Bump github.com/Azure/go-ntlmssp from 0.1.0 to 0.1.1

Bumps [github.com/Azure/go-ntlmssp](https://github.com/Azure/go-ntlmssp) from 0.1.0 to 0.1.1. - [Release notes](https://github.com/Azure/go-ntlmssp/releases) - [Commits](https://github.com/Azure/go-ntlmssp/compare/v0.1.0...v0.1.1) --- updated-dependencies: - dependency-name: github.com/Azure/go-ntlmssp dependency-version: 0.1.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
2026-05-30 04:29:57 +00:00 · 2026-05-08 14:32:57 +00:00
263 changed files with 4191 additions and 23876 deletions
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -12,7 +12,6 @@
 - [ ] Is a feature enhancement
 - [ ] It is a refactor
 - [ ] Created tests that fail without the change (if possible)
- [ ] This change does **not** modify the public API, gRPC protocols, functionality behavior, CLI / service flags, or introduce a new feature — **OR** I have discussed it with the NetBird team beforehand (link the issue / Slack thread in the description). See [CONTRIBUTING.md](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTING.md#discuss-changes-with-the-netbird-team-first).

 > By submitting this pull request, you confirm that you have read and agree to the terms of the [Contributor License Agreement](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT.md).

--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,7 +19,7 @@ jobs:
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA,ede,additionals
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA
          skip: go.mod,go.sum,**/proxy/web/**
  golangci:
    strategy:
--- a/.github/workflows/proto-version-check.yml
+++ b/.github/workflows/proto-version-check.yml
@@ -20,66 +20,34 @@ jobs:
              per_page: 100,
            });

-            const modifiedPbFiles = files.filter(
-              f => f.filename.endsWith('.pb.go') && f.status === 'modified'
-            );
-            if (modifiedPbFiles.length === 0) {
-              console.log('No modified .pb.go files to check');
+            const pbFiles = files.filter(f => f.filename.endsWith('.pb.go'));
+            const missingPatch = pbFiles.filter(f => !f.patch).map(f => f.filename);
+            if (missingPatch.length > 0) {
+              core.setFailed(
+                `Cannot inspect patch data for:\n` +
+                missingPatch.map(f => `- ${f}`).join('\n') +
+                `\nThis can happen with very large PRs. Verify proto versions manually.`
+              );
              return;
            }
-
-            const versionPattern = /^\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
-            const baseSha = context.payload.pull_request.base.sha;
-            const headSha = context.payload.pull_request.head.sha;
-
-            async function getVersionHeader(path, ref) {
-              try {
-                const res = await github.rest.repos.getContent({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  path,
-                  ref,
-                });
-                if (!res.data.content) {
-                  return { ok: false, reason: 'no inline content (file too large)' };
-                }
-                const content = Buffer.from(res.data.content, 'base64').toString('utf8');
-                const lines = content
-                  .split('\n')
-                  .slice(0, 20)
-                  .filter(line => versionPattern.test(line));
-                return { ok: true, lines };
-              } catch (e) {
-                return { ok: false, reason: e.message };
-              }
-            }
-
+            const versionPattern = /^[+-]\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
            const violations = [];
-            for (const file of modifiedPbFiles) {
-              const [base, head] = await Promise.all([
-                getVersionHeader(file.filename, baseSha),
-                getVersionHeader(file.filename, headSha),
-              ]);
-              if (!base.ok || !head.ok) {
-                core.warning(
-                  `Skipping ${file.filename}: base=${base.ok ? 'ok' : base.reason}, head=${head.ok ? 'ok' : head.reason}`
-                );
-                continue;
-              }
-              if (base.lines.join('\n') !== head.lines.join('\n')) {
+
+            for (const file of pbFiles) {
+              const changed = file.patch
+                .split('\n')
+                .filter(line => versionPattern.test(line));
+              if (changed.length > 0) {
                violations.push({
                  file: file.filename,
-                  base: base.lines,
-                  head: head.lines,
+                  lines: changed,
                });
              }
            }

            if (violations.length > 0) {
              const details = violations.map(v =>
-                `${v.file}:\n` +
-                `  base:\n${v.base.map(l => '    ' + l).join('\n') || '    (none)'}\n` +
-                `  head:\n${v.head.map(l => '    ' + l).join('\n') || '    (none)'}`
+                `${v.file}:\n${v.lines.map(l => '  ' + l).join('\n')}`
              ).join('\n\n');

              core.setFailed(
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -15,7 +15,6 @@ If you haven't already, join our slack workspace [here](https://docs.netbird.io/
 - [Contributing to NetBird](#contributing-to-netbird)
    - [Contents](#contents)
    - [Code of conduct](#code-of-conduct)
-    - [Discuss changes with the NetBird team first](#discuss-changes-with-the-netbird-team-first)
    - [Directory structure](#directory-structure)
    - [Development setup](#development-setup)
        - [Requirements](#requirements)
@@ -34,14 +33,6 @@ Conduct which can be found in the file [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).
 By participating, you are expected to uphold this code. Please report
 unacceptable behavior to community@netbird.io.

-## Discuss changes with the NetBird team first
-
-Changes to the **public API**, **gRPC protocols**, **functionality behavior**, **CLI / service flags**, or **new features** should be discussed with the NetBird team before you start the work. These surfaces are part of NetBird's contract with operators, self-hosters, and downstream integrators, and changes to them have compatibility, security, and release-planning implications that benefit from an early conversation.
-
-Open an issue or reach out on [Slack](https://docs.netbird.io/slack-url) to talk through what you have in mind. We'll help shape the change, flag any constraints we know about, and confirm the direction so the PR review can focus on implementation rather than design.
-
-Typical bug fixes, internal refactors, documentation updates, and tests do not need pre-discussion — open the PR directly.
-
 ## Directory structure

 The NetBird project monorepo is organized to maintain most of its individual dependencies code within their directories, except for a few auxiliary or shared packages.
--- a/README.md
+++ b/README.md
@@ -1,134 +1,147 @@

 <div align="center">
-  <p align="center">
-    <img width="234" src="docs/media/logo-full.png" alt="NetBird logo"/>
-  </p>
-  <p align="center">
-    <a href="https://sonarcloud.io/dashboard?id=netbirdio_netbird">
-      <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" alt="SonarCloud alert status"/>
-    </a>
-    <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
-      <img src="https://img.shields.io/badge/license-BSD--3-blue" alt="BSD-3 License"/>
-    </a>
+<br/>
+  <br/>
+<p align="center">
+  <img width="234" src="docs/media/logo-full.png"/>
+</p>
+  <p>
+   <a href="https://img.shields.io/badge/license-BSD--3-blue)">
+       <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" />
+     </a> 
+     <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
+       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
+     </a> 
+    <br>
    <a href="https://docs.netbird.io/slack-url">
-      <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack" alt="NetBird Slack"/>
-    </a>
+        <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
+     </a>
    <a href="https://forum.netbird.io">
-      <img src="https://img.shields.io/badge/community%20forum-@netbird-red.svg?logo=discourse" alt="Community forum"/>
-    </a>
+        <img src="https://img.shields.io/badge/community forum-@netbird-red.svg?logo=discourse"/>
+     </a>  
+     <br>
    <a href="https://gurubase.io/g/netbird">
-      <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF" alt="Gurubase: Ask NetBird Guru"/>
-    </a>
+        <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF"/>
+     </a>    
  </p>
 </div>

+
 <p align="center">
-  <strong>
-    Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
-    <br/>
-    See <a href="https://netbird.io/docs/">Documentation</a>
-    <br/>
-    Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
-  </strong>
+<strong>
+  Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
  <br/>
+  See <a href="https://netbird.io/docs/">Documentation</a>
  <br/>
-  <strong>
-    🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
-  </strong>
+   Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
+  <br/>
+ 
+</strong>
+<br>
+<strong>
+  🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
+</strong>
+<br>
+<br>
+<a href="https://registry.terraform.io/providers/netbirdio/netbird/latest">
+    New: NetBird terraform provider
+  </a> 
 </p>

+<br>
+
 **NetBird combines a configuration-free peer-to-peer private network and a centralized access control system in a single platform, making it easy to create secure private networks for your organization or home.**

 **Connect.** NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.

 **Secure.** NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.

+### Open Source Network Security in a Single Platform
+
 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2

-### Self-host NetBird (video)
-
+### Self-Host NetBird (Video)
 [![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)

 ### Key features

-| Connectivity | Management | Security | Automation | Platforms |
-|---|---|---|---|---|
-| ✓ [Kernel WireGuard](https://docs.netbird.io/about-netbird/why-wireguard-with-netbird) | ✓ [Admin Web UI](https://github.com/netbirdio/dashboard) | ✓ [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) | ✓ [Public API](https://docs.netbird.io/api) | ✓ [Linux](https://docs.netbird.io/get-started/install/linux) |
-| ✓ [Peer-to-peer connections](https://docs.netbird.io/about-netbird/how-netbird-works) | ✓ Auto peer discovery and configuration | ✓ [Access control: groups & rules](https://docs.netbird.io/how-to/manage-network-access) | ✓ [Setup keys for bulk provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) | ✓ [macOS](https://docs.netbird.io/get-started/install/macos) |
-| ✓ Connection relay fallback | ✓ [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) | ✓ [Activity logging](https://docs.netbird.io/how-to/audit-events-logging) | ✓ [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) | ✓ [Windows](https://docs.netbird.io/get-started/install/windows) |
-| ✓ [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) | ✓ [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) | ✓ [Traffic events](https://docs.netbird.io/manage/activity/traffic-events-logging) | ✓ [IdP groups sync with JWT](https://docs.netbird.io/manage/team/idp-sync) | ✓ [Android](https://docs.netbird.io/get-started/install/android) |
-| ✓ [Domain-based DNS routes](https://docs.netbird.io/manage/dns/dns-aliases-for-routed-networks) | ✓ [Custom DNS zones](https://docs.netbird.io/manage/dns/custom-zones) | ✓ [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) | ✓ [Terraform provider](https://registry.terraform.io/providers/netbirdio/netbird/latest) | ✓ [Android TV](https://docs.netbird.io/get-started/install/android-tv) |
-| ✓ [Exit nodes](https://docs.netbird.io/manage/network-routes/use-cases/exit-nodes) | ✓ [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) | ✓ Peer-to-peer encryption | ✓ [Ansible collection](https://github.com/netbirdio/ansible-netbird) | ✓ [iOS](https://docs.netbird.io/get-started/install/ios) |
-| ✓ [IPv6 dual-stack overlay](https://docs.netbird.io/manage/settings/ipv6) | ✓ [Multi-account profile switching](https://docs.netbird.io/client/profiles) | ✓ [SSH with central access policies](https://docs.netbird.io/manage/peers/ssh) | | ✓ [Apple TV](https://docs.netbird.io/get-started/install/tvos) |
-| ✓ [Browser SSH & RDP](https://docs.netbird.io/manage/peers/browser-client) | | ✓ [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) | | ✓ FreeBSD |
-| ✓ [Reverse proxy with auto-TLS](https://docs.netbird.io/manage/reverse-proxy) | | ✓ [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication) | | ✓ [pfSense](https://docs.netbird.io/get-started/install/pfsense) |
-| | | | | ✓ [OPNsense](https://docs.netbird.io/get-started/install/opnsense) |
-| | | | | ✓ [MikroTik RouterOS](https://docs.netbird.io/use-cases/homelab/client-on-mikrotik-router) |
-| | | | | ✓ OpenWRT |
-| | | | | ✓ [Synology](https://docs.netbird.io/get-started/install/synology) |
-| | | | | ✓ [TrueNAS](https://docs.netbird.io/get-started/install/truenas) |
-| | | | | ✓ [Proxmox](https://docs.netbird.io/get-started/install/proxmox-ve) |
-| | | | | ✓ [Raspberry Pi](https://docs.netbird.io/get-started/install/raspberrypi) |
-| | | | | ✓ [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) |
-| | | | | ✓ [Container](https://docs.netbird.io/get-started/install/docker) |
+| Connectivity | Management | Security | Automation| Platforms |
+|----|----|----|----|----|
+| <ul><li>- \[x] Kernel WireGuard</ul></li> | <ul><li>- \[x] [Admin Web UI](https://github.com/netbirdio/dashboard)</ul></li> | <ul><li>- \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login)</ul></li> | <ul><li>- \[x] [Public API](https://docs.netbird.io/api)</ul></li> | <ul><li>- \[x] Linux</ul></li> |
+| <ul><li>- \[x] Peer-to-peer connections</ul></li> | <ul><li>- \[x] Auto peer discovery and configuration</ui></li> | <ul><li>- \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access)</ui></li> | <ul><li>- \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys)</ui></li> | <ul><li>- \[x] Mac</ui></li> |
+| <ul><li>- \[x] Connection relay fallback</ui></li> | <ul><li>- \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers)</ui></li> | <ul><li>- \[x] [Activity logging](https://docs.netbird.io/how-to/audit-events-logging)</ui></li> | <ul><li>- \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart)</ui></li> | <ul><li>- \[x] Windows</ui></li> |
+| <ul><li>- \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks)</ui></li> | <ul><li>- \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network)</ui></li> | <ul><li>- \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks)</ui></li> | <ul><li>- \[x] IdP groups sync with JWT</ui></li> | <ul><li>- \[x] Android</ui></li> |
+| <ul><li>- \[x] NAT traversal with BPF</ui></li> | <ul><li>- \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network)</ui></li> | <ul><li>- \[x] Peer-to-peer encryption</ui></li> || <ul><li>- \[x] iOS</ui></li> |
+||| <ul><li>- \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn)</ui></li> || <ul><li>- \[x] OpenWRT</ui></li> |
+||| <ul><li>- \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ui></li> || <ul><li>- \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas)</ui></li> |
+||||| <ul><li>- \[x] Docker</ui></li> |

 ### Quickstart with NetBird Cloud

- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install).
- Follow the steps to sign up with Google, Microsoft, GitHub or your email address.
- Check the NetBird [admin UI](https://app.netbird.io/).
+- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)
+- Follow the steps to sign-up with Google, Microsoft, GitHub or your email address.
+- Check NetBird [admin UI](https://app.netbird.io/).
+- Add more machines.

 ### Quickstart with self-hosted NetBird

-This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM. Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IdPs.
+> This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM.
+Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IDPs.

 **Infrastructure requirements:**
- A Linux VM with at least **1 CPU** and **2 GB** of memory.
- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port **3478**.
- A **public domain** name pointing to the VM.
+- A Linux VM with at least **1CPU** and **2GB** of memory.
+- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port: **3478**.
+- **Public domain** name pointing to the VM.

 **Software requirements:**
- Docker with the Compose plugin (Compose v2 or higher). See the [Docker installation guide](https://docs.docker.com/engine/install/).
+- Docker installed on the VM with the docker-compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
+- [jq](https://jqlang.github.io/jq/) installed. In most distributions
+  Usually available in the official repositories and can be installed with `sudo apt install jq` or `sudo yum install jq`
+- [curl](https://curl.se/) installed.
+  Usually available in the official repositories and can be installed with `sudo apt install curl` or `sudo yum install curl`

 **Steps**
 - Download and run the installation script:
 ```bash
 export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
 ```
+- Once finished, you can manage the resources via `docker-compose`

 ### A bit on NetBird internals
- Every machine in the network runs the [NetBird agent](client/), which manages WireGuard.
- Every agent connects to the [Management Service](management/), which holds network state, manages peer IPs, and distributes updates to agents.
- Agents use ICE (via [pion/ice](https://github.com/pion/ice)) to discover connection candidates for peer-to-peer connections.
- Candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
- Agents negotiate a connection through the [Signal Service](signal/), exchanging end-to-end encrypted messages with candidates.
- When NAT traversal fails (e.g. mobile carrier-grade NAT) and a direct p2p connection isn't possible, the system falls back to a [Relay Service](relay/) and a secure WireGuard tunnel is established through it.
+-  Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
+-  Every agent connects to [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to agents (peers).
+-  NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
+-  Connection candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
+-  Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages with candidates.
+-  Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and a p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
+ 
+[Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.

 <p float="left" align="middle">
-  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700" alt="NetBird high-level architecture diagram"/>
+  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700"/>
 </p>

 See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.

 ### Community projects
- [NetBird installer script](https://github.com/physk/netbird-installer)
- [netbird-tui](https://github.com/n0pashkov/netbird-tui) - terminal UI for managing NetBird peers, routes, and settings
- [caddy-netbird](https://github.com/lixmal/caddy-netbird) - Caddy plugin that embeds a NetBird client for proxying HTTP and TCP/UDP traffic through NetBird networks
+-  [NetBird installer script](https://github.com/physk/netbird-installer)
+-  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
+-  [netbird-tui](https://github.com/n0pashkov/netbird-tui) — terminal UI for managing NetBird peers, routes, and settings

 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).

 ### Support acknowledgement

-In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by the Federal Ministry of Education and Research of the Federal Republic of Germany. Together with the [CISPA Helmholtz Center for Information Security](https://cispa.de/en), NetBird brings security best practices and simplicity to private networking.
+In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by The Federal Ministry of Education and Research of The Federal Republic of Germany. Together with [CISPA Helmholtz Center for Information Security](https://cispa.de/en) NetBird brings the security best practices and simplicity to private networking.

 ![CISPA_Logo_BLACK_EN_RZ_RGB (1)](https://user-images.githubusercontent.com/700848/203091324-c6d311a0-22b5-4b05-a288-91cbc6cdcc46.png)

-### Acknowledgements
-We build on open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE](https://github.com/pion/ice), and [Rosenpass](https://rosenpass.eu). We greatly appreciate the work these projects are doing, and we'd love it if you could support them too (e.g., by starring or contributing).
+### Testimonials
+We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g., by giving a star or a contribution).

 ### Legal
-This repository is licensed under the BSD-3-Clause license, which applies to all parts of the repository except for the directories management/, signal/ and relay/.
+This repository is licensed under BSD-3-Clause license that applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.

 _WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.
--- a/client/android/profile_manager.go
+++ b/client/android/profile_manager.go
@@ -137,7 +137,7 @@ func (pm *ProfileManager) SwitchProfile(profileName string) error {
 // AddProfile creates a new profile
 func (pm *ProfileManager) AddProfile(profileName string) error {
 	// Use ServiceManager (creates profile in profiles/ directory)
-	if err := pm.serviceMgr.AddProfile(profileName, androidUsername, nil); err != nil {
+	if err := pm.serviceMgr.AddProfile(profileName, androidUsername); err != nil {
 		return fmt.Errorf("failed to add profile: %w", err)
 	}

--- a/client/cmd/owner.go
+++ b/client/cmd/owner.go
@@ -1,84 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strconv"
-
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-var ownerCmd = &cobra.Command{
-	Use:   "owner",
-	Short: "Manage daemon owner UIDs",
-	Long: `Manage the list of UIDs allowed to control the NetBird daemon.
-
-Owners are persisted in the active profile config and survive daemon restarts.
-The first call from the user logged in at the GUI / console session claims
-ownership automatically; these subcommands cover the rest of the lifecycle.`,
-}
-
-var ownerAddCmd = &cobra.Command{
-	Use:   "add <uid>",
-	Short: "Add a UID as an owner of the daemon",
-	Long: `Add a UID to the active profile's owner list. Requires root or an
-existing owner. Use this to grant another local user permanent access without
-having them log in at the console first.`,
-	Args: cobra.ExactArgs(1),
-	RunE: addOwnerFunc,
-}
-
-var ownerResetCmd = &cobra.Command{
-	Use:   "reset",
-	Short: "Clear the daemon's owner list",
-	Long: `Clear the active profile's owner list, returning the daemon to its
-unconfigured state. The next call from the active console-session user will
-re-claim ownership. Requires root.`,
-	RunE: resetOwnerFunc,
-}
-
-func addOwnerFunc(cmd *cobra.Command, args []string) error {
-	if err := setupCmd(cmd); err != nil {
-		return err
-	}
-
-	uid, err := strconv.ParseUint(args[0], 10, 32)
-	if err != nil {
-		return fmt.Errorf("parse uid %q: %w", args[0], err)
-	}
-
-	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
-	if err != nil {
-		return fmt.Errorf("connect to daemon: %w", err)
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	if _, err := client.AddOwner(cmd.Context(), &proto.AddOwnerRequest{Uid: uint32(uid)}); err != nil {
-		return fmt.Errorf("add owner: %w", err)
-	}
-
-	cmd.Printf("UID %d added as owner\n", uid)
-	return nil
-}
-
-func resetOwnerFunc(cmd *cobra.Command, _ []string) error {
-	if err := setupCmd(cmd); err != nil {
-		return err
-	}
-
-	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
-	if err != nil {
-		return fmt.Errorf("connect to daemon: %w", err)
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	if _, err := client.ResetOwner(cmd.Context(), &proto.ResetOwnerRequest{}); err != nil {
-		return fmt.Errorf("reset owner: %w", err)
-	}
-
-	cmd.Println("daemon owner list cleared; next call from the active console user will re-claim ownership")
-	return nil
-}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -23,7 +23,6 @@ import (
 	"google.golang.org/grpc/credentials/insecure"

 	daddr "github.com/netbirdio/netbird/client/internal/daemonaddr"
-	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )

@@ -144,7 +143,7 @@ func init() {
 	rootCmd.PersistentFlags().StringVar(&preSharedKey, preSharedKeyFlag, "", "Sets WireGuard PreSharedKey property. If set, then only peers that have the same key can communicate.")
 	rootCmd.PersistentFlags().StringVarP(&hostName, "hostname", "n", "", "Sets a custom hostname for the device")
 	rootCmd.PersistentFlags().BoolVarP(&anonymizeFlag, "anonymize", "A", false, "anonymize IP addresses and non-netbird.io domains in logs and status output")
-	rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", profilemanager.DefaultConfigPath, "Overrides the default profile file location")
+	rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", defaultConfigPath, "Overrides the default profile file location")

 	rootCmd.AddCommand(upCmd)
 	rootCmd.AddCommand(downCmd)
@@ -157,12 +156,8 @@ func init() {
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)
 	rootCmd.AddCommand(profileCmd)
-	rootCmd.AddCommand(ownerCmd)
 	rootCmd.AddCommand(exposeCmd)

-	ownerCmd.AddCommand(ownerAddCmd)
-	ownerCmd.AddCommand(ownerResetCmd)
-
 	networksCMD.AddCommand(routesListCmd)
 	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)

@@ -255,24 +250,11 @@ func DialClientGRPCServer(ctx context.Context, addr string) (*grpc.ClientConn, e
 	return grpc.DialContext(
 		ctx,
 		strings.TrimPrefix(addr, "tcp://"),
-		daemonDialTransportOption(addr),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
 		grpc.WithBlock(),
 	)
 }

-// daemonDialTransportOption returns the appropriate transport credentials for connecting
-// to the daemon. On Unix socket platforms, uses Unix transport credentials so the server
-// can extract the caller's UID for owner verification. Otherwise, uses insecure credentials.
-func daemonDialTransportOption(addr string) grpc.DialOption {
-	if strings.HasPrefix(addr, "unix://") {
-		creds := owner.NewUnixTransportCredentials()
-		if creds != nil {
-			return grpc.WithTransportCredentials(creds)
-		}
-	}
-	return grpc.WithTransportCredentials(insecure.NewCredentials())
-}
-
 // WithBackOff execute function in backoff cycle.
 func WithBackOff(bf func() error) error {
 	return backoff.RetryNotify(bf, CLIBackOffSettings, func(err error, duration time.Duration) {
--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -16,7 +16,6 @@ import (
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"

-	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
 	"github.com/netbirdio/netbird/client/system"
@@ -30,6 +29,9 @@ func (p *program) Start(svc service.Service) error {
 	// Collect static system and platform information
 	system.UpdateStaticInfoAsync()

+	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
+	p.serv = grpc.NewServer()
+
 	split := strings.Split(daemonAddr, "://")
 	switch split[0] {
 	case "unix":
@@ -45,12 +47,6 @@ func (p *program) Start(svc service.Service) error {
 		return fmt.Errorf("unsupported daemon address protocol: %v", split[0])
 	}

-	// Set up owner enforcement for Unix sockets.
-	configAdapter := &owner.ConfigAdapter{}
-	serverOpts := ownerServerOpts(split[0], configAdapter)
-
-	p.serv = grpc.NewServer(serverOpts...)
-
 	listen, err := net.Listen(split[0], split[1])
 	if err != nil {
 		return fmt.Errorf("listen daemon interface: %w", err)
@@ -69,8 +65,6 @@ func (p *program) Start(svc service.Service) error {
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}
-
-		configAdapter.SetBackend(serverInstance)
 		proto.RegisterDaemonServiceServer(p.serv, serverInstance)

 		p.serverInstanceMu.Lock()
@@ -85,32 +79,6 @@ func (p *program) Start(svc service.Service) error {
 	return nil
 }

-// ownerServerOpts returns gRPC server options for owner enforcement.
-// On Unix socket platforms, this includes transport credentials for peer credential
-// extraction and interceptors that check the caller's UID. On other platforms or TCP,
-// no owner enforcement is applied and a warning is logged so operators know the daemon
-// is running without per-user authorization.
-func ownerServerOpts(protocol string, configAdapter *owner.ConfigAdapter) []grpc.ServerOption {
-	if protocol != "unix" {
-		log.Warnf("daemon socket owner enforcement is not applied for protocol %q", protocol)
-		return nil
-	}
-
-	creds := owner.NewUnixTransportCredentials()
-	if creds == nil {
-		log.Warnf("daemon socket owner enforcement unavailable on this platform; daemon will accept any local connection")
-		return nil
-	}
-
-	interceptor := owner.NewInterceptor(configAdapter)
-
-	return []grpc.ServerOption{
-		grpc.Creds(creds),
-		grpc.ChainUnaryInterceptor(interceptor.UnaryInterceptor()),
-		grpc.ChainStreamInterceptor(interceptor.StreamInterceptor()),
-	}
-}
-
 func (p *program) Stop(srv service.Service) error {
 	p.serverInstanceMu.Lock()
 	if p.serverInstance != nil {
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -43,16 +43,16 @@ func init() {
 	ipsFilterMap = make(map[string]struct{})
 	prefixNamesFilterMap = make(map[string]struct{})
 	statusCmd.PersistentFlags().BoolVarP(&detailFlag, "detail", "d", false, "display detailed status information in human-readable format")
-	statusCmd.PersistentFlags().BoolVarP(&jsonFlag, "json", "j", false, "display detailed status information in json format")
-	statusCmd.PersistentFlags().BoolVarP(&yamlFlag, "yaml", "y", false, "display detailed status information in yaml format")
-	statusCmd.PersistentFlags().BoolVarP(&ipv4Flag, "ipv4", "4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
-	statusCmd.PersistentFlags().BoolVarP(&ipv6Flag, "ipv6", "6", false, "display only NetBird IPv6 of this peer")
+	statusCmd.PersistentFlags().BoolVar(&jsonFlag, "json", false, "display detailed status information in json format")
+	statusCmd.PersistentFlags().BoolVar(&yamlFlag, "yaml", false, "display detailed status information in yaml format")
+	statusCmd.PersistentFlags().BoolVar(&ipv4Flag, "ipv4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
+	statusCmd.PersistentFlags().BoolVar(&ipv6Flag, "ipv6", false, "display only NetBird IPv6 of this peer")
 	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4", "ipv6")
-	statusCmd.PersistentFlags().StringSliceVarP(&ipsFilter, "filter-by-ips", "I", []string{}, "filters the detailed output by a list of one or more IPs (v4 or v6), e.g., --filter-by-ips 100.64.0.100,fd00::1")
-	statusCmd.PersistentFlags().StringSliceVarP(&prefixNamesFilter, "filter-by-names", "N", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
-	statusCmd.PersistentFlags().StringVarP(&statusFilter, "filter-by-status", "S", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
-	statusCmd.PersistentFlags().StringVarP(&connectionTypeFilter, "filter-by-connection-type", "T", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
-	statusCmd.PersistentFlags().StringVarP(&checkFlag, "check", "C", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
+	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs (v4 or v6), e.g., --filter-by-ips 100.64.0.100,fd00::1")
+	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
+	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
+	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
+	statusCmd.PersistentFlags().StringVar(&checkFlag, "check", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
 }

 func statusFunc(cmd *cobra.Command, args []string) error {
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -11,7 +11,7 @@ import (
 	"go.opentelemetry.io/otel"
 	"google.golang.org/grpc"

-	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
+	"github.com/netbirdio/management-integrations/integrations"

 	nbcache "github.com/netbirdio/netbird/management/server/cache"

@@ -109,7 +109,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		t.Fatal(err)
 	}

-	iv, _ := validator.NewIntegratedValidator(ctx, peersmanager, settingsManagerMock, eventStore, cacheStore)
+	iv, _ := integrations.NewIntegratedValidator(ctx, peersmanager, settingsManagerMock, eventStore, cacheStore)

 	metrics, err := telemetry.NewDefaultAppMetrics(ctx)
 	require.NoError(t, err)
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -44,9 +44,6 @@ const (

 	profileNameFlag = "profile"
 	profileNameDesc = "profile name to use for the login. If not specified, the last used profile will be used."
-
-	claimOwnerFlag = "owner"
-	claimOwnerDesc = "claim owner privileges for this profile, restricting daemon control to the current user and root"
 )

 var (
@@ -57,7 +54,6 @@ var (
 	showQR             bool
 	profileName        string
 	configPath         string
-	claimOwner         bool

 	upCmd = &cobra.Command{
 		Use:   "up",
@@ -91,7 +87,6 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&showQR, showQRFlag, false, showQRDesc)
 	upCmd.PersistentFlags().StringVar(&profileName, profileNameFlag, "", profileNameDesc)
 	upCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "(DEPRECATED) NetBird config file location. ")
-	upCmd.PersistentFlags().BoolVar(&claimOwner, claimOwnerFlag, false, claimOwnerDesc)

 }

@@ -336,7 +331,6 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 	if _, err := client.Up(ctx, &proto.UpRequest{
 		ProfileName: &activeProf.Name,
 		Username:    &username,
-		ClaimOwner:  claimOwner,
 	}); err != nil {
 		return fmt.Errorf("call service up method: %v", err)
 	}
--- a/client/cmd/up_daemon_test.go
+++ b/client/cmd/up_daemon_test.go
@@ -29,7 +29,7 @@ func TestUpDaemon(t *testing.T) {
 	}

 	sm := profilemanager.ServiceManager{}
-	err = sm.AddProfile("test1", currUser.Username, nil)
+	err = sm.AddProfile("test1", currUser.Username)
 	if err != nil {
 		t.Fatalf("failed to add profile: %v", err)
 		return
--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -12,7 +12,6 @@ import (
 	"sync"

 	"github.com/sirupsen/logrus"
-	wgdevice "golang.zx2c4.com/wireguard/device"
 	wgnetstack "golang.zx2c4.com/wireguard/tun/netstack"

 	"github.com/netbirdio/netbird/client/iface"
@@ -85,12 +84,6 @@ type Options struct {
 	DisableIPv6 bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
-	// BlockLANAccess blocks the embedded peer from reaching the host's
-	// LAN (RFC 1918, link-local, loopback) when it's used as a routing
-	// peer. Mirrors profilemanager.ConfigInput.BlockLANAccess. Useful
-	// when the embedded client must never act as a stepping stone into
-	// the host's local network (e.g. the proxy's overlay peer).
-	BlockLANAccess bool
 	// WireguardPort is the port for the tunnel interface. Use 0 for a random port.
 	WireguardPort *int
 	// MTU is the MTU for the tunnel interface.
@@ -101,26 +94,6 @@ type Options struct {
 	MTU *uint16
 	// DNSLabels defines additional DNS labels configured in the peer.
 	DNSLabels []string
-	// Performance configures the tunnel's buffer pool cap and batch size.
-	Performance Performance
-}
-
-// Performance configures the embedded client's tunnel memory/throughput knobs.
-//
-// These settings are process-global: any non-nil field also becomes the
-// default for Clients constructed by later embed.New calls in the same
-// process. Nil fields are ignored.
-type Performance struct {
-	// PreallocatedBuffersPerPool caps the per-tunnel buffer pool. Zero
-	// leaves the pool unbounded. Lower values trade throughput for a
-	// tighter memory ceiling. May also be changed on a running Client via
-	// Client.SetPerformance, provided this field was nonzero at construction.
-	PreallocatedBuffersPerPool *uint32
-	// MaxBatchSize overrides the number of packets the tunnel reads or
-	// writes per syscall, which also bounds eager buffer allocation per
-	// worker. Zero uses the platform default. Applied at construction
-	// only; ignored by Client.SetPerformance.
-	MaxBatchSize *uint32
 }

 // validateCredentials checks that exactly one credential type is provided
@@ -202,7 +175,6 @@ func New(opts Options) (*Client, error) {
 		DisableClientRoutes: &opts.DisableClientRoutes,
 		DisableIPv6:         &opts.DisableIPv6,
 		BlockInbound:        &opts.BlockInbound,
-		BlockLANAccess:      &opts.BlockLANAccess,
 		WireguardPort:       opts.WireguardPort,
 		MTU:                 opts.MTU,
 		DNSLabels:           parsedLabels,
@@ -220,13 +192,6 @@ func New(opts Options) (*Client, error) {
 		config.PrivateKey = opts.PrivateKey
 	}

-	if opts.Performance.PreallocatedBuffersPerPool != nil {
-		wgdevice.SetPreallocatedBuffersPerPool(*opts.Performance.PreallocatedBuffersPerPool)
-	}
-	if opts.Performance.MaxBatchSize != nil {
-		wgdevice.SetMaxBatchSizeOverride(*opts.Performance.MaxBatchSize)
-	}
-
 	return &Client{
 		deviceName: opts.DeviceName,
 		setupKey:   opts.SetupKey,
@@ -371,7 +336,7 @@ func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	if err != nil {
 		return nil, fmt.Errorf("split host port: %w", err)
 	}
-	listenAddr := net.JoinHostPort(addr.String(), port)
+	listenAddr := fmt.Sprintf("%s:%s", addr, port)

 	tcpAddr, err := net.ResolveTCPAddr("tcp", listenAddr)
 	if err != nil {
@@ -392,7 +357,7 @@ func (c *Client) ListenUDP(address string) (net.PacketConn, error) {
 	if err != nil {
 		return nil, fmt.Errorf("split host port: %w", err)
 	}
-	listenAddr := net.JoinHostPort(addr.String(), port)
+	listenAddr := fmt.Sprintf("%s:%s", addr, port)

 	udpAddr, err := net.ResolveUDPAddr("udp", listenAddr)
 	if err != nil {
@@ -440,21 +405,6 @@ func (c *Client) Expose(ctx context.Context, req ExposeRequest) (*ExposeSession,
 	}, nil
 }

-// IdentityForIP looks up a remote peer by its tunnel IP using the
-// embedded client's status recorder. Returns the peer's WireGuard public
-// key and FQDN. ok=false means the IP isn't in this client's peer
-// roster — callers should treat that as "unknown peer".
-func (c *Client) IdentityForIP(ip netip.Addr) (pubKey, fqdn string, ok bool) {
-	if !ip.IsValid() || c.recorder == nil {
-		return "", "", false
-	}
-	state, found := c.recorder.PeerStateByIP(ip.String())
-	if !found {
-		return "", "", false
-	}
-	return state.PubKey, state.FQDN, true
-}
-
 // Status returns the current status of the client.
 func (c *Client) Status() (peer.FullStatus, error) {
 	c.mu.Lock()
@@ -523,25 +473,6 @@ func (c *Client) VerifySSHHostKey(peerAddress string, key []byte) error {
 	return sshcommon.VerifyHostKey(storedKey, key, peerAddress)
 }

-// SetPerformance retunes a running Client. Only PreallocatedBuffersPerPool
-// takes effect, and only when it was nonzero at construction;
-// MaxBatchSize is construction-only and returns an error if set here.
-//
-// Returns ErrClientNotStarted / ErrEngineNotStarted if the Client is not
-// running yet.
-func (c *Client) SetPerformance(t Performance) error {
-	if t.MaxBatchSize != nil {
-		return errors.New("MaxBatchSize is construction-only and cannot be changed at runtime")
-	}
-	engine, err := c.getEngine()
-	if err != nil {
-		return err
-	}
-	return engine.SetPerformance(internal.Performance{
-		PreallocatedBuffersPerPool: t.PreallocatedBuffersPerPool,
-	})
-}
-
 // StartCapture begins capturing packets on this client's tunnel device.
 // Only one capture can be active at a time; starting a new one stops the previous.
 // Call StopCapture (or CaptureSession.Stop) to end it.
--- a/client/firewall/nftables/external_chain_monitor_linux.go
+++ b/client/firewall/nftables/external_chain_monitor_linux.go
@@ -52,10 +52,9 @@ func (m *externalChainMonitor) start() {

 	ctx, cancel := context.WithCancel(context.Background())
 	m.cancel = cancel
-	done := make(chan struct{})
-	m.done = done
+	m.done = make(chan struct{})

-	go m.run(ctx, done)
+	go m.run(ctx)
 }

 func (m *externalChainMonitor) stop() {
@@ -73,8 +72,8 @@ func (m *externalChainMonitor) stop() {
 	<-done
 }

-func (m *externalChainMonitor) run(ctx context.Context, done chan struct{}) {
-	defer close(done)
+func (m *externalChainMonitor) run(ctx context.Context) {
+	defer close(m.done)

 	bo := &backoff.ExponentialBackOff{
 		InitialInterval:     externalMonitorInitInterval,
--- a/client/firewall/uspfilter/conntrack/cap_test.go
+++ b/client/firewall/uspfilter/conntrack/cap_test.go
@@ -1,125 +0,0 @@
-package conntrack
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/google/gopacket/layers"
-	"github.com/stretchr/testify/require"
-)
-
-func TestTCPCapEvicts(t *testing.T) {
-	t.Setenv(EnvTCPMaxEntries, "4")
-
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-	require.Equal(t, 4, tracker.maxEntries)
-
-	src := netip.MustParseAddr("100.64.0.1")
-	dst := netip.MustParseAddr("100.64.0.2")
-
-	for i := 0; i < 10; i++ {
-		tracker.TrackOutbound(src, dst, uint16(10000+i), 80, TCPSyn, 0)
-	}
-	require.LessOrEqual(t, len(tracker.connections), 4,
-		"TCP table must not exceed the configured cap")
-	require.Greater(t, len(tracker.connections), 0,
-		"some entries must remain after eviction")
-
-	// The most recently admitted flow must be present: eviction must make
-	// room for new entries, not silently drop them.
-	require.Contains(t, tracker.connections,
-		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(10009), DstPort: 80},
-		"newest TCP flow must be admitted after eviction")
-	// A pre-cap flow must have been evicted to fit the last one.
-	require.NotContains(t, tracker.connections,
-		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(10000), DstPort: 80},
-		"oldest TCP flow should have been evicted")
-}
-
-func TestTCPCapPrefersTombstonedForEviction(t *testing.T) {
-	t.Setenv(EnvTCPMaxEntries, "3")
-
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	src := netip.MustParseAddr("100.64.0.1")
-	dst := netip.MustParseAddr("100.64.0.2")
-
-	// Fill to cap with 3 live connections.
-	for i := 0; i < 3; i++ {
-		tracker.TrackOutbound(src, dst, uint16(20000+i), 80, TCPSyn, 0)
-	}
-	require.Len(t, tracker.connections, 3)
-
-	// Tombstone one by sending RST through IsValidInbound.
-	tombstonedKey := ConnKey{SrcIP: src, DstIP: dst, SrcPort: 20001, DstPort: 80}
-	require.True(t, tracker.IsValidInbound(dst, src, 80, 20001, TCPRst|TCPAck, 0))
-	require.True(t, tracker.connections[tombstonedKey].IsTombstone())
-
-	// Another live connection forces eviction. The tombstone must go first.
-	tracker.TrackOutbound(src, dst, uint16(29999), 80, TCPSyn, 0)
-
-	_, tombstonedStillPresent := tracker.connections[tombstonedKey]
-	require.False(t, tombstonedStillPresent,
-		"tombstoned entry should be evicted before live entries")
-	require.LessOrEqual(t, len(tracker.connections), 3)
-
-	// Both live pre-cap entries must survive: eviction must prefer the
-	// tombstone, not just satisfy the size bound by dropping any entry.
-	require.Contains(t, tracker.connections,
-		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(20000), DstPort: 80},
-		"live entries must not be evicted while a tombstone exists")
-	require.Contains(t, tracker.connections,
-		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(20002), DstPort: 80},
-		"live entries must not be evicted while a tombstone exists")
-}
-
-func TestUDPCapEvicts(t *testing.T) {
-	t.Setenv(EnvUDPMaxEntries, "5")
-
-	tracker := NewUDPTracker(DefaultUDPTimeout, logger, flowLogger)
-	defer tracker.Close()
-	require.Equal(t, 5, tracker.maxEntries)
-
-	src := netip.MustParseAddr("100.64.0.1")
-	dst := netip.MustParseAddr("100.64.0.2")
-
-	for i := 0; i < 12; i++ {
-		tracker.TrackOutbound(src, dst, uint16(30000+i), 53, 0)
-	}
-	require.LessOrEqual(t, len(tracker.connections), 5)
-	require.Greater(t, len(tracker.connections), 0)
-
-	require.Contains(t, tracker.connections,
-		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(30011), DstPort: 53},
-		"newest UDP flow must be admitted after eviction")
-	require.NotContains(t, tracker.connections,
-		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(30000), DstPort: 53},
-		"oldest UDP flow should have been evicted")
-}
-
-func TestICMPCapEvicts(t *testing.T) {
-	t.Setenv(EnvICMPMaxEntries, "3")
-
-	tracker := NewICMPTracker(DefaultICMPTimeout, logger, flowLogger)
-	defer tracker.Close()
-	require.Equal(t, 3, tracker.maxEntries)
-
-	src := netip.MustParseAddr("100.64.0.1")
-	dst := netip.MustParseAddr("100.64.0.2")
-
-	echoReq := layers.CreateICMPv4TypeCode(uint8(layers.ICMPv4TypeEchoRequest), 0)
-	for i := 0; i < 8; i++ {
-		tracker.TrackOutbound(src, dst, uint16(i), echoReq, nil, 64)
-	}
-	require.LessOrEqual(t, len(tracker.connections), 3)
-	require.Greater(t, len(tracker.connections), 0)
-
-	require.Contains(t, tracker.connections,
-		ICMPConnKey{SrcIP: src, DstIP: dst, ID: uint16(7)},
-		"newest ICMP flow must be admitted after eviction")
-	require.NotContains(t, tracker.connections,
-		ICMPConnKey{SrcIP: src, DstIP: dst, ID: uint16(0)},
-		"oldest ICMP flow should have been evicted")
-}
--- a/client/firewall/uspfilter/conntrack/common.go
+++ b/client/firewall/uspfilter/conntrack/common.go
@@ -3,61 +3,15 @@ package conntrack
 import (
 	"net"
 	"net/netip"
-	"os"
 	"strconv"
 	"sync/atomic"
 	"time"

 	"github.com/google/uuid"

-	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 )

-// evictSampleSize bounds how many map entries we scan per eviction call.
-// Keeps eviction O(1) even at cap under sustained load; the sampled-LRU
-// heuristic is good enough for a conntrack table that only overflows under
-// abuse.
-const evictSampleSize = 8
-
-// envDuration parses an os.Getenv(name) as a time.Duration. Falls back to
-// def on empty or invalid; logs a warning on invalid.
-func envDuration(logger *nblog.Logger, name string, def time.Duration) time.Duration {
-	v := os.Getenv(name)
-	if v == "" {
-		return def
-	}
-	d, err := time.ParseDuration(v)
-	if err != nil {
-		logger.Warn3("invalid %s=%q: %v, using default", name, v, err)
-		return def
-	}
-	if d <= 0 {
-		logger.Warn2("invalid %s=%q: must be positive, using default", name, v)
-		return def
-	}
-	return d
-}
-
-// envInt parses an os.Getenv(name) as an int. Falls back to def on empty,
-// invalid, or non-positive. Logs a warning on invalid input.
-func envInt(logger *nblog.Logger, name string, def int) int {
-	v := os.Getenv(name)
-	if v == "" {
-		return def
-	}
-	n, err := strconv.Atoi(v)
-	switch {
-	case err != nil:
-		logger.Warn3("invalid %s=%q: %v, using default", name, v, err)
-		return def
-	case n <= 0:
-		logger.Warn2("invalid %s=%q: must be positive, using default", name, v)
-		return def
-	}
-	return n
-}
-
 // BaseConnTrack provides common fields and locking for all connection types
 type BaseConnTrack struct {
 	FlowId    uuid.UUID
--- a/client/firewall/uspfilter/conntrack/defaults_desktop.go
+++ b/client/firewall/uspfilter/conntrack/defaults_desktop.go
@@ -1,11 +0,0 @@
-//go:build !ios && !android
-
-package conntrack
-
-// Default per-tracker entry caps on desktop/server platforms. These mirror
-// typical Linux netfilter nf_conntrack_max territory with ample headroom.
-const (
-	DefaultMaxTCPEntries  = 65536
-	DefaultMaxUDPEntries  = 16384
-	DefaultMaxICMPEntries = 2048
-)
--- a/client/firewall/uspfilter/conntrack/defaults_mobile.go
+++ b/client/firewall/uspfilter/conntrack/defaults_mobile.go
@@ -1,13 +0,0 @@
-//go:build ios || android
-
-package conntrack
-
-// Default per-tracker entry caps on mobile platforms. iOS network extensions
-// are capped at ~50 MB; Android runs under aggressive memory pressure. These
-// values keep conntrack footprint well under 5 MB worst case (TCPConnTrack
-// is ~200 B plus map overhead).
-const (
-	DefaultMaxTCPEntries  = 4096
-	DefaultMaxUDPEntries  = 2048
-	DefaultMaxICMPEntries = 512
-)
--- a/client/firewall/uspfilter/conntrack/icmp.go
+++ b/client/firewall/uspfilter/conntrack/icmp.go
@@ -50,9 +50,6 @@ type ICMPConnTrack struct {
 	ICMPCode uint8
 }

-// EnvICMPMaxEntries caps the ICMP conntrack table size.
-const EnvICMPMaxEntries = "NB_CONNTRACK_ICMP_MAX"
-
 // ICMPTracker manages ICMP connection states
 type ICMPTracker struct {
 	logger        *nblog.Logger
@@ -61,7 +58,6 @@ type ICMPTracker struct {
 	cleanupTicker *time.Ticker
 	tickerCancel  context.CancelFunc
 	mutex         sync.RWMutex
-	maxEntries    int
 	flowLogger    nftypes.FlowLogger
 }

@@ -175,7 +171,6 @@ func NewICMPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nfty
 		timeout:       timeout,
 		cleanupTicker: time.NewTicker(ICMPCleanupInterval),
 		tickerCancel:  cancel,
-		maxEntries:    envInt(logger, EnvICMPMaxEntries, DefaultMaxICMPEntries),
 		flowLogger:    flowLogger,
 	}

@@ -262,9 +257,7 @@ func (t *ICMPTracker) track(

 	// non echo requests don't need tracking
 	if typ != uint8(layers.ICMPv4TypeEchoRequest) {
-		if t.logger.Enabled(nblog.LevelTrace) {
-			t.logger.Trace3("New %s ICMP connection %s - %s", direction, key, icmpInfo)
-		}
+		t.logger.Trace3("New %s ICMP connection %s - %s", direction, key, icmpInfo)
 		t.sendStartEvent(direction, srcIP, dstIP, typ, code, ruleId, size)
 		return
 	}
@@ -283,15 +276,10 @@ func (t *ICMPTracker) track(
 	conn.UpdateCounters(direction, size)

 	t.mutex.Lock()
-	if t.maxEntries > 0 && len(t.connections) >= t.maxEntries {
-		t.evictOneLocked()
-	}
 	t.connections[key] = conn
 	t.mutex.Unlock()

-	if t.logger.Enabled(nblog.LevelTrace) {
-		t.logger.Trace3("New %s ICMP connection %s - %s", direction, key, icmpInfo)
-	}
+	t.logger.Trace3("New %s ICMP connection %s - %s", direction, key, icmpInfo)
 	t.sendEvent(nftypes.TypeStart, conn, ruleId)
 }

@@ -335,34 +323,6 @@ func (t *ICMPTracker) cleanupRoutine(ctx context.Context) {
 	}
 }

-// evictOneLocked removes one entry to make room. Caller must hold t.mutex.
-// Bounded sample scan: picks the oldest among up to evictSampleSize entries.
-func (t *ICMPTracker) evictOneLocked() {
-	var candKey ICMPConnKey
-	var candSeen int64
-	haveCand := false
-	sampled := 0
-
-	for k, c := range t.connections {
-		seen := c.lastSeen.Load()
-		if !haveCand || seen < candSeen {
-			candKey = k
-			candSeen = seen
-			haveCand = true
-		}
-		sampled++
-		if sampled >= evictSampleSize {
-			break
-		}
-	}
-	if haveCand {
-		if evicted := t.connections[candKey]; evicted != nil {
-			t.sendEvent(nftypes.TypeEnd, evicted, nil)
-		}
-		delete(t.connections, candKey)
-	}
-}
-
 func (t *ICMPTracker) cleanup() {
 	t.mutex.Lock()
 	defer t.mutex.Unlock()
@@ -371,10 +331,8 @@ func (t *ICMPTracker) cleanup() {
 		if conn.timeoutExceeded(t.timeout) {
 			delete(t.connections, key)

-			if t.logger.Enabled(nblog.LevelTrace) {
-				t.logger.Trace5("Removed ICMP connection %s (timeout) [in: %d Pkts/%d B out: %d Pkts/%d B]",
-					key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			}
+			t.logger.Trace5("Removed ICMP connection %s (timeout) [in: %d Pkts/%d B out: %d Pkts/%d B]",
+				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
 			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}
 	}
--- a/client/firewall/uspfilter/conntrack/tcp.go
+++ b/client/firewall/uspfilter/conntrack/tcp.go
@@ -38,27 +38,6 @@ const (
 	TCPHandshakeTimeout = 60 * time.Second
 	// TCPCleanupInterval is how often we check for stale connections
 	TCPCleanupInterval = 5 * time.Minute
-	// FinWaitTimeout bounds FIN_WAIT_1 / FIN_WAIT_2 / CLOSING states.
-	// Matches Linux netfilter nf_conntrack_tcp_timeout_fin_wait.
-	FinWaitTimeout = 60 * time.Second
-	// CloseWaitTimeout bounds CLOSE_WAIT. Matches Linux default; apps
-	// holding CloseWait longer than this should bump the env var.
-	CloseWaitTimeout = 60 * time.Second
-	// LastAckTimeout bounds LAST_ACK. Matches Linux default.
-	LastAckTimeout = 30 * time.Second
-)
-
-// Env vars to override per-state teardown timeouts. Values parsed by
-// time.ParseDuration (e.g. "120s", "2m"). Invalid values fall back to the
-// defaults above with a warning.
-const (
-	EnvTCPFinWaitTimeout   = "NB_CONNTRACK_TCP_FIN_WAIT_TIMEOUT"
-	EnvTCPCloseWaitTimeout = "NB_CONNTRACK_TCP_CLOSE_WAIT_TIMEOUT"
-	EnvTCPLastAckTimeout   = "NB_CONNTRACK_TCP_LAST_ACK_TIMEOUT"
-
-	// EnvTCPMaxEntries caps the TCP conntrack table size. Oldest entries
-	// (tombstones first) are evicted when the cap is reached.
-	EnvTCPMaxEntries = "NB_CONNTRACK_TCP_MAX"
 )

 // TCPState represents the state of a TCP connection
@@ -154,18 +133,14 @@ func (t *TCPConnTrack) SetTombstone() {

 // TCPTracker manages TCP connection states
 type TCPTracker struct {
-	logger           *nblog.Logger
-	connections      map[ConnKey]*TCPConnTrack
-	mutex            sync.RWMutex
-	cleanupTicker    *time.Ticker
-	tickerCancel     context.CancelFunc
-	timeout          time.Duration
-	waitTimeout      time.Duration
-	finWaitTimeout   time.Duration
-	closeWaitTimeout time.Duration
-	lastAckTimeout   time.Duration
-	maxEntries       int
-	flowLogger       nftypes.FlowLogger
+	logger        *nblog.Logger
+	connections   map[ConnKey]*TCPConnTrack
+	mutex         sync.RWMutex
+	cleanupTicker *time.Ticker
+	tickerCancel  context.CancelFunc
+	timeout       time.Duration
+	waitTimeout   time.Duration
+	flowLogger    nftypes.FlowLogger
 }

 // NewTCPTracker creates a new TCP connection tracker
@@ -180,17 +155,13 @@ func NewTCPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 	ctx, cancel := context.WithCancel(context.Background())

 	tracker := &TCPTracker{
-		logger:           logger,
-		connections:      make(map[ConnKey]*TCPConnTrack),
-		cleanupTicker:    time.NewTicker(TCPCleanupInterval),
-		tickerCancel:     cancel,
-		timeout:          timeout,
-		waitTimeout:      waitTimeout,
-		finWaitTimeout:   envDuration(logger, EnvTCPFinWaitTimeout, FinWaitTimeout),
-		closeWaitTimeout: envDuration(logger, EnvTCPCloseWaitTimeout, CloseWaitTimeout),
-		lastAckTimeout:   envDuration(logger, EnvTCPLastAckTimeout, LastAckTimeout),
-		maxEntries:       envInt(logger, EnvTCPMaxEntries, DefaultMaxTCPEntries),
-		flowLogger:       flowLogger,
+		logger:        logger,
+		connections:   make(map[ConnKey]*TCPConnTrack),
+		cleanupTicker: time.NewTicker(TCPCleanupInterval),
+		tickerCancel:  cancel,
+		timeout:       timeout,
+		waitTimeout:   waitTimeout,
+		flowLogger:    flowLogger,
 	}

 	go tracker.cleanupRoutine(ctx)
@@ -238,12 +209,6 @@ func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, fla
 	if exists || flags&TCPSyn == 0 {
 		return
 	}
-	// Reject illegal SYN combinations (SYN+FIN, SYN+RST, …) so they don't
-	// create spurious conntrack entries. Not mandated by RFC 9293 but a
-	// common hardening (Linux netfilter/nftables rejects these too).
-	if !isValidFlagCombination(flags) {
-		return
-	}

 	conn := &TCPConnTrack{
 		BaseConnTrack: BaseConnTrack{
@@ -260,65 +225,20 @@ func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, fla
 	conn.state.Store(int32(TCPStateNew))
 	conn.DNATOrigPort.Store(uint32(origPort))

-	if t.logger.Enabled(nblog.LevelTrace) {
-		if origPort != 0 {
-			t.logger.Trace4("New %s TCP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
-		} else {
-			t.logger.Trace2("New %s TCP connection: %s", direction, key)
-		}
+	if origPort != 0 {
+		t.logger.Trace4("New %s TCP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
+	} else {
+		t.logger.Trace2("New %s TCP connection: %s", direction, key)
 	}
 	t.updateState(key, conn, flags, direction, size)

 	t.mutex.Lock()
-	if t.maxEntries > 0 && len(t.connections) >= t.maxEntries {
-		t.evictOneLocked()
-	}
 	t.connections[key] = conn
 	t.mutex.Unlock()

 	t.sendEvent(nftypes.TypeStart, conn, ruleID)
 }

-// evictOneLocked removes one entry to make room. Caller must hold t.mutex.
-// Bounded scan: samples up to evictSampleSize pseudo-random entries (Go map
-// iteration order is randomized), preferring a tombstone. If no tombstone
-// found in the sample, evicts the oldest among the sampled entries. O(1)
-// worst case — cheap enough to run on every insert at cap during abuse.
-func (t *TCPTracker) evictOneLocked() {
-	var candKey ConnKey
-	var candSeen int64
-	haveCand := false
-	sampled := 0
-
-	for k, c := range t.connections {
-		if c.IsTombstone() {
-			delete(t.connections, k)
-			return
-		}
-		seen := c.lastSeen.Load()
-		if !haveCand || seen < candSeen {
-			candKey = k
-			candSeen = seen
-			haveCand = true
-		}
-		sampled++
-		if sampled >= evictSampleSize {
-			break
-		}
-	}
-	if haveCand {
-		if evicted := t.connections[candKey]; evicted != nil {
-			// TypeEnd is already emitted at the state transition to
-			// TimeWait and when a connection is tombstoned. Only emit
-			// here when we're reaping a still-active flow.
-			if evicted.GetState() != TCPStateTimeWait && !evicted.IsTombstone() {
-				t.sendEvent(nftypes.TypeEnd, evicted, nil)
-			}
-		}
-		delete(t.connections, candKey)
-	}
-}
-
 // IsValidInbound checks if an inbound TCP packet matches a tracked connection
 func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) bool {
 	key := ConnKey{
@@ -336,19 +256,12 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 		return false
 	}

-	// Reject illegal flag combinations regardless of state. These never belong
-	// to a legitimate flow and must not advance or tear down state.
-	if !isValidFlagCombination(flags) {
-		if t.logger.Enabled(nblog.LevelWarn) {
-			t.logger.Warn3("TCP illegal flag combination %x for connection %s (state %s)", flags, key, conn.GetState())
-		}
-		return false
-	}
-
 	currentState := conn.GetState()
 	if !t.isValidStateForFlags(currentState, flags) {
-		if t.logger.Enabled(nblog.LevelWarn) {
-			t.logger.Warn3("TCP state %s is not valid with flags %x for connection %s", currentState, flags, key)
+		t.logger.Warn3("TCP state %s is not valid with flags %x for connection %s", currentState, flags, key)
+		// allow all flags for established for now
+		if currentState == TCPStateEstablished {
+			return true
 		}
 		return false
 	}
@@ -357,208 +270,116 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	return true
 }

-// updateState updates the TCP connection state based on flags.
+// updateState updates the TCP connection state based on flags
 func (t *TCPTracker) updateState(key ConnKey, conn *TCPConnTrack, flags uint8, packetDir nftypes.Direction, size int) {
-	conn.UpdateCounters(packetDir, size)
-
-	// Malformed flag combinations must not refresh lastSeen or drive state,
-	// otherwise spoofed packets keep a dead flow alive past its timeout.
-	if !isValidFlagCombination(flags) {
-		return
-	}
-
 	conn.UpdateLastSeen()
+	conn.UpdateCounters(packetDir, size)

 	currentState := conn.GetState()

 	if flags&TCPRst != 0 {
-		// Hardening beyond RFC 9293 §3.10.7.4: without sequence tracking we
-		// cannot apply the RFC 5961 in-window RST check, so we conservatively
-		// reject RSTs that the spec would accept (TIME-WAIT with in-window
-		// SEQ, SynSent from same direction as own SYN, etc.).
-		t.handleRst(key, conn, currentState, packetDir)
-		return
-	}
-
-	newState := nextState(currentState, conn.Direction, packetDir, flags)
-	if newState == 0 || !conn.CompareAndSwapState(currentState, newState) {
-		return
-	}
-	t.onTransition(key, conn, currentState, newState, packetDir)
-}
-
-// handleRst processes a RST segment. Late RSTs in TimeWait and spoofed RSTs
-// from the SYN direction are ignored; otherwise the flow is tombstoned.
-func (t *TCPTracker) handleRst(key ConnKey, conn *TCPConnTrack, currentState TCPState, packetDir nftypes.Direction) {
-	// TimeWait exists to absorb late segments; don't let a late RST
-	// tombstone the entry and break same-4-tuple reuse.
-	if currentState == TCPStateTimeWait {
-		return
-	}
-	// A RST from the same direction as the SYN cannot be a legitimate
-	// response and must not tear down a half-open connection.
-	if currentState == TCPStateSynSent && packetDir == conn.Direction {
-		return
-	}
-	if !conn.CompareAndSwapState(currentState, TCPStateClosed) {
-		return
-	}
-	conn.SetTombstone()
-	if t.logger.Enabled(nblog.LevelTrace) {
-		t.logger.Trace6("TCP connection reset: %s (dir: %s) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
-			key, packetDir, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-	}
-	t.sendEvent(nftypes.TypeEnd, conn, nil)
-}
-
-// stateTransition describes one state's transition logic. It receives the
-// packet's flags plus whether the packet direction matches the connection's
-// origin direction (same=true means same side as the SYN initiator). Return 0
-// for no transition.
-type stateTransition func(flags uint8, connDir nftypes.Direction, same bool) TCPState
-
-// stateTable maps each state to its transition function. Centralized here so
-// nextState stays trivial and each rule is easy to read in isolation.
-var stateTable = map[TCPState]stateTransition{
-	TCPStateNew:         transNew,
-	TCPStateSynSent:     transSynSent,
-	TCPStateSynReceived: transSynReceived,
-	TCPStateEstablished: transEstablished,
-	TCPStateFinWait1:    transFinWait1,
-	TCPStateFinWait2:    transFinWait2,
-	TCPStateClosing:     transClosing,
-	TCPStateCloseWait:   transCloseWait,
-	TCPStateLastAck:     transLastAck,
-}
-
-// nextState returns the target TCP state for the given current state and
-// packet, or 0 if the packet does not trigger a transition.
-func nextState(currentState TCPState, connDir, packetDir nftypes.Direction, flags uint8) TCPState {
-	fn, ok := stateTable[currentState]
-	if !ok {
-		return 0
-	}
-	return fn(flags, connDir, packetDir == connDir)
-}
-
-func transNew(flags uint8, connDir nftypes.Direction, _ bool) TCPState {
-	if flags&TCPSyn != 0 && flags&TCPAck == 0 {
-		if connDir == nftypes.Egress {
-			return TCPStateSynSent
+		if conn.CompareAndSwapState(currentState, TCPStateClosed) {
+			conn.SetTombstone()
+			t.logger.Trace6("TCP connection reset: %s (dir: %s) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
+				key, packetDir, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}
-		return TCPStateSynReceived
+		return
 	}
-	return 0
-}

-func transSynSent(flags uint8, _ nftypes.Direction, same bool) TCPState {
-	if flags&TCPSyn != 0 && flags&TCPAck != 0 {
-		if same {
-			return TCPStateSynReceived // simultaneous open
+	var newState TCPState
+	switch currentState {
+	case TCPStateNew:
+		if flags&TCPSyn != 0 && flags&TCPAck == 0 {
+			if conn.Direction == nftypes.Egress {
+				newState = TCPStateSynSent
+			} else {
+				newState = TCPStateSynReceived
+			}
 		}
-		return TCPStateEstablished
-	}
-	return 0
-}

-func transSynReceived(flags uint8, _ nftypes.Direction, same bool) TCPState {
-	if flags&TCPAck != 0 && flags&TCPSyn == 0 && same {
-		return TCPStateEstablished
-	}
-	return 0
-}
+	case TCPStateSynSent:
+		if flags&TCPSyn != 0 && flags&TCPAck != 0 {
+			if packetDir != conn.Direction {
+				newState = TCPStateEstablished
+			} else {
+				// Simultaneous open
+				newState = TCPStateSynReceived
+			}
+		}

-func transEstablished(flags uint8, _ nftypes.Direction, same bool) TCPState {
-	if flags&TCPFin == 0 {
-		return 0
-	}
-	if same {
-		return TCPStateFinWait1
-	}
-	return TCPStateCloseWait
-}
+	case TCPStateSynReceived:
+		if flags&TCPAck != 0 && flags&TCPSyn == 0 {
+			if packetDir == conn.Direction {
+				newState = TCPStateEstablished
+			}
+		}

-// transFinWait1 handles the active-close peer response. A FIN carrying our
-// ACK piggybacked goes straight to TIME-WAIT (RFC 9293 §3.10.7.4, FIN-WAIT-1:
-// "if our FIN has been ACKed... enter the TIME-WAIT state"); a lone FIN moves
-// to CLOSING; a pure ACK of our FIN moves to FIN-WAIT-2.
-func transFinWait1(flags uint8, _ nftypes.Direction, same bool) TCPState {
-	if same {
-		return 0
-	}
-	if flags&TCPFin != 0 && flags&TCPAck != 0 {
-		return TCPStateTimeWait
-	}
-	switch {
-	case flags&TCPFin != 0:
-		return TCPStateClosing
-	case flags&TCPAck != 0:
-		return TCPStateFinWait2
-	}
-	return 0
-}
+	case TCPStateEstablished:
+		if flags&TCPFin != 0 {
+			if packetDir == conn.Direction {
+				newState = TCPStateFinWait1
+			} else {
+				newState = TCPStateCloseWait
+			}
+		}

-// transFinWait2 ignores own-side FIN retransmits; only the peer's FIN advances.
-func transFinWait2(flags uint8, _ nftypes.Direction, same bool) TCPState {
-	if flags&TCPFin != 0 && !same {
-		return TCPStateTimeWait
-	}
-	return 0
-}
+	case TCPStateFinWait1:
+		if packetDir != conn.Direction {
+			switch {
+			case flags&TCPFin != 0 && flags&TCPAck != 0:
+				newState = TCPStateClosing
+			case flags&TCPFin != 0:
+				newState = TCPStateClosing
+			case flags&TCPAck != 0:
+				newState = TCPStateFinWait2
+			}
+		}

-// transClosing completes a simultaneous close on the peer's ACK.
-func transClosing(flags uint8, _ nftypes.Direction, same bool) TCPState {
-	if flags&TCPAck != 0 && !same {
-		return TCPStateTimeWait
-	}
-	return 0
-}
+	case TCPStateFinWait2:
+		if flags&TCPFin != 0 {
+			newState = TCPStateTimeWait
+		}

-// transCloseWait only advances to LastAck when WE send FIN, ignoring peer retransmits.
-func transCloseWait(flags uint8, _ nftypes.Direction, same bool) TCPState {
-	if flags&TCPFin != 0 && same {
-		return TCPStateLastAck
-	}
-	return 0
-}
+	case TCPStateClosing:
+		if flags&TCPAck != 0 {
+			newState = TCPStateTimeWait
+		}

-// transLastAck closes the flow only on the peer's ACK (not our own ACK retransmits).
-func transLastAck(flags uint8, _ nftypes.Direction, same bool) TCPState {
-	if flags&TCPAck != 0 && !same {
-		return TCPStateClosed
-	}
-	return 0
-}
+	case TCPStateCloseWait:
+		if flags&TCPFin != 0 {
+			newState = TCPStateLastAck
+		}

-// onTransition handles logging and flow-event emission after a successful
-// state transition. TimeWait and Closed are terminal for flow accounting.
-func (t *TCPTracker) onTransition(key ConnKey, conn *TCPConnTrack, from, to TCPState, packetDir nftypes.Direction) {
-	traceOn := t.logger.Enabled(nblog.LevelTrace)
-	if traceOn {
-		t.logger.Trace4("TCP connection %s transitioned from %s to %s (dir: %s)", key, from, to, packetDir)
+	case TCPStateLastAck:
+		if flags&TCPAck != 0 {
+			newState = TCPStateClosed
+		}
 	}

-	switch to {
-	case TCPStateTimeWait:
-		if traceOn {
+	if newState != 0 && conn.CompareAndSwapState(currentState, newState) {
+		t.logger.Trace4("TCP connection %s transitioned from %s to %s (dir: %s)", key, currentState, newState, packetDir)
+
+		switch newState {
+		case TCPStateTimeWait:
 			t.logger.Trace5("TCP connection %s completed [in: %d Pkts/%d B, out: %d Pkts/%d B]",
 				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-		}
-		t.sendEvent(nftypes.TypeEnd, conn, nil)
-	case TCPStateClosed:
-		conn.SetTombstone()
-		if traceOn {
+			t.sendEvent(nftypes.TypeEnd, conn, nil)
+
+		case TCPStateClosed:
+			conn.SetTombstone()
 			t.logger.Trace5("TCP connection %s closed gracefully [in: %d Pkts/%d, B out: %d Pkts/%d B]",
 				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}
-		t.sendEvent(nftypes.TypeEnd, conn, nil)
 	}
 }

-// isValidStateForFlags checks if the TCP flags are valid for the current
-// connection state. Caller must have already verified the flag combination is
-// legal via isValidFlagCombination.
+// isValidStateForFlags checks if the TCP flags are valid for the current connection state
 func (t *TCPTracker) isValidStateForFlags(state TCPState, flags uint8) bool {
+	if !isValidFlagCombination(flags) {
+		return false
+	}
 	if flags&TCPRst != 0 {
 		if state == TCPStateSynSent {
 			return flags&TCPAck != 0
@@ -628,24 +449,15 @@ func (t *TCPTracker) cleanup() {
 			timeout = t.waitTimeout
 		case TCPStateEstablished:
 			timeout = t.timeout
-		case TCPStateFinWait1, TCPStateFinWait2, TCPStateClosing:
-			timeout = t.finWaitTimeout
-		case TCPStateCloseWait:
-			timeout = t.closeWaitTimeout
-		case TCPStateLastAck:
-			timeout = t.lastAckTimeout
 		default:
-			// SynSent / SynReceived / New
 			timeout = TCPHandshakeTimeout
 		}

 		if conn.timeoutExceeded(timeout) {
 			delete(t.connections, key)

-			if t.logger.Enabled(nblog.LevelTrace) {
-				t.logger.Trace6("Cleaned up timed-out TCP connection %s (%s) [in: %d Pkts/%d, B out: %d Pkts/%d B]",
-					key, conn.GetState(), conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			}
+			t.logger.Trace6("Cleaned up timed-out TCP connection %s (%s) [in: %d Pkts/%d, B out: %d Pkts/%d B]",
+				key, conn.GetState(), conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())

 			// event already handled by state change
 			if currentState != TCPStateTimeWait {
--- a/client/firewall/uspfilter/conntrack/tcp_rst_bugs_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_rst_bugs_test.go
@@ -1,100 +0,0 @@
-package conntrack
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-// RST hygiene tests: the tracker currently closes the flow on any RST that
-// matches the 4-tuple, regardless of direction or state. These tests cover
-// the minimum checks we want (no SEQ tracking).
-
-func TestTCPRstInSynSentWrongDirection(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 0)
-	conn := tracker.connections[key]
-	require.Equal(t, TCPStateSynSent, conn.GetState())
-
-	// A RST arriving in the same direction as the SYN (i.e. TrackOutbound)
-	// cannot be a legitimate response. It must not close the connection.
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPRst|TCPAck, 0)
-	require.Equal(t, TCPStateSynSent, conn.GetState(),
-		"RST in same direction as SYN must not close connection")
-	require.False(t, conn.IsTombstone())
-}
-
-func TestTCPRstInTimeWaitIgnored(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-	// Drive to TIME-WAIT via active close.
-	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0))
-	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0))
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-	conn := tracker.connections[key]
-	require.Equal(t, TCPStateTimeWait, conn.GetState())
-	require.False(t, conn.IsTombstone(), "TIME-WAIT must not be tombstoned")
-
-	// Late RST during TIME-WAIT must not tombstone the entry (TIME-WAIT
-	// exists to absorb late segments).
-	tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst, 0)
-	require.Equal(t, TCPStateTimeWait, conn.GetState(),
-		"RST in TIME-WAIT must not transition state")
-	require.False(t, conn.IsTombstone(),
-		"RST in TIME-WAIT must not tombstone the entry")
-}
-
-func TestTCPIllegalFlagCombos(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-	conn := tracker.connections[key]
-
-	// Illegal combos must be rejected and must not change state.
-	combos := []struct {
-		name  string
-		flags uint8
-	}{
-		{"SYN+RST", TCPSyn | TCPRst},
-		{"FIN+RST", TCPFin | TCPRst},
-		{"SYN+FIN", TCPSyn | TCPFin},
-		{"SYN+FIN+RST", TCPSyn | TCPFin | TCPRst},
-	}
-
-	for _, c := range combos {
-		t.Run(c.name, func(t *testing.T) {
-			before := conn.GetState()
-			valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, c.flags, 0)
-			require.False(t, valid, "illegal flag combo must be rejected: %s", c.name)
-			require.Equal(t, before, conn.GetState(),
-				"illegal flag combo must not change state")
-			require.False(t, conn.IsTombstone())
-		})
-	}
-}
--- a/client/firewall/uspfilter/conntrack/tcp_state_bugs_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_state_bugs_test.go
@@ -1,235 +0,0 @@
-package conntrack
-
-import (
-	"net/netip"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-)
-
-// These tests exercise cases where the TCP state machine currently advances
-// on retransmitted or wrong-direction segments and tears the flow down
-// prematurely. They are expected to fail until the direction checks are added.
-
-func TestTCPCloseWaitRetransmittedPeerFIN(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-	// Peer sends FIN -> CloseWait (our app has not yet closed).
-	valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-	require.True(t, valid)
-	conn := tracker.connections[key]
-	require.Equal(t, TCPStateCloseWait, conn.GetState())
-
-	// Peer retransmits their FIN (ACK may have been delayed). We have NOT
-	// sent our FIN yet, so state must remain CloseWait.
-	valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-	require.True(t, valid, "retransmitted peer FIN must still be accepted")
-	require.Equal(t, TCPStateCloseWait, conn.GetState(),
-		"retransmitted peer FIN must not advance CloseWait to LastAck")
-
-	// Our app finally closes -> LastAck.
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-	require.Equal(t, TCPStateLastAck, conn.GetState())
-
-	// Peer ACK closes.
-	valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-	require.True(t, valid)
-	require.Equal(t, TCPStateClosed, conn.GetState())
-}
-
-func TestTCPFinWait2RetransmittedOwnFIN(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-	// We initiate close.
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-	valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-	require.True(t, valid)
-	conn := tracker.connections[key]
-	require.Equal(t, TCPStateFinWait2, conn.GetState())
-
-	// Stray retransmit of our own FIN (same direction as originator) must
-	// NOT advance FinWait2 to TimeWait; only the peer's FIN should.
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-	require.Equal(t, TCPStateFinWait2, conn.GetState(),
-		"own FIN retransmit must not advance FinWait2 to TimeWait")
-
-	// Peer FIN -> TimeWait.
-	valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-	require.True(t, valid)
-	require.Equal(t, TCPStateTimeWait, conn.GetState())
-}
-
-func TestTCPLastAckDirectionCheck(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-	// Drive to LastAck: peer FIN -> CloseWait, our FIN -> LastAck.
-	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0))
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-	conn := tracker.connections[key]
-	require.Equal(t, TCPStateLastAck, conn.GetState())
-
-	// Our own ACK retransmit (same direction as originator) must NOT close.
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-	require.Equal(t, TCPStateLastAck, conn.GetState(),
-		"own ACK retransmit in LastAck must not transition to Closed")
-
-	// Peer's ACK -> Closed.
-	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0))
-	require.Equal(t, TCPStateClosed, conn.GetState())
-}
-
-func TestTCPFinWait1OwnAckDoesNotAdvance(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-	conn := tracker.connections[key]
-	require.Equal(t, TCPStateFinWait1, conn.GetState())
-
-	// Our own ACK retransmit (same direction as originator) must not advance.
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-	require.Equal(t, TCPStateFinWait1, conn.GetState(),
-		"own ACK in FinWait1 must not advance to FinWait2")
-}
-
-func TestTCPPerStateTeardownTimeouts(t *testing.T) {
-	// Verify cleanup reaps entries in each teardown state at the configured
-	// per-state timeout, not at the single handshake timeout.
-	t.Setenv(EnvTCPFinWaitTimeout, "50ms")
-	t.Setenv(EnvTCPCloseWaitTimeout, "80ms")
-	t.Setenv(EnvTCPLastAckTimeout, "30ms")
-
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	dstPort := uint16(80)
-
-	// Drives a connection to the target state, forces its lastSeen well
-	// beyond the configured timeout, runs cleanup, and asserts reaping.
-	cases := []struct {
-		name string
-		// drive takes a fresh tracker and returns the conn key after
-		// transitioning the flow into the intended teardown state.
-		drive func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState)
-	}{
-		{
-			name: "FinWait1",
-			drive: func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState) {
-				establishConnection(t, tr, srcIP, dstIP, srcPort, dstPort)
-				tr.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0) // → FinWait1
-				return ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}, TCPStateFinWait1
-			},
-		},
-		{
-			name: "FinWait2",
-			drive: func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState) {
-				establishConnection(t, tr, srcIP, dstIP, srcPort, dstPort)
-				tr.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)              // FinWait1
-				require.True(t, tr.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0))   // → FinWait2
-				return ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}, TCPStateFinWait2
-			},
-		},
-		{
-			name: "CloseWait",
-			drive: func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState) {
-				establishConnection(t, tr, srcIP, dstIP, srcPort, dstPort)
-				require.True(t, tr.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)) // → CloseWait
-				return ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}, TCPStateCloseWait
-			},
-		},
-		{
-			name: "LastAck",
-			drive: func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState) {
-				establishConnection(t, tr, srcIP, dstIP, srcPort, dstPort)
-				require.True(t, tr.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)) // CloseWait
-				tr.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)                   // → LastAck
-				return ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}, TCPStateLastAck
-			},
-		},
-	}
-
-	// Use a unique source port per subtest so nothing aliases.
-	port := uint16(12345)
-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
-			tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-			defer tracker.Close()
-
-			require.Equal(t, 50*time.Millisecond, tracker.finWaitTimeout)
-			require.Equal(t, 80*time.Millisecond, tracker.closeWaitTimeout)
-			require.Equal(t, 30*time.Millisecond, tracker.lastAckTimeout)
-
-			srcIP := netip.MustParseAddr("100.64.0.1")
-			port++
-			key, wantState := c.drive(t, tracker, srcIP, port)
-			conn := tracker.connections[key]
-			require.NotNil(t, conn)
-			require.Equal(t, wantState, conn.GetState())
-
-			// Age the entry past the largest per-state timeout.
-			conn.lastSeen.Store(time.Now().Add(-500 * time.Millisecond).UnixNano())
-			tracker.cleanup()
-			_, exists := tracker.connections[key]
-			require.False(t, exists, "%s entry should be reaped", c.name)
-		})
-	}
-}
-
-func TestTCPEstablishedPSHACKInFinStates(t *testing.T) {
-	// Verifies FIN|PSH|ACK and bare ACK keepalives are not dropped in FIN
-	// teardown states, which some stacks emit during close.
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-	// Peer FIN -> CloseWait.
-	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0))
-
-	// Peer pushes trailing data + FIN|PSH|ACK (legal).
-	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPPush|TCPAck, 100),
-		"FIN|PSH|ACK in CloseWait must be accepted")
-
-	// Bare ACK keepalive from peer in CloseWait must be accepted.
-	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0),
-		"bare ACK in CloseWait must be accepted")
-}
--- a/client/firewall/uspfilter/conntrack/udp.go
+++ b/client/firewall/uspfilter/conntrack/udp.go
@@ -17,9 +17,6 @@ const (
 	DefaultUDPTimeout = 30 * time.Second
 	// UDPCleanupInterval is how often we check for stale connections
 	UDPCleanupInterval = 15 * time.Second
-
-	// EnvUDPMaxEntries caps the UDP conntrack table size.
-	EnvUDPMaxEntries = "NB_CONNTRACK_UDP_MAX"
 )

 // UDPConnTrack represents a UDP connection state
@@ -37,7 +34,6 @@ type UDPTracker struct {
 	cleanupTicker *time.Ticker
 	tickerCancel  context.CancelFunc
 	mutex         sync.RWMutex
-	maxEntries    int
 	flowLogger    nftypes.FlowLogger
 }

@@ -55,7 +51,6 @@ func NewUDPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 		timeout:       timeout,
 		cleanupTicker: time.NewTicker(UDPCleanupInterval),
 		tickerCancel:  cancel,
-		maxEntries:    envInt(logger, EnvUDPMaxEntries, DefaultMaxUDPEntries),
 		flowLogger:    flowLogger,
 	}

@@ -122,18 +117,13 @@ func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, d
 	conn.UpdateCounters(direction, size)

 	t.mutex.Lock()
-	if t.maxEntries > 0 && len(t.connections) >= t.maxEntries {
-		t.evictOneLocked()
-	}
 	t.connections[key] = conn
 	t.mutex.Unlock()

-	if t.logger.Enabled(nblog.LevelTrace) {
-		if origPort != 0 {
-			t.logger.Trace4("New %s UDP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
-		} else {
-			t.logger.Trace2("New %s UDP connection: %s", direction, key)
-		}
+	if origPort != 0 {
+		t.logger.Trace4("New %s UDP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
+	} else {
+		t.logger.Trace2("New %s UDP connection: %s", direction, key)
 	}
 	t.sendEvent(nftypes.TypeStart, conn, ruleID)
 }
@@ -161,34 +151,6 @@ func (t *UDPTracker) IsValidInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort
 	return true
 }

-// evictOneLocked removes one entry to make room. Caller must hold t.mutex.
-// Bounded sample: picks the oldest among up to evictSampleSize entries.
-func (t *UDPTracker) evictOneLocked() {
-	var candKey ConnKey
-	var candSeen int64
-	haveCand := false
-	sampled := 0
-
-	for k, c := range t.connections {
-		seen := c.lastSeen.Load()
-		if !haveCand || seen < candSeen {
-			candKey = k
-			candSeen = seen
-			haveCand = true
-		}
-		sampled++
-		if sampled >= evictSampleSize {
-			break
-		}
-	}
-	if haveCand {
-		if evicted := t.connections[candKey]; evicted != nil {
-			t.sendEvent(nftypes.TypeEnd, evicted, nil)
-		}
-		delete(t.connections, candKey)
-	}
-}
-
 // cleanupRoutine periodically removes stale connections
 func (t *UDPTracker) cleanupRoutine(ctx context.Context) {
 	defer t.cleanupTicker.Stop()
@@ -211,10 +173,8 @@ func (t *UDPTracker) cleanup() {
 		if conn.timeoutExceeded(t.timeout) {
 			delete(t.connections, key)

-			if t.logger.Enabled(nblog.LevelTrace) {
-				t.logger.Trace5("Removed UDP connection %s (timeout) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
-					key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			}
+			t.logger.Trace5("Removed UDP connection %s (timeout) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
+				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
 			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}
 	}
--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -787,9 +787,7 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {

 	srcIP, dstIP := m.extractIPs(d)
 	if !srcIP.IsValid() {
-		if m.logger.Enabled(nblog.LevelError) {
-			m.logger.Error1("Unknown network layer: %v", d.decoded[0])
-		}
+		m.logger.Error1("Unknown network layer: %v", d.decoded[0])
 		return false
 	}

@@ -903,9 +901,7 @@ func (m *Manager) clampTCPMSS(packetData []byte, d *decoder) bool {
 		return false
 	}

-	if m.logger.Enabled(nblog.LevelTrace) {
-		m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, mssClampValue)
-	}
+	m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, mssClampValue)
 	return true
 }

@@ -1048,13 +1044,11 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {

 	// TODO: pass fragments of routed packets to forwarder
 	if fragment {
-		if m.logger.Enabled(nblog.LevelTrace) {
-			if d.decoded[0] == layers.LayerTypeIPv4 {
-				m.logger.Trace4("packet is a fragment: src=%v dst=%v id=%v flags=%v",
-					srcIP, dstIP, d.ip4.Id, d.ip4.Flags)
-			} else {
-				m.logger.Trace2("packet is an IPv6 fragment: src=%v dst=%v", srcIP, dstIP)
-			}
+		if d.decoded[0] == layers.LayerTypeIPv4 {
+			m.logger.Trace4("packet is a fragment: src=%v dst=%v id=%v flags=%v",
+				srcIP, dstIP, d.ip4.Id, d.ip4.Flags)
+		} else {
+			m.logger.Trace2("packet is an IPv6 fragment: src=%v dst=%v", srcIP, dstIP)
 		}
 		return false
 	}
@@ -1097,10 +1091,8 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 		pnum := getProtocolFromPacket(d)
 		srcPort, dstPort := getPortsFromPacket(d)

-		if m.logger.Enabled(nblog.LevelTrace) {
-			m.logger.Trace6("Dropping local packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
-				ruleID, pnum, srcIP, srcPort, dstIP, dstPort)
-		}
+		m.logger.Trace6("Dropping local packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
+			ruleID, pnum, srcIP, srcPort, dstIP, dstPort)

 		m.flowLogger.StoreEvent(nftypes.EventFields{
 			FlowID:     uuid.New(),
@@ -1150,10 +1142,8 @@ func (m *Manager) handleForwardedLocalTraffic(packetData []byte) bool {
 func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) bool {
 	// Drop if routing is disabled
 	if !m.routingEnabled.Load() {
-		if m.logger.Enabled(nblog.LevelTrace) {
-			m.logger.Trace2("Dropping routed packet (routing disabled): src=%s dst=%s",
-				srcIP, dstIP)
-		}
+		m.logger.Trace2("Dropping routed packet (routing disabled): src=%s dst=%s",
+			srcIP, dstIP)
 		return true
 	}

@@ -1170,10 +1160,8 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 	if !pass {
 		proto := getProtocolFromPacket(d)

-		if m.logger.Enabled(nblog.LevelTrace) {
-			m.logger.Trace6("Dropping routed packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
-				ruleID, proto, srcIP, srcPort, dstIP, dstPort)
-		}
+		m.logger.Trace6("Dropping routed packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
+			ruleID, proto, srcIP, srcPort, dstIP, dstPort)

 		m.flowLogger.StoreEvent(nftypes.EventFields{
 			FlowID:     uuid.New(),
@@ -1299,9 +1287,7 @@ func getPortsFromPacket(d *decoder) (srcPort, dstPort uint16) {
 // It returns true, true if the packet is a fragment and valid.
 func (m *Manager) isValidPacket(d *decoder, packetData []byte) (bool, bool) {
 	if err := d.decodePacket(packetData); err != nil {
-		if m.logger.Enabled(nblog.LevelTrace) {
-			m.logger.Trace1("couldn't decode packet, err: %s", err)
-		}
+		m.logger.Trace1("couldn't decode packet, err: %s", err)
 		return false, false
 	}

--- a/client/firewall/uspfilter/forwarder/icmp.go
+++ b/client/firewall/uspfilter/forwarder/icmp.go
@@ -13,7 +13,6 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"

-	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 )

@@ -98,10 +97,8 @@ func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []by
 		return nil, fmt.Errorf("write ICMP packet: %w", err)
 	}

-	if f.logger.Enabled(nblog.LevelTrace) {
-		f.logger.Trace3("forwarder: Forwarded ICMP packet %v type %v code %v",
-			epID(id), icmpType, icmpCode)
-	}
+	f.logger.Trace3("forwarder: Forwarded ICMP packet %v type %v code %v",
+		epID(id), icmpType, icmpCode)

 	return conn, nil
 }
@@ -124,14 +121,12 @@ func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndp
 	txBytes := f.handleEchoResponse(conn, id, v6)
 	rtt := time.Since(sendTime).Round(10 * time.Microsecond)

-	if f.logger.Enabled(nblog.LevelTrace) {
-		proto := "ICMP"
-		if v6 {
-			proto = "ICMPv6"
-		}
-		f.logger.Trace5("forwarder: Forwarded %s echo reply %v type %v code %v (rtt=%v, raw socket)",
-			proto, epID(id), icmpType, icmpCode, rtt)
+	proto := "ICMP"
+	if v6 {
+		proto = "ICMPv6"
 	}
+	f.logger.Trace5("forwarder: Forwarded %s echo reply %v type %v code %v (rtt=%v, raw socket)",
+		proto, epID(id), icmpType, icmpCode, rtt)

 	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 }
@@ -229,17 +224,13 @@ func (f *Forwarder) handleICMPViaPing(flowID uuid.UUID, id stack.TransportEndpoi
 	}
 	rtt := time.Since(pingStart).Round(10 * time.Microsecond)

-	if f.logger.Enabled(nblog.LevelTrace) {
-		f.logger.Trace3("forwarder: Forwarded ICMP echo request %v type %v code %v",
-			epID(id), icmpType, icmpCode)
-	}
+	f.logger.Trace3("forwarder: Forwarded ICMP echo request %v type %v code %v",
+		epID(id), icmpType, icmpCode)

 	txBytes := f.synthesizeEchoReply(id, icmpData)

-	if f.logger.Enabled(nblog.LevelTrace) {
-		f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, ping binary)",
-			epID(id), icmpType, icmpCode, rtt)
-	}
+	f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, ping binary)",
+		epID(id), icmpType, icmpCode, rtt)

 	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 }
--- a/client/firewall/uspfilter/forwarder/tcp.go
+++ b/client/firewall/uspfilter/forwarder/tcp.go
@@ -1,8 +1,11 @@
 package forwarder

 import (
+	"context"
+	"io"
 	"net"
 	"strconv"
+	"sync"

 	"github.com/google/uuid"

@@ -12,9 +15,7 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
 	"gvisor.dev/gvisor/pkg/waiter"

-	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
-	"github.com/netbirdio/netbird/util/netrelay"
 )

 // handleTCP is called by the TCP forwarder for new connections.
@@ -36,9 +37,7 @@ func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
 	outConn, err := (&net.Dialer{}).DialContext(f.ctx, "tcp", dialAddr)
 	if err != nil {
 		r.Complete(true)
-		if f.logger.Enabled(nblog.LevelTrace) {
-			f.logger.Trace2("forwarder: dial error for %v: %v", epID(id), err)
-		}
+		f.logger.Trace2("forwarder: dial error for %v: %v", epID(id), err)
 		return
 	}

@@ -61,22 +60,64 @@ func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
 	inConn := gonet.NewTCPConn(&wq, ep)

 	success = true
-	if f.logger.Enabled(nblog.LevelTrace) {
-		f.logger.Trace1("forwarder: established TCP connection %v", epID(id))
-	}
+	f.logger.Trace1("forwarder: established TCP connection %v", epID(id))

 	go f.proxyTCP(id, inConn, outConn, ep, flowID)
 }

 func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn, outConn net.Conn, ep tcpip.Endpoint, flowID uuid.UUID) {
-	// netrelay.Relay copies bidirectionally with proper half-close propagation
-	// and fully closes both conns before returning.
-	bytesFromInToOut, bytesFromOutToIn := netrelay.Relay(f.ctx, inConn, outConn, netrelay.Options{
-		Logger: f.logger,
-	})

-	// Close the netstack endpoint after both conns are drained.
-	ep.Close()
+	ctx, cancel := context.WithCancel(f.ctx)
+	defer cancel()
+
+	go func() {
+		<-ctx.Done()
+		// Close connections and endpoint.
+		if err := inConn.Close(); err != nil && !isClosedError(err) {
+			f.logger.Debug1("forwarder: inConn close error: %v", err)
+		}
+		if err := outConn.Close(); err != nil && !isClosedError(err) {
+			f.logger.Debug1("forwarder: outConn close error: %v", err)
+		}
+
+		ep.Close()
+	}()
+
+	var wg sync.WaitGroup
+	wg.Add(2)
+
+	var (
+		bytesFromInToOut int64 // bytes from client to server (tx for client)
+		bytesFromOutToIn int64 // bytes from server to client (rx for client)
+		errInToOut       error
+		errOutToIn       error
+	)
+
+	go func() {
+		bytesFromInToOut, errInToOut = io.Copy(outConn, inConn)
+		cancel()
+		wg.Done()
+	}()
+
+	go func() {
+
+		bytesFromOutToIn, errOutToIn = io.Copy(inConn, outConn)
+		cancel()
+		wg.Done()
+	}()
+
+	wg.Wait()
+
+	if errInToOut != nil {
+		if !isClosedError(errInToOut) {
+			f.logger.Error2("proxyTCP: copy error (in → out) for %s: %v", epID(id), errInToOut)
+		}
+	}
+	if errOutToIn != nil {
+		if !isClosedError(errOutToIn) {
+			f.logger.Error2("proxyTCP: copy error (out → in) for %s: %v", epID(id), errOutToIn)
+		}
+	}

 	var rxPackets, txPackets uint64
 	if tcpStats, ok := ep.Stats().(*tcp.Stats); ok {
@@ -85,9 +126,7 @@ func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn
 		txPackets = tcpStats.SegmentsReceived.Value()
 	}

-	if f.logger.Enabled(nblog.LevelTrace) {
-		f.logger.Trace5("forwarder: Removed TCP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, bytesFromOutToIn, txPackets, bytesFromInToOut)
-	}
+	f.logger.Trace5("forwarder: Removed TCP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, bytesFromOutToIn, txPackets, bytesFromInToOut)

 	f.sendTCPEvent(nftypes.TypeEnd, flowID, id, uint64(bytesFromOutToIn), uint64(bytesFromInToOut), rxPackets, txPackets)
 }
--- a/client/firewall/uspfilter/forwarder/udp.go
+++ b/client/firewall/uspfilter/forwarder/udp.go
@@ -125,9 +125,7 @@ func (f *udpForwarder) cleanup() {
 				delete(f.conns, idle.id)
 				f.Unlock()

-				if f.logger.Enabled(nblog.LevelTrace) {
-					f.logger.Trace1("forwarder: cleaned up idle UDP connection %v", epID(idle.id))
-				}
+				f.logger.Trace1("forwarder: cleaned up idle UDP connection %v", epID(idle.id))
 			}
 		}
 	}
@@ -146,9 +144,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) bool {
 	_, exists := f.udpForwarder.conns[id]
 	f.udpForwarder.RUnlock()
 	if exists {
-		if f.logger.Enabled(nblog.LevelTrace) {
-			f.logger.Trace1("forwarder: existing UDP connection for %v", epID(id))
-		}
+		f.logger.Trace1("forwarder: existing UDP connection for %v", epID(id))
 		return true
 	}

@@ -210,9 +206,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) bool {
 	f.udpForwarder.Unlock()

 	success = true
-	if f.logger.Enabled(nblog.LevelTrace) {
-		f.logger.Trace1("forwarder: established UDP connection %v", epID(id))
-	}
+	f.logger.Trace1("forwarder: established UDP connection %v", epID(id))

 	go f.proxyUDP(connCtx, pConn, id, ep)
 	return true
@@ -271,9 +265,7 @@ func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack
 		txPackets = udpStats.PacketsReceived.Value()
 	}

-	if f.logger.Enabled(nblog.LevelTrace) {
-		f.logger.Trace5("forwarder: Removed UDP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, rxBytes, txPackets, txBytes)
-	}
+	f.logger.Trace5("forwarder: Removed UDP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, rxBytes, txPackets, txBytes)

 	f.udpForwarder.Lock()
 	delete(f.udpForwarder.conns, id)
--- a/client/firewall/uspfilter/log/log.go
+++ b/client/firewall/uspfilter/log/log.go
@@ -53,17 +53,16 @@ var levelStrings = map[Level]string{
 }

 type logMessage struct {
-	level    Level
-	argCount uint8
-	format   string
-	arg1     any
-	arg2     any
-	arg3     any
-	arg4     any
-	arg5     any
-	arg6     any
-	arg7     any
-	arg8     any
+	level  Level
+	format string
+	arg1   any
+	arg2   any
+	arg3   any
+	arg4   any
+	arg5   any
+	arg6   any
+	arg7   any
+	arg8   any
 }

 // Logger is a high-performance, non-blocking logger
@@ -108,13 +107,6 @@ func (l *Logger) SetLevel(level Level) {
 	log.Debugf("Set uspfilter logger loglevel to %v", levelStrings[level])
 }

-// Enabled reports whether the given level is currently logged. Callers on the
-// hot path should guard log sites with this to avoid boxing arguments into
-// any when the level is off.
-func (l *Logger) Enabled(level Level) bool {
-	return l.level.Load() >= uint32(level)
-}
-
 func (l *Logger) Error(format string) {
 	if l.level.Load() >= uint32(LevelError) {
 		select {
@@ -163,7 +155,7 @@ func (l *Logger) Trace(format string) {
 func (l *Logger) Error1(format string, arg1 any) {
 	if l.level.Load() >= uint32(LevelError) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelError, argCount: 1, format: format, arg1: arg1}:
+		case l.msgChannel <- logMessage{level: LevelError, format: format, arg1: arg1}:
 		default:
 		}
 	}
@@ -172,16 +164,7 @@ func (l *Logger) Error1(format string, arg1 any) {
 func (l *Logger) Error2(format string, arg1, arg2 any) {
 	if l.level.Load() >= uint32(LevelError) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelError, argCount: 2, format: format, arg1: arg1, arg2: arg2}:
-		default:
-		}
-	}
-}
-
-func (l *Logger) Warn2(format string, arg1, arg2 any) {
-	if l.level.Load() >= uint32(LevelWarn) {
-		select {
-		case l.msgChannel <- logMessage{level: LevelWarn, argCount: 2, format: format, arg1: arg1, arg2: arg2}:
+		case l.msgChannel <- logMessage{level: LevelError, format: format, arg1: arg1, arg2: arg2}:
 		default:
 		}
 	}
@@ -190,7 +173,7 @@ func (l *Logger) Warn2(format string, arg1, arg2 any) {
 func (l *Logger) Warn3(format string, arg1, arg2, arg3 any) {
 	if l.level.Load() >= uint32(LevelWarn) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelWarn, argCount: 3, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
+		case l.msgChannel <- logMessage{level: LevelWarn, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
 		default:
 		}
 	}
@@ -199,7 +182,7 @@ func (l *Logger) Warn3(format string, arg1, arg2, arg3 any) {
 func (l *Logger) Warn4(format string, arg1, arg2, arg3, arg4 any) {
 	if l.level.Load() >= uint32(LevelWarn) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelWarn, argCount: 4, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4}:
+		case l.msgChannel <- logMessage{level: LevelWarn, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4}:
 		default:
 		}
 	}
@@ -208,7 +191,7 @@ func (l *Logger) Warn4(format string, arg1, arg2, arg3, arg4 any) {
 func (l *Logger) Debug1(format string, arg1 any) {
 	if l.level.Load() >= uint32(LevelDebug) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelDebug, argCount: 1, format: format, arg1: arg1}:
+		case l.msgChannel <- logMessage{level: LevelDebug, format: format, arg1: arg1}:
 		default:
 		}
 	}
@@ -217,7 +200,7 @@ func (l *Logger) Debug1(format string, arg1 any) {
 func (l *Logger) Debug2(format string, arg1, arg2 any) {
 	if l.level.Load() >= uint32(LevelDebug) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelDebug, argCount: 2, format: format, arg1: arg1, arg2: arg2}:
+		case l.msgChannel <- logMessage{level: LevelDebug, format: format, arg1: arg1, arg2: arg2}:
 		default:
 		}
 	}
@@ -226,59 +209,16 @@ func (l *Logger) Debug2(format string, arg1, arg2 any) {
 func (l *Logger) Debug3(format string, arg1, arg2, arg3 any) {
 	if l.level.Load() >= uint32(LevelDebug) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelDebug, argCount: 3, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
+		case l.msgChannel <- logMessage{level: LevelDebug, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
 		default:
 		}
 	}
 }

-// Debugf is the variadic shape. Dispatches to Debug/Debug1/Debug2/Debug3
-// to avoid allocating an args slice on the fast path when the arg count is
-// known (0-3). Args beyond 3 land on the general variadic path; callers on
-// the hot path should prefer DebugN for known counts.
-func (l *Logger) Debugf(format string, args ...any) {
-	if l.level.Load() < uint32(LevelDebug) {
-		return
-	}
-	switch len(args) {
-	case 0:
-		l.Debug(format)
-	case 1:
-		l.Debug1(format, args[0])
-	case 2:
-		l.Debug2(format, args[0], args[1])
-	case 3:
-		l.Debug3(format, args[0], args[1], args[2])
-	default:
-		l.sendVariadic(LevelDebug, format, args)
-	}
-}
-
-// sendVariadic packs a slice of arguments into a logMessage and non-blocking
-// enqueues it. Used for arg counts beyond the fixed-arity fast paths. Args
-// beyond the 8-arg slot limit are dropped so callers don't produce silently
-// empty log lines via uint8 wraparound in argCount.
-func (l *Logger) sendVariadic(level Level, format string, args []any) {
-	const maxArgs = 8
-	n := len(args)
-	if n > maxArgs {
-		n = maxArgs
-	}
-	msg := logMessage{level: level, argCount: uint8(n), format: format}
-	slots := [maxArgs]*any{&msg.arg1, &msg.arg2, &msg.arg3, &msg.arg4, &msg.arg5, &msg.arg6, &msg.arg7, &msg.arg8}
-	for i := 0; i < n; i++ {
-		*slots[i] = args[i]
-	}
-	select {
-	case l.msgChannel <- msg:
-	default:
-	}
-}
-
 func (l *Logger) Trace1(format string, arg1 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, argCount: 1, format: format, arg1: arg1}:
+		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1}:
 		default:
 		}
 	}
@@ -287,7 +227,7 @@ func (l *Logger) Trace1(format string, arg1 any) {
 func (l *Logger) Trace2(format string, arg1, arg2 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, argCount: 2, format: format, arg1: arg1, arg2: arg2}:
+		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2}:
 		default:
 		}
 	}
@@ -296,7 +236,7 @@ func (l *Logger) Trace2(format string, arg1, arg2 any) {
 func (l *Logger) Trace3(format string, arg1, arg2, arg3 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, argCount: 3, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
+		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
 		default:
 		}
 	}
@@ -305,7 +245,7 @@ func (l *Logger) Trace3(format string, arg1, arg2, arg3 any) {
 func (l *Logger) Trace4(format string, arg1, arg2, arg3, arg4 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, argCount: 4, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4}:
+		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4}:
 		default:
 		}
 	}
@@ -314,7 +254,7 @@ func (l *Logger) Trace4(format string, arg1, arg2, arg3, arg4 any) {
 func (l *Logger) Trace5(format string, arg1, arg2, arg3, arg4, arg5 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, argCount: 5, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5}:
+		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5}:
 		default:
 		}
 	}
@@ -323,7 +263,7 @@ func (l *Logger) Trace5(format string, arg1, arg2, arg3, arg4, arg5 any) {
 func (l *Logger) Trace6(format string, arg1, arg2, arg3, arg4, arg5, arg6 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, argCount: 6, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5, arg6: arg6}:
+		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5, arg6: arg6}:
 		default:
 		}
 	}
@@ -333,7 +273,7 @@ func (l *Logger) Trace6(format string, arg1, arg2, arg3, arg4, arg5, arg6 any) {
 func (l *Logger) Trace8(format string, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, argCount: 8, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5, arg6: arg6, arg7: arg7, arg8: arg8}:
+		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5, arg6: arg6, arg7: arg7, arg8: arg8}:
 		default:
 		}
 	}
@@ -346,8 +286,35 @@ func (l *Logger) formatMessage(buf *[]byte, msg logMessage) {
 	*buf = append(*buf, levelStrings[msg.level]...)
 	*buf = append(*buf, ' ')

+	// Count non-nil arguments for switch
+	argCount := 0
+	if msg.arg1 != nil {
+		argCount++
+		if msg.arg2 != nil {
+			argCount++
+			if msg.arg3 != nil {
+				argCount++
+				if msg.arg4 != nil {
+					argCount++
+					if msg.arg5 != nil {
+						argCount++
+						if msg.arg6 != nil {
+							argCount++
+							if msg.arg7 != nil {
+								argCount++
+								if msg.arg8 != nil {
+									argCount++
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+
 	var formatted string
-	switch msg.argCount {
+	switch argCount {
 	case 0:
 		formatted = msg.format
 	case 1:
--- a/client/firewall/uspfilter/nat.go
+++ b/client/firewall/uspfilter/nat.go
@@ -11,7 +11,6 @@ import (
 	"github.com/google/gopacket/layers"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 )

 var (
@@ -263,15 +262,11 @@ func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
 	}

 	if err := m.rewritePacketIP(packetData, d, translatedIP, false); err != nil {
-		if m.logger.Enabled(nblog.LevelError) {
-			m.logger.Error1("failed to rewrite packet destination: %v", err)
-		}
+		m.logger.Error1("failed to rewrite packet destination: %v", err)
 		return false
 	}

-	if m.logger.Enabled(nblog.LevelTrace) {
-		m.logger.Trace2("DNAT: %s -> %s", dstIP, translatedIP)
-	}
+	m.logger.Trace2("DNAT: %s -> %s", dstIP, translatedIP)
 	return true
 }

@@ -288,15 +283,11 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 	}

 	if err := m.rewritePacketIP(packetData, d, originalIP, true); err != nil {
-		if m.logger.Enabled(nblog.LevelError) {
-			m.logger.Error1("failed to rewrite packet source: %v", err)
-		}
+		m.logger.Error1("failed to rewrite packet source: %v", err)
 		return false
 	}

-	if m.logger.Enabled(nblog.LevelTrace) {
-		m.logger.Trace2("Reverse DNAT: %s -> %s", srcIP, originalIP)
-	}
+	m.logger.Trace2("Reverse DNAT: %s -> %s", srcIP, originalIP)
 	return true
 }

@@ -621,9 +612,7 @@ func (m *Manager) applyPortRule(packetData []byte, d *decoder, srcIP, dstIP neti
 		}

 		if err := rewriteFn(packetData, d, rule.targetPort, destinationPortOffset); err != nil {
-			if m.logger.Enabled(nblog.LevelError) {
-				m.logger.Error1("failed to rewrite port: %v", err)
-			}
+			m.logger.Error1("failed to rewrite port: %v", err)
 			return false
 		}
 		d.dnatOrigPort = rule.origPort
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -116,6 +116,7 @@ func (c *ConnectClient) RunOniOS(
 	fileDescriptor int32,
 	networkChangeListener listener.NetworkChangeListener,
 	dnsManager dns.IosDnsManager,
+	dnsAddresses []netip.AddrPort,
 	stateFilePath string,
 ) error {
 	// Set GC percent to 5% to reduce memory usage as iOS only allows 50MB of memory for the extension.
@@ -125,6 +126,7 @@ func (c *ConnectClient) RunOniOS(
 		FileDescriptor:        fileDescriptor,
 		NetworkChangeListener: networkChangeListener,
 		DnsManager:            dnsManager,
+		HostDNSAddresses:      dnsAddresses,
 		StateFilePath:         stateFilePath,
 	}
 	return c.run(mobileDependency, nil, "")
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -45,11 +45,8 @@ netbird.out: Most recent, anonymized stdout log file of the NetBird client.
 routes.txt: Detailed system routing table in tabular format including destination, gateway, interface, metrics, and protocol information, if --system-info flag was provided.
 interfaces.txt: Anonymized network interface information, if --system-info flag was provided.
 ip_rules.txt: Detailed IP routing rules in tabular format including priority, source, destination, interfaces, table, and action information (Linux only), if --system-info flag was provided.
-iptables.txt: Anonymized iptables (IPv4) rules with packet counters, if --system-info flag was provided.
-ip6tables.txt: Anonymized ip6tables (IPv6) rules with packet counters, if --system-info flag was provided.
-ipset.txt: Anonymized ipset list output, if --system-info flag was provided.
-nftables.txt: Anonymized nftables rules with packet counters across all families (ip, ip6, inet, etc.), if --system-info flag was provided.
-sysctls.txt: Forwarding, reverse-path filter, source-validation, and conntrack accounting sysctl values that the NetBird client may read or modify, if --system-info flag was provided (Linux only).
+iptables.txt: Anonymized iptables rules with packet counters, if --system-info flag was provided.
+nftables.txt: Anonymized nftables rules with packet counters, if --system-info flag was provided.
 resolv.conf: DNS resolver configuration from /etc/resolv.conf (Unix systems only), if --system-info flag was provided.
 scutil_dns.txt: DNS configuration from scutil --dns (macOS only), if --system-info flag was provided.
 resolved_domains.txt: Anonymized resolved domain IP addresses from the status recorder.
@@ -168,33 +165,22 @@ The config.txt file contains anonymized configuration information of the NetBird
 Other non-sensitive configuration options are included without anonymization.

 Firewall Rules (Linux only)
-The bundle includes the following firewall-related files:
+The bundle includes two separate firewall rule files:

 iptables.txt:
- IPv4 iptables ruleset with packet counters using 'iptables-save' and 'iptables -v -n -L'
+- Complete iptables ruleset with packet counters using 'iptables -v -n -L'
 - Includes all tables (filter, nat, mangle, raw, security)
 - Shows packet and byte counters for each rule
 - All IP addresses are anonymized
 - Chain names, table names, and other non-sensitive information remain unchanged

-ip6tables.txt:
- IPv6 ip6tables ruleset with packet counters using 'ip6tables-save' and 'ip6tables -v -n -L'
- Same table coverage and anonymization as iptables.txt
- Omitted when ip6tables is not installed or no IPv6 rules are present
-
-ipset.txt:
- Output of 'ipset list' (family-agnostic)
- IP addresses are anonymized; set names and types remain unchanged
-
 nftables.txt:
- Complete nftables ruleset across all families (ip, ip6, inet, arp, bridge, netdev) via 'nft -a list ruleset'
+- Complete nftables ruleset obtained via 'nft -a list ruleset'
 - Includes rule handle numbers and packet counters
- All IP addresses are anonymized; chain/table names remain unchanged
-
-sysctls.txt:
- Forwarding (IPv4 + IPv6, global and per-interface), reverse-path filter, source-validation, conntrack accounting, and TCP-related sysctls that netbird may read or modify
- Per-interface keys are enumerated from /proc/sys/net/ipv{4,6}/conf
- Interface names anonymized when --anonymize is set
+- All tables, chains, and rules are included
+- Shows packet and byte counters for each rule
+- All IP addresses are anonymized
+- Chain names, table names, and other non-sensitive information remain unchanged

 IP Rules (Linux only)
 The ip_rules.txt file contains detailed IP routing rule information:
@@ -426,10 +412,6 @@ func (g *BundleGenerator) addSystemInfo() {
 		log.Errorf("failed to add firewall rules to debug bundle: %v", err)
 	}

-	if err := g.addSysctls(); err != nil {
-		log.Errorf("failed to add sysctls to debug bundle: %v", err)
-	}
-
 	if err := g.addDNSInfo(); err != nil {
 		log.Errorf("failed to add DNS info to debug bundle: %v", err)
 	}
--- a/client/internal/debug/debug_linux.go
+++ b/client/internal/debug/debug_linux.go
@@ -124,18 +124,15 @@ func getSystemdLogs(serviceName string) (string, error) {
 // addFirewallRules collects and adds firewall rules to the archive
 func (g *BundleGenerator) addFirewallRules() error {
 	log.Info("Collecting firewall rules")
-	g.addIPTablesRulesToBundle("iptables-save", "iptables", "iptables.txt")
-	g.addIPTablesRulesToBundle("ip6tables-save", "ip6tables", "ip6tables.txt")
-
-	ipsetOutput, err := collectIPSets()
+	iptablesRules, err := collectIPTablesRules()
 	if err != nil {
-		log.Warnf("Failed to collect ipset information: %v", err)
+		log.Warnf("Failed to collect iptables rules: %v", err)
 	} else {
 		if g.anonymize {
-			ipsetOutput = g.anonymizer.AnonymizeString(ipsetOutput)
+			iptablesRules = g.anonymizer.AnonymizeString(iptablesRules)
 		}
-		if err := g.addFileToZip(strings.NewReader(ipsetOutput), "ipset.txt"); err != nil {
-			log.Warnf("Failed to add ipset output to bundle: %v", err)
+		if err := g.addFileToZip(strings.NewReader(iptablesRules), "iptables.txt"); err != nil {
+			log.Warnf("Failed to add iptables rules to bundle: %v", err)
 		}
 	}

@@ -154,65 +151,44 @@ func (g *BundleGenerator) addFirewallRules() error {
 	return nil
 }

-// addIPTablesRulesToBundle collects iptables/ip6tables rules and writes them to the bundle.
-func (g *BundleGenerator) addIPTablesRulesToBundle(saveBin, listBin, filename string) {
-	rules, err := collectIPTablesRules(saveBin, listBin)
-	if err != nil {
-		log.Warnf("Failed to collect %s rules: %v", listBin, err)
-		return
-	}
-	if g.anonymize {
-		rules = g.anonymizer.AnonymizeString(rules)
-	}
-	if err := g.addFileToZip(strings.NewReader(rules), filename); err != nil {
-		log.Warnf("Failed to add %s rules to bundle: %v", listBin, err)
-	}
-}
-
-// collectIPTablesRules collects rules using both <saveBin> and verbose listing via <listBin>.
-// Returns an error when neither command produced any output (e.g. the binary is missing),
-// so the caller can skip writing an empty file.
-func collectIPTablesRules(saveBin, listBin string) (string, error) {
+// collectIPTablesRules collects rules using both iptables-save and verbose listing
+func collectIPTablesRules() (string, error) {
 	var builder strings.Builder
-	var collected bool
-	var firstErr error

-	saveOutput, err := runCommand(saveBin)
-	switch {
-	case err != nil:
-		firstErr = err
-		log.Warnf("Failed to collect %s output: %v", saveBin, err)
-	case strings.TrimSpace(saveOutput) == "":
-		log.Debugf("%s produced no output, skipping", saveBin)
-	default:
-		builder.WriteString(fmt.Sprintf("=== %s output ===\n", saveBin))
+	saveOutput, err := collectIPTablesSave()
+	if err != nil {
+		log.Warnf("Failed to collect iptables rules using iptables-save: %v", err)
+	} else {
+		builder.WriteString("=== iptables-save output ===\n")
 		builder.WriteString(saveOutput)
 		builder.WriteString("\n")
-		collected = true
 	}

-	listHeader := fmt.Sprintf("=== %s -v -n -L output ===\n", listBin)
-	builder.WriteString(listHeader)
+	ipsetOutput, err := collectIPSets()
+	if err != nil {
+		log.Warnf("Failed to collect ipset information: %v", err)
+	} else {
+		builder.WriteString("=== ipset list output ===\n")
+		builder.WriteString(ipsetOutput)
+		builder.WriteString("\n")
+	}
+
+	builder.WriteString("=== iptables -v -n -L output ===\n")

 	tables := []string{"filter", "nat", "mangle", "raw", "security"}
+
 	for _, table := range tables {
-		stats, err := runCommand(listBin, "-v", "-n", "-L", "-t", table)
+		builder.WriteString(fmt.Sprintf("*%s\n", table))
+
+		stats, err := getTableStatistics(table)
 		if err != nil {
-			if firstErr == nil {
-				firstErr = err
-			}
-			log.Warnf("Failed to get %s statistics for table %s: %v", listBin, table, err)
+			log.Warnf("Failed to get statistics for table %s: %v", table, err)
 			continue
 		}
-		builder.WriteString(fmt.Sprintf("*%s\n", table))
 		builder.WriteString(stats)
 		builder.WriteString("\n")
-		collected = true
 	}

-	if !collected {
-		return "", fmt.Errorf("collect %s rules: %w", listBin, firstErr)
-	}
 	return builder.String(), nil
 }

@@ -238,15 +214,34 @@ func collectIPSets() (string, error) {
 	return ipsets, nil
 }

-// runCommand executes a command and returns its stdout, wrapping stderr in the error on failure.
-func runCommand(name string, args ...string) (string, error) {
-	cmd := exec.Command(name, args...)
+// collectIPTablesSave uses iptables-save to get rule definitions
+func collectIPTablesSave() (string, error) {
+	cmd := exec.Command("iptables-save")
 	var stdout, stderr bytes.Buffer
 	cmd.Stdout = &stdout
 	cmd.Stderr = &stderr

 	if err := cmd.Run(); err != nil {
-		return "", fmt.Errorf("execute %s: %w (stderr: %s)", name, err, stderr.String())
+		return "", fmt.Errorf("execute iptables-save: %w (stderr: %s)", err, stderr.String())
+	}
+
+	rules := stdout.String()
+	if strings.TrimSpace(rules) == "" {
+		return "", fmt.Errorf("no iptables rules found")
+	}
+
+	return rules, nil
+}
+
+// getTableStatistics gets verbose statistics for an entire table using iptables command
+func getTableStatistics(table string) (string, error) {
+	cmd := exec.Command("iptables", "-v", "-n", "-L", "-t", table)
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		return "", fmt.Errorf("execute iptables -v -n -L: %w (stderr: %s)", err, stderr.String())
 	}

 	return stdout.String(), nil
@@ -809,91 +804,3 @@ func formatSetKeyType(keyType nftables.SetDatatype) string {
 		return fmt.Sprintf("type-%v", keyType)
 	}
 }
-
-// addSysctls collects forwarding and netbird-managed sysctl values and writes them to the bundle.
-func (g *BundleGenerator) addSysctls() error {
-	log.Info("Collecting sysctls")
-	content := collectSysctls()
-	if g.anonymize {
-		content = g.anonymizer.AnonymizeString(content)
-	}
-	if err := g.addFileToZip(strings.NewReader(content), "sysctls.txt"); err != nil {
-		return fmt.Errorf("add sysctls to bundle: %w", err)
-	}
-	return nil
-}
-
-// collectSysctls reads every sysctl that the netbird client may modify, plus
-// global IPv4/IPv6 forwarding, and returns a formatted dump grouped by topic.
-// Per-interface values are enumerated by listing /proc/sys/net/ipv{4,6}/conf.
-func collectSysctls() string {
-	var builder strings.Builder
-
-	writeSysctlGroup(&builder, "forwarding", []string{
-		"net.ipv4.ip_forward",
-		"net.ipv6.conf.all.forwarding",
-		"net.ipv6.conf.default.forwarding",
-	})
-	writeSysctlGroup(&builder, "ipv4 per-interface forwarding", listInterfaceSysctls("ipv4", "forwarding"))
-	writeSysctlGroup(&builder, "ipv6 per-interface forwarding", listInterfaceSysctls("ipv6", "forwarding"))
-	writeSysctlGroup(&builder, "rp_filter", append(
-		[]string{"net.ipv4.conf.all.rp_filter", "net.ipv4.conf.default.rp_filter"},
-		listInterfaceSysctls("ipv4", "rp_filter")...,
-	))
-	writeSysctlGroup(&builder, "src_valid_mark", append(
-		[]string{"net.ipv4.conf.all.src_valid_mark", "net.ipv4.conf.default.src_valid_mark"},
-		listInterfaceSysctls("ipv4", "src_valid_mark")...,
-	))
-	writeSysctlGroup(&builder, "conntrack", []string{
-		"net.netfilter.nf_conntrack_acct",
-		"net.netfilter.nf_conntrack_tcp_loose",
-	})
-	writeSysctlGroup(&builder, "tcp", []string{
-		"net.ipv4.tcp_tw_reuse",
-	})
-
-	return builder.String()
-}
-
-func writeSysctlGroup(builder *strings.Builder, title string, keys []string) {
-	builder.WriteString(fmt.Sprintf("=== %s ===\n", title))
-	for _, key := range keys {
-		value, err := readSysctl(key)
-		if err != nil {
-			builder.WriteString(fmt.Sprintf("%s = <error: %v>\n", key, err))
-			continue
-		}
-		builder.WriteString(fmt.Sprintf("%s = %s\n", key, value))
-	}
-	builder.WriteString("\n")
-}
-
-// listInterfaceSysctls returns net.ipvX.conf.<iface>.<leaf> keys for every
-// interface present in /proc/sys/net/ipvX/conf, skipping "all" and "default"
-// (callers add those explicitly so they appear first).
-func listInterfaceSysctls(family, leaf string) []string {
-	dir := fmt.Sprintf("/proc/sys/net/%s/conf", family)
-	entries, err := os.ReadDir(dir)
-	if err != nil {
-		return nil
-	}
-	var keys []string
-	for _, e := range entries {
-		name := e.Name()
-		if name == "all" || name == "default" {
-			continue
-		}
-		keys = append(keys, fmt.Sprintf("net.%s.conf.%s.%s", family, name, leaf))
-	}
-	sort.Strings(keys)
-	return keys
-}
-
-func readSysctl(key string) (string, error) {
-	path := fmt.Sprintf("/proc/sys/%s", strings.ReplaceAll(key, ".", "/"))
-	value, err := os.ReadFile(path)
-	if err != nil {
-		return "", err
-	}
-	return strings.TrimSpace(string(value)), nil
-}
--- a/client/internal/debug/debug_nonlinux.go
+++ b/client/internal/debug/debug_nonlinux.go
@@ -17,8 +17,3 @@ func (g *BundleGenerator) addIPRules() error {
 	// IP rules are only supported on Linux
 	return nil
 }
-
-func (g *BundleGenerator) addSysctls() error {
-	// Sysctl collection is only supported on Linux
-	return nil
-}
--- a/client/internal/dns/handler_chain.go
+++ b/client/internal/dns/handler_chain.go
@@ -339,7 +339,8 @@ func (c *HandlerChain) isHandlerMatch(qname string, entry HandlerEntry) bool {
 	case entry.Pattern == ".":
 		return true
 	case entry.IsWildcard:
-		return strings.HasSuffix(qname, "."+entry.Pattern)
+		parts := strings.Split(strings.TrimSuffix(qname, entry.Pattern), ".")
+		return len(parts) >= 2 && strings.HasSuffix(qname, entry.Pattern)
 	default:
 		// For non-wildcard patterns:
 		// If handler wants subdomain matching, allow suffix match
--- a/client/internal/dns/handler_chain_test.go
+++ b/client/internal/dns/handler_chain_test.go
@@ -164,54 +164,6 @@ func TestHandlerChain_ServeDNS_DomainMatching(t *testing.T) {
 			matchSubdomains: true,
 			shouldMatch:     true,
 		},
-		{
-			name:            "wildcard label-boundary mismatch (suffix overlap)",
-			handlerDomain:   "*.b.test.",
-			queryDomain:     "x.ab.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     false,
-		},
-		{
-			name:            "wildcard label-boundary match",
-			handlerDomain:   "*.b.test.",
-			queryDomain:     "x.b.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     true,
-		},
-		{
-			name:            "wildcard multi-label match",
-			handlerDomain:   "*.b.test.",
-			queryDomain:     "x.y.b.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     true,
-		},
-		{
-			name:            "wildcard no match on multi-label apex",
-			handlerDomain:   "*.b.test.",
-			queryDomain:     "b.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     false,
-		},
-		{
-			name:            "wildcard no match on unrelated suffix containment",
-			handlerDomain:   "*.example.com.",
-			queryDomain:     "notexample.com.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     false,
-		},
-		{
-			name:            "wildcard accepts pattern registered without trailing dot",
-			handlerDomain:   "*.b.test",
-			queryDomain:     "x.b.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     true,
-		},
 	}

 	for _, tt := range tests {
@@ -321,19 +273,6 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 			expectedCalls:   1,
 			expectedHandler: 2, // highest priority matching handler should be called
 		},
-		{
-			name: "overlapping wildcard suffixes route to correct handler",
-			handlers: []struct {
-				pattern  string
-				priority int
-			}{
-				{pattern: "*.b.test.", priority: nbdns.PriorityDNSRoute},
-				{pattern: "*.ab.test.", priority: nbdns.PriorityDNSRoute},
-			},
-			queryDomain:     "app.ab.test.",
-			expectedCalls:   1,
-			expectedHandler: 1,
-		},
 		{
 			name: "root zone with specific domain",
 			handlers: []struct {
--- a/client/internal/dns/host.go
+++ b/client/internal/dns/host.go
@@ -16,10 +16,6 @@ type hostManager interface {
 	restoreHostDNS() error
 	supportCustomPort() bool
 	string() string
-	// getOriginalNameservers returns the OS-side resolvers used as PriorityFallback
-	// upstreams: pre-takeover snapshots on desktop, the OS-pushed list on Android,
-	// hardcoded Quad9 on iOS, nil for noop / mock.
-	getOriginalNameservers() []netip.Addr
 }

 type SystemDNSSettings struct {
@@ -135,11 +131,3 @@ func (n noopHostConfigurator) supportCustomPort() bool {
 func (n noopHostConfigurator) string() string {
 	return "noop"
 }
-
-func (n noopHostConfigurator) getOriginalNameservers() []netip.Addr {
-	return nil
-}
-
-func (m *mockHostConfigurator) getOriginalNameservers() []netip.Addr {
-	return nil
-}
--- a/client/internal/dns/host_android.go
+++ b/client/internal/dns/host_android.go
@@ -1,20 +1,14 @@
 package dns

 import (
-	"net/netip"
-
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

-// androidHostManager is a noop on the OS side (Android's VPN service handles
-// DNS for us) but tracks the OS-reported resolver list pushed via
-// OnUpdatedHostDNSServer so it can serve as the fallback nameserver source.
 type androidHostManager struct {
-	holder *hostsDNSHolder
 }

-func newHostManager(holder *hostsDNSHolder) (*androidHostManager, error) {
-	return &androidHostManager{holder: holder}, nil
+func newHostManager() (*androidHostManager, error) {
+	return &androidHostManager{}, nil
 }

 func (a androidHostManager) applyDNSConfig(HostDNSConfig, *statemanager.Manager) error {
@@ -32,12 +26,3 @@ func (a androidHostManager) supportCustomPort() bool {
 func (a androidHostManager) string() string {
 	return "none"
 }
-
-func (a androidHostManager) getOriginalNameservers() []netip.Addr {
-	hosts := a.holder.get()
-	out := make([]netip.Addr, 0, len(hosts))
-	for ap := range hosts {
-		out = append(out, ap.Addr())
-	}
-	return out
-}
--- a/client/internal/dns/host_ios.go
+++ b/client/internal/dns/host_ios.go
@@ -3,7 +3,6 @@ package dns
 import (
 	"encoding/json"
 	"fmt"
-	"net/netip"

 	log "github.com/sirupsen/logrus"

@@ -21,14 +20,6 @@ func newHostManager(dnsManager IosDnsManager) (*iosHostManager, error) {
 	}, nil
 }

-func (a iosHostManager) getOriginalNameservers() []netip.Addr {
-	// Quad9 v4+v6: 9.9.9.9, 2620:fe::fe.
-	return []netip.Addr{
-		netip.AddrFrom4([4]byte{9, 9, 9, 9}),
-		netip.AddrFrom16([16]byte{0x26, 0x20, 0x00, 0xfe, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xfe}),
-	}
-}
-
 func (a iosHostManager) applyDNSConfig(config HostDNSConfig, _ *statemanager.Manager) error {
 	jsonData, err := json.Marshal(config)
 	if err != nil {
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@@ -7,7 +7,6 @@ import (
 	"io"
 	"net/netip"
 	"os/exec"
-	"slices"
 	"strings"
 	"syscall"
 	"time"
@@ -45,11 +44,9 @@ const (

 	nrptMaxDomainsPerRule = 50

-	interfaceConfigPath           = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
-	interfaceConfigPathV6         = `SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces`
-	interfaceConfigNameServerKey  = "NameServer"
-	interfaceConfigDhcpNameSrvKey = "DhcpNameServer"
-	interfaceConfigSearchListKey  = "SearchList"
+	interfaceConfigPath          = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
+	interfaceConfigNameServerKey = "NameServer"
+	interfaceConfigSearchListKey = "SearchList"

 	// Network interface DNS registration settings
 	disableDynamicUpdateKey           = "DisableDynamicUpdate"
@@ -70,11 +67,10 @@ const (
 )

 type registryConfigurator struct {
-	guid            string
-	routingAll      bool
-	gpo             bool
-	nrptEntryCount  int
-	origNameservers []netip.Addr
+	guid           string
+	routingAll     bool
+	gpo            bool
+	nrptEntryCount int
 }

 func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
@@ -98,17 +94,6 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 		gpo:  useGPO,
 	}

-	origNameservers, err := configurator.captureOriginalNameservers()
-	switch {
-	case err != nil:
-		log.Warnf("capture original nameservers from non-WG adapters: %v", err)
-	case len(origNameservers) == 0:
-		log.Warnf("no original nameservers captured from non-WG adapters; DNS fallback will be empty")
-	default:
-		log.Debugf("captured %d original nameservers from non-WG adapters: %v", len(origNameservers), origNameservers)
-	}
-	configurator.origNameservers = origNameservers
-
 	if err := configurator.configureInterface(); err != nil {
 		log.Errorf("failed to configure interface settings: %v", err)
 	}
@@ -116,98 +101,6 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 	return configurator, nil
 }

-// captureOriginalNameservers reads DNS addresses from every Tcpip(6) interface
-// registry key except the WG adapter. v4 and v6 servers live in separate
-// hives (Tcpip vs Tcpip6) keyed by the same interface GUID.
-func (r *registryConfigurator) captureOriginalNameservers() ([]netip.Addr, error) {
-	seen := make(map[netip.Addr]struct{})
-	var out []netip.Addr
-	var merr *multierror.Error
-	for _, root := range []string{interfaceConfigPath, interfaceConfigPathV6} {
-		addrs, err := r.captureFromTcpipRoot(root)
-		if err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("%s: %w", root, err))
-			continue
-		}
-		for _, addr := range addrs {
-			if _, dup := seen[addr]; dup {
-				continue
-			}
-			seen[addr] = struct{}{}
-			out = append(out, addr)
-		}
-	}
-	return out, nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *registryConfigurator) captureFromTcpipRoot(rootPath string) ([]netip.Addr, error) {
-	root, err := registry.OpenKey(registry.LOCAL_MACHINE, rootPath, registry.READ)
-	if err != nil {
-		return nil, fmt.Errorf("open key: %w", err)
-	}
-	defer closer(root)
-
-	guids, err := root.ReadSubKeyNames(-1)
-	if err != nil {
-		return nil, fmt.Errorf("read subkeys: %w", err)
-	}
-
-	var out []netip.Addr
-	for _, guid := range guids {
-		if strings.EqualFold(guid, r.guid) {
-			continue
-		}
-		out = append(out, readInterfaceNameservers(rootPath, guid)...)
-	}
-	return out, nil
-}
-
-func readInterfaceNameservers(rootPath, guid string) []netip.Addr {
-	keyPath := rootPath + "\\" + guid
-	k, err := registry.OpenKey(registry.LOCAL_MACHINE, keyPath, registry.QUERY_VALUE)
-	if err != nil {
-		return nil
-	}
-	defer closer(k)
-
-	// Static NameServer wins over DhcpNameServer for actual resolution.
-	for _, name := range []string{interfaceConfigNameServerKey, interfaceConfigDhcpNameSrvKey} {
-		raw, _, err := k.GetStringValue(name)
-		if err != nil || raw == "" {
-			continue
-		}
-		if out := parseRegistryNameservers(raw); len(out) > 0 {
-			return out
-		}
-	}
-	return nil
-}
-
-func parseRegistryNameservers(raw string) []netip.Addr {
-	var out []netip.Addr
-	for _, field := range strings.FieldsFunc(raw, func(r rune) bool { return r == ',' || r == ' ' || r == '\t' }) {
-		addr, err := netip.ParseAddr(strings.TrimSpace(field))
-		if err != nil {
-			continue
-		}
-		addr = addr.Unmap()
-		if !addr.IsValid() || addr.IsUnspecified() {
-			continue
-		}
-		// Drop unzoned link-local: not routable without a scope id. If
-		// the user wrote "fe80::1%eth0" ParseAddr preserves the zone.
-		if addr.IsLinkLocalUnicast() && addr.Zone() == "" {
-			continue
-		}
-		out = append(out, addr)
-	}
-	return out
-}
-
-func (r *registryConfigurator) getOriginalNameservers() []netip.Addr {
-	return slices.Clone(r.origNameservers)
-}
-
 func (r *registryConfigurator) supportCustomPort() bool {
 	return false
 }
--- a/client/internal/dns/hosts_dns_holder.go
+++ b/client/internal/dns/hosts_dns_holder.go
@@ -25,7 +25,6 @@ func (h *hostsDNSHolder) set(list []netip.AddrPort) {
 	h.mutex.Unlock()
 }

-//nolint:unused
 func (h *hostsDNSHolder) get() map[netip.AddrPort]struct{} {
 	h.mutex.RLock()
 	l := h.unprotectedDNSList
--- a/client/internal/dns/local/local.go
+++ b/client/internal/dns/local/local.go
@@ -26,19 +26,6 @@ type resolver interface {
 	LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error)
 }

-// PeerConnectivity reports whether a tunnel IP belongs to a peer the
-// client knows about and whether that peer is currently connected. The
-// local resolver uses this to suppress A/AAAA answers whose RDATA points
-// at a disconnected peer (typical case: a synthesized private-service
-// record pointing at an embedded proxy peer that just went offline).
-//
-// known=false means the IP isn't in the local peerstore at all — the
-// record is left alone (it points at something outside our mesh, e.g.
-// a non-peer upstream).
-type PeerConnectivity interface {
-	IsConnectedByIP(ip string) (known, connected bool)
-}
-
 type Resolver struct {
 	mu      sync.RWMutex
 	records map[dns.Question][]dns.RR
@@ -46,11 +33,6 @@ type Resolver struct {
 	// zones maps zone domain -> NonAuthoritative (true = non-authoritative, user-created zone)
 	zones    map[domain.Domain]bool
 	resolver resolver
-	// peerConn, when non-nil, is consulted on every A/AAAA answer to
-	// drop records pointing at disconnected peers. nil disables the
-	// filter and preserves the legacy "return whatever is registered"
-	// behaviour for callers that never wire a status source.
-	peerConn PeerConnectivity

 	ctx    context.Context
 	cancel context.CancelFunc
@@ -67,15 +49,6 @@ func NewResolver() *Resolver {
 	}
 }

-// SetPeerConnectivity wires the per-IP connectivity check used to filter
-// out A/AAAA answers pointing at disconnected peers. Pass nil to disable.
-// Safe to call multiple times; the latest value wins.
-func (d *Resolver) SetPeerConnectivity(p PeerConnectivity) {
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	d.peerConn = p
-}
-
 func (d *Resolver) MatchSubdomains() bool {
 	return true
 }
@@ -103,6 +76,8 @@ func (d *Resolver) ID() types.HandlerID {
 	return "local-resolver"
 }

+func (d *Resolver) ProbeAvailability(context.Context) {}
+
 // ServeDNS handles a DNS request
 func (d *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	logger := log.WithFields(log.Fields{
@@ -122,7 +97,6 @@ func (d *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	replyMessage.RecursionAvailable = true

 	result := d.lookupRecords(logger, question)
-	result.records = d.filterDisconnectedPeerAnswers(logger, question, result.records)
 	replyMessage.Authoritative = !result.hasExternalData
 	replyMessage.Answer = result.records
 	replyMessage.Rcode = d.determineRcode(question, result)
@@ -464,78 +438,6 @@ func (d *Resolver) logDNSError(logger *log.Entry, hostname string, qtype uint16,
 	}
 }

-// filterDisconnectedPeerAnswers drops A/AAAA records whose RDATA matches
-// a known but disconnected peer. The synthesized private-service zones
-// emit one A record per connected proxy peer in a cluster; when a peer
-// goes offline, the server-side refresh removes the record from the
-// next netmap, but the client may still hold the previous netmap for a
-// short window. This filter is the local belt to that braces — even on
-// the stale netmap, the resolver hides the offline target.
-//
-// Records pointing at unknown IPs (outside the local peerstore, e.g.
-// non-mesh upstreams) are never dropped. Non-A/AAAA records pass
-// through untouched.
-//
-// Escape hatch: if filtering would leave the answer empty AND at least
-// one record was filtered, the original list is returned. Better to
-// hand the client a record that may not respond than NXDOMAIN it
-// completely when every proxy peer is offline (the upstream may still
-// be reachable some other way, or the peerstore may be stale).
-func (d *Resolver) filterDisconnectedPeerAnswers(logger *log.Entry, question dns.Question, records []dns.RR) []dns.RR {
-	if len(records) == 0 {
-		return records
-	}
-	d.mu.RLock()
-	checker := d.peerConn
-	d.mu.RUnlock()
-	if checker == nil {
-		return records
-	}
-
-	kept := make([]dns.RR, 0, len(records))
-	var dropped int
-	for _, rr := range records {
-		ip := extractRecordIP(rr)
-		if ip == "" {
-			kept = append(kept, rr)
-			continue
-		}
-		known, connected := checker.IsConnectedByIP(ip)
-		if known && !connected {
-			dropped++
-			continue
-		}
-		kept = append(kept, rr)
-	}
-	if dropped == 0 {
-		return records
-	}
-	if len(kept) == 0 {
-		logger.Debugf("all %d answers for %s point at disconnected peers; returning the original list", dropped, question.Name)
-		return records
-	}
-	logger.Tracef("dropped %d disconnected-peer answer(s) for %s, returning %d", dropped, question.Name, len(kept))
-	return kept
-}
-
-// extractRecordIP returns the dotted-decimal / colon-hex IP carried by
-// an A or AAAA record, or "" for any other record type.
-func extractRecordIP(rr dns.RR) string {
-	switch r := rr.(type) {
-	case *dns.A:
-		if r.A == nil {
-			return ""
-		}
-		return r.A.String()
-	case *dns.AAAA:
-		if r.AAAA == nil {
-			return ""
-		}
-		return r.AAAA.String()
-	}
-	return ""
-}
-
 // Update replaces all zones and their records
 func (d *Resolver) Update(customZones []nbdns.CustomZone) {
 	d.mu.Lock()
--- a/client/internal/dns/local/local_test.go
+++ b/client/internal/dns/local/local_test.go
@@ -30,21 +30,6 @@ func (m *mockResolver) LookupNetIP(ctx context.Context, network, host string) ([
 	return nil, nil
 }

-// mockPeerConnectivity returns canned (known, connected) results per IP.
-// Used by the disconnected-peer filter tests below. IPs not in the map
-// are reported as unknown so the filter leaves them alone.
-type mockPeerConnectivity struct {
-	byIP map[string]struct{ known, connected bool }
-}
-
-func (m mockPeerConnectivity) IsConnectedByIP(ip string) (known, connected bool) {
-	v, ok := m.byIP[ip]
-	if !ok {
-		return false, false
-	}
-	return v.known, v.connected
-}
-
 func TestLocalResolver_ServeDNS(t *testing.T) {
 	recordA := nbdns.SimpleRecord{
 		Name:  "peera.netbird.cloud.",
@@ -2667,114 +2652,3 @@ func BenchmarkIsInManagedZone_ManyZones(b *testing.B) {
 		resolver.isInManagedZone(qname)
 	}
 }
-
-// TestLocalResolver_FilterDisconnectedPeerAnswers verifies the
-// connectivity-aware filtering layered on top of lookupRecords:
-// when an A record's IP belongs to a known peer that's disconnected,
-// the record is dropped from the answer. Records for unknown IPs pass
-// through. If filtering would empty the answer entirely and at least
-// one record was dropped, the original list is restored (escape hatch
-// for the "all proxies offline" case).
-func TestLocalResolver_FilterDisconnectedPeerAnswers(t *testing.T) {
-	zone := "svc.cluster.netbird."
-	connectedRec := nbdns.SimpleRecord{
-		Name:  zone,
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   5,
-		RData: "100.64.0.10",
-	}
-	disconnectedRec := nbdns.SimpleRecord{
-		Name:  zone,
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   5,
-		RData: "100.64.0.11",
-	}
-	unknownRec := nbdns.SimpleRecord{
-		Name:  zone,
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   5,
-		RData: "203.0.113.5",
-	}
-
-	type ipState struct{ known, connected bool }
-	tests := []struct {
-		name        string
-		records     []nbdns.SimpleRecord
-		connByIP    map[string]ipState
-		wantInOrder []string
-	}{
-		{
-			name:    "drops disconnected peer, keeps connected",
-			records: []nbdns.SimpleRecord{connectedRec, disconnectedRec},
-			connByIP: map[string]ipState{
-				"100.64.0.10": {known: true, connected: true},
-				"100.64.0.11": {known: true, connected: false},
-			},
-			wantInOrder: []string{"100.64.0.10"},
-		},
-		{
-			name:    "unknown IPs pass through untouched",
-			records: []nbdns.SimpleRecord{unknownRec, disconnectedRec},
-			connByIP: map[string]ipState{
-				"100.64.0.11": {known: true, connected: false},
-			},
-			wantInOrder: []string{"203.0.113.5"},
-		},
-		{
-			name:    "all disconnected falls back to original list",
-			records: []nbdns.SimpleRecord{disconnectedRec, connectedRec},
-			connByIP: map[string]ipState{
-				"100.64.0.10": {known: true, connected: false},
-				"100.64.0.11": {known: true, connected: false},
-			},
-			wantInOrder: []string{"100.64.0.11", "100.64.0.10"},
-		},
-		{
-			name:        "no checker wired returns all records",
-			records:     []nbdns.SimpleRecord{connectedRec, disconnectedRec},
-			connByIP:    nil,
-			wantInOrder: []string{"100.64.0.10", "100.64.0.11"},
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			resolver := NewResolver()
-			if tc.connByIP != nil {
-				cm := mockPeerConnectivity{byIP: make(map[string]struct{ known, connected bool }, len(tc.connByIP))}
-				for ip, st := range tc.connByIP {
-					cm.byIP[ip] = struct{ known, connected bool }{st.known, st.connected}
-				}
-				resolver.SetPeerConnectivity(cm)
-			}
-			resolver.Update([]nbdns.CustomZone{{
-				Domain:           strings.TrimSuffix(zone, "."),
-				Records:          tc.records,
-				NonAuthoritative: true,
-			}})
-
-			var got *dns.Msg
-			writer := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					got = m
-					return nil
-				},
-			}
-			req := new(dns.Msg).SetQuestion(zone, dns.TypeA)
-			resolver.ServeDNS(writer, req)
-
-			require.NotNil(t, got, "resolver must produce a response")
-			require.Len(t, got.Answer, len(tc.wantInOrder),
-				"answer count must match expected: %v", tc.wantInOrder)
-			for i, want := range tc.wantInOrder {
-				a, ok := got.Answer[i].(*dns.A)
-				require.True(t, ok, "answer[%d] must be an A record", i)
-				assert.Equal(t, want, a.A.String(),
-					"answer[%d] expected %s got %s", i, want, a.A.String())
-			}
-		})
-	}
-}
--- a/client/internal/dns/mock_server.go
+++ b/client/internal/dns/mock_server.go
@@ -9,7 +9,6 @@ import (

 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )

@@ -71,6 +70,10 @@ func (m *MockServer) SearchDomains() []string {
 	return make([]string, 0)
 }

+// ProbeAvailability mocks implementation of ProbeAvailability from the Server interface
+func (m *MockServer) ProbeAvailability() {
+}
+
 func (m *MockServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
 	if m.UpdateServerConfigFunc != nil {
 		return m.UpdateServerConfigFunc(domains)
@@ -82,8 +85,8 @@ func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	return nil
 }

-// SetRouteSources mock implementation of SetRouteSources from Server interface
-func (m *MockServer) SetRouteSources(selected, active func() route.HAMap) {
+// SetRouteChecker mock implementation of SetRouteChecker from Server interface
+func (m *MockServer) SetRouteChecker(func(netip.Addr) bool) {
 	// Mock implementation - no-op
 }

--- a/client/internal/dns/network_manager_unix.go
+++ b/client/internal/dns/network_manager_unix.go
@@ -8,7 +8,6 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
-	"slices"
 	"strings"
 	"time"

@@ -33,15 +32,6 @@ const (
 	networkManagerDbusDeviceGetAppliedConnectionMethod                              = networkManagerDbusDeviceInterface + ".GetAppliedConnection"
 	networkManagerDbusDeviceReapplyMethod                                           = networkManagerDbusDeviceInterface + ".Reapply"
 	networkManagerDbusDeviceDeleteMethod                                            = networkManagerDbusDeviceInterface + ".Delete"
-	networkManagerDbusDeviceIp4ConfigProperty                                       = networkManagerDbusDeviceInterface + ".Ip4Config"
-	networkManagerDbusDeviceIp6ConfigProperty                                       = networkManagerDbusDeviceInterface + ".Ip6Config"
-	networkManagerDbusDeviceIfaceProperty                                           = networkManagerDbusDeviceInterface + ".Interface"
-	networkManagerDbusGetDevicesMethod                                              = networkManagerDest + ".GetDevices"
-	networkManagerDbusIp4ConfigInterface                                            = "org.freedesktop.NetworkManager.IP4Config"
-	networkManagerDbusIp6ConfigInterface                                            = "org.freedesktop.NetworkManager.IP6Config"
-	networkManagerDbusIp4ConfigNameserverDataProperty                               = networkManagerDbusIp4ConfigInterface + ".NameserverData"
-	networkManagerDbusIp4ConfigNameserversProperty                                  = networkManagerDbusIp4ConfigInterface + ".Nameservers"
-	networkManagerDbusIp6ConfigNameserversProperty                                  = networkManagerDbusIp6ConfigInterface + ".Nameservers"
 	networkManagerDbusDefaultBehaviorFlag              networkManagerConfigBehavior = 0
 	networkManagerDbusIPv4Key                                                       = "ipv4"
 	networkManagerDbusIPv6Key                                                       = "ipv6"
@@ -61,10 +51,9 @@ var supportedNetworkManagerVersionConstraints = []string{
 }

 type networkManagerDbusConfigurator struct {
-	dbusLinkObject  dbus.ObjectPath
-	routingAll      bool
-	ifaceName       string
-	origNameservers []netip.Addr
+	dbusLinkObject dbus.ObjectPath
+	routingAll     bool
+	ifaceName      string
 }

 // the types below are based on dbus specification, each field is mapped to a dbus type
@@ -103,200 +92,10 @@ func newNetworkManagerDbusConfigurator(wgInterface string) (*networkManagerDbusC

 	log.Debugf("got network manager dbus Link Object: %s from net interface %s", s, wgInterface)

-	c := &networkManagerDbusConfigurator{
+	return &networkManagerDbusConfigurator{
 		dbusLinkObject: dbus.ObjectPath(s),
 		ifaceName:      wgInterface,
-	}
-
-	origNameservers, err := c.captureOriginalNameservers()
-	switch {
-	case err != nil:
-		log.Warnf("capture original nameservers from NetworkManager: %v", err)
-	case len(origNameservers) == 0:
-		log.Warnf("no original nameservers captured from non-WG NetworkManager devices; DNS fallback will be empty")
-	default:
-		log.Debugf("captured %d original nameservers from non-WG NetworkManager devices: %v", len(origNameservers), origNameservers)
-	}
-	c.origNameservers = origNameservers
-	return c, nil
-}
-
-// captureOriginalNameservers reads DNS servers from every NM device's
-// IP4Config / IP6Config except our WG device.
-func (n *networkManagerDbusConfigurator) captureOriginalNameservers() ([]netip.Addr, error) {
-	devices, err := networkManagerListDevices()
-	if err != nil {
-		return nil, fmt.Errorf("list devices: %w", err)
-	}
-
-	seen := make(map[netip.Addr]struct{})
-	var out []netip.Addr
-	for _, dev := range devices {
-		if dev == n.dbusLinkObject {
-			continue
-		}
-		ifaceName := readNetworkManagerDeviceInterface(dev)
-		for _, addr := range readNetworkManagerDeviceDNS(dev) {
-			addr = addr.Unmap()
-			if !addr.IsValid() || addr.IsUnspecified() {
-				continue
-			}
-			// IP6Config.Nameservers is a byte slice without zone info;
-			// reattach the device's interface name so a captured fe80::…
-			// stays routable.
-			if addr.IsLinkLocalUnicast() && ifaceName != "" {
-				addr = addr.WithZone(ifaceName)
-			}
-			if _, dup := seen[addr]; dup {
-				continue
-			}
-			seen[addr] = struct{}{}
-			out = append(out, addr)
-		}
-	}
-	return out, nil
-}
-
-func readNetworkManagerDeviceInterface(devicePath dbus.ObjectPath) string {
-	obj, closeConn, err := getDbusObject(networkManagerDest, devicePath)
-	if err != nil {
-		return ""
-	}
-	defer closeConn()
-	v, err := obj.GetProperty(networkManagerDbusDeviceIfaceProperty)
-	if err != nil {
-		return ""
-	}
-	s, _ := v.Value().(string)
-	return s
-}
-
-func networkManagerListDevices() ([]dbus.ObjectPath, error) {
-	obj, closeConn, err := getDbusObject(networkManagerDest, networkManagerDbusObjectNode)
-	if err != nil {
-		return nil, fmt.Errorf("dbus NetworkManager: %w", err)
-	}
-	defer closeConn()
-	var devs []dbus.ObjectPath
-	if err := obj.Call(networkManagerDbusGetDevicesMethod, dbusDefaultFlag).Store(&devs); err != nil {
-		return nil, err
-	}
-	return devs, nil
-}
-
-func readNetworkManagerDeviceDNS(devicePath dbus.ObjectPath) []netip.Addr {
-	obj, closeConn, err := getDbusObject(networkManagerDest, devicePath)
-	if err != nil {
-		return nil
-	}
-	defer closeConn()
-
-	var out []netip.Addr
-	if path := readNetworkManagerConfigPath(obj, networkManagerDbusDeviceIp4ConfigProperty); path != "" {
-		out = append(out, readIPv4ConfigDNS(path)...)
-	}
-	if path := readNetworkManagerConfigPath(obj, networkManagerDbusDeviceIp6ConfigProperty); path != "" {
-		out = append(out, readIPv6ConfigDNS(path)...)
-	}
-	return out
-}
-
-func readNetworkManagerConfigPath(obj dbus.BusObject, property string) dbus.ObjectPath {
-	v, err := obj.GetProperty(property)
-	if err != nil {
-		return ""
-	}
-	path, ok := v.Value().(dbus.ObjectPath)
-	if !ok || path == "/" {
-		return ""
-	}
-	return path
-}
-
-func readIPv4ConfigDNS(path dbus.ObjectPath) []netip.Addr {
-	obj, closeConn, err := getDbusObject(networkManagerDest, path)
-	if err != nil {
-		return nil
-	}
-	defer closeConn()
-
-	// NameserverData (NM 1.13+) carries strings; older NMs only expose the
-	// legacy uint32 Nameservers property.
-	if out := readIPv4NameserverData(obj); len(out) > 0 {
-		return out
-	}
-	return readIPv4LegacyNameservers(obj)
-}
-
-func readIPv4NameserverData(obj dbus.BusObject) []netip.Addr {
-	v, err := obj.GetProperty(networkManagerDbusIp4ConfigNameserverDataProperty)
-	if err != nil {
-		return nil
-	}
-	entries, ok := v.Value().([]map[string]dbus.Variant)
-	if !ok {
-		return nil
-	}
-	var out []netip.Addr
-	for _, entry := range entries {
-		addrVar, ok := entry["address"]
-		if !ok {
-			continue
-		}
-		s, ok := addrVar.Value().(string)
-		if !ok {
-			continue
-		}
-		if a, err := netip.ParseAddr(s); err == nil {
-			out = append(out, a)
-		}
-	}
-	return out
-}
-
-func readIPv4LegacyNameservers(obj dbus.BusObject) []netip.Addr {
-	v, err := obj.GetProperty(networkManagerDbusIp4ConfigNameserversProperty)
-	if err != nil {
-		return nil
-	}
-	raw, ok := v.Value().([]uint32)
-	if !ok {
-		return nil
-	}
-	out := make([]netip.Addr, 0, len(raw))
-	for _, n := range raw {
-		var b [4]byte
-		binary.LittleEndian.PutUint32(b[:], n)
-		out = append(out, netip.AddrFrom4(b))
-	}
-	return out
-}
-
-func readIPv6ConfigDNS(path dbus.ObjectPath) []netip.Addr {
-	obj, closeConn, err := getDbusObject(networkManagerDest, path)
-	if err != nil {
-		return nil
-	}
-	defer closeConn()
-	v, err := obj.GetProperty(networkManagerDbusIp6ConfigNameserversProperty)
-	if err != nil {
-		return nil
-	}
-	raw, ok := v.Value().([][]byte)
-	if !ok {
-		return nil
-	}
-	out := make([]netip.Addr, 0, len(raw))
-	for _, b := range raw {
-		if a, ok := netip.AddrFromSlice(b); ok {
-			out = append(out, a)
-		}
-	}
-	return out
-}
-
-func (n *networkManagerDbusConfigurator) getOriginalNameservers() []netip.Addr {
-	return slices.Clone(n.origNameservers)
+	}, nil
 }

 func (n *networkManagerDbusConfigurator) supportCustomPort() bool {
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
--- a/client/internal/dns/server_android.go
+++ b/client/internal/dns/server_android.go
@@ -1,5 +1,5 @@
 package dns

 func (s *DefaultServer) initialize() (manager hostManager, err error) {
-	return newHostManager(s.hostsDNSHolder)
+	return newHostManager()
 }
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -6,7 +6,7 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"runtime"
+	"strings"
 	"testing"
 	"time"

@@ -15,7 +15,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
-	"github.com/stretchr/testify/require"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

@@ -32,10 +31,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/client/proto"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )

@@ -104,17 +101,16 @@ func init() {
 	formatter.SetTextFormatter(log.StandardLogger())
 }

-func generateDummyHandler(d string, servers []nbdns.NameServer) *upstreamResolverBase {
+func generateDummyHandler(domain string, servers []nbdns.NameServer) *upstreamResolverBase {
 	var srvs []netip.AddrPort
 	for _, srv := range servers {
 		srvs = append(srvs, srv.AddrPort())
 	}
-	u := &upstreamResolverBase{
-		domain: domain.Domain(d),
-		cancel: func() {},
+	return &upstreamResolverBase{
+		domain:          domain,
+		upstreamServers: srvs,
+		cancel:          func() {},
 	}
-	u.addRace(srvs)
-	return u
 }

 func TestUpdateDNSServer(t *testing.T) {
@@ -657,8 +653,74 @@ func TestDNSServerStartStop(t *testing.T) {
 	}
 }

+func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
+	hostManager := &mockHostConfigurator{}
+	server := DefaultServer{
+		ctx:           context.Background(),
+		service:       NewServiceViaMemory(&mocWGIface{}),
+		localResolver: local.NewResolver(),
+		handlerChain:  NewHandlerChain(),
+		hostManager:   hostManager,
+		currentConfig: HostDNSConfig{
+			Domains: []DomainConfig{
+				{false, "domain0", false},
+				{false, "domain1", false},
+				{false, "domain2", false},
+			},
+		},
+		statusRecorder: peer.NewRecorder("mgm"),
+	}
+
+	var domainsUpdate string
+	hostManager.applyDNSConfigFunc = func(config HostDNSConfig, statemanager *statemanager.Manager) error {
+		domains := []string{}
+		for _, item := range config.Domains {
+			if item.Disabled {
+				continue
+			}
+			domains = append(domains, item.Domain)
+		}
+		domainsUpdate = strings.Join(domains, ",")
+		return nil
+	}
+
+	deactivate, reactivate := server.upstreamCallbacks(&nbdns.NameServerGroup{
+		Domains: []string{"domain1"},
+		NameServers: []nbdns.NameServer{
+			{IP: netip.MustParseAddr("8.8.0.0"), NSType: nbdns.UDPNameServerType, Port: 53},
+		},
+	}, nil, 0)
+
+	deactivate(nil)
+	expected := "domain0,domain2"
+	domains := []string{}
+	for _, item := range server.currentConfig.Domains {
+		if item.Disabled {
+			continue
+		}
+		domains = append(domains, item.Domain)
+	}
+	got := strings.Join(domains, ",")
+	if expected != got {
+		t.Errorf("expected domains list: %q, got %q", expected, got)
+	}
+
+	reactivate()
+	expected = "domain0,domain1,domain2"
+	domains = []string{}
+	for _, item := range server.currentConfig.Domains {
+		if item.Disabled {
+			continue
+		}
+		domains = append(domains, item.Domain)
+	}
+	got = strings.Join(domains, ",")
+	if expected != got {
+		t.Errorf("expected domains list: %q, got %q", expected, domainsUpdate)
+	}
+}
+
 func TestDNSPermanent_updateHostDNS_emptyUpstream(t *testing.T) {
-	skipUnlessAndroid(t)
 	wgIFace, err := createWgInterfaceWithBind(t)
 	if err != nil {
 		t.Fatal("failed to initialize wg interface")
@@ -686,7 +748,6 @@ func TestDNSPermanent_updateHostDNS_emptyUpstream(t *testing.T) {
 }

 func TestDNSPermanent_updateUpstream(t *testing.T) {
-	skipUnlessAndroid(t)
 	wgIFace, err := createWgInterfaceWithBind(t)
 	if err != nil {
 		t.Fatal("failed to initialize wg interface")
@@ -780,7 +841,6 @@ func TestDNSPermanent_updateUpstream(t *testing.T) {
 }

 func TestDNSPermanent_matchOnly(t *testing.T) {
-	skipUnlessAndroid(t)
 	wgIFace, err := createWgInterfaceWithBind(t)
 	if err != nil {
 		t.Fatal("failed to initialize wg interface")
@@ -853,18 +913,6 @@ func TestDNSPermanent_matchOnly(t *testing.T) {
 	}
 }

-// skipUnlessAndroid marks tests that exercise the mobile-permanent DNS path,
-// which only matches a real production setup on android (NewDefaultServerPermanentUpstream
-// + androidHostManager). On non-android the desktop host manager replaces it
-// during Initialize and the assertion stops making sense. Skipped here until we
-// have an android CI runner.
-func skipUnlessAndroid(t *testing.T) {
-	t.Helper()
-	if runtime.GOOS != "android" {
-		t.Skip("requires android runner; mobile-permanent path doesn't match production on this OS")
-	}
-}
-
 func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 	t.Helper()
 	ov := os.Getenv("NB_WG_KERNEL_DISABLED")
@@ -1017,6 +1065,7 @@ type mockHandler struct {

 func (m *mockHandler) ServeDNS(dns.ResponseWriter, *dns.Msg) {}
 func (m *mockHandler) Stop()                                 {}
+func (m *mockHandler) ProbeAvailability(context.Context)     {}
 func (m *mockHandler) ID() types.HandlerID                   { return types.HandlerID(m.Id) }

 type mockService struct{}
@@ -2036,598 +2085,6 @@ func TestLocalResolverPriorityConstants(t *testing.T) {
 	assert.Equal(t, "local.example.com", localMuxUpdates[0].domain)
 }

-// TestBuildUpstreamHandler_MergesGroupsPerDomain verifies that multiple
-// admin-defined nameserver groups targeting the same domain collapse into a
-// single handler with each group preserved as a sequential inner list.
-func TestBuildUpstreamHandler_MergesGroupsPerDomain(t *testing.T) {
-	wgInterface := &mocWGIface{}
-	service := NewServiceViaMemory(wgInterface)
-	server := &DefaultServer{
-		ctx:           context.Background(),
-		wgInterface:   wgInterface,
-		service:       service,
-		localResolver: local.NewResolver(),
-		handlerChain:  NewHandlerChain(),
-		hostManager:   &noopHostConfigurator{},
-		dnsMuxMap:     make(registeredHandlerMap),
-	}
-
-	groups := []*nbdns.NameServerGroup{
-		{
-			NameServers: []nbdns.NameServer{
-				{IP: netip.MustParseAddr("192.0.2.1"), NSType: nbdns.UDPNameServerType, Port: 53},
-			},
-			Domains: []string{"example.com"},
-		},
-		{
-			NameServers: []nbdns.NameServer{
-				{IP: netip.MustParseAddr("192.0.2.2"), NSType: nbdns.UDPNameServerType, Port: 53},
-				{IP: netip.MustParseAddr("192.0.2.3"), NSType: nbdns.UDPNameServerType, Port: 53},
-			},
-			Domains: []string{"example.com"},
-		},
-	}
-
-	muxUpdates, err := server.buildUpstreamHandlerUpdate(groups)
-	require.NoError(t, err)
-	require.Len(t, muxUpdates, 1, "same-domain groups should merge into one handler")
-	assert.Equal(t, "example.com", muxUpdates[0].domain)
-	assert.Equal(t, PriorityUpstream, muxUpdates[0].priority)
-
-	handler := muxUpdates[0].handler.(*upstreamResolver)
-	require.Len(t, handler.upstreamServers, 2, "handler should have two groups")
-	assert.Equal(t, upstreamRace{netip.MustParseAddrPort("192.0.2.1:53")}, handler.upstreamServers[0])
-	assert.Equal(t, upstreamRace{
-		netip.MustParseAddrPort("192.0.2.2:53"),
-		netip.MustParseAddrPort("192.0.2.3:53"),
-	}, handler.upstreamServers[1])
-}
-
-// TestEvaluateNSGroupHealth covers the records-only verdict. The gate
-// (overlay route selected-but-no-active-peer) is intentionally NOT an
-// input to the evaluator anymore: the verdict drives the Enabled flag,
-// which must always reflect what we actually observed. Gate-aware event
-// suppression is tested separately in the projection test.
-//
-// Matrix per upstream: {no record, fresh Ok, fresh Fail, stale Fail,
-// stale Ok, Ok newer than Fail, Fail newer than Ok}.
-// Group verdict: any fresh-working → Healthy; any fresh-broken with no
-// fresh-working → Unhealthy; otherwise Undecided.
-func TestEvaluateNSGroupHealth(t *testing.T) {
-	now := time.Now()
-	a := netip.MustParseAddrPort("192.0.2.1:53")
-	b := netip.MustParseAddrPort("192.0.2.2:53")
-
-	recentOk := UpstreamHealth{LastOk: now.Add(-2 * time.Second)}
-	recentFail := UpstreamHealth{LastFail: now.Add(-1 * time.Second), LastErr: "timeout"}
-	staleOk := UpstreamHealth{LastOk: now.Add(-10 * time.Minute)}
-	staleFail := UpstreamHealth{LastFail: now.Add(-10 * time.Minute), LastErr: "timeout"}
-	okThenFail := UpstreamHealth{
-		LastOk:   now.Add(-10 * time.Second),
-		LastFail: now.Add(-1 * time.Second),
-		LastErr:  "timeout",
-	}
-	failThenOk := UpstreamHealth{
-		LastOk:   now.Add(-1 * time.Second),
-		LastFail: now.Add(-10 * time.Second),
-		LastErr:  "timeout",
-	}
-
-	tests := []struct {
-		name         string
-		health       map[netip.AddrPort]UpstreamHealth
-		servers      []netip.AddrPort
-		wantVerdict  nsGroupVerdict
-		wantErrSubst string
-	}{
-		{
-			name:        "no record, undecided",
-			servers:     []netip.AddrPort{a},
-			wantVerdict: nsVerdictUndecided,
-		},
-		{
-			name:        "fresh success, healthy",
-			health:      map[netip.AddrPort]UpstreamHealth{a: recentOk},
-			servers:     []netip.AddrPort{a},
-			wantVerdict: nsVerdictHealthy,
-		},
-		{
-			name:         "fresh failure, unhealthy",
-			health:       map[netip.AddrPort]UpstreamHealth{a: recentFail},
-			servers:      []netip.AddrPort{a},
-			wantVerdict:  nsVerdictUnhealthy,
-			wantErrSubst: "timeout",
-		},
-		{
-			name:        "only stale success, undecided",
-			health:      map[netip.AddrPort]UpstreamHealth{a: staleOk},
-			servers:     []netip.AddrPort{a},
-			wantVerdict: nsVerdictUndecided,
-		},
-		{
-			name:        "only stale failure, undecided",
-			health:      map[netip.AddrPort]UpstreamHealth{a: staleFail},
-			servers:     []netip.AddrPort{a},
-			wantVerdict: nsVerdictUndecided,
-		},
-		{
-			name:         "both fresh, fail newer, unhealthy",
-			health:       map[netip.AddrPort]UpstreamHealth{a: okThenFail},
-			servers:      []netip.AddrPort{a},
-			wantVerdict:  nsVerdictUnhealthy,
-			wantErrSubst: "timeout",
-		},
-		{
-			name:        "both fresh, ok newer, healthy",
-			health:      map[netip.AddrPort]UpstreamHealth{a: failThenOk},
-			servers:     []netip.AddrPort{a},
-			wantVerdict: nsVerdictHealthy,
-		},
-		{
-			name: "two upstreams, one success wins",
-			health: map[netip.AddrPort]UpstreamHealth{
-				a: recentFail,
-				b: recentOk,
-			},
-			servers:     []netip.AddrPort{a, b},
-			wantVerdict: nsVerdictHealthy,
-		},
-		{
-			name: "two upstreams, one fail one unseen, unhealthy",
-			health: map[netip.AddrPort]UpstreamHealth{
-				a: recentFail,
-			},
-			servers:      []netip.AddrPort{a, b},
-			wantVerdict:  nsVerdictUnhealthy,
-			wantErrSubst: "timeout",
-		},
-		{
-			name: "two upstreams, all recent failures, unhealthy",
-			health: map[netip.AddrPort]UpstreamHealth{
-				a: {LastFail: now.Add(-5 * time.Second), LastErr: "timeout"},
-				b: {LastFail: now.Add(-1 * time.Second), LastErr: "SERVFAIL"},
-			},
-			servers:      []netip.AddrPort{a, b},
-			wantVerdict:  nsVerdictUnhealthy,
-			wantErrSubst: "SERVFAIL",
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			verdict, err := evaluateNSGroupHealth(tc.health, tc.servers, now)
-			assert.Equal(t, tc.wantVerdict, verdict, "verdict mismatch")
-			if tc.wantErrSubst != "" {
-				require.Error(t, err)
-				assert.Contains(t, err.Error(), tc.wantErrSubst)
-			} else {
-				assert.NoError(t, err)
-			}
-		})
-	}
-}
-
-// healthStubHandler is a minimal dnsMuxMap entry that exposes a fixed
-// UpstreamHealth snapshot, letting tests drive recomputeNSGroupStates
-// without spinning up real handlers.
-type healthStubHandler struct {
-	health map[netip.AddrPort]UpstreamHealth
-}
-
-func (h *healthStubHandler) ServeDNS(dns.ResponseWriter, *dns.Msg) {}
-func (h *healthStubHandler) Stop()                                 {}
-func (h *healthStubHandler) ID() types.HandlerID                   { return "health-stub" }
-func (h *healthStubHandler) UpstreamHealth() map[netip.AddrPort]UpstreamHealth {
-	return h.health
-}
-
-// TestProjection_SteadyStateIsSilent guards against duplicate events:
-// while a group stays Unhealthy tick after tick, only the first
-// Unhealthy transition may emit. Same for staying Healthy.
-func TestProjection_SteadyStateIsSilent(t *testing.T) {
-	fx := newProjTestFixture(t)
-
-	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
-	fx.tick()
-	fx.expectEvent("unreachable", "first fail emits warning")
-
-	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
-	fx.tick()
-	fx.tick()
-	fx.expectNoEvent("staying unhealthy must not re-emit")
-
-	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
-	fx.tick()
-	fx.expectEvent("recovered", "recovery on transition")
-
-	fx.tick()
-	fx.tick()
-	fx.expectNoEvent("staying healthy must not re-emit")
-}
-
-// projTestFixture is the common setup for the projection tests: a
-// single-upstream group whose route classification the test can flip by
-// assigning to selected/active. Callers drive failures/successes by
-// mutating stub.health and calling refreshHealth.
-type projTestFixture struct {
-	t        *testing.T
-	recorder *peer.Status
-	events   <-chan *proto.SystemEvent
-	server   *DefaultServer
-	stub     *healthStubHandler
-	group    *nbdns.NameServerGroup
-	srv      netip.AddrPort
-	selected route.HAMap
-	active   route.HAMap
-}
-
-func newProjTestFixture(t *testing.T) *projTestFixture {
-	t.Helper()
-	recorder := peer.NewRecorder("mgm")
-	sub := recorder.SubscribeToEvents()
-	t.Cleanup(func() { recorder.UnsubscribeFromEvents(sub) })
-
-	srv := netip.MustParseAddrPort("100.64.0.1:53")
-	fx := &projTestFixture{
-		t:        t,
-		recorder: recorder,
-		events:   sub.Events(),
-		stub:     &healthStubHandler{health: map[netip.AddrPort]UpstreamHealth{}},
-		srv:      srv,
-		group: &nbdns.NameServerGroup{
-			Domains:     []string{"example.com"},
-			NameServers: []nbdns.NameServer{{IP: srv.Addr(), NSType: nbdns.UDPNameServerType, Port: int(srv.Port())}},
-		},
-	}
-	fx.server = &DefaultServer{
-		ctx:              context.Background(),
-		wgInterface:      &mocWGIface{},
-		statusRecorder:   recorder,
-		dnsMuxMap:        make(registeredHandlerMap),
-		selectedRoutes:   func() route.HAMap { return fx.selected },
-		activeRoutes:     func() route.HAMap { return fx.active },
-		warningDelayBase: defaultWarningDelayBase,
-	}
-	fx.server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: fx.stub, priority: PriorityUpstream}
-
-	fx.server.mux.Lock()
-	fx.server.updateNSGroupStates([]*nbdns.NameServerGroup{fx.group})
-	fx.server.mux.Unlock()
-	return fx
-}
-
-func (f *projTestFixture) setHealth(h UpstreamHealth) {
-	f.stub.health = map[netip.AddrPort]UpstreamHealth{f.srv: h}
-}
-
-func (f *projTestFixture) tick() []peer.NSGroupState {
-	f.server.refreshHealth()
-	return f.recorder.GetDNSStates()
-}
-
-func (f *projTestFixture) expectNoEvent(why string) {
-	f.t.Helper()
-	select {
-	case evt := <-f.events:
-		f.t.Fatalf("unexpected event (%s): %+v", why, evt)
-	case <-time.After(100 * time.Millisecond):
-	}
-}
-
-func (f *projTestFixture) expectEvent(substr, why string) *proto.SystemEvent {
-	f.t.Helper()
-	select {
-	case evt := <-f.events:
-		assert.Contains(f.t, evt.Message, substr, why)
-		return evt
-	case <-time.After(time.Second):
-		f.t.Fatalf("expected event (%s) with %q", why, substr)
-		return nil
-	}
-}
-
-var overlayNetForTest = netip.MustParsePrefix("100.64.0.0/16")
-var overlayMapForTest = route.HAMap{"overlay": {{Network: overlayNetForTest}}}
-
-// TestProjection_PublicFailEmitsImmediately covers rule 1: an upstream
-// that is not inside any selected route (public DNS) fires the warning
-// on the first Unhealthy tick, no grace period.
-func TestProjection_PublicFailEmitsImmediately(t *testing.T) {
-	fx := newProjTestFixture(t)
-
-	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
-	states := fx.tick()
-	require.Len(t, states, 1)
-	assert.False(t, states[0].Enabled)
-	fx.expectEvent("unreachable", "public DNS failure")
-}
-
-// TestProjection_OverlayConnectedFailEmitsImmediately covers rule 2:
-// the upstream is inside a selected route AND the route has a Connected
-// peer. Tunnel is up, failure is real, emit immediately.
-func TestProjection_OverlayConnectedFailEmitsImmediately(t *testing.T) {
-	fx := newProjTestFixture(t)
-	fx.selected = overlayMapForTest
-	fx.active = overlayMapForTest
-
-	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
-	states := fx.tick()
-	require.Len(t, states, 1)
-	assert.False(t, states[0].Enabled)
-	fx.expectEvent("unreachable", "overlay + connected failure")
-}
-
-// TestProjection_OverlayNotConnectedDelaysWarning covers rule 3: the
-// upstream is routed but no peer is Connected (Connecting/Idle/missing).
-// First tick: Unhealthy display, no warning. After the grace window
-// elapses with no recovery, the warning fires.
-func TestProjection_OverlayNotConnectedDelaysWarning(t *testing.T) {
-	grace := 50 * time.Millisecond
-	fx := newProjTestFixture(t)
-	fx.server.warningDelayBase = grace
-	fx.selected = overlayMapForTest
-	// active stays nil: routed but not connected.
-
-	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
-	states := fx.tick()
-	require.Len(t, states, 1)
-	assert.False(t, states[0].Enabled, "display must reflect failure even during grace window")
-	fx.expectNoEvent("first fail tick within grace window")
-
-	time.Sleep(grace + 10*time.Millisecond)
-	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
-	fx.tick()
-	fx.expectEvent("unreachable", "warning after grace window")
-}
-
-// TestProjection_OverlayAddrNoRouteDelaysWarning covers an upstream
-// whose address is inside the WireGuard overlay range but is not
-// covered by any selected route (peer-to-peer DNS without an explicit
-// route). Until a peer reports Connected for that address, startup
-// failures must be held just like the routed case.
-func TestProjection_OverlayAddrNoRouteDelaysWarning(t *testing.T) {
-	recorder := peer.NewRecorder("mgm")
-	sub := recorder.SubscribeToEvents()
-	t.Cleanup(func() { recorder.UnsubscribeFromEvents(sub) })
-
-	overlayPeer := netip.MustParseAddrPort("100.66.100.5:53")
-	server := &DefaultServer{
-		ctx:              context.Background(),
-		wgInterface:      &mocWGIface{},
-		statusRecorder:   recorder,
-		dnsMuxMap:        make(registeredHandlerMap),
-		selectedRoutes:   func() route.HAMap { return nil },
-		activeRoutes:     func() route.HAMap { return nil },
-		warningDelayBase: 50 * time.Millisecond,
-	}
-	group := &nbdns.NameServerGroup{
-		Domains:     []string{"example.com"},
-		NameServers: []nbdns.NameServer{{IP: overlayPeer.Addr(), NSType: nbdns.UDPNameServerType, Port: int(overlayPeer.Port())}},
-	}
-	stub := &healthStubHandler{health: map[netip.AddrPort]UpstreamHealth{
-		overlayPeer: {LastFail: time.Now(), LastErr: "timeout"},
-	}}
-	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}
-
-	server.mux.Lock()
-	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
-	server.mux.Unlock()
-	server.refreshHealth()
-
-	select {
-	case evt := <-sub.Events():
-		t.Fatalf("unexpected event during grace window: %+v", evt)
-	case <-time.After(100 * time.Millisecond):
-	}
-
-	time.Sleep(60 * time.Millisecond)
-	stub.health = map[netip.AddrPort]UpstreamHealth{overlayPeer: {LastFail: time.Now(), LastErr: "timeout"}}
-	server.refreshHealth()
-
-	select {
-	case evt := <-sub.Events():
-		assert.Contains(t, evt.Message, "unreachable")
-	case <-time.After(time.Second):
-		t.Fatal("expected warning after grace window")
-	}
-}
-
-// TestProjection_StopClearsHealthState verifies that Stop wipes the
-// per-group projection state so a subsequent Start doesn't inherit
-// sticky flags (notably everHealthy) that would bypass the grace
-// window during the next peer handshake.
-func TestProjection_StopClearsHealthState(t *testing.T) {
-	wgIface := &mocWGIface{}
-	server := &DefaultServer{
-		ctx:               context.Background(),
-		wgInterface:       wgIface,
-		service:           NewServiceViaMemory(wgIface),
-		hostManager:       &noopHostConfigurator{},
-		extraDomains:      map[domain.Domain]int{},
-		dnsMuxMap:         make(registeredHandlerMap),
-		statusRecorder:    peer.NewRecorder("mgm"),
-		selectedRoutes:    func() route.HAMap { return nil },
-		activeRoutes:      func() route.HAMap { return nil },
-		warningDelayBase:  defaultWarningDelayBase,
-		currentConfigHash: ^uint64(0),
-	}
-	server.ctx, server.ctxCancel = context.WithCancel(context.Background())
-
-	srv := netip.MustParseAddrPort("8.8.8.8:53")
-	group := &nbdns.NameServerGroup{
-		Domains:     []string{"example.com"},
-		NameServers: []nbdns.NameServer{{IP: srv.Addr(), NSType: nbdns.UDPNameServerType, Port: int(srv.Port())}},
-	}
-	stub := &healthStubHandler{health: map[netip.AddrPort]UpstreamHealth{srv: {LastOk: time.Now()}}}
-	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}
-
-	server.mux.Lock()
-	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
-	server.mux.Unlock()
-	server.refreshHealth()
-
-	server.healthProjectMu.Lock()
-	p, ok := server.nsGroupProj[generateGroupKey(group)]
-	server.healthProjectMu.Unlock()
-	require.True(t, ok, "projection state should exist after tick")
-	require.True(t, p.everHealthy, "tick with success must set everHealthy")
-
-	server.Stop()
-
-	server.healthProjectMu.Lock()
-	cleared := server.nsGroupProj == nil
-	server.healthProjectMu.Unlock()
-	assert.True(t, cleared, "Stop must clear nsGroupProj")
-}
-
-// TestProjection_OverlayRecoversDuringGrace covers the happy path of
-// rule 3: startup failures while the peer is handshaking, then the peer
-// comes up and a query succeeds before the grace window elapses. No
-// warning should ever have fired, and no recovery either.
-func TestProjection_OverlayRecoversDuringGrace(t *testing.T) {
-	fx := newProjTestFixture(t)
-	fx.server.warningDelayBase = 200 * time.Millisecond
-	fx.selected = overlayMapForTest
-
-	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
-	fx.tick()
-	fx.expectNoEvent("fail within grace, warning suppressed")
-
-	fx.active = overlayMapForTest
-	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
-	states := fx.tick()
-	require.Len(t, states, 1)
-	assert.True(t, states[0].Enabled)
-	fx.expectNoEvent("recovery without prior warning must not emit")
-}
-
-// TestProjection_RecoveryOnlyAfterWarning enforces the invariant the
-// whole design leans on: recovery events only appear when a warning
-// event was actually emitted for the current streak. A Healthy verdict
-// without a prior warning is silent, so the user never sees "recovered"
-// out of thin air.
-func TestProjection_RecoveryOnlyAfterWarning(t *testing.T) {
-	fx := newProjTestFixture(t)
-
-	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
-	states := fx.tick()
-	require.Len(t, states, 1)
-	assert.True(t, states[0].Enabled)
-	fx.expectNoEvent("first healthy tick should not recover anything")
-
-	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
-	fx.tick()
-	fx.expectEvent("unreachable", "public fail emits immediately")
-
-	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
-	fx.tick()
-	fx.expectEvent("recovered", "recovery follows real warning")
-
-	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
-	fx.tick()
-	fx.expectEvent("unreachable", "second cycle warning")
-
-	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
-	fx.tick()
-	fx.expectEvent("recovered", "second cycle recovery")
-}
-
-// TestProjection_EverHealthyOverridesDelay covers rule 4: once a group
-// has ever been Healthy, subsequent failures skip the grace window even
-// if classification says "routed + not connected". The system has
-// proved it can work, so any new failure is real.
-func TestProjection_EverHealthyOverridesDelay(t *testing.T) {
-	fx := newProjTestFixture(t)
-	// Large base so any emission must come from the everHealthy bypass, not elapsed time.
-	fx.server.warningDelayBase = time.Hour
-	fx.selected = overlayMapForTest
-	fx.active = overlayMapForTest
-
-	// Establish "ever healthy".
-	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
-	fx.tick()
-	fx.expectNoEvent("first healthy tick")
-
-	// Peer drops. Query fails. Routed + not connected → normally grace,
-	// but everHealthy flag bypasses it.
-	fx.active = nil
-	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
-	fx.tick()
-	fx.expectEvent("unreachable", "failure after ever-healthy must be immediate")
-}
-
-// TestProjection_ReconnectBlipEmitsPair covers the explicit tradeoff
-// from the design discussion: once a group has been healthy, a brief
-// reconnect that produces a failing tick will fire warning + recovery.
-// This is by design: user-visible blips are accurate signal, not noise.
-func TestProjection_ReconnectBlipEmitsPair(t *testing.T) {
-	fx := newProjTestFixture(t)
-	fx.selected = overlayMapForTest
-	fx.active = overlayMapForTest
-
-	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
-	fx.tick()
-
-	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
-	fx.tick()
-	fx.expectEvent("unreachable", "blip warning")
-
-	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
-	fx.tick()
-	fx.expectEvent("recovered", "blip recovery")
-}
-
-// TestProjection_MixedGroupEmitsImmediately covers the multi-upstream
-// rule: a group with at least one public upstream is in the "immediate"
-// category regardless of the other upstreams' routing, because the
-// public one has no peer-startup excuse. Prevents public-DNS failures
-// from being hidden behind a routed sibling.
-func TestProjection_MixedGroupEmitsImmediately(t *testing.T) {
-	recorder := peer.NewRecorder("mgm")
-	sub := recorder.SubscribeToEvents()
-	t.Cleanup(func() { recorder.UnsubscribeFromEvents(sub) })
-	events := sub.Events()
-
-	public := netip.MustParseAddrPort("8.8.8.8:53")
-	overlay := netip.MustParseAddrPort("100.64.0.1:53")
-	overlayMap := route.HAMap{"overlay": {{Network: netip.MustParsePrefix("100.64.0.0/16")}}}
-
-	server := &DefaultServer{
-		ctx:              context.Background(),
-		statusRecorder:   recorder,
-		dnsMuxMap:        make(registeredHandlerMap),
-		selectedRoutes:   func() route.HAMap { return overlayMap },
-		activeRoutes:     func() route.HAMap { return nil },
-		warningDelayBase: time.Hour,
-	}
-	group := &nbdns.NameServerGroup{
-		Domains: []string{"example.com"},
-		NameServers: []nbdns.NameServer{
-			{IP: public.Addr(), NSType: nbdns.UDPNameServerType, Port: int(public.Port())},
-			{IP: overlay.Addr(), NSType: nbdns.UDPNameServerType, Port: int(overlay.Port())},
-		},
-	}
-	stub := &healthStubHandler{
-		health: map[netip.AddrPort]UpstreamHealth{
-			public:  {LastFail: time.Now(), LastErr: "servfail"},
-			overlay: {LastFail: time.Now(), LastErr: "timeout"},
-		},
-	}
-	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}
-
-	server.mux.Lock()
-	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
-	server.mux.Unlock()
-	server.refreshHealth()
-
-	select {
-	case evt := <-events:
-		assert.Contains(t, evt.Message, "unreachable")
-	case <-time.After(time.Second):
-		t.Fatal("expected immediate warning because group contains a public upstream")
-	}
-}
-
 func TestDNSLoopPrevention(t *testing.T) {
 	wgInterface := &mocWGIface{}
 	service := NewServiceViaMemory(wgInterface)
@@ -2726,18 +2183,17 @@ func TestDNSLoopPrevention(t *testing.T) {

 			if tt.expectedHandlers > 0 {
 				handler := muxUpdates[0].handler.(*upstreamResolver)
-				flat := handler.flatUpstreams()
-				assert.Len(t, flat, len(tt.expectedServers))
+				assert.Len(t, handler.upstreamServers, len(tt.expectedServers))

 				if tt.shouldFilterOwnIP {
-					for _, upstream := range flat {
+					for _, upstream := range handler.upstreamServers {
 						assert.NotEqual(t, dnsServerIP, upstream.Addr())
 					}
 				}

 				for _, expected := range tt.expectedServers {
 					found := false
-					for _, upstream := range flat {
+					for _, upstream := range handler.upstreamServers {
 						if upstream.Addr() == expected {
 							found = true
 							break
--- a/client/internal/dns/systemd_linux.go
+++ b/client/internal/dns/systemd_linux.go
@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"slices"
 	"time"

 	"github.com/godbus/dbus/v5"
@@ -41,17 +40,10 @@ const (
 )

 type systemdDbusConfigurator struct {
-	dbusLinkObject  dbus.ObjectPath
-	ifaceName       string
-	wgIndex         int
-	origNameservers []netip.Addr
+	dbusLinkObject dbus.ObjectPath
+	ifaceName      string
 }

-const (
-	systemdDbusLinkDNSProperty          = systemdDbusLinkInterface + ".DNS"
-	systemdDbusLinkDefaultRouteProperty = systemdDbusLinkInterface + ".DefaultRoute"
-)
-
 // the types below are based on dbus specification, each field is mapped to a dbus type
 // see https://dbus.freedesktop.org/doc/dbus-specification.html#basic-types for more details on dbus types
 // see https://www.freedesktop.org/software/systemd/man/org.freedesktop.resolve1.html on resolve1 input types
@@ -87,145 +79,10 @@ func newSystemdDbusConfigurator(wgInterface string) (*systemdDbusConfigurator, e

 	log.Debugf("got dbus Link interface: %s from net interface %s and index %d", s, iface.Name, iface.Index)

-	c := &systemdDbusConfigurator{
+	return &systemdDbusConfigurator{
 		dbusLinkObject: dbus.ObjectPath(s),
 		ifaceName:      wgInterface,
-		wgIndex:        iface.Index,
-	}
-
-	origNameservers, err := c.captureOriginalNameservers()
-	switch {
-	case err != nil:
-		log.Warnf("capture original nameservers from systemd-resolved: %v", err)
-	case len(origNameservers) == 0:
-		log.Warnf("no original nameservers captured from systemd-resolved default-route links; DNS fallback will be empty")
-	default:
-		log.Debugf("captured %d original nameservers from systemd-resolved default-route links: %v", len(origNameservers), origNameservers)
-	}
-	c.origNameservers = origNameservers
-	return c, nil
-}
-
-// captureOriginalNameservers reads per-link DNS from systemd-resolved for
-// every default-route link except our own WG link. Non-default-route links
-// (VPNs, docker bridges) are skipped because their upstreams wouldn't
-// actually serve host queries.
-func (s *systemdDbusConfigurator) captureOriginalNameservers() ([]netip.Addr, error) {
-	ifaces, err := net.Interfaces()
-	if err != nil {
-		return nil, fmt.Errorf("list interfaces: %w", err)
-	}
-
-	seen := make(map[netip.Addr]struct{})
-	var out []netip.Addr
-	for _, iface := range ifaces {
-		if !s.isCandidateLink(iface) {
-			continue
-		}
-		linkPath, err := getSystemdLinkPath(iface.Index)
-		if err != nil || !isSystemdLinkDefaultRoute(linkPath) {
-			continue
-		}
-		for _, addr := range readSystemdLinkDNS(linkPath) {
-			addr = normalizeSystemdAddr(addr, iface.Name)
-			if !addr.IsValid() {
-				continue
-			}
-			if _, dup := seen[addr]; dup {
-				continue
-			}
-			seen[addr] = struct{}{}
-			out = append(out, addr)
-		}
-	}
-	return out, nil
-}
-
-func (s *systemdDbusConfigurator) isCandidateLink(iface net.Interface) bool {
-	if iface.Index == s.wgIndex {
-		return false
-	}
-	if iface.Flags&net.FlagLoopback != 0 || iface.Flags&net.FlagUp == 0 {
-		return false
-	}
-	return true
-}
-
-// normalizeSystemdAddr unmaps v4-mapped-v6, drops unspecified, and reattaches
-// the link's iface name as zone for link-local v6 (Link.DNS strips it).
-// Returns the zero Addr to signal "skip this entry".
-func normalizeSystemdAddr(addr netip.Addr, ifaceName string) netip.Addr {
-	addr = addr.Unmap()
-	if !addr.IsValid() || addr.IsUnspecified() {
-		return netip.Addr{}
-	}
-	if addr.IsLinkLocalUnicast() {
-		return addr.WithZone(ifaceName)
-	}
-	return addr
-}
-
-func getSystemdLinkPath(ifIndex int) (dbus.ObjectPath, error) {
-	obj, closeConn, err := getDbusObject(systemdResolvedDest, systemdDbusObjectNode)
-	if err != nil {
-		return "", fmt.Errorf("dbus resolve1: %w", err)
-	}
-	defer closeConn()
-	var p string
-	if err := obj.Call(systemdDbusGetLinkMethod, dbusDefaultFlag, int32(ifIndex)).Store(&p); err != nil {
-		return "", err
-	}
-	return dbus.ObjectPath(p), nil
-}
-
-func isSystemdLinkDefaultRoute(linkPath dbus.ObjectPath) bool {
-	obj, closeConn, err := getDbusObject(systemdResolvedDest, linkPath)
-	if err != nil {
-		return false
-	}
-	defer closeConn()
-	v, err := obj.GetProperty(systemdDbusLinkDefaultRouteProperty)
-	if err != nil {
-		return false
-	}
-	b, ok := v.Value().(bool)
-	return ok && b
-}
-
-func readSystemdLinkDNS(linkPath dbus.ObjectPath) []netip.Addr {
-	obj, closeConn, err := getDbusObject(systemdResolvedDest, linkPath)
-	if err != nil {
-		return nil
-	}
-	defer closeConn()
-	v, err := obj.GetProperty(systemdDbusLinkDNSProperty)
-	if err != nil {
-		return nil
-	}
-	entries, ok := v.Value().([][]any)
-	if !ok {
-		return nil
-	}
-	var out []netip.Addr
-	for _, entry := range entries {
-		if len(entry) < 2 {
-			continue
-		}
-		raw, ok := entry[1].([]byte)
-		if !ok {
-			continue
-		}
-		addr, ok := netip.AddrFromSlice(raw)
-		if !ok {
-			continue
-		}
-		out = append(out, addr)
-	}
-	return out
-}
-
-func (s *systemdDbusConfigurator) getOriginalNameservers() []netip.Addr {
-	return slices.Clone(s.origNameservers)
+	}, nil
 }

 func (s *systemdDbusConfigurator) supportCustomPort() bool {
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -1,32 +1,3 @@
-// Package dns implements the client-side DNS stack: listener/service on the
-// peer's tunnel address, handler chain that routes questions by domain and
-// priority, and upstream resolvers that forward what remains to configured
-// nameservers.
-//
-// # Upstream resolution and the race model
-//
-// When two or more nameserver groups target the same domain, DefaultServer
-// merges them into one upstream handler whose state is:
-//
-//	upstreamResolverBase
-//	  └── upstreamServers []upstreamRace   // one entry per source NS group
-//	        └── []netip.AddrPort           // primary, fallback, ...
-//
-// Each source nameserver group contributes one upstreamRace. Within a race
-// upstreams are tried in order: the next is used only on failure (timeout,
-// SERVFAIL, REFUSED, no response). NXDOMAIN is a valid answer and stops
-// the walk. When more than one race exists, ServeDNS fans out one
-// goroutine per race and returns the first valid answer, cancelling the
-// rest. A handler with a single race skips the fan-out.
-//
-// # Health projection
-//
-// Query outcomes are recorded per-upstream in UpstreamHealth. The server
-// periodically merges these snapshots across handlers and projects them
-// into peer.NSGroupState. There is no active probing: a group is marked
-// unhealthy only when every seen upstream has a recent failure and none
-// has a recent success. Healthy→unhealthy fires a single
-// SystemEvent_WARNING; steady-state refreshes do not duplicate it.
 package dns

 import (
@@ -40,8 +11,11 @@ import (
 	"slices"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"

+	"github.com/cenkalti/backoff/v4"
+	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/tun/netstack"
@@ -51,33 +25,11 @@ import (
 	"github.com/netbirdio/netbird/client/internal/dns/resutil"
 	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/route"
-	"github.com/netbirdio/netbird/shared/management/domain"
+	"github.com/netbirdio/netbird/client/proto"
 )

 var currentMTU uint16 = iface.DefaultMTU

-// nonRetryableEDECodes lists EDE info codes (RFC 8914) for which a SERVFAIL
-// from one upstream means another upstream would return the same answer:
-// DNSSEC validation outcomes and policy-based blocks. Transient errors
-// (network, cached, not ready) are not included.
-var nonRetryableEDECodes = map[uint16]struct{}{
-	dns.ExtendedErrorCodeUnsupportedDNSKEYAlgorithm: {},
-	dns.ExtendedErrorCodeUnsupportedDSDigestType:    {},
-	dns.ExtendedErrorCodeDNSSECIndeterminate:        {},
-	dns.ExtendedErrorCodeDNSBogus:                   {},
-	dns.ExtendedErrorCodeSignatureExpired:           {},
-	dns.ExtendedErrorCodeSignatureNotYetValid:       {},
-	dns.ExtendedErrorCodeDNSKEYMissing:              {},
-	dns.ExtendedErrorCodeRRSIGsMissing:              {},
-	dns.ExtendedErrorCodeNoZoneKeyBitSet:            {},
-	dns.ExtendedErrorCodeNSECMissing:                {},
-	dns.ExtendedErrorCodeBlocked:                    {},
-	dns.ExtendedErrorCodeCensored:                   {},
-	dns.ExtendedErrorCodeFiltered:                   {},
-	dns.ExtendedErrorCodeProhibited:                 {},
-}
-
 // privateClientIface is the subset of the WireGuard interface needed by GetClientPrivate.
 type privateClientIface interface {
 	Name() string
@@ -94,18 +46,16 @@ const (
 	// Set longer than UpstreamTimeout to ensure context timeout takes precedence
 	ClientTimeout = 5 * time.Second

+	reactivatePeriod = 30 * time.Second
+	probeTimeout     = 2 * time.Second
+
 	// ipv6HeaderSize + udpHeaderSize, used to derive the maximum DNS UDP
 	// payload from the tunnel MTU.
 	ipUDPHeaderSize = 60 + 8
-
-	// raceMaxTotalTimeout caps the combined time spent walking all upstreams
-	// within one race, so a slow primary can't eat the whole race budget.
-	raceMaxTotalTimeout = 5 * time.Second
-	// raceMinPerUpstreamTimeout is the floor applied when dividing
-	// raceMaxTotalTimeout across upstreams within a race.
-	raceMinPerUpstreamTimeout = 2 * time.Second
 )

+const testRecord = "com."
+
 const (
 	protoUDP = "udp"
 	protoTCP = "tcp"
@@ -113,69 +63,6 @@ const (

 type dnsProtocolKey struct{}

-type upstreamProtocolKey struct{}
-
-// upstreamProtocolResult holds the protocol used for the upstream exchange.
-// Stored as a pointer in context so the exchange function can set it.
-type upstreamProtocolResult struct {
-	protocol string
-}
-
-type upstreamClient interface {
-	exchange(ctx context.Context, upstream string, r *dns.Msg) (*dns.Msg, time.Duration, error)
-}
-
-type UpstreamResolver interface {
-	serveDNS(r *dns.Msg) (*dns.Msg, time.Duration, error)
-	upstreamExchange(upstream string, r *dns.Msg) (*dns.Msg, time.Duration, error)
-}
-
-// upstreamRace is an ordered list of upstreams derived from one configured
-// nameserver group. Order matters: the first upstream is tried first, the
-// second only on failure, and so on. Multiple upstreamRace values coexist
-// inside one resolver when overlapping nameserver groups target the same
-// domain; those races run in parallel and the first valid answer wins.
-type upstreamRace []netip.AddrPort
-
-// UpstreamHealth is the last query-path outcome for a single upstream,
-// consumed by nameserver-group status projection.
-type UpstreamHealth struct {
-	LastOk   time.Time
-	LastFail time.Time
-	LastErr  string
-}
-
-type upstreamResolverBase struct {
-	ctx             context.Context
-	cancel          context.CancelFunc
-	upstreamClient  upstreamClient
-	upstreamServers []upstreamRace
-	domain          domain.Domain
-	upstreamTimeout time.Duration
-
-	healthMu sync.RWMutex
-	health   map[netip.AddrPort]*UpstreamHealth
-
-	statusRecorder *peer.Status
-	// selectedRoutes returns the current set of client routes the admin
-	// has enabled. Called lazily from the query hot path when an upstream
-	// might need a tunnel-bound client (iOS) and from health projection.
-	selectedRoutes func() route.HAMap
-}
-
-type upstreamFailure struct {
-	upstream netip.AddrPort
-	reason   string
-}
-
-type raceResult struct {
-	msg      *dns.Msg
-	upstream netip.AddrPort
-	protocol string
-	ede      string
-	failures []upstreamFailure
-}
-
 // contextWithDNSProtocol stores the inbound DNS protocol ("udp" or "tcp") in context.
 func contextWithDNSProtocol(ctx context.Context, network string) context.Context {
 	return context.WithValue(ctx, dnsProtocolKey{}, network)
@@ -192,8 +79,16 @@ func dnsProtocolFromContext(ctx context.Context) string {
 	return ""
 }

-// contextWithUpstreamProtocolResult stores a mutable result holder in the context.
-func contextWithUpstreamProtocolResult(ctx context.Context) (context.Context, *upstreamProtocolResult) {
+type upstreamProtocolKey struct{}
+
+// upstreamProtocolResult holds the protocol used for the upstream exchange.
+// Stored as a pointer in context so the exchange function can set it.
+type upstreamProtocolResult struct {
+	protocol string
+}
+
+// contextWithupstreamProtocolResult stores a mutable result holder in the context.
+func contextWithupstreamProtocolResult(ctx context.Context) (context.Context, *upstreamProtocolResult) {
 	r := &upstreamProtocolResult{}
 	return context.WithValue(ctx, upstreamProtocolKey{}, r), r
 }
@@ -208,37 +103,67 @@ func setUpstreamProtocol(ctx context.Context, protocol string) {
 	}
 }

-func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status, d domain.Domain) *upstreamResolverBase {
+type upstreamClient interface {
+	exchange(ctx context.Context, upstream string, r *dns.Msg) (*dns.Msg, time.Duration, error)
+}
+
+type UpstreamResolver interface {
+	serveDNS(r *dns.Msg) (*dns.Msg, time.Duration, error)
+	upstreamExchange(upstream string, r *dns.Msg) (*dns.Msg, time.Duration, error)
+}
+
+type upstreamResolverBase struct {
+	ctx              context.Context
+	cancel           context.CancelFunc
+	upstreamClient   upstreamClient
+	upstreamServers  []netip.AddrPort
+	domain           string
+	disabled         bool
+	successCount     atomic.Int32
+	mutex            sync.Mutex
+	reactivatePeriod time.Duration
+	upstreamTimeout  time.Duration
+	wg               sync.WaitGroup
+
+	deactivate     func(error)
+	reactivate     func()
+	statusRecorder *peer.Status
+	routeMatch     func(netip.Addr) bool
+}
+
+type upstreamFailure struct {
+	upstream netip.AddrPort
+	reason   string
+}
+
+func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status, domain string) *upstreamResolverBase {
 	ctx, cancel := context.WithCancel(ctx)

 	return &upstreamResolverBase{
-		ctx:             ctx,
-		cancel:          cancel,
-		domain:          d,
-		upstreamTimeout: UpstreamTimeout,
-		statusRecorder:  statusRecorder,
+		ctx:              ctx,
+		cancel:           cancel,
+		domain:           domain,
+		upstreamTimeout:  UpstreamTimeout,
+		reactivatePeriod: reactivatePeriod,
+		statusRecorder:   statusRecorder,
 	}
 }

 // String returns a string representation of the upstream resolver
 func (u *upstreamResolverBase) String() string {
-	return fmt.Sprintf("Upstream %s", u.flatUpstreams())
+	return fmt.Sprintf("Upstream %s", u.upstreamServers)
 }

-// ID returns the unique handler ID. Race groupings and within-race
-// ordering are both part of the identity: [[A,B]] and [[A],[B]] query
-// the same servers but with different semantics (serial fallback vs
-// parallel race), so their handlers must not collide.
+// ID returns the unique handler ID
 func (u *upstreamResolverBase) ID() types.HandlerID {
+	servers := slices.Clone(u.upstreamServers)
+	slices.SortFunc(servers, func(a, b netip.AddrPort) int { return a.Compare(b) })
+
 	hash := sha256.New()
-	hash.Write([]byte(u.domain.PunycodeString() + ":"))
-	for _, race := range u.upstreamServers {
-		hash.Write([]byte("["))
-		for _, s := range race {
-			hash.Write([]byte(s.String()))
-			hash.Write([]byte("|"))
-		}
-		hash.Write([]byte("]"))
+	hash.Write([]byte(u.domain + ":"))
+	for _, s := range servers {
+		hash.Write([]byte(s.String()))
+		hash.Write([]byte("|"))
 	}
 	return types.HandlerID("upstream-" + hex.EncodeToString(hash.Sum(nil)[:8]))
 }
@@ -248,31 +173,13 @@ func (u *upstreamResolverBase) MatchSubdomains() bool {
 }

 func (u *upstreamResolverBase) Stop() {
-	log.Debugf("stopping serving DNS for upstreams %s", u.flatUpstreams())
+	log.Debugf("stopping serving DNS for upstreams %s", u.upstreamServers)
 	u.cancel()
-}

-// flatUpstreams is for logging and ID hashing only, not for dispatch.
-func (u *upstreamResolverBase) flatUpstreams() []netip.AddrPort {
-	var out []netip.AddrPort
-	for _, g := range u.upstreamServers {
-		out = append(out, g...)
-	}
-	return out
-}
+	u.mutex.Lock()
+	u.wg.Wait()
+	u.mutex.Unlock()

-// setSelectedRoutes swaps the accessor used to classify overlay-routed
-// upstreams. Called when route sources are wired after the handler was
-// built (permanent / iOS constructors).
-func (u *upstreamResolverBase) setSelectedRoutes(selected func() route.HAMap) {
-	u.selectedRoutes = selected
-}
-
-func (u *upstreamResolverBase) addRace(servers []netip.AddrPort) {
-	if len(servers) == 0 {
-		return
-	}
-	u.upstreamServers = append(u.upstreamServers, slices.Clone(servers))
 }

 // ServeDNS handles a DNS request
@@ -314,226 +221,59 @@ func (u *upstreamResolverBase) prepareRequest(r *dns.Msg) {
 }

 func (u *upstreamResolverBase) tryUpstreamServers(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, logger *log.Entry) (bool, []upstreamFailure) {
-	groups := u.upstreamServers
-	switch len(groups) {
-	case 0:
-		return false, nil
-	case 1:
-		return u.tryOnlyRace(ctx, w, r, groups[0], logger)
-	default:
-		return u.raceAll(ctx, w, r, groups, logger)
-	}
-}
-
-func (u *upstreamResolverBase) tryOnlyRace(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, group upstreamRace, logger *log.Entry) (bool, []upstreamFailure) {
-	res := u.tryRace(ctx, r, group)
-	if res.msg == nil {
-		return false, res.failures
-	}
-	if res.ede != "" {
-		resutil.SetMeta(w, "ede", res.ede)
-	}
-	u.writeSuccessResponse(w, res.msg, res.upstream, r.Question[0].Name, res.protocol, logger)
-	return true, res.failures
-}
-
-// raceAll runs one worker per group in parallel, taking the first valid
-// answer and cancelling the rest.
-func (u *upstreamResolverBase) raceAll(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, groups []upstreamRace, logger *log.Entry) (bool, []upstreamFailure) {
-	raceCtx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
-	// Buffer sized to len(groups) so workers never block on send, even
-	// after the coordinator has returned.
-	results := make(chan raceResult, len(groups))
-	for _, g := range groups {
-		// tryRace clones the request per attempt, so workers never share
-		// a *dns.Msg and concurrent EDNS0 mutations can't race.
-		go func(g upstreamRace) {
-			results <- u.tryRace(raceCtx, r, g)
-		}(g)
+	timeout := u.upstreamTimeout
+	if len(u.upstreamServers) > 1 {
+		maxTotal := 5 * time.Second
+		minPerUpstream := 2 * time.Second
+		scaledTimeout := maxTotal / time.Duration(len(u.upstreamServers))
+		if scaledTimeout > minPerUpstream {
+			timeout = scaledTimeout
+		} else {
+			timeout = minPerUpstream
+		}
 	}

 	var failures []upstreamFailure
-	for range groups {
-		select {
-		case res := <-results:
-			failures = append(failures, res.failures...)
-			if res.msg != nil {
-				if res.ede != "" {
-					resutil.SetMeta(w, "ede", res.ede)
-				}
-				u.writeSuccessResponse(w, res.msg, res.upstream, r.Question[0].Name, res.protocol, logger)
-				return true, failures
-			}
-		case <-ctx.Done():
-			return false, failures
+	for _, upstream := range u.upstreamServers {
+		if failure := u.queryUpstream(ctx, w, r, upstream, timeout, logger); failure != nil {
+			failures = append(failures, *failure)
+		} else {
+			return true, failures
 		}
 	}
 	return false, failures
 }

-func (u *upstreamResolverBase) tryRace(ctx context.Context, r *dns.Msg, group upstreamRace) raceResult {
-	timeout := u.upstreamTimeout
-	if len(group) > 1 {
-		// Cap the whole walk at raceMaxTotalTimeout: per-upstream timeouts
-		// still honor raceMinPerUpstreamTimeout as a floor for correctness
-		// on slow links, but the outer context ensures the combined walk
-		// cannot exceed the cap regardless of group size.
-		timeout = max(raceMaxTotalTimeout/time.Duration(len(group)), raceMinPerUpstreamTimeout)
-		var cancel context.CancelFunc
-		ctx, cancel = context.WithTimeout(ctx, raceMaxTotalTimeout)
+// queryUpstream queries a single upstream server. Returns nil on success, or failure info to try next upstream.
+func (u *upstreamResolverBase) queryUpstream(parentCtx context.Context, w dns.ResponseWriter, r *dns.Msg, upstream netip.AddrPort, timeout time.Duration, logger *log.Entry) *upstreamFailure {
+	var rm *dns.Msg
+	var t time.Duration
+	var err error
+
+	var startTime time.Time
+	var upstreamProto *upstreamProtocolResult
+	func() {
+		ctx, cancel := context.WithTimeout(parentCtx, timeout)
 		defer cancel()
-	}
-
-	var failures []upstreamFailure
-	for _, upstream := range group {
-		if ctx.Err() != nil {
-			return raceResult{failures: failures}
-		}
-		// Clone the request per attempt: the exchange path mutates EDNS0
-		// options in-place, so reusing the same *dns.Msg across sequential
-		// upstreams would carry those mutations (e.g. a reduced UDP size)
-		// into the next attempt.
-		res, failure := u.queryUpstream(ctx, r.Copy(), upstream, timeout)
-		if failure != nil {
-			failures = append(failures, *failure)
-			continue
-		}
-		res.failures = failures
-		return res
-	}
-	return raceResult{failures: failures}
-}
-
-func (u *upstreamResolverBase) queryUpstream(parentCtx context.Context, r *dns.Msg, upstream netip.AddrPort, timeout time.Duration) (raceResult, *upstreamFailure) {
-	ctx, cancel := context.WithTimeout(parentCtx, timeout)
-	defer cancel()
-	ctx, upstreamProto := contextWithUpstreamProtocolResult(ctx)
-
-	// Advertise EDNS0 so the upstream may include Extended DNS Errors
-	// (RFC 8914) in failure responses; we use those to short-circuit
-	// failover for definitive answers like DNSSEC validation failures.
-	// The caller already passed a per-attempt copy, so we can mutate r
-	// directly; hadEdns reflects the original client request's state and
-	// controls whether we strip the OPT from the response.
-	hadEdns := r.IsEdns0() != nil
-	if !hadEdns {
-		r.SetEdns0(upstreamUDPSize(), false)
-	}
-
-	startTime := time.Now()
-	rm, _, err := u.upstreamClient.exchange(ctx, upstream.String(), r)
+		ctx, upstreamProto = contextWithupstreamProtocolResult(ctx)
+		startTime = time.Now()
+		rm, t, err = u.upstreamClient.exchange(ctx, upstream.String(), r)
+	}()

 	if err != nil {
-		// A parent cancellation (e.g., another race won and the coordinator
-		// cancelled the losers) is not an upstream failure. Check both the
-		// error chain and the parent context: a transport may surface the
-		// cancellation as a read/deadline error rather than context.Canceled.
-		if errors.Is(err, context.Canceled) || errors.Is(parentCtx.Err(), context.Canceled) {
-			return raceResult{}, &upstreamFailure{upstream: upstream, reason: "canceled"}
-		}
-		failure := u.handleUpstreamError(err, upstream, startTime)
-		u.markUpstreamFail(upstream, failure.reason)
-		return raceResult{}, failure
+		return u.handleUpstreamError(err, upstream, startTime)
 	}

 	if rm == nil || !rm.Response {
-		u.markUpstreamFail(upstream, "no response")
-		return raceResult{}, &upstreamFailure{upstream: upstream, reason: "no response"}
-	}
-
-	proto := ""
-	if upstreamProto != nil {
-		proto = upstreamProto.protocol
+		return &upstreamFailure{upstream: upstream, reason: "no response"}
 	}

 	if rm.Rcode == dns.RcodeServerFailure || rm.Rcode == dns.RcodeRefused {
-		if code, ok := nonRetryableEDE(rm); ok {
-			if !hadEdns {
-				stripOPT(rm)
-			}
-			u.markUpstreamOk(upstream)
-			return raceResult{msg: rm, upstream: upstream, protocol: proto, ede: edeName(code)}, nil
-		}
-		reason := dns.RcodeToString[rm.Rcode]
-		u.markUpstreamFail(upstream, reason)
-		return raceResult{}, &upstreamFailure{upstream: upstream, reason: reason}
+		return &upstreamFailure{upstream: upstream, reason: dns.RcodeToString[rm.Rcode]}
 	}

-	if !hadEdns {
-		stripOPT(rm)
-	}
-
-	u.markUpstreamOk(upstream)
-	return raceResult{msg: rm, upstream: upstream, protocol: proto}, nil
-}
-
-// healthEntry returns the mutable health record for addr, lazily creating
-// the map and the entry. Caller must hold u.healthMu.
-func (u *upstreamResolverBase) healthEntry(addr netip.AddrPort) *UpstreamHealth {
-	if u.health == nil {
-		u.health = make(map[netip.AddrPort]*UpstreamHealth)
-	}
-	h := u.health[addr]
-	if h == nil {
-		h = &UpstreamHealth{}
-		u.health[addr] = h
-	}
-	return h
-}
-
-func (u *upstreamResolverBase) markUpstreamOk(addr netip.AddrPort) {
-	u.healthMu.Lock()
-	defer u.healthMu.Unlock()
-	h := u.healthEntry(addr)
-	h.LastOk = time.Now()
-	h.LastFail = time.Time{}
-	h.LastErr = ""
-}
-
-func (u *upstreamResolverBase) markUpstreamFail(addr netip.AddrPort, reason string) {
-	u.healthMu.Lock()
-	defer u.healthMu.Unlock()
-	h := u.healthEntry(addr)
-	h.LastFail = time.Now()
-	h.LastErr = reason
-}
-
-// UpstreamHealth returns a snapshot of per-upstream query outcomes.
-func (u *upstreamResolverBase) UpstreamHealth() map[netip.AddrPort]UpstreamHealth {
-	u.healthMu.RLock()
-	defer u.healthMu.RUnlock()
-	out := make(map[netip.AddrPort]UpstreamHealth, len(u.health))
-	for k, v := range u.health {
-		out[k] = *v
-	}
-	return out
-}
-
-// upstreamUDPSize returns the EDNS0 UDP buffer size we advertise to upstreams,
-// derived from the tunnel MTU and bounded against underflow.
-func upstreamUDPSize() uint16 {
-	if currentMTU > ipUDPHeaderSize {
-		return currentMTU - ipUDPHeaderSize
-	}
-	return dns.MinMsgSize
-}
-
-// stripOPT removes any OPT pseudo-RRs from the response's Extra section so
-// the response complies with RFC 6891 when the client did not advertise EDNS0.
-func stripOPT(rm *dns.Msg) {
-	if len(rm.Extra) == 0 {
-		return
-	}
-	out := rm.Extra[:0]
-	for _, rr := range rm.Extra {
-		if _, ok := rr.(*dns.OPT); ok {
-			continue
-		}
-		out = append(out, rr)
-	}
-	rm.Extra = out
+	u.writeSuccessResponse(w, rm, upstream, r.Question[0].Name, t, upstreamProto, logger)
+	return nil
 }

 func (u *upstreamResolverBase) handleUpstreamError(err error, upstream netip.AddrPort, startTime time.Time) *upstreamFailure {
@@ -549,23 +289,12 @@ func (u *upstreamResolverBase) handleUpstreamError(err error, upstream netip.Add
 	return &upstreamFailure{upstream: upstream, reason: reason}
 }

-func (u *upstreamResolverBase) debugUpstreamTimeout(upstream netip.AddrPort) string {
-	if u.statusRecorder == nil {
-		return ""
-	}
+func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dns.Msg, upstream netip.AddrPort, domain string, t time.Duration, upstreamProto *upstreamProtocolResult, logger *log.Entry) bool {
+	u.successCount.Add(1)

-	peerInfo := findPeerForIP(upstream.Addr(), u.statusRecorder)
-	if peerInfo == nil {
-		return ""
-	}
-
-	return fmt.Sprintf("(routes through NetBird peer %s)", FormatPeerStatus(peerInfo))
-}
-
-func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dns.Msg, upstream netip.AddrPort, domain string, proto string, logger *log.Entry) {
 	resutil.SetMeta(w, "upstream", upstream.String())
-	if proto != "" {
-		resutil.SetMeta(w, "upstream_protocol", proto)
+	if upstreamProto != nil && upstreamProto.protocol != "" {
+		resutil.SetMeta(w, "upstream_protocol", upstreamProto.protocol)
 	}

 	// Clear Zero bit from external responses to prevent upstream servers from
@@ -574,11 +303,14 @@ func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dn

 	if err := w.WriteMsg(rm); err != nil {
 		logger.Errorf("failed to write DNS response for question domain=%s: %s", domain, err)
+		return true
 	}
+
+	return true
 }

 func (u *upstreamResolverBase) logUpstreamFailures(domain string, failures []upstreamFailure, succeeded bool, logger *log.Entry) {
-	totalUpstreams := len(u.flatUpstreams())
+	totalUpstreams := len(u.upstreamServers)
 	failedCount := len(failures)
 	failureSummary := formatFailures(failures)

@@ -605,32 +337,117 @@ func formatFailures(failures []upstreamFailure) string {
 	return strings.Join(parts, ", ")
 }

-// nonRetryableEDE returns the first non-retryable EDE code carried in the
-// response, if any.
-func nonRetryableEDE(rm *dns.Msg) (uint16, bool) {
-	opt := rm.IsEdns0()
-	if opt == nil {
-		return 0, false
+// ProbeAvailability tests all upstream servers simultaneously and
+// disables the resolver if none work
+func (u *upstreamResolverBase) ProbeAvailability(ctx context.Context) {
+	u.mutex.Lock()
+	defer u.mutex.Unlock()
+
+	// avoid probe if upstreams could resolve at least one query
+	if u.successCount.Load() > 0 {
+		return
 	}
-	for _, o := range opt.Option {
-		ede, ok := o.(*dns.EDNS0_EDE)
-		if !ok {
-			continue
-		}
-		if _, ok := nonRetryableEDECodes[ede.InfoCode]; ok {
-			return ede.InfoCode, true
-		}
+
+	var success bool
+	var mu sync.Mutex
+	var wg sync.WaitGroup
+
+	var errs *multierror.Error
+	for _, upstream := range u.upstreamServers {
+		wg.Add(1)
+		go func(upstream netip.AddrPort) {
+			defer wg.Done()
+			err := u.testNameserver(u.ctx, ctx, upstream, 500*time.Millisecond)
+			if err != nil {
+				mu.Lock()
+				errs = multierror.Append(errs, err)
+				mu.Unlock()
+				log.Warnf("probing upstream nameserver %s: %s", upstream, err)
+				return
+			}
+
+			mu.Lock()
+			success = true
+			mu.Unlock()
+		}(upstream)
+	}
+
+	wg.Wait()
+
+	select {
+	case <-ctx.Done():
+		return
+	case <-u.ctx.Done():
+		return
+	default:
+	}
+
+	// didn't find a working upstream server, let's disable and try later
+	if !success {
+		u.disable(errs.ErrorOrNil())
+
+		if u.statusRecorder == nil {
+			return
+		}
+
+		u.statusRecorder.PublishEvent(
+			proto.SystemEvent_WARNING,
+			proto.SystemEvent_DNS,
+			"All upstream servers failed (probe failed)",
+			"Unable to reach one or more DNS servers. This might affect your ability to connect to some services.",
+			map[string]string{"upstreams": u.upstreamServersString()},
+		)
 	}
-	return 0, false
 }

-// edeName returns a human-readable name for an EDE code, falling back to
-// the numeric code when unknown.
-func edeName(code uint16) string {
-	if name, ok := dns.ExtendedErrorCodeToString[code]; ok {
-		return name
+// waitUntilResponse retries, in an exponential interval, querying the upstream servers until it gets a positive response
+func (u *upstreamResolverBase) waitUntilResponse() {
+	exponentialBackOff := &backoff.ExponentialBackOff{
+		InitialInterval:     500 * time.Millisecond,
+		RandomizationFactor: 0.5,
+		Multiplier:          1.1,
+		MaxInterval:         u.reactivatePeriod,
+		MaxElapsedTime:      0,
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
 	}
-	return fmt.Sprintf("EDE %d", code)
+
+	operation := func() error {
+		select {
+		case <-u.ctx.Done():
+			return backoff.Permanent(fmt.Errorf("exiting upstream retry loop for upstreams %s: parent context has been canceled", u.upstreamServersString()))
+		default:
+		}
+
+		for _, upstream := range u.upstreamServers {
+			if err := u.testNameserver(u.ctx, nil, upstream, probeTimeout); err != nil {
+				log.Tracef("upstream check for %s: %s", upstream, err)
+			} else {
+				// at least one upstream server is available, stop probing
+				return nil
+			}
+		}
+
+		log.Tracef("checking connectivity with upstreams %s failed. Retrying in %s", u.upstreamServersString(), exponentialBackOff.NextBackOff())
+		return fmt.Errorf("upstream check call error")
+	}
+
+	err := backoff.Retry(operation, backoff.WithContext(exponentialBackOff, u.ctx))
+	if err != nil {
+		if errors.Is(err, context.Canceled) {
+			log.Debugf("upstream retry loop exited for upstreams %s", u.upstreamServersString())
+		} else {
+			log.Warnf("upstream retry loop exited for upstreams %s: %v", u.upstreamServersString(), err)
+		}
+		return
+	}
+
+	log.Infof("upstreams %s are responsive again. Adding them back to system", u.upstreamServersString())
+	u.successCount.Add(1)
+	u.reactivate()
+	u.mutex.Lock()
+	u.disabled = false
+	u.mutex.Unlock()
 }

 // isTimeout returns true if the given error is a network timeout error.
@@ -644,6 +461,45 @@ func isTimeout(err error) bool {
 	return false
 }

+func (u *upstreamResolverBase) disable(err error) {
+	if u.disabled {
+		return
+	}
+
+	log.Warnf("Upstream resolving is Disabled for %v", reactivatePeriod)
+	u.successCount.Store(0)
+	u.deactivate(err)
+	u.disabled = true
+	u.wg.Add(1)
+	go func() {
+		defer u.wg.Done()
+		u.waitUntilResponse()
+	}()
+}
+
+func (u *upstreamResolverBase) upstreamServersString() string {
+	var servers []string
+	for _, server := range u.upstreamServers {
+		servers = append(servers, server.String())
+	}
+	return strings.Join(servers, ", ")
+}
+
+func (u *upstreamResolverBase) testNameserver(baseCtx context.Context, externalCtx context.Context, server netip.AddrPort, timeout time.Duration) error {
+	mergedCtx, cancel := context.WithTimeout(baseCtx, timeout)
+	defer cancel()
+
+	if externalCtx != nil {
+		stop2 := context.AfterFunc(externalCtx, cancel)
+		defer stop2()
+	}
+
+	r := new(dns.Msg).SetQuestion(testRecord, dns.TypeSOA)
+
+	_, _, err := u.upstreamClient.exchange(mergedCtx, server.String(), r)
+	return err
+}
+
 // clientUDPMaxSize returns the maximum UDP response size the client accepts.
 func clientUDPMaxSize(r *dns.Msg) int {
 	if opt := r.IsEdns0(); opt != nil {
@@ -655,10 +511,13 @@ func clientUDPMaxSize(r *dns.Msg) int {
 // ExchangeWithFallback exchanges a DNS message with the upstream server.
 // It first tries to use UDP, and if it is truncated, it falls back to TCP.
 // If the inbound request came over TCP (via context), it skips the UDP attempt.
+// If the passed context is nil, this will use Exchange instead of ExchangeContext.
 func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, upstream string) (*dns.Msg, time.Duration, error) {
 	// If the request came in over TCP, go straight to TCP upstream.
 	if dnsProtocolFromContext(ctx) == protoTCP {
-		rm, t, err := toTCPClient(client).ExchangeContext(ctx, r, upstream)
+		tcpClient := *client
+		tcpClient.Net = protoTCP
+		rm, t, err := tcpClient.ExchangeContext(ctx, r, upstream)
 		if err != nil {
 			return nil, t, fmt.Errorf("with tcp: %w", err)
 		}
@@ -678,7 +537,18 @@ func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, u
 		opt.SetUDPSize(maxUDPPayload)
 	}

-	rm, t, err := client.ExchangeContext(ctx, r, upstream)
+	var (
+		rm  *dns.Msg
+		t   time.Duration
+		err error
+	)
+
+	if ctx == nil {
+		rm, t, err = client.Exchange(r, upstream)
+	} else {
+		rm, t, err = client.ExchangeContext(ctx, r, upstream)
+	}
+
 	if err != nil {
 		return nil, t, fmt.Errorf("with udp: %w", err)
 	}
@@ -692,7 +562,15 @@ func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, u
 	// data than the client's buffer, we could truncate locally and skip
 	// the TCP retry.

-	rm, t, err = toTCPClient(client).ExchangeContext(ctx, r, upstream)
+	tcpClient := *client
+	tcpClient.Net = protoTCP
+
+	if ctx == nil {
+		rm, t, err = tcpClient.Exchange(r, upstream)
+	} else {
+		rm, t, err = tcpClient.ExchangeContext(ctx, r, upstream)
+	}
+
 	if err != nil {
 		return nil, t, fmt.Errorf("with tcp: %w", err)
 	}
@@ -706,25 +584,6 @@ func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, u
 	return rm, t, nil
 }

-// toTCPClient returns a copy of c configured for TCP. If c's Dialer has a
-// *net.UDPAddr bound as LocalAddr (iOS does this to keep the source IP on
-// the tunnel interface), it is converted to the equivalent *net.TCPAddr
-// so net.Dialer doesn't reject the TCP dial with "mismatched local
-// address type".
-func toTCPClient(c *dns.Client) *dns.Client {
-	tcp := *c
-	tcp.Net = protoTCP
-	if tcp.Dialer == nil {
-		return &tcp
-	}
-	d := *tcp.Dialer
-	if ua, ok := d.LocalAddr.(*net.UDPAddr); ok {
-		d.LocalAddr = &net.TCPAddr{IP: ua.IP, Port: ua.Port, Zone: ua.Zone}
-	}
-	tcp.Dialer = &d
-	return &tcp
-}
-
 // ExchangeWithNetstack performs a DNS exchange using netstack for dialing.
 // This is needed when netstack is enabled to reach peer IPs through the tunnel.
 func ExchangeWithNetstack(ctx context.Context, nsNet *netstack.Net, r *dns.Msg, upstream string) (*dns.Msg, error) {
@@ -866,36 +725,15 @@ func findPeerForIP(ip netip.Addr, statusRecorder *peer.Status) *peer.State {
 	return bestMatch
 }

-// haMapRouteCount returns the total number of routes across all HA
-// groups in the map. route.HAMap is keyed by HAUniqueID with slices of
-// routes per key, so len(hm) is the number of HA groups, not routes.
-func haMapRouteCount(hm route.HAMap) int {
-	total := 0
-	for _, routes := range hm {
-		total += len(routes)
+func (u *upstreamResolverBase) debugUpstreamTimeout(upstream netip.AddrPort) string {
+	if u.statusRecorder == nil {
+		return ""
 	}
-	return total
-}

-// haMapContains checks whether ip is covered by any concrete prefix in
-// the HA map. haveDynamic is reported separately: dynamic (domain-based)
-// routes carry a placeholder Network that can't be prefix-checked, so we
-// can't know at this point whether ip is reached through one. Callers
-// decide how to interpret the unknown: health projection treats it as
-// "possibly routed" to avoid emitting false-positive warnings during
-// startup, while iOS dial selection requires a concrete match before
-// binding to the tunnel.
-func haMapContains(hm route.HAMap, ip netip.Addr) (matched, haveDynamic bool) {
-	for _, routes := range hm {
-		for _, r := range routes {
-			if r.IsDynamic() {
-				haveDynamic = true
-				continue
-			}
-			if r.Network.Contains(ip) {
-				return true, haveDynamic
-			}
-		}
+	peerInfo := findPeerForIP(upstream.Addr(), u.statusRecorder)
+	if peerInfo == nil {
+		return ""
 	}
-	return false, haveDynamic
+
+	return fmt.Sprintf("(routes through NetBird peer %s)", FormatPeerStatus(peerInfo))
 }
--- a/client/internal/dns/upstream_android.go
+++ b/client/internal/dns/upstream_android.go
@@ -11,7 +11,6 @@ import (

 	"github.com/netbirdio/netbird/client/internal/peer"
 	nbnet "github.com/netbirdio/netbird/client/net"
-	"github.com/netbirdio/netbird/shared/management/domain"
 )

 type upstreamResolver struct {
@@ -27,9 +26,9 @@ func newUpstreamResolver(
 	_ WGIface,
 	statusRecorder *peer.Status,
 	hostsDNSHolder *hostsDNSHolder,
-	d domain.Domain,
+	domain string,
 ) (*upstreamResolver, error) {
-	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, d)
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, domain)
 	c := &upstreamResolver{
 		upstreamResolverBase: upstreamResolverBase,
 		hostsDNSHolder:       hostsDNSHolder,
--- a/client/internal/dns/upstream_general.go
+++ b/client/internal/dns/upstream_general.go
@@ -12,7 +12,6 @@ import (
 	"golang.zx2c4.com/wireguard/tun/netstack"

 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/shared/management/domain"
 )

 type upstreamResolver struct {
@@ -25,9 +24,9 @@ func newUpstreamResolver(
 	wgIface WGIface,
 	statusRecorder *peer.Status,
 	_ *hostsDNSHolder,
-	d domain.Domain,
+	domain string,
 ) (*upstreamResolver, error) {
-	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, d)
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, domain)
 	nonIOS := &upstreamResolver{
 		upstreamResolverBase: upstreamResolverBase,
 		nsNet:                wgIface.GetNet(),
--- a/client/internal/dns/upstream_ios.go
+++ b/client/internal/dns/upstream_ios.go
@@ -15,7 +15,6 @@ import (
 	"golang.org/x/sys/unix"

 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/shared/management/domain"
 )

 type upstreamResolverIOS struct {
@@ -28,9 +27,9 @@ func newUpstreamResolver(
 	wgIface WGIface,
 	statusRecorder *peer.Status,
 	_ *hostsDNSHolder,
-	d domain.Domain,
+	domain string,
 ) (*upstreamResolverIOS, error) {
-	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, d)
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, domain)

 	ios := &upstreamResolverIOS{
 		upstreamResolverBase: upstreamResolverBase,
@@ -63,16 +62,9 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 		upstreamIP = upstreamIP.Unmap()
 	}
 	addr := u.wgIface.Address()
-	var routed bool
-	if u.selectedRoutes != nil {
-		// Only a concrete prefix match binds to the tunnel: dialing
-		// through a private client for an upstream we can't prove is
-		// routed would break public resolvers.
-		routed, _ = haMapContains(u.selectedRoutes(), upstreamIP)
-	}
 	needsPrivate := addr.Network.Contains(upstreamIP) ||
 		addr.IPv6Net.Contains(upstreamIP) ||
-		routed
+		(u.routeMatch != nil && u.routeMatch(upstreamIP))
 	if needsPrivate {
 		log.Debugf("using private client to query %s via upstream %s", r.Question[0].Name, upstream)
 		client, err = GetClientPrivate(u.wgIface, upstreamIP, timeout)
@@ -81,7 +73,8 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 		}
 	}

-	return ExchangeWithFallback(ctx, client, r, upstream)
+	// Cannot use client.ExchangeContext because it overwrites our Dialer
+	return ExchangeWithFallback(nil, client, r, upstream)
 }

 // GetClientPrivate returns a new DNS client bound to the local IP of the Netbird interface.
--- a/client/internal/dns/upstream_test.go
+++ b/client/internal/dns/upstream_test.go
@@ -6,7 +6,6 @@ import (
 	"net"
 	"net/netip"
 	"strings"
-	"sync/atomic"
 	"testing"
 	"time"

@@ -74,7 +73,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 					servers = append(servers, netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port()))
 				}
 			}
-			resolver.addRace(servers)
+			resolver.upstreamServers = servers
 			resolver.upstreamTimeout = testCase.timeout
 			if testCase.cancelCTX {
 				cancel()
@@ -133,10 +132,20 @@ func (m *mockNetstackProvider) GetInterfaceGUIDString() (string, error) {
 	return "", nil
 }

+type mockUpstreamResolver struct {
+	r   *dns.Msg
+	rtt time.Duration
+	err error
+}
+
+// exchange mock implementation of exchange from upstreamResolver
+func (c mockUpstreamResolver) exchange(_ context.Context, _ string, _ *dns.Msg) (*dns.Msg, time.Duration, error) {
+	return c.r, c.rtt, c.err
+}
+
 type mockUpstreamResponse struct {
-	msg   *dns.Msg
-	err   error
-	delay time.Duration
+	msg *dns.Msg
+	err error
 }

 type mockUpstreamResolverPerServer struct {
@@ -144,19 +153,63 @@ type mockUpstreamResolverPerServer struct {
 	rtt       time.Duration
 }

-func (c mockUpstreamResolverPerServer) exchange(ctx context.Context, upstream string, _ *dns.Msg) (*dns.Msg, time.Duration, error) {
-	r, ok := c.responses[upstream]
-	if !ok {
-		return nil, c.rtt, fmt.Errorf("no mock response for %s", upstream)
+func (c mockUpstreamResolverPerServer) exchange(_ context.Context, upstream string, _ *dns.Msg) (*dns.Msg, time.Duration, error) {
+	if r, ok := c.responses[upstream]; ok {
+		return r.msg, c.rtt, r.err
 	}
-	if r.delay > 0 {
-		select {
-		case <-time.After(r.delay):
-		case <-ctx.Done():
-			return nil, c.rtt, ctx.Err()
-		}
+	return nil, c.rtt, fmt.Errorf("no mock response for %s", upstream)
+}
+
+func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
+	mockClient := &mockUpstreamResolver{
+		err: dns.ErrTime,
+		r:   new(dns.Msg),
+		rtt: time.Millisecond,
+	}
+
+	resolver := &upstreamResolverBase{
+		ctx:              context.TODO(),
+		upstreamClient:   mockClient,
+		upstreamTimeout:  UpstreamTimeout,
+		reactivatePeriod: time.Microsecond * 100,
+	}
+	addrPort, _ := netip.ParseAddrPort("0.0.0.0:1") // Use valid port for parsing, test will still fail on connection
+	resolver.upstreamServers = []netip.AddrPort{netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port())}
+
+	failed := false
+	resolver.deactivate = func(error) {
+		failed = true
+		// After deactivation, make the mock client work again
+		mockClient.err = nil
+	}
+
+	reactivated := false
+	resolver.reactivate = func() {
+		reactivated = true
+	}
+
+	resolver.ProbeAvailability(context.TODO())
+
+	if !failed {
+		t.Errorf("expected that resolving was deactivated")
+		return
+	}
+
+	if !resolver.disabled {
+		t.Errorf("resolver should be Disabled")
+		return
+	}
+
+	time.Sleep(time.Millisecond * 200)
+
+	if !reactivated {
+		t.Errorf("expected that resolving was reactivated")
+		return
+	}
+
+	if resolver.disabled {
+		t.Errorf("should be enabled")
 	}
-	return r.msg, c.rtt, r.err
 }

 func TestUpstreamResolver_Failover(t *testing.T) {
@@ -286,9 +339,9 @@ func TestUpstreamResolver_Failover(t *testing.T) {
 			resolver := &upstreamResolverBase{
 				ctx:             ctx,
 				upstreamClient:  trackingClient,
+				upstreamServers: []netip.AddrPort{upstream1, upstream2},
 				upstreamTimeout: UpstreamTimeout,
 			}
-			resolver.addRace([]netip.AddrPort{upstream1, upstream2})

 			var responseMSG *dns.Msg
 			responseWriter := &test.MockResponseWriter{
@@ -368,9 +421,9 @@ func TestUpstreamResolver_SingleUpstreamFailure(t *testing.T) {
 	resolver := &upstreamResolverBase{
 		ctx:             ctx,
 		upstreamClient:  mockClient,
+		upstreamServers: []netip.AddrPort{upstream},
 		upstreamTimeout: UpstreamTimeout,
 	}
-	resolver.addRace([]netip.AddrPort{upstream})

 	var responseMSG *dns.Msg
 	responseWriter := &test.MockResponseWriter{
@@ -387,136 +440,6 @@ func TestUpstreamResolver_SingleUpstreamFailure(t *testing.T) {
 	assert.Equal(t, dns.RcodeServerFailure, responseMSG.Rcode, "single upstream SERVFAIL should return SERVFAIL")
 }

-// TestUpstreamResolver_RaceAcrossGroups covers two nameserver groups
-// configured for the same domain, with one broken group. The merge+race
-// path should answer as fast as the working group and not pay the timeout
-// of the broken one on every query.
-func TestUpstreamResolver_RaceAcrossGroups(t *testing.T) {
-	broken := netip.MustParseAddrPort("192.0.2.1:53")
-	working := netip.MustParseAddrPort("192.0.2.2:53")
-	successAnswer := "192.0.2.100"
-	timeoutErr := &net.OpError{Op: "read", Err: fmt.Errorf("i/o timeout")}
-
-	mockClient := &mockUpstreamResolverPerServer{
-		responses: map[string]mockUpstreamResponse{
-			// Force the broken upstream to only unblock via timeout /
-			// cancellation so the assertion below can't pass if races
-			// were run serially.
-			broken.String():  {err: timeoutErr, delay: 500 * time.Millisecond},
-			working.String(): {msg: buildMockResponse(dns.RcodeSuccess, successAnswer)},
-		},
-		rtt: time.Millisecond,
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	resolver := &upstreamResolverBase{
-		ctx:             ctx,
-		upstreamClient:  mockClient,
-		upstreamTimeout: 250 * time.Millisecond,
-	}
-	resolver.addRace([]netip.AddrPort{broken})
-	resolver.addRace([]netip.AddrPort{working})
-
-	var responseMSG *dns.Msg
-	responseWriter := &test.MockResponseWriter{
-		WriteMsgFunc: func(m *dns.Msg) error {
-			responseMSG = m
-			return nil
-		},
-	}
-
-	inputMSG := new(dns.Msg).SetQuestion("example.com.", dns.TypeA)
-	start := time.Now()
-	resolver.ServeDNS(responseWriter, inputMSG)
-	elapsed := time.Since(start)
-
-	require.NotNil(t, responseMSG, "should write a response")
-	assert.Equal(t, dns.RcodeSuccess, responseMSG.Rcode)
-	require.NotEmpty(t, responseMSG.Answer)
-	assert.Contains(t, responseMSG.Answer[0].String(), successAnswer)
-	// Working group answers in a single RTT; the broken group's
-	// timeout (100ms) must not block the response.
-	assert.Less(t, elapsed, 100*time.Millisecond, "race must not wait for broken group's timeout")
-}
-
-// TestUpstreamResolver_AllGroupsFail checks that when every group fails the
-// resolver returns SERVFAIL rather than leaking a partial response.
-func TestUpstreamResolver_AllGroupsFail(t *testing.T) {
-	a := netip.MustParseAddrPort("192.0.2.1:53")
-	b := netip.MustParseAddrPort("192.0.2.2:53")
-
-	mockClient := &mockUpstreamResolverPerServer{
-		responses: map[string]mockUpstreamResponse{
-			a.String(): {msg: buildMockResponse(dns.RcodeServerFailure, "")},
-			b.String(): {msg: buildMockResponse(dns.RcodeServerFailure, "")},
-		},
-		rtt: time.Millisecond,
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	resolver := &upstreamResolverBase{
-		ctx:             ctx,
-		upstreamClient:  mockClient,
-		upstreamTimeout: UpstreamTimeout,
-	}
-	resolver.addRace([]netip.AddrPort{a})
-	resolver.addRace([]netip.AddrPort{b})
-
-	var responseMSG *dns.Msg
-	responseWriter := &test.MockResponseWriter{
-		WriteMsgFunc: func(m *dns.Msg) error {
-			responseMSG = m
-			return nil
-		},
-	}
-
-	resolver.ServeDNS(responseWriter, new(dns.Msg).SetQuestion("example.com.", dns.TypeA))
-	require.NotNil(t, responseMSG)
-	assert.Equal(t, dns.RcodeServerFailure, responseMSG.Rcode)
-}
-
-// TestUpstreamResolver_HealthTracking verifies that query-path results are
-// recorded into per-upstream health, which is what projects back to
-// NSGroupState for status reporting.
-func TestUpstreamResolver_HealthTracking(t *testing.T) {
-	ok := netip.MustParseAddrPort("192.0.2.10:53")
-	bad := netip.MustParseAddrPort("192.0.2.11:53")
-
-	mockClient := &mockUpstreamResolverPerServer{
-		responses: map[string]mockUpstreamResponse{
-			ok.String():  {msg: buildMockResponse(dns.RcodeSuccess, "192.0.2.100")},
-			bad.String(): {msg: buildMockResponse(dns.RcodeServerFailure, "")},
-		},
-		rtt: time.Millisecond,
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	resolver := &upstreamResolverBase{
-		ctx:             ctx,
-		upstreamClient:  mockClient,
-		upstreamTimeout: UpstreamTimeout,
-	}
-	resolver.addRace([]netip.AddrPort{ok, bad})
-
-	responseWriter := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { return nil }}
-	resolver.ServeDNS(responseWriter, new(dns.Msg).SetQuestion("example.com.", dns.TypeA))
-
-	health := resolver.UpstreamHealth()
-	require.Contains(t, health, ok)
-	assert.False(t, health[ok].LastOk.IsZero(), "ok upstream should have LastOk set")
-	assert.Empty(t, health[ok].LastErr)
-
-	// bad upstream was never tried because ok answered first; its health
-	// should remain unset.
-	assert.NotContains(t, health, bad, "sibling upstream should not be queried when primary answers")
-}
-
 func TestFormatFailures(t *testing.T) {
 	testCases := []struct {
 		name     string
@@ -742,10 +665,10 @@ func TestExchangeWithFallback_EDNS0Capped(t *testing.T) {
 	// Verify that a client EDNS0 larger than our MTU-derived limit gets
 	// capped in the outgoing request so the upstream doesn't send a
 	// response larger than our read buffer.
-	var receivedUDPSize atomic.Uint32
+	var receivedUDPSize uint16
 	udpHandler := dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {
 		if opt := r.IsEdns0(); opt != nil {
-			receivedUDPSize.Store(uint32(opt.UDPSize()))
+			receivedUDPSize = opt.UDPSize()
 		}
 		m := new(dns.Msg)
 		m.SetReply(r)
@@ -776,7 +699,7 @@ func TestExchangeWithFallback_EDNS0Capped(t *testing.T) {
 	require.NotNil(t, rm)

 	expectedMax := uint16(currentMTU - ipUDPHeaderSize)
-	assert.Equal(t, expectedMax, uint16(receivedUDPSize.Load()),
+	assert.Equal(t, expectedMax, receivedUDPSize,
 		"upstream should see capped EDNS0, not the client's 4096")
 }

@@ -847,132 +770,3 @@ func TestExchangeWithFallback_TCPTruncatesToClientSize(t *testing.T) {
 	assert.Less(t, len(rm2.Answer), 20, "small EDNS0 client should get fewer records")
 	assert.True(t, rm2.Truncated, "response should be truncated for small buffer client")
 }
-
-func msgWithEDE(rcode int, codes ...uint16) *dns.Msg {
-	m := new(dns.Msg)
-	m.Response = true
-	m.Rcode = rcode
-	if len(codes) == 0 {
-		return m
-	}
-	opt := &dns.OPT{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeOPT}}
-	opt.SetUDPSize(dns.MinMsgSize)
-	for _, c := range codes {
-		opt.Option = append(opt.Option, &dns.EDNS0_EDE{InfoCode: c})
-	}
-	m.Extra = append(m.Extra, opt)
-	return m
-}
-
-func TestNonRetryableEDE(t *testing.T) {
-	tests := []struct {
-		name     string
-		msg      *dns.Msg
-		wantOK   bool
-		wantCode uint16
-	}{
-		{name: "no edns0", msg: msgWithEDE(dns.RcodeServerFailure)},
-		{
-			name: "opt without ede",
-			msg: func() *dns.Msg {
-				m := msgWithEDE(dns.RcodeServerFailure)
-				opt := &dns.OPT{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeOPT}}
-				opt.Option = append(opt.Option, &dns.EDNS0_NSID{Code: dns.EDNS0NSID})
-				m.Extra = []dns.RR{opt}
-				return m
-			}(),
-		},
-		{name: "ede dnsbogus", msg: msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeDNSBogus), wantOK: true, wantCode: dns.ExtendedErrorCodeDNSBogus},
-		{name: "ede signature expired", msg: msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeSignatureExpired), wantOK: true, wantCode: dns.ExtendedErrorCodeSignatureExpired},
-		{name: "ede blocked", msg: msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeBlocked), wantOK: true, wantCode: dns.ExtendedErrorCodeBlocked},
-		{name: "ede prohibited", msg: msgWithEDE(dns.RcodeRefused, dns.ExtendedErrorCodeProhibited), wantOK: true, wantCode: dns.ExtendedErrorCodeProhibited},
-		{name: "ede cached error retryable", msg: msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeCachedError)},
-		{name: "ede network error retryable", msg: msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeNetworkError)},
-		{name: "ede not ready retryable", msg: msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeNotReady)},
-		{
-			name:     "first non-retryable wins",
-			msg:      msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeNetworkError, dns.ExtendedErrorCodeDNSBogus),
-			wantOK:   true,
-			wantCode: dns.ExtendedErrorCodeDNSBogus,
-		},
-	}
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			code, ok := nonRetryableEDE(tc.msg)
-			assert.Equal(t, tc.wantOK, ok, "ok should match")
-			if tc.wantOK {
-				assert.Equal(t, tc.wantCode, code, "code should match")
-			}
-		})
-	}
-}
-
-func TestEDEName(t *testing.T) {
-	assert.Equal(t, "DNSSEC Bogus", edeName(dns.ExtendedErrorCodeDNSBogus))
-	assert.Equal(t, "Signature Expired", edeName(dns.ExtendedErrorCodeSignatureExpired))
-	assert.Equal(t, "EDE 9999", edeName(9999), "unknown code falls back to numeric")
-}
-
-func TestStripOPT(t *testing.T) {
-	rm := &dns.Msg{
-		Extra: []dns.RR{
-			&dns.OPT{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeOPT}},
-			&dns.A{Hdr: dns.RR_Header{Name: "x.", Rrtype: dns.TypeA}, A: net.IPv4(1, 2, 3, 4)},
-		},
-	}
-	stripOPT(rm)
-	assert.Len(t, rm.Extra, 1, "OPT should be removed, A kept")
-	_, isOPT := rm.Extra[0].(*dns.OPT)
-	assert.False(t, isOPT, "remaining record must not be OPT")
-}
-
-func TestUpstreamResolver_NonRetryableEDEShortCircuits(t *testing.T) {
-	upstream1 := netip.MustParseAddrPort("192.0.2.1:53")
-	upstream2 := netip.MustParseAddrPort("192.0.2.2:53")
-
-	servfailWithEDE := msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeDNSBogus)
-	successResp := buildMockResponse(dns.RcodeSuccess, "192.0.2.100")
-
-	var queried []string
-	tracking := &trackingMockClient{
-		inner: &mockUpstreamResolverPerServer{
-			responses: map[string]mockUpstreamResponse{
-				upstream1.String(): {msg: servfailWithEDE},
-				upstream2.String(): {msg: successResp},
-			},
-			rtt: time.Millisecond,
-		},
-		queriedUpstreams: &queried,
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	resolver := &upstreamResolverBase{
-		ctx:             ctx,
-		upstreamClient:  tracking,
-		upstreamServers: []upstreamRace{{upstream1, upstream2}},
-		upstreamTimeout: UpstreamTimeout,
-	}
-
-	var written *dns.Msg
-	w := &test.MockResponseWriter{
-		WriteMsgFunc: func(m *dns.Msg) error {
-			written = m
-			return nil
-		},
-	}
-
-	// Client query without EDNS0 must not see an OPT in the response.
-	q := new(dns.Msg).SetQuestion("example.com.", dns.TypeA)
-	resolver.ServeDNS(w, q)
-
-	require.NotNil(t, written, "response must be written")
-	assert.Equal(t, dns.RcodeServerFailure, written.Rcode, "SERVFAIL must propagate")
-	assert.Len(t, queried, 1, "only first upstream should be queried")
-	assert.Equal(t, upstream1.String(), queried[0])
-	for _, rr := range written.Extra {
-		_, isOPT := rr.(*dns.OPT)
-		assert.False(t, isOPT, "synthetic OPT must not leak to a non-EDNS0 client")
-	}
-}
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -512,7 +512,16 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)

 	e.routeManager.SetRouteChangeListener(e.mobileDep.NetworkChangeListener)

-	e.dnsServer.SetRouteSources(e.routeManager.GetSelectedClientRoutes, e.routeManager.GetActiveClientRoutes)
+	e.dnsServer.SetRouteChecker(func(ip netip.Addr) bool {
+		for _, routes := range e.routeManager.GetSelectedClientRoutes() {
+			for _, r := range routes {
+				if r.Network.Contains(ip) {
+					return true
+				}
+			}
+		}
+		return false
+	})

 	if err = e.wgInterfaceCreate(); err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", e.config.WgIfaceName, err.Error())
@@ -1377,6 +1386,9 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {

 	e.networkSerial = serial

+	// Test received (upstream) servers for availability right away instead of upon usage.
+	// If no server of a server group responds this will disable the respective handler and retry later.
+	go e.dnsServer.ProbeAvailability()
 	return nil
 }

@@ -1920,7 +1932,7 @@ func (e *Engine) newDnsServer(dnsConfig *nbdns.Config) (dns.Server, error) {
 		return dnsServer, nil

 	case "ios":
-		dnsServer := dns.NewDefaultServerIos(e.ctx, e.wgInterface, e.mobileDep.DnsManager, e.statusRecorder, e.config.DisableDNS)
+		dnsServer := dns.NewDefaultServerIos(e.ctx, e.wgInterface, e.mobileDep.DnsManager, e.mobileDep.HostDNSAddresses, e.statusRecorder, e.config.DisableDNS)
 		return dnsServer, nil

 	default:
@@ -1967,29 +1979,6 @@ func (e *Engine) GetClientMetrics() *metrics.ClientMetrics {
 	return e.clientMetrics
 }

-// Performance bundles runtime-adjustable tunnel pool knobs.
-// See Engine.SetPerformance. Nil fields are ignored.
-type Performance struct {
-	PreallocatedBuffersPerPool *uint32
-}
-
-// SetPerformance applies the given tuning to this engine's live Device.
-func (e *Engine) SetPerformance(t Performance) error {
-	e.syncMsgMux.Lock()
-	defer e.syncMsgMux.Unlock()
-	if e.wgInterface == nil {
-		return fmt.Errorf("wg interface not initialized")
-	}
-	dev := e.wgInterface.GetWGDevice()
-	if dev == nil {
-		return fmt.Errorf("wg device not initialized")
-	}
-	if t.PreallocatedBuffersPerPool != nil {
-		dev.SetPreallocatedBuffersPerPool(*t.PreallocatedBuffersPerPool)
-	}
-	return nil
-}
-
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {
 	iface, err := net.InterfaceByName(ifaceName)
 	if err != nil {
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -27,7 +27,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/management/server/job"

-	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
+	"github.com/netbirdio/management-integrations/integrations"

 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
@@ -66,8 +66,8 @@ import (
 	"github.com/netbirdio/netbird/route"
 	mgmt "github.com/netbirdio/netbird/shared/management/client"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
-	"github.com/netbirdio/netbird/shared/netiputil"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
+	"github.com/netbirdio/netbird/shared/netiputil"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	"github.com/netbirdio/netbird/shared/signal/proto"
 	signalServer "github.com/netbirdio/netbird/signal/server"
@@ -1641,7 +1641,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 		return nil, "", err
 	}

-	ia, _ := validator.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore, cacheStore)
+	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore, cacheStore)

 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
--- a/client/internal/networkmonitor/check_change_common.go
+++ b/client/internal/networkmonitor/check_change_common.go
@@ -50,7 +50,7 @@ func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Next
 		switch msg.Type {
 		// handle route changes
 		case unix.RTM_ADD, syscall.RTM_DELETE:
-			route, flags, err := parseRouteMessage(buf[:n])
+			route, err := parseRouteMessage(buf[:n])
 			if err != nil {
 				log.Debugf("Network monitor: error parsing routing message: %v", err)
 				continue
@@ -66,10 +66,6 @@ func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Next
 			}
 			switch msg.Type {
 			case unix.RTM_ADD:
-				if systemops.IgnoreAddedDefaultRoute(flags) {
-					log.Debugf("Network monitor: ignoring added default route via %s, interface %s, flags %#x", route.Gw, intf, flags)
-					continue
-				}
 				log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
 				return nil
 			case unix.RTM_DELETE:
@@ -82,26 +78,22 @@ func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Next
 	}
 }

-func parseRouteMessage(buf []byte) (*systemops.Route, int, error) {
+func parseRouteMessage(buf []byte) (*systemops.Route, error) {
 	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
 	if err != nil {
-		return nil, 0, fmt.Errorf("parse RIB: %v", err)
+		return nil, fmt.Errorf("parse RIB: %v", err)
 	}

 	if len(msgs) != 1 {
-		return nil, 0, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
+		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
 	}

 	msg, ok := msgs[0].(*route.RouteMessage)
 	if !ok {
-		return nil, 0, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
+		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
 	}

-	r, err := systemops.MsgToRoute(msg)
-	if err != nil {
-		return nil, 0, err
-	}
-	return r, msg.Flags, nil
+	return systemops.MsgToRoute(msg)
 }

 // waitReadable blocks until fd has data to read, or ctx is cancelled.
--- a/client/internal/owner/config.go
+++ b/client/internal/owner/config.go
@@ -1,46 +0,0 @@
-package owner
-
-import (
-	"fmt"
-	"sync"
-)
-
-// ConfigAdapter is a thread-safe OwnerConfig that delegates to a lazily-set backend.
-// This allows the interceptor to be created before the daemon server (and its config)
-// is initialized, which is necessary because gRPC interceptors are set at server creation time.
-type ConfigAdapter struct {
-	mu      sync.RWMutex
-	backend OwnerConfig
-}
-
-// SetBackend sets the actual config implementation. Must be called before any RPCs are served.
-func (a *ConfigAdapter) SetBackend(backend OwnerConfig) {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	a.backend = backend
-}
-
-// GetOwnerUIDs delegates to the backend.
-func (a *ConfigAdapter) GetOwnerUIDs() []UID {
-	a.mu.RLock()
-	defer a.mu.RUnlock()
-
-	if a.backend == nil {
-		// No backend yet, return empty (root-only).
-		return []UID{}
-	}
-
-	return a.backend.GetOwnerUIDs()
-}
-
-// AddOwnerUID delegates to the backend.
-func (a *ConfigAdapter) AddOwnerUID(uid UID) error {
-	a.mu.RLock()
-	defer a.mu.RUnlock()
-
-	if a.backend == nil {
-		return fmt.Errorf("owner config backend not initialized")
-	}
-
-	return a.backend.AddOwnerUID(uid)
-}
--- a/client/internal/owner/consoleuser/consoleuser.go
+++ b/client/internal/owner/consoleuser/consoleuser.go
@@ -1,17 +0,0 @@
-// Package consoleuser provides the OS-level "active console user" UID lookup
-// used to gate ownership TOFU. The active console user is the local user
-// physically at the machine (or in the foreground GUI session): the user that
-// can legitimately claim the daemon as theirs on first run.
-package consoleuser
-
-// ActiveUID returns the UID of the currently active console / GUI session
-// user, and true if such a user exists. Returns 0, false on platforms without
-// a console concept (ios, android), on headless servers with no active
-// session, or on lookup failure.
-//
-// Implementations must fail closed: any error or ambiguity returns (0, false)
-// so that the caller treats the result as "no console user" rather than
-// granting access to an unverified UID.
-func ActiveUID() (uint32, bool) {
-	return activeUID()
-}
--- a/client/internal/owner/consoleuser/consoleuser_darwin.go
+++ b/client/internal/owner/consoleuser/consoleuser_darwin.go
@@ -1,58 +0,0 @@
-package consoleuser
-
-import (
-	"unsafe"
-
-	"github.com/ebitengine/purego"
-)
-
-// activeUID returns the UID of the user currently logged into the macOS GUI
-// console session. Uses SCDynamicStoreCopyConsoleUser from the
-// SystemConfiguration framework via purego (no cgo).
-func activeUID() (uint32, bool) {
-	sc, err := purego.Dlopen(
-		"/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration",
-		purego.RTLD_NOW|purego.RTLD_GLOBAL,
-	)
-	if err != nil {
-		return 0, false
-	}
-
-	cf, err := purego.Dlopen(
-		"/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation",
-		purego.RTLD_NOW|purego.RTLD_GLOBAL,
-	)
-	if err != nil {
-		return 0, false
-	}
-
-	// CFStringRef SCDynamicStoreCopyConsoleUser(SCDynamicStoreRef store,
-	//     uid_t *uid, gid_t *gid);
-	//
-	// We pass nil for the store (NULL is accepted; the framework creates a
-	// transient one), discard the returned CFStringRef username (we only
-	// need the UID), and read uid via the out-pointer.
-	var copyConsoleUser func(store uintptr, uidPtr, gidPtr unsafe.Pointer) uintptr
-	purego.RegisterLibFunc(&copyConsoleUser, sc, "SCDynamicStoreCopyConsoleUser")
-
-	var cfRelease func(uintptr)
-	purego.RegisterLibFunc(&cfRelease, cf, "CFRelease")
-
-	var uid uint32
-	var gid uint32
-
-	cfStr := copyConsoleUser(0, unsafe.Pointer(&uid), unsafe.Pointer(&gid))
-	if cfStr == 0 {
-		return 0, false
-	}
-	cfRelease(cfStr)
-
-	// loginwindow / no GUI session reports uid 0. We don't want the
-	// console-user path to grant anything to root (root is already always
-	// allowed by the interceptor), so treat uid 0 as "no console user".
-	if uid == 0 {
-		return 0, false
-	}
-
-	return uid, true
-}
--- a/client/internal/owner/consoleuser/consoleuser_freebsd.go
+++ b/client/internal/owner/consoleuser/consoleuser_freebsd.go
@@ -1,34 +0,0 @@
-package consoleuser
-
-import (
-	"fmt"
-	"os"
-	"syscall"
-)
-
-// activeUID returns the UID of the user currently logged into the FreeBSD
-// console. FreeBSD's vt(4) chowns the active virtual terminal device to the
-// logged-in user, so a non-root owner of any /dev/ttyvN reliably identifies
-// the console user.
-//
-// We scan /dev/ttyv0../dev/ttyv9 and return the first non-root owner. Network
-// ptys (pts) are intentionally not considered: SSH'd users are not "at the
-// console" and must not TOFU-claim ownership.
-func activeUID() (uint32, bool) {
-	for i := 0; i < 10; i++ {
-		path := fmt.Sprintf("/dev/ttyv%d", i)
-		fi, err := os.Stat(path)
-		if err != nil {
-			continue
-		}
-		st, ok := fi.Sys().(*syscall.Stat_t)
-		if !ok {
-			continue
-		}
-		if st.Uid == 0 {
-			continue
-		}
-		return st.Uid, true
-	}
-	return 0, false
-}
--- a/client/internal/owner/consoleuser/consoleuser_linux.go
+++ b/client/internal/owner/consoleuser/consoleuser_linux.go
@@ -1,64 +0,0 @@
-package consoleuser
-
-import (
-	"github.com/godbus/dbus/v5"
-)
-
-const (
-	loginDest      = "org.freedesktop.login1"
-	loginPath      = dbus.ObjectPath("/org/freedesktop/login1")
-	loginInterface = "org.freedesktop.login1.Manager"
-	listSessions   = loginInterface + ".ListSessions"
-
-	sessionInterface = "org.freedesktop.login1.Session"
-	sessionActive    = sessionInterface + ".Active"
-	sessionClass     = sessionInterface + ".Class"
-)
-
-// activeUID queries systemd-logind for the active local user session and
-// returns that user's UID. Falls back to (0, false) on any error or when no
-// active user session exists (headless box, no GUI, no login at the console).
-func activeUID() (uint32, bool) {
-	conn, err := dbus.SystemBus()
-	if err != nil {
-		return 0, false
-	}
-
-	mgr := conn.Object(loginDest, loginPath)
-
-	// ListSessions returns []struct{ID string; UID uint32; User string;
-	// Seat string; Path dbus.ObjectPath}.
-	var sessions []struct {
-		ID   string
-		UID  uint32
-		User string
-		Seat string
-		Path dbus.ObjectPath
-	}
-	if err := mgr.Call(listSessions, 0).Store(&sessions); err != nil {
-		return 0, false
-	}
-
-	for _, s := range sessions {
-		obj := conn.Object(loginDest, s.Path)
-
-		active, err := obj.GetProperty(sessionActive)
-		if err != nil || active.Value() != true {
-			continue
-		}
-
-		class, err := obj.GetProperty(sessionClass)
-		if err != nil {
-			continue
-		}
-		// Only "user" sessions count; "greeter" / "lock-screen" / etc. are
-		// not someone we should grant ownership to.
-		if classStr, ok := class.Value().(string); !ok || classStr != "user" {
-			continue
-		}
-
-		return s.UID, true
-	}
-
-	return 0, false
-}
--- a/client/internal/owner/consoleuser/consoleuser_other.go
+++ b/client/internal/owner/consoleuser/consoleuser_other.go
@@ -1,9 +0,0 @@
-//go:build !linux && !darwin && !freebsd && !windows
-
-package consoleuser
-
-// activeUID has no meaning on platforms without a console-user concept
-// (ios, android). Returns no-user so TOFU never fires.
-func activeUID() (uint32, bool) {
-	return 0, false
-}
--- a/client/internal/owner/consoleuser/consoleuser_windows.go
+++ b/client/internal/owner/consoleuser/consoleuser_windows.go
@@ -1,59 +0,0 @@
-package consoleuser
-
-import (
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-// activeUID returns a synthetic UID (the user SID's RID) for the currently
-// active Windows console session. The owner package treats UIDs as opaque
-// uint32 identifiers; on Windows we use the user account RID, which is stable
-// per-account on a given machine.
-//
-// Returns (0, false) when there is no active console session, the session has
-// no logged-in user, or any lookup fails.
-func activeUID() (uint32, bool) {
-	sessionID := windows.WTSGetActiveConsoleSessionId()
-	if sessionID == 0xFFFFFFFF {
-		return 0, false
-	}
-
-	var token windows.Token
-	if err := windows.WTSQueryUserToken(sessionID, &token); err != nil {
-		return 0, false
-	}
-	defer token.Close()
-
-	user, err := tokenUserSID(token)
-	if err != nil || user == nil {
-		return 0, false
-	}
-
-	subCount := user.SubAuthorityCount()
-	if subCount == 0 {
-		return 0, false
-	}
-	rid := user.SubAuthority(uint32(subCount) - 1)
-	if rid == 0 {
-		return 0, false
-	}
-	return rid, true
-}
-
-// tokenUserSID returns the user SID associated with the given access token.
-func tokenUserSID(token windows.Token) (*windows.SID, error) {
-	var size uint32
-	err := windows.GetTokenInformation(token, windows.TokenUser, nil, 0, &size)
-	if err != windows.ERROR_INSUFFICIENT_BUFFER {
-		return nil, err
-	}
-
-	buf := make([]byte, size)
-	if err := windows.GetTokenInformation(token, windows.TokenUser, &buf[0], size, &size); err != nil {
-		return nil, err
-	}
-
-	tu := (*windows.Tokenuser)(unsafe.Pointer(&buf[0]))
-	return tu.User.Sid, nil
-}
--- a/client/internal/owner/creds.go
+++ b/client/internal/owner/creds.go
@@ -1,37 +0,0 @@
-package owner
-
-import (
-	"context"
-
-	"google.golang.org/grpc/credentials"
-	"google.golang.org/grpc/peer"
-)
-
-// UnixAuthInfo implements credentials.AuthInfo carrying the peer's UID from SO_PEERCRED.
-type UnixAuthInfo struct {
-	credentials.CommonAuthInfo
-	UID UID
-	GID uint32
-	PID int32
-}
-
-// AuthType returns the authentication type.
-func (u UnixAuthInfo) AuthType() string {
-	return "unix_peercred"
-}
-
-// UIDFromContext extracts the caller's UID from the gRPC peer context.
-// Returns uid and true if Unix credentials were available, 0 and false otherwise.
-func UIDFromContext(ctx context.Context) (UID, bool) {
-	p, ok := peer.FromContext(ctx)
-	if !ok {
-		return 0, false
-	}
-
-	info, ok := p.AuthInfo.(UnixAuthInfo)
-	if !ok {
-		return 0, false
-	}
-
-	return info.UID, true
-}
--- a/client/internal/owner/env.go
+++ b/client/internal/owner/env.go
@@ -1,48 +0,0 @@
-package owner
-
-import (
-	"os"
-	"strconv"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-)
-
-// EnvOwnerUID is the environment variable that seeds the owner UID list for new config files.
-// MDM deployments can set this (e.g. via --service-env NB_OWNER_UID=1000) so the first
-// config created by the daemon pre-populates the owner without requiring "netbird up --owner".
-// Multiple UIDs can be comma-separated: NB_OWNER_UID=1000,1001
-const EnvOwnerUID = "NB_OWNER_UID"
-
-// OwnerUIDsFromEnv parses NB_OWNER_UID into a UID slice.
-// Returns nil if the variable is unset, allowing the caller to distinguish
-// "not configured" from "explicitly empty".
-func OwnerUIDsFromEnv() []UID {
-	val := os.Getenv(EnvOwnerUID)
-	if val == "" {
-		return nil
-	}
-
-	parts := strings.Split(val, ",")
-	uids := make([]UID, 0, len(parts))
-	for _, p := range parts {
-		p = strings.TrimSpace(p)
-		if p == "" {
-			continue
-		}
-		uid, err := strconv.ParseUint(p, 10, 32)
-		if err != nil {
-			log.Warnf("ignoring invalid UID %q in %s: %v", p, EnvOwnerUID, err)
-			continue
-		}
-		uids = append(uids, UID(uid))
-	}
-
-	if len(uids) == 0 {
-		log.Warnf("%s set but contains no valid UIDs, defaulting to root-only", EnvOwnerUID)
-		return []UID{}
-	}
-
-	log.Infof("seeding owner UIDs from %s: %v", EnvOwnerUID, uids)
-	return uids
-}
--- a/client/internal/owner/env_test.go
+++ b/client/internal/owner/env_test.go
@@ -1,81 +0,0 @@
-package owner
-
-import (
-	"os"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestOwnerUIDsFromEnv(t *testing.T) {
-	tests := []struct {
-		name     string
-		envValue string
-		unset    bool
-		want     []UID
-	}{
-		{
-			name:  "unset returns nil",
-			unset: true,
-			want:  nil,
-		},
-		{
-			name:     "empty string returns nil",
-			envValue: "",
-			want:     nil,
-		},
-		{
-			name:     "single UID",
-			envValue: "1000",
-			want:     []UID{1000},
-		},
-		{
-			name:     "multiple UIDs",
-			envValue: "1000,1001,1002",
-			want:     []UID{1000, 1001, 1002},
-		},
-		{
-			name:     "spaces around UIDs",
-			envValue: " 1000 , 1001 ",
-			want:     []UID{1000, 1001},
-		},
-		{
-			name:     "invalid UID skipped",
-			envValue: "1000,notanumber,1001",
-			want:     []UID{1000, 1001},
-		},
-		{
-			name:     "all invalid returns empty slice",
-			envValue: "abc,def",
-			want:     []UID{},
-		},
-		{
-			name:     "trailing comma",
-			envValue: "1000,",
-			want:     []UID{1000},
-		},
-		{
-			name:     "zero UID is valid",
-			envValue: "0",
-			want:     []UID{0},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Setenv(EnvOwnerUID, tt.envValue)
-			if tt.unset {
-				os.Unsetenv(EnvOwnerUID)
-			}
-
-			got := OwnerUIDsFromEnv()
-
-			if tt.want == nil {
-				require.Nil(t, got)
-			} else {
-				assert.Equal(t, tt.want, got)
-			}
-		})
-	}
-}
--- a/client/internal/owner/interceptor.go
+++ b/client/internal/owner/interceptor.go
@@ -1,170 +0,0 @@
-package owner
-
-import (
-	"context"
-	"slices"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/internal/owner/consoleuser"
-)
-
-const servicePath = "/daemon.DaemonService/"
-
-// profileBypassMethods skip the active-profile owner check. They either
-// operate on a specific target profile (and the handler enforces target-profile
-// owner-or-root itself) or are per-user listings/creations that don't affect
-// the active session and shouldn't require active-profile ownership. Peer
-// credentials are still required.
-var profileBypassMethods = map[string]bool{
-	servicePath + "AddProfile":    true,
-	servicePath + "ListProfiles":  true,
-	servicePath + "RemoveProfile": true,
-	servicePath + "SwitchProfile": true,
-}
-
-// Error messages returned to denied callers. They are multi-line so the
-// suggested commands sit on their own line for easy triple-click copy-paste.
-const (
-	errNoPeerCreds = "peer credentials unavailable; rerun via the netbird CLI"
-
-	errNoOwnerConfigured = `no daemon owner is configured and no console-session user matches your UID.
-Run as root for one-off use:
-    sudo netbird ...
-Or call from the active console session: the first call from the user logged in
-at the GUI/console claims ownership automatically.`
-
-	errOwnerRequired = `this operation requires root or the daemon owner (uid %d is not an owner).
-Run as root for one-off use:
-    sudo netbird ...
-Or ask an existing owner (or root) to add you:
-    sudo netbird owner add %[1]d`
-)
-
-// consoleUIDLookup is the function used to look up the active console UID.
-// Overridable in tests; defaults to the platform implementation.
-var consoleUIDLookup = consoleuser.ActiveUID
-
-// OwnerConfig provides access to the current owner UIDs setting.
-// The interceptor reads and writes through this interface so it can
-// work with the profile manager's config without a direct dependency.
-type OwnerConfig interface {
-	// GetOwnerUIDs returns the current owner UIDs.
-	// nil means legacy/migration TOFU (field absent from existing config).
-	// empty means fresh install (root-only with console-user TOFU exception).
-	// populated means those UIDs plus root may control the daemon.
-	GetOwnerUIDs() []UID
-
-	// AddOwnerUID adds the given UID to the owner list and persists it.
-	AddOwnerUID(uid UID) error
-}
-
-// Interceptor enforces owner restrictions on the daemon gRPC socket.
-type Interceptor struct {
-	config OwnerConfig
-	// mu serializes the read-then-write of OwnerUIDs during TOFU/claim flows
-	// so two concurrent first-callers can't both end up persisted as owners.
-	// Holds across the OwnerConfig.AddOwnerUID call; safe because no callback
-	// path takes this mutex.
-	mu sync.Mutex
-}
-
-// NewInterceptor creates an owner interceptor backed by the given config.
-func NewInterceptor(config OwnerConfig) *Interceptor {
-	return &Interceptor{config: config}
-}
-
-// UnaryInterceptor returns a gRPC unary server interceptor that enforces owner policy.
-func (i *Interceptor) UnaryInterceptor() grpc.UnaryServerInterceptor {
-	return func(
-		ctx context.Context,
-		req any,
-		info *grpc.UnaryServerInfo,
-		handler grpc.UnaryHandler,
-	) (any, error) {
-		if err := i.authorize(ctx, info.FullMethod); err != nil {
-			return nil, err
-		}
-		return handler(ctx, req)
-	}
-}
-
-// StreamInterceptor returns a gRPC stream server interceptor that enforces owner policy.
-func (i *Interceptor) StreamInterceptor() grpc.StreamServerInterceptor {
-	return func(
-		srv any,
-		ss grpc.ServerStream,
-		info *grpc.StreamServerInfo,
-		handler grpc.StreamHandler,
-	) error {
-		if err := i.authorize(ss.Context(), info.FullMethod); err != nil {
-			return err
-		}
-		return handler(srv, ss)
-	}
-}
-
-// authorize checks whether the caller is allowed to call the given method.
-// Every RPC is gated; root is always allowed. Non-root callers are accepted
-// when they are existing owners, when the config is in legacy TOFU state
-// (claim on first call, preserves pre-enforcement behavior), or when the
-// config is in fresh-install state and they match the active console user.
-func (i *Interceptor) authorize(ctx context.Context, fullMethod string) error {
-	uid, ok := UIDFromContext(ctx)
-	if !ok {
-		return status.Error(codes.PermissionDenied, errNoPeerCreds)
-	}
-
-	if uid == 0 {
-		return nil
-	}
-
-	// Profile-management RPCs do their own per-target authorization in the
-	// handler. The interceptor only confirms peer credentials are present.
-	if profileBypassMethods[fullMethod] {
-		return nil
-	}
-
-	i.mu.Lock()
-	defer i.mu.Unlock()
-
-	ownerUIDs := i.config.GetOwnerUIDs()
-
-	switch {
-	case ownerUIDs == nil:
-		// Legacy / migration TOFU: existing pre-enforcement config has no
-		// owners field. Any non-root local caller claims on first call so
-		// upgrades don't break.
-		return i.claim(uid, "migration TOFU")
-
-	case len(ownerUIDs) == 0:
-		// Fresh-install root-only mode with a console-user exception so the
-		// GUI/CLI just works for the user physically at the machine. SSH'd
-		// or otherwise non-console callers are denied.
-		consoleUID, ok := consoleUIDLookup()
-		if ok && uint32(uid) == consoleUID {
-			return i.claim(uid, "console-user TOFU")
-		}
-		return status.Error(codes.PermissionDenied, errNoOwnerConfigured)
-
-	case slices.Contains(ownerUIDs, uid):
-		return nil
-
-	default:
-		return status.Errorf(codes.PermissionDenied, errOwnerRequired, uid)
-	}
-}
-
-// claim adds uid to the owner list and persists it. The caller must hold i.mu.
-func (i *Interceptor) claim(uid UID, reason string) error {
-	log.Infof("%s: claiming owner for UID %d", reason, uid)
-	if err := i.config.AddOwnerUID(uid); err != nil {
-		log.Errorf("persist owner UID: %v", err)
-		return status.Error(codes.Internal, "persist owner UID")
-	}
-	return nil
-}
--- a/client/internal/owner/interceptor_test.go
+++ b/client/internal/owner/interceptor_test.go
@@ -1,277 +0,0 @@
-package owner
-
-import (
-	"context"
-	"net"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/credentials"
-	"google.golang.org/grpc/peer"
-	"google.golang.org/grpc/status"
-)
-
-type mockOwnerConfig struct {
-	uids []UID
-	err  error
-}
-
-func (m *mockOwnerConfig) GetOwnerUIDs() []UID {
-	return m.uids
-}
-
-func (m *mockOwnerConfig) AddOwnerUID(uid UID) error {
-	if m.err != nil {
-		return m.err
-	}
-	m.uids = append(m.uids, uid)
-	return nil
-}
-
-func peerContext(uid UID) context.Context {
-	return peer.NewContext(context.Background(), &peer.Peer{
-		Addr: &net.UnixAddr{Name: "/tmp/test.sock", Net: "unix"},
-		AuthInfo: UnixAuthInfo{
-			CommonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity},
-			UID:            uid,
-		},
-	})
-}
-
-func noPeerContext() context.Context {
-	return context.Background()
-}
-
-// withConsoleUID overrides the platform console-user lookup for a single test.
-func withConsoleUID(t *testing.T, uid uint32, ok bool) {
-	t.Helper()
-	prev := consoleUIDLookup
-	consoleUIDLookup = func() (uint32, bool) { return uid, ok }
-	t.Cleanup(func() { consoleUIDLookup = prev })
-}
-
-func TestInterceptor_RootAlwaysAllowed(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	for _, method := range []string{
-		"/daemon.DaemonService/Up",
-		"/daemon.DaemonService/Status",
-		"/daemon.DaemonService/Down",
-	} {
-		err := interceptor.authorize(peerContext(0), method)
-		assert.NoError(t, err, "root should always be allowed for %s", method)
-	}
-}
-
-func TestInterceptor_NoPeerCreds_AlwaysDenies(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	for _, method := range []string{
-		"/daemon.DaemonService/Status",
-		"/daemon.DaemonService/Up",
-		"/daemon.DaemonService/SomeNewMethod",
-	} {
-		err := interceptor.authorize(noPeerContext(), method)
-		require.Error(t, err, "method %s should be denied without peer creds", method)
-		assert.Equal(t, codes.PermissionDenied, status.Code(err))
-	}
-}
-
-// TestInterceptor_LegacyMigration covers the nil-OwnerUIDs branch:
-// pre-enforcement configs upgraded to this version. Any non-root local caller
-// can claim on first call.
-func TestInterceptor_LegacyMigration_AnyCallerClaims(t *testing.T) {
-	withConsoleUID(t, 0, false) // no console; should not matter for nil
-	cfg := &mockOwnerConfig{uids: nil}
-	interceptor := NewInterceptor(cfg)
-
-	// First call from any UID claims regardless of method.
-	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Status")
-	require.NoError(t, err)
-	require.Equal(t, []UID{1000}, cfg.uids)
-
-	// After claim, a different UID is denied.
-	err = interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Status")
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-}
-
-// TestInterceptor_FreshInstall covers the empty-OwnerUIDs branch: console-user
-// can claim, others denied.
-func TestInterceptor_FreshInstall_ConsoleUserClaims(t *testing.T) {
-	withConsoleUID(t, 1000, true)
-	cfg := &mockOwnerConfig{uids: []UID{}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Status")
-	require.NoError(t, err)
-	require.Equal(t, []UID{1000}, cfg.uids)
-}
-
-func TestInterceptor_FreshInstall_NonConsoleDenied(t *testing.T) {
-	withConsoleUID(t, 1000, true)
-	cfg := &mockOwnerConfig{uids: []UID{}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Up")
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-	assert.Empty(t, cfg.uids, "non-console caller must not claim")
-}
-
-func TestInterceptor_FreshInstall_NoConsole_Denied(t *testing.T) {
-	withConsoleUID(t, 0, false)
-	cfg := &mockOwnerConfig{uids: []UID{}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Up")
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-}
-
-func TestInterceptor_OwnerUID_AllowsOwner(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Down")
-	assert.NoError(t, err)
-}
-
-func TestInterceptor_OwnerUID_DeniesOther(t *testing.T) {
-	withConsoleUID(t, 9999, true) // console-user TOFU should not apply once owners exist
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Down")
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-}
-
-func TestInterceptor_MultipleOwners(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000, 2000}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Down")
-	assert.NoError(t, err)
-
-	err = interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Up")
-	assert.NoError(t, err)
-
-	err = interceptor.authorize(peerContext(3000), "/daemon.DaemonService/Down")
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-}
-
-// TestInterceptor_UnknownMethodRequiresOwner pins the safe-by-default invariant:
-// any future RPC still goes through owner enforcement.
-func TestInterceptor_UnknownMethodRequiresOwner(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/SomeFutureMethod")
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-
-	err = interceptor.authorize(peerContext(1000), "/daemon.DaemonService/SomeFutureMethod")
-	assert.NoError(t, err)
-}
-
-func TestInterceptor_ErrorMessageActionable(t *testing.T) {
-	withConsoleUID(t, 9999, true)
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Down")
-	require.Error(t, err)
-	msg := status.Convert(err).Message()
-	assert.Contains(t, msg, "sudo netbird")
-	assert.Contains(t, msg, "owner add")
-}
-
-func TestInterceptor_UnaryIntegration(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	unary := interceptor.UnaryInterceptor()
-
-	resp, err := unary(peerContext(1000), nil, &grpc.UnaryServerInfo{FullMethod: "/daemon.DaemonService/Down"}, func(ctx context.Context, req any) (any, error) {
-		return "ok", nil
-	})
-	require.NoError(t, err)
-	assert.Equal(t, "ok", resp)
-
-	_, err = unary(peerContext(2000), nil, &grpc.UnaryServerInfo{FullMethod: "/daemon.DaemonService/Down"}, func(ctx context.Context, req any) (any, error) {
-		t.Fatal("handler should not be called")
-		return nil, nil
-	})
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-}
-
-func TestInterceptor_StreamIntegration(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	stream := interceptor.StreamInterceptor()
-
-	called := false
-	err := stream(nil, &mockServerStream{ctx: peerContext(1000)},
-		&grpc.StreamServerInfo{FullMethod: "/daemon.DaemonService/SubscribeEvents"},
-		func(srv any, stream grpc.ServerStream) error {
-			called = true
-			return nil
-		})
-	require.NoError(t, err)
-	assert.True(t, called)
-
-	err = stream(nil, &mockServerStream{ctx: peerContext(2000)},
-		&grpc.StreamServerInfo{FullMethod: "/daemon.DaemonService/SubscribeEvents"},
-		func(srv any, stream grpc.ServerStream) error {
-			t.Fatal("handler should not be called")
-			return nil
-		})
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-}
-
-type mockServerStream struct {
-	grpc.ServerStream
-	ctx context.Context
-}
-
-func (m *mockServerStream) Context() context.Context { return m.ctx }
-
-// TestInterceptor_ProfileBypass pins that profile-management methods reach
-// the handler regardless of active-profile ownership; the handler enforces
-// per-target-profile auth itself.
-func TestInterceptor_ProfileBypass(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	// Caller UID 2000 is not an owner of the active profile but must be
-	// allowed through for these methods.
-	for _, method := range []string{
-		"/daemon.DaemonService/AddProfile",
-		"/daemon.DaemonService/ListProfiles",
-		"/daemon.DaemonService/RemoveProfile",
-		"/daemon.DaemonService/SwitchProfile",
-	} {
-		err := interceptor.authorize(peerContext(2000), method)
-		assert.NoError(t, err, "profile method %s should bypass active-owner check", method)
-	}
-
-	// Without peer creds, even bypass methods are denied.
-	for _, method := range []string{
-		"/daemon.DaemonService/AddProfile",
-		"/daemon.DaemonService/SwitchProfile",
-	} {
-		err := interceptor.authorize(noPeerContext(), method)
-		require.Error(t, err, "bypass method %s still requires peer creds", method)
-		assert.Equal(t, codes.PermissionDenied, status.Code(err))
-	}
-}
--- a/client/internal/owner/transport_bsd.go
+++ b/client/internal/owner/transport_bsd.go
@@ -1,66 +0,0 @@
-//go:build darwin || freebsd
-
-package owner
-
-import (
-	"context"
-	"fmt"
-	"net"
-
-	"golang.org/x/sys/unix"
-	"google.golang.org/grpc/credentials"
-)
-
-// NewUnixTransportCredentials returns gRPC TransportCredentials that extract
-// peer UID from Unix socket connections via LOCAL_PEERCRED (Xucred).
-func NewUnixTransportCredentials() credentials.TransportCredentials {
-	return &unixCreds{}
-}
-
-type unixCreds struct{}
-
-func (c *unixCreds) ClientHandshake(_ context.Context, _ string, conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
-	return conn, UnixAuthInfo{}, nil
-}
-
-// ServerHandshake extracts peer credentials from the Unix connection using LOCAL_PEERCRED.
-// Returns an error if credentials cannot be extracted (fail-closed).
-func (c *unixCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
-	uc, ok := conn.(*net.UnixConn)
-	if !ok {
-		return nil, nil, fmt.Errorf("expected *net.UnixConn, got %T", conn)
-	}
-
-	raw, err := uc.SyscallConn()
-	if err != nil {
-		return nil, nil, fmt.Errorf("get raw conn for peer credentials: %w", err)
-	}
-
-	var xucred *unix.Xucred
-	var credErr error
-	if err := raw.Control(func(fd uintptr) {
-		xucred, credErr = unix.GetsockoptXucred(int(fd), unix.SOL_LOCAL, unix.LOCAL_PEERCRED)
-	}); err != nil {
-		return nil, nil, fmt.Errorf("control raw conn for peer credentials: %w", err)
-	}
-	if credErr != nil {
-		return nil, nil, fmt.Errorf("get peer credentials: %w", credErr)
-	}
-
-	return conn, UnixAuthInfo{
-		CommonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity},
-		UID:            UID(xucred.Uid),
-	}, nil
-}
-
-func (c *unixCreds) Info() credentials.ProtocolInfo {
-	return credentials.ProtocolInfo{SecurityProtocol: "unix_peercred"}
-}
-
-func (c *unixCreds) Clone() credentials.TransportCredentials {
-	return &unixCreds{}
-}
-
-func (c *unixCreds) OverrideServerName(_ string) error {
-	return nil
-}
--- a/client/internal/owner/transport_generic.go
+++ b/client/internal/owner/transport_generic.go
@@ -1,11 +0,0 @@
-//go:build !linux && !darwin && !freebsd
-
-package owner
-
-import "google.golang.org/grpc/credentials"
-
-// NewUnixTransportCredentials returns nil on platforms without Unix socket peer credentials.
-// The daemon should use insecure credentials and skip owner enforcement.
-func NewUnixTransportCredentials() credentials.TransportCredentials {
-	return nil
-}
--- a/client/internal/owner/transport_linux.go
+++ b/client/internal/owner/transport_linux.go
@@ -1,66 +0,0 @@
-package owner
-
-import (
-	"context"
-	"fmt"
-	"net"
-
-	"golang.org/x/sys/unix"
-	"google.golang.org/grpc/credentials"
-)
-
-// NewUnixTransportCredentials returns gRPC TransportCredentials that extract
-// peer UID/GID/PID from Unix socket connections via SO_PEERCRED.
-func NewUnixTransportCredentials() credentials.TransportCredentials {
-	return &unixCreds{}
-}
-
-type unixCreds struct{}
-
-func (c *unixCreds) ClientHandshake(_ context.Context, _ string, conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
-	return conn, UnixAuthInfo{}, nil
-}
-
-// ServerHandshake extracts peer credentials from the Unix connection.
-// Returns an error if credentials cannot be extracted (fail-closed).
-func (c *unixCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
-	uc, ok := conn.(*net.UnixConn)
-	if !ok {
-		return nil, nil, fmt.Errorf("expected *net.UnixConn, got %T", conn)
-	}
-
-	raw, err := uc.SyscallConn()
-	if err != nil {
-		return nil, nil, fmt.Errorf("get raw conn for peer credentials: %w", err)
-	}
-
-	var ucred *unix.Ucred
-	var credErr error
-	if err := raw.Control(func(fd uintptr) {
-		ucred, credErr = unix.GetsockoptUcred(int(fd), unix.SOL_SOCKET, unix.SO_PEERCRED)
-	}); err != nil {
-		return nil, nil, fmt.Errorf("control raw conn for peer credentials: %w", err)
-	}
-	if credErr != nil {
-		return nil, nil, fmt.Errorf("get peer credentials: %w", credErr)
-	}
-
-	return conn, UnixAuthInfo{
-		CommonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity},
-		UID:            UID(ucred.Uid),
-		GID:            ucred.Gid,
-		PID:            ucred.Pid,
-	}, nil
-}
-
-func (c *unixCreds) Info() credentials.ProtocolInfo {
-	return credentials.ProtocolInfo{SecurityProtocol: "unix_peercred"}
-}
-
-func (c *unixCreds) Clone() credentials.TransportCredentials {
-	return &unixCreds{}
-}
-
-func (c *unixCreds) OverrideServerName(_ string) error {
-	return nil
-}
--- a/client/internal/owner/transport_test.go
+++ b/client/internal/owner/transport_test.go
@@ -1,107 +0,0 @@
-package owner
-
-import (
-	"net"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc/credentials"
-)
-
-func TestUnixTransportCredentials_ServerHandshake(t *testing.T) {
-	creds := NewUnixTransportCredentials()
-	if creds == nil {
-		t.Skip("unix transport credentials not supported on this platform")
-	}
-
-	sockPath := filepath.Join(t.TempDir(), "test.sock")
-
-	ln, err := net.Listen("unix", sockPath)
-	require.NoError(t, err)
-	t.Cleanup(func() { ln.Close() })
-
-	done := make(chan struct{})
-	var serverConn net.Conn
-	var serverAuth credentials.AuthInfo
-	var serverErr error
-
-	go func() {
-		defer close(done)
-		raw, err := ln.Accept()
-		if err != nil {
-			serverErr = err
-			return
-		}
-		serverConn, serverAuth, serverErr = creds.ServerHandshake(raw)
-	}()
-
-	client, err := net.Dial("unix", sockPath)
-	require.NoError(t, err)
-	t.Cleanup(func() { client.Close() })
-
-	<-done
-	require.NoError(t, serverErr)
-	require.NotNil(t, serverConn)
-	t.Cleanup(func() { serverConn.Close() })
-
-	authInfo, ok := serverAuth.(UnixAuthInfo)
-	require.True(t, ok, "expected UnixAuthInfo, got %T", serverAuth)
-	assert.Equal(t, UID(os.Getuid()), authInfo.UID, "UID should match current user")
-}
-
-func TestUnixTransportCredentials_ServerHandshake_NonUnixConn(t *testing.T) {
-	creds := NewUnixTransportCredentials()
-	if creds == nil {
-		t.Skip("unix transport credentials not supported on this platform")
-	}
-
-	// Use a TCP connection, which is not *net.UnixConn.
-	ln, err := net.Listen("tcp", "127.0.0.1:0")
-	require.NoError(t, err)
-	t.Cleanup(func() { ln.Close() })
-
-	done := make(chan struct{})
-	var handshakeErr error
-
-	go func() {
-		defer close(done)
-		raw, err := ln.Accept()
-		if err != nil {
-			handshakeErr = err
-			return
-		}
-		defer raw.Close()
-		_, _, handshakeErr = creds.ServerHandshake(raw)
-	}()
-
-	client, err := net.Dial("tcp", ln.Addr().String())
-	require.NoError(t, err)
-	t.Cleanup(func() { client.Close() })
-
-	<-done
-	require.Error(t, handshakeErr, "ServerHandshake must fail for non-Unix connections")
-}
-
-func TestUnixTransportCredentials_Info(t *testing.T) {
-	creds := NewUnixTransportCredentials()
-	if creds == nil {
-		t.Skip("unix transport credentials not supported on this platform")
-	}
-
-	info := creds.Info()
-	assert.Equal(t, "unix_peercred", info.SecurityProtocol)
-}
-
-func TestUnixTransportCredentials_Clone(t *testing.T) {
-	creds := NewUnixTransportCredentials()
-	if creds == nil {
-		t.Skip("unix transport credentials not supported on this platform")
-	}
-
-	cloned := creds.Clone()
-	require.NotNil(t, cloned)
-	assert.Equal(t, creds.Info(), cloned.Info())
-}
--- a/client/internal/owner/uid.go
+++ b/client/internal/owner/uid.go
@@ -1,5 +0,0 @@
-package owner
-
-// UID is a Unix user ID. Defined as a distinct type so it can't be silently
-// swapped with GID, PID, or other uint32 values at call sites.
-type UID uint32
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -23,7 +23,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/id"
 	"github.com/netbirdio/netbird/client/internal/peer/worker"
 	"github.com/netbirdio/netbird/client/internal/portforward"
-	"github.com/netbirdio/netbird/client/internal/rosenpass"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/route"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
@@ -900,7 +899,7 @@ func (conn *Conn) presharedKey(remoteRosenpassKey []byte) *wgtypes.Key {
 	}

 	// Fallback to deterministic key if no NetBird PSK is configured
-	determKey, err := rosenpass.DeterministicSeedKey(conn.config.LocalKey, conn.config.Key)
+	determKey, err := conn.rosenpassDetermKey()
 	if err != nil {
 		conn.Log.Errorf("failed to generate Rosenpass initial key: %v", err)
 		return nil
@@ -909,6 +908,26 @@ func (conn *Conn) presharedKey(remoteRosenpassKey []byte) *wgtypes.Key {
 	return determKey
 }

+// todo: move this logic into Rosenpass package
+func (conn *Conn) rosenpassDetermKey() (*wgtypes.Key, error) {
+	lk := []byte(conn.config.LocalKey)
+	rk := []byte(conn.config.Key) // remote key
+	var keyInput []byte
+	if string(lk) > string(rk) {
+		//nolint:gocritic
+		keyInput = append(lk[:16], rk[:16]...)
+	} else {
+		//nolint:gocritic
+		keyInput = append(rk[:16], lk[:16]...)
+	}
+
+	key, err := wgtypes.NewKey(keyInput)
+	if err != nil {
+		return nil, err
+	}
+	return &key, nil
+}
+
 func isController(config ConnConfig) bool {
 	return config.LocalKey > config.Key
 }
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -185,12 +185,9 @@ func (s *StatusChangeSubscription) Events() chan map[string]RouterState {
 	return s.eventsChan
 }

-// Status holds a state of peers, signal, management connections and relays.
-// mux is an RWMutex so hot read paths (notably PeerStateByIP, called for
-// every private-service request) don't contend against each other.
-// Pure read methods take RLock; anything that mutates state takes Lock.
+// Status holds a state of peers, signal, management connections and relays
 type Status struct {
-	mux                   sync.RWMutex
+	mux                   sync.Mutex
 	peers                 map[string]State
 	changeNotify          map[string]map[string]*StatusChangeSubscription // map[peerID]map[subscriptionID]*StatusChangeSubscription
 	signalState           bool
@@ -286,8 +283,8 @@ func (d *Status) AddPeer(peerPubKey string, fqdn string, ip string, ipv6 string)

 // GetPeer adds peer to Daemon status map
 func (d *Status) GetPeer(peerPubKey string) (State, error) {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()

 	state, ok := d.peers[peerPubKey]
 	if !ok {
@@ -297,8 +294,8 @@ func (d *Status) GetPeer(peerPubKey string) (State, error) {
 }

 func (d *Status) PeerByIP(ip string) (string, bool) {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()

 	for _, state := range d.peers {
 		if state.IP == ip {
@@ -308,25 +305,6 @@ func (d *Status) PeerByIP(ip string) (string, bool) {
 	return "", false
 }

-// PeerStateByIP returns the full peer State for the given tunnel IP.
-// Matches against either the IPv4 (State.IP) or IPv6 (State.IPv6) tunnel
-// address so dual-stack peers are reachable on either family. Returns the
-// zero State and false when no peer matches or the input is empty.
-func (d *Status) PeerStateByIP(ip string) (State, bool) {
-	if ip == "" {
-		return State{}, false
-	}
-	d.mux.RLock()
-	defer d.mux.RUnlock()
-
-	for _, state := range d.peers {
-		if (state.IP != "" && state.IP == ip) || (state.IPv6 != "" && state.IPv6 == ip) {
-			return state, true
-		}
-	}
-	return State{}, false
-}
-
 // RemovePeer removes peer from Daemon status map
 func (d *Status) RemovePeer(peerPubKey string) error {
 	d.mux.Lock()
@@ -724,8 +702,8 @@ func (d *Status) UnsubscribePeerStateChanges(subscription *StatusChangeSubscript

 // GetLocalPeerState returns the local peer state
 func (d *Status) GetLocalPeerState() LocalPeerState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return d.localPeer.Clone()
 }

@@ -931,8 +909,8 @@ func (d *Status) DeleteResolvedDomainsStates(domain domain.Domain) {
 }

 func (d *Status) GetRosenpassState() RosenpassState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return RosenpassState{
 		d.rosenpassEnabled,
 		d.rosenpassPermissive,
@@ -940,14 +918,14 @@ func (d *Status) GetRosenpassState() RosenpassState {
 }

 func (d *Status) GetLazyConnection() bool {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return d.lazyConnectionEnabled
 }

 func (d *Status) GetManagementState() ManagementState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return ManagementState{
 		d.mgmAddress,
 		d.managementState,
@@ -973,8 +951,8 @@ func (d *Status) UpdateLatency(pubKey string, latency time.Duration) error {

 // IsLoginRequired determines if a peer's login has expired.
 func (d *Status) IsLoginRequired() bool {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()

 	// if peer is connected to the management then login is not expired
 	if d.managementState {
@@ -989,8 +967,8 @@ func (d *Status) IsLoginRequired() bool {
 }

 func (d *Status) GetSignalState() SignalState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return SignalState{
 		d.signalAddress,
 		d.signalState,
@@ -1000,8 +978,8 @@ func (d *Status) GetSignalState() SignalState {

 // GetRelayStates returns the stun/turn/permanent relay states
 func (d *Status) GetRelayStates() []relay.ProbeResult {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	if d.relayMgr == nil {
 		return d.relayStates
 	}
@@ -1030,8 +1008,8 @@ func (d *Status) GetRelayStates() []relay.ProbeResult {
 }

 func (d *Status) ForwardingRules() []firewall.ForwardRule {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	if d.ingressGwMgr == nil {
 		return nil
 	}
@@ -1040,16 +1018,16 @@ func (d *Status) ForwardingRules() []firewall.ForwardRule {
 }

 func (d *Status) GetDNSStates() []NSGroupState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()

 	// shallow copy is good enough, as slices fields are currently not updated
 	return slices.Clone(d.nsGroupStates)
 }

 func (d *Status) GetResolvedDomainsStates() map[domain.Domain]ResolvedDomainInfo {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return maps.Clone(d.resolvedDomainsStates)
 }

@@ -1065,8 +1043,8 @@ func (d *Status) GetFullStatus() FullStatus {
 		LazyConnectionEnabled: d.GetLazyConnection(),
 	}

-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()

 	fullStatus.LocalPeerState = d.localPeer

@@ -1241,8 +1219,8 @@ func (d *Status) SetWgIface(wgInterface WGIfaceStatus) {
 }

 func (d *Status) PeersStatus() (*configurer.Stats, error) {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	if d.wgIface == nil {
 		return nil, fmt.Errorf("wgInterface is nil, cannot retrieve peers status")
 	}
--- a/client/internal/peer/status_test.go
+++ b/client/internal/peer/status_test.go
@@ -63,33 +63,6 @@ func TestUpdatePeerState(t *testing.T) {
 	assert.Equal(t, ip, state.IP, "ip should be equal")
 }

-func TestStatus_PeerStateByIP(t *testing.T) {
-	status := NewRecorder("https://mgm")
-	req := require.New(t)
-
-	req.NoError(status.AddPeer("pk-1", "peer-1.netbird", "100.64.0.10", ""))
-	req.NoError(status.AddPeer("pk-2", "peer-2.netbird", "100.64.0.11", ""))
-
-	state, ok := status.PeerStateByIP("100.64.0.10")
-	req.True(ok, "known tunnel IP should resolve to a peer state")
-	req.Equal("pk-1", state.PubKey, "matching state must carry the right pub key")
-	req.Equal("peer-1.netbird", state.FQDN, "matching state must carry the right FQDN")
-
-	_, ok = status.PeerStateByIP("100.64.0.99")
-	req.False(ok, "unknown IP must report ok=false")
-}
-
-func TestStatus_PeerStateByIP_MatchesIPv6(t *testing.T) {
-	status := NewRecorder("https://mgm")
-	req := require.New(t)
-
-	req.NoError(status.AddPeer("pk-1", "peer-1.netbird", "100.64.0.10", "fd00::1"))
-
-	state, ok := status.PeerStateByIP("fd00::1")
-	req.True(ok, "IPv6-only match must resolve to the peer state")
-	req.Equal("pk-1", state.PubKey, "matching state must carry the right pub key")
-}
-
 func TestStatus_UpdatePeerFQDN(t *testing.T) {
 	key := "abc"
 	fqdn := "peer-a.netbird.local"
--- a/client/internal/profilemanager/config.go
+++ b/client/internal/profilemanager/config.go
@@ -21,7 +21,6 @@ import (
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
 	"github.com/netbirdio/netbird/client/ssh"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
@@ -100,10 +99,6 @@ type ConfigInput struct {
 	LazyConnectionEnabled *bool

 	MTU *uint16
-
-	// OwnerUIDs sets the UIDs of users allowed to control the daemon.
-	// When non-nil, replaces the config's OwnerUIDs.
-	OwnerUIDs []owner.UID
 }

 // Config Configuration type
@@ -179,12 +174,6 @@ type Config struct {
 	LazyConnectionEnabled bool

 	MTU uint16
-
-	// OwnerUIDs controls who can perform privileged daemon operations via the gRPC socket.
-	// nil (absent from JSON): TOFU mode, first privileged caller claims ownership (backward compat for existing installs).
-	// [] (empty slice): root-only, no non-root owners until explicitly set via "netbird up --owner".
-	// [uid1, uid2, ...]: these UIDs plus root can perform privileged operations.
-	OwnerUIDs []owner.UID `json:"OwnerUIDs"`
 }

 var ConfigDirOverride string
@@ -245,18 +234,10 @@ func fileExists(path string) (bool, error) {

 // createNewConfig creates a new config generating a new Wireguard key and saving to file
 func createNewConfig(input ConfigInput) (*Config, error) {
-	// Seed owner UIDs from environment if set (for MDM deployments),
-	// otherwise default to root-only (empty slice).
-	ownerUIDs := owner.OwnerUIDsFromEnv()
-	if ownerUIDs == nil {
-		ownerUIDs = []owner.UID{}
-	}
-
 	config := &Config{
 		// defaults to false only for new (post 0.26) configurations
 		ServerSSHAllowed: util.False(),
 		WgPort:           iface.DefaultWgPort,
-		OwnerUIDs:        ownerUIDs,
 	}

 	if _, err := config.apply(input); err != nil {
@@ -631,14 +612,6 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}

-	if input.OwnerUIDs != nil {
-		if !slices.Equal(config.OwnerUIDs, input.OwnerUIDs) {
-			log.Infof("updating owner UIDs to %v", input.OwnerUIDs)
-			config.OwnerUIDs = input.OwnerUIDs
-			updated = true
-		}
-	}
-
 	return updated, nil
 }

--- a/client/internal/profilemanager/service.go
+++ b/client/internal/profilemanager/service.go
@@ -13,7 +13,6 @@ import (

 	log "github.com/sirupsen/logrus"

-	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/util"
 )

@@ -244,10 +243,7 @@ func (s *ServiceManager) DefaultProfilePath() string {
 	return DefaultConfigPath
 }

-// AddProfile creates a new profile with the given name. inheritOwnerUIDs is
-// applied to the new profile's OwnerUIDs (pass the active profile's owners so
-// the caller stays authorized; pass nil to leave the default empty/env-seeded).
-func (s *ServiceManager) AddProfile(profileName, username string, inheritOwnerUIDs []owner.UID) error {
+func (s *ServiceManager) AddProfile(profileName, username string) error {
 	configDir, err := s.getConfigDir(username)
 	if err != nil {
 		return fmt.Errorf("failed to get config directory: %w", err)
@@ -268,7 +264,7 @@ func (s *ServiceManager) AddProfile(profileName, username string, inheritOwnerUI
 		return ErrProfileAlreadyExists
 	}

-	cfg, err := createNewConfig(ConfigInput{ConfigPath: profPath, OwnerUIDs: inheritOwnerUIDs})
+	cfg, err := createNewConfig(ConfigInput{ConfigPath: profPath})
 	if err != nil {
 		return fmt.Errorf("failed to create new config: %w", err)
 	}
--- a/client/internal/rosenpass/manager.go
+++ b/client/internal/rosenpass/manager.go
@@ -28,15 +28,6 @@ func hashRosenpassKey(key []byte) string {
 	return hex.EncodeToString(hasher.Sum(nil))
 }

-// rpServer is the subset of rp.Server used by Manager. Defined as an interface
-// so tests can substitute a mock without spinning up a real UDP server.
-type rpServer interface {
-	AddPeer(rp.PeerConfig) (rp.PeerID, error)
-	RemovePeer(rp.PeerID) error
-	Run() error
-	Close() error
-}
-
 type Manager struct {
 	ifaceName    string
 	spk          []byte
@@ -45,7 +36,7 @@ type Manager struct {
 	preSharedKey *[32]byte
 	rpPeerIDs    map[string]*rp.PeerID
 	rpWgHandler  *NetbirdHandler
-	server       rpServer
+	server       *rp.Server
 	lock         sync.Mutex
 	port         int
 	wgIface      PresharedKeySetter
@@ -60,22 +51,7 @@ func NewManager(preSharedKey *wgtypes.Key, wgIfaceName string) (*Manager, error)

 	rpKeyHash := hashRosenpassKey(public)
 	log.Tracef("generated new rosenpass key pair with public key %s", rpKeyHash)
-	return &Manager{
-		ifaceName:    wgIfaceName,
-		rpKeyHash:    rpKeyHash,
-		spk:          public,
-		ssk:          secret,
-		preSharedKey: (*[32]byte)(preSharedKey),
-		rpPeerIDs:    make(map[string]*rp.PeerID),
-		// rpWgHandler is created here (instead of only in generateConfig) so it
-		// is never nil between NewManager and Run(). Otherwise an early
-		// OnConnected call (race observed on Android, issue #4341) panics on
-		// nil receiver in addPeer -> m.rpWgHandler.AddPeer. generateConfig will
-		// replace it with a fresh handler on each Run() to clear stale peer
-		// state from previous engine sessions.
-		rpWgHandler: NewNetbirdHandler(),
-		lock:        sync.Mutex{},
-	}, nil
+	return &Manager{ifaceName: wgIfaceName, rpKeyHash: rpKeyHash, spk: public, ssk: secret, preSharedKey: (*[32]byte)(preSharedKey), rpPeerIDs: make(map[string]*rp.PeerID), lock: sync.Mutex{}}, nil
 }

 func (m *Manager) GetPubKey() []byte {
@@ -89,16 +65,6 @@ func (m *Manager) GetAddress() *net.UDPAddr {

 // addPeer adds a new peer to the Rosenpass server
 func (m *Manager) addPeer(rosenpassPubKey []byte, rosenpassAddr string, wireGuardIP string, wireGuardPubKey string) error {
-	// Defense in depth against issue #4341 (Android crash): if Run() has not
-	// completed yet, m.server / m.rpWgHandler may be nil. Return an explicit
-	// error instead of panicking on nil-receiver dereference.
-	if m.server == nil {
-		return fmt.Errorf("rosenpass server not initialized")
-	}
-	if m.rpWgHandler == nil {
-		return fmt.Errorf("rosenpass wg handler not initialized")
-	}
-
 	var err error
 	pcfg := rp.PeerConfig{PublicKey: rosenpassPubKey}
 	if m.preSharedKey != nil {
@@ -113,16 +79,6 @@ func (m *Manager) addPeer(rosenpassPubKey []byte, rosenpassAddr string, wireGuar
 		if pcfg.Endpoint, err = net.ResolveUDPAddr("udp", peerAddr); err != nil {
 			return fmt.Errorf("failed to resolve peer endpoint address: %w", err)
 		}
-		// Our local Rosenpass UDP server binds on the IPv6 wildcard ([::]) — see
-		// GetAddress(). The remote peer's endpoint (pcfg.Endpoint) is the destination
-		// our server will sendto when initiating handshakes. ResolveUDPAddr returns a
-		// 4-byte IPv4 for IPv4 hosts, which the kernel rejects (EDESTADDRREQ) when
-		// sent from an AF_INET6 socket. Normalize the remote endpoint to IPv4-mapped
-		// IPv6 so its address family matches our listening socket.
-		// TODO: maybe bind the Rosenpass UDP server to the peer wg IP addr
-		if v4 := pcfg.Endpoint.IP.To4(); v4 != nil {
-			pcfg.Endpoint.IP = v4.To16()
-		}
 	}
 	peerID, err := m.server.AddPeer(pcfg)
 	if err != nil {
@@ -226,31 +182,24 @@ func (m *Manager) Run() error {
 		return err
 	}

-	server, err := rp.NewUDPServer(conf)
+	m.server, err = rp.NewUDPServer(conf)
 	if err != nil {
 		return err
 	}

-	m.lock.Lock()
-	m.server = server
-	m.lock.Unlock()
-
 	log.Infof("starting rosenpass server on port %d", m.port)

-	return server.Run()
+	return m.server.Run()
 }

 // Close closes the Rosenpass server
 func (m *Manager) Close() error {
-	m.lock.Lock()
-	server := m.server
-	m.server = nil
-	m.lock.Unlock()
-	if server == nil {
-		return nil
-	}
-	if err := server.Close(); err != nil {
-		log.Errorf("failed closing local rosenpass server: %v", err)
+	if m.server != nil {
+		err := m.server.Close()
+		if err != nil {
+			log.Errorf("failed closing local rosenpass server")
+		}
+		m.server = nil
 	}
 	return nil
 }
--- a/client/internal/rosenpass/manager_test.go
+++ b/client/internal/rosenpass/manager_test.go
@@ -1,412 +1,14 @@
 package rosenpass

 import (
-	"errors"
-	"os"
-	"sync"
 	"testing"

-	rp "cunicu.li/go-rosenpass"
 	"github.com/stretchr/testify/require"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )

-// --- test doubles -----------------------------------------------------------
-
-type addPeerCall struct {
-	cfg rp.PeerConfig
-}
-
-type removePeerCall struct {
-	id rp.PeerID
-}
-
-type mockServer struct {
-	mu         sync.Mutex
-	addCalls   []addPeerCall
-	removed    []removePeerCall
-	nextID     rp.PeerID
-	addErr     error
-	removeErr  error
-	closed     bool
-	ran        bool
-}
-
-func (m *mockServer) AddPeer(cfg rp.PeerConfig) (rp.PeerID, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.addCalls = append(m.addCalls, addPeerCall{cfg: cfg})
-	if m.addErr != nil {
-		return rp.PeerID{}, m.addErr
-	}
-	// Increment a byte in nextID so distinct peers get distinct IDs.
-	m.nextID[0]++
-	return m.nextID, nil
-}
-
-func (m *mockServer) RemovePeer(id rp.PeerID) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.removed = append(m.removed, removePeerCall{id: id})
-	return m.removeErr
-}
-
-func (m *mockServer) Run() error  { m.ran = true; return nil }
-func (m *mockServer) Close() error { m.closed = true; return nil }
-
-type setPSKCall struct {
-	peerKey    string
-	psk        wgtypes.Key
-	updateOnly bool
-}
-
-type mockIface struct {
-	mu    sync.Mutex
-	calls []setPSKCall
-	err   error
-}
-
-func (m *mockIface) SetPresharedKey(peerKey string, psk wgtypes.Key, updateOnly bool) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.calls = append(m.calls, setPSKCall{peerKey: peerKey, psk: psk, updateOnly: updateOnly})
-	return m.err
-}
-
-// newTestManager builds a Manager with deterministic spk so tie-break
-// against a peer pubkey is controllable from tests. The provided spk byte
-// becomes the first byte; remaining bytes are zero.
-func newTestManager(spkFirstByte byte, mock *mockServer) *Manager {
-	spk := make([]byte, 32)
-	spk[0] = spkFirstByte
-	return &Manager{
-		ifaceName:   "wt0",
-		spk:         spk,
-		ssk:         make([]byte, 32),
-		rpKeyHash:   "test-hash",
-		rpPeerIDs:   make(map[string]*rp.PeerID),
-		rpWgHandler: NewNetbirdHandler(),
-		server:      mock,
-	}
-}
-
-// validWGKey returns a deterministic 32-byte wireguard public key (base64).
-func validWGKey(t *testing.T, lastByte byte) string {
-	t.Helper()
-	var k wgtypes.Key
-	k[31] = lastByte
-	return k.String()
-}
-
-// --- pure helpers ----------------------------------------------------------
-
-func TestHashRosenpassKey_Deterministic(t *testing.T) {
-	key := []byte("hello-rosenpass")
-	require.Equal(t, hashRosenpassKey(key), hashRosenpassKey(key))
-	require.Len(t, hashRosenpassKey(key), 64) // sha256 hex
-}
-
-func TestHashRosenpassKey_DifferentInputsDifferOutputs(t *testing.T) {
-	require.NotEqual(t, hashRosenpassKey([]byte("a")), hashRosenpassKey([]byte("b")))
-}
-
-func TestGetLogLevel_DefaultWhenUnset(t *testing.T) {
-	// Snapshot + unset to exercise the LookupEnv ok=false branch. t.Setenv
-	// can only set, not delete, so do it manually with restore via t.Cleanup.
-	prev, hadPrev := os.LookupEnv(defaultLogLevelVar)
-	require.NoError(t, os.Unsetenv(defaultLogLevelVar))
-	t.Cleanup(func() {
-		if hadPrev {
-			_ = os.Setenv(defaultLogLevelVar, prev)
-		} else {
-			_ = os.Unsetenv(defaultLogLevelVar)
-		}
-	})
-	require.Equal(t, defaultLog.String(), getLogLevel().String())
-}
-
-func TestGetLogLevel_Cases(t *testing.T) {
-	cases := map[string]string{
-		"debug":   "DEBUG",
-		"info":    "INFO",
-		"warn":    "WARN",
-		"error":   "ERROR",
-		"unknown": "INFO", // default fallback
-	}
-	for input, wantStr := range cases {
-		input, wantStr := input, wantStr
-		t.Run(input, func(t *testing.T) {
-			t.Setenv(defaultLogLevelVar, input)
-			require.Equal(t, wantStr, getLogLevel().String())
-		})
-	}
-}
-
 func TestFindRandomAvailableUDPPort(t *testing.T) {
 	port, err := findRandomAvailableUDPPort()
 	require.NoError(t, err)
 	require.Greater(t, port, 0)
 	require.LessOrEqual(t, port, 65535)
 }
-
-// --- addPeer ---------------------------------------------------------------
-
-func TestAddPeer_HigherLocalPubkey_SetsEndpoint(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv) // local spk lexicographically larger
-
-	remotePubKey := make([]byte, 32) // remote spk = all zeros (smaller)
-	err := m.addPeer(remotePubKey, "rosenpass-host:7000", "100.1.1.1", validWGKey(t, 1))
-	require.NoError(t, err)
-	require.Len(t, srv.addCalls, 1)
-
-	ep := srv.addCalls[0].cfg.Endpoint
-	require.NotNil(t, ep, "initiator side must set Endpoint")
-	require.Equal(t, 7000, ep.Port)
-	require.Equal(t, "100.1.1.1", ep.IP.String())
-}
-
-func TestAddPeer_HigherLocalPubkey_EndpointIPIsIPv4Mapped(t *testing.T) {
-	// Regression guard for the EDESTADDRREQ fix: Endpoint.IP must be 16-byte
-	// (IPv4-mapped IPv6) so it matches the AF_INET6 listening socket family.
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
-	require.NoError(t, err)
-
-	ep := srv.addCalls[0].cfg.Endpoint
-	require.NotNil(t, ep)
-	require.Len(t, ep.IP, 16, "IPv4 endpoint must be normalized to 16-byte v4-mapped form")
-	require.True(t, ep.IP.To4() != nil, "Endpoint must still be detected as IPv4")
-}
-
-func TestAddPeer_LowerLocalPubkey_LeavesEndpointNil(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0x00, srv) // local spk smaller
-
-	remotePubKey := make([]byte, 32)
-	remotePubKey[0] = 0xFF
-	err := m.addPeer(remotePubKey, "rp:5000", "100.1.1.1", validWGKey(t, 2))
-	require.NoError(t, err)
-
-	require.Nil(t, srv.addCalls[0].cfg.Endpoint, "responder side must NOT set Endpoint")
-}
-
-func TestAddPeer_PresharedKeyPropagated(t *testing.T) {
-	srv := &mockServer{}
-	psk := &wgtypes.Key{0x42}
-	m := newTestManager(0xFF, srv)
-	m.preSharedKey = (*[32]byte)(psk)
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 3))
-	require.NoError(t, err)
-	require.Equal(t, [32]byte(*psk), [32]byte(srv.addCalls[0].cfg.PresharedKey))
-}
-
-func TestAddPeer_InvalidRosenpassAddr_ReturnsError(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv) // initiator path → parses rosenpassAddr
-
-	err := m.addPeer(make([]byte, 32), "not-a-host-port", "100.1.1.1", validWGKey(t, 1))
-	require.Error(t, err)
-	require.Empty(t, srv.addCalls, "server.AddPeer must not run when address parse fails")
-}
-
-func TestAddPeer_InvalidWireGuardPubKey_ReturnsError(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", "not-a-valid-key")
-	require.Error(t, err)
-}
-
-func TestAddPeer_ServerError_Propagates(t *testing.T) {
-	srv := &mockServer{addErr: errors.New("boom")}
-	m := newTestManager(0xFF, srv)
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
-	require.Error(t, err)
-}
-
-// Regression guard for issue #4341 (Android crash). If Run() has not completed
-// before OnConnected fires, m.rpWgHandler or m.server may be nil. Without the
-// nil guards, m.rpWgHandler.AddPeer panics on nil receiver.
-func TestAddPeer_NilHandler_ReturnsErrorNoCrash(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-	m.rpWgHandler = nil // simulate Run() not yet completed
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "wg handler not initialized")
-}
-
-func TestAddPeer_NilServer_ReturnsErrorNoCrash(t *testing.T) {
-	m := newTestManager(0xFF, nil)
-	m.server = nil // simulate Run() not yet completed
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "server not initialized")
-}
-
-// NewManager must pre-initialize rpWgHandler so the nil-receiver crash from
-// issue #4341 cannot occur in the window between NewManager and Run().
-func TestNewManager_PreInitializesHandler(t *testing.T) {
-	psk := wgtypes.Key{}
-	m, err := NewManager(&psk, "wt0")
-	require.NoError(t, err)
-	require.NotNil(t, m.rpWgHandler, "rpWgHandler must be initialized in NewManager")
-}
-
-func TestAddPeer_RecordsPeerID(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	wgKey := validWGKey(t, 5)
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey)
-	require.NoError(t, err)
-	require.Contains(t, m.rpPeerIDs, wgKey)
-}
-
-// --- OnConnected / OnDisconnected ------------------------------------------
-
-func TestOnConnected_NilRemotePubKey_NoAddPeer(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	m.OnConnected(validWGKey(t, 1), nil, "100.1.1.1", "rp:5000")
-	require.Empty(t, srv.addCalls, "nil remote rosenpass pubkey must skip AddPeer")
-	require.Empty(t, m.rpPeerIDs)
-}
-
-func TestOnConnected_ValidPubKey_CallsAddPeer(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	wgKey := validWGKey(t, 1)
-	m.OnConnected(wgKey, make([]byte, 32), "100.1.1.1", "rp:5000")
-	require.Len(t, srv.addCalls, 1)
-	require.Contains(t, m.rpPeerIDs, wgKey)
-}
-
-func TestOnDisconnected_UnknownPeer_NoOp(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	m.OnDisconnected(validWGKey(t, 99))
-	require.Empty(t, srv.removed, "unknown peer key must not call RemovePeer")
-}
-
-func TestOnDisconnected_KnownPeer_CallsRemoveAndForgets(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	wgKey := validWGKey(t, 1)
-	require.NoError(t, m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey))
-	require.Contains(t, m.rpPeerIDs, wgKey)
-
-	m.OnDisconnected(wgKey)
-	require.Len(t, srv.removed, 1)
-	require.NotContains(t, m.rpPeerIDs, wgKey, "peer must be forgotten after disconnect")
-}
-
-// --- IsPresharedKeyInitialized ---------------------------------------------
-
-func TestIsPresharedKeyInitialized_UnknownPeer_ReturnsFalse(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-	require.False(t, m.IsPresharedKeyInitialized(validWGKey(t, 1)))
-}
-
-func TestIsPresharedKeyInitialized_AddedButNotHandshaken_ReturnsFalse(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	wgKey := validWGKey(t, 2)
-	require.NoError(t, m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey))
-	require.False(t, m.IsPresharedKeyInitialized(wgKey))
-}
-
-// --- NetbirdHandler.outputKey ----------------------------------------------
-
-func TestHandler_OutputKey_FirstCallUsesUpdateOnlyFalse(t *testing.T) {
-	h := NewNetbirdHandler()
-	iface := &mockIface{}
-	h.SetInterface(iface)
-
-	pid := rp.PeerID{0x01}
-	wgKey := wgtypes.Key{0xAA}
-	h.AddPeer(pid, "wt0", rp.Key(wgKey))
-
-	psk := rp.Key{0xBB}
-	h.HandshakeCompleted(pid, psk)
-
-	require.Len(t, iface.calls, 1)
-	require.False(t, iface.calls[0].updateOnly, "first PSK rotation must use updateOnly=false")
-	require.Equal(t, wgKey.String(), iface.calls[0].peerKey)
-}
-
-func TestHandler_OutputKey_SubsequentCallsUseUpdateOnlyTrue(t *testing.T) {
-	h := NewNetbirdHandler()
-	iface := &mockIface{}
-	h.SetInterface(iface)
-
-	pid := rp.PeerID{0x02}
-	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{0xCC}))
-
-	h.HandshakeCompleted(pid, rp.Key{0x01}) // first
-	h.HandshakeCompleted(pid, rp.Key{0x02}) // second
-
-	require.Len(t, iface.calls, 2)
-	require.False(t, iface.calls[0].updateOnly)
-	require.True(t, iface.calls[1].updateOnly, "subsequent rotations must use updateOnly=true")
-}
-
-func TestHandler_OutputKey_NilInterface_NoCrashNoCall(t *testing.T) {
-	h := NewNetbirdHandler()
-	// no SetInterface — iface remains nil
-	pid := rp.PeerID{0x03}
-	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{}))
-
-	// Must not panic.
-	h.HandshakeCompleted(pid, rp.Key{})
-}
-
-func TestHandler_OutputKey_UnknownPeer_NoCall(t *testing.T) {
-	h := NewNetbirdHandler()
-	iface := &mockIface{}
-	h.SetInterface(iface)
-
-	h.HandshakeCompleted(rp.PeerID{0xFF}, rp.Key{})
-	require.Empty(t, iface.calls, "unknown peer id must not trigger SetPresharedKey")
-}
-
-func TestHandler_RemovePeer_ClearsInitializedState(t *testing.T) {
-	h := NewNetbirdHandler()
-	iface := &mockIface{}
-	h.SetInterface(iface)
-
-	pid := rp.PeerID{0x04}
-	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{0xDD}))
-	h.HandshakeCompleted(pid, rp.Key{0x01})
-	require.True(t, h.IsPeerInitialized(pid))
-
-	h.RemovePeer(pid)
-	require.False(t, h.IsPeerInitialized(pid), "RemovePeer must clear initialized flag")
-}
-
-func TestHandler_SetInterfaceAfterAddPeer_StillReceivesKey(t *testing.T) {
-	h := NewNetbirdHandler()
-	pid := rp.PeerID{0x05}
-	wgKey := wgtypes.Key{0xEE}
-	h.AddPeer(pid, "wt0", rp.Key(wgKey))
-
-	iface := &mockIface{}
-	h.SetInterface(iface) // set after AddPeer
-
-	h.HandshakeCompleted(pid, rp.Key{0x42})
-	require.Len(t, iface.calls, 1)
-	require.Equal(t, wgKey.String(), iface.calls[0].peerKey)
-}
--- a/client/internal/rosenpass/seed.go
+++ b/client/internal/rosenpass/seed.go
@@ -1,42 +0,0 @@
-package rosenpass
-
-import (
-	"fmt"
-
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-)
-
-// DeterministicSeedKey derives a 32-byte WireGuard preshared key from a pair
-// of peer public keys. Both peers, given the same key pair, produce the same
-// output regardless of which side runs the function: the inputs are ordered
-// lexicographically before concatenation.
-//
-// NetBird uses this value as the initial Rosenpass-side preshared key when no
-// explicit account-level PSK is configured, so both peers converge on the same
-// PSK before the first post-quantum handshake completes.
-//
-// The resulting key MUST NOT be treated as quantum-safe: it is deterministic
-// from public keys and exists only to seed WireGuard until Rosenpass rotates
-// in a real post-quantum PSK.
-func DeterministicSeedKey(localKey, remoteKey string) (*wgtypes.Key, error) {
-	lk := []byte(localKey)
-	rk := []byte(remoteKey)
-	if len(lk) < 16 || len(rk) < 16 {
-		return nil, fmt.Errorf("rosenpass: peer keys must be at least 16 bytes (got local=%d, remote=%d)", len(lk), len(rk))
-	}
-
-	var keyInput []byte
-	if localKey > remoteKey {
-		keyInput = append(keyInput, lk[:16]...)
-		keyInput = append(keyInput, rk[:16]...)
-	} else {
-		keyInput = append(keyInput, rk[:16]...)
-		keyInput = append(keyInput, lk[:16]...)
-	}
-
-	key, err := wgtypes.NewKey(keyInput)
-	if err != nil {
-		return nil, fmt.Errorf("rosenpass: deterministic seed key: %w", err)
-	}
-	return &key, nil
-}
--- a/client/internal/rosenpass/seed_test.go
+++ b/client/internal/rosenpass/seed_test.go
@@ -1,44 +0,0 @@
-package rosenpass
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestDeterministicSeedKey_SameForBothSides(t *testing.T) {
-	// Peer A and peer B must derive the same PSK regardless of which side
-	// computes it: the function orders inputs internally.
-	a := strings.Repeat("a", 32)
-	b := strings.Repeat("b", 32)
-
-	keyAB, err := DeterministicSeedKey(a, b)
-	require.NoError(t, err)
-	keyBA, err := DeterministicSeedKey(b, a)
-	require.NoError(t, err)
-	require.Equal(t, keyAB.String(), keyBA.String(), "swapping arguments must yield identical key")
-}
-
-func TestDeterministicSeedKey_ChangesWithKeys(t *testing.T) {
-	a := strings.Repeat("a", 32)
-	b := strings.Repeat("b", 32)
-	c := strings.Repeat("c", 32)
-
-	keyAB, err := DeterministicSeedKey(a, b)
-	require.NoError(t, err)
-	keyAC, err := DeterministicSeedKey(a, c)
-	require.NoError(t, err)
-	require.NotEqual(t, keyAB.String(), keyAC.String(), "different peer pair must yield different key")
-}
-
-func TestDeterministicSeedKey_TooShortKey_ReturnsError(t *testing.T) {
-	short := "short" // < 16 bytes
-	long := strings.Repeat("x", 32)
-
-	_, err := DeterministicSeedKey(short, long)
-	require.Error(t, err)
-	_, err = DeterministicSeedKey(long, short)
-	require.Error(t, err)
-}
-
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -53,7 +53,6 @@ type Manager interface {
 	GetRouteSelector() *routeselector.RouteSelector
 	GetClientRoutes() route.HAMap
 	GetSelectedClientRoutes() route.HAMap
-	GetActiveClientRoutes() route.HAMap
 	GetClientRoutesWithNetID() map[route.NetID][]*route.Route
 	SetRouteChangeListener(listener listener.NetworkChangeListener)
 	InitialRouteRange() []string
@@ -486,39 +485,6 @@ func (m *DefaultManager) GetSelectedClientRoutes() route.HAMap {
 	return m.routeSelector.FilterSelectedExitNodes(maps.Clone(m.clientRoutes))
 }

-// GetActiveClientRoutes returns the subset of selected client routes
-// that are currently reachable: the route's peer is Connected and is
-// the one actively carrying the route (not just an HA sibling).
-func (m *DefaultManager) GetActiveClientRoutes() route.HAMap {
-	m.mux.Lock()
-	selected := m.routeSelector.FilterSelectedExitNodes(maps.Clone(m.clientRoutes))
-	recorder := m.statusRecorder
-	m.mux.Unlock()
-
-	if recorder == nil {
-		return selected
-	}
-
-	out := make(route.HAMap, len(selected))
-	for id, routes := range selected {
-		for _, r := range routes {
-			st, err := recorder.GetPeer(r.Peer)
-			if err != nil {
-				continue
-			}
-			if st.ConnStatus != peer.StatusConnected {
-				continue
-			}
-			if _, hasRoute := st.GetRoutes()[r.Network.String()]; !hasRoute {
-				continue
-			}
-			out[id] = routes
-			break
-		}
-	}
-	return out
-}
-
 // GetClientRoutesWithNetID returns the current routes from the route map, but the keys consist of the network ID only
 func (m *DefaultManager) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
 	m.mux.Lock()
@@ -738,10 +704,7 @@ func (m *DefaultManager) collectExitNodeInfo(clientRoutes route.HAMap) exitNodeI
 }

 func (m *DefaultManager) isExitNodeRoute(routes []*route.Route) bool {
-	if len(routes) == 0 {
-		return false
-	}
-	return route.IsV4DefaultRoute(routes[0].Network) || route.IsV6DefaultRoute(routes[0].Network)
+	return len(routes) > 0 && routes[0].Network.String() == vars.ExitNodeCIDR
 }

 func (m *DefaultManager) categorizeUserSelection(netID route.NetID, info *exitNodeInfo) {
--- a/client/internal/routemanager/mock.go
+++ b/client/internal/routemanager/mock.go
@@ -19,7 +19,6 @@ type MockManager struct {
 	GetRouteSelectorFunc         func() *routeselector.RouteSelector
 	GetClientRoutesFunc          func() route.HAMap
 	GetSelectedClientRoutesFunc  func() route.HAMap
-	GetActiveClientRoutesFunc    func() route.HAMap
 	GetClientRoutesWithNetIDFunc func() map[route.NetID][]*route.Route
 	StopFunc                     func(manager *statemanager.Manager)
 }
@@ -79,14 +78,6 @@ func (m *MockManager) GetSelectedClientRoutes() route.HAMap {
 	return nil
 }

-// GetActiveClientRoutes mock implementation of GetActiveClientRoutes from the Manager interface
-func (m *MockManager) GetActiveClientRoutes() route.HAMap {
-	if m.GetActiveClientRoutesFunc != nil {
-		return m.GetActiveClientRoutesFunc()
-	}
-	return nil
-}
-
 // GetClientRoutesWithNetID mock implementation of GetClientRoutesWithNetID from Manager interface
 func (m *MockManager) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
 	if m.GetClientRoutesWithNetIDFunc != nil {
--- a/client/internal/routemanager/systemops/routeflags_addfilter_bsd.go
+++ b/client/internal/routemanager/systemops/routeflags_addfilter_bsd.go
@@ -1,9 +0,0 @@
-//go:build dragonfly || freebsd || netbsd || openbsd
-
-package systemops
-
-// IgnoreAddedDefaultRoute reports whether an RTM_ADD default route with the
-// given flags should be ignored by the network monitor.
-func IgnoreAddedDefaultRoute(flags int) bool {
-	return filterRoutesByFlags(flags)
-}
--- a/client/internal/routemanager/systemops/routeflags_addfilter_darwin.go
+++ b/client/internal/routemanager/systemops/routeflags_addfilter_darwin.go
@@ -1,21 +0,0 @@
-//go:build darwin
-
-package systemops
-
-import "golang.org/x/sys/unix"
-
-// IgnoreAddedDefaultRoute reports whether an RTM_ADD default route with the
-// given flags should be ignored by the network monitor. Scoped routes
-// (RTF_IFSCOPE) are tied to a specific interface index and cannot replace the
-// unscoped default the kernel uses for general egress, so flapping ones (e.g.
-// Wi-Fi calling IMS tunnels on ipsec0, Docker bridges, scoped utun defaults)
-// must not trigger an engine restart.
-func IgnoreAddedDefaultRoute(flags int) bool {
-	if filterRoutesByFlags(flags) {
-		return true
-	}
-	if flags&unix.RTF_IFSCOPE != 0 {
-		return true
-	}
-	return false
-}
--- a/client/internal/routeselector/routeselector.go
+++ b/client/internal/routeselector/routeselector.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"slices"
-	"strings"
 	"sync"

 	"github.com/hashicorp/go-multierror"
@@ -13,6 +12,10 @@ import (
 	"github.com/netbirdio/netbird/route"
 )

+const (
+	exitNodeCIDR = "0.0.0.0/0"
+)
+
 type RouteSelector struct {
 	mu               sync.RWMutex
 	deselectedRoutes map[route.NetID]struct{}
@@ -121,7 +124,13 @@ func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
 	rs.mu.RLock()
 	defer rs.mu.RUnlock()

-	return rs.isSelectedLocked(routeID)
+	if rs.deselectAll {
+		return false
+	}
+
+	_, deselected := rs.deselectedRoutes[routeID]
+	isSelected := !deselected
+	return isSelected
 }

 // FilterSelected removes unselected routes from the provided map.
@@ -135,22 +144,23 @@ func (rs *RouteSelector) FilterSelected(routes route.HAMap) route.HAMap {

 	filtered := route.HAMap{}
 	for id, rt := range routes {
-		if !rs.isDeselectedLocked(id.NetID()) {
+		netID := id.NetID()
+		_, deselected := rs.deselectedRoutes[netID]
+		if !deselected {
 			filtered[id] = rt
 		}
 	}
 	return filtered
 }

-// HasUserSelectionForRoute returns true if the user has explicitly selected or deselected this route.
-// Intended for exit-node code paths: a v6 exit-node pair (e.g. "MyExit-v6") with no explicit state of
-// its own inherits its v4 base's state, so legacy persisted selections that predate v6 pairing
-// transparently apply to the synthesized v6 entry.
+// HasUserSelectionForRoute returns true if the user has explicitly selected or deselected this specific route
 func (rs *RouteSelector) HasUserSelectionForRoute(routeID route.NetID) bool {
 	rs.mu.RLock()
 	defer rs.mu.RUnlock()

-	return rs.hasUserSelectionForRouteLocked(rs.effectiveNetID(routeID))
+	_, selected := rs.selectedRoutes[routeID]
+	_, deselected := rs.deselectedRoutes[routeID]
+	return selected || deselected
 }

 func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap {
@@ -164,7 +174,7 @@ func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap
 	filtered := make(route.HAMap, len(routes))
 	for id, rt := range routes {
 		netID := id.NetID()
-		if rs.isDeselectedLocked(netID) {
+		if rs.isDeselected(netID) {
 			continue
 		}

@@ -179,48 +189,13 @@ func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap
 	return filtered
 }

-// effectiveNetID returns the v4 base for a "-v6" exit pair entry that has no explicit
-// state of its own, so selections made on the v4 entry govern the v6 entry automatically.
-// Only call this from exit-node-specific code paths: applying it to a non-exit "-v6" route
-// would make it inherit unrelated v4 state. Must be called with rs.mu held.
-func (rs *RouteSelector) effectiveNetID(id route.NetID) route.NetID {
-	name := string(id)
-	if !strings.HasSuffix(name, route.V6ExitSuffix) {
-		return id
-	}
-	if _, ok := rs.selectedRoutes[id]; ok {
-		return id
-	}
-	if _, ok := rs.deselectedRoutes[id]; ok {
-		return id
-	}
-	return route.NetID(strings.TrimSuffix(name, route.V6ExitSuffix))
-}
-
-func (rs *RouteSelector) isSelectedLocked(routeID route.NetID) bool {
-	if rs.deselectAll {
-		return false
-	}
-	_, deselected := rs.deselectedRoutes[routeID]
-	return !deselected
-}
-
-func (rs *RouteSelector) isDeselectedLocked(netID route.NetID) bool {
-	if rs.deselectAll {
-		return true
-	}
+func (rs *RouteSelector) isDeselected(netID route.NetID) bool {
 	_, deselected := rs.deselectedRoutes[netID]
-	return deselected
-}
-
-func (rs *RouteSelector) hasUserSelectionForRouteLocked(routeID route.NetID) bool {
-	_, selected := rs.selectedRoutes[routeID]
-	_, deselected := rs.deselectedRoutes[routeID]
-	return selected || deselected
+	return deselected || rs.deselectAll
 }

 func isExitNode(rt []*route.Route) bool {
-	return len(rt) > 0 && (route.IsV4DefaultRoute(rt[0].Network) || route.IsV6DefaultRoute(rt[0].Network))
+	return len(rt) > 0 && rt[0].Network.String() == exitNodeCIDR
 }

 func (rs *RouteSelector) applyExitNodeFilter(
@@ -229,23 +204,26 @@ func (rs *RouteSelector) applyExitNodeFilter(
 	rt []*route.Route,
 	out route.HAMap,
 ) {
-	// Exit-node path: apply the v4/v6 pair mirror so a deselect on the v4 base also
-	// drops the synthesized v6 entry that lacks its own explicit state.
-	effective := rs.effectiveNetID(netID)
-	if rs.hasUserSelectionForRouteLocked(effective) {
-		if rs.isSelectedLocked(effective) {
+
+	if rs.hasUserSelections() {
+		// user made explicit selects/deselects
+		if rs.IsSelected(netID) {
 			out[id] = rt
 		}
 		return
 	}

-	// no explicit selection for this route: defer to management's SkipAutoApply flag
+	// no explicit selections: only include routes marked !SkipAutoApply (=AutoApply)
 	sel := collectSelected(rt)
 	if len(sel) > 0 {
 		out[id] = sel
 	}
 }

+func (rs *RouteSelector) hasUserSelections() bool {
+	return len(rs.selectedRoutes) > 0 || len(rs.deselectedRoutes) > 0
+}
+
 func collectSelected(rt []*route.Route) []*route.Route {
 	var sel []*route.Route
 	for _, r := range rt {
--- a/client/internal/routeselector/routeselector_test.go
+++ b/client/internal/routeselector/routeselector_test.go
@@ -330,137 +330,6 @@ func TestRouteSelector_FilterSelectedExitNodes(t *testing.T) {
 	assert.Len(t, filtered, 0) // No routes should be selected
 }

-// TestRouteSelector_V6ExitPairInherits covers the v4/v6 exit-node pair selection
-// mirror. The mirror is scoped to exit-node code paths: HasUserSelectionForRoute
-// and FilterSelectedExitNodes resolve a "-v6" entry without explicit state to its
-// v4 base, so legacy persisted selections that predate v6 pairing transparently
-// apply to the synthesized v6 entry. General lookups (IsSelected, FilterSelected)
-// stay literal so unrelated routes named "*-v6" don't inherit unrelated state.
-func TestRouteSelector_V6ExitPairInherits(t *testing.T) {
-	all := []route.NetID{"exit1", "exit1-v6", "exit2", "exit2-v6", "corp", "corp-v6"}
-
-	t.Run("HasUserSelectionForRoute mirrors deselected v4 base", func(t *testing.T) {
-		rs := routeselector.NewRouteSelector()
-		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
-
-		assert.True(t, rs.HasUserSelectionForRoute("exit1-v6"), "v6 pair sees v4 base's user selection")
-
-		// unrelated v6 with no v4 base touched is unaffected
-		assert.False(t, rs.HasUserSelectionForRoute("exit2-v6"))
-	})
-
-	t.Run("IsSelected stays literal for non-exit lookups", func(t *testing.T) {
-		rs := routeselector.NewRouteSelector()
-		require.NoError(t, rs.DeselectRoutes([]route.NetID{"corp"}, all))
-
-		// A non-exit route literally named "corp-v6" must not inherit "corp"'s state
-		// via the mirror; the mirror only applies in exit-node code paths.
-		assert.False(t, rs.IsSelected("corp"))
-		assert.True(t, rs.IsSelected("corp-v6"), "non-exit *-v6 routes must not inherit unrelated v4 state")
-	})
-
-	t.Run("explicit v6 state overrides v4 base in filter", func(t *testing.T) {
-		rs := routeselector.NewRouteSelector()
-		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
-		require.NoError(t, rs.SelectRoutes([]route.NetID{"exit1-v6"}, true, all))
-
-		v4Route := &route.Route{NetID: "exit1", Network: netip.MustParsePrefix("0.0.0.0/0")}
-		v6Route := &route.Route{NetID: "exit1-v6", Network: netip.MustParsePrefix("::/0")}
-		routes := route.HAMap{
-			"exit1|0.0.0.0/0": {v4Route},
-			"exit1-v6|::/0":   {v6Route},
-		}
-
-		filtered := rs.FilterSelectedExitNodes(routes)
-		assert.NotContains(t, filtered, route.HAUniqueID("exit1|0.0.0.0/0"))
-		assert.Contains(t, filtered, route.HAUniqueID("exit1-v6|::/0"), "explicit v6 select wins over v4 base")
-	})
-
-	t.Run("non-v6-suffix routes unaffected", func(t *testing.T) {
-		rs := routeselector.NewRouteSelector()
-		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
-
-		// A route literally named "exit1-something" must not pair-resolve.
-		assert.False(t, rs.HasUserSelectionForRoute("exit1-something"))
-	})
-
-	t.Run("filter v6 paired with deselected v4 base", func(t *testing.T) {
-		rs := routeselector.NewRouteSelector()
-		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
-
-		v4Route := &route.Route{NetID: "exit1", Network: netip.MustParsePrefix("0.0.0.0/0")}
-		v6Route := &route.Route{NetID: "exit1-v6", Network: netip.MustParsePrefix("::/0")}
-		routes := route.HAMap{
-			"exit1|0.0.0.0/0": {v4Route},
-			"exit1-v6|::/0":   {v6Route},
-		}
-
-		filtered := rs.FilterSelectedExitNodes(routes)
-		assert.Empty(t, filtered, "deselecting v4 base must also drop the v6 pair")
-	})
-
-	t.Run("non-exit *-v6 routes pass through FilterSelectedExitNodes", func(t *testing.T) {
-		rs := routeselector.NewRouteSelector()
-		require.NoError(t, rs.DeselectRoutes([]route.NetID{"corp"}, all))
-
-		// A non-default-route entry named "corp-v6" is not an exit node and
-		// must not be skipped because its v4 base "corp" is deselected.
-		corpV6 := &route.Route{NetID: "corp-v6", Network: netip.MustParsePrefix("10.0.0.0/8")}
-		routes := route.HAMap{
-			"corp-v6|10.0.0.0/8": {corpV6},
-		}
-
-		filtered := rs.FilterSelectedExitNodes(routes)
-		assert.Contains(t, filtered, route.HAUniqueID("corp-v6|10.0.0.0/8"),
-			"non-exit *-v6 routes must not inherit unrelated v4 state in FilterSelectedExitNodes")
-	})
-}
-
-// TestRouteSelector_SkipAutoApplyPerRoute verifies that management's
-// SkipAutoApply flag governs each untouched route independently, even when
-// the user has explicit selections on other routes.
-func TestRouteSelector_SkipAutoApplyPerRoute(t *testing.T) {
-	autoApplied := &route.Route{
-		NetID:         "Auto",
-		Network:       netip.MustParsePrefix("0.0.0.0/0"),
-		SkipAutoApply: false,
-	}
-	skipApply := &route.Route{
-		NetID:         "Skip",
-		Network:       netip.MustParsePrefix("0.0.0.0/0"),
-		SkipAutoApply: true,
-	}
-	routes := route.HAMap{
-		"Auto|0.0.0.0/0": {autoApplied},
-		"Skip|0.0.0.0/0": {skipApply},
-	}
-
-	rs := routeselector.NewRouteSelector()
-	// User makes an unrelated explicit selection elsewhere.
-	require.NoError(t, rs.DeselectRoutes([]route.NetID{"Unrelated"}, []route.NetID{"Auto", "Skip", "Unrelated"}))
-
-	filtered := rs.FilterSelectedExitNodes(routes)
-	assert.Contains(t, filtered, route.HAUniqueID("Auto|0.0.0.0/0"), "AutoApply route should be included")
-	assert.NotContains(t, filtered, route.HAUniqueID("Skip|0.0.0.0/0"), "SkipAutoApply route should be excluded without explicit user selection")
-}
-
-// TestRouteSelector_V6ExitIsExitNode verifies that ::/0 routes are recognized
-// as exit nodes by the selector's filter path.
-func TestRouteSelector_V6ExitIsExitNode(t *testing.T) {
-	v6Exit := &route.Route{
-		NetID:         "V6Only",
-		Network:       netip.MustParsePrefix("::/0"),
-		SkipAutoApply: true,
-	}
-	routes := route.HAMap{
-		"V6Only|::/0": {v6Exit},
-	}
-
-	rs := routeselector.NewRouteSelector()
-	filtered := rs.FilterSelectedExitNodes(routes)
-	assert.Empty(t, filtered, "::/0 should be treated as an exit node and respect SkipAutoApply")
-}
-
 func TestRouteSelector_NewRoutesBehavior(t *testing.T) {
 	initialRoutes := []route.NetID{"route1", "route2", "route3"}
 	newRoutes := []route.NetID{"route1", "route2", "route3", "route4", "route5"}
--- a/client/internal/sleep/detector_darwin.go
+++ b/client/internal/sleep/detector_darwin.go
@@ -188,9 +188,7 @@ func (d *Detector) triggerCallback(event EventType, cb func(event EventType), do
 	}

 	doneChan := make(chan struct{})
-	// macOS forces sleep ~30s after kIOMessageSystemWillSleep, so block long
-	// enough for teardown to finish while staying under that deadline.
-	timeout := time.NewTimer(20 * time.Second)
+	timeout := time.NewTimer(500 * time.Millisecond)
 	defer timeout.Stop()

 	go func() {
--- a/client/internal/statemanager/manager.go
+++ b/client/internal/statemanager/manager.go
@@ -96,19 +96,17 @@ func (m *Manager) Stop(ctx context.Context) error {
 	}

 	m.mu.Lock()
-	cancel := m.cancel
-	done := m.done
-	m.mu.Unlock()
+	defer m.mu.Unlock()

-	if cancel == nil {
+	if m.cancel == nil {
 		return nil
 	}
-	cancel()
+	m.cancel()

 	select {
 	case <-ctx.Done():
 		return ctx.Err()
-	case <-done:
+	case <-m.done:
 	}

 	return nil
--- a/client/ios/NetBirdSDK/client.go
+++ b/client/ios/NetBirdSDK/client.go
@@ -162,7 +162,11 @@ func (c *Client) Run(fd int32, interfaceName string, envList *EnvList) error {
 	cfg.WgIface = interfaceName

 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOniOS(fd, c.networkChangeListener, c.dnsManager, c.stateFile)
+	hostDNS := []netip.AddrPort{
+		netip.MustParseAddrPort("9.9.9.9:53"),
+		netip.MustParseAddrPort("149.112.112.112:53"),
+	}
+	return c.connectClient.RunOniOS(fd, c.networkChangeListener, c.dnsManager, hostDNS, c.stateFile)
 }

 // Stop the internal client and free the resources
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -91,15 +91,6 @@ service DaemonService {

  rpc GetActiveProfile(GetActiveProfileRequest) returns (GetActiveProfileResponse) {}

-  // AddOwner adds a UID to the active profile's owner list. Requires
-  // root or an existing owner.
-  rpc AddOwner(AddOwnerRequest) returns (AddOwnerResponse) {}
-
-  // ResetOwner clears the active profile's owner list, returning it to
-  // the unconfigured state. The next call from the active console-session
-  // user will then re-claim ownership. Requires root.
-  rpc ResetOwner(ResetOwnerRequest) returns (ResetOwnerResponse) {}
-
  // Logout disconnects from the network and deletes the peer from the management server
  rpc Logout(LogoutRequest) returns (LogoutResponse) {}

@@ -236,10 +227,6 @@ message UpRequest {
  optional string profileName = 1;
  optional string username = 2;
  reserved 3;
-  // When true, the caller claims owner privileges for this profile.
-  // Requires root or current owner; for new installs (root-only mode),
-  // the calling UID becomes an owner.
-  bool claimOwner = 4;
 }

 message UpResponse {}
@@ -702,16 +689,6 @@ message AddProfileRequest {

 message AddProfileResponse {}

-message AddOwnerRequest {
-  uint32 uid = 1;
-}
-
-message AddOwnerResponse {}
-
-message ResetOwnerRequest {}
-
-message ResetOwnerResponse {}
-
 message RemoveProfileRequest {
  string username = 1;
  string profileName = 2;
--- a/client/proto/daemon_grpc.pb.go
+++ b/client/proto/daemon_grpc.pb.go
@@ -48,8 +48,6 @@ const (
 	DaemonService_RemoveProfile_FullMethodName              = "/daemon.DaemonService/RemoveProfile"
 	DaemonService_ListProfiles_FullMethodName               = "/daemon.DaemonService/ListProfiles"
 	DaemonService_GetActiveProfile_FullMethodName           = "/daemon.DaemonService/GetActiveProfile"
-	DaemonService_AddOwner_FullMethodName                   = "/daemon.DaemonService/AddOwner"
-	DaemonService_ResetOwner_FullMethodName                 = "/daemon.DaemonService/ResetOwner"
 	DaemonService_Logout_FullMethodName                     = "/daemon.DaemonService/Logout"
 	DaemonService_GetFeatures_FullMethodName                = "/daemon.DaemonService/GetFeatures"
 	DaemonService_TriggerUpdate_FullMethodName              = "/daemon.DaemonService/TriggerUpdate"
@@ -117,13 +115,6 @@ type DaemonServiceClient interface {
 	RemoveProfile(ctx context.Context, in *RemoveProfileRequest, opts ...grpc.CallOption) (*RemoveProfileResponse, error)
 	ListProfiles(ctx context.Context, in *ListProfilesRequest, opts ...grpc.CallOption) (*ListProfilesResponse, error)
 	GetActiveProfile(ctx context.Context, in *GetActiveProfileRequest, opts ...grpc.CallOption) (*GetActiveProfileResponse, error)
-	// AddOwner adds a UID to the active profile's owner list. Requires
-	// root or an existing owner.
-	AddOwner(ctx context.Context, in *AddOwnerRequest, opts ...grpc.CallOption) (*AddOwnerResponse, error)
-	// ResetOwner clears the active profile's owner list, returning it to
-	// the unconfigured state. The next call from the active console-session
-	// user will then re-claim ownership. Requires root.
-	ResetOwner(ctx context.Context, in *ResetOwnerRequest, opts ...grpc.CallOption) (*ResetOwnerResponse, error)
 	// Logout disconnects from the network and deletes the peer from the management server
 	Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error)
 	GetFeatures(ctx context.Context, in *GetFeaturesRequest, opts ...grpc.CallOption) (*GetFeaturesResponse, error)
@@ -461,26 +452,6 @@ func (c *daemonServiceClient) GetActiveProfile(ctx context.Context, in *GetActiv
 	return out, nil
 }

-func (c *daemonServiceClient) AddOwner(ctx context.Context, in *AddOwnerRequest, opts ...grpc.CallOption) (*AddOwnerResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(AddOwnerResponse)
-	err := c.cc.Invoke(ctx, DaemonService_AddOwner_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *daemonServiceClient) ResetOwner(ctx context.Context, in *ResetOwnerRequest, opts ...grpc.CallOption) (*ResetOwnerResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(ResetOwnerResponse)
-	err := c.cc.Invoke(ctx, DaemonService_ResetOwner_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *daemonServiceClient) Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(LogoutResponse)
@@ -645,13 +616,6 @@ type DaemonServiceServer interface {
 	RemoveProfile(context.Context, *RemoveProfileRequest) (*RemoveProfileResponse, error)
 	ListProfiles(context.Context, *ListProfilesRequest) (*ListProfilesResponse, error)
 	GetActiveProfile(context.Context, *GetActiveProfileRequest) (*GetActiveProfileResponse, error)
-	// AddOwner adds a UID to the active profile's owner list. Requires
-	// root or an existing owner.
-	AddOwner(context.Context, *AddOwnerRequest) (*AddOwnerResponse, error)
-	// ResetOwner clears the active profile's owner list, returning it to
-	// the unconfigured state. The next call from the active console-session
-	// user will then re-claim ownership. Requires root.
-	ResetOwner(context.Context, *ResetOwnerRequest) (*ResetOwnerResponse, error)
 	// Logout disconnects from the network and deletes the peer from the management server
 	Logout(context.Context, *LogoutRequest) (*LogoutResponse, error)
 	GetFeatures(context.Context, *GetFeaturesRequest) (*GetFeaturesResponse, error)
@@ -768,12 +732,6 @@ func (UnimplementedDaemonServiceServer) ListProfiles(context.Context, *ListProfi
 func (UnimplementedDaemonServiceServer) GetActiveProfile(context.Context, *GetActiveProfileRequest) (*GetActiveProfileResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetActiveProfile not implemented")
 }
-func (UnimplementedDaemonServiceServer) AddOwner(context.Context, *AddOwnerRequest) (*AddOwnerResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "method AddOwner not implemented")
-}
-func (UnimplementedDaemonServiceServer) ResetOwner(context.Context, *ResetOwnerRequest) (*ResetOwnerResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "method ResetOwner not implemented")
-}
 func (UnimplementedDaemonServiceServer) Logout(context.Context, *LogoutRequest) (*LogoutResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method Logout not implemented")
 }
@@ -1333,42 +1291,6 @@ func _DaemonService_GetActiveProfile_Handler(srv interface{}, ctx context.Contex
 	return interceptor(ctx, in, info, handler)
 }

-func _DaemonService_AddOwner_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(AddOwnerRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(DaemonServiceServer).AddOwner(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: DaemonService_AddOwner_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DaemonServiceServer).AddOwner(ctx, req.(*AddOwnerRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _DaemonService_ResetOwner_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(ResetOwnerRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(DaemonServiceServer).ResetOwner(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: DaemonService_ResetOwner_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DaemonServiceServer).ResetOwner(ctx, req.(*ResetOwnerRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _DaemonService_Logout_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(LogoutRequest)
 	if err := dec(in); err != nil {
@@ -1657,14 +1579,6 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetActiveProfile",
 			Handler:    _DaemonService_GetActiveProfile_Handler,
 		},
-		{
-			MethodName: "AddOwner",
-			Handler:    _DaemonService_AddOwner_Handler,
-		},
-		{
-			MethodName: "ResetOwner",
-			Handler:    _DaemonService_ResetOwner_Handler,
-		},
 		{
 			MethodName: "Logout",
 			Handler:    _DaemonService_Logout_Handler,
--- a/client/server/login_overrides_test.go
+++ b/client/server/login_overrides_test.go
@@ -1,93 +0,0 @@
-package server
-
-import (
-	"path/filepath"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal/profilemanager"
-)
-
-func TestPersistLoginOverrides(t *testing.T) {
-	strPtr := func(s string) *string { return &s }
-
-	tests := []struct {
-		name           string
-		initialMgmtURL string
-		initialPSK     string
-		newMgmtURL     string
-		newPSK         *string
-		wantMgmtURL    string
-		wantPSK        string
-	}{
-		{
-			name:           "persist new management URL",
-			initialMgmtURL: "https://old.example.com:33073",
-			newMgmtURL:     "https://new.example.com:33073",
-			wantMgmtURL:    "https://new.example.com:33073",
-		},
-		{
-			name:           "persist new pre-shared key",
-			initialMgmtURL: "https://existing.example.com:33073",
-			initialPSK:     "old-key",
-			newPSK:         strPtr("new-key"),
-			wantMgmtURL:    "https://existing.example.com:33073",
-			wantPSK:        "new-key",
-		},
-		{
-			name:           "persist both",
-			initialMgmtURL: "https://old.example.com:33073",
-			initialPSK:     "old-key",
-			newMgmtURL:     "https://new.example.com:33073",
-			newPSK:         strPtr("new-key"),
-			wantMgmtURL:    "https://new.example.com:33073",
-			wantPSK:        "new-key",
-		},
-		{
-			name:           "no inputs preserves existing",
-			initialMgmtURL: "https://existing.example.com:33073",
-			initialPSK:     "existing-key",
-			wantMgmtURL:    "https://existing.example.com:33073",
-			wantPSK:        "existing-key",
-		},
-		{
-			name:           "empty PSK pointer is ignored",
-			initialMgmtURL: "https://existing.example.com:33073",
-			initialPSK:     "existing-key",
-			newPSK:         strPtr(""),
-			wantMgmtURL:    "https://existing.example.com:33073",
-			wantPSK:        "existing-key",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			origDefault := profilemanager.DefaultConfigPath
-			t.Cleanup(func() { profilemanager.DefaultConfigPath = origDefault })
-
-			dir := t.TempDir()
-			profilemanager.DefaultConfigPath = filepath.Join(dir, "default.json")
-
-			seed := profilemanager.ConfigInput{
-				ConfigPath:    profilemanager.DefaultConfigPath,
-				ManagementURL: tt.initialMgmtURL,
-			}
-			if tt.initialPSK != "" {
-				seed.PreSharedKey = strPtr(tt.initialPSK)
-			}
-			_, err := profilemanager.UpdateOrCreateConfig(seed)
-			require.NoError(t, err, "seed config")
-
-			activeProf := &profilemanager.ActiveProfileState{Name: "default"}
-			err = persistLoginOverrides(activeProf, tt.newMgmtURL, tt.newPSK)
-			require.NoError(t, err, "persistLoginOverrides")
-
-			cfg, err := profilemanager.ReadConfig(profilemanager.DefaultConfigPath)
-			require.NoError(t, err, "read back config")
-
-			require.Equal(t, tt.wantMgmtURL, cfg.ManagementURL.String(), "management URL")
-			require.Equal(t, tt.wantPSK, cfg.PreSharedKey, "pre-shared key")
-		})
-	}
-}
--- a/client/server/owner.go
+++ b/client/server/owner.go
@@ -1,172 +0,0 @@
-package server
-
-import (
-	"context"
-	"fmt"
-	"slices"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/internal/owner"
-	"github.com/netbirdio/netbird/client/internal/profilemanager"
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/util"
-)
-
-// authorizeTargetProfile enforces the "match or root" rule for operations
-// that target a specific profile (Remove/Switch). The caller must be root
-// or appear in the target profile config's OwnerUIDs. A target profile in
-// legacy TOFU state (nil OwnerUIDs) is treated as unowned and therefore
-// accessible to any peer-creds caller, which matches pre-enforcement
-// behavior on upgraded installs.
-func (s *Server) authorizeTargetProfile(ctx context.Context, profileName, username string) error {
-	uid, ok := owner.UIDFromContext(ctx)
-	if !ok {
-		return status.Error(codes.PermissionDenied, "peer credentials unavailable")
-	}
-	if uid == 0 {
-		return nil
-	}
-
-	cfg, err := s.readProfileConfig(profileName, username)
-	if err != nil {
-		return fmt.Errorf("read target profile config: %w", err)
-	}
-
-	// Legacy / never-claimed target: allow, mirroring the migration TOFU
-	// semantics in the interceptor.
-	if cfg.OwnerUIDs == nil {
-		return nil
-	}
-
-	if slices.Contains(cfg.OwnerUIDs, uid) {
-		return nil
-	}
-
-	return status.Errorf(codes.PermissionDenied,
-		"profile %q is owned by another user (uid %d is not in its owner list)", profileName, uid)
-}
-
-// readProfileConfig loads a profile's config from disk without making it
-// active. Used by authorizeTargetProfile.
-func (s *Server) readProfileConfig(profileName, username string) (*profilemanager.Config, error) {
-	state := &profilemanager.ActiveProfileState{Name: profileName, Username: username}
-	path, err := state.FilePath()
-	if err != nil {
-		return nil, fmt.Errorf("resolve profile path: %w", err)
-	}
-	cfg, err := profilemanager.GetConfig(path)
-	if err != nil {
-		return nil, fmt.Errorf("load %s: %w", path, err)
-	}
-	return cfg, nil
-}
-
-// GetOwnerUIDs returns the current owner UIDs from the active config.
-// nil means TOFU mode, empty means root-only, populated means those UIDs are owners.
-func (s *Server) GetOwnerUIDs() []owner.UID {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	if s.config == nil {
-		return nil
-	}
-
-	return s.config.OwnerUIDs
-}
-
-// AddOwnerUID adds the given UID to the owner list in the active profile config.
-func (s *Server) AddOwnerUID(uid owner.UID) error {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	return s.addOwnerUIDLocked(uid)
-}
-
-// addOwnerUIDLocked adds uid to the active profile's owner list and persists it.
-// The caller must hold s.mutex.
-func (s *Server) addOwnerUIDLocked(uid owner.UID) error {
-	if s.config == nil {
-		return fmt.Errorf("config not loaded")
-	}
-
-	if slices.Contains(s.config.OwnerUIDs, uid) {
-		return nil
-	}
-
-	s.config.OwnerUIDs = append(s.config.OwnerUIDs, uid)
-
-	activeProf, err := s.profileManager.GetActiveProfileState()
-	if err != nil {
-		return fmt.Errorf("get active profile: %w", err)
-	}
-
-	cfgPath, err := activeProf.FilePath()
-	if err != nil {
-		return fmt.Errorf("get profile file path: %w", err)
-	}
-
-	if err := util.WriteJson(context.Background(), cfgPath, s.config); err != nil {
-		return fmt.Errorf("write config: %w", err)
-	}
-
-	log.Infof("owner UID %d added in %s (owners: %v)", uid, cfgPath, s.config.OwnerUIDs)
-	return nil
-}
-
-// AddOwner handles the AddOwner RPC. The interceptor has already gated this
-// call (caller must be root or an existing owner); the handler just persists
-// the new UID into the active profile config.
-func (s *Server) AddOwner(_ context.Context, msg *proto.AddOwnerRequest) (*proto.AddOwnerResponse, error) {
-	if msg == nil || msg.Uid == 0 {
-		return nil, status.Error(codes.InvalidArgument, "uid must be non-zero")
-	}
-	if err := s.AddOwnerUID(owner.UID(msg.Uid)); err != nil {
-		return nil, fmt.Errorf("add owner: %w", err)
-	}
-	return &proto.AddOwnerResponse{}, nil
-}
-
-// ResetOwner clears the active profile's owner list. Only callable by root
-// (the interceptor enforces this: a non-owner non-root caller is denied
-// before reaching the handler, and only owners or root can reach Add/Reset
-// at all; we additionally require root here so existing owners can't reset
-// each other out).
-func (s *Server) ResetOwner(ctx context.Context, _ *proto.ResetOwnerRequest) (*proto.ResetOwnerResponse, error) {
-	uid, ok := owner.UIDFromContext(ctx)
-	if !ok {
-		return nil, status.Error(codes.PermissionDenied, "peer credentials unavailable")
-	}
-	if uid != 0 {
-		return nil, status.Error(codes.PermissionDenied, "reset-owner requires root")
-	}
-
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	if s.config == nil {
-		return nil, fmt.Errorf("config not loaded")
-	}
-
-	// Reset to the fresh-install state (empty, not nil): only root and the
-	// active console-session user can reclaim. nil would be legacy migration
-	// TOFU, where any non-root caller (including SSH) could reclaim.
-	s.config.OwnerUIDs = []owner.UID{}
-
-	activeProf, err := s.profileManager.GetActiveProfileState()
-	if err != nil {
-		return nil, fmt.Errorf("get active profile: %w", err)
-	}
-	cfgPath, err := activeProf.FilePath()
-	if err != nil {
-		return nil, fmt.Errorf("get profile file path: %w", err)
-	}
-	if err := util.WriteJson(context.Background(), cfgPath, s.config); err != nil {
-		return nil, fmt.Errorf("write config: %w", err)
-	}
-
-	log.Infof("owner list reset; next call from the active console user will re-claim ownership")
-	return &proto.ResetOwnerResponse{}, nil
-}
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -22,7 +22,6 @@ import (

 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/expose"
-	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	sleephandler "github.com/netbirdio/netbird/client/internal/sleep/handler"
 	"github.com/netbirdio/netbird/client/system"
@@ -491,11 +490,6 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro

 	s.mutex.Unlock()

-	if err := persistLoginOverrides(activeProf, msg.ManagementUrl, msg.OptionalPreSharedKey); err != nil {
-		log.Errorf("failed to persist login overrides: %v", err)
-		return nil, fmt.Errorf("persist login overrides: %w", err)
-	}
-
 	config, _, err := s.getConfig(activeProf)
 	if err != nil {
 		log.Errorf("failed to get active profile config: %v", err)
@@ -736,18 +730,6 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	}
 	s.config = config

-	// An explicit --owner claim locks the active profile to the calling user
-	// (plus root). Root has no specific UID to claim, so only non-root callers
-	// take effect here; the interceptor has already authorized the call.
-	if msg != nil && msg.ClaimOwner {
-		if uid, ok := owner.UIDFromContext(callerCtx); ok && uid != 0 {
-			if err := s.addOwnerUIDLocked(uid); err != nil {
-				s.mutex.Unlock()
-				return nil, fmt.Errorf("claim owner: %w", err)
-			}
-		}
-	}
-
 	s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())
 	s.statusRecorder.UpdateRosenpass(s.config.RosenpassEnabled, s.config.RosenpassPermissive)

@@ -813,18 +795,6 @@ func (s *Server) switchProfileIfNeeded(profileName string, userName *string, act

 // SwitchProfile switches the active profile in the daemon.
 func (s *Server) SwitchProfile(callerCtx context.Context, msg *proto.SwitchProfileRequest) (*proto.SwitchProfileResponse, error) {
-	// Switching downs the current session and starts another, so the caller
-	// must own the target profile (or be root).
-	if msg != nil && msg.ProfileName != nil {
-		username := ""
-		if msg.Username != nil {
-			username = *msg.Username
-		}
-		if err := s.authorizeTargetProfile(callerCtx, *msg.ProfileName, username); err != nil {
-			return nil, err
-		}
-	}
-
 	s.mutex.Lock()
 	defer s.mutex.Unlock()

@@ -994,7 +964,7 @@ func (s *Server) handleActiveProfileLogout(ctx context.Context) (*proto.LogoutRe
 	return &proto.LogoutResponse{}, nil
 }

-// getConfig reads config file and returns Config and whether the config file already existed. Errors out if it does not exist
+// GetConfig reads config file and returns Config and whether the config file already existed. Errors out if it does not exist
 func (s *Server) getConfig(activeProf *profilemanager.ActiveProfileState) (*profilemanager.Config, bool, error) {
 	cfgPath, err := activeProf.FilePath()
 	if err != nil {
@@ -1589,17 +1559,7 @@ func (s *Server) AddProfile(ctx context.Context, msg *proto.AddProfileRequest) (
 		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name and username must be provided")
 	}

-	// New profiles auto-claim the caller as their sole owner so the user who
-	// just created the profile retains control (and other local users can't
-	// touch it via SwitchProfile/RemoveProfile). When called by root, leave
-	// OwnerUIDs at the default (empty/env-seeded); root explicitly didn't
-	// claim ownership for any specific user.
-	var initialOwners []owner.UID
-	if uid, ok := owner.UIDFromContext(ctx); ok && uid != 0 {
-		initialOwners = []owner.UID{uid}
-	}
-
-	if err := s.profileManager.AddProfile(msg.ProfileName, msg.Username, initialOwners); err != nil {
+	if err := s.profileManager.AddProfile(msg.ProfileName, msg.Username); err != nil {
 		log.Errorf("failed to create profile: %v", err)
 		return nil, fmt.Errorf("failed to create profile: %w", err)
 	}
@@ -1609,10 +1569,6 @@ func (s *Server) AddProfile(ctx context.Context, msg *proto.AddProfileRequest) (

 // RemoveProfile removes a profile from the daemon.
 func (s *Server) RemoveProfile(ctx context.Context, msg *proto.RemoveProfileRequest) (*proto.RemoveProfileResponse, error) {
-	if err := s.authorizeTargetProfile(ctx, msg.ProfileName, msg.Username); err != nil {
-		return nil, err
-	}
-
 	s.mutex.Lock()
 	defer s.mutex.Unlock()

@@ -1810,29 +1766,3 @@ func sendTerminalNotification() error {

 	return wallCmd.Wait()
 }
-
-// persistLoginOverrides writes management URL and pre-shared key from a LoginRequest to the
-// active profile config so that subsequent reads pick them up. Empty/nil values are ignored.
-func persistLoginOverrides(activeProf *profilemanager.ActiveProfileState, managementURL string, preSharedKey *string) error {
-	if preSharedKey != nil && *preSharedKey == "" {
-		preSharedKey = nil
-	}
-	if managementURL == "" && preSharedKey == nil {
-		return nil
-	}
-
-	cfgPath, err := activeProf.FilePath()
-	if err != nil {
-		return fmt.Errorf("active profile file path: %w", err)
-	}
-
-	input := profilemanager.ConfigInput{
-		ConfigPath:    cfgPath,
-		ManagementURL: managementURL,
-		PreSharedKey:  preSharedKey,
-	}
-	if _, err := profilemanager.UpdateOrCreateConfig(input); err != nil {
-		return fmt.Errorf("update config: %w", err)
-	}
-	return nil
-}
--- a/client/server/server_test.go
+++ b/client/server/server_test.go
@@ -13,7 +13,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/otel"

-	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
+	"github.com/netbirdio/management-integrations/integrations"

 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
@@ -315,7 +315,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 		return nil, "", err
 	}

-	ia, _ := validator.NewIntegratedValidator(context.Background(), peersManager, settingsManagerMock, eventStore, cacheStore)
+	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, settingsManagerMock, eventStore, cacheStore)

 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
--- a/client/ssh/client/client.go
+++ b/client/ssh/client/client.go
@@ -25,7 +25,6 @@ import (
 	nbssh "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/ssh/detection"
 	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/util/netrelay"
 )

 const (
@@ -537,7 +536,7 @@ func (c *Client) LocalPortForward(ctx context.Context, localAddr, remoteAddr str
 				continue
 			}

-			go c.handleLocalForward(ctx, localConn, remoteAddr)
+			go c.handleLocalForward(localConn, remoteAddr)
 		}
 	}()

@@ -549,7 +548,7 @@ func (c *Client) LocalPortForward(ctx context.Context, localAddr, remoteAddr str
 }

 // handleLocalForward handles a single local port forwarding connection
-func (c *Client) handleLocalForward(ctx context.Context, localConn net.Conn, remoteAddr string) {
+func (c *Client) handleLocalForward(localConn net.Conn, remoteAddr string) {
 	defer func() {
 		if err := localConn.Close(); err != nil {
 			log.Debugf("local port forwarding: close local connection: %v", err)
@@ -572,7 +571,7 @@ func (c *Client) handleLocalForward(ctx context.Context, localConn net.Conn, rem
 		}
 	}()

-	netrelay.Relay(ctx, localConn, channel, netrelay.Options{Logger: log.NewEntry(log.StandardLogger())})
+	nbssh.BidirectionalCopy(log.NewEntry(log.StandardLogger()), localConn, channel)
 }

 // RemotePortForward sets up remote port forwarding, binding on remote and forwarding to localAddr
@@ -654,19 +653,16 @@ func (c *Client) handleRemoteForwardChannels(ctx context.Context, localAddr stri
 		select {
 		case <-ctx.Done():
 			return
-		case newChan, ok := <-channelRequests:
-			if !ok {
-				return
-			}
+		case newChan := <-channelRequests:
 			if newChan != nil {
-				go c.handleRemoteForwardChannel(ctx, newChan, localAddr)
+				go c.handleRemoteForwardChannel(newChan, localAddr)
 			}
 		}
 	}
 }

 // handleRemoteForwardChannel handles a single forwarded-tcpip channel
-func (c *Client) handleRemoteForwardChannel(ctx context.Context, newChan ssh.NewChannel, localAddr string) {
+func (c *Client) handleRemoteForwardChannel(newChan ssh.NewChannel, localAddr string) {
 	channel, reqs, err := newChan.Accept()
 	if err != nil {
 		return
@@ -679,14 +675,8 @@ func (c *Client) handleRemoteForwardChannel(ctx context.Context, newChan ssh.New

 	go ssh.DiscardRequests(reqs)

-	// Bound the dial so a black-holed localAddr can't pin the accepted SSH
-	// channel open indefinitely; the relay itself runs under the outer ctx.
-	dialCtx, cancelDial := context.WithTimeout(ctx, 10*time.Second)
-	var dialer net.Dialer
-	localConn, err := dialer.DialContext(dialCtx, "tcp", localAddr)
-	cancelDial()
+	localConn, err := net.Dial("tcp", localAddr)
 	if err != nil {
-		log.Debugf("remote port forwarding: dial %s: %v", localAddr, err)
 		return
 	}
 	defer func() {
@@ -695,7 +685,7 @@ func (c *Client) handleRemoteForwardChannel(ctx context.Context, newChan ssh.New
 		}
 	}()

-	netrelay.Relay(ctx, localConn, channel, netrelay.Options{Logger: log.NewEntry(log.StandardLogger())})
+	nbssh.BidirectionalCopy(log.NewEntry(log.StandardLogger()), localConn, channel)
 }

 // tcpipForwardMsg represents the structure for tcpip-forward requests
--- a/Show More
+++ b/Show More