if err := ec.AddExtension(e); err != nil {
-			return nil, err
-		}
-	}
-
-	return ec, nil
 }
 
 func candidateViaRoutes(candidate ice.Candidate, clientRoutes route.HAMap) bool {