[client] Refactor/iface pkg (#2646)

Refactor the flat code structure

client/iface/device/adapter.go

@@ -0,0 +1,8 @@
+package device
+
+// TunAdapter is an interface for create tun device from external service
+type TunAdapter interface {
+	ConfigureInterface(address string, mtu int, dns string, searchDomains string, routes string) (int, error)
+	UpdateAddr(address string) error
+	ProtectSocket(fd int32) bool
+}

client/iface/device/address.go

@@ -0,0 +1,29 @@
+package device
+
+import (
+	"fmt"
+	"net"
+)
+
+// WGAddress WireGuard parsed address
+type WGAddress struct {
+	IP      net.IP
+	Network *net.IPNet
+}
+
+// ParseWGAddress parse a string ("1.2.3.4/24") address to WG Address
+func ParseWGAddress(address string) (WGAddress, error) {
+	ip, network, err := net.ParseCIDR(address)
+	if err != nil {
+		return WGAddress{}, err
+	}
+	return WGAddress{
+		IP:      ip,
+		Network: network,
+	}, nil
+}
+
+func (addr WGAddress) String() string {
+	maskSize, _ := addr.Network.Mask.Size()
+	return fmt.Sprintf("%s/%d", addr.IP.String(), maskSize)
+}

client/iface/device/args.go

@@ -0,0 +1,6 @@
+package device
+
+type MobileIFaceArguments struct {
+	TunAdapter TunAdapter // only for Android
+	TunFd      int        // only for iOS
+}

client/iface/device/device_android.go

@@ -0,0 +1,140 @@
+//go:build android
+
+package device
+
+import (
+	"strings"
+
+	"github.com/pion/transport/v3"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun"
+
+	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/configurer"
+)
+
+// WGTunDevice ignore the WGTunDevice interface on Android because the creation of the tun device is different on this platform
+type WGTunDevice struct {
+	address    WGAddress
+	port       int
+	key        string
+	mtu        int
+	iceBind    *bind.ICEBind
+	tunAdapter TunAdapter
+
+	name           string
+	device         *device.Device
+	filteredDevice *FilteredDevice
+	udpMux         *bind.UniversalUDPMuxDefault
+	configurer     WGConfigurer
+}
+
+func NewTunDevice(address WGAddress, port int, key string, mtu int, transportNet transport.Net, tunAdapter TunAdapter, filterFn bind.FilterFn) *WGTunDevice {
+	return &WGTunDevice{
+		address:    address,
+		port:       port,
+		key:        key,
+		mtu:        mtu,
+		iceBind:    bind.NewICEBind(transportNet, filterFn),
+		tunAdapter: tunAdapter,
+	}
+}
+
+func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string) (WGConfigurer, error) {
+	log.Info("create tun interface")
+
+	routesString := routesToString(routes)
+	searchDomainsToString := searchDomainsToString(searchDomains)
+
+	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), t.mtu, dns, searchDomainsToString, routesString)
+	if err != nil {
+		log.Errorf("failed to create Android interface: %s", err)
+		return nil, err
+	}
+
+	tunDevice, name, err := tun.CreateUnmonitoredTUNFromFD(fd)
+	if err != nil {
+		_ = unix.Close(fd)
+		log.Errorf("failed to create Android interface: %s", err)
+		return nil, err
+	}
+	t.name = name
+	t.filteredDevice = newDeviceFilter(tunDevice)
+
+	log.Debugf("attaching to interface %v", name)
+	t.device = device.NewDevice(t.filteredDevice, t.iceBind, device.NewLogger(wgLogLevel(), "[wiretrustee] "))
+	// without this property mobile devices can discover remote endpoints if the configured one was wrong.
+	// this helps with support for the older NetBird clients that had a hardcoded direct mode
+	// t.device.DisableSomeRoamingForBrokenMobileSemantics()
+
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
+	err = t.configurer.ConfigureInterface(t.key, t.port)
+	if err != nil {
+		t.device.Close()
+		t.configurer.Close()
+		return nil, err
+	}
+	return t.configurer, nil
+}
+func (t *WGTunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
+	err := t.device.Up()
+	if err != nil {
+		return nil, err
+	}
+
+	udpMux, err := t.iceBind.GetICEMux()
+	if err != nil {
+		return nil, err
+	}
+	t.udpMux = udpMux
+	log.Debugf("device is ready to use: %s", t.name)
+	return udpMux, nil
+}
+
+func (t *WGTunDevice) UpdateAddr(addr WGAddress) error {
+	// todo implement
+	return nil
+}
+
+func (t *WGTunDevice) Close() error {
+	if t.configurer != nil {
+		t.configurer.Close()
+	}
+
+	if t.device != nil {
+		t.device.Close()
+		t.device = nil
+	}
+
+	if t.udpMux != nil {
+		return t.udpMux.Close()
+
+	}
+	return nil
+}
+
+func (t *WGTunDevice) Device() *device.Device {
+	return t.device
+}
+
+func (t *WGTunDevice) DeviceName() string {
+	return t.name
+}
+
+func (t *WGTunDevice) WgAddress() WGAddress {
+	return t.address
+}
+
+func (t *WGTunDevice) FilteredDevice() *FilteredDevice {
+	return t.filteredDevice
+}
+
+func routesToString(routes []string) string {
+	return strings.Join(routes, ";")
+}
+
+func searchDomainsToString(searchDomains []string) string {
+	return strings.Join(searchDomains, ";")
+}

client/iface/device/device_darwin.go

@@ -0,0 +1,141 @@
+//go:build !ios
+
+package device
+
+import (
+	"fmt"
+	"os/exec"
+
+	"github.com/pion/transport/v3"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun"
+
+	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/configurer"
+)
+
+type TunDevice struct {
+	name    string
+	address WGAddress
+	port    int
+	key     string
+	mtu     int
+	iceBind *bind.ICEBind
+
+	device         *device.Device
+	filteredDevice *FilteredDevice
+	udpMux         *bind.UniversalUDPMuxDefault
+	configurer     WGConfigurer
+}
+
+func NewTunDevice(name string, address WGAddress, port int, key string, mtu int, transportNet transport.Net, filterFn bind.FilterFn) *TunDevice {
+	return &TunDevice{
+		name:    name,
+		address: address,
+		port:    port,
+		key:     key,
+		mtu:     mtu,
+		iceBind: bind.NewICEBind(transportNet, filterFn),
+	}
+}
+
+func (t *TunDevice) Create() (WGConfigurer, error) {
+	tunDevice, err := tun.CreateTUN(t.name, t.mtu)
+	if err != nil {
+		return nil, fmt.Errorf("error creating tun device: %s", err)
+	}
+	t.filteredDevice = newDeviceFilter(tunDevice)
+
+	// We need to create a wireguard-go device and listen to configuration requests
+	t.device = device.NewDevice(
+		t.filteredDevice,
+		t.iceBind,
+		device.NewLogger(wgLogLevel(), "[netbird] "),
+	)
+
+	err = t.assignAddr()
+	if err != nil {
+		t.device.Close()
+		return nil, fmt.Errorf("error assigning ip: %s", err)
+	}
+
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
+	err = t.configurer.ConfigureInterface(t.key, t.port)
+	if err != nil {
+		t.device.Close()
+		t.configurer.Close()
+		return nil, fmt.Errorf("error configuring interface: %s", err)
+	}
+	return t.configurer, nil
+}
+
+func (t *TunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
+	err := t.device.Up()
+	if err != nil {
+		return nil, err
+	}
+
+	udpMux, err := t.iceBind.GetICEMux()
+	if err != nil {
+		return nil, err
+	}
+	t.udpMux = udpMux
+	log.Debugf("device is ready to use: %s", t.name)
+	return udpMux, nil
+}
+
+func (t *TunDevice) UpdateAddr(address WGAddress) error {
+	t.address = address
+	return t.assignAddr()
+}
+
+func (t *TunDevice) Close() error {
+	if t.configurer != nil {
+		t.configurer.Close()
+	}
+
+	if t.device != nil {
+		t.device.Close()
+		t.device = nil
+	}
+
+	if t.udpMux != nil {
+		return t.udpMux.Close()
+	}
+	return nil
+}
+
+func (t *TunDevice) WgAddress() WGAddress {
+	return t.address
+}
+
+func (t *TunDevice) DeviceName() string {
+	return t.name
+}
+
+func (t *TunDevice) FilteredDevice() *FilteredDevice {
+	return t.filteredDevice
+}
+
+// assignAddr Adds IP address to the tunnel interface and network route based on the range provided
+func (t *TunDevice) assignAddr() error {
+	cmd := exec.Command("ifconfig", t.name, "inet", t.address.IP.String(), t.address.IP.String())
+	if out, err := cmd.CombinedOutput(); err != nil {
+		log.Errorf("adding address command '%v' failed with output: %s", cmd.String(), out)
+		return err
+	}
+
+	// dummy ipv6 so routing works
+	cmd = exec.Command("ifconfig", t.name, "inet6", "fe80::/64")
+	if out, err := cmd.CombinedOutput(); err != nil {
+		log.Debugf("adding address command '%v' failed with output: %s", cmd.String(), out)
+	}
+
+	routeCmd := exec.Command("route", "add", "-net", t.address.Network.String(), "-interface", t.name)
+	if out, err := routeCmd.CombinedOutput(); err != nil {
+		log.Errorf("adding route command '%v' failed with output: %s", routeCmd.String(), out)
+		return err
+	}
+	return nil
+}

client/iface/device/device_filter.go

@@ -0,0 +1,100 @@
+package device
+
+import (
+	"net"
+	"sync"
+
+	"golang.zx2c4.com/wireguard/tun"
+)
+
+// PacketFilter interface for firewall abilities
+type PacketFilter interface {
+	// DropOutgoing filter outgoing packets from host to external destinations
+	DropOutgoing(packetData []byte) bool
+
+	// DropIncoming filter incoming packets from external sources to host
+	DropIncoming(packetData []byte) bool
+
+	// AddUDPPacketHook calls hook when UDP packet from given direction matched
+	//
+	// Hook function returns flag which indicates should be the matched package dropped or not.
+	// Hook function receives raw network packet data as argument.
+	AddUDPPacketHook(in bool, ip net.IP, dPort uint16, hook func(packet []byte) bool) string
+
+	// RemovePacketHook removes hook by ID
+	RemovePacketHook(hookID string) error
+
+	// SetNetwork of the wireguard interface to which filtering applied
+	SetNetwork(*net.IPNet)
+}
+
+// FilteredDevice to override Read or Write of packets
+type FilteredDevice struct {
+	tun.Device
+
+	filter PacketFilter
+	mutex  sync.RWMutex
+}
+
+// newDeviceFilter constructor function
+func newDeviceFilter(device tun.Device) *FilteredDevice {
+	return &FilteredDevice{
+		Device: device,
+	}
+}
+
+// Read wraps read method with filtering feature
+func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, err error) {
+	if n, err = d.Device.Read(bufs, sizes, offset); err != nil {
+		return 0, err
+	}
+	d.mutex.RLock()
+	filter := d.filter
+	d.mutex.RUnlock()
+
+	if filter == nil {
+		return
+	}
+
+	for i := 0; i < n; i++ {
+		if filter.DropOutgoing(bufs[i][offset : offset+sizes[i]]) {
+			bufs = append(bufs[:i], bufs[i+1:]...)
+			sizes = append(sizes[:i], sizes[i+1:]...)
+			n--
+			i--
+		}
+	}
+
+	return n, nil
+}
+
+// Write wraps write method with filtering feature
+func (d *FilteredDevice) Write(bufs [][]byte, offset int) (int, error) {
+	d.mutex.RLock()
+	filter := d.filter
+	d.mutex.RUnlock()
+
+	if filter == nil {
+		return d.Device.Write(bufs, offset)
+	}
+
+	filteredBufs := make([][]byte, 0, len(bufs))
+	dropped := 0
+	for _, buf := range bufs {
+		if !filter.DropIncoming(buf[offset:]) {
+			filteredBufs = append(filteredBufs, buf)
+			dropped++
+		}
+	}
+
+	n, err := d.Device.Write(filteredBufs, offset)
+	n += dropped
+	return n, err
+}
+
+// SetFilter sets packet filter to device
+func (d *FilteredDevice) SetFilter(filter PacketFilter) {
+	d.mutex.Lock()
+	d.filter = filter
+	d.mutex.Unlock()
+}

client/iface/device/device_filter_test.go

@@ -0,0 +1,223 @@
+package device
+
+import (
+	"net"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+
+	mocks "github.com/netbirdio/netbird/client/iface/mocks"
+)
+
+func TestDeviceWrapperRead(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	t.Run("read ICMP", func(t *testing.T) {
+		ipLayer := &layers.IPv4{
+			Version:  4,
+			TTL:      64,
+			Protocol: layers.IPProtocolICMPv4,
+			SrcIP:    net.IP{192, 168, 0, 1},
+			DstIP:    net.IP{100, 200, 0, 1},
+		}
+
+		icmpLayer := &layers.ICMPv4{
+			TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0),
+			Id:       1,
+			Seq:      1,
+		}
+
+		buffer := gopacket.NewSerializeBuffer()
+		err := gopacket.SerializeLayers(buffer, gopacket.SerializeOptions{},
+			ipLayer,
+			icmpLayer,
+		)
+		if err != nil {
+			t.Errorf("serialize packet: %v", err)
+			return
+		}
+
+		mockBufs := [][]byte{{}}
+		mockSizes := []int{0}
+		mockOffset := 0
+
+		tun := mocks.NewMockDevice(ctrl)
+		tun.EXPECT().Read(mockBufs, mockSizes, mockOffset).
+			DoAndReturn(func(bufs [][]byte, sizes []int, offset int) (int, error) {
+				bufs[0] = buffer.Bytes()
+				sizes[0] = len(bufs[0])
+				return 1, nil
+			})
+
+		wrapped := newDeviceFilter(tun)
+
+		bufs := [][]byte{{}}
+		sizes := []int{0}
+		offset := 0
+
+		n, err := wrapped.Read(bufs, sizes, offset)
+		if err != nil {
+			t.Errorf("unexpected error: %v", err)
+			return
+		}
+		if n != 1 {
+			t.Errorf("expected n=1, got %d", n)
+			return
+		}
+	})
+
+	t.Run("write TCP", func(t *testing.T) {
+		ipLayer := &layers.IPv4{
+			Version:  4,
+			TTL:      64,
+			Protocol: layers.IPProtocolICMPv4,
+			SrcIP:    net.IP{100, 200, 0, 9},
+			DstIP:    net.IP{100, 200, 0, 10},
+		}
+
+		// create TCP layer packet
+		tcpLayer := &layers.TCP{
+			SrcPort: layers.TCPPort(34423),
+			DstPort: layers.TCPPort(8080),
+		}
+
+		buffer := gopacket.NewSerializeBuffer()
+		err := gopacket.SerializeLayers(buffer, gopacket.SerializeOptions{},
+			ipLayer,
+			tcpLayer,
+		)
+		if err != nil {
+			t.Errorf("serialize packet: %v", err)
+			return
+		}
+
+		mockBufs := [][]byte{buffer.Bytes()}
+
+		mockBufs[0] = buffer.Bytes()
+		tun := mocks.NewMockDevice(ctrl)
+		tun.EXPECT().Write(mockBufs, 0).Return(1, nil)
+
+		wrapped := newDeviceFilter(tun)
+
+		bufs := [][]byte{buffer.Bytes()}
+
+		n, err := wrapped.Write(bufs, 0)
+		if err != nil {
+			t.Errorf("unexpected error: %v", err)
+			return
+		}
+		if n != 1 {
+			t.Errorf("expected n=1, got %d", n)
+			return
+		}
+	})
+
+	t.Run("drop write UDP package", func(t *testing.T) {
+		ipLayer := &layers.IPv4{
+			Version:  4,
+			TTL:      64,
+			Protocol: layers.IPProtocolICMPv4,
+			SrcIP:    net.IP{100, 200, 0, 11},
+			DstIP:    net.IP{100, 200, 0, 20},
+		}
+
+		// create TCP layer packet
+		tcpLayer := &layers.UDP{
+			SrcPort: layers.UDPPort(27278),
+			DstPort: layers.UDPPort(53),
+		}
+
+		buffer := gopacket.NewSerializeBuffer()
+		err := gopacket.SerializeLayers(buffer, gopacket.SerializeOptions{},
+			ipLayer,
+			tcpLayer,
+		)
+		if err != nil {
+			t.Errorf("serialize packet: %v", err)
+			return
+		}
+
+		mockBufs := [][]byte{}
+
+		tun := mocks.NewMockDevice(ctrl)
+		tun.EXPECT().Write(mockBufs, 0).Return(0, nil)
+
+		filter := mocks.NewMockPacketFilter(ctrl)
+		filter.EXPECT().DropIncoming(gomock.Any()).Return(true)
+
+		wrapped := newDeviceFilter(tun)
+		wrapped.filter = filter
+
+		bufs := [][]byte{buffer.Bytes()}
+
+		n, err := wrapped.Write(bufs, 0)
+		if err != nil {
+			t.Errorf("unexpected error: %v", err)
+			return
+		}
+		if n != 0 {
+			t.Errorf("expected n=1, got %d", n)
+			return
+		}
+	})
+
+	t.Run("drop read UDP package", func(t *testing.T) {
+		ipLayer := &layers.IPv4{
+			Version:  4,
+			TTL:      64,
+			Protocol: layers.IPProtocolICMPv4,
+			SrcIP:    net.IP{100, 200, 0, 11},
+			DstIP:    net.IP{100, 200, 0, 20},
+		}
+
+		// create TCP layer packet
+		tcpLayer := &layers.UDP{
+			SrcPort: layers.UDPPort(19243),
+			DstPort: layers.UDPPort(1024),
+		}
+
+		buffer := gopacket.NewSerializeBuffer()
+		err := gopacket.SerializeLayers(buffer, gopacket.SerializeOptions{},
+			ipLayer,
+			tcpLayer,
+		)
+		if err != nil {
+			t.Errorf("serialize packet: %v", err)
+			return
+		}
+
+		mockBufs := [][]byte{{}}
+		mockSizes := []int{0}
+		mockOffset := 0
+
+		tun := mocks.NewMockDevice(ctrl)
+		tun.EXPECT().Read(mockBufs, mockSizes, mockOffset).
+			DoAndReturn(func(bufs [][]byte, sizes []int, offset int) (int, error) {
+				bufs[0] = buffer.Bytes()
+				sizes[0] = len(bufs[0])
+				return 1, nil
+			})
+		filter := mocks.NewMockPacketFilter(ctrl)
+		filter.EXPECT().DropOutgoing(gomock.Any()).Return(true)
+
+		wrapped := newDeviceFilter(tun)
+		wrapped.filter = filter
+
+		bufs := [][]byte{{}}
+		sizes := []int{0}
+		offset := 0
+
+		n, err := wrapped.Read(bufs, sizes, offset)
+		if err != nil {
+			t.Errorf("unexpected error: %v", err)
+			return
+		}
+		if n != 0 {
+			t.Errorf("expected n=0, got %d", n)
+			return
+		}
+	})
+}

client/iface/device/device_ios.go

@@ -0,0 +1,134 @@
+//go:build ios
+// +build ios
+
+package device
+
+import (
+	"os"
+
+	"github.com/pion/transport/v3"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun"
+
+	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/configurer"
+)
+
+type TunDevice struct {
+	name    string
+	address WGAddress
+	port    int
+	key     string
+	iceBind *bind.ICEBind
+	tunFd   int
+
+	device         *device.Device
+	filteredDevice *FilteredDevice
+	udpMux         *bind.UniversalUDPMuxDefault
+	configurer     WGConfigurer
+}
+
+func NewTunDevice(name string, address WGAddress, port int, key string, transportNet transport.Net, tunFd int, filterFn bind.FilterFn) *TunDevice {
+	return &TunDevice{
+		name:    name,
+		address: address,
+		port:    port,
+		key:     key,
+		iceBind: bind.NewICEBind(transportNet, filterFn),
+		tunFd:   tunFd,
+	}
+}
+
+func (t *TunDevice) Create() (WGConfigurer, error) {
+	log.Infof("create tun interface")
+
+	dupTunFd, err := unix.Dup(t.tunFd)
+	if err != nil {
+		log.Errorf("Unable to dup tun fd: %v", err)
+		return nil, err
+	}
+
+	err = unix.SetNonblock(dupTunFd, true)
+	if err != nil {
+		log.Errorf("Unable to set tun fd as non blocking: %v", err)
+		_ = unix.Close(dupTunFd)
+		return nil, err
+	}
+	tunDevice, err := tun.CreateTUNFromFile(os.NewFile(uintptr(dupTunFd), "/dev/tun"), 0)
+	if err != nil {
+		log.Errorf("Unable to create new tun device from fd: %v", err)
+		_ = unix.Close(dupTunFd)
+		return nil, err
+	}
+
+	t.filteredDevice = newDeviceFilter(tunDevice)
+	log.Debug("Attaching to interface")
+	t.device = device.NewDevice(t.filteredDevice, t.iceBind, device.NewLogger(wgLogLevel(), "[wiretrustee] "))
+	// without this property mobile devices can discover remote endpoints if the configured one was wrong.
+	// this helps with support for the older NetBird clients that had a hardcoded direct mode
+	// t.device.DisableSomeRoamingForBrokenMobileSemantics()
+
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
+	err = t.configurer.ConfigureInterface(t.key, t.port)
+	if err != nil {
+		t.device.Close()
+		t.configurer.Close()
+		return nil, err
+	}
+	return t.configurer, nil
+}
+
+func (t *TunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
+	err := t.device.Up()
+	if err != nil {
+		return nil, err
+	}
+
+	udpMux, err := t.iceBind.GetICEMux()
+	if err != nil {
+		return nil, err
+	}
+	t.udpMux = udpMux
+	log.Debugf("device is ready to use: %s", t.name)
+	return udpMux, nil
+}
+
+func (t *TunDevice) Device() *device.Device {
+	return t.device
+}
+
+func (t *TunDevice) DeviceName() string {
+	return t.name
+}
+
+func (t *TunDevice) Close() error {
+	if t.configurer != nil {
+		t.configurer.Close()
+	}
+
+	if t.device != nil {
+		t.device.Close()
+		t.device = nil
+	}
+
+	if t.udpMux != nil {
+		return t.udpMux.Close()
+
+	}
+	return nil
+}
+
+func (t *TunDevice) WgAddress() WGAddress {
+	return t.address
+}
+
+func (t *TunDevice) UpdateAddr(addr WGAddress) error {
+	// todo implement
+	return nil
+}
+
+func (t *TunDevice) FilteredDevice() *FilteredDevice {
+	return t.filteredDevice
+}

client/iface/device/device_kernel_unix.go

@@ -0,0 +1,163 @@
+//go:build (linux && !android) || freebsd
+
+package device
+
+import (
+	"context"
+	"fmt"
+	"net"
+
+	"github.com/pion/transport/v3"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/configurer"
+	"github.com/netbirdio/netbird/sharedsock"
+)
+
+type TunKernelDevice struct {
+	name         string
+	address      WGAddress
+	wgPort       int
+	key          string
+	mtu          int
+	ctx          context.Context
+	ctxCancel    context.CancelFunc
+	transportNet transport.Net
+
+	link       *wgLink
+	udpMuxConn net.PacketConn
+	udpMux     *bind.UniversalUDPMuxDefault
+
+	filterFn bind.FilterFn
+}
+
+func NewKernelDevice(name string, address WGAddress, wgPort int, key string, mtu int, transportNet transport.Net) *TunKernelDevice {
+	checkUser()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	return &TunKernelDevice{
+		ctx:          ctx,
+		ctxCancel:    cancel,
+		name:         name,
+		address:      address,
+		wgPort:       wgPort,
+		key:          key,
+		mtu:          mtu,
+		transportNet: transportNet,
+	}
+}
+
+func (t *TunKernelDevice) Create() (WGConfigurer, error) {
+	link := newWGLink(t.name)
+
+	if err := link.recreate(); err != nil {
+		return nil, fmt.Errorf("recreate: %w", err)
+	}
+
+	t.link = link
+
+	if err := t.assignAddr(); err != nil {
+		return nil, fmt.Errorf("assign addr: %w", err)
+	}
+
+	// TODO: do a MTU discovery
+	log.Debugf("setting MTU: %d interface: %s", t.mtu, t.name)
+
+	if err := link.setMTU(t.mtu); err != nil {
+		return nil, fmt.Errorf("set mtu: %w", err)
+	}
+
+	configurer := configurer.NewKernelConfigurer(t.name)
+
+	if err := configurer.ConfigureInterface(t.key, t.wgPort); err != nil {
+		return nil, fmt.Errorf("error configuring interface: %s", err)
+	}
+
+	return configurer, nil
+}
+
+func (t *TunKernelDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
+	if t.udpMux != nil {
+		return t.udpMux, nil
+	}
+
+	if t.link == nil {
+		return nil, fmt.Errorf("device is not ready yet")
+	}
+
+	log.Debugf("bringing up interface: %s", t.name)
+
+	if err := t.link.up(); err != nil {
+		log.Errorf("error bringing up interface: %s", t.name)
+
+		return nil, err
+	}
+
+	rawSock, err := sharedsock.Listen(t.wgPort, sharedsock.NewIncomingSTUNFilter())
+	if err != nil {
+		return nil, err
+	}
+	bindParams := bind.UniversalUDPMuxParams{
+		UDPConn:  rawSock,
+		Net:      t.transportNet,
+		FilterFn: t.filterFn,
+	}
+	mux := bind.NewUniversalUDPMuxDefault(bindParams)
+	go mux.ReadFromConn(t.ctx)
+	t.udpMuxConn = rawSock
+	t.udpMux = mux
+
+	log.Debugf("device is ready to use: %s", t.name)
+	return t.udpMux, nil
+}
+
+func (t *TunKernelDevice) UpdateAddr(address WGAddress) error {
+	t.address = address
+	return t.assignAddr()
+}
+
+func (t *TunKernelDevice) Close() error {
+	if t.link == nil {
+		return nil
+	}
+
+	t.ctxCancel()
+
+	var closErr error
+	if err := t.link.Close(); err != nil {
+		log.Debugf("failed to close link: %s", err)
+		closErr = err
+	}
+
+	if t.udpMux != nil {
+		if err := t.udpMux.Close(); err != nil {
+			log.Debugf("failed to close udp mux: %s", err)
+			closErr = err
+		}
+
+		if err := t.udpMuxConn.Close(); err != nil {
+			log.Debugf("failed to close udp mux connection: %s", err)
+			closErr = err
+		}
+	}
+
+	return closErr
+}
+
+func (t *TunKernelDevice) WgAddress() WGAddress {
+	return t.address
+}
+
+func (t *TunKernelDevice) DeviceName() string {
+	return t.name
+}
+
+func (t *TunKernelDevice) FilteredDevice() *FilteredDevice {
+	return nil
+}
+
+// assignAddr Adds IP address to the tunnel interface
+func (t *TunKernelDevice) assignAddr() error {
+	return t.link.assignAddr(t.address)
+}

client/iface/device/device_netstack.go

@@ -0,0 +1,120 @@
+//go:build !android
+// +build !android
+
+package device
+
+import (
+	"fmt"
+
+	"github.com/pion/transport/v3"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/device"
+
+	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/configurer"
+	"github.com/netbirdio/netbird/client/iface/netstack"
+)
+
+type TunNetstackDevice struct {
+	name          string
+	address       WGAddress
+	port          int
+	key           string
+	mtu           int
+	listenAddress string
+	iceBind       *bind.ICEBind
+
+	device         *device.Device
+	filteredDevice *FilteredDevice
+	nsTun          *netstack.NetStackTun
+	udpMux         *bind.UniversalUDPMuxDefault
+	configurer     WGConfigurer
+}
+
+func NewNetstackDevice(name string, address WGAddress, wgPort int, key string, mtu int, transportNet transport.Net, listenAddress string, filterFn bind.FilterFn) *TunNetstackDevice {
+	return &TunNetstackDevice{
+		name:          name,
+		address:       address,
+		port:          wgPort,
+		key:           key,
+		mtu:           mtu,
+		listenAddress: listenAddress,
+		iceBind:       bind.NewICEBind(transportNet, filterFn),
+	}
+}
+
+func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
+	log.Info("create netstack tun interface")
+	t.nsTun = netstack.NewNetStackTun(t.listenAddress, t.address.IP.String(), t.mtu)
+	tunIface, err := t.nsTun.Create()
+	if err != nil {
+		return nil, fmt.Errorf("error creating tun device: %s", err)
+	}
+	t.filteredDevice = newDeviceFilter(tunIface)
+
+	t.device = device.NewDevice(
+		t.filteredDevice,
+		t.iceBind,
+		device.NewLogger(wgLogLevel(), "[netbird] "),
+	)
+
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
+	err = t.configurer.ConfigureInterface(t.key, t.port)
+	if err != nil {
+		_ = tunIface.Close()
+		return nil, fmt.Errorf("error configuring interface: %s", err)
+	}
+
+	log.Debugf("device has been created: %s", t.name)
+	return t.configurer, nil
+}
+
+func (t *TunNetstackDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
+	if t.device == nil {
+		return nil, fmt.Errorf("device is not ready yet")
+	}
+
+	err := t.device.Up()
+	if err != nil {
+		return nil, err
+	}
+
+	udpMux, err := t.iceBind.GetICEMux()
+	if err != nil {
+		return nil, err
+	}
+	t.udpMux = udpMux
+	log.Debugf("netstack device is ready to use")
+	return udpMux, nil
+}
+
+func (t *TunNetstackDevice) UpdateAddr(WGAddress) error {
+	return nil
+}
+
+func (t *TunNetstackDevice) Close() error {
+	if t.configurer != nil {
+		t.configurer.Close()
+	}
+
+	if t.device != nil {
+		t.device.Close()
+	}
+
+	if t.udpMux != nil {
+		return t.udpMux.Close()
+	}
+	return nil
+}
+
+func (t *TunNetstackDevice) WgAddress() WGAddress {
+	return t.address
+}
+
+func (t *TunNetstackDevice) DeviceName() string {
+	return t.name
+}
+
+func (t *TunNetstackDevice) FilteredDevice() *FilteredDevice {
+	return t.filteredDevice
+}

client/iface/device/device_usp_unix.go

@@ -0,0 +1,145 @@
+//go:build (linux && !android) || freebsd
+
+package device
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+
+	"github.com/pion/transport/v3"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun"
+
+	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/configurer"
+)
+
+type USPDevice struct {
+	name    string
+	address WGAddress
+	port    int
+	key     string
+	mtu     int
+	iceBind *bind.ICEBind
+
+	device         *device.Device
+	filteredDevice *FilteredDevice
+	udpMux         *bind.UniversalUDPMuxDefault
+	configurer     WGConfigurer
+}
+
+func NewUSPDevice(name string, address WGAddress, port int, key string, mtu int, transportNet transport.Net, filterFn bind.FilterFn) *USPDevice {
+	log.Infof("using userspace bind mode")
+
+	checkUser()
+
+	return &USPDevice{
+		name:    name,
+		address: address,
+		port:    port,
+		key:     key,
+		mtu:     mtu,
+		iceBind: bind.NewICEBind(transportNet, filterFn)}
+}
+
+func (t *USPDevice) Create() (WGConfigurer, error) {
+	log.Info("create tun interface")
+	tunIface, err := tun.CreateTUN(t.name, t.mtu)
+	if err != nil {
+		log.Debugf("failed to create tun interface (%s, %d): %s", t.name, t.mtu, err)
+		return nil, fmt.Errorf("error creating tun device: %s", err)
+	}
+	t.filteredDevice = newDeviceFilter(tunIface)
+
+	// We need to create a wireguard-go device and listen to configuration requests
+	t.device = device.NewDevice(
+		t.filteredDevice,
+		t.iceBind,
+		device.NewLogger(wgLogLevel(), "[netbird] "),
+	)
+
+	err = t.assignAddr()
+	if err != nil {
+		t.device.Close()
+		return nil, fmt.Errorf("error assigning ip: %s", err)
+	}
+
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
+	err = t.configurer.ConfigureInterface(t.key, t.port)
+	if err != nil {
+		t.device.Close()
+		t.configurer.Close()
+		return nil, fmt.Errorf("error configuring interface: %s", err)
+	}
+	return t.configurer, nil
+}
+
+func (t *USPDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
+	if t.device == nil {
+		return nil, fmt.Errorf("device is not ready yet")
+	}
+
+	err := t.device.Up()
+	if err != nil {
+		return nil, err
+	}
+
+	udpMux, err := t.iceBind.GetICEMux()
+	if err != nil {
+		return nil, err
+	}
+	t.udpMux = udpMux
+
+	log.Debugf("device is ready to use: %s", t.name)
+	return udpMux, nil
+}
+
+func (t *USPDevice) UpdateAddr(address WGAddress) error {
+	t.address = address
+	return t.assignAddr()
+}
+
+func (t *USPDevice) Close() error {
+	if t.configurer != nil {
+		t.configurer.Close()
+	}
+
+	if t.device != nil {
+		t.device.Close()
+	}
+
+	if t.udpMux != nil {
+		return t.udpMux.Close()
+	}
+	return nil
+}
+
+func (t *USPDevice) WgAddress() WGAddress {
+	return t.address
+}
+
+func (t *USPDevice) DeviceName() string {
+	return t.name
+}
+
+func (t *USPDevice) FilteredDevice() *FilteredDevice {
+	return t.filteredDevice
+}
+
+// assignAddr Adds IP address to the tunnel interface
+func (t *USPDevice) assignAddr() error {
+	link := newWGLink(t.name)
+
+	return link.assignAddr(t.address)
+}
+
+func checkUser() {
+	if runtime.GOOS == "freebsd" {
+		euid := os.Geteuid()
+		if euid != 0 {
+			log.Warn("newTunUSPDevice: on netbird must run as root to be able to assign address to the tun interface with ifconfig")
+		}
+	}
+}

client/iface/device/device_windows.go

@@ -0,0 +1,172 @@
+package device
+
+import (
+	"fmt"
+	"net/netip"
+
+	"github.com/pion/transport/v3"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun"
+	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
+
+	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/configurer"
+)
+
+const defaultWindowsGUIDSTring = "{f2f29e61-d91f-4d76-8151-119b20c4bdeb}"
+
+type TunDevice struct {
+	name    string
+	address WGAddress
+	port    int
+	key     string
+	mtu     int
+	iceBind *bind.ICEBind
+
+	device          *device.Device
+	nativeTunDevice *tun.NativeTun
+	filteredDevice  *FilteredDevice
+	udpMux          *bind.UniversalUDPMuxDefault
+	configurer      WGConfigurer
+}
+
+func NewTunDevice(name string, address WGAddress, port int, key string, mtu int, transportNet transport.Net, filterFn bind.FilterFn) *TunDevice {
+	return &TunDevice{
+		name:    name,
+		address: address,
+		port:    port,
+		key:     key,
+		mtu:     mtu,
+		iceBind: bind.NewICEBind(transportNet, filterFn),
+	}
+}
+
+func getGUID() (windows.GUID, error) {
+	guidString := defaultWindowsGUIDSTring
+	if CustomWindowsGUIDString != "" {
+		guidString = CustomWindowsGUIDString
+	}
+	return windows.GUIDFromString(guidString)
+}
+
+func (t *TunDevice) Create() (WGConfigurer, error) {
+	guid, err := getGUID()
+	if err != nil {
+		log.Errorf("failed to get GUID: %s", err)
+		return nil, err
+	}
+	log.Info("create tun interface")
+	tunDevice, err := tun.CreateTUNWithRequestedGUID(t.name, &guid, t.mtu)
+	if err != nil {
+		return nil, fmt.Errorf("error creating tun device: %s", err)
+	}
+	t.nativeTunDevice = tunDevice.(*tun.NativeTun)
+	t.filteredDevice = newDeviceFilter(tunDevice)
+
+	// We need to create a wireguard-go device and listen to configuration requests
+	t.device = device.NewDevice(
+		t.filteredDevice,
+		t.iceBind,
+		device.NewLogger(wgLogLevel(), "[netbird] "),
+	)
+
+	luid := winipcfg.LUID(t.nativeTunDevice.LUID())
+
+	nbiface, err := luid.IPInterface(windows.AF_INET)
+	if err != nil {
+		t.device.Close()
+		return nil, fmt.Errorf("got error when getting ip interface %s", err)
+	}
+
+	nbiface.NLMTU = uint32(t.mtu)
+
+	err = nbiface.Set()
+	if err != nil {
+		t.device.Close()
+		return nil, fmt.Errorf("got error when getting setting the interface mtu: %s", err)
+	}
+	err = t.assignAddr()
+	if err != nil {
+		t.device.Close()
+		return nil, fmt.Errorf("error assigning ip: %s", err)
+	}
+
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
+	err = t.configurer.ConfigureInterface(t.key, t.port)
+	if err != nil {
+		t.device.Close()
+		t.configurer.Close()
+		return nil, fmt.Errorf("error configuring interface: %s", err)
+	}
+	return t.configurer, nil
+}
+
+func (t *TunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
+	err := t.device.Up()
+	if err != nil {
+		return nil, err
+	}
+
+	udpMux, err := t.iceBind.GetICEMux()
+	if err != nil {
+		return nil, err
+	}
+	t.udpMux = udpMux
+	log.Debugf("device is ready to use: %s", t.name)
+	return udpMux, nil
+}
+
+func (t *TunDevice) UpdateAddr(address WGAddress) error {
+	t.address = address
+	return t.assignAddr()
+}
+
+func (t *TunDevice) Close() error {
+	if t.configurer != nil {
+		t.configurer.Close()
+	}
+
+	if t.device != nil {
+		t.device.Close()
+		t.device = nil
+	}
+
+	if t.udpMux != nil {
+		return t.udpMux.Close()
+
+	}
+	return nil
+}
+func (t *TunDevice) WgAddress() WGAddress {
+	return t.address
+}
+
+func (t *TunDevice) DeviceName() string {
+	return t.name
+}
+
+func (t *TunDevice) FilteredDevice() *FilteredDevice {
+	return t.filteredDevice
+}
+
+func (t *TunDevice) GetInterfaceGUIDString() (string, error) {
+	if t.nativeTunDevice == nil {
+		return "", fmt.Errorf("interface has not been initialized yet")
+	}
+
+	luid := winipcfg.LUID(t.nativeTunDevice.LUID())
+	guid, err := luid.GUID()
+	if err != nil {
+		return "", err
+	}
+	return guid.String(), nil
+}
+
+// assignAddr Adds IP address to the tunnel interface and network route based on the range provided
+func (t *TunDevice) assignAddr() error {
+	luid := winipcfg.LUID(t.nativeTunDevice.LUID())
+	log.Debugf("adding address %s to interface: %s", t.address.IP, t.name)
+	return luid.SetIPAddresses([]netip.Prefix{netip.MustParsePrefix(t.address.String())})
+}

client/iface/device/interface.go

@@ -0,0 +1,20 @@
+package device
+
+import (
+	"net"
+	"time"
+
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+
+	"github.com/netbirdio/netbird/client/iface/configurer"
+)
+
+type WGConfigurer interface {
+	ConfigureInterface(privateKey string, port int) error
+	UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
+	RemovePeer(peerKey string) error
+	AddAllowedIP(peerKey string, allowedIP string) error
+	RemoveAllowedIP(peerKey string, allowedIP string) error
+	Close()
+	GetStats(peerKey string) (configurer.WGStats, error)
+}

client/iface/device/kernel_module.go

@@ -0,0 +1,8 @@
+//go:build (!linux && !freebsd) || android
+
+package device
+
+// WireGuardModuleIsLoaded check if we can load WireGuard mod (linux only)
+func WireGuardModuleIsLoaded() bool {
+	return false
+}

client/iface/device/kernel_module_freebsd.go

@@ -0,0 +1,18 @@
+package device
+
+// WireGuardModuleIsLoaded check if kernel support wireguard
+func WireGuardModuleIsLoaded() bool {
+	// Despite the fact FreeBSD natively support Wireguard (https://github.com/WireGuard/wireguard-freebsd)
+	//  we are currently do not use it, since it is required to add wireguard kernel support to
+	//   - https://github.com/netbirdio/netbird/tree/main/sharedsock
+	//   - https://github.com/mdlayher/socket
+	// TODO: implement kernel space
+	return false
+}
+
+// ModuleTunIsLoaded check if tun module exist, if is not attempt to load it
+func ModuleTunIsLoaded() bool {
+	// Assume tun supported by freebsd kernel by default
+	// TODO: implement check for module loaded in kernel or build-it
+	return true
+}

client/iface/device/kernel_module_linux.go

@@ -0,0 +1,360 @@
+//go:build linux && !android
+
+// Package iface provides wireguard network interface creation and management
+package device
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"math"
+	"os"
+	"path/filepath"
+	"strings"
+	"syscall"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/vishvananda/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// Holds logic to check existence of kernel modules used by wireguard interfaces
+// Copied from https://github.com/paultag/go-modprobe and
+// https://github.com/pmorjan/kmod
+
+type status int
+
+const (
+	defaultModuleDir        = "/lib/modules"
+	unknown          status = iota
+	unloaded
+	unloading
+	loading
+	live
+	inuse
+	envDisableWireGuardKernel = "NB_WG_KERNEL_DISABLED"
+)
+
+type module struct {
+	name string
+	path string
+}
+
+var (
+	// ErrModuleNotFound is the error resulting if a module can't be found.
+	ErrModuleNotFound = errors.New("module not found")
+	moduleLibDir      = defaultModuleDir
+	// get the root directory for the kernel modules. If this line panics,
+	// it's because getModuleRoot has failed to get the uname of the running
+	// kernel (likely a non-POSIX system, but maybe a broken kernel?)
+	moduleRoot = getModuleRoot()
+)
+
+// Get the module root (/lib/modules/$(uname -r)/)
+func getModuleRoot() string {
+	uname := unix.Utsname{}
+	if err := unix.Uname(&uname); err != nil {
+		panic(err)
+	}
+
+	i := 0
+	for ; uname.Release[i] != 0; i++ {
+	}
+
+	return filepath.Join(moduleLibDir, string(uname.Release[:i]))
+}
+
+// ModuleTunIsLoaded check if tun module exist, if is not attempt to load it
+func ModuleTunIsLoaded() bool {
+	_, err := os.Stat("/dev/net/tun")
+	if err == nil {
+		return true
+	}
+
+	log.Infof("couldn't access device /dev/net/tun, go error %v, "+
+		"will attempt to load tun module, if running on container add flag --cap-add=NET_ADMIN", err)
+
+	tunLoaded, err := tryToLoadModule("tun")
+	if err != nil {
+		log.Errorf("unable to find or load tun module, got error: %v", err)
+	}
+	return tunLoaded
+}
+
+// WireGuardModuleIsLoaded check if we can load WireGuard mod (linux only)
+func WireGuardModuleIsLoaded() bool {
+
+	if os.Getenv(envDisableWireGuardKernel) == "true" {
+		log.Debugf("WireGuard kernel module disabled because the %s env is set to true", envDisableWireGuardKernel)
+		return false
+	}
+
+	if canCreateFakeWireGuardInterface() {
+		return true
+	}
+
+	loaded, err := tryToLoadModule("wireguard")
+	if err != nil {
+		log.Info(err)
+		return false
+	}
+
+	return loaded
+}
+
+func canCreateFakeWireGuardInterface() bool {
+	link := newWGLink("mustnotexist")
+
+	// We willingly try to create a device with an invalid
+	// MTU here as the validation of the MTU will be performed after
+	// the validation of the link kind and hence allows us to check
+	// for the existence of the wireguard module without actually
+	// creating a link.
+	//
+	// As a side-effect, this will also let the kernel lazy-load
+	// the wireguard module.
+	link.attrs.MTU = math.MaxInt
+
+	err := netlink.LinkAdd(link)
+
+	return errors.Is(err, syscall.EINVAL)
+}
+
+func tryToLoadModule(moduleName string) (bool, error) {
+	if isModuleEnabled(moduleName) {
+		return true, nil
+	}
+	modulePath, err := getModulePath(moduleName)
+	if err != nil {
+		return false, fmt.Errorf("couldn't find module path for %s, error: %v", moduleName, err)
+	}
+	if modulePath == "" {
+		return false, nil
+	}
+
+	log.Infof("trying to load %s module", moduleName)
+
+	err = loadModuleWithDependencies(moduleName, modulePath)
+	if err != nil {
+		return false, fmt.Errorf("couldn't load %s module, error: %v", moduleName, err)
+	}
+	return true, nil
+}
+
+func isModuleEnabled(name string) bool {
+	builtin, builtinErr := isBuiltinModule(name)
+	state, statusErr := moduleStatus(name)
+	return (builtinErr == nil && builtin) || (statusErr == nil && state >= loading)
+}
+
+func getModulePath(name string) (string, error) {
+	var foundPath string
+	skipRemainingDirs := false
+
+	err := filepath.WalkDir(
+		moduleRoot,
+		func(path string, info fs.DirEntry, err error) error {
+			if skipRemainingDirs {
+				return fs.SkipDir
+			}
+			if err != nil {
+				// skip broken files
+				return nil //nolint:nilerr
+			}
+
+			if !info.Type().IsRegular() {
+				return nil
+			}
+
+			nameFromPath := pathToName(path)
+			if nameFromPath == name {
+				foundPath = path
+				skipRemainingDirs = true
+			}
+
+			return nil
+		})
+
+	if err != nil {
+		return "", err
+	}
+
+	return foundPath, nil
+}
+
+func pathToName(s string) string {
+	s = filepath.Base(s)
+	for ext := filepath.Ext(s); ext != ""; ext = filepath.Ext(s) {
+		s = strings.TrimSuffix(s, ext)
+	}
+	return cleanName(s)
+}
+
+func cleanName(s string) string {
+	return strings.ReplaceAll(strings.TrimSpace(s), "-", "_")
+}
+
+func isBuiltinModule(name string) (bool, error) {
+	f, err := os.Open(filepath.Join(moduleRoot, "/modules.builtin"))
+	if err != nil {
+		return false, err
+	}
+	defer func() {
+		err := f.Close()
+		if err != nil {
+			log.Errorf("failed closing modules.builtin file, %v", err)
+		}
+	}()
+
+	var found bool
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if pathToName(line) == name {
+			found = true
+			break
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return false, err
+	}
+	return found, nil
+}
+
+// /proc/modules
+//
+//	     name | memory size | reference count | references | state: <Live|Loading|Unloading>
+//			macvlan 28672 1 macvtap, Live 0x0000000000000000
+func moduleStatus(name string) (status, error) {
+	state := unknown
+	f, err := os.Open("/proc/modules")
+	if err != nil {
+		return state, err
+	}
+	defer func() {
+		err := f.Close()
+		if err != nil {
+			log.Errorf("failed closing /proc/modules file, %v", err)
+		}
+	}()
+
+	state = unloaded
+
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		fields := strings.Fields(scanner.Text())
+		if fields[0] == name {
+			if fields[2] != "0" {
+				state = inuse
+				break
+			}
+			switch fields[4] {
+			case "Live":
+				state = live
+			case "Loading":
+				state = loading
+			case "Unloading":
+				state = unloading
+			}
+			break
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return state, err
+	}
+
+	return state, nil
+}
+
+func loadModuleWithDependencies(name, path string) error {
+	deps, err := getModuleDependencies(name)
+	if err != nil {
+		return fmt.Errorf("couldn't load list of module %s dependencies", name)
+	}
+	for _, dep := range deps {
+		err = loadModule(dep.name, dep.path)
+		if err != nil {
+			return fmt.Errorf("couldn't load dependency module %s for %s", dep.name, name)
+		}
+	}
+	return loadModule(name, path)
+}
+
+func loadModule(name, path string) error {
+	state, err := moduleStatus(name)
+	if err != nil {
+		return err
+	}
+	if state >= loading {
+		return nil
+	}
+
+	f, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		err := f.Close()
+		if err != nil {
+			log.Errorf("failed closing %s file, %v", path, err)
+		}
+	}()
+
+	// first try finit_module(2), then init_module(2)
+	err = unix.FinitModule(int(f.Fd()), "", 0)
+	if errors.Is(err, unix.ENOSYS) {
+		buf, err := io.ReadAll(f)
+		if err != nil {
+			return err
+		}
+		return unix.InitModule(buf, "")
+	}
+	return err
+}
+
+// getModuleDependencies returns a module dependencies
+func getModuleDependencies(name string) ([]module, error) {
+	f, err := os.Open(filepath.Join(moduleRoot, "/modules.dep"))
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		err := f.Close()
+		if err != nil {
+			log.Errorf("failed closing modules.dep file, %v", err)
+		}
+	}()
+
+	var deps []string
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		fields := strings.Fields(line)
+		if pathToName(strings.TrimSuffix(fields[0], ":")) == name {
+			deps = fields
+			break
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return nil, err
+	}
+
+	if len(deps) == 0 {
+		return nil, ErrModuleNotFound
+	}
+	deps[0] = strings.TrimSuffix(deps[0], ":")
+
+	var modules []module
+	for _, v := range deps {
+		if pathToName(v) != name {
+			modules = append(modules, module{
+				name: pathToName(v),
+				path: filepath.Join(moduleRoot, v),
+			})
+		}
+	}
+
+	return modules, nil
+}

client/iface/device/kernel_module_linux_test.go

@@ -0,0 +1,225 @@
+//go:build linux && !android
+
+package device
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/sys/unix"
+)
+
+func TestGetModuleDependencies(t *testing.T) {
+	testCases := []struct {
+		name     string
+		module   string
+		expected []module
+	}{
+		{
+			name:   "Get Single Dependency",
+			module: "bar",
+			expected: []module{
+				{name: "foo", path: "kernel/a/foo.ko"},
+			},
+		},
+		{
+			name:   "Get Multiple Dependencies",
+			module: "baz",
+			expected: []module{
+				{name: "foo", path: "kernel/a/foo.ko"},
+				{name: "bar", path: "kernel/a/bar.ko"},
+			},
+		},
+		{
+			name:     "Get No Dependencies",
+			module:   "foo",
+			expected: []module{},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			defer resetGlobals()
+			_, _ = createFiles(t)
+			modules, err := getModuleDependencies(testCase.module)
+			require.NoError(t, err)
+
+			expected := testCase.expected
+			for i := range expected {
+				expected[i].path = moduleRoot + "/" + expected[i].path
+			}
+
+			require.ElementsMatchf(t, modules, expected, "returned modules should match")
+		})
+	}
+}
+
+func TestIsBuiltinModule(t *testing.T) {
+	testCases := []struct {
+		name     string
+		module   string
+		expected bool
+	}{
+		{
+			name:     "Built In Should Return True",
+			module:   "foo_bi",
+			expected: true,
+		},
+		{
+			name:     "Not Built In Should Return False",
+			module:   "not_built_in",
+			expected: false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			defer resetGlobals()
+			_, _ = createFiles(t)
+
+			isBuiltIn, err := isBuiltinModule(testCase.module)
+			require.NoError(t, err)
+			require.Equal(t, testCase.expected, isBuiltIn)
+		})
+	}
+}
+
+func TestModuleStatus(t *testing.T) {
+	random, err := getRandomLoadedModule(t)
+	if err != nil {
+		t.Fatal("should be able to get random module")
+	}
+	testCases := []struct {
+		name           string
+		module         string
+		shouldBeLoaded bool
+	}{
+		{
+			name:           "Should Return Module Loading Or Greater Status",
+			module:         random,
+			shouldBeLoaded: true,
+		},
+		{
+			name:           "Should Return Module Unloaded Or Lower Status",
+			module:         "not_loaded_module",
+			shouldBeLoaded: false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			defer resetGlobals()
+			_, _ = createFiles(t)
+
+			state, err := moduleStatus(testCase.module)
+			require.NoError(t, err)
+			if testCase.shouldBeLoaded {
+				require.GreaterOrEqual(t, loading, state, "moduleStatus for %s should return state loading", testCase.module)
+			} else {
+				require.Less(t, state, loading, "module should return state unloading or lower")
+			}
+		})
+	}
+}
+
+func resetGlobals() {
+	moduleLibDir = defaultModuleDir
+	moduleRoot = getModuleRoot()
+}
+
+func createFiles(t *testing.T) (string, []module) {
+	t.Helper()
+	writeFile := func(path, text string) {
+		if err := os.WriteFile(path, []byte(text), 0644); err != nil {
+			t.Fatal(err)
+		}
+	}
+	var u unix.Utsname
+	if err := unix.Uname(&u); err != nil {
+		t.Fatal(err)
+	}
+
+	moduleLibDir = t.TempDir()
+
+	moduleRoot = getModuleRoot()
+	if err := os.Mkdir(moduleRoot, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	text := "kernel/a/foo.ko:\n"
+	text += "kernel/a/bar.ko: kernel/a/foo.ko\n"
+	text += "kernel/a/baz.ko: kernel/a/bar.ko kernel/a/foo.ko\n"
+	writeFile(filepath.Join(moduleRoot, "/modules.dep"), text)
+
+	text = "kernel/a/foo_bi.ko\n"
+	text += "kernel/a/bar-bi.ko.gz\n"
+	writeFile(filepath.Join(moduleRoot, "/modules.builtin"), text)
+
+	modules := []module{
+		{name: "foo", path: "kernel/a/foo.ko"},
+		{name: "bar", path: "kernel/a/bar.ko"},
+		{name: "baz", path: "kernel/a/baz.ko"},
+	}
+	return moduleLibDir, modules
+}
+
+func getRandomLoadedModule(t *testing.T) (string, error) {
+	t.Helper()
+	f, err := os.Open("/proc/modules")
+	if err != nil {
+		return "", err
+	}
+	defer func() {
+		err := f.Close()
+		if err != nil {
+			t.Logf("failed closing /proc/modules file, %v", err)
+		}
+	}()
+	lines, err := lineCounter(f)
+	if err != nil {
+		return "", err
+	}
+	counter := 1
+	midLine := lines / 2
+	modName := ""
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		fields := strings.Fields(scanner.Text())
+		if counter == midLine {
+			if fields[4] == "Unloading" {
+				continue
+			}
+			modName = fields[0]
+			break
+		}
+		counter++
+	}
+	if scanner.Err() != nil {
+		return "", scanner.Err()
+	}
+	return modName, nil
+}
+func lineCounter(r io.Reader) (int, error) {
+	buf := make([]byte, 32*1024)
+	count := 0
+	lineSep := []byte{'\n'}
+
+	for {
+		c, err := r.Read(buf)
+		count += bytes.Count(buf[:c], lineSep)
+
+		switch {
+		case err == io.EOF:
+			return count, nil
+
+		case err != nil:
+			return count, err
+		}
+	}
+}

client/iface/device/wg_link_freebsd.go

@@ -0,0 +1,81 @@
+package device
+
+import (
+	"fmt"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/iface/freebsd"
+)
+
+type wgLink struct {
+	name string
+	link *freebsd.Link
+}
+
+func newWGLink(name string) *wgLink {
+	link := freebsd.NewLink(name)
+
+	return &wgLink{
+		name: name,
+		link: link,
+	}
+}
+
+// Type returns the interface type
+func (l *wgLink) Type() string {
+	return "wireguard"
+}
+
+// Close deletes the link interface
+func (l *wgLink) Close() error {
+	return l.link.Del()
+}
+
+func (l *wgLink) recreate() error {
+	if err := l.link.Recreate(); err != nil {
+		return fmt.Errorf("recreate: %w", err)
+	}
+
+	return nil
+}
+
+func (l *wgLink) setMTU(mtu int) error {
+	if err := l.link.SetMTU(mtu); err != nil {
+		return fmt.Errorf("set mtu: %w", err)
+	}
+
+	return nil
+}
+
+func (l *wgLink) up() error {
+	if err := l.link.Up(); err != nil {
+		return fmt.Errorf("up: %w", err)
+	}
+
+	return nil
+}
+
+func (l *wgLink) assignAddr(address WGAddress) error {
+	link, err := freebsd.LinkByName(l.name)
+	if err != nil {
+		return fmt.Errorf("link by name: %w", err)
+	}
+
+	ip := address.IP.String()
+	mask := "0x" + address.Network.Mask.String()
+
+	log.Infof("assign addr %s mask %s to %s interface", ip, mask, l.name)
+
+	err = link.AssignAddr(ip, mask)
+	if err != nil {
+		return fmt.Errorf("assign addr: %w", err)
+	}
+
+	err = link.Up()
+	if err != nil {
+		return fmt.Errorf("up: %w", err)
+	}
+
+	return nil
+}

client/iface/device/wg_link_linux.go

@@ -0,0 +1,133 @@
+//go:build linux && !android
+
+package device
+
+import (
+	"fmt"
+	"os"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/vishvananda/netlink"
+)
+
+type wgLink struct {
+	attrs *netlink.LinkAttrs
+}
+
+func newWGLink(name string) *wgLink {
+	attrs := netlink.NewLinkAttrs()
+	attrs.Name = name
+
+	return &wgLink{
+		attrs: &attrs,
+	}
+}
+
+// Attrs returns the Wireguard's default attributes
+func (l *wgLink) Attrs() *netlink.LinkAttrs {
+	return l.attrs
+}
+
+// Type returns the interface type
+func (l *wgLink) Type() string {
+	return "wireguard"
+}
+
+// Close deletes the link interface
+func (l *wgLink) Close() error {
+	return netlink.LinkDel(l)
+}
+
+func (l *wgLink) recreate() error {
+	name := l.attrs.Name
+
+	// check if interface exists
+	link, err := netlink.LinkByName(name)
+	if err != nil {
+		switch err.(type) {
+		case netlink.LinkNotFoundError:
+			break
+		default:
+			return fmt.Errorf("link by name: %w", err)
+		}
+	}
+
+	// remove if interface exists
+	if link != nil {
+		err = netlink.LinkDel(l)
+		if err != nil {
+			return err
+		}
+	}
+
+	log.Debugf("adding device: %s", name)
+	err = netlink.LinkAdd(l)
+	if os.IsExist(err) {
+		log.Infof("interface %s already exists. Will reuse.", name)
+	} else if err != nil {
+		return fmt.Errorf("link add: %w", err)
+	}
+
+	return nil
+}
+
+func (l *wgLink) setMTU(mtu int) error {
+	if err := netlink.LinkSetMTU(l, mtu); err != nil {
+		log.Errorf("error setting MTU on interface: %s", l.attrs.Name)
+
+		return fmt.Errorf("link set mtu: %w", err)
+	}
+
+	return nil
+}
+
+func (l *wgLink) up() error {
+	if err := netlink.LinkSetUp(l); err != nil {
+		log.Errorf("error bringing up interface: %s", l.attrs.Name)
+		return fmt.Errorf("link setup: %w", err)
+	}
+
+	return nil
+}
+
+func (l *wgLink) assignAddr(address WGAddress) error {
+	//delete existing addresses
+	list, err := netlink.AddrList(l, 0)
+	if err != nil {
+		return fmt.Errorf("list addr: %w", err)
+	}
+
+	if len(list) > 0 {
+		for _, a := range list {
+			addr := a
+			err = netlink.AddrDel(l, &addr)
+			if err != nil {
+				return fmt.Errorf("del addr: %w", err)
+			}
+		}
+	}
+
+	name := l.attrs.Name
+	addrStr := address.String()
+
+	log.Debugf("adding address %s to interface: %s", addrStr, name)
+
+	addr, err := netlink.ParseAddr(addrStr)
+	if err != nil {
+		return fmt.Errorf("parse addr: %w", err)
+	}
+
+	err = netlink.AddrAdd(l, addr)
+	if os.IsExist(err) {
+		log.Infof("interface %s already has the address: %s", name, addrStr)
+	} else if err != nil {
+		return fmt.Errorf("add addr: %w", err)
+	}
+
+	// On linux, the link must be brought up
+	if err := netlink.LinkSetUp(l); err != nil {
+		return fmt.Errorf("link setup: %w", err)
+	}
+
+	return nil
+}

client/iface/device/wg_log.go

@@ -0,0 +1,15 @@
+package device
+
+import (
+	"os"
+
+	"golang.zx2c4.com/wireguard/device"
+)
+
+func wgLogLevel() int {
+	if os.Getenv("NB_WG_DEBUG") == "true" {
+		return device.LogLevelVerbose
+	} else {
+		return device.LogLevelSilent
+	}
+}

client/iface/device/windows_guid.go

@@ -0,0 +1,4 @@
+package device
+
+// CustomWindowsGUIDString is a custom GUID string for the interface
+var CustomWindowsGUIDString string