Preresolve domains

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.0.20"
+  SIGN_PIPE_VER: "v0.0.18"
   GORELEASER_VER: "v2.3.2"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"

.github/workflows/test-infrastructure-files.yml

@@ -134,7 +134,6 @@ jobs:
           NETBIRD_STORE_ENGINE_MYSQL_DSN: '${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$'
           CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
           CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
-          CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY: false
 
         run: |
           set -x
@@ -181,7 +180,6 @@ jobs:
           grep -A 7 Relay management.json | egrep '"Secret": ".+"'
           grep DisablePromptLogin management.json | grep 'true'
           grep LoginFlag management.json | grep 0
-          grep DisableDefaultPolicy management.json | grep "$CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY"
 
       - name: Install modules
         run: go mod tidy

.goreleaser.yaml

@@ -149,7 +149,6 @@ nfpms:
 dockers:
   - image_templates:
       - netbirdio/netbird:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
     ids:
       - netbird
     goarch: amd64
@@ -165,7 +164,6 @@ dockers:
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/netbird:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
     ids:
       - netbird
     goarch: arm64

client/Dockerfile

@@ -1,9 +1,6 @@
 FROM alpine:3.21.3
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache ca-certificates ip6tables iproute2 iptables
-
-ARG NETBIRD_BINARY=netbird
-COPY ${NETBIRD_BINARY} /usr/local/bin/netbird
-
 ENV NB_FOREGROUND_MODE=true
 ENTRYPOINT [ "/usr/local/bin/netbird","up"]
+COPY netbird /usr/local/bin/netbird

client/Dockerfile-rootless

@@ -1,7 +1,6 @@
 FROM alpine:3.21.0
 
-ARG NETBIRD_BINARY=netbird
-COPY ${NETBIRD_BINARY} /usr/local/bin/netbird
+COPY netbird /usr/local/bin/netbird
 
 RUN apk add --no-cache ca-certificates \
     && adduser -D -h /var/lib/netbird netbird

client/android/client.go

@@ -59,8 +59,6 @@ type Client struct {
 	deviceName            string
 	uiVersion             string
 	networkChangeListener listener.NetworkChangeListener
-
-	connectClient *internal.ConnectClient
 }
 
 // NewClient instantiate a new Client
@@ -108,8 +106,8 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }
 
 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
@@ -134,8 +132,8 @@ func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }
 
 // Stop the internal client and free the resources
@@ -176,53 +174,6 @@ func (c *Client) PeersList() *PeerInfoArray {
 	return &PeerInfoArray{items: peerInfos}
 }
 
-func (c *Client) Networks() *NetworkArray {
-	if c.connectClient == nil {
-		log.Error("not connected")
-		return nil
-	}
-
-	engine := c.connectClient.Engine()
-	if engine == nil {
-		log.Error("could not get engine")
-		return nil
-	}
-
-	routeManager := engine.GetRouteManager()
-	if routeManager == nil {
-		log.Error("could not get route manager")
-		return nil
-	}
-
-	networkArray := &NetworkArray{
-		items: make([]Network, 0),
-	}
-
-	for id, routes := range routeManager.GetClientRoutesWithNetID() {
-		if len(routes) == 0 {
-			continue
-		}
-
-		if routes[0].IsDynamic() {
-			continue
-		}
-
-		peer, err := c.recorder.GetPeer(routes[0].Peer)
-		if err != nil {
-			log.Errorf("could not get peer info for %s: %v", routes[0].Peer, err)
-			continue
-		}
-		network := Network{
-			Name:    string(id),
-			Network: routes[0].Network.String(),
-			Peer:    peer.FQDN,
-			Status:  peer.ConnStatus.String(),
-		}
-		networkArray.Add(network)
-	}
-	return networkArray
-}
-
 // OnUpdatedHostDNS update the DNS servers addresses for root zones
 func (c *Client) OnUpdatedHostDNS(list *DNSList) error {
 	dnsServer, err := dns.GetServerDns()

client/android/networks.go

@@ -1,27 +0,0 @@
-//go:build android
-
-package android
-
-type Network struct {
-	Name    string
-	Network string
-	Peer    string
-	Status  string
-}
-
-type NetworkArray struct {
-	items []Network
-}
-
-func (array *NetworkArray) Add(s Network) *NetworkArray {
-	array.items = append(array.items, s)
-	return array
-}
-
-func (array *NetworkArray) Get(i int) *Network {
-	return &array.items[i]
-}
-
-func (array *NetworkArray) Size() int {
-	return len(array.items)
-}

client/android/peer_notifier.go

@@ -7,23 +7,30 @@ type PeerInfo struct {
 	ConnStatus string // Todo replace to enum
 }
 
-// PeerInfoArray is a wrapper of []PeerInfo
+// PeerInfoCollection made for Java layer to get non default types as collection
+type PeerInfoCollection interface {
+	Add(s string) PeerInfoCollection
+	Get(i int) string
+	Size() int
+}
+
+// PeerInfoArray is the implementation of the PeerInfoCollection
 type PeerInfoArray struct {
 	items []PeerInfo
 }
 
 // Add new PeerInfo to the collection
-func (array *PeerInfoArray) Add(s PeerInfo) *PeerInfoArray {
+func (array PeerInfoArray) Add(s PeerInfo) PeerInfoArray {
 	array.items = append(array.items, s)
 	return array
 }
 
 // Get return an element of the collection
-func (array *PeerInfoArray) Get(i int) *PeerInfo {
+func (array PeerInfoArray) Get(i int) *PeerInfo {
 	return &array.items[i]
 }
 
 // Size return with the size of the collection
-func (array *PeerInfoArray) Size() int {
+func (array PeerInfoArray) Size() int {
 	return len(array.items)
 }

client/android/preferences.go

@@ -4,12 +4,12 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 )
 
-// Preferences exports a subset of the internal config for gomobile
+// Preferences export a subset of the internal config for gomobile
 type Preferences struct {
 	configInput internal.ConfigInput
 }
 
-// NewPreferences creates a new Preferences instance
+// NewPreferences create new Preferences instance
 func NewPreferences(configPath string) *Preferences {
 	ci := internal.ConfigInput{
 		ConfigPath: configPath,
@@ -17,7 +17,7 @@ func NewPreferences(configPath string) *Preferences {
 	return &Preferences{ci}
 }
 
-// GetManagementURL reads URL from config file
+// GetManagementURL read url from config file
 func (p *Preferences) GetManagementURL() (string, error) {
 	if p.configInput.ManagementURL != "" {
 		return p.configInput.ManagementURL, nil
@@ -30,12 +30,12 @@ func (p *Preferences) GetManagementURL() (string, error) {
 	return cfg.ManagementURL.String(), err
 }
 
-// SetManagementURL stores the given URL and waits for commit
+// SetManagementURL store the given url and wait for commit
 func (p *Preferences) SetManagementURL(url string) {
 	p.configInput.ManagementURL = url
 }
 
-// GetAdminURL reads URL from config file
+// GetAdminURL read url from config file
 func (p *Preferences) GetAdminURL() (string, error) {
 	if p.configInput.AdminURL != "" {
 		return p.configInput.AdminURL, nil
@@ -48,12 +48,12 @@ func (p *Preferences) GetAdminURL() (string, error) {
 	return cfg.AdminURL.String(), err
 }
 
-// SetAdminURL stores the given URL and waits for commit
+// SetAdminURL store the given url and wait for commit
 func (p *Preferences) SetAdminURL(url string) {
 	p.configInput.AdminURL = url
 }
 
-// GetPreSharedKey reads pre-shared key from config file
+// GetPreSharedKey read preshared key from config file
 func (p *Preferences) GetPreSharedKey() (string, error) {
 	if p.configInput.PreSharedKey != nil {
 		return *p.configInput.PreSharedKey, nil
@@ -66,17 +66,17 @@ func (p *Preferences) GetPreSharedKey() (string, error) {
 	return cfg.PreSharedKey, err
 }
 
-// SetPreSharedKey stores the given key and waits for commit
+// SetPreSharedKey store the given key and wait for commit
 func (p *Preferences) SetPreSharedKey(key string) {
 	p.configInput.PreSharedKey = &key
 }
 
-// SetRosenpassEnabled stores whether Rosenpass is enabled
+// SetRosenpassEnabled store if rosenpass is enabled
 func (p *Preferences) SetRosenpassEnabled(enabled bool) {
 	p.configInput.RosenpassEnabled = &enabled
 }
 
-// GetRosenpassEnabled reads Rosenpass enabled status from config file
+// GetRosenpassEnabled read rosenpass enabled from config file
 func (p *Preferences) GetRosenpassEnabled() (bool, error) {
 	if p.configInput.RosenpassEnabled != nil {
 		return *p.configInput.RosenpassEnabled, nil
@@ -89,12 +89,12 @@ func (p *Preferences) GetRosenpassEnabled() (bool, error) {
 	return cfg.RosenpassEnabled, err
 }
 
-// SetRosenpassPermissive stores the given permissive setting and waits for commit
+// SetRosenpassPermissive store the given permissive and wait for commit
 func (p *Preferences) SetRosenpassPermissive(permissive bool) {
 	p.configInput.RosenpassPermissive = &permissive
 }
 
-// GetRosenpassPermissive reads Rosenpass permissive setting from config file
+// GetRosenpassPermissive read rosenpass permissive from config file
 func (p *Preferences) GetRosenpassPermissive() (bool, error) {
 	if p.configInput.RosenpassPermissive != nil {
 		return *p.configInput.RosenpassPermissive, nil
@@ -107,119 +107,7 @@ func (p *Preferences) GetRosenpassPermissive() (bool, error) {
 	return cfg.RosenpassPermissive, err
 }
 
-// GetDisableClientRoutes reads disable client routes setting from config file
-func (p *Preferences) GetDisableClientRoutes() (bool, error) {
-	if p.configInput.DisableClientRoutes != nil {
-		return *p.configInput.DisableClientRoutes, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableClientRoutes, err
-}
-
-// SetDisableClientRoutes stores the given value and waits for commit
-func (p *Preferences) SetDisableClientRoutes(disable bool) {
-	p.configInput.DisableClientRoutes = &disable
-}
-
-// GetDisableServerRoutes reads disable server routes setting from config file
-func (p *Preferences) GetDisableServerRoutes() (bool, error) {
-	if p.configInput.DisableServerRoutes != nil {
-		return *p.configInput.DisableServerRoutes, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableServerRoutes, err
-}
-
-// SetDisableServerRoutes stores the given value and waits for commit
-func (p *Preferences) SetDisableServerRoutes(disable bool) {
-	p.configInput.DisableServerRoutes = &disable
-}
-
-// GetDisableDNS reads disable DNS setting from config file
-func (p *Preferences) GetDisableDNS() (bool, error) {
-	if p.configInput.DisableDNS != nil {
-		return *p.configInput.DisableDNS, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableDNS, err
-}
-
-// SetDisableDNS stores the given value and waits for commit
-func (p *Preferences) SetDisableDNS(disable bool) {
-	p.configInput.DisableDNS = &disable
-}
-
-// GetDisableFirewall reads disable firewall setting from config file
-func (p *Preferences) GetDisableFirewall() (bool, error) {
-	if p.configInput.DisableFirewall != nil {
-		return *p.configInput.DisableFirewall, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableFirewall, err
-}
-
-// SetDisableFirewall stores the given value and waits for commit
-func (p *Preferences) SetDisableFirewall(disable bool) {
-	p.configInput.DisableFirewall = &disable
-}
-
-// GetServerSSHAllowed reads server SSH allowed setting from config file
-func (p *Preferences) GetServerSSHAllowed() (bool, error) {
-	if p.configInput.ServerSSHAllowed != nil {
-		return *p.configInput.ServerSSHAllowed, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	if cfg.ServerSSHAllowed == nil {
-		// Default to false for security on Android
-		return false, nil
-	}
-	return *cfg.ServerSSHAllowed, err
-}
-
-// SetServerSSHAllowed stores the given value and waits for commit
-func (p *Preferences) SetServerSSHAllowed(allowed bool) {
-	p.configInput.ServerSSHAllowed = &allowed
-}
-
-// GetBlockInbound reads block inbound setting from config file
-func (p *Preferences) GetBlockInbound() (bool, error) {
-	if p.configInput.BlockInbound != nil {
-		return *p.configInput.BlockInbound, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.BlockInbound, err
-}
-
-// SetBlockInbound stores the given value and waits for commit
-func (p *Preferences) SetBlockInbound(block bool) {
-	p.configInput.BlockInbound = &block
-}
-
-// Commit writes out the changes to the config file
+// Commit write out the changes into config file
 func (p *Preferences) Commit() error {
 	_, err := internal.UpdateOrCreateConfig(p.configInput)
 	return err

client/cmd/status.go

@@ -69,10 +69,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	status := resp.GetStatus()
-
-	if status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
-		status == string(internal.StatusSessionExpired) {
+	if resp.GetStatus() == string(internal.StatusNeedsLogin) || resp.GetStatus() == string(internal.StatusLoginFailed) {
 		cmd.Printf("Daemon status: %s\n\n"+
 			"Run UP command to log in with SSO (interactive login):\n\n"+
 			" netbird up \n\n"+

client/cmd/system.go

@@ -38,5 +38,5 @@ func init() {
 
 	upCmd.PersistentFlags().BoolVar(&blockInbound, blockInboundFlag, false,
 		"Block inbound connections. If enabled, the client will not allow any inbound connections to the local machine nor routed networks.\n"+
-			"This overrides any policies received from the management service.")
+		"This overrides any policies received from the management service.")
 }

client/cmd/testutil_test.go

@@ -102,13 +102,8 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc
 		GetSettings(gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(&types.Settings{}, nil).
 		AnyTimes()
-	settingsMockManager.
-		EXPECT().
-		GetExtraSettings(gomock.Any(), gomock.Any()).
-		Return(&types.ExtraSettings{}, nil).
-		AnyTimes()
 
-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
 	if err != nil {
 		t.Fatal(err)
 	}

client/cmd/trace.go

@@ -118,7 +118,7 @@ func tracePacket(cmd *cobra.Command, args []string) error {
 }
 
 func printTrace(cmd *cobra.Command, src, dst, proto string, sport, dport uint16, resp *proto.TracePacketResponse) {
-	cmd.Printf("Packet trace %s:%d → %s:%d (%s)\n\n", src, sport, dst, dport, strings.ToUpper(proto))
+	cmd.Printf("Packet trace %s:%d -> %s:%d (%s)\n\n", src, sport, dst, dport, strings.ToUpper(proto))
 
 	for _, stage := range resp.Stages {
 		if stage.ForwardingDetails != nil {

client/firewall/uspfilter/conntrack/common.go

@@ -62,5 +62,5 @@ type ConnKey struct {
 }
 
 func (c ConnKey) String() string {
-	return fmt.Sprintf("%s:%d → %s:%d", c.SrcIP.Unmap(), c.SrcPort, c.DstIP.Unmap(), c.DstPort)
+	return fmt.Sprintf("%s:%d -> %s:%d", c.SrcIP.Unmap(), c.SrcPort, c.DstIP.Unmap(), c.DstPort)
 }

client/firewall/uspfilter/conntrack/icmp.go

@@ -3,7 +3,6 @@ package conntrack
 import (
 	"context"
 	"fmt"
-	"net"
 	"net/netip"
 	"sync"
 	"time"
@@ -20,10 +19,6 @@ const (
 	DefaultICMPTimeout = 30 * time.Second
 	// ICMPCleanupInterval is how often we check for stale ICMP connections
 	ICMPCleanupInterval = 15 * time.Second
-
-	// MaxICMPPayloadLength is the maximum length of ICMP payload we consider for original packet info,
-	// which includes the IP header (20 bytes) and transport header (8 bytes)
-	MaxICMPPayloadLength = 28
 )
 
 // ICMPConnKey uniquely identifies an ICMP connection
@@ -34,7 +29,7 @@ type ICMPConnKey struct {
 }
 
 func (i ICMPConnKey) String() string {
-	return fmt.Sprintf("%s → %s (id %d)", i.SrcIP, i.DstIP, i.ID)
+	return fmt.Sprintf("%s -> %s (id %d)", i.SrcIP, i.DstIP, i.ID)
 }
 
 // ICMPConnTrack represents an ICMP connection state
@@ -55,72 +50,6 @@ type ICMPTracker struct {
 	flowLogger    nftypes.FlowLogger
 }
 
-// ICMPInfo holds ICMP type, code, and payload for lazy string formatting in logs
-type ICMPInfo struct {
-	TypeCode    layers.ICMPv4TypeCode
-	PayloadData [MaxICMPPayloadLength]byte
-	// actual length of valid data
-	PayloadLen int
-}
-
-// String implements fmt.Stringer for lazy evaluation in log messages
-func (info ICMPInfo) String() string {
-	if info.isErrorMessage() && info.PayloadLen >= MaxICMPPayloadLength {
-		if origInfo := info.parseOriginalPacket(); origInfo != "" {
-			return fmt.Sprintf("%s (original: %s)", info.TypeCode, origInfo)
-		}
-	}
-
-	return info.TypeCode.String()
-}
-
-// isErrorMessage returns true if this ICMP type carries original packet info
-func (info ICMPInfo) isErrorMessage() bool {
-	typ := info.TypeCode.Type()
-	return typ == 3 || // Destination Unreachable
-		typ == 5 || // Redirect
-		typ == 11 || // Time Exceeded
-		typ == 12 // Parameter Problem
-}
-
-// parseOriginalPacket extracts info about the original packet from ICMP payload
-func (info ICMPInfo) parseOriginalPacket() string {
-	if info.PayloadLen < MaxICMPPayloadLength {
-		return ""
-	}
-
-	// TODO: handle IPv6
-	if version := (info.PayloadData[0] >> 4) & 0xF; version != 4 {
-		return ""
-	}
-
-	protocol := info.PayloadData[9]
-	srcIP := net.IP(info.PayloadData[12:16])
-	dstIP := net.IP(info.PayloadData[16:20])
-
-	transportData := info.PayloadData[20:]
-
-	switch nftypes.Protocol(protocol) {
-	case nftypes.TCP:
-		srcPort := uint16(transportData[0])<<8 | uint16(transportData[1])
-		dstPort := uint16(transportData[2])<<8 | uint16(transportData[3])
-		return fmt.Sprintf("TCP %s:%d → %s:%d", srcIP, srcPort, dstIP, dstPort)
-
-	case nftypes.UDP:
-		srcPort := uint16(transportData[0])<<8 | uint16(transportData[1])
-		dstPort := uint16(transportData[2])<<8 | uint16(transportData[3])
-		return fmt.Sprintf("UDP %s:%d → %s:%d", srcIP, srcPort, dstIP, dstPort)
-
-	case nftypes.ICMP:
-		icmpType := transportData[0]
-		icmpCode := transportData[1]
-		return fmt.Sprintf("ICMP %s → %s (type %d code %d)", srcIP, dstIP, icmpType, icmpCode)
-
-	default:
-		return fmt.Sprintf("Proto %d %s → %s", protocol, srcIP, dstIP)
-	}
-}
-
 // NewICMPTracker creates a new ICMP connection tracker
 func NewICMPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *ICMPTracker {
 	if timeout == 0 {
@@ -164,64 +93,30 @@ func (t *ICMPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, id uint
 }
 
 // TrackOutbound records an outbound ICMP connection
-func (t *ICMPTracker) TrackOutbound(
-	srcIP netip.Addr,
-	dstIP netip.Addr,
-	id uint16,
-	typecode layers.ICMPv4TypeCode,
-	payload []byte,
-	size int,
-) {
+func (t *ICMPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, size int) {
 	if _, exists := t.updateIfExists(dstIP, srcIP, id, nftypes.Egress, size); !exists {
 		// if (inverted direction) conn is not tracked, track this direction
-		t.track(srcIP, dstIP, id, typecode, nftypes.Egress, nil, payload, size)
+		t.track(srcIP, dstIP, id, typecode, nftypes.Egress, nil, size)
 	}
 }
 
 // TrackInbound records an inbound ICMP Echo Request
-func (t *ICMPTracker) TrackInbound(
-	srcIP netip.Addr,
-	dstIP netip.Addr,
-	id uint16,
-	typecode layers.ICMPv4TypeCode,
-	ruleId []byte,
-	payload []byte,
-	size int,
-) {
-	t.track(srcIP, dstIP, id, typecode, nftypes.Ingress, ruleId, payload, size)
+func (t *ICMPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, ruleId []byte, size int) {
+	t.track(srcIP, dstIP, id, typecode, nftypes.Ingress, ruleId, size)
 }
 
 // track is the common implementation for tracking both inbound and outbound ICMP connections
-func (t *ICMPTracker) track(
-	srcIP netip.Addr,
-	dstIP netip.Addr,
-	id uint16,
-	typecode layers.ICMPv4TypeCode,
-	direction nftypes.Direction,
-	ruleId []byte,
-	payload []byte,
-	size int,
-) {
+func (t *ICMPTracker) track(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, direction nftypes.Direction, ruleId []byte, size int) {
 	key, exists := t.updateIfExists(srcIP, dstIP, id, direction, size)
 	if exists {
 		return
 	}
 
 	typ, code := typecode.Type(), typecode.Code()
-	icmpInfo := ICMPInfo{
-		TypeCode: typecode,
-	}
-	if len(payload) > 0 {
-		icmpInfo.PayloadLen = len(payload)
-		if icmpInfo.PayloadLen > MaxICMPPayloadLength {
-			icmpInfo.PayloadLen = MaxICMPPayloadLength
-		}
-		copy(icmpInfo.PayloadData[:], payload[:icmpInfo.PayloadLen])
-	}
 
 	// non echo requests don't need tracking
 	if typ != uint8(layers.ICMPv4TypeEchoRequest) {
-		t.logger.Trace("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+		t.logger.Trace("New %s ICMP connection %s type %d code %d", direction, key, typ, code)
 		t.sendStartEvent(direction, srcIP, dstIP, typ, code, ruleId, size)
 		return
 	}
@@ -243,7 +138,7 @@ func (t *ICMPTracker) track(
 	t.connections[key] = conn
 	t.mutex.Unlock()
 
-	t.logger.Trace("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+	t.logger.Trace("New %s ICMP connection %s type %d code %d", direction, key, typ, code)
 	t.sendEvent(nftypes.TypeStart, conn, ruleId)
 }
 

client/firewall/uspfilter/conntrack/icmp_test.go

@@ -15,7 +15,7 @@ func BenchmarkICMPTracker(b *testing.B) {
 
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 0, []byte{}, 0)
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 0, 0)
 		}
 	})
 
@@ -28,7 +28,7 @@ func BenchmarkICMPTracker(b *testing.B) {
 
 		// Pre-populate some connections
 		for i := 0; i < 1000; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 0, []byte{}, 0)
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 0, 0)
 		}
 
 		b.ResetTimer()

client/firewall/uspfilter/forwarder/endpoint.go

@@ -86,5 +86,5 @@ type epID stack.TransportEndpointID
 
 func (i epID) String() string {
 	// src and remote is swapped
-	return fmt.Sprintf("%s:%d → %s:%d", i.RemoteAddress, i.RemotePort, i.LocalAddress, i.LocalPort)
+	return fmt.Sprintf("%s:%d -> %s:%d", i.RemoteAddress, i.RemotePort, i.LocalAddress, i.LocalPort)
 }

client/firewall/uspfilter/forwarder/tcp.go

@@ -111,12 +111,12 @@ func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn
 
 	if errInToOut != nil {
 		if !isClosedError(errInToOut) {
-			f.logger.Error("proxyTCP: copy error (in → out) for %s: %v", epID(id), errInToOut)
+			f.logger.Error("proxyTCP: copy error (in -> out) for %s: %v", epID(id), errInToOut)
 		}
 	}
 	if errOutToIn != nil {
 		if !isClosedError(errOutToIn) {
-			f.logger.Error("proxyTCP: copy error (out → in) for %s: %v", epID(id), errOutToIn)
+			f.logger.Error("proxyTCP: copy error (out -> in) for %s: %v", epID(id), errOutToIn)
 		}
 	}
 

client/firewall/uspfilter/forwarder/udp.go

@@ -250,10 +250,10 @@ func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack
 	wg.Wait()
 
 	if outboundErr != nil && !isClosedError(outboundErr) {
-		f.logger.Error("proxyUDP: copy error (outbound→inbound) for %s: %v", epID(id), outboundErr)
+		f.logger.Error("proxyUDP: copy error (outbound->inbound) for %s: %v", epID(id), outboundErr)
 	}
 	if inboundErr != nil && !isClosedError(inboundErr) {
-		f.logger.Error("proxyUDP: copy error (inbound→outbound) for %s: %v", epID(id), inboundErr)
+		f.logger.Error("proxyUDP: copy error (inbound->outbound) for %s: %v", epID(id), inboundErr)
 	}
 
 	var rxPackets, txPackets uint64

client/firewall/uspfilter/uspfilter.go

@@ -671,7 +671,7 @@ func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, size int) {
 		flags := getTCPFlags(&d.tcp)
 		m.tcpTracker.TrackOutbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, size)
 	case layers.LayerTypeICMPv4:
-		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, d.icmp4.Payload, size)
+		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, size)
 	}
 }
 
@@ -684,7 +684,7 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 		flags := getTCPFlags(&d.tcp)
 		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size)
 	case layers.LayerTypeICMPv4:
-		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, d.icmp4.Payload, size)
+		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, size)
 	}
 }
 

client/iface/device/device_android.go

@@ -24,7 +24,6 @@ type WGTunDevice struct {
 	mtu        int
 	iceBind    *bind.ICEBind
 	tunAdapter TunAdapter
-	disableDNS bool
 
 	name           string
 	device         *device.Device
@@ -33,7 +32,7 @@ type WGTunDevice struct {
 	configurer     WGConfigurer
 }
 
-func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
+func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind, tunAdapter TunAdapter) *WGTunDevice {
 	return &WGTunDevice{
 		address:    address,
 		port:       port,
@@ -41,7 +40,6 @@ func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind
 		mtu:        mtu,
 		iceBind:    iceBind,
 		tunAdapter: tunAdapter,
-		disableDNS: disableDNS,
 	}
 }
 
@@ -51,13 +49,6 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 	routesString := routesToString(routes)
 	searchDomainsToString := searchDomainsToString(searchDomains)
 
-	// Skip DNS configuration when DisableDNS is enabled
-	if t.disableDNS {
-		log.Info("DNS is disabled, skipping DNS and search domain configuration")
-		dns = ""
-		searchDomainsToString = ""
-	}
-
 	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), t.mtu, dns, searchDomainsToString, routesString)
 	if err != nil {
 		log.Errorf("failed to create Android interface: %s", err)

client/iface/iface.go

@@ -43,7 +43,6 @@ type WGIFaceOpts struct {
 	MobileArgs   *device.MobileIFaceArguments
 	TransportNet transport.Net
 	FilterFn     bind.FilterFn
-	DisableDNS   bool
 }
 
 // WGIface represents an interface instance

client/iface/iface_new_android.go

@@ -18,7 +18,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 
 	wgIFace := &WGIface{
 		userspaceBind:  true,
-		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter, opts.DisableDNS),
+		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter),
 		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil

client/internal/acl/manager.go

@@ -398,15 +398,11 @@ func (d *DefaultManager) squashAcceptRules(
 	//
 	// We zeroed this to notify squash function that this protocol can't be squashed.
 	addRuleToCalculationMap := func(i int, r *mgmProto.FirewallRule, protocols map[mgmProto.RuleProtocol]*protoMatch) {
-		hasPortRestrictions := r.Action == mgmProto.RuleAction_DROP ||
-			r.Port != "" || !portInfoEmpty(r.PortInfo)
-
-		if hasPortRestrictions {
-			// Don't squash rules with port restrictions
+		drop := r.Action == mgmProto.RuleAction_DROP || r.Port != ""
+		if drop {
 			protocols[r.Protocol] = &protoMatch{ips: map[string]int{}}
 			return
 		}
-
 		if _, ok := protocols[r.Protocol]; !ok {
 			protocols[r.Protocol] = &protoMatch{
 				ips: map[string]int{},

client/internal/acl/manager_test.go

@@ -330,434 +330,6 @@ func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
 	assert.Equal(t, len(networkMap.FirewallRules), len(rules))
 }
 
-func TestDefaultManagerSquashRulesWithPortRestrictions(t *testing.T) {
-	tests := []struct {
-		name          string
-		rules         []*mgmProto.FirewallRule
-		expectedCount int
-		description   string
-	}{
-		{
-			name: "should not squash rules with port ranges",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with port ranges should not be squashed even if they cover all peers",
-		},
-		{
-			name: "should not squash rules with specific ports",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with specific ports should not be squashed even if they cover all peers",
-		},
-		{
-			name: "should not squash rules with legacy port field",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with legacy port field should not be squashed",
-		},
-		{
-			name: "should not squash rules with DROP action",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with DROP action should not be squashed",
-		},
-		{
-			name: "should squash rules without port restrictions",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-			},
-			expectedCount: 1,
-			description:   "Rules without port restrictions should be squashed into a single 0.0.0.0 rule",
-		},
-		{
-			name: "mixed rules should not squash protocol with port restrictions",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-			},
-			expectedCount: 4,
-			description:   "TCP should not be squashed because one rule has port restrictions",
-		},
-		{
-			name: "should squash UDP but not TCP when TCP has port restrictions",
-			rules: []*mgmProto.FirewallRule{
-				// TCP rules with port restrictions - should NOT be squashed
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				// UDP rules without port restrictions - SHOULD be squashed
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-			},
-			expectedCount: 5, // 4 TCP rules + 1 squashed UDP rule (0.0.0.0)
-			description:   "UDP should be squashed to 0.0.0.0 rule, but TCP should remain as individual rules due to port restrictions",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			networkMap := &mgmProto.NetworkMap{
-				RemotePeers: []*mgmProto.RemotePeerConfig{
-					{AllowedIps: []string{"10.93.0.1"}},
-					{AllowedIps: []string{"10.93.0.2"}},
-					{AllowedIps: []string{"10.93.0.3"}},
-					{AllowedIps: []string{"10.93.0.4"}},
-				},
-				FirewallRules: tt.rules,
-			}
-
-			manager := &DefaultManager{}
-			rules, _ := manager.squashAcceptRules(networkMap)
-
-			assert.Equal(t, tt.expectedCount, len(rules), tt.description)
-
-			// For squashed rules, verify we get the expected 0.0.0.0 rule
-			if tt.expectedCount == 1 {
-				assert.Equal(t, "0.0.0.0", rules[0].PeerIP)
-				assert.Equal(t, mgmProto.RuleDirection_IN, rules[0].Direction)
-				assert.Equal(t, mgmProto.RuleAction_ACCEPT, rules[0].Action)
-			}
-		})
-	}
-}
-
-func TestPortInfoEmpty(t *testing.T) {
-	tests := []struct {
-		name     string
-		portInfo *mgmProto.PortInfo
-		expected bool
-	}{
-		{
-			name:     "nil PortInfo should be empty",
-			portInfo: nil,
-			expected: true,
-		},
-		{
-			name: "PortInfo with zero port should be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Port{
-					Port: 0,
-				},
-			},
-			expected: true,
-		},
-		{
-			name: "PortInfo with valid port should not be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Port{
-					Port: 80,
-				},
-			},
-			expected: false,
-		},
-		{
-			name: "PortInfo with nil range should be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Range_{
-					Range: nil,
-				},
-			},
-			expected: true,
-		},
-		{
-			name: "PortInfo with zero start range should be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Range_{
-					Range: &mgmProto.PortInfo_Range{
-						Start: 0,
-						End:   100,
-					},
-				},
-			},
-			expected: true,
-		},
-		{
-			name: "PortInfo with zero end range should be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Range_{
-					Range: &mgmProto.PortInfo_Range{
-						Start: 80,
-						End:   0,
-					},
-				},
-			},
-			expected: true,
-		},
-		{
-			name: "PortInfo with valid range should not be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Range_{
-					Range: &mgmProto.PortInfo_Range{
-						Start: 8080,
-						End:   8090,
-					},
-				},
-			},
-			expected: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := portInfoEmpty(tt.portInfo)
-			assert.Equal(t, tt.expected, result)
-		})
-	}
-}
-
 func TestDefaultManagerEnableSSHRules(t *testing.T) {
 	networkMap := &mgmProto.NetworkMap{
 		PeerConfig: &mgmProto.PeerConfig{

client/internal/config.go

@@ -223,8 +223,6 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 	config := &Config{
 		// defaults to false only for new (post 0.26) configurations
 		ServerSSHAllowed: util.False(),
-		// default to disabling server routes on Android for security
-		DisableServerRoutes: runtime.GOOS == "android",
 	}
 
 	if _, err := config.apply(input); err != nil {
@@ -418,15 +416,9 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		config.ServerSSHAllowed = input.ServerSSHAllowed
 		updated = true
 	} else if config.ServerSSHAllowed == nil {
-		if runtime.GOOS == "android" {
-			// default to disabled SSH on Android for security
-			log.Infof("setting SSH server to false by default on Android")
-			config.ServerSSHAllowed = util.False()
-		} else {
-			// enables SSH for configs from old versions to preserve backwards compatibility
-			log.Infof("falling back to enabled SSH server for pre-existing configuration")
-			config.ServerSSHAllowed = util.True()
-		}
+		// enables SSH for configs from old versions to preserve backwards compatibility
+		log.Infof("falling back to enabled SSH server for pre-existing configuration")
+		config.ServerSSHAllowed = util.True()
 		updated = true
 	}
 

client/internal/conn_mgr.go

@@ -175,7 +175,7 @@ func (e *ConnMgr) AddPeerConn(ctx context.Context, peerKey string, conn *peer.Co
 		PeerConnID: conn.ConnID(),
 		Log:        conn.Log,
 	}
-	excluded, err := e.lazyConnMgr.AddPeer(e.lazyCtx, lazyPeerCfg)
+	excluded, err := e.lazyConnMgr.AddPeer(lazyPeerCfg)
 	if err != nil {
 		conn.Log.Errorf("failed to add peer to lazyconn manager: %v", err)
 		if err := conn.Open(ctx); err != nil {

client/internal/dns/handler_chain.go

@@ -11,10 +11,9 @@ import (
 )
 
 const (
-	PriorityLocal    = 100
-	PriorityDNSRoute = 75
-	PriorityUpstream = 50
-	PriorityDefault  = 1
+	PriorityDNSRoute    = 100
+	PriorityMatchDomain = 50
+	PriorityDefault     = 1
 )
 
 type SubdomainMatcher interface {

client/internal/dns/handler_chain_test.go

@@ -22,7 +22,7 @@ func TestHandlerChain_ServeDNS_Priorities(t *testing.T) {
 
 	// Setup handlers with different priorities
 	chain.AddHandler("example.com.", defaultHandler, nbdns.PriorityDefault)
-	chain.AddHandler("example.com.", matchDomainHandler, nbdns.PriorityUpstream)
+	chain.AddHandler("example.com.", matchDomainHandler, nbdns.PriorityMatchDomain)
 	chain.AddHandler("example.com.", dnsRouteHandler, nbdns.PriorityDNSRoute)
 
 	// Create test request
@@ -200,7 +200,7 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 				priority int
 			}{
 				{pattern: "*.example.com.", priority: nbdns.PriorityDefault},
-				{pattern: "*.example.com.", priority: nbdns.PriorityUpstream},
+				{pattern: "*.example.com.", priority: nbdns.PriorityMatchDomain},
 				{pattern: "*.example.com.", priority: nbdns.PriorityDNSRoute},
 			},
 			queryDomain:     "test.example.com.",
@@ -214,7 +214,7 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 				priority int
 			}{
 				{pattern: "*.example.com.", priority: nbdns.PriorityDefault},
-				{pattern: "test.example.com.", priority: nbdns.PriorityUpstream},
+				{pattern: "test.example.com.", priority: nbdns.PriorityMatchDomain},
 				{pattern: "*.test.example.com.", priority: nbdns.PriorityDNSRoute},
 			},
 			queryDomain:     "sub.test.example.com.",
@@ -281,7 +281,7 @@ func TestHandlerChain_ServeDNS_ChainContinuation(t *testing.T) {
 
 	// Add handlers in priority order
 	chain.AddHandler("example.com.", handler1, nbdns.PriorityDNSRoute)
-	chain.AddHandler("example.com.", handler2, nbdns.PriorityUpstream)
+	chain.AddHandler("example.com.", handler2, nbdns.PriorityMatchDomain)
 	chain.AddHandler("example.com.", handler3, nbdns.PriorityDefault)
 
 	// Create test request
@@ -344,13 +344,13 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 				priority int
 			}{
 				{"add", "example.com.", nbdns.PriorityDNSRoute},
-				{"add", "example.com.", nbdns.PriorityUpstream},
+				{"add", "example.com.", nbdns.PriorityMatchDomain},
 				{"remove", "example.com.", nbdns.PriorityDNSRoute},
 			},
 			query: "example.com.",
 			expectedCalls: map[int]bool{
-				nbdns.PriorityDNSRoute: false,
-				nbdns.PriorityUpstream: true,
+				nbdns.PriorityDNSRoute:    false,
+				nbdns.PriorityMatchDomain: true,
 			},
 		},
 		{
@@ -361,13 +361,13 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 				priority int
 			}{
 				{"add", "example.com.", nbdns.PriorityDNSRoute},
-				{"add", "example.com.", nbdns.PriorityUpstream},
-				{"remove", "example.com.", nbdns.PriorityUpstream},
+				{"add", "example.com.", nbdns.PriorityMatchDomain},
+				{"remove", "example.com.", nbdns.PriorityMatchDomain},
 			},
 			query: "example.com.",
 			expectedCalls: map[int]bool{
-				nbdns.PriorityDNSRoute: true,
-				nbdns.PriorityUpstream: false,
+				nbdns.PriorityDNSRoute:    true,
+				nbdns.PriorityMatchDomain: false,
 			},
 		},
 		{
@@ -378,16 +378,16 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 				priority int
 			}{
 				{"add", "example.com.", nbdns.PriorityDNSRoute},
-				{"add", "example.com.", nbdns.PriorityUpstream},
+				{"add", "example.com.", nbdns.PriorityMatchDomain},
 				{"add", "example.com.", nbdns.PriorityDefault},
 				{"remove", "example.com.", nbdns.PriorityDNSRoute},
-				{"remove", "example.com.", nbdns.PriorityUpstream},
+				{"remove", "example.com.", nbdns.PriorityMatchDomain},
 			},
 			query: "example.com.",
 			expectedCalls: map[int]bool{
-				nbdns.PriorityDNSRoute: false,
-				nbdns.PriorityUpstream: false,
-				nbdns.PriorityDefault:  true,
+				nbdns.PriorityDNSRoute:    false,
+				nbdns.PriorityMatchDomain: false,
+				nbdns.PriorityDefault:     true,
 			},
 		},
 	}
@@ -454,7 +454,7 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	// Add handlers in mixed order
 	chain.AddHandler(testDomain, defaultHandler, nbdns.PriorityDefault)
 	chain.AddHandler(testDomain, routeHandler, nbdns.PriorityDNSRoute)
-	chain.AddHandler(testDomain, matchHandler, nbdns.PriorityUpstream)
+	chain.AddHandler(testDomain, matchHandler, nbdns.PriorityMatchDomain)
 
 	// Test 1: Initial state
 	w1 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
@@ -490,7 +490,7 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	defaultHandler.Calls = nil
 
 	// Test 3: Remove middle priority handler
-	chain.RemoveHandler(testDomain, nbdns.PriorityUpstream)
+	chain.RemoveHandler(testDomain, nbdns.PriorityMatchDomain)
 
 	w3 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 	// Now lowest priority handler (defaultHandler) should be called
@@ -607,7 +607,7 @@ func TestHandlerChain_CaseSensitivity(t *testing.T) {
 				shouldMatch bool
 			}{
 				{"EXAMPLE.COM.", nbdns.PriorityDefault, false, false},
-				{"example.com.", nbdns.PriorityUpstream, false, false},
+				{"example.com.", nbdns.PriorityMatchDomain, false, false},
 				{"Example.Com.", nbdns.PriorityDNSRoute, false, true},
 			},
 			query:         "example.com.",
@@ -702,8 +702,8 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "example.com.", nbdns.PriorityUpstream, true},
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, false},
+				{"add", "example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, false},
 			},
 			query:         "sub.example.com.",
 			expectedMatch: "sub.example.com.",
@@ -717,8 +717,8 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "example.com.", nbdns.PriorityUpstream, true},
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, true},
+				{"add", "example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, true},
 			},
 			query:         "sub.example.com.",
 			expectedMatch: "sub.example.com.",
@@ -732,10 +732,10 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "example.com.", nbdns.PriorityUpstream, true},
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, true},
-				{"add", "test.sub.example.com.", nbdns.PriorityUpstream, false},
-				{"remove", "test.sub.example.com.", nbdns.PriorityUpstream, false},
+				{"add", "example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "test.sub.example.com.", nbdns.PriorityMatchDomain, false},
+				{"remove", "test.sub.example.com.", nbdns.PriorityMatchDomain, false},
 			},
 			query:         "test.sub.example.com.",
 			expectedMatch: "sub.example.com.",
@@ -749,7 +749,7 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, false},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, false},
 				{"add", "example.com.", nbdns.PriorityDNSRoute, true},
 			},
 			query:         "sub.example.com.",
@@ -764,9 +764,9 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "example.com.", nbdns.PriorityUpstream, true},
-				{"add", "other.example.com.", nbdns.PriorityUpstream, true},
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, false},
+				{"add", "example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "other.example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, false},
 			},
 			query:         "sub.example.com.",
 			expectedMatch: "sub.example.com.",

client/internal/dns/server.go

@@ -527,7 +527,7 @@ func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone)
 		muxUpdates = append(muxUpdates, handlerWrapper{
 			domain:   customZone.Domain,
 			handler:  s.localResolver,
-			priority: PriorityLocal,
+			priority: PriorityMatchDomain,
 		})
 
 		for _, record := range customZone.Records {
@@ -566,7 +566,7 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam
 	groupedNS := groupNSGroupsByDomain(nameServerGroups)
 
 	for _, domainGroup := range groupedNS {
-		basePriority := PriorityUpstream
+		basePriority := PriorityMatchDomain
 		if domainGroup.domain == nbdns.RootZone {
 			basePriority = PriorityDefault
 		}
@@ -588,14 +588,10 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 		// Decrement priority by handler index (0, 1, 2, ...) to avoid conflicts
 		priority := basePriority - i
 
-		// Check if we're about to overlap with the next priority tier.
-		// This boundary check ensures that the priority of upstream handlers does not conflict
-		// with the default priority tier. By decrementing the priority for each handler, we avoid
-		// overlaps, but if the calculated priority falls into the default tier, we skip the remaining
-		// handlers to maintain the integrity of the priority system.
-		if basePriority == PriorityUpstream && priority <= PriorityDefault {
+		// Check if we're about to overlap with the next priority tier
+		if basePriority == PriorityMatchDomain && priority <= PriorityDefault {
 			log.Warnf("too many handlers for domain=%s, would overlap with default priority tier (diff=%d). Skipping remaining handlers",
-				domainGroup.domain, PriorityUpstream-PriorityDefault)
+				domainGroup.domain, PriorityMatchDomain-PriorityDefault)
 			break
 		}
 

client/internal/dns/server_test.go

@@ -164,12 +164,12 @@ func TestUpdateDNSServer(t *testing.T) {
 				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
 					domain:   "netbird.io",
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				dummyHandler.ID(): handlerWrapper{
 					domain:   "netbird.cloud",
 					handler:  dummyHandler,
-					priority: PriorityLocal,
+					priority: PriorityMatchDomain,
 				},
 				generateDummyHandler(".", nameServers).ID(): handlerWrapper{
 					domain:   nbdns.RootZone,
@@ -186,7 +186,7 @@ func TestUpdateDNSServer(t *testing.T) {
 				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   "netbird.cloud",
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			initSerial:  0,
@@ -210,12 +210,12 @@ func TestUpdateDNSServer(t *testing.T) {
 				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
 					domain:   "netbird.io",
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				"local-resolver": handlerWrapper{
 					domain:   "netbird.cloud",
 					handler:  dummyHandler,
-					priority: PriorityLocal,
+					priority: PriorityMatchDomain,
 				},
 			},
 			expectedLocalQs: []dns.Question{{Name: zoneRecords[0].Name, Qtype: 1, Qclass: 1}},
@@ -305,7 +305,7 @@ func TestUpdateDNSServer(t *testing.T) {
 				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			initSerial:          0,
@@ -321,7 +321,7 @@ func TestUpdateDNSServer(t *testing.T) {
 				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			initSerial:          0,
@@ -495,7 +495,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 		"id1": handlerWrapper{
 			domain:   zoneRecords[0].Name,
 			handler:  &local.Resolver{},
-			priority: PriorityUpstream,
+			priority: PriorityMatchDomain,
 		},
 	}
 	//dnsServer.localResolver.RegisteredMap = local.RegistrationMap{local.BuildRecordKey("netbird.cloud", dns.ClassINET, dns.TypeA): struct{}{}}
@@ -978,7 +978,7 @@ func TestHandlerChain_DomainPriorities(t *testing.T) {
 	}
 
 	chain.AddHandler("example.com.", dnsRouteHandler, PriorityDNSRoute)
-	chain.AddHandler("example.com.", upstreamHandler, PriorityUpstream)
+	chain.AddHandler("example.com.", upstreamHandler, PriorityMatchDomain)
 
 	testCases := []struct {
 		name            string
@@ -1059,14 +1059,14 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 			handler: &mockHandler{
 				Id: "upstream-group1",
 			},
-			priority: PriorityUpstream,
+			priority: PriorityMatchDomain,
 		},
 		"upstream-group2": {
 			domain: "example.com",
 			handler: &mockHandler{
 				Id: "upstream-group2",
 			},
-			priority: PriorityUpstream - 1,
+			priority: PriorityMatchDomain - 1,
 		},
 	}
 
@@ -1093,21 +1093,21 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 			handler: &mockHandler{
 				Id: "upstream-group1",
 			},
-			priority: PriorityUpstream,
+			priority: PriorityMatchDomain,
 		},
 		"upstream-group2": {
 			domain: "example.com",
 			handler: &mockHandler{
 				Id: "upstream-group2",
 			},
-			priority: PriorityUpstream - 1,
+			priority: PriorityMatchDomain - 1,
 		},
 		"upstream-other": {
 			domain: "other.com",
 			handler: &mockHandler{
 				Id: "upstream-other",
 			},
-			priority: PriorityUpstream,
+			priority: PriorityMatchDomain,
 		},
 	}
 
@@ -1128,7 +1128,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group2",
 					},
-					priority: PriorityUpstream - 1,
+					priority: PriorityMatchDomain - 1,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1146,7 +1146,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1164,7 +1164,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group3",
 					},
-					priority: PriorityUpstream + 1,
+					priority: PriorityMatchDomain + 1,
 				},
 				// Keep existing groups with their original priorities
 				{
@@ -1172,14 +1172,14 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "example.com",
 					handler: &mockHandler{
 						Id: "upstream-group2",
 					},
-					priority: PriorityUpstream - 1,
+					priority: PriorityMatchDomain - 1,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1199,14 +1199,14 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "example.com",
 					handler: &mockHandler{
 						Id: "upstream-group2",
 					},
-					priority: PriorityUpstream - 1,
+					priority: PriorityMatchDomain - 1,
 				},
 				// Add group3 with lowest priority
 				{
@@ -1214,7 +1214,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group3",
 					},
-					priority: PriorityUpstream - 2,
+					priority: PriorityMatchDomain - 2,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1335,14 +1335,14 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "other.com",
 					handler: &mockHandler{
 						Id: "upstream-other",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1360,28 +1360,28 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "example.com",
 					handler: &mockHandler{
 						Id: "upstream-group2",
 					},
-					priority: PriorityUpstream - 1,
+					priority: PriorityMatchDomain - 1,
 				},
 				{
 					domain: "other.com",
 					handler: &mockHandler{
 						Id: "upstream-other",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "new.com",
 					handler: &mockHandler{
 						Id: "upstream-new",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1791,14 +1791,14 @@ func TestExtraDomainsRefCounting(t *testing.T) {
 
 	// Register domains from different handlers with same domain
 	server.RegisterHandler(domain.List{"*.shared.example.com"}, &MockHandler{}, PriorityDNSRoute)
-	server.RegisterHandler(domain.List{"shared.example.com."}, &MockHandler{}, PriorityUpstream)
+	server.RegisterHandler(domain.List{"shared.example.com."}, &MockHandler{}, PriorityMatchDomain)
 
 	// Verify refcount is 2
 	zoneKey := toZone("shared.example.com")
 	assert.Equal(t, 2, server.extraDomains[zoneKey], "Refcount should be 2 after registering same domain twice")
 
 	// Deregister one handler
-	server.DeregisterHandler(domain.List{"shared.example.com"}, PriorityUpstream)
+	server.DeregisterHandler(domain.List{"shared.example.com"}, PriorityMatchDomain)
 
 	// Verify refcount is 1
 	assert.Equal(t, 1, server.extraDomains[zoneKey], "Refcount should be 1 after deregistering one handler")
@@ -1925,7 +1925,7 @@ func TestDomainCaseHandling(t *testing.T) {
 	}
 
 	server.RegisterHandler(domain.List{"MIXED.example.com"}, &MockHandler{}, PriorityDefault)
-	server.RegisterHandler(domain.List{"mixed.EXAMPLE.com"}, &MockHandler{}, PriorityUpstream)
+	server.RegisterHandler(domain.List{"mixed.EXAMPLE.com"}, &MockHandler{}, PriorityMatchDomain)
 
 	assert.Equal(t, 1, len(server.extraDomains), "Case differences should be normalized")
 
@@ -1945,111 +1945,3 @@ func TestDomainCaseHandling(t *testing.T) {
 	assert.Contains(t, domains, "config.example.com.", "Mixed case domain should be normalized and pre.sent")
 	assert.Contains(t, domains, "mixed.example.com.", "Mixed case domain should be normalized and present")
 }
-
-func TestLocalResolverPriorityInServer(t *testing.T) {
-	server := &DefaultServer{
-		ctx:           context.Background(),
-		wgInterface:   &mocWGIface{},
-		handlerChain:  NewHandlerChain(),
-		localResolver: local.NewResolver(),
-		service:       &mockService{},
-		extraDomains:  make(map[domain.Domain]int),
-	}
-
-	config := nbdns.Config{
-		ServiceEnable: true,
-		CustomZones: []nbdns.CustomZone{
-			{
-				Domain: "local.example.com",
-				Records: []nbdns.SimpleRecord{
-					{
-						Name:  "test.local.example.com",
-						Type:  int(dns.TypeA),
-						Class: nbdns.DefaultClass,
-						TTL:   300,
-						RData: "192.168.1.100",
-					},
-				},
-			},
-		},
-		NameServerGroups: []*nbdns.NameServerGroup{
-			{
-				Domains: []string{"local.example.com"}, // Same domain as local records
-				NameServers: []nbdns.NameServer{
-					{
-						IP:     netip.MustParseAddr("8.8.8.8"),
-						NSType: nbdns.UDPNameServerType,
-						Port:   53,
-					},
-				},
-			},
-		},
-	}
-
-	localMuxUpdates, _, err := server.buildLocalHandlerUpdate(config.CustomZones)
-	assert.NoError(t, err)
-
-	upstreamMuxUpdates, err := server.buildUpstreamHandlerUpdate(config.NameServerGroups)
-	assert.NoError(t, err)
-
-	// Verify that local handler has higher priority than upstream for same domain
-	var localPriority, upstreamPriority int
-	localFound, upstreamFound := false, false
-
-	for _, update := range localMuxUpdates {
-		if update.domain == "local.example.com" {
-			localPriority = update.priority
-			localFound = true
-		}
-	}
-
-	for _, update := range upstreamMuxUpdates {
-		if update.domain == "local.example.com" {
-			upstreamPriority = update.priority
-			upstreamFound = true
-		}
-	}
-
-	assert.True(t, localFound, "Local handler should be found")
-	assert.True(t, upstreamFound, "Upstream handler should be found")
-	assert.Greater(t, localPriority, upstreamPriority,
-		"Local handler priority (%d) should be higher than upstream priority (%d)",
-		localPriority, upstreamPriority)
-	assert.Equal(t, PriorityLocal, localPriority, "Local handler should use PriorityLocal")
-	assert.Equal(t, PriorityUpstream, upstreamPriority, "Upstream handler should use PriorityUpstream")
-}
-
-func TestLocalResolverPriorityConstants(t *testing.T) {
-	// Test that priority constants are ordered correctly
-	assert.Greater(t, PriorityLocal, PriorityDNSRoute, "Local priority should be higher than DNS route")
-	assert.Greater(t, PriorityLocal, PriorityUpstream, "Local priority should be higher than upstream")
-	assert.Greater(t, PriorityUpstream, PriorityDefault, "Upstream priority should be higher than default")
-
-	// Test that local resolver uses the correct priority
-	server := &DefaultServer{
-		localResolver: local.NewResolver(),
-	}
-
-	config := nbdns.Config{
-		CustomZones: []nbdns.CustomZone{
-			{
-				Domain: "local.example.com",
-				Records: []nbdns.SimpleRecord{
-					{
-						Name:  "test.local.example.com",
-						Type:  int(dns.TypeA),
-						Class: nbdns.DefaultClass,
-						TTL:   300,
-						RData: "192.168.1.100",
-					},
-				},
-			},
-		},
-	}
-
-	localMuxUpdates, _, err := server.buildLocalHandlerUpdate(config.CustomZones)
-	assert.NoError(t, err)
-	assert.Len(t, localMuxUpdates, 1)
-	assert.Equal(t, PriorityLocal, localMuxUpdates[0].priority, "Local handler should use PriorityLocal")
-	assert.Equal(t, "local.example.com", localMuxUpdates[0].domain)
-}

client/internal/dns/upstream.go

@@ -2,7 +2,6 @@ package dns
 
 import (
 	"context"
-	"crypto/rand"
 	"crypto/sha256"
 	"encoding/hex"
 	"errors"
@@ -104,21 +103,19 @@ func (u *upstreamResolverBase) Stop() {
 
 // ServeDNS handles a DNS request
 func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	requestID := GenerateRequestID()
-	logger := log.WithField("request_id", requestID)
 	var err error
 	defer func() {
 		u.checkUpstreamFails(err)
 	}()
 
-	logger.Tracef("received upstream question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
+	log.Tracef("received upstream question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
 	if r.Extra == nil {
 		r.MsgHdr.AuthenticatedData = true
 	}
 
 	select {
 	case <-u.ctx.Done():
-		logger.Tracef("%s has been stopped", u)
+		log.Tracef("%s has been stopped", u)
 		return
 	default:
 	}
@@ -135,35 +132,35 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 
 		if err != nil {
 			if errors.Is(err, context.DeadlineExceeded) || isTimeout(err) {
-				logger.Warnf("upstream %s timed out for question domain=%s", upstream, r.Question[0].Name)
+				log.Warnf("upstream %s timed out for question domain=%s", upstream, r.Question[0].Name)
 				continue
 			}
-			logger.Warnf("failed to query upstream %s for question domain=%s: %s", upstream, r.Question[0].Name, err)
+			log.Warnf("failed to query upstream %s for question domain=%s: %s", upstream, r.Question[0].Name, err)
 			continue
 		}
 
 		if rm == nil || !rm.Response {
-			logger.Warnf("no response from upstream %s for question domain=%s", upstream, r.Question[0].Name)
+			log.Warnf("no response from upstream %s for question domain=%s", upstream, r.Question[0].Name)
 			continue
 		}
 
 		u.successCount.Add(1)
-		logger.Tracef("took %s to query the upstream %s for question domain=%s", t, upstream, r.Question[0].Name)
+		log.Tracef("took %s to query the upstream %s for question domain=%s", t, upstream, r.Question[0].Name)
 
 		if err = w.WriteMsg(rm); err != nil {
-			logger.Errorf("failed to write DNS response for question domain=%s: %s", r.Question[0].Name, err)
+			log.Errorf("failed to write DNS response for question domain=%s: %s", r.Question[0].Name, err)
 		}
 		// count the fails only if they happen sequentially
 		u.failsCount.Store(0)
 		return
 	}
 	u.failsCount.Add(1)
-	logger.Errorf("all queries to the %s failed for question domain=%s", u, r.Question[0].Name)
+	log.Errorf("all queries to the %s failed for question domain=%s", u, r.Question[0].Name)
 
 	m := new(dns.Msg)
 	m.SetRcode(r, dns.RcodeServerFailure)
 	if err := w.WriteMsg(m); err != nil {
-		logger.Errorf("failed to write error response for %s for question domain=%s: %s", u, r.Question[0].Name, err)
+		log.Errorf("failed to write error response for %s for question domain=%s: %s", u, r.Question[0].Name, err)
 	}
 }
 
@@ -388,13 +385,3 @@ func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, u
 
 	return rm, t, nil
 }
-
-func GenerateRequestID() string {
-	bytes := make([]byte, 4)
-	_, err := rand.Read(bytes)
-	if err != nil {
-		log.Errorf("failed to generate request ID: %v", err)
-		return ""
-	}
-	return hex.EncodeToString(bytes)
-}

client/internal/dns/upstream_android.go

@@ -84,10 +84,3 @@ func (u *upstreamResolver) isLocalResolver(upstream string) bool {
 	}
 	return false
 }
-
-func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
-	return &dns.Client{
-		Timeout: dialTimeout,
-		Net:     "udp",
-	}, nil
-}

client/internal/dns/upstream_general.go

@@ -36,10 +36,3 @@ func newUpstreamResolver(
 func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
 	return ExchangeWithFallback(ctx, &dns.Client{}, r, upstream)
 }
-
-func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
-	return &dns.Client{
-		Timeout: dialTimeout,
-		Net:     "udp",
-	}, nil
-}

client/internal/dnsfwd/forwarder.go

@@ -18,20 +18,14 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/route"
 )
 
 const errResolveFailed = "failed to resolve query for domain=%s: %v"
 const upstreamTimeout = 15 * time.Second
 
-type resolver interface {
-	LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error)
-}
-
-type firewaller interface {
-	UpdateSet(set firewall.Set, prefixes []netip.Prefix) error
-}
-
 type DNSForwarder struct {
 	listenAddress  string
 	ttl            uint32
@@ -44,18 +38,16 @@ type DNSForwarder struct {
 
 	mutex      sync.RWMutex
 	fwdEntries []*ForwarderEntry
-	firewall   firewaller
-	resolver   resolver
+	firewall   firewall.Manager
 }
 
-func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewaller, statusRecorder *peer.Status) *DNSForwarder {
+func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewall.Manager, statusRecorder *peer.Status) *DNSForwarder {
 	log.Debugf("creating DNS forwarder with listen_address=%s ttl=%d", listenAddress, ttl)
 	return &DNSForwarder{
 		listenAddress:  listenAddress,
 		ttl:            ttl,
 		firewall:       firewall,
 		statusRecorder: statusRecorder,
-		resolver:       net.DefaultResolver,
 	}
 }
 
@@ -65,17 +57,14 @@ func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
 	// UDP server
 	mux := dns.NewServeMux()
 	f.mux = mux
-	mux.HandleFunc(".", f.handleDNSQueryUDP)
 	f.dnsServer = &dns.Server{
 		Addr:    f.listenAddress,
 		Net:     "udp",
 		Handler: mux,
 	}
-
 	// TCP server
 	tcpMux := dns.NewServeMux()
 	f.tcpMux = tcpMux
-	tcpMux.HandleFunc(".", f.handleDNSQueryTCP)
 	f.tcpServer = &dns.Server{
 		Addr:    f.listenAddress,
 		Net:     "tcp",
@@ -98,13 +87,30 @@ func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
 	// return the first error we get (e.g. bind failure or shutdown)
 	return <-errCh
 }
-
 func (f *DNSForwarder) UpdateDomains(entries []*ForwarderEntry) {
 	f.mutex.Lock()
 	defer f.mutex.Unlock()
 
+	if f.mux == nil {
+		log.Debug("DNS mux is nil, skipping domain update")
+		f.fwdEntries = entries
+		return
+	}
+
+	oldDomains := filterDomains(f.fwdEntries)
+	for _, d := range oldDomains {
+		f.mux.HandleRemove(d.PunycodeString())
+		f.tcpMux.HandleRemove(d.PunycodeString())
+	}
+
+	newDomains := filterDomains(entries)
+	for _, d := range newDomains {
+		f.mux.HandleFunc(d.PunycodeString(), f.handleDNSQueryUDP)
+		f.tcpMux.HandleFunc(d.PunycodeString(), f.handleDNSQueryTCP)
+	}
+
 	f.fwdEntries = entries
-	log.Debugf("Updated DNS forwarder with %d domains", len(entries))
+	log.Debugf("Updated domains from %v to %v", oldDomains, newDomains)
 }
 
 func (f *DNSForwarder) Close(ctx context.Context) error {
@@ -151,31 +157,22 @@ func (f *DNSForwarder) handleDNSQuery(w dns.ResponseWriter, query *dns.Msg) *dns
 		return nil
 	}
 
-	mostSpecificResId, matchingEntries := f.getMatchingEntries(strings.TrimSuffix(domain, "."))
-	// query doesn't match any configured domain
-	if mostSpecificResId == "" {
-		resp.Rcode = dns.RcodeRefused
-		if err := w.WriteMsg(resp); err != nil {
-			log.Errorf("failed to write DNS response: %v", err)
-		}
-		return nil
-	}
-
 	ctx, cancel := context.WithTimeout(context.Background(), upstreamTimeout)
 	defer cancel()
-	ips, err := f.resolver.LookupNetIP(ctx, network, domain)
+	ips, err := net.DefaultResolver.LookupNetIP(ctx, network, domain)
 	if err != nil {
 		f.handleDNSError(w, query, resp, domain, err)
 		return nil
 	}
 
-	f.updateInternalState(ips, mostSpecificResId, matchingEntries)
+	f.updateInternalState(domain, ips)
 	f.addIPsToResponse(resp, domain, ips)
 
 	return resp
 }
 
 func (f *DNSForwarder) handleDNSQueryUDP(w dns.ResponseWriter, query *dns.Msg) {
+
 	resp := f.handleDNSQuery(w, query)
 	if resp == nil {
 		return
@@ -209,8 +206,9 @@ func (f *DNSForwarder) handleDNSQueryTCP(w dns.ResponseWriter, query *dns.Msg) {
 	}
 }
 
-func (f *DNSForwarder) updateInternalState(ips []netip.Addr, mostSpecificResId route.ResID, matchingEntries []*ForwarderEntry) {
+func (f *DNSForwarder) updateInternalState(domain string, ips []netip.Addr) {
 	var prefixes []netip.Prefix
+	mostSpecificResId, matchingEntries := f.getMatchingEntries(strings.TrimSuffix(domain, "."))
 	if mostSpecificResId != "" {
 		for _, ip := range ips {
 			var prefix netip.Prefix
@@ -341,3 +339,16 @@ func (f *DNSForwarder) getMatchingEntries(domain string) (route.ResID, []*Forwar
 
 	return selectedResId, matches
 }
+
+// filterDomains returns a list of normalized domains
+func filterDomains(entries []*ForwarderEntry) domain.List {
+	newDomains := make(domain.List, 0, len(entries))
+	for _, d := range entries {
+		if d.Domain == "" {
+			log.Warn("empty domain in DNS forwarder")
+			continue
+		}
+		newDomains = append(newDomains, domain.Domain(nbdns.NormalizeZone(d.Domain.PunycodeString())))
+	}
+	return newDomains
+}

client/internal/dnsfwd/forwarder_test.go

@@ -1,21 +1,11 @@
 package dnsfwd
 
 import (
-	"context"
-	"fmt"
-	"net/netip"
-	"strings"
 	"testing"
-	"time"
 
-	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/internal/dns/test"
-	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/route"
 )
@@ -23,7 +13,7 @@ import (
 func Test_getMatchingEntries(t *testing.T) {
 	testCases := []struct {
 		name           string
-		storedMappings map[string]route.ResID
+		storedMappings map[string]route.ResID // key: domain pattern, value: resId
 		queryDomain    string
 		expectedResId  route.ResID
 	}{
@@ -54,7 +44,7 @@ func Test_getMatchingEntries(t *testing.T) {
 		{
 			name:           "Wildcard pattern does not match different domain",
 			storedMappings: map[string]route.ResID{"*.example.com": "res4"},
-			queryDomain:    "foo.example.org",
+			queryDomain:    "foo.notexample.com",
 			expectedResId:  "",
 		},
 		{
@@ -111,619 +101,3 @@ func Test_getMatchingEntries(t *testing.T) {
 		})
 	}
 }
-
-type MockFirewall struct {
-	mock.Mock
-}
-
-func (m *MockFirewall) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	args := m.Called(set, prefixes)
-	return args.Error(0)
-}
-
-type MockResolver struct {
-	mock.Mock
-}
-
-func (m *MockResolver) LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error) {
-	args := m.Called(ctx, network, host)
-	return args.Get(0).([]netip.Addr), args.Error(1)
-}
-
-func TestDNSForwarder_SubdomainAccessLogic(t *testing.T) {
-	tests := []struct {
-		name             string
-		configuredDomain string
-		queryDomain      string
-		shouldMatch      bool
-		expectedResID    route.ResID
-		description      string
-	}{
-		{
-			name:             "exact domain match should be allowed",
-			configuredDomain: "example.com",
-			queryDomain:      "example.com",
-			shouldMatch:      true,
-			expectedResID:    "test-res-id",
-			description:      "Direct match to configured domain should work",
-		},
-		{
-			name:             "subdomain access should be restricted",
-			configuredDomain: "example.com",
-			queryDomain:      "mail.example.com",
-			shouldMatch:      false,
-			expectedResID:    "",
-			description:      "Subdomain should not be accessible unless explicitly configured",
-		},
-		{
-			name:             "wildcard should allow subdomains",
-			configuredDomain: "*.example.com",
-			queryDomain:      "mail.example.com",
-			shouldMatch:      true,
-			expectedResID:    "test-res-id",
-			description:      "Wildcard domains should allow subdomain access",
-		},
-		{
-			name:             "wildcard should allow base domain",
-			configuredDomain: "*.example.com",
-			queryDomain:      "example.com",
-			shouldMatch:      true,
-			expectedResID:    "test-res-id",
-			description:      "Wildcard should also match the base domain",
-		},
-		{
-			name:             "deep subdomain should be restricted",
-			configuredDomain: "example.com",
-			queryDomain:      "deep.mail.example.com",
-			shouldMatch:      false,
-			expectedResID:    "",
-			description:      "Deep subdomains should not be accessible",
-		},
-		{
-			name:             "wildcard allows deep subdomains",
-			configuredDomain: "*.example.com",
-			queryDomain:      "deep.mail.example.com",
-			shouldMatch:      true,
-			expectedResID:    "test-res-id",
-			description:      "Wildcard should allow deep subdomains",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			forwarder := &DNSForwarder{}
-
-			d, err := domain.FromString(tt.configuredDomain)
-			require.NoError(t, err)
-
-			entries := []*ForwarderEntry{
-				{
-					Domain: d,
-					ResID:  "test-res-id",
-				},
-			}
-
-			forwarder.UpdateDomains(entries)
-
-			resID, matchingEntries := forwarder.getMatchingEntries(tt.queryDomain)
-
-			if tt.shouldMatch {
-				assert.Equal(t, tt.expectedResID, resID, "Expected matching ResID")
-				assert.NotEmpty(t, matchingEntries, "Expected matching entries")
-				t.Logf("✓ Domain %s correctly matches pattern %s", tt.queryDomain, tt.configuredDomain)
-			} else {
-				assert.Equal(t, tt.expectedResID, resID, "Expected no ResID match")
-				assert.Empty(t, matchingEntries, "Expected no matching entries")
-				t.Logf("✓ Domain %s correctly does NOT match pattern %s", tt.queryDomain, tt.configuredDomain)
-			}
-		})
-	}
-}
-
-func TestDNSForwarder_UnauthorizedDomainAccess(t *testing.T) {
-	if testing.Short() {
-		t.Skip("Skipping integration test in short mode")
-	}
-
-	tests := []struct {
-		name             string
-		configuredDomain string
-		queryDomain      string
-		shouldResolve    bool
-		description      string
-	}{
-		{
-			name:             "configured exact domain resolves",
-			configuredDomain: "example.com",
-			queryDomain:      "example.com",
-			shouldResolve:    true,
-			description:      "Exact match should resolve",
-		},
-		{
-			name:             "unauthorized subdomain blocked",
-			configuredDomain: "example.com",
-			queryDomain:      "mail.example.com",
-			shouldResolve:    false,
-			description:      "Subdomain should be blocked without wildcard",
-		},
-		{
-			name:             "wildcard allows subdomain",
-			configuredDomain: "*.example.com",
-			queryDomain:      "mail.example.com",
-			shouldResolve:    true,
-			description:      "Wildcard should allow subdomain",
-		},
-		{
-			name:             "wildcard allows base domain",
-			configuredDomain: "*.example.com",
-			queryDomain:      "example.com",
-			shouldResolve:    true,
-			description:      "Wildcard should allow base domain",
-		},
-		{
-			name:             "unrelated domain blocked",
-			configuredDomain: "example.com",
-			queryDomain:      "example.org",
-			shouldResolve:    false,
-			description:      "Unrelated domain should be blocked",
-		},
-		{
-			name:             "deep subdomain blocked",
-			configuredDomain: "example.com",
-			queryDomain:      "deep.mail.example.com",
-			shouldResolve:    false,
-			description:      "Deep subdomain should be blocked",
-		},
-		{
-			name:             "wildcard allows deep subdomain",
-			configuredDomain: "*.example.com",
-			queryDomain:      "deep.mail.example.com",
-			shouldResolve:    true,
-			description:      "Wildcard should allow deep subdomain",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			mockFirewall := &MockFirewall{}
-			mockResolver := &MockResolver{}
-
-			if tt.shouldResolve {
-				mockFirewall.On("UpdateSet", mock.AnythingOfType("manager.Set"), mock.AnythingOfType("[]netip.Prefix")).Return(nil)
-
-				// Mock successful DNS resolution
-				fakeIP := netip.MustParseAddr("1.2.3.4")
-				mockResolver.On("LookupNetIP", mock.Anything, "ip4", dns.Fqdn(tt.queryDomain)).Return([]netip.Addr{fakeIP}, nil)
-			}
-
-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
-			forwarder.resolver = mockResolver
-
-			d, err := domain.FromString(tt.configuredDomain)
-			require.NoError(t, err)
-
-			entries := []*ForwarderEntry{
-				{
-					Domain: d,
-					ResID:  "test-res-id",
-					Set:    firewall.NewDomainSet([]domain.Domain{d}),
-				},
-			}
-
-			forwarder.UpdateDomains(entries)
-
-			query := &dns.Msg{}
-			query.SetQuestion(dns.Fqdn(tt.queryDomain), dns.TypeA)
-
-			mockWriter := &test.MockResponseWriter{}
-			resp := forwarder.handleDNSQuery(mockWriter, query)
-
-			if tt.shouldResolve {
-				require.NotNil(t, resp, "Expected response for authorized domain")
-				require.Equal(t, dns.RcodeSuccess, resp.Rcode, "Expected successful response")
-				assert.NotEmpty(t, resp.Answer, "Expected DNS answer records")
-
-				time.Sleep(10 * time.Millisecond)
-				mockFirewall.AssertExpectations(t)
-				mockResolver.AssertExpectations(t)
-			} else {
-				if resp != nil {
-					assert.True(t, len(resp.Answer) == 0 || resp.Rcode != dns.RcodeSuccess,
-						"Unauthorized domain should not return successful answers")
-				}
-				mockFirewall.AssertNotCalled(t, "UpdateSet")
-				mockResolver.AssertNotCalled(t, "LookupNetIP")
-			}
-		})
-	}
-}
-
-func TestDNSForwarder_FirewallSetUpdates(t *testing.T) {
-	tests := []struct {
-		name              string
-		configuredDomains []string
-		query             string
-		mockIP            string
-		shouldResolve     bool
-		expectedSetCount  int // How many sets should be updated
-		description       string
-	}{
-		{
-			name:              "exact domain gets firewall update",
-			configuredDomains: []string{"example.com"},
-			query:             "example.com",
-			mockIP:            "1.1.1.1",
-			shouldResolve:     true,
-			expectedSetCount:  1,
-			description:       "Single exact match updates one set",
-		},
-		{
-			name:              "wildcard domain gets firewall update",
-			configuredDomains: []string{"*.example.com"},
-			query:             "mail.example.com",
-			mockIP:            "1.1.1.2",
-			shouldResolve:     true,
-			expectedSetCount:  1,
-			description:       "Wildcard match updates one set",
-		},
-		{
-			name:              "overlapping exact and wildcard both get updates",
-			configuredDomains: []string{"*.example.com", "mail.example.com"},
-			query:             "mail.example.com",
-			mockIP:            "1.1.1.3",
-			shouldResolve:     true,
-			expectedSetCount:  2,
-			description:       "Both exact and wildcard sets should be updated",
-		},
-		{
-			name:              "unauthorized domain gets no firewall update",
-			configuredDomains: []string{"example.com"},
-			query:             "mail.example.com",
-			mockIP:            "1.1.1.4",
-			shouldResolve:     false,
-			expectedSetCount:  0,
-			description:       "No firewall update for unauthorized domains",
-		},
-		{
-			name:              "multiple wildcards matching get all updated",
-			configuredDomains: []string{"*.example.com", "*.sub.example.com"},
-			query:             "test.sub.example.com",
-			mockIP:            "1.1.1.5",
-			shouldResolve:     true,
-			expectedSetCount:  2,
-			description:       "All matching wildcard sets should be updated",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			mockFirewall := &MockFirewall{}
-			mockResolver := &MockResolver{}
-
-			// Set up forwarder
-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
-			forwarder.resolver = mockResolver
-
-			// Create entries and track sets
-			var entries []*ForwarderEntry
-			sets := make([]firewall.Set, 0)
-
-			for i, configDomain := range tt.configuredDomains {
-				d, err := domain.FromString(configDomain)
-				require.NoError(t, err)
-
-				set := firewall.NewDomainSet([]domain.Domain{d})
-				sets = append(sets, set)
-
-				entries = append(entries, &ForwarderEntry{
-					Domain: d,
-					ResID:  route.ResID(fmt.Sprintf("res-%d", i)),
-					Set:    set,
-				})
-			}
-
-			forwarder.UpdateDomains(entries)
-
-			// Set up mocks
-			if tt.shouldResolve {
-				fakeIP := netip.MustParseAddr(tt.mockIP)
-				mockResolver.On("LookupNetIP", mock.Anything, "ip4", dns.Fqdn(tt.query)).
-					Return([]netip.Addr{fakeIP}, nil).Once()
-
-				expectedPrefixes := []netip.Prefix{netip.PrefixFrom(fakeIP, 32)}
-
-				// Count how many sets should actually match
-				updateCount := 0
-				for i, entry := range entries {
-					domain := strings.ToLower(tt.query)
-					pattern := entry.Domain.PunycodeString()
-
-					matches := false
-					if strings.HasPrefix(pattern, "*.") {
-						baseDomain := strings.TrimPrefix(pattern, "*.")
-						if domain == baseDomain || strings.HasSuffix(domain, "."+baseDomain) {
-							matches = true
-						}
-					} else if domain == pattern {
-						matches = true
-					}
-
-					if matches {
-						mockFirewall.On("UpdateSet", sets[i], expectedPrefixes).Return(nil).Once()
-						updateCount++
-					}
-				}
-
-				assert.Equal(t, tt.expectedSetCount, updateCount,
-					"Expected %d sets to be updated, but mock expects %d",
-					tt.expectedSetCount, updateCount)
-			}
-
-			// Execute query
-			dnsQuery := &dns.Msg{}
-			dnsQuery.SetQuestion(dns.Fqdn(tt.query), dns.TypeA)
-
-			mockWriter := &test.MockResponseWriter{}
-			resp := forwarder.handleDNSQuery(mockWriter, dnsQuery)
-
-			// Verify response
-			if tt.shouldResolve {
-				require.NotNil(t, resp, "Expected response for authorized domain")
-				require.Equal(t, dns.RcodeSuccess, resp.Rcode)
-				require.NotEmpty(t, resp.Answer)
-			} else if resp != nil {
-				assert.True(t, resp.Rcode == dns.RcodeRefused || len(resp.Answer) == 0,
-					"Unauthorized domain should be refused or have no answers")
-			}
-
-			// Verify all mock expectations were met
-			mockFirewall.AssertExpectations(t)
-			mockResolver.AssertExpectations(t)
-		})
-	}
-}
-
-// Test to verify that multiple IPs for one domain result in all prefixes being sent together
-func TestDNSForwarder_MultipleIPsInSingleUpdate(t *testing.T) {
-	mockFirewall := &MockFirewall{}
-	mockResolver := &MockResolver{}
-
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
-	forwarder.resolver = mockResolver
-
-	// Configure a single domain
-	d, err := domain.FromString("example.com")
-	require.NoError(t, err)
-
-	set := firewall.NewDomainSet([]domain.Domain{d})
-	entries := []*ForwarderEntry{{
-		Domain: d,
-		ResID:  "test-res",
-		Set:    set,
-	}}
-
-	forwarder.UpdateDomains(entries)
-
-	// Mock resolver returns multiple IPs
-	ips := []netip.Addr{
-		netip.MustParseAddr("1.1.1.1"),
-		netip.MustParseAddr("1.1.1.2"),
-		netip.MustParseAddr("1.1.1.3"),
-	}
-	mockResolver.On("LookupNetIP", mock.Anything, "ip4", "example.com.").
-		Return(ips, nil).Once()
-
-	// Expect ONE UpdateSet call with ALL prefixes
-	expectedPrefixes := []netip.Prefix{
-		netip.PrefixFrom(ips[0], 32),
-		netip.PrefixFrom(ips[1], 32),
-		netip.PrefixFrom(ips[2], 32),
-	}
-	mockFirewall.On("UpdateSet", set, expectedPrefixes).Return(nil).Once()
-
-	// Execute query
-	query := &dns.Msg{}
-	query.SetQuestion("example.com.", dns.TypeA)
-
-	mockWriter := &test.MockResponseWriter{}
-	resp := forwarder.handleDNSQuery(mockWriter, query)
-
-	// Verify response contains all IPs
-	require.NotNil(t, resp)
-	require.Equal(t, dns.RcodeSuccess, resp.Rcode)
-	require.Len(t, resp.Answer, 3, "Should have 3 answer records")
-
-	// Verify mocks
-	mockFirewall.AssertExpectations(t)
-	mockResolver.AssertExpectations(t)
-}
-
-func TestDNSForwarder_ResponseCodes(t *testing.T) {
-	tests := []struct {
-		name         string
-		queryType    uint16
-		queryDomain  string
-		configured   string
-		expectedCode int
-		description  string
-	}{
-		{
-			name:         "unauthorized domain returns REFUSED",
-			queryType:    dns.TypeA,
-			queryDomain:  "evil.com",
-			configured:   "example.com",
-			expectedCode: dns.RcodeRefused,
-			description:  "RFC compliant REFUSED for unauthorized queries",
-		},
-		{
-			name:         "unsupported query type returns NOTIMP",
-			queryType:    dns.TypeMX,
-			queryDomain:  "example.com",
-			configured:   "example.com",
-			expectedCode: dns.RcodeNotImplemented,
-			description:  "RFC compliant NOTIMP for unsupported types",
-		},
-		{
-			name:         "CNAME query returns NOTIMP",
-			queryType:    dns.TypeCNAME,
-			queryDomain:  "example.com",
-			configured:   "example.com",
-			expectedCode: dns.RcodeNotImplemented,
-			description:  "CNAME queries not supported",
-		},
-		{
-			name:         "TXT query returns NOTIMP",
-			queryType:    dns.TypeTXT,
-			queryDomain:  "example.com",
-			configured:   "example.com",
-			expectedCode: dns.RcodeNotImplemented,
-			description:  "TXT queries not supported",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
-
-			d, err := domain.FromString(tt.configured)
-			require.NoError(t, err)
-
-			entries := []*ForwarderEntry{{Domain: d, ResID: "test-res"}}
-			forwarder.UpdateDomains(entries)
-
-			query := &dns.Msg{}
-			query.SetQuestion(dns.Fqdn(tt.queryDomain), tt.queryType)
-
-			// Capture the written response
-			var writtenResp *dns.Msg
-			mockWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					writtenResp = m
-					return nil
-				},
-			}
-
-			_ = forwarder.handleDNSQuery(mockWriter, query)
-
-			// Check the response written to the writer
-			require.NotNil(t, writtenResp, "Expected response to be written")
-			assert.Equal(t, tt.expectedCode, writtenResp.Rcode, tt.description)
-		})
-	}
-}
-
-func TestDNSForwarder_TCPTruncation(t *testing.T) {
-	// Test that large UDP responses are truncated with TC bit set
-	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
-	forwarder.resolver = mockResolver
-
-	d, _ := domain.FromString("example.com")
-	entries := []*ForwarderEntry{{Domain: d, ResID: "test-res"}}
-	forwarder.UpdateDomains(entries)
-
-	// Mock many IPs to create a large response
-	var manyIPs []netip.Addr
-	for i := 0; i < 100; i++ {
-		manyIPs = append(manyIPs, netip.MustParseAddr(fmt.Sprintf("1.1.1.%d", i%256)))
-	}
-	mockResolver.On("LookupNetIP", mock.Anything, "ip4", "example.com.").Return(manyIPs, nil)
-
-	// Query without EDNS0
-	query := &dns.Msg{}
-	query.SetQuestion("example.com.", dns.TypeA)
-
-	var writtenResp *dns.Msg
-	mockWriter := &test.MockResponseWriter{
-		WriteMsgFunc: func(m *dns.Msg) error {
-			writtenResp = m
-			return nil
-		},
-	}
-	forwarder.handleDNSQueryUDP(mockWriter, query)
-
-	require.NotNil(t, writtenResp)
-	assert.True(t, writtenResp.Truncated, "Large response should be truncated")
-	assert.LessOrEqual(t, writtenResp.Len(), dns.MinMsgSize, "Response should fit in minimum UDP size")
-}
-
-func TestDNSForwarder_MultipleOverlappingPatterns(t *testing.T) {
-	// Test complex overlapping pattern scenarios
-	mockFirewall := &MockFirewall{}
-	mockResolver := &MockResolver{}
-
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
-	forwarder.resolver = mockResolver
-
-	// Set up complex overlapping patterns
-	patterns := []string{
-		"*.example.com",         // Matches all subdomains
-		"*.mail.example.com",    // More specific wildcard
-		"smtp.mail.example.com", // Exact match
-		"example.com",           // Base domain
-	}
-
-	var entries []*ForwarderEntry
-	sets := make(map[string]firewall.Set)
-
-	for _, pattern := range patterns {
-		d, _ := domain.FromString(pattern)
-		set := firewall.NewDomainSet([]domain.Domain{d})
-		sets[pattern] = set
-		entries = append(entries, &ForwarderEntry{
-			Domain: d,
-			ResID:  route.ResID("res-" + pattern),
-			Set:    set,
-		})
-	}
-
-	forwarder.UpdateDomains(entries)
-
-	// Test smtp.mail.example.com - should match 3 patterns
-	fakeIP := netip.MustParseAddr("1.2.3.4")
-	mockResolver.On("LookupNetIP", mock.Anything, "ip4", "smtp.mail.example.com.").Return([]netip.Addr{fakeIP}, nil)
-
-	expectedPrefix := netip.PrefixFrom(fakeIP, 32)
-	// All three matching patterns should get firewall updates
-	mockFirewall.On("UpdateSet", sets["smtp.mail.example.com"], []netip.Prefix{expectedPrefix}).Return(nil)
-	mockFirewall.On("UpdateSet", sets["*.mail.example.com"], []netip.Prefix{expectedPrefix}).Return(nil)
-	mockFirewall.On("UpdateSet", sets["*.example.com"], []netip.Prefix{expectedPrefix}).Return(nil)
-
-	query := &dns.Msg{}
-	query.SetQuestion("smtp.mail.example.com.", dns.TypeA)
-
-	mockWriter := &test.MockResponseWriter{}
-	resp := forwarder.handleDNSQuery(mockWriter, query)
-
-	require.NotNil(t, resp)
-	assert.Equal(t, dns.RcodeSuccess, resp.Rcode)
-
-	// Verify all three sets were updated
-	mockFirewall.AssertExpectations(t)
-
-	// Verify the most specific ResID was selected
-	// (exact match should win over wildcards)
-	resID, matches := forwarder.getMatchingEntries("smtp.mail.example.com")
-	assert.Equal(t, route.ResID("res-smtp.mail.example.com"), resID)
-	assert.Len(t, matches, 3, "Should match 3 patterns")
-}
-
-func TestDNSForwarder_EmptyQuery(t *testing.T) {
-	// Test handling of malformed query with no questions
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
-
-	query := &dns.Msg{}
-	// Don't set any question
-
-	writeCalled := false
-	mockWriter := &test.MockResponseWriter{
-		WriteMsgFunc: func(m *dns.Msg) error {
-			writeCalled = true
-			return nil
-		},
-	}
-	resp := forwarder.handleDNSQuery(mockWriter, query)
-
-	assert.Nil(t, resp, "Should return nil for empty query")
-	assert.False(t, writeCalled, "Should not write response for empty query")
-}

client/internal/engine.go

@@ -1527,7 +1527,6 @@ func (e *Engine) newWgIface() (*iface.WGIface, error) {
 		MTU:          iface.DefaultMTU,
 		TransportNet: transportNet,
 		FilterFn:     e.addrViaRoutes,
-		DisableDNS:   e.config.DisableDNS,
 	}
 
 	switch runtime.GOOS {

client/internal/engine_test.go

@@ -1476,7 +1476,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 
 	permissionsManager := permissions.NewManager(store)
 
-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
 	if err != nil {
 		return nil, "", err
 	}

client/internal/lazyconn/inactivity/inactivity.go

@@ -68,8 +68,3 @@ func (i *Monitor) PauseTimer() {
 func (i *Monitor) ResetTimer() {
 	i.timer.Reset(i.inactivityThreshold)
 }
-
-func (i *Monitor) ResetMonitor(ctx context.Context, timeoutChan chan peer.ConnID) {
-	i.Stop()
-	go i.Start(ctx, timeoutChan)
-}

client/internal/lazyconn/manager/manager.go

@@ -58,7 +58,7 @@ type Manager struct {
 	// Route HA group management
 	peerToHAGroups map[string][]route.HAUniqueID // peer ID -> HA groups they belong to
 	haGroupToPeers map[route.HAUniqueID][]string // HA group -> peer IDs in the group
-	routesMu       sync.RWMutex
+	routesMu       sync.RWMutex                  // protects route mappings
 
 	onInactive chan peerid.ConnID
 }
@@ -146,7 +146,7 @@ func (m *Manager) Start(ctx context.Context) {
 		case peerConnID := <-m.activityManager.OnActivityChan:
 			m.onPeerActivity(ctx, peerConnID)
 		case peerConnID := <-m.onInactive:
-			m.onPeerInactivityTimedOut(ctx, peerConnID)
+			m.onPeerInactivityTimedOut(peerConnID)
 		}
 	}
 }
@@ -197,7 +197,7 @@ func (m *Manager) ExcludePeer(ctx context.Context, peerConfigs []lazyconn.PeerCo
 	return added
 }
 
-func (m *Manager) AddPeer(ctx context.Context, peerCfg lazyconn.PeerConfig) (bool, error) {
+func (m *Manager) AddPeer(peerCfg lazyconn.PeerConfig) (bool, error) {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()
 
@@ -225,13 +225,6 @@ func (m *Manager) AddPeer(ctx context.Context, peerCfg lazyconn.PeerConfig) (boo
 		peerCfg:         &peerCfg,
 		expectedWatcher: watcherActivity,
 	}
-
-	// Check if this peer should be activated because its HA group peers are active
-	if group, ok := m.shouldActivateNewPeer(peerCfg.PublicKey); ok {
-		peerCfg.Log.Debugf("peer belongs to active HA group %s, will activate immediately", group)
-		m.activateNewPeerInActiveGroup(ctx, peerCfg)
-	}
-
 	return false, nil
 }
 
@@ -322,38 +315,36 @@ func (m *Manager) activateSinglePeer(ctx context.Context, cfg *lazyconn.PeerConf
 
 // activateHAGroupPeers activates all peers in HA groups that the given peer belongs to
 func (m *Manager) activateHAGroupPeers(ctx context.Context, triggerPeerID string) {
-	var peersToActivate []string
-
 	m.routesMu.RLock()
 	haGroups := m.peerToHAGroups[triggerPeerID]
+	m.routesMu.RUnlock()
 
 	if len(haGroups) == 0 {
-		m.routesMu.RUnlock()
 		log.Debugf("peer %s is not part of any HA groups", triggerPeerID)
 		return
 	}
 
-	for _, haGroup := range haGroups {
-		peers := m.haGroupToPeers[haGroup]
-		for _, peerID := range peers {
-			if peerID != triggerPeerID {
-				peersToActivate = append(peersToActivate, peerID)
-			}
-		}
-	}
-	m.routesMu.RUnlock()
-
 	activatedCount := 0
-	for _, peerID := range peersToActivate {
-		cfg, mp := m.getPeerForActivation(peerID)
-		if cfg == nil {
-			continue
-		}
+	for _, haGroup := range haGroups {
+		m.routesMu.RLock()
+		peers := m.haGroupToPeers[haGroup]
+		m.routesMu.RUnlock()
 
-		if m.activateSinglePeer(ctx, cfg, mp) {
-			activatedCount++
-			cfg.Log.Infof("activated peer as part of HA group (triggered by %s)", triggerPeerID)
-			m.peerStore.PeerConnOpen(m.engineCtx, cfg.PublicKey)
+		for _, peerID := range peers {
+			if peerID == triggerPeerID {
+				continue
+			}
+
+			cfg, mp := m.getPeerForActivation(peerID)
+			if cfg == nil {
+				continue
+			}
+
+			if m.activateSinglePeer(ctx, cfg, mp) {
+				activatedCount++
+				cfg.Log.Infof("activated peer as part of HA group %s (triggered by %s)", haGroup, triggerPeerID)
+				m.peerStore.PeerConnOpen(m.engineCtx, cfg.PublicKey)
+			}
 		}
 	}
 
@@ -363,51 +354,6 @@ func (m *Manager) activateHAGroupPeers(ctx context.Context, triggerPeerID string
 	}
 }
 
-// shouldActivateNewPeer checks if a newly added peer should be activated
-// because other peers in its HA groups are already active
-func (m *Manager) shouldActivateNewPeer(peerID string) (route.HAUniqueID, bool) {
-	m.routesMu.RLock()
-	defer m.routesMu.RUnlock()
-
-	haGroups := m.peerToHAGroups[peerID]
-	if len(haGroups) == 0 {
-		return "", false
-	}
-
-	for _, haGroup := range haGroups {
-		peers := m.haGroupToPeers[haGroup]
-		for _, groupPeerID := range peers {
-			if groupPeerID == peerID {
-				continue
-			}
-
-			cfg, ok := m.managedPeers[groupPeerID]
-			if !ok {
-				continue
-			}
-			if mp, ok := m.managedPeersByConnID[cfg.PeerConnID]; ok && mp.expectedWatcher == watcherInactivity {
-				return haGroup, true
-			}
-		}
-	}
-	return "", false
-}
-
-// activateNewPeerInActiveGroup activates a newly added peer that should be active due to HA group
-func (m *Manager) activateNewPeerInActiveGroup(ctx context.Context, peerCfg lazyconn.PeerConfig) {
-	mp, ok := m.managedPeersByConnID[peerCfg.PeerConnID]
-	if !ok {
-		return
-	}
-
-	if !m.activateSinglePeer(ctx, &peerCfg, mp) {
-		return
-	}
-
-	peerCfg.Log.Infof("activated newly added peer due to active HA group peers")
-	m.peerStore.PeerConnOpen(m.engineCtx, peerCfg.PublicKey)
-}
-
 func (m *Manager) addActivePeer(ctx context.Context, peerCfg lazyconn.PeerConfig) error {
 	if _, ok := m.managedPeers[peerCfg.PublicKey]; ok {
 		peerCfg.Log.Warnf("peer already managed")
@@ -469,48 +415,6 @@ func (m *Manager) close() {
 	log.Infof("lazy connection manager closed")
 }
 
-// shouldDeferIdleForHA checks if peer should stay connected due to HA group requirements
-func (m *Manager) shouldDeferIdleForHA(peerID string) bool {
-	m.routesMu.RLock()
-	defer m.routesMu.RUnlock()
-
-	haGroups := m.peerToHAGroups[peerID]
-	if len(haGroups) == 0 {
-		return false
-	}
-
-	for _, haGroup := range haGroups {
-		groupPeers := m.haGroupToPeers[haGroup]
-
-		for _, groupPeerID := range groupPeers {
-			if groupPeerID == peerID {
-				continue
-			}
-
-			cfg, ok := m.managedPeers[groupPeerID]
-			if !ok {
-				continue
-			}
-
-			groupMp, ok := m.managedPeersByConnID[cfg.PeerConnID]
-			if !ok {
-				continue
-			}
-
-			if groupMp.expectedWatcher != watcherInactivity {
-				continue
-			}
-
-			// Other member is still connected, defer idle
-			if peer, ok := m.peerStore.PeerConn(groupPeerID); ok && peer.IsConnected() {
-				return true
-			}
-		}
-	}
-
-	return false
-}
-
 func (m *Manager) onPeerActivity(ctx context.Context, peerConnID peerid.ConnID) {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()
@@ -537,7 +441,7 @@ func (m *Manager) onPeerActivity(ctx context.Context, peerConnID peerid.ConnID)
 	m.peerStore.PeerConnOpen(m.engineCtx, mp.peerCfg.PublicKey)
 }
 
-func (m *Manager) onPeerInactivityTimedOut(ctx context.Context, peerConnID peerid.ConnID) {
+func (m *Manager) onPeerInactivityTimedOut(peerConnID peerid.ConnID) {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()
 
@@ -552,17 +456,6 @@ func (m *Manager) onPeerInactivityTimedOut(ctx context.Context, peerConnID peeri
 		return
 	}
 
-	if m.shouldDeferIdleForHA(mp.peerCfg.PublicKey) {
-		iw, ok := m.inactivityMonitors[peerConnID]
-		if ok {
-			mp.peerCfg.Log.Debugf("resetting inactivity timer due to HA group requirements")
-			iw.ResetMonitor(ctx, m.onInactive)
-		} else {
-			mp.peerCfg.Log.Errorf("inactivity monitor not found for HA defer reset")
-		}
-		return
-	}
-
 	mp.peerCfg.Log.Infof("connection timed out")
 
 	// this is blocking operation, potentially can be optimized
@@ -596,7 +489,7 @@ func (m *Manager) onPeerConnected(peerConnID peerid.ConnID) {
 
 	iw, ok := m.inactivityMonitors[mp.peerCfg.PeerConnID]
 	if !ok {
-		mp.peerCfg.Log.Warnf("inactivity monitor not found for peer")
+		mp.peerCfg.Log.Errorf("inactivity monitor not found for peer")
 		return
 	}
 

client/internal/netflow/conntrack/conntrack.go

@@ -204,7 +204,7 @@ func (c *ConnTrack) handleEvent(event nfct.Event) {
 		eventStr = "Ended"
 	}
 
-	log.Tracef("%s %s %s connection: %s:%d → %s:%d", eventStr, direction, proto, srcIP, srcPort, dstIP, dstPort)
+	log.Tracef("%s %s %s connection: %s:%d -> %s:%d", eventStr, direction, proto, srcIP, srcPort, dstIP, dstPort)
 
 	c.flowLogger.StoreEvent(nftypes.EventFields{
 		FlowID:     flowID,

client/internal/peer/conn.go

@@ -317,12 +317,12 @@ func (conn *Conn) WgConfig() WgConfig {
 	return conn.config.WgConfig
 }
 
-// IsConnected returns true if the peer is connected
+// IsConnected unit tests only
+// refactor unit test to use status recorder use refactor status recorded to manage connection status in peer.Conn
 func (conn *Conn) IsConnected() bool {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()
-
-	return conn.evalStatus() == StatusConnected
+	return conn.currentConnPriority != conntype.None
 }
 
 func (conn *Conn) GetKey() string {

client/internal/peer/status.go

@@ -575,12 +575,13 @@ func (d *Status) UpdatePeerFQDN(peerPubKey, fqdn string) error {
 // FinishPeerListModifications this event invoke the notification
 func (d *Status) FinishPeerListModifications() {
 	d.mux.Lock()
-	defer d.mux.Unlock()
 
 	if !d.peerListChangedForNotification {
+		d.mux.Unlock()
 		return
 	}
 	d.peerListChangedForNotification = false
+	d.mux.Unlock()
 
 	d.notifyPeerListChanged()
 

client/internal/routemanager/client/client.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"reflect"
+	"runtime"
 	"time"
 
 	log "github.com/sirupsen/logrus"
@@ -22,7 +23,7 @@ import (
 
 const (
 	handlerTypeDynamic = iota
-	handlerTypeDnsInterceptor
+	handlerTypeDomain
 	handlerTypeStatic
 )
 
@@ -565,14 +566,13 @@ func HandlerFromRoute(
 	useNewDNSRoute bool,
 ) RouteHandler {
 	switch handlerType(rt, useNewDNSRoute) {
-	case handlerTypeDnsInterceptor:
+	case handlerTypeDomain:
 		return dnsinterceptor.New(
 			rt,
 			routeRefCounter,
 			allowedIPsRefCounter,
 			statusRecorder,
 			dnsServer,
-			wgInterface,
 			peerStore,
 		)
 	case handlerTypeDynamic:
@@ -596,8 +596,8 @@ func handlerType(rt *route.Route, useNewDNSRoute bool) int {
 		return handlerTypeStatic
 	}
 
-	if useNewDNSRoute {
-		return handlerTypeDnsInterceptor
+	if useNewDNSRoute && runtime.GOOS != "ios" {
+		return handlerTypeDomain
 	}
 	return handlerTypeDynamic
 }

client/internal/routemanager/dnsinterceptor/handler.go

@@ -6,13 +6,13 @@ import (
 	"net/netip"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	nbdns "github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/dnsfwd"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -24,11 +24,6 @@ import (
 
 type domainMap map[domain.Domain][]netip.Prefix
 
-type wgInterface interface {
-	Name() string
-	Address() wgaddr.Address
-}
-
 type DnsInterceptor struct {
 	mu                   sync.RWMutex
 	route                *route.Route
@@ -38,7 +33,6 @@ type DnsInterceptor struct {
 	dnsServer            nbdns.Server
 	currentPeerKey       string
 	interceptedDomains   domainMap
-	wgInterface          wgInterface
 	peerStore            *peerstore.Store
 }
 
@@ -48,7 +42,6 @@ func New(
 	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter,
 	statusRecorder *peer.Status,
 	dnsServer nbdns.Server,
-	wgInterface wgInterface,
 	peerStore *peerstore.Store,
 ) *DnsInterceptor {
 	return &DnsInterceptor{
@@ -57,7 +50,6 @@ func New(
 		allowedIPsRefcounter: allowedIPsRefCounter,
 		statusRecorder:       statusRecorder,
 		dnsServer:            dnsServer,
-		wgInterface:          wgInterface,
 		interceptedDomains:   make(domainMap),
 		peerStore:            peerStore,
 	}
@@ -72,6 +64,118 @@ func (d *DnsInterceptor) AddRoute(context.Context) error {
 	return nil
 }
 
+// preResolveDomains performs background DNS resolution for non-wildcard domains
+func (d *DnsInterceptor) preResolveDomains() {
+	for _, domain := range d.route.Domains {
+		domainStr := string(domain)
+
+		if strings.HasPrefix(domainStr, "*.") {
+			continue
+		}
+
+		domainStr = strings.TrimSuffix(domainStr, ".")
+		go func(domain string) {
+			ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+			defer cancel()
+
+			if err := d.resolveAndUpdateDomain(ctx, domain); err != nil {
+				log.Debugf("pre-resolve failed for domain %s: %v", domain, err)
+			} else {
+				log.Tracef("pre-resolve completed for domain %s", domain)
+			}
+		}(domainStr)
+	}
+}
+
+// resolveAndUpdateDomain performs DNS resolution and updates domain prefixes
+func (d *DnsInterceptor) resolveAndUpdateDomain(ctx context.Context, qDomain string) error {
+	d.mu.RLock()
+	peerKey := d.currentPeerKey
+	d.mu.RUnlock()
+
+	if peerKey == "" {
+		return fmt.Errorf("no current peer key")
+	}
+
+	upstreamIP, err := d.getUpstreamIP(peerKey)
+	if err != nil {
+		return fmt.Errorf("get upstream IP: %v", err)
+	}
+
+	msg := new(dns.Msg)
+	msg.SetQuestion(dns.Fqdn(qDomain), dns.TypeA)
+	msg.Id = dns.Id()
+	msg.MsgHdr.AuthenticatedData = true
+
+	reply, err := d.exchangeWithUpstream(ctx, msg, upstreamIP)
+	if err != nil {
+		return fmt.Errorf("exchange with upstream: %v", err)
+	}
+
+	if reply == nil || len(reply.Answer) == 0 {
+		return nil
+	}
+
+	resolvedDomain := domain.Domain(dns.Fqdn(qDomain))
+	return d.processResolveResponse(reply, resolvedDomain, resolvedDomain)
+}
+
+// exchangeWithUpstream performs DNS exchange with the upstream server
+func (d *DnsInterceptor) exchangeWithUpstream(ctx context.Context, msg *dns.Msg, upstreamIP netip.Addr) (*dns.Msg, error) {
+	client := &dns.Client{
+		Timeout: nbdns.UpstreamTimeout,
+		Net:     "udp",
+	}
+	upstream := fmt.Sprintf("%s:%d", upstreamIP.String(), dnsfwd.ListenPort)
+
+	reply, _, err := nbdns.ExchangeWithFallback(ctx, client, msg, upstream)
+	return reply, err
+}
+
+// extractIPsFromDNSResponse extracts IP addresses from DNS answer records
+func (d *DnsInterceptor) extractIPsFromDNSResponse(reply *dns.Msg, domainForLogging domain.Domain) []netip.Prefix {
+	if reply == nil || len(reply.Answer) == 0 {
+		return nil
+	}
+
+	var prefixes []netip.Prefix
+	for _, answer := range reply.Answer {
+		var ip netip.Addr
+		switch rr := answer.(type) {
+		case *dns.A:
+			addr, ok := netip.AddrFromSlice(rr.A)
+			if !ok {
+				log.Tracef("failed to convert A record for domain=%s ip=%v", domainForLogging, rr.A)
+				continue
+			}
+			ip = addr
+		case *dns.AAAA:
+			addr, ok := netip.AddrFromSlice(rr.AAAA)
+			if !ok {
+				log.Tracef("failed to convert AAAA record for domain=%s ip=%v", domainForLogging, rr.AAAA)
+				continue
+			}
+			ip = addr
+		default:
+			continue
+		}
+
+		prefix := netip.PrefixFrom(ip.Unmap(), ip.BitLen())
+		prefixes = append(prefixes, prefix)
+	}
+
+	return prefixes
+}
+
+// processResolveResponse extracts IPs from DNS response and updates domain prefixes
+func (d *DnsInterceptor) processResolveResponse(reply *dns.Msg, resolvedDomain, originalDomain domain.Domain) error {
+	newPrefixes := d.extractIPsFromDNSResponse(reply, resolvedDomain)
+	if len(newPrefixes) > 0 {
+		return d.updateDomainPrefixes(resolvedDomain, originalDomain, newPrefixes)
+	}
+	return nil
+}
+
 func (d *DnsInterceptor) RemoveRoute() error {
 	d.mu.Lock()
 
@@ -122,6 +226,7 @@ func (d *DnsInterceptor) AddAllowedIPs(peerKey string) error {
 	}
 
 	d.currentPeerKey = peerKey
+	go d.preResolveDomains()
 	return nberrors.FormatErrorOrNil(merr)
 }
 
@@ -144,18 +249,15 @@ func (d *DnsInterceptor) RemoveAllowedIPs() error {
 
 // ServeDNS implements the dns.Handler interface
 func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	requestID := nbdns.GenerateRequestID()
-	logger := log.WithField("request_id", requestID)
-
 	if len(r.Question) == 0 {
 		return
 	}
-	logger.Tracef("received DNS request for domain=%s type=%v class=%v",
+	log.Tracef("received DNS request for domain=%s type=%v class=%v",
 		r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
 
 	// pass if non A/AAAA query
 	if r.Question[0].Qtype != dns.TypeA && r.Question[0].Qtype != dns.TypeAAAA {
-		d.continueToNextHandler(w, r, logger, "non A/AAAA query")
+		d.continueToNextHandler(w, r, "non A/AAAA query")
 		return
 	}
 
@@ -164,19 +266,13 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	d.mu.RUnlock()
 
 	if peerKey == "" {
-		d.writeDNSError(w, r, logger, "no current peer key")
+		d.writeDNSError(w, r, "no current peer key")
 		return
 	}
 
 	upstreamIP, err := d.getUpstreamIP(peerKey)
 	if err != nil {
-		d.writeDNSError(w, r, logger, fmt.Sprintf("get upstream IP: %v", err))
-		return
-	}
-
-	client, err := nbdns.GetClientPrivate(d.wgInterface.Address().IP, d.wgInterface.Name(), nbdns.UpstreamTimeout)
-	if err != nil {
-		d.writeDNSError(w, r, logger, fmt.Sprintf("create DNS client: %v", err))
+		d.writeDNSError(w, r, fmt.Sprintf("get upstream IP: %v", err))
 		return
 	}
 
@@ -184,12 +280,11 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		r.MsgHdr.AuthenticatedData = true
 	}
 
-	upstream := fmt.Sprintf("%s:%d", upstreamIP.String(), dnsfwd.ListenPort)
-	reply, _, err := nbdns.ExchangeWithFallback(context.TODO(), client, r, upstream)
+	reply, err := d.exchangeWithUpstream(context.TODO(), r, upstreamIP)
 	if err != nil {
-		logger.Errorf("failed to exchange DNS request with %s (%s) for domain=%s: %v", upstreamIP.String(), peerKey, r.Question[0].Name, err)
+		log.Errorf("failed to exchange DNS request with %s (%s) for domain=%s: %v", upstreamIP.String(), peerKey, r.Question[0].Name, err)
 		if err := w.WriteMsg(&dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeServerFailure, Id: r.Id}}); err != nil {
-			logger.Errorf("failed writing DNS response: %v", err)
+			log.Errorf("failed writing DNS response: %v", err)
 		}
 		return
 	}
@@ -199,34 +294,34 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		answer = reply.Answer
 	}
 
-	logger.Tracef("upstream %s (%s) DNS response for domain=%s answers=%v", upstreamIP.String(), peerKey, r.Question[0].Name, answer)
+	log.Tracef("upstream %s (%s) DNS response for domain=%s answers=%v", upstreamIP.String(), peerKey, r.Question[0].Name, answer)
 
 	reply.Id = r.Id
 	if err := d.writeMsg(w, reply); err != nil {
-		logger.Errorf("failed writing DNS response: %v", err)
+		log.Errorf("failed writing DNS response: %v", err)
 	}
 }
 
-func (d *DnsInterceptor) writeDNSError(w dns.ResponseWriter, r *dns.Msg, logger *log.Entry, reason string) {
-	logger.Warnf("failed to query upstream for domain=%s: %s", r.Question[0].Name, reason)
+func (d *DnsInterceptor) writeDNSError(w dns.ResponseWriter, r *dns.Msg, reason string) {
+	log.Warnf("failed to query upstream for domain=%s: %s", r.Question[0].Name, reason)
 
 	resp := new(dns.Msg)
 	resp.SetRcode(r, dns.RcodeServerFailure)
 	if err := w.WriteMsg(resp); err != nil {
-		logger.Errorf("failed to write DNS error response: %v", err)
+		log.Errorf("failed to write DNS error response: %v", err)
 	}
 }
 
 // continueToNextHandler signals the handler chain to try the next handler
-func (d *DnsInterceptor) continueToNextHandler(w dns.ResponseWriter, r *dns.Msg, logger *log.Entry, reason string) {
-	logger.Tracef("continuing to next handler for domain=%s reason=%s", r.Question[0].Name, reason)
+func (d *DnsInterceptor) continueToNextHandler(w dns.ResponseWriter, r *dns.Msg, reason string) {
+	log.Tracef("continuing to next handler for domain=%s reason=%s", r.Question[0].Name, reason)
 
 	resp := new(dns.Msg)
 	resp.SetRcode(r, dns.RcodeNameError)
 	// Set Zero bit to signal handler chain to continue
 	resp.MsgHdr.Zero = true
 	if err := w.WriteMsg(resp); err != nil {
-		logger.Errorf("failed writing DNS continue response: %v", err)
+		log.Errorf("failed writing DNS continue response: %v", err)
 	}
 }
 
@@ -250,43 +345,13 @@ func (d *DnsInterceptor) writeMsg(w dns.ResponseWriter, r *dns.Msg) error {
 		}
 
 		resolvedDomain := domain.Domain(strings.ToLower(r.Question[0].Name))
-
-		// already punycode via RegisterHandler()
 		originalDomain := domain.Domain(origPattern)
 		if originalDomain == "" {
 			originalDomain = resolvedDomain
 		}
 
-		var newPrefixes []netip.Prefix
-		for _, answer := range r.Answer {
-			var ip netip.Addr
-			switch rr := answer.(type) {
-			case *dns.A:
-				addr, ok := netip.AddrFromSlice(rr.A)
-				if !ok {
-					log.Tracef("failed to convert A record for domain=%s ip=%v", resolvedDomain, rr.A)
-					continue
-				}
-				ip = addr
-			case *dns.AAAA:
-				addr, ok := netip.AddrFromSlice(rr.AAAA)
-				if !ok {
-					log.Tracef("failed to convert AAAA record for domain=%s ip=%v", resolvedDomain, rr.AAAA)
-					continue
-				}
-				ip = addr
-			default:
-				continue
-			}
-
-			prefix := netip.PrefixFrom(ip.Unmap(), ip.BitLen())
-			newPrefixes = append(newPrefixes, prefix)
-		}
-
-		if len(newPrefixes) > 0 {
-			if err := d.updateDomainPrefixes(resolvedDomain, originalDomain, newPrefixes); err != nil {
-				log.Errorf("failed to update domain prefixes: %v", err)
-			}
+		if err := d.processResolveResponse(r, resolvedDomain, originalDomain); err != nil {
+			log.Errorf("failed to process DNS response: %v", err)
 		}
 	}
 

client/internal/routemanager/mock.go

@@ -15,7 +15,7 @@ import (
 // MockManager is the mock instance of a route manager
 type MockManager struct {
 	ClassifyRoutesFunc           func(routes []*route.Route) (map[route.ID]*route.Route, route.HAMap)
-	UpdateRoutesFunc             func(updateSerial uint64, serverRoutes map[route.ID]*route.Route, clientRoutes route.HAMap, useNewDNSRoute bool) error
+	UpdateRoutesFunc             func (updateSerial uint64, serverRoutes map[route.ID]*route.Route, clientRoutes route.HAMap, useNewDNSRoute bool) error
 	TriggerSelectionFunc         func(haMap route.HAMap)
 	GetRouteSelectorFunc         func() *routeselector.RouteSelector
 	GetClientRoutesFunc          func() route.HAMap

client/internal/routemanager/notifier/notifier.go

@@ -32,6 +32,7 @@ func (n *Notifier) SetListener(listener listener.NetworkChangeListener) {
 func (n *Notifier) SetInitialClientRoutes(clientRoutes []*route.Route) {
 	nets := make([]string, 0)
 	for _, r := range clientRoutes {
+		// filter out domain routes
 		if r.IsDynamic() {
 			continue
 		}
@@ -45,27 +46,30 @@ func (n *Notifier) OnNewRoutes(idMap route.HAMap) {
 	if runtime.GOOS != "android" {
 		return
 	}
-
-	var newNets []string
+	newNets := make([]string, 0)
 	for _, routes := range idMap {
 		for _, r := range routes {
-			if r.IsDynamic() {
-				continue
-			}
 			newNets = append(newNets, r.Network.String())
 		}
 	}
 
 	sort.Strings(newNets)
-	if !n.hasDiff(n.initialRouteRanges, newNets) {
-		return
+	switch runtime.GOOS {
+	case "android":
+		if !n.hasDiff(n.initialRouteRanges, newNets) {
+			return
+		}
+	default:
+		if !n.hasDiff(n.routeRanges, newNets) {
+			return
+		}
 	}
 
 	n.routeRanges = newNets
+
 	n.notify()
 }
 
-// OnNewPrefixes is called from iOS only
 func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
 	newNets := make([]string, 0)
 	for _, prefix := range prefixes {
@@ -73,11 +77,19 @@ func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
 	}
 
 	sort.Strings(newNets)
-	if !n.hasDiff(n.routeRanges, newNets) {
-		return
+	switch runtime.GOOS {
+	case "android":
+		if !n.hasDiff(n.initialRouteRanges, newNets) {
+			return
+		}
+	default:
+		if !n.hasDiff(n.routeRanges, newNets) {
+			return
+		}
 	}
 
 	n.routeRanges = newNets
+
 	n.notify()
 }
 

client/internal/routemanager/systemops/systemops.go

@@ -28,10 +28,7 @@ func (n Nexthop) String() string {
 	if n.Intf == nil {
 		return n.IP.String()
 	}
-	if n.IP.IsValid() {
-		return fmt.Sprintf("%s @ %d (%s)", n.IP.String(), n.Intf.Index, n.Intf.Name)
-	}
-	return fmt.Sprintf("no-ip @ %d (%s)", n.Intf.Index, n.Intf.Name)
+	return fmt.Sprintf("%s @ %d (%s)", n.IP.String(), n.Intf.Index, n.Intf.Name)
 }
 
 type wgIface interface {

client/internal/state.go

@@ -10,11 +10,10 @@ type StatusType string
 const (
 	StatusIdle StatusType = "Idle"
 
-	StatusConnecting     StatusType = "Connecting"
-	StatusConnected      StatusType = "Connected"
-	StatusNeedsLogin     StatusType = "NeedsLogin"
-	StatusLoginFailed    StatusType = "LoginFailed"
-	StatusSessionExpired StatusType = "SessionExpired"
+	StatusConnecting  StatusType = "Connecting"
+	StatusConnected   StatusType = "Connected"
+	StatusNeedsLogin  StatusType = "NeedsLogin"
+	StatusLoginFailed StatusType = "LoginFailed"
 )
 
 // CtxInitState setup context state into the context tree.

client/netbird.wxs

@@ -1,10 +1,8 @@
 <Wix
-	xmlns="http://wixtoolset.org/schemas/v4/wxs"
-	xmlns:util="http://wixtoolset.org/schemas/v4/wxs/util">
+	xmlns="http://wixtoolset.org/schemas/v4/wxs">
 	<Package Name="NetBird" Version="$(env.NETBIRD_VERSION)" Manufacturer="NetBird GmbH" Language="1033" UpgradeCode="6456ec4e-3ad6-4b9b-a2be-98e81cb21ccf"
         InstallerVersion="500" Compressed="yes"  Codepage="utf-8" >
 
-
 		<MediaTemplate EmbedCab="yes" />
 
 		<Feature Id="NetbirdFeature" Title="Netbird" Level="1">
@@ -48,10 +46,29 @@
 			<ComponentRef Id="NetbirdFiles" />
 		</ComponentGroup>
 
-		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />
-		<util:CloseApplication Id="CloseNetBirdUI" CloseMessage="no" Target="netbird-ui.exe" RebootPrompt="no" />
+		<Property Id="cmd" Value="cmd.exe"/>
 
+		<CustomAction Id="KillDaemon"
+                      ExeCommand='/c "taskkill /im netbird.exe"'
+                      Execute="deferred"
+                      Property="cmd"
+                      Impersonate="no"
+                      Return="ignore"
+            />
 
+		<CustomAction Id="KillUI"
+                      ExeCommand='/c "taskkill /im netbird-ui.exe"'
+                      Execute="deferred"
+                      Property="cmd"
+                      Impersonate="no"
+                      Return="ignore"
+            />
+
+		<InstallExecuteSequence>
+			<!-- For Uninstallation -->
+			<Custom Action="KillDaemon" Before="RemoveFiles" Condition="Installed"/>
+			<Custom Action="KillUI" After="KillDaemon" Condition="Installed"/>
+		</InstallExecuteSequence>
 
 		<!-- Icons -->
 		<Icon Id="NetbirdIcon" SourceFile=".\client\ui\assets\netbird.ico" />

client/server/server.go

@@ -8,7 +8,6 @@ import (
 	"runtime"
 	"strconv"
 	"sync"
-	"sync/atomic"
 	"time"
 
 	"github.com/cenkalti/backoff/v4"
@@ -67,7 +66,6 @@ type Server struct {
 
 	lastProbe         time.Time
 	persistNetworkMap bool
-	isSessionActive   atomic.Bool
 }
 
 type oauthAuthFlow struct {
@@ -569,6 +567,9 @@ func (s *Server) WaitSSOLogin(callerCtx context.Context, msg *proto.WaitSSOLogin
 
 	tokenInfo, err := s.oauthAuthFlow.flow.WaitToken(waitCTX, flowInfo)
 	if err != nil {
+		if err == context.Canceled {
+			return nil, nil //nolint:nilnil
+		}
 		s.mutex.Lock()
 		s.oauthAuthFlow.expiresAt = time.Now()
 		s.mutex.Unlock()
@@ -639,7 +640,6 @@ func (s *Server) Up(callerCtx context.Context, _ *proto.UpRequest) (*proto.UpRes
 	for {
 		select {
 		case <-runningChan:
-			s.isSessionActive.Store(true)
 			return &proto.UpResponse{}, nil
 		case <-callerCtx.Done():
 			log.Debug("context done, stopping the wait for engine to become ready")
@@ -668,7 +668,6 @@ func (s *Server) Down(ctx context.Context, _ *proto.DownRequest) (*proto.DownRes
 		log.Errorf("failed to shut down properly: %v", err)
 		return nil, err
 	}
-	s.isSessionActive.Store(false)
 
 	state := internal.CtxGetState(s.rootCtx)
 	state.Set(internal.StatusIdle)
@@ -695,12 +694,6 @@ func (s *Server) Status(
 		return nil, err
 	}
 
-	if status == internal.StatusNeedsLogin && s.isSessionActive.Load() {
-		log.Debug("status requested while session is active, returning SessionExpired")
-		status = internal.StatusSessionExpired
-		s.isSessionActive.Store(false)
-	}
-
 	statusResponse := proto.StatusResponse{Status: string(status), DaemonVersion: version.NetbirdVersion()}
 
 	s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())

client/server/server_test.go

@@ -206,7 +206,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManagerMock := permissions.NewMockManager(ctrl)
 
-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
 	if err != nil {
 		return nil, "", err
 	}

client/system/info.go

@@ -59,16 +59,16 @@ type Info struct {
 	Environment        Environment
 	Files              []File // for posture checks
 
-	RosenpassEnabled    bool
-	RosenpassPermissive bool
-	ServerSSHAllowed    bool
+	RosenpassEnabled      bool
+	RosenpassPermissive   bool
+	ServerSSHAllowed      bool
 
-	DisableClientRoutes bool
-	DisableServerRoutes bool
-	DisableDNS          bool
-	DisableFirewall     bool
-	BlockLANAccess      bool
-	BlockInbound        bool
+	DisableClientRoutes   bool
+	DisableServerRoutes   bool
+	DisableDNS            bool
+	DisableFirewall       bool
+	BlockLANAccess        bool
+	BlockInbound          bool
 
 	LazyConnectionEnabled bool
 }

client/ui/client_ui.go

@@ -20,10 +20,7 @@ import (
 
 	"fyne.io/fyne/v2"
 	"fyne.io/fyne/v2/app"
-	"fyne.io/fyne/v2/canvas"
-	"fyne.io/fyne/v2/container"
 	"fyne.io/fyne/v2/dialog"
-	"fyne.io/fyne/v2/layout"
 	"fyne.io/fyne/v2/theme"
 	"fyne.io/fyne/v2/widget"
 	"fyne.io/systray"
@@ -54,7 +51,7 @@ const (
 )
 
 func main() {
-	daemonAddr, showSettings, showNetworks, showLoginURL, showDebug, errorMsg, saveLogsInFile := parseFlags()
+	daemonAddr, showSettings, showNetworks, showDebug, errorMsg, saveLogsInFile := parseFlags()
 
 	// Initialize file logging if needed.
 	var logFile string
@@ -80,13 +77,13 @@ func main() {
 	}
 
 	// Create the service client (this also builds the settings or networks UI if requested).
-	client := newServiceClient(daemonAddr, logFile, a, showSettings, showNetworks, showLoginURL, showDebug)
+	client := newServiceClient(daemonAddr, logFile, a, showSettings, showNetworks, showDebug)
 
 	// Watch for theme/settings changes to update the icon.
 	go watchSettingsChanges(a, client)
 
 	// Run in window mode if any UI flag was set.
-	if showSettings || showNetworks || showDebug || showLoginURL {
+	if showSettings || showNetworks || showDebug {
 		a.Run()
 		return
 	}
@@ -107,7 +104,7 @@ func main() {
 }
 
 // parseFlags reads and returns all needed command-line flags.
-func parseFlags() (daemonAddr string, showSettings, showNetworks, showLoginURL, showDebug bool, errorMsg string, saveLogsInFile bool) {
+func parseFlags() (daemonAddr string, showSettings, showNetworks, showDebug bool, errorMsg string, saveLogsInFile bool) {
 	defaultDaemonAddr := "unix:///var/run/netbird.sock"
 	if runtime.GOOS == "windows" {
 		defaultDaemonAddr = "tcp://127.0.0.1:41731"
@@ -115,7 +112,6 @@ func parseFlags() (daemonAddr string, showSettings, showNetworks, showLoginURL,
 	flag.StringVar(&daemonAddr, "daemon-addr", defaultDaemonAddr, "Daemon service address to serve CLI requests [unix|tcp]://[path|host:port]")
 	flag.BoolVar(&showSettings, "settings", false, "run settings window")
 	flag.BoolVar(&showNetworks, "networks", false, "run networks window")
-	flag.BoolVar(&showLoginURL, "login-url", false, "show login URL in a popup window")
 	flag.BoolVar(&showDebug, "debug", false, "run debug window")
 	flag.StringVar(&errorMsg, "error-msg", "", "displays an error message window")
 	flag.BoolVar(&saveLogsInFile, "use-log-file", false, fmt.Sprintf("save logs in a file: %s/netbird-ui-PID.log", os.TempDir()))
@@ -257,7 +253,6 @@ type serviceClient struct {
 	exitNodeStates       []exitNodeState
 	mExitNodeDeselectAll *systray.MenuItem
 	logFile              string
-	wLoginURL            fyne.Window
 }
 
 type menuHandler struct {
@@ -268,7 +263,7 @@ type menuHandler struct {
 // newServiceClient instance constructor
 //
 // This constructor also builds the UI elements for the settings window.
-func newServiceClient(addr string, logFile string, a fyne.App, showSettings bool, showNetworks bool, showLoginURL bool, showDebug bool) *serviceClient {
+func newServiceClient(addr string, logFile string, a fyne.App, showSettings bool, showNetworks bool, showDebug bool) *serviceClient {
 	ctx, cancel := context.WithCancel(context.Background())
 	s := &serviceClient{
 		ctx:              ctx,
@@ -280,7 +275,7 @@ func newServiceClient(addr string, logFile string, a fyne.App, showSettings bool
 
 		showAdvancedSettings: showSettings,
 		showNetworks:         showNetworks,
-		update:               version.NewUpdate("nb/client-ui"),
+		update:               version.NewUpdate(),
 	}
 
 	s.eventHandler = newEventHandler(s)
@@ -291,8 +286,6 @@ func newServiceClient(addr string, logFile string, a fyne.App, showSettings bool
 		s.showSettingsUI()
 	case showNetworks:
 		s.showNetworksUI()
-	case showLoginURL:
-		s.showLoginURL()
 	case showDebug:
 		s.showDebugUI()
 	}
@@ -452,11 +445,11 @@ func (s *serviceClient) getSettingsForm() *widget.Form {
 	}
 }
 
-func (s *serviceClient) login(openURL bool) (*proto.LoginResponse, error) {
+func (s *serviceClient) login() error {
 	conn, err := s.getSrvClient(defaultFailTimeout)
 	if err != nil {
 		log.Errorf("get client: %v", err)
-		return nil, err
+		return err
 	}
 
 	loginResp, err := conn.Login(s.ctx, &proto.LoginRequest{
@@ -464,24 +457,24 @@ func (s *serviceClient) login(openURL bool) (*proto.LoginResponse, error) {
 	})
 	if err != nil {
 		log.Errorf("login to management URL with: %v", err)
-		return nil, err
+		return err
 	}
 
-	if loginResp.NeedsSSOLogin && openURL {
+	if loginResp.NeedsSSOLogin {
 		err = open.Run(loginResp.VerificationURIComplete)
 		if err != nil {
 			log.Errorf("opening the verification uri in the browser failed: %v", err)
-			return nil, err
+			return err
 		}
 
 		_, err = conn.WaitSSOLogin(s.ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
 		if err != nil {
 			log.Errorf("waiting sso login failed with: %v", err)
-			return nil, err
+			return err
 		}
 	}
 
-	return loginResp, nil
+	return nil
 }
 
 func (s *serviceClient) menuUpClick() error {
@@ -493,7 +486,7 @@ func (s *serviceClient) menuUpClick() error {
 		return err
 	}
 
-	_, err = s.login(true)
+	err = s.login()
 	if err != nil {
 		log.Errorf("login failed with: %v", err)
 		return err
@@ -565,7 +558,7 @@ func (s *serviceClient) updateStatus() error {
 		defer s.updateIndicationLock.Unlock()
 
 		// notify the user when the session has expired
-		if status.Status == string(internal.StatusSessionExpired) {
+		if status.Status == string(internal.StatusNeedsLogin) {
 			s.onSessionExpire()
 		}
 
@@ -739,6 +732,7 @@ func (s *serviceClient) onTrayReady() {
 	go s.eventHandler.listen(s.ctx)
 }
 
+
 func (s *serviceClient) attachOutput(cmd *exec.Cmd) *os.File {
 	if s.logFile == "" {
 		// attach child's streams to parent's streams
@@ -877,9 +871,17 @@ func (s *serviceClient) onUpdateAvailable() {
 
 // onSessionExpire sends a notification to the user when the session expires.
 func (s *serviceClient) onSessionExpire() {
-	s.sendNotification = true
 	if s.sendNotification {
-		go s.eventHandler.runSelfCommand(s.ctx, "login-url", "true")
+		title := "Connection session expired"
+		if runtime.GOOS == "darwin" {
+			title = "NetBird connection session expired"
+		}
+		s.app.SendNotification(
+			fyne.NewNotification(
+				title,
+				"Please re-authenticate to connect to the network",
+			),
+		)
 		s.sendNotification = false
 	}
 }
@@ -953,9 +955,9 @@ func (s *serviceClient) updateConfig() error {
 		ServerSSHAllowed:      &sshAllowed,
 		RosenpassEnabled:      &rosenpassEnabled,
 		DisableAutoConnect:    &disableAutoStart,
-		DisableNotifications:  &notificationsDisabled,
 		LazyConnectionEnabled: &lazyConnectionEnabled,
 		BlockInbound:          &blockInbound,
+		DisableNotifications:  &notificationsDisabled,
 	}
 
 	if err := s.restartClient(&loginRequest); err != nil {
@@ -989,99 +991,6 @@ func (s *serviceClient) restartClient(loginRequest *proto.LoginRequest) error {
 	return nil
 }
 
-// showLoginURL creates a borderless window styled like a pop-up in the top-right corner using s.wLoginURL.
-func (s *serviceClient) showLoginURL() {
-
-	resIcon := fyne.NewStaticResource("netbird.png", iconAbout)
-
-	if s.wLoginURL == nil {
-		s.wLoginURL = s.app.NewWindow("NetBird Session Expired")
-		s.wLoginURL.Resize(fyne.NewSize(400, 200))
-		s.wLoginURL.SetIcon(resIcon)
-	}
-	// add a description label
-	label := widget.NewLabel("Your NetBird session has expired.\nPlease re-authenticate to continue using NetBird.")
-
-	btn := widget.NewButtonWithIcon("Re-authenticate", theme.ViewRefreshIcon(), func() {
-
-		conn, err := s.getSrvClient(defaultFailTimeout)
-		if err != nil {
-			log.Errorf("get client: %v", err)
-			return
-		}
-
-		resp, err := s.login(false)
-		if err != nil {
-			log.Errorf("failed to fetch login URL: %v", err)
-			return
-		}
-		verificationURL := resp.VerificationURIComplete
-		if verificationURL == "" {
-			verificationURL = resp.VerificationURI
-		}
-
-		if verificationURL == "" {
-			log.Error("no verification URL provided in the login response")
-			return
-		}
-
-		if err := openURL(verificationURL); err != nil {
-			log.Errorf("failed to open login URL: %v", err)
-			return
-		}
-
-		_, err = conn.WaitSSOLogin(s.ctx, &proto.WaitSSOLoginRequest{UserCode: resp.UserCode})
-		if err != nil {
-			log.Errorf("Waiting sso login failed with: %v", err)
-			label.SetText("Waiting login failed, please create \na debug bundle in the settings and contact support.")
-			return
-		}
-
-		label.SetText("Re-authentication successful.\nReconnecting")
-		status, err := conn.Status(s.ctx, &proto.StatusRequest{})
-		if err != nil {
-			log.Errorf("get service status: %v", err)
-			return
-		}
-
-		if status.Status == string(internal.StatusConnected) {
-			label.SetText("Already connected.\nClosing this window.")
-			time.Sleep(2 * time.Second)
-			s.wLoginURL.Close()
-			return
-		}
-
-		_, err = conn.Up(s.ctx, &proto.UpRequest{})
-		if err != nil {
-			label.SetText("Reconnecting failed, please create \na debug bundle in the settings and contact support.")
-			log.Errorf("Reconnecting failed with: %v", err)
-			return
-		}
-
-		label.SetText("Connection successful.\nClosing this window.")
-		time.Sleep(time.Second)
-
-		s.wLoginURL.Close()
-	})
-
-	img := canvas.NewImageFromResource(resIcon)
-	img.FillMode = canvas.ImageFillContain
-	img.SetMinSize(fyne.NewSize(64, 64))
-	img.Resize(fyne.NewSize(64, 64))
-
-	// center the content vertically
-	content := container.NewVBox(
-		layout.NewSpacer(),
-		img,
-		label,
-		btn,
-		layout.NewSpacer(),
-	)
-	s.wLoginURL.SetContent(container.NewCenter(content))
-
-	s.wLoginURL.Show()
-}
-
 func openURL(url string) error {
 	var err error
 	switch runtime.GOOS {

client/ui/event_handler.go

@@ -12,8 +12,6 @@ import (
 	"fyne.io/fyne/v2"
 	"fyne.io/systray"
 	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/version"
 )
 
 type eventHandler struct {
@@ -122,7 +120,7 @@ func (h *eventHandler) handleAdvancedSettingsClick() {
 	go func() {
 		defer h.client.mAdvancedSettings.Enable()
 		defer h.client.getSrvConfig()
-		h.runSelfCommand(h.client.ctx, "settings", "true")
+		h.runSelfCommand("settings", "true")
 	}()
 }
 
@@ -130,7 +128,7 @@ func (h *eventHandler) handleCreateDebugBundleClick() {
 	h.client.mCreateDebugBundle.Disable()
 	go func() {
 		defer h.client.mCreateDebugBundle.Enable()
-		h.runSelfCommand(h.client.ctx, "debug", "true")
+		h.runSelfCommand("debug", "true")
 	}()
 }
 
@@ -145,7 +143,7 @@ func (h *eventHandler) handleGitHubClick() {
 }
 
 func (h *eventHandler) handleUpdateClick() {
-	if err := openURL(version.DownloadUrl()); err != nil {
+	if err := openURL("https://netbird.io/download"); err != nil {
 		log.Errorf("failed to open download URL: %v", err)
 	}
 }
@@ -154,7 +152,7 @@ func (h *eventHandler) handleNetworksClick() {
 	h.client.mNetworks.Disable()
 	go func() {
 		defer h.client.mNetworks.Enable()
-		h.runSelfCommand(h.client.ctx, "networks", "true")
+		h.runSelfCommand("networks", "true")
 	}()
 }
 
@@ -172,14 +170,14 @@ func (h *eventHandler) updateConfigWithErr() {
 	}
 }
 
-func (h *eventHandler) runSelfCommand(ctx context.Context, command, arg string) {
+func (h *eventHandler) runSelfCommand(command, arg string) {
 	proc, err := os.Executable()
 	if err != nil {
 		log.Errorf("error getting executable path: %v", err)
 		return
 	}
 
-	cmd := exec.CommandContext(ctx, proc,
+	cmd := exec.Command(proc,
 		fmt.Sprintf("--%s=%s", command, arg),
 		fmt.Sprintf("--daemon-addr=%s", h.client.addr),
 	)

client/ui/network.go

@@ -358,6 +358,8 @@ func (s *serviceClient) updateExitNodes() {
 	} else {
 		s.mExitNode.Disable()
 	}
+
+	log.Debugf("Exit nodes updated: %d", len(s.mExitNodeItems))
 }
 
 func (s *serviceClient) recreateExitNodeMenu(exitNodes []*proto.Network) {

go.mod

@@ -63,7 +63,7 @@ require (
 	github.com/miekg/dns v1.1.59
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/nadoo/ipset v0.5.0
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20250612164546-6bd7e2338d65
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20250529122842-6700aa91190c
 	github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250514131221-a464fd5f30cb
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
 	github.com/oschwald/maxminddb-golang v1.12.0
@@ -105,7 +105,6 @@ require (
 	golang.org/x/oauth2 v0.24.0
 	golang.org/x/sync v0.13.0
 	golang.org/x/term v0.31.0
-	golang.org/x/time v0.5.0
 	google.golang.org/api v0.177.0
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/mysql v1.5.7
@@ -241,6 +240,7 @@ require (
 	golang.org/x/image v0.18.0 // indirect
 	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240509183442-62759503f434 // indirect

go.sum

@@ -503,8 +503,8 @@ github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6S
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
 github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e h1:PURA50S8u4mF6RrkYYCAvvPCixhqqEiEy3Ej6avh04c=
 github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e/go.mod h1:YMLU7qbKfVjmEv7EoZPIVEI+kNYxWCdPK3VS0BU+U4Q=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20250612164546-6bd7e2338d65 h1:5OfYiLjpr4dbQYJI5ouZaylkVdi2KlErLFOwBeBo5Hw=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20250612164546-6bd7e2338d65/go.mod h1:Gi9raplYzCCyh07Olw/DVfCJTFgpr1WCXJ/Q+8TSA9Q=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20250529122842-6700aa91190c h1:SdZxYjR9XXHLyRsTbS1EHBr6+RI15oie1K9Q8yvi3FY=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20250529122842-6700aa91190c/go.mod h1:Gi9raplYzCCyh07Olw/DVfCJTFgpr1WCXJ/Q+8TSA9Q=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9axERMVN63dqyFqnvuD+EMJHzM7mNGON8=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250514131221-a464fd5f30cb h1:Cr6age+ePALqlSvtp7wc6lYY97XN7rkD1K4XEDmY+TU=

infrastructure_files/base.setup.env

@@ -15,7 +15,6 @@ NETBIRD_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAI
 NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN=$NETBIRD_DOMAIN
 NETBIRD_MGMT_DNS_DOMAIN=${NETBIRD_MGMT_DNS_DOMAIN:-netbird.selfhosted}
 NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=${NETBIRD_MGMT_IDP_SIGNKEY_REFRESH:-false}
-NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=${NETBIRD_MGMT_DISABLE_DEFAULT_POLICY:-false}
 
 # Signal
 NETBIRD_SIGNAL_PROTOCOL="http"
@@ -61,7 +60,7 @@ NETBIRD_TOKEN_SOURCE=${NETBIRD_TOKEN_SOURCE:-accessToken}
 NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS=${NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS:-"53000"}
 NETBIRD_AUTH_PKCE_USE_ID_TOKEN=${NETBIRD_AUTH_PKCE_USE_ID_TOKEN:-false}
 NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN=${NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN:-false}
-NETBIRD_AUTH_PKCE_LOGIN_FLAG=${NETBIRD_AUTH_PKCE_LOGIN_FLAG:-0}
+NETBIRD_AUTH_PKCE_LOGIN_FLAG=${NETBIRD_AUTH_PKCE_LOGIN_FLAG:-1}
 NETBIRD_AUTH_PKCE_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
 
 # Dashboard
@@ -140,4 +139,3 @@ export NETBIRD_RELAY_PORT
 export NETBIRD_RELAY_ENDPOINT
 export NETBIRD_RELAY_AUTH_SECRET
 export NETBIRD_RELAY_TAG
-export NETBIRD_MGMT_DISABLE_DEFAULT_POLICY

infrastructure_files/getting-started-with-zitadel.sh

@@ -791,6 +791,7 @@ services:
       - '443:443'
       - '443:443/udp'
       - '80:80'
+      - '8080:8080'
     volumes:
       - netbird_caddy_data:/data
       - ./Caddyfile:/etc/caddy/Caddyfile

infrastructure_files/management.json.tmpl

@@ -38,7 +38,6 @@
              "0.0.0.0/0"
         ]
     },
-    "DisableDefaultPolicy": $NETBIRD_MGMT_DISABLE_DEFAULT_POLICY,
     "Datadir": "",
     "DataStoreEncryptionKey": "$NETBIRD_DATASTORE_ENC_KEY",
     "StoreConfig": {

infrastructure_files/setup.env.example

@@ -92,8 +92,7 @@ NETBIRD_LETSENCRYPT_EMAIL=""
 NETBIRD_DISABLE_ANONYMOUS_METRICS=false
 # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
 NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
-# Disable default all-to-all policy for new accounts
-NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=false
+
 # -------------------------------------------
 # Relay settings
 # -------------------------------------------

infrastructure_files/tests/setup.env

@@ -29,4 +29,3 @@ NETBIRD_TURN_EXTERNAL_IP=1.2.3.4
 NETBIRD_RELAY_PORT=33445
 NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN=true
 NETBIRD_AUTH_PKCE_LOGIN_FLAG=0
-NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=$CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY

management/client/client_test.go

@@ -87,12 +87,6 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
 		).
 		Return(&types.Settings{}, nil).
 		AnyTimes()
-	settingsMockManager.
-		EXPECT().
-		GetExtraSettings(gomock.Any(), gomock.Any()).
-		Return(&types.ExtraSettings{}, nil).
-		AnyTimes()
-
 	permissionsManagerMock := permissions.NewMockManager(ctrl)
 	permissionsManagerMock.
 		EXPECT().
@@ -106,7 +100,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
 		Return(true, nil).
 		AnyTimes()
 
-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
 	if err != nil {
 		t.Fatal(err)
 	}

management/cmd/management.go

@@ -159,12 +159,6 @@ var (
 			if err != nil {
 				return err
 			}
-
-			integrationMetrics, err := integrations.InitIntegrationMetrics(ctx, appMetrics)
-			if err != nil {
-				return err
-			}
-
 			store, err := store.NewStore(ctx, config.StoreConfig.Engine, config.Datadir, appMetrics, false)
 			if err != nil {
 				return fmt.Errorf("failed creating Store: %s: %v", config.Datadir, err)
@@ -182,7 +176,7 @@ var (
 			if disableSingleAccMode {
 				mgmtSingleAccModeDomain = ""
 			}
-			eventStore, key, err := integrations.InitEventStore(ctx, config.Datadir, config.DataStoreEncryptionKey, integrationMetrics)
+			eventStore, key, err := integrations.InitEventStore(ctx, config.Datadir, config.DataStoreEncryptionKey)
 			if err != nil {
 				return fmt.Errorf("failed to initialize database: %s", err)
 			}
@@ -215,7 +209,7 @@ var (
 			peersManager := peers.NewManager(store, permissionsManager)
 			proxyController := integrations.NewController(store)
 			accountManager, err := server.BuildManager(ctx, store, peersUpdateManager, idpManager, mgmtSingleAccModeDomain,
-				dnsDomain, eventStore, geo, userDeleteFromIDPEnabled, integratedPeerValidator, appMetrics, proxyController, settingsManager, permissionsManager, config.DisableDefaultPolicy)
+				dnsDomain, eventStore, geo, userDeleteFromIDPEnabled, integratedPeerValidator, appMetrics, proxyController, settingsManager, permissionsManager)
 			if err != nil {
 				return fmt.Errorf("failed to build default manager: %v", err)
 			}
@@ -357,13 +351,6 @@ var (
 			log.WithContext(ctx).Infof("running HTTP server and gRPC server on the same port: %s", listener.Addr().String())
 			serveGRPCWithHTTP(ctx, listener, rootHandler, tlsEnabled)
 
-			update := version.NewUpdate("nb/management")
-			update.SetDaemonVersion(version.NetbirdVersion())
-			update.SetOnUpdateListener(func() {
-				log.WithContext(ctx).Infof("your management version, \"%s\", is outdated, a new management version is available. Learn more here: https://github.com/netbirdio/netbird/releases", version.NetbirdVersion())
-			})
-			defer update.StopWatch()
-
 			SetupCloseHandler()
 
 			<-stopCh

management/server/account.go

@@ -24,7 +24,6 @@ import (
 	"golang.org/x/exp/maps"
 
 	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/formatter/hook"
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbcache "github.com/netbirdio/netbird/management/server/cache"
@@ -102,8 +101,6 @@ type DefaultAccountManager struct {
 
 	accountUpdateLocks               sync.Map
 	updateAccountPeersBufferInterval atomic.Int64
-
-	disableDefaultPolicy bool
 }
 
 // getJWTGroupsChanges calculates the changes needed to sync a user's JWT groups.
@@ -172,7 +169,6 @@ func BuildManager(
 	proxyController port_forwarding.Controller,
 	settingsManager settings.Manager,
 	permissionsManager permissions.Manager,
-	disableDefaultPolicy bool,
 ) (*DefaultAccountManager, error) {
 	start := time.Now()
 	defer func() {
@@ -198,7 +194,6 @@ func BuildManager(
 		proxyController:          proxyController,
 		settingsManager:          settingsManager,
 		permissionsManager:       permissionsManager,
-		disableDefaultPolicy:     disableDefaultPolicy,
 	}
 
 	am.startWarmup(ctx)
@@ -414,15 +409,14 @@ func (am *DefaultAccountManager) handlePeerLoginExpirationSettings(ctx context.C
 			event = activity.AccountPeerLoginExpirationDisabled
 			am.peerLoginExpiry.Cancel(ctx, []string{accountID})
 		} else {
-			am.schedulePeerLoginExpiration(ctx, accountID)
+			am.checkAndSchedulePeerLoginExpiration(ctx, accountID)
 		}
 		am.StoreEvent(ctx, userID, accountID, accountID, event, nil)
 	}
 
 	if oldSettings.PeerLoginExpiration != newSettings.PeerLoginExpiration {
 		am.StoreEvent(ctx, userID, accountID, accountID, activity.AccountPeerLoginExpirationDurationUpdated, nil)
-		am.peerLoginExpiry.Cancel(ctx, []string{accountID})
-		am.schedulePeerLoginExpiration(ctx, accountID)
+		am.checkAndSchedulePeerLoginExpiration(ctx, accountID)
 	}
 }
 
@@ -460,10 +454,6 @@ func (am *DefaultAccountManager) handleInactivityExpirationSettings(ctx context.
 
 func (am *DefaultAccountManager) peerLoginExpirationJob(ctx context.Context, accountID string) func() (time.Duration, bool) {
 	return func() (time.Duration, bool) {
-		//nolint
-		ctx := context.WithValue(ctx, nbcontext.AccountIDKey, accountID)
-		//nolint
-		ctx = context.WithValue(ctx, hook.ExecutionContextKey, fmt.Sprintf("%s-PEER-EXPIRATION", hook.SystemSource))
 		unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
 		defer unlock()
 
@@ -488,11 +478,8 @@ func (am *DefaultAccountManager) peerLoginExpirationJob(ctx context.Context, acc
 	}
 }
 
-func (am *DefaultAccountManager) schedulePeerLoginExpiration(ctx context.Context, accountID string) {
-	if am.peerLoginExpiry.IsSchedulerRunning(accountID) {
-		log.WithContext(ctx).Tracef("peer login expiration job for account %s is already scheduled", accountID)
-		return
-	}
+func (am *DefaultAccountManager) checkAndSchedulePeerLoginExpiration(ctx context.Context, accountID string) {
+	am.peerLoginExpiry.Cancel(ctx, []string{accountID})
 	if nextRun, ok := am.getNextPeerExpiration(ctx, accountID); ok {
 		go am.peerLoginExpiry.Schedule(ctx, nextRun, accountID, am.peerLoginExpirationJob(ctx, accountID))
 	}
@@ -547,7 +534,7 @@ func (am *DefaultAccountManager) newAccount(ctx context.Context, userID, domain
 			log.WithContext(ctx).Warnf("an account with ID already exists, retrying...")
 			continue
 		case statusErr.Type() == status.NotFound:
-			newAccount := newAccountWithId(ctx, accountId, userID, domain, am.disableDefaultPolicy)
+			newAccount := newAccountWithId(ctx, accountId, userID, domain)
 			am.StoreEvent(ctx, userID, newAccount.Id, accountId, activity.AccountCreated, nil)
 			return newAccount, nil
 		default:
@@ -1192,71 +1179,6 @@ func (am *DefaultAccountManager) GetAccountMeta(ctx context.Context, accountID s
 	return am.Store.GetAccountMeta(ctx, store.LockingStrengthShare, accountID)
 }
 
-// GetAccountOnboarding retrieves the onboarding information for a specific account.
-func (am *DefaultAccountManager) GetAccountOnboarding(ctx context.Context, accountID string, userID string) (*types.AccountOnboarding, error) {
-	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Read)
-	if err != nil {
-		return nil, status.NewPermissionValidationError(err)
-	}
-
-	if !allowed {
-		return nil, status.NewPermissionDeniedError()
-	}
-
-	onboarding, err := am.Store.GetAccountOnboarding(ctx, accountID)
-	if err != nil && err.Error() != status.NewAccountOnboardingNotFoundError(accountID).Error() {
-		log.Errorf("failed to get account onboarding for accountssssssss %s: %v", accountID, err)
-		return nil, err
-	}
-
-	if onboarding == nil {
-		onboarding = &types.AccountOnboarding{
-			AccountID: accountID,
-		}
-	}
-
-	return onboarding, nil
-}
-
-func (am *DefaultAccountManager) UpdateAccountOnboarding(ctx context.Context, accountID, userID string, newOnboarding *types.AccountOnboarding) (*types.AccountOnboarding, error) {
-	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Update)
-	if err != nil {
-		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
-	}
-
-	if !allowed {
-		return nil, status.NewPermissionDeniedError()
-	}
-
-	oldOnboarding, err := am.Store.GetAccountOnboarding(ctx, accountID)
-	if err != nil && err.Error() != status.NewAccountOnboardingNotFoundError(accountID).Error() {
-		return nil, fmt.Errorf("failed to get account onboarding: %w", err)
-	}
-
-	if oldOnboarding == nil {
-		oldOnboarding = &types.AccountOnboarding{
-			AccountID: accountID,
-		}
-	}
-
-	if newOnboarding == nil {
-		return oldOnboarding, nil
-	}
-
-	if oldOnboarding.IsEqual(*newOnboarding) {
-		log.WithContext(ctx).Debugf("no changes in onboarding for account %s", accountID)
-		return oldOnboarding, nil
-	}
-
-	newOnboarding.AccountID = accountID
-	err = am.Store.SaveAccountOnboarding(ctx, newOnboarding)
-	if err != nil {
-		return nil, fmt.Errorf("failed to update account onboarding: %w", err)
-	}
-
-	return newOnboarding, nil
-}
-
 func (am *DefaultAccountManager) GetAccountIDFromUserAuth(ctx context.Context, userAuth nbcontext.UserAuth) (string, string, error) {
 	if userAuth.UserId == "" {
 		return "", "", errors.New(emptyUserID)
@@ -1757,7 +1679,7 @@ func (am *DefaultAccountManager) GetAccountSettings(ctx context.Context, account
 }
 
 // newAccountWithId creates a new Account with a default SetupKey (doesn't store in a Store) and provided id
-func newAccountWithId(ctx context.Context, accountID, userID, domain string, disableDefaultPolicy bool) *types.Account {
+func newAccountWithId(ctx context.Context, accountID, userID, domain string) *types.Account {
 	log.WithContext(ctx).Debugf("creating new account")
 
 	network := types.NewNetwork()
@@ -1798,13 +1720,9 @@ func newAccountWithId(ctx context.Context, accountID, userID, domain string, dis
 			PeerInactivityExpiration:        types.DefaultPeerInactivityExpiration,
 			RoutingPeerDNSResolutionEnabled: true,
 		},
-		Onboarding: types.AccountOnboarding{
-			OnboardingFlowPending: true,
-			SignupFormPending:     true,
-		},
 	}
 
-	if err := acc.AddAllGroup(disableDefaultPolicy); err != nil {
+	if err := acc.AddAllGroup(); err != nil {
 		log.WithContext(ctx).Errorf("error adding all group to account %s: %v", acc.Id, err)
 	}
 	return acc
@@ -1906,7 +1824,7 @@ func (am *DefaultAccountManager) GetOrCreateAccountByPrivateDomain(ctx context.C
 			},
 		}
 
-		if err := newAccount.AddAllGroup(am.disableDefaultPolicy); err != nil {
+		if err := newAccount.AddAllGroup(); err != nil {
 			return nil, false, status.Errorf(status.Internal, "failed to add all group to new account by private domain")
 		}
 
@@ -1926,49 +1844,40 @@ func (am *DefaultAccountManager) GetOrCreateAccountByPrivateDomain(ctx context.C
 }
 
 func (am *DefaultAccountManager) UpdateToPrimaryAccount(ctx context.Context, accountId string) (*types.Account, error) {
-	var account *types.Account
-	err := am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		var err error
-		account, err = transaction.GetAccount(ctx, accountId)
-		if err != nil {
-			return err
-		}
-
-		if account.IsDomainPrimaryAccount {
-			return nil
-		}
-
-		existingPrimaryAccountID, err := transaction.GetAccountIDByPrivateDomain(ctx, store.LockingStrengthShare, account.Domain)
-
-		// error is not a not found error
-		if handleNotFound(err) != nil {
-			return err
-		}
-
-		// a primary account already exists for this private domain
-		if err == nil {
-			log.WithContext(ctx).WithFields(log.Fields{
-				"accountId":         accountId,
-				"existingAccountId": existingPrimaryAccountID,
-			}).Errorf("cannot update account to primary, another account already exists as primary for the same domain")
-			return status.Errorf(status.Internal, "cannot update account to primary")
-		}
-
-		account.IsDomainPrimaryAccount = true
-
-		if err := transaction.SaveAccount(ctx, account); err != nil {
-			log.WithContext(ctx).WithFields(log.Fields{
-				"accountId": accountId,
-			}).Errorf("failed to update account to primary: %v", err)
-			return status.Errorf(status.Internal, "failed to update account to primary")
-		}
-
-		return nil
-	})
+	account, err := am.Store.GetAccount(ctx, accountId)
 	if err != nil {
 		return nil, err
 	}
 
+	if account.IsDomainPrimaryAccount {
+		return account, nil
+	}
+
+	existingPrimaryAccountID, err := am.Store.GetAccountIDByPrivateDomain(ctx, store.LockingStrengthShare, account.Domain)
+
+	// error is not a not found error
+	if handleNotFound(err) != nil {
+		return nil, err
+	}
+
+	// a primary account already exists for this private domain
+	if err == nil {
+		log.WithContext(ctx).WithFields(log.Fields{
+			"accountId":         accountId,
+			"existingAccountId": existingPrimaryAccountID,
+		}).Errorf("cannot update account to primary, another account already exists as primary for the same domain")
+		return nil, status.Errorf(status.Internal, "cannot update account to primary")
+	}
+
+	account.IsDomainPrimaryAccount = true
+
+	if err := am.Store.SaveAccount(ctx, account); err != nil {
+		log.WithContext(ctx).WithFields(log.Fields{
+			"accountId": accountId,
+		}).Errorf("failed to update account to primary: %v", err)
+		return nil, status.Errorf(status.Internal, "failed to update account to primary")
+	}
+
 	return account, nil
 }
 

management/server/account/manager.go

@@ -39,7 +39,6 @@ type Manager interface {
 	GetSetupKey(ctx context.Context, accountID, userID, keyID string) (*types.SetupKey, error)
 	GetAccountByID(ctx context.Context, accountID string, userID string) (*types.Account, error)
 	GetAccountMeta(ctx context.Context, accountID string, userID string) (*types.AccountMeta, error)
-	GetAccountOnboarding(ctx context.Context, accountID string, userID string) (*types.AccountOnboarding, error)
 	AccountExists(ctx context.Context, accountID string) (bool, error)
 	GetAccountIDByUserID(ctx context.Context, userID, domain string) (string, error)
 	GetAccountIDFromUserAuth(ctx context.Context, userAuth nbcontext.UserAuth) (string, string, error)
@@ -90,7 +89,6 @@ type Manager interface {
 	SaveDNSSettings(ctx context.Context, accountID string, userID string, dnsSettingsToSave *types.DNSSettings) error
 	GetPeer(ctx context.Context, accountID, peerID, userID string) (*nbpeer.Peer, error)
 	UpdateAccountSettings(ctx context.Context, accountID, userID string, newSettings *types.Settings) (*types.Settings, error)
-	UpdateAccountOnboarding(ctx context.Context, accountID, userID string, newOnboarding *types.AccountOnboarding) (*types.AccountOnboarding, error)
 	LoginPeer(ctx context.Context, login types.PeerLogin) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)                // used by peer gRPC API
 	SyncPeer(ctx context.Context, sync types.PeerSync, accountID string) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error) // used by peer gRPC API
 	GetAllConnectedPeers() (map[string]struct{}, error)
@@ -112,7 +110,6 @@ type Manager interface {
 	GetAccountSettings(ctx context.Context, accountID string, userID string) (*types.Settings, error)
 	DeleteSetupKey(ctx context.Context, accountID, userID, keyID string) error
 	UpdateAccountPeers(ctx context.Context, accountID string)
-	BufferUpdateAccountPeers(ctx context.Context, accountID string)
 	BuildUserInfosForAccount(ctx context.Context, accountID, initiatorUserID string, accountUsers []*types.User) (map[string]*types.UserInfo, error)
 	SyncUserJWTGroups(ctx context.Context, userAuth nbcontext.UserAuth) error
 	GetStore() store.Store

management/server/account_test.go

@@ -373,7 +373,7 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 	}
 
 	for _, testCase := range tt {
-		account := newAccountWithId(context.Background(), "account-1", userID, "netbird.io", false)
+		account := newAccountWithId(context.Background(), "account-1", userID, "netbird.io")
 		account.UpdateSettings(&testCase.accountSettings)
 		account.Network = network
 		account.Peers = testCase.peers
@@ -398,7 +398,7 @@ func TestNewAccount(t *testing.T) {
 	domain := "netbird.io"
 	userId := "account_creator"
 	accountID := "account_id"
-	account := newAccountWithId(context.Background(), accountID, userId, domain, false)
+	account := newAccountWithId(context.Background(), accountID, userId, domain)
 	verifyNewAccountHasDefaultFields(t, account, userId, domain, []string{userId})
 }
 
@@ -640,7 +640,7 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 func TestDefaultAccountManager_SyncUserJWTGroups(t *testing.T) {
 	userId := "user-id"
 	domain := "test.domain"
-	_ = newAccountWithId(context.Background(), "", userId, domain, false)
+	_ = newAccountWithId(context.Background(), "", userId, domain)
 	manager, err := createManager(t)
 	require.NoError(t, err, "unable to create account manager")
 	accountID, err := manager.GetAccountIDByUserID(context.Background(), userId, domain)
@@ -793,7 +793,7 @@ func TestAccountManager_GetAccountByUserID(t *testing.T) {
 }
 
 func createAccount(am *DefaultAccountManager, accountID, userID, domain string) (*types.Account, error) {
-	account := newAccountWithId(context.Background(), accountID, userID, domain, false)
+	account := newAccountWithId(context.Background(), accountID, userID, domain)
 	err := am.Store.SaveAccount(context.Background(), account)
 	if err != nil {
 		return nil, err
@@ -1862,8 +1862,11 @@ func TestDefaultAccountManager_MarkPeerConnected_PeerLoginExpiration(t *testing.
 	require.NoError(t, err, "expecting to update account settings successfully but got error")
 
 	wg := &sync.WaitGroup{}
-	wg.Add(1)
+	wg.Add(2)
 	manager.peerLoginExpiry = &MockScheduler{
+		CancelFunc: func(ctx context.Context, IDs []string) {
+			wg.Done()
+		},
 		ScheduleFunc: func(ctx context.Context, in time.Duration, ID string, job func() (nextRunIn time.Duration, reschedule bool)) {
 			wg.Done()
 		},
@@ -2879,7 +2882,7 @@ func createManager(t testing.TB) (*DefaultAccountManager, error) {
 
 	permissionsManager := permissions.NewManager(store)
 
-	manager, err := BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	manager, err := BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
 	if err != nil {
 		return nil, err
 	}
@@ -3440,74 +3443,3 @@ func TestPropagateUserGroupMemberships(t *testing.T) {
 		}
 	})
 }
-
-func TestDefaultAccountManager_GetAccountOnboarding(t *testing.T) {
-	manager, err := createManager(t)
-	require.NoError(t, err)
-
-	account, err := manager.GetOrCreateAccountByUser(context.Background(), userID, "")
-	require.NoError(t, err)
-
-	t.Run("should return account onboarding when onboarding exist", func(t *testing.T) {
-		onboarding, err := manager.GetAccountOnboarding(context.Background(), account.Id, userID)
-		require.NoError(t, err)
-		require.NotNil(t, onboarding)
-		assert.Equal(t, account.Id, onboarding.AccountID)
-		assert.Equal(t, true, onboarding.OnboardingFlowPending)
-		assert.Equal(t, true, onboarding.SignupFormPending)
-		if onboarding.UpdatedAt.IsZero() {
-			t.Errorf("Onboarding was not retrieved from the store")
-		}
-	})
-
-	t.Run("should return account onboarding when onboard don't exist", func(t *testing.T) {
-		account.Id = "with-zero-onboarding"
-		account.Onboarding = types.AccountOnboarding{}
-		err = manager.Store.SaveAccount(context.Background(), account)
-		require.NoError(t, err)
-		onboarding, err := manager.GetAccountOnboarding(context.Background(), account.Id, userID)
-		require.NoError(t, err)
-		require.NotNil(t, onboarding)
-		_, err = manager.Store.GetAccountOnboarding(context.Background(), account.Id)
-		require.Error(t, err, "should return error when onboarding is not set")
-	})
-}
-
-func TestDefaultAccountManager_UpdateAccountOnboarding(t *testing.T) {
-	manager, err := createManager(t)
-	require.NoError(t, err)
-
-	account, err := manager.GetOrCreateAccountByUser(context.Background(), userID, "")
-	require.NoError(t, err)
-
-	onboarding := &types.AccountOnboarding{
-		OnboardingFlowPending: true,
-		SignupFormPending:     true,
-	}
-
-	t.Run("update onboarding with no change", func(t *testing.T) {
-		updated, err := manager.UpdateAccountOnboarding(context.Background(), account.Id, userID, onboarding)
-		require.NoError(t, err)
-		assert.Equal(t, onboarding.OnboardingFlowPending, updated.OnboardingFlowPending)
-		assert.Equal(t, onboarding.SignupFormPending, updated.SignupFormPending)
-		if updated.UpdatedAt.IsZero() {
-			t.Errorf("Onboarding was updated in the store")
-		}
-	})
-
-	onboarding.OnboardingFlowPending = false
-	onboarding.SignupFormPending = false
-
-	t.Run("update onboarding", func(t *testing.T) {
-		updated, err := manager.UpdateAccountOnboarding(context.Background(), account.Id, userID, onboarding)
-		require.NoError(t, err)
-		require.NotNil(t, updated)
-		assert.Equal(t, onboarding.OnboardingFlowPending, updated.OnboardingFlowPending)
-		assert.Equal(t, onboarding.SignupFormPending, updated.SignupFormPending)
-	})
-
-	t.Run("update onboarding with no onboarding", func(t *testing.T) {
-		_, err = manager.UpdateAccountOnboarding(context.Background(), account.Id, userID, nil)
-		require.NoError(t, err)
-	})
-}

management/server/dns_test.go

@@ -216,10 +216,8 @@ func createDNSManager(t *testing.T) (*DefaultAccountManager, error) {
 	t.Cleanup(ctrl.Finish)
 
 	settingsMockManager := settings.NewMockManager(ctrl)
-	// return empty extra settings for expected calls to UpdateAccountPeers
-	settingsMockManager.EXPECT().GetExtraSettings(gomock.Any(), gomock.Any()).Return(&types.ExtraSettings{}, nil).AnyTimes()
 	permissionsManager := permissions.NewManager(store)
-	return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.test", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.test", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
 }
 
 func createDNSStore(t *testing.T) (store.Store, error) {
@@ -269,7 +267,7 @@ func initTestDNSAccount(t *testing.T, am *DefaultAccountManager) (*types.Account
 
 	domain := "example.com"
 
-	account := newAccountWithId(context.Background(), dnsAccountID, dnsAdminUserID, domain, false)
+	account := newAccountWithId(context.Background(), dnsAccountID, dnsAdminUserID, domain)
 
 	account.Users[dnsRegularUserID] = &types.User{
 		Id:   dnsRegularUserID,

management/server/ephemeral.go

@@ -5,20 +5,16 @@ import (
 	"sync"
 	"time"
 
-	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
 
 	nbAccount "github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
-	nbContext "github.com/netbirdio/netbird/management/server/context"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/store"
 )
 
 const (
 	ephemeralLifeTime = 10 * time.Minute
-	// cleanupWindow is the time window to wait after nearest peer deadline to start the cleanup procedure.
-	cleanupWindow = 1 * time.Minute
 )
 
 var (
@@ -45,9 +41,6 @@ type EphemeralManager struct {
 	tailPeer  *ephemeralPeer
 	peersLock sync.Mutex
 	timer     *time.Timer
-
-	lifeTime      time.Duration
-	cleanupWindow time.Duration
 }
 
 // NewEphemeralManager instantiate new EphemeralManager
@@ -55,9 +48,6 @@ func NewEphemeralManager(store store.Store, accountManager nbAccount.Manager) *E
 	return &EphemeralManager{
 		store:          store,
 		accountManager: accountManager,
-
-		lifeTime:      ephemeralLifeTime,
-		cleanupWindow: cleanupWindow,
 	}
 }
 
@@ -70,7 +60,7 @@ func (e *EphemeralManager) LoadInitialPeers(ctx context.Context) {
 
 	e.loadEphemeralPeers(ctx)
 	if e.headPeer != nil {
-		e.timer = time.AfterFunc(e.lifeTime, func() {
+		e.timer = time.AfterFunc(ephemeralLifeTime, func() {
 			e.cleanup(ctx)
 		})
 	}
@@ -123,13 +113,9 @@ func (e *EphemeralManager) OnPeerDisconnected(ctx context.Context, peer *nbpeer.
 		return
 	}
 
-	e.addPeer(peer.AccountID, peer.ID, e.newDeadLine())
+	e.addPeer(peer.AccountID, peer.ID, newDeadLine())
 	if e.timer == nil {
-		delay := e.headPeer.deadline.Sub(timeNow()) + e.cleanupWindow
-		if delay < 0 {
-			delay = 0
-		}
-		e.timer = time.AfterFunc(delay, func() {
+		e.timer = time.AfterFunc(e.headPeer.deadline.Sub(timeNow()), func() {
 			e.cleanup(ctx)
 		})
 	}
@@ -142,7 +128,7 @@ func (e *EphemeralManager) loadEphemeralPeers(ctx context.Context) {
 		return
 	}
 
-	t := e.newDeadLine()
+	t := newDeadLine()
 	for _, p := range peers {
 		e.addPeer(p.AccountID, p.ID, t)
 	}
@@ -152,9 +138,6 @@ func (e *EphemeralManager) loadEphemeralPeers(ctx context.Context) {
 
 func (e *EphemeralManager) cleanup(ctx context.Context) {
 	log.Tracef("on ephemeral cleanup")
-	reqID := uuid.New().String()
-	//nolint
-	ctx = context.WithValue(ctx, nbContext.RequestIDKey, reqID)
 	deletePeers := make(map[string]*ephemeralPeer)
 
 	e.peersLock.Lock()
@@ -172,11 +155,7 @@ func (e *EphemeralManager) cleanup(ctx context.Context) {
 	}
 
 	if e.headPeer != nil {
-		delay := e.headPeer.deadline.Sub(timeNow()) + e.cleanupWindow
-		if delay < 0 {
-			delay = 0
-		}
-		e.timer = time.AfterFunc(delay, func() {
+		e.timer = time.AfterFunc(e.headPeer.deadline.Sub(timeNow()), func() {
 			e.cleanup(ctx)
 		})
 	} else {
@@ -185,21 +164,13 @@ func (e *EphemeralManager) cleanup(ctx context.Context) {
 
 	e.peersLock.Unlock()
 
-	bufferAccountCall := make(map[string]struct{})
-
 	for id, p := range deletePeers {
 		log.WithContext(ctx).Debugf("delete ephemeral peer: %s", id)
 		err := e.accountManager.DeletePeer(ctx, p.accountID, id, activity.SystemInitiator)
 		if err != nil {
 			log.WithContext(ctx).Errorf("failed to delete ephemeral peer: %s", err)
-		} else {
-			bufferAccountCall[p.accountID] = struct{}{}
 		}
 	}
-	for accountID := range bufferAccountCall {
-		log.WithContext(ctx).Debugf("ephemeral - buffer update account peers for account: %s", accountID)
-		e.accountManager.BufferUpdateAccountPeers(ctx, accountID)
-	}
 }
 
 func (e *EphemeralManager) addPeer(accountID string, peerID string, deadline time.Time) {
@@ -252,6 +223,6 @@ func (e *EphemeralManager) isPeerOnList(id string) bool {
 	return false
 }
 
-func (e *EphemeralManager) newDeadLine() time.Time {
-	return timeNow().Add(e.lifeTime)
+func newDeadLine() time.Time {
+	return timeNow().Add(ephemeralLifeTime)
 }

management/server/ephemeral_test.go

@@ -3,12 +3,9 @@ package server
 import (
 	"context"
 	"fmt"
-	"sync"
 	"testing"
 	"time"
 
-	"github.com/stretchr/testify/assert"
-
 	nbAccount "github.com/netbirdio/netbird/management/server/account"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -30,65 +27,28 @@ func (s *MockStore) GetAllEphemeralPeers(_ context.Context, _ store.LockingStren
 	return peers, nil
 }
 
-type MockAccountManager struct {
-	mu sync.Mutex
+type MocAccountManager struct {
 	nbAccount.Manager
-	store             *MockStore
-	deletePeerCalls   int
-	bufferUpdateCalls map[string]int
-	wg                *sync.WaitGroup
+	store *MockStore
 }
 
-func (a *MockAccountManager) DeletePeer(_ context.Context, accountID, peerID, userID string) error {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	a.deletePeerCalls++
-	if a.wg != nil {
-		a.wg.Done()
-	}
+func (a MocAccountManager) DeletePeer(_ context.Context, accountID, peerID, userID string) error {
 	delete(a.store.account.Peers, peerID)
-	return nil
+	return nil //nolint:nil
 }
 
-func (a *MockAccountManager) GetDeletePeerCalls() int {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	return a.deletePeerCalls
-}
-
-func (a *MockAccountManager) BufferUpdateAccountPeers(ctx context.Context, accountID string) {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	if a.bufferUpdateCalls == nil {
-		a.bufferUpdateCalls = make(map[string]int)
-	}
-	a.bufferUpdateCalls[accountID]++
-}
-
-func (a *MockAccountManager) GetBufferUpdateCalls(accountID string) int {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	if a.bufferUpdateCalls == nil {
-		return 0
-	}
-	return a.bufferUpdateCalls[accountID]
-}
-
-func (a *MockAccountManager) GetStore() store.Store {
+func (a MocAccountManager) GetStore() store.Store {
 	return a.store
 }
 
 func TestNewManager(t *testing.T) {
-	t.Cleanup(func() {
-		timeNow = time.Now
-	})
 	startTime := time.Now()
 	timeNow = func() time.Time {
 		return startTime
 	}
 
 	store := &MockStore{}
-	am := MockAccountManager{
+	am := MocAccountManager{
 		store: store,
 	}
 
@@ -96,7 +56,7 @@ func TestNewManager(t *testing.T) {
 	numberOfEphemeralPeers := 3
 	seedPeers(store, numberOfPeers, numberOfEphemeralPeers)
 
-	mgr := NewEphemeralManager(store, &am)
+	mgr := NewEphemeralManager(store, am)
 	mgr.loadEphemeralPeers(context.Background())
 	startTime = startTime.Add(ephemeralLifeTime + 1)
 	mgr.cleanup(context.Background())
@@ -107,16 +67,13 @@ func TestNewManager(t *testing.T) {
 }
 
 func TestNewManagerPeerConnected(t *testing.T) {
-	t.Cleanup(func() {
-		timeNow = time.Now
-	})
 	startTime := time.Now()
 	timeNow = func() time.Time {
 		return startTime
 	}
 
 	store := &MockStore{}
-	am := MockAccountManager{
+	am := MocAccountManager{
 		store: store,
 	}
 
@@ -124,7 +81,7 @@ func TestNewManagerPeerConnected(t *testing.T) {
 	numberOfEphemeralPeers := 3
 	seedPeers(store, numberOfPeers, numberOfEphemeralPeers)
 
-	mgr := NewEphemeralManager(store, &am)
+	mgr := NewEphemeralManager(store, am)
 	mgr.loadEphemeralPeers(context.Background())
 	mgr.OnPeerConnected(context.Background(), store.account.Peers["ephemeral_peer_0"])
 
@@ -138,16 +95,13 @@ func TestNewManagerPeerConnected(t *testing.T) {
 }
 
 func TestNewManagerPeerDisconnected(t *testing.T) {
-	t.Cleanup(func() {
-		timeNow = time.Now
-	})
 	startTime := time.Now()
 	timeNow = func() time.Time {
 		return startTime
 	}
 
 	store := &MockStore{}
-	am := MockAccountManager{
+	am := MocAccountManager{
 		store: store,
 	}
 
@@ -155,7 +109,7 @@ func TestNewManagerPeerDisconnected(t *testing.T) {
 	numberOfEphemeralPeers := 3
 	seedPeers(store, numberOfPeers, numberOfEphemeralPeers)
 
-	mgr := NewEphemeralManager(store, &am)
+	mgr := NewEphemeralManager(store, am)
 	mgr.loadEphemeralPeers(context.Background())
 	for _, v := range store.account.Peers {
 		mgr.OnPeerConnected(context.Background(), v)
@@ -172,38 +126,8 @@ func TestNewManagerPeerDisconnected(t *testing.T) {
 	}
 }
 
-func TestCleanupSchedulingBehaviorIsBatched(t *testing.T) {
-	const (
-		ephemeralPeers    = 10
-		testLifeTime      = 1 * time.Second
-		testCleanupWindow = 100 * time.Millisecond
-	)
-	mockStore := &MockStore{}
-	mockAM := &MockAccountManager{
-		store: mockStore,
-	}
-	mockAM.wg = &sync.WaitGroup{}
-	mockAM.wg.Add(ephemeralPeers)
-	mgr := NewEphemeralManager(mockStore, mockAM)
-	mgr.lifeTime = testLifeTime
-	mgr.cleanupWindow = testCleanupWindow
-
-	account := newAccountWithId(context.Background(), "account", "", "", false)
-	mockStore.account = account
-	for i := range ephemeralPeers {
-		p := &nbpeer.Peer{ID: fmt.Sprintf("peer-%d", i), AccountID: account.Id, Ephemeral: true}
-		mockStore.account.Peers[p.ID] = p
-		time.Sleep(testCleanupWindow / ephemeralPeers)
-		mgr.OnPeerDisconnected(context.Background(), p)
-	}
-	mockAM.wg.Wait()
-	assert.Len(t, mockStore.account.Peers, 0, "all ephemeral peers should be cleaned up after the lifetime")
-	assert.Equal(t, 1, mockAM.GetBufferUpdateCalls(account.Id), "buffer update should be called once")
-	assert.Equal(t, ephemeralPeers, mockAM.GetDeletePeerCalls(), "should have deleted only the first peer")
-}
-
 func seedPeers(store *MockStore, numberOfPeers int, numberOfEphemeralPeers int) {
-	store.account = newAccountWithId(context.Background(), "my account", "", "", false)
+	store.account = newAccountWithId(context.Background(), "my account", "", "")
 
 	for i := 0; i < numberOfPeers; i++ {
 		peerId := fmt.Sprintf("peer_%d", i)

management/server/group.go

@@ -664,6 +664,15 @@ func areGroupChangesAffectPeers(ctx context.Context, transaction store.Store, ac
 	return false, nil
 }
 
+func (am *DefaultAccountManager) anyGroupHasPeers(account *types.Account, groupIDs []string) bool {
+	for _, groupID := range groupIDs {
+		if group, exists := account.Groups[groupID]; exists && group.HasPeers() {
+			return true
+		}
+	}
+	return false
+}
+
 // anyGroupHasPeersOrResources checks if any of the given groups in the account have peers or resources.
 func anyGroupHasPeersOrResources(ctx context.Context, transaction store.Store, accountID string, groupIDs []string) (bool, error) {
 	groups, err := transaction.GetGroupsByIDs(ctx, store.LockingStrengthShare, accountID, groupIDs)

management/server/group_test.go

@@ -369,7 +369,7 @@ func initTestGroupAccount(am *DefaultAccountManager) (*DefaultAccountManager, *t
 		Id:         "example user",
 		AutoGroups: []string{groupForUsers.ID},
 	}
-	account := newAccountWithId(context.Background(), accountID, groupAdminUserID, domain, false)
+	account := newAccountWithId(context.Background(), accountID, groupAdminUserID, domain)
 	account.Routes[routeResource.ID] = routeResource
 	account.Routes[routePeerGroupResource.ID] = routePeerGroupResource
 	account.NameServerGroups[nameServerGroup.ID] = nameServerGroup

management/server/grpcserver.go

@@ -5,8 +5,6 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"os"
-	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -15,7 +13,6 @@ import (
 	"github.com/golang/protobuf/ptypes/timestamp"
 	"github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/realip"
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/time/rate"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/peer"
@@ -50,10 +47,6 @@ type GRPCServer struct {
 	ephemeralManager   *EphemeralManager
 	peerLocks          sync.Map
 	authManager        auth.Manager
-	syncLimiter        *rate.Limiter
-	loginLimiterStore  sync.Map
-	loginPeerBooster   int
-	loginPeerLimit     rate.Limit
 }
 
 // NewServer creates a new Management server
@@ -83,41 +76,6 @@ func NewServer(
 		}
 	}
 
-	multiplier := time.Minute
-	d, e := time.ParseDuration(os.Getenv("NB_LOGIN_RATE"))
-	if e == nil {
-		multiplier = d
-	}
-
-	loginRatePerS, err := strconv.Atoi(os.Getenv("NB_LOGIN_RATE_PER_M"))
-	if loginRatePerS == 0 || err != nil {
-		loginRatePerS = 200
-	}
-
-	loginBurst, err := strconv.Atoi(os.Getenv("NB_LOGIN_BURST"))
-	if loginBurst == 0 || err != nil {
-		loginBurst = 200
-	}
-	log.WithContext(ctx).Infof("login burst limit set to %d", loginBurst)
-
-	loginPeerRatePerS, err := strconv.Atoi(os.Getenv("NB_LOGIN_PEER_RATE_PER_M"))
-	if loginPeerRatePerS == 0 || err != nil {
-		loginPeerRatePerS = 200
-	}
-	log.WithContext(ctx).Infof("login rate limit set to %d/min", loginRatePerS)
-
-	syncRatePerS, err := strconv.Atoi(os.Getenv("NB_SYNC_RATE_PER_M"))
-	if syncRatePerS == 0 || err != nil {
-		syncRatePerS = 20000
-	}
-	log.WithContext(ctx).Infof("sync rate limit set to %d/min", syncRatePerS)
-
-	syncBurst, err := strconv.Atoi(os.Getenv("NB_SYNC_BURST"))
-	if syncBurst == 0 || err != nil {
-		syncBurst = 30000
-	}
-	log.WithContext(ctx).Infof("sync burst limit set to %d", syncBurst)
-
 	return &GRPCServer{
 		wgKey: key,
 		// peerKey -> event channel
@@ -129,9 +87,6 @@ func NewServer(
 		authManager:        authManager,
 		appMetrics:         appMetrics,
 		ephemeralManager:   ephemeralManager,
-		syncLimiter:        rate.NewLimiter(rate.Every(time.Minute/time.Duration(syncRatePerS)), syncBurst),
-		loginPeerLimit:     rate.Every(multiplier / time.Duration(loginPeerRatePerS)),
-		loginPeerBooster:   loginBurst,
 	}, nil
 }
 
@@ -173,17 +128,11 @@ func getRealIP(ctx context.Context) net.IP {
 // Sync validates the existence of a connecting peer, sends an initial state (all available for the connecting peers) and
 // notifies the connected peer of any updates (e.g. new peers under the same account)
 func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_SyncServer) error {
+	reqStart := time.Now()
 	if s.appMetrics != nil {
 		s.appMetrics.GRPCMetrics().CountSyncRequest()
 	}
 
-	if !s.syncLimiter.Allow() {
-		log.Warnf("sync rate limit exceeded for peer %s", req.WgPubKey)
-		return status.Errorf(codes.Internal, "temp rate limit reached")
-	}
-
-	reqStart := time.Now()
-
 	ctx := srv.Context()
 
 	syncReq := &proto.SyncRequest{}
@@ -479,39 +428,15 @@ func (s *GRPCServer) parseRequest(ctx context.Context, req *proto.EncryptedMessa
 // In case it isn't, the endpoint checks whether setup key is provided within the request and tries to register a peer.
 // In case of the successful registration login is also successful
 func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error) {
-	if s.appMetrics != nil {
-		s.appMetrics.GRPCMetrics().CountLoginRequest()
-	}
-
-	limiterIface, ok := s.loginLimiterStore.Load(req.WgPubKey)
-	if !ok {
-		// Create new limiter for this peer
-		newLimiter := rate.NewLimiter(s.loginPeerLimit, s.loginPeerBooster)
-		s.loginLimiterStore.Store(req.WgPubKey, newLimiter)
-
-		if !newLimiter.Allow() {
-			//time.Sleep(time.Second + (time.Millisecond * time.Duration(rand.IntN(20)*100)))
-			log.WithContext(ctx).Warnf("rate limit exceeded for peer %s", req.WgPubKey)
-			return nil, fmt.Errorf("temp rate limit reached (new peer limit)")
-		}
-	} else {
-		// Use existing limiter for this peer
-		limiter := limiterIface.(*rate.Limiter)
-		if !limiter.Allow() {
-			//time.Sleep(time.Second + (time.Millisecond * time.Duration(rand.IntN(20)*100)))
-			log.WithContext(ctx).Warnf("rate limit exceeded for peer %s", req.WgPubKey)
-			return nil, fmt.Errorf("temp rate limit reached (peer limit)")
-		}
-	}
 	reqStart := time.Now()
 	defer func() {
 		if s.appMetrics != nil {
 			s.appMetrics.GRPCMetrics().CountLoginRequestDuration(time.Since(reqStart))
 		}
 	}()
-	//if s.appMetrics != nil {
-	//	s.appMetrics.GRPCMetrics().CountLoginRequest()
-	//}
+	if s.appMetrics != nil {
+		s.appMetrics.GRPCMetrics().CountLoginRequest()
+	}
 	realIP := getRealIP(ctx)
 	log.WithContext(ctx).Debugf("Login request from peer [%s] [%s]", req.WgPubKey, realIP.String())
 

management/server/http/api/openapi.yml

@@ -60,8 +60,6 @@ components:
           description: Account creator
           type: string
           example: google-oauth2|277474792786460067937
-        onboarding:
-          $ref: '#/components/schemas/AccountOnboarding'
       required:
         - id
         - settings
@@ -69,21 +67,6 @@ components:
         - domain_category
         - created_at
         - created_by
-        - onboarding
-    AccountOnboarding:
-      type: object
-      properties:
-        signup_form_pending:
-          description: Indicates whether the account signup form is pending
-          type: boolean
-          example: true
-        onboarding_flow_pending:
-          description: Indicates whether the account onboarding flow is pending
-          type: boolean
-          example: false
-      required:
-        - signup_form_pending
-        - onboarding_flow_pending
     AccountSettings:
       type: object
       properties:
@@ -170,8 +153,6 @@ components:
       properties:
         settings:
           $ref: '#/components/schemas/AccountSettings'
-        onboarding:
-          $ref: '#/components/schemas/AccountOnboarding'
       required:
         - settings
     User:
@@ -445,10 +426,6 @@ components:
               items:
                 type: string
                 example: "stage-host-1"
-            ephemeral:
-              description: Indicates whether the peer is ephemeral or not
-              type: boolean
-              example: false
           required:
             - city_name
             - connected
@@ -473,7 +450,6 @@ components:
             - approval_required
             - serial_number
             - extra_dns_labels
-            - ephemeral
     AccessiblePeer:
       allOf:
         - $ref: '#/components/schemas/PeerMinimum'

management/server/http/api/types.gen.go

@@ -250,9 +250,8 @@ type Account struct {
 	DomainCategory string `json:"domain_category"`
 
 	// Id Account ID
-	Id         string            `json:"id"`
-	Onboarding AccountOnboarding `json:"onboarding"`
-	Settings   AccountSettings   `json:"settings"`
+	Id       string          `json:"id"`
+	Settings AccountSettings `json:"settings"`
 }
 
 // AccountExtraSettings defines model for AccountExtraSettings.
@@ -267,19 +266,9 @@ type AccountExtraSettings struct {
 	PeerApprovalEnabled bool `json:"peer_approval_enabled"`
 }
 
-// AccountOnboarding defines model for AccountOnboarding.
-type AccountOnboarding struct {
-	// OnboardingFlowPending Indicates whether the account onboarding flow is pending
-	OnboardingFlowPending bool `json:"onboarding_flow_pending"`
-
-	// SignupFormPending Indicates whether the account signup form is pending
-	SignupFormPending bool `json:"signup_form_pending"`
-}
-
 // AccountRequest defines model for AccountRequest.
 type AccountRequest struct {
-	Onboarding *AccountOnboarding `json:"onboarding,omitempty"`
-	Settings   AccountSettings    `json:"settings"`
+	Settings AccountSettings `json:"settings"`
 }
 
 // AccountSettings defines model for AccountSettings.
@@ -1027,9 +1016,6 @@ type Peer struct {
 	// DnsLabel Peer's DNS label is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's domain to the peer label. e.g. peer-dns-label.netbird.cloud
 	DnsLabel string `json:"dns_label"`
 
-	// Ephemeral Indicates whether the peer is ephemeral or not
-	Ephemeral bool `json:"ephemeral"`
-
 	// ExtraDnsLabels Extra DNS labels added to the peer
 	ExtraDnsLabels []string `json:"extra_dns_labels"`
 
@@ -1111,9 +1097,6 @@ type PeerBatch struct {
 	// DnsLabel Peer's DNS label is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's domain to the peer label. e.g. peer-dns-label.netbird.cloud
 	DnsLabel string `json:"dns_label"`
 
-	// Ephemeral Indicates whether the peer is ephemeral or not
-	Ephemeral bool `json:"ephemeral"`
-
 	// ExtraDnsLabels Extra DNS labels added to the peer
 	ExtraDnsLabels []string `json:"extra_dns_labels"`
 

management/server/http/handlers/accounts/accounts_handler.go

@@ -59,13 +59,7 @@ func (h *handler) getAllAccounts(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	onboarding, err := h.accountManager.GetAccountOnboarding(r.Context(), accountID, userID)
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	resp := toAccountResponse(accountID, settings, meta, onboarding)
+	resp := toAccountResponse(accountID, settings, meta)
 	util.WriteJSONObject(r.Context(), w, []*api.Account{resp})
 }
 
@@ -132,20 +126,6 @@ func (h *handler) updateAccount(w http.ResponseWriter, r *http.Request) {
 		settings.LazyConnectionEnabled = *req.Settings.LazyConnectionEnabled
 	}
 
-	var onboarding *types.AccountOnboarding
-	if req.Onboarding != nil {
-		onboarding = &types.AccountOnboarding{
-			OnboardingFlowPending: req.Onboarding.OnboardingFlowPending,
-			SignupFormPending:     req.Onboarding.SignupFormPending,
-		}
-	}
-
-	updatedOnboarding, err := h.accountManager.UpdateAccountOnboarding(r.Context(), accountID, userID, onboarding)
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
 	updatedSettings, err := h.accountManager.UpdateAccountSettings(r.Context(), accountID, userID, settings)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
@@ -158,7 +138,7 @@ func (h *handler) updateAccount(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	resp := toAccountResponse(accountID, updatedSettings, meta, updatedOnboarding)
+	resp := toAccountResponse(accountID, updatedSettings, meta)
 
 	util.WriteJSONObject(r.Context(), w, &resp)
 }
@@ -187,7 +167,7 @@ func (h *handler) deleteAccount(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(r.Context(), w, util.EmptyObject{})
 }
 
-func toAccountResponse(accountID string, settings *types.Settings, meta *types.AccountMeta, onboarding *types.AccountOnboarding) *api.Account {
+func toAccountResponse(accountID string, settings *types.Settings, meta *types.AccountMeta) *api.Account {
 	jwtAllowGroups := settings.JWTAllowGroups
 	if jwtAllowGroups == nil {
 		jwtAllowGroups = []string{}
@@ -208,11 +188,6 @@ func toAccountResponse(accountID string, settings *types.Settings, meta *types.A
 		DnsDomain:                       &settings.DNSDomain,
 	}
 
-	apiOnboarding := api.AccountOnboarding{
-		OnboardingFlowPending: onboarding.OnboardingFlowPending,
-		SignupFormPending:     onboarding.SignupFormPending,
-	}
-
 	if settings.Extra != nil {
 		apiSettings.Extra = &api.AccountExtraSettings{
 			PeerApprovalEnabled:                settings.Extra.PeerApprovalEnabled,
@@ -228,6 +203,5 @@ func toAccountResponse(accountID string, settings *types.Settings, meta *types.A
 		CreatedBy:      meta.CreatedBy,
 		Domain:         meta.Domain,
 		DomainCategory: meta.DomainCategory,
-		Onboarding:     apiOnboarding,
 	}
 }

management/server/http/handlers/accounts/accounts_handler_test.go

@@ -54,18 +54,6 @@ func initAccountsTestData(t *testing.T, account *types.Account) *handler {
 			GetAccountMetaFunc: func(ctx context.Context, accountID string, userID string) (*types.AccountMeta, error) {
 				return account.GetMeta(), nil
 			},
-			GetAccountOnboardingFunc: func(ctx context.Context, accountID string, userID string) (*types.AccountOnboarding, error) {
-				return &types.AccountOnboarding{
-					OnboardingFlowPending: true,
-					SignupFormPending:     true,
-				}, nil
-			},
-			UpdateAccountOnboardingFunc: func(ctx context.Context, accountID, userID string, onboarding *types.AccountOnboarding) (*types.AccountOnboarding, error) {
-				return &types.AccountOnboarding{
-					OnboardingFlowPending: true,
-					SignupFormPending:     true,
-				}, nil
-			},
 		},
 		settingsManager: settingsMockManager,
 	}
@@ -129,7 +117,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedBody:   true,
 			requestType:    http.MethodPut,
 			requestPath:    "/api/accounts/" + accountID,
-			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552000,\"peer_login_expiration_enabled\": true},\"onboarding\": {\"onboarding_flow_pending\": true,\"signup_form_pending\": true}}"),
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552000,\"peer_login_expiration_enabled\": true}}"),
 			expectedStatus: http.StatusOK,
 			expectedSettings: api.AccountSettings{
 				PeerLoginExpiration:             15552000,
@@ -151,7 +139,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedBody:   true,
 			requestType:    http.MethodPut,
 			requestPath:    "/api/accounts/" + accountID,
-			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552000,\"peer_login_expiration_enabled\": false,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"roles\",\"jwt_allow_groups\":[\"test\"],\"regular_users_view_blocked\":true},\"onboarding\": {\"onboarding_flow_pending\": true,\"signup_form_pending\": true}}"),
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552000,\"peer_login_expiration_enabled\": false,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"roles\",\"jwt_allow_groups\":[\"test\"],\"regular_users_view_blocked\":true}}"),
 			expectedStatus: http.StatusOK,
 			expectedSettings: api.AccountSettings{
 				PeerLoginExpiration:             15552000,
@@ -173,7 +161,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedBody:   true,
 			requestType:    http.MethodPut,
 			requestPath:    "/api/accounts/" + accountID,
-			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 554400,\"peer_login_expiration_enabled\": true,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"groups\",\"groups_propagation_enabled\":true,\"regular_users_view_blocked\":true},\"onboarding\": {\"onboarding_flow_pending\": true,\"signup_form_pending\": true}}"),
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 554400,\"peer_login_expiration_enabled\": true,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"groups\",\"groups_propagation_enabled\":true,\"regular_users_view_blocked\":true}}"),
 			expectedStatus: http.StatusOK,
 			expectedSettings: api.AccountSettings{
 				PeerLoginExpiration:             554400,
@@ -190,34 +178,12 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedArray: false,
 			expectedID:    accountID,
 		},
-		{
-			name:           "PutAccount OK without onboarding",
-			expectedBody:   true,
-			requestType:    http.MethodPut,
-			requestPath:    "/api/accounts/" + accountID,
-			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552000,\"peer_login_expiration_enabled\": false,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"roles\",\"jwt_allow_groups\":[\"test\"],\"regular_users_view_blocked\":true}}"),
-			expectedStatus: http.StatusOK,
-			expectedSettings: api.AccountSettings{
-				PeerLoginExpiration:             15552000,
-				PeerLoginExpirationEnabled:      false,
-				GroupsPropagationEnabled:        br(false),
-				JwtGroupsClaimName:              sr("roles"),
-				JwtGroupsEnabled:                br(true),
-				JwtAllowGroups:                  &[]string{"test"},
-				RegularUsersViewBlocked:         true,
-				RoutingPeerDnsResolutionEnabled: br(false),
-				LazyConnectionEnabled:           br(false),
-				DnsDomain:                       sr(""),
-			},
-			expectedArray: false,
-			expectedID:    accountID,
-		},
 		{
 			name:           "Update account failure with high peer_login_expiration more than 180 days",
 			expectedBody:   true,
 			requestType:    http.MethodPut,
 			requestPath:    "/api/accounts/" + accountID,
-			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552001,\"peer_login_expiration_enabled\": true},\"onboarding\": {\"onboarding_flow_pending\": true,\"signup_form_pending\": true}}"),
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552001,\"peer_login_expiration_enabled\": true}}"),
 			expectedStatus: http.StatusUnprocessableEntity,
 			expectedArray:  false,
 		},
@@ -226,7 +192,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedBody:   true,
 			requestType:    http.MethodPut,
 			requestPath:    "/api/accounts/" + accountID,
-			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 3599,\"peer_login_expiration_enabled\": true},\"onboarding\": {\"onboarding_flow_pending\": true,\"signup_form_pending\": true}}"),
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 3599,\"peer_login_expiration_enabled\": true}}"),
 			expectedStatus: http.StatusUnprocessableEntity,
 			expectedArray:  false,
 		},

management/server/http/handlers/peers/peers_handler.go

@@ -365,7 +365,6 @@ func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsD
 		CityName:                    peer.Location.CityName,
 		SerialNumber:                peer.Meta.SystemSerialNumber,
 		InactivityExpirationEnabled: peer.InactivityExpirationEnabled,
-		Ephemeral:                   peer.Ephemeral,
 	}
 }
 

management/server/http/testing/testing_tools/tools.go

@@ -1,4 +1,5 @@
 package testing_tools
+
 import (
 	"bytes"
 	"context"
@@ -137,7 +138,7 @@ func BuildApiBlackBoxWithDBState(t TB, sqlFile string, expectedPeerUpdate *serve
 	userManager := users.NewManager(store)
 	permissionsManager := permissions.NewManager(store)
 	settingsManager := settings.NewManager(store, userManager, integrations.NewManager(&activity.InMemoryEventStore{}), permissionsManager)
-	am, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "", &activity.InMemoryEventStore{}, geoMock, false, validatorMock, metrics, proxyController, settingsManager, permissionsManager, false)
+	am, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "", &activity.InMemoryEventStore{}, geoMock, false, validatorMock, metrics, proxyController, settingsManager, permissionsManager)
 	if err != nil {
 		t.Fatalf("Failed to create manager: %v", err)
 	}

management/server/integrated_validator.go

@@ -37,23 +37,21 @@ func (am *DefaultAccountManager) UpdateIntegratedValidatorGroups(ctx context.Con
 	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
 	defer unlock()
 
-	return am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		a, err := transaction.GetAccountByUser(ctx, userID)
-		if err != nil {
-			return err
-		}
+	a, err := am.Store.GetAccountByUser(ctx, userID)
+	if err != nil {
+		return err
+	}
 
-		var extra *types.ExtraSettings
+	var extra *types.ExtraSettings
 
-		if a.Settings.Extra != nil {
-			extra = a.Settings.Extra
-		} else {
-			extra = &types.ExtraSettings{}
-			a.Settings.Extra = extra
-		}
-		extra.IntegratedValidatorGroups = groups
-		return transaction.SaveAccount(ctx, a)
-	})
+	if a.Settings.Extra != nil {
+		extra = a.Settings.Extra
+	} else {
+		extra = &types.ExtraSettings{}
+		a.Settings.Extra = extra
+	}
+	extra.IntegratedValidatorGroups = groups
+	return am.Store.SaveAccount(ctx, a)
 }
 
 func (am *DefaultAccountManager) GroupValidation(ctx context.Context, accountID string, groupIDs []string) (bool, error) {
@@ -83,12 +81,15 @@ func (am *DefaultAccountManager) GetValidatedPeers(ctx context.Context, accountI
 	var peers []*nbpeer.Peer
 	var settings *types.Settings
 
-	groups, err = am.Store.GetAccountGroups(ctx, store.LockingStrengthShare, accountID)
-	if err != nil {
-		return nil, err
-	}
+	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		groups, err = transaction.GetAccountGroups(ctx, store.LockingStrengthShare, accountID)
+		if err != nil {
+			return err
+		}
 
-	peers, err = am.Store.GetAccountPeers(ctx, store.LockingStrengthShare, accountID, "", "")
+		peers, err = transaction.GetAccountPeers(ctx, store.LockingStrengthShare, accountID, "", "")
+		return err
+	})
 	if err != nil {
 		return nil, err
 	}

management/server/management_proto_test.go

@@ -440,15 +440,11 @@ func startManagementForTest(t *testing.T, testFile string, config *types.Config)
 		GetSettings(gomock.Any(), gomock.Any(), gomock.Any()).
 		AnyTimes().
 		Return(&types.Settings{}, nil)
-	settingsMockManager.
-		EXPECT().
-		GetExtraSettings(gomock.Any(), gomock.Any()).
-		Return(&types.ExtraSettings{}, nil).
-		AnyTimes()
+
 	permissionsManager := permissions.NewManager(store)
 
 	accountManager, err := BuildManager(ctx, store, peersUpdateManager, nil, "", "netbird.selfhosted",
-		eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+		eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
 
 	if err != nil {
 		cleanup()

management/server/management_test.go

@@ -211,7 +211,7 @@ func startServer(
 		port_forwarding.NewControllerMock(),
 		settingsMockManager,
 		permissionsManager,
-		false)
+	)
 	if err != nil {
 		t.Fatalf("failed creating an account manager: %v", err)
 	}

management/server/metrics/selfhosted.go

@@ -184,9 +184,7 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 		ephemeralPeersSKs         int
 		ephemeralPeersSKUsage     int
 		activePeersLastDay        int
-		activeUserPeersLastDay    int
 		osPeers                   map[string]int
-		activeUsersLastDay        map[string]struct{}
 		userPeers                 int
 		rules                     int
 		rulesProtocol             map[string]int
@@ -205,7 +203,6 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 		version                   string
 		peerActiveVersions        []string
 		osUIClients               map[string]int
-		rosenpassEnabled          int
 	)
 	start := time.Now()
 	metricsProperties := make(properties)
@@ -213,7 +210,6 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 	osUIClients = make(map[string]int)
 	rulesProtocol = make(map[string]int)
 	rulesDirection = make(map[string]int)
-	activeUsersLastDay = make(map[string]struct{})
 	uptime = time.Since(w.startupTime).Seconds()
 	connections := w.connManager.GetAllConnectedPeers()
 	version = nbversion.NetbirdVersion()
@@ -281,14 +277,10 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 		for _, peer := range account.Peers {
 			peers++
 
-			if peer.SSHEnabled || peer.Meta.Flags.ServerSSHAllowed {
+			if peer.SSHEnabled {
 				peersSSHEnabled++
 			}
 
-			if peer.Meta.Flags.RosenpassEnabled {
-				rosenpassEnabled++
-			}
-
 			if peer.UserID != "" {
 				userPeers++
 			}
@@ -307,10 +299,6 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 			_, connected := connections[peer.ID]
 			if connected || peer.Status.LastSeen.After(w.lastRun) {
 				activePeersLastDay++
-				if peer.UserID != "" {
-					activeUserPeersLastDay++
-					activeUsersLastDay[peer.UserID] = struct{}{}
-				}
 				osActiveKey := osKey + "_active"
 				osActiveCount := osPeers[osActiveKey]
 				osPeers[osActiveKey] = osActiveCount + 1
@@ -332,8 +320,6 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 	metricsProperties["ephemeral_peers_setup_keys"] = ephemeralPeersSKs
 	metricsProperties["ephemeral_peers_setup_keys_usage"] = ephemeralPeersSKUsage
 	metricsProperties["active_peers_last_day"] = activePeersLastDay
-	metricsProperties["active_user_peers_last_day"] = activeUserPeersLastDay
-	metricsProperties["active_users_last_day"] = len(activeUsersLastDay)
 	metricsProperties["user_peers"] = userPeers
 	metricsProperties["rules"] = rules
 	metricsProperties["rules_with_src_posture_checks"] = rulesWithSrcPostureChecks
@@ -352,7 +338,6 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 	metricsProperties["ui_clients"] = uiClient
 	metricsProperties["idp_manager"] = w.idpManager
 	metricsProperties["store_engine"] = w.dataSource.GetStoreEngine()
-	metricsProperties["rosenpass_enabled"] = rosenpassEnabled
 
 	for protocol, count := range rulesProtocol {
 		metricsProperties["rules_protocol_"+protocol] = count

management/server/metrics/selfhosted_test.go

@@ -47,8 +47,8 @@ func (mockDatasource) GetAllAccounts(_ context.Context) []*types.Account {
 				"1": {
 					ID:         "1",
 					UserID:     "test",
-					SSHEnabled: false,
-					Meta:       nbpeer.PeerSystemMeta{GoOS: "linux", WtVersion: "0.0.1", Flags: nbpeer.Flags{ServerSSHAllowed: true, RosenpassEnabled: true}},
+					SSHEnabled: true,
+					Meta:       nbpeer.PeerSystemMeta{GoOS: "linux", WtVersion: "0.0.1"},
 				},
 			},
 			Policies: []*types.Policy{
@@ -312,19 +312,7 @@ func TestGenerateProperties(t *testing.T) {
 	}
 
 	if properties["posture_checks"] != 2 {
-		t.Errorf("expected 2 posture_checks, got %d", properties["posture_checks"])
-	}
-
-	if properties["rosenpass_enabled"] != 1 {
-		t.Errorf("expected 1 rosenpass_enabled, got %d", properties["rosenpass_enabled"])
-	}
-
-	if properties["active_user_peers_last_day"] != 2 {
-		t.Errorf("expected 2 active_user_peers_last_day, got %d", properties["active_user_peers_last_day"])
-	}
-
-	if properties["active_users_last_day"] != 1 {
-		t.Errorf("expected 1 active_users_last_day, got %d", properties["active_users_last_day"])
+		t.Errorf("expected 1 posture_checks, got %d", properties["posture_checks"])
 	}
 
 }

management/server/mock_server/account_mock.go

@@ -30,95 +30,94 @@ type MockAccountManager struct {
 	GetAccountFunc               func(ctx context.Context, accountID string) (*types.Account, error)
 	CreateSetupKeyFunc           func(ctx context.Context, accountId string, keyName string, keyType types.SetupKeyType,
 		expiresIn time.Duration, autoGroups []string, usageLimit int, userID string, ephemeral bool, allowExtraDNSLabels bool) (*types.SetupKey, error)
-	GetSetupKeyFunc                       func(ctx context.Context, accountID, userID, keyID string) (*types.SetupKey, error)
-	AccountExistsFunc                     func(ctx context.Context, accountID string) (bool, error)
-	GetAccountIDByUserIdFunc              func(ctx context.Context, userId, domain string) (string, error)
-	GetUserFromUserAuthFunc               func(ctx context.Context, userAuth nbcontext.UserAuth) (*types.User, error)
-	ListUsersFunc                         func(ctx context.Context, accountID string) ([]*types.User, error)
-	GetPeersFunc                          func(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error)
-	MarkPeerConnectedFunc                 func(ctx context.Context, peerKey string, connected bool, realIP net.IP) error
-	SyncAndMarkPeerFunc                   func(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
-	DeletePeerFunc                        func(ctx context.Context, accountID, peerKey, userID string) error
-	GetNetworkMapFunc                     func(ctx context.Context, peerKey string) (*types.NetworkMap, error)
-	GetPeerNetworkFunc                    func(ctx context.Context, peerKey string) (*types.Network, error)
-	AddPeerFunc                           func(ctx context.Context, setupKey string, userId string, peer *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
-	GetGroupFunc                          func(ctx context.Context, accountID, groupID, userID string) (*types.Group, error)
-	GetAllGroupsFunc                      func(ctx context.Context, accountID, userID string) ([]*types.Group, error)
-	GetGroupByNameFunc                    func(ctx context.Context, accountID, groupName string) (*types.Group, error)
-	SaveGroupFunc                         func(ctx context.Context, accountID, userID string, group *types.Group, create bool) error
-	SaveGroupsFunc                        func(ctx context.Context, accountID, userID string, groups []*types.Group, create bool) error
-	DeleteGroupFunc                       func(ctx context.Context, accountID, userId, groupID string) error
-	DeleteGroupsFunc                      func(ctx context.Context, accountId, userId string, groupIDs []string) error
-	GroupAddPeerFunc                      func(ctx context.Context, accountID, groupID, peerID string) error
-	GroupDeletePeerFunc                   func(ctx context.Context, accountID, groupID, peerID string) error
-	GetPeerGroupsFunc                     func(ctx context.Context, accountID, peerID string) ([]*types.Group, error)
-	DeleteRuleFunc                        func(ctx context.Context, accountID, ruleID, userID string) error
-	GetPolicyFunc                         func(ctx context.Context, accountID, policyID, userID string) (*types.Policy, error)
-	SavePolicyFunc                        func(ctx context.Context, accountID, userID string, policy *types.Policy, create bool) (*types.Policy, error)
-	DeletePolicyFunc                      func(ctx context.Context, accountID, policyID, userID string) error
-	ListPoliciesFunc                      func(ctx context.Context, accountID, userID string) ([]*types.Policy, error)
-	GetUsersFromAccountFunc               func(ctx context.Context, accountID, userID string) (map[string]*types.UserInfo, error)
-	UpdatePeerMetaFunc                    func(ctx context.Context, peerID string, meta nbpeer.PeerSystemMeta) error
-	UpdatePeerFunc                        func(ctx context.Context, accountID, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, error)
-	CreateRouteFunc                       func(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peer string, peerGroups []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroupIDs []string, enabled bool, userID string, keepRoute bool) (*route.Route, error)
-	GetRouteFunc                          func(ctx context.Context, accountID string, routeID route.ID, userID string) (*route.Route, error)
-	SaveRouteFunc                         func(ctx context.Context, accountID string, userID string, route *route.Route) error
-	DeleteRouteFunc                       func(ctx context.Context, accountID string, routeID route.ID, userID string) error
-	ListRoutesFunc                        func(ctx context.Context, accountID, userID string) ([]*route.Route, error)
-	SaveSetupKeyFunc                      func(ctx context.Context, accountID string, key *types.SetupKey, userID string) (*types.SetupKey, error)
-	ListSetupKeysFunc                     func(ctx context.Context, accountID, userID string) ([]*types.SetupKey, error)
-	SaveUserFunc                          func(ctx context.Context, accountID, userID string, user *types.User) (*types.UserInfo, error)
-	SaveOrAddUserFunc                     func(ctx context.Context, accountID, userID string, user *types.User, addIfNotExists bool) (*types.UserInfo, error)
-	SaveOrAddUsersFunc                    func(ctx context.Context, accountID, initiatorUserID string, update []*types.User, addIfNotExists bool) ([]*types.UserInfo, error)
-	DeleteUserFunc                        func(ctx context.Context, accountID string, initiatorUserID string, targetUserID string) error
-	DeleteRegularUsersFunc                func(ctx context.Context, accountID, initiatorUserID string, targetUserIDs []string, userInfos map[string]*types.UserInfo) error
-	CreatePATFunc                         func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string, tokenName string, expiresIn int) (*types.PersonalAccessTokenGenerated, error)
-	DeletePATFunc                         func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string, tokenID string) error
-	GetPATFunc                            func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string, tokenID string) (*types.PersonalAccessToken, error)
-	GetAllPATsFunc                        func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string) ([]*types.PersonalAccessToken, error)
-	GetNameServerGroupFunc                func(ctx context.Context, accountID, userID, nsGroupID string) (*nbdns.NameServerGroup, error)
-	CreateNameServerGroupFunc             func(ctx context.Context, accountID string, name, description string, nameServerList []nbdns.NameServer, groups []string, primary bool, domains []string, enabled bool, userID string, searchDomainsEnabled bool) (*nbdns.NameServerGroup, error)
-	SaveNameServerGroupFunc               func(ctx context.Context, accountID, userID string, nsGroupToSave *nbdns.NameServerGroup) error
-	DeleteNameServerGroupFunc             func(ctx context.Context, accountID, nsGroupID, userID string) error
-	ListNameServerGroupsFunc              func(ctx context.Context, accountID string, userID string) ([]*nbdns.NameServerGroup, error)
-	CreateUserFunc                        func(ctx context.Context, accountID, userID string, key *types.UserInfo) (*types.UserInfo, error)
-	GetAccountIDFromUserAuthFunc          func(ctx context.Context, userAuth nbcontext.UserAuth) (string, string, error)
-	DeleteAccountFunc                     func(ctx context.Context, accountID, userID string) error
-	GetDNSDomainFunc                      func(settings *types.Settings) string
-	StoreEventFunc                        func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any)
-	GetEventsFunc                         func(ctx context.Context, accountID, userID string) ([]*activity.Event, error)
-	GetDNSSettingsFunc                    func(ctx context.Context, accountID, userID string) (*types.DNSSettings, error)
-	SaveDNSSettingsFunc                   func(ctx context.Context, accountID, userID string, dnsSettingsToSave *types.DNSSettings) error
-	GetPeerFunc                           func(ctx context.Context, accountID, peerID, userID string) (*nbpeer.Peer, error)
-	UpdateAccountSettingsFunc             func(ctx context.Context, accountID, userID string, newSettings *types.Settings) (*types.Settings, error)
-	LoginPeerFunc                         func(ctx context.Context, login types.PeerLogin) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
-	SyncPeerFunc                          func(ctx context.Context, sync types.PeerSync, accountID string) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
-	InviteUserFunc                        func(ctx context.Context, accountID string, initiatorUserID string, targetUserEmail string) error
-	GetAllConnectedPeersFunc              func() (map[string]struct{}, error)
-	HasConnectedChannelFunc               func(peerID string) bool
-	GetExternalCacheManagerFunc           func() account.ExternalCacheManager
-	GetPostureChecksFunc                  func(ctx context.Context, accountID, postureChecksID, userID string) (*posture.Checks, error)
-	SavePostureChecksFunc                 func(ctx context.Context, accountID, userID string, postureChecks *posture.Checks, create bool) (*posture.Checks, error)
-	DeletePostureChecksFunc               func(ctx context.Context, accountID, postureChecksID, userID string) error
-	ListPostureChecksFunc                 func(ctx context.Context, accountID, userID string) ([]*posture.Checks, error)
-	GetIdpManagerFunc                     func() idp.Manager
-	UpdateIntegratedValidatorGroupsFunc   func(ctx context.Context, accountID string, userID string, groups []string) error
-	GroupValidationFunc                   func(ctx context.Context, accountId string, groups []string) (bool, error)
-	SyncPeerMetaFunc                      func(ctx context.Context, peerPubKey string, meta nbpeer.PeerSystemMeta) error
-	FindExistingPostureCheckFunc          func(accountID string, checks *posture.ChecksDefinition) (*posture.Checks, error)
-	GetAccountIDForPeerKeyFunc            func(ctx context.Context, peerKey string) (string, error)
-	GetAccountByIDFunc                    func(ctx context.Context, accountID string, userID string) (*types.Account, error)
-	GetUserByIDFunc                       func(ctx context.Context, id string) (*types.User, error)
-	GetAccountSettingsFunc                func(ctx context.Context, accountID string, userID string) (*types.Settings, error)
-	DeleteSetupKeyFunc                    func(ctx context.Context, accountID, userID, keyID string) error
-	BuildUserInfosForAccountFunc          func(ctx context.Context, accountID, initiatorUserID string, accountUsers []*types.User) (map[string]*types.UserInfo, error)
-	GetStoreFunc                          func() store.Store
-	UpdateToPrimaryAccountFunc            func(ctx context.Context, accountId string) (*types.Account, error)
-	GetOwnerInfoFunc                      func(ctx context.Context, accountID string) (*types.UserInfo, error)
-	GetCurrentUserInfoFunc                func(ctx context.Context, userAuth nbcontext.UserAuth) (*users.UserInfoWithPermissions, error)
-	GetAccountMetaFunc                    func(ctx context.Context, accountID, userID string) (*types.AccountMeta, error)
-	GetAccountOnboardingFunc              func(ctx context.Context, accountID, userID string) (*types.AccountOnboarding, error)
-	UpdateAccountOnboardingFunc           func(ctx context.Context, accountID, userID string, onboarding *types.AccountOnboarding) (*types.AccountOnboarding, error)
+	GetSetupKeyFunc                     func(ctx context.Context, accountID, userID, keyID string) (*types.SetupKey, error)
+	AccountExistsFunc                   func(ctx context.Context, accountID string) (bool, error)
+	GetAccountIDByUserIdFunc            func(ctx context.Context, userId, domain string) (string, error)
+	GetUserFromUserAuthFunc             func(ctx context.Context, userAuth nbcontext.UserAuth) (*types.User, error)
+	ListUsersFunc                       func(ctx context.Context, accountID string) ([]*types.User, error)
+	GetPeersFunc                        func(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error)
+	MarkPeerConnectedFunc               func(ctx context.Context, peerKey string, connected bool, realIP net.IP) error
+	SyncAndMarkPeerFunc                 func(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
+	DeletePeerFunc                      func(ctx context.Context, accountID, peerKey, userID string) error
+	GetNetworkMapFunc                   func(ctx context.Context, peerKey string) (*types.NetworkMap, error)
+	GetPeerNetworkFunc                  func(ctx context.Context, peerKey string) (*types.Network, error)
+	AddPeerFunc                         func(ctx context.Context, setupKey string, userId string, peer *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
+	GetGroupFunc                        func(ctx context.Context, accountID, groupID, userID string) (*types.Group, error)
+	GetAllGroupsFunc                    func(ctx context.Context, accountID, userID string) ([]*types.Group, error)
+	GetGroupByNameFunc                  func(ctx context.Context, accountID, groupName string) (*types.Group, error)
+	SaveGroupFunc                       func(ctx context.Context, accountID, userID string, group *types.Group, create bool) error
+	SaveGroupsFunc                      func(ctx context.Context, accountID, userID string, groups []*types.Group, create bool) error
+	DeleteGroupFunc                     func(ctx context.Context, accountID, userId, groupID string) error
+	DeleteGroupsFunc                    func(ctx context.Context, accountId, userId string, groupIDs []string) error
+	GroupAddPeerFunc                    func(ctx context.Context, accountID, groupID, peerID string) error
+	GroupDeletePeerFunc                 func(ctx context.Context, accountID, groupID, peerID string) error
+	GetPeerGroupsFunc                   func(ctx context.Context, accountID, peerID string) ([]*types.Group, error)
+	DeleteRuleFunc                      func(ctx context.Context, accountID, ruleID, userID string) error
+	GetPolicyFunc                       func(ctx context.Context, accountID, policyID, userID string) (*types.Policy, error)
+	SavePolicyFunc                      func(ctx context.Context, accountID, userID string, policy *types.Policy, create bool) (*types.Policy, error)
+	DeletePolicyFunc                    func(ctx context.Context, accountID, policyID, userID string) error
+	ListPoliciesFunc                    func(ctx context.Context, accountID, userID string) ([]*types.Policy, error)
+	GetUsersFromAccountFunc             func(ctx context.Context, accountID, userID string) (map[string]*types.UserInfo, error)
+	UpdatePeerMetaFunc                  func(ctx context.Context, peerID string, meta nbpeer.PeerSystemMeta) error
+	UpdatePeerFunc                      func(ctx context.Context, accountID, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, error)
+	CreateRouteFunc                     func(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peer string, peerGroups []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroupIDs []string, enabled bool, userID string, keepRoute bool) (*route.Route, error)
+	GetRouteFunc                        func(ctx context.Context, accountID string, routeID route.ID, userID string) (*route.Route, error)
+	SaveRouteFunc                       func(ctx context.Context, accountID string, userID string, route *route.Route) error
+	DeleteRouteFunc                     func(ctx context.Context, accountID string, routeID route.ID, userID string) error
+	ListRoutesFunc                      func(ctx context.Context, accountID, userID string) ([]*route.Route, error)
+	SaveSetupKeyFunc                    func(ctx context.Context, accountID string, key *types.SetupKey, userID string) (*types.SetupKey, error)
+	ListSetupKeysFunc                   func(ctx context.Context, accountID, userID string) ([]*types.SetupKey, error)
+	SaveUserFunc                        func(ctx context.Context, accountID, userID string, user *types.User) (*types.UserInfo, error)
+	SaveOrAddUserFunc                   func(ctx context.Context, accountID, userID string, user *types.User, addIfNotExists bool) (*types.UserInfo, error)
+	SaveOrAddUsersFunc                  func(ctx context.Context, accountID, initiatorUserID string, update []*types.User, addIfNotExists bool) ([]*types.UserInfo, error)
+	DeleteUserFunc                      func(ctx context.Context, accountID string, initiatorUserID string, targetUserID string) error
+	DeleteRegularUsersFunc              func(ctx context.Context, accountID, initiatorUserID string, targetUserIDs []string, userInfos map[string]*types.UserInfo) error
+	CreatePATFunc                       func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string, tokenName string, expiresIn int) (*types.PersonalAccessTokenGenerated, error)
+	DeletePATFunc                       func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string, tokenID string) error
+	GetPATFunc                          func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string, tokenID string) (*types.PersonalAccessToken, error)
+	GetAllPATsFunc                      func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string) ([]*types.PersonalAccessToken, error)
+	GetNameServerGroupFunc              func(ctx context.Context, accountID, userID, nsGroupID string) (*nbdns.NameServerGroup, error)
+	CreateNameServerGroupFunc           func(ctx context.Context, accountID string, name, description string, nameServerList []nbdns.NameServer, groups []string, primary bool, domains []string, enabled bool, userID string, searchDomainsEnabled bool) (*nbdns.NameServerGroup, error)
+	SaveNameServerGroupFunc             func(ctx context.Context, accountID, userID string, nsGroupToSave *nbdns.NameServerGroup) error
+	DeleteNameServerGroupFunc           func(ctx context.Context, accountID, nsGroupID, userID string) error
+	ListNameServerGroupsFunc            func(ctx context.Context, accountID string, userID string) ([]*nbdns.NameServerGroup, error)
+	CreateUserFunc                      func(ctx context.Context, accountID, userID string, key *types.UserInfo) (*types.UserInfo, error)
+	GetAccountIDFromUserAuthFunc        func(ctx context.Context, userAuth nbcontext.UserAuth) (string, string, error)
+	DeleteAccountFunc                   func(ctx context.Context, accountID, userID string) error
+	GetDNSDomainFunc                    func(settings *types.Settings) string
+	StoreEventFunc                      func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any)
+	GetEventsFunc                       func(ctx context.Context, accountID, userID string) ([]*activity.Event, error)
+	GetDNSSettingsFunc                  func(ctx context.Context, accountID, userID string) (*types.DNSSettings, error)
+	SaveDNSSettingsFunc                 func(ctx context.Context, accountID, userID string, dnsSettingsToSave *types.DNSSettings) error
+	GetPeerFunc                         func(ctx context.Context, accountID, peerID, userID string) (*nbpeer.Peer, error)
+	UpdateAccountSettingsFunc           func(ctx context.Context, accountID, userID string, newSettings *types.Settings) (*types.Settings, error)
+	LoginPeerFunc                       func(ctx context.Context, login types.PeerLogin) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
+	SyncPeerFunc                        func(ctx context.Context, sync types.PeerSync, accountID string) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
+	InviteUserFunc                      func(ctx context.Context, accountID string, initiatorUserID string, targetUserEmail string) error
+	GetAllConnectedPeersFunc            func() (map[string]struct{}, error)
+	HasConnectedChannelFunc             func(peerID string) bool
+	GetExternalCacheManagerFunc         func() account.ExternalCacheManager
+	GetPostureChecksFunc                func(ctx context.Context, accountID, postureChecksID, userID string) (*posture.Checks, error)
+	SavePostureChecksFunc               func(ctx context.Context, accountID, userID string, postureChecks *posture.Checks, create bool) (*posture.Checks, error)
+	DeletePostureChecksFunc             func(ctx context.Context, accountID, postureChecksID, userID string) error
+	ListPostureChecksFunc               func(ctx context.Context, accountID, userID string) ([]*posture.Checks, error)
+	GetIdpManagerFunc                   func() idp.Manager
+	UpdateIntegratedValidatorGroupsFunc func(ctx context.Context, accountID string, userID string, groups []string) error
+	GroupValidationFunc                 func(ctx context.Context, accountId string, groups []string) (bool, error)
+	SyncPeerMetaFunc                    func(ctx context.Context, peerPubKey string, meta nbpeer.PeerSystemMeta) error
+	FindExistingPostureCheckFunc        func(accountID string, checks *posture.ChecksDefinition) (*posture.Checks, error)
+	GetAccountIDForPeerKeyFunc          func(ctx context.Context, peerKey string) (string, error)
+	GetAccountByIDFunc                  func(ctx context.Context, accountID string, userID string) (*types.Account, error)
+	GetUserByIDFunc                     func(ctx context.Context, id string) (*types.User, error)
+	GetAccountSettingsFunc              func(ctx context.Context, accountID string, userID string) (*types.Settings, error)
+	DeleteSetupKeyFunc                  func(ctx context.Context, accountID, userID, keyID string) error
+	BuildUserInfosForAccountFunc        func(ctx context.Context, accountID, initiatorUserID string, accountUsers []*types.User) (map[string]*types.UserInfo, error)
+	GetStoreFunc                        func() store.Store
+	UpdateToPrimaryAccountFunc          func(ctx context.Context, accountId string) (*types.Account, error)
+	GetOwnerInfoFunc                    func(ctx context.Context, accountID string) (*types.UserInfo, error)
+	GetCurrentUserInfoFunc              func(ctx context.Context, userAuth nbcontext.UserAuth) (*users.UserInfoWithPermissions, error)
+	GetAccountMetaFunc                  func(ctx context.Context, accountID, userID string) (*types.AccountMeta, error)
+
 	GetOrCreateAccountByPrivateDomainFunc func(ctx context.Context, initiatorId, domain string) (*types.Account, bool, error)
 }
 
@@ -126,10 +125,6 @@ func (am *MockAccountManager) UpdateAccountPeers(ctx context.Context, accountID
 	// do nothing
 }
 
-func (am *MockAccountManager) BufferUpdateAccountPeers(ctx context.Context, accountID string) {
-	// do nothing
-}
-
 func (am *MockAccountManager) DeleteSetupKey(ctx context.Context, accountID, userID, keyID string) error {
 	if am.DeleteSetupKeyFunc != nil {
 		return am.DeleteSetupKeyFunc(ctx, accountID, userID, keyID)
@@ -819,22 +814,6 @@ func (am *MockAccountManager) GetAccountMeta(ctx context.Context, accountID stri
 	return nil, status.Errorf(codes.Unimplemented, "method GetAccountMeta is not implemented")
 }
 
-// GetAccountOnboarding mocks GetAccountOnboarding of the AccountManager interface
-func (am *MockAccountManager) GetAccountOnboarding(ctx context.Context, accountID string, userID string) (*types.AccountOnboarding, error) {
-	if am.GetAccountOnboardingFunc != nil {
-		return am.GetAccountOnboardingFunc(ctx, accountID, userID)
-	}
-	return nil, status.Errorf(codes.Unimplemented, "method GetAccountOnboarding is not implemented")
-}
-
-// UpdateAccountOnboarding mocks UpdateAccountOnboarding of the AccountManager interface
-func (am *MockAccountManager) UpdateAccountOnboarding(ctx context.Context, accountID string, userID string, onboarding *types.AccountOnboarding) (*types.AccountOnboarding, error) {
-	if am.UpdateAccountOnboardingFunc != nil {
-		return am.UpdateAccountOnboardingFunc(ctx, accountID, userID, onboarding)
-	}
-	return nil, status.Errorf(codes.Unimplemented, "method UpdateAccountOnboarding is not implemented")
-}
-
 // GetUserByID mocks GetUserByID of the AccountManager interface
 func (am *MockAccountManager) GetUserByID(ctx context.Context, id string) (*types.User, error) {
 	if am.GetUserByIDFunc != nil {

management/server/nameserver_test.go

@@ -778,14 +778,8 @@ func createNSManager(t *testing.T) (*DefaultAccountManager, error) {
 	ctrl := gomock.NewController(t)
 	t.Cleanup(ctrl.Finish)
 	settingsMockManager := settings.NewMockManager(ctrl)
-	settingsMockManager.
-		EXPECT().
-		GetExtraSettings(gomock.Any(), gomock.Any()).
-		Return(&types.ExtraSettings{}, nil).
-		AnyTimes()
-
 	permissionsManager := permissions.NewManager(store)
-	return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.selfhosted", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.selfhosted", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
 }
 
 func createNSStore(t *testing.T) (store.Store, error) {
@@ -854,7 +848,7 @@ func initTestNSAccount(t *testing.T, am *DefaultAccountManager) (*types.Account,
 	userID := testUserID
 	domain := "example.com"
 
-	account := newAccountWithId(context.Background(), accountID, userID, domain, false)
+	account := newAccountWithId(context.Background(), accountID, userID, domain)
 
 	account.NameServerGroups[existingNSGroup.ID] = &existingNSGroup
 

management/server/peer.go

@@ -92,7 +92,7 @@ func (am *DefaultAccountManager) getUserAccessiblePeers(ctx context.Context, acc
 
 	// fetch all the peers that have access to the user's peers
 	for _, peer := range peers {
-		aclPeers, _ := account.GetPeerConnectionResources(ctx, peer, approvedPeersMap)
+		aclPeers, _ := account.GetPeerConnectionResources(ctx, peer.ID, approvedPeersMap)
 		for _, p := range aclPeers {
 			peersMap[p.ID] = p
 		}
@@ -133,7 +133,7 @@ func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubK
 		}
 
 		if peer.LoginExpirationEnabled && settings.PeerLoginExpirationEnabled {
-			am.schedulePeerLoginExpiration(ctx, accountID)
+			am.checkAndSchedulePeerLoginExpiration(ctx, accountID)
 		}
 
 		if peer.InactivityExpirationEnabled && settings.PeerInactivityExpirationEnabled {
@@ -296,8 +296,7 @@ func (am *DefaultAccountManager) UpdatePeer(ctx context.Context, accountID, user
 		am.StoreEvent(ctx, userID, peer.IP.String(), accountID, event, peer.EventMeta(dnsDomain))
 
 		if peer.AddedWithSSOLogin() && peer.LoginExpirationEnabled && settings.PeerLoginExpirationEnabled {
-			am.peerLoginExpiry.Cancel(ctx, []string{accountID})
-			am.schedulePeerLoginExpiration(ctx, accountID)
+			am.checkAndSchedulePeerLoginExpiration(ctx, accountID)
 		}
 	}
 
@@ -391,7 +390,7 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
 		storeEvent()
 	}
 
-	if updateAccountPeers && userID != activity.SystemInitiator {
+	if updateAccountPeers {
 		am.BufferUpdateAccountPeers(ctx, accountID)
 	}
 
@@ -1149,7 +1148,7 @@ func (am *DefaultAccountManager) checkIfUserOwnsPeer(ctx context.Context, accoun
 	}
 
 	for _, p := range userPeers {
-		aclPeers, _ := account.GetPeerConnectionResources(ctx, p, approvedPeersMap)
+		aclPeers, _ := account.GetPeerConnectionResources(ctx, p.ID, approvedPeersMap)
 		for _, aclPeer := range aclPeers {
 			if aclPeer.ID == peer.ID {
 				return peer, nil
@@ -1169,26 +1168,7 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 		return
 	}
 
-	if am.metrics != nil {
-		globalStart := time.Now()
-		defer func() {
-			am.metrics.AccountManagerMetrics().CountUpdateAccountPeersDuration(time.Since(globalStart))
-		}()
-	}
-
-	peersToUpdate := []*nbpeer.Peer{}
-	for _, peer := range account.Peers {
-		if !am.peersUpdateManager.HasChannel(peer.ID) {
-			log.WithContext(ctx).Tracef("peer %s doesn't have a channel, skipping network map update", peer.ID)
-			continue
-		}
-
-		peersToUpdate = append(peersToUpdate, peer)
-	}
-
-	if len(peersToUpdate) == 0 {
-		return
-	}
+	start := time.Now()
 
 	approvedPeersMap, err := am.integratedPeerValidator.GetValidatedPeers(account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
 	if err != nil {
@@ -1211,70 +1191,62 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 		return
 	}
 
-	extraSetting, err := am.settingsManager.GetExtraSettings(ctx, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get flow enabled status: %v", err)
-		return
-	}
+	for _, peer := range account.Peers {
+		if !am.peersUpdateManager.HasChannel(peer.ID) {
+			log.WithContext(ctx).Tracef("peer %s doesn't have a channel, skipping network map update", peer.ID)
+			continue
+		}
 
-	for _, peer := range peersToUpdate {
 		wg.Add(1)
 		semaphore <- struct{}{}
 		go func(p *nbpeer.Peer) {
 			defer wg.Done()
 			defer func() { <-semaphore }()
 
-			start := time.Now()
-
 			postureChecks, err := am.getPeerPostureChecks(account, p.ID)
 			if err != nil {
 				log.WithContext(ctx).Debugf("failed to get posture checks for peer %s: %v", peer.ID, err)
 				return
 			}
 
-			am.metrics.UpdateChannelMetrics().CountCalcPostureChecksDuration(time.Since(start))
-			start = time.Now()
-
 			remotePeerNetworkMap := account.GetPeerNetworkMap(ctx, p.ID, customZone, approvedPeersMap, resourcePolicies, routers, am.metrics.AccountManagerMetrics())
 
-			am.metrics.UpdateChannelMetrics().CountCalcPeerNetworkMapDuration(time.Since(start))
-			start = time.Now()
-
 			proxyNetworkMap, ok := proxyNetworkMaps[p.ID]
 			if ok {
 				remotePeerNetworkMap.Merge(proxyNetworkMap)
 			}
-			am.metrics.UpdateChannelMetrics().CountMergeNetworkMapDuration(time.Since(start))
 
-			start = time.Now()
+			extraSetting, err := am.settingsManager.GetExtraSettings(ctx, accountID)
+			if err != nil {
+				log.WithContext(ctx).Errorf("failed to get flow enabled status: %v", err)
+				return
+			}
+
 			update := toSyncResponse(ctx, nil, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting)
-			am.metrics.UpdateChannelMetrics().CountToSyncResponseDuration(time.Since(start))
-
 			am.peersUpdateManager.SendUpdate(ctx, p.ID, &UpdateMessage{Update: update, NetworkMap: remotePeerNetworkMap})
 		}(peer)
 	}
 
+	//
+
 	wg.Wait()
+	if am.metrics != nil {
+		am.metrics.AccountManagerMetrics().CountUpdateAccountPeersDuration(time.Since(start))
+	}
 }
 
 func (am *DefaultAccountManager) BufferUpdateAccountPeers(ctx context.Context, accountID string) {
 	mu, _ := am.accountUpdateLocks.LoadOrStore(accountID, &sync.Mutex{})
 	lock := mu.(*sync.Mutex)
 
-	log.WithContext(ctx).Debugf("try to BufferUpdateAccountPeers for account %s", accountID)
-
 	if !lock.TryLock() {
-		log.WithContext(ctx).Debugf("BufferUpdateAccountPeers for an account %s locked - returning", accountID)
 		return
 	}
 
 	go func() {
-		// time.Sleep(time.Duration(am.updateAccountPeersBufferInterval.Load()))
-		defer lock.Unlock()
-		log.WithContext(ctx).Debugf("BufferUpdateAccountPeers for an account %s - in progress", accountID)
-		tn := time.Now()
+		time.Sleep(time.Duration(am.updateAccountPeersBufferInterval.Load()))
+		lock.Unlock()
 		am.UpdateAccountPeers(ctx, accountID)
-		log.WithContext(ctx).Debugf("BufferUpdateAccountPeers for an account %s - took %dms", accountID, time.Since(tn).Milliseconds())
 	}()
 }
 

management/server/peer_test.go

@@ -480,7 +480,7 @@ func TestDefaultAccountManager_GetPeer(t *testing.T) {
 	accountID := "test_account"
 	adminUser := "account_creator"
 	someUser := "some_user"
-	account := newAccountWithId(context.Background(), accountID, adminUser, "", false)
+	account := newAccountWithId(context.Background(), accountID, adminUser, "")
 	account.Users[someUser] = &types.User{
 		Id:   someUser,
 		Role: types.UserRoleUser,
@@ -667,7 +667,7 @@ func TestDefaultAccountManager_GetPeers(t *testing.T) {
 			accountID := "test_account"
 			adminUser := "account_creator"
 			someUser := "some_user"
-			account := newAccountWithId(context.Background(), accountID, adminUser, "", false)
+			account := newAccountWithId(context.Background(), accountID, adminUser, "")
 			account.Users[someUser] = &types.User{
 				Id:            someUser,
 				Role:          testCase.role,
@@ -737,7 +737,7 @@ func setupTestAccountManager(b testing.TB, peers int, groups int) (*DefaultAccou
 	adminUser := "account_creator"
 	regularUser := "regular_user"
 
-	account := newAccountWithId(context.Background(), accountID, adminUser, "", false)
+	account := newAccountWithId(context.Background(), accountID, adminUser, "")
 	account.Users[regularUser] = &types.User{
 		Id:   regularUser,
 		Role: types.UserRoleUser,
@@ -1267,7 +1267,7 @@ func Test_RegisterPeerByUser(t *testing.T) {
 	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManager := permissions.NewManager(s)
 
-	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
 	assert.NoError(t, err)
 
 	existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
@@ -1340,14 +1340,9 @@ func Test_RegisterPeerBySetupKey(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	t.Cleanup(ctrl.Finish)
 	settingsMockManager := settings.NewMockManager(ctrl)
-	settingsMockManager.
-		EXPECT().
-		GetExtraSettings(gomock.Any(), gomock.Any()).
-		Return(&types.ExtraSettings{}, nil).
-		AnyTimes()
 	permissionsManager := permissions.NewManager(s)
 
-	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
 	assert.NoError(t, err)
 
 	existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
@@ -1482,7 +1477,7 @@ func Test_RegisterPeerRollbackOnFailure(t *testing.T) {
 
 	permissionsManager := permissions.NewManager(s)
 
-	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
 	assert.NoError(t, err)
 
 	existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
@@ -1549,14 +1544,9 @@ func Test_LoginPeer(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	t.Cleanup(ctrl.Finish)
 	settingsMockManager := settings.NewMockManager(ctrl)
-	settingsMockManager.
-		EXPECT().
-		GetExtraSettings(gomock.Any(), gomock.Any()).
-		Return(&types.ExtraSettings{}, nil).
-		AnyTimes()
 	permissionsManager := permissions.NewManager(s)
 
-	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
 	assert.NoError(t, err)
 
 	existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
@@ -2062,7 +2052,7 @@ func Test_DeletePeer(t *testing.T) {
 	// account with an admin and a regular user
 	accountID := "test_account"
 	adminUser := "account_creator"
-	account := newAccountWithId(context.Background(), accountID, adminUser, "", false)
+	account := newAccountWithId(context.Background(), accountID, adminUser, "")
 	account.Peers = map[string]*nbpeer.Peer{
 		"peer1": {
 			ID:        "peer1",

management/server/policy_test.go

@@ -27,7 +27,6 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				ID:     "peerB",
 				IP:     net.ParseIP("100.65.80.39"),
 				Status: &nbpeer.PeerStatus{},
-				Meta:   nbpeer.PeerSystemMeta{WtVersion: "0.48.0"},
 			},
 			"peerC": {
 				ID:     "peerC",
@@ -64,12 +63,6 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				IP:     net.ParseIP("100.65.31.2"),
 				Status: &nbpeer.PeerStatus{},
 			},
-			"peerK": {
-				ID:     "peerK",
-				IP:     net.ParseIP("100.32.80.1"),
-				Status: &nbpeer.PeerStatus{},
-				Meta:   nbpeer.PeerSystemMeta{WtVersion: "0.30.0"},
-			},
 		},
 		Groups: map[string]*types.Group{
 			"GroupAll": {
@@ -118,13 +111,6 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 					"peerI",
 				},
 			},
-			"GroupWorkflow": {
-				ID:   "GroupWorkflow",
-				Name: "workflow",
-				Peers: []string{
-					"peerK",
-				},
-			},
 		},
 		Policies: []*types.Policy{
 			{
@@ -203,39 +189,6 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 					},
 				},
 			},
-			{
-				ID:          "RuleWorkflow",
-				Name:        "Workflow",
-				Description: "No description",
-				Enabled:     true,
-				Rules: []*types.PolicyRule{
-					{
-						ID:            "RuleWorkflow",
-						Name:          "Workflow",
-						Description:   "No description",
-						Bidirectional: true,
-						Enabled:       true,
-						Protocol:      types.PolicyRuleProtocolTCP,
-						Action:        types.PolicyTrafficActionAccept,
-						PortRanges: []types.RulePortRange{
-							{
-								Start: 8088,
-								End:   8088,
-							},
-							{
-								Start: 9090,
-								End:   9095,
-							},
-						},
-						Sources: []string{
-							"GroupWorkflow",
-						},
-						Destinations: []string{
-							"GroupDMZ",
-						},
-					},
-				},
-			},
 		},
 	}
 
@@ -246,14 +199,14 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 
 	t.Run("check that all peers get map", func(t *testing.T) {
 		for _, p := range account.Peers {
-			peers, firewallRules := account.GetPeerConnectionResources(context.Background(), p, validatedPeers)
-			assert.GreaterOrEqual(t, len(peers), 1, "minimum number peers should present")
-			assert.GreaterOrEqual(t, len(firewallRules), 1, "minimum number of firewall rules should present")
+			peers, firewallRules := account.GetPeerConnectionResources(context.Background(), p.ID, validatedPeers)
+			assert.GreaterOrEqual(t, len(peers), 2, "minimum number peers should present")
+			assert.GreaterOrEqual(t, len(firewallRules), 2, "minimum number of firewall rules should present")
 		}
 	})
 
 	t.Run("check first peer map details", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerB"], validatedPeers)
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", validatedPeers)
 		assert.Len(t, peers, 8)
 		assert.Contains(t, peers, account.Peers["peerA"])
 		assert.Contains(t, peers, account.Peers["peerC"])
@@ -411,32 +364,6 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 			assert.True(t, contains, "rule not found in expected rules %#v", rule)
 		}
 	})
-
-	t.Run("check port ranges support for older peers", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerK"], validatedPeers)
-		assert.Len(t, peers, 1)
-		assert.Contains(t, peers, account.Peers["peerI"])
-
-		expectedFirewallRules := []*types.FirewallRule{
-			{
-				PeerIP:    "100.65.31.2",
-				Direction: types.FirewallRuleDirectionIN,
-				Action:    "accept",
-				Protocol:  "tcp",
-				Port:      "8088",
-				PolicyID:  "RuleWorkflow",
-			},
-			{
-				PeerIP:    "100.65.31.2",
-				Direction: types.FirewallRuleDirectionOUT,
-				Action:    "accept",
-				Protocol:  "tcp",
-				Port:      "8088",
-				PolicyID:  "RuleWorkflow",
-			},
-		}
-		assert.ElementsMatch(t, firewallRules, expectedFirewallRules)
-	})
 }
 
 func TestAccount_getPeersByPolicyDirect(t *testing.T) {
@@ -539,10 +466,10 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 	}
 
 	t.Run("check first peer map", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerB"], approvedPeers)
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerC"])
 
-		expectedFirewallRules := []*types.FirewallRule{
+		epectedFirewallRules := []*types.FirewallRule{
 			{
 				PeerIP:    "100.65.254.139",
 				Direction: types.FirewallRuleDirectionIN,
@@ -560,19 +487,19 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				PolicyID:  "RuleSwarm",
 			},
 		}
-		assert.Len(t, firewallRules, len(expectedFirewallRules))
-		slices.SortFunc(expectedFirewallRules, sortFunc())
+		assert.Len(t, firewallRules, len(epectedFirewallRules))
+		slices.SortFunc(epectedFirewallRules, sortFunc())
 		slices.SortFunc(firewallRules, sortFunc())
 		for i := range firewallRules {
-			assert.Equal(t, expectedFirewallRules[i], firewallRules[i])
+			assert.Equal(t, epectedFirewallRules[i], firewallRules[i])
 		}
 	})
 
 	t.Run("check second peer map", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerC"], approvedPeers)
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerB"])
 
-		expectedFirewallRules := []*types.FirewallRule{
+		epectedFirewallRules := []*types.FirewallRule{
 			{
 				PeerIP:    "100.65.80.39",
 				Direction: types.FirewallRuleDirectionIN,
@@ -590,21 +517,21 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				PolicyID:  "RuleSwarm",
 			},
 		}
-		assert.Len(t, firewallRules, len(expectedFirewallRules))
-		slices.SortFunc(expectedFirewallRules, sortFunc())
+		assert.Len(t, firewallRules, len(epectedFirewallRules))
+		slices.SortFunc(epectedFirewallRules, sortFunc())
 		slices.SortFunc(firewallRules, sortFunc())
 		for i := range firewallRules {
-			assert.Equal(t, expectedFirewallRules[i], firewallRules[i])
+			assert.Equal(t, epectedFirewallRules[i], firewallRules[i])
 		}
 	})
 
 	account.Policies[1].Rules[0].Bidirectional = false
 
 	t.Run("check first peer map directional only", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerB"], approvedPeers)
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerC"])
 
-		expectedFirewallRules := []*types.FirewallRule{
+		epectedFirewallRules := []*types.FirewallRule{
 			{
 				PeerIP:    "100.65.254.139",
 				Direction: types.FirewallRuleDirectionOUT,
@@ -614,19 +541,19 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				PolicyID:  "RuleSwarm",
 			},
 		}
-		assert.Len(t, firewallRules, len(expectedFirewallRules))
-		slices.SortFunc(expectedFirewallRules, sortFunc())
+		assert.Len(t, firewallRules, len(epectedFirewallRules))
+		slices.SortFunc(epectedFirewallRules, sortFunc())
 		slices.SortFunc(firewallRules, sortFunc())
 		for i := range firewallRules {
-			assert.Equal(t, expectedFirewallRules[i], firewallRules[i])
+			assert.Equal(t, epectedFirewallRules[i], firewallRules[i])
 		}
 	})
 
 	t.Run("check second peer map directional only", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerC"], approvedPeers)
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerB"])
 
-		expectedFirewallRules := []*types.FirewallRule{
+		epectedFirewallRules := []*types.FirewallRule{
 			{
 				PeerIP:    "100.65.80.39",
 				Direction: types.FirewallRuleDirectionIN,
@@ -636,11 +563,11 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				PolicyID:  "RuleSwarm",
 			},
 		}
-		assert.Len(t, firewallRules, len(expectedFirewallRules))
-		slices.SortFunc(expectedFirewallRules, sortFunc())
+		assert.Len(t, firewallRules, len(epectedFirewallRules))
+		slices.SortFunc(epectedFirewallRules, sortFunc())
 		slices.SortFunc(firewallRules, sortFunc())
 		for i := range firewallRules {
-			assert.Equal(t, expectedFirewallRules[i], firewallRules[i])
+			assert.Equal(t, epectedFirewallRules[i], firewallRules[i])
 		}
 	})
 }
@@ -821,7 +748,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 	t.Run("verify peer's network map with default group peer list", func(t *testing.T) {
 		// peerB doesn't fulfill the NB posture check but is included in the destination group Swarm,
 		// will establish a connection with all source peers satisfying the NB posture check.
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerB"], approvedPeers)
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers)
 		assert.Len(t, peers, 4)
 		assert.Len(t, firewallRules, 4)
 		assert.Contains(t, peers, account.Peers["peerA"])
@@ -831,7 +758,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 
 		// peerC satisfy the NB posture check, should establish connection to all destination group peer's
 		// We expect a single permissive firewall rule which all outgoing connections
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), account.Peers["peerC"], approvedPeers)
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers)
 		assert.Len(t, peers, len(account.Groups["GroupSwarm"].Peers))
 		assert.Len(t, firewallRules, 1)
 		expectedFirewallRules := []*types.FirewallRule{
@@ -848,7 +775,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 
 		// peerE doesn't fulfill the NB posture check and exists in only destination group Swarm,
 		// all source group peers satisfying the NB posture check should establish connection
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), account.Peers["peerE"], approvedPeers)
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerE", approvedPeers)
 		assert.Len(t, peers, 4)
 		assert.Len(t, firewallRules, 4)
 		assert.Contains(t, peers, account.Peers["peerA"])
@@ -858,7 +785,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 
 		// peerI doesn't fulfill the OS version posture check and exists in only destination group Swarm,
 		// all source group peers satisfying the NB posture check should establish connection
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), account.Peers["peerI"], approvedPeers)
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerI", approvedPeers)
 		assert.Len(t, peers, 4)
 		assert.Len(t, firewallRules, 4)
 		assert.Contains(t, peers, account.Peers["peerA"])
@@ -873,19 +800,19 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 
 		// peerB doesn't satisfy the NB posture check, and doesn't exist in destination group peer's
 		// no connection should be established to any peer of destination group
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerB"], approvedPeers)
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers)
 		assert.Len(t, peers, 0)
 		assert.Len(t, firewallRules, 0)
 
 		// peerI doesn't satisfy the OS version posture check, and doesn't exist in destination group peer's
 		// no connection should be established to any peer of destination group
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), account.Peers["peerI"], approvedPeers)
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerI", approvedPeers)
 		assert.Len(t, peers, 0)
 		assert.Len(t, firewallRules, 0)
 
 		// peerC satisfy the NB posture check, should establish connection to all destination group peer's
 		// We expect a single permissive firewall rule which all outgoing connections
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), account.Peers["peerC"], approvedPeers)
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers)
 		assert.Len(t, peers, len(account.Groups["GroupSwarm"].Peers))
 		assert.Len(t, firewallRules, len(account.Groups["GroupSwarm"].Peers))
 
@@ -900,14 +827,14 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 
 		// peerE doesn't fulfill the NB posture check and exists in only destination group Swarm,
 		// all source group peers satisfying the NB posture check should establish connection
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), account.Peers["peerE"], approvedPeers)
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerE", approvedPeers)
 		assert.Len(t, peers, 3)
 		assert.Len(t, firewallRules, 3)
 		assert.Contains(t, peers, account.Peers["peerA"])
 		assert.Contains(t, peers, account.Peers["peerC"])
 		assert.Contains(t, peers, account.Peers["peerD"])
 
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), account.Peers["peerA"], approvedPeers)
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerA", approvedPeers)
 		assert.Len(t, peers, 5)
 		// assert peers from Group Swarm
 		assert.Contains(t, peers, account.Peers["peerD"])

management/server/posture/nb_version.go

@@ -24,12 +24,20 @@ func sanitizeVersion(version string) string {
 }
 
 func (n *NBVersionCheck) Check(ctx context.Context, peer nbpeer.Peer) (bool, error) {
-	meetsMin, err := MeetsMinVersion(n.MinVersion, peer.Meta.WtVersion)
+	peerVersion := sanitizeVersion(peer.Meta.WtVersion)
+	minVersion := sanitizeVersion(n.MinVersion)
+
+	peerNBVersion, err := version.NewVersion(peerVersion)
 	if err != nil {
 		return false, err
 	}
 
-	if meetsMin {
+	constraints, err := version.NewConstraint(">= " + minVersion)
+	if err != nil {
+		return false, err
+	}
+
+	if constraints.Check(peerNBVersion) {
 		return true, nil
 	}
 
@@ -52,21 +60,3 @@ func (n *NBVersionCheck) Validate() error {
 	}
 	return nil
 }
-
-// MeetsMinVersion checks if the peer's version meets or exceeds the minimum required version
-func MeetsMinVersion(minVer, peerVer string) (bool, error) {
-	peerVer = sanitizeVersion(peerVer)
-	minVer = sanitizeVersion(minVer)
-
-	peerNBVer, err := version.NewVersion(peerVer)
-	if err != nil {
-		return false, err
-	}
-
-	constraints, err := version.NewConstraint(">= " + minVer)
-	if err != nil {
-		return false, err
-	}
-
-	return constraints.Check(peerNBVer), nil
-}

management/server/posture/nb_version_test.go

@@ -139,68 +139,3 @@ func TestNBVersionCheck_Validate(t *testing.T) {
 		})
 	}
 }
-
-func TestMeetsMinVersion(t *testing.T) {
-	tests := []struct {
-		name    string
-		minVer  string
-		peerVer string
-		want    bool
-		wantErr bool
-	}{
-		{
-			name:    "Peer version greater than min version",
-			minVer:  "0.26.0",
-			peerVer: "0.60.1",
-			want:    true,
-			wantErr: false,
-		},
-		{
-			name:    "Peer version equals min version",
-			minVer:  "1.0.0",
-			peerVer: "1.0.0",
-			want:    true,
-			wantErr: false,
-		},
-		{
-			name:    "Peer version less than min version",
-			minVer:  "1.0.0",
-			peerVer: "0.9.9",
-			want:    false,
-			wantErr: false,
-		},
-		{
-			name:    "Peer version with pre-release tag greater than min version",
-			minVer:  "1.0.0",
-			peerVer: "1.0.1-alpha",
-			want:    true,
-			wantErr: false,
-		},
-		{
-			name:    "Invalid peer version format",
-			minVer:  "1.0.0",
-			peerVer: "dev",
-			want:    false,
-			wantErr: true,
-		},
-		{
-			name:    "Invalid min version format",
-			minVer:  "invalid.version",
-			peerVer: "1.0.0",
-			want:    false,
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := MeetsMinVersion(tt.minVer, tt.peerVer)
-			if tt.wantErr {
-				assert.Error(t, err)
-			} else {
-				assert.NoError(t, err)
-			}
-			assert.Equal(t, tt.want, got)
-		})
-	}
-}

management/server/posture_checks_test.go

@@ -106,7 +106,7 @@ func initTestPostureChecksAccount(am *DefaultAccountManager) (*types.Account, er
 		Role: types.UserRoleUser,
 	}
 
-	account := newAccountWithId(context.Background(), accountID, groupAdminUserID, domain, false)
+	account := newAccountWithId(context.Background(), accountID, groupAdminUserID, domain)
 	account.Users[admin.Id] = admin
 	account.Users[user.Id] = user
 

management/server/route.go

@@ -4,19 +4,19 @@ import (
 	"context"
 	"fmt"
 	"net/netip"
-	"slices"
 	"unicode/utf8"
 
 	"github.com/rs/xid"
 
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+
 	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/management/server/permissions/modules"
-	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/status"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/route"
 )
 
@@ -30,19 +30,13 @@ func (am *DefaultAccountManager) GetRoute(ctx context.Context, accountID string,
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	return am.Store.GetRouteByID(ctx, store.LockingStrengthShare, accountID, string(routeID))
+	return am.Store.GetRouteByID(ctx, store.LockingStrengthShare, string(routeID), accountID)
 }
 
 // checkRoutePrefixOrDomainsExistForPeers checks if a route with a given prefix exists for a single peer or multiple peer groups.
-func checkRoutePrefixOrDomainsExistForPeers(ctx context.Context, transaction store.Store, accountID string, checkRoute *route.Route, groupsMap map[string]*types.Group) error {
+func (am *DefaultAccountManager) checkRoutePrefixOrDomainsExistForPeers(account *types.Account, peerID string, routeID route.ID, peerGroupIDs []string, prefix netip.Prefix, domains domain.List) error {
 	// routes can have both peer and peer_groups
-	prefix := checkRoute.Network
-	domains := checkRoute.Domains
-
-	routesWithPrefix, err := getRoutesByPrefixOrDomains(ctx, transaction, accountID, prefix, domains)
-	if err != nil {
-		return err
-	}
+	routesWithPrefix := account.GetRoutesByPrefixOrDomains(prefix, domains)
 
 	// lets remember all the peers and the peer groups from routesWithPrefix
 	seenPeers := make(map[string]bool)
@@ -51,24 +45,18 @@ func checkRoutePrefixOrDomainsExistForPeers(ctx context.Context, transaction sto
 	for _, prefixRoute := range routesWithPrefix {
 		// we skip route(s) with the same network ID as we want to allow updating of the existing route
 		// when creating a new route routeID is newly generated so nothing will be skipped
-		if checkRoute.ID == prefixRoute.ID {
+		if routeID == prefixRoute.ID {
 			continue
 		}
 
 		if prefixRoute.Peer != "" {
 			seenPeers[string(prefixRoute.ID)] = true
 		}
-
-		peerGroupsMap, err := transaction.GetGroupsByIDs(ctx, store.LockingStrengthShare, accountID, prefixRoute.PeerGroups)
-		if err != nil {
-			return err
-		}
-
 		for _, groupID := range prefixRoute.PeerGroups {
 			seenPeerGroups[groupID] = true
 
-			group, ok := peerGroupsMap[groupID]
-			if !ok || group == nil {
+			group := account.GetGroup(groupID)
+			if group == nil {
 				return status.Errorf(
 					status.InvalidArgument, "failed to add route with %s - peer group %s doesn't exist",
 					getRouteDescriptor(prefix, domains), groupID,
@@ -81,13 +69,12 @@ func checkRoutePrefixOrDomainsExistForPeers(ctx context.Context, transaction sto
 		}
 	}
 
-	if peerID := checkRoute.Peer; peerID != "" {
+	if peerID != "" {
 		// check that peerID exists and is not in any route as single peer or part of the group
-		_, err = transaction.GetPeerByID(context.Background(), store.LockingStrengthShare, accountID, peerID)
-		if err != nil {
+		peer := account.GetPeer(peerID)
+		if peer == nil {
 			return status.Errorf(status.InvalidArgument, "peer with ID %s not found", peerID)
 		}
-
 		if _, ok := seenPeers[peerID]; ok {
 			return status.Errorf(status.AlreadyExists,
 				"failed to add route with %s - peer %s already has this route", getRouteDescriptor(prefix, domains), peerID)
@@ -95,8 +82,9 @@ func checkRoutePrefixOrDomainsExistForPeers(ctx context.Context, transaction sto
 	}
 
 	// check that peerGroupIDs are not in any route peerGroups list
-	for _, groupID := range checkRoute.PeerGroups {
-		group := groupsMap[groupID] // we validated the group existence before entering this function, no need to check again.
+	for _, groupID := range peerGroupIDs {
+		group := account.GetGroup(groupID) // we validated the group existence before entering this function, no need to check again.
+
 		if _, ok := seenPeerGroups[groupID]; ok {
 			return status.Errorf(
 				status.AlreadyExists, "failed to add route with %s - peer group %s already has this route",
@@ -104,18 +92,12 @@ func checkRoutePrefixOrDomainsExistForPeers(ctx context.Context, transaction sto
 		}
 
 		// check that the peers from peerGroupIDs groups are not the same peers we saw in routesWithPrefix
-		peersMap, err := transaction.GetPeersByIDs(ctx, store.LockingStrengthShare, accountID, group.Peers)
-		if err != nil {
-			return err
-		}
-
 		for _, id := range group.Peers {
 			if _, ok := seenPeers[id]; ok {
-				peer, ok := peersMap[id]
-				if !ok || peer == nil {
-					return status.Errorf(status.InvalidArgument, "peer with ID %s not found", id)
+				peer := account.GetPeer(id)
+				if peer == nil {
+					return status.Errorf(status.InvalidArgument, "peer with ID %s not found", peerID)
 				}
-
 				return status.Errorf(status.AlreadyExists,
 					"failed to add route with %s - peer %s from the group %s already has this route",
 					getRouteDescriptor(prefix, domains), peer.Name, group.Name)
@@ -146,58 +128,97 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	if len(domains) > 0 && prefix.IsValid() {
-		return nil, status.Errorf(status.InvalidArgument, "domains and network should not be provided at the same time")
-	}
-
-	var newRoute *route.Route
-	var updateAccountPeers bool
-
-	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		newRoute = &route.Route{
-			ID:                  route.ID(xid.New().String()),
-			AccountID:           accountID,
-			Network:             prefix,
-			Domains:             domains,
-			KeepRoute:           keepRoute,
-			NetID:               netID,
-			Description:         description,
-			Peer:                peerID,
-			PeerGroups:          peerGroupIDs,
-			NetworkType:         networkType,
-			Masquerade:          masquerade,
-			Metric:              metric,
-			Enabled:             enabled,
-			Groups:              groups,
-			AccessControlGroups: accessControlGroupIDs,
-		}
-
-		if err = validateRoute(ctx, transaction, accountID, newRoute); err != nil {
-			return err
-		}
-
-		updateAccountPeers, err = areRouteChangesAffectPeers(ctx, transaction, newRoute)
-		if err != nil {
-			return err
-		}
-
-		if err = transaction.IncrementNetworkSerial(ctx, store.LockingStrengthUpdate, accountID); err != nil {
-			return err
-		}
-
-		return transaction.SaveRoute(ctx, store.LockingStrengthUpdate, newRoute)
-	})
+	account, err := am.Store.GetAccount(ctx, accountID)
 	if err != nil {
 		return nil, err
 	}
 
-	am.StoreEvent(ctx, userID, string(newRoute.ID), accountID, activity.RouteCreated, newRoute.EventMeta())
+	if len(domains) > 0 && prefix.IsValid() {
+		return nil, status.Errorf(status.InvalidArgument, "domains and network should not be provided at the same time")
+	}
 
-	if updateAccountPeers {
+	if len(domains) == 0 && !prefix.IsValid() {
+		return nil, status.Errorf(status.InvalidArgument, "invalid Prefix")
+	}
+
+	if len(domains) > 0 {
+		prefix = getPlaceholderIP()
+	}
+
+	if peerID != "" && len(peerGroupIDs) != 0 {
+		return nil, status.Errorf(
+			status.InvalidArgument,
+			"peer with ID %s and peers group %s should not be provided at the same time",
+			peerID, peerGroupIDs)
+	}
+
+	var newRoute route.Route
+	newRoute.ID = route.ID(xid.New().String())
+
+	if len(peerGroupIDs) > 0 {
+		err = validateGroups(peerGroupIDs, account.Groups)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if len(accessControlGroupIDs) > 0 {
+		err = validateGroups(accessControlGroupIDs, account.Groups)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	err = am.checkRoutePrefixOrDomainsExistForPeers(account, peerID, newRoute.ID, peerGroupIDs, prefix, domains)
+	if err != nil {
+		return nil, err
+	}
+
+	if metric < route.MinMetric || metric > route.MaxMetric {
+		return nil, status.Errorf(status.InvalidArgument, "metric should be between %d and %d", route.MinMetric, route.MaxMetric)
+	}
+
+	if utf8.RuneCountInString(string(netID)) > route.MaxNetIDChar || netID == "" {
+		return nil, status.Errorf(status.InvalidArgument, "identifier should be between 1 and %d", route.MaxNetIDChar)
+	}
+
+	err = validateGroups(groups, account.Groups)
+	if err != nil {
+		return nil, err
+	}
+
+	newRoute.Peer = peerID
+	newRoute.PeerGroups = peerGroupIDs
+	newRoute.Network = prefix
+	newRoute.Domains = domains
+	newRoute.NetworkType = networkType
+	newRoute.Description = description
+	newRoute.NetID = netID
+	newRoute.Masquerade = masquerade
+	newRoute.Metric = metric
+	newRoute.Enabled = enabled
+	newRoute.Groups = groups
+	newRoute.KeepRoute = keepRoute
+	newRoute.AccessControlGroups = accessControlGroupIDs
+
+	if account.Routes == nil {
+		account.Routes = make(map[route.ID]*route.Route)
+	}
+
+	account.Routes[newRoute.ID] = &newRoute
+
+	account.Network.IncSerial()
+	if err = am.Store.SaveAccount(ctx, account); err != nil {
+		return nil, err
+	}
+
+	if am.isRouteChangeAffectPeers(account, &newRoute) {
 		am.UpdateAccountPeers(ctx, accountID)
 	}
 
-	return newRoute, nil
+	am.StoreEvent(ctx, userID, string(newRoute.ID), accountID, activity.RouteCreated, newRoute.EventMeta())
+
+	return &newRoute, nil
 }
 
 // SaveRoute saves route
@@ -205,115 +226,6 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
 	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
 	defer unlock()
 
-	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Update)
-	if err != nil {
-		return status.NewPermissionValidationError(err)
-	}
-	if !allowed {
-		return status.NewPermissionDeniedError()
-	}
-
-	var oldRoute *route.Route
-	var oldRouteAffectsPeers bool
-	var newRouteAffectsPeers bool
-
-	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		if err = validateRoute(ctx, transaction, accountID, routeToSave); err != nil {
-			return err
-		}
-
-		oldRoute, err = transaction.GetRouteByID(ctx, store.LockingStrengthUpdate, accountID, string(routeToSave.ID))
-		if err != nil {
-			return err
-		}
-
-		oldRouteAffectsPeers, err = areRouteChangesAffectPeers(ctx, transaction, oldRoute)
-		if err != nil {
-			return err
-		}
-
-		newRouteAffectsPeers, err = areRouteChangesAffectPeers(ctx, transaction, routeToSave)
-		if err != nil {
-			return err
-		}
-		routeToSave.AccountID = accountID
-
-		if err = transaction.IncrementNetworkSerial(ctx, store.LockingStrengthUpdate, accountID); err != nil {
-			return err
-		}
-
-		return transaction.SaveRoute(ctx, store.LockingStrengthUpdate, routeToSave)
-	})
-	if err != nil {
-		return err
-	}
-
-	am.StoreEvent(ctx, userID, string(routeToSave.ID), accountID, activity.RouteUpdated, routeToSave.EventMeta())
-
-	if oldRouteAffectsPeers || newRouteAffectsPeers {
-		am.UpdateAccountPeers(ctx, accountID)
-	}
-
-	return nil
-}
-
-// DeleteRoute deletes route with routeID
-func (am *DefaultAccountManager) DeleteRoute(ctx context.Context, accountID string, routeID route.ID, userID string) error {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
-
-	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Delete)
-	if err != nil {
-		return status.NewPermissionValidationError(err)
-	}
-	if !allowed {
-		return status.NewPermissionDeniedError()
-	}
-
-	var route *route.Route
-	var updateAccountPeers bool
-
-	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		route, err = transaction.GetRouteByID(ctx, store.LockingStrengthUpdate, accountID, string(routeID))
-		if err != nil {
-			return err
-		}
-
-		updateAccountPeers, err = areRouteChangesAffectPeers(ctx, transaction, route)
-		if err != nil {
-			return err
-		}
-
-		if err = transaction.IncrementNetworkSerial(ctx, store.LockingStrengthUpdate, accountID); err != nil {
-			return err
-		}
-
-		return transaction.DeleteRoute(ctx, store.LockingStrengthUpdate, accountID, string(routeID))
-	})
-
-	am.StoreEvent(ctx, userID, string(route.ID), accountID, activity.RouteRemoved, route.EventMeta())
-
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID)
-	}
-
-	return nil
-}
-
-// ListRoutes returns a list of routes from account
-func (am *DefaultAccountManager) ListRoutes(ctx context.Context, accountID, userID string) ([]*route.Route, error) {
-	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Read)
-	if err != nil {
-		return nil, status.NewPermissionValidationError(err)
-	}
-	if !allowed {
-		return nil, status.NewPermissionDeniedError()
-	}
-
-	return am.Store.GetAccountRoutes(ctx, store.LockingStrengthShare, accountID)
-}
-
-func validateRoute(ctx context.Context, transaction store.Store, accountID string, routeToSave *route.Route) error {
 	if routeToSave == nil {
 		return status.Errorf(status.InvalidArgument, "route provided is nil")
 	}
@@ -326,6 +238,19 @@ func validateRoute(ctx context.Context, transaction store.Store, accountID strin
 		return status.Errorf(status.InvalidArgument, "identifier should be between 1 and %d", route.MaxNetIDChar)
 	}
 
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Update)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return status.NewPermissionDeniedError()
+	}
+
+	account, err := am.Store.GetAccount(ctx, accountID)
+	if err != nil {
+		return err
+	}
+
 	if len(routeToSave.Domains) > 0 && routeToSave.Network.IsValid() {
 		return status.Errorf(status.InvalidArgument, "domains and network should not be provided at the same time")
 	}
@@ -342,39 +267,96 @@ func validateRoute(ctx context.Context, transaction store.Store, accountID strin
 		return status.Errorf(status.InvalidArgument, "peer with ID and peer groups should not be provided at the same time")
 	}
 
-	groupsMap, err := validateRouteGroups(ctx, transaction, accountID, routeToSave)
-	if err != nil {
-		return err
-	}
-
-	return checkRoutePrefixOrDomainsExistForPeers(ctx, transaction, accountID, routeToSave, groupsMap)
-}
-
-// validateRouteGroups validates the route groups and returns the validated groups map.
-func validateRouteGroups(ctx context.Context, transaction store.Store, accountID string, routeToSave *route.Route) (map[string]*types.Group, error) {
-	groupsToValidate := slices.Concat(routeToSave.Groups, routeToSave.PeerGroups, routeToSave.AccessControlGroups)
-	groupsMap, err := transaction.GetGroupsByIDs(ctx, store.LockingStrengthShare, accountID, groupsToValidate)
-	if err != nil {
-		return nil, err
-	}
-
 	if len(routeToSave.PeerGroups) > 0 {
-		if err = validateGroups(routeToSave.PeerGroups, groupsMap); err != nil {
-			return nil, err
+		err = validateGroups(routeToSave.PeerGroups, account.Groups)
+		if err != nil {
+			return err
 		}
 	}
 
 	if len(routeToSave.AccessControlGroups) > 0 {
-		if err = validateGroups(routeToSave.AccessControlGroups, groupsMap); err != nil {
-			return nil, err
+		err = validateGroups(routeToSave.AccessControlGroups, account.Groups)
+		if err != nil {
+			return err
 		}
 	}
 
-	if err = validateGroups(routeToSave.Groups, groupsMap); err != nil {
-		return nil, err
+	err = am.checkRoutePrefixOrDomainsExistForPeers(account, routeToSave.Peer, routeToSave.ID, routeToSave.Copy().PeerGroups, routeToSave.Network, routeToSave.Domains)
+	if err != nil {
+		return err
 	}
 
-	return groupsMap, nil
+	err = validateGroups(routeToSave.Groups, account.Groups)
+	if err != nil {
+		return err
+	}
+
+	oldRoute := account.Routes[routeToSave.ID]
+	account.Routes[routeToSave.ID] = routeToSave
+
+	account.Network.IncSerial()
+	if err = am.Store.SaveAccount(ctx, account); err != nil {
+		return err
+	}
+
+	if am.isRouteChangeAffectPeers(account, oldRoute) || am.isRouteChangeAffectPeers(account, routeToSave) {
+		am.UpdateAccountPeers(ctx, accountID)
+	}
+
+	am.StoreEvent(ctx, userID, string(routeToSave.ID), accountID, activity.RouteUpdated, routeToSave.EventMeta())
+
+	return nil
+}
+
+// DeleteRoute deletes route with routeID
+func (am *DefaultAccountManager) DeleteRoute(ctx context.Context, accountID string, routeID route.ID, userID string) error {
+	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
+	defer unlock()
+
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Delete)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return status.NewPermissionDeniedError()
+	}
+
+	account, err := am.Store.GetAccount(ctx, accountID)
+	if err != nil {
+		return err
+	}
+
+	routy := account.Routes[routeID]
+	if routy == nil {
+		return status.Errorf(status.NotFound, "route with ID %s doesn't exist", routeID)
+	}
+	delete(account.Routes, routeID)
+
+	account.Network.IncSerial()
+	if err = am.Store.SaveAccount(ctx, account); err != nil {
+		return err
+	}
+
+	am.StoreEvent(ctx, userID, string(routy.ID), accountID, activity.RouteRemoved, routy.EventMeta())
+
+	if am.isRouteChangeAffectPeers(account, routy) {
+		am.UpdateAccountPeers(ctx, accountID)
+	}
+
+	return nil
+}
+
+// ListRoutes returns a list of routes from account
+func (am *DefaultAccountManager) ListRoutes(ctx context.Context, accountID, userID string) ([]*route.Route, error) {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	return am.Store.GetAccountRoutes(ctx, store.LockingStrengthShare, accountID)
 }
 
 func toProtocolRoute(route *route.Route) *proto.Route {
@@ -473,40 +455,8 @@ func getProtoPortInfo(rule *types.RouteFirewallRule) *proto.PortInfo {
 	return &portInfo
 }
 
-// areRouteChangesAffectPeers checks if a given route affects peers by determining
-// if it has a routing peer, distribution, or peer groups that include peers.
-func areRouteChangesAffectPeers(ctx context.Context, transaction store.Store, route *route.Route) (bool, error) {
-	if route.Peer != "" {
-		return true, nil
-	}
-
-	hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, route.AccountID, route.Groups)
-	if err != nil {
-		return false, err
-	}
-
-	if hasPeers {
-		return true, nil
-	}
-
-	return anyGroupHasPeersOrResources(ctx, transaction, route.AccountID, route.PeerGroups)
-}
-
-// GetRoutesByPrefixOrDomains return list of routes by account and route prefix
-func getRoutesByPrefixOrDomains(ctx context.Context, transaction store.Store, accountID string, prefix netip.Prefix, domains domain.List) ([]*route.Route, error) {
-	accountRoutes, err := transaction.GetAccountRoutes(ctx, store.LockingStrengthShare, accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	routes := make([]*route.Route, 0)
-	for _, r := range accountRoutes {
-		dynamic := r.IsDynamic()
-		if dynamic && r.Domains.PunycodeString() == domains.PunycodeString() ||
-			!dynamic && r.Network.String() == prefix.String() {
-			routes = append(routes, r)
-		}
-	}
-
-	return routes, nil
+// isRouteChangeAffectPeers checks if a given route affects peers by determining
+// if it has a routing peer, distribution, or peer groups that include peers
+func (am *DefaultAccountManager) isRouteChangeAffectPeers(account *types.Account, route *route.Route) bool {
+	return am.anyGroupHasPeers(account, route.Groups) || am.anyGroupHasPeers(account, route.PeerGroups) || route.Peer != ""
 }

management/server/route_test.go

@@ -1284,7 +1284,7 @@ func createRouterManager(t *testing.T) (*DefaultAccountManager, error) {
 
 	permissionsManager := permissions.NewManager(store)
 
-	return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.selfhosted", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.selfhosted", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
 }
 
 func createRouterStore(t *testing.T) (store.Store, error) {
@@ -1305,7 +1305,7 @@ func initTestRouteAccount(t *testing.T, am *DefaultAccountManager) (*types.Accou
 	accountID := "testingAcc"
 	domain := "example.com"
 
-	account := newAccountWithId(context.Background(), accountID, userID, domain, false)
+	account := newAccountWithId(context.Background(), accountID, userID, domain)
 	err := am.Store.SaveAccount(context.Background(), account)
 	if err != nil {
 		return nil, err

management/server/scheduler.go

@@ -12,7 +12,6 @@ import (
 type Scheduler interface {
 	Cancel(ctx context.Context, IDs []string)
 	Schedule(ctx context.Context, in time.Duration, ID string, job func() (nextRunIn time.Duration, reschedule bool))
-	IsSchedulerRunning(ID string) bool
 }
 
 // MockScheduler is a mock implementation of  Scheduler
@@ -27,7 +26,7 @@ func (mock *MockScheduler) Cancel(ctx context.Context, IDs []string) {
 		mock.CancelFunc(ctx, IDs)
 		return
 	}
-	log.WithContext(ctx).Warnf("MockScheduler doesn't have Cancel function defined ")
+	log.WithContext(ctx).Errorf("MockScheduler doesn't have Cancel function defined ")
 }
 
 // Schedule mocks the Schedule function of the Scheduler interface
@@ -36,13 +35,7 @@ func (mock *MockScheduler) Schedule(ctx context.Context, in time.Duration, ID st
 		mock.ScheduleFunc(ctx, in, ID, job)
 		return
 	}
-	log.WithContext(ctx).Warnf("MockScheduler doesn't have Schedule function defined")
-}
-
-func (mock *MockScheduler) IsSchedulerRunning(ID string) bool {
-	// MockScheduler does not implement IsSchedulerRunning, so we return false
-	log.Warnf("MockScheduler doesn't have IsSchedulerRunning function defined")
-	return false
+	log.WithContext(ctx).Errorf("MockScheduler doesn't have Schedule function defined")
 }
 
 // DefaultScheduler is a generic structure that allows to schedule jobs (functions) to run in the future and cancel them.
@@ -131,11 +124,3 @@ func (wm *DefaultScheduler) Schedule(ctx context.Context, in time.Duration, ID s
 
 	}()
 }
-
-// IsSchedulerRunning checks if a job with the provided ID is scheduled to run
-func (wm *DefaultScheduler) IsSchedulerRunning(ID string) bool {
-	wm.mu.Lock()
-	defer wm.mu.Unlock()
-	_, ok := wm.jobs[ID]
-	return ok
-}

management/server/setupkey_test.go

@@ -5,6 +5,7 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
+	"strconv"
 	"strings"
 	"testing"
 	"time"
@@ -181,7 +182,7 @@ func TestDefaultAccountManager_CreateSetupKey(t *testing.T) {
 			}
 
 			assertKey(t, key, tCase.expectedKeyName, false, tCase.expectedType, tCase.expectedUsedTimes,
-				tCase.expectedCreatedAt, tCase.expectedExpiresAt, key.Id,
+				tCase.expectedCreatedAt, tCase.expectedExpiresAt, strconv.Itoa(int(types.Hash(key.Key))),
 				tCase.expectedUpdatedAt, tCase.expectedGroups, false)
 
 			// check the corresponding events that should have been generated
@@ -257,10 +258,10 @@ func TestGenerateDefaultSetupKey(t *testing.T) {
 	expectedExpiresAt := time.Now().UTC().Add(24 * 30 * time.Hour)
 	var expectedAutoGroups []string
 
-	key, _ := types.GenerateDefaultSetupKey()
+	key, plainKey := types.GenerateDefaultSetupKey()
 
 	assertKey(t, key, expectedName, expectedRevoke, expectedType, expectedUsedTimes, expectedCreatedAt,
-		expectedExpiresAt, key.Id, expectedUpdatedAt, expectedAutoGroups, true)
+		expectedExpiresAt, strconv.Itoa(int(types.Hash(plainKey))), expectedUpdatedAt, expectedAutoGroups, true)
 
 }
 
@@ -274,10 +275,10 @@ func TestGenerateSetupKey(t *testing.T) {
 	expectedUpdatedAt := time.Now().UTC()
 	var expectedAutoGroups []string
 
-	key, _ := types.GenerateSetupKey(expectedName, types.SetupKeyOneOff, time.Hour, []string{}, types.SetupKeyUnlimitedUsage, false, false)
+	key, plain := types.GenerateSetupKey(expectedName, types.SetupKeyOneOff, time.Hour, []string{}, types.SetupKeyUnlimitedUsage, false, false)
 
 	assertKey(t, key, expectedName, expectedRevoke, expectedType, expectedUsedTimes, expectedCreatedAt,
-		expectedExpiresAt, key.Id, expectedUpdatedAt, expectedAutoGroups, true)
+		expectedExpiresAt, strconv.Itoa(int(types.Hash(plain))), expectedUpdatedAt, expectedAutoGroups, true)
 
 }
 

management/server/status/error.go

@@ -90,11 +90,6 @@ func NewAccountNotFoundError(accountKey string) error {
 	return Errorf(NotFound, "account not found: %s", accountKey)
 }
 
-// NewAccountOnboardingNotFoundError creates a new Error with NotFound type for a missing account onboarding
-func NewAccountOnboardingNotFoundError(accountKey string) error {
-	return Errorf(NotFound, "account onboarding not found: %s", accountKey)
-}
-
 // NewPeerNotPartOfAccountError creates a new Error with PermissionDenied type for a peer not being part of an account
 func NewPeerNotPartOfAccountError() error {
 	return Errorf(PermissionDenied, "peer is not part of this account")
@@ -232,7 +227,3 @@ func NewUserRoleNotFoundError(role string) error {
 func NewOperationNotFoundError(operation operations.Operation) error {
 	return Errorf(NotFound, "operation: %s not found", operation)
 }
-
-func NewRouteNotFoundError(routeID string) error {
-	return Errorf(NotFound, "route: %s not found", routeID)
-}

management/server/store/sql_store.go

@@ -23,6 +23,8 @@ import (
 	"gorm.io/gorm/clause"
 	"gorm.io/gorm/logger"
 
+	"github.com/netbirdio/netbird/management/server/util"
+
 	nbdns "github.com/netbirdio/netbird/dns"
 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
@@ -32,7 +34,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/management/server/util"
 	"github.com/netbirdio/netbird/route"
 )
 
@@ -99,7 +100,7 @@ func NewSqlStore(ctx context.Context, db *gorm.DB, storeEngine types.Engine, met
 		&types.SetupKey{}, &nbpeer.Peer{}, &types.User{}, &types.PersonalAccessToken{}, &types.Group{},
 		&types.Account{}, &types.Policy{}, &types.PolicyRule{}, &route.Route{}, &nbdns.NameServerGroup{},
 		&installation{}, &types.ExtraSettings{}, &posture.Checks{}, &nbpeer.NetworkAddress{},
-		&networkTypes.Network{}, &routerTypes.NetworkRouter{}, &resourceTypes.NetworkResource{}, &types.AccountOnboarding{},
+		&networkTypes.Network{}, &routerTypes.NetworkRouter{}, &resourceTypes.NetworkResource{},
 	)
 	if err != nil {
 		return nil, fmt.Errorf("auto migrate: %w", err)
@@ -725,32 +726,6 @@ func (s *SqlStore) GetAccountMeta(ctx context.Context, lockStrength LockingStren
 	return &accountMeta, nil
 }
 
-// GetAccountOnboarding retrieves the onboarding information for a specific account.
-func (s *SqlStore) GetAccountOnboarding(ctx context.Context, accountID string) (*types.AccountOnboarding, error) {
-	var accountOnboarding types.AccountOnboarding
-	result := s.db.Model(&accountOnboarding).First(&accountOnboarding, accountIDCondition, accountID)
-	if result.Error != nil {
-		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
-			return nil, status.NewAccountOnboardingNotFoundError(accountID)
-		}
-		log.WithContext(ctx).Errorf("error when getting account onboarding %s from the store: %s", accountID, result.Error)
-		return nil, status.NewGetAccountFromStoreError(result.Error)
-	}
-
-	return &accountOnboarding, nil
-}
-
-// SaveAccountOnboarding updates the onboarding information for a specific account.
-func (s *SqlStore) SaveAccountOnboarding(ctx context.Context, onboarding *types.AccountOnboarding) error {
-	result := s.db.Clauses(clause.OnConflict{UpdateAll: true}).Create(onboarding)
-	if result.Error != nil {
-		log.WithContext(ctx).Errorf("error when saving account onboarding %s in the store: %s", onboarding.AccountID, result.Error)
-		return status.Errorf(status.Internal, "error when saving account onboarding %s in the store: %s", onboarding.AccountID, result.Error)
-	}
-
-	return nil
-}
-
 func (s *SqlStore) GetAccount(ctx context.Context, accountID string) (*types.Account, error) {
 	start := time.Now()
 	defer func() {
@@ -1210,7 +1185,7 @@ func NewSqliteStoreFromFileStore(ctx context.Context, fileStore *FileStore, data
 	for _, account := range fileStore.GetAllAccounts(ctx) {
 		_, err = account.GetGroupAll()
 		if err != nil {
-			if err := account.AddAllGroup(false); err != nil {
+			if err := account.AddAllGroup(); err != nil {
 				return nil, err
 			}
 		}
@@ -1993,58 +1968,12 @@ func (s *SqlStore) DeletePostureChecks(ctx context.Context, lockStrength Locking
 
 // GetAccountRoutes retrieves network routes for an account.
 func (s *SqlStore) GetAccountRoutes(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*route.Route, error) {
-	var routes []*route.Route
-	result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).
-		Find(&routes, accountIDCondition, accountID)
-	if err := result.Error; err != nil {
-		log.WithContext(ctx).Errorf("failed to get routes from the store: %s", err)
-		return nil, status.Errorf(status.Internal, "failed to get routes from store")
-	}
-
-	return routes, nil
+	return getRecords[*route.Route](s.db, lockStrength, accountID)
 }
 
 // GetRouteByID retrieves a route by its ID and account ID.
-func (s *SqlStore) GetRouteByID(ctx context.Context, lockStrength LockingStrength, accountID string, routeID string) (*route.Route, error) {
-	var route *route.Route
-	result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).
-		First(&route, accountAndIDQueryCondition, accountID, routeID)
-	if err := result.Error; err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			return nil, status.NewRouteNotFoundError(routeID)
-		}
-		log.WithContext(ctx).Errorf("failed to get route from the store: %s", err)
-		return nil, status.Errorf(status.Internal, "failed to get route from store")
-	}
-
-	return route, nil
-}
-
-// SaveRoute saves a route to the database.
-func (s *SqlStore) SaveRoute(ctx context.Context, lockStrength LockingStrength, route *route.Route) error {
-	result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).Save(route)
-	if err := result.Error; err != nil {
-		log.WithContext(ctx).Errorf("failed to save route to the store: %s", err)
-		return status.Errorf(status.Internal, "failed to save route to store")
-	}
-
-	return nil
-}
-
-// DeleteRoute deletes a route from the database.
-func (s *SqlStore) DeleteRoute(ctx context.Context, lockStrength LockingStrength, accountID, routeID string) error {
-	result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).
-		Delete(&route.Route{}, accountAndIDQueryCondition, accountID, routeID)
-	if err := result.Error; err != nil {
-		log.WithContext(ctx).Errorf("failed to delete route from the store: %s", err)
-		return status.Errorf(status.Internal, "failed to delete route from store")
-	}
-
-	if result.RowsAffected == 0 {
-		return status.NewRouteNotFoundError(routeID)
-	}
-
-	return nil
+func (s *SqlStore) GetRouteByID(ctx context.Context, lockStrength LockingStrength, routeID string, accountID string) (*route.Route, error) {
+	return getRecordByID[route.Route](s.db, lockStrength, routeID, accountID)
 }
 
 // GetAccountSetupKeys retrieves setup keys for an account.
@@ -2175,6 +2104,49 @@ func (s *SqlStore) DeleteNameServerGroup(ctx context.Context, lockStrength Locki
 	return nil
 }
 
+// getRecords retrieves records from the database based on the account ID.
+func getRecords[T any](db *gorm.DB, lockStrength LockingStrength, accountID string) ([]T, error) {
+	tx := db
+	if lockStrength != LockingStrengthNone {
+		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	var record []T
+
+	result := tx.Find(&record, accountIDCondition, accountID)
+	if err := result.Error; err != nil {
+		parts := strings.Split(fmt.Sprintf("%T", record), ".")
+		recordType := parts[len(parts)-1]
+
+		return nil, status.Errorf(status.Internal, "failed to get account %ss from store: %v", recordType, err)
+	}
+
+	return record, nil
+}
+
+// getRecordByID retrieves a record by its ID and account ID from the database.
+func getRecordByID[T any](db *gorm.DB, lockStrength LockingStrength, recordID, accountID string) (*T, error) {
+	tx := db
+	if lockStrength != LockingStrengthNone {
+		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	var record T
+
+	result := tx.Clauses(clause.Locking{Strength: string(lockStrength)}).
+		First(&record, accountAndIDQueryCondition, accountID, recordID)
+	if err := result.Error; err != nil {
+		parts := strings.Split(fmt.Sprintf("%T", record), ".")
+		recordType := parts[len(parts)-1]
+
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, status.Errorf(status.NotFound, "%s not found", recordType)
+		}
+		return nil, status.Errorf(status.Internal, "failed to get %s from store: %v", recordType, err)
+	}
+	return &record, nil
+}
+
 // SaveDNSSettings saves the DNS settings to the store.
 func (s *SqlStore) SaveDNSSettings(ctx context.Context, lockStrength LockingStrength, accountID string, settings *types.DNSSettings) error {
 	result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).Model(&types.Account{}).

management/server/store/sql_store_test.go

@@ -19,17 +19,21 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/netbirdio/netbird/management/server/util"
+
 	nbdns "github.com/netbirdio/netbird/dns"
 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/management/server/util"
-	nbroute "github.com/netbirdio/netbird/route"
+
 	route2 "github.com/netbirdio/netbird/route"
+
+	"github.com/netbirdio/netbird/management/server/status"
+
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	nbroute "github.com/netbirdio/netbird/route"
 )
 
 func runTestForAllEngines(t *testing.T, testDataFile string, f func(t *testing.T, store Store)) {
@@ -353,16 +357,9 @@ func TestSqlite_DeleteAccount(t *testing.T) {
 		t.Errorf("expecting 1 Accounts to be stored after SaveAccount()")
 	}
 
-	o, err := store.GetAccountOnboarding(context.Background(), account.Id)
-	require.NoError(t, err)
-	require.Equal(t, o.AccountID, account.Id)
-
 	err = store.DeleteAccount(context.Background(), account)
 	require.NoError(t, err)
 
-	_, err = store.GetAccountOnboarding(context.Background(), account.Id)
-	require.Error(t, err, "expecting error after removing DeleteAccount when getting onboarding")
-
 	if len(store.GetAllAccounts(context.Background())) != 0 {
 		t.Errorf("expecting 0 Accounts to be stored after DeleteAccount()")
 	}
@@ -420,21 +417,12 @@ func Test_GetAccount(t *testing.T) {
 		account, err := store.GetAccount(context.Background(), id)
 		require.NoError(t, err)
 		require.Equal(t, id, account.Id, "account id should match")
-		require.Equal(t, false, account.Onboarding.OnboardingFlowPending)
-
-		id = "9439-34653001fc3b-bf1c8084-ba50-4ce7"
-
-		account, err = store.GetAccount(context.Background(), id)
-		require.NoError(t, err)
-		require.Equal(t, id, account.Id, "account id should match")
-		require.Equal(t, true, account.Onboarding.OnboardingFlowPending)
 
 		_, err = store.GetAccount(context.Background(), "non-existing-account")
 		assert.Error(t, err)
 		parsedErr, ok := status.FromError(err)
 		require.True(t, ok)
 		require.Equal(t, status.NotFound, parsedErr.Type(), "should return not found error")
-
 	})
 }
 
@@ -2058,10 +2046,9 @@ func newAccountWithId(ctx context.Context, accountID, userID, domain string) *ty
 			PeerInactivityExpirationEnabled: false,
 			PeerInactivityExpiration:        types.DefaultPeerInactivityExpiration,
 		},
-		Onboarding: types.AccountOnboarding{SignupFormPending: true, OnboardingFlowPending: true},
 	}
 
-	if err := acc.AddAllGroup(false); err != nil {
+	if err := acc.AddAllGroup(); err != nil {
 		log.WithContext(ctx).Errorf("error adding all group to account %s: %v", acc.Id, err)
 	}
 	return acc
@@ -3260,132 +3247,6 @@ func TestSqlStore_SaveGroups_LargeBatch(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, 8003, len(accountGroups))
 }
-func TestSqlStore_GetAccountRoutes(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/extended-store.sql", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	tests := []struct {
-		name          string
-		accountID     string
-		expectedCount int
-	}{
-		{
-			name:          "retrieve routes by existing account ID",
-			accountID:     "bf1c8084-ba50-4ce7-9439-34653001fc3b",
-			expectedCount: 1,
-		},
-		{
-			name:          "non-existing account ID",
-			accountID:     "nonexistent",
-			expectedCount: 0,
-		},
-		{
-			name:          "empty account ID",
-			accountID:     "",
-			expectedCount: 0,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			routes, err := store.GetAccountRoutes(context.Background(), LockingStrengthShare, tt.accountID)
-			require.NoError(t, err)
-			require.Len(t, routes, tt.expectedCount)
-		})
-	}
-}
-
-func TestSqlStore_GetRouteByID(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/extended-store.sql", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
-	tests := []struct {
-		name        string
-		routeID     string
-		expectError bool
-	}{
-		{
-			name:        "retrieve existing route",
-			routeID:     "ct03t427qv97vmtmglog",
-			expectError: false,
-		},
-		{
-			name:        "retrieve non-existing route",
-			routeID:     "non-existing",
-			expectError: true,
-		},
-		{
-			name:        "retrieve with empty route ID",
-			routeID:     "",
-			expectError: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			route, err := store.GetRouteByID(context.Background(), LockingStrengthShare, accountID, tt.routeID)
-			if tt.expectError {
-				require.Error(t, err)
-				sErr, ok := status.FromError(err)
-				require.True(t, ok)
-				require.Equal(t, sErr.Type(), status.NotFound)
-				require.Nil(t, route)
-			} else {
-				require.NoError(t, err)
-				require.NotNil(t, route)
-				require.Equal(t, tt.routeID, string(route.ID))
-			}
-		})
-	}
-}
-
-func TestSqlStore_SaveRoute(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/extended-store.sql", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
-
-	route := &route2.Route{
-		ID:                  "route-id",
-		AccountID:           accountID,
-		Network:             netip.MustParsePrefix("10.10.0.0/16"),
-		NetID:               "netID",
-		PeerGroups:          []string{"routeA"},
-		NetworkType:         route2.IPv4Network,
-		Masquerade:          true,
-		Metric:              9999,
-		Enabled:             true,
-		Groups:              []string{"groupA"},
-		AccessControlGroups: []string{},
-	}
-	err = store.SaveRoute(context.Background(), LockingStrengthUpdate, route)
-	require.NoError(t, err)
-
-	saveRoute, err := store.GetRouteByID(context.Background(), LockingStrengthShare, accountID, string(route.ID))
-	require.NoError(t, err)
-	require.Equal(t, route, saveRoute)
-
-}
-
-func TestSqlStore_DeleteRoute(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/extended-store.sql", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
-	routeID := "ct03t427qv97vmtmglog"
-
-	err = store.DeleteRoute(context.Background(), LockingStrengthUpdate, accountID, routeID)
-	require.NoError(t, err)
-
-	route, err := store.GetRouteByID(context.Background(), LockingStrengthShare, accountID, routeID)
-	require.Error(t, err)
-	require.Nil(t, route)
-}
 
 func TestSqlStore_GetAccountMeta(t *testing.T) {
 	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/extended-store.sql", t.TempDir())
@@ -3403,63 +3264,6 @@ func TestSqlStore_GetAccountMeta(t *testing.T) {
 	require.Equal(t, time.Date(2024, time.October, 2, 14, 1, 38, 210000000, time.UTC), accountMeta.CreatedAt.UTC())
 }
 
-func TestSqlStore_GetAccountOnboarding(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	accountID := "9439-34653001fc3b-bf1c8084-ba50-4ce7"
-	a, err := store.GetAccount(context.Background(), accountID)
-	require.NoError(t, err)
-	t.Logf("Onboarding: %+v", a.Onboarding)
-	err = store.SaveAccount(context.Background(), a)
-	require.NoError(t, err)
-	onboarding, err := store.GetAccountOnboarding(context.Background(), accountID)
-	require.NoError(t, err)
-	require.NotNil(t, onboarding)
-	require.Equal(t, accountID, onboarding.AccountID)
-	require.Equal(t, time.Date(2024, time.October, 2, 14, 1, 38, 210000000, time.UTC), onboarding.CreatedAt.UTC())
-}
-
-func TestSqlStore_SaveAccountOnboarding(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-	t.Run("New onboarding should be saved correctly", func(t *testing.T) {
-		accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
-		onboarding := &types.AccountOnboarding{
-			AccountID:             accountID,
-			SignupFormPending:     true,
-			OnboardingFlowPending: true,
-		}
-
-		err = store.SaveAccountOnboarding(context.Background(), onboarding)
-		require.NoError(t, err)
-
-		savedOnboarding, err := store.GetAccountOnboarding(context.Background(), accountID)
-		require.NoError(t, err)
-		require.Equal(t, onboarding.SignupFormPending, savedOnboarding.SignupFormPending)
-		require.Equal(t, onboarding.OnboardingFlowPending, savedOnboarding.OnboardingFlowPending)
-	})
-
-	t.Run("Existing onboarding should be updated correctly", func(t *testing.T) {
-		accountID := "9439-34653001fc3b-bf1c8084-ba50-4ce7"
-		onboarding, err := store.GetAccountOnboarding(context.Background(), accountID)
-		require.NoError(t, err)
-
-		onboarding.OnboardingFlowPending = !onboarding.OnboardingFlowPending
-		onboarding.SignupFormPending = !onboarding.SignupFormPending
-
-		err = store.SaveAccountOnboarding(context.Background(), onboarding)
-		require.NoError(t, err)
-
-		savedOnboarding, err := store.GetAccountOnboarding(context.Background(), accountID)
-		require.NoError(t, err)
-		require.Equal(t, onboarding.SignupFormPending, savedOnboarding.SignupFormPending)
-		require.Equal(t, onboarding.OnboardingFlowPending, savedOnboarding.OnboardingFlowPending)
-	})
-}
-
 func TestSqlStore_GetAnyAccountID(t *testing.T) {
 	t.Run("should return account ID when accounts exist", func(t *testing.T) {
 		store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/extended-store.sql", t.TempDir())