2.Merge remote-tracking branch 'upstream/main' into feature/remote-debug

This reverts commit 6d6333058c, reversing
changes made to 446aded1f7.

.github/workflows/docs-ack.yml

@@ -16,29 +16,19 @@ jobs:
     steps:
       - name: Read PR body
         id: body
-        shell: bash
         run: |
-          set -euo pipefail
+          BODY=$(jq -r '.pull_request.body // ""' "$GITHUB_EVENT_PATH")
-          BODY_B64=$(jq -r '.pull_request.body // "" | @base64' "$GITHUB_EVENT_PATH")
+          echo "body<<EOF" >> $GITHUB_OUTPUT
-          {
+          echo "$BODY" >> $GITHUB_OUTPUT
-            echo "body_b64=$BODY_B64"
+          echo "EOF" >> $GITHUB_OUTPUT
-          } >> "$GITHUB_OUTPUT"
 
       - name: Validate checkbox selection
         id: validate
-        shell: bash
-        env:
-          BODY_B64: ${{ steps.body.outputs.body_b64 }}
         run: |
-          set -euo pipefail
+          body='${{ steps.body.outputs.body }}'
-          if ! body="$(printf '%s' "$BODY_B64" | base64 -d)"; then
-            echo "::error::Failed to decode PR body from base64. Data may be corrupted or missing."
-            exit 1
-          fi
-
-          added_checked=$(printf '%s' "$body" | grep -Ei '^[[:space:]]*-\s*\[x\]\s*I added/updated documentation' | wc -l | tr -d '[:space:]' || true)
-          noneed_checked=$(printf '%s' "$body" | grep -Ei '^[[:space:]]*-\s*\[x\]\s*Documentation is \*\*not needed\*\*' | wc -l | tr -d '[:space:]' || true)
 
+          added_checked=$(printf "%s" "$body" | grep -E '^- \[x\] I added/updated documentation' -i | wc -l | tr -d ' ')
+          noneed_checked=$(printf "%s" "$body" | grep -E '^- \[x\] Documentation is \*\*not needed\*\*' -i | wc -l | tr -d ' ')
 
           if [ "$added_checked" -eq 1 ] && [ "$noneed_checked" -eq 1 ]; then
             echo "::error::Choose exactly one: either 'docs added' OR 'not needed'."
@@ -51,35 +41,30 @@ jobs:
           fi
 
           if [ "$added_checked" -eq 1 ]; then
-            echo "mode=added" >> "$GITHUB_OUTPUT"
+            echo "mode=added" >> $GITHUB_OUTPUT
           else
-            echo "mode=noneed" >> "$GITHUB_OUTPUT"
+            echo "mode=noneed" >> $GITHUB_OUTPUT
           fi
 
       - name: Extract docs PR URL (when 'docs added')
         if: steps.validate.outputs.mode == 'added'
         id: extract
-        shell: bash
-        env:
-          BODY_B64: ${{ steps.body.outputs.body_b64 }}
         run: |
-          set -euo pipefail
+          body='${{ steps.body.outputs.body }}'
-          body="$(printf '%s' "$BODY_B64" | base64 -d)"
 
           # Strictly require HTTPS and that it's a PR in netbirdio/docs
-          # e.g., https://github.com/netbirdio/docs/pull/1234
+          # Examples accepted:
-          url="$(printf '%s' "$body" | grep -Eo 'https://github\.com/netbirdio/docs/pull/[0-9]+' | head -n1 || true)"
+          #   https://github.com/netbirdio/docs/pull/1234
+          url=$(printf "%s" "$body" | grep -Eo 'https://github\.com/netbirdio/docs/pull/[0-9]+' | head -n1 || true)
 
-          if [ -z "${url:-}" ]; then
+          if [ -z "$url" ]; then
             echo "::error::You checked 'docs added' but didn't include a valid HTTPS PR link to netbirdio/docs (e.g., https://github.com/netbirdio/docs/pull/1234)."
             exit 1
           fi
 
-          pr_number="$(printf '%s' "$url" | sed -E 's#.*/pull/([0-9]+)$#\1#')"
+          pr_number=$(echo "$url" | sed -E 's#.*/pull/([0-9]+)$#\1#')
-          {
+          echo "url=$url" >> $GITHUB_OUTPUT
-            echo "url=$url"
+          echo "pr_number=$pr_number" >> $GITHUB_OUTPUT
-            echo "pr_number=$pr_number"
-          } >> "$GITHUB_OUTPUT"
 
       - name: Verify docs PR exists (and is open or merged)
         if: steps.validate.outputs.mode == 'added'

.github/workflows/golang-test-linux.yml

@@ -382,32 +382,6 @@ jobs:
         store: [ 'sqlite', 'postgres' ]
     runs-on: ubuntu-22.04
     steps:
-      - name: Create Docker network
-        run: docker network create promnet
-
-      - name: Start Prometheus Pushgateway
-        run: docker run -d --name pushgateway --network promnet -p 9091:9091 prom/pushgateway
-
-      - name: Start Prometheus (for Pushgateway forwarding)
-        run: |
-          echo '
-          global:
-            scrape_interval: 15s
-          scrape_configs:
-            - job_name: "pushgateway"
-              static_configs:
-                - targets: ["pushgateway:9091"]
-          remote_write:
-            - url: ${{ secrets.GRAFANA_URL }}
-              basic_auth:
-                username: ${{ secrets.GRAFANA_USER }}
-                password: ${{ secrets.GRAFANA_API_KEY }}
-          ' > prometheus.yml
-
-          docker run -d --name prometheus --network promnet \
-            -v $PWD/prometheus.yml:/etc/prometheus/prometheus.yml \
-            -p 9090:9090 \
-            prom/prometheus
       - name: Install Go
         uses: actions/setup-go@v5
         with:
@@ -454,10 +428,9 @@ jobs:
           CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
           NETBIRD_STORE_ENGINE=${{ matrix.store }} \
           CI=true \
-          GIT_BRANCH=${{ github.ref_name }} \
           go test -tags devcert -run=^$ -bench=. \
-          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
+          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./management/... ./shared/management/... $(go list ./management/... ./shared/management/... | grep -v -e /management/server/http)
+          -timeout 20m ./management/... ./shared/management/...
 
   api_benchmark:
     name: "Management / Benchmark (API)"
@@ -548,7 +521,7 @@ jobs:
             -run=^$ \
             -bench=. \
             -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
-            -timeout 20m ./management/server/http/...
+            -timeout 20m ./management/... ./shared/management/...
 
   api_integration_test:
     name: "Management / Integration"
@@ -598,4 +571,4 @@ jobs:
           CI=true \
           go test -tags=integration \
           -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./management/server/http/...
+          -timeout 20m ./management/... ./shared/management/...

.github/workflows/golang-test-windows.yml

@@ -63,7 +63,7 @@ jobs:
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' })" >> $env:GITHUB_ENV
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' })" >> $env:GITHUB_ENV
 
       - name: test
         run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"

.github/workflows/golangci-lint.yml

@@ -19,7 +19,7 @@ jobs:
       - name: codespell
         uses: codespell-project/actions-codespell@v2
         with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros
           skip: go.mod,go.sum
   golangci:
     strategy:

.github/workflows/wasm-build-validation.yml

@@ -0,0 +1,67 @@
+name: Wasm
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  js_lint:
+    name: "JS / Lint"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
+      - name: Install golangci-lint
+        uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc
+        with:
+          version: latest
+          install-mode: binary
+          skip-cache: true
+          skip-pkg-cache: true
+          skip-build-cache: true
+      - name: Run golangci-lint for WASM
+        run: |
+          GOOS=js GOARCH=wasm golangci-lint run --timeout=12m --out-format colored-line-number ./client/...
+        continue-on-error: true
+
+  js_build:
+    name: "JS / Build"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+      - name: Build Wasm client
+        run: GOOS=js GOARCH=wasm go build -o netbird.wasm ./client/wasm/cmd
+        env:
+          CGO_ENABLED: 0
+      - name: Check Wasm build size
+        run: |
+          echo "Wasm build size:"
+          ls -lh netbird.wasm
+
+          SIZE=$(stat -c%s netbird.wasm)
+          SIZE_MB=$((SIZE / 1024 / 1024))
+
+          echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"
+
+          if [ ${SIZE} -gt 52428800 ]; then
+            echo "Wasm binary size (${SIZE_MB}MB) exceeds 50MB limit!"
+            exit 1
+          fi
+

.goreleaser.yaml

@@ -2,6 +2,18 @@ version: 2
 
 project_name: netbird
 builds:
+  - id: netbird-wasm
+    dir: client/wasm/cmd
+    binary: netbird
+    env: [GOOS=js, GOARCH=wasm, CGO_ENABLED=0]
+    goos:
+      - js
+    goarch:
+      - wasm
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
   - id: netbird
     dir: client
     binary: netbird
@@ -115,6 +127,11 @@ archives:
   - builds:
       - netbird
       - netbird-static
+  - id: netbird-wasm
+    builds:
+      - netbird-wasm
+    name_template: "{{ .ProjectName }}_{{ .Version }}"
+    format: binary
 
 nfpms:
   - maintainer: Netbird <dev@netbird.io>

client/android/client.go

@@ -112,7 +112,7 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
+	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder, "")
 	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener)
 }
 
@@ -138,7 +138,7 @@ func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
+	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder, "")
 	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener)
 }
 

client/cmd/debug.go

@@ -308,7 +308,7 @@ func getStatusOutput(cmd *cobra.Command, anon bool) string {
 		cmd.PrintErrf("Failed to get status: %v\n", err)
 	} else {
 		statusOutputString = nbstatus.ParseToFullDetailSummary(
-			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", ""),
+			nbstatus.ConvertToStatusOutputOverview(statusResp.GetFullStatus(), anon, statusResp.GetDaemonVersion(), "", nil, nil, nil, "", ""),
 		)
 	}
 	return statusOutputString

client/cmd/debug_js.go

@@ -0,0 +1,8 @@
+package cmd
+
+import "context"
+
+// SetupDebugHandler is a no-op for WASM
+func SetupDebugHandler(context.Context, interface{}, interface{}, interface{}, string) {
+	// Debug handler not needed for WASM
+}

client/cmd/root.go

@@ -39,7 +39,6 @@ const (
 	extraIFaceBlackListFlag  = "extra-iface-blacklist"
 	dnsRouteIntervalFlag     = "dns-router-interval"
 	enableLazyConnectionFlag = "enable-lazy-connection"
-	mtuFlag                  = "mtu"
 )
 
 var (
@@ -73,7 +72,6 @@ var (
 	anonymizeFlag           bool
 	dnsRouteInterval        time.Duration
 	lazyConnEnabled         bool
-	mtu                     uint16
 	profilesDisabled        bool
 	updateSettingsDisabled  bool
 

client/cmd/root_test.go

@@ -54,7 +54,6 @@ func TestSetFlagsFromEnvVars(t *testing.T) {
 	cmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "WireGuard interface name")
 	cmd.PersistentFlags().BoolVar(&rosenpassEnabled, enableRosenpassFlag, false, "Enable Rosenpass feature Rosenpass.")
 	cmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "WireGuard interface listening port")
-	cmd.PersistentFlags().Uint16Var(&mtu, mtuFlag, iface.DefaultMTU, "Set MTU (Maximum Transmission Unit) for the WireGuard interface")
 
 	t.Setenv("NB_EXTERNAL_IP_MAP", "abc,dec")
 	t.Setenv("NB_INTERFACE_NAME", "test-name")

client/cmd/status.go

@@ -99,7 +99,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		profName = activeProf.Name
 	}
 
-	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp, anonymizeFlag, statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap, connectionTypeFilter, profName)
+	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), anonymizeFlag, resp.GetDaemonVersion(), statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap, connectionTypeFilter, profName)
 	var statusOutputString string
 	switch {
 	case detailFlag:

client/cmd/testutil_test.go

@@ -10,10 +10,15 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/otel"
 
+	"github.com/netbirdio/management-integrations/integrations"
+
+	clientProto "github.com/netbirdio/netbird/client/proto"
+	client "github.com/netbirdio/netbird/client/server"
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
+	"github.com/netbirdio/netbird/management/server/peers/ephemeral/manager"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -86,6 +91,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	t.Cleanup(cleanUp)
 
 	peersUpdateManager := mgmt.NewPeersUpdateManager(nil)
+	jobManager := mgmt.NewJobManager(nil, store)
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
 		return nil, nil
@@ -106,13 +112,13 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		Return(&types.Settings{}, nil).
 		AnyTimes()
 
-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, jobManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		t.Fatal(err)
 	}
 
 	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, &mgmt.MockIntegratedValidator{})
+	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, jobManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &mgmt.MockIntegratedValidator{})
 	if err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -63,7 +63,6 @@ func init() {
 	upCmd.PersistentFlags().BoolVarP(&foregroundMode, "foreground-mode", "F", false, "start service in foreground")
 	upCmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "WireGuard interface name")
 	upCmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "WireGuard interface listening port")
-	upCmd.PersistentFlags().Uint16Var(&mtu, mtuFlag, iface.DefaultMTU, "Set MTU (Maximum Transmission Unit) for the WireGuard interface")
 	upCmd.PersistentFlags().BoolVarP(&networkMonitor, networkMonitorFlag, "N", networkMonitor,
 		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux and FreeBSD. `+
 			`E.g. --network-monitor=false to disable or --network-monitor=true to enable.`,
@@ -197,7 +196,8 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr
 	r := peer.NewRecorder(config.ManagementURL.String())
 	r.GetFullStatus()
 
-	connectClient := internal.NewConnectClient(ctx, config, r)
+	//todo: do we need to pass logFile here ?
+	connectClient := internal.NewConnectClient(ctx, config, r, "")
 	SetupDebugHandler(ctx, config, r, connectClient, "")
 
 	return connectClient.Run(nil)
@@ -358,11 +358,6 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 		req.WireguardPort = &p
 	}
 
-	if cmd.Flag(mtuFlag).Changed {
-		m := int64(mtu)
-		req.Mtu = &m
-	}
-
 	if cmd.Flag(networkMonitorFlag).Changed {
 		req.NetworkMonitor = &networkMonitor
 	}
@@ -442,13 +437,6 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.WireguardPort = &p
 	}
 
-	if cmd.Flag(mtuFlag).Changed {
-		if err := iface.ValidateMTU(mtu); err != nil {
-			return nil, err
-		}
-		ic.MTU = &mtu
-	}
-
 	if cmd.Flag(networkMonitorFlag).Changed {
 		ic.NetworkMonitor = &networkMonitor
 	}
@@ -546,14 +534,6 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.WireguardPort = &wp
 	}
 
-	if cmd.Flag(mtuFlag).Changed {
-		if err := iface.ValidateMTU(mtu); err != nil {
-			return nil, err
-		}
-		m := int64(mtu)
-		loginRequest.Mtu = &m
-	}
-
 	if cmd.Flag(networkMonitorFlag).Changed {
 		loginRequest.NetworkMonitor = &networkMonitor
 	}

client/embed/embed.go

@@ -23,23 +23,29 @@ import (
 
 var ErrClientAlreadyStarted = errors.New("client already started")
 var ErrClientNotStarted = errors.New("client not started")
+var ErrConfigNotInitialized = errors.New("config not initialized")
 
-// Client manages a netbird embedded client instance
+// Client manages a netbird embedded client instance.
 type Client struct {
 	deviceName string
 	config     *profilemanager.Config
 	mu         sync.Mutex
 	cancel     context.CancelFunc
 	setupKey   string
+	jwtToken   string
 	connect    *internal.ConnectClient
 }
 
-// Options configures a new Client
+// Options configures a new Client.
 type Options struct {
 	// DeviceName is this peer's name in the network
 	DeviceName string
 	// SetupKey is used for authentication
 	SetupKey string
+	// JWTToken is used for JWT-based authentication
+	JWTToken string
+	// PrivateKey is used for direct private key authentication
+	PrivateKey string
 	// ManagementURL overrides the default management server URL
 	ManagementURL string
 	// PreSharedKey is the pre-shared key for the WireGuard interface
@@ -58,8 +64,35 @@ type Options struct {
 	DisableClientRoutes bool
 }
 
-// New creates a new netbird embedded client
+// validateCredentials checks that exactly one credential type is provided
+func (opts *Options) validateCredentials() error {
+	credentialsProvided := 0
+	if opts.SetupKey != "" {
+		credentialsProvided++
+	}
+	if opts.JWTToken != "" {
+		credentialsProvided++
+	}
+	if opts.PrivateKey != "" {
+		credentialsProvided++
+	}
+
+	if credentialsProvided == 0 {
+		return fmt.Errorf("one of SetupKey, JWTToken, or PrivateKey must be provided")
+	}
+	if credentialsProvided > 1 {
+		return fmt.Errorf("only one of SetupKey, JWTToken, or PrivateKey can be specified")
+	}
+
+	return nil
+}
+
+// New creates a new netbird embedded client.
 func New(opts Options) (*Client, error) {
+	if err := opts.validateCredentials(); err != nil {
+		return nil, err
+	}
+
 	if opts.LogOutput != nil {
 		logrus.SetOutput(opts.LogOutput)
 	}
@@ -107,9 +140,14 @@ func New(opts Options) (*Client, error) {
 		return nil, fmt.Errorf("create config: %w", err)
 	}
 
+	if opts.PrivateKey != "" {
+		config.PrivateKey = opts.PrivateKey
+	}
+
 	return &Client{
 		deviceName: opts.DeviceName,
 		setupKey:   opts.SetupKey,
+		jwtToken:   opts.JWTToken,
 		config:     config,
 	}, nil
 }
@@ -126,12 +164,14 @@ func (c *Client) Start(startCtx context.Context) error {
 	ctx := internal.CtxInitState(context.Background())
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, system.DeviceNameCtxKey, c.deviceName)
-	if err := internal.Login(ctx, c.config, c.setupKey, ""); err != nil {
+	if err := internal.Login(ctx, c.config, c.setupKey, c.jwtToken); err != nil {
 		return fmt.Errorf("login: %w", err)
 	}
 
 	recorder := peer.NewRecorder(c.config.ManagementURL.String())
-	client := internal.NewConnectClient(ctx, c.config, recorder)
+
+	//todo: do we need to pass logFile here ?
+	client := internal.NewConnectClient(ctx, c.config, recorder, "")
 
 	// either startup error (permanent backoff err) or nil err (successful engine up)
 	// TODO: make after-startup backoff err available
@@ -187,6 +227,16 @@ func (c *Client) Stop(ctx context.Context) error {
 	}
 }
 
+// GetConfig returns a copy of the internal client config.
+func (c *Client) GetConfig() (profilemanager.Config, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.config == nil {
+		return profilemanager.Config{}, ErrConfigNotInitialized
+	}
+	return *c.config, nil
+}
+
 // Dial dials a network address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, error) {
@@ -211,7 +261,7 @@ func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, e
 	return nsnet.DialContext(ctx, network, address)
 }
 
-// ListenTCP listens on the given address in the netbird network
+// ListenTCP listens on the given address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	nsnet, addr, err := c.getNet()
@@ -232,7 +282,7 @@ func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	return nsnet.ListenTCP(tcpAddr)
 }
 
-// ListenUDP listens on the given address in the netbird network
+// ListenUDP listens on the given address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenUDP(address string) (net.PacketConn, error) {
 	nsnet, addr, err := c.getNet()

client/iface/bind/error.go

@@ -0,0 +1,7 @@
+package bind
+
+import "fmt"
+
+var (
+	ErrUDPMUXNotSupported = fmt.Errorf("UDPMUX is not supported in WASM")
+)

client/iface/bind/ice_bind.go

@@ -1,6 +1,9 @@
+//go:build !js
+
 package bind
 
 import (
+	"context"
 	"encoding/binary"
 	"fmt"
 	"net"
@@ -15,15 +18,11 @@ import (
 	"golang.org/x/net/ipv6"
 	wgConn "golang.zx2c4.com/wireguard/conn"
 
+	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nbnet "github.com/netbirdio/netbird/util/net"
+	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
-type RecvMessage struct {
-	Endpoint *Endpoint
-	Buffer   []byte
-}
-
 type receiverCreator struct {
 	iceBind *ICEBind
 }
@@ -41,37 +40,38 @@ func (rc receiverCreator) CreateIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UD
 // use the port because in the Send function the wgConn.Endpoint the port info is not exported.
 type ICEBind struct {
 	*wgConn.StdNetBind
-	RecvChan chan RecvMessage
 
 	transportNet transport.Net
-	filterFn     FilterFn
+	filterFn     udpmux.FilterFn
-	endpoints    map[netip.Addr]net.Conn
+	address      wgaddr.Address
-	endpointsMu  sync.Mutex
+	mtu          uint16
+
+	endpoints   map[netip.Addr]net.Conn
+	endpointsMu sync.Mutex
+	recvChan    chan recvMessage
 	// every time when Close() is called (i.e. BindUpdate()) we need to close exit from the receiveRelayed and create a
 	// new closed channel. With the closedChanMu we can safely close the channel and create a new one
-	closedChan   chan struct{}
+	closedChan       chan struct{}
-	closedChanMu sync.RWMutex // protect the closeChan recreation from reading from it.
+	closedChanMu     sync.RWMutex // protect the closeChan recreation from reading from it.
-	closed       bool
+	closed           bool
-
-	muUDPMux         sync.Mutex
-	udpMux           *UniversalUDPMuxDefault
-	address          wgaddr.Address
-	mtu              uint16
 	activityRecorder *ActivityRecorder
+
+	muUDPMux sync.Mutex
+	udpMux   *udpmux.UniversalUDPMuxDefault
 }
 
-func NewICEBind(transportNet transport.Net, filterFn FilterFn, address wgaddr.Address, mtu uint16) *ICEBind {
+func NewICEBind(transportNet transport.Net, filterFn udpmux.FilterFn, address wgaddr.Address, mtu uint16) *ICEBind {
 	b, _ := wgConn.NewStdNetBind().(*wgConn.StdNetBind)
 	ib := &ICEBind{
 		StdNetBind:       b,
-		RecvChan:         make(chan RecvMessage, 1),
 		transportNet:     transportNet,
 		filterFn:         filterFn,
+		address:          address,
+		mtu:              mtu,
 		endpoints:        make(map[netip.Addr]net.Conn),
+		recvChan:         make(chan recvMessage, 1),
 		closedChan:       make(chan struct{}),
 		closed:           true,
-		mtu:              mtu,
-		address:          address,
 		activityRecorder: NewActivityRecorder(),
 	}
 
@@ -82,10 +82,6 @@ func NewICEBind(transportNet transport.Net, filterFn FilterFn, address wgaddr.Ad
 	return ib
 }
 
-func (s *ICEBind) MTU() uint16 {
-	return s.mtu
-}
-
 func (s *ICEBind) Open(uport uint16) ([]wgConn.ReceiveFunc, uint16, error) {
 	s.closed = false
 	s.closedChanMu.Lock()
@@ -115,7 +111,7 @@ func (s *ICEBind) ActivityRecorder() *ActivityRecorder {
 }
 
 // GetICEMux returns the ICE UDPMux that was created and used by ICEBind
-func (s *ICEBind) GetICEMux() (*UniversalUDPMuxDefault, error) {
+func (s *ICEBind) GetICEMux() (*udpmux.UniversalUDPMuxDefault, error) {
 	s.muUDPMux.Lock()
 	defer s.muUDPMux.Unlock()
 	if s.udpMux == nil {
@@ -138,6 +134,16 @@ func (b *ICEBind) RemoveEndpoint(fakeIP netip.Addr) {
 	delete(b.endpoints, fakeIP)
 }
 
+func (b *ICEBind) ReceiveFromEndpoint(ctx context.Context, ep *Endpoint, buf []byte) {
+	select {
+	case <-b.closedChan:
+		return
+	case <-ctx.Done():
+		return
+	case b.recvChan <- recvMessage{ep, buf}:
+	}
+}
+
 func (b *ICEBind) Send(bufs [][]byte, ep wgConn.Endpoint) error {
 	b.endpointsMu.Lock()
 	conn, ok := b.endpoints[ep.DstIP()]
@@ -158,8 +164,8 @@ func (s *ICEBind) createIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, r
 	s.muUDPMux.Lock()
 	defer s.muUDPMux.Unlock()
 
-	s.udpMux = NewUniversalUDPMuxDefault(
+	s.udpMux = udpmux.NewUniversalUDPMuxDefault(
-		UniversalUDPMuxParams{
+		udpmux.UniversalUDPMuxParams{
 			UDPConn:   nbnet.WrapPacketConn(conn),
 			Net:       s.transportNet,
 			FilterFn:  s.filterFn,
@@ -270,7 +276,7 @@ func (c *ICEBind) receiveRelayed(buffs [][]byte, sizes []int, eps []wgConn.Endpo
 	select {
 	case <-c.closedChan:
 		return 0, net.ErrClosed
-	case msg, ok := <-c.RecvChan:
+	case msg, ok := <-c.recvChan:
 		if !ok {
 			return 0, net.ErrClosed
 		}

client/iface/bind/recv_msg.go

@@ -0,0 +1,6 @@
+package bind
+
+type recvMessage struct {
+	Endpoint *Endpoint
+	Buffer   []byte
+}

client/iface/bind/relay_bind.go

@@ -0,0 +1,125 @@
+package bind
+
+import (
+	"context"
+	"net"
+	"net/netip"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/conn"
+
+	"github.com/netbirdio/netbird/client/iface/udpmux"
+)
+
+// RelayBindJS is a conn.Bind implementation for WebAssembly environments.
+// Do not limit to build only js, because we want to be able to run tests
+type RelayBindJS struct {
+	*conn.StdNetBind
+
+	recvChan         chan recvMessage
+	endpoints        map[netip.Addr]net.Conn
+	endpointsMu      sync.Mutex
+	activityRecorder *ActivityRecorder
+	ctx              context.Context
+	cancel           context.CancelFunc
+}
+
+func NewRelayBindJS() *RelayBindJS {
+	return &RelayBindJS{
+		recvChan:         make(chan recvMessage, 100),
+		endpoints:        make(map[netip.Addr]net.Conn),
+		activityRecorder: NewActivityRecorder(),
+	}
+}
+
+// Open creates a receive function for handling relay packets in WASM.
+func (s *RelayBindJS) Open(uport uint16) ([]conn.ReceiveFunc, uint16, error) {
+	log.Debugf("Open: creating receive function for port %d", uport)
+
+	s.ctx, s.cancel = context.WithCancel(context.Background())
+
+	receiveFn := func(bufs [][]byte, sizes []int, eps []conn.Endpoint) (int, error) {
+		select {
+		case <-s.ctx.Done():
+			return 0, net.ErrClosed
+		case msg, ok := <-s.recvChan:
+			if !ok {
+				return 0, net.ErrClosed
+			}
+			copy(bufs[0], msg.Buffer)
+			sizes[0] = len(msg.Buffer)
+			eps[0] = conn.Endpoint(msg.Endpoint)
+			return 1, nil
+		}
+	}
+
+	log.Debugf("Open: receive function created, returning port %d", uport)
+	return []conn.ReceiveFunc{receiveFn}, uport, nil
+}
+
+func (s *RelayBindJS) Close() error {
+	if s.cancel == nil {
+		return nil
+	}
+	log.Debugf("close RelayBindJS")
+	s.cancel()
+	return nil
+}
+
+func (s *RelayBindJS) ReceiveFromEndpoint(ctx context.Context, ep *Endpoint, buf []byte) {
+	select {
+	case <-s.ctx.Done():
+		return
+	case <-ctx.Done():
+		return
+	case s.recvChan <- recvMessage{ep, buf}:
+	}
+}
+
+// Send forwards packets through the relay connection for WASM.
+func (s *RelayBindJS) Send(bufs [][]byte, ep conn.Endpoint) error {
+	if ep == nil {
+		return nil
+	}
+
+	fakeIP := ep.DstIP()
+
+	s.endpointsMu.Lock()
+	relayConn, ok := s.endpoints[fakeIP]
+	s.endpointsMu.Unlock()
+
+	if !ok {
+		return nil
+	}
+
+	for _, buf := range bufs {
+		if _, err := relayConn.Write(buf); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (b *RelayBindJS) SetEndpoint(fakeIP netip.Addr, conn net.Conn) {
+	b.endpointsMu.Lock()
+	b.endpoints[fakeIP] = conn
+	b.endpointsMu.Unlock()
+}
+
+func (s *RelayBindJS) RemoveEndpoint(fakeIP netip.Addr) {
+	s.endpointsMu.Lock()
+	defer s.endpointsMu.Unlock()
+
+	delete(s.endpoints, fakeIP)
+}
+
+// GetICEMux returns the ICE UDPMux that was created and used by ICEBind
+func (s *RelayBindJS) GetICEMux() (*udpmux.UniversalUDPMuxDefault, error) {
+	return nil, ErrUDPMUXNotSupported
+}
+
+func (s *RelayBindJS) ActivityRecorder() *ActivityRecorder {
+	return s.activityRecorder
+}

client/iface/bind/udp_mux.go

@@ -8,9 +8,9 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
 	"github.com/pion/logging"
-	"github.com/pion/stun/v3"
+	"github.com/pion/stun/v2"
 	"github.com/pion/transport/v3"
 	"github.com/pion/transport/v3/stdnet"
 	log "github.com/sirupsen/logrus"

client/iface/bind/udp_mux_ios.go

@@ -4,4 +4,4 @@ package bind
 
 func (m *UDPMuxDefault) notifyAddressRemoval(addr string) {
 	// iOS doesn't support nbnet hooks, so this is a no-op
-}
+}

client/iface/bind/udp_mux_universal.go

@@ -15,10 +15,9 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/pion/logging"
-	"github.com/pion/stun/v3"
+	"github.com/pion/stun/v2"
 	"github.com/pion/transport/v3"
 
-	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -45,7 +44,6 @@ type UniversalUDPMuxParams struct {
 	Net                   transport.Net
 	FilterFn              FilterFn
 	WGAddress             wgaddr.Address
-	MTU                   uint16
 }
 
 // NewUniversalUDPMuxDefault creates an implementation of UniversalUDPMux embedding UDPMux
@@ -86,7 +84,7 @@ func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDef
 // just ignore other packets printing an warning message.
 // It is a blocking method, consider running in a go routine.
 func (m *UniversalUDPMuxDefault) ReadFromConn(ctx context.Context) {
-	buf := make([]byte, m.params.MTU+bufsize.WGBufferOverhead)
+	buf := make([]byte, 1500)
 	for {
 		select {
 		case <-ctx.Done():

client/iface/bufsize/bufsize.go

@@ -1,9 +0,0 @@
-package bufsize
-
-const (
-	// WGBufferOverhead represents the additional buffer space needed beyond MTU
-	// for WireGuard packet encapsulation (WG header + UDP + IP + safety margin)
-	// Original hardcoded buffers were 1500, default MTU is 1280, so overhead = 220
-	// TODO: Calculate this properly based on actual protocol overhead instead of using hardcoded difference
-	WGBufferOverhead = 220
-)

client/iface/configurer/name.go

@@ -1,4 +1,4 @@
-//go:build linux || windows || freebsd
+//go:build linux || windows || freebsd || js || wasip1
 
 package configurer
 

client/iface/configurer/uapi.go

@@ -1,4 +1,4 @@
-//go:build !windows
+//go:build !windows && !js
 
 package configurer
 

client/iface/configurer/uapi_js.go

@@ -0,0 +1,23 @@
+package configurer
+
+import (
+	"net"
+)
+
+type noopListener struct{}
+
+func (n *noopListener) Accept() (net.Conn, error) {
+	return nil, net.ErrClosed
+}
+
+func (n *noopListener) Close() error {
+	return nil
+}
+
+func (n *noopListener) Addr() net.Addr {
+	return nil
+}
+
+func openUAPI(deviceName string) (net.Listener, error) {
+	return &noopListener{}, nil
+}

client/iface/device.go

@@ -17,7 +17,6 @@ type WGTunDevice interface {
 	Up() (*bind.UniversalUDPMuxDefault, error)
 	UpdateAddr(address wgaddr.Address) error
 	WgAddress() wgaddr.Address
-	MTU() uint16
 	DeviceName() string
 	Close() error
 	FilteredDevice() *device.FilteredDevice

client/iface/device/device_android.go

@@ -21,7 +21,7 @@ type WGTunDevice struct {
 	address    wgaddr.Address
 	port       int
 	key        string
-	mtu        uint16
+	mtu        int
 	iceBind    *bind.ICEBind
 	tunAdapter TunAdapter
 	disableDNS bool
@@ -33,7 +33,7 @@ type WGTunDevice struct {
 	configurer     WGConfigurer
 }
 
-func NewTunDevice(address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
+func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
 	return &WGTunDevice{
 		address:    address,
 		port:       port,
@@ -58,7 +58,7 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 		searchDomainsToString = ""
 	}
 
-	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), int(t.mtu), dns, searchDomainsToString, routesString)
+	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), t.mtu, dns, searchDomainsToString, routesString)
 	if err != nil {
 		log.Errorf("failed to create Android interface: %s", err)
 		return nil, err
@@ -137,10 +137,6 @@ func (t *WGTunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *WGTunDevice) MTU() uint16 {
-	return t.mtu
-}
-
 func (t *WGTunDevice) FilteredDevice() *FilteredDevice {
 	return t.filteredDevice
 }

client/iface/device/device_darwin.go

@@ -21,7 +21,7 @@ type TunDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
-	mtu     uint16
+	mtu     int
 	iceBind *bind.ICEBind
 
 	device         *device.Device
@@ -30,7 +30,7 @@ type TunDevice struct {
 	configurer     WGConfigurer
 }
 
-func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind) *TunDevice {
 	return &TunDevice{
 		name:    name,
 		address: address,
@@ -42,7 +42,7 @@ func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu
 }
 
 func (t *TunDevice) Create() (WGConfigurer, error) {
-	tunDevice, err := tun.CreateTUN(t.name, int(t.mtu))
+	tunDevice, err := tun.CreateTUN(t.name, t.mtu)
 	if err != nil {
 		return nil, fmt.Errorf("error creating tun device: %s", err)
 	}
@@ -111,10 +111,6 @@ func (t *TunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *TunDevice) MTU() uint16 {
-	return t.mtu
-}
-
 func (t *TunDevice) DeviceName() string {
 	return t.name
 }

client/iface/device/device_ios.go

@@ -22,7 +22,6 @@ type TunDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
-	mtu     uint16
 	iceBind *bind.ICEBind
 	tunFd   int
 
@@ -32,13 +31,12 @@ type TunDevice struct {
 	configurer     WGConfigurer
 }
 
-func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, tunFd int) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, iceBind *bind.ICEBind, tunFd int) *TunDevice {
 	return &TunDevice{
 		name:    name,
 		address: address,
 		port:    port,
 		key:     key,
-		mtu:     mtu,
 		iceBind: iceBind,
 		tunFd:   tunFd,
 	}
@@ -127,10 +125,6 @@ func (t *TunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *TunDevice) MTU() uint16 {
-	return t.mtu
-}
-
 func (t *TunDevice) UpdateAddr(_ wgaddr.Address) error {
 	// todo implement
 	return nil

client/iface/device/device_kernel_unix.go

@@ -24,7 +24,7 @@ type TunKernelDevice struct {
 	address      wgaddr.Address
 	wgPort       int
 	key          string
-	mtu          uint16
+	mtu          int
 	ctx          context.Context
 	ctxCancel    context.CancelFunc
 	transportNet transport.Net
@@ -36,7 +36,7 @@ type TunKernelDevice struct {
 	filterFn bind.FilterFn
 }
 
-func NewKernelDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, transportNet transport.Net) *TunKernelDevice {
+func NewKernelDevice(name string, address wgaddr.Address, wgPort int, key string, mtu int, transportNet transport.Net) *TunKernelDevice {
 	ctx, cancel := context.WithCancel(context.Background())
 	return &TunKernelDevice{
 		ctx:          ctx,
@@ -66,7 +66,7 @@ func (t *TunKernelDevice) Create() (WGConfigurer, error) {
 	// TODO: do a MTU discovery
 	log.Debugf("setting MTU: %d interface: %s", t.mtu, t.name)
 
-	if err := link.setMTU(int(t.mtu)); err != nil {
+	if err := link.setMTU(t.mtu); err != nil {
 		return nil, fmt.Errorf("set mtu: %w", err)
 	}
 
@@ -96,7 +96,7 @@ func (t *TunKernelDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 		return nil, err
 	}
 
-	rawSock, err := sharedsock.Listen(t.wgPort, sharedsock.NewIncomingSTUNFilter(), t.mtu)
+	rawSock, err := sharedsock.Listen(t.wgPort, sharedsock.NewIncomingSTUNFilter())
 	if err != nil {
 		return nil, err
 	}
@@ -111,7 +111,6 @@ func (t *TunKernelDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 		Net:       t.transportNet,
 		FilterFn:  t.filterFn,
 		WGAddress: t.address,
-		MTU:       t.mtu,
 	}
 	mux := bind.NewUniversalUDPMuxDefault(bindParams)
 	go mux.ReadFromConn(t.ctx)
@@ -159,10 +158,6 @@ func (t *TunKernelDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *TunKernelDevice) MTU() uint16 {
-	return t.mtu
-}
-
 func (t *TunKernelDevice) DeviceName() string {
 	return t.name
 }

client/iface/device/device_netstack.go

@@ -1,9 +1,14 @@
+//go:build !android
+// +build !android
+
 package device
 
 import (
+	"errors"
 	"fmt"
 
 	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
@@ -14,14 +19,20 @@ import (
 	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
+type Bind interface {
+	conn.Bind
+	GetICEMux() (*udpmux.UniversalUDPMuxDefault, error)
+	ActivityRecorder() *bind.ActivityRecorder
+}
+
 type TunNetstackDevice struct {
 	name          string
 	address       wgaddr.Address
 	port          int
 	key           string
-	mtu           uint16
+	mtu           int
 	listenAddress string
-	iceBind       *bind.ICEBind
+	bind          Bind
 
 	device         *device.Device
 	filteredDevice *FilteredDevice
@@ -32,7 +43,7 @@ type TunNetstackDevice struct {
 	net *netstack.Net
 }
 
-func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, iceBind *bind.ICEBind, listenAddress string) *TunNetstackDevice {
+func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, bind Bind, listenAddress string) *TunNetstackDevice {
 	return &TunNetstackDevice{
 		name:          name,
 		address:       address,
@@ -40,11 +51,11 @@ func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key stri
 		key:           key,
 		mtu:           mtu,
 		listenAddress: listenAddress,
-		iceBind:       iceBind,
+		bind:          bind,
 	}
 }
 
-func (t *TunNetstackDevice) create() (WGConfigurer, error) {
+func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
 	log.Info("create nbnetstack tun interface")
 
 	// TODO: get from service listener runtime IP
@@ -54,7 +65,7 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 	}
 
 	log.Debugf("netstack using address: %s", t.address.IP)
-	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, int(t.mtu))
+	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, t.mtu)
 	log.Debugf("netstack using dns address: %s", dnsAddr)
 	tunIface, net, err := t.nsTun.Create()
 	if err != nil {
@@ -65,11 +76,11 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 
 	t.device = device.NewDevice(
 		t.filteredDevice,
-		t.iceBind,
+		t.bind,
 		device.NewLogger(wgLogLevel(), "[netbird] "),
 	)
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		_ = tunIface.Close()
@@ -90,11 +101,15 @@ func (t *TunNetstackDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 		return nil, err
 	}
 
-	udpMux, err := t.iceBind.GetICEMux()
+	udpMux, err := t.bind.GetICEMux()
-	if err != nil {
+	if err != nil && !errors.Is(err, bind.ErrUDPMUXNotSupported) {
 		return nil, err
 	}
-	t.udpMux = udpMux
+
+	if udpMux != nil {
+		t.udpMux = udpMux
+	}
+
 	log.Debugf("netstack device is ready to use")
 	return udpMux, nil
 }
@@ -122,10 +137,6 @@ func (t *TunNetstackDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *TunNetstackDevice) MTU() uint16 {
-	return t.mtu
-}
-
 func (t *TunNetstackDevice) DeviceName() string {
 	return t.name
 }

client/iface/device/device_netstack_android.go

@@ -1,7 +0,0 @@
-//go:build android
-
-package device
-
-func (t *TunNetstackDevice) Create(routes []string, dns string, searchDomains []string) (WGConfigurer, error) {
-	return t.create()
-}

client/iface/device/device_netstack_generic.go

@@ -1,7 +0,0 @@
-//go:build !android
-
-package device
-
-func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
-	return t.create()
-}

client/iface/device/device_netstack_test.go

@@ -0,0 +1,27 @@
+package device
+
+import (
+	"testing"
+
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+
+	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/netstack"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+)
+
+func TestNewNetstackDevice(t *testing.T) {
+	privateKey, _ := wgtypes.GeneratePrivateKey()
+	wgAddress, _ := wgaddr.ParseWGAddress("1.2.3.4/24")
+
+	relayBind := bind.NewRelayBindJS()
+	nsTun := NewNetstackDevice("wtx", wgAddress, 1234, privateKey.String(), 1500, relayBind, netstack.ListenAddr())
+
+	cfgr, err := nsTun.Create()
+	if err != nil {
+		t.Fatalf("failed to create netstack device: %v", err)
+	}
+	if cfgr == nil {
+		t.Fatal("expected non-nil configurer")
+	}
+}

client/iface/device/device_usp_unix.go

@@ -20,7 +20,7 @@ type USPDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
-	mtu     uint16
+	mtu     int
 	iceBind *bind.ICEBind
 
 	device         *device.Device
@@ -29,7 +29,7 @@ type USPDevice struct {
 	configurer     WGConfigurer
 }
 
-func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *USPDevice {
+func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind) *USPDevice {
 	log.Infof("using userspace bind mode")
 
 	return &USPDevice{
@@ -44,9 +44,9 @@ func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu
 
 func (t *USPDevice) Create() (WGConfigurer, error) {
 	log.Info("create tun interface")
-	tunIface, err := tun.CreateTUN(t.name, int(t.mtu))
+	tunIface, err := tun.CreateTUN(t.name, t.mtu)
 	if err != nil {
-		log.Debugf("failed to create tun interface (%s, %d): %s", t.name, int(t.mtu), err)
+		log.Debugf("failed to create tun interface (%s, %d): %s", t.name, t.mtu, err)
 		return nil, fmt.Errorf("error creating tun device: %s", err)
 	}
 	t.filteredDevice = newDeviceFilter(tunIface)
@@ -118,10 +118,6 @@ func (t *USPDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *USPDevice) MTU() uint16 {
-	return t.mtu
-}
-
 func (t *USPDevice) DeviceName() string {
 	return t.name
 }

client/iface/device/device_windows.go

@@ -23,7 +23,7 @@ type TunDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
-	mtu     uint16
+	mtu     int
 	iceBind *bind.ICEBind
 
 	device          *device.Device
@@ -33,7 +33,7 @@ type TunDevice struct {
 	configurer      WGConfigurer
 }
 
-func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind) *TunDevice {
 	return &TunDevice{
 		name:    name,
 		address: address,
@@ -59,7 +59,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 		return nil, err
 	}
 	log.Info("create tun interface")
-	tunDevice, err := tun.CreateTUNWithRequestedGUID(t.name, &guid, int(t.mtu))
+	tunDevice, err := tun.CreateTUNWithRequestedGUID(t.name, &guid, t.mtu)
 	if err != nil {
 		return nil, fmt.Errorf("error creating tun device: %s", err)
 	}
@@ -144,10 +144,6 @@ func (t *TunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *TunDevice) MTU() uint16 {
-	return t.mtu
-}
-
 func (t *TunDevice) DeviceName() string {
 	return t.name
 }

client/iface/device_android.go

@@ -15,7 +15,6 @@ type WGTunDevice interface {
 	Up() (*bind.UniversalUDPMuxDefault, error)
 	UpdateAddr(address wgaddr.Address) error
 	WgAddress() wgaddr.Address
-	MTU() uint16
 	DeviceName() string
 	Close() error
 	FilteredDevice() *device.FilteredDevice

client/iface/iface.go

@@ -26,8 +26,6 @@ import (
 
 const (
 	DefaultMTU         = 1280
-	MinMTU             = 576
-	MaxMTU             = 8192
 	DefaultWgPort      = 51820
 	WgInterfaceDefault = configurer.WgInterfaceDefault
 )
@@ -37,17 +35,6 @@ var (
 	ErrIfaceNotFound = fmt.Errorf("wireguard interface not found")
 )
 
-// ValidateMTU validates that MTU is within acceptable range
-func ValidateMTU(mtu uint16) error {
-	if mtu < MinMTU {
-		return fmt.Errorf("MTU %d below minimum (%d bytes)", mtu, MinMTU)
-	}
-	if mtu > MaxMTU {
-		return fmt.Errorf("MTU %d exceeds maximum supported size (%d bytes)", mtu, MaxMTU)
-	}
-	return nil
-}
-
 type wgProxyFactory interface {
 	GetProxy() wgproxy.Proxy
 	Free() error
@@ -58,7 +45,7 @@ type WGIFaceOpts struct {
 	Address      string
 	WGPort       int
 	WGPrivKey    string
-	MTU          uint16
+	MTU          int
 	MobileArgs   *device.MobileIFaceArguments
 	TransportNet transport.Net
 	FilterFn     bind.FilterFn
@@ -95,10 +82,6 @@ func (w *WGIface) Address() wgaddr.Address {
 	return w.tun.WgAddress()
 }
 
-func (w *WGIface) MTU() uint16 {
-	return w.tun.MTU()
-}
-
 // ToInterface returns the net.Interface for the Wireguard interface
 func (r *WGIface) ToInterface() *net.Interface {
 	name := r.tun.DeviceName()

client/iface/iface_destroy_js.go

@@ -0,0 +1,6 @@
+package iface
+
+// Destroy is a no-op on WASM
+func (w *WGIface) Destroy() error {
+	return nil
+}

client/iface/iface_new_android.go

@@ -21,7 +21,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		wgIFace := &WGIface{
 			userspaceBind:  true,
 			tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
-			wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
+			wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
 		}
 		return wgIFace, nil
 	}
@@ -29,7 +29,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter, opts.DisableDNS),
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
 	}
 	return wgIFace, nil
 }

client/iface/iface_new_darwin.go

@@ -17,7 +17,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		return nil, err
 	}
 
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
 
 	var tun WGTunDevice
 	if netstack.IsEnabled() {
@@ -29,7 +29,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            tun,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
 	}
 	return wgIFace, nil
 }

client/iface/iface_new_freebsd.go

@@ -0,0 +1,41 @@
+//go:build freebsd
+
+package iface
+
+import (
+	"fmt"
+
+	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/netstack"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	"github.com/netbirdio/netbird/client/iface/wgproxy"
+)
+
+// NewWGIFace Creates a new WireGuard interface instance
+func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
+	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
+	if err != nil {
+		return nil, err
+	}
+
+	wgIFace := &WGIface{}
+
+	if netstack.IsEnabled() {
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
+		wgIFace.userspaceBind = true
+		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
+		return wgIFace, nil
+	}
+
+	if device.ModuleTunIsLoaded() {
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
+		wgIFace.userspaceBind = true
+		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
+		return wgIFace, nil
+	}
+
+	return nil, fmt.Errorf("couldn't check or load tun module")
+}

client/iface/iface_new_ios.go

@@ -16,12 +16,12 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		return nil, err
 	}
 
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
 
 	wgIFace := &WGIface{
-		tun:            device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunFd),
+		tun:            device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, iceBind, opts.MobileArgs.TunFd),
 		userspaceBind:  true,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
 	}
 	return wgIFace, nil
 }

client/iface/iface_new_js.go

@@ -0,0 +1,27 @@
+package iface
+
+import (
+	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/netstack"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	"github.com/netbirdio/netbird/client/iface/wgproxy"
+)
+
+// NewWGIFace creates a new WireGuard interface for WASM (always uses netstack mode)
+func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
+	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
+	if err != nil {
+		return nil, err
+	}
+
+	relayBind := bind.NewRelayBindJS()
+
+	wgIface := &WGIface{
+		tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, relayBind, netstack.ListenAddr()),
+		userspaceBind:  true,
+		wgProxyFactory: wgproxy.NewUSPFactory(relayBind, opts.MTU),
+	}
+
+	return wgIface, nil
+}

client/iface/iface_new_unix.go

@@ -22,23 +22,23 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{}
 
 	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
 		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
 		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
+		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
 		return wgIFace, nil
 	}
 
 	if device.WireGuardModuleIsLoaded() {
 		wgIFace.tun = device.NewKernelDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, opts.TransportNet)
-		wgIFace.wgProxyFactory = wgproxy.NewKernelFactory(opts.WGPort, opts.MTU)
+		wgIFace.wgProxyFactory = wgproxy.NewKernelFactory(opts.WGPort)
 		return wgIFace, nil
 	}
 	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
 		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
 		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
+		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
 		return wgIFace, nil
 	}
 

client/iface/iface_new_windows.go

@@ -14,7 +14,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	if err != nil {
 		return nil, err
 	}
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
 
 	var tun WGTunDevice
 	if netstack.IsEnabled() {
@@ -26,7 +26,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            tun,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
 	}
 	return wgIFace, nil
 

client/iface/netstack/env.go

@@ -1,3 +1,5 @@
+//go:build !js
+
 package netstack
 
 import (

client/iface/netstack/env_js.go

@@ -0,0 +1,12 @@
+package netstack
+
+const EnvUseNetstackMode = "NB_USE_NETSTACK_MODE"
+
+// IsEnabled always returns true for js since it's the only mode available
+func IsEnabled() bool {
+	return true
+}
+
+func ListenAddr() string {
+	return ""
+}

client/iface/wgproxy/bind/proxy.go

@@ -12,32 +12,41 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )
 
-type ProxyBind struct {
+type Bind interface {
-	Bind *bind.ICEBind
+	SetEndpoint(addr netip.Addr, conn net.Conn)
+	RemoveEndpoint(addr netip.Addr)
+	ReceiveFromEndpoint(ctx context.Context, ep *bind.Endpoint, buf []byte)
+}
 
-	fakeNetIP      *netip.AddrPort
+type ProxyBind struct {
-	wgBindEndpoint *bind.Endpoint
+	bind Bind
-	remoteConn     net.Conn
+
-	ctx            context.Context
+	// wgRelayedEndpoint is a fake address that generated by the Bind.SetEndpoint based on the remote NetBird peer address
-	cancel         context.CancelFunc
+	wgRelayedEndpoint *bind.Endpoint
-	closeMu        sync.Mutex
+	wgCurrentUsed     *bind.Endpoint
-	closed         bool
+	remoteConn        net.Conn
+	ctx               context.Context
+	cancel            context.CancelFunc
+	closeMu           sync.Mutex
+	closed            bool
 
 	pausedMu  sync.Mutex
 	paused    bool
 	isStarted bool
 
 	closeListener *listener.CloseListener
+	mtu           uint16
 }
 
-func NewProxyBind(bind *bind.ICEBind) *ProxyBind {
+func NewProxyBind(bind Bind, mtu uint16) *ProxyBind {
 	p := &ProxyBind{
 		Bind:          bind,
 		closeListener: listener.NewCloseListener(),
+		pausedCond:    sync.NewCond(&sync.Mutex{}),
+		mtu:           mtu + bufsize.WGBufferOverhead,
 	}
 
 	return p
@@ -136,7 +145,7 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 	}()
 
 	for {
-		buf := make([]byte, p.Bind.MTU()+bufsize.WGBufferOverhead)
+		buf := make([]byte, p.mtu)
 		n, err := p.remoteConn.Read(buf)
 		if err != nil {
 			if ctx.Err() != nil {
@@ -153,12 +162,8 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 			continue
 		}
 
-		msg := bind.RecvMessage{
+		p.bind.ReceiveFromEndpoint(ctx, p.wgCurrentUsed, buf[:n])
-			Endpoint: p.wgBindEndpoint,
+		p.pausedCond.L.Unlock()
-			Buffer:   buf[:n],
-		}
-		p.Bind.RecvChan <- msg
-		p.pausedMu.Unlock()
 	}
 }
 

client/iface/wgproxy/ebpf/proxy.go

@@ -17,7 +17,6 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
-	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/internal/ebpf"
 	ebpfMgr "github.com/netbirdio/netbird/client/internal/ebpf/manager"
 	nbnet "github.com/netbirdio/netbird/util/net"
@@ -30,7 +29,6 @@ const (
 // WGEBPFProxy definition for proxy with EBPF support
 type WGEBPFProxy struct {
 	localWGListenPort int
-	mtu               uint16
 
 	ebpfManager   ebpfMgr.Manager
 	turnConnStore map[uint16]net.Conn
@@ -45,11 +43,10 @@ type WGEBPFProxy struct {
 }
 
 // NewWGEBPFProxy create new WGEBPFProxy instance
-func NewWGEBPFProxy(wgPort int, mtu uint16) *WGEBPFProxy {
+func NewWGEBPFProxy(wgPort int) *WGEBPFProxy {
 	log.Debugf("instantiate ebpf proxy")
 	wgProxy := &WGEBPFProxy{
 		localWGListenPort: wgPort,
-		mtu:               mtu,
 		ebpfManager:       ebpf.GetEbpfManagerInstance(),
 		turnConnStore:     make(map[uint16]net.Conn),
 	}
@@ -141,7 +138,7 @@ func (p *WGEBPFProxy) Free() error {
 // proxyToRemote read messages from local WireGuard interface and forward it to remote conn
 // From this go routine has only one instance.
 func (p *WGEBPFProxy) proxyToRemote() {
-	buf := make([]byte, p.mtu+bufsize.WGBufferOverhead)
+	buf := make([]byte, 1500)
 	for p.ctx.Err() == nil {
 		if err := p.readAndForwardPacket(buf); err != nil {
 			if p.ctx.Err() != nil {

client/iface/wgproxy/ebpf/proxy_test.go

@@ -7,7 +7,7 @@ import (
 )
 
 func TestWGEBPFProxy_connStore(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(1, 1280)
+	wgProxy := NewWGEBPFProxy(1)
 
 	p, _ := wgProxy.storeTurnConn(nil)
 	if p != 1 {
@@ -27,7 +27,7 @@ func TestWGEBPFProxy_connStore(t *testing.T) {
 }
 
 func TestWGEBPFProxy_portCalculation_overflow(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(1, 1280)
+	wgProxy := NewWGEBPFProxy(1)
 
 	_, _ = wgProxy.storeTurnConn(nil)
 	wgProxy.lastUsedPort = 65535
@@ -43,7 +43,7 @@ func TestWGEBPFProxy_portCalculation_overflow(t *testing.T) {
 }
 
 func TestWGEBPFProxy_portCalculation_maxConn(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(1, 1280)
+	wgProxy := NewWGEBPFProxy(1)
 
 	for i := 0; i < 65535; i++ {
 		_, _ = wgProxy.storeTurnConn(nil)

client/iface/wgproxy/ebpf/wrapper.go

@@ -12,7 +12,6 @@ import (
 
 	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )
 
@@ -104,7 +103,7 @@ func (e *ProxyWrapper) CloseConn() error {
 func (p *ProxyWrapper) proxyToLocal(ctx context.Context) {
 	defer p.WgeBPFProxy.removeTurnConn(uint16(p.wgEndpointAddr.Port))
 
-	buf := make([]byte, p.WgeBPFProxy.mtu+bufsize.WGBufferOverhead)
+	buf := make([]byte, 1500)
 	for {
 		n, err := p.readFromRemote(ctx, buf)
 		if err != nil {

client/iface/wgproxy/factory_kernel.go

@@ -11,18 +11,16 @@ import (
 
 type KernelFactory struct {
 	wgPort int
-	mtu    uint16
 
 	ebpfProxy *ebpf.WGEBPFProxy
 }
 
-func NewKernelFactory(wgPort int, mtu uint16) *KernelFactory {
+func NewKernelFactory(wgPort int) *KernelFactory {
 	f := &KernelFactory{
 		wgPort: wgPort,
-		mtu:    mtu,
 	}
 
-	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, mtu)
+	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort)
 	if err := ebpfProxy.Listen(); err != nil {
 		log.Infof("WireGuard Proxy Factory will produce UDP proxy")
 		log.Warnf("failed to initialize ebpf proxy, fallback to user space proxy: %s", err)
@@ -35,7 +33,7 @@ func NewKernelFactory(wgPort int, mtu uint16) *KernelFactory {
 
 func (w *KernelFactory) GetProxy() Proxy {
 	if w.ebpfProxy == nil {
-		return udpProxy.NewWGUDPProxy(w.wgPort, w.mtu)
+		return udpProxy.NewWGUDPProxy(w.wgPort)
 	}
 
 	return ebpf.NewProxyWrapper(w.ebpfProxy)

client/iface/wgproxy/factory_kernel_freebsd.go

@@ -9,21 +9,19 @@ import (
 // KernelFactory todo: check eBPF support on FreeBSD
 type KernelFactory struct {
 	wgPort int
-	mtu    uint16
 }
 
-func NewKernelFactory(wgPort int, mtu uint16) *KernelFactory {
+func NewKernelFactory(wgPort int) *KernelFactory {
 	log.Infof("WireGuard Proxy Factory will produce UDP proxy")
 	f := &KernelFactory{
 		wgPort: wgPort,
-		mtu:    mtu,
 	}
 
 	return f
 }
 
 func (w *KernelFactory) GetProxy() Proxy {
-	return udpProxy.NewWGUDPProxy(w.wgPort, w.mtu)
+	return udpProxy.NewWGUDPProxy(w.wgPort)
 }
 
 func (w *KernelFactory) Free() error {

client/iface/wgproxy/factory_usp.go

@@ -3,24 +3,25 @@ package wgproxy
 import (
 	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/client/iface/bind"
 	proxyBind "github.com/netbirdio/netbird/client/iface/wgproxy/bind"
 )
 
 type USPFactory struct {
-	bind *bind.ICEBind
+	bind proxyBind.Bind
+	mtu  uint16
 }
 
-func NewUSPFactory(iceBind *bind.ICEBind) *USPFactory {
+func NewUSPFactory(bind proxyBind.Bind, mtu uint16) *USPFactory {
 	log.Infof("WireGuard Proxy Factory will produce bind proxy")
 	f := &USPFactory{
-		bind: iceBind,
+		bind: bind,
+		mtu:  mtu,
 	}
 	return f
 }
 
 func (w *USPFactory) GetProxy() Proxy {
-	return proxyBind.NewProxyBind(w.bind)
+	return proxyBind.NewProxyBind(w.bind, w.mtu)
 }
 
 func (w *USPFactory) Free() error {

client/iface/wgproxy/proxy_linux_test.go

@@ -16,7 +16,7 @@ func TestProxyCloseByRemoteConnEBPF(t *testing.T) {
 	}
 	ctx := context.Background()
 
-	ebpfProxy := ebpf.NewWGEBPFProxy(51831, 1280)
+	ebpfProxy := ebpf.NewWGEBPFProxy(51831)
 	if err := ebpfProxy.Listen(); err != nil {
 		t.Fatalf("failed to initialize ebpf proxy: %s", err)
 	}
@@ -27,30 +27,30 @@ func TestProxyCloseByRemoteConnEBPF(t *testing.T) {
 		}
 	}()
 
-	tests := []struct {
+	pUDP := proxyInstance{
-		name  string
+		name:    "udp kernel proxy",
-		proxy Proxy
+		proxy:   udp.NewWGUDPProxy(51832, 1280),
-	}{
+		wgPort:  51832,
-		{
+		closeFn: func() error { return nil },
-			name: "ebpf proxy",
+	}
-			proxy: &ebpf.ProxyWrapper{
+	pl = append(pl, pUDP)
-				WgeBPFProxy: ebpfProxy,
+	wgAddress, err := wgaddr.ParseWGAddress("10.0.0.1/32")
-			},
+	if err != nil {
-		},
+		return nil, err
+	}
+	iceBind := bind.NewICEBind(nil, nil, wgAddress, 1280)
+	endpointAddress := &net.UDPAddr{
+		IP:   net.IPv4(10, 0, 0, 1),
+		Port: 1234,
 	}
 
-	for _, tt := range tests {
+	pBind := proxyInstance{
-		t.Run(tt.name, func(t *testing.T) {
+		name:         "bind proxy",
-			relayedConn := newMockConn()
+		proxy:        bindproxy.NewProxyBind(iceBind, 0),
-			err := tt.proxy.AddTurnConn(ctx, nil, relayedConn)
+		endpointAddr: endpointAddress,
-			if err != nil {
+		closeFn:      func() error { return nil },
-				t.Errorf("error: %v", err)
-			}
-
-			_ = relayedConn.Close()
-			if err := tt.proxy.CloseConn(); err != nil {
-				t.Errorf("error: %v", err)
-			}
-		})
 	}
+	pl = append(pl, pBind)
+
+	return pl, nil
 }

client/iface/wgproxy/proxy_seed_test.go

@@ -0,0 +1,39 @@
+//go:build !linux
+
+package wgproxy
+
+import (
+	"net"
+
+	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	bindproxy "github.com/netbirdio/netbird/client/iface/wgproxy/bind"
+)
+
+func seedProxies() ([]proxyInstance, error) {
+	// todo extend with Bind proxy
+	pl := make([]proxyInstance, 0)
+	return pl, nil
+}
+
+func seedProxyForProxyCloseByRemoteConn() ([]proxyInstance, error) {
+	pl := make([]proxyInstance, 0)
+	wgAddress, err := wgaddr.ParseWGAddress("10.0.0.1/32")
+	if err != nil {
+		return nil, err
+	}
+	iceBind := bind.NewICEBind(nil, nil, wgAddress, 1280)
+	endpointAddress := &net.UDPAddr{
+		IP:   net.IPv4(10, 0, 0, 1),
+		Port: 1234,
+	}
+
+	pBind := proxyInstance{
+		name:         "bind proxy",
+		proxy:        bindproxy.NewProxyBind(iceBind, 0),
+		endpointAddr: endpointAddress,
+		closeFn:      func() error { return nil },
+	}
+	pl = append(pl, pBind)
+	return pl, nil
+}

client/iface/wgproxy/proxy_test.go

@@ -84,12 +84,12 @@ func TestProxyCloseByRemoteConn(t *testing.T) {
 	}{
 		{
 			name:  "userspace proxy",
-			proxy: udpProxy.NewWGUDPProxy(51830, 1280),
+			proxy: udpProxy.NewWGUDPProxy(51830),
 		},
 	}
 
 	if runtime.GOOS == "linux" && os.Getenv("GITHUB_ACTIONS") != "true" {
-		ebpfProxy := ebpf.NewWGEBPFProxy(51831, 1280)
+		ebpfProxy := ebpf.NewWGEBPFProxy(51831)
 		if err := ebpfProxy.Listen(); err != nil {
 			t.Fatalf("failed to initialize ebpf proxy: %s", err)
 		}

client/iface/wgproxy/udp/proxy.go

@@ -12,14 +12,12 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	cerrors "github.com/netbirdio/netbird/client/errors"
-	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )
 
 // WGUDPProxy proxies
 type WGUDPProxy struct {
 	localWGListenPort int
-	mtu               uint16
 
 	remoteConn net.Conn
 	localConn  net.Conn
@@ -36,11 +34,10 @@ type WGUDPProxy struct {
 }
 
 // NewWGUDPProxy instantiate a UDP based WireGuard proxy. This is not a thread safe implementation
-func NewWGUDPProxy(wgPort int, mtu uint16) *WGUDPProxy {
+func NewWGUDPProxy(wgPort int) *WGUDPProxy {
 	log.Debugf("Initializing new user space proxy with port %d", wgPort)
 	p := &WGUDPProxy{
 		localWGListenPort: wgPort,
-		mtu:               mtu,
 		closeListener:     listener.NewCloseListener(),
 	}
 	return p
@@ -147,7 +144,7 @@ func (p *WGUDPProxy) proxyToRemote(ctx context.Context) {
 		}
 	}()
 
-	buf := make([]byte, p.mtu+bufsize.WGBufferOverhead)
+	buf := make([]byte, 1500)
 	for ctx.Err() == nil {
 		n, err := p.localConn.Read(buf)
 		if err != nil {
@@ -182,7 +179,7 @@ func (p *WGUDPProxy) proxyToLocal(ctx context.Context) {
 		}
 	}()
 
-	buf := make([]byte, p.mtu+bufsize.WGBufferOverhead)
+	buf := make([]byte, 1500)
 	for {
 		n, err := p.remoteConnRead(ctx, buf)
 		if err != nil {

client/internal/auth/device_flow_test.go

@@ -3,17 +3,15 @@ package auth
 import (
 	"context"
 	"fmt"
+	"github.com/golang-jwt/jwt"
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/stretchr/testify/require"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
 	"testing"
 	"time"
-
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal"
 )
 
 type mockHTTPClient struct {

client/internal/connect.go

@@ -18,7 +18,6 @@ import (
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
 
-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
@@ -46,17 +45,19 @@ type ConnectClient struct {
 	engineMutex    sync.Mutex
 
 	persistSyncResponse bool
+	LogFile             string
 }
 
 func NewConnectClient(
 	ctx context.Context,
 	config *profilemanager.Config,
 	statusRecorder *peer.Status,
-
+	logFile string,
 ) *ConnectClient {
 	return &ConnectClient{
 		ctx:            ctx,
 		config:         config,
+		LogFile:        logFile,
 		statusRecorder: statusRecorder,
 		engineMutex:    sync.Mutex{},
 	}
@@ -245,15 +246,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		c.statusRecorder.MarkSignalConnected()
 
 		relayURLs, token := parseRelayInfo(loginResp)
-		peerConfig := loginResp.GetPeerConfig()
+		relayManager := relayClient.NewManager(engineCtx, relayURLs, myPrivateKey.PublicKey().String())
-
-		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig)
-		if err != nil {
-			log.Error(err)
-			return wrapErr(err)
-		}
-
-		relayManager := relayClient.NewManager(engineCtx, relayURLs, myPrivateKey.PublicKey().String(), engineConfig.MTU)
 		c.statusRecorder.SetRelayMgr(relayManager)
 		if len(relayURLs) > 0 {
 			if token != nil {
@@ -268,18 +261,25 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			}
 		}
 
-		checks := loginResp.GetChecks()
+		peerConfig := loginResp.GetPeerConfig()
 
-		c.engineMutex.Lock()
+		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig, c.LogFile)
-		c.engine = NewEngine(engineCtx, cancel, signalClient, mgmClient, relayManager, engineConfig, mobileDependency, c.statusRecorder, checks)
+		if err != nil {
-		c.engine.SetSyncResponsePersistence(c.persistSyncResponse)
+			log.Error(err)
-		c.engineMutex.Unlock()
-
-		if err := c.engine.Start(loginResp.GetNetbirdConfig(), c.config.ManagementURL); err != nil {
-			log.Errorf("error while starting Netbird Connection Engine: %s", err)
 			return wrapErr(err)
 		}
 
+		checks := loginResp.GetChecks()
+
+		c.engineMutex.Lock()
+		c.engine = NewEngine(engineCtx, cancel, signalClient, mgmClient, relayManager, engineConfig, mobileDependency, c.statusRecorder, checks, c.config)
+		c.engine.SetSyncResponsePersistence(c.persistSyncResponse)
+		c.engineMutex.Unlock()
+
+		if err := c.engine.Start(); err != nil {
+			log.Errorf("error while starting Netbird Connection Engine: %s", err)
+			return wrapErr(err)
+		}
 
 		log.Infof("Netbird engine started, the IP is: %s", peerConfig.GetAddress())
 		state.Set(StatusConnected)
@@ -417,7 +417,7 @@ func (c *ConnectClient) SetSyncResponsePersistence(enabled bool) {
 }
 
 // createEngineConfig converts configuration received from Management Service to EngineConfig
-func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
+func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConfig *mgmProto.PeerConfig, logFile string) (*EngineConfig, error) {
 	nm := false
 	if config.NetworkMonitor != nil {
 		nm = *config.NetworkMonitor
@@ -446,8 +446,9 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		BlockInbound:        config.BlockInbound,
 
 		LazyConnectionEnabled: config.LazyConnectionEnabled,
+		LogFile:               logFile,
 
-		MTU: selectMTU(config.MTU, peerConfig.Mtu),
+		ProfileConfig: config,
 	}
 
 	if config.PreSharedKey != "" {
@@ -470,20 +471,6 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 	return engineConf, nil
 }
 
-func selectMTU(localMTU uint16, peerMTU int32) uint16 {
-	var finalMTU uint16 = iface.DefaultMTU
-	if localMTU > 0 {
-		finalMTU = localMTU
-	} else if peerMTU > 0 {
-		finalMTU = uint16(peerMTU)
-	}
-
-	// Set global DNS MTU
-	dns.SetCurrentMTU(finalMTU)
-
-	return finalMTU
-}
-
 // connectToSignal creates Signal Service client and established a connection
 func connectToSignal(ctx context.Context, wtConfig *mgmProto.NetbirdConfig, ourPrivateKey wgtypes.Key) (*signal.GrpcClient, error) {
 	var sigTLSEnabled bool

client/internal/debug/upload.go

@@ -0,0 +1,101 @@
+package debug
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+
+	"github.com/netbirdio/netbird/upload-server/types"
+)
+
+const maxBundleUploadSize = 50 * 1024 * 1024
+
+func UploadDebugBundle(ctx context.Context, url, managementURL, filePath string) (key string, err error) {
+	response, err := getUploadURL(ctx, url, managementURL)
+	if err != nil {
+		return "", err
+	}
+
+	err = upload(ctx, filePath, response)
+	if err != nil {
+		return "", err
+	}
+	return response.Key, nil
+}
+
+func upload(ctx context.Context, filePath string, response *types.GetURLResponse) error {
+	fileData, err := os.Open(filePath)
+	if err != nil {
+		return fmt.Errorf("open file: %w", err)
+	}
+
+	defer fileData.Close()
+
+	stat, err := fileData.Stat()
+	if err != nil {
+		return fmt.Errorf("stat file: %w", err)
+	}
+
+	if stat.Size() > maxBundleUploadSize {
+		return fmt.Errorf("file size exceeds maximum limit of %d bytes", maxBundleUploadSize)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, "PUT", response.URL, fileData)
+	if err != nil {
+		return fmt.Errorf("create PUT request: %w", err)
+	}
+
+	req.ContentLength = stat.Size()
+	req.Header.Set("Content-Type", "application/octet-stream")
+
+	putResp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("upload failed: %v", err)
+	}
+	defer putResp.Body.Close()
+
+	if putResp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(putResp.Body)
+		return fmt.Errorf("upload status %d: %s", putResp.StatusCode, string(body))
+	}
+	return nil
+}
+
+func getUploadURL(ctx context.Context, url string, managementURL string) (*types.GetURLResponse, error) {
+	id := getURLHash(managementURL)
+	getReq, err := http.NewRequestWithContext(ctx, "GET", url+"?id="+id, nil)
+	if err != nil {
+		return nil, fmt.Errorf("create GET request: %w", err)
+	}
+
+	getReq.Header.Set(types.ClientHeader, types.ClientHeaderValue)
+
+	resp, err := http.DefaultClient.Do(getReq)
+	if err != nil {
+		return nil, fmt.Errorf("get presigned URL: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return nil, fmt.Errorf("get presigned URL status %d: %s", resp.StatusCode, string(body))
+	}
+
+	urlBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("read response body: %w", err)
+	}
+	var response types.GetURLResponse
+	if err := json.Unmarshal(urlBytes, &response); err != nil {
+		return nil, fmt.Errorf("unmarshal response: %w", err)
+	}
+	return &response, nil
+}
+
+func getURLHash(url string) string {
+	return fmt.Sprintf("%x", sha256.Sum256([]byte(url)))
+}

client/internal/debug/upload_test.go

@@ -1,4 +1,4 @@
-package server
+package debug
 
 import (
 	"context"
@@ -38,7 +38,7 @@ func TestUpload(t *testing.T) {
 	fileContent := []byte("test file content")
 	err := os.WriteFile(file, fileContent, 0640)
 	require.NoError(t, err)
-	key, err := uploadDebugBundle(context.Background(), testURL+types.GetURLPath, testURL, file)
+	key, err := UploadDebugBundle(context.Background(), testURL+types.GetURLPath, testURL, file)
 	require.NoError(t, err)
 	id := getURLHash(testURL)
 	require.Contains(t, key, id+"/")

client/internal/dns/config/domains.go

@@ -1,201 +0,0 @@
-package config
-
-import (
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-	"net/url"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/shared/management/domain"
-	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
-)
-
-var (
-	ErrEmptyURL     = errors.New("empty URL")
-	ErrEmptyHost    = errors.New("empty host")
-	ErrIPNotAllowed = errors.New("IP address not allowed")
-)
-
-// ServerDomains represents the management server domains extracted from NetBird configuration
-type ServerDomains struct {
-	Signal domain.Domain
-	Relay  []domain.Domain
-	Flow   domain.Domain
-	Stuns  []domain.Domain
-	Turns  []domain.Domain
-}
-
-// ExtractFromNetbirdConfig extracts domain information from NetBird protobuf configuration
-func ExtractFromNetbirdConfig(config *mgmProto.NetbirdConfig) ServerDomains {
-	if config == nil {
-		return ServerDomains{}
-	}
-
-	domains := ServerDomains{}
-
-	domains.Signal = extractSignalDomain(config)
-	domains.Relay = extractRelayDomains(config)
-	domains.Flow = extractFlowDomain(config)
-	domains.Stuns = extractStunDomains(config)
-	domains.Turns = extractTurnDomains(config)
-
-	return domains
-}
-
-// ExtractValidDomain extracts a valid domain from a URL, filtering out IP addresses
-func ExtractValidDomain(rawURL string) (domain.Domain, error) {
-	if rawURL == "" {
-		return "", ErrEmptyURL
-	}
-
-	parsedURL, err := url.Parse(rawURL)
-	if err == nil {
-		if domain, err := extractFromParsedURL(parsedURL); err != nil || domain != "" {
-			return domain, err
-		}
-	}
-
-	return extractFromRawString(rawURL)
-}
-
-// extractFromParsedURL handles domain extraction from successfully parsed URLs
-func extractFromParsedURL(parsedURL *url.URL) (domain.Domain, error) {
-	if parsedURL.Hostname() != "" {
-		return extractDomainFromHost(parsedURL.Hostname())
-	}
-
-	if parsedURL.Opaque == "" || parsedURL.Scheme == "" {
-		return "", nil
-	}
-
-	// Handle URLs with opaque content (e.g., stun:host:port)
-	if strings.Contains(parsedURL.Scheme, ".") {
-		// This is likely "domain.com:port" being parsed as scheme:opaque
-		reconstructed := parsedURL.Scheme + ":" + parsedURL.Opaque
-		if host, _, err := net.SplitHostPort(reconstructed); err == nil {
-			return extractDomainFromHost(host)
-		}
-		return extractDomainFromHost(parsedURL.Scheme)
-	}
-
-	// Valid scheme with opaque content (e.g., stun:host:port)
-	host := parsedURL.Opaque
-	if queryIndex := strings.Index(host, "?"); queryIndex > 0 {
-		host = host[:queryIndex]
-	}
-
-	if hostOnly, _, err := net.SplitHostPort(host); err == nil {
-		return extractDomainFromHost(hostOnly)
-	}
-
-	return extractDomainFromHost(host)
-}
-
-// extractFromRawString handles domain extraction when URL parsing fails or returns no results
-func extractFromRawString(rawURL string) (domain.Domain, error) {
-	if host, _, err := net.SplitHostPort(rawURL); err == nil {
-		return extractDomainFromHost(host)
-	}
-
-	return extractDomainFromHost(rawURL)
-}
-
-// extractDomainFromHost extracts domain from a host string, filtering out IP addresses
-func extractDomainFromHost(host string) (domain.Domain, error) {
-	if host == "" {
-		return "", ErrEmptyHost
-	}
-
-	if _, err := netip.ParseAddr(host); err == nil {
-		return "", fmt.Errorf("%w: %s", ErrIPNotAllowed, host)
-	}
-
-	d, err := domain.FromString(host)
-	if err != nil {
-		return "", fmt.Errorf("invalid domain: %v", err)
-	}
-
-	return d, nil
-}
-
-// extractSingleDomain extracts a single domain from a URL with error logging
-func extractSingleDomain(url, serviceType string) domain.Domain {
-	if url == "" {
-		return ""
-	}
-
-	d, err := ExtractValidDomain(url)
-	if err != nil {
-		log.Debugf("Skipping %s: %v", serviceType, err)
-		return ""
-	}
-
-	return d
-}
-
-// extractMultipleDomains extracts multiple domains from URLs with error logging
-func extractMultipleDomains(urls []string, serviceType string) []domain.Domain {
-	var domains []domain.Domain
-	for _, url := range urls {
-		if url == "" {
-			continue
-		}
-		d, err := ExtractValidDomain(url)
-		if err != nil {
-			log.Debugf("Skipping %s: %v", serviceType, err)
-			continue
-		}
-		domains = append(domains, d)
-	}
-	return domains
-}
-
-// extractSignalDomain extracts the signal domain from NetBird configuration.
-func extractSignalDomain(config *mgmProto.NetbirdConfig) domain.Domain {
-	if config.Signal != nil {
-		return extractSingleDomain(config.Signal.Uri, "signal")
-	}
-	return ""
-}
-
-// extractRelayDomains extracts relay server domains from NetBird configuration.
-func extractRelayDomains(config *mgmProto.NetbirdConfig) []domain.Domain {
-	if config.Relay != nil {
-		return extractMultipleDomains(config.Relay.Urls, "relay")
-	}
-	return nil
-}
-
-// extractFlowDomain extracts the traffic flow domain from NetBird configuration.
-func extractFlowDomain(config *mgmProto.NetbirdConfig) domain.Domain {
-	if config.Flow != nil {
-		return extractSingleDomain(config.Flow.Url, "flow")
-	}
-	return ""
-}
-
-// extractStunDomains extracts STUN server domains from NetBird configuration.
-func extractStunDomains(config *mgmProto.NetbirdConfig) []domain.Domain {
-	var urls []string
-	for _, stun := range config.Stuns {
-		if stun != nil && stun.Uri != "" {
-			urls = append(urls, stun.Uri)
-		}
-	}
-	return extractMultipleDomains(urls, "STUN")
-}
-
-// extractTurnDomains extracts TURN server domains from NetBird configuration.
-func extractTurnDomains(config *mgmProto.NetbirdConfig) []domain.Domain {
-	var urls []string
-	for _, turn := range config.Turns {
-		if turn != nil && turn.HostConfig != nil && turn.HostConfig.Uri != "" {
-			urls = append(urls, turn.HostConfig.Uri)
-		}
-	}
-	return extractMultipleDomains(urls, "TURN")
-}

client/internal/dns/config/domains_test.go

@@ -1,213 +0,0 @@
-package config
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestExtractValidDomain(t *testing.T) {
-	tests := []struct {
-		name        string
-		url         string
-		expected    string
-		expectError bool
-	}{
-		{
-			name:     "HTTPS URL with port",
-			url:      "https://api.netbird.io:443",
-			expected: "api.netbird.io",
-		},
-		{
-			name:     "HTTP URL without port",
-			url:      "http://signal.example.com",
-			expected: "signal.example.com",
-		},
-		{
-			name:     "Host with port (no scheme)",
-			url:      "signal.netbird.io:443",
-			expected: "signal.netbird.io",
-		},
-		{
-			name:     "STUN URL",
-			url:      "stun:stun.netbird.io:443",
-			expected: "stun.netbird.io",
-		},
-		{
-			name:     "STUN URL with different port",
-			url:      "stun:stun.netbird.io:5555",
-			expected: "stun.netbird.io",
-		},
-		{
-			name:     "TURNS URL with query params",
-			url:      "turns:turn.netbird.io:443?transport=tcp",
-			expected: "turn.netbird.io",
-		},
-		{
-			name:     "TURN URL",
-			url:      "turn:turn.example.com:3478",
-			expected: "turn.example.com",
-		},
-		{
-			name:     "REL URL",
-			url:      "rel://relay.example.com:443",
-			expected: "relay.example.com",
-		},
-		{
-			name:     "RELS URL",
-			url:      "rels://relay.netbird.io:443",
-			expected: "relay.netbird.io",
-		},
-		{
-			name:     "Raw hostname",
-			url:      "example.org",
-			expected: "example.org",
-		},
-		{
-			name:        "IP address should be rejected",
-			url:         "192.168.1.1",
-			expectError: true,
-		},
-		{
-			name:        "IP address with port should be rejected",
-			url:         "192.168.1.1:443",
-			expectError: true,
-		},
-		{
-			name:        "IPv6 address should be rejected",
-			url:         "2001:db8::1",
-			expectError: true,
-		},
-		{
-			name:        "HTTP URL with IPv4 should be rejected",
-			url:         "http://192.168.1.1:8080",
-			expectError: true,
-		},
-		{
-			name:        "HTTPS URL with IPv4 should be rejected",
-			url:         "https://10.0.0.1:443",
-			expectError: true,
-		},
-		{
-			name:        "STUN URL with IPv4 should be rejected",
-			url:         "stun:192.168.1.1:3478",
-			expectError: true,
-		},
-		{
-			name:        "TURN URL with IPv4 should be rejected",
-			url:         "turn:10.0.0.1:3478",
-			expectError: true,
-		},
-		{
-			name:        "TURNS URL with IPv4 should be rejected",
-			url:         "turns:172.16.0.1:5349",
-			expectError: true,
-		},
-		{
-			name:        "HTTP URL with IPv6 should be rejected",
-			url:         "http://[2001:db8::1]:8080",
-			expectError: true,
-		},
-		{
-			name:        "HTTPS URL with IPv6 should be rejected",
-			url:         "https://[::1]:443",
-			expectError: true,
-		},
-		{
-			name:        "STUN URL with IPv6 should be rejected",
-			url:         "stun:[2001:db8::1]:3478",
-			expectError: true,
-		},
-		{
-			name:        "IPv6 with port should be rejected",
-			url:         "[2001:db8::1]:443",
-			expectError: true,
-		},
-		{
-			name:        "Localhost IPv4 should be rejected",
-			url:         "127.0.0.1:8080",
-			expectError: true,
-		},
-		{
-			name:        "Localhost IPv6 should be rejected",
-			url:         "[::1]:443",
-			expectError: true,
-		},
-		{
-			name:        "REL URL with IPv4 should be rejected",
-			url:         "rel://192.168.1.1:443",
-			expectError: true,
-		},
-		{
-			name:        "RELS URL with IPv4 should be rejected",
-			url:         "rels://10.0.0.1:443",
-			expectError: true,
-		},
-		{
-			name:        "Empty URL",
-			url:         "",
-			expectError: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result, err := ExtractValidDomain(tt.url)
-
-			if tt.expectError {
-				assert.Error(t, err, "Expected error for URL: %s", tt.url)
-			} else {
-				assert.NoError(t, err, "Unexpected error for URL: %s", tt.url)
-				assert.Equal(t, tt.expected, result.SafeString(), "Domain mismatch for URL: %s", tt.url)
-			}
-		})
-	}
-}
-
-func TestExtractDomainFromHost(t *testing.T) {
-	tests := []struct {
-		name        string
-		host        string
-		expected    string
-		expectError bool
-	}{
-		{
-			name:     "Valid domain",
-			host:     "example.com",
-			expected: "example.com",
-		},
-		{
-			name:     "Subdomain",
-			host:     "api.example.com",
-			expected: "api.example.com",
-		},
-		{
-			name:        "IPv4 address",
-			host:        "192.168.1.1",
-			expectError: true,
-		},
-		{
-			name:        "IPv6 address",
-			host:        "2001:db8::1",
-			expectError: true,
-		},
-		{
-			name:        "Empty host",
-			host:        "",
-			expectError: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result, err := extractDomainFromHost(tt.host)
-
-			if tt.expectError {
-				assert.Error(t, err, "Expected error for host: %s", tt.host)
-			} else {
-				assert.NoError(t, err, "Unexpected error for host: %s", tt.host)
-				assert.Equal(t, tt.expected, result.SafeString(), "Domain mismatch for host: %s", tt.host)
-			}
-		})
-	}
-}

client/internal/dns/handler_chain.go

@@ -11,12 +11,11 @@ import (
 )
 
 const (
-	PriorityMgmtCache = 150
+	PriorityLocal    = 100
-	PriorityLocal     = 100
+	PriorityDNSRoute = 75
-	PriorityDNSRoute  = 75
+	PriorityUpstream = 50
-	PriorityUpstream  = 50
+	PriorityDefault  = 1
-	PriorityDefault   = 1
+	PriorityFallback = -100
-	PriorityFallback  = -100
 )
 
 type SubdomainMatcher interface {
@@ -183,10 +182,7 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 
 			// If handler wants to continue, try next handler
 			if chainWriter.shouldContinue {
-				// Only log continue for non-management cache handlers to reduce noise
+				log.Tracef("handler requested continue to next handler for domain=%s", qname)
-				if entry.Priority != PriorityMgmtCache {
-					log.Tracef("handler requested continue to next handler for domain=%s", qname)
-				}
 				continue
 			}
 			return

client/internal/dns/host_darwin.go

@@ -166,10 +166,9 @@ func (s *systemConfigurator) removeKeyFromSystemConfig(key string) error {
 
 func (s *systemConfigurator) addLocalDNS() error {
 	if !s.systemDNSSettings.ServerIP.IsValid() || len(s.systemDNSSettings.Domains) == 0 {
-		if err := s.recordSystemDNSSettings(true); err != nil {
+		err := s.recordSystemDNSSettings(true)
-			log.Errorf("Unable to get system DNS configuration")
+		log.Errorf("Unable to get system DNS configuration")
-			return fmt.Errorf("recordSystemDNSSettings(): %w", err)
+		return err
-		}
 	}
 	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
 	if s.systemDNSSettings.ServerIP.IsValid() && len(s.systemDNSSettings.Domains) != 0 {

client/internal/dns/host_windows.go

@@ -240,15 +240,19 @@ func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr
 	// if the gpo key is present, we need to put our DNS settings there, otherwise our config might be ignored
 	// see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/8cc31cb9-20cb-4140-9e85-3e08703b4745
 	for i, domain := range domains {
-		policyPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
+		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
-		if r.gpo {
+		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)
-			policyPath = fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)
-		}
 
 		singleDomain := []string{domain}
 
-		if err := r.configureDNSPolicy(policyPath, singleDomain, ip); err != nil {
+		if err := r.configureDNSPolicy(localPath, singleDomain, ip); err != nil {
-			return i, fmt.Errorf("configure DNS policy for domain %s: %w", domain, err)
+			return i, fmt.Errorf("configure DNS Local policy for domain %s: %w", domain, err)
+		}
+
+		if r.gpo {
+			if err := r.configureDNSPolicy(gpoPath, singleDomain, ip); err != nil {
+				return i, fmt.Errorf("configure gpo DNS policy: %w", err)
+			}
 		}
 
 		log.Debugf("added NRPT entry for domain: %s", domain)

client/internal/dns/local/local.go

@@ -34,7 +34,7 @@ func (d *Resolver) MatchSubdomains() bool {
 
 // String returns a string representation of the local resolver
 func (d *Resolver) String() string {
-	return fmt.Sprintf("LocalResolver [%d records]", len(d.records))
+	return fmt.Sprintf("local resolver [%d records]", len(d.records))
 }
 
 func (d *Resolver) Stop() {}

client/internal/dns/mgmt/mgmt.go

@@ -1,360 +0,0 @@
-package mgmt
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/url"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/miekg/dns"
-	log "github.com/sirupsen/logrus"
-
-	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
-	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-const dnsTimeout = 5 * time.Second
-
-// Resolver caches critical NetBird infrastructure domains
-type Resolver struct {
-	records       map[dns.Question][]dns.RR
-	mgmtDomain    *domain.Domain
-	serverDomains *dnsconfig.ServerDomains
-	mutex         sync.RWMutex
-}
-
-// NewResolver creates a new management domains cache resolver.
-func NewResolver() *Resolver {
-	return &Resolver{
-		records: make(map[dns.Question][]dns.RR),
-	}
-}
-
-// String returns a string representation of the resolver.
-func (m *Resolver) String() string {
-	return "MgmtCacheResolver"
-}
-
-// ServeDNS implements dns.Handler interface.
-func (m *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	if len(r.Question) == 0 {
-		m.continueToNext(w, r)
-		return
-	}
-
-	question := r.Question[0]
-	question.Name = strings.ToLower(dns.Fqdn(question.Name))
-
-	if question.Qtype != dns.TypeA && question.Qtype != dns.TypeAAAA {
-		m.continueToNext(w, r)
-		return
-	}
-
-	m.mutex.RLock()
-	records, found := m.records[question]
-	m.mutex.RUnlock()
-
-	if !found {
-		m.continueToNext(w, r)
-		return
-	}
-
-	resp := &dns.Msg{}
-	resp.SetReply(r)
-	resp.Authoritative = false
-	resp.RecursionAvailable = true
-
-	resp.Answer = append(resp.Answer, records...)
-
-	log.Debugf("serving %d cached records for domain=%s", len(resp.Answer), question.Name)
-
-	if err := w.WriteMsg(resp); err != nil {
-		log.Errorf("failed to write response: %v", err)
-	}
-}
-
-// MatchSubdomains returns false since this resolver only handles exact domain matches
-// for NetBird infrastructure domains (signal, relay, flow, etc.), not their subdomains.
-func (m *Resolver) MatchSubdomains() bool {
-	return false
-}
-
-// continueToNext signals the handler chain to continue to the next handler.
-func (m *Resolver) continueToNext(w dns.ResponseWriter, r *dns.Msg) {
-	resp := &dns.Msg{}
-	resp.SetRcode(r, dns.RcodeNameError)
-	resp.MsgHdr.Zero = true
-	if err := w.WriteMsg(resp); err != nil {
-		log.Errorf("failed to write continue signal: %v", err)
-	}
-}
-
-// AddDomain manually adds a domain to cache by resolving it.
-func (m *Resolver) AddDomain(ctx context.Context, d domain.Domain) error {
-	dnsName := strings.ToLower(dns.Fqdn(d.PunycodeString()))
-
-	ctx, cancel := context.WithTimeout(ctx, dnsTimeout)
-	defer cancel()
-
-	ips, err := net.DefaultResolver.LookupNetIP(ctx, "ip", d.PunycodeString())
-	if err != nil {
-		return fmt.Errorf("resolve domain %s: %w", d.SafeString(), err)
-	}
-
-	var aRecords, aaaaRecords []dns.RR
-	for _, ip := range ips {
-		if ip.Is4() {
-			rr := &dns.A{
-				Hdr: dns.RR_Header{
-					Name:   dnsName,
-					Rrtype: dns.TypeA,
-					Class:  dns.ClassINET,
-					Ttl:    300,
-				},
-				A: ip.AsSlice(),
-			}
-			aRecords = append(aRecords, rr)
-		} else if ip.Is6() {
-			rr := &dns.AAAA{
-				Hdr: dns.RR_Header{
-					Name:   dnsName,
-					Rrtype: dns.TypeAAAA,
-					Class:  dns.ClassINET,
-					Ttl:    300,
-				},
-				AAAA: ip.AsSlice(),
-			}
-			aaaaRecords = append(aaaaRecords, rr)
-		}
-	}
-
-	m.mutex.Lock()
-
-	if len(aRecords) > 0 {
-		aQuestion := dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeA,
-			Qclass: dns.ClassINET,
-		}
-		m.records[aQuestion] = aRecords
-	}
-
-	if len(aaaaRecords) > 0 {
-		aaaaQuestion := dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeAAAA,
-			Qclass: dns.ClassINET,
-		}
-		m.records[aaaaQuestion] = aaaaRecords
-	}
-
-	m.mutex.Unlock()
-
-	log.Debugf("added domain=%s with %d A records and %d AAAA records",
-		d.SafeString(), len(aRecords), len(aaaaRecords))
-
-	return nil
-}
-
-// PopulateFromConfig extracts and caches domains from the client configuration.
-func (m *Resolver) PopulateFromConfig(ctx context.Context, mgmtURL *url.URL) error {
-	if mgmtURL == nil {
-		return nil
-	}
-
-	d, err := dnsconfig.ExtractValidDomain(mgmtURL.String())
-	if err != nil {
-		return fmt.Errorf("extract domain from URL: %w", err)
-	}
-
-	m.mutex.Lock()
-	m.mgmtDomain = &d
-	m.mutex.Unlock()
-
-	if err := m.AddDomain(ctx, d); err != nil {
-		return fmt.Errorf("add domain: %w", err)
-	}
-
-	return nil
-}
-
-// RemoveDomain removes a domain from the cache.
-func (m *Resolver) RemoveDomain(d domain.Domain) error {
-	dnsName := strings.ToLower(dns.Fqdn(d.PunycodeString()))
-
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	aQuestion := dns.Question{
-		Name:   dnsName,
-		Qtype:  dns.TypeA,
-		Qclass: dns.ClassINET,
-	}
-	delete(m.records, aQuestion)
-
-	aaaaQuestion := dns.Question{
-		Name:   dnsName,
-		Qtype:  dns.TypeAAAA,
-		Qclass: dns.ClassINET,
-	}
-	delete(m.records, aaaaQuestion)
-
-	log.Debugf("removed domain=%s from cache", d.SafeString())
-	return nil
-}
-
-// GetCachedDomains returns a list of all cached domains.
-func (m *Resolver) GetCachedDomains() domain.List {
-	m.mutex.RLock()
-	defer m.mutex.RUnlock()
-
-	domainSet := make(map[domain.Domain]struct{})
-	for question := range m.records {
-		domainName := strings.TrimSuffix(question.Name, ".")
-		domainSet[domain.Domain(domainName)] = struct{}{}
-	}
-
-	domains := make(domain.List, 0, len(domainSet))
-	for d := range domainSet {
-		domains = append(domains, d)
-	}
-
-	return domains
-}
-
-// UpdateFromServerDomains updates the cache with server domains from network configuration.
-// It merges new domains with existing ones, replacing entire domain types when updated.
-// Empty updates are ignored to prevent clearing infrastructure domains during partial updates.
-func (m *Resolver) UpdateFromServerDomains(ctx context.Context, serverDomains dnsconfig.ServerDomains) (domain.List, error) {
-	newDomains := m.extractDomainsFromServerDomains(serverDomains)
-	var removedDomains domain.List
-
-	if len(newDomains) > 0 {
-		m.mutex.Lock()
-		if m.serverDomains == nil {
-			m.serverDomains = &dnsconfig.ServerDomains{}
-		}
-		updatedServerDomains := m.mergeServerDomains(*m.serverDomains, serverDomains)
-		m.serverDomains = &updatedServerDomains
-		m.mutex.Unlock()
-
-		allDomains := m.extractDomainsFromServerDomains(updatedServerDomains)
-		currentDomains := m.GetCachedDomains()
-		removedDomains = m.removeStaleDomains(currentDomains, allDomains)
-	}
-
-	m.addNewDomains(ctx, newDomains)
-
-	return removedDomains, nil
-}
-
-// removeStaleDomains removes cached domains not present in the target domain list.
-// Management domains are preserved and never removed during server domain updates.
-func (m *Resolver) removeStaleDomains(currentDomains, newDomains domain.List) domain.List {
-	var removedDomains domain.List
-
-	for _, currentDomain := range currentDomains {
-		if m.isDomainInList(currentDomain, newDomains) {
-			continue
-		}
-
-		if m.isManagementDomain(currentDomain) {
-			continue
-		}
-
-		removedDomains = append(removedDomains, currentDomain)
-		if err := m.RemoveDomain(currentDomain); err != nil {
-			log.Warnf("failed to remove domain=%s: %v", currentDomain.SafeString(), err)
-		}
-	}
-
-	return removedDomains
-}
-
-// mergeServerDomains merges new server domains with existing ones.
-// When a domain type is provided in the new domains, it completely replaces that type.
-func (m *Resolver) mergeServerDomains(existing, incoming dnsconfig.ServerDomains) dnsconfig.ServerDomains {
-	merged := existing
-
-	if incoming.Signal != "" {
-		merged.Signal = incoming.Signal
-	}
-	if len(incoming.Relay) > 0 {
-		merged.Relay = incoming.Relay
-	}
-	if incoming.Flow != "" {
-		merged.Flow = incoming.Flow
-	}
-	if len(incoming.Stuns) > 0 {
-		merged.Stuns = incoming.Stuns
-	}
-	if len(incoming.Turns) > 0 {
-		merged.Turns = incoming.Turns
-	}
-
-	return merged
-}
-
-// isDomainInList checks if domain exists in the list
-func (m *Resolver) isDomainInList(domain domain.Domain, list domain.List) bool {
-	for _, d := range list {
-		if domain.SafeString() == d.SafeString() {
-			return true
-		}
-	}
-	return false
-}
-
-// isManagementDomain checks if domain is the protected management domain
-func (m *Resolver) isManagementDomain(domain domain.Domain) bool {
-	m.mutex.RLock()
-	defer m.mutex.RUnlock()
-
-	return m.mgmtDomain != nil && domain == *m.mgmtDomain
-}
-
-// addNewDomains resolves and caches all domains from the update
-func (m *Resolver) addNewDomains(ctx context.Context, newDomains domain.List) {
-	for _, newDomain := range newDomains {
-		if err := m.AddDomain(ctx, newDomain); err != nil {
-			log.Warnf("failed to add/update domain=%s: %v", newDomain.SafeString(), err)
-		} else {
-			log.Debugf("added/updated management cache domain=%s", newDomain.SafeString())
-		}
-	}
-}
-
-func (m *Resolver) extractDomainsFromServerDomains(serverDomains dnsconfig.ServerDomains) domain.List {
-	var domains domain.List
-
-	if serverDomains.Signal != "" {
-		domains = append(domains, serverDomains.Signal)
-	}
-
-	for _, relay := range serverDomains.Relay {
-		if relay != "" {
-			domains = append(domains, relay)
-		}
-	}
-
-	if serverDomains.Flow != "" {
-		domains = append(domains, serverDomains.Flow)
-	}
-
-	for _, stun := range serverDomains.Stuns {
-		if stun != "" {
-			domains = append(domains, stun)
-		}
-	}
-
-	for _, turn := range serverDomains.Turns {
-		if turn != "" {
-			domains = append(domains, turn)
-		}
-	}
-
-	return domains
-}

client/internal/dns/mgmt/mgmt_test.go

@@ -1,416 +0,0 @@
-package mgmt
-
-import (
-	"context"
-	"fmt"
-	"net/url"
-	"strings"
-	"testing"
-
-	"github.com/miekg/dns"
-	"github.com/stretchr/testify/assert"
-
-	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
-	"github.com/netbirdio/netbird/client/internal/dns/test"
-	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-func TestResolver_NewResolver(t *testing.T) {
-	resolver := NewResolver()
-
-	assert.NotNil(t, resolver)
-	assert.NotNil(t, resolver.records)
-	assert.False(t, resolver.MatchSubdomains())
-}
-
-func TestResolver_ExtractDomainFromURL(t *testing.T) {
-	tests := []struct {
-		name        string
-		urlStr      string
-		expectedDom string
-		expectError bool
-	}{
-		{
-			name:        "HTTPS URL with port",
-			urlStr:      "https://api.netbird.io:443",
-			expectedDom: "api.netbird.io",
-			expectError: false,
-		},
-		{
-			name:        "HTTP URL without port",
-			urlStr:      "http://signal.example.com",
-			expectedDom: "signal.example.com",
-			expectError: false,
-		},
-		{
-			name:        "URL with path",
-			urlStr:      "https://relay.netbird.io/status",
-			expectedDom: "relay.netbird.io",
-			expectError: false,
-		},
-		{
-			name:        "Invalid URL",
-			urlStr:      "not-a-valid-url",
-			expectedDom: "not-a-valid-url",
-			expectError: false,
-		},
-		{
-			name:        "Empty URL",
-			urlStr:      "",
-			expectedDom: "",
-			expectError: true,
-		},
-		{
-			name:        "STUN URL",
-			urlStr:      "stun:stun.example.com:3478",
-			expectedDom: "stun.example.com",
-			expectError: false,
-		},
-		{
-			name:        "TURN URL",
-			urlStr:      "turn:turn.example.com:3478",
-			expectedDom: "turn.example.com",
-			expectError: false,
-		},
-		{
-			name:        "REL URL",
-			urlStr:      "rel://relay.example.com:443",
-			expectedDom: "relay.example.com",
-			expectError: false,
-		},
-		{
-			name:        "RELS URL",
-			urlStr:      "rels://relay.example.com:443",
-			expectedDom: "relay.example.com",
-			expectError: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var parsedURL *url.URL
-			var err error
-
-			if tt.urlStr != "" {
-				parsedURL, err = url.Parse(tt.urlStr)
-				if err != nil && !tt.expectError {
-					t.Fatalf("Failed to parse URL: %v", err)
-				}
-			}
-
-			domain, err := extractDomainFromURL(parsedURL)
-
-			if tt.expectError {
-				assert.Error(t, err)
-			} else {
-				assert.NoError(t, err)
-				assert.Equal(t, tt.expectedDom, domain.SafeString())
-			}
-		})
-	}
-}
-
-func TestResolver_PopulateFromConfig(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	resolver := NewResolver()
-
-	// Test with IP address - should return error since IP addresses are rejected
-	mgmtURL, _ := url.Parse("https://127.0.0.1")
-
-	err := resolver.PopulateFromConfig(ctx, mgmtURL)
-	assert.Error(t, err)
-	assert.ErrorIs(t, err, dnsconfig.ErrIPNotAllowed)
-
-	// No domains should be cached when using IP addresses
-	domains := resolver.GetCachedDomains()
-	assert.Equal(t, 0, len(domains), "No domains should be cached when using IP addresses")
-}
-
-func TestResolver_ServeDNS(t *testing.T) {
-	resolver := NewResolver()
-	ctx := context.Background()
-
-	// Add a test domain to the cache - use example.org which is reserved for testing
-	testDomain, err := domain.FromString("example.org")
-	if err != nil {
-		t.Fatalf("Failed to create domain: %v", err)
-	}
-	err = resolver.AddDomain(ctx, testDomain)
-	if err != nil {
-		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
-	}
-
-	// Test A record query for cached domain
-	t.Run("Cached domain A record", func(t *testing.T) {
-		var capturedMsg *dns.Msg
-		mockWriter := &test.MockResponseWriter{
-			WriteMsgFunc: func(m *dns.Msg) error {
-				capturedMsg = m
-				return nil
-			},
-		}
-
-		req := new(dns.Msg)
-		req.SetQuestion("example.org.", dns.TypeA)
-
-		resolver.ServeDNS(mockWriter, req)
-
-		assert.NotNil(t, capturedMsg)
-		assert.Equal(t, dns.RcodeSuccess, capturedMsg.Rcode)
-		assert.True(t, len(capturedMsg.Answer) > 0, "Should have at least one answer")
-	})
-
-	// Test uncached domain signals to continue to next handler
-	t.Run("Uncached domain signals continue to next handler", func(t *testing.T) {
-		var capturedMsg *dns.Msg
-		mockWriter := &test.MockResponseWriter{
-			WriteMsgFunc: func(m *dns.Msg) error {
-				capturedMsg = m
-				return nil
-			},
-		}
-
-		req := new(dns.Msg)
-		req.SetQuestion("unknown.example.com.", dns.TypeA)
-
-		resolver.ServeDNS(mockWriter, req)
-
-		assert.NotNil(t, capturedMsg)
-		assert.Equal(t, dns.RcodeNameError, capturedMsg.Rcode)
-		// Zero flag set to true signals the handler chain to continue to next handler
-		assert.True(t, capturedMsg.MsgHdr.Zero, "Zero flag should be set to signal continuation to next handler")
-		assert.Empty(t, capturedMsg.Answer, "Should have no answers for uncached domain")
-	})
-
-	// Test that subdomains of cached domains are NOT resolved
-	t.Run("Subdomains of cached domains are not resolved", func(t *testing.T) {
-		var capturedMsg *dns.Msg
-		mockWriter := &test.MockResponseWriter{
-			WriteMsgFunc: func(m *dns.Msg) error {
-				capturedMsg = m
-				return nil
-			},
-		}
-
-		// Query for a subdomain of our cached domain
-		req := new(dns.Msg)
-		req.SetQuestion("sub.example.org.", dns.TypeA)
-
-		resolver.ServeDNS(mockWriter, req)
-
-		assert.NotNil(t, capturedMsg)
-		assert.Equal(t, dns.RcodeNameError, capturedMsg.Rcode)
-		assert.True(t, capturedMsg.MsgHdr.Zero, "Should signal continuation to next handler for subdomains")
-		assert.Empty(t, capturedMsg.Answer, "Should have no answers for subdomains")
-	})
-
-	// Test case-insensitive matching
-	t.Run("Case-insensitive domain matching", func(t *testing.T) {
-		var capturedMsg *dns.Msg
-		mockWriter := &test.MockResponseWriter{
-			WriteMsgFunc: func(m *dns.Msg) error {
-				capturedMsg = m
-				return nil
-			},
-		}
-
-		// Query with different casing
-		req := new(dns.Msg)
-		req.SetQuestion("EXAMPLE.ORG.", dns.TypeA)
-
-		resolver.ServeDNS(mockWriter, req)
-
-		assert.NotNil(t, capturedMsg)
-		assert.Equal(t, dns.RcodeSuccess, capturedMsg.Rcode)
-		assert.True(t, len(capturedMsg.Answer) > 0, "Should resolve regardless of case")
-	})
-}
-
-func TestResolver_GetCachedDomains(t *testing.T) {
-	resolver := NewResolver()
-	ctx := context.Background()
-
-	testDomain, err := domain.FromString("example.org")
-	if err != nil {
-		t.Fatalf("Failed to create domain: %v", err)
-	}
-	err = resolver.AddDomain(ctx, testDomain)
-	if err != nil {
-		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
-	}
-
-	cachedDomains := resolver.GetCachedDomains()
-
-	assert.Equal(t, 1, len(cachedDomains), "Should return exactly one domain for single added domain")
-	assert.Equal(t, testDomain.SafeString(), cachedDomains[0].SafeString(), "Cached domain should match original")
-	assert.False(t, strings.HasSuffix(cachedDomains[0].PunycodeString(), "."), "Domain should not have trailing dot")
-}
-
-func TestResolver_ManagementDomainProtection(t *testing.T) {
-	resolver := NewResolver()
-	ctx := context.Background()
-
-	mgmtURL, _ := url.Parse("https://example.org")
-	err := resolver.PopulateFromConfig(ctx, mgmtURL)
-	if err != nil {
-		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
-	}
-
-	initialDomains := resolver.GetCachedDomains()
-	if len(initialDomains) == 0 {
-		t.Skip("Management domain failed to resolve, skipping test")
-	}
-	assert.Equal(t, 1, len(initialDomains), "Should have management domain cached")
-	assert.Equal(t, "example.org", initialDomains[0].SafeString())
-
-	serverDomains := dnsconfig.ServerDomains{
-		Signal: "google.com",
-		Relay:  []domain.Domain{"cloudflare.com"},
-	}
-
-	_, err = resolver.UpdateFromServerDomains(ctx, serverDomains)
-	if err != nil {
-		t.Logf("Server domains update failed: %v", err)
-	}
-
-	finalDomains := resolver.GetCachedDomains()
-
-	managementStillCached := false
-	for _, d := range finalDomains {
-		if d.SafeString() == "example.org" {
-			managementStillCached = true
-			break
-		}
-	}
-	assert.True(t, managementStillCached, "Management domain should never be removed")
-}
-
-// extractDomainFromURL extracts a domain from a URL - test helper function
-func extractDomainFromURL(u *url.URL) (domain.Domain, error) {
-	if u == nil {
-		return "", fmt.Errorf("URL is nil")
-	}
-	return dnsconfig.ExtractValidDomain(u.String())
-}
-
-func TestResolver_EmptyUpdateDoesNotRemoveDomains(t *testing.T) {
-	resolver := NewResolver()
-	ctx := context.Background()
-
-	// Set up initial domains using resolvable domains
-	initialDomains := dnsconfig.ServerDomains{
-		Signal: "example.org",
-		Stuns:  []domain.Domain{"google.com"},
-		Turns:  []domain.Domain{"cloudflare.com"},
-	}
-
-	// Add initial domains
-	_, err := resolver.UpdateFromServerDomains(ctx, initialDomains)
-	if err != nil {
-		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
-	}
-
-	// Verify domains were added
-	cachedDomains := resolver.GetCachedDomains()
-	assert.Len(t, cachedDomains, 3)
-
-	// Update with empty ServerDomains (simulating partial network map update)
-	emptyDomains := dnsconfig.ServerDomains{}
-	removedDomains, err := resolver.UpdateFromServerDomains(ctx, emptyDomains)
-	assert.NoError(t, err)
-
-	// Verify no domains were removed
-	assert.Len(t, removedDomains, 0, "No domains should be removed when update is empty")
-
-	// Verify all original domains are still cached
-	finalDomains := resolver.GetCachedDomains()
-	assert.Len(t, finalDomains, 3, "All original domains should still be cached")
-}
-
-func TestResolver_PartialUpdateReplacesOnlyUpdatedTypes(t *testing.T) {
-	resolver := NewResolver()
-	ctx := context.Background()
-
-	// Set up initial complete domains using resolvable domains
-	initialDomains := dnsconfig.ServerDomains{
-		Signal: "example.org",
-		Stuns:  []domain.Domain{"google.com"},
-		Turns:  []domain.Domain{"cloudflare.com"},
-	}
-
-	// Add initial domains
-	_, err := resolver.UpdateFromServerDomains(ctx, initialDomains)
-	if err != nil {
-		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
-	}
-	assert.Len(t, resolver.GetCachedDomains(), 3)
-
-	// Update with partial ServerDomains (only signal domain - this should replace signal but preserve stun/turn)
-	partialDomains := dnsconfig.ServerDomains{
-		Signal: "github.com",
-	}
-	removedDomains, err := resolver.UpdateFromServerDomains(ctx, partialDomains)
-	if err != nil {
-		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
-	}
-
-	// Should remove only the old signal domain
-	assert.Len(t, removedDomains, 1, "Should remove only the old signal domain")
-	assert.Equal(t, "example.org", removedDomains[0].SafeString())
-
-	finalDomains := resolver.GetCachedDomains()
-	assert.Len(t, finalDomains, 3, "Should have new signal plus preserved stun/turn domains")
-
-	domainStrings := make([]string, len(finalDomains))
-	for i, d := range finalDomains {
-		domainStrings[i] = d.SafeString()
-	}
-	assert.Contains(t, domainStrings, "github.com")
-	assert.Contains(t, domainStrings, "google.com")
-	assert.Contains(t, domainStrings, "cloudflare.com")
-	assert.NotContains(t, domainStrings, "example.org")
-}
-
-func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
-	resolver := NewResolver()
-	ctx := context.Background()
-
-	// Set up initial complete domains using resolvable domains
-	initialDomains := dnsconfig.ServerDomains{
-		Signal: "example.org",
-		Stuns:  []domain.Domain{"google.com"},
-		Turns:  []domain.Domain{"cloudflare.com"},
-	}
-
-	// Add initial domains
-	_, err := resolver.UpdateFromServerDomains(ctx, initialDomains)
-	if err != nil {
-		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
-	}
-	assert.Len(t, resolver.GetCachedDomains(), 3)
-
-	// Update with partial ServerDomains (only flow domain - new type, should preserve all existing)
-	partialDomains := dnsconfig.ServerDomains{
-		Flow: "github.com",
-	}
-	removedDomains, err := resolver.UpdateFromServerDomains(ctx, partialDomains)
-	if err != nil {
-		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
-	}
-
-	assert.Len(t, removedDomains, 0, "Should not remove any domains when adding new type")
-
-	finalDomains := resolver.GetCachedDomains()
-	assert.Len(t, finalDomains, 4, "Should have all original domains plus new flow domain")
-
-	domainStrings := make([]string, len(finalDomains))
-	for i, d := range finalDomains {
-		domainStrings[i] = d.SafeString()
-	}
-	assert.Contains(t, domainStrings, "example.org")
-	assert.Contains(t, domainStrings, "google.com")
-	assert.Contains(t, domainStrings, "cloudflare.com")
-	assert.Contains(t, domainStrings, "github.com")
-}

client/internal/dns/mock_server.go

@@ -3,23 +3,20 @@ package dns
 import (
 	"fmt"
 	"net/netip"
-	"net/url"
 
 	"github.com/miekg/dns"
 
-	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
 // MockServer is the mock instance of a dns server
 type MockServer struct {
-	InitializeFunc         func() error
+	InitializeFunc        func() error
-	StopFunc               func()
+	StopFunc              func()
-	UpdateDNSServerFunc    func(serial uint64, update nbdns.Config) error
+	UpdateDNSServerFunc   func(serial uint64, update nbdns.Config) error
-	RegisterHandlerFunc    func(domain.List, dns.Handler, int)
+	RegisterHandlerFunc   func(domain.List, dns.Handler, int)
-	DeregisterHandlerFunc  func(domain.List, int)
+	DeregisterHandlerFunc func(domain.List, int)
-	UpdateServerConfigFunc func(domains dnsconfig.ServerDomains) error
 }
 
 func (m *MockServer) RegisterHandler(domains domain.List, handler dns.Handler, priority int) {
@@ -73,14 +70,3 @@ func (m *MockServer) SearchDomains() []string {
 // ProbeAvailability mocks implementation of ProbeAvailability from the Server interface
 func (m *MockServer) ProbeAvailability() {
 }
-
-func (m *MockServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
-	if m.UpdateServerConfigFunc != nil {
-		return m.UpdateServerConfigFunc(domains)
-	}
-	return nil
-}
-
-func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
-	return nil
-}

client/internal/dns/server.go

@@ -5,7 +5,6 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
-	"net/url"
 	"runtime"
 	"strings"
 	"sync"
@@ -16,9 +15,7 @@ import (
 	"golang.org/x/exp/maps"
 
 	"github.com/netbirdio/netbird/client/iface/netstack"
-	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	"github.com/netbirdio/netbird/client/internal/dns/local"
-	"github.com/netbirdio/netbird/client/internal/dns/mgmt"
 	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -48,8 +45,6 @@ type Server interface {
 	OnUpdatedHostDNSServer(addrs []netip.AddrPort)
 	SearchDomains() []string
 	ProbeAvailability()
-	UpdateServerConfig(domains dnsconfig.ServerDomains) error
-	PopulateManagementDomain(mgmtURL *url.URL) error
 }
 
 type nsGroupsByDomain struct {
@@ -82,8 +77,6 @@ type DefaultServer struct {
 	handlerChain       *HandlerChain
 	extraDomains       map[domain.Domain]int
 
-	mgmtCacheResolver *mgmt.Resolver
-
 	// permanent related properties
 	permanent      bool
 	hostsDNSHolder *hostsDNSHolder
@@ -111,20 +104,18 @@ type handlerWrapper struct {
 
 type registeredHandlerMap map[types.HandlerID]handlerWrapper
 
-// DefaultServerConfig holds configuration parameters for NewDefaultServer
-type DefaultServerConfig struct {
-	WgInterface    WGIface
-	CustomAddress  string
-	StatusRecorder *peer.Status
-	StateManager   *statemanager.Manager
-	DisableSys     bool
-}
-
 // NewDefaultServer returns a new dns server
-func NewDefaultServer(ctx context.Context, config DefaultServerConfig) (*DefaultServer, error) {
+func NewDefaultServer(
+	ctx context.Context,
+	wgInterface WGIface,
+	customAddress string,
+	statusRecorder *peer.Status,
+	stateManager *statemanager.Manager,
+	disableSys bool,
+) (*DefaultServer, error) {
 	var addrPort *netip.AddrPort
-	if config.CustomAddress != "" {
+	if customAddress != "" {
-		parsedAddrPort, err := netip.ParseAddrPort(config.CustomAddress)
+		parsedAddrPort, err := netip.ParseAddrPort(customAddress)
 		if err != nil {
 			return nil, fmt.Errorf("unable to parse the custom dns address, got error: %s", err)
 		}
@@ -132,14 +123,13 @@ func NewDefaultServer(ctx context.Context, config DefaultServerConfig) (*Default
 	}
 
 	var dnsService service
-	if config.WgInterface.IsUserspaceBind() {
+	if wgInterface.IsUserspaceBind() {
-		dnsService = NewServiceViaMemory(config.WgInterface)
+		dnsService = NewServiceViaMemory(wgInterface)
 	} else {
-		dnsService = newServiceViaListener(config.WgInterface, addrPort)
+		dnsService = newServiceViaListener(wgInterface, addrPort)
 	}
 
-	server := newDefaultServer(ctx, config.WgInterface, dnsService, config.StatusRecorder, config.StateManager, config.DisableSys)
+	return newDefaultServer(ctx, wgInterface, dnsService, statusRecorder, stateManager, disableSys), nil
-	return server, nil
 }
 
 // NewDefaultServerPermanentUpstream returns a new dns server. It optimized for mobile systems
@@ -188,24 +178,20 @@ func newDefaultServer(
 ) *DefaultServer {
 	handlerChain := NewHandlerChain()
 	ctx, stop := context.WithCancel(ctx)
-
-	mgmtCacheResolver := mgmt.NewResolver()
-
 	defaultServer := &DefaultServer{
-		ctx:               ctx,
+		ctx:            ctx,
-		ctxCancel:         stop,
+		ctxCancel:      stop,
-		disableSys:        disableSys,
+		disableSys:     disableSys,
-		service:           dnsService,
+		service:        dnsService,
-		handlerChain:      handlerChain,
+		handlerChain:   handlerChain,
-		extraDomains:      make(map[domain.Domain]int),
+		extraDomains:   make(map[domain.Domain]int),
-		dnsMuxMap:         make(registeredHandlerMap),
+		dnsMuxMap:      make(registeredHandlerMap),
-		localResolver:     local.NewResolver(),
+		localResolver:  local.NewResolver(),
-		wgInterface:       wgInterface,
+		wgInterface:    wgInterface,
-		statusRecorder:    statusRecorder,
+		statusRecorder: statusRecorder,
-		stateManager:      stateManager,
+		stateManager:   stateManager,
-		hostsDNSHolder:    newHostsDNSHolder(),
+		hostsDNSHolder: newHostsDNSHolder(),
-		hostManager:       &noopHostConfigurator{},
+		hostManager:    &noopHostConfigurator{},
-		mgmtCacheResolver: mgmtCacheResolver,
 	}
 
 	// register with root zone, handler chain takes care of the routing
@@ -231,7 +217,7 @@ func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler
 }
 
 func (s *DefaultServer) registerHandler(domains []string, handler dns.Handler, priority int) {
-	log.Debugf("registering handler %s with priority %d for %v", handler, priority, domains)
+	log.Debugf("registering handler %s with priority %d", handler, priority)
 
 	for _, domain := range domains {
 		if domain == "" {
@@ -260,7 +246,7 @@ func (s *DefaultServer) DeregisterHandler(domains domain.List, priority int) {
 }
 
 func (s *DefaultServer) deregisterHandler(domains []string, priority int) {
-	log.Debugf("deregistering handler with priority %d for %v", priority, domains)
+	log.Debugf("deregistering handler %v with priority %d", domains, priority)
 
 	for _, domain := range domains {
 		if domain == "" {
@@ -446,29 +432,6 @@ func (s *DefaultServer) ProbeAvailability() {
 	wg.Wait()
 }
 
-func (s *DefaultServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	if s.mgmtCacheResolver != nil {
-		removedDomains, err := s.mgmtCacheResolver.UpdateFromServerDomains(s.ctx, domains)
-		if err != nil {
-			return fmt.Errorf("update management cache resolver: %w", err)
-		}
-
-		if len(removedDomains) > 0 {
-			s.deregisterHandler(removedDomains.ToPunycodeList(), PriorityMgmtCache)
-		}
-
-		newDomains := s.mgmtCacheResolver.GetCachedDomains()
-		if len(newDomains) > 0 {
-			s.registerHandler(newDomains.ToPunycodeList(), s.mgmtCacheResolver, PriorityMgmtCache)
-		}
-	}
-
-	return nil
-}
-
 func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 	// is the service should be Disabled, we stop the listener or fake resolver
 	if update.ServiceEnable {
@@ -998,11 +961,3 @@ func toZone(d domain.Domain) domain.Domain {
 		),
 	)
 }
-
-// PopulateManagementDomain populates the DNS cache with management domain
-func (s *DefaultServer) PopulateManagementDomain(mgmtURL *url.URL) error {
-	if s.mgmtCacheResolver != nil {
-		return s.mgmtCacheResolver.PopulateFromConfig(s.ctx, mgmtURL)
-	}
-	return nil
-}

client/internal/dns/server_js.go

@@ -0,0 +1,5 @@
+package dns
+
+func (s *DefaultServer) initialize() (hostManager, error) {
+	return &noopHostConfigurator{}, nil
+}

client/internal/dns/server_test.go

@@ -363,13 +363,7 @@ func TestUpdateDNSServer(t *testing.T) {
 					t.Log(err)
 				}
 			}()
-			dnsServer, err := NewDefaultServer(context.Background(), DefaultServerConfig{
+			dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", peer.NewRecorder("mgm"), nil, false)
-				WgInterface:    wgIface,
-				CustomAddress:  "",
-				StatusRecorder: peer.NewRecorder("mgm"),
-				StateManager:   nil,
-				DisableSys:     false,
-			})
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -479,13 +473,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 		return
 	}
 
-	dnsServer, err := NewDefaultServer(context.Background(), DefaultServerConfig{
+	dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", peer.NewRecorder("mgm"), nil, false)
-		WgInterface:    wgIface,
-		CustomAddress:  "",
-		StatusRecorder: peer.NewRecorder("mgm"),
-		StateManager:   nil,
-		DisableSys:     false,
-	})
 	if err != nil {
 		t.Errorf("create DNS server: %v", err)
 		return
@@ -587,13 +575,7 @@ func TestDNSServerStartStop(t *testing.T) {
 
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			dnsServer, err := NewDefaultServer(context.Background(), DefaultServerConfig{
+			dnsServer, err := NewDefaultServer(context.Background(), &mocWGIface{}, testCase.addrPort, peer.NewRecorder("mgm"), nil, false)
-				WgInterface:    &mocWGIface{},
-				CustomAddress:  testCase.addrPort,
-				StatusRecorder: peer.NewRecorder("mgm"),
-				StateManager:   nil,
-				DisableSys:     false,
-			})
 			if err != nil {
 				t.Fatalf("%v", err)
 			}

client/internal/dns/unclean_shutdown_js.go

@@ -0,0 +1,19 @@
+package dns
+
+import (
+	"context"
+)
+
+type ShutdownState struct{}
+
+func (s *ShutdownState) Name() string {
+	return "dns_state"
+}
+
+func (s *ShutdownState) Cleanup() error {
+	return nil
+}
+
+func (s *ShutdownState) RestoreUncleanShutdownConfigs(context.Context) error {
+	return nil
+}

client/internal/dns/upstream.go

@@ -26,18 +26,10 @@ import (
 	"github.com/netbirdio/netbird/client/proto"
 )
 
-var currentMTU uint16 = iface.DefaultMTU
-
-func SetCurrentMTU(mtu uint16) {
-	currentMTU = mtu
-}
-
 const (
-	UpstreamTimeout = 4 * time.Second
+	UpstreamTimeout = 15 * time.Second
-	// ClientTimeout is the timeout for the dns.Client.
-	// Set longer than UpstreamTimeout to ensure context timeout takes precedence
-	ClientTimeout = 5 * time.Second
 
+	failsTillDeact   = int32(5)
 	reactivatePeriod = 30 * time.Second
 	probeTimeout     = 2 * time.Second
 )
@@ -60,7 +52,9 @@ type upstreamResolverBase struct {
 	upstreamServers  []netip.AddrPort
 	domain           string
 	disabled         bool
+	failsCount       atomic.Int32
 	successCount     atomic.Int32
+	failsTillDeact   int32
 	mutex            sync.Mutex
 	reactivatePeriod time.Duration
 	upstreamTimeout  time.Duration
@@ -79,13 +73,14 @@ func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status, d
 		domain:           domain,
 		upstreamTimeout:  UpstreamTimeout,
 		reactivatePeriod: reactivatePeriod,
+		failsTillDeact:   failsTillDeact,
 		statusRecorder:   statusRecorder,
 	}
 }
 
 // String returns a string representation of the upstream resolver
 func (u *upstreamResolverBase) String() string {
-	return fmt.Sprintf("Upstream %s", u.upstreamServers)
+	return fmt.Sprintf("upstream %s", u.upstreamServers)
 }
 
 // ID returns the unique handler ID
@@ -115,102 +110,58 @@ func (u *upstreamResolverBase) Stop() {
 func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	requestID := GenerateRequestID()
 	logger := log.WithField("request_id", requestID)
+	var err error
+	defer func() {
+		u.checkUpstreamFails(err)
+	}()
 
 	logger.Tracef("received upstream question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
-
-	u.prepareRequest(r)
-
-	if u.ctx.Err() != nil {
-		logger.Tracef("%s has been stopped", u)
-		return
-	}
-
-	if u.tryUpstreamServers(w, r, logger) {
-		return
-	}
-
-	u.writeErrorResponse(w, r, logger)
-}
-
-func (u *upstreamResolverBase) prepareRequest(r *dns.Msg) {
 	if r.Extra == nil {
 		r.MsgHdr.AuthenticatedData = true
 	}
-}
 
-func (u *upstreamResolverBase) tryUpstreamServers(w dns.ResponseWriter, r *dns.Msg, logger *log.Entry) bool {
+	select {
-	timeout := u.upstreamTimeout
+	case <-u.ctx.Done():
-	if len(u.upstreamServers) > 1 {
+		logger.Tracef("%s has been stopped", u)
-		maxTotal := 5 * time.Second
+		return
-		minPerUpstream := 2 * time.Second
+	default:
-		scaledTimeout := maxTotal / time.Duration(len(u.upstreamServers))
-		if scaledTimeout > minPerUpstream {
-			timeout = scaledTimeout
-		} else {
-			timeout = minPerUpstream
-		}
 	}
 
 	for _, upstream := range u.upstreamServers {
-		if u.queryUpstream(w, r, upstream, timeout, logger) {
+		var rm *dns.Msg
-			return true
+		var t time.Duration
+
+		func() {
+			ctx, cancel := context.WithTimeout(u.ctx, u.upstreamTimeout)
+			defer cancel()
+			rm, t, err = u.upstreamClient.exchange(ctx, upstream.String(), r)
+		}()
+
+		if err != nil {
+			if errors.Is(err, context.DeadlineExceeded) || isTimeout(err) {
+				logger.Warnf("upstream %s timed out for question domain=%s", upstream, r.Question[0].Name)
+				continue
+			}
+			logger.Warnf("failed to query upstream %s for question domain=%s: %s", upstream, r.Question[0].Name, err)
+			continue
 		}
-	}
-	return false
-}
 
-func (u *upstreamResolverBase) queryUpstream(w dns.ResponseWriter, r *dns.Msg, upstream netip.AddrPort, timeout time.Duration, logger *log.Entry) bool {
+		if rm == nil || !rm.Response {
-	var rm *dns.Msg
+			logger.Warnf("no response from upstream %s for question domain=%s", upstream, r.Question[0].Name)
-	var t time.Duration
+			continue
-	var err error
+		}
 
-	var startTime time.Time
+		u.successCount.Add(1)
-	func() {
+		logger.Tracef("took %s to query the upstream %s for question domain=%s", t, upstream, r.Question[0].Name)
-		ctx, cancel := context.WithTimeout(u.ctx, timeout)
-		defer cancel()
-		startTime = time.Now()
-		rm, t, err = u.upstreamClient.exchange(ctx, upstream.String(), r)
-	}()
 
-	if err != nil {
+		if err = w.WriteMsg(rm); err != nil {
-		u.handleUpstreamError(err, upstream, r.Question[0].Name, startTime, timeout, logger)
+			logger.Errorf("failed to write DNS response for question domain=%s: %s", r.Question[0].Name, err)
-		return false
+		}
-	}
+		// count the fails only if they happen sequentially
-
+		u.failsCount.Store(0)
-	if rm == nil || !rm.Response {
-		logger.Warnf("no response from upstream %s for question domain=%s", upstream, r.Question[0].Name)
-		return false
-	}
-
-	return u.writeSuccessResponse(w, rm, upstream, r.Question[0].Name, t, logger)
-}
-
-func (u *upstreamResolverBase) handleUpstreamError(err error, upstream netip.AddrPort, domain string, startTime time.Time, timeout time.Duration, logger *log.Entry) {
-	if !errors.Is(err, context.DeadlineExceeded) && !isTimeout(err) {
-		logger.Warnf("failed to query upstream %s for question domain=%s: %s", upstream, domain, err)
 		return
 	}
-
+	u.failsCount.Add(1)
-	elapsed := time.Since(startTime)
-	timeoutMsg := fmt.Sprintf("upstream %s timed out for question domain=%s after %v (timeout=%v)", upstream, domain, elapsed.Truncate(time.Millisecond), timeout)
-	if peerInfo := u.debugUpstreamTimeout(upstream); peerInfo != "" {
-		timeoutMsg += " " + peerInfo
-	}
-	timeoutMsg += fmt.Sprintf(" - error: %v", err)
-	logger.Warnf(timeoutMsg)
-}
-
-func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dns.Msg, upstream netip.AddrPort, domain string, t time.Duration, logger *log.Entry) bool {
-	u.successCount.Add(1)
-	logger.Tracef("took %s to query the upstream %s for question domain=%s", t, upstream, domain)
-
-	if err := w.WriteMsg(rm); err != nil {
-		logger.Errorf("failed to write DNS response for question domain=%s: %s", domain, err)
-	}
-	return true
-}
-
-func (u *upstreamResolverBase) writeErrorResponse(w dns.ResponseWriter, r *dns.Msg, logger *log.Entry) {
 	logger.Errorf("all queries to the %s failed for question domain=%s", u, r.Question[0].Name)
 
 	m := new(dns.Msg)
@@ -220,6 +171,41 @@ func (u *upstreamResolverBase) writeErrorResponse(w dns.ResponseWriter, r *dns.M
 	}
 }
 
+// checkUpstreamFails counts fails and disables or enables upstream resolving
+//
+// If fails count is greater that failsTillDeact, upstream resolving
+// will be disabled for reactivatePeriod, after that time period fails counter
+// will be reset and upstream will be reactivated.
+func (u *upstreamResolverBase) checkUpstreamFails(err error) {
+	u.mutex.Lock()
+	defer u.mutex.Unlock()
+
+	if u.failsCount.Load() < u.failsTillDeact || u.disabled {
+		return
+	}
+
+	select {
+	case <-u.ctx.Done():
+		return
+	default:
+	}
+
+	u.disable(err)
+
+	if u.statusRecorder == nil {
+		return
+	}
+
+	u.statusRecorder.PublishEvent(
+		proto.SystemEvent_WARNING,
+		proto.SystemEvent_DNS,
+		"All upstream servers failed (fail count exceeded)",
+		"Unable to reach one or more DNS servers. This might affect your ability to connect to some services.",
+		map[string]string{"upstreams": u.upstreamServersString()},
+		// TODO add domain meta
+	)
+}
+
 // ProbeAvailability tests all upstream servers simultaneously and
 // disables the resolver if none work
 func (u *upstreamResolverBase) ProbeAvailability() {
@@ -232,8 +218,8 @@ func (u *upstreamResolverBase) ProbeAvailability() {
 	default:
 	}
 
-	// avoid probe if upstreams could resolve at least one query
+	// avoid probe if upstreams could resolve at least one query and fails count is less than failsTillDeact
-	if u.successCount.Load() > 0 {
+	if u.successCount.Load() > 0 && u.failsCount.Load() < u.failsTillDeact {
 		return
 	}
 
@@ -320,6 +306,7 @@ func (u *upstreamResolverBase) waitUntilResponse() {
 	}
 
 	log.Infof("upstreams %s are responsive again. Adding them back to system", u.upstreamServersString())
+	u.failsCount.Store(0)
 	u.successCount.Add(1)
 	u.reactivate()
 	u.disabled = false
@@ -371,8 +358,8 @@ func (u *upstreamResolverBase) testNameserver(server netip.AddrPort, timeout tim
 // If the passed context is nil, this will use Exchange instead of ExchangeContext.
 func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, upstream string) (*dns.Msg, time.Duration, error) {
 	// MTU - ip + udp headers
-	// Note: this could be sent out on an interface that is not ours, but higher MTU settings could break truncation handling.
+	// Note: this could be sent out on an interface that is not ours, but our MTU should always be lower.
-	client.UDPSize = uint16(currentMTU - (60 + 8))
+	client.UDPSize = iface.DefaultMTU - (60 + 8)
 
 	var (
 		rm  *dns.Msg
@@ -423,80 +410,3 @@ func GenerateRequestID() string {
 	}
 	return hex.EncodeToString(bytes)
 }
-
-// FormatPeerStatus formats peer connection status information for debugging DNS timeouts
-func FormatPeerStatus(peerState *peer.State) string {
-	isConnected := peerState.ConnStatus == peer.StatusConnected
-	hasRecentHandshake := !peerState.LastWireguardHandshake.IsZero() &&
-		time.Since(peerState.LastWireguardHandshake) < 3*time.Minute
-
-	statusInfo := fmt.Sprintf("%s:%s", peerState.FQDN, peerState.IP)
-
-	switch {
-	case !isConnected:
-		statusInfo += " DISCONNECTED"
-	case !hasRecentHandshake:
-		statusInfo += " NO_RECENT_HANDSHAKE"
-	default:
-		statusInfo += " connected"
-	}
-
-	if !peerState.LastWireguardHandshake.IsZero() {
-		timeSinceHandshake := time.Since(peerState.LastWireguardHandshake)
-		statusInfo += fmt.Sprintf(" last_handshake=%v_ago", timeSinceHandshake.Truncate(time.Second))
-	} else {
-		statusInfo += " no_handshake"
-	}
-
-	if peerState.Relayed {
-		statusInfo += " via_relay"
-	}
-
-	if peerState.Latency > 0 {
-		statusInfo += fmt.Sprintf(" latency=%v", peerState.Latency)
-	}
-
-	return statusInfo
-}
-
-// findPeerForIP finds which peer handles the given IP address
-func findPeerForIP(ip netip.Addr, statusRecorder *peer.Status) *peer.State {
-	if statusRecorder == nil {
-		return nil
-	}
-
-	fullStatus := statusRecorder.GetFullStatus()
-	var bestMatch *peer.State
-	var bestPrefixLen int
-
-	for _, peerState := range fullStatus.Peers {
-		routes := peerState.GetRoutes()
-		for route := range routes {
-			prefix, err := netip.ParsePrefix(route)
-			if err != nil {
-				continue
-			}
-
-			if prefix.Contains(ip) && prefix.Bits() > bestPrefixLen {
-				peerStateCopy := peerState
-				bestMatch = &peerStateCopy
-				bestPrefixLen = prefix.Bits()
-			}
-		}
-	}
-
-	return bestMatch
-}
-
-func (u *upstreamResolverBase) debugUpstreamTimeout(upstream netip.AddrPort) string {
-	if u.statusRecorder == nil {
-		return ""
-	}
-
-	peerInfo := findPeerForIP(upstream.Addr(), u.statusRecorder)
-	if peerInfo == nil {
-		return ""
-	}
-
-	return fmt.Sprintf("(routes through NetBird peer %s)", FormatPeerStatus(peerInfo))
-}

client/internal/dns/upstream_android.go

@@ -50,9 +50,7 @@ func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns
 }
 
 func (u *upstreamResolver) exchangeWithinVPN(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	upstreamExchangeClient := &dns.Client{
+	upstreamExchangeClient := &dns.Client{}
-		Timeout: ClientTimeout,
-	}
 	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
 }
 
@@ -74,11 +72,10 @@ func (u *upstreamResolver) exchangeWithoutVPN(ctx context.Context, upstream stri
 	}
 
 	upstreamExchangeClient := &dns.Client{
-		Dialer:  dialer,
+		Dialer: dialer,
-		Timeout: timeout,
 	}
 
-	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
+	return upstreamExchangeClient.Exchange(r, upstream)
 }
 
 func (u *upstreamResolver) isLocalResolver(upstream string) bool {

client/internal/dns/upstream_general.go

@@ -34,10 +34,7 @@ func newUpstreamResolver(
 }
 
 func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	client := &dns.Client{
+	return ExchangeWithFallback(ctx, &dns.Client{}, r, upstream)
-		Timeout: ClientTimeout,
-	}
-	return ExchangeWithFallback(ctx, client, r, upstream)
 }
 
 func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {

client/internal/dns/upstream_ios.go

@@ -47,9 +47,7 @@ func newUpstreamResolver(
 }
 
 func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	client := &dns.Client{
+	client := &dns.Client{}
-		Timeout: ClientTimeout,
-	}
 	upstreamHost, _, err := net.SplitHostPort(upstream)
 	if err != nil {
 		return nil, 0, fmt.Errorf("error while parsing upstream host: %s", err)
@@ -112,8 +110,7 @@ func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Dura
 		},
 	}
 	client := &dns.Client{
-		Dialer:  dialer,
+		Dialer: dialer,
-		Timeout: dialTimeout,
 	}
 	return client, nil
 }

client/internal/dns/upstream_test.go

@@ -124,26 +124,29 @@ func (c mockUpstreamResolver) exchange(_ context.Context, _ string, _ *dns.Msg)
 }
 
 func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
-	mockClient := &mockUpstreamResolver{
-		err: dns.ErrTime,
-		r:   new(dns.Msg),
-		rtt: time.Millisecond,
-	}
-
 	resolver := &upstreamResolverBase{
-		ctx:              context.TODO(),
+		ctx: context.TODO(),
-		upstreamClient:   mockClient,
+		upstreamClient: &mockUpstreamResolver{
+			err: nil,
+			r:   new(dns.Msg),
+			rtt: time.Millisecond,
+		},
 		upstreamTimeout:  UpstreamTimeout,
-		reactivatePeriod: time.Microsecond * 100,
+		reactivatePeriod: reactivatePeriod,
+		failsTillDeact:   failsTillDeact,
 	}
 	addrPort, _ := netip.ParseAddrPort("0.0.0.0:1") // Use valid port for parsing, test will still fail on connection
 	resolver.upstreamServers = []netip.AddrPort{netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port())}
+	resolver.failsTillDeact = 0
+	resolver.reactivatePeriod = time.Microsecond * 100
+
+	responseWriter := &test.MockResponseWriter{
+		WriteMsgFunc: func(m *dns.Msg) error { return nil },
+	}
 
 	failed := false
 	resolver.deactivate = func(error) {
 		failed = true
-		// After deactivation, make the mock client work again
-		mockClient.err = nil
 	}
 
 	reactivated := false
@@ -151,7 +154,7 @@ func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
 		reactivated = true
 	}
 
-	resolver.ProbeAvailability()
+	resolver.ServeDNS(responseWriter, new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA))
 
 	if !failed {
 		t.Errorf("expected that resolving was deactivated")
@@ -170,6 +173,11 @@ func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
 		return
 	}
 
+	if resolver.failsCount.Load() != 0 {
+		t.Errorf("fails count after reactivation should be 0")
+		return
+	}
+
 	if resolver.disabled {
 		t.Errorf("should be enabled")
 	}

client/internal/dnsfwd/manager.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"sync"
 
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
@@ -11,14 +12,18 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/shared/management/domain"
+)
+
+var (
+	// ListenPort is the port that the DNS forwarder listens on. It has been used by the client peers also
+	listenPort   uint16 = 5353
+	listenPortMu sync.RWMutex
 )
 
 const (
-	// ListenPort is the port that the DNS forwarder listens on. It has been used by the client peers also
+	dnsTTL = 60 //seconds
-	ListenPort = 5353
-	dnsTTL     = 60 //seconds
 )
 
 // ForwarderEntry is a mapping from a domain to a resource ID and a hash of the parent domain list.
@@ -35,12 +40,20 @@ type Manager struct {
 	fwRules      []firewall.Rule
 	tcpRules     []firewall.Rule
 	dnsForwarder *DNSForwarder
+	port         uint16
 }
 
-func NewManager(fw firewall.Manager, statusRecorder *peer.Status) *Manager {
+func ListenPort() uint16 {
+	listenPortMu.RLock()
+	defer listenPortMu.RUnlock()
+	return listenPort
+}
+
+func NewManager(fw firewall.Manager, statusRecorder *peer.Status, port uint16) *Manager {
 	return &Manager{
 		firewall:       fw,
 		statusRecorder: statusRecorder,
+		port:           port,
 	}
 }
 
@@ -54,7 +67,13 @@ func (m *Manager) Start(fwdEntries []*ForwarderEntry) error {
 		return err
 	}
 
-	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort), dnsTTL, m.firewall, m.statusRecorder)
+	if m.port > 0 {
+		listenPortMu.Lock()
+		listenPort = m.port
+		listenPortMu.Unlock()
+	}
+
+	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort()), dnsTTL, m.firewall, m.statusRecorder)
 	go func() {
 		if err := m.dnsForwarder.Listen(fwdEntries); err != nil {
 			// todo handle close error if it is exists
@@ -94,7 +113,7 @@ func (m *Manager) Stop(ctx context.Context) error {
 func (m *Manager) allowDNSFirewall() error {
 	dport := &firewall.Port{
 		IsRange: false,
-		Values:  []uint16{ListenPort},
+		Values:  []uint16{ListenPort()},
 	}
 
 	if m.firewall == nil {

client/internal/engine.go

@@ -7,7 +7,6 @@ import (
 	"math/rand"
 	"net"
 	"net/netip"
-	"net/url"
 	"os"
 	"reflect"
 	"runtime"
@@ -18,8 +17,8 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-multierror"
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
-	"github.com/pion/stun/v3"
+	"github.com/pion/stun/v2"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
@@ -33,8 +32,8 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/acl"
+	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
-	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	"github.com/netbirdio/netbird/client/internal/dnsfwd"
 	"github.com/netbirdio/netbird/client/internal/ingressgw"
 	"github.com/netbirdio/netbird/client/internal/netflow"
@@ -50,11 +49,13 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
+	"github.com/netbirdio/netbird/client/jobexec"
 	cProto "github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 
 	nbssh "github.com/netbirdio/netbird/client/ssh"
+	nbstatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
@@ -65,6 +66,7 @@ import (
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	sProto "github.com/netbirdio/netbird/shared/signal/proto"
 	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/version"
 )
 
 // PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
@@ -128,7 +130,10 @@ type EngineConfig struct {
 
 	LazyConnectionEnabled bool
 
-	MTU uint16
+	// for debug bundle generation
+	ProfileConfig *profilemanager.Config
+
+	LogFile string
 }
 
 // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
@@ -193,11 +198,18 @@ type Engine struct {
 	stateManager *statemanager.Manager
 	srWatcher    *guard.SRWatcher
 
-	// Sync response persistence
+	// Sync response persistence (protected by syncRespMux)
+	syncRespMux         sync.RWMutex
 	persistSyncResponse bool
 	latestSyncResponse  *mgmProto.SyncResponse
 	connSemaphore       *semaphoregroup.SemaphoreGroup
 	flowManager         nftypes.FlowManager
+
+	jobExecutor   *jobexec.Executor
+	jobExecutorWG sync.WaitGroup
+
+	// dns forwarder port
+	dnsFwdPort uint16
 }
 
 // Peer is an instance of the Connection Peer
@@ -211,17 +223,7 @@ type localIpUpdater interface {
 }
 
 // NewEngine creates a new Connection Engine with probes attached
-func NewEngine(
+func NewEngine(clientCtx context.Context, clientCancel context.CancelFunc, signalClient signal.Client, mgmClient mgm.Client, relayManager *relayClient.Manager, config *EngineConfig, mobileDep MobileDependency, statusRecorder *peer.Status, checks []*mgmProto.Checks, c *profilemanager.Config) *Engine {
-	clientCtx context.Context,
-	clientCancel context.CancelFunc,
-	signalClient signal.Client,
-	mgmClient mgm.Client,
-	relayManager *relayClient.Manager,
-	config *EngineConfig,
-	mobileDep MobileDependency,
-	statusRecorder *peer.Status,
-	checks []*mgmProto.Checks,
-) *Engine {
 	engine := &Engine{
 		clientCtx:      clientCtx,
 		clientCancel:   clientCancel,
@@ -240,6 +242,8 @@ func NewEngine(
 		statusRecorder: statusRecorder,
 		checks:         checks,
 		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
+		jobExecutor:    jobexec.NewExecutor(),
+		dnsFwdPort:     dnsfwd.ListenPort(),
 	}
 
 	sm := profilemanager.NewServiceManager("")
@@ -318,6 +322,8 @@ func (e *Engine) Stop() error {
 		e.cancel()
 	}
 
+	e.jobExecutorWG.Wait() // block until job goroutines finish
+
 	// very ugly but we want to remove peers from the WireGuard interface first before removing interface.
 	// Removing peers happens in the conn.Close() asynchronously
 	time.Sleep(500 * time.Millisecond)
@@ -347,14 +353,10 @@ func (e *Engine) Stop() error {
 // Start creates a new WireGuard tunnel interface and listens to events from Signal and Management services
 // Connections to remote peers are not established here.
 // However, they will be established once an event with a list of peers to connect to will be received from Management Service
-func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL) error {
+func (e *Engine) Start() error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
 
-	if err := iface.ValidateMTU(e.config.MTU); err != nil {
-		return fmt.Errorf("invalid MTU configuration: %w", err)
-	}
-
 	if e.cancel != nil {
 		e.cancel()
 	}
@@ -403,11 +405,6 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	}
 	e.dnsServer = dnsServer
 
-	// Populate DNS cache with NetbirdConfig and management URL for early resolution
-	if err := e.PopulateNetbirdConfig(netbirdConfig, mgmtURL); err != nil {
-		log.Warnf("failed to populate DNS cache: %v", err)
-	}
-
 	e.routeManager = routemanager.NewManager(routemanager.ManagerConfig{
 		Context:             e.ctx,
 		PublicKey:           e.config.WgPrivateKey.PublicKey().String(),
@@ -457,14 +454,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 		return fmt.Errorf("initialize dns server: %w", err)
 	}
 
-	iceCfg := icemaker.Config{
+	iceCfg := e.createICEConfig()
-		StunTurn:             &e.stunTurn,
-		InterfaceBlackList:   e.config.IFaceBlackList,
-		DisableIPv6Discovery: e.config.DisableIPv6Discovery,
-		UDPMux:               e.udpMux.UDPMuxDefault,
-		UDPMuxSrflx:          e.udpMux,
-		NATExternalIPs:       e.parseNATExternalIPMappings(),
-	}
 
 	e.connMgr = NewConnMgr(e.config, e.statusRecorder, e.peerStore, wgIface)
 	e.connMgr.Start(e.ctx)
@@ -474,6 +464,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 
 	e.receiveSignalEvents()
 	e.receiveManagementEvents()
+	e.receiveJobEvents()
 
 	// starting network monitor at the very last to avoid disruptions
 	e.startNetworkMonitor()
@@ -668,30 +659,6 @@ func (e *Engine) removePeer(peerKey string) error {
 	return nil
 }
 
-// PopulateNetbirdConfig populates the DNS cache with infrastructure domains from login response
-func (e *Engine) PopulateNetbirdConfig(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL) error {
-	if e.dnsServer == nil {
-		return nil
-	}
-
-	// Populate management URL if provided
-	if mgmtURL != nil {
-		if err := e.dnsServer.PopulateManagementDomain(mgmtURL); err != nil {
-			log.Warnf("failed to populate DNS cache with management URL: %v", err)
-		}
-	}
-
-	// Populate NetbirdConfig domains if provided
-	if netbirdConfig != nil {
-		serverDomains := dnsconfig.ExtractFromNetbirdConfig(netbirdConfig)
-		if err := e.dnsServer.UpdateServerConfig(serverDomains); err != nil {
-			return fmt.Errorf("update DNS server config from NetbirdConfig: %w", err)
-		}
-	}
-
-	return nil
-}
-
 func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
@@ -723,10 +690,6 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 			return fmt.Errorf("handle the flow configuration: %w", err)
 		}
 
-		if err := e.PopulateNetbirdConfig(wCfg, nil); err != nil {
-			log.Warnf("Failed to update DNS server config: %v", err)
-		}
-
 		// todo update signal
 	}
 
@@ -739,9 +702,18 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 		return nil
 	}
 
+	// Persist sync response under the dedicated lock (syncRespMux), not under syncMsgMux.
+	// Read the storage-enabled flag under the syncRespMux too.
+	e.syncRespMux.RLock()
+	enabled := e.persistSyncResponse
+	e.syncRespMux.RUnlock()
+
 	// Store sync response if persistence is enabled
-	if e.persistSyncResponse {
+	if enabled {
+		e.syncRespMux.Lock()
 		e.latestSyncResponse = update
+		e.syncRespMux.Unlock()
+
 		log.Debugf("sync response persisted with serial %d", nm.GetSerial())
 	}
 
@@ -926,6 +898,83 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 
 	return nil
 }
+func (e *Engine) receiveJobEvents() {
+	e.jobExecutorWG.Add(1)
+	go func() {
+		defer e.jobExecutorWG.Done()
+		err := e.mgmClient.Job(e.ctx, func(msg *mgmProto.JobRequest) *mgmProto.JobResponse {
+			resp := mgmProto.JobResponse{
+				ID:     msg.ID,
+				Status: mgmProto.JobStatus_failed,
+			}
+			switch params := msg.WorkloadParameters.(type) {
+			case *mgmProto.JobRequest_Bundle:
+				bundleResult, err := e.handleBundle(params.Bundle)
+				if err != nil {
+					resp.Reason = []byte(err.Error())
+					return &resp
+				}
+				resp.Status = mgmProto.JobStatus_succeeded
+				resp.WorkloadResults = bundleResult
+				return &resp
+			default:
+				return nil
+			}
+		})
+		if err != nil {
+			// happens if management is unavailable for a long time.
+			// We want to cancel the operation of the whole client
+			_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
+			e.clientCancel()
+			return
+		}
+		log.Debugf("stopped receiving jobs from Management Service")
+	}()
+	log.Debugf("connecting to Management Service jobs stream")
+}
+
+func (e *Engine) handleBundle(params *mgmProto.BundleParameters) (*mgmProto.JobResponse_Bundle, error) {
+	syncResponse, err := e.GetLatestSyncResponse()
+	if err != nil {
+		return nil, fmt.Errorf("get latest sync response: %w", err)
+	}
+
+	if syncResponse == nil {
+		return nil, errors.New("sync response is not available")
+	}
+
+	// convert fullStatus to statusOutput
+	fullStatus := e.statusRecorder.GetFullStatus()
+	protoFullStatus := nbstatus.ToProtoFullStatus(fullStatus)
+	overview := nbstatus.ConvertToStatusOutputOverview(protoFullStatus, params.Anonymize, version.NetbirdVersion(), "", nil, nil, nil, "", "")
+	statusOutput := nbstatus.ParseToFullDetailSummary(overview)
+
+	bundleDeps := debug.GeneratorDependencies{
+		InternalConfig: e.config.ProfileConfig,
+		StatusRecorder: e.statusRecorder,
+		SyncResponse:   syncResponse,
+		LogFile:        e.config.LogFile,
+	}
+
+	bundleJobParams := debug.BundleConfig{
+		Anonymize:         params.Anonymize,
+		ClientStatus:      statusOutput,
+		IncludeSystemInfo: true,
+		LogFileCount:      uint32(params.LogFileCount),
+	}
+
+	uploadKey, err := e.jobExecutor.BundleJob(e.ctx, bundleDeps, bundleJobParams, e.config.ProfileConfig.ManagementURL.String())
+	if err != nil {
+		return nil, err
+	}
+
+	response := &mgmProto.JobResponse_Bundle{
+		Bundle: &mgmProto.BundleResult{
+			UploadKey: uploadKey,
+		},
+	}
+	return response, nil
+}
 
 // receiveManagementEvents connects to the Management Service event stream to receive updates from the management service
 // E.g. when a new peer has been registered and we are allowed to connect to it.
@@ -1065,7 +1114,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 	}
 
 	fwdEntries := toRouteDomains(e.config.WgPrivateKey.PublicKey().String(), routes)
-	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries)
+	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries, uint16(protoDNSConfig.ForwarderPort))
 
 	// Ingress forward rules
 	forwardingRules, err := e.updateForwardRules(networkMap.GetForwardingRules())
@@ -1152,16 +1201,15 @@ func toRoutes(protoRoutes []*mgmProto.Route) []*route.Route {
 		}
 
 		convertedRoute := &route.Route{
-			ID:            route.ID(protoRoute.ID),
+			ID:          route.ID(protoRoute.ID),
-			Network:       prefix.Masked(),
+			Network:     prefix.Masked(),
-			Domains:       domain.FromPunycodeList(protoRoute.Domains),
+			Domains:     domain.FromPunycodeList(protoRoute.Domains),
-			NetID:         route.NetID(protoRoute.NetID),
+			NetID:       route.NetID(protoRoute.NetID),
-			NetworkType:   route.NetworkType(protoRoute.NetworkType),
+			NetworkType: route.NetworkType(protoRoute.NetworkType),
-			Peer:          protoRoute.Peer,
+			Peer:        protoRoute.Peer,
-			Metric:        int(protoRoute.Metric),
+			Metric:      int(protoRoute.Metric),
-			Masquerade:    protoRoute.Masquerade,
+			Masquerade:  protoRoute.Masquerade,
-			KeepRoute:     protoRoute.KeepRoute,
+			KeepRoute:   protoRoute.KeepRoute,
-			SkipAutoApply: protoRoute.SkipAutoApply,
 		}
 		routes = append(routes, convertedRoute)
 	}
@@ -1323,14 +1371,7 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 			Addr:           e.getRosenpassAddr(),
 			PermissiveMode: e.config.RosenpassPermissive,
 		},
-		ICEConfig: icemaker.Config{
+		ICEConfig: e.createICEConfig(),
-			StunTurn:             &e.stunTurn,
-			InterfaceBlackList:   e.config.IFaceBlackList,
-			DisableIPv6Discovery: e.config.DisableIPv6Discovery,
-			UDPMux:               e.udpMux.UDPMuxDefault,
-			UDPMuxSrflx:          e.udpMux,
-			NATExternalIPs:       e.parseNATExternalIPMappings(),
-		},
 	}
 
 	serviceDependencies := peer.ServiceDependencies{
@@ -1533,7 +1574,7 @@ func (e *Engine) newWgIface() (*iface.WGIface, error) {
 		Address:      e.config.WgAddr,
 		WGPort:       e.config.WgPort,
 		WGPrivKey:    e.config.WgPrivateKey.String(),
-		MTU:          e.config.MTU,
+		MTU:          iface.DefaultMTU,
 		TransportNet: transportNet,
 		FilterFn:     e.addrViaRoutes,
 		DisableDNS:   e.config.DisableDNS,
@@ -1592,14 +1633,7 @@ func (e *Engine) newDnsServer(dnsConfig *nbdns.Config) (dns.Server, error) {
 		return dnsServer, nil
 
 	default:
-
+		dnsServer, err := dns.NewDefaultServer(e.ctx, e.wgInterface, e.config.CustomDNSAddress, e.statusRecorder, e.stateManager, e.config.DisableDNS)
-		dnsServer, err := dns.NewDefaultServer(e.ctx, dns.DefaultServerConfig{
-			WgInterface:    e.wgInterface,
-			CustomAddress:  e.config.CustomDNSAddress,
-			StatusRecorder: e.statusRecorder,
-			StateManager:   e.stateManager,
-			DisableSys:     e.config.DisableDNS,
-		})
 		if err != nil {
 			return nil, err
 		}
@@ -1782,8 +1816,8 @@ func (e *Engine) stopDNSServer() {
 
 // SetSyncResponsePersistence enables or disables sync response persistence
 func (e *Engine) SetSyncResponsePersistence(enabled bool) {
-	e.syncMsgMux.Lock()
+	e.syncRespMux.Lock()
-	defer e.syncMsgMux.Unlock()
+	defer e.syncRespMux.Unlock()
 
 	if enabled == e.persistSyncResponse {
 		return
@@ -1798,20 +1832,22 @@ func (e *Engine) SetSyncResponsePersistence(enabled bool) {
 
 // GetLatestSyncResponse returns the stored sync response if persistence is enabled
 func (e *Engine) GetLatestSyncResponse() (*mgmProto.SyncResponse, error) {
-	e.syncMsgMux.Lock()
+	e.syncRespMux.RLock()
-	defer e.syncMsgMux.Unlock()
+	enabled := e.persistSyncResponse
+	latest := e.latestSyncResponse
+	e.syncRespMux.RUnlock()
 
-	if !e.persistSyncResponse {
+	if !enabled {
 		return nil, errors.New("sync response persistence is disabled")
 	}
 
-	if e.latestSyncResponse == nil {
+	if latest == nil {
 		//nolint:nilnil
 		return nil, nil
 	}
 
-	log.Debugf("Retrieving latest sync response with size %d bytes", proto.Size(e.latestSyncResponse))
+	log.Debugf("Retrieving latest sync response with size %d bytes", proto.Size(latest))
-	sr, ok := proto.Clone(e.latestSyncResponse).(*mgmProto.SyncResponse)
+	sr, ok := proto.Clone(latest).(*mgmProto.SyncResponse)
 	if !ok {
 		return nil, fmt.Errorf("failed to clone sync response")
 	}
@@ -1831,6 +1867,7 @@ func (e *Engine) GetWgAddr() netip.Addr {
 func (e *Engine) updateDNSForwarder(
 	enabled bool,
 	fwdEntries []*dnsfwd.ForwarderEntry,
+	forwarderPort uint16,
 ) {
 	if e.config.DisableServerRoutes {
 		return
@@ -1847,16 +1884,20 @@ func (e *Engine) updateDNSForwarder(
 	}
 
 	if len(fwdEntries) > 0 {
-		if e.dnsForwardMgr == nil {
+		switch {
-			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder)
+		case e.dnsForwardMgr == nil:
-
+			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder, forwarderPort)
 			if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
 				log.Errorf("failed to start DNS forward: %v", err)
 				e.dnsForwardMgr = nil
 			}
-
 			log.Infof("started domain router service with %d entries", len(fwdEntries))
-		} else {
+		case e.dnsFwdPort != forwarderPort:
+			log.Infof("updating domain router service port from %d to %d", e.dnsFwdPort, forwarderPort)
+			e.restartDnsFwd(fwdEntries, forwarderPort)
+			e.dnsFwdPort = forwarderPort
+
+		default:
 			e.dnsForwardMgr.UpdateDomains(fwdEntries)
 		}
 	} else if e.dnsForwardMgr != nil {
@@ -1866,6 +1907,20 @@ func (e *Engine) updateDNSForwarder(
 		}
 		e.dnsForwardMgr = nil
 	}
+
+}
+
+func (e *Engine) restartDnsFwd(fwdEntries []*dnsfwd.ForwarderEntry, forwarderPort uint16) {
+	log.Infof("updating domain router service port from %d to %d", e.dnsFwdPort, forwarderPort)
+	// stop and start the forwarder to apply the new port
+	if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
+		log.Errorf("failed to stop DNS forward: %v", err)
+	}
+	e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder, forwarderPort)
+	if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
+		log.Errorf("failed to start DNS forward: %v", err)
+		e.dnsForwardMgr = nil
+	}
 }
 
 func (e *Engine) GetNet() (*netstack.Net, error) {

client/internal/engine_generic.go

@@ -0,0 +1,19 @@
+//go:build !js
+
+package internal
+
+import (
+	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
+)
+
+// createICEConfig creates ICE configuration for non-WASM environments
+func (e *Engine) createICEConfig() icemaker.Config {
+	return icemaker.Config{
+		StunTurn:             &e.stunTurn,
+		InterfaceBlackList:   e.config.IFaceBlackList,
+		DisableIPv6Discovery: e.config.DisableIPv6Discovery,
+		UDPMux:               e.udpMux.SingleSocketUDPMux,
+		UDPMuxSrflx:          e.udpMux,
+		NATExternalIPs:       e.parseNATExternalIPMappings(),
+	}
+}

client/internal/engine_js.go

@@ -0,0 +1,18 @@
+//go:build js
+
+package internal
+
+import (
+	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
+)
+
+// createICEConfig creates ICE configuration for WASM environment.
+func (e *Engine) createICEConfig() icemaker.Config {
+	cfg := icemaker.Config{
+		StunTurn:             &e.stunTurn,
+		InterfaceBlackList:   e.config.IFaceBlackList,
+		DisableIPv6Discovery: e.config.DisableIPv6Discovery,
+		NATExternalIPs:       e.parseNATExternalIPMappings(),
+	}
+	return cfg
+}

client/internal/engine_test.go

@@ -27,8 +27,10 @@ import (
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	"github.com/netbirdio/management-integrations/integrations"
+
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/groups"
+	"github.com/netbirdio/netbird/management/server/peers/ephemeral/manager"
 
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/bind"
@@ -218,24 +220,14 @@ func TestEngine_SSH(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
+	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
-	engine := NewEngine(
+	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
-		ctx, cancel,
+		WgIfaceName:      "utun101",
-		&signal.MockClient{},
+		WgAddr:           "100.64.0.1/24",
-		&mgmt.MockClient{},
+		WgPrivateKey:     key,
-		relayMgr,
+		WgPort:           33100,
-		&EngineConfig{
+		ServerSSHAllowed: true,
-			WgIfaceName:      "utun101",
+	}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil)
-			WgAddr:           "100.64.0.1/24",
-			WgPrivateKey:     key,
-			WgPort:           33100,
-			ServerSSHAllowed: true,
-			MTU:              iface.DefaultMTU,
-		},
-		MobileDependency{},
-		peer.NewRecorder("https://mgm"),
-		nil,
-	)
 
 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
@@ -266,7 +258,7 @@ func TestEngine_SSH(t *testing.T) {
 			},
 		}, nil
 	}
-	err = engine.Start(nil, nil)
+	err = engine.Start()
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -364,22 +356,13 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
+	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
-	engine := NewEngine(
+	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
-		ctx, cancel,
+		WgIfaceName:  "utun102",
-		&signal.MockClient{},
+		WgAddr:       "100.64.0.1/24",
-		&mgmt.MockClient{},
+		WgPrivateKey: key,
-		relayMgr,
+		WgPort:       33100,
-		&EngineConfig{
+	}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil)
-			WgIfaceName:  "utun102",
-			WgAddr:       "100.64.0.1/24",
-			WgPrivateKey: key,
-			WgPort:       33100,
-			MTU:          iface.DefaultMTU,
-		},
-		MobileDependency{},
-		peer.NewRecorder("https://mgm"),
-		nil)
 
 	wgIface := &MockWGIface{
 		NameFunc: func() string { return "utun102" },
@@ -414,7 +397,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	engine.udpMux = bind.NewUniversalUDPMuxDefault(bind.UniversalUDPMuxParams{UDPConn: conn, MTU: 1280})
+	engine.udpMux = bind.NewUniversalUDPMuxDefault(bind.UniversalUDPMuxParams{UDPConn: conn})
 	engine.ctx = ctx
 	engine.srWatcher = guard.NewSRWatcher(nil, nil, nil, icemaker.Config{})
 	engine.connMgr = NewConnMgr(engine.config, engine.statusRecorder, engine.peerStore, wgIface)
@@ -591,14 +574,13 @@ func TestEngine_Sync(t *testing.T) {
 		}
 		return nil
 	}
-	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
+	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
 	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{SyncFunc: syncFunc}, relayMgr, &EngineConfig{
 		WgIfaceName:  "utun103",
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-		MTU:          iface.DefaultMTU,
+	}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil)
-	}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 	engine.ctx = ctx
 
 	engine.dnsServer = &dns.MockServer{
@@ -612,7 +594,7 @@ func TestEngine_Sync(t *testing.T) {
 		}
 	}()
 
-	err = engine.Start(nil, nil)
+	err = engine.Start()
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -756,14 +738,13 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 			wgIfaceName := fmt.Sprintf("utun%d", 104+n)
 			wgAddr := fmt.Sprintf("100.66.%d.1/24", n)
 
-			relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
+			relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
 			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
 				WgIfaceName:  wgIfaceName,
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
-				MTU:          iface.DefaultMTU,
+			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil)
-			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 			engine.ctx = ctx
 			newNet, err := stdnet.NewNet()
 			if err != nil {
@@ -958,14 +939,13 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			wgIfaceName := fmt.Sprintf("utun%d", 104+n)
 			wgAddr := fmt.Sprintf("100.66.%d.1/24", n)
 
-			relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
+			relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
 			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
 				WgIfaceName:  wgIfaceName,
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
-				MTU:          iface.DefaultMTU,
+			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil)
-			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 			engine.ctx = ctx
 
 			newNet, err := stdnet.NewNet()
@@ -1069,7 +1049,7 @@ func TestEngine_MultiplePeers(t *testing.T) {
 			defer mu.Unlock()
 			guid := fmt.Sprintf("{%s}", uuid.New().String())
 			device.CustomWindowsGUIDString = strings.ToLower(guid)
-			err = engine.Start(nil, nil)
+			err = engine.Start()
 			if err != nil {
 				t.Errorf("unable to start engine for peer %d with error %v", j, err)
 				wg.Done()
@@ -1186,7 +1166,6 @@ func Test_ParseNATExternalIPMappings(t *testing.T) {
 				config: &EngineConfig{
 					IFaceBlackList: testCase.inputBlacklistInterface,
 					NATExternalIPs: testCase.inputMapList,
-					MTU:            iface.DefaultMTU,
 				},
 			}
 			parsedList := engine.parseNATExternalIPMappings()
@@ -1487,11 +1466,10 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 		WgAddr:       resp.PeerConfig.Address,
 		WgPrivateKey: key,
 		WgPort:       wgPort,
-		MTU:          iface.DefaultMTU,
 	}
 
-	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
+	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
-	e, err := NewEngine(ctx, cancel, signalClient, mgmtClient, relayMgr, conf, MobileDependency{}, peer.NewRecorder("https://mgm"), nil), nil
+	e, err := NewEngine(ctx, cancel, signalClient, mgmtClient, relayMgr, conf, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil), nil
 	e.ctx = ctx
 	return e, err
 }
@@ -1551,6 +1529,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	t.Cleanup(cleanUp)
 
 	peersUpdateManager := server.NewPeersUpdateManager(nil)
+	jobManager := server.NewJobManager(nil, store)
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
 		return nil, "", err
@@ -1575,13 +1554,13 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	permissionsManager := permissions.NewManager(store)
 	groupsManager := groups.NewManagerMock()
 
-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, jobManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	if err != nil {
 		return nil, "", err
 	}
 
 	secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, &server.MockIntegratedValidator{})
+	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, jobManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &server.MockIntegratedValidator{})
 	if err != nil {
 		return nil, "", err
 	}

client/internal/login.go

@@ -40,7 +40,7 @@ func IsLoginRequired(ctx context.Context, config *profilemanager.Config) (bool,
 		return false, err
 	}
 
-	_, _, err = doMgmLogin(ctx, mgmClient, pubSSHKey, config)
+	_, err = doMgmLogin(ctx, mgmClient, pubSSHKey, config)
 	if isLoginNeeded(err) {
 		return true, nil
 	}
@@ -69,18 +69,14 @@ func Login(ctx context.Context, config *profilemanager.Config, setupKey string,
 		return err
 	}
 
-	serverKey, _, err := doMgmLogin(ctx, mgmClient, pubSSHKey, config)
+	serverKey, err := doMgmLogin(ctx, mgmClient, pubSSHKey, config)
 	if serverKey != nil && isRegistrationNeeded(err) {
 		log.Debugf("peer registration required")
 		_, err = registerPeer(ctx, *serverKey, mgmClient, setupKey, jwtToken, pubSSHKey, config)
-		if err != nil {
-			return err
-		}
-	} else if err != nil {
 		return err
 	}
 
-	return nil
+	return err
 }
 
 func getMgmClient(ctx context.Context, privateKey string, mgmURL *url.URL) (*mgm.GrpcClient, error) {
@@ -105,11 +101,11 @@ func getMgmClient(ctx context.Context, privateKey string, mgmURL *url.URL) (*mgm
 	return mgmClient, err
 }
 
-func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte, config *profilemanager.Config) (*wgtypes.Key, *mgmProto.LoginResponse, error) {
+func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte, config *profilemanager.Config) (*wgtypes.Key, error) {
 	serverKey, err := mgmClient.GetServerPublicKey()
 	if err != nil {
 		log.Errorf("failed while getting Management Service public key: %v", err)
-		return nil, nil, err
+		return nil, err
 	}
 
 	sysInfo := system.GetInfo(ctx)
@@ -125,8 +121,8 @@ func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte
 		config.BlockInbound,
 		config.LazyConnectionEnabled,
 	)
-	loginResp, err := mgmClient.Login(*serverKey, sysInfo, pubSSHKey, config.DNSLabels)
+	_, err = mgmClient.Login(*serverKey, sysInfo, pubSSHKey, config.DNSLabels)
-	return serverKey, loginResp, err
+	return serverKey, err
 }
 
 // registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.

client/internal/netflow/logger/logger.go

@@ -138,7 +138,7 @@ func (l *Logger) UpdateConfig(dnsCollection, exitNodeCollection bool) {
 
 func (l *Logger) shouldStore(event *types.EventFields, isExitNode bool) bool {
 	// check dns collection
-	if !l.dnsCollection.Load() && event.Protocol == types.UDP && (event.DestPort == 53 || event.DestPort == dnsfwd.ListenPort) {
+	if !l.dnsCollection.Load() && event.Protocol == types.UDP && (event.DestPort == 53 || event.DestPort == uint16(dnsfwd.ListenPort())) {
 		return false
 	}
 

client/internal/networkmonitor/check_change_js.go

@@ -0,0 +1,12 @@
+package networkmonitor
+
+import (
+	"context"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
+)
+
+func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) error {
+	// No-op for WASM - network changes don't apply
+	return nil
+}

client/internal/peer/conn.go

@@ -11,7 +11,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 

client/internal/peer/guard/ice_monitor.go

@@ -3,10 +3,12 @@ package guard
 import (
 	"context"
 	"fmt"
+	"slices"
+	"sort"
 	"sync"
 	"time"
 
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
 	log "github.com/sirupsen/logrus"
 
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
@@ -24,8 +26,8 @@ type ICEMonitor struct {
 	iFaceDiscover stdnet.ExternalIFaceDiscover
 	iceConfig     icemaker.Config
 
-	currentCandidates []ice.Candidate
+	currentCandidatesAddress []string
-	candidatesMu      sync.Mutex
+	candidatesMu             sync.Mutex
 }
 
 func NewICEMonitor(iFaceDiscover stdnet.ExternalIFaceDiscover, config icemaker.Config) *ICEMonitor {
@@ -115,16 +117,21 @@ func (cm *ICEMonitor) updateCandidates(newCandidates []ice.Candidate) bool {
 	cm.candidatesMu.Lock()
 	defer cm.candidatesMu.Unlock()
 
-	if len(cm.currentCandidates) != len(newCandidates) {
+	newAddresses := make([]string, len(newCandidates))
-		cm.currentCandidates = newCandidates
+	for i, c := range newCandidates {
+		newAddresses[i] = c.Address()
+	}
+	sort.Strings(newAddresses)
+
+	if len(cm.currentCandidatesAddress) != len(newAddresses) {
+		cm.currentCandidatesAddress = newAddresses
 		return true
 	}
 
-	for i, candidate := range cm.currentCandidates {
+	// Compare elements
-		if candidate.Address() != newCandidates[i].Address() {
+	if !slices.Equal(cm.currentCandidatesAddress, newAddresses) {
-			cm.currentCandidates = newCandidates
+		cm.currentCandidatesAddress = newAddresses
-			return true
+		return true
-		}
 	}
 
 	return false

client/internal/peer/ice/StunTurn.go

@@ -3,7 +3,7 @@ package ice
 import (
 	"sync/atomic"
 
-	"github.com/pion/stun/v3"
+	"github.com/pion/stun/v2"
 )
 
 type StunTurn atomic.Value

client/internal/peer/ice/agent.go

@@ -1,10 +1,9 @@
 package ice
 
 import (
-	"sync"
 	"time"
 
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
 	"github.com/pion/logging"
 	"github.com/pion/randutil"
 	log "github.com/sirupsen/logrus"
@@ -24,20 +23,7 @@ const (
 	iceRelayAcceptanceMinWaitDefault = 2 * time.Second
 )
 
-type ThreadSafeAgent struct {
+func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ice.Agent, error) {
-	*ice.Agent
-	once sync.Once
-}
-
-func (a *ThreadSafeAgent) Close() error {
-	var err error
-	a.once.Do(func() {
-		err = a.Agent.Close()
-	})
-	return err
-}
-
-func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ThreadSafeAgent, error) {
 	iceKeepAlive := iceKeepAlive()
 	iceDisconnectedTimeout := iceDisconnectedTimeout()
 	iceFailedTimeout := iceFailedTimeout()
@@ -75,12 +61,7 @@ func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candida
 		agentConfig.NetworkTypes = []ice.NetworkType{ice.NetworkTypeUDP4}
 	}
 
-	agent, err := ice.NewAgent(agentConfig)
+	return ice.NewAgent(agentConfig)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ThreadSafeAgent{Agent: agent}, nil
 }
 
 func GenerateICECredentials() (string, string, error) {

client/internal/peer/ice/config.go

@@ -1,7 +1,7 @@
 package ice
 
 import (
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
 )
 
 type Config struct {

client/internal/peer/signaler.go

@@ -1,7 +1,7 @@
 package peer
 
 import (
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 

client/internal/peer/worker_ice.go

@@ -8,7 +8,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
 	"github.com/pion/stun/v2"
 	log "github.com/sirupsen/logrus"
 
@@ -42,7 +42,7 @@ type WorkerICE struct {
 	statusRecorder    *Status
 	hasRelayOnLocally bool
 
-	agent             *icemaker.ThreadSafeAgent
+	agent             *ice.Agent
 	agentDialerCancel context.CancelFunc
 	agentConnecting   bool      // while it is true, drop all incoming offers
 	lastSuccess       time.Time // with this avoid the too frequent ICE agent recreation
@@ -121,7 +121,6 @@ func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 		if err := w.agent.Close(); err != nil {
 			w.log.Warnf("failed to close ICE agent: %s", err)
 		}
-		w.agent = nil
 		// todo consider to switch to Relay connection while establishing a new ICE connection
 	}
 
@@ -196,7 +195,7 @@ func (w *WorkerICE) Close() {
 	w.agent = nil
 }
 
-func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []ice.CandidateType) (*icemaker.ThreadSafeAgent, error) {
+func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []ice.CandidateType) (*ice.Agent, error) {
 	agent, err := icemaker.NewAgent(w.iFaceDiscover, w.config.ICEConfig, candidates, w.localUfrag, w.localPwd)
 	if err != nil {
 		return nil, fmt.Errorf("create agent: %w", err)
@@ -214,6 +213,10 @@ func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []
 		return nil, err
 	}
 
+	if err := agent.OnSuccessfulSelectedPairBindingResponse(w.onSuccessfulSelectedPairBindingResponse); err != nil {
+		return nil, fmt.Errorf("failed setting binding response callback: %w", err)
+	}
+
 	return agent, nil
 }
 
@@ -227,7 +230,7 @@ func (w *WorkerICE) SessionID() ICESessionID {
 // will block until connection succeeded
 // but it won't release if ICE Agent went into Disconnected or Failed state,
 // so we have to cancel it with the provided context once agent detected a broken connection
-func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent, remoteOfferAnswer *OfferAnswer) {
+func (w *WorkerICE) connect(ctx context.Context, agent *ice.Agent, remoteOfferAnswer *OfferAnswer) {
 	w.log.Debugf("gather candidates")
 	if err := agent.GatherCandidates(); err != nil {
 		w.log.Warnf("failed to gather candidates: %s", err)
@@ -236,7 +239,7 @@ func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent
 	}
 
 	w.log.Debugf("turn agent dial")
-	remoteConn, err := w.turnAgentDial(ctx, agent, remoteOfferAnswer)
+	remoteConn, err := w.turnAgentDial(ctx, remoteOfferAnswer)
 	if err != nil {
 		w.log.Debugf("failed to dial the remote peer: %s", err)
 		w.closeAgent(agent, w.agentDialerCancel)
@@ -249,11 +252,6 @@ func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent
 		w.closeAgent(agent, w.agentDialerCancel)
 		return
 	}
-	if pair == nil {
-		w.log.Warnf("selected candidate pair is nil, cannot proceed")
-		w.closeAgent(agent, w.agentDialerCancel)
-		return
-	}
 
 	if !isRelayCandidate(pair.Local) {
 		// dynamically set remote WireGuard port if other side specified a different one from the default one
@@ -292,14 +290,13 @@ func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent
 	w.conn.onICEConnectionIsReady(selectedPriority(pair), ci)
 }
 
-func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.CancelFunc) {
+func (w *WorkerICE) closeAgent(agent *ice.Agent, cancel context.CancelFunc) {
 	cancel()
 	if err := agent.Close(); err != nil {
 		w.log.Warnf("failed to close ICE agent: %s", err)
 	}
 
 	w.muxAgent.Lock()
-	// todo review does it make sense to generate new session ID all the time when w.agent==agent
 	sessionID, err := NewICESessionID()
 	if err != nil {
 		w.log.Errorf("failed to create new session ID: %s", err)
@@ -380,30 +377,9 @@ func (w *WorkerICE) onICECandidate(candidate ice.Candidate) {
 func (w *WorkerICE) onICESelectedCandidatePair(c1 ice.Candidate, c2 ice.Candidate) {
 	w.log.Debugf("selected candidate pair [local <-> remote] -> [%s <-> %s], peer %s", c1.String(), c2.String(),
 		w.config.Key)
-
-	w.muxAgent.Lock()
-
-	pair, err := w.agent.GetSelectedCandidatePair()
-	if err != nil {
-		w.log.Warnf("failed to get selected candidate pair: %s", err)
-		w.muxAgent.Unlock()
-		return
-	}
-	if pair == nil {
-		w.log.Warnf("selected candidate pair is nil, cannot proceed")
-		w.muxAgent.Unlock()
-		return
-	}
-	w.muxAgent.Unlock()
-
-	duration := time.Duration(pair.CurrentRoundTripTime() * float64(time.Second))
-	if err := w.statusRecorder.UpdateLatency(w.config.Key, duration); err != nil {
-		w.log.Debugf("failed to update latency for peer: %s", err)
-		return
-	}
 }
 
-func (w *WorkerICE) onConnectionStateChange(agent *icemaker.ThreadSafeAgent, dialerCancel context.CancelFunc) func(ice.ConnectionState) {
+func (w *WorkerICE) onConnectionStateChange(agent *ice.Agent, dialerCancel context.CancelFunc) func(ice.ConnectionState) {
 	return func(state ice.ConnectionState) {
 		w.log.Debugf("ICE ConnectionState has changed to %s", state.String())
 		switch state {
@@ -422,6 +398,13 @@ func (w *WorkerICE) onConnectionStateChange(agent *icemaker.ThreadSafeAgent, dia
 	}
 }
 
+func (w *WorkerICE) onSuccessfulSelectedPairBindingResponse(pair *ice.CandidatePair) {
+	if err := w.statusRecorder.UpdateLatency(w.config.Key, pair.Latency()); err != nil {
+		w.log.Debugf("failed to update latency for peer: %s", err)
+		return
+	}
+}
+
 func (w *WorkerICE) shouldSendExtraSrflxCandidate(candidate ice.Candidate) bool {
 	if !w.sentExtraSrflx && candidate.Type() == ice.CandidateTypeServerReflexive && candidate.Port() != candidate.RelatedAddress().Port {
 		return true
@@ -429,18 +412,18 @@ func (w *WorkerICE) shouldSendExtraSrflxCandidate(candidate ice.Candidate) bool
 	return false
 }
 
-func (w *WorkerICE) turnAgentDial(ctx context.Context, agent *icemaker.ThreadSafeAgent, remoteOfferAnswer *OfferAnswer) (*ice.Conn, error) {
+func (w *WorkerICE) turnAgentDial(ctx context.Context, remoteOfferAnswer *OfferAnswer) (*ice.Conn, error) {
 	isControlling := w.config.LocalKey > w.config.Key
 	if isControlling {
-		return agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+		return w.agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	} else {
-		return agent.Accept(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+		return w.agent.Accept(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	}
 }
 
 func extraSrflxCandidate(candidate ice.Candidate) (*ice.CandidateServerReflexive, error) {
 	relatedAdd := candidate.RelatedAddress()
-	ec, err := ice.NewCandidateServerReflexive(&ice.CandidateServerReflexiveConfig{
+	return ice.NewCandidateServerReflexive(&ice.CandidateServerReflexiveConfig{
 		Network:   candidate.NetworkType().String(),
 		Address:   candidate.Address(),
 		Port:      relatedAdd.Port,
@@ -448,17 +431,6 @@ func extraSrflxCandidate(candidate ice.Candidate) (*ice.CandidateServerReflexive
 		RelAddr:   relatedAdd.Address,
 		RelPort:   relatedAdd.Port,
 	})
-	if err != nil {
-		return nil, err
-	}
-
-	for _, e := range candidate.Extensions() {
-		if err := ec.AddExtension(e); err != nil {
-			return nil, err
-		}
-	}
-
-	return ec, nil
 }
 
 func candidateViaRoutes(candidate ice.Candidate, clientRoutes route.HAMap) bool {

client/internal/profilemanager/config.go

@@ -75,8 +75,6 @@ type ConfigInput struct {
 	DNSLabels domain.List
 
 	LazyConnectionEnabled *bool
-
-	MTU *uint16
 }
 
 // Config Configuration type
@@ -143,8 +141,6 @@ type Config struct {
 	ClientCertKeyPair *tls.Certificate `json:"-"`
 
 	LazyConnectionEnabled bool
-
-	MTU uint16
 }
 
 var ConfigDirOverride string
@@ -497,16 +493,6 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
-	if input.MTU != nil && *input.MTU != config.MTU {
-		log.Infof("updating MTU to %d (old value %d)", *input.MTU, config.MTU)
-		config.MTU = *input.MTU
-		updated = true
-	} else if config.MTU == 0 {
-		config.MTU = iface.DefaultMTU
-		log.Infof("using default MTU %d", config.MTU)
-		updated = true
-	}
-
 	return updated, nil
 }
 

client/internal/relay/relay.go

@@ -7,7 +7,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/pion/stun/v3"
+	"github.com/pion/stun/v2"
 	"github.com/pion/turn/v3"
 	log "github.com/sirupsen/logrus"