Merge PR #5971 and add NRPT root-zone catch-all in RouteAll mode

# Conflicts:
#	client/internal/dns/upstream.go

.github/pull_request_template.md

@@ -12,7 +12,6 @@
 - [ ] Is a feature enhancement
 - [ ] It is a refactor
 - [ ] Created tests that fail without the change (if possible)
-- [ ] This change does **not** modify the public API, gRPC protocols, functionality behavior, CLI / service flags, or introduce a new feature — **OR** I have discussed it with the NetBird team beforehand (link the issue / Slack thread in the description). See [CONTRIBUTING.md](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTING.md#discuss-changes-with-the-netbird-team-first).
 
 > By submitting this pull request, you confirm that you have read and agree to the terms of the [Contributor License Agreement](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT.md).
 

.github/workflows/proto-version-check.yml

@@ -20,66 +20,34 @@ jobs:
               per_page: 100,
             });
 
-            const modifiedPbFiles = files.filter(
-              f => f.filename.endsWith('.pb.go') && f.status === 'modified'
-            );
-            if (modifiedPbFiles.length === 0) {
-              console.log('No modified .pb.go files to check');
+            const pbFiles = files.filter(f => f.filename.endsWith('.pb.go'));
+            const missingPatch = pbFiles.filter(f => !f.patch).map(f => f.filename);
+            if (missingPatch.length > 0) {
+              core.setFailed(
+                `Cannot inspect patch data for:\n` +
+                missingPatch.map(f => `- ${f}`).join('\n') +
+                `\nThis can happen with very large PRs. Verify proto versions manually.`
+              );
               return;
             }
-
-            const versionPattern = /^\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
-            const baseSha = context.payload.pull_request.base.sha;
-            const headSha = context.payload.pull_request.head.sha;
-
-            async function getVersionHeader(path, ref) {
-              try {
-                const res = await github.rest.repos.getContent({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  path,
-                  ref,
-                });
-                if (!res.data.content) {
-                  return { ok: false, reason: 'no inline content (file too large)' };
-                }
-                const content = Buffer.from(res.data.content, 'base64').toString('utf8');
-                const lines = content
-                  .split('\n')
-                  .slice(0, 20)
-                  .filter(line => versionPattern.test(line));
-                return { ok: true, lines };
-              } catch (e) {
-                return { ok: false, reason: e.message };
-              }
-            }
-
+            const versionPattern = /^[+-]\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
             const violations = [];
-            for (const file of modifiedPbFiles) {
-              const [base, head] = await Promise.all([
-                getVersionHeader(file.filename, baseSha),
-                getVersionHeader(file.filename, headSha),
-              ]);
-              if (!base.ok || !head.ok) {
-                core.warning(
-                  `Skipping ${file.filename}: base=${base.ok ? 'ok' : base.reason}, head=${head.ok ? 'ok' : head.reason}`
-                );
-                continue;
-              }
-              if (base.lines.join('\n') !== head.lines.join('\n')) {
+
+            for (const file of pbFiles) {
+              const changed = file.patch
+                .split('\n')
+                .filter(line => versionPattern.test(line));
+              if (changed.length > 0) {
                 violations.push({
                   file: file.filename,
-                  base: base.lines,
-                  head: head.lines,
+                  lines: changed,
                 });
               }
             }
 
             if (violations.length > 0) {
               const details = violations.map(v =>
-                `${v.file}:\n` +
-                `  base:\n${v.base.map(l => '    ' + l).join('\n') || '    (none)'}\n` +
-                `  head:\n${v.head.map(l => '    ' + l).join('\n') || '    (none)'}`
+                `${v.file}:\n${v.lines.map(l => '  ' + l).join('\n')}`
               ).join('\n\n');
 
               core.setFailed(

.golangci.yaml

@@ -92,6 +92,9 @@ linters:
       - linters:
           - unused
         path: client/firewall/iptables/rule\.go
+      - linters:
+          - unused
+        path: client/internal/dns/dnsfw/(types|syscall|zsyscall)_windows.*\.go
       - linters:
           - gosec
           - mirror

CONTRIBUTING.md

@@ -15,7 +15,6 @@ If you haven't already, join our slack workspace [here](https://docs.netbird.io/
 - [Contributing to NetBird](#contributing-to-netbird)
     - [Contents](#contents)
     - [Code of conduct](#code-of-conduct)
-    - [Discuss changes with the NetBird team first](#discuss-changes-with-the-netbird-team-first)
     - [Directory structure](#directory-structure)
     - [Development setup](#development-setup)
         - [Requirements](#requirements)
@@ -34,14 +33,6 @@ Conduct which can be found in the file [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).
 By participating, you are expected to uphold this code. Please report
 unacceptable behavior to community@netbird.io.
 
-## Discuss changes with the NetBird team first
-
-Changes to the **public API**, **gRPC protocols**, **functionality behavior**, **CLI / service flags**, or **new features** should be discussed with the NetBird team before you start the work. These surfaces are part of NetBird's contract with operators, self-hosters, and downstream integrators, and changes to them have compatibility, security, and release-planning implications that benefit from an early conversation.
-
-Open an issue or reach out on [Slack](https://docs.netbird.io/slack-url) to talk through what you have in mind. We'll help shape the change, flag any constraints we know about, and confirm the direction so the PR review can focus on implementation rather than design.
-
-Typical bug fixes, internal refactors, documentation updates, and tests do not need pre-discussion — open the PR directly.
-
 ## Directory structure
 
 The NetBird project monorepo is organized to maintain most of its individual dependencies code within their directories, except for a few auxiliary or shared packages.

README.md

@@ -1,134 +1,147 @@
 
 <div align="center">
-  <p align="center">
-    <img width="234" src="docs/media/logo-full.png" alt="NetBird logo"/>
-  </p>
-  <p align="center">
-    <a href="https://sonarcloud.io/dashboard?id=netbirdio_netbird">
-      <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" alt="SonarCloud alert status"/>
-    </a>
-    <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
-      <img src="https://img.shields.io/badge/license-BSD--3-blue" alt="BSD-3 License"/>
-    </a>
+<br/>
+  <br/>
+<p align="center">
+  <img width="234" src="docs/media/logo-full.png"/>
+</p>
+  <p>
+   <a href="https://img.shields.io/badge/license-BSD--3-blue)">
+       <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" />
+     </a> 
+     <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
+       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
+     </a> 
+    <br>
     <a href="https://docs.netbird.io/slack-url">
-      <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack" alt="NetBird Slack"/>
-    </a>
+        <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
+     </a>
     <a href="https://forum.netbird.io">
-      <img src="https://img.shields.io/badge/community%20forum-@netbird-red.svg?logo=discourse" alt="Community forum"/>
-    </a>
+        <img src="https://img.shields.io/badge/community forum-@netbird-red.svg?logo=discourse"/>
+     </a>  
+     <br>
     <a href="https://gurubase.io/g/netbird">
-      <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF" alt="Gurubase: Ask NetBird Guru"/>
-    </a>
+        <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF"/>
+     </a>    
   </p>
 </div>
 
+
 <p align="center">
-  <strong>
-    Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
-    <br/>
-    See <a href="https://netbird.io/docs/">Documentation</a>
-    <br/>
-    Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
-  </strong>
+<strong>
+  Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
   <br/>
+  See <a href="https://netbird.io/docs/">Documentation</a>
   <br/>
-  <strong>
-    🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
-  </strong>
+   Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
+  <br/>
+ 
+</strong>
+<br>
+<strong>
+  🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
+</strong>
+<br>
+<br>
+<a href="https://registry.terraform.io/providers/netbirdio/netbird/latest">
+    New: NetBird terraform provider
+  </a> 
 </p>
 
+<br>
+
 **NetBird combines a configuration-free peer-to-peer private network and a centralized access control system in a single platform, making it easy to create secure private networks for your organization or home.**
 
 **Connect.** NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
 
 **Secure.** NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.
 
+### Open Source Network Security in a Single Platform
+
 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2
 
-### Self-host NetBird (video)
-
+### Self-Host NetBird (Video)
 [![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)
 
 ### Key features
 
-| Connectivity | Management | Security | Automation | Platforms |
-|---|---|---|---|---|
-| ✓ [Kernel WireGuard](https://docs.netbird.io/about-netbird/why-wireguard-with-netbird) | ✓ [Admin Web UI](https://github.com/netbirdio/dashboard) | ✓ [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) | ✓ [Public API](https://docs.netbird.io/api) | ✓ [Linux](https://docs.netbird.io/get-started/install/linux) |
-| ✓ [Peer-to-peer connections](https://docs.netbird.io/about-netbird/how-netbird-works) | ✓ Auto peer discovery and configuration | ✓ [Access control: groups & rules](https://docs.netbird.io/how-to/manage-network-access) | ✓ [Setup keys for bulk provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) | ✓ [macOS](https://docs.netbird.io/get-started/install/macos) |
-| ✓ Connection relay fallback | ✓ [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) | ✓ [Activity logging](https://docs.netbird.io/how-to/audit-events-logging) | ✓ [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) | ✓ [Windows](https://docs.netbird.io/get-started/install/windows) |
-| ✓ [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) | ✓ [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) | ✓ [Traffic events](https://docs.netbird.io/manage/activity/traffic-events-logging) | ✓ [IdP groups sync with JWT](https://docs.netbird.io/manage/team/idp-sync) | ✓ [Android](https://docs.netbird.io/get-started/install/android) |
-| ✓ [Domain-based DNS routes](https://docs.netbird.io/manage/dns/dns-aliases-for-routed-networks) | ✓ [Custom DNS zones](https://docs.netbird.io/manage/dns/custom-zones) | ✓ [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) | ✓ [Terraform provider](https://registry.terraform.io/providers/netbirdio/netbird/latest) | ✓ [Android TV](https://docs.netbird.io/get-started/install/android-tv) |
-| ✓ [Exit nodes](https://docs.netbird.io/manage/network-routes/use-cases/exit-nodes) | ✓ [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) | ✓ Peer-to-peer encryption | ✓ [Ansible collection](https://github.com/netbirdio/ansible-netbird) | ✓ [iOS](https://docs.netbird.io/get-started/install/ios) |
-| ✓ [IPv6 dual-stack overlay](https://docs.netbird.io/manage/settings/ipv6) | ✓ [Multi-account profile switching](https://docs.netbird.io/client/profiles) | ✓ [SSH with central access policies](https://docs.netbird.io/manage/peers/ssh) | | ✓ [Apple TV](https://docs.netbird.io/get-started/install/tvos) |
-| ✓ [Browser SSH & RDP](https://docs.netbird.io/manage/peers/browser-client) | | ✓ [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) | | ✓ FreeBSD |
-| ✓ [Reverse proxy with auto-TLS](https://docs.netbird.io/manage/reverse-proxy) | | ✓ [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication) | | ✓ [pfSense](https://docs.netbird.io/get-started/install/pfsense) |
-| | | | | ✓ [OPNsense](https://docs.netbird.io/get-started/install/opnsense) |
-| | | | | ✓ [MikroTik RouterOS](https://docs.netbird.io/use-cases/homelab/client-on-mikrotik-router) |
-| | | | | ✓ OpenWRT |
-| | | | | ✓ [Synology](https://docs.netbird.io/get-started/install/synology) |
-| | | | | ✓ [TrueNAS](https://docs.netbird.io/get-started/install/truenas) |
-| | | | | ✓ [Proxmox](https://docs.netbird.io/get-started/install/proxmox-ve) |
-| | | | | ✓ [Raspberry Pi](https://docs.netbird.io/get-started/install/raspberrypi) |
-| | | | | ✓ [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) |
-| | | | | ✓ [Container](https://docs.netbird.io/get-started/install/docker) |
+| Connectivity | Management | Security | Automation| Platforms |
+|----|----|----|----|----|
+| <ul><li>- \[x] Kernel WireGuard</ul></li> | <ul><li>- \[x] [Admin Web UI](https://github.com/netbirdio/dashboard)</ul></li> | <ul><li>- \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login)</ul></li> | <ul><li>- \[x] [Public API](https://docs.netbird.io/api)</ul></li> | <ul><li>- \[x] Linux</ul></li> |
+| <ul><li>- \[x] Peer-to-peer connections</ul></li> | <ul><li>- \[x] Auto peer discovery and configuration</ui></li> | <ul><li>- \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access)</ui></li> | <ul><li>- \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys)</ui></li> | <ul><li>- \[x] Mac</ui></li> |
+| <ul><li>- \[x] Connection relay fallback</ui></li> | <ul><li>- \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers)</ui></li> | <ul><li>- \[x] [Activity logging](https://docs.netbird.io/how-to/audit-events-logging)</ui></li> | <ul><li>- \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart)</ui></li> | <ul><li>- \[x] Windows</ui></li> |
+| <ul><li>- \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks)</ui></li> | <ul><li>- \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network)</ui></li> | <ul><li>- \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks)</ui></li> | <ul><li>- \[x] IdP groups sync with JWT</ui></li> | <ul><li>- \[x] Android</ui></li> |
+| <ul><li>- \[x] NAT traversal with BPF</ui></li> | <ul><li>- \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network)</ui></li> | <ul><li>- \[x] Peer-to-peer encryption</ui></li> || <ul><li>- \[x] iOS</ui></li> |
+||| <ul><li>- \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn)</ui></li> || <ul><li>- \[x] OpenWRT</ui></li> |
+||| <ul><li>- \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ui></li> || <ul><li>- \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas)</ui></li> |
+||||| <ul><li>- \[x] Docker</ui></li> |
 
 ### Quickstart with NetBird Cloud
 
-- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install).
-- Follow the steps to sign up with Google, Microsoft, GitHub or your email address.
-- Check the NetBird [admin UI](https://app.netbird.io/).
+- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)
+- Follow the steps to sign-up with Google, Microsoft, GitHub or your email address.
+- Check NetBird [admin UI](https://app.netbird.io/).
+- Add more machines.
 
 ### Quickstart with self-hosted NetBird
 
-This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM. Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IdPs.
+> This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM.
+Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IDPs.
 
 **Infrastructure requirements:**
-- A Linux VM with at least **1 CPU** and **2 GB** of memory.
-- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port **3478**.
-- A **public domain** name pointing to the VM.
+- A Linux VM with at least **1CPU** and **2GB** of memory.
+- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port: **3478**.
+- **Public domain** name pointing to the VM.
 
 **Software requirements:**
-- Docker with the Compose plugin (Compose v2 or higher). See the [Docker installation guide](https://docs.docker.com/engine/install/).
+- Docker installed on the VM with the docker-compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
+- [jq](https://jqlang.github.io/jq/) installed. In most distributions
+  Usually available in the official repositories and can be installed with `sudo apt install jq` or `sudo yum install jq`
+- [curl](https://curl.se/) installed.
+  Usually available in the official repositories and can be installed with `sudo apt install curl` or `sudo yum install curl`
 
 **Steps**
 - Download and run the installation script:
 ```bash
 export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
 ```
+- Once finished, you can manage the resources via `docker-compose`
 
 ### A bit on NetBird internals
-- Every machine in the network runs the [NetBird agent](client/), which manages WireGuard.
-- Every agent connects to the [Management Service](management/), which holds network state, manages peer IPs, and distributes updates to agents.
-- Agents use ICE (via [pion/ice](https://github.com/pion/ice)) to discover connection candidates for peer-to-peer connections.
-- Candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
-- Agents negotiate a connection through the [Signal Service](signal/), exchanging end-to-end encrypted messages with candidates.
-- When NAT traversal fails (e.g. mobile carrier-grade NAT) and a direct p2p connection isn't possible, the system falls back to a [Relay Service](relay/) and a secure WireGuard tunnel is established through it.
+-  Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
+-  Every agent connects to [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to agents (peers).
+-  NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
+-  Connection candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
+-  Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages with candidates.
+-  Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and a p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
+ 
+[Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.
 
 <p float="left" align="middle">
-  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700" alt="NetBird high-level architecture diagram"/>
+  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700"/>
 </p>
 
 See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.
 
 ### Community projects
-- [NetBird installer script](https://github.com/physk/netbird-installer)
-- [netbird-tui](https://github.com/n0pashkov/netbird-tui) - terminal UI for managing NetBird peers, routes, and settings
-- [caddy-netbird](https://github.com/lixmal/caddy-netbird) - Caddy plugin that embeds a NetBird client for proxying HTTP and TCP/UDP traffic through NetBird networks
+-  [NetBird installer script](https://github.com/physk/netbird-installer)
+-  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
+-  [netbird-tui](https://github.com/n0pashkov/netbird-tui) — terminal UI for managing NetBird peers, routes, and settings
 
 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
 
 ### Support acknowledgement
 
-In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by the Federal Ministry of Education and Research of the Federal Republic of Germany. Together with the [CISPA Helmholtz Center for Information Security](https://cispa.de/en), NetBird brings security best practices and simplicity to private networking.
+In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by The Federal Ministry of Education and Research of The Federal Republic of Germany. Together with [CISPA Helmholtz Center for Information Security](https://cispa.de/en) NetBird brings the security best practices and simplicity to private networking.
 
 ![CISPA_Logo_BLACK_EN_RZ_RGB (1)](https://user-images.githubusercontent.com/700848/203091324-c6d311a0-22b5-4b05-a288-91cbc6cdcc46.png)
 
-### Acknowledgements
-We build on open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE](https://github.com/pion/ice), and [Rosenpass](https://rosenpass.eu). We greatly appreciate the work these projects are doing, and we'd love it if you could support them too (e.g., by starring or contributing).
+### Testimonials
+We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g., by giving a star or a contribution).
 
 ### Legal
-This repository is licensed under the BSD-3-Clause license, which applies to all parts of the repository except for the directories management/, signal/ and relay/.
+This repository is licensed under BSD-3-Clause license that applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.
 
 _WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.

client/cmd/service.go

@@ -5,7 +5,6 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"net/http"
 	"runtime"
 	"strings"
 	"sync"
@@ -23,21 +22,15 @@ var serviceCmd = &cobra.Command{
 	Short: "Manage the NetBird daemon service",
 }
 
-const defaultJSONSocket = "unix:///var/run/netbird-http.sock"
-
 var (
-	serviceName        string
-	serviceEnvVars     []string
-	jsonSocket         string
-	jsonSocketDisabled bool
+	serviceName    string
+	serviceEnvVars []string
 )
 
 type program struct {
 	ctx              context.Context
 	cancel           context.CancelFunc
 	serv             *grpc.Server
-	jsonServ         *http.Server
-	jsonServMu       sync.Mutex
 	serverInstance   *server.Server
 	serverInstanceMu sync.Mutex
 }
@@ -53,8 +46,6 @@ func init() {
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
 	serviceCmd.PersistentFlags().BoolVar(&captureEnabled, "enable-capture", false, "Enables packet capture via 'netbird debug capture'. To persist, use: netbird service install --enable-capture")
 	serviceCmd.PersistentFlags().BoolVar(&networksDisabled, "disable-networks", false, "Disables network selection. If enabled, the client will not allow listing, selecting, or deselecting networks. To persist, use: netbird service install --disable-networks")
-	serviceCmd.PersistentFlags().StringVar(&jsonSocket, "json-socket", defaultJSONSocket, "HTTP/JSON API socket address served by grpc-gateway [unix|tcp]://[path|host:port]. To persist, use: netbird service install --json-socket")
-	serviceCmd.PersistentFlags().BoolVar(&jsonSocketDisabled, "disable-json-socket", false, "Disables the HTTP/JSON API socket. To persist, use: netbird service install --disable-json-socket")
 
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")
 	serviceEnvDesc := `Sets extra environment variables for the service. ` +

client/cmd/service_controller.go

@@ -5,6 +5,9 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"net"
+	"os"
+	"strings"
 	"time"
 
 	"github.com/kardianos/service"
@@ -29,35 +32,31 @@ func (p *program) Start(svc service.Service) error {
 	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
 	p.serv = grpc.NewServer()
 
-	daemonListener, err := listenOnAddress(daemonAddr)
+	split := strings.Split(daemonAddr, "://")
+	switch split[0] {
+	case "unix":
+		// cleanup failed close
+		stat, err := os.Stat(split[1])
+		if err == nil && !stat.IsDir() {
+			if err := os.Remove(split[1]); err != nil {
+				log.Debugf("remove socket file: %v", err)
+			}
+		}
+	case "tcp":
+	default:
+		return fmt.Errorf("unsupported daemon address protocol: %v", split[0])
+	}
+
+	listen, err := net.Listen(split[0], split[1])
 	if err != nil {
 		return fmt.Errorf("listen daemon interface: %w", err)
 	}
-
-	var jsonListener *socketListener
-	if !jsonSocketDisabled {
-		jsonListener, err = listenOnAddress(jsonSocket)
-		if err != nil {
-			_ = daemonListener.Close()
-			return fmt.Errorf("listen daemon JSON interface: %w", err)
-		}
-	} else {
-		removeStaleUnixSocketForAddress(jsonSocket)
-	}
-
 	go func() {
-		defer daemonListener.Close()
-		if jsonListener != nil {
-			defer jsonListener.Close()
-		}
+		defer listen.Close()
 
-		if err := daemonListener.chmodUnixSocket("daemon"); err != nil {
-			log.Error(err)
-			return
-		}
-		if jsonListener != nil {
-			if err := jsonListener.chmodUnixSocket("daemon JSON"); err != nil {
-				log.Error(err)
+		if split[0] == "unix" {
+			if err := os.Chmod(split[1], 0666); err != nil {
+				log.Errorf("failed setting daemon permissions: %v", split[1])
 				return
 			}
 		}
@@ -72,16 +71,8 @@ func (p *program) Start(svc service.Service) error {
 		p.serverInstance = serverInstance
 		p.serverInstanceMu.Unlock()
 
-		if jsonListener != nil {
-			if err := p.startJSONGateway(jsonListener, daemonAddr); err != nil {
-				log.Fatalf("failed to start daemon JSON server: %v", err)
-			}
-		} else {
-			log.Debug("daemon JSON socket disabled")
-		}
-
-		log.Printf("started daemon server: %v", daemonListener.address)
-		if err := p.serv.Serve(daemonListener.Listener); err != nil {
+		log.Printf("started daemon server: %v", split[1])
+		if err := p.serv.Serve(listen); err != nil {
 			log.Errorf("failed to serve daemon requests: %v", err)
 		}
 	}()
@@ -101,20 +92,6 @@ func (p *program) Stop(srv service.Service) error {
 
 	p.cancel()
 
-	p.jsonServMu.Lock()
-	jsonServ := p.jsonServ
-	p.jsonServMu.Unlock()
-	if jsonServ != nil {
-		shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 2*time.Second)
-		if err := jsonServ.Shutdown(shutdownCtx); err != nil {
-			log.Errorf("failed to stop daemon JSON server gracefully: %v", err)
-			if err := jsonServ.Close(); err != nil {
-				log.Errorf("failed to close daemon JSON server: %v", err)
-			}
-		}
-		shutdownCancel()
-	}
-
 	if p.serv != nil {
 		p.serv.Stop()
 	}

client/cmd/service_installer.go

@@ -67,11 +67,6 @@ func buildServiceArguments() []string {
 		args = append(args, "--disable-networks")
 	}
 
-	args = append(args, "--json-socket", jsonSocket)
-	if jsonSocketDisabled {
-		args = append(args, "--disable-json-socket")
-	}
-
 	return args
 }
 

client/cmd/service_json_gateway.go

@@ -1,52 +0,0 @@
-//go:build !ios && !android
-
-package cmd
-
-import (
-	"context"
-	"errors"
-	"net"
-	"net/http"
-	"strings"
-	"time"
-
-	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials/insecure"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-func grpcGatewayEndpoint(addr string) string {
-	return strings.TrimPrefix(addr, "tcp://")
-}
-
-func (p *program) startJSONGateway(jsonListener *socketListener, daemonEndpoint string) error {
-	mux := runtime.NewServeMux()
-	opts := []grpc.DialOption{grpc.WithTransportCredentials(insecure.NewCredentials())}
-	if err := proto.RegisterDaemonServiceHandlerFromEndpoint(p.ctx, mux, grpcGatewayEndpoint(daemonEndpoint), opts); err != nil {
-		return err
-	}
-
-	jsonServer := &http.Server{
-		Handler:           mux,
-		ReadHeaderTimeout: 5 * time.Second,
-		BaseContext: func(net.Listener) context.Context {
-			return p.ctx
-		},
-	}
-
-	p.jsonServMu.Lock()
-	p.jsonServ = jsonServer
-	p.jsonServMu.Unlock()
-
-	go func() {
-		log.Printf("started daemon JSON server: %v", jsonListener.address)
-		if err := jsonServer.Serve(jsonListener.Listener); err != nil && !errors.Is(err, http.ErrServerClosed) {
-			log.Errorf("failed to serve daemon JSON requests: %v", err)
-		}
-	}()
-
-	return nil
-}

client/cmd/service_params.go

@@ -23,7 +23,6 @@ const serviceParamsFile = "service.json"
 type serviceParams struct {
 	LogLevel              string            `json:"log_level"`
 	DaemonAddr            string            `json:"daemon_addr"`
-	JSONSocket            string            `json:"json_socket"`
 	ManagementURL         string            `json:"management_url,omitempty"`
 	ConfigPath            string            `json:"config_path,omitempty"`
 	LogFiles              []string          `json:"log_files,omitempty"`
@@ -31,7 +30,6 @@ type serviceParams struct {
 	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
 	EnableCapture         bool              `json:"enable_capture,omitempty"`
 	DisableNetworks       bool              `json:"disable_networks,omitempty"`
-	DisableJSONSocket     bool              `json:"disable_json_socket,omitempty"`
 	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
 }
 
@@ -77,7 +75,6 @@ func currentServiceParams() *serviceParams {
 	params := &serviceParams{
 		LogLevel:              logLevel,
 		DaemonAddr:            daemonAddr,
-		JSONSocket:            jsonSocket,
 		ManagementURL:         managementURL,
 		ConfigPath:            configPath,
 		LogFiles:              logFiles,
@@ -85,7 +82,6 @@ func currentServiceParams() *serviceParams {
 		DisableUpdateSettings: updateSettingsDisabled,
 		EnableCapture:         captureEnabled,
 		DisableNetworks:       networksDisabled,
-		DisableJSONSocket:     jsonSocketDisabled,
 	}
 
 	if len(serviceEnvVars) > 0 {
@@ -117,8 +113,9 @@ func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
 		return
 	}
 
-	// For fields with non-empty defaults, keep the != "" guard so that an older
-	// service.json missing the field doesn't clobber the default with an empty string.
+	// For fields with non-empty defaults (log-level, daemon-addr), keep the
+	// != "" guard so that an older service.json missing the field doesn't
+	// clobber the default with an empty string.
 	if !rootCmd.PersistentFlags().Changed("log-level") && params.LogLevel != "" {
 		logLevel = params.LogLevel
 	}
@@ -127,20 +124,6 @@ func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
 		daemonAddr = params.DaemonAddr
 	}
 
-	jsonSocketChanged := serviceCmd.PersistentFlags().Changed("json-socket")
-	if !jsonSocketChanged && params.JSONSocket != "" {
-		jsonSocket = params.JSONSocket
-	}
-
-	if !serviceCmd.PersistentFlags().Changed("disable-json-socket") {
-		jsonSocketDisabled = params.DisableJSONSocket
-		// Passing --json-socket should re-enable the JSON gateway unless
-		// --disable-json-socket was explicitly provided too.
-		if jsonSocketChanged {
-			jsonSocketDisabled = false
-		}
-	}
-
 	// For optional fields where empty means "use default", always apply so
 	// that an explicit clear (--management-url "") persists across reinstalls.
 	if !rootCmd.PersistentFlags().Changed("management-url") {

client/cmd/service_params_test.go

@@ -530,7 +530,6 @@ func fieldToGlobalVar(field string) string {
 	m := map[string]string{
 		"LogLevel":              "logLevel",
 		"DaemonAddr":            "daemonAddr",
-		"JSONSocket":            "jsonSocket",
 		"ManagementURL":         "managementURL",
 		"ConfigPath":            "configPath",
 		"LogFiles":              "logFiles",
@@ -538,7 +537,6 @@ func fieldToGlobalVar(field string) string {
 		"DisableUpdateSettings": "updateSettingsDisabled",
 		"EnableCapture":         "captureEnabled",
 		"DisableNetworks":       "networksDisabled",
-		"DisableJSONSocket":     "jsonSocketDisabled",
 		"ServiceEnvVars":        "serviceEnvVars",
 	}
 	if v, ok := m[field]; ok {

client/cmd/service_socket.go

@@ -1,83 +0,0 @@
-//go:build !ios && !android
-
-package cmd
-
-import (
-	"fmt"
-	"net"
-	"os"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-)
-
-type socketListener struct {
-	net.Listener
-	network string
-	address string
-}
-
-func listenOnAddress(addr string) (*socketListener, error) {
-	network, address, err := parseListenAddress(addr)
-	if err != nil {
-		return nil, err
-	}
-
-	if network == "unix" {
-		removeStaleUnixSocket(address)
-	}
-
-	listener, err := net.Listen(network, address)
-	if err != nil {
-		return nil, err
-	}
-
-	return &socketListener{Listener: listener, network: network, address: address}, nil
-}
-
-func parseListenAddress(addr string) (string, string, error) {
-	network, address, ok := strings.Cut(addr, "://")
-	if !ok || network == "" || address == "" {
-		return "", "", fmt.Errorf("address must be in [unix|tcp]://[path|host:port] format: %q", addr)
-	}
-
-	switch network {
-	case "unix", "tcp":
-		return network, address, nil
-	default:
-		return "", "", fmt.Errorf("unsupported daemon address protocol: %v", network)
-	}
-}
-
-func removeStaleUnixSocket(path string) {
-	stat, err := os.Stat(path)
-	if err == nil && !stat.IsDir() {
-		if err := os.Remove(path); err != nil {
-			log.Debugf("remove socket file: %v", err)
-		}
-		return
-	}
-
-	if err != nil && !os.IsNotExist(err) {
-		log.Debugf("stat socket file: %v", err)
-	}
-}
-
-func removeStaleUnixSocketForAddress(addr string) {
-	network, address, err := parseListenAddress(addr)
-	if err != nil || network != "unix" {
-		return
-	}
-	removeStaleUnixSocket(address)
-}
-
-func (l *socketListener) chmodUnixSocket(description string) error {
-	if l == nil || l.network != "unix" {
-		return nil
-	}
-
-	if err := os.Chmod(l.address, 0666); err != nil {
-		return fmt.Errorf("failed setting %s permissions for %s: %w", description, l.address, err)
-	}
-	return nil
-}

client/cmd/status.go

@@ -43,16 +43,16 @@ func init() {
 	ipsFilterMap = make(map[string]struct{})
 	prefixNamesFilterMap = make(map[string]struct{})
 	statusCmd.PersistentFlags().BoolVarP(&detailFlag, "detail", "d", false, "display detailed status information in human-readable format")
-	statusCmd.PersistentFlags().BoolVarP(&jsonFlag, "json", "j", false, "display detailed status information in json format")
-	statusCmd.PersistentFlags().BoolVarP(&yamlFlag, "yaml", "y", false, "display detailed status information in yaml format")
-	statusCmd.PersistentFlags().BoolVarP(&ipv4Flag, "ipv4", "4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
-	statusCmd.PersistentFlags().BoolVarP(&ipv6Flag, "ipv6", "6", false, "display only NetBird IPv6 of this peer")
+	statusCmd.PersistentFlags().BoolVar(&jsonFlag, "json", false, "display detailed status information in json format")
+	statusCmd.PersistentFlags().BoolVar(&yamlFlag, "yaml", false, "display detailed status information in yaml format")
+	statusCmd.PersistentFlags().BoolVar(&ipv4Flag, "ipv4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
+	statusCmd.PersistentFlags().BoolVar(&ipv6Flag, "ipv6", false, "display only NetBird IPv6 of this peer")
 	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4", "ipv6")
-	statusCmd.PersistentFlags().StringSliceVarP(&ipsFilter, "filter-by-ips", "I", []string{}, "filters the detailed output by a list of one or more IPs (v4 or v6), e.g., --filter-by-ips 100.64.0.100,fd00::1")
-	statusCmd.PersistentFlags().StringSliceVarP(&prefixNamesFilter, "filter-by-names", "N", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
-	statusCmd.PersistentFlags().StringVarP(&statusFilter, "filter-by-status", "S", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
-	statusCmd.PersistentFlags().StringVarP(&connectionTypeFilter, "filter-by-connection-type", "T", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
-	statusCmd.PersistentFlags().StringVarP(&checkFlag, "check", "C", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
+	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs (v4 or v6), e.g., --filter-by-ips 100.64.0.100,fd00::1")
+	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
+	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
+	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
+	statusCmd.PersistentFlags().StringVar(&checkFlag, "check", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
 }
 
 func statusFunc(cmd *cobra.Command, args []string) error {

client/cmd/testutil_test.go

@@ -11,7 +11,7 @@ import (
 	"go.opentelemetry.io/otel"
 	"google.golang.org/grpc"
 
-	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
+	"github.com/netbirdio/management-integrations/integrations"
 
 	nbcache "github.com/netbirdio/netbird/management/server/cache"
 
@@ -109,7 +109,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		t.Fatal(err)
 	}
 
-	iv, _ := validator.NewIntegratedValidator(ctx, peersmanager, settingsManagerMock, eventStore, cacheStore)
+	iv, _ := integrations.NewIntegratedValidator(ctx, peersmanager, settingsManagerMock, eventStore, cacheStore)
 
 	metrics, err := telemetry.NewDefaultAppMetrics(ctx)
 	require.NoError(t, err)

client/embed/embed.go

@@ -12,7 +12,6 @@ import (
 	"sync"
 
 	"github.com/sirupsen/logrus"
-	wgdevice "golang.zx2c4.com/wireguard/device"
 	wgnetstack "golang.zx2c4.com/wireguard/tun/netstack"
 
 	"github.com/netbirdio/netbird/client/iface"
@@ -85,12 +84,6 @@ type Options struct {
 	DisableIPv6 bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
-	// BlockLANAccess blocks the embedded peer from reaching the host's
-	// LAN (RFC 1918, link-local, loopback) when it's used as a routing
-	// peer. Mirrors profilemanager.ConfigInput.BlockLANAccess. Useful
-	// when the embedded client must never act as a stepping stone into
-	// the host's local network (e.g. the proxy's overlay peer).
-	BlockLANAccess bool
 	// WireguardPort is the port for the tunnel interface. Use 0 for a random port.
 	WireguardPort *int
 	// MTU is the MTU for the tunnel interface.
@@ -101,26 +94,6 @@ type Options struct {
 	MTU *uint16
 	// DNSLabels defines additional DNS labels configured in the peer.
 	DNSLabels []string
-	// Performance configures the tunnel's buffer pool cap and batch size.
-	Performance Performance
-}
-
-// Performance configures the embedded client's tunnel memory/throughput knobs.
-//
-// These settings are process-global: any non-nil field also becomes the
-// default for Clients constructed by later embed.New calls in the same
-// process. Nil fields are ignored.
-type Performance struct {
-	// PreallocatedBuffersPerPool caps the per-tunnel buffer pool. Zero
-	// leaves the pool unbounded. Lower values trade throughput for a
-	// tighter memory ceiling. May also be changed on a running Client via
-	// Client.SetPerformance, provided this field was nonzero at construction.
-	PreallocatedBuffersPerPool *uint32
-	// MaxBatchSize overrides the number of packets the tunnel reads or
-	// writes per syscall, which also bounds eager buffer allocation per
-	// worker. Zero uses the platform default. Applied at construction
-	// only; ignored by Client.SetPerformance.
-	MaxBatchSize *uint32
 }
 
 // validateCredentials checks that exactly one credential type is provided
@@ -202,7 +175,6 @@ func New(opts Options) (*Client, error) {
 		DisableClientRoutes: &opts.DisableClientRoutes,
 		DisableIPv6:         &opts.DisableIPv6,
 		BlockInbound:        &opts.BlockInbound,
-		BlockLANAccess:      &opts.BlockLANAccess,
 		WireguardPort:       opts.WireguardPort,
 		MTU:                 opts.MTU,
 		DNSLabels:           parsedLabels,
@@ -220,13 +192,6 @@ func New(opts Options) (*Client, error) {
 		config.PrivateKey = opts.PrivateKey
 	}
 
-	if opts.Performance.PreallocatedBuffersPerPool != nil {
-		wgdevice.SetPreallocatedBuffersPerPool(*opts.Performance.PreallocatedBuffersPerPool)
-	}
-	if opts.Performance.MaxBatchSize != nil {
-		wgdevice.SetMaxBatchSizeOverride(*opts.Performance.MaxBatchSize)
-	}
-
 	return &Client{
 		deviceName: opts.DeviceName,
 		setupKey:   opts.SetupKey,
@@ -371,7 +336,7 @@ func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	if err != nil {
 		return nil, fmt.Errorf("split host port: %w", err)
 	}
-	listenAddr := net.JoinHostPort(addr.String(), port)
+	listenAddr := fmt.Sprintf("%s:%s", addr, port)
 
 	tcpAddr, err := net.ResolveTCPAddr("tcp", listenAddr)
 	if err != nil {
@@ -392,7 +357,7 @@ func (c *Client) ListenUDP(address string) (net.PacketConn, error) {
 	if err != nil {
 		return nil, fmt.Errorf("split host port: %w", err)
 	}
-	listenAddr := net.JoinHostPort(addr.String(), port)
+	listenAddr := fmt.Sprintf("%s:%s", addr, port)
 
 	udpAddr, err := net.ResolveUDPAddr("udp", listenAddr)
 	if err != nil {
@@ -440,21 +405,6 @@ func (c *Client) Expose(ctx context.Context, req ExposeRequest) (*ExposeSession,
 	}, nil
 }
 
-// IdentityForIP looks up a remote peer by its tunnel IP using the
-// embedded client's status recorder. Returns the peer's WireGuard public
-// key and FQDN. ok=false means the IP isn't in this client's peer
-// roster — callers should treat that as "unknown peer".
-func (c *Client) IdentityForIP(ip netip.Addr) (pubKey, fqdn string, ok bool) {
-	if !ip.IsValid() || c.recorder == nil {
-		return "", "", false
-	}
-	state, found := c.recorder.PeerStateByIP(ip.String())
-	if !found {
-		return "", "", false
-	}
-	return state.PubKey, state.FQDN, true
-}
-
 // Status returns the current status of the client.
 func (c *Client) Status() (peer.FullStatus, error) {
 	c.mu.Lock()
@@ -523,25 +473,6 @@ func (c *Client) VerifySSHHostKey(peerAddress string, key []byte) error {
 	return sshcommon.VerifyHostKey(storedKey, key, peerAddress)
 }
 
-// SetPerformance retunes a running Client. Only PreallocatedBuffersPerPool
-// takes effect, and only when it was nonzero at construction;
-// MaxBatchSize is construction-only and returns an error if set here.
-//
-// Returns ErrClientNotStarted / ErrEngineNotStarted if the Client is not
-// running yet.
-func (c *Client) SetPerformance(t Performance) error {
-	if t.MaxBatchSize != nil {
-		return errors.New("MaxBatchSize is construction-only and cannot be changed at runtime")
-	}
-	engine, err := c.getEngine()
-	if err != nil {
-		return err
-	}
-	return engine.SetPerformance(internal.Performance{
-		PreallocatedBuffersPerPool: t.PreallocatedBuffersPerPool,
-	})
-}
-
 // StartCapture begins capturing packets on this client's tunnel device.
 // Only one capture can be active at a time; starting a new one stops the previous.
 // Call StopCapture (or CaptureSession.Stop) to end it.

client/firewall/nftables/external_chain_monitor_linux.go

@@ -52,10 +52,9 @@ func (m *externalChainMonitor) start() {
 
 	ctx, cancel := context.WithCancel(context.Background())
 	m.cancel = cancel
-	done := make(chan struct{})
-	m.done = done
+	m.done = make(chan struct{})
 
-	go m.run(ctx, done)
+	go m.run(ctx)
 }
 
 func (m *externalChainMonitor) stop() {
@@ -73,8 +72,8 @@ func (m *externalChainMonitor) stop() {
 	<-done
 }
 
-func (m *externalChainMonitor) run(ctx context.Context, done chan struct{}) {
-	defer close(done)
+func (m *externalChainMonitor) run(ctx context.Context) {
+	defer close(m.done)
 
 	bo := &backoff.ExponentialBackOff{
 		InitialInterval:     externalMonitorInitInterval,

client/internal/debug/debug.go

@@ -45,11 +45,8 @@ netbird.out: Most recent, anonymized stdout log file of the NetBird client.
 routes.txt: Detailed system routing table in tabular format including destination, gateway, interface, metrics, and protocol information, if --system-info flag was provided.
 interfaces.txt: Anonymized network interface information, if --system-info flag was provided.
 ip_rules.txt: Detailed IP routing rules in tabular format including priority, source, destination, interfaces, table, and action information (Linux only), if --system-info flag was provided.
-iptables.txt: Anonymized iptables (IPv4) rules with packet counters, if --system-info flag was provided.
-ip6tables.txt: Anonymized ip6tables (IPv6) rules with packet counters, if --system-info flag was provided.
-ipset.txt: Anonymized ipset list output, if --system-info flag was provided.
-nftables.txt: Anonymized nftables rules with packet counters across all families (ip, ip6, inet, etc.), if --system-info flag was provided.
-sysctls.txt: Forwarding, reverse-path filter, source-validation, and conntrack accounting sysctl values that the NetBird client may read or modify, if --system-info flag was provided (Linux only).
+iptables.txt: Anonymized iptables rules with packet counters, if --system-info flag was provided.
+nftables.txt: Anonymized nftables rules with packet counters, if --system-info flag was provided.
 resolv.conf: DNS resolver configuration from /etc/resolv.conf (Unix systems only), if --system-info flag was provided.
 scutil_dns.txt: DNS configuration from scutil --dns (macOS only), if --system-info flag was provided.
 resolved_domains.txt: Anonymized resolved domain IP addresses from the status recorder.
@@ -168,33 +165,22 @@ The config.txt file contains anonymized configuration information of the NetBird
 Other non-sensitive configuration options are included without anonymization.
 
 Firewall Rules (Linux only)
-The bundle includes the following firewall-related files:
+The bundle includes two separate firewall rule files:
 
 iptables.txt:
-- IPv4 iptables ruleset with packet counters using 'iptables-save' and 'iptables -v -n -L'
+- Complete iptables ruleset with packet counters using 'iptables -v -n -L'
 - Includes all tables (filter, nat, mangle, raw, security)
 - Shows packet and byte counters for each rule
 - All IP addresses are anonymized
 - Chain names, table names, and other non-sensitive information remain unchanged
 
-ip6tables.txt:
-- IPv6 ip6tables ruleset with packet counters using 'ip6tables-save' and 'ip6tables -v -n -L'
-- Same table coverage and anonymization as iptables.txt
-- Omitted when ip6tables is not installed or no IPv6 rules are present
-
-ipset.txt:
-- Output of 'ipset list' (family-agnostic)
-- IP addresses are anonymized; set names and types remain unchanged
-
 nftables.txt:
-- Complete nftables ruleset across all families (ip, ip6, inet, arp, bridge, netdev) via 'nft -a list ruleset'
+- Complete nftables ruleset obtained via 'nft -a list ruleset'
 - Includes rule handle numbers and packet counters
-- All IP addresses are anonymized; chain/table names remain unchanged
-
-sysctls.txt:
-- Forwarding (IPv4 + IPv6, global and per-interface), reverse-path filter, source-validation, conntrack accounting, and TCP-related sysctls that netbird may read or modify
-- Per-interface keys are enumerated from /proc/sys/net/ipv{4,6}/conf
-- Interface names anonymized when --anonymize is set
+- All tables, chains, and rules are included
+- Shows packet and byte counters for each rule
+- All IP addresses are anonymized
+- Chain names, table names, and other non-sensitive information remain unchanged
 
 IP Rules (Linux only)
 The ip_rules.txt file contains detailed IP routing rule information:
@@ -426,10 +412,6 @@ func (g *BundleGenerator) addSystemInfo() {
 		log.Errorf("failed to add firewall rules to debug bundle: %v", err)
 	}
 
-	if err := g.addSysctls(); err != nil {
-		log.Errorf("failed to add sysctls to debug bundle: %v", err)
-	}
-
 	if err := g.addDNSInfo(); err != nil {
 		log.Errorf("failed to add DNS info to debug bundle: %v", err)
 	}

client/internal/debug/debug_linux.go

@@ -124,18 +124,15 @@ func getSystemdLogs(serviceName string) (string, error) {
 // addFirewallRules collects and adds firewall rules to the archive
 func (g *BundleGenerator) addFirewallRules() error {
 	log.Info("Collecting firewall rules")
-	g.addIPTablesRulesToBundle("iptables-save", "iptables", "iptables.txt")
-	g.addIPTablesRulesToBundle("ip6tables-save", "ip6tables", "ip6tables.txt")
-
-	ipsetOutput, err := collectIPSets()
+	iptablesRules, err := collectIPTablesRules()
 	if err != nil {
-		log.Warnf("Failed to collect ipset information: %v", err)
+		log.Warnf("Failed to collect iptables rules: %v", err)
 	} else {
 		if g.anonymize {
-			ipsetOutput = g.anonymizer.AnonymizeString(ipsetOutput)
+			iptablesRules = g.anonymizer.AnonymizeString(iptablesRules)
 		}
-		if err := g.addFileToZip(strings.NewReader(ipsetOutput), "ipset.txt"); err != nil {
-			log.Warnf("Failed to add ipset output to bundle: %v", err)
+		if err := g.addFileToZip(strings.NewReader(iptablesRules), "iptables.txt"); err != nil {
+			log.Warnf("Failed to add iptables rules to bundle: %v", err)
 		}
 	}
 
@@ -154,65 +151,44 @@ func (g *BundleGenerator) addFirewallRules() error {
 	return nil
 }
 
-// addIPTablesRulesToBundle collects iptables/ip6tables rules and writes them to the bundle.
-func (g *BundleGenerator) addIPTablesRulesToBundle(saveBin, listBin, filename string) {
-	rules, err := collectIPTablesRules(saveBin, listBin)
-	if err != nil {
-		log.Warnf("Failed to collect %s rules: %v", listBin, err)
-		return
-	}
-	if g.anonymize {
-		rules = g.anonymizer.AnonymizeString(rules)
-	}
-	if err := g.addFileToZip(strings.NewReader(rules), filename); err != nil {
-		log.Warnf("Failed to add %s rules to bundle: %v", listBin, err)
-	}
-}
-
-// collectIPTablesRules collects rules using both <saveBin> and verbose listing via <listBin>.
-// Returns an error when neither command produced any output (e.g. the binary is missing),
-// so the caller can skip writing an empty file.
-func collectIPTablesRules(saveBin, listBin string) (string, error) {
+// collectIPTablesRules collects rules using both iptables-save and verbose listing
+func collectIPTablesRules() (string, error) {
 	var builder strings.Builder
-	var collected bool
-	var firstErr error
 
-	saveOutput, err := runCommand(saveBin)
-	switch {
-	case err != nil:
-		firstErr = err
-		log.Warnf("Failed to collect %s output: %v", saveBin, err)
-	case strings.TrimSpace(saveOutput) == "":
-		log.Debugf("%s produced no output, skipping", saveBin)
-	default:
-		builder.WriteString(fmt.Sprintf("=== %s output ===\n", saveBin))
+	saveOutput, err := collectIPTablesSave()
+	if err != nil {
+		log.Warnf("Failed to collect iptables rules using iptables-save: %v", err)
+	} else {
+		builder.WriteString("=== iptables-save output ===\n")
 		builder.WriteString(saveOutput)
 		builder.WriteString("\n")
-		collected = true
 	}
 
-	listHeader := fmt.Sprintf("=== %s -v -n -L output ===\n", listBin)
-	builder.WriteString(listHeader)
+	ipsetOutput, err := collectIPSets()
+	if err != nil {
+		log.Warnf("Failed to collect ipset information: %v", err)
+	} else {
+		builder.WriteString("=== ipset list output ===\n")
+		builder.WriteString(ipsetOutput)
+		builder.WriteString("\n")
+	}
+
+	builder.WriteString("=== iptables -v -n -L output ===\n")
 
 	tables := []string{"filter", "nat", "mangle", "raw", "security"}
+
 	for _, table := range tables {
-		stats, err := runCommand(listBin, "-v", "-n", "-L", "-t", table)
+		builder.WriteString(fmt.Sprintf("*%s\n", table))
+
+		stats, err := getTableStatistics(table)
 		if err != nil {
-			if firstErr == nil {
-				firstErr = err
-			}
-			log.Warnf("Failed to get %s statistics for table %s: %v", listBin, table, err)
+			log.Warnf("Failed to get statistics for table %s: %v", table, err)
 			continue
 		}
-		builder.WriteString(fmt.Sprintf("*%s\n", table))
 		builder.WriteString(stats)
 		builder.WriteString("\n")
-		collected = true
 	}
 
-	if !collected {
-		return "", fmt.Errorf("collect %s rules: %w", listBin, firstErr)
-	}
 	return builder.String(), nil
 }
 
@@ -238,15 +214,34 @@ func collectIPSets() (string, error) {
 	return ipsets, nil
 }
 
-// runCommand executes a command and returns its stdout, wrapping stderr in the error on failure.
-func runCommand(name string, args ...string) (string, error) {
-	cmd := exec.Command(name, args...)
+// collectIPTablesSave uses iptables-save to get rule definitions
+func collectIPTablesSave() (string, error) {
+	cmd := exec.Command("iptables-save")
 	var stdout, stderr bytes.Buffer
 	cmd.Stdout = &stdout
 	cmd.Stderr = &stderr
 
 	if err := cmd.Run(); err != nil {
-		return "", fmt.Errorf("execute %s: %w (stderr: %s)", name, err, stderr.String())
+		return "", fmt.Errorf("execute iptables-save: %w (stderr: %s)", err, stderr.String())
+	}
+
+	rules := stdout.String()
+	if strings.TrimSpace(rules) == "" {
+		return "", fmt.Errorf("no iptables rules found")
+	}
+
+	return rules, nil
+}
+
+// getTableStatistics gets verbose statistics for an entire table using iptables command
+func getTableStatistics(table string) (string, error) {
+	cmd := exec.Command("iptables", "-v", "-n", "-L", "-t", table)
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		return "", fmt.Errorf("execute iptables -v -n -L: %w (stderr: %s)", err, stderr.String())
 	}
 
 	return stdout.String(), nil
@@ -809,91 +804,3 @@ func formatSetKeyType(keyType nftables.SetDatatype) string {
 		return fmt.Sprintf("type-%v", keyType)
 	}
 }
-
-// addSysctls collects forwarding and netbird-managed sysctl values and writes them to the bundle.
-func (g *BundleGenerator) addSysctls() error {
-	log.Info("Collecting sysctls")
-	content := collectSysctls()
-	if g.anonymize {
-		content = g.anonymizer.AnonymizeString(content)
-	}
-	if err := g.addFileToZip(strings.NewReader(content), "sysctls.txt"); err != nil {
-		return fmt.Errorf("add sysctls to bundle: %w", err)
-	}
-	return nil
-}
-
-// collectSysctls reads every sysctl that the netbird client may modify, plus
-// global IPv4/IPv6 forwarding, and returns a formatted dump grouped by topic.
-// Per-interface values are enumerated by listing /proc/sys/net/ipv{4,6}/conf.
-func collectSysctls() string {
-	var builder strings.Builder
-
-	writeSysctlGroup(&builder, "forwarding", []string{
-		"net.ipv4.ip_forward",
-		"net.ipv6.conf.all.forwarding",
-		"net.ipv6.conf.default.forwarding",
-	})
-	writeSysctlGroup(&builder, "ipv4 per-interface forwarding", listInterfaceSysctls("ipv4", "forwarding"))
-	writeSysctlGroup(&builder, "ipv6 per-interface forwarding", listInterfaceSysctls("ipv6", "forwarding"))
-	writeSysctlGroup(&builder, "rp_filter", append(
-		[]string{"net.ipv4.conf.all.rp_filter", "net.ipv4.conf.default.rp_filter"},
-		listInterfaceSysctls("ipv4", "rp_filter")...,
-	))
-	writeSysctlGroup(&builder, "src_valid_mark", append(
-		[]string{"net.ipv4.conf.all.src_valid_mark", "net.ipv4.conf.default.src_valid_mark"},
-		listInterfaceSysctls("ipv4", "src_valid_mark")...,
-	))
-	writeSysctlGroup(&builder, "conntrack", []string{
-		"net.netfilter.nf_conntrack_acct",
-		"net.netfilter.nf_conntrack_tcp_loose",
-	})
-	writeSysctlGroup(&builder, "tcp", []string{
-		"net.ipv4.tcp_tw_reuse",
-	})
-
-	return builder.String()
-}
-
-func writeSysctlGroup(builder *strings.Builder, title string, keys []string) {
-	builder.WriteString(fmt.Sprintf("=== %s ===\n", title))
-	for _, key := range keys {
-		value, err := readSysctl(key)
-		if err != nil {
-			builder.WriteString(fmt.Sprintf("%s = <error: %v>\n", key, err))
-			continue
-		}
-		builder.WriteString(fmt.Sprintf("%s = %s\n", key, value))
-	}
-	builder.WriteString("\n")
-}
-
-// listInterfaceSysctls returns net.ipvX.conf.<iface>.<leaf> keys for every
-// interface present in /proc/sys/net/ipvX/conf, skipping "all" and "default"
-// (callers add those explicitly so they appear first).
-func listInterfaceSysctls(family, leaf string) []string {
-	dir := fmt.Sprintf("/proc/sys/net/%s/conf", family)
-	entries, err := os.ReadDir(dir)
-	if err != nil {
-		return nil
-	}
-	var keys []string
-	for _, e := range entries {
-		name := e.Name()
-		if name == "all" || name == "default" {
-			continue
-		}
-		keys = append(keys, fmt.Sprintf("net.%s.conf.%s.%s", family, name, leaf))
-	}
-	sort.Strings(keys)
-	return keys
-}
-
-func readSysctl(key string) (string, error) {
-	path := fmt.Sprintf("/proc/sys/%s", strings.ReplaceAll(key, ".", "/"))
-	value, err := os.ReadFile(path)
-	if err != nil {
-		return "", err
-	}
-	return strings.TrimSpace(string(value)), nil
-}

client/internal/debug/debug_nonlinux.go

@@ -17,8 +17,3 @@ func (g *BundleGenerator) addIPRules() error {
 	// IP rules are only supported on Linux
 	return nil
 }
-
-func (g *BundleGenerator) addSysctls() error {
-	// Sysctl collection is only supported on Linux
-	return nil
-}

client/internal/dns/dnsfw/config.go

@@ -0,0 +1,63 @@
+package dnsfw
+
+import (
+	"os"
+	"strconv"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	// EnvDisable disables the DNS firewall entirely when set to a truthy value.
+	EnvDisable = "NB_DISABLE_DNS_FIREWALL"
+	// EnvPorts overrides the comma-separated list of remote ports to block.
+	// Empty disables the firewall.
+	EnvPorts = "NB_DNS_FIREWALL_PORTS"
+	// EnvStrict enables strict mode: permit DNS only to the virtual DNS IP
+	// and the netbird daemon. Default mode also permits anything on the
+	// netbird tunnel interface, which is safer if NRPT is silently ignored
+	// by Windows but lets apps reach custom DNS servers via the tunnel.
+	EnvStrict = "NB_DNS_FIREWALL_STRICT"
+)
+
+// defaultBlockedPorts are the well-known DNS ports we block for non-netbird
+// processes: 53 (plain DNS) and 853 (DNS-over-TLS).
+var defaultBlockedPorts = []uint16{53, 853}
+
+// blockedPorts returns the effective port list, honoring env overrides.
+// A nil return means the firewall should not be installed.
+func blockedPorts() []uint16 {
+	if disabled, _ := strconv.ParseBool(os.Getenv(EnvDisable)); disabled {
+		log.Infof("dns firewall disabled via %s", EnvDisable)
+		return nil
+	}
+
+	override, ok := os.LookupEnv(EnvPorts)
+	if !ok {
+		return defaultBlockedPorts
+	}
+
+	var ports []uint16
+	for _, raw := range strings.Split(override, ",") {
+		raw = strings.TrimSpace(raw)
+		if raw == "" {
+			continue
+		}
+		port, err := strconv.ParseUint(raw, 10, 16)
+		if err != nil {
+			log.Warnf("dns firewall: ignoring invalid port %q in %s: %v", raw, EnvPorts, err)
+			continue
+		}
+		if port == 0 {
+			log.Warnf("dns firewall: ignoring port 0 in %s", EnvPorts)
+			continue
+		}
+		ports = append(ports, uint16(port))
+	}
+	if len(ports) == 0 {
+		log.Infof("dns firewall disabled: %s yielded no valid ports", EnvPorts)
+		return nil
+	}
+	return ports
+}

client/internal/dns/dnsfw/config_test.go

@@ -0,0 +1,39 @@
+package dnsfw
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestBlockedPorts(t *testing.T) {
+	tests := []struct {
+		name     string
+		disable  string
+		ports    string
+		setPorts bool
+		want     []uint16
+	}{
+		{name: "default", want: defaultBlockedPorts},
+		{name: "disabled", disable: "true", want: nil},
+		{name: "disabled false keeps default", disable: "false", want: defaultBlockedPorts},
+		{name: "override single port", ports: "53", setPorts: true, want: []uint16{53}},
+		{name: "override multi", ports: "53, 853 ,5353", setPorts: true, want: []uint16{53, 853, 5353}},
+		{name: "override empty disables", ports: "", setPorts: true, want: nil},
+		{name: "override invalid skipped", ports: "53,not-a-port,853", setPorts: true, want: []uint16{53, 853}},
+		{name: "override zero skipped", ports: "53,0,853", setPorts: true, want: []uint16{53, 853}},
+		{name: "override only invalid disables", ports: "abc", setPorts: true, want: nil},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Setenv(EnvDisable, tc.disable)
+			if tc.setPorts {
+				t.Setenv(EnvPorts, tc.ports)
+			}
+			got := blockedPorts()
+			if !reflect.DeepEqual(got, tc.want) {
+				t.Fatalf("blockedPorts() = %v, want %v", got, tc.want)
+			}
+		})
+	}
+}

client/internal/dns/dnsfw/dnsfw.go

@@ -0,0 +1,16 @@
+// Package dnsfw blocks DNS traffic from non-netbird processes when netbird is
+// managing the host's DNS, so that resolvers running on apps or libraries
+// outside netbird cannot bypass the configured DNS path.
+//
+// Implementation is Windows-only (uses WFP). On other platforms New returns
+// a no-op manager.
+package dnsfw
+
+import "net/netip"
+
+// Manager controls the per-tunnel DNS firewall. Both methods must be safe
+// to call multiple times.
+type Manager interface {
+	Enable(ifaceGUID string, virtualDNSIP netip.Addr) error
+	Disable() error
+}

client/internal/dns/dnsfw/dnsfw_other.go

@@ -0,0 +1,15 @@
+//go:build !windows
+
+package dnsfw
+
+import "net/netip"
+
+type noopManager struct{}
+
+func (noopManager) Enable(string, netip.Addr) error { return nil }
+func (noopManager) Disable() error                  { return nil }
+
+// New returns a no-op manager on non-Windows platforms.
+func New() Manager {
+	return noopManager{}
+}

client/internal/dns/dnsfw/dnsfw_windows.go

@@ -0,0 +1,144 @@
+//go:build windows
+
+package dnsfw
+
+import (
+	"fmt"
+	"net/netip"
+	"os"
+	"strconv"
+	"sync"
+	"unsafe"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+var (
+	modIphlpapi                    = windows.NewLazyDLL("iphlpapi.dll")
+	procConvertInterfaceGuidToLuid = modIphlpapi.NewProc("ConvertInterfaceGuidToLuid")
+)
+
+type windowsManager struct {
+	mu sync.Mutex
+	// session is the WFP engine handle. Zero when disabled.
+	session uintptr
+}
+
+// Enable installs the dns firewall. Strict mode propagates failures;
+// non-strict mode logs and returns nil so partial protection is preserved.
+func (m *windowsManager) Enable(ifaceGUID string, virtualDNSIP netip.Addr) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	ports := blockedPorts()
+	if len(ports) == 0 {
+		return nil
+	}
+
+	if m.session != 0 {
+		if err := m.disableLocked(); err != nil {
+			return fmt.Errorf("reset existing dns firewall session: %w", err)
+		}
+	}
+
+	strict := strictMode()
+
+	luid, err := luidFromGUID(ifaceGUID)
+	if err != nil {
+		return m.failOrLog(strict, fmt.Errorf("resolve tun luid from guid %s: %w", ifaceGUID, err))
+	}
+
+	exe, err := os.Executable()
+	if err != nil {
+		return m.failOrLog(strict, fmt.Errorf("resolve daemon executable path: %w", err))
+	}
+
+	cfg := installConfig{
+		tunLUID:      luid,
+		daemonExe:    exe,
+		blockedPorts: ports,
+		strict:       strict,
+		virtualDNSIP: virtualDNSIP,
+	}
+	// session==0 signals a hard failure; non-zero with non-nil err is a partial install.
+	session, installErr := installFilters(cfg)
+	if session == 0 {
+		return m.failOrLog(strict, fmt.Errorf("install dns firewall filters: %w", installErr))
+	}
+
+	if installErr != nil && strict {
+		_ = closeSession(session)
+		return fmt.Errorf("strict dns firewall: partial install: %w", installErr)
+	}
+
+	m.session = session
+	log.Infof("dns firewall installed: iface=%s daemon=%s ports=%v strict=%v virtual_dns=%s",
+		ifaceGUID, exe, ports, strict, virtualDNSIP)
+	if installErr != nil {
+		log.Warnf("dns firewall partially installed (some filters failed): %v", installErr)
+	}
+	return nil
+}
+
+func (m *windowsManager) Disable() error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.disableLocked()
+}
+
+func (m *windowsManager) disableLocked() error {
+	if m.session == 0 {
+		return nil
+	}
+	session := m.session
+	m.session = 0
+	if err := closeSession(session); err != nil {
+		return fmt.Errorf("close wfp session: %w", err)
+	}
+	log.Info("dns firewall removed")
+	return nil
+}
+
+// failOrLog returns err unchanged in strict mode. In non-strict mode the
+// error is logged and nil is returned.
+func (m *windowsManager) failOrLog(strict bool, err error) error {
+	if strict {
+		return err
+	}
+	log.Errorf("dns firewall: %v", err)
+	return nil
+}
+
+// New returns a Windows DNS firewall manager backed by WFP.
+func New() Manager {
+	return &windowsManager{}
+}
+
+// strictMode reports whether strict mode is enabled via env.
+func strictMode() bool {
+	v, _ := strconv.ParseBool(os.Getenv(EnvStrict))
+	return v
+}
+
+// luidFromGUID converts a Windows interface GUID string to its LUID.
+func luidFromGUID(ifaceGUID string) (luid uint64, err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			err = fmt.Errorf("panic in luidFromGUID: %v", r)
+		}
+	}()
+
+	guid, err := windows.GUIDFromString(ifaceGUID)
+	if err != nil {
+		return 0, fmt.Errorf("parse guid: %w", err)
+	}
+	rc, _, _ := procConvertInterfaceGuidToLuid.Call(
+		uintptr(unsafe.Pointer(&guid)),
+		uintptr(unsafe.Pointer(&luid)),
+	)
+	if rc != 0 {
+		return 0, fmt.Errorf("ConvertInterfaceGuidToLuid returned %d", rc)
+	}
+	return luid, nil
+}

client/internal/dns/dnsfw/dnsfw_windows_test.go

@@ -0,0 +1,72 @@
+//go:build windows
+
+package dnsfw
+
+import (
+	"net/netip"
+	"os"
+	"testing"
+)
+
+func TestStrictMode(t *testing.T) {
+	tests := []struct {
+		name string
+		val  string
+		set  bool
+		want bool
+	}{
+		{name: "unset", want: false},
+		{name: "true", val: "true", set: true, want: true},
+		{name: "1", val: "1", set: true, want: true},
+		{name: "false", val: "false", set: true, want: false},
+		{name: "invalid is false", val: "garbage", set: true, want: false},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Setenv(EnvStrict, tc.val)
+			if !tc.set {
+				os.Unsetenv(EnvStrict)
+			}
+			if got := strictMode(); got != tc.want {
+				t.Fatalf("strictMode() = %v, want %v", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestWindowsManagerDisableIdempotent(t *testing.T) {
+	m := &windowsManager{}
+	if err := m.Disable(); err != nil {
+		t.Fatalf("first Disable on fresh manager: %v", err)
+	}
+	if err := m.Disable(); err != nil {
+		t.Fatalf("second Disable on fresh manager: %v", err)
+	}
+	if m.session != 0 {
+		t.Fatalf("session should remain zero, got %d", m.session)
+	}
+}
+
+func TestWindowsManagerEnableNoOpWhenDisabledByEnv(t *testing.T) {
+	t.Setenv(EnvDisable, "true")
+
+	m := &windowsManager{}
+	if err := m.Enable("00000000-0000-0000-0000-000000000000", netip.Addr{}); err != nil {
+		t.Fatalf("Enable should be a no-op when firewall disabled by env: %v", err)
+	}
+	if m.session != 0 {
+		t.Fatalf("session must remain zero when env disables firewall, got %d", m.session)
+	}
+}
+
+func TestWindowsManagerEnableNoOpWhenPortsEmpty(t *testing.T) {
+	t.Setenv(EnvPorts, "")
+
+	m := &windowsManager{}
+	if err := m.Enable("00000000-0000-0000-0000-000000000000", netip.Addr{}); err != nil {
+		t.Fatalf("Enable should be a no-op when ports list is empty: %v", err)
+	}
+	if m.session != 0 {
+		t.Fatalf("session must remain zero when ports list is empty, got %d", m.session)
+	}
+}

client/internal/dns/dnsfw/helpers_windows.go

@@ -0,0 +1,53 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/helpers.go.
+ */
+
+package dnsfw
+
+import (
+	"errors"
+	"fmt"
+	"runtime"
+	"syscall"
+
+	"golang.org/x/sys/windows"
+)
+
+func createWtFwpmDisplayData0(name, description string) (*wtFwpmDisplayData0, error) {
+	namePtr, err := windows.UTF16PtrFromString(name)
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+
+	descriptionPtr, err := windows.UTF16PtrFromString(description)
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+
+	return &wtFwpmDisplayData0{
+		name:        namePtr,
+		description: descriptionPtr,
+	}, nil
+}
+
+func filterWeight(weight uint8) wtFwpValue0 {
+	return wtFwpValue0{
+		_type: cFWP_UINT8,
+		value: uintptr(weight),
+	}
+}
+
+func wrapErr(err error) error {
+	var errno syscall.Errno
+	if !errors.As(err, &errno) {
+		return err
+	}
+	_, file, line, ok := runtime.Caller(1)
+	if !ok {
+		return fmt.Errorf("wfp error at unknown location: %w", err)
+	}
+	return fmt.Errorf("wfp error at %s:%d: %w", file, line, err)
+}

client/internal/dns/dnsfw/rules_windows.go

@@ -0,0 +1,249 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ * Copyright (C) 2026 NetBird GmbH. All Rights Reserved.
+ *
+ * Filter installers adapted from wireguard-windows tunnel/firewall/rules.go.
+ * The block-DNS approach (port 53 + UDP/TCP) matches what wireguard-windows
+ * uses for its kill-switch DNS leak protection. We extend it with a
+ * configurable port set so we also cover :853 (DoT) and any future ports.
+ */
+
+package dnsfw
+
+import (
+	"encoding/binary"
+	"fmt"
+	"net/netip"
+	"unsafe"
+
+	"github.com/hashicorp/go-multierror"
+	"golang.org/x/sys/windows"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+)
+
+// Filters install at outbound ALE_AUTH_CONNECT layers only; inbound replies
+// follow the authorized outbound flow.
+
+// permitTunInterface installs a permit filter for any traffic whose local
+// interface is the netbird tunnel.
+func permitTunInterface(session uintptr, base *baseObjects, weight uint8, ifLUID uint64) error {
+	cond := wtFwpmFilterCondition0{
+		fieldKey:  cFWPM_CONDITION_IP_LOCAL_INTERFACE,
+		matchType: cFWP_MATCH_EQUAL,
+		conditionValue: wtFwpConditionValue0{
+			_type: cFWP_UINT64,
+			value: uintptr(unsafe.Pointer(&ifLUID)),
+		},
+	}
+
+	filter := wtFwpmFilter0{
+		providerKey:         &base.provider,
+		subLayerKey:         base.filters,
+		weight:              filterWeight(weight),
+		numFilterConditions: 1,
+		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&cond)),
+		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
+	}
+
+	return addOutboundFilters(session, &filter, "Permit netbird tunnel")
+}
+
+// permitDaemonByAppID installs a permit filter matching the netbird daemon
+// executable by App-ID. App-ID alone is sufficient because netbird.exe is a
+// dedicated binary.
+func permitDaemonByAppID(session uintptr, base *baseObjects, daemonExe string, weight uint8) error {
+	appID, err := daemonAppID(daemonExe)
+	if err != nil {
+		return err
+	}
+	defer fwpmFreeMemory0(unsafe.Pointer(&appID))
+
+	cond := wtFwpmFilterCondition0{
+		fieldKey:  cFWPM_CONDITION_ALE_APP_ID,
+		matchType: cFWP_MATCH_EQUAL,
+		conditionValue: wtFwpConditionValue0{
+			_type: cFWP_BYTE_BLOB_TYPE,
+			value: uintptr(unsafe.Pointer(appID)),
+		},
+	}
+
+	filter := wtFwpmFilter0{
+		providerKey:         &base.provider,
+		subLayerKey:         base.filters,
+		weight:              filterWeight(weight),
+		numFilterConditions: 1,
+		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&cond)),
+		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
+	}
+
+	return addOutboundFilters(session, &filter, "Permit netbird daemon")
+}
+
+// permitVirtualDNSIP installs a permit filter for DNS-port traffic destined
+// for the in-tunnel virtual DNS IP. Used in strict mode in lieu of
+// permitTunInterface.
+func permitVirtualDNSIP(session uintptr, base *baseObjects, ip netip.Addr, ports []uint16, weight uint8) error {
+	var merr *multierror.Error
+	for _, port := range ports {
+		if err := permitDNSToHost(session, base, ip, port, weight); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("permit %s:%d: %w", ip, port, err))
+		}
+	}
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func permitDNSToHost(session uintptr, base *baseObjects, ip netip.Addr, port uint16, weight uint8) error {
+	if !ip.IsValid() {
+		return fmt.Errorf("invalid address")
+	}
+
+	var addrCond wtFwpmFilterCondition0
+	var layer windows.GUID
+	// v6 backing must outlive fwpmFilterAdd0; keep it on this stack frame.
+	var v6 wtFwpByteArray16
+
+	if ip.Is4() {
+		v4 := ip.As4()
+		addrCond = wtFwpmFilterCondition0{
+			fieldKey:  cFWPM_CONDITION_IP_REMOTE_ADDRESS,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_UINT32,
+				value: uintptr(binary.BigEndian.Uint32(v4[:])),
+			},
+		}
+		layer = cFWPM_LAYER_ALE_AUTH_CONNECT_V4
+	} else {
+		v6 = wtFwpByteArray16{byteArray16: ip.As16()}
+		addrCond = wtFwpmFilterCondition0{
+			fieldKey:  cFWPM_CONDITION_IP_REMOTE_ADDRESS,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_BYTE_ARRAY16_TYPE,
+				value: uintptr(unsafe.Pointer(&v6)),
+			},
+		}
+		layer = cFWPM_LAYER_ALE_AUTH_CONNECT_V6
+	}
+
+	conditions := [2]wtFwpmFilterCondition0{
+		addrCond,
+		{
+			fieldKey:  cFWPM_CONDITION_IP_REMOTE_PORT,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_UINT16,
+				value: uintptr(port),
+			},
+		},
+	}
+	filter := wtFwpmFilter0{
+		providerKey:         &base.provider,
+		subLayerKey:         base.filters,
+		weight:              filterWeight(weight),
+		numFilterConditions: uint32(len(conditions)),
+		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
+		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
+	}
+
+	display, err := createWtFwpmDisplayData0(fmt.Sprintf("Permit DNS to %s:%d", ip, port), "")
+	if err != nil {
+		return wrapErr(err)
+	}
+	filter.displayData = *display
+	filter.layerKey = layer
+
+	var filterID uint64
+	if err := fwpmFilterAdd0(session, &filter, 0, &filterID); err != nil {
+		return wrapErr(err)
+	}
+	_ = v6
+	return nil
+}
+
+// blockDNSPorts installs a deny filter for outbound traffic to each of the
+// given remote ports over UDP or TCP. Per-port and per-layer failures are
+// accumulated; partial coverage is preferred over zero coverage.
+func blockDNSPorts(session uintptr, base *baseObjects, ports []uint16, weight uint8) error {
+	var merr *multierror.Error
+	for _, port := range ports {
+		if err := blockDNSPort(session, base, port, weight); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("block port %d: %w", port, err))
+		}
+	}
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func blockDNSPort(session uintptr, base *baseObjects, port uint16, weight uint8) error {
+	conditions := [3]wtFwpmFilterCondition0{
+		{
+			fieldKey:  cFWPM_CONDITION_IP_REMOTE_PORT,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_UINT16,
+				value: uintptr(port),
+			},
+		},
+		{
+			fieldKey:  cFWPM_CONDITION_IP_PROTOCOL,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_UINT8,
+				value: uintptr(cIPPROTO_UDP),
+			},
+		},
+		// Repeat the IP_PROTOCOL condition for logical OR with TCP.
+		{
+			fieldKey:  cFWPM_CONDITION_IP_PROTOCOL,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_UINT8,
+				value: uintptr(cIPPROTO_TCP),
+			},
+		},
+	}
+
+	filter := wtFwpmFilter0{
+		providerKey:         &base.provider,
+		subLayerKey:         base.filters,
+		weight:              filterWeight(weight),
+		numFilterConditions: uint32(len(conditions)),
+		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
+		action:              wtFwpmAction0{_type: cFWP_ACTION_BLOCK},
+	}
+
+	return addOutboundFilters(session, &filter, fmt.Sprintf("Block DNS port %d", port))
+}
+
+// addOutboundFilters installs the same filter on the v4 and v6 outbound ALE
+// connect layers. v4 and v6 are installed independently: failure on one
+// layer does not abort the other, and the accumulated errors are returned.
+// Partial coverage is preferred over zero coverage.
+func addOutboundFilters(session uintptr, filter *wtFwpmFilter0, name string) error {
+	layers := [...]struct {
+		layer windows.GUID
+		label string
+	}{
+		{cFWPM_LAYER_ALE_AUTH_CONNECT_V4, name + " (IPv4)"},
+		{cFWPM_LAYER_ALE_AUTH_CONNECT_V6, name + " (IPv6)"},
+	}
+
+	var merr *multierror.Error
+	for _, l := range layers {
+		display, err := createWtFwpmDisplayData0(l.label, "")
+		if err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("%s: %w", l.label, wrapErr(err)))
+			continue
+		}
+		filter.displayData = *display
+		filter.layerKey = l.layer
+
+		var filterID uint64
+		if err := fwpmFilterAdd0(session, filter, 0, &filterID); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("%s: %w", l.label, wrapErr(err)))
+		}
+	}
+	return nberrors.FormatErrorOrNil(merr)
+}

client/internal/dns/dnsfw/session_windows.go

@@ -0,0 +1,177 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ * Copyright (C) 2026 NetBird GmbH. All Rights Reserved.
+ *
+ * Session lifecycle and the high-level Install/Close entry points adapted
+ * from wireguard-windows tunnel/firewall.
+ */
+
+package dnsfw
+
+import (
+	"errors"
+	"fmt"
+	"net/netip"
+	"unsafe"
+
+	"github.com/hashicorp/go-multierror"
+	"golang.org/x/sys/windows"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+)
+
+// installConfig is the input to installFilters.
+type installConfig struct {
+	tunLUID      uint64
+	daemonExe    string
+	blockedPorts []uint16
+	// strict, when true, narrows the carve-out from "anything on tun" to
+	// "DNS only to virtualDNSIP". virtualDNSIP must be valid in this case.
+	strict       bool
+	virtualDNSIP netip.Addr
+}
+
+// baseObjects holds the GUIDs of the WFP provider and sublayer registered
+// for our session. Both are randomly generated per session.
+type baseObjects struct {
+	provider windows.GUID
+	filters  windows.GUID
+}
+
+// installFilters opens a dynamic WFP session and installs the netbird DNS
+// firewall filters. Returns a zero session on hard failure (session create,
+// base objects); a non-zero session with a non-nil error is a partial install
+// (some per-filter installs failed) and is safe to close.
+func installFilters(cfg installConfig) (session uintptr, err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			// Dynamic session: kernel will clean up on process exit even
+			// if we leave the handle dangling here.
+			err = fmt.Errorf("panic in installFilters: %v", r)
+		}
+	}()
+
+	if len(cfg.blockedPorts) == 0 {
+		return 0, errors.New("dns firewall: no blocked ports configured")
+	}
+	if cfg.strict && !cfg.virtualDNSIP.IsValid() {
+		return 0, errors.New("dns firewall: strict mode requires a valid virtual DNS IP")
+	}
+
+	session, err = createSession()
+	if err != nil {
+		return 0, err
+	}
+
+	base, err := registerBaseObjects(session)
+	if err != nil {
+		_ = fwpmEngineClose0(session)
+		return 0, fmt.Errorf("register base objects: %w", err)
+	}
+
+	var merr *multierror.Error
+	if cfg.strict {
+		if err := permitVirtualDNSIP(session, base, cfg.virtualDNSIP, cfg.blockedPorts, 15); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("permit virtual dns: %w", err))
+		}
+	} else {
+		if err := permitTunInterface(session, base, 15, cfg.tunLUID); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("permit tun interface: %w", err))
+		}
+	}
+	if err := permitDaemonByAppID(session, base, cfg.daemonExe, 14); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("permit netbird daemon: %w", err))
+	}
+	if err := blockDNSPorts(session, base, cfg.blockedPorts, 10); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("block dns ports: %w", err))
+	}
+
+	return session, nberrors.FormatErrorOrNil(merr)
+}
+
+// closeSession tears down a WFP session previously opened by installFilters.
+// All filters owned by the session are removed.
+func closeSession(session uintptr) (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			err = fmt.Errorf("panic in closeSession: %v", r)
+		}
+	}()
+
+	if session == 0 {
+		return nil
+	}
+	if err := fwpmEngineClose0(session); err != nil {
+		return wrapErr(err)
+	}
+	return nil
+}
+
+func createSession() (uintptr, error) {
+	displayData, err := createWtFwpmDisplayData0("NetBird DNS firewall", "NetBird DNS firewall dynamic session")
+	if err != nil {
+		return 0, wrapErr(err)
+	}
+	session := wtFwpmSession0{
+		displayData:          *displayData,
+		flags:                cFWPM_SESSION_FLAG_DYNAMIC,
+		txnWaitTimeoutInMSec: windows.INFINITE,
+	}
+	var handle uintptr
+	if err := fwpmEngineOpen0(nil, cRPC_C_AUTHN_WINNT, nil, &session, unsafe.Pointer(&handle)); err != nil {
+		return 0, wrapErr(err)
+	}
+	return handle, nil
+}
+
+func registerBaseObjects(session uintptr) (*baseObjects, error) {
+	bo := &baseObjects{}
+	var err error
+	if bo.provider, err = windows.GenerateGUID(); err != nil {
+		return nil, wrapErr(err)
+	}
+	if bo.filters, err = windows.GenerateGUID(); err != nil {
+		return nil, wrapErr(err)
+	}
+
+	displayData, err := createWtFwpmDisplayData0("NetBird DNS firewall", "NetBird DNS firewall provider")
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+	provider := wtFwpmProvider0{
+		providerKey: bo.provider,
+		displayData: *displayData,
+	}
+	if err := fwpmProviderAdd0(session, &provider, 0); err != nil {
+		return nil, wrapErr(err)
+	}
+
+	subDisplay, err := createWtFwpmDisplayData0("NetBird DNS firewall filters", "Permit and block filters")
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+	sublayer := wtFwpmSublayer0{
+		subLayerKey: bo.filters,
+		displayData: *subDisplay,
+		providerKey: &bo.provider,
+		weight:      ^uint16(0),
+	}
+	if err := fwpmSubLayerAdd0(session, &sublayer, 0); err != nil {
+		return nil, wrapErr(err)
+	}
+	return bo, nil
+}
+
+// daemonAppID returns the WFP App-ID byte blob for the given executable path.
+func daemonAppID(path string) (*wtFwpByteBlob, error) {
+	pathPtr, err := windows.UTF16PtrFromString(path)
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+	var appID *wtFwpByteBlob
+	if err := fwpmGetAppIdFromFileName0(pathPtr, unsafe.Pointer(&appID)); err != nil {
+		return nil, wrapErr(err)
+	}
+	return appID, nil
+}

client/internal/dns/dnsfw/syscall_windows.go

@@ -0,0 +1,38 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/syscall_windows.go.
+ */
+
+package dnsfw
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmengineopen0
+//sys	fwpmEngineOpen0(serverName *uint16, authnService wtRpcCAuthN, authIdentity *uintptr, session *wtFwpmSession0, engineHandle unsafe.Pointer) (err error) [failretval!=0] = fwpuclnt.FwpmEngineOpen0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmengineclose0
+//sys	fwpmEngineClose0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmEngineClose0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmsublayeradd0
+//sys	fwpmSubLayerAdd0(engineHandle uintptr, subLayer *wtFwpmSublayer0, sd uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmSubLayerAdd0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmgetappidfromfilename0
+//sys	fwpmGetAppIdFromFileName0(fileName *uint16, appID unsafe.Pointer) (err error) [failretval!=0] = fwpuclnt.FwpmGetAppIdFromFileName0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmfreememory0
+//sys	fwpmFreeMemory0(p unsafe.Pointer) = fwpuclnt.FwpmFreeMemory0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmfilteradd0
+//sys	fwpmFilterAdd0(engineHandle uintptr, filter *wtFwpmFilter0, sd uintptr, id *uint64) (err error) [failretval!=0] = fwpuclnt.FwpmFilterAdd0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/Fwpmu/nf-fwpmu-fwpmtransactionbegin0
+//sys	fwpmTransactionBegin0(engineHandle uintptr, flags uint32) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionBegin0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmtransactioncommit0
+//sys	fwpmTransactionCommit0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionCommit0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmtransactionabort0
+//sys	fwpmTransactionAbort0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionAbort0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmprovideradd0
+//sys	fwpmProviderAdd0(engineHandle uintptr, provider *wtFwpmProvider0, sd uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmProviderAdd0

client/internal/dns/dnsfw/types_windows.go

@@ -0,0 +1,414 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/types_windows.go.
+ */
+
+package dnsfw
+
+import "golang.org/x/sys/windows"
+
+const (
+	anysizeArray = 1 // ANYSIZE_ARRAY defined in winnt.h
+
+	wtFwpBitmapArray64_Size = 8
+
+	wtFwpByteArray16_Size = 16
+
+	wtFwpByteArray6_Size = 6
+
+	wtFwpmAction0_Size              = 20
+	wtFwpmAction0_filterType_Offset = 4
+
+	wtFwpV4AddrAndMask_Size        = 8
+	wtFwpV4AddrAndMask_mask_Offset = 4
+
+	wtFwpV6AddrAndMask_Size                = 17
+	wtFwpV6AddrAndMask_prefixLength_Offset = 16
+)
+
+type wtFwpActionFlag uint32
+
+const (
+	cFWP_ACTION_FLAG_TERMINATING     wtFwpActionFlag = 0x00001000
+	cFWP_ACTION_FLAG_NON_TERMINATING wtFwpActionFlag = 0x00002000
+	cFWP_ACTION_FLAG_CALLOUT         wtFwpActionFlag = 0x00004000
+)
+
+// FWP_ACTION_TYPE defined in fwptypes.h
+type wtFwpActionType uint32
+
+const (
+	cFWP_ACTION_BLOCK               wtFwpActionType = wtFwpActionType(0x00000001 | cFWP_ACTION_FLAG_TERMINATING)
+	cFWP_ACTION_PERMIT              wtFwpActionType = wtFwpActionType(0x00000002 | cFWP_ACTION_FLAG_TERMINATING)
+	cFWP_ACTION_CALLOUT_TERMINATING wtFwpActionType = wtFwpActionType(0x00000003 | cFWP_ACTION_FLAG_CALLOUT | cFWP_ACTION_FLAG_TERMINATING)
+	cFWP_ACTION_CALLOUT_INSPECTION  wtFwpActionType = wtFwpActionType(0x00000004 | cFWP_ACTION_FLAG_CALLOUT | cFWP_ACTION_FLAG_NON_TERMINATING)
+	cFWP_ACTION_CALLOUT_UNKNOWN     wtFwpActionType = wtFwpActionType(0x00000005 | cFWP_ACTION_FLAG_CALLOUT)
+	cFWP_ACTION_CONTINUE            wtFwpActionType = wtFwpActionType(0x00000006 | cFWP_ACTION_FLAG_NON_TERMINATING)
+	cFWP_ACTION_NONE                wtFwpActionType = 0x00000007
+	cFWP_ACTION_NONE_NO_MATCH       wtFwpActionType = 0x00000008
+	cFWP_ACTION_BITMAP_INDEX_SET    wtFwpActionType = 0x00000009
+)
+
+// FWP_BYTE_BLOB defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_blob_)
+type wtFwpByteBlob struct {
+	size uint32
+	data *uint8
+}
+
+// FWP_MATCH_TYPE defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ne-fwptypes-fwp_match_type_)
+type wtFwpMatchType uint32
+
+const (
+	cFWP_MATCH_EQUAL                  wtFwpMatchType = 0
+	cFWP_MATCH_GREATER                wtFwpMatchType = cFWP_MATCH_EQUAL + 1
+	cFWP_MATCH_LESS                   wtFwpMatchType = cFWP_MATCH_GREATER + 1
+	cFWP_MATCH_GREATER_OR_EQUAL       wtFwpMatchType = cFWP_MATCH_LESS + 1
+	cFWP_MATCH_LESS_OR_EQUAL          wtFwpMatchType = cFWP_MATCH_GREATER_OR_EQUAL + 1
+	cFWP_MATCH_RANGE                  wtFwpMatchType = cFWP_MATCH_LESS_OR_EQUAL + 1
+	cFWP_MATCH_FLAGS_ALL_SET          wtFwpMatchType = cFWP_MATCH_RANGE + 1
+	cFWP_MATCH_FLAGS_ANY_SET          wtFwpMatchType = cFWP_MATCH_FLAGS_ALL_SET + 1
+	cFWP_MATCH_FLAGS_NONE_SET         wtFwpMatchType = cFWP_MATCH_FLAGS_ANY_SET + 1
+	cFWP_MATCH_EQUAL_CASE_INSENSITIVE wtFwpMatchType = cFWP_MATCH_FLAGS_NONE_SET + 1
+	cFWP_MATCH_NOT_EQUAL              wtFwpMatchType = cFWP_MATCH_EQUAL_CASE_INSENSITIVE + 1
+	cFWP_MATCH_PREFIX                 wtFwpMatchType = cFWP_MATCH_NOT_EQUAL + 1
+	cFWP_MATCH_NOT_PREFIX             wtFwpMatchType = cFWP_MATCH_PREFIX + 1
+	cFWP_MATCH_TYPE_MAX               wtFwpMatchType = cFWP_MATCH_NOT_PREFIX + 1
+)
+
+// FWPM_ACTION0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_action0_)
+type wtFwpmAction0 struct {
+	_type      wtFwpActionType
+	filterType windows.GUID // Windows type: GUID
+}
+
+// Defined in fwpmu.h. 4cd62a49-59c3-4969-b7f3-bda5d32890a4
+var cFWPM_CONDITION_IP_LOCAL_INTERFACE = windows.GUID{
+	Data1: 0x4cd62a49,
+	Data2: 0x59c3,
+	Data3: 0x4969,
+	Data4: [8]byte{0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 0xa4},
+}
+
+// Defined in fwpmu.h. b235ae9a-1d64-49b8-a44c-5ff3d9095045
+var cFWPM_CONDITION_IP_REMOTE_ADDRESS = windows.GUID{
+	Data1: 0xb235ae9a,
+	Data2: 0x1d64,
+	Data3: 0x49b8,
+	Data4: [8]byte{0xa4, 0x4c, 0x5f, 0xf3, 0xd9, 0x09, 0x50, 0x45},
+}
+
+// Defined in fwpmu.h. 3971ef2b-623e-4f9a-8cb1-6e79b806b9a7
+var cFWPM_CONDITION_IP_PROTOCOL = windows.GUID{
+	Data1: 0x3971ef2b,
+	Data2: 0x623e,
+	Data3: 0x4f9a,
+	Data4: [8]byte{0x8c, 0xb1, 0x6e, 0x79, 0xb8, 0x06, 0xb9, 0xa7},
+}
+
+// Defined in fwpmu.h. 0c1ba1af-5765-453f-af22-a8f791ac775b
+var cFWPM_CONDITION_IP_LOCAL_PORT = windows.GUID{
+	Data1: 0x0c1ba1af,
+	Data2: 0x5765,
+	Data3: 0x453f,
+	Data4: [8]byte{0xaf, 0x22, 0xa8, 0xf7, 0x91, 0xac, 0x77, 0x5b},
+}
+
+// Defined in fwpmu.h. c35a604d-d22b-4e1a-91b4-68f674ee674b
+var cFWPM_CONDITION_IP_REMOTE_PORT = windows.GUID{
+	Data1: 0xc35a604d,
+	Data2: 0xd22b,
+	Data3: 0x4e1a,
+	Data4: [8]byte{0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b},
+}
+
+// Defined in fwpmu.h. d78e1e87-8644-4ea5-9437-d809ecefc971
+var cFWPM_CONDITION_ALE_APP_ID = windows.GUID{
+	Data1: 0xd78e1e87,
+	Data2: 0x8644,
+	Data3: 0x4ea5,
+	Data4: [8]byte{0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71},
+}
+
+// af043a0a-b34d-4f86-979c-c90371af6e66
+var cFWPM_CONDITION_ALE_USER_ID = windows.GUID{
+	Data1: 0xaf043a0a,
+	Data2: 0xb34d,
+	Data3: 0x4f86,
+	Data4: [8]byte{0x97, 0x9c, 0xc9, 0x03, 0x71, 0xaf, 0x6e, 0x66},
+}
+
+// d9ee00de-c1ef-4617-bfe3-ffd8f5a08957
+var cFWPM_CONDITION_IP_LOCAL_ADDRESS = windows.GUID{
+	Data1: 0xd9ee00de,
+	Data2: 0xc1ef,
+	Data3: 0x4617,
+	Data4: [8]byte{0xbf, 0xe3, 0xff, 0xd8, 0xf5, 0xa0, 0x89, 0x57},
+}
+
+var (
+	cFWPM_CONDITION_ICMP_TYPE = cFWPM_CONDITION_IP_LOCAL_PORT
+	cFWPM_CONDITION_ICMP_CODE = cFWPM_CONDITION_IP_REMOTE_PORT
+)
+
+// 7bc43cbf-37ba-45f1-b74a-82ff518eeb10
+var cFWPM_CONDITION_L2_FLAGS = windows.GUID{
+	Data1: 0x7bc43cbf,
+	Data2: 0x37ba,
+	Data3: 0x45f1,
+	Data4: [8]byte{0xb7, 0x4a, 0x82, 0xff, 0x51, 0x8e, 0xeb, 0x10},
+}
+
+type wtFwpmL2Flags uint32
+
+const cFWP_CONDITION_L2_IS_VM2VM wtFwpmL2Flags = 0x00000010
+
+var cFWPM_CONDITION_FLAGS = windows.GUID{
+	Data1: 0x632ce23b,
+	Data2: 0x5167,
+	Data3: 0x435c,
+	Data4: [8]byte{0x86, 0xd7, 0xe9, 0x03, 0x68, 0x4a, 0xa8, 0x0c},
+}
+
+type wtFwpmFlags uint32
+
+const cFWP_CONDITION_FLAG_IS_LOOPBACK wtFwpmFlags = 0x00000001
+
+// Defined in fwpmtypes.h
+type wtFwpmFilterFlags uint32
+
+const (
+	cFWPM_FILTER_FLAG_NONE                                wtFwpmFilterFlags = 0x00000000
+	cFWPM_FILTER_FLAG_PERSISTENT                          wtFwpmFilterFlags = 0x00000001
+	cFWPM_FILTER_FLAG_BOOTTIME                            wtFwpmFilterFlags = 0x00000002
+	cFWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT                wtFwpmFilterFlags = 0x00000004
+	cFWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT                  wtFwpmFilterFlags = 0x00000008
+	cFWPM_FILTER_FLAG_PERMIT_IF_CALLOUT_UNREGISTERED      wtFwpmFilterFlags = 0x00000010
+	cFWPM_FILTER_FLAG_DISABLED                            wtFwpmFilterFlags = 0x00000020
+	cFWPM_FILTER_FLAG_INDEXED                             wtFwpmFilterFlags = 0x00000040
+	cFWPM_FILTER_FLAG_HAS_SECURITY_REALM_PROVIDER_CONTEXT wtFwpmFilterFlags = 0x00000080
+	cFWPM_FILTER_FLAG_SYSTEMOS_ONLY                       wtFwpmFilterFlags = 0x00000100
+	cFWPM_FILTER_FLAG_GAMEOS_ONLY                         wtFwpmFilterFlags = 0x00000200
+	cFWPM_FILTER_FLAG_SILENT_MODE                         wtFwpmFilterFlags = 0x00000400
+	cFWPM_FILTER_FLAG_IPSEC_NO_ACQUIRE_INITIATE           wtFwpmFilterFlags = 0x00000800
+)
+
+// FWPM_LAYER_ALE_AUTH_CONNECT_V4 (c38d57d1-05a7-4c33-904f-7fbceee60e82) defined in fwpmu.h
+var cFWPM_LAYER_ALE_AUTH_CONNECT_V4 = windows.GUID{
+	Data1: 0xc38d57d1,
+	Data2: 0x05a7,
+	Data3: 0x4c33,
+	Data4: [8]byte{0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82},
+}
+
+// e1cd9fe7-f4b5-4273-96c0-592e487b8650
+var cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 = windows.GUID{
+	Data1: 0xe1cd9fe7,
+	Data2: 0xf4b5,
+	Data3: 0x4273,
+	Data4: [8]byte{0x96, 0xc0, 0x59, 0x2e, 0x48, 0x7b, 0x86, 0x50},
+}
+
+// FWPM_LAYER_ALE_AUTH_CONNECT_V6 (4a72393b-319f-44bc-84c3-ba54dcb3b6b4) defined in fwpmu.h
+var cFWPM_LAYER_ALE_AUTH_CONNECT_V6 = windows.GUID{
+	Data1: 0x4a72393b,
+	Data2: 0x319f,
+	Data3: 0x44bc,
+	Data4: [8]byte{0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4},
+}
+
+// a3b42c97-9f04-4672-b87e-cee9c483257f
+var cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6 = windows.GUID{
+	Data1: 0xa3b42c97,
+	Data2: 0x9f04,
+	Data3: 0x4672,
+	Data4: [8]byte{0xb8, 0x7e, 0xce, 0xe9, 0xc4, 0x83, 0x25, 0x7f},
+}
+
+// 94c44912-9d6f-4ebf-b995-05ab8a088d1b
+var cFWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE = windows.GUID{
+	Data1: 0x94c44912,
+	Data2: 0x9d6f,
+	Data3: 0x4ebf,
+	Data4: [8]byte{0xb9, 0x95, 0x05, 0xab, 0x8a, 0x08, 0x8d, 0x1b},
+}
+
+// d4220bd3-62ce-4f08-ae88-b56e8526df50
+var cFWPM_LAYER_INBOUND_MAC_FRAME_NATIVE = windows.GUID{
+	Data1: 0xd4220bd3,
+	Data2: 0x62ce,
+	Data3: 0x4f08,
+	Data4: [8]byte{0xae, 0x88, 0xb5, 0x6e, 0x85, 0x26, 0xdf, 0x50},
+}
+
+// FWP_BITMAP_ARRAY64 defined in fwtypes.h
+type wtFwpBitmapArray64 struct {
+	bitmapArray64 [8]uint8 // Windows type: [8]UINT8
+}
+
+// FWP_BYTE_ARRAY6 defined in fwtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_array6_)
+type wtFwpByteArray6 struct {
+	byteArray6 [6]uint8 // Windows type: [6]UINT8
+}
+
+// FWP_BYTE_ARRAY16 defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_array16_)
+type wtFwpByteArray16 struct {
+	byteArray16 [16]uint8 // Windows type [16]UINT8
+}
+
+// FWP_CONDITION_VALUE0 defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_condition_value0).
+type wtFwpConditionValue0 wtFwpValue0
+
+// FWP_DATA_TYPE defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ne-fwptypes-fwp_data_type_)
+type wtFwpDataType uint
+
+const (
+	cFWP_EMPTY                         wtFwpDataType = 0
+	cFWP_UINT8                         wtFwpDataType = cFWP_EMPTY + 1
+	cFWP_UINT16                        wtFwpDataType = cFWP_UINT8 + 1
+	cFWP_UINT32                        wtFwpDataType = cFWP_UINT16 + 1
+	cFWP_UINT64                        wtFwpDataType = cFWP_UINT32 + 1
+	cFWP_INT8                          wtFwpDataType = cFWP_UINT64 + 1
+	cFWP_INT16                         wtFwpDataType = cFWP_INT8 + 1
+	cFWP_INT32                         wtFwpDataType = cFWP_INT16 + 1
+	cFWP_INT64                         wtFwpDataType = cFWP_INT32 + 1
+	cFWP_FLOAT                         wtFwpDataType = cFWP_INT64 + 1
+	cFWP_DOUBLE                        wtFwpDataType = cFWP_FLOAT + 1
+	cFWP_BYTE_ARRAY16_TYPE             wtFwpDataType = cFWP_DOUBLE + 1
+	cFWP_BYTE_BLOB_TYPE                wtFwpDataType = cFWP_BYTE_ARRAY16_TYPE + 1
+	cFWP_SID                           wtFwpDataType = cFWP_BYTE_BLOB_TYPE + 1
+	cFWP_SECURITY_DESCRIPTOR_TYPE      wtFwpDataType = cFWP_SID + 1
+	cFWP_TOKEN_INFORMATION_TYPE        wtFwpDataType = cFWP_SECURITY_DESCRIPTOR_TYPE + 1
+	cFWP_TOKEN_ACCESS_INFORMATION_TYPE wtFwpDataType = cFWP_TOKEN_INFORMATION_TYPE + 1
+	cFWP_UNICODE_STRING_TYPE           wtFwpDataType = cFWP_TOKEN_ACCESS_INFORMATION_TYPE + 1
+	cFWP_BYTE_ARRAY6_TYPE              wtFwpDataType = cFWP_UNICODE_STRING_TYPE + 1
+	cFWP_BITMAP_INDEX_TYPE             wtFwpDataType = cFWP_BYTE_ARRAY6_TYPE + 1
+	cFWP_BITMAP_ARRAY64_TYPE           wtFwpDataType = cFWP_BITMAP_INDEX_TYPE + 1
+	cFWP_SINGLE_DATA_TYPE_MAX          wtFwpDataType = 0xff
+	cFWP_V4_ADDR_MASK                  wtFwpDataType = cFWP_SINGLE_DATA_TYPE_MAX + 1
+	cFWP_V6_ADDR_MASK                  wtFwpDataType = cFWP_V4_ADDR_MASK + 1
+	cFWP_RANGE_TYPE                    wtFwpDataType = cFWP_V6_ADDR_MASK + 1
+	cFWP_DATA_TYPE_MAX                 wtFwpDataType = cFWP_RANGE_TYPE + 1
+)
+
+// FWP_V4_ADDR_AND_MASK defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_v4_addr_and_mask).
+type wtFwpV4AddrAndMask struct {
+	addr uint32
+	mask uint32
+}
+
+// FWP_V6_ADDR_AND_MASK defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_v6_addr_and_mask).
+type wtFwpV6AddrAndMask struct {
+	addr         [16]uint8
+	prefixLength uint8
+}
+
+// FWP_VALUE0 defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_value0_)
+type wtFwpValue0 struct {
+	_type wtFwpDataType
+	value uintptr
+}
+
+// FWPM_DISPLAY_DATA0 defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwpm_display_data0).
+type wtFwpmDisplayData0 struct {
+	name        *uint16 // Windows type: *wchar_t
+	description *uint16 // Windows type: *wchar_t
+}
+
+// FWPM_FILTER_CONDITION0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter_condition0).
+type wtFwpmFilterCondition0 struct {
+	fieldKey       windows.GUID // Windows type: GUID
+	matchType      wtFwpMatchType
+	conditionValue wtFwpConditionValue0
+}
+
+// FWPM_PROVIDER0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_provider0_)
+type wtFwpProvider0 struct {
+	providerKey  windows.GUID // Windows type: GUID
+	displayData  wtFwpmDisplayData0
+	flags        uint32
+	providerData wtFwpByteBlob
+	serviceName  *uint16 // Windows type: *wchar_t
+}
+
+type wtFwpmSessionFlagsValue uint32
+
+const (
+	cFWPM_SESSION_FLAG_DYNAMIC wtFwpmSessionFlagsValue = 0x00000001 // FWPM_SESSION_FLAG_DYNAMIC defined in fwpmtypes.h
+)
+
+// FWPM_SESSION0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_session0).
+type wtFwpmSession0 struct {
+	sessionKey           windows.GUID // Windows type: GUID
+	displayData          wtFwpmDisplayData0
+	flags                wtFwpmSessionFlagsValue // Windows type UINT32
+	txnWaitTimeoutInMSec uint32
+	processId            uint32 // Windows type: DWORD
+	sid                  *windows.SID
+	username             *uint16 // Windows type: *wchar_t
+	kernelMode           uint8   // Windows type: BOOL
+}
+
+type wtFwpmSublayerFlags uint32
+
+const (
+	cFWPM_SUBLAYER_FLAG_PERSISTENT wtFwpmSublayerFlags = 0x00000001 // FWPM_SUBLAYER_FLAG_PERSISTENT defined in fwpmtypes.h
+)
+
+// FWPM_SUBLAYER0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_sublayer0_)
+type wtFwpmSublayer0 struct {
+	subLayerKey  windows.GUID // Windows type: GUID
+	displayData  wtFwpmDisplayData0
+	flags        wtFwpmSublayerFlags
+	providerKey  *windows.GUID // Windows type: *GUID
+	providerData wtFwpByteBlob
+	weight       uint16
+}
+
+// Defined in rpcdce.h
+type wtRpcCAuthN uint32
+
+const (
+	cRPC_C_AUTHN_NONE    wtRpcCAuthN = 0
+	cRPC_C_AUTHN_WINNT   wtRpcCAuthN = 10
+	cRPC_C_AUTHN_DEFAULT wtRpcCAuthN = 0xFFFFFFFF
+)
+
+// FWPM_PROVIDER0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/sv-se/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_provider0).
+type wtFwpmProvider0 struct {
+	providerKey  windows.GUID
+	displayData  wtFwpmDisplayData0
+	flags        uint32
+	providerData wtFwpByteBlob
+	serviceName  *uint16
+}
+
+type wtIPProto uint32
+
+const (
+	cIPPROTO_ICMP   wtIPProto = 1
+	cIPPROTO_ICMPV6 wtIPProto = 58
+	cIPPROTO_TCP    wtIPProto = 6
+	cIPPROTO_UDP    wtIPProto = 17
+)
+
+const (
+	cFWP_ACTRL_MATCH_FILTER = 1
+)

client/internal/dns/dnsfw/types_windows_32.go

@@ -0,0 +1,92 @@
+//go:build windows && (386 || arm)
+
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/types_windows_32.go.
+ */
+
+package dnsfw
+
+import "golang.org/x/sys/windows"
+
+const (
+	wtFwpByteBlob_Size        = 8
+	wtFwpByteBlob_data_Offset = 4
+
+	wtFwpConditionValue0_Size         = 8
+	wtFwpConditionValue0_uint8_Offset = 4
+
+	wtFwpmDisplayData0_Size               = 8
+	wtFwpmDisplayData0_description_Offset = 4
+
+	wtFwpmFilter0_Size                       = 152
+	wtFwpmFilter0_displayData_Offset         = 16
+	wtFwpmFilter0_flags_Offset               = 24
+	wtFwpmFilter0_providerKey_Offset         = 28
+	wtFwpmFilter0_providerData_Offset        = 32
+	wtFwpmFilter0_layerKey_Offset            = 40
+	wtFwpmFilter0_subLayerKey_Offset         = 56
+	wtFwpmFilter0_weight_Offset              = 72
+	wtFwpmFilter0_numFilterConditions_Offset = 80
+	wtFwpmFilter0_filterCondition_Offset     = 84
+	wtFwpmFilter0_action_Offset              = 88
+	wtFwpmFilter0_providerContextKey_Offset  = 112
+	wtFwpmFilter0_reserved_Offset            = 128
+	wtFwpmFilter0_filterID_Offset            = 136
+	wtFwpmFilter0_effectiveWeight_Offset     = 144
+
+	wtFwpmFilterCondition0_Size                  = 28
+	wtFwpmFilterCondition0_matchType_Offset      = 16
+	wtFwpmFilterCondition0_conditionValue_Offset = 20
+
+	wtFwpmSession0_Size                        = 48
+	wtFwpmSession0_displayData_Offset          = 16
+	wtFwpmSession0_flags_Offset                = 24
+	wtFwpmSession0_txnWaitTimeoutInMSec_Offset = 28
+	wtFwpmSession0_processId_Offset            = 32
+	wtFwpmSession0_sid_Offset                  = 36
+	wtFwpmSession0_username_Offset             = 40
+	wtFwpmSession0_kernelMode_Offset           = 44
+
+	wtFwpmSublayer0_Size                = 44
+	wtFwpmSublayer0_displayData_Offset  = 16
+	wtFwpmSublayer0_flags_Offset        = 24
+	wtFwpmSublayer0_providerKey_Offset  = 28
+	wtFwpmSublayer0_providerData_Offset = 32
+	wtFwpmSublayer0_weight_Offset       = 40
+
+	wtFwpProvider0_Size                = 40
+	wtFwpProvider0_displayData_Offset  = 16
+	wtFwpProvider0_flags_Offset        = 24
+	wtFwpProvider0_providerData_Offset = 28
+	wtFwpProvider0_serviceName_Offset  = 36
+
+	wtFwpTokenInformation_Size = 16
+
+	wtFwpValue0_Size         = 8
+	wtFwpValue0_value_Offset = 4
+)
+
+// FWPM_FILTER0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter0).
+type wtFwpmFilter0 struct {
+	filterKey           windows.GUID // Windows type: GUID
+	displayData         wtFwpmDisplayData0
+	flags               wtFwpmFilterFlags
+	providerKey         *windows.GUID // Windows type: *GUID
+	providerData        wtFwpByteBlob
+	layerKey            windows.GUID // Windows type: GUID
+	subLayerKey         windows.GUID // Windows type: GUID
+	weight              wtFwpValue0
+	numFilterConditions uint32
+	filterCondition     *wtFwpmFilterCondition0
+	action              wtFwpmAction0
+	offset1             [4]byte       // Layout correction field
+	providerContextKey  windows.GUID  // Windows type: GUID
+	reserved            *windows.GUID // Windows type: *GUID
+	offset2             [4]byte       // Layout correction field
+	filterID            uint64
+	effectiveWeight     wtFwpValue0
+}

client/internal/dns/dnsfw/types_windows_64.go

@@ -0,0 +1,89 @@
+//go:build windows && (amd64 || arm64)
+
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/types_windows_64.go.
+ */
+
+package dnsfw
+
+import "golang.org/x/sys/windows"
+
+const (
+	wtFwpByteBlob_Size        = 16
+	wtFwpByteBlob_data_Offset = 8
+
+	wtFwpConditionValue0_Size         = 16
+	wtFwpConditionValue0_uint8_Offset = 8
+
+	wtFwpmDisplayData0_Size               = 16
+	wtFwpmDisplayData0_description_Offset = 8
+
+	wtFwpmFilter0_Size                       = 200
+	wtFwpmFilter0_displayData_Offset         = 16
+	wtFwpmFilter0_flags_Offset               = 32
+	wtFwpmFilter0_providerKey_Offset         = 40
+	wtFwpmFilter0_providerData_Offset        = 48
+	wtFwpmFilter0_layerKey_Offset            = 64
+	wtFwpmFilter0_subLayerKey_Offset         = 80
+	wtFwpmFilter0_weight_Offset              = 96
+	wtFwpmFilter0_numFilterConditions_Offset = 112
+	wtFwpmFilter0_filterCondition_Offset     = 120
+	wtFwpmFilter0_action_Offset              = 128
+	wtFwpmFilter0_providerContextKey_Offset  = 152
+	wtFwpmFilter0_reserved_Offset            = 168
+	wtFwpmFilter0_filterID_Offset            = 176
+	wtFwpmFilter0_effectiveWeight_Offset     = 184
+
+	wtFwpmFilterCondition0_Size                  = 40
+	wtFwpmFilterCondition0_matchType_Offset      = 16
+	wtFwpmFilterCondition0_conditionValue_Offset = 24
+
+	wtFwpmSession0_Size                        = 72
+	wtFwpmSession0_displayData_Offset          = 16
+	wtFwpmSession0_flags_Offset                = 32
+	wtFwpmSession0_txnWaitTimeoutInMSec_Offset = 36
+	wtFwpmSession0_processId_Offset            = 40
+	wtFwpmSession0_sid_Offset                  = 48
+	wtFwpmSession0_username_Offset             = 56
+	wtFwpmSession0_kernelMode_Offset           = 64
+
+	wtFwpmSublayer0_Size                = 72
+	wtFwpmSublayer0_displayData_Offset  = 16
+	wtFwpmSublayer0_flags_Offset        = 32
+	wtFwpmSublayer0_providerKey_Offset  = 40
+	wtFwpmSublayer0_providerData_Offset = 48
+	wtFwpmSublayer0_weight_Offset       = 64
+
+	wtFwpProvider0_Size                = 64
+	wtFwpProvider0_displayData_Offset  = 16
+	wtFwpProvider0_flags_Offset        = 32
+	wtFwpProvider0_providerData_Offset = 40
+	wtFwpProvider0_serviceName_Offset  = 56
+
+	wtFwpValue0_Size         = 16
+	wtFwpValue0_value_Offset = 8
+)
+
+// FWPM_FILTER0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter0).
+type wtFwpmFilter0 struct {
+	filterKey           windows.GUID // Windows type: GUID
+	displayData         wtFwpmDisplayData0
+	flags               wtFwpmFilterFlags // Windows type: UINT32
+	providerKey         *windows.GUID     // Windows type: *GUID
+	providerData        wtFwpByteBlob
+	layerKey            windows.GUID // Windows type: GUID
+	subLayerKey         windows.GUID // Windows type: GUID
+	weight              wtFwpValue0
+	numFilterConditions uint32
+	filterCondition     *wtFwpmFilterCondition0
+	action              wtFwpmAction0
+	offset1             [4]byte       // Layout correction field
+	providerContextKey  windows.GUID  // Windows type: GUID
+	reserved            *windows.GUID // Windows type: *GUID
+	filterID            uint64
+	effectiveWeight     wtFwpValue0
+}

client/internal/dns/dnsfw/zsyscall_windows.go

@@ -0,0 +1,130 @@
+// Code generated by 'go generate'; DO NOT EDIT.
+
+package dnsfw
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modfwpuclnt = windows.NewLazySystemDLL("fwpuclnt.dll")
+
+	procFwpmEngineClose0          = modfwpuclnt.NewProc("FwpmEngineClose0")
+	procFwpmEngineOpen0           = modfwpuclnt.NewProc("FwpmEngineOpen0")
+	procFwpmFilterAdd0            = modfwpuclnt.NewProc("FwpmFilterAdd0")
+	procFwpmFreeMemory0           = modfwpuclnt.NewProc("FwpmFreeMemory0")
+	procFwpmGetAppIdFromFileName0 = modfwpuclnt.NewProc("FwpmGetAppIdFromFileName0")
+	procFwpmProviderAdd0          = modfwpuclnt.NewProc("FwpmProviderAdd0")
+	procFwpmSubLayerAdd0          = modfwpuclnt.NewProc("FwpmSubLayerAdd0")
+	procFwpmTransactionAbort0     = modfwpuclnt.NewProc("FwpmTransactionAbort0")
+	procFwpmTransactionBegin0     = modfwpuclnt.NewProc("FwpmTransactionBegin0")
+	procFwpmTransactionCommit0    = modfwpuclnt.NewProc("FwpmTransactionCommit0")
+)
+
+func fwpmEngineClose0(engineHandle uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall(procFwpmEngineClose0.Addr(), 1, uintptr(engineHandle), 0, 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmEngineOpen0(serverName *uint16, authnService wtRpcCAuthN, authIdentity *uintptr, session *wtFwpmSession0, engineHandle unsafe.Pointer) (err error) {
+	r1, _, e1 := syscall.Syscall6(procFwpmEngineOpen0.Addr(), 5, uintptr(unsafe.Pointer(serverName)), uintptr(authnService), uintptr(unsafe.Pointer(authIdentity)), uintptr(unsafe.Pointer(session)), uintptr(engineHandle), 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmFilterAdd0(engineHandle uintptr, filter *wtFwpmFilter0, sd uintptr, id *uint64) (err error) {
+	r1, _, e1 := syscall.Syscall6(procFwpmFilterAdd0.Addr(), 4, uintptr(engineHandle), uintptr(unsafe.Pointer(filter)), uintptr(sd), uintptr(unsafe.Pointer(id)), 0, 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmFreeMemory0(p unsafe.Pointer) {
+	syscall.Syscall(procFwpmFreeMemory0.Addr(), 1, uintptr(p), 0, 0)
+	return
+}
+
+func fwpmGetAppIdFromFileName0(fileName *uint16, appID unsafe.Pointer) (err error) {
+	r1, _, e1 := syscall.Syscall(procFwpmGetAppIdFromFileName0.Addr(), 2, uintptr(unsafe.Pointer(fileName)), uintptr(appID), 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmProviderAdd0(engineHandle uintptr, provider *wtFwpmProvider0, sd uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall(procFwpmProviderAdd0.Addr(), 3, uintptr(engineHandle), uintptr(unsafe.Pointer(provider)), uintptr(sd))
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmSubLayerAdd0(engineHandle uintptr, subLayer *wtFwpmSublayer0, sd uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall(procFwpmSubLayerAdd0.Addr(), 3, uintptr(engineHandle), uintptr(unsafe.Pointer(subLayer)), uintptr(sd))
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmTransactionAbort0(engineHandle uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall(procFwpmTransactionAbort0.Addr(), 1, uintptr(engineHandle), 0, 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmTransactionBegin0(engineHandle uintptr, flags uint32) (err error) {
+	r1, _, e1 := syscall.Syscall(procFwpmTransactionBegin0.Addr(), 2, uintptr(engineHandle), uintptr(flags), 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmTransactionCommit0(engineHandle uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall(procFwpmTransactionCommit0.Addr(), 1, uintptr(engineHandle), 0, 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}

client/internal/dns/handler_chain.go

@@ -339,7 +339,8 @@ func (c *HandlerChain) isHandlerMatch(qname string, entry HandlerEntry) bool {
 	case entry.Pattern == ".":
 		return true
 	case entry.IsWildcard:
-		return strings.HasSuffix(qname, "."+entry.Pattern)
+		parts := strings.Split(strings.TrimSuffix(qname, entry.Pattern), ".")
+		return len(parts) >= 2 && strings.HasSuffix(qname, entry.Pattern)
 	default:
 		// For non-wildcard patterns:
 		// If handler wants subdomain matching, allow suffix match

client/internal/dns/handler_chain_test.go

@@ -164,54 +164,6 @@ func TestHandlerChain_ServeDNS_DomainMatching(t *testing.T) {
 			matchSubdomains: true,
 			shouldMatch:     true,
 		},
-		{
-			name:            "wildcard label-boundary mismatch (suffix overlap)",
-			handlerDomain:   "*.b.test.",
-			queryDomain:     "x.ab.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     false,
-		},
-		{
-			name:            "wildcard label-boundary match",
-			handlerDomain:   "*.b.test.",
-			queryDomain:     "x.b.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     true,
-		},
-		{
-			name:            "wildcard multi-label match",
-			handlerDomain:   "*.b.test.",
-			queryDomain:     "x.y.b.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     true,
-		},
-		{
-			name:            "wildcard no match on multi-label apex",
-			handlerDomain:   "*.b.test.",
-			queryDomain:     "b.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     false,
-		},
-		{
-			name:            "wildcard no match on unrelated suffix containment",
-			handlerDomain:   "*.example.com.",
-			queryDomain:     "notexample.com.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     false,
-		},
-		{
-			name:            "wildcard accepts pattern registered without trailing dot",
-			handlerDomain:   "*.b.test",
-			queryDomain:     "x.b.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     true,
-		},
 	}
 
 	for _, tt := range tests {
@@ -321,19 +273,6 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 			expectedCalls:   1,
 			expectedHandler: 2, // highest priority matching handler should be called
 		},
-		{
-			name: "overlapping wildcard suffixes route to correct handler",
-			handlers: []struct {
-				pattern  string
-				priority int
-			}{
-				{pattern: "*.b.test.", priority: nbdns.PriorityDNSRoute},
-				{pattern: "*.ab.test.", priority: nbdns.PriorityDNSRoute},
-			},
-			queryDomain:     "app.ab.test.",
-			expectedCalls:   1,
-			expectedHandler: 1,
-		},
 		{
 			name: "root zone with specific domain",
 			handlers: []struct {

client/internal/dns/host_windows.go

@@ -17,6 +17,7 @@ import (
 	"golang.org/x/sys/windows/registry"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/internal/dns/dnsfw"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/winregistry"
 )
@@ -74,6 +75,7 @@ type registryConfigurator struct {
 	routingAll      bool
 	gpo             bool
 	nrptEntryCount  int
+	dnsFirewall     dnsfw.Manager
 	origNameservers []netip.Addr
 }
 
@@ -94,8 +96,9 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 	}
 
 	configurator := &registryConfigurator{
-		guid: guid,
-		gpo:  useGPO,
+		guid:        guid,
+		gpo:         useGPO,
+		dnsFirewall: dnsfw.New(),
 	}
 
 	origNameservers, err := configurator.captureOriginalNameservers()
@@ -276,16 +279,8 @@ func (r *registryConfigurator) disableWINSForInterface() error {
 }
 
 func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
-	if config.RouteAll {
-		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
-			return fmt.Errorf("add dns setup: %w", err)
-		}
-	} else if r.routingAll {
-		if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey); err != nil {
-			return fmt.Errorf("delete interface registry key property: %w", err)
-		}
-		r.routingAll = false
-		log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
+	if err := r.applyRouteAll(config); err != nil {
+		return err
 	}
 
 	r.updateState(stateManager)
@@ -301,6 +296,13 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		matchDomains = append(matchDomains, "."+strings.TrimSuffix(dConf.Domain, "."))
 	}
 
+	// In RouteAll mode, install an NRPT root-zone rule so the system DNS client
+	// steers every query to the NetBird resolver even if the per-interface
+	// NameServer setting is bypassed or overridden by another adapter.
+	if config.RouteAll {
+		matchDomains = append(matchDomains, ".")
+	}
+
 	if err := r.removeDNSMatchPolicies(); err != nil {
 		log.Errorf("cleanup old dns match policies: %s", err)
 	}
@@ -327,6 +329,35 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 	return nil
 }
 
+func (r *registryConfigurator) applyRouteAll(config HostDNSConfig) error {
+	if config.RouteAll {
+		if err := r.dnsFirewall.Enable(r.guid, config.ServerIP); err != nil {
+			return fmt.Errorf("dns firewall: %w", err)
+		}
+		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
+			merr := multierror.Append(nil, fmt.Errorf("add dns setup: %w", err))
+			if dErr := r.dnsFirewall.Disable(); dErr != nil {
+				merr = multierror.Append(merr, fmt.Errorf("rollback dns firewall: %w", dErr))
+			}
+			return nberrors.FormatErrorOrNil(merr)
+		}
+		return nil
+	}
+
+	if err := r.dnsFirewall.Disable(); err != nil {
+		log.Errorf("disable dns firewall: %v", err)
+	}
+	if !r.routingAll {
+		return nil
+	}
+	if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey); err != nil {
+		return fmt.Errorf("delete interface registry key property: %w", err)
+	}
+	r.routingAll = false
+	log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
+	return nil
+}
+
 func (r *registryConfigurator) updateState(stateManager *statemanager.Manager) {
 	if err := stateManager.UpdateState(&ShutdownState{
 		Guid:           r.guid,
@@ -513,6 +544,10 @@ func (r *registryConfigurator) restoreHostDNS() error {
 		return fmt.Errorf("remove interface registry key: %w", err)
 	}
 
+	if err := r.dnsFirewall.Disable(); err != nil {
+		log.Errorf("disable dns firewall: %v", err)
+	}
+
 	go r.flushDNSCache()
 
 	return nil

client/internal/dns/host_windows_test.go

@@ -8,6 +8,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sys/windows/registry"
+
+	"github.com/netbirdio/netbird/client/internal/dns/dnsfw"
 )
 
 // TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
@@ -34,8 +36,9 @@ func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 	}()
 
 	cfg := &registryConfigurator{
-		guid: testGUID,
-		gpo:  false,
+		guid:        testGUID,
+		gpo:         false,
+		dnsFirewall: dnsfw.New(),
 	}
 
 	// Create 125 domains which will result in 3 NRPT rules (50+50+25)
@@ -134,8 +137,9 @@ func TestNRPTDomainBatching(t *testing.T) {
 	}()
 
 	cfg := &registryConfigurator{
-		guid: testGUID,
-		gpo:  false,
+		guid:        testGUID,
+		gpo:         false,
+		dnsFirewall: dnsfw.New(),
 	}
 
 	testCases := []struct {

client/internal/dns/local/local.go

@@ -26,19 +26,6 @@ type resolver interface {
 	LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error)
 }
 
-// PeerConnectivity reports whether a tunnel IP belongs to a peer the
-// client knows about and whether that peer is currently connected. The
-// local resolver uses this to suppress A/AAAA answers whose RDATA points
-// at a disconnected peer (typical case: a synthesized private-service
-// record pointing at an embedded proxy peer that just went offline).
-//
-// known=false means the IP isn't in the local peerstore at all — the
-// record is left alone (it points at something outside our mesh, e.g.
-// a non-peer upstream).
-type PeerConnectivity interface {
-	IsConnectedByIP(ip string) (known, connected bool)
-}
-
 type Resolver struct {
 	mu      sync.RWMutex
 	records map[dns.Question][]dns.RR
@@ -46,11 +33,6 @@ type Resolver struct {
 	// zones maps zone domain -> NonAuthoritative (true = non-authoritative, user-created zone)
 	zones    map[domain.Domain]bool
 	resolver resolver
-	// peerConn, when non-nil, is consulted on every A/AAAA answer to
-	// drop records pointing at disconnected peers. nil disables the
-	// filter and preserves the legacy "return whatever is registered"
-	// behaviour for callers that never wire a status source.
-	peerConn PeerConnectivity
 
 	ctx    context.Context
 	cancel context.CancelFunc
@@ -67,15 +49,6 @@ func NewResolver() *Resolver {
 	}
 }
 
-// SetPeerConnectivity wires the per-IP connectivity check used to filter
-// out A/AAAA answers pointing at disconnected peers. Pass nil to disable.
-// Safe to call multiple times; the latest value wins.
-func (d *Resolver) SetPeerConnectivity(p PeerConnectivity) {
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	d.peerConn = p
-}
-
 func (d *Resolver) MatchSubdomains() bool {
 	return true
 }
@@ -122,7 +95,6 @@ func (d *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	replyMessage.RecursionAvailable = true
 
 	result := d.lookupRecords(logger, question)
-	result.records = d.filterDisconnectedPeerAnswers(logger, question, result.records)
 	replyMessage.Authoritative = !result.hasExternalData
 	replyMessage.Answer = result.records
 	replyMessage.Rcode = d.determineRcode(question, result)
@@ -464,78 +436,6 @@ func (d *Resolver) logDNSError(logger *log.Entry, hostname string, qtype uint16,
 	}
 }
 
-// filterDisconnectedPeerAnswers drops A/AAAA records whose RDATA matches
-// a known but disconnected peer. The synthesized private-service zones
-// emit one A record per connected proxy peer in a cluster; when a peer
-// goes offline, the server-side refresh removes the record from the
-// next netmap, but the client may still hold the previous netmap for a
-// short window. This filter is the local belt to that braces — even on
-// the stale netmap, the resolver hides the offline target.
-//
-// Records pointing at unknown IPs (outside the local peerstore, e.g.
-// non-mesh upstreams) are never dropped. Non-A/AAAA records pass
-// through untouched.
-//
-// Escape hatch: if filtering would leave the answer empty AND at least
-// one record was filtered, the original list is returned. Better to
-// hand the client a record that may not respond than NXDOMAIN it
-// completely when every proxy peer is offline (the upstream may still
-// be reachable some other way, or the peerstore may be stale).
-func (d *Resolver) filterDisconnectedPeerAnswers(logger *log.Entry, question dns.Question, records []dns.RR) []dns.RR {
-	if len(records) == 0 {
-		return records
-	}
-	d.mu.RLock()
-	checker := d.peerConn
-	d.mu.RUnlock()
-	if checker == nil {
-		return records
-	}
-
-	kept := make([]dns.RR, 0, len(records))
-	var dropped int
-	for _, rr := range records {
-		ip := extractRecordIP(rr)
-		if ip == "" {
-			kept = append(kept, rr)
-			continue
-		}
-		known, connected := checker.IsConnectedByIP(ip)
-		if known && !connected {
-			dropped++
-			continue
-		}
-		kept = append(kept, rr)
-	}
-	if dropped == 0 {
-		return records
-	}
-	if len(kept) == 0 {
-		logger.Debugf("all %d answers for %s point at disconnected peers; returning the original list", dropped, question.Name)
-		return records
-	}
-	logger.Tracef("dropped %d disconnected-peer answer(s) for %s, returning %d", dropped, question.Name, len(kept))
-	return kept
-}
-
-// extractRecordIP returns the dotted-decimal / colon-hex IP carried by
-// an A or AAAA record, or "" for any other record type.
-func extractRecordIP(rr dns.RR) string {
-	switch r := rr.(type) {
-	case *dns.A:
-		if r.A == nil {
-			return ""
-		}
-		return r.A.String()
-	case *dns.AAAA:
-		if r.AAAA == nil {
-			return ""
-		}
-		return r.AAAA.String()
-	}
-	return ""
-}
-
 // Update replaces all zones and their records
 func (d *Resolver) Update(customZones []nbdns.CustomZone) {
 	d.mu.Lock()

client/internal/dns/local/local_test.go

@@ -30,21 +30,6 @@ func (m *mockResolver) LookupNetIP(ctx context.Context, network, host string) ([
 	return nil, nil
 }
 
-// mockPeerConnectivity returns canned (known, connected) results per IP.
-// Used by the disconnected-peer filter tests below. IPs not in the map
-// are reported as unknown so the filter leaves them alone.
-type mockPeerConnectivity struct {
-	byIP map[string]struct{ known, connected bool }
-}
-
-func (m mockPeerConnectivity) IsConnectedByIP(ip string) (known, connected bool) {
-	v, ok := m.byIP[ip]
-	if !ok {
-		return false, false
-	}
-	return v.known, v.connected
-}
-
 func TestLocalResolver_ServeDNS(t *testing.T) {
 	recordA := nbdns.SimpleRecord{
 		Name:  "peera.netbird.cloud.",
@@ -2667,114 +2652,3 @@ func BenchmarkIsInManagedZone_ManyZones(b *testing.B) {
 		resolver.isInManagedZone(qname)
 	}
 }
-
-// TestLocalResolver_FilterDisconnectedPeerAnswers verifies the
-// connectivity-aware filtering layered on top of lookupRecords:
-// when an A record's IP belongs to a known peer that's disconnected,
-// the record is dropped from the answer. Records for unknown IPs pass
-// through. If filtering would empty the answer entirely and at least
-// one record was dropped, the original list is restored (escape hatch
-// for the "all proxies offline" case).
-func TestLocalResolver_FilterDisconnectedPeerAnswers(t *testing.T) {
-	zone := "svc.cluster.netbird."
-	connectedRec := nbdns.SimpleRecord{
-		Name:  zone,
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   5,
-		RData: "100.64.0.10",
-	}
-	disconnectedRec := nbdns.SimpleRecord{
-		Name:  zone,
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   5,
-		RData: "100.64.0.11",
-	}
-	unknownRec := nbdns.SimpleRecord{
-		Name:  zone,
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   5,
-		RData: "203.0.113.5",
-	}
-
-	type ipState struct{ known, connected bool }
-	tests := []struct {
-		name        string
-		records     []nbdns.SimpleRecord
-		connByIP    map[string]ipState
-		wantInOrder []string
-	}{
-		{
-			name:    "drops disconnected peer, keeps connected",
-			records: []nbdns.SimpleRecord{connectedRec, disconnectedRec},
-			connByIP: map[string]ipState{
-				"100.64.0.10": {known: true, connected: true},
-				"100.64.0.11": {known: true, connected: false},
-			},
-			wantInOrder: []string{"100.64.0.10"},
-		},
-		{
-			name:    "unknown IPs pass through untouched",
-			records: []nbdns.SimpleRecord{unknownRec, disconnectedRec},
-			connByIP: map[string]ipState{
-				"100.64.0.11": {known: true, connected: false},
-			},
-			wantInOrder: []string{"203.0.113.5"},
-		},
-		{
-			name:    "all disconnected falls back to original list",
-			records: []nbdns.SimpleRecord{disconnectedRec, connectedRec},
-			connByIP: map[string]ipState{
-				"100.64.0.10": {known: true, connected: false},
-				"100.64.0.11": {known: true, connected: false},
-			},
-			wantInOrder: []string{"100.64.0.11", "100.64.0.10"},
-		},
-		{
-			name:        "no checker wired returns all records",
-			records:     []nbdns.SimpleRecord{connectedRec, disconnectedRec},
-			connByIP:    nil,
-			wantInOrder: []string{"100.64.0.10", "100.64.0.11"},
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			resolver := NewResolver()
-			if tc.connByIP != nil {
-				cm := mockPeerConnectivity{byIP: make(map[string]struct{ known, connected bool }, len(tc.connByIP))}
-				for ip, st := range tc.connByIP {
-					cm.byIP[ip] = struct{ known, connected bool }{st.known, st.connected}
-				}
-				resolver.SetPeerConnectivity(cm)
-			}
-			resolver.Update([]nbdns.CustomZone{{
-				Domain:           strings.TrimSuffix(zone, "."),
-				Records:          tc.records,
-				NonAuthoritative: true,
-			}})
-
-			var got *dns.Msg
-			writer := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					got = m
-					return nil
-				},
-			}
-			req := new(dns.Msg).SetQuestion(zone, dns.TypeA)
-			resolver.ServeDNS(writer, req)
-
-			require.NotNil(t, got, "resolver must produce a response")
-			require.Len(t, got.Answer, len(tc.wantInOrder),
-				"answer count must match expected: %v", tc.wantInOrder)
-			for i, want := range tc.wantInOrder {
-				a, ok := got.Answer[i].(*dns.A)
-				require.True(t, ok, "answer[%d] must be an A record", i)
-				assert.Equal(t, want, a.A.String(),
-					"answer[%d] expected %s got %s", i, want, a.A.String())
-			}
-		})
-	}
-}

client/internal/dns/server.go

@@ -301,11 +301,6 @@ func newDefaultServer(
 		warningDelayBase:  defaultWarningDelayBase,
 		healthRefresh:     make(chan struct{}, 1),
 	}
-	// Wire the local resolver against the peer status recorder so it can
-	// suppress A/AAAA answers that point at disconnected peers (typical
-	// case: synthesised private-service records pointing at an embedded
-	// proxy peer that just went offline).
-	defaultServer.localResolver.SetPeerConnectivity(localPeerConnectivity{statusRecorder})
 
 	// register with root zone, handler chain takes care of the routing
 	dnsService.RegisterMux(".", handlerChain)
@@ -1391,25 +1386,3 @@ func (s *DefaultServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	}
 	return nil
 }
-
-// localPeerConnectivity adapts *peer.Status to local.PeerConnectivity so
-// the local resolver can ask "is this IP a known peer and is it
-// connected?" without taking on the peer package as a dependency.
-// A nil status recorder always reports known=false so the resolver
-// short-circuits to the legacy "return everything" path.
-type localPeerConnectivity struct {
-	status *peer.Status
-}
-
-// IsConnectedByIP looks the IP up in the peerstore and surfaces both
-// the known and connected bits. Used by Resolver.filterDisconnectedPeerAnswers.
-func (l localPeerConnectivity) IsConnectedByIP(ip string) (known, connected bool) {
-	if l.status == nil {
-		return false, false
-	}
-	state, ok := l.status.PeerStateByIP(ip)
-	if !ok {
-		return false, false
-	}
-	return true, state.ConnStatus == peer.StatusConnected
-}

client/internal/engine.go

@@ -1967,29 +1967,6 @@ func (e *Engine) GetClientMetrics() *metrics.ClientMetrics {
 	return e.clientMetrics
 }
 
-// Performance bundles runtime-adjustable tunnel pool knobs.
-// See Engine.SetPerformance. Nil fields are ignored.
-type Performance struct {
-	PreallocatedBuffersPerPool *uint32
-}
-
-// SetPerformance applies the given tuning to this engine's live Device.
-func (e *Engine) SetPerformance(t Performance) error {
-	e.syncMsgMux.Lock()
-	defer e.syncMsgMux.Unlock()
-	if e.wgInterface == nil {
-		return fmt.Errorf("wg interface not initialized")
-	}
-	dev := e.wgInterface.GetWGDevice()
-	if dev == nil {
-		return fmt.Errorf("wg device not initialized")
-	}
-	if t.PreallocatedBuffersPerPool != nil {
-		dev.SetPreallocatedBuffersPerPool(*t.PreallocatedBuffersPerPool)
-	}
-	return nil
-}
-
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {
 	iface, err := net.InterfaceByName(ifaceName)
 	if err != nil {

client/internal/engine_test.go

@@ -27,7 +27,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/management/server/job"
 
-	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
+	"github.com/netbirdio/management-integrations/integrations"
 
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
@@ -66,8 +66,8 @@ import (
 	"github.com/netbirdio/netbird/route"
 	mgmt "github.com/netbirdio/netbird/shared/management/client"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
-	"github.com/netbirdio/netbird/shared/netiputil"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
+	"github.com/netbirdio/netbird/shared/netiputil"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	"github.com/netbirdio/netbird/shared/signal/proto"
 	signalServer "github.com/netbirdio/netbird/signal/server"
@@ -1641,7 +1641,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 		return nil, "", err
 	}
 
-	ia, _ := validator.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore, cacheStore)
+	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore, cacheStore)
 
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)

client/internal/networkmonitor/check_change_common.go

@@ -50,7 +50,7 @@ func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Next
 		switch msg.Type {
 		// handle route changes
 		case unix.RTM_ADD, syscall.RTM_DELETE:
-			route, flags, err := parseRouteMessage(buf[:n])
+			route, err := parseRouteMessage(buf[:n])
 			if err != nil {
 				log.Debugf("Network monitor: error parsing routing message: %v", err)
 				continue
@@ -66,10 +66,6 @@ func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Next
 			}
 			switch msg.Type {
 			case unix.RTM_ADD:
-				if systemops.IgnoreAddedDefaultRoute(flags) {
-					log.Debugf("Network monitor: ignoring added default route via %s, interface %s, flags %#x", route.Gw, intf, flags)
-					continue
-				}
 				log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
 				return nil
 			case unix.RTM_DELETE:
@@ -82,26 +78,22 @@ func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Next
 	}
 }
 
-func parseRouteMessage(buf []byte) (*systemops.Route, int, error) {
+func parseRouteMessage(buf []byte) (*systemops.Route, error) {
 	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
 	if err != nil {
-		return nil, 0, fmt.Errorf("parse RIB: %v", err)
+		return nil, fmt.Errorf("parse RIB: %v", err)
 	}
 
 	if len(msgs) != 1 {
-		return nil, 0, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
+		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
 	}
 
 	msg, ok := msgs[0].(*route.RouteMessage)
 	if !ok {
-		return nil, 0, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
+		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
 	}
 
-	r, err := systemops.MsgToRoute(msg)
-	if err != nil {
-		return nil, 0, err
-	}
-	return r, msg.Flags, nil
+	return systemops.MsgToRoute(msg)
 }
 
 // waitReadable blocks until fd has data to read, or ctx is cancelled.

client/internal/peer/status.go

@@ -185,12 +185,9 @@ func (s *StatusChangeSubscription) Events() chan map[string]RouterState {
 	return s.eventsChan
 }
 
-// Status holds a state of peers, signal, management connections and relays.
-// mux is an RWMutex so hot read paths (notably PeerStateByIP, called for
-// every private-service request) don't contend against each other.
-// Pure read methods take RLock; anything that mutates state takes Lock.
+// Status holds a state of peers, signal, management connections and relays
 type Status struct {
-	mux                   sync.RWMutex
+	mux                   sync.Mutex
 	peers                 map[string]State
 	changeNotify          map[string]map[string]*StatusChangeSubscription // map[peerID]map[subscriptionID]*StatusChangeSubscription
 	signalState           bool
@@ -286,8 +283,8 @@ func (d *Status) AddPeer(peerPubKey string, fqdn string, ip string, ipv6 string)
 
 // GetPeer adds peer to Daemon status map
 func (d *Status) GetPeer(peerPubKey string) (State, error) {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 
 	state, ok := d.peers[peerPubKey]
 	if !ok {
@@ -297,8 +294,8 @@ func (d *Status) GetPeer(peerPubKey string) (State, error) {
 }
 
 func (d *Status) PeerByIP(ip string) (string, bool) {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 
 	for _, state := range d.peers {
 		if state.IP == ip {
@@ -308,25 +305,6 @@ func (d *Status) PeerByIP(ip string) (string, bool) {
 	return "", false
 }
 
-// PeerStateByIP returns the full peer State for the given tunnel IP.
-// Matches against either the IPv4 (State.IP) or IPv6 (State.IPv6) tunnel
-// address so dual-stack peers are reachable on either family. Returns the
-// zero State and false when no peer matches or the input is empty.
-func (d *Status) PeerStateByIP(ip string) (State, bool) {
-	if ip == "" {
-		return State{}, false
-	}
-	d.mux.RLock()
-	defer d.mux.RUnlock()
-
-	for _, state := range d.peers {
-		if (state.IP != "" && state.IP == ip) || (state.IPv6 != "" && state.IPv6 == ip) {
-			return state, true
-		}
-	}
-	return State{}, false
-}
-
 // RemovePeer removes peer from Daemon status map
 func (d *Status) RemovePeer(peerPubKey string) error {
 	d.mux.Lock()
@@ -724,8 +702,8 @@ func (d *Status) UnsubscribePeerStateChanges(subscription *StatusChangeSubscript
 
 // GetLocalPeerState returns the local peer state
 func (d *Status) GetLocalPeerState() LocalPeerState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return d.localPeer.Clone()
 }
 
@@ -931,8 +909,8 @@ func (d *Status) DeleteResolvedDomainsStates(domain domain.Domain) {
 }
 
 func (d *Status) GetRosenpassState() RosenpassState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return RosenpassState{
 		d.rosenpassEnabled,
 		d.rosenpassPermissive,
@@ -940,14 +918,14 @@ func (d *Status) GetRosenpassState() RosenpassState {
 }
 
 func (d *Status) GetLazyConnection() bool {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return d.lazyConnectionEnabled
 }
 
 func (d *Status) GetManagementState() ManagementState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return ManagementState{
 		d.mgmAddress,
 		d.managementState,
@@ -973,8 +951,8 @@ func (d *Status) UpdateLatency(pubKey string, latency time.Duration) error {
 
 // IsLoginRequired determines if a peer's login has expired.
 func (d *Status) IsLoginRequired() bool {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 
 	// if peer is connected to the management then login is not expired
 	if d.managementState {
@@ -989,8 +967,8 @@ func (d *Status) IsLoginRequired() bool {
 }
 
 func (d *Status) GetSignalState() SignalState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return SignalState{
 		d.signalAddress,
 		d.signalState,
@@ -1000,8 +978,8 @@ func (d *Status) GetSignalState() SignalState {
 
 // GetRelayStates returns the stun/turn/permanent relay states
 func (d *Status) GetRelayStates() []relay.ProbeResult {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	if d.relayMgr == nil {
 		return d.relayStates
 	}
@@ -1030,8 +1008,8 @@ func (d *Status) GetRelayStates() []relay.ProbeResult {
 }
 
 func (d *Status) ForwardingRules() []firewall.ForwardRule {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	if d.ingressGwMgr == nil {
 		return nil
 	}
@@ -1040,16 +1018,16 @@ func (d *Status) ForwardingRules() []firewall.ForwardRule {
 }
 
 func (d *Status) GetDNSStates() []NSGroupState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 
 	// shallow copy is good enough, as slices fields are currently not updated
 	return slices.Clone(d.nsGroupStates)
 }
 
 func (d *Status) GetResolvedDomainsStates() map[domain.Domain]ResolvedDomainInfo {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return maps.Clone(d.resolvedDomainsStates)
 }
 
@@ -1065,8 +1043,8 @@ func (d *Status) GetFullStatus() FullStatus {
 		LazyConnectionEnabled: d.GetLazyConnection(),
 	}
 
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 
 	fullStatus.LocalPeerState = d.localPeer
 
@@ -1241,8 +1219,8 @@ func (d *Status) SetWgIface(wgInterface WGIfaceStatus) {
 }
 
 func (d *Status) PeersStatus() (*configurer.Stats, error) {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	if d.wgIface == nil {
 		return nil, fmt.Errorf("wgInterface is nil, cannot retrieve peers status")
 	}

client/internal/peer/status_test.go

@@ -63,33 +63,6 @@ func TestUpdatePeerState(t *testing.T) {
 	assert.Equal(t, ip, state.IP, "ip should be equal")
 }
 
-func TestStatus_PeerStateByIP(t *testing.T) {
-	status := NewRecorder("https://mgm")
-	req := require.New(t)
-
-	req.NoError(status.AddPeer("pk-1", "peer-1.netbird", "100.64.0.10", ""))
-	req.NoError(status.AddPeer("pk-2", "peer-2.netbird", "100.64.0.11", ""))
-
-	state, ok := status.PeerStateByIP("100.64.0.10")
-	req.True(ok, "known tunnel IP should resolve to a peer state")
-	req.Equal("pk-1", state.PubKey, "matching state must carry the right pub key")
-	req.Equal("peer-1.netbird", state.FQDN, "matching state must carry the right FQDN")
-
-	_, ok = status.PeerStateByIP("100.64.0.99")
-	req.False(ok, "unknown IP must report ok=false")
-}
-
-func TestStatus_PeerStateByIP_MatchesIPv6(t *testing.T) {
-	status := NewRecorder("https://mgm")
-	req := require.New(t)
-
-	req.NoError(status.AddPeer("pk-1", "peer-1.netbird", "100.64.0.10", "fd00::1"))
-
-	state, ok := status.PeerStateByIP("fd00::1")
-	req.True(ok, "IPv6-only match must resolve to the peer state")
-	req.Equal("pk-1", state.PubKey, "matching state must carry the right pub key")
-}
-
 func TestStatus_UpdatePeerFQDN(t *testing.T) {
 	key := "abc"
 	fqdn := "peer-a.netbird.local"

client/internal/routemanager/manager.go

@@ -738,10 +738,7 @@ func (m *DefaultManager) collectExitNodeInfo(clientRoutes route.HAMap) exitNodeI
 }
 
 func (m *DefaultManager) isExitNodeRoute(routes []*route.Route) bool {
-	if len(routes) == 0 {
-		return false
-	}
-	return route.IsV4DefaultRoute(routes[0].Network) || route.IsV6DefaultRoute(routes[0].Network)
+	return len(routes) > 0 && routes[0].Network.String() == vars.ExitNodeCIDR
 }
 
 func (m *DefaultManager) categorizeUserSelection(netID route.NetID, info *exitNodeInfo) {

client/internal/routemanager/systemops/routeflags_addfilter_bsd.go

@@ -1,9 +0,0 @@
-//go:build dragonfly || freebsd || netbsd || openbsd
-
-package systemops
-
-// IgnoreAddedDefaultRoute reports whether an RTM_ADD default route with the
-// given flags should be ignored by the network monitor.
-func IgnoreAddedDefaultRoute(flags int) bool {
-	return filterRoutesByFlags(flags)
-}

client/internal/routemanager/systemops/routeflags_addfilter_darwin.go

@@ -1,21 +0,0 @@
-//go:build darwin
-
-package systemops
-
-import "golang.org/x/sys/unix"
-
-// IgnoreAddedDefaultRoute reports whether an RTM_ADD default route with the
-// given flags should be ignored by the network monitor. Scoped routes
-// (RTF_IFSCOPE) are tied to a specific interface index and cannot replace the
-// unscoped default the kernel uses for general egress, so flapping ones (e.g.
-// Wi-Fi calling IMS tunnels on ipsec0, Docker bridges, scoped utun defaults)
-// must not trigger an engine restart.
-func IgnoreAddedDefaultRoute(flags int) bool {
-	if filterRoutesByFlags(flags) {
-		return true
-	}
-	if flags&unix.RTF_IFSCOPE != 0 {
-		return true
-	}
-	return false
-}

client/internal/routeselector/routeselector.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"slices"
-	"strings"
 	"sync"
 
 	"github.com/hashicorp/go-multierror"
@@ -13,6 +12,10 @@ import (
 	"github.com/netbirdio/netbird/route"
 )
 
+const (
+	exitNodeCIDR = "0.0.0.0/0"
+)
+
 type RouteSelector struct {
 	mu               sync.RWMutex
 	deselectedRoutes map[route.NetID]struct{}
@@ -121,7 +124,13 @@ func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
 	rs.mu.RLock()
 	defer rs.mu.RUnlock()
 
-	return rs.isSelectedLocked(routeID)
+	if rs.deselectAll {
+		return false
+	}
+
+	_, deselected := rs.deselectedRoutes[routeID]
+	isSelected := !deselected
+	return isSelected
 }
 
 // FilterSelected removes unselected routes from the provided map.
@@ -135,22 +144,23 @@ func (rs *RouteSelector) FilterSelected(routes route.HAMap) route.HAMap {
 
 	filtered := route.HAMap{}
 	for id, rt := range routes {
-		if !rs.isDeselectedLocked(id.NetID()) {
+		netID := id.NetID()
+		_, deselected := rs.deselectedRoutes[netID]
+		if !deselected {
 			filtered[id] = rt
 		}
 	}
 	return filtered
 }
 
-// HasUserSelectionForRoute returns true if the user has explicitly selected or deselected this route.
-// Intended for exit-node code paths: a v6 exit-node pair (e.g. "MyExit-v6") with no explicit state of
-// its own inherits its v4 base's state, so legacy persisted selections that predate v6 pairing
-// transparently apply to the synthesized v6 entry.
+// HasUserSelectionForRoute returns true if the user has explicitly selected or deselected this specific route
 func (rs *RouteSelector) HasUserSelectionForRoute(routeID route.NetID) bool {
 	rs.mu.RLock()
 	defer rs.mu.RUnlock()
 
-	return rs.hasUserSelectionForRouteLocked(rs.effectiveNetID(routeID))
+	_, selected := rs.selectedRoutes[routeID]
+	_, deselected := rs.deselectedRoutes[routeID]
+	return selected || deselected
 }
 
 func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap {
@@ -164,7 +174,7 @@ func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap
 	filtered := make(route.HAMap, len(routes))
 	for id, rt := range routes {
 		netID := id.NetID()
-		if rs.isDeselectedLocked(netID) {
+		if rs.isDeselected(netID) {
 			continue
 		}
 
@@ -179,48 +189,13 @@ func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap
 	return filtered
 }
 
-// effectiveNetID returns the v4 base for a "-v6" exit pair entry that has no explicit
-// state of its own, so selections made on the v4 entry govern the v6 entry automatically.
-// Only call this from exit-node-specific code paths: applying it to a non-exit "-v6" route
-// would make it inherit unrelated v4 state. Must be called with rs.mu held.
-func (rs *RouteSelector) effectiveNetID(id route.NetID) route.NetID {
-	name := string(id)
-	if !strings.HasSuffix(name, route.V6ExitSuffix) {
-		return id
-	}
-	if _, ok := rs.selectedRoutes[id]; ok {
-		return id
-	}
-	if _, ok := rs.deselectedRoutes[id]; ok {
-		return id
-	}
-	return route.NetID(strings.TrimSuffix(name, route.V6ExitSuffix))
-}
-
-func (rs *RouteSelector) isSelectedLocked(routeID route.NetID) bool {
-	if rs.deselectAll {
-		return false
-	}
-	_, deselected := rs.deselectedRoutes[routeID]
-	return !deselected
-}
-
-func (rs *RouteSelector) isDeselectedLocked(netID route.NetID) bool {
-	if rs.deselectAll {
-		return true
-	}
+func (rs *RouteSelector) isDeselected(netID route.NetID) bool {
 	_, deselected := rs.deselectedRoutes[netID]
-	return deselected
-}
-
-func (rs *RouteSelector) hasUserSelectionForRouteLocked(routeID route.NetID) bool {
-	_, selected := rs.selectedRoutes[routeID]
-	_, deselected := rs.deselectedRoutes[routeID]
-	return selected || deselected
+	return deselected || rs.deselectAll
 }
 
 func isExitNode(rt []*route.Route) bool {
-	return len(rt) > 0 && (route.IsV4DefaultRoute(rt[0].Network) || route.IsV6DefaultRoute(rt[0].Network))
+	return len(rt) > 0 && rt[0].Network.String() == exitNodeCIDR
 }
 
 func (rs *RouteSelector) applyExitNodeFilter(
@@ -229,23 +204,26 @@ func (rs *RouteSelector) applyExitNodeFilter(
 	rt []*route.Route,
 	out route.HAMap,
 ) {
-	// Exit-node path: apply the v4/v6 pair mirror so a deselect on the v4 base also
-	// drops the synthesized v6 entry that lacks its own explicit state.
-	effective := rs.effectiveNetID(netID)
-	if rs.hasUserSelectionForRouteLocked(effective) {
-		if rs.isSelectedLocked(effective) {
+
+	if rs.hasUserSelections() {
+		// user made explicit selects/deselects
+		if rs.IsSelected(netID) {
 			out[id] = rt
 		}
 		return
 	}
 
-	// no explicit selection for this route: defer to management's SkipAutoApply flag
+	// no explicit selections: only include routes marked !SkipAutoApply (=AutoApply)
 	sel := collectSelected(rt)
 	if len(sel) > 0 {
 		out[id] = sel
 	}
 }
 
+func (rs *RouteSelector) hasUserSelections() bool {
+	return len(rs.selectedRoutes) > 0 || len(rs.deselectedRoutes) > 0
+}
+
 func collectSelected(rt []*route.Route) []*route.Route {
 	var sel []*route.Route
 	for _, r := range rt {

client/internal/routeselector/routeselector_test.go

@@ -330,137 +330,6 @@ func TestRouteSelector_FilterSelectedExitNodes(t *testing.T) {
 	assert.Len(t, filtered, 0) // No routes should be selected
 }
 
-// TestRouteSelector_V6ExitPairInherits covers the v4/v6 exit-node pair selection
-// mirror. The mirror is scoped to exit-node code paths: HasUserSelectionForRoute
-// and FilterSelectedExitNodes resolve a "-v6" entry without explicit state to its
-// v4 base, so legacy persisted selections that predate v6 pairing transparently
-// apply to the synthesized v6 entry. General lookups (IsSelected, FilterSelected)
-// stay literal so unrelated routes named "*-v6" don't inherit unrelated state.
-func TestRouteSelector_V6ExitPairInherits(t *testing.T) {
-	all := []route.NetID{"exit1", "exit1-v6", "exit2", "exit2-v6", "corp", "corp-v6"}
-
-	t.Run("HasUserSelectionForRoute mirrors deselected v4 base", func(t *testing.T) {
-		rs := routeselector.NewRouteSelector()
-		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
-
-		assert.True(t, rs.HasUserSelectionForRoute("exit1-v6"), "v6 pair sees v4 base's user selection")
-
-		// unrelated v6 with no v4 base touched is unaffected
-		assert.False(t, rs.HasUserSelectionForRoute("exit2-v6"))
-	})
-
-	t.Run("IsSelected stays literal for non-exit lookups", func(t *testing.T) {
-		rs := routeselector.NewRouteSelector()
-		require.NoError(t, rs.DeselectRoutes([]route.NetID{"corp"}, all))
-
-		// A non-exit route literally named "corp-v6" must not inherit "corp"'s state
-		// via the mirror; the mirror only applies in exit-node code paths.
-		assert.False(t, rs.IsSelected("corp"))
-		assert.True(t, rs.IsSelected("corp-v6"), "non-exit *-v6 routes must not inherit unrelated v4 state")
-	})
-
-	t.Run("explicit v6 state overrides v4 base in filter", func(t *testing.T) {
-		rs := routeselector.NewRouteSelector()
-		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
-		require.NoError(t, rs.SelectRoutes([]route.NetID{"exit1-v6"}, true, all))
-
-		v4Route := &route.Route{NetID: "exit1", Network: netip.MustParsePrefix("0.0.0.0/0")}
-		v6Route := &route.Route{NetID: "exit1-v6", Network: netip.MustParsePrefix("::/0")}
-		routes := route.HAMap{
-			"exit1|0.0.0.0/0": {v4Route},
-			"exit1-v6|::/0":   {v6Route},
-		}
-
-		filtered := rs.FilterSelectedExitNodes(routes)
-		assert.NotContains(t, filtered, route.HAUniqueID("exit1|0.0.0.0/0"))
-		assert.Contains(t, filtered, route.HAUniqueID("exit1-v6|::/0"), "explicit v6 select wins over v4 base")
-	})
-
-	t.Run("non-v6-suffix routes unaffected", func(t *testing.T) {
-		rs := routeselector.NewRouteSelector()
-		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
-
-		// A route literally named "exit1-something" must not pair-resolve.
-		assert.False(t, rs.HasUserSelectionForRoute("exit1-something"))
-	})
-
-	t.Run("filter v6 paired with deselected v4 base", func(t *testing.T) {
-		rs := routeselector.NewRouteSelector()
-		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
-
-		v4Route := &route.Route{NetID: "exit1", Network: netip.MustParsePrefix("0.0.0.0/0")}
-		v6Route := &route.Route{NetID: "exit1-v6", Network: netip.MustParsePrefix("::/0")}
-		routes := route.HAMap{
-			"exit1|0.0.0.0/0": {v4Route},
-			"exit1-v6|::/0":   {v6Route},
-		}
-
-		filtered := rs.FilterSelectedExitNodes(routes)
-		assert.Empty(t, filtered, "deselecting v4 base must also drop the v6 pair")
-	})
-
-	t.Run("non-exit *-v6 routes pass through FilterSelectedExitNodes", func(t *testing.T) {
-		rs := routeselector.NewRouteSelector()
-		require.NoError(t, rs.DeselectRoutes([]route.NetID{"corp"}, all))
-
-		// A non-default-route entry named "corp-v6" is not an exit node and
-		// must not be skipped because its v4 base "corp" is deselected.
-		corpV6 := &route.Route{NetID: "corp-v6", Network: netip.MustParsePrefix("10.0.0.0/8")}
-		routes := route.HAMap{
-			"corp-v6|10.0.0.0/8": {corpV6},
-		}
-
-		filtered := rs.FilterSelectedExitNodes(routes)
-		assert.Contains(t, filtered, route.HAUniqueID("corp-v6|10.0.0.0/8"),
-			"non-exit *-v6 routes must not inherit unrelated v4 state in FilterSelectedExitNodes")
-	})
-}
-
-// TestRouteSelector_SkipAutoApplyPerRoute verifies that management's
-// SkipAutoApply flag governs each untouched route independently, even when
-// the user has explicit selections on other routes.
-func TestRouteSelector_SkipAutoApplyPerRoute(t *testing.T) {
-	autoApplied := &route.Route{
-		NetID:         "Auto",
-		Network:       netip.MustParsePrefix("0.0.0.0/0"),
-		SkipAutoApply: false,
-	}
-	skipApply := &route.Route{
-		NetID:         "Skip",
-		Network:       netip.MustParsePrefix("0.0.0.0/0"),
-		SkipAutoApply: true,
-	}
-	routes := route.HAMap{
-		"Auto|0.0.0.0/0": {autoApplied},
-		"Skip|0.0.0.0/0": {skipApply},
-	}
-
-	rs := routeselector.NewRouteSelector()
-	// User makes an unrelated explicit selection elsewhere.
-	require.NoError(t, rs.DeselectRoutes([]route.NetID{"Unrelated"}, []route.NetID{"Auto", "Skip", "Unrelated"}))
-
-	filtered := rs.FilterSelectedExitNodes(routes)
-	assert.Contains(t, filtered, route.HAUniqueID("Auto|0.0.0.0/0"), "AutoApply route should be included")
-	assert.NotContains(t, filtered, route.HAUniqueID("Skip|0.0.0.0/0"), "SkipAutoApply route should be excluded without explicit user selection")
-}
-
-// TestRouteSelector_V6ExitIsExitNode verifies that ::/0 routes are recognized
-// as exit nodes by the selector's filter path.
-func TestRouteSelector_V6ExitIsExitNode(t *testing.T) {
-	v6Exit := &route.Route{
-		NetID:         "V6Only",
-		Network:       netip.MustParsePrefix("::/0"),
-		SkipAutoApply: true,
-	}
-	routes := route.HAMap{
-		"V6Only|::/0": {v6Exit},
-	}
-
-	rs := routeselector.NewRouteSelector()
-	filtered := rs.FilterSelectedExitNodes(routes)
-	assert.Empty(t, filtered, "::/0 should be treated as an exit node and respect SkipAutoApply")
-}
-
 func TestRouteSelector_NewRoutesBehavior(t *testing.T) {
 	initialRoutes := []route.NetID{"route1", "route2", "route3"}
 	newRoutes := []route.NetID{"route1", "route2", "route3", "route4", "route5"}

client/internal/sleep/detector_darwin.go

@@ -188,9 +188,7 @@ func (d *Detector) triggerCallback(event EventType, cb func(event EventType), do
 	}
 
 	doneChan := make(chan struct{})
-	// macOS forces sleep ~30s after kIOMessageSystemWillSleep, so block long
-	// enough for teardown to finish while staying under that deadline.
-	timeout := time.NewTimer(20 * time.Second)
+	timeout := time.NewTimer(500 * time.Millisecond)
 	defer timeout.Stop()
 
 	go func() {

client/proto/generate.sh

@@ -13,11 +13,5 @@ script_path=$(dirname $(realpath "$0"))
 cd "$script_path"
 go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.36.6
 go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1
-go install github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway@v2.26.3
-protoc -I ./ ./daemon.proto \
-  --go_out=../ \
-  --go-grpc_out=../ \
-  --grpc-gateway_out=../ \
-  --grpc-gateway_opt=generate_unbound_methods=true \
-  --experimental_allow_proto3_optional
+protoc -I ./ ./daemon.proto --go_out=../ --go-grpc_out=../ --experimental_allow_proto3_optional
 cd "$old_pwd"

client/server/server_test.go

@@ -13,7 +13,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/otel"
 
-	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
+	"github.com/netbirdio/management-integrations/integrations"
 
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
@@ -315,7 +315,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 		return nil, "", err
 	}
 
-	ia, _ := validator.NewIntegratedValidator(context.Background(), peersManager, settingsManagerMock, eventStore, cacheStore)
+	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, settingsManagerMock, eventStore, cacheStore)
 
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)

client/system/info_linux.go

@@ -3,14 +3,15 @@
 package system
 
 import (
+	"bytes"
 	"context"
 	"os"
+	"os/exec"
 	"regexp"
 	"runtime"
+	"strings"
 	"time"
 
-	"golang.org/x/sys/unix"
-
 	log "github.com/sirupsen/logrus"
 	"github.com/zcalusic/sysinfo"
 
@@ -28,11 +29,19 @@ func UpdateStaticInfoAsync() {
 
 // GetInfo retrieves and parses the system information
 func GetInfo(ctx context.Context) *Info {
-	kernelName, kernelVersion, kernelPlatform := kernelInfo()
+	info := _getInfo()
+	for strings.Contains(info, "broken pipe") {
+		info = _getInfo()
+		time.Sleep(500 * time.Millisecond)
+	}
+
+	osStr := strings.ReplaceAll(info, "\n", "")
+	osStr = strings.ReplaceAll(osStr, "\r\n", "")
+	osInfo := strings.Split(osStr, " ")
 
 	osName, osVersion := readOsReleaseFile()
 	if osName == "" {
-		osName = kernelName
+		osName = osInfo[3]
 	}
 
 	systemHostname, _ := os.Hostname()
@@ -49,8 +58,8 @@ func GetInfo(ctx context.Context) *Info {
 	}
 
 	gio := &Info{
-		Kernel:             kernelName,
-		Platform:           kernelPlatform,
+		Kernel:             osInfo[0],
+		Platform:           osInfo[2],
 		OS:                 osName,
 		OSVersion:          osVersion,
 		Hostname:           extractDeviceName(ctx, systemHostname),
@@ -58,7 +67,7 @@ func GetInfo(ctx context.Context) *Info {
 		CPUs:               runtime.NumCPU(),
 		NetbirdVersion:     version.NetbirdVersion(),
 		UIVersion:          extractUserAgent(ctx),
-		KernelVersion:      kernelVersion,
+		KernelVersion:      osInfo[1],
 		NetworkAddresses:   addrs,
 		SystemSerialNumber: si.SystemSerialNumber,
 		SystemProductName:  si.SystemProductName,
@@ -69,12 +78,18 @@ func GetInfo(ctx context.Context) *Info {
 	return gio
 }
 
-func kernelInfo() (string, string, string) {
-	var uts unix.Utsname
-	if err := unix.Uname(&uts); err != nil {
-		return "", "", ""
+func _getInfo() string {
+	cmd := exec.Command("uname", "-srio")
+	cmd.Stdin = strings.NewReader("some")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		log.Warnf("getInfo: %s", err)
 	}
-	return unix.ByteSliceToString(uts.Sysname[:]), unix.ByteSliceToString(uts.Release[:]), unix.ByteSliceToString(uts.Machine[:])
+	return out.String()
 }
 
 func sysInfo() (string, string, string) {

client/ui/network.go

@@ -193,15 +193,7 @@ func getOverlappingNetworks(routes []*proto.Network) []*proto.Network {
 }
 
 func isDefaultRoute(routeRange string) bool {
-	// routeRange is the merged display string from the daemon, e.g. "0.0.0.0/0",
-	// "::/0", or "0.0.0.0/0, ::/0" when a v4 exit node has a paired v6 entry.
-	for _, part := range strings.Split(routeRange, ",") {
-		switch strings.TrimSpace(part) {
-		case "0.0.0.0/0", "::/0":
-			return true
-		}
-	}
-	return false
+	return routeRange == "0.0.0.0/0" || routeRange == "::/0"
 }
 
 func getExitNodeNetworks(routes []*proto.Network) []*proto.Network {

client/wasm/internal/rdp/cert_validation.go

@@ -6,7 +6,6 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
-	"sync"
 	"syscall/js"
 	"time"
 
@@ -14,7 +13,7 @@ import (
 )
 
 const (
-	certValidationTimeout = 5 * time.Minute
+	certValidationTimeout = 60 * time.Second
 )
 
 func (p *RDCleanPathProxy) validateCertificateWithJS(conn *proxyConnection, certChain [][]byte) (bool, error) {
@@ -47,31 +46,17 @@ func (p *RDCleanPathProxy) validateCertificateWithJS(conn *proxyConnection, cert
 
 	promise := conn.wsHandlers.Call("onCertificateRequest", certInfo)
 
-	resultChan := make(chan bool, 1)
-	errorChan := make(chan error, 1)
+	resultChan := make(chan bool)
+	errorChan := make(chan error)
 
-	// Release from inside the callbacks so a post-timeout promise resolution
-	// does not invoke an already-released func.
-	var thenFn, catchFn js.Func
-	var releaseOnce sync.Once
-	release := func() {
-		releaseOnce.Do(func() {
-			thenFn.Release()
-			catchFn.Release()
-		})
-	}
-	thenFn = js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-		defer release()
-		resultChan <- args[0].Bool()
+	promise.Call("then", js.FuncOf(func(this js.Value, args []js.Value) interface{} {
+		result := args[0].Bool()
+		resultChan <- result
 		return nil
-	})
-	catchFn = js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-		defer release()
+	})).Call("catch", js.FuncOf(func(this js.Value, args []js.Value) interface{} {
 		errorChan <- fmt.Errorf("certificate validation failed")
 		return nil
-	})
-
-	promise.Call("then", thenFn).Call("catch", catchFn)
+	}))
 
 	select {
 	case result := <-resultChan:

client/wasm/internal/rdp/rdcleanpath.go

@@ -11,7 +11,6 @@ import (
 	"io"
 	"net"
 	"sync"
-	"sync/atomic"
 	"syscall/js"
 	"time"
 
@@ -58,8 +57,6 @@ type RDCleanPathProxy struct {
 	}
 	activeConnections map[string]*proxyConnection
 	destinations      map[string]string
-	pendingHandlers   map[string]js.Func
-	nextID            atomic.Uint64
 	mu                sync.Mutex
 }
 
@@ -69,15 +66,8 @@ type proxyConnection struct {
 	rdpConn     net.Conn
 	tlsConn     *tls.Conn
 	wsHandlers  js.Value
-	// Go-side callbacks exposed to JS. js.FuncOf pins the Go closure in a
-	// global handle map and MUST be released, otherwise every connection
-	// leaks the Go memory the closure captures.
-	wsHandlerFn  js.Func
-	onMessageFn  js.Func
-	onCloseFn    js.Func
-	cleanupOnce  sync.Once
-	ctx          context.Context
-	cancel       context.CancelFunc
+	ctx         context.Context
+	cancel      context.CancelFunc
 }
 
 // NewRDCleanPathProxy creates a new RDCleanPath proxy
@@ -90,11 +80,7 @@ func NewRDCleanPathProxy(client interface {
 	}
 }
 
-// CreateProxy creates a new proxy endpoint for the given destination.
-// The registered handler fn and its destinations/pendingHandlers entries are
-// only released once a connection is established and cleanupConnection runs.
-// If a caller invokes CreateProxy but never connects to the returned URL,
-// those entries stay pinned for the lifetime of the page.
+// CreateProxy creates a new proxy endpoint for the given destination
 func (p *RDCleanPathProxy) CreateProxy(hostname, port string) js.Value {
 	destination := net.JoinHostPort(hostname, port)
 
@@ -102,7 +88,7 @@ func (p *RDCleanPathProxy) CreateProxy(hostname, port string) js.Value {
 		resolve := args[0]
 
 		go func() {
-			proxyID := fmt.Sprintf("proxy_%d", p.nextID.Add(1))
+			proxyID := fmt.Sprintf("proxy_%d", len(p.activeConnections))
 
 			p.mu.Lock()
 			if p.destinations == nil {
@@ -114,7 +100,7 @@ func (p *RDCleanPathProxy) CreateProxy(hostname, port string) js.Value {
 			proxyURL := fmt.Sprintf("%s://%s/%s", RDCleanPathProxyScheme, RDCleanPathProxyHost, proxyID)
 
 			// Register the WebSocket handler for this specific proxy
-			handlerFn := js.FuncOf(func(_ js.Value, args []js.Value) any {
+			js.Global().Set(fmt.Sprintf("handleRDCleanPathWebSocket_%s", proxyID), js.FuncOf(func(_ js.Value, args []js.Value) any {
 				if len(args) < 1 {
 					return js.ValueOf("error: requires WebSocket argument")
 				}
@@ -122,14 +108,7 @@ func (p *RDCleanPathProxy) CreateProxy(hostname, port string) js.Value {
 				ws := args[0]
 				p.HandleWebSocketConnection(ws, proxyID)
 				return nil
-			})
-			p.mu.Lock()
-			if p.pendingHandlers == nil {
-				p.pendingHandlers = make(map[string]js.Func)
-			}
-			p.pendingHandlers[proxyID] = handlerFn
-			p.mu.Unlock()
-			js.Global().Set(fmt.Sprintf("handleRDCleanPathWebSocket_%s", proxyID), handlerFn)
+			}))
 
 			log.Infof("Created RDCleanPath proxy endpoint: %s for destination: %s", proxyURL, destination)
 			resolve.Invoke(proxyURL)
@@ -163,10 +142,6 @@ func (p *RDCleanPathProxy) HandleWebSocketConnection(ws js.Value, proxyID string
 
 	p.mu.Lock()
 	p.activeConnections[proxyID] = conn
-	if fn, ok := p.pendingHandlers[proxyID]; ok {
-		conn.wsHandlerFn = fn
-		delete(p.pendingHandlers, proxyID)
-	}
 	p.mu.Unlock()
 
 	p.setupWebSocketHandlers(ws, conn)
@@ -175,7 +150,7 @@ func (p *RDCleanPathProxy) HandleWebSocketConnection(ws js.Value, proxyID string
 }
 
 func (p *RDCleanPathProxy) setupWebSocketHandlers(ws js.Value, conn *proxyConnection) {
-	conn.onMessageFn = js.FuncOf(func(this js.Value, args []js.Value) any {
+	ws.Set("onGoMessage", js.FuncOf(func(this js.Value, args []js.Value) any {
 		if len(args) < 1 {
 			return nil
 		}
@@ -183,15 +158,13 @@ func (p *RDCleanPathProxy) setupWebSocketHandlers(ws js.Value, conn *proxyConnec
 		data := args[0]
 		go p.handleWebSocketMessage(conn, data)
 		return nil
-	})
-	ws.Set("onGoMessage", conn.onMessageFn)
+	}))
 
-	conn.onCloseFn = js.FuncOf(func(_ js.Value, args []js.Value) any {
+	ws.Set("onGoClose", js.FuncOf(func(_ js.Value, args []js.Value) any {
 		log.Debug("WebSocket closed by JavaScript")
 		conn.cancel()
 		return nil
-	})
-	ws.Set("onGoClose", conn.onCloseFn)
+	}))
 }
 
 func (p *RDCleanPathProxy) handleWebSocketMessage(conn *proxyConnection, data js.Value) {
@@ -288,49 +261,25 @@ func (p *RDCleanPathProxy) handleDirectRDP(conn *proxyConnection, firstPacket []
 }
 
 func (p *RDCleanPathProxy) cleanupConnection(conn *proxyConnection) {
-	conn.cleanupOnce.Do(func() {
-		log.Debugf("Cleaning up connection %s", conn.id)
-		conn.cancel()
-		if conn.tlsConn != nil {
-			log.Debug("Closing TLS connection")
-			if err := conn.tlsConn.Close(); err != nil {
-				log.Debugf("Error closing TLS connection: %v", err)
-			}
-			conn.tlsConn = nil
+	log.Debugf("Cleaning up connection %s", conn.id)
+	conn.cancel()
+	if conn.tlsConn != nil {
+		log.Debug("Closing TLS connection")
+		if err := conn.tlsConn.Close(); err != nil {
+			log.Debugf("Error closing TLS connection: %v", err)
 		}
-		if conn.rdpConn != nil {
-			log.Debug("Closing TCP connection")
-			if err := conn.rdpConn.Close(); err != nil {
-				log.Debugf("Error closing TCP connection: %v", err)
-			}
-			conn.rdpConn = nil
+		conn.tlsConn = nil
+	}
+	if conn.rdpConn != nil {
+		log.Debug("Closing TCP connection")
+		if err := conn.rdpConn.Close(); err != nil {
+			log.Debugf("Error closing TCP connection: %v", err)
 		}
-		js.Global().Delete(fmt.Sprintf("handleRDCleanPathWebSocket_%s", conn.id))
-
-		// Detach before releasing so late JS calls surface as TypeError instead
-		// of silent "call to released function".
-		if conn.wsHandlers.Truthy() {
-			conn.wsHandlers.Set("onGoMessage", js.Undefined())
-			conn.wsHandlers.Set("onGoClose", js.Undefined())
-		}
-
-		// wsHandlerFn may be zero-value if the pending handler lookup missed.
-		if conn.wsHandlerFn.Truthy() {
-			conn.wsHandlerFn.Release()
-		}
-		if conn.onMessageFn.Truthy() {
-			conn.onMessageFn.Release()
-		}
-		if conn.onCloseFn.Truthy() {
-			conn.onCloseFn.Release()
-		}
-
-		p.mu.Lock()
-		delete(p.activeConnections, conn.id)
-		delete(p.destinations, conn.id)
-		delete(p.pendingHandlers, conn.id)
-		p.mu.Unlock()
-	})
+		conn.rdpConn = nil
+	}
+	p.mu.Lock()
+	delete(p.activeConnections, conn.id)
+	p.mu.Unlock()
 }
 
 func (p *RDCleanPathProxy) sendToWebSocket(conn *proxyConnection, data []byte) {

client/wasm/internal/ssh/handlers.go

@@ -13,7 +13,7 @@ import (
 func CreateJSInterface(client *Client) js.Value {
 	jsInterface := js.Global().Get("Object").Call("create", js.Null())
 
-	writeFunc := js.FuncOf(func(this js.Value, args []js.Value) any {
+	jsInterface.Set("write", js.FuncOf(func(this js.Value, args []js.Value) any {
 		if len(args) < 1 {
 			return js.ValueOf(false)
 		}
@@ -32,10 +32,9 @@ func CreateJSInterface(client *Client) js.Value {
 
 		_, err := client.Write(bytes)
 		return js.ValueOf(err == nil)
-	})
-	jsInterface.Set("write", writeFunc)
+	}))
 
-	resizeFunc := js.FuncOf(func(this js.Value, args []js.Value) any {
+	jsInterface.Set("resize", js.FuncOf(func(this js.Value, args []js.Value) any {
 		if len(args) < 2 {
 			return js.ValueOf(false)
 		}
@@ -43,26 +42,14 @@ func CreateJSInterface(client *Client) js.Value {
 		rows := args[1].Int()
 		err := client.Resize(cols, rows)
 		return js.ValueOf(err == nil)
-	})
-	jsInterface.Set("resize", resizeFunc)
+	}))
 
-	closeFunc := js.FuncOf(func(this js.Value, args []js.Value) any {
+	jsInterface.Set("close", js.FuncOf(func(this js.Value, args []js.Value) any {
 		client.Close()
 		return js.Undefined()
-	})
-	jsInterface.Set("close", closeFunc)
+	}))
 
-	go func() {
-		readLoop(client, jsInterface)
-		// Detach before releasing so late JS calls surface as TypeError instead
-		// of silent "call to released function".
-		jsInterface.Set("write", js.Undefined())
-		jsInterface.Set("resize", js.Undefined())
-		jsInterface.Set("close", js.Undefined())
-		writeFunc.Release()
-		resizeFunc.Release()
-		closeFunc.Release()
-	}()
+	go readLoop(client, jsInterface)
 
 	return jsInterface
 }

combined/cmd/root.go

@@ -332,7 +332,7 @@ func setupServerHooks(servers *serverInstances, cfg *CombinedConfig) {
 			log.Infof("Signal server registered on port %s", cfg.Server.ListenAddress)
 		}
 
-		s.SetHandlerFunc(createCombinedHandler(grpcSrv, s.APIHandler(), s.IDPHandler(), servers.relaySrv, servers.metricsServer.Meter, cfg))
+		s.SetHandlerFunc(createCombinedHandler(grpcSrv, s.APIHandler(), servers.relaySrv, servers.metricsServer.Meter, cfg))
 		if servers.relaySrv != nil {
 			log.Infof("Relay WebSocket handler added (path: /relay)")
 		}
@@ -521,7 +521,7 @@ func createManagementServer(cfg *CombinedConfig, mgmtConfig *nbconfig.Config) (*
 }
 
 // createCombinedHandler creates an HTTP handler that multiplexes Management, Signal (via wsproxy), and Relay WebSocket traffic
-func createCombinedHandler(grpcServer *grpc.Server, httpHandler http.Handler, idpHandler http.Handler, relaySrv *relayServer.Server, meter metric.Meter, cfg *CombinedConfig) http.Handler {
+func createCombinedHandler(grpcServer *grpc.Server, httpHandler http.Handler, relaySrv *relayServer.Server, meter metric.Meter, cfg *CombinedConfig) http.Handler {
 	wsProxy := wsproxyserver.New(grpcServer, wsproxyserver.WithOTelMeter(meter))
 
 	var relayAcceptFn func(conn listener.Conn)
@@ -556,10 +556,6 @@ func createCombinedHandler(grpcServer *grpc.Server, httpHandler http.Handler, id
 				http.Error(w, "Relay service not enabled", http.StatusNotFound)
 			}
 
-		// Embedded IdP (Dex)
-		case idpHandler != nil && strings.HasPrefix(r.URL.Path, "/oauth2"):
-			idpHandler.ServeHTTP(w, r)
-
 		// Management HTTP API (default)
 		default:
 			httpHandler.ServeHTTP(w, r)

go.mod

@@ -62,7 +62,6 @@ require (
 	github.com/google/nftables v0.3.0
 	github.com/gopacket/gopacket v1.1.1
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.2-0.20240212192251-757544f21357
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
 	github.com/hashicorp/go-version v1.7.0
@@ -325,7 +324,6 @@ require (
 	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/tools v0.43.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260319201613-d00831a3d3e7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
@@ -337,7 +335,7 @@ replace github.com/kardianos/service => github.com/netbirdio/service v0.0.0-2024
 
 replace github.com/getlantern/systray => github.com/netbirdio/systray v0.0.0-20231030152038-ef1ed2a27949
 
-replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-20260523085312-4b4a4e36017f
+replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-20260107100953-33b7c9d03db0
 
 replace github.com/cloudflare/circl => codeberg.org/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6
 

go.sum

@@ -499,8 +499,8 @@ github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9ax
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 h1:ujgviVYmx243Ksy7NdSwrdGPSRNE3pb8kEDSpH0QuAQ=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45/go.mod h1:5/sjFmLb8O96B5737VCqhHyGRzNFIaN/Bu7ZodXc3qQ=
-github.com/netbirdio/wireguard-go v0.0.0-20260523085312-4b4a4e36017f h1:ff2D57RBjWtyQ2wVwJOxOgXAXOe/J2lJWtSX0Bz/BRk=
-github.com/netbirdio/wireguard-go v0.0.0-20260523085312-4b4a4e36017f/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
+github.com/netbirdio/wireguard-go v0.0.0-20260107100953-33b7c9d03db0 h1:h/QnNzm7xzHPm+gajcblYUOclrW2FeNeDlUNj6tTWKQ=
+github.com/netbirdio/wireguard-go v0.0.0-20260107100953-33b7c9d03db0/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
 github.com/nicksnyder/go-i18n/v2 v2.5.1 h1:IxtPxYsR9Gp60cGXjfuR/llTqV8aYMsC472zD0D1vHk=

management/internals/modules/peers/ephemeral/manager/ephemeral.go

@@ -11,7 +11,6 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral"
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/telemetry"
 
 	"github.com/netbirdio/netbird/management/server/store"
 )
@@ -48,11 +47,6 @@ type EphemeralManager struct {
 
 	lifeTime      time.Duration
 	cleanupWindow time.Duration
-
-	// metrics is nil-safe; methods on telemetry.EphemeralPeersMetrics
-	// no-op when the receiver is nil so deployments without an app
-	// metrics provider work unchanged.
-	metrics *telemetry.EphemeralPeersMetrics
 }
 
 // NewEphemeralManager instantiate new EphemeralManager
@@ -66,15 +60,6 @@ func NewEphemeralManager(store store.Store, peersManager peers.Manager) *Ephemer
 	}
 }
 
-// SetMetrics attaches a metrics collector. Safe to call once before
-// LoadInitialPeers; later attachment is fine but earlier loads won't be
-// reflected in the gauge. Pass nil to detach.
-func (e *EphemeralManager) SetMetrics(m *telemetry.EphemeralPeersMetrics) {
-	e.peersLock.Lock()
-	e.metrics = m
-	e.peersLock.Unlock()
-}
-
 // LoadInitialPeers load from the database the ephemeral type of peers and schedule a cleanup procedure to the head
 // of the linked list (to the most deprecated peer). At the end of cleanup it schedules the next cleanup to the new
 // head.
@@ -112,9 +97,7 @@ func (e *EphemeralManager) OnPeerConnected(ctx context.Context, peer *nbpeer.Pee
 	e.peersLock.Lock()
 	defer e.peersLock.Unlock()
 
-	if e.removePeer(peer.ID) {
-		e.metrics.DecPending(1)
-	}
+	e.removePeer(peer.ID)
 
 	// stop the unnecessary timer
 	if e.headPeer == nil && e.timer != nil {
@@ -140,7 +123,6 @@ func (e *EphemeralManager) OnPeerDisconnected(ctx context.Context, peer *nbpeer.
 	}
 
 	e.addPeer(peer.AccountID, peer.ID, e.newDeadLine())
-	e.metrics.IncPending()
 	if e.timer == nil {
 		delay := e.headPeer.deadline.Sub(timeNow()) + e.cleanupWindow
 		if delay < 0 {
@@ -163,7 +145,6 @@ func (e *EphemeralManager) loadEphemeralPeers(ctx context.Context) {
 	for _, p := range peers {
 		e.addPeer(p.AccountID, p.ID, t)
 	}
-	e.metrics.AddPending(int64(len(peers)))
 
 	log.WithContext(ctx).Debugf("loaded ephemeral peer(s): %d", len(peers))
 }
@@ -200,15 +181,6 @@ func (e *EphemeralManager) cleanup(ctx context.Context) {
 
 	e.peersLock.Unlock()
 
-	// Drop the gauge by the number of entries we just took off the list,
-	// regardless of whether the subsequent DeletePeers call succeeds. The
-	// list invariant is what the gauge tracks; failed delete batches are
-	// counted separately via CountCleanupError so we can still see them.
-	if len(deletePeers) > 0 {
-		e.metrics.CountCleanupRun()
-		e.metrics.DecPending(int64(len(deletePeers)))
-	}
-
 	peerIDsPerAccount := make(map[string][]string)
 	for id, p := range deletePeers {
 		peerIDsPerAccount[p.accountID] = append(peerIDsPerAccount[p.accountID], id)
@@ -219,10 +191,7 @@ func (e *EphemeralManager) cleanup(ctx context.Context) {
 		err := e.peersManager.DeletePeers(ctx, accountID, peerIDs, activity.SystemInitiator, true)
 		if err != nil {
 			log.WithContext(ctx).Errorf("failed to delete ephemeral peers: %s", err)
-			e.metrics.CountCleanupError()
-			continue
 		}
-		e.metrics.CountPeersCleaned(int64(len(peerIDs)))
 	}
 }
 
@@ -242,12 +211,9 @@ func (e *EphemeralManager) addPeer(accountID string, peerID string, deadline tim
 	e.tailPeer = ep
 }
 
-// removePeer drops the entry from the linked list. Returns true if a
-// matching entry was found and removed so callers can keep the pending
-// metric gauge in sync.
-func (e *EphemeralManager) removePeer(id string) bool {
+func (e *EphemeralManager) removePeer(id string) {
 	if e.headPeer == nil {
-		return false
+		return
 	}
 
 	if e.headPeer.id == id {
@@ -255,7 +221,7 @@ func (e *EphemeralManager) removePeer(id string) bool {
 		if e.tailPeer.id == id {
 			e.tailPeer = nil
 		}
-		return true
+		return
 	}
 
 	for p := e.headPeer; p.next != nil; p = p.next {
@@ -265,10 +231,9 @@ func (e *EphemeralManager) removePeer(id string) bool {
 				e.tailPeer = p
 			}
 			p.next = p.next.next
-			return true
+			return
 		}
 	}
-	return false
 }
 
 func (e *EphemeralManager) isPeerOnList(id string) bool {

management/internals/modules/peers/manager.go

@@ -5,7 +5,6 @@ package peers
 import (
 	"context"
 	"fmt"
-	"net"
 	"time"
 
 	"github.com/rs/xid"
@@ -36,14 +35,6 @@ type Manager interface {
 	SetAccountManager(accountManager account.Manager)
 	GetPeerID(ctx context.Context, peerKey string) (string, error)
 	CreateProxyPeer(ctx context.Context, accountID string, peerKey string, cluster string) error
-	// GetPeerByTunnelIP looks up a peer in accountID by its WireGuard tunnel IP.
-	// Returns nil with an error when no match exists. No permission check;
-	// callers (the proxy's ValidateTunnelPeer RPC) are trusted server components.
-	GetPeerByTunnelIP(ctx context.Context, accountID string, ip net.IP) (*peer.Peer, error)
-	// GetPeerWithGroups returns the peer and the list of *types.Group it belongs
-	// to. Used by the proxy's auth path to authorise a request by the calling
-	// peer's group memberships.
-	GetPeerWithGroups(ctx context.Context, accountID, peerID string) (*peer.Peer, []*types.Group, error)
 }
 
 type managerImpl struct {
@@ -108,26 +99,6 @@ func (m *managerImpl) GetPeersByGroupIDs(ctx context.Context, accountID string,
 	return m.store.GetPeersByGroupIDs(ctx, accountID, groupsIDs)
 }
 
-// GetPeerByTunnelIP delegates to the store's indexed lookup.
-func (m *managerImpl) GetPeerByTunnelIP(ctx context.Context, accountID string, ip net.IP) (*peer.Peer, error) {
-	return m.store.GetPeerByIP(ctx, store.LockingStrengthNone, accountID, ip)
-}
-
-// GetPeerWithGroups returns the peer plus its group memberships. Any store
-// error returns (nil, nil, err) so callers never receive a valid peer
-// alongside a non-nil error.
-func (m *managerImpl) GetPeerWithGroups(ctx context.Context, accountID, peerID string) (*peer.Peer, []*types.Group, error) {
-	p, err := m.store.GetPeerByID(ctx, store.LockingStrengthNone, accountID, peerID)
-	if err != nil {
-		return nil, nil, err
-	}
-	groups, err := m.store.GetPeerGroups(ctx, store.LockingStrengthNone, accountID, peerID)
-	if err != nil {
-		return nil, nil, err
-	}
-	return p, groups, nil
-}
-
 func (m *managerImpl) DeletePeers(ctx context.Context, accountID string, peerIDs []string, userID string, checkConnected bool) error {
 	settings, err := m.store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {

management/internals/modules/peers/manager_mock.go

@@ -6,7 +6,6 @@ package peers
 
 import (
 	context "context"
-	net "net"
 	reflect "reflect"
 
 	gomock "github.com/golang/mock/gomock"
@@ -14,7 +13,6 @@ import (
 	account "github.com/netbirdio/netbird/management/server/account"
 	integrated_validator "github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
 	peer "github.com/netbirdio/netbird/management/server/peer"
-	types "github.com/netbirdio/netbird/management/server/types"
 )
 
 // MockManager is a mock of Manager interface.
@@ -40,20 +38,6 @@ func (m *MockManager) EXPECT() *MockManagerMockRecorder {
 	return m.recorder
 }
 
-// CreateProxyPeer mocks base method.
-func (m *MockManager) CreateProxyPeer(ctx context.Context, accountID, peerKey, cluster string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "CreateProxyPeer", ctx, accountID, peerKey, cluster)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// CreateProxyPeer indicates an expected call of CreateProxyPeer.
-func (mr *MockManagerMockRecorder) CreateProxyPeer(ctx, accountID, peerKey, cluster interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProxyPeer", reflect.TypeOf((*MockManager)(nil).CreateProxyPeer), ctx, accountID, peerKey, cluster)
-}
-
 // DeletePeers mocks base method.
 func (m *MockManager) DeletePeers(ctx context.Context, accountID string, peerIDs []string, userID string, checkConnected bool) error {
 	m.ctrl.T.Helper()
@@ -113,21 +97,6 @@ func (mr *MockManagerMockRecorder) GetPeerAccountID(ctx, peerID interface{}) *go
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPeerAccountID", reflect.TypeOf((*MockManager)(nil).GetPeerAccountID), ctx, peerID)
 }
 
-// GetPeerByTunnelIP mocks base method.
-func (m *MockManager) GetPeerByTunnelIP(ctx context.Context, accountID string, ip net.IP) (*peer.Peer, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetPeerByTunnelIP", ctx, accountID, ip)
-	ret0, _ := ret[0].(*peer.Peer)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetPeerByTunnelIP indicates an expected call of GetPeerByTunnelIP.
-func (mr *MockManagerMockRecorder) GetPeerByTunnelIP(ctx, accountID, ip interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPeerByTunnelIP", reflect.TypeOf((*MockManager)(nil).GetPeerByTunnelIP), ctx, accountID, ip)
-}
-
 // GetPeerID mocks base method.
 func (m *MockManager) GetPeerID(ctx context.Context, peerKey string) (string, error) {
 	m.ctrl.T.Helper()
@@ -143,22 +112,6 @@ func (mr *MockManagerMockRecorder) GetPeerID(ctx, peerKey interface{}) *gomock.C
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPeerID", reflect.TypeOf((*MockManager)(nil).GetPeerID), ctx, peerKey)
 }
 
-// GetPeerWithGroups mocks base method.
-func (m *MockManager) GetPeerWithGroups(ctx context.Context, accountID, peerID string) (*peer.Peer, []*types.Group, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetPeerWithGroups", ctx, accountID, peerID)
-	ret0, _ := ret[0].(*peer.Peer)
-	ret1, _ := ret[1].([]*types.Group)
-	ret2, _ := ret[2].(error)
-	return ret0, ret1, ret2
-}
-
-// GetPeerWithGroups indicates an expected call of GetPeerWithGroups.
-func (mr *MockManagerMockRecorder) GetPeerWithGroups(ctx, accountID, peerID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPeerWithGroups", reflect.TypeOf((*MockManager)(nil).GetPeerWithGroups), ctx, accountID, peerID)
-}
-
 // GetPeersByGroupIDs mocks base method.
 func (m *MockManager) GetPeersByGroupIDs(ctx context.Context, accountID string, groupsIDs []string) ([]*peer.Peer, error) {
 	m.ctrl.T.Helper()
@@ -209,3 +162,17 @@ func (mr *MockManagerMockRecorder) SetNetworkMapController(networkMapController
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNetworkMapController", reflect.TypeOf((*MockManager)(nil).SetNetworkMapController), networkMapController)
 }
+
+// CreateProxyPeer mocks base method.
+func (m *MockManager) CreateProxyPeer(ctx context.Context, accountID string, peerKey string, cluster string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "CreateProxyPeer", ctx, accountID, peerKey, cluster)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// CreateProxyPeer indicates an expected call of CreateProxyPeer.
+func (mr *MockManagerMockRecorder) CreateProxyPeer(ctx, accountID, peerKey, cluster interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProxyPeer", reflect.TypeOf((*MockManager)(nil).CreateProxyPeer), ctx, accountID, peerKey, cluster)
+}

management/internals/modules/reverseproxy/domain/domain.go

@@ -23,8 +23,6 @@ type Domain struct {
 	// SupportsCrowdSec is populated at query time from proxy cluster capabilities.
 	// Not persisted.
 	SupportsCrowdSec *bool `gorm:"-"`
-	// SupportsPrivate is populated at query time from proxy cluster capabilities. Not persisted.
-	SupportsPrivate *bool `gorm:"-"`
 }
 
 // EventMeta returns activity event metadata for a domain

management/internals/modules/reverseproxy/domain/manager/api.go

@@ -49,7 +49,6 @@ func domainToApi(d *domain.Domain) api.ReverseProxyDomain {
 		SupportsCustomPorts: d.SupportsCustomPorts,
 		RequireSubdomain:    d.RequireSubdomain,
 		SupportsCrowdsec:    d.SupportsCrowdSec,
-		SupportsPrivate:     d.SupportsPrivate,
 	}
 	if d.TargetCluster != "" {
 		resp.TargetCluster = &d.TargetCluster

management/internals/modules/reverseproxy/domain/manager/manager.go

@@ -35,7 +35,6 @@ type proxyManager interface {
 	ClusterSupportsCustomPorts(ctx context.Context, clusterAddr string) *bool
 	ClusterRequireSubdomain(ctx context.Context, clusterAddr string) *bool
 	ClusterSupportsCrowdSec(ctx context.Context, clusterAddr string) *bool
-	ClusterSupportsPrivate(ctx context.Context, clusterAddr string) *bool
 }
 
 type Manager struct {
@@ -94,7 +93,6 @@ func (m Manager) GetDomains(ctx context.Context, accountID, userID string) ([]*d
 		d.SupportsCustomPorts = m.proxyManager.ClusterSupportsCustomPorts(ctx, cluster)
 		d.RequireSubdomain = m.proxyManager.ClusterRequireSubdomain(ctx, cluster)
 		d.SupportsCrowdSec = m.proxyManager.ClusterSupportsCrowdSec(ctx, cluster)
-		d.SupportsPrivate = m.proxyManager.ClusterSupportsPrivate(ctx, cluster)
 		ret = append(ret, d)
 	}
 
@@ -111,7 +109,6 @@ func (m Manager) GetDomains(ctx context.Context, accountID, userID string) ([]*d
 		if d.TargetCluster != "" {
 			cd.SupportsCustomPorts = m.proxyManager.ClusterSupportsCustomPorts(ctx, d.TargetCluster)
 			cd.SupportsCrowdSec = m.proxyManager.ClusterSupportsCrowdSec(ctx, d.TargetCluster)
-			cd.SupportsPrivate = m.proxyManager.ClusterSupportsPrivate(ctx, d.TargetCluster)
 		}
 		// Custom domains never require a subdomain by default since
 		// the account owns them and should be able to use the bare domain.
@@ -307,27 +304,10 @@ func (m Manager) getClusterAllowList(ctx context.Context, accountID string) ([]s
 	if err != nil {
 		return nil, fmt.Errorf("get BYOP cluster addresses: %w", err)
 	}
-	publicAddresses, err := m.proxyManager.GetActiveClusterAddresses(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("get public cluster addresses: %w", err)
+	if len(byopAddresses) > 0 {
+		return byopAddresses, nil
 	}
-	seen := make(map[string]struct{}, len(byopAddresses)+len(publicAddresses))
-	merged := make([]string, 0, len(byopAddresses)+len(publicAddresses))
-	for _, addr := range byopAddresses {
-		if _, ok := seen[addr]; ok {
-			continue
-		}
-		seen[addr] = struct{}{}
-		merged = append(merged, addr)
-	}
-	for _, addr := range publicAddresses {
-		if _, ok := seen[addr]; ok {
-			continue
-		}
-		seen[addr] = struct{}{}
-		merged = append(merged, addr)
-	}
-	return merged, nil
+	return m.proxyManager.GetActiveClusterAddresses(ctx)
 }
 
 func extractClusterFromCustomDomains(serviceDomain string, customDomains []*domain.Domain) (string, bool) {

management/internals/modules/reverseproxy/domain/manager/manager_test.go

@@ -10,7 +10,7 @@ import (
 )
 
 type mockProxyManager struct {
-	getActiveClusterAddressesFunc           func(ctx context.Context) ([]string, error)
+	getActiveClusterAddressesFunc          func(ctx context.Context) ([]string, error)
 	getActiveClusterAddressesForAccountFunc func(ctx context.Context, accountID string) ([]string, error)
 }
 
@@ -40,41 +40,22 @@ func (m *mockProxyManager) ClusterSupportsCrowdSec(_ context.Context, _ string)
 	return nil
 }
 
-func (m *mockProxyManager) ClusterSupportsPrivate(_ context.Context, _ string) *bool {
-	return nil
-}
-
-func TestGetClusterAllowList_BYOPMergedWithPublic(t *testing.T) {
+func TestGetClusterAllowList_BYOPProxy(t *testing.T) {
 	pm := &mockProxyManager{
 		getActiveClusterAddressesForAccountFunc: func(_ context.Context, accID string) ([]string, error) {
 			assert.Equal(t, "acc-123", accID)
 			return []string{"byop.example.com"}, nil
 		},
 		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
-			return []string{"eu.proxy.netbird.io"}, nil
+			t.Fatal("should not call GetActiveClusterAddresses when BYOP addresses exist")
+			return nil, nil
 		},
 	}
 
 	mgr := Manager{proxyManager: pm}
 	result, err := mgr.getClusterAllowList(context.Background(), "acc-123")
 	require.NoError(t, err)
-	assert.Equal(t, []string{"byop.example.com", "eu.proxy.netbird.io"}, result)
-}
-
-func TestGetClusterAllowList_DeduplicatesBYOPAndPublic(t *testing.T) {
-	pm := &mockProxyManager{
-		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
-			return []string{"shared.example.com", "byop.example.com"}, nil
-		},
-		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
-			return []string{"shared.example.com", "eu.proxy.netbird.io"}, nil
-		},
-	}
-
-	mgr := Manager{proxyManager: pm}
-	result, err := mgr.getClusterAllowList(context.Background(), "acc-123")
-	require.NoError(t, err)
-	assert.Equal(t, []string{"shared.example.com", "byop.example.com", "eu.proxy.netbird.io"}, result)
+	assert.Equal(t, []string{"byop.example.com"}, result)
 }
 
 func TestGetClusterAllowList_NoBYOP_FallbackToShared(t *testing.T) {
@@ -98,6 +79,10 @@ func TestGetClusterAllowList_BYOPError_ReturnsError(t *testing.T) {
 		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
 			return nil, errors.New("db error")
 		},
+		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
+			t.Fatal("should not call GetActiveClusterAddresses when BYOP lookup fails")
+			return nil, nil
+		},
 	}
 
 	mgr := Manager{proxyManager: pm}
@@ -107,23 +92,6 @@ func TestGetClusterAllowList_BYOPError_ReturnsError(t *testing.T) {
 	assert.Contains(t, err.Error(), "BYOP cluster addresses")
 }
 
-func TestGetClusterAllowList_PublicError_ReturnsError(t *testing.T) {
-	pm := &mockProxyManager{
-		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
-			return []string{"byop.example.com"}, nil
-		},
-		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
-			return nil, errors.New("db error")
-		},
-	}
-
-	mgr := Manager{proxyManager: pm}
-	result, err := mgr.getClusterAllowList(context.Background(), "acc-123")
-	require.Error(t, err)
-	assert.Nil(t, result)
-	assert.Contains(t, err.Error(), "public cluster addresses")
-}
-
 func TestGetClusterAllowList_BYOPEmptySlice_FallbackToShared(t *testing.T) {
 	pm := &mockProxyManager{
 		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
@@ -140,18 +108,3 @@ func TestGetClusterAllowList_BYOPEmptySlice_FallbackToShared(t *testing.T) {
 	assert.Equal(t, []string{"eu.proxy.netbird.io"}, result)
 }
 
-func TestGetClusterAllowList_PublicEmpty_BYOPOnly(t *testing.T) {
-	pm := &mockProxyManager{
-		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
-			return []string{"byop.example.com"}, nil
-		},
-		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
-			return nil, nil
-		},
-	}
-
-	mgr := Manager{proxyManager: pm}
-	result, err := mgr.getClusterAllowList(context.Background(), "acc-123")
-	require.NoError(t, err)
-	assert.Equal(t, []string{"byop.example.com"}, result)
-}

management/internals/modules/reverseproxy/proxy/manager.go

@@ -19,7 +19,6 @@ type Manager interface {
 	ClusterSupportsCustomPorts(ctx context.Context, clusterAddr string) *bool
 	ClusterRequireSubdomain(ctx context.Context, clusterAddr string) *bool
 	ClusterSupportsCrowdSec(ctx context.Context, clusterAddr string) *bool
-	ClusterSupportsPrivate(ctx context.Context, clusterAddr string) *bool
 	CleanupStale(ctx context.Context, inactivityDuration time.Duration) error
 	GetAccountProxy(ctx context.Context, accountID string) (*Proxy, error)
 	CountAccountProxies(ctx context.Context, accountID string) (int64, error)

management/internals/modules/reverseproxy/proxy/manager/manager.go

@@ -17,11 +17,10 @@ type store interface {
 	UpdateProxyHeartbeat(ctx context.Context, p *proxy.Proxy) error
 	GetActiveProxyClusterAddresses(ctx context.Context) ([]string, error)
 	GetActiveProxyClusterAddressesForAccount(ctx context.Context, accountID string) ([]string, error)
-	GetProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error)
+	GetActiveProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error)
 	GetClusterSupportsCustomPorts(ctx context.Context, clusterAddr string) *bool
 	GetClusterRequireSubdomain(ctx context.Context, clusterAddr string) *bool
 	GetClusterSupportsCrowdSec(ctx context.Context, clusterAddr string) *bool
-	GetClusterSupportsPrivate(ctx context.Context, clusterAddr string) *bool
 	CleanupStaleProxies(ctx context.Context, inactivityDuration time.Duration) error
 	GetProxyByAccountID(ctx context.Context, accountID string) (*proxy.Proxy, error)
 	CountProxiesByAccountID(ctx context.Context, accountID string) (int64, error)
@@ -138,11 +137,6 @@ func (m Manager) ClusterSupportsCrowdSec(ctx context.Context, clusterAddr string
 	return m.store.GetClusterSupportsCrowdSec(ctx, clusterAddr)
 }
 
-// ClusterSupportsPrivate reports whether any active proxy claims the private capability (nil = unreported).
-func (m Manager) ClusterSupportsPrivate(ctx context.Context, clusterAddr string) *bool {
-	return m.store.GetClusterSupportsPrivate(ctx, clusterAddr)
-}
-
 // CleanupStale removes proxies that haven't sent heartbeat in the specified duration
 func (m *Manager) CleanupStale(ctx context.Context, inactivityDuration time.Duration) error {
 	if err := m.store.CleanupStaleProxies(ctx, inactivityDuration); err != nil {
@@ -184,3 +178,4 @@ func (m *Manager) DeleteAccountCluster(ctx context.Context, clusterAddress, acco
 	}
 	return nil
 }
+

management/internals/modules/reverseproxy/proxy/manager/manager_test.go

@@ -15,16 +15,16 @@ import (
 )
 
 type mockStore struct {
-	saveProxyFunc                            func(ctx context.Context, p *proxy.Proxy) error
-	disconnectProxyFunc                      func(ctx context.Context, proxyID, sessionID string) error
-	updateProxyHeartbeatFunc                 func(ctx context.Context, p *proxy.Proxy) error
-	getActiveProxyClusterAddressesFunc       func(ctx context.Context) ([]string, error)
-	getActiveProxyClusterAddressesForAccFunc func(ctx context.Context, accountID string) ([]string, error)
-	cleanupStaleProxiesFunc                  func(ctx context.Context, d time.Duration) error
-	getProxyByAccountIDFunc                  func(ctx context.Context, accountID string) (*proxy.Proxy, error)
-	countProxiesByAccountIDFunc              func(ctx context.Context, accountID string) (int64, error)
-	isClusterAddressConflictingFunc          func(ctx context.Context, clusterAddress, accountID string) (bool, error)
-	deleteAccountClusterFunc                 func(ctx context.Context, clusterAddress, accountID string) error
+	saveProxyFunc                              func(ctx context.Context, p *proxy.Proxy) error
+	disconnectProxyFunc                        func(ctx context.Context, proxyID, sessionID string) error
+	updateProxyHeartbeatFunc                   func(ctx context.Context, p *proxy.Proxy) error
+	getActiveProxyClusterAddressesFunc         func(ctx context.Context) ([]string, error)
+	getActiveProxyClusterAddressesForAccFunc   func(ctx context.Context, accountID string) ([]string, error)
+	cleanupStaleProxiesFunc                    func(ctx context.Context, d time.Duration) error
+	getProxyByAccountIDFunc                    func(ctx context.Context, accountID string) (*proxy.Proxy, error)
+	countProxiesByAccountIDFunc                func(ctx context.Context, accountID string) (int64, error)
+	isClusterAddressConflictingFunc            func(ctx context.Context, clusterAddress, accountID string) (bool, error)
+	deleteAccountClusterFunc                   func(ctx context.Context, clusterAddress, accountID string) error
 }
 
 func (m *mockStore) SaveProxy(ctx context.Context, p *proxy.Proxy) error {
@@ -57,7 +57,7 @@ func (m *mockStore) GetActiveProxyClusterAddressesForAccount(ctx context.Context
 	}
 	return nil, nil
 }
-func (m *mockStore) GetProxyClusters(_ context.Context, _ string) ([]proxy.Cluster, error) {
+func (m *mockStore) GetActiveProxyClusters(_ context.Context, _ string) ([]proxy.Cluster, error) {
 	return nil, nil
 }
 func (m *mockStore) CleanupStaleProxies(ctx context.Context, d time.Duration) error {
@@ -99,9 +99,6 @@ func (m *mockStore) GetClusterRequireSubdomain(_ context.Context, _ string) *boo
 func (m *mockStore) GetClusterSupportsCrowdSec(_ context.Context, _ string) *bool {
 	return nil
 }
-func (m *mockStore) GetClusterSupportsPrivate(_ context.Context, _ string) *bool {
-	return nil
-}
 
 func newTestManager(s store) *Manager {
 	meter := noop.NewMeterProvider().Meter("test")

management/internals/modules/reverseproxy/proxy/manager_mock.go

@@ -92,20 +92,6 @@ func (mr *MockManagerMockRecorder) ClusterSupportsCrowdSec(ctx, clusterAddr inte
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ClusterSupportsCrowdSec", reflect.TypeOf((*MockManager)(nil).ClusterSupportsCrowdSec), ctx, clusterAddr)
 }
 
-// ClusterSupportsPrivate mocks base method.
-func (m *MockManager) ClusterSupportsPrivate(ctx context.Context, clusterAddr string) *bool {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ClusterSupportsPrivate", ctx, clusterAddr)
-	ret0, _ := ret[0].(*bool)
-	return ret0
-}
-
-// ClusterSupportsPrivate indicates an expected call of ClusterSupportsPrivate.
-func (mr *MockManagerMockRecorder) ClusterSupportsPrivate(ctx, clusterAddr interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ClusterSupportsPrivate", reflect.TypeOf((*MockManager)(nil).ClusterSupportsPrivate), ctx, clusterAddr)
-}
-
 // Connect mocks base method.
 func (m *MockManager) Connect(ctx context.Context, proxyID, sessionID, clusterAddress, ipAddress string, accountID *string, capabilities *Capabilities) (*Proxy, error) {
 	m.ctrl.T.Helper()

management/internals/modules/reverseproxy/proxy/proxy.go

@@ -20,9 +20,6 @@ type Capabilities struct {
 	RequireSubdomain *bool
 	// SupportsCrowdsec indicates whether this proxy has CrowdSec configured.
 	SupportsCrowdsec *bool
-	// Private indicates whether this proxy supports inbound access via Wireguard
-	// tunnel and netbird-only authentication policies
-	Private *bool
 }
 
 // Proxy represents a reverse proxy instance
@@ -45,34 +42,10 @@ func (Proxy) TableName() string {
 	return "proxies"
 }
 
-// ClusterType is the source of a proxy cluster.
-type ClusterType string
-
-const (
-	// ClusterTypeAccount is a cluster operated by the account itself (BYOP) —
-	// at least one proxy row in the cluster carries a non-NULL account_id.
-	ClusterTypeAccount ClusterType = "account"
-	// ClusterTypeShared is a cluster operated by NetBird and shared across
-	// accounts — all proxy rows in the cluster have account_id IS NULL.
-	ClusterTypeShared ClusterType = "shared"
-)
-
 // Cluster represents a group of proxy nodes serving the same address.
-//
-// Online and ConnectedProxies derive from the same 2-min active window
-// the rest of the module uses, but Cluster rows are not gated on it —
-// the cluster listing surfaces offline clusters too so operators can
-// see and clean them up. The 1-hour heartbeat reaper still bounds the
-// table eventually.
 type Cluster struct {
 	ID               string
 	Address          string
-	Type             ClusterType
-	Online           bool
 	ConnectedProxies int
-	// *bool: nil = no proxy reported the capability; the dashboard renders that as unknown.
-	SupportsCustomPorts *bool
-	RequireSubdomain    *bool
-	SupportsCrowdSec    *bool
-	Private             *bool
+	SelfHosted       bool
 }

management/internals/modules/reverseproxy/service/interface.go

@@ -9,7 +9,7 @@ import (
 )
 
 type Manager interface {
-	GetClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error)
+	GetActiveClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error)
 	DeleteAccountCluster(ctx context.Context, accountID, userID, clusterAddress string) error
 	GetAllServices(ctx context.Context, accountID, userID string) ([]*Service, error)
 	GetService(ctx context.Context, accountID, userID, serviceID string) (*Service, error)

management/internals/modules/reverseproxy/service/interface_mock.go

@@ -65,20 +65,6 @@ func (mr *MockManagerMockRecorder) CreateServiceFromPeer(ctx, accountID, peerID,
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateServiceFromPeer", reflect.TypeOf((*MockManager)(nil).CreateServiceFromPeer), ctx, accountID, peerID, req)
 }
 
-// DeleteAccountCluster mocks base method.
-func (m *MockManager) DeleteAccountCluster(ctx context.Context, accountID, userID, clusterAddress string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DeleteAccountCluster", ctx, accountID, userID, clusterAddress)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// DeleteAccountCluster indicates an expected call of DeleteAccountCluster.
-func (mr *MockManagerMockRecorder) DeleteAccountCluster(ctx, accountID, userID, clusterAddress interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAccountCluster", reflect.TypeOf((*MockManager)(nil).DeleteAccountCluster), ctx, accountID, userID, clusterAddress)
-}
-
 // DeleteAllServices mocks base method.
 func (m *MockManager) DeleteAllServices(ctx context.Context, accountID, userID string) error {
 	m.ctrl.T.Helper()
@@ -93,6 +79,20 @@ func (mr *MockManagerMockRecorder) DeleteAllServices(ctx, accountID, userID inte
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAllServices", reflect.TypeOf((*MockManager)(nil).DeleteAllServices), ctx, accountID, userID)
 }
 
+// DeleteAccountCluster mocks base method.
+func (m *MockManager) DeleteAccountCluster(ctx context.Context, accountID, userID, clusterAddress string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteAccountCluster", ctx, accountID, userID, clusterAddress)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteAccountCluster indicates an expected call of DeleteAccountCluster.
+func (mr *MockManagerMockRecorder) DeleteAccountCluster(ctx, accountID, userID, clusterAddress interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAccountCluster", reflect.TypeOf((*MockManager)(nil).DeleteAccountCluster), ctx, accountID, userID, clusterAddress)
+}
+
 // DeleteService mocks base method.
 func (m *MockManager) DeleteService(ctx context.Context, accountID, userID, serviceID string) error {
 	m.ctrl.T.Helper()
@@ -122,6 +122,21 @@ func (mr *MockManagerMockRecorder) GetAccountServices(ctx, accountID interface{}
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAccountServices", reflect.TypeOf((*MockManager)(nil).GetAccountServices), ctx, accountID)
 }
 
+// GetActiveClusters mocks base method.
+func (m *MockManager) GetActiveClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetActiveClusters", ctx, accountID, userID)
+	ret0, _ := ret[0].([]proxy.Cluster)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetActiveClusters indicates an expected call of GetActiveClusters.
+func (mr *MockManagerMockRecorder) GetActiveClusters(ctx, accountID, userID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetActiveClusters", reflect.TypeOf((*MockManager)(nil).GetActiveClusters), ctx, accountID, userID)
+}
+
 // GetAllServices mocks base method.
 func (m *MockManager) GetAllServices(ctx context.Context, accountID, userID string) ([]*Service, error) {
 	m.ctrl.T.Helper()
@@ -137,19 +152,19 @@ func (mr *MockManagerMockRecorder) GetAllServices(ctx, accountID, userID interfa
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllServices", reflect.TypeOf((*MockManager)(nil).GetAllServices), ctx, accountID, userID)
 }
 
-// GetClusters mocks base method.
-func (m *MockManager) GetClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error) {
+// GetServiceByDomain mocks base method.
+func (m *MockManager) GetServiceByDomain(ctx context.Context, domain string) (*Service, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetClusters", ctx, accountID, userID)
-	ret0, _ := ret[0].([]proxy.Cluster)
+	ret := m.ctrl.Call(m, "GetServiceByDomain", ctx, domain)
+	ret0, _ := ret[0].(*Service)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 
-// GetClusters indicates an expected call of GetClusters.
-func (mr *MockManagerMockRecorder) GetClusters(ctx, accountID, userID interface{}) *gomock.Call {
+// GetServiceByDomain indicates an expected call of GetServiceByDomain.
+func (mr *MockManagerMockRecorder) GetServiceByDomain(ctx, domain interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetClusters", reflect.TypeOf((*MockManager)(nil).GetClusters), ctx, accountID, userID)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServiceByDomain", reflect.TypeOf((*MockManager)(nil).GetServiceByDomain), ctx, domain)
 }
 
 // GetGlobalServices mocks base method.
@@ -182,21 +197,6 @@ func (mr *MockManagerMockRecorder) GetService(ctx, accountID, userID, serviceID
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetService", reflect.TypeOf((*MockManager)(nil).GetService), ctx, accountID, userID, serviceID)
 }
 
-// GetServiceByDomain mocks base method.
-func (m *MockManager) GetServiceByDomain(ctx context.Context, domain string) (*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetServiceByDomain", ctx, domain)
-	ret0, _ := ret[0].(*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetServiceByDomain indicates an expected call of GetServiceByDomain.
-func (mr *MockManagerMockRecorder) GetServiceByDomain(ctx, domain interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServiceByDomain", reflect.TypeOf((*MockManager)(nil).GetServiceByDomain), ctx, domain)
-}
-
 // GetServiceByID mocks base method.
 func (m *MockManager) GetServiceByID(ctx context.Context, accountID, serviceID string) (*Service, error) {
 	m.ctrl.T.Helper()

management/internals/modules/reverseproxy/service/manager/api.go

@@ -187,7 +187,7 @@ func (h *handler) getClusters(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	clusters, err := h.manager.GetClusters(r.Context(), userAuth.AccountId, userAuth.UserId)
+	clusters, err := h.manager.GetActiveClusters(r.Context(), userAuth.AccountId, userAuth.UserId)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -196,15 +196,10 @@ func (h *handler) getClusters(w http.ResponseWriter, r *http.Request) {
 	apiClusters := make([]api.ProxyCluster, 0, len(clusters))
 	for _, c := range clusters {
 		apiClusters = append(apiClusters, api.ProxyCluster{
-			Id:                  c.ID,
-			Address:             c.Address,
-			Type:                api.ProxyClusterType(c.Type),
-			Online:              c.Online,
-			ConnectedProxies:    c.ConnectedProxies,
-			SupportsCustomPorts: c.SupportsCustomPorts,
-			RequireSubdomain:    c.RequireSubdomain,
-			SupportsCrowdsec:    c.SupportsCrowdSec,
-			Private:             c.Private,
+			Id:               c.ID,
+			Address:          c.Address,
+			ConnectedProxies: c.ConnectedProxies,
+			SelfHosted:       c.SelfHosted,
 		})
 	}
 

management/internals/modules/reverseproxy/service/manager/manager.go

@@ -81,8 +81,6 @@ type ClusterDeriver interface {
 type CapabilityProvider interface {
 	ClusterSupportsCustomPorts(ctx context.Context, clusterAddr string) *bool
 	ClusterRequireSubdomain(ctx context.Context, clusterAddr string) *bool
-	ClusterSupportsCrowdSec(ctx context.Context, clusterAddr string) *bool
-	ClusterSupportsPrivate(ctx context.Context, clusterAddr string) *bool
 }
 
 type Manager struct {
@@ -114,12 +112,8 @@ func (m *Manager) StartExposeReaper(ctx context.Context) {
 	m.exposeReaper.StartExposeReaper(ctx)
 }
 
-// GetClusters returns every proxy cluster visible to the account
-// (shared + its own BYOP), regardless of whether any proxy in the
-// cluster is currently heartbeating. Each cluster is enriched with the
-// capability flags reported by its active proxies so the dashboard can
-// render feature support without a second round-trip.
-func (m *Manager) GetClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error) {
+// GetActiveClusters returns all active proxy clusters with their connected proxy count.
+func (m *Manager) GetActiveClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error) {
 	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
@@ -128,19 +122,7 @@ func (m *Manager) GetClusters(ctx context.Context, accountID, userID string) ([]
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	clusters, err := m.store.GetProxyClusters(ctx, accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	for i := range clusters {
-		clusters[i].SupportsCustomPorts = m.capabilities.ClusterSupportsCustomPorts(ctx, clusters[i].Address)
-		clusters[i].RequireSubdomain = m.capabilities.ClusterRequireSubdomain(ctx, clusters[i].Address)
-		clusters[i].SupportsCrowdSec = m.capabilities.ClusterSupportsCrowdSec(ctx, clusters[i].Address)
-		clusters[i].Private = m.capabilities.ClusterSupportsPrivate(ctx, clusters[i].Address)
-	}
-
-	return clusters, nil
+	return m.store.GetActiveProxyClusters(ctx, accountID)
 }
 
 // DeleteAccountCluster removes all proxy registrations for the given cluster address
@@ -210,9 +192,6 @@ func (m *Manager) replaceHostByLookup(ctx context.Context, accountID string, s *
 			target.Host = resource.Domain
 		case service.TargetTypeSubnet:
 			// For subnets we do not do any lookups on the resource
-		case service.TargetTypeCluster:
-			// Cluster targets carry the upstream address on target_id; the
-			// proxy resolves the destination at request time.
 		default:
 			return fmt.Errorf("unknown target type: %s", target.TargetType)
 		}
@@ -327,10 +306,6 @@ func (m *Manager) validateSubdomainRequirement(ctx context.Context, domain, clus
 func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *service.Service) error {
 	customPorts := m.clusterCustomPorts(ctx, svc)
 
-	if err := validateTargetReferences(ctx, m.store, accountID, svc.Targets); err != nil {
-		return err
-	}
-
 	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if svc.Domain != "" {
 			if err := m.checkDomainAvailable(ctx, transaction, svc.Domain, ""); err != nil {
@@ -346,6 +321,10 @@ func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *
 			return err
 		}
 
+		if err := validateTargetReferences(ctx, transaction, accountID, svc.Targets); err != nil {
+			return err
+		}
+
 		if err := transaction.CreateService(ctx, svc); err != nil {
 			return fmt.Errorf("create service: %w", err)
 		}
@@ -456,10 +435,6 @@ func (m *Manager) assignPort(ctx context.Context, tx store.Store, cluster string
 func (m *Manager) persistNewEphemeralService(ctx context.Context, accountID, peerID string, svc *service.Service) error {
 	customPorts := m.clusterCustomPorts(ctx, svc)
 
-	if err := validateTargetReferences(ctx, m.store, accountID, svc.Targets); err != nil {
-		return err
-	}
-
 	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err := m.validateEphemeralPreconditions(ctx, transaction, accountID, peerID, svc); err != nil {
 			return err
@@ -473,6 +448,10 @@ func (m *Manager) persistNewEphemeralService(ctx context.Context, accountID, pee
 			return err
 		}
 
+		if err := validateTargetReferences(ctx, transaction, accountID, svc.Targets); err != nil {
+			return err
+		}
+
 		if err := transaction.CreateService(ctx, svc); err != nil {
 			return fmt.Errorf("create service: %w", err)
 		}
@@ -573,22 +552,10 @@ func (m *Manager) persistServiceUpdate(ctx context.Context, accountID string, se
 	svcForCaps.ProxyCluster = effectiveCluster
 	customPorts := m.clusterCustomPorts(ctx, &svcForCaps)
 
-	if err := validateTargetReferences(ctx, m.store, accountID, service.Targets); err != nil {
-		return nil, err
-	}
-
-	// Validate subdomain requirement *before* the transaction: the underlying
-	// capability lookup talks to the main DB pool, and SQLite's single-connection
-	// pool would self-deadlock if this ran while the tx already held the only
-	// connection.
-	if err := m.validateSubdomainRequirement(ctx, service.Domain, effectiveCluster); err != nil {
-		return nil, err
-	}
-
 	var updateInfo serviceUpdateInfo
 
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		return m.executeServiceUpdate(ctx, transaction, accountID, service, &updateInfo, customPorts, effectiveCluster)
+		return m.executeServiceUpdate(ctx, transaction, accountID, service, &updateInfo, customPorts)
 	})
 
 	return &updateInfo, err
@@ -618,7 +585,7 @@ func (m *Manager) resolveEffectiveCluster(ctx context.Context, accountID string,
 	return existing.ProxyCluster, nil
 }
 
-func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.Store, accountID string, service *service.Service, updateInfo *serviceUpdateInfo, customPorts *bool, effectiveCluster string) error {
+func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.Store, accountID string, service *service.Service, updateInfo *serviceUpdateInfo, customPorts *bool) error {
 	existingService, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, service.ID)
 	if err != nil {
 		return err
@@ -636,13 +603,17 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 	updateInfo.domainChanged = existingService.Domain != service.Domain
 
 	if updateInfo.domainChanged {
-		if err := m.handleDomainChange(ctx, transaction, service, effectiveCluster); err != nil {
+		if err := m.handleDomainChange(ctx, transaction, accountID, service); err != nil {
 			return err
 		}
 	} else {
 		service.ProxyCluster = existingService.ProxyCluster
 	}
 
+	if err := m.validateSubdomainRequirement(ctx, service.Domain, service.ProxyCluster); err != nil {
+		return err
+	}
+
 	m.preserveExistingAuthSecrets(service, existingService)
 	if err := validateHeaderAuthValues(service.Auth.HeaderAuths); err != nil {
 		return err
@@ -657,6 +628,9 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 	if err := m.checkPortConflict(ctx, transaction, service); err != nil {
 		return err
 	}
+	if err := validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
+		return err
+	}
 	if err := transaction.UpdateService(ctx, service); err != nil {
 		return fmt.Errorf("update service: %w", err)
 	}
@@ -664,18 +638,20 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 	return nil
 }
 
-// handleDomainChange validates the new domain is free inside the transaction
-// and applies the pre-resolved cluster (computed outside the tx by
-// resolveEffectiveCluster). It must NOT call clusterDeriver here: that talks
-// to the main DB pool and would self-deadlock under SQLite (max_open_conns=1)
-// because the transaction already holds the only connection.
-func (m *Manager) handleDomainChange(ctx context.Context, transaction store.Store, svc *service.Service, effectiveCluster string) error {
+func (m *Manager) handleDomainChange(ctx context.Context, transaction store.Store, accountID string, svc *service.Service) error {
 	if err := m.checkDomainAvailable(ctx, transaction, svc.Domain, svc.ID); err != nil {
 		return err
 	}
-	if effectiveCluster != "" {
-		svc.ProxyCluster = effectiveCluster
+
+	if m.clusterDeriver != nil {
+		newCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, svc.Domain)
+		if err != nil {
+			log.WithError(err).Warnf("could not derive cluster from domain %s", svc.Domain)
+		} else {
+			svc.ProxyCluster = newCluster
+		}
 	}
+
 	return nil
 }
 
@@ -784,10 +760,6 @@ func validateTargetReferences(ctx context.Context, transaction store.Store, acco
 			if err := validateResourceTarget(ctx, transaction, accountID, target); err != nil {
 				return err
 			}
-		case service.TargetTypeCluster:
-			if err := validateClusterTarget(target); err != nil {
-				return err
-			}
 		default:
 			return status.Errorf(status.InvalidArgument, "unknown target type %q for target %q", target.TargetType, target.TargetId)
 		}
@@ -795,13 +767,6 @@ func validateTargetReferences(ctx context.Context, transaction store.Store, acco
 	return nil
 }
 
-func validateClusterTarget(target *service.Target) error {
-	if !target.Options.DirectUpstream {
-		return status.Errorf(status.InvalidArgument, "cluster target %s has direct upstream disabled", target.Host)
-	}
-	return nil
-}
-
 func validatePeerTarget(ctx context.Context, transaction store.Store, accountID string, target *service.Target) error {
 	if _, err := transaction.GetPeerByID(ctx, store.LockingStrengthShare, accountID, target.TargetId); err != nil {
 		if sErr, ok := status.FromError(err); ok && sErr.Type() == status.NotFound {
@@ -978,14 +943,12 @@ func (m *Manager) ReloadAllServicesForAccount(ctx context.Context, accountID str
 		return fmt.Errorf("failed to get services: %w", err)
 	}
 
-	oidcCfg := m.proxyController.GetOIDCValidationConfig()
-
 	for _, s := range services {
 		err = m.replaceHostByLookup(ctx, accountID, s)
 		if err != nil {
 			return fmt.Errorf("failed to replace host by lookup for service %s: %w", s.ID, err)
 		}
-		m.proxyController.SendServiceUpdateToCluster(ctx, accountID, s.ToProtoMapping(service.Update, "", oidcCfg), s.ProxyCluster)
+		m.proxyController.SendServiceUpdateToCluster(ctx, accountID, s.ToProtoMapping(service.Update, "", m.proxyController.GetOIDCValidationConfig()), s.ProxyCluster)
 	}
 
 	return nil

management/internals/modules/reverseproxy/service/manager/manager_test.go

@@ -1344,66 +1344,3 @@ func TestValidateSubdomainRequirement(t *testing.T) {
 		})
 	}
 }
-
-func TestValidateTargetReferences_ClusterTargetSkipsLookup(t *testing.T) {
-	ctx := context.Background()
-	ctrl := gomock.NewController(t)
-	mockStore := store.NewMockStore(ctrl)
-	accountID := "test-account"
-
-	// No peer or resource lookups must be issued for cluster targets.
-	targets := []*rpservice.Target{
-		{
-			TargetId:   "eu.proxy.netbird.io",
-			TargetType: rpservice.TargetTypeCluster,
-			Options:    rpservice.TargetOptions{DirectUpstream: true},
-		},
-	}
-	require.NoError(t, validateTargetReferences(ctx, mockStore, accountID, targets), "cluster target must validate without store lookups")
-}
-
-// TestValidateTargetReferences_ClusterTargetRequiresDirectUpstream pins the
-// store-side check that cluster targets must opt into the host-stack dial
-// path. Without DirectUpstream the proxy would route this target through
-// the embedded NetBird client and fail on every request.
-func TestValidateTargetReferences_ClusterTargetRequiresDirectUpstream(t *testing.T) {
-	ctx := context.Background()
-	ctrl := gomock.NewController(t)
-	mockStore := store.NewMockStore(ctrl)
-	accountID := "test-account"
-
-	targets := []*rpservice.Target{
-		{
-			TargetId:   "eu.proxy.netbird.io",
-			TargetType: rpservice.TargetTypeCluster,
-			Host:       "backend.lan",
-		},
-	}
-	err := validateTargetReferences(ctx, mockStore, accountID, targets)
-	require.Error(t, err, "cluster target without direct_upstream must be rejected")
-	assert.ErrorContains(t, err, "direct upstream disabled")
-}
-
-func TestReplaceHostByLookup_SkipsClusterTarget(t *testing.T) {
-	ctx := context.Background()
-	ctrl := gomock.NewController(t)
-	mockStore := store.NewMockStore(ctrl)
-	accountID := "test-account"
-
-	mgr := &Manager{store: mockStore}
-
-	svc := &rpservice.Service{
-		ID:        "svc-1",
-		AccountID: accountID,
-		Targets: []*rpservice.Target{
-			{
-				TargetId:   "eu.proxy.netbird.io",
-				TargetType: rpservice.TargetTypeCluster,
-				Host:       "127.0.0.1",
-			},
-		},
-	}
-
-	require.NoError(t, mgr.replaceHostByLookup(ctx, accountID, svc), "cluster target must not trigger peer/resource lookup")
-	assert.Equal(t, "127.0.0.1", svc.Targets[0].Host, "operator-supplied host must be preserved for cluster target")
-}

management/internals/modules/reverseproxy/service/service.go

@@ -45,11 +45,10 @@ const (
 	StatusCertificateFailed  Status = "certificate_failed"
 	StatusError              Status = "error"
 
-	TargetTypePeer    TargetType = "peer"
-	TargetTypeHost    TargetType = "host"
-	TargetTypeDomain  TargetType = "domain"
-	TargetTypeSubnet  TargetType = "subnet"
-	TargetTypeCluster TargetType = "cluster"
+	TargetTypePeer   TargetType = "peer"
+	TargetTypeHost   TargetType = "host"
+	TargetTypeDomain TargetType = "domain"
+	TargetTypeSubnet TargetType = "subnet"
 
 	SourcePermanent = "permanent"
 	SourceEphemeral = "ephemeral"
@@ -61,11 +60,6 @@ type TargetOptions struct {
 	SessionIdleTimeout time.Duration     `json:"session_idle_timeout,omitempty"`
 	PathRewrite        PathRewriteMode   `json:"path_rewrite,omitempty"`
 	CustomHeaders      map[string]string `gorm:"serializer:json" json:"custom_headers,omitempty"`
-	// DirectUpstream bypasses the proxy's embedded NetBird client and dials
-	// the target via the proxy host's network stack. Useful for upstreams
-	// reachable without WireGuard (public APIs, LAN services, localhost
-	// sidecars). Default false.
-	DirectUpstream bool `json:"direct_upstream,omitempty"`
 }
 
 type Target struct {
@@ -73,7 +67,7 @@ type Target struct {
 	AccountID     string        `gorm:"index:idx_target_account;not null" json:"-"`
 	ServiceID     string        `gorm:"index:idx_service_targets;not null" json:"-"`
 	Path          *string       `json:"path,omitempty"`
-	Host          string        `json:"host"`
+	Host          string        `json:"host"` // the Host field is only used for subnet targets, otherwise ignored
 	Port          uint16        `gorm:"index:idx_target_port" json:"port"`
 	Protocol      string        `gorm:"index:idx_target_protocol" json:"protocol"`
 	TargetId      string        `gorm:"index:idx_target_id" json:"target_id"`
@@ -206,10 +200,6 @@ type Service struct {
 	Mode             string `gorm:"default:'http'"`
 	ListenPort       uint16
 	PortAutoAssigned bool
-	// Private marks the service as NetBird-only: auth via ValidateTunnelPeer against AccessGroups instead of SSO. HTTP-only.
-	Private bool
-	// AccessGroups is the group ID allowlist for inbound peers on private services. Mutually exclusive with bearer SSO.
-	AccessGroups []string `json:"access_groups,omitempty" gorm:"serializer:json"`
 }
 
 // InitNewRecord generates a new unique ID and resets metadata for a newly created
@@ -309,12 +299,6 @@ func (s *Service) ToAPIResponse() *api.Service {
 		Mode:               &mode,
 		ListenPort:         &listenPort,
 		PortAutoAssigned:   &s.PortAutoAssigned,
-		Private:            &s.Private,
-	}
-
-	if len(s.AccessGroups) > 0 {
-		groups := append([]string(nil), s.AccessGroups...)
-		resp.AccessGroups = &groups
 	}
 
 	if s.ProxyCluster != "" {
@@ -324,7 +308,6 @@ func (s *Service) ToAPIResponse() *api.Service {
 	return resp
 }
 
-// ToProtoMapping converts the service into the wire format the proxy consumes.
 func (s *Service) ToProtoMapping(operation Operation, authToken string, oidcConfig proxy.OIDCValidationConfig) *proto.ProxyMapping {
 	pathMappings := s.buildPathMappings()
 
@@ -366,7 +349,6 @@ func (s *Service) ToProtoMapping(operation Operation, authToken string, oidcConf
 		RewriteRedirects: s.RewriteRedirects,
 		Mode:             s.Mode,
 		ListenPort:       int32(s.ListenPort), //nolint:gosec
-		Private:          s.Private,
 	}
 
 	if r := restrictionsToProto(s.Restrictions); r != nil {
@@ -399,14 +381,13 @@ func (s *Service) buildPathMappings() []*proto.PathMapping {
 		}
 
 		// HTTP/HTTPS: build full URL
-		hostNoBrackets := strings.TrimSuffix(strings.TrimPrefix(target.Host, "["), "]")
 		targetURL := url.URL{
 			Scheme: target.Protocol,
-			Host:   bracketIPv6Host(hostNoBrackets),
+			Host:   target.Host,
 			Path:   "/",
 		}
 		if target.Port > 0 && !isDefaultPort(target.Protocol, target.Port) {
-			targetURL.Host = net.JoinHostPort(hostNoBrackets, strconv.FormatUint(uint64(target.Port), 10))
+			targetURL.Host = net.JoinHostPort(targetURL.Host, strconv.FormatUint(uint64(target.Port), 10))
 		}
 
 		path := "/"
@@ -424,19 +405,6 @@ func (s *Service) buildPathMappings() []*proto.PathMapping {
 	return pathMappings
 }
 
-// bracketIPv6Host wraps host in square brackets when it is an IPv6 literal, as
-// required for the Host field of net/url.URL (RFC 3986 §3.2.2). v4-mapped IPv6
-// addresses are bracketed too since their textual form contains colons.
-func bracketIPv6Host(host string) string {
-	if strings.HasPrefix(host, "[") {
-		return host
-	}
-	if addr, err := netip.ParseAddr(host); err == nil && addr.Is6() {
-		return "[" + host + "]"
-	}
-	return host
-}
-
 func operationToProtoType(op Operation) proto.ProxyMappingUpdateType {
 	switch op {
 	case Create:
@@ -473,8 +441,7 @@ func pathRewriteToProto(mode PathRewriteMode) proto.PathRewriteMode {
 }
 
 func targetOptionsToAPI(opts TargetOptions) *api.ServiceTargetOptions {
-	if !opts.SkipTLSVerify && opts.RequestTimeout == 0 && opts.SessionIdleTimeout == 0 &&
-		opts.PathRewrite == "" && len(opts.CustomHeaders) == 0 && !opts.DirectUpstream {
+	if !opts.SkipTLSVerify && opts.RequestTimeout == 0 && opts.SessionIdleTimeout == 0 && opts.PathRewrite == "" && len(opts.CustomHeaders) == 0 {
 		return nil
 	}
 	apiOpts := &api.ServiceTargetOptions{}
@@ -496,22 +463,17 @@ func targetOptionsToAPI(opts TargetOptions) *api.ServiceTargetOptions {
 	if len(opts.CustomHeaders) > 0 {
 		apiOpts.CustomHeaders = &opts.CustomHeaders
 	}
-	if opts.DirectUpstream {
-		apiOpts.DirectUpstream = &opts.DirectUpstream
-	}
 	return apiOpts
 }
 
 func targetOptionsToProto(opts TargetOptions) *proto.PathTargetOptions {
-	if !opts.SkipTLSVerify && opts.PathRewrite == "" && opts.RequestTimeout == 0 &&
-		len(opts.CustomHeaders) == 0 && !opts.DirectUpstream {
+	if !opts.SkipTLSVerify && opts.PathRewrite == "" && opts.RequestTimeout == 0 && len(opts.CustomHeaders) == 0 {
 		return nil
 	}
 	popts := &proto.PathTargetOptions{
-		SkipTlsVerify:  opts.SkipTLSVerify,
-		PathRewrite:    pathRewriteToProto(opts.PathRewrite),
-		CustomHeaders:  opts.CustomHeaders,
-		DirectUpstream: opts.DirectUpstream,
+		SkipTlsVerify: opts.SkipTLSVerify,
+		PathRewrite:   pathRewriteToProto(opts.PathRewrite),
+		CustomHeaders: opts.CustomHeaders,
 	}
 	if opts.RequestTimeout != 0 {
 		popts.RequestTimeout = durationpb.New(opts.RequestTimeout)
@@ -561,9 +523,6 @@ func targetOptionsFromAPI(idx int, o *api.ServiceTargetOptions) (TargetOptions,
 	if o.CustomHeaders != nil {
 		opts.CustomHeaders = *o.CustomHeaders
 	}
-	if o.DirectUpstream != nil {
-		opts.DirectUpstream = *o.DirectUpstream
-	}
 	return opts, nil
 }
 
@@ -578,14 +537,6 @@ func (s *Service) FromAPIRequest(req *api.ServiceRequest, accountID string) erro
 	if req.ListenPort != nil {
 		s.ListenPort = uint16(*req.ListenPort) //nolint:gosec
 	}
-	if req.Private != nil {
-		s.Private = *req.Private
-	}
-	if req.AccessGroups != nil {
-		s.AccessGroups = append([]string(nil), *req.AccessGroups...)
-	} else {
-		s.AccessGroups = nil
-	}
 
 	targets, err := targetsFromAPI(accountID, req.Targets)
 	if err != nil {
@@ -775,9 +726,6 @@ func (s *Service) Validate() error {
 	if err := validateAccessRestrictions(&s.Restrictions); err != nil {
 		return err
 	}
-	if err := s.validatePrivateRequirements(); err != nil {
-		return err
-	}
 
 	switch s.Mode {
 	case ModeHTTP:
@@ -791,23 +739,6 @@ func (s *Service) Validate() error {
 	}
 }
 
-// validatePrivateRequirements enforces the private-service contract: HTTP mode, ≥1 access group, no bearer auth.
-func (s *Service) validatePrivateRequirements() error {
-	if !s.Private {
-		return nil
-	}
-	if s.Mode != "" && s.Mode != ModeHTTP {
-		return fmt.Errorf("private services only support HTTP mode, got %q", s.Mode)
-	}
-	if len(s.AccessGroups) == 0 {
-		return errors.New("private services require at least one access group")
-	}
-	if s.Auth.BearerAuth != nil && s.Auth.BearerAuth.Enabled {
-		return errors.New("private services cannot enable bearer auth (SSO): NetBird-only access and SSO are mutually exclusive")
-	}
-	return nil
-}
-
 func (s *Service) validateHTTPMode() error {
 	if s.Domain == "" {
 		return errors.New("service domain is required")
@@ -854,21 +785,11 @@ func (s *Service) validateHTTPTargets() error {
 	for i, target := range s.Targets {
 		switch target.TargetType {
 		case TargetTypePeer, TargetTypeHost, TargetTypeDomain:
-			// Host is normally overwritten by replaceHostByLookup with the
-			// resolved peer IP / resource address; operator-supplied values
-			// are honored only when DirectUpstream is set. Validate the
-			// override here so misconfigured hosts fail fast at API time.
-			if err := validateDirectUpstreamHost(i, target); err != nil {
-				return err
-			}
+			// host field will be ignored
 		case TargetTypeSubnet:
 			if target.Host == "" {
 				return fmt.Errorf("target %d has empty host but target_type is %q", i, target.TargetType)
 			}
-		case TargetTypeCluster:
-			if err := validateClusterTarget(i, target); err != nil {
-				return err
-			}
 		default:
 			return fmt.Errorf("target %d has invalid target_type %q", i, target.TargetType)
 		}
@@ -886,67 +807,25 @@ func (s *Service) validateHTTPTargets() error {
 	return nil
 }
 
-// validateClusterTarget cluster targets should not have empty hosts and should have direct upstream enabled.
-func validateClusterTarget(idx int, target *Target) error {
-	host := strings.TrimSpace(target.Host)
-	if host == "" {
-		return fmt.Errorf("target %d: has empty host", idx)
-	}
-	if !target.Options.DirectUpstream {
-		return fmt.Errorf("target %d: %s has direct upstream disabled", idx, target.Host)
-	}
-	return validateDirectUpstreamHost(idx, target)
-}
-
-// validateDirectUpstreamHost validates the operator-supplied Host on a
-// peer/host/domain target when DirectUpstream is set. Empty Host is
-// allowed — the lookup fills in the default peer IP / resource address.
-// Without DirectUpstream the Host value is silently overwritten by
-// replaceHostByLookup, so we don't validate it (preserves the historical
-// behaviour where APIs accepted any value and dropped it). Non-empty
-// Host with DirectUpstream must look like a hostname or IP and must
-// not carry a port (port lives on Target.Port).
-func validateDirectUpstreamHost(idx int, target *Target) error {
-	if !target.Options.DirectUpstream {
-		return nil
-	}
-	host := strings.TrimSpace(target.Host)
-	if host == "" {
-		return nil
-	}
-	if strings.ContainsAny(host, " \t/") {
-		return fmt.Errorf("target %d: host %q contains invalid characters", idx, host)
-	}
-	if _, _, err := net.SplitHostPort(host); err == nil {
-		return fmt.Errorf("target %d: host %q must not include a port (set target.port instead)", idx, host)
-	}
-	return nil
-}
-
 func (s *Service) validateL4Target(target *Target) error {
 	// L4 services have a single target; per-target disable is meaningless
 	// (use the service-level Enabled flag instead). Force it on so that
 	// buildPathMappings always includes the target in the proto.
 	target.Enabled = true
 
+	if target.Port == 0 {
+		return errors.New("target port is required for L4 services")
+	}
 	if target.TargetId == "" {
 		return errors.New("target_id is required for L4 services")
 	}
-	if target.TargetType != TargetTypeCluster && target.Port == 0 {
-		return errors.New("target port is required for L4 services")
-	}
 	switch target.TargetType {
 	case TargetTypePeer, TargetTypeHost, TargetTypeDomain:
-		if err := validateDirectUpstreamHost(0, target); err != nil {
-			return err
-		}
+		// OK
 	case TargetTypeSubnet:
 		if target.Host == "" {
 			return errors.New("target host is required for subnet targets")
 		}
-	case TargetTypeCluster:
-		// target_id carries the cluster address; the proxy resolves
-		// the upstream at request time.
 	default:
 		return fmt.Errorf("invalid target_type %q for L4 service", target.TargetType)
 	}
@@ -1281,11 +1160,6 @@ func (s *Service) Copy() *Service {
 		}
 	}
 
-	var accessGroups []string
-	if len(s.AccessGroups) > 0 {
-		accessGroups = append([]string(nil), s.AccessGroups...)
-	}
-
 	return &Service{
 		ID:                s.ID,
 		AccountID:         s.AccountID,
@@ -1307,8 +1181,6 @@ func (s *Service) Copy() *Service {
 		Mode:              s.Mode,
 		ListenPort:        s.ListenPort,
 		PortAutoAssigned:  s.PortAutoAssigned,
-		Private:           s.Private,
-		AccessGroups:      accessGroups,
 	}
 }
 

management/internals/modules/reverseproxy/service/service_test.go

@@ -12,7 +12,6 @@ import (
 
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy"
 	"github.com/netbirdio/netbird/shared/hash/argon2id"
-	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/proto"
 )
 
@@ -352,83 +351,6 @@ func TestToProtoMapping_PortInTargetURL(t *testing.T) {
 			port:       80,
 			wantTarget: "https://10.0.0.1:80/",
 		},
-		{
-			name:       "domain host without port is unchanged",
-			protocol:   "http",
-			host:       "example.com",
-			port:       0,
-			wantTarget: "http://example.com/",
-		},
-		{
-			name:       "domain host with non-default port is unchanged",
-			protocol:   "http",
-			host:       "example.com",
-			port:       8080,
-			wantTarget: "http://example.com:8080/",
-		},
-		{
-			name:       "ipv6 host without port is bracketed",
-			protocol:   "http",
-			host:       "fb00:cafe:1::3",
-			port:       0,
-			wantTarget: "http://[fb00:cafe:1::3]/",
-		},
-		{
-			name:       "ipv6 host with default port omits port and brackets host",
-			protocol:   "http",
-			host:       "fb00:cafe:1::3",
-			port:       80,
-			wantTarget: "http://[fb00:cafe:1::3]/",
-		},
-		{
-			name:       "ipv6 host with non-default port is bracketed",
-			protocol:   "http",
-			host:       "fb00:cafe:1::3",
-			port:       8080,
-			wantTarget: "http://[fb00:cafe:1::3]:8080/",
-		},
-		{
-			name:       "ipv6 loopback without port is bracketed",
-			protocol:   "http",
-			host:       "::1",
-			port:       0,
-			wantTarget: "http://[::1]/",
-		},
-		{
-			name:       "ipv6 host with 5-digit port is bracketed",
-			protocol:   "http",
-			host:       "fb00:cafe::1",
-			port:       18080,
-			wantTarget: "http://[fb00:cafe::1]:18080/",
-		},
-		{
-			name:       "pre-bracketed ipv6 without port stays single-bracketed",
-			protocol:   "http",
-			host:       "[fb00:cafe::1]",
-			port:       0,
-			wantTarget: "http://[fb00:cafe::1]/",
-		},
-		{
-			name:       "pre-bracketed ipv6 with port is not double-bracketed",
-			protocol:   "http",
-			host:       "[fb00:cafe::1]",
-			port:       8080,
-			wantTarget: "http://[fb00:cafe::1]:8080/",
-		},
-		{
-			name:       "v4-mapped ipv6 host without port is bracketed",
-			protocol:   "http",
-			host:       "::ffff:10.0.0.1",
-			port:       0,
-			wantTarget: "http://[::ffff:10.0.0.1]/",
-		},
-		{
-			name:       "full-form 8-group ipv6 without port is bracketed",
-			protocol:   "http",
-			host:       "fb00:cafe:1:0:0:0:0:3",
-			port:       0,
-			wantTarget: "http://[fb00:cafe:1:0:0:0:0:3]/",
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -1117,191 +1039,3 @@ func TestValidate_HeaderAuths(t *testing.T) {
 		assert.Contains(t, err.Error(), "exceeds maximum length")
 	})
 }
-
-func TestValidate_HTTPClusterTarget(t *testing.T) {
-	rp := validProxy()
-	rp.Targets = []*Target{{
-		TargetId:   "eu.proxy.netbird.io",
-		TargetType: TargetTypeCluster,
-		Protocol:   "http",
-		Host:       "backend.lan",
-		Options:    TargetOptions{DirectUpstream: true},
-		Enabled:    true,
-	}}
-	require.NoError(t, rp.Validate(), "HTTP cluster target with target_id, host, and direct_upstream must validate")
-}
-
-func TestValidate_HTTPClusterTarget_RequiresTargetId(t *testing.T) {
-	rp := validProxy()
-	rp.Targets = []*Target{{
-		TargetType: TargetTypeCluster,
-		Protocol:   "http",
-		Host:       "backend.lan",
-		Options:    TargetOptions{DirectUpstream: true},
-		Enabled:    true,
-	}}
-	assert.ErrorContains(t, rp.Validate(), "empty target_id", "cluster target must reject empty target_id")
-}
-
-// TestValidate_HTTPClusterTarget_RequiresHost pins the new cluster-target
-// rule that operator-supplied Host is mandatory: cluster targets dial the
-// upstream via the host network stack (direct_upstream is implied), so an
-// empty Host leaves the proxy with nothing to dial.
-func TestValidate_HTTPClusterTarget_RequiresHost(t *testing.T) {
-	rp := validProxy()
-	rp.Targets = []*Target{{
-		TargetId:   "eu.proxy.netbird.io",
-		TargetType: TargetTypeCluster,
-		Protocol:   "http",
-		Options:    TargetOptions{DirectUpstream: true},
-		Enabled:    true,
-	}}
-	assert.ErrorContains(t, rp.Validate(), "empty host", "cluster target must reject empty host")
-}
-
-// TestValidate_HTTPClusterTarget_RequiresDirectUpstream pins the second
-// half of the cluster-target rule: DirectUpstream must be true so the
-// stdlib transport branch in MultiTransport is taken. Without it the
-// embedded NetBird client would try to dial the cluster address through
-// the WG tunnel, which is the wrong network for a cluster upstream.
-func TestValidate_HTTPClusterTarget_RequiresDirectUpstream(t *testing.T) {
-	rp := validProxy()
-	rp.Targets = []*Target{{
-		TargetId:   "eu.proxy.netbird.io",
-		TargetType: TargetTypeCluster,
-		Protocol:   "http",
-		Host:       "backend.lan",
-		Enabled:    true,
-	}}
-	assert.ErrorContains(t, rp.Validate(), "direct upstream disabled", "cluster target must reject direct_upstream=false")
-}
-
-func TestValidate_L4ClusterTarget(t *testing.T) {
-	rp := validProxy()
-	rp.Mode = ModeTCP
-	rp.ListenPort = 9000
-	rp.Targets = []*Target{{
-		TargetId:   "eu.proxy.netbird.io",
-		TargetType: TargetTypeCluster,
-		Protocol:   "tcp",
-		Enabled:    true,
-	}}
-	require.NoError(t, rp.Validate(), "L4 cluster target must validate without an explicit port")
-}
-
-func TestService_Copy_RoundtripsPrivate(t *testing.T) {
-	svc := validProxy()
-	svc.Private = true
-	svc.AccessGroups = []string{"grp-admins", "grp-ops"}
-	cp := svc.Copy()
-	require.NotNil(t, cp)
-	assert.True(t, cp.Private)
-	assert.Equal(t, []string{"grp-admins", "grp-ops"}, cp.AccessGroups)
-
-	cp.Private = false
-	assert.True(t, svc.Private)
-
-	cp.AccessGroups[0] = "grp-other"
-	assert.Equal(t, []string{"grp-admins", "grp-ops"}, svc.AccessGroups)
-}
-
-func TestService_APIRoundtrip_Private(t *testing.T) {
-	enabled := true
-	private := true
-	accessGroups := []string{"grp-admins"}
-	targets := []api.ServiceTarget{{
-		TargetId:   "eu.proxy.netbird.io",
-		TargetType: api.ServiceTargetTargetType("cluster"),
-		Protocol:   "http",
-		Port:       80,
-		Enabled:    true,
-	}}
-	req := &api.ServiceRequest{
-		Name:         "svc-private",
-		Domain:       "myapp.eu.proxy.netbird.io",
-		Enabled:      enabled,
-		Private:      &private,
-		AccessGroups: &accessGroups,
-		Targets:      &targets,
-	}
-
-	svc := &Service{}
-	require.NoError(t, svc.FromAPIRequest(req, "acc-1"))
-	assert.True(t, svc.Private)
-	assert.Equal(t, []string{"grp-admins"}, svc.AccessGroups)
-
-	resp := svc.ToAPIResponse()
-	require.NotNil(t, resp.Private)
-	assert.True(t, *resp.Private)
-	require.NotNil(t, resp.AccessGroups)
-	assert.Equal(t, []string{"grp-admins"}, *resp.AccessGroups)
-}
-
-func TestValidate_Private_RequiresAccessGroups(t *testing.T) {
-	rp := validProxy()
-	rp.Private = true
-	rp.Targets = []*Target{{
-		TargetId:   "eu.proxy.netbird.io",
-		TargetType: TargetTypeCluster,
-		Protocol:   "http",
-		Host:       "backend.lan",
-		Options:    TargetOptions{DirectUpstream: true},
-		Enabled:    true,
-	}}
-	assert.ErrorContains(t, rp.Validate(), "access group")
-}
-
-func TestValidate_Private_RejectsBearerAuth(t *testing.T) {
-	rp := validProxy()
-	rp.Private = true
-	rp.AccessGroups = []string{"grp-admins"}
-	rp.Auth.BearerAuth = &BearerAuthConfig{
-		Enabled:            true,
-		DistributionGroups: []string{"grp-sso"},
-	}
-	rp.Targets = []*Target{{
-		TargetId:   "eu.proxy.netbird.io",
-		TargetType: TargetTypeCluster,
-		Protocol:   "http",
-		Host:       "backend.lan",
-		Options:    TargetOptions{DirectUpstream: true},
-		Enabled:    true,
-	}}
-	assert.ErrorContains(t, rp.Validate(), "mutually exclusive")
-}
-
-func TestValidate_Private_AcceptsNonClusterTargets(t *testing.T) {
-	rp := validProxy()
-	rp.Private = true
-	rp.AccessGroups = []string{"grp-admins"}
-	require.NoError(t, rp.Validate())
-}
-
-func TestValidate_Private_AcceptsClusterTargetWithAccessGroups(t *testing.T) {
-	rp := validProxy()
-	rp.Private = true
-	rp.AccessGroups = []string{"grp-admins"}
-	rp.Targets = []*Target{{
-		TargetId:   "eu.proxy.netbird.io",
-		TargetType: TargetTypeCluster,
-		Protocol:   "http",
-		Host:       "backend.lan",
-		Options:    TargetOptions{DirectUpstream: true},
-		Enabled:    true,
-	}}
-	require.NoError(t, rp.Validate())
-}
-
-func TestValidate_Private_RejectsNonHTTPMode(t *testing.T) {
-	rp := validProxy()
-	rp.Private = true
-	rp.AccessGroups = []string{"grp-admins"}
-	rp.Mode = ModeTCP
-	rp.Targets = []*Target{{
-		TargetId:   "eu.proxy.netbird.io",
-		TargetType: TargetTypeCluster,
-		Protocol:   "tcp",
-		Enabled:    true,
-	}}
-	assert.ErrorContains(t, rp.Validate(), "HTTP")
-}

management/internals/modules/reverseproxy/sessionkey/sessionkey.go

@@ -20,20 +20,6 @@ type KeyPair struct {
 type Claims struct {
 	jwt.RegisteredClaims
 	Method auth.Method `json:"method"`
-	// Email is the calling user's email address. Carried so the
-	// proxy can stamp identity on upstream requests (e.g.
-	// x-litellm-end-user-id) without an extra management
-	// round-trip on every cookie-bearing request.
-	Email string `json:"email,omitempty"`
-	// Groups carries the user's group IDs so the proxy can stamp them
-	// onto upstream requests (X-NetBird-Groups) from the cookie path
-	// without an extra management round-trip.
-	Groups []string `json:"groups,omitempty"`
-	// GroupNames carries the human-readable display names for the ids
-	// in Groups, ordered identically (positional pairing). Slice may be
-	// shorter than Groups for tokens minted before names were
-	// resolvable; the consumer falls back to ids for missing positions.
-	GroupNames []string `json:"group_names,omitempty"`
 }
 
 func GenerateKeyPair() (*KeyPair, error) {
@@ -48,13 +34,7 @@ func GenerateKeyPair() (*KeyPair, error) {
 	}, nil
 }
 
-// SignToken mints a session JWT for the given user and domain. email,
-// groups, and groupNames, when non-empty, are embedded so the proxy can
-// authorise and stamp identity for policy-aware middlewares without a
-// management round-trip on every cookie-bearing request. groupNames
-// pairs positionally with groups; pass nil when names couldn't be
-// resolved.
-func SignToken(privKeyB64, userID, email, domain string, method auth.Method, groups, groupNames []string, expiration time.Duration) (string, error) {
+func SignToken(privKeyB64, userID, domain string, method auth.Method, expiration time.Duration) (string, error) {
 	privKeyBytes, err := base64.StdEncoding.DecodeString(privKeyB64)
 	if err != nil {
 		return "", fmt.Errorf("decode private key: %w", err)
@@ -76,10 +56,7 @@ func SignToken(privKeyB64, userID, email, domain string, method auth.Method, gro
 			IssuedAt:  jwt.NewNumericDate(now),
 			NotBefore: jwt.NewNumericDate(now),
 		},
-		Method:     method,
-		Email:      email,
-		Groups:     append([]string(nil), groups...),
-		GroupNames: append([]string(nil), groupNames...),
+		Method: method,
 	}
 
 	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)

management/internals/server/boot.go

@@ -10,10 +10,8 @@ import (
 	"slices"
 	"time"
 
-	"github.com/gorilla/mux"
 	grpcMiddleware "github.com/grpc-ecosystem/go-grpc-middleware/v2"
 	"github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/realip"
-	"github.com/rs/cors"
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
@@ -21,6 +19,7 @@ import (
 	"google.golang.org/grpc/keepalive"
 
 	cachestore "github.com/eko/gocache/lib/v4/store"
+	"github.com/netbirdio/management-integrations/integrations"
 
 	"github.com/netbirdio/netbird/encryption"
 	"github.com/netbirdio/netbird/formatter/hook"
@@ -28,20 +27,16 @@ import (
 	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	"github.com/netbirdio/netbird/management/server/activity"
-	activitystore "github.com/netbirdio/netbird/management/server/activity/store"
 	nbcache "github.com/netbirdio/netbird/management/server/cache"
 	nbContext "github.com/netbirdio/netbird/management/server/context"
 	nbhttp "github.com/netbirdio/netbird/management/server/http"
 	"github.com/netbirdio/netbird/management/server/http/middleware"
-	"github.com/netbirdio/netbird/management/server/idp"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/util/crypt"
 )
 
-const apiPrefix = "/api"
-
 var (
 	kaep = keepalive.EnforcementPolicy{
 		MinTime:             15 * time.Second,
@@ -99,17 +94,12 @@ func (s *BaseServer) Store() store.Store {
 
 func (s *BaseServer) EventStore() activity.Store {
 	return Create(s, func() activity.Store {
-		var err error
-		key := s.Config.DataStoreEncryptionKey
-		if key == "" {
-			log.Debugf("generate new activity store encryption key")
-			key, err = crypt.GenerateKey()
-			if err != nil {
-				log.Fatalf("failed to generate event store encryption key: %v", err)
-			}
+		integrationMetrics, err := integrations.InitIntegrationMetrics(context.Background(), s.Metrics())
+		if err != nil {
+			log.Fatalf("failed to initialize integration metrics: %v", err)
 		}
 
-		eventStore, err := activitystore.NewSqlStore(context.Background(), s.Config.Datadir, key)
+		eventStore, _, err := integrations.InitEventStore(context.Background(), s.Config.Datadir, s.Config.DataStoreEncryptionKey, integrationMetrics)
 		if err != nil {
 			log.Fatalf("failed to initialize event store: %v", err)
 		}
@@ -120,7 +110,7 @@ func (s *BaseServer) EventStore() activity.Store {
 
 func (s *BaseServer) APIHandler() http.Handler {
 	return Create(s, func() http.Handler {
-		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.Router(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.PermissionsManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ServiceManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies, s.RateLimiter(), s.IsValidChildAccount)
+		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ServiceManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies, s.RateLimiter())
 		if err != nil {
 			log.Fatalf("failed to create API handler: %v", err)
 		}
@@ -128,22 +118,6 @@ func (s *BaseServer) APIHandler() http.Handler {
 	})
 }
 
-// IDPHandler returns the HTTP handler for the embedded IdP (Dex), or nil if
-// the deployment isn't using the embedded variant.
-func (s *BaseServer) IDPHandler() http.Handler {
-	embeddedIdP, ok := s.IdpManager().(*idp.EmbeddedIdPManager)
-	if !ok || embeddedIdP == nil {
-		return nil
-	}
-	return cors.AllowAll().Handler(embeddedIdP.Handler())
-}
-
-func (s *BaseServer) Router() *mux.Router {
-	return Create(s, func() *mux.Router {
-		return mux.NewRouter().PathPrefix(apiPrefix).Subrouter()
-	})
-}
-
 func (s *BaseServer) RateLimiter() *middleware.APIRateLimiter {
 	return Create(s, func() *middleware.APIRateLimiter {
 		cfg, enabled := middleware.RateLimiterConfigFromEnv()

management/internals/server/controllers.go

@@ -19,7 +19,6 @@ import (
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/auth"
 	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
-	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/job"
 	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
@@ -39,7 +38,7 @@ func (s *BaseServer) JobManager() *job.Manager {
 
 func (s *BaseServer) IntegratedValidator() integrated_validator.IntegratedValidator {
 	return Create(s, func() integrated_validator.IntegratedValidator {
-		integratedPeerValidator, err := validator.NewIntegratedValidator(
+		integratedPeerValidator, err := integrations.NewIntegratedValidator(
 			context.Background(),
 			s.PeersManager(),
 			s.SettingsManager(),
@@ -113,11 +112,7 @@ func (s *BaseServer) AuthManager() auth.Manager {
 
 func (s *BaseServer) EphemeralManager() ephemeral.Manager {
 	return Create(s, func() ephemeral.Manager {
-		em := manager.NewEphemeralManager(s.Store(), s.PeersManager())
-		if metrics := s.Metrics(); metrics != nil {
-			em.SetMetrics(metrics.EphemeralPeersMetrics())
-		}
-		return em
+		return manager.NewEphemeralManager(s.Store(), s.PeersManager())
 	})
 }
 

management/internals/server/modules.go

@@ -57,7 +57,13 @@ func (s *BaseServer) GeoLocationManager() geolocation.Geolocation {
 
 func (s *BaseServer) PermissionsManager() permissions.Manager {
 	return Create(s, func() permissions.Manager {
-		return permissions.NewManager(s.Store())
+		manager := integrations.InitPermissionsManager(s.Store(), s.Metrics().GetMeter())
+
+		s.AfterInit(func(s *BaseServer) {
+			manager.SetAccountManager(s.AccountManager())
+		})
+
+		return manager
 	})
 }
 
@@ -147,6 +153,7 @@ func (s *BaseServer) IdpManager() idp.Manager {
 			return idpManager
 		}
 
+
 		return nil
 	})
 }
@@ -228,7 +235,3 @@ func (s *BaseServer) ReverseProxyDomainManager() *manager.Manager {
 		return &m
 	})
 }
-
-func (s *BaseServer) IsValidChildAccount(_ context.Context, _, _, _ string) bool {
-	return false
-}

management/internals/server/server.go

@@ -188,7 +188,7 @@ func (s *BaseServer) Start(ctx context.Context) error {
 		log.WithContext(srvCtx).Infof("running gRPC backward compatibility server: %s", compatListener.Addr().String())
 	}
 
-	rootHandler := s.handlerFunc(srvCtx, s.GRPCServer(), s.APIHandler(), s.IDPHandler(), s.Metrics().GetMeter())
+	rootHandler := s.handlerFunc(srvCtx, s.GRPCServer(), s.APIHandler(), s.Metrics().GetMeter())
 	switch {
 	case s.certManager != nil:
 		// a call to certManager.Listener() always creates a new listener so we do it once
@@ -299,7 +299,7 @@ func (s *BaseServer) SetHandlerFunc(handler http.Handler) {
 	log.Tracef("custom handler set successfully")
 }
 
-func (s *BaseServer) handlerFunc(_ context.Context, gRPCHandler *grpc.Server, httpHandler http.Handler, idpHandler http.Handler, meter metric.Meter) http.Handler {
+func (s *BaseServer) handlerFunc(_ context.Context, gRPCHandler *grpc.Server, httpHandler http.Handler, meter metric.Meter) http.Handler {
 	// Check if a custom handler was set (for multiplexing additional services)
 	if customHandler, ok := s.GetContainer("customHandler"); ok {
 		if handler, ok := customHandler.(http.Handler); ok {
@@ -318,8 +318,6 @@ func (s *BaseServer) handlerFunc(_ context.Context, gRPCHandler *grpc.Server, ht
 			gRPCHandler.ServeHTTP(writer, request)
 		case request.URL.Path == wsproxy.ProxyPath+wsproxy.ManagementComponent:
 			wsProxy.Handler().ServeHTTP(writer, request)
-		case idpHandler != nil && strings.HasPrefix(request.URL.Path, "/oauth2"):
-			idpHandler.ServeHTTP(writer, request)
 		default:
 			httpHandler.ServeHTTP(writer, request)
 		}

management/internals/shared/grpc/proxy.go

@@ -9,7 +9,6 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
-	"io"
 	"net"
 	"net/http"
 	"net/url"
@@ -137,12 +136,9 @@ type proxyConnection struct {
 	tokenID      string
 	capabilities *proto.ProxyCapabilities
 	stream       proto.ProxyService_GetMappingUpdateServer
-	// syncStream is set when the proxy connected via SyncMappings.
-	// When non-nil, the sender goroutine uses this instead of stream.
-	syncStream proto.ProxyService_SyncMappingsServer
-	sendChan   chan *proto.GetMappingUpdateResponse
-	ctx        context.Context
-	cancel     context.CancelFunc
+	sendChan     chan *proto.GetMappingUpdateResponse
+	ctx          context.Context
+	cancel       context.CancelFunc
 }
 
 func enforceAccountScope(ctx context.Context, requestAccountID string) error {
@@ -210,323 +206,145 @@ func (s *ProxyServiceServer) SetProxyController(proxyController proxy.Controller
 	s.proxyController = proxyController
 }
 
-// proxyConnectParams holds the validated parameters extracted from either
-// a GetMappingUpdateRequest or a SyncMappingsInit message.
-type proxyConnectParams struct {
-	proxyID      string
-	address      string
-	capabilities *proto.ProxyCapabilities
-}
-
 // GetMappingUpdate handles the control stream with proxy clients
 func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest, stream proto.ProxyService_GetMappingUpdateServer) error {
-	params, err := s.validateProxyConnect(req.GetProxyId(), req.GetAddress(), stream.Context())
-	if err != nil {
-		return err
-	}
-	params.capabilities = req.GetCapabilities()
+	ctx := stream.Context()
 
-	conn, proxyRecord, err := s.registerProxyConnection(stream.Context(), params, &proxyConnection{
-		stream: stream,
-	})
-	if err != nil {
-		return err
-	}
-
-	if err := s.sendSnapshot(stream.Context(), conn); err != nil {
-		s.cleanupFailedSnapshot(stream.Context(), conn)
-		return fmt.Errorf("send snapshot to proxy %s: %w", params.proxyID, err)
-	}
-
-	errChan := make(chan error, 2)
-	go s.sender(conn, errChan)
-
-	return s.serveProxyConnection(conn, proxyRecord, errChan, false)
-}
-
-// SyncMappings implements the bidirectional SyncMappings RPC.
-// It mirrors GetMappingUpdate but provides application-level back-pressure:
-// management waits for an ack from the proxy before sending the next batch.
-func (s *ProxyServiceServer) SyncMappings(stream proto.ProxyService_SyncMappingsServer) error {
-	init, err := recvSyncInit(stream)
-	if err != nil {
-		return err
-	}
-
-	params, err := s.validateProxyConnect(init.GetProxyId(), init.GetAddress(), stream.Context())
-	if err != nil {
-		return err
-	}
-	params.capabilities = init.GetCapabilities()
-
-	conn, proxyRecord, err := s.registerProxyConnection(stream.Context(), params, &proxyConnection{
-		syncStream: stream,
-	})
-	if err != nil {
-		return err
-	}
-
-	if err := s.sendSnapshotSync(stream.Context(), conn, stream); err != nil {
-		s.cleanupFailedSnapshot(stream.Context(), conn)
-		return fmt.Errorf("send snapshot to proxy %s: %w", params.proxyID, err)
-	}
-
-	errChan := make(chan error, 2)
-	go s.sender(conn, errChan)
-	go s.drainRecv(stream, errChan)
-
-	return s.serveProxyConnection(conn, proxyRecord, errChan, true)
-}
-
-// recvSyncInit receives and validates the first message on a SyncMappings stream.
-func recvSyncInit(stream proto.ProxyService_SyncMappingsServer) (*proto.SyncMappingsInit, error) {
-	firstMsg, err := stream.Recv()
-	if err != nil {
-		return nil, status.Errorf(codes.Internal, "receive init: %v", err)
-	}
-	init := firstMsg.GetInit()
-	if init == nil {
-		return nil, status.Errorf(codes.InvalidArgument, "first message must be init")
-	}
-	return init, nil
-}
-
-// validateProxyConnect validates the proxy ID and address, and checks cluster
-// address availability for account-scoped tokens.
-func (s *ProxyServiceServer) validateProxyConnect(proxyID, address string, ctx context.Context) (proxyConnectParams, error) {
-	if proxyID == "" {
-		return proxyConnectParams{}, status.Errorf(codes.InvalidArgument, "proxy_id is required")
-	}
-	if !isProxyAddressValid(address) {
-		return proxyConnectParams{}, status.Errorf(codes.InvalidArgument, "proxy address is invalid")
-	}
-
-	token := GetProxyTokenFromContext(ctx)
-	if token != nil && token.AccountID != nil {
-		available, err := s.proxyManager.IsClusterAddressAvailable(ctx, address, *token.AccountID)
-		if err != nil {
-			return proxyConnectParams{}, status.Errorf(codes.Internal, "check cluster address: %v", err)
-		}
-		if !available {
-			return proxyConnectParams{}, status.Errorf(codes.AlreadyExists, "cluster address %s is already in use", address)
-		}
-	}
-
-	return proxyConnectParams{proxyID: proxyID, address: address}, nil
-}
-
-// registerProxyConnection creates a proxyConnection, registers it with the
-// proxy manager and cluster, and stores it in connectedProxies. The caller
-// provides a partially initialised connSeed with stream-specific fields set;
-// the remaining fields are filled in here.
-func (s *ProxyServiceServer) registerProxyConnection(ctx context.Context, params proxyConnectParams, connSeed *proxyConnection) (*proxyConnection, *proxy.Proxy, error) {
 	peerInfo := PeerIPFromContext(ctx)
+	log.Infof("New proxy connection from %s", peerInfo)
+
+	proxyID := req.GetProxyId()
+	if proxyID == "" {
+		return status.Errorf(codes.InvalidArgument, "proxy_id is required")
+	}
+
+	proxyAddress := req.GetAddress()
+	if !isProxyAddressValid(proxyAddress) {
+		return status.Errorf(codes.InvalidArgument, "proxy address is invalid")
+	}
 
 	var accountID *string
-	var tokenID string
-	if token := GetProxyTokenFromContext(ctx); token != nil {
-		if token.AccountID != nil {
-			accountID = token.AccountID
+	token := GetProxyTokenFromContext(ctx)
+	if token != nil && token.AccountID != nil {
+		accountID = token.AccountID
+
+		available, err := s.proxyManager.IsClusterAddressAvailable(ctx, proxyAddress, *accountID)
+		if err != nil {
+			return status.Errorf(codes.Internal, "check cluster address: %v", err)
 		}
+		if !available {
+			return status.Errorf(codes.AlreadyExists, "cluster address %s is already in use", proxyAddress)
+		}
+	}
+
+	var tokenID string
+	if token != nil {
 		tokenID = token.ID
 	}
 
 	sessionID := uuid.NewString()
-	s.supersedePriorConnection(params.proxyID, sessionID)
 
-	connCtx, cancel := context.WithCancel(ctx)
-	connSeed.proxyID = params.proxyID
-	connSeed.sessionID = sessionID
-	connSeed.address = params.address
-	connSeed.accountID = accountID
-	connSeed.tokenID = tokenID
-	connSeed.capabilities = params.capabilities
-	connSeed.sendChan = make(chan *proto.GetMappingUpdateResponse, 100)
-	connSeed.ctx = connCtx
-	connSeed.cancel = cancel
-
-	var caps *proxy.Capabilities
-	if c := params.capabilities; c != nil {
-		caps = &proxy.Capabilities{
-			SupportsCustomPorts: c.SupportsCustomPorts,
-			RequireSubdomain:    c.RequireSubdomain,
-			SupportsCrowdsec:    c.SupportsCrowdsec,
-			Private:             c.Private,
-		}
-	}
-
-	proxyRecord, err := s.proxyManager.Connect(ctx, params.proxyID, sessionID, params.address, peerInfo, accountID, caps)
-	if err != nil {
-		cancel()
-		if accountID != nil {
-			return nil, nil, status.Errorf(codes.Internal, "failed to register BYOP proxy: %v", err)
-		}
-		log.WithContext(ctx).Warnf("failed to register proxy %s in database: %v", params.proxyID, err)
-		return nil, nil, status.Errorf(codes.Internal, "register proxy in database: %v", err)
-	}
-
-	s.connectedProxies.Store(params.proxyID, connSeed)
-	if err := s.proxyController.RegisterProxyToCluster(ctx, params.address, params.proxyID); err != nil {
-		log.WithContext(ctx).Warnf("Failed to register proxy %s in cluster: %v", params.proxyID, err)
-	}
-
-	return connSeed, proxyRecord, nil
-}
-
-// supersedePriorConnection cancels any existing connection for the given proxy.
-func (s *ProxyServiceServer) supersedePriorConnection(proxyID, newSessionID string) {
 	if old, loaded := s.connectedProxies.Load(proxyID); loaded {
 		oldConn := old.(*proxyConnection)
 		log.WithFields(log.Fields{
 			"proxy_id":       proxyID,
 			"old_session_id": oldConn.sessionID,
-			"new_session_id": newSessionID,
+			"new_session_id": sessionID,
 		}).Info("Superseding existing proxy connection")
 		oldConn.cancel()
 	}
-}
 
-// cleanupFailedSnapshot removes the connection from the cluster and store
-// after a snapshot send failure.
-func (s *ProxyServiceServer) cleanupFailedSnapshot(ctx context.Context, conn *proxyConnection) {
-	if s.connectedProxies.CompareAndDelete(conn.proxyID, conn) {
-		if err := s.proxyController.UnregisterProxyFromCluster(context.Background(), conn.address, conn.proxyID); err != nil {
-			log.WithContext(ctx).Debugf("cleanup after snapshot failure for proxy %s: %v", conn.proxyID, err)
+	connCtx, cancel := context.WithCancel(ctx)
+	conn := &proxyConnection{
+		proxyID:      proxyID,
+		sessionID:    sessionID,
+		address:      proxyAddress,
+		accountID:    accountID,
+		tokenID:      tokenID,
+		capabilities: req.GetCapabilities(),
+		stream:       stream,
+		sendChan:     make(chan *proto.GetMappingUpdateResponse, 100),
+		ctx:          connCtx,
+		cancel:       cancel,
+	}
+
+	var caps *proxy.Capabilities
+	if c := req.GetCapabilities(); c != nil {
+		caps = &proxy.Capabilities{
+			SupportsCustomPorts: c.SupportsCustomPorts,
+			RequireSubdomain:    c.RequireSubdomain,
+			SupportsCrowdsec:    c.SupportsCrowdsec,
 		}
 	}
-	conn.cancel()
-	if err := s.proxyManager.Disconnect(context.Background(), conn.proxyID, conn.sessionID); err != nil {
-		log.WithContext(ctx).Debugf("cleanup after snapshot failure for proxy %s: %v", conn.proxyID, err)
-	}
-}
-
-// drainRecv consumes and discards messages from a bidirectional stream.
-// The proxy sends an ack for every incremental update; we don't need them
-// after the snapshot phase. Recv errors are forwarded to errChan.
-func (s *ProxyServiceServer) drainRecv(stream proto.ProxyService_SyncMappingsServer, errChan chan<- error) {
-	for {
-		if _, err := stream.Recv(); err != nil {
-			errChan <- err
-			return
+	proxyRecord, err := s.proxyManager.Connect(ctx, proxyID, sessionID, proxyAddress, peerInfo, accountID, caps)
+	if err != nil {
+		cancel()
+		if accountID != nil {
+			return status.Errorf(codes.Internal, "failed to register BYOP proxy: %v", err)
 		}
+		log.WithContext(ctx).Warnf("failed to register proxy %s in database: %v", proxyID, err)
+		return status.Errorf(codes.Internal, "register proxy in database: %v", err)
 	}
-}
 
-// serveProxyConnection runs the post-snapshot lifecycle: heartbeat, sender,
-// and wait for termination. When bidi is true, normal stream closure (EOF,
-// canceled) is treated as a clean disconnect rather than an error.
-func (s *ProxyServiceServer) serveProxyConnection(conn *proxyConnection, proxyRecord *proxy.Proxy, errChan <-chan error, bidi bool) error {
+	s.connectedProxies.Store(proxyID, conn)
+	if err := s.proxyController.RegisterProxyToCluster(ctx, conn.address, proxyID); err != nil {
+		log.WithContext(ctx).Warnf("Failed to register proxy %s in cluster: %v", proxyID, err)
+	}
+
+	if err := s.sendSnapshot(ctx, conn); err != nil {
+		if s.connectedProxies.CompareAndDelete(proxyID, conn) {
+			if unregErr := s.proxyController.UnregisterProxyFromCluster(context.Background(), conn.address, proxyID); unregErr != nil {
+				log.WithContext(ctx).Debugf("cleanup after snapshot failure for proxy %s: %v", proxyID, unregErr)
+			}
+		}
+		cancel()
+		if disconnErr := s.proxyManager.Disconnect(context.Background(), proxyID, sessionID); disconnErr != nil {
+			log.WithContext(ctx).Debugf("cleanup after snapshot failure for proxy %s: %v", proxyID, disconnErr)
+		}
+		return fmt.Errorf("send snapshot to proxy %s: %w", proxyID, err)
+	}
+
+	errChan := make(chan error, 2)
+	go s.sender(conn, errChan)
+
 	log.WithFields(log.Fields{
-		"proxy_id":      conn.proxyID,
-		"session_id":    conn.sessionID,
-		"address":       conn.address,
-		"cluster_addr":  conn.address,
-		"account_id":    conn.accountID,
+		"proxy_id":      proxyID,
+		"session_id":    sessionID,
+		"address":       proxyAddress,
+		"cluster_addr":  proxyAddress,
+		"account_id":    accountID,
 		"total_proxies": len(s.GetConnectedProxies()),
 	}).Info("Proxy registered in cluster")
+	defer func() {
+		if !s.connectedProxies.CompareAndDelete(proxyID, conn) {
+			log.Infof("Proxy %s session %s: skipping cleanup, superseded by new connection", proxyID, sessionID)
+			cancel()
+			return
+		}
 
-	defer s.disconnectProxy(conn)
-	go s.heartbeat(conn.ctx, conn, proxyRecord)
+		if err := s.proxyController.UnregisterProxyFromCluster(context.Background(), conn.address, proxyID); err != nil {
+			log.Warnf("Failed to unregister proxy %s from cluster: %v", proxyID, err)
+		}
+		if err := s.proxyManager.Disconnect(context.Background(), proxyID, sessionID); err != nil {
+			log.Warnf("Failed to mark proxy %s as disconnected: %v", proxyID, err)
+		}
+
+		cancel()
+		log.Infof("Proxy %s session %s disconnected", proxyID, sessionID)
+	}()
+
+	go s.heartbeat(connCtx, conn, proxyRecord)
 
 	select {
 	case err := <-errChan:
-		if bidi && isStreamClosed(err) {
-			log.Infof("Proxy %s stream closed", conn.proxyID)
-			return nil
-		}
-		log.Warnf("Failed to send update: %v", err)
-		return fmt.Errorf("send update to proxy %s: %w", conn.proxyID, err)
-	case <-conn.ctx.Done():
-		log.Infof("Proxy %s context canceled", conn.proxyID)
-		return conn.ctx.Err()
+		log.WithContext(ctx).Warnf("Failed to send update: %v", err)
+		return fmt.Errorf("send update to proxy %s: %w", proxyID, err)
+	case <-connCtx.Done():
+		log.WithContext(ctx).Infof("Proxy %s context canceled", proxyID)
+		return connCtx.Err()
 	}
 }
 
-// disconnectProxy removes the connection from cluster and store, unless it
-// has already been superseded by a newer connection.
-func (s *ProxyServiceServer) disconnectProxy(conn *proxyConnection) {
-	if !s.connectedProxies.CompareAndDelete(conn.proxyID, conn) {
-		log.Infof("Proxy %s session %s: skipping cleanup, superseded by new connection", conn.proxyID, conn.sessionID)
-		conn.cancel()
-		return
-	}
-
-	if err := s.proxyController.UnregisterProxyFromCluster(context.Background(), conn.address, conn.proxyID); err != nil {
-		log.Warnf("Failed to unregister proxy %s from cluster: %v", conn.proxyID, err)
-	}
-	if err := s.proxyManager.Disconnect(context.Background(), conn.proxyID, conn.sessionID); err != nil {
-		log.Warnf("Failed to mark proxy %s as disconnected: %v", conn.proxyID, err)
-	}
-
-	conn.cancel()
-	log.Infof("Proxy %s session %s disconnected", conn.proxyID, conn.sessionID)
-}
-
-// sendSnapshotSync sends the initial snapshot with back-pressure: it sends
-// one batch, then waits for the proxy to ack before sending the next.
-func (s *ProxyServiceServer) sendSnapshotSync(ctx context.Context, conn *proxyConnection, stream proto.ProxyService_SyncMappingsServer) error {
-	if !isProxyAddressValid(conn.address) {
-		return fmt.Errorf("proxy address is invalid")
-	}
-	if s.snapshotBatchSize <= 0 {
-		return fmt.Errorf("invalid snapshot batch size: %d", s.snapshotBatchSize)
-	}
-
-	mappings, err := s.snapshotServiceMappings(ctx, conn)
-	if err != nil {
-		return err
-	}
-
-	for i := 0; i < len(mappings); i += s.snapshotBatchSize {
-		end := i + s.snapshotBatchSize
-		if end > len(mappings) {
-			end = len(mappings)
-		}
-		for _, m := range mappings[i:end] {
-			token, err := s.tokenStore.GenerateToken(m.AccountId, m.Id, s.proxyTokenTTL())
-			if err != nil {
-				return fmt.Errorf("generate auth token for service %s: %w", m.Id, err)
-			}
-			m.AuthToken = token
-		}
-		if err := stream.Send(&proto.SyncMappingsResponse{
-			Mapping:             mappings[i:end],
-			InitialSyncComplete: end == len(mappings),
-		}); err != nil {
-			return fmt.Errorf("send snapshot batch: %w", err)
-		}
-
-		if err := waitForAck(stream); err != nil {
-			return err
-		}
-	}
-
-	if len(mappings) == 0 {
-		if err := stream.Send(&proto.SyncMappingsResponse{
-			InitialSyncComplete: true,
-		}); err != nil {
-			return fmt.Errorf("send snapshot completion: %w", err)
-		}
-
-		if err := waitForAck(stream); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func waitForAck(stream proto.ProxyService_SyncMappingsServer) error {
-	msg, err := stream.Recv()
-	if err != nil {
-		return fmt.Errorf("receive ack: %w", err)
-	}
-	if msg.GetAck() == nil {
-		return fmt.Errorf("expected ack, got %T", msg.GetMsg())
-	}
-	return nil
-}
-
 // heartbeat updates the proxy's last_seen timestamp every minute and
 // disconnects the proxy if its access token has been revoked.
 func (s *ProxyServiceServer) heartbeat(ctx context.Context, conn *proxyConnection, p *proxy.Proxy) {
@@ -563,9 +381,6 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 	if !isProxyAddressValid(conn.address) {
 		return fmt.Errorf("proxy address is invalid")
 	}
-	if s.snapshotBatchSize <= 0 {
-		return fmt.Errorf("invalid snapshot batch size: %d", s.snapshotBatchSize)
-	}
 
 	mappings, err := s.snapshotServiceMappings(ctx, conn)
 	if err != nil {
@@ -579,13 +394,6 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 		if end > len(mappings) {
 			end = len(mappings)
 		}
-		for _, m := range mappings[i:end] {
-			token, err := s.tokenStore.GenerateToken(m.AccountId, m.Id, s.proxyTokenTTL())
-			if err != nil {
-				return fmt.Errorf("generate auth token for service %s: %w", m.Id, err)
-			}
-			m.AuthToken = token
-		}
 		if err := conn.stream.Send(&proto.GetMappingUpdateResponse{
 			Mapping:             mappings[i:end],
 			InitialSyncComplete: end == len(mappings),
@@ -617,14 +425,18 @@ func (s *ProxyServiceServer) snapshotServiceMappings(ctx context.Context, conn *
 		return nil, fmt.Errorf("get services from store: %w", err)
 	}
 
-	oidcCfg := s.GetOIDCValidationConfig()
 	var mappings []*proto.ProxyMapping
 	for _, service := range services {
 		if !service.Enabled || service.ProxyCluster == "" || service.ProxyCluster != conn.address {
 			continue
 		}
 
-		m := service.ToProtoMapping(rpservice.Create, "", oidcCfg)
+		token, err := s.tokenStore.GenerateToken(service.AccountID, service.ID, s.proxyTokenTTL())
+		if err != nil {
+			return nil, fmt.Errorf("generate auth token for service %s: %w", service.ID, err)
+		}
+
+		m := service.ToProtoMapping(rpservice.Create, token, s.GetOIDCValidationConfig())
 		if !proxyAcceptsMapping(conn, m) {
 			continue
 		}
@@ -645,26 +457,12 @@ func isProxyAddressValid(addr string) bool {
 	return err == nil
 }
 
-// isStreamClosed returns true for errors that indicate normal stream
-// termination: io.EOF, context cancellation, or gRPC Canceled.
-func isStreamClosed(err error) bool {
-	if err == nil {
-		return false
-	}
-	if errors.Is(err, io.EOF) || errors.Is(err, context.Canceled) {
-		return true
-	}
-	return status.Code(err) == codes.Canceled
-}
-
-// sender handles sending messages to proxy.
-// When conn.syncStream is set the message is sent as SyncMappingsResponse;
-// otherwise the legacy GetMappingUpdateResponse stream is used.
+// sender handles sending messages to proxy
 func (s *ProxyServiceServer) sender(conn *proxyConnection, errChan chan<- error) {
 	for {
 		select {
 		case resp := <-conn.sendChan:
-			if err := conn.sendResponse(resp); err != nil {
+			if err := conn.stream.Send(resp); err != nil {
 				errChan <- err
 				return
 			}
@@ -674,17 +472,6 @@ func (s *ProxyServiceServer) sender(conn *proxyConnection, errChan chan<- error)
 	}
 }
 
-// sendResponse sends a mapping update on whichever stream the proxy connected with.
-func (conn *proxyConnection) sendResponse(resp *proto.GetMappingUpdateResponse) error {
-	if conn.syncStream != nil {
-		return conn.syncStream.Send(&proto.SyncMappingsResponse{
-			Mapping:             resp.Mapping,
-			InitialSyncComplete: resp.InitialSyncComplete,
-		})
-	}
-	return conn.stream.Send(resp)
-}
-
 // SendAccessLog processes access log from proxy
 func (s *ProxyServiceServer) SendAccessLog(ctx context.Context, req *proto.SendAccessLogRequest) (*proto.SendAccessLogResponse, error) {
 	accessLog := req.GetLog()
@@ -751,15 +538,10 @@ func (s *ProxyServiceServer) SendServiceUpdate(update *proto.GetMappingUpdateRes
 				return true
 			}
 			connUpdate = &proto.GetMappingUpdateResponse{
-				Mapping:             filtered,
-				InitialSyncComplete: update.InitialSyncComplete,
+				Mapping:              filtered,
+				InitialSyncComplete:  update.InitialSyncComplete,
 			}
 		}
-		// Drop mappings the proxy lacks capability for (e.g. private without SupportsPrivateService).
-		connUpdate = filterMappingsForProxy(conn, connUpdate)
-		if connUpdate == nil || len(connUpdate.Mapping) == 0 {
-			return true
-		}
 		resp := s.perProxyMessage(connUpdate, conn.proxyID)
 		if resp == nil {
 			log.Warnf("Token generation failed for proxy %s, disconnecting to force resync", conn.proxyID)
@@ -888,20 +670,16 @@ func (s *ProxyServiceServer) SendServiceUpdateToCluster(ctx context.Context, upd
 	}
 }
 
-// proxyAcceptsMapping returns whether the proxy can receive this mapping.
-// Private mappings require SupportsPrivateService; custom-port L4 mappings
-// require SupportsCustomPorts. Remove operations always pass so proxies can
-// clean up.
+// proxyAcceptsMapping returns whether the proxy should receive this mapping.
+// Old proxies that never reported capabilities are skipped for non-TLS L4
+// mappings with a custom listen port, since they don't understand the
+// protocol. Proxies that report capabilities (even SupportsCustomPorts=false)
+// are new enough to handle the mapping. TLS uses SNI routing and works on
+// any proxy. Delete operations are always sent so proxies can clean up.
 func proxyAcceptsMapping(conn *proxyConnection, mapping *proto.ProxyMapping) bool {
 	if mapping.Type == proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED {
 		return true
 	}
-	if mapping.GetPrivate() {
-		caps := conn.capabilities
-		if caps == nil || caps.SupportsPrivateService == nil || !*caps.SupportsPrivateService {
-			return false
-		}
-	}
 	if mapping.ListenPort == 0 || mapping.Mode == "tls" {
 		return true
 	}
@@ -910,29 +688,6 @@ func proxyAcceptsMapping(conn *proxyConnection, mapping *proto.ProxyMapping) boo
 	return conn.capabilities != nil && conn.capabilities.SupportsCustomPorts != nil
 }
 
-// filterMappingsForProxy drops mappings the proxy cannot safely receive
-// (e.g. private mappings to a proxy without SupportsPrivateService).
-// Returns the input unchanged when no filtering is needed.
-func filterMappingsForProxy(conn *proxyConnection, update *proto.GetMappingUpdateResponse) *proto.GetMappingUpdateResponse {
-	if update == nil || len(update.Mapping) == 0 {
-		return update
-	}
-	kept := make([]*proto.ProxyMapping, 0, len(update.Mapping))
-	for _, m := range update.Mapping {
-		if !proxyAcceptsMapping(conn, m) {
-			continue
-		}
-		kept = append(kept, m)
-	}
-	if len(kept) == len(update.Mapping) {
-		return update
-	}
-	return &proto.GetMappingUpdateResponse{
-		Mapping:             kept,
-		InitialSyncComplete: update.InitialSyncComplete,
-	}
-}
-
 // perProxyMessage returns a copy of update with a fresh one-time token for
 // create/update operations. For delete operations the original mapping is
 // used unchanged because proxies do not need to authenticate for removal.
@@ -994,10 +749,7 @@ func (s *ProxyServiceServer) Authenticate(ctx context.Context, req *proto.Authen
 
 	authenticated, userId, method := s.authenticateRequest(ctx, req, service)
 
-	// Non-OIDC schemes (PIN/Password/Header) authenticate against per-service
-	// secrets and have no user-level group context, so groups stay nil. Email
-	// is also empty — these schemes don't resolve a user record at sign time.
-	token, err := s.generateSessionToken(ctx, authenticated, service, userId, "", method, nil, nil)
+	token, err := s.generateSessionToken(ctx, authenticated, service, userId, method)
 	if err != nil {
 		return nil, err
 	}
@@ -1086,7 +838,7 @@ func (s *ProxyServiceServer) logAuthenticationError(ctx context.Context, err err
 	}
 }
 
-func (s *ProxyServiceServer) generateSessionToken(ctx context.Context, authenticated bool, service *rpservice.Service, userId, userEmail string, method proxyauth.Method, groupIDs, groupNames []string) (string, error) {
+func (s *ProxyServiceServer) generateSessionToken(ctx context.Context, authenticated bool, service *rpservice.Service, userId string, method proxyauth.Method) (string, error) {
 	if !authenticated || service.SessionPrivateKey == "" {
 		return "", nil
 	}
@@ -1094,11 +846,8 @@ func (s *ProxyServiceServer) generateSessionToken(ctx context.Context, authentic
 	token, err := sessionkey.SignToken(
 		service.SessionPrivateKey,
 		userId,
-		userEmail,
 		service.Domain,
 		method,
-		groupIDs,
-		groupNames,
 		proxyauth.DefaultSessionExpiry,
 	)
 	if err != nil {
@@ -1109,26 +858,6 @@ func (s *ProxyServiceServer) generateSessionToken(ctx context.Context, authentic
 	return token, nil
 }
 
-// pairGroupIDsAndNames splits a slice of resolved *types.Group records
-// into parallel id and name slices. ids[i] and names[i] always pair to
-// the same group. nil entries (orphan ids the manager couldn't resolve)
-// are skipped so the consumer can rely on positional pairing.
-func pairGroupIDsAndNames(groups []*types.Group) (ids, names []string) {
-	if len(groups) == 0 {
-		return nil, nil
-	}
-	ids = make([]string, 0, len(groups))
-	names = make([]string, 0, len(groups))
-	for _, g := range groups {
-		if g == nil {
-			continue
-		}
-		ids = append(ids, g.ID)
-		names = append(names, g.Name)
-	}
-	return ids, names
-}
-
 // SendStatusUpdate handles status updates from proxy clients.
 func (s *ProxyServiceServer) SendStatusUpdate(ctx context.Context, req *proto.SendStatusUpdateRequest) (*proto.SendStatusUpdateResponse, error) {
 	if err := enforceAccountScope(ctx, req.GetAccountId()); err != nil {
@@ -1393,9 +1122,7 @@ func (s *ProxyServiceServer) ValidateState(state string) (verifier, redirectURL
 	return verifier, redirectURL, nil
 }
 
-// GenerateSessionToken creates a signed session JWT for the given domain and
-// user. The user's group memberships are embedded in the token so policy-aware
-// middlewares on the proxy can authorise without an extra management round-trip.
+// GenerateSessionToken creates a signed session JWT for the given domain and user.
 func (s *ProxyServiceServer) GenerateSessionToken(ctx context.Context, domain, userID string, method proxyauth.Method) (string, error) {
 	service, err := s.getServiceByDomain(ctx, domain)
 	if err != nil {
@@ -1406,29 +1133,11 @@ func (s *ProxyServiceServer) GenerateSessionToken(ctx context.Context, domain, u
 		return "", fmt.Errorf("no session key configured for domain: %s", domain)
 	}
 
-	var (
-		email      string
-		groupIDs   []string
-		groupNames []string
-	)
-	if s.usersManager != nil {
-		user, userGroups, uerr := s.usersManager.GetUserWithGroups(ctx, userID)
-		if uerr != nil {
-			log.WithContext(ctx).Debugf("session token mint: lookup user %s: %v", userID, uerr)
-		} else if user != nil {
-			email = user.Email
-			groupIDs, groupNames = pairGroupIDsAndNames(userGroups)
-		}
-	}
-
 	return sessionkey.SignToken(
 		service.SessionPrivateKey,
 		userID,
-		email,
 		domain,
 		method,
-		groupIDs,
-		groupNames,
 		proxyauth.DefaultSessionExpiry,
 	)
 }
@@ -1532,7 +1241,7 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 		}, nil
 	}
 
-	userID, _, _, _, _, err := proxyauth.ValidateSessionJWT(sessionToken, domain, pubKeyBytes)
+	userID, _, err := proxyauth.ValidateSessionJWT(sessionToken, domain, pubKeyBytes)
 	if err != nil {
 		log.WithFields(log.Fields{
 			"domain": domain,
@@ -1545,7 +1254,7 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 		}, nil
 	}
 
-	user, userGroups, err := s.usersManager.GetUserWithGroups(ctx, userID)
+	user, err := s.usersManager.GetUser(ctx, userID)
 	if err != nil {
 		log.WithFields(log.Fields{
 			"domain":  domain,
@@ -1579,15 +1288,12 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 			"user_id": userID,
 			"error":   err.Error(),
 		}).Debug("ValidateSession: access denied")
-		groupIDs, groupNames := pairGroupIDsAndNames(userGroups)
 		//nolint:nilerr
 		return &proto.ValidateSessionResponse{
-			Valid:          false,
-			UserId:         user.Id,
-			UserEmail:      user.Email,
-			DeniedReason:   "not_in_group",
-			PeerGroupIds:   groupIDs,
-			PeerGroupNames: groupNames,
+			Valid:        false,
+			UserId:       user.Id,
+			UserEmail:    user.Email,
+			DeniedReason: "not_in_group",
 		}, nil
 	}
 
@@ -1597,13 +1303,10 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 		"email":   user.Email,
 	}).Debug("ValidateSession: access granted")
 
-	groupIDs, groupNames := pairGroupIDsAndNames(userGroups)
 	return &proto.ValidateSessionResponse{
-		Valid:          true,
-		UserId:         user.Id,
-		UserEmail:      user.Email,
-		PeerGroupIds:   groupIDs,
-		PeerGroupNames: groupNames,
+		Valid:     true,
+		UserId:    user.Id,
+		UserEmail: user.Email,
 	}, nil
 }
 
@@ -1636,154 +1339,3 @@ func (s *ProxyServiceServer) checkGroupAccess(service *rpservice.Service, user *
 }
 
 func ptr[T any](v T) *T { return &v }
-
-// ValidateTunnelPeer resolves an inbound peer by its WireGuard tunnel IP and
-// checks the peer's group membership against the service's access groups.
-// Peers without a user (machine agents, automation workloads) are first-class
-// callers; authorisation runs off peer-group memberships rather than the
-// optional owning user's auto-groups. On success a session JWT is minted so
-// the proxy can install a cookie and skip subsequent management round-trips.
-func (s *ProxyServiceServer) ValidateTunnelPeer(ctx context.Context, req *proto.ValidateTunnelPeerRequest) (*proto.ValidateTunnelPeerResponse, error) {
-	domain := req.GetDomain()
-	tunnelIPStr := req.GetTunnelIp()
-
-	if domain == "" || tunnelIPStr == "" {
-		return &proto.ValidateTunnelPeerResponse{
-			Valid:        false,
-			DeniedReason: "missing domain or tunnel_ip",
-		}, nil
-	}
-
-	tunnelIP := net.ParseIP(tunnelIPStr)
-	if tunnelIP == nil {
-		return &proto.ValidateTunnelPeerResponse{
-			Valid:        false,
-			DeniedReason: "invalid_tunnel_ip",
-		}, nil
-	}
-
-	service, err := s.getServiceByDomain(ctx, domain)
-	if err != nil {
-		log.WithFields(log.Fields{"domain": domain, "error": err.Error()}).Debug("ValidateTunnelPeer: service not found")
-		//nolint:nilerr
-		return &proto.ValidateTunnelPeerResponse{
-			Valid:        false,
-			DeniedReason: "service_not_found",
-		}, nil
-	}
-
-	// Mirror ValidateSession: account-scoped (BYOP) proxy tokens may only
-	// validate and mint session cookies for their own account's domains.
-	if err := enforceAccountScope(ctx, service.AccountID); err != nil {
-		return nil, err
-	}
-
-	peer, err := s.peersManager.GetPeerByTunnelIP(ctx, service.AccountID, tunnelIP)
-	if err != nil || peer == nil {
-		log.WithFields(log.Fields{"domain": domain, "tunnel_ip": tunnelIPStr}).Debug("ValidateTunnelPeer: peer not found")
-		//nolint:nilerr
-		return &proto.ValidateTunnelPeerResponse{
-			Valid:        false,
-			DeniedReason: "peer_not_found",
-		}, nil
-	}
-
-	_, peerGroups, err := s.peersManager.GetPeerWithGroups(ctx, service.AccountID, peer.ID)
-	if err != nil {
-		log.WithFields(log.Fields{"domain": domain, "peer_id": peer.ID, "error": err.Error()}).Debug("ValidateTunnelPeer: peer groups lookup failed")
-		//nolint:nilerr
-		return &proto.ValidateTunnelPeerResponse{
-			Valid:        false,
-			DeniedReason: "peer_not_found",
-		}, nil
-	}
-
-	groupIDs, groupNames := pairGroupIDsAndNames(peerGroups)
-
-	// Resolve the principal: when the peer is linked to a user, the human
-	// is the principal so multiple peers owned by the same user share a
-	// single identity. Unlinked peers (machine agents) are their own
-	// principal keyed on peer.ID. displayIdentity is what upstream gateways
-	// tag spend with — user.Email when linked, peer.Name when not.
-	principalID := peer.ID
-	displayIdentity := peer.Name
-	if peer.UserID != "" {
-		if user, uerr := s.usersManager.GetUser(ctx, peer.UserID); uerr == nil && user != nil {
-			principalID = user.Id
-			if user.Email != "" {
-				displayIdentity = user.Email
-			}
-		}
-	}
-
-	if err := checkPeerGroupAccess(service, groupIDs); err != nil {
-		log.WithFields(log.Fields{"domain": domain, "peer_id": peer.ID, "error": err.Error()}).Debug("ValidateTunnelPeer: access denied")
-		//nolint:nilerr
-		return &proto.ValidateTunnelPeerResponse{
-			Valid:          false,
-			UserId:         principalID,
-			UserEmail:      displayIdentity,
-			DeniedReason:   "not_in_group",
-			PeerGroupIds:   groupIDs,
-			PeerGroupNames: groupNames,
-		}, nil
-	}
-
-	token, err := s.generateSessionToken(ctx, true, service, principalID, displayIdentity, proxyauth.MethodOIDC, groupIDs, groupNames)
-	if err != nil {
-		return nil, err
-	}
-
-	log.WithFields(log.Fields{
-		"domain":       domain,
-		"tunnel_ip":    tunnelIPStr,
-		"peer_id":      peer.ID,
-		"principal_id": principalID,
-	}).Debug("ValidateTunnelPeer: access granted")
-
-	return &proto.ValidateTunnelPeerResponse{
-		Valid:          true,
-		UserId:         principalID,
-		UserEmail:      displayIdentity,
-		SessionToken:   token,
-		PeerGroupIds:   groupIDs,
-		PeerGroupNames: groupNames,
-	}, nil
-}
-
-// checkPeerGroupAccess gates ValidateTunnelPeer by the service's required
-// groups. Private services authorise against AccessGroups (empty list fails
-// closed — Validate() rejects that at save time but the RPC is the security
-// boundary and must not trust upstream state). Bearer-auth services authorise
-// against DistributionGroups when populated. Non-private non-bearer services
-// are open.
-func checkPeerGroupAccess(service *rpservice.Service, peerGroupIDs []string) error {
-	if service.Private {
-		if len(service.AccessGroups) == 0 {
-			return fmt.Errorf("private service has no access groups")
-		}
-		return matchAnyGroup(service.AccessGroups, peerGroupIDs)
-	}
-	if service.Auth.BearerAuth != nil && service.Auth.BearerAuth.Enabled && len(service.Auth.BearerAuth.DistributionGroups) > 0 {
-		return matchAnyGroup(service.Auth.BearerAuth.DistributionGroups, peerGroupIDs)
-	}
-	return nil
-}
-
-// matchAnyGroup returns nil when peerGroupIDs intersects allowedGroups,
-// else a non-nil error.
-func matchAnyGroup(allowedGroups, peerGroupIDs []string) error {
-	if len(allowedGroups) == 0 {
-		return fmt.Errorf("no allowed groups configured")
-	}
-	allowed := make(map[string]struct{}, len(allowedGroups))
-	for _, g := range allowedGroups {
-		allowed[g] = struct{}{}
-	}
-	for _, g := range peerGroupIDs {
-		if _, ok := allowed[g]; ok {
-			return nil
-		}
-	}
-	return fmt.Errorf("peer not in allowed groups")
-}

management/internals/shared/grpc/proxy_group_access_test.go

@@ -109,7 +109,7 @@ func (m *mockReverseProxyManager) GetServiceByDomain(_ context.Context, domain s
 	return nil, errors.New("service not found for domain: " + domain)
 }
 
-func (m *mockReverseProxyManager) GetClusters(_ context.Context, _, _ string) ([]proxy.Cluster, error) {
+func (m *mockReverseProxyManager) GetActiveClusters(_ context.Context, _, _ string) ([]proxy.Cluster, error) {
 	return nil, nil
 }
 
@@ -129,14 +129,6 @@ func (m *mockUsersManager) GetUser(ctx context.Context, userID string) (*types.U
 	return user, nil
 }
 
-func (m *mockUsersManager) GetUserWithGroups(ctx context.Context, userID string) (*types.User, []*types.Group, error) {
-	user, err := m.GetUser(ctx, userID)
-	if err != nil {
-		return nil, nil, err
-	}
-	return user, nil, nil
-}
-
 func TestValidateUserGroupAccess(t *testing.T) {
 	tests := []struct {
 		name             string
@@ -428,46 +420,3 @@ func TestGetAccountProxyByDomain(t *testing.T) {
 		})
 	}
 }
-
-func TestCheckPeerGroupAccess(t *testing.T) {
-	t.Run("private with empty AccessGroups denies", func(t *testing.T) {
-		svc := &service.Service{Private: true, AccessGroups: nil}
-		err := checkPeerGroupAccess(svc, []string{"grp-admins"})
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "no access groups")
-	})
-
-	t.Run("private with peer in AccessGroups allows", func(t *testing.T) {
-		svc := &service.Service{Private: true, AccessGroups: []string{"grp-admins", "grp-ops"}}
-		assert.NoError(t, checkPeerGroupAccess(svc, []string{"grp-other", "grp-ops"}))
-	})
-
-	t.Run("private with peer outside AccessGroups denies", func(t *testing.T) {
-		svc := &service.Service{Private: true, AccessGroups: []string{"grp-admins"}}
-		assert.Error(t, checkPeerGroupAccess(svc, []string{"grp-other"}))
-	})
-
-	t.Run("bearer enabled with empty DistributionGroups allows", func(t *testing.T) {
-		svc := &service.Service{
-			Auth: service.AuthConfig{BearerAuth: &service.BearerAuthConfig{Enabled: true}},
-		}
-		assert.NoError(t, checkPeerGroupAccess(svc, []string{"grp-anyone"}))
-	})
-
-	t.Run("bearer enabled gates on DistributionGroups", func(t *testing.T) {
-		svc := &service.Service{
-			Auth: service.AuthConfig{
-				BearerAuth: &service.BearerAuthConfig{
-					Enabled:            true,
-					DistributionGroups: []string{"grp-allowed"},
-				},
-			},
-		}
-		assert.NoError(t, checkPeerGroupAccess(svc, []string{"grp-allowed"}))
-		assert.Error(t, checkPeerGroupAccess(svc, []string{"grp-other"}))
-	})
-
-	t.Run("non-private non-bearer is open", func(t *testing.T) {
-		assert.NoError(t, checkPeerGroupAccess(&service.Service{}, nil))
-	})
-}

management/internals/shared/grpc/proxy_snapshot_test.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"testing"
-	"time"
 
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
@@ -173,55 +172,3 @@ func TestSendSnapshot_EmptySnapshot(t *testing.T) {
 	assert.Empty(t, stream.messages[0].Mapping)
 	assert.True(t, stream.messages[0].InitialSyncComplete)
 }
-
-type hookingStream struct {
-	grpc.ServerStream
-	onSend func(*proto.GetMappingUpdateResponse)
-}
-
-func (s *hookingStream) Send(m *proto.GetMappingUpdateResponse) error {
-	if s.onSend != nil {
-		s.onSend(m)
-	}
-	return nil
-}
-
-func (s *hookingStream) Context() context.Context     { return context.Background() }
-func (s *hookingStream) SetHeader(metadata.MD) error  { return nil }
-func (s *hookingStream) SendHeader(metadata.MD) error { return nil }
-func (s *hookingStream) SetTrailer(metadata.MD)       {}
-func (s *hookingStream) SendMsg(any) error            { return nil }
-func (s *hookingStream) RecvMsg(any) error            { return nil }
-
-func TestSendSnapshot_TokensRemainValidUnderSlowSend(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 2
-	const totalServices = 6
-	const ttl = 100 * time.Millisecond
-	const sendDelay = 200 * time.Millisecond
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-	s.tokenTTL = ttl
-
-	var validateErrs []error
-	stream := &hookingStream{
-		onSend: func(resp *proto.GetMappingUpdateResponse) {
-			for _, m := range resp.Mapping {
-				if err := s.tokenStore.ValidateAndConsume(m.AuthToken, m.AccountId, m.Id); err != nil {
-					validateErrs = append(validateErrs, fmt.Errorf("svc %s: %w", m.Id, err))
-				}
-			}
-			time.Sleep(sendDelay)
-		},
-	}
-	conn := &proxyConnection{proxyID: "proxy-a", address: cluster, stream: stream}
-
-	require.NoError(t, s.sendSnapshot(context.Background(), conn))
-	require.Empty(t, validateErrs,
-		"tokens must remain valid even when batches are sent slowly: lazy per-batch generation guarantees freshness")
-}

management/internals/shared/grpc/server.go

@@ -522,11 +522,10 @@ func (s *Server) sendJob(ctx context.Context, peerKey wgtypes.Key, job *job.Even
 }
 
 func (s *Server) cancelPeerRoutines(ctx context.Context, accountID string, peer *nbpeer.Peer, streamStartTime time.Time) {
-	uncanceledCTX := context.WithoutCancel(ctx)
-	unlock := s.acquirePeerLockByUID(uncanceledCTX, peer.Key)
+	unlock := s.acquirePeerLockByUID(ctx, peer.Key)
 	defer unlock()
 
-	s.cancelPeerRoutinesWithoutLock(uncanceledCTX, accountID, peer, streamStartTime)
+	s.cancelPeerRoutinesWithoutLock(ctx, accountID, peer, streamStartTime)
 }
 
 func (s *Server) cancelPeerRoutinesWithoutLock(ctx context.Context, accountID string, peer *nbpeer.Peer, streamStartTime time.Time) {

management/internals/shared/grpc/sync_mappings_test.go

@@ -1,411 +0,0 @@
-package grpc
-
-import (
-	"context"
-	"fmt"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/metadata"
-
-	rpservice "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// syncRecordingStream is a mock ProxyService_SyncMappingsServer that records
-// sent messages and returns pre-loaded ack responses from Recv.
-type syncRecordingStream struct {
-	grpc.ServerStream
-
-	mu       sync.Mutex
-	sent     []*proto.SyncMappingsResponse
-	recvMsgs []*proto.SyncMappingsRequest
-	recvIdx  int
-}
-
-func (s *syncRecordingStream) Send(m *proto.SyncMappingsResponse) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	s.sent = append(s.sent, m)
-	return nil
-}
-
-func (s *syncRecordingStream) Recv() (*proto.SyncMappingsRequest, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if s.recvIdx >= len(s.recvMsgs) {
-		return nil, fmt.Errorf("no more recv messages")
-	}
-	msg := s.recvMsgs[s.recvIdx]
-	s.recvIdx++
-	return msg, nil
-}
-
-func (s *syncRecordingStream) Context() context.Context     { return context.Background() }
-func (s *syncRecordingStream) SetHeader(metadata.MD) error  { return nil }
-func (s *syncRecordingStream) SendHeader(metadata.MD) error { return nil }
-func (s *syncRecordingStream) SetTrailer(metadata.MD)       {}
-func (s *syncRecordingStream) SendMsg(any) error            { return nil }
-func (s *syncRecordingStream) RecvMsg(any) error            { return nil }
-
-func ackMsg() *proto.SyncMappingsRequest {
-	return &proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-	}
-}
-
-func TestSendSnapshotSync_BatchesWithAcks(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 3
-	const totalServices = 7 // 3 + 3 + 1 → 3 batches, 3 acks (one per batch, including final)
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	stream := &syncRecordingStream{
-		recvMsgs: []*proto.SyncMappingsRequest{ackMsg(), ackMsg(), ackMsg()},
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-
-	require.Len(t, stream.sent, 3, "should send ceil(7/3) = 3 batches")
-
-	assert.Len(t, stream.sent[0].Mapping, 3)
-	assert.False(t, stream.sent[0].InitialSyncComplete)
-
-	assert.Len(t, stream.sent[1].Mapping, 3)
-	assert.False(t, stream.sent[1].InitialSyncComplete)
-
-	assert.Len(t, stream.sent[2].Mapping, 1)
-	assert.True(t, stream.sent[2].InitialSyncComplete)
-
-	// All 3 acks consumed — including the final batch.
-	assert.Equal(t, 3, stream.recvIdx)
-}
-
-func TestSendSnapshotSync_SingleBatchWaitsForAck(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 100
-	const totalServices = 5
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	stream := &syncRecordingStream{
-		recvMsgs: []*proto.SyncMappingsRequest{ackMsg()},
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-
-	require.Len(t, stream.sent, 1)
-	assert.Len(t, stream.sent[0].Mapping, totalServices)
-	assert.True(t, stream.sent[0].InitialSyncComplete)
-	assert.Equal(t, 1, stream.recvIdx, "final batch ack must be consumed")
-}
-
-func TestSendSnapshotSync_EmptySnapshot(t *testing.T) {
-	const cluster = "cluster.example.com"
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(nil, nil)
-
-	s := newSnapshotTestServer(t, 500)
-	s.serviceManager = mgr
-
-	stream := &syncRecordingStream{
-		recvMsgs: []*proto.SyncMappingsRequest{ackMsg()},
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-
-	require.Len(t, stream.sent, 1, "empty snapshot must still send sync-complete")
-	assert.Empty(t, stream.sent[0].Mapping)
-	assert.True(t, stream.sent[0].InitialSyncComplete)
-	assert.Equal(t, 1, stream.recvIdx, "empty snapshot ack must be consumed")
-}
-
-func TestSendSnapshotSync_MissingAckReturnsError(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 2
-	const totalServices = 4 // 2 batches → 1 ack needed, but we provide none
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	// No acks available — Recv will return error.
-	stream := &syncRecordingStream{}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "receive ack")
-	// First batch should have been sent before the error.
-	require.Len(t, stream.sent, 1)
-}
-
-func TestSendSnapshotSync_WrongMessageInsteadOfAck(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 2
-	const totalServices = 4
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	// Send an init message instead of an ack.
-	stream := &syncRecordingStream{
-		recvMsgs: []*proto.SyncMappingsRequest{
-			{Msg: &proto.SyncMappingsRequest_Init{Init: &proto.SyncMappingsInit{ProxyId: "bad"}}},
-		},
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "expected ack")
-}
-
-func TestSendSnapshotSync_BackPressureOrdering(t *testing.T) {
-	// Verify batches are sent strictly sequentially — batch N+1 is not sent
-	// until the ack for batch N is received, including the final batch.
-	const cluster = "cluster.example.com"
-	const batchSize = 2
-	const totalServices = 6 // 3 batches, 3 acks
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	var mu sync.Mutex
-	var events []string
-
-	// Build a stream that logs send/recv events so we can verify ordering.
-	ackCh := make(chan struct{}, 3)
-	stream := &orderTrackingStream{
-		mu:     &mu,
-		events: &events,
-		ackCh:  ackCh,
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	// Feed acks asynchronously after a short delay to simulate real proxy.
-	go func() {
-		for range 3 {
-			time.Sleep(10 * time.Millisecond)
-			ackCh <- struct{}{}
-		}
-	}()
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-
-	mu.Lock()
-	defer mu.Unlock()
-
-	// Expected: send, recv-ack, send, recv-ack, send, recv-ack.
-	require.Len(t, events, 6)
-	assert.Equal(t, "send", events[0])
-	assert.Equal(t, "recv", events[1])
-	assert.Equal(t, "send", events[2])
-	assert.Equal(t, "recv", events[3])
-	assert.Equal(t, "send", events[4])
-	assert.Equal(t, "recv", events[5])
-}
-
-// orderTrackingStream logs "send" and "recv" events and blocks Recv until
-// an ack is signaled via ackCh.
-type orderTrackingStream struct {
-	grpc.ServerStream
-	mu     *sync.Mutex
-	events *[]string
-	ackCh  chan struct{}
-}
-
-func (s *orderTrackingStream) Send(_ *proto.SyncMappingsResponse) error {
-	s.mu.Lock()
-	*s.events = append(*s.events, "send")
-	s.mu.Unlock()
-	return nil
-}
-
-func (s *orderTrackingStream) Recv() (*proto.SyncMappingsRequest, error) {
-	<-s.ackCh
-	s.mu.Lock()
-	*s.events = append(*s.events, "recv")
-	s.mu.Unlock()
-	return ackMsg(), nil
-}
-
-func (s *orderTrackingStream) Context() context.Context     { return context.Background() }
-func (s *orderTrackingStream) SetHeader(metadata.MD) error  { return nil }
-func (s *orderTrackingStream) SendHeader(metadata.MD) error { return nil }
-func (s *orderTrackingStream) SetTrailer(metadata.MD)       {}
-func (s *orderTrackingStream) SendMsg(any) error            { return nil }
-func (s *orderTrackingStream) RecvMsg(any) error            { return nil }
-
-func TestSendSnapshotSync_TokensGeneratedPerBatch(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 2
-	const totalServices = 4
-	const ttl = 100 * time.Millisecond
-	const ackDelay = 200 * time.Millisecond
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-	s.tokenTTL = ttl
-
-	// Build a stream that validates tokens immediately on Send, then
-	// delays the ack to ensure the next batch's tokens are generated fresh.
-	var validateErrs []error
-	ackCh := make(chan struct{}, 2)
-	stream := &tokenValidatingSyncStream{
-		tokenStore:   s.tokenStore,
-		validateErrs: &validateErrs,
-		ackCh:        ackCh,
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	go func() {
-		// Delay first ack so that if tokens were all generated upfront they'd expire.
-		time.Sleep(ackDelay)
-		ackCh <- struct{}{}
-		// Final batch ack — immediate.
-		ackCh <- struct{}{}
-	}()
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-	require.Empty(t, validateErrs,
-		"tokens must remain valid: per-batch generation guarantees freshness")
-}
-
-type tokenValidatingSyncStream struct {
-	grpc.ServerStream
-	tokenStore   *OneTimeTokenStore
-	validateErrs *[]error
-	ackCh        chan struct{}
-}
-
-func (s *tokenValidatingSyncStream) Send(m *proto.SyncMappingsResponse) error {
-	for _, mapping := range m.Mapping {
-		if err := s.tokenStore.ValidateAndConsume(mapping.AuthToken, mapping.AccountId, mapping.Id); err != nil {
-			*s.validateErrs = append(*s.validateErrs, fmt.Errorf("svc %s: %w", mapping.Id, err))
-		}
-	}
-	return nil
-}
-
-func (s *tokenValidatingSyncStream) Recv() (*proto.SyncMappingsRequest, error) {
-	<-s.ackCh
-	return ackMsg(), nil
-}
-
-func (s *tokenValidatingSyncStream) Context() context.Context     { return context.Background() }
-func (s *tokenValidatingSyncStream) SetHeader(metadata.MD) error  { return nil }
-func (s *tokenValidatingSyncStream) SendHeader(metadata.MD) error { return nil }
-func (s *tokenValidatingSyncStream) SetTrailer(metadata.MD)       {}
-func (s *tokenValidatingSyncStream) SendMsg(any) error            { return nil }
-func (s *tokenValidatingSyncStream) RecvMsg(any) error            { return nil }
-
-func TestConnectionSendResponse_RoutesToSyncStream(t *testing.T) {
-	stream := &syncRecordingStream{}
-	conn := &proxyConnection{
-		syncStream: stream,
-	}
-
-	resp := &proto.GetMappingUpdateResponse{
-		Mapping: []*proto.ProxyMapping{
-			{Id: "svc-1", AccountId: "acct-1", Domain: "example.com"},
-		},
-		InitialSyncComplete: true,
-	}
-
-	err := conn.sendResponse(resp)
-	require.NoError(t, err)
-
-	require.Len(t, stream.sent, 1)
-	assert.Len(t, stream.sent[0].Mapping, 1)
-	assert.Equal(t, "svc-1", stream.sent[0].Mapping[0].Id)
-	assert.True(t, stream.sent[0].InitialSyncComplete)
-}
-
-func TestConnectionSendResponse_RoutesToLegacyStream(t *testing.T) {
-	stream := &recordingStream{}
-	conn := &proxyConnection{
-		stream: stream,
-	}
-
-	resp := &proto.GetMappingUpdateResponse{
-		Mapping: []*proto.ProxyMapping{
-			{Id: "svc-2", AccountId: "acct-2"},
-		},
-	}
-
-	err := conn.sendResponse(resp)
-	require.NoError(t, err)
-
-	require.Len(t, stream.messages, 1)
-	assert.Equal(t, "svc-2", stream.messages[0].Mapping[0].Id)
-}

management/internals/shared/grpc/validate_session_test.go

@@ -102,7 +102,7 @@ func generateSessionKeyPair(t *testing.T) (string, string) {
 
 func createSessionToken(t *testing.T, privKeyB64, userID, domain string) string {
 	t.Helper()
-	token, err := sessionkey.SignToken(privKeyB64, userID, domain, auth.MethodOIDC, nil, time.Hour)
+	token, err := sessionkey.SignToken(privKeyB64, userID, domain, auth.MethodOIDC, time.Hour)
 	require.NoError(t, err)
 	return token
 }
@@ -125,7 +125,6 @@ func TestValidateSession_UserAllowed(t *testing.T) {
 	assert.True(t, resp.Valid, "User should be allowed access")
 	assert.Equal(t, "allowedUserId", resp.UserId)
 	assert.Empty(t, resp.DeniedReason)
-	assert.Equal(t, []string{"allowedGroupId"}, resp.GetPeerGroupIds(), "PeerGroupIds must mirror the resolved user's group memberships")
 }
 
 func TestValidateSession_UserNotInAllowedGroup(t *testing.T) {
@@ -146,7 +145,6 @@ func TestValidateSession_UserNotInAllowedGroup(t *testing.T) {
 	assert.False(t, resp.Valid, "User not in group should be denied")
 	assert.Equal(t, "not_in_group", resp.DeniedReason)
 	assert.Equal(t, "nonGroupUserId", resp.UserId)
-	assert.Empty(t, resp.GetPeerGroupIds(), "PeerGroupIds must mirror the resolved user's actual (empty) memberships on denial")
 }
 
 func TestValidateSession_UserInDifferentAccount(t *testing.T) {
@@ -324,29 +322,21 @@ func (m *testValidateSessionServiceManager) GetServiceByDomain(ctx context.Conte
 	return m.store.GetServiceByDomain(ctx, domain)
 }
 
-func (m *testValidateSessionServiceManager) GetClusters(_ context.Context, _, _ string) ([]proxy.Cluster, error) {
+func (m *testValidateSessionServiceManager) GetActiveClusters(_ context.Context, _, _ string) ([]proxy.Cluster, error) {
 	return nil, nil
 }
 
-func (m *testValidateSessionServiceManager) DeleteAccountCluster(_ context.Context, _, _, _ string) error {
-	return nil
-}
-
 type testValidateSessionProxyManager struct{}
 
-func (m *testValidateSessionProxyManager) Connect(_ context.Context, _, _, _, _ string, _ *string, _ *proxy.Capabilities) (*proxy.Proxy, error) {
-	return nil, nil
-}
-
-func (m *testValidateSessionProxyManager) Disconnect(_ context.Context, _, _ string) error {
+func (m *testValidateSessionProxyManager) Connect(_ context.Context, _, _, _ string, _ *string, _ *proxy.Capabilities) error {
 	return nil
 }
 
-func (m *testValidateSessionProxyManager) Heartbeat(_ context.Context, _ *proxy.Proxy) error {
+func (m *testValidateSessionProxyManager) Disconnect(_ context.Context, _ string) error {
 	return nil
 }
 
-func (m *testValidateSessionProxyManager) DeleteAccountCluster(_ context.Context, _, _ string) error {
+func (m *testValidateSessionProxyManager) Heartbeat(_ context.Context, _, _, _ string) error {
 	return nil
 }
 

management/server/account.go

@@ -291,15 +291,10 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	// Canonicalize the incoming range so a caller-supplied prefix with host bits
-	// (e.g. 100.64.1.1/16) compares equal to the masked form stored on network.Net.
-	newSettings.NetworkRange = newSettings.NetworkRange.Masked()
-
 	var oldSettings *types.Settings
 	var updateAccountPeers bool
 	var groupChangesAffectPeers bool
 	var reloadReverseProxy bool
-	var effectiveOldNetworkRange netip.Prefix
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		var groupsUpdated bool
@@ -313,16 +308,6 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 			return err
 		}
 
-		// No lock: the transaction already holds Settings(Update), and network.Net is
-		// only mutated by reallocateAccountPeerIPs, which is reachable only through
-		// this same code path. A Share lock here would extend an unnecessary row lock
-		// and complicate ordering against updatePeerIPv6InTransaction.
-		network, err := transaction.GetAccountNetwork(ctx, store.LockingStrengthNone, accountID)
-		if err != nil {
-			return fmt.Errorf("get account network: %w", err)
-		}
-		effectiveOldNetworkRange = prefixFromIPNet(network.Net)
-
 		if oldSettings.Extra != nil && newSettings.Extra != nil &&
 			oldSettings.Extra.PeerApprovalEnabled && !newSettings.Extra.PeerApprovalEnabled {
 			approvedCount, err := transaction.ApproveAccountPeers(ctx, accountID)
@@ -336,7 +321,7 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 			}
 		}
 
-		if newSettings.NetworkRange.IsValid() && newSettings.NetworkRange != effectiveOldNetworkRange {
+		if oldSettings.NetworkRange != newSettings.NetworkRange {
 			if err = am.reallocateAccountPeerIPs(ctx, transaction, accountID, newSettings.NetworkRange); err != nil {
 				return err
 			}
@@ -411,9 +396,9 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 		}
 		am.StoreEvent(ctx, userID, accountID, accountID, activity.AccountDNSDomainUpdated, eventMeta)
 	}
-	if newSettings.NetworkRange.IsValid() && newSettings.NetworkRange != effectiveOldNetworkRange {
+	if oldSettings.NetworkRange != newSettings.NetworkRange {
 		eventMeta := map[string]any{
-			"old_network_range": effectiveOldNetworkRange.String(),
+			"old_network_range": oldSettings.NetworkRange.String(),
 			"new_network_range": newSettings.NetworkRange.String(),
 		}
 		am.StoreEvent(ctx, userID, accountID, accountID, activity.AccountNetworkRangeUpdated, eventMeta)
@@ -458,22 +443,6 @@ func ipv6SettingsChanged(old, updated *types.Settings) bool {
 	return !slices.Equal(oldGroups, newGroups)
 }
 
-// prefixFromIPNet returns the overlay prefix actually allocated on the account
-// network, or an invalid prefix if none is set. Settings.NetworkRange is a
-// user-facing override that is empty on legacy accounts, so the effective
-// range must be read from network.Net to compare against an incoming update.
-func prefixFromIPNet(ipNet net.IPNet) netip.Prefix {
-	if ipNet.IP == nil {
-		return netip.Prefix{}
-	}
-	addr, ok := netip.AddrFromSlice(ipNet.IP)
-	if !ok {
-		return netip.Prefix{}
-	}
-	ones, _ := ipNet.Mask.Size()
-	return netip.PrefixFrom(addr.Unmap(), ones)
-}
-
 func (am *DefaultAccountManager) validateSettingsUpdate(ctx context.Context, transaction store.Store, newSettings, oldSettings *types.Settings, userID, accountID string) error {
 	halfYearLimit := 180 * 24 * time.Hour
 	if newSettings.PeerLoginExpiration > halfYearLimit {
@@ -1868,32 +1837,35 @@ func domainIsUpToDate(domain string, domainCategory string, userAuth auth.UserAu
 	return domainCategory == types.PrivateCategory || userAuth.DomainCategory != types.PrivateCategory || domain != userAuth.Domain
 }
 
-// SyncAndMarkPeer is the per-Sync entry point: it refreshes the peer's
-// network map and then marks the peer connected with a session token
-// derived from syncTime (the moment the gRPC stream opened). Any
-// concurrent stream that started earlier loses the optimistic-lock race
-// in MarkPeerConnected and bails without writing.
 func (am *DefaultAccountManager) SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP, syncTime time.Time) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
 	peer, netMap, postureChecks, dnsfwdPort, err := am.SyncPeer(ctx, types.PeerSync{WireGuardPubKey: peerPubKey, Meta: meta}, accountID)
 	if err != nil {
 		return nil, nil, nil, 0, fmt.Errorf("error syncing peer: %w", err)
 	}
 
-	if err := am.MarkPeerConnected(ctx, peerPubKey, realIP, accountID, syncTime.UnixNano()); err != nil {
+	err = am.MarkPeerConnected(ctx, peerPubKey, true, realIP, accountID, syncTime)
+	if err != nil {
 		log.WithContext(ctx).Warnf("failed marking peer as connected %s %v", peerPubKey, err)
 	}
 
 	return peer, netMap, postureChecks, dnsfwdPort, nil
 }
 
-// OnPeerDisconnected is invoked when a sync stream ends. It marks the
-// peer disconnected only when the stored SessionStartedAt matches the
-// nanosecond token derived from streamStartTime — i.e. only when this
-// is the stream that currently owns the peer's session. A mismatch
-// means a newer stream has already replaced us, so the disconnect is
-// dropped.
 func (am *DefaultAccountManager) OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string, streamStartTime time.Time) error {
-	if err := am.MarkPeerDisconnected(ctx, peerPubKey, accountID, streamStartTime.UnixNano()); err != nil {
+	peer, err := am.Store.GetPeerByPeerPubKey(ctx, store.LockingStrengthNone, peerPubKey)
+	if err != nil {
+		log.WithContext(ctx).Warnf("failed to get peer %s for disconnect check: %v", peerPubKey, err)
+		return nil
+	}
+
+	if peer.Status.LastSeen.After(streamStartTime) {
+		log.WithContext(ctx).Tracef("peer %s has newer activity (lastSeen=%s > streamStart=%s), skipping disconnect",
+			peerPubKey, peer.Status.LastSeen.Format(time.RFC3339), streamStartTime.Format(time.RFC3339))
+		return nil
+	}
+
+	err = am.MarkPeerConnected(ctx, peerPubKey, false, nil, accountID, time.Now().UTC())
+	if err != nil {
 		log.WithContext(ctx).Warnf("failed marking peer as disconnected %s %v", peerPubKey, err)
 	}
 	return nil
@@ -2515,18 +2487,6 @@ func (am *DefaultAccountManager) buildIPv6AllowedPeers(ctx context.Context, tran
 			allowedPeers[peerID] = struct{}{}
 		}
 	}
-
-	// Embedded proxy peers sit outside regular group membership but must
-	// participate in any v6-enabled overlay to reach v6-only peers.
-	peers, err := transaction.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, "", "")
-	if err != nil {
-		return nil, fmt.Errorf("get peers: %w", err)
-	}
-	for _, p := range peers {
-		if p.ProxyMeta.Embedded {
-			allowedPeers[p.ID] = struct{}{}
-		}
-	}
 	return allowedPeers, nil
 }
 

management/server/account/manager.go

@@ -61,8 +61,7 @@ type Manager interface {
 	GetUserFromUserAuth(ctx context.Context, userAuth auth.UserAuth) (*types.User, error)
 	ListUsers(ctx context.Context, accountID string) ([]*types.User, error)
 	GetPeers(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error)
-	MarkPeerConnected(ctx context.Context, peerKey string, realIP net.IP, accountID string, sessionStartedAt int64) error
-	MarkPeerDisconnected(ctx context.Context, peerKey string, accountID string, sessionStartedAt int64) error
+	MarkPeerConnected(ctx context.Context, peerKey string, connected bool, realIP net.IP, accountID string, syncTime time.Time) error
 	DeletePeer(ctx context.Context, accountID, peerID, userID string) error
 	UpdatePeer(ctx context.Context, accountID, userID string, p *nbpeer.Peer) (*nbpeer.Peer, error)
 	UpdatePeerIP(ctx context.Context, accountID, userID, peerID string, newIP netip.Addr) error

management/server/account/manager_mock.go

@@ -1305,31 +1305,17 @@ func (mr *MockManagerMockRecorder) LoginPeer(ctx, login interface{}) *gomock.Cal
 }
 
 // MarkPeerConnected mocks base method.
-func (m *MockManager) MarkPeerConnected(ctx context.Context, peerKey string, realIP net.IP, accountID string, sessionStartedAt int64) error {
+func (m *MockManager) MarkPeerConnected(ctx context.Context, peerKey string, connected bool, realIP net.IP, accountID string, syncTime time.Time) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "MarkPeerConnected", ctx, peerKey, realIP, accountID, sessionStartedAt)
+	ret := m.ctrl.Call(m, "MarkPeerConnected", ctx, peerKey, connected, realIP, accountID, syncTime)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
 
 // MarkPeerConnected indicates an expected call of MarkPeerConnected.
-func (mr *MockManagerMockRecorder) MarkPeerConnected(ctx, peerKey, realIP, accountID, sessionStartedAt interface{}) *gomock.Call {
+func (mr *MockManagerMockRecorder) MarkPeerConnected(ctx, peerKey, connected, realIP, accountID, syncTime interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MarkPeerConnected", reflect.TypeOf((*MockManager)(nil).MarkPeerConnected), ctx, peerKey, realIP, accountID, sessionStartedAt)
-}
-
-// MarkPeerDisconnected mocks base method.
-func (m *MockManager) MarkPeerDisconnected(ctx context.Context, peerKey string, accountID string, sessionStartedAt int64) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "MarkPeerDisconnected", ctx, peerKey, accountID, sessionStartedAt)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// MarkPeerDisconnected indicates an expected call of MarkPeerDisconnected.
-func (mr *MockManagerMockRecorder) MarkPeerDisconnected(ctx, peerKey, accountID, sessionStartedAt interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MarkPeerDisconnected", reflect.TypeOf((*MockManager)(nil).MarkPeerDisconnected), ctx, peerKey, accountID, sessionStartedAt)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MarkPeerConnected", reflect.TypeOf((*MockManager)(nil).MarkPeerConnected), ctx, peerKey, connected, realIP, accountID, syncTime)
 }
 
 // OnPeerDisconnected mocks base method.

management/server/account_test.go

@@ -1813,7 +1813,7 @@ func TestDefaultAccountManager_UpdatePeer_PeerLoginExpiration(t *testing.T) {
 	accountID, err := manager.GetAccountIDByUserID(context.Background(), auth.UserAuth{UserId: userID})
 	require.NoError(t, err, "unable to get the account")
 
-	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), nil, accountID, time.Now().UTC().UnixNano())
+	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID, time.Now().UTC())
 	require.NoError(t, err, "unable to mark peer connected")
 
 	_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &types.Settings{
@@ -1884,7 +1884,7 @@ func TestDefaultAccountManager_MarkPeerConnected_PeerLoginExpiration(t *testing.
 	require.NoError(t, err, "unable to get the account")
 
 	// when we mark peer as connected, the peer login expiration routine should trigger
-	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), nil, accountID, time.Now().UTC().UnixNano())
+	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID, time.Now().UTC())
 	require.NoError(t, err, "unable to mark peer connected")
 
 	failed := waitTimeout(wg, time.Second)
@@ -1910,16 +1910,15 @@ func TestDefaultAccountManager_OnPeerDisconnected_LastSeenCheck(t *testing.T) {
 	}, false)
 	require.NoError(t, err, "unable to add peer")
 
-	t.Run("disconnect peer when session token matches", func(t *testing.T) {
-		streamStartTime := time.Now().UTC()
-		err = manager.MarkPeerConnected(context.Background(), peerPubKey, nil, accountID, streamStartTime.UnixNano())
+	t.Run("disconnect peer when streamStartTime is after LastSeen", func(t *testing.T) {
+		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, time.Now().UTC())
 		require.NoError(t, err, "unable to mark peer connected")
 
 		peer, err := manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
 		require.NoError(t, err, "unable to get peer")
 		require.True(t, peer.Status.Connected, "peer should be connected")
-		require.Equal(t, streamStartTime.UnixNano(), peer.Status.SessionStartedAt,
-			"SessionStartedAt should equal the token we passed in")
+
+		streamStartTime := time.Now().UTC()
 
 		err = manager.OnPeerDisconnected(context.Background(), accountID, peerPubKey, streamStartTime)
 		require.NoError(t, err)
@@ -1927,127 +1926,49 @@ func TestDefaultAccountManager_OnPeerDisconnected_LastSeenCheck(t *testing.T) {
 		peer, err = manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
 		require.NoError(t, err)
 		require.False(t, peer.Status.Connected, "peer should be disconnected")
-		require.Equal(t, int64(0), peer.Status.SessionStartedAt, "SessionStartedAt should be reset to 0")
 	})
 
-	t.Run("skip disconnect when stored session is newer (zombie stream protection)", func(t *testing.T) {
-		// Newer stream wins on connect (sets SessionStartedAt = now ns).
-		streamStartTime := time.Now().UTC()
-		err = manager.MarkPeerConnected(context.Background(), peerPubKey, nil, accountID, streamStartTime.UnixNano())
+	t.Run("skip disconnect when LastSeen is after streamStartTime (zombie stream protection)", func(t *testing.T) {
+		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, time.Now().UTC())
 		require.NoError(t, err, "unable to mark peer connected")
 
 		peer, err := manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
 		require.NoError(t, err)
 		require.True(t, peer.Status.Connected, "peer should be connected")
 
-		// Older stream tries to mark disconnect with its own (older) session token —
-		// fencing kicks in and the write is dropped.
-		staleStreamStartTime := streamStartTime.Add(-1 * time.Hour)
+		streamStartTime := peer.Status.LastSeen.Add(-1 * time.Hour)
 
-		err = manager.OnPeerDisconnected(context.Background(), accountID, peerPubKey, staleStreamStartTime)
+		err = manager.OnPeerDisconnected(context.Background(), accountID, peerPubKey, streamStartTime)
 		require.NoError(t, err)
 
 		peer, err = manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
 		require.NoError(t, err)
 		require.True(t, peer.Status.Connected,
-			"peer should remain connected because the stored session is newer than the disconnect token")
-		require.Equal(t, streamStartTime.UnixNano(), peer.Status.SessionStartedAt,
-			"SessionStartedAt should still hold the winning stream's token")
+			"peer should remain connected because LastSeen > streamStartTime (zombie stream protection)")
 	})
 
-	t.Run("skip stale connect when stored session is newer (blocked goroutine protection)", func(t *testing.T) {
+	t.Run("skip stale connect when peer already has newer LastSeen (blocked goroutine protection)", func(t *testing.T) {
 		node2SyncTime := time.Now().UTC()
-		err = manager.MarkPeerConnected(context.Background(), peerPubKey, nil, accountID, node2SyncTime.UnixNano())
+		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, node2SyncTime)
 		require.NoError(t, err, "node 2 should connect peer")
 
 		peer, err := manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
 		require.NoError(t, err)
 		require.True(t, peer.Status.Connected, "peer should be connected")
-		require.Equal(t, node2SyncTime.UnixNano(), peer.Status.SessionStartedAt,
-			"SessionStartedAt should equal node2SyncTime token")
+		require.Equal(t, node2SyncTime.Unix(), peer.Status.LastSeen.Unix(), "LastSeen should be node2SyncTime")
 
 		node1StaleSyncTime := node2SyncTime.Add(-1 * time.Minute)
-		err = manager.MarkPeerConnected(context.Background(), peerPubKey, nil, accountID, node1StaleSyncTime.UnixNano())
+		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, node1StaleSyncTime)
 		require.NoError(t, err, "stale connect should not return error")
 
 		peer, err = manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
 		require.NoError(t, err)
 		require.True(t, peer.Status.Connected, "peer should still be connected")
-		require.Equal(t, node2SyncTime.UnixNano(), peer.Status.SessionStartedAt,
-			"SessionStartedAt should NOT be overwritten by stale token from blocked goroutine")
+		require.Equal(t, node2SyncTime.Unix(), peer.Status.LastSeen.Unix(),
+			"LastSeen should NOT be overwritten by stale syncTime from blocked goroutine")
 	})
 }
 
-// TestDefaultAccountManager_MarkPeerConnected_ConcurrentRace exercises the
-// fencing protocol under contention: many goroutines race to mark the
-// same peer connected with distinct session tokens at the same time.
-// The contract is that the highest token always wins and is what remains
-// in the store, regardless of execution order.
-func TestDefaultAccountManager_MarkPeerConnected_ConcurrentRace(t *testing.T) {
-	manager, _, err := createManager(t)
-	require.NoError(t, err, "unable to create account manager")
-
-	accountID, err := manager.GetAccountIDByUserID(context.Background(), auth.UserAuth{UserId: userID})
-	require.NoError(t, err, "unable to get account")
-
-	key, err := wgtypes.GenerateKey()
-	require.NoError(t, err, "unable to generate WireGuard key")
-	peerPubKey := key.PublicKey().String()
-
-	_, _, _, err = manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
-		Key:  peerPubKey,
-		Meta: nbpeer.PeerSystemMeta{Hostname: "race-peer"},
-	}, false)
-	require.NoError(t, err, "unable to add peer")
-
-	const workers = 16
-	base := time.Now().UTC().UnixNano()
-	tokens := make([]int64, workers)
-	for i := range tokens {
-		// Spread tokens by 1ms so the comparison is unambiguous; the
-		// largest is index workers-1.
-		tokens[i] = base + int64(i)*int64(time.Millisecond)
-	}
-	expected := tokens[workers-1]
-
-	var ready sync.WaitGroup
-	ready.Add(workers)
-	var start sync.WaitGroup
-	start.Add(1)
-	var done sync.WaitGroup
-	done.Add(workers)
-
-	// require.* calls t.FailNow which is documented as unsafe from
-	// non-test goroutines (it calls runtime.Goexit on the wrong stack and
-	// races with the WaitGroup). Collect errors here and assert from the
-	// main goroutine after done.Wait().
-	errs := make(chan error, workers)
-
-	for i := 0; i < workers; i++ {
-		token := tokens[i]
-		go func() {
-			defer done.Done()
-			ready.Done()
-			start.Wait()
-			errs <- manager.MarkPeerConnected(context.Background(), peerPubKey, nil, accountID, token)
-		}()
-	}
-
-	ready.Wait()
-	start.Done()
-	done.Wait()
-	close(errs)
-	for err := range errs {
-		require.NoError(t, err, "MarkPeerConnected must not error under contention")
-	}
-
-	peer, err := manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
-	require.NoError(t, err)
-	require.True(t, peer.Status.Connected, "peer should be connected after the race")
-	require.Equal(t, expected, peer.Status.SessionStartedAt,
-		"the largest token must win regardless of execution order")
-}
-
 func TestDefaultAccountManager_UpdateAccountSettings_PeerLoginExpiration(t *testing.T) {
 	manager, _, err := createManager(t)
 	require.NoError(t, err, "unable to create account manager")
@@ -2070,7 +1991,7 @@ func TestDefaultAccountManager_UpdateAccountSettings_PeerLoginExpiration(t *test
 	account, err := manager.Store.GetAccount(context.Background(), accountID)
 	require.NoError(t, err, "unable to get the account")
 
-	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), nil, accountID, time.Now().UTC().UnixNano())
+	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID, time.Now().UTC())
 	require.NoError(t, err, "unable to mark peer connected")
 
 	wg := &sync.WaitGroup{}
@@ -4049,96 +3970,6 @@ func TestDefaultAccountManager_UpdateAccountSettings_NetworkRangeChange(t *testi
 	}
 }
 
-// TestDefaultAccountManager_UpdateAccountSettings_NetworkRangePreserved guards against
-// peer IP reallocation when a settings update carries the network range that is already
-// in use. Legacy accounts have Settings.NetworkRange unset in the DB while network.Net
-// holds the actual allocated overlay; the dashboard backfills the GET response from
-// network.Net and echoes the value back on PUT, so the diff must be against the
-// effective range to avoid renumbering every peer on an unrelated settings change.
-func TestDefaultAccountManager_UpdateAccountSettings_NetworkRangePreserved(t *testing.T) {
-	manager, _, account, peer1, peer2, peer3 := setupNetworkMapTest(t)
-	ctx := context.Background()
-
-	settings, err := manager.Store.GetAccountSettings(ctx, store.LockingStrengthNone, account.Id)
-	require.NoError(t, err)
-	require.False(t, settings.NetworkRange.IsValid(), "precondition: new accounts leave Settings.NetworkRange unset")
-
-	network, err := manager.Store.GetAccountNetwork(ctx, store.LockingStrengthNone, account.Id)
-	require.NoError(t, err)
-	require.NotNil(t, network.Net.IP, "precondition: network.Net should be allocated")
-	addr, ok := netip.AddrFromSlice(network.Net.IP)
-	require.True(t, ok)
-	ones, _ := network.Net.Mask.Size()
-	effective := netip.PrefixFrom(addr.Unmap(), ones)
-	require.True(t, effective.IsValid())
-
-	before := map[string]netip.Addr{peer1.ID: peer1.IP, peer2.ID: peer2.IP, peer3.ID: peer3.IP}
-
-	// Round-trip the effective range as if the dashboard echoed back the GET-backfilled value.
-	_, err = manager.UpdateAccountSettings(ctx, account.Id, userID, &types.Settings{
-		PeerLoginExpirationEnabled: true,
-		PeerLoginExpiration:        types.DefaultPeerLoginExpiration,
-		NetworkRange:               effective,
-		Extra:                      &types.ExtraSettings{},
-	})
-	require.NoError(t, err)
-
-	peers, err := manager.Store.GetAccountPeers(ctx, store.LockingStrengthNone, account.Id, "", "")
-	require.NoError(t, err)
-	require.Len(t, peers, len(before))
-	for _, p := range peers {
-		assert.Equal(t, before[p.ID], p.IP, "peer %s IP should not change when range matches effective", p.ID)
-	}
-
-	// Carrying the same range with host bits set must also be a no-op once canonicalized.
-	hostBitsForm := netip.PrefixFrom(peer1.IP, ones)
-	require.NotEqual(t, effective, hostBitsForm, "precondition: host-bit form should differ before masking")
-	_, err = manager.UpdateAccountSettings(ctx, account.Id, userID, &types.Settings{
-		PeerLoginExpirationEnabled: true,
-		PeerLoginExpiration:        types.DefaultPeerLoginExpiration,
-		NetworkRange:               hostBitsForm,
-		Extra:                      &types.ExtraSettings{},
-	})
-	require.NoError(t, err)
-
-	peers, err = manager.Store.GetAccountPeers(ctx, store.LockingStrengthNone, account.Id, "", "")
-	require.NoError(t, err)
-	for _, p := range peers {
-		assert.Equal(t, before[p.ID], p.IP, "peer %s IP should not change for host-bit-set equivalent range", p.ID)
-	}
-
-	// Omitting NetworkRange (invalid prefix) must also be a no-op.
-	_, err = manager.UpdateAccountSettings(ctx, account.Id, userID, &types.Settings{
-		PeerLoginExpirationEnabled: true,
-		PeerLoginExpiration:        types.DefaultPeerLoginExpiration,
-		Extra:                      &types.ExtraSettings{},
-	})
-	require.NoError(t, err)
-
-	peers, err = manager.Store.GetAccountPeers(ctx, store.LockingStrengthNone, account.Id, "", "")
-	require.NoError(t, err)
-	for _, p := range peers {
-		assert.Equal(t, before[p.ID], p.IP, "peer %s IP should not change when NetworkRange omitted", p.ID)
-	}
-
-	// Sanity: an actually different range still triggers reallocation.
-	newRange := netip.MustParsePrefix("100.99.0.0/16")
-	_, err = manager.UpdateAccountSettings(ctx, account.Id, userID, &types.Settings{
-		PeerLoginExpirationEnabled: true,
-		PeerLoginExpiration:        types.DefaultPeerLoginExpiration,
-		NetworkRange:               newRange,
-		Extra:                      &types.ExtraSettings{},
-	})
-	require.NoError(t, err)
-
-	peers, err = manager.Store.GetAccountPeers(ctx, store.LockingStrengthNone, account.Id, "", "")
-	require.NoError(t, err)
-	for _, p := range peers {
-		assert.True(t, newRange.Contains(p.IP), "peer %s should be in new range %s, got %s", p.ID, newRange, p.IP)
-		assert.NotEqual(t, before[p.ID], p.IP, "peer %s IP should change on real range update", p.ID)
-	}
-}
-
 func TestDefaultAccountManager_UpdateAccountSettings_IPv6EnabledGroups(t *testing.T) {
 	manager, _, account, peer1, peer2, peer3 := setupNetworkMapTest(t)
 	ctx := context.Background()

management/server/http/handler.go

@@ -15,13 +15,15 @@ import (
 	"github.com/netbirdio/netbird/management/server/types"
 
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxytoken"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxytoken"
 	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service/manager"
 
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	idpmanager "github.com/netbirdio/netbird/management/server/idp"
 
+	"github.com/netbirdio/management-integrations/integrations"
+
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	zonesManager "github.com/netbirdio/netbird/management/internals/modules/zones/manager"
@@ -30,10 +32,12 @@ import (
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/settings"
 
+	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/permissions"
 
 	"github.com/netbirdio/netbird/management/server/http/handlers/proxy"
 
+	nbpeers "github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/server/auth"
 	"github.com/netbirdio/netbird/management/server/geolocation"
 	nbgroups "github.com/netbirdio/netbird/management/server/groups"
@@ -52,14 +56,17 @@ import (
 	"github.com/netbirdio/netbird/management/server/http/middleware"
 	"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
 	nbinstance "github.com/netbirdio/netbird/management/server/instance"
+	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
 	nbnetworks "github.com/netbirdio/netbird/management/server/networks"
 	"github.com/netbirdio/netbird/management/server/networks/resources"
 	"github.com/netbirdio/netbird/management/server/networks/routers"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 )
 
+const apiPrefix = "/api"
+
 // NewAPIHandler creates the Management service HTTP API handler registering all the available endpoints.
-func NewAPIHandler(ctx context.Context, router *mux.Router, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, permissionsManager permissions.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, serviceManager service.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix, rateLimiter *middleware.APIRateLimiter, isValidChildAccount middleware.IsValidChildAccountFunc) (http.Handler, error) {
+func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, serviceManager service.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix, rateLimiter *middleware.APIRateLimiter) (http.Handler, error) {
 
 	// Register bypass paths for unauthenticated endpoints
 	if err := bypass.AddBypassPath("/api/instance"); err != nil {
@@ -93,16 +100,25 @@ func NewAPIHandler(ctx context.Context, router *mux.Router, accountManager accou
 		accountManager.GetUserFromUserAuth,
 		rateLimiter,
 		appMetrics.GetMeter(),
-		isValidChildAccount,
 	)
 
 	corsMiddleware := cors.AllowAll()
 
+	rootRouter := mux.NewRouter()
 	metricsMiddleware := appMetrics.HTTPMiddleware()
 
+	prefix := apiPrefix
+	router := rootRouter.PathPrefix(prefix).Subrouter()
+
 	router.Use(metricsMiddleware.Handler, corsMiddleware.Handler, authMiddleware.Handler)
 
-	instanceManager, err := nbinstance.NewManager(ctx, accountManager.GetStore(), idpManager)
+	if _, err := integrations.RegisterHandlers(ctx, prefix, router, accountManager, integratedValidator, appMetrics.GetMeter(), permissionsManager, peersManager, proxyController, settingsManager); err != nil {
+		return nil, fmt.Errorf("register integrations endpoints: %w", err)
+	}
+
+	// Check if embedded IdP is enabled for instance manager
+	embeddedIdP, embeddedIdpEnabled := idpManager.(*idpmanager.EmbeddedIdPManager)
+	instanceManager, err := nbinstance.NewManager(ctx, accountManager.GetStore(), embeddedIdP)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create instance manager: %w", err)
 	}
@@ -138,5 +154,10 @@ func NewAPIHandler(ctx context.Context, router *mux.Router, accountManager accou
 		oauthHandler.RegisterEndpoints(router)
 	}
 
-	return router, nil
+	// Mount embedded IdP handler at /oauth2 path if configured
+	if embeddedIdpEnabled {
+		rootRouter.PathPrefix("/oauth2").Handler(corsMiddleware.Handler(embeddedIdP.Handler()))
+	}
+
+	return rootRouter, nil
 }

management/server/http/handlers/proxy/auth_callback_integration_test.go

@@ -444,7 +444,7 @@ func (m *testServiceManager) GetServiceByDomain(ctx context.Context, domain stri
 	return m.store.GetServiceByDomain(ctx, domain)
 }
 
-func (m *testServiceManager) GetClusters(_ context.Context, _, _ string) ([]nbproxy.Cluster, error) {
+func (m *testServiceManager) GetActiveClusters(_ context.Context, _, _ string) ([]nbproxy.Cluster, error) {
 	return nil, nil
 }
 

management/server/http/middleware/auth_middleware.go

@@ -11,6 +11,8 @@ import (
 	log "github.com/sirupsen/logrus"
 	"go.opentelemetry.io/otel/metric"
 
+	"github.com/netbirdio/management-integrations/integrations"
+
 	serverauth "github.com/netbirdio/netbird/management/server/auth"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
@@ -25,8 +27,6 @@ type SyncUserJWTGroupsFunc func(ctx context.Context, userAuth auth.UserAuth) err
 
 type GetUserFromUserAuthFunc func(ctx context.Context, userAuth auth.UserAuth) (*types.User, error)
 
-type IsValidChildAccountFunc func(ctx context.Context, userID, accountID, childAccountID string) bool
-
 // AuthMiddleware middleware to verify personal access tokens (PAT) and JWT tokens
 type AuthMiddleware struct {
 	authManager         serverauth.Manager
@@ -35,7 +35,6 @@ type AuthMiddleware struct {
 	syncUserJWTGroups   SyncUserJWTGroupsFunc
 	rateLimiter         *APIRateLimiter
 	patUsageTracker     *PATUsageTracker
-	isValidChildAccount IsValidChildAccountFunc
 }
 
 // NewAuthMiddleware instance constructor
@@ -46,7 +45,6 @@ func NewAuthMiddleware(
 	getUserFromUserAuth GetUserFromUserAuthFunc,
 	rateLimiter *APIRateLimiter,
 	meter metric.Meter,
-	isValidChildAccount IsValidChildAccountFunc,
 ) *AuthMiddleware {
 	var patUsageTracker *PATUsageTracker
 	if meter != nil {
@@ -64,7 +62,6 @@ func NewAuthMiddleware(
 		getUserFromUserAuth: getUserFromUserAuth,
 		rateLimiter:         rateLimiter,
 		patUsageTracker:     patUsageTracker,
-		isValidChildAccount: isValidChildAccount,
 	}
 }
 
@@ -127,7 +124,7 @@ func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []
 	}
 
 	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
-		if m.isValidChildAccount(ctx, userAuth.UserId, userAuth.AccountId, impersonate[0]) {
+		if integrations.IsValidChildAccount(ctx, userAuth.UserId, userAuth.AccountId, impersonate[0]) {
 			userAuth.AccountId = impersonate[0]
 			userAuth.IsChild = true
 		}
@@ -206,7 +203,7 @@ func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, authHeaderParts []
 	}
 
 	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
-		if m.isValidChildAccount(r.Context(), userAuth.UserId, userAuth.AccountId, impersonate[0]) {
+		if integrations.IsValidChildAccount(r.Context(), userAuth.UserId, userAuth.AccountId, impersonate[0]) {
 			userAuth.AccountId = impersonate[0]
 			userAuth.IsChild = true
 		}

management/server/http/middleware/auth_middleware_test.go

@@ -211,7 +211,6 @@ func TestAuthMiddleware_Handler(t *testing.T) {
 		},
 		disabledLimiter,
 		nil,
-		func(_ context.Context, _, _, _ string) bool { return false },
 	)
 
 	handlerToTest := authMiddleware.Handler(nextHandler)
@@ -271,7 +270,6 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
-			func(_ context.Context, _, _, _ string) bool { return false },
 		)
 
 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -324,7 +322,6 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
-			func(_ context.Context, _, _, _ string) bool { return false },
 		)
 
 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -368,7 +365,6 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
-			func(_ context.Context, _, _, _ string) bool { return false },
 		)
 
 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -413,7 +409,6 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
-			func(_ context.Context, _, _, _ string) bool { return false },
 		)
 
 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -478,7 +473,6 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
-			func(_ context.Context, _, _, _ string) bool { return false },
 		)
 
 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -538,7 +532,6 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
-			func(_ context.Context, _, _, _ string) bool { return false },
 		)
 
 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -594,7 +587,6 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
-			func(_ context.Context, _, _, _ string) bool { return false },
 		)
 
 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -695,7 +687,6 @@ func TestAuthMiddleware_Handler_Child(t *testing.T) {
 		},
 		disabledLimiter,
 		nil,
-		func(_ context.Context, _, _, _ string) bool { return false },
 	)
 
 	for _, tc := range tt {