[relay] Let relay accept any origin (#4426 )

[management] Add user approval (#4411 )
This PR adds user approval functionality to the management system, allowing administrators to manually approve new users joining via domain matching. When enabled, users are blocked with pending approval status until explicitly approved by an admin. Adds UserApprovalRequired setting to control manual user approval requirement Introduces user approval and rejection endpoints with corresponding business logic Prevents pending approval users from adding peers or logging in
2026-04-16 23:36:39 +00:00 · 2025-09-01 19:51:06 +02:00 · 2025-09-01 18:00:45 +02:00 · 2025-09-01 10:42:01 +02:00 · 2025-08-31 17:19:56 +02:00 · 2025-08-30 12:47:13 +02:00
166 changed files with 5381 additions and 1716 deletions
--- a/.github/workflows/docs-ack.yml
+++ b/.github/workflows/docs-ack.yml
@@ -16,19 +16,29 @@ jobs:
    steps:
      - name: Read PR body
        id: body
+        shell: bash
        run: |
-          BODY=$(jq -r '.pull_request.body // ""' "$GITHUB_EVENT_PATH")
-          echo "body<<EOF" >> $GITHUB_OUTPUT
-          echo "$BODY" >> $GITHUB_OUTPUT
-          echo "EOF" >> $GITHUB_OUTPUT
+          set -euo pipefail
+          BODY_B64=$(jq -r '.pull_request.body // "" | @base64' "$GITHUB_EVENT_PATH")
+          {
+            echo "body_b64=$BODY_B64"
+          } >> "$GITHUB_OUTPUT"

      - name: Validate checkbox selection
        id: validate
+        shell: bash
+        env:
+          BODY_B64: ${{ steps.body.outputs.body_b64 }}
        run: |
-          body='${{ steps.body.outputs.body }}'
+          set -euo pipefail
+          if ! body="$(printf '%s' "$BODY_B64" | base64 -d)"; then
+            echo "::error::Failed to decode PR body from base64. Data may be corrupted or missing."
+            exit 1
+          fi
+
+          added_checked=$(printf '%s' "$body" | grep -Ei '^[[:space:]]*-\s*\[x\]\s*I added/updated documentation' | wc -l | tr -d '[:space:]' || true)
+          noneed_checked=$(printf '%s' "$body" | grep -Ei '^[[:space:]]*-\s*\[x\]\s*Documentation is \*\*not needed\*\*' | wc -l | tr -d '[:space:]' || true)

-          added_checked=$(printf "%s" "$body" | grep -E '^- \[x\] I added/updated documentation' -i | wc -l | tr -d ' ')
-          noneed_checked=$(printf "%s" "$body" | grep -E '^- \[x\] Documentation is \*\*not needed\*\*' -i | wc -l | tr -d ' ')

          if [ "$added_checked" -eq 1 ] && [ "$noneed_checked" -eq 1 ]; then
            echo "::error::Choose exactly one: either 'docs added' OR 'not needed'."
@@ -41,30 +51,35 @@ jobs:
          fi

          if [ "$added_checked" -eq 1 ]; then
-            echo "mode=added" >> $GITHUB_OUTPUT
+            echo "mode=added" >> "$GITHUB_OUTPUT"
          else
-            echo "mode=noneed" >> $GITHUB_OUTPUT
+            echo "mode=noneed" >> "$GITHUB_OUTPUT"
          fi

      - name: Extract docs PR URL (when 'docs added')
        if: steps.validate.outputs.mode == 'added'
        id: extract
+        shell: bash
+        env:
+          BODY_B64: ${{ steps.body.outputs.body_b64 }}
        run: |
-          body='${{ steps.body.outputs.body }}'
+          set -euo pipefail
+          body="$(printf '%s' "$BODY_B64" | base64 -d)"

          # Strictly require HTTPS and that it's a PR in netbirdio/docs
-          # Examples accepted:
-          #   https://github.com/netbirdio/docs/pull/1234
-          url=$(printf "%s" "$body" | grep -Eo 'https://github\.com/netbirdio/docs/pull/[0-9]+' | head -n1 || true)
+          # e.g., https://github.com/netbirdio/docs/pull/1234
+          url="$(printf '%s' "$body" | grep -Eo 'https://github\.com/netbirdio/docs/pull/[0-9]+' | head -n1 || true)"

-          if [ -z "$url" ]; then
+          if [ -z "${url:-}" ]; then
            echo "::error::You checked 'docs added' but didn't include a valid HTTPS PR link to netbirdio/docs (e.g., https://github.com/netbirdio/docs/pull/1234)."
            exit 1
          fi

-          pr_number=$(echo "$url" | sed -E 's#.*/pull/([0-9]+)$#\1#')
-          echo "url=$url" >> $GITHUB_OUTPUT
-          echo "pr_number=$pr_number" >> $GITHUB_OUTPUT
+          pr_number="$(printf '%s' "$url" | sed -E 's#.*/pull/([0-9]+)$#\1#')"
+          {
+            echo "url=$url"
+            echo "pr_number=$pr_number"
+          } >> "$GITHUB_OUTPUT"

      - name: Verify docs PR exists (and is open or merged)
        if: steps.validate.outputs.mode == 'added'
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -382,6 +382,32 @@ jobs:
        store: [ 'sqlite', 'postgres' ]
    runs-on: ubuntu-22.04
    steps:
+      - name: Create Docker network
+        run: docker network create promnet
+
+      - name: Start Prometheus Pushgateway
+        run: docker run -d --name pushgateway --network promnet -p 9091:9091 prom/pushgateway
+
+      - name: Start Prometheus (for Pushgateway forwarding)
+        run: |
+          echo '
+          global:
+            scrape_interval: 15s
+          scrape_configs:
+            - job_name: "pushgateway"
+              static_configs:
+                - targets: ["pushgateway:9091"]
+          remote_write:
+            - url: ${{ secrets.GRAFANA_URL }}
+              basic_auth:
+                username: ${{ secrets.GRAFANA_USER }}
+                password: ${{ secrets.GRAFANA_API_KEY }}
+          ' > prometheus.yml
+
+          docker run -d --name prometheus --network promnet \
+            -v $PWD/prometheus.yml:/etc/prometheus/prometheus.yml \
+            -p 9090:9090 \
+            prom/prometheus
      - name: Install Go
        uses: actions/setup-go@v5
        with:
@@ -428,9 +454,10 @@ jobs:
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
          CI=true \
+          GIT_BRANCH=${{ github.ref_name }} \
          go test -tags devcert -run=^$ -bench=. \
-          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./management/... ./shared/management/...
+          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
+          -timeout 20m ./management/... ./shared/management/... $(go list ./management/... ./shared/management/... | grep -v -e /management/server/http)

  api_benchmark:
    name: "Management / Benchmark (API)"
@@ -521,7 +548,7 @@ jobs:
            -run=^$ \
            -bench=. \
            -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
-            -timeout 20m ./management/... ./shared/management/...
+            -timeout 20m ./management/server/http/...

  api_integration_test:
    name: "Management / Integration"
@@ -571,4 +598,4 @@ jobs:
          CI=true \
          go test -tags=integration \
          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./management/... ./shared/management/...
+          -timeout 20m ./management/server/http/...
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -63,7 +63,7 @@ jobs:
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' })" >> $env:GITHUB_ENV
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' })" >> $env:GITHUB_ENV

      - name: test
        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -39,6 +39,7 @@ const (
 	extraIFaceBlackListFlag  = "extra-iface-blacklist"
 	dnsRouteIntervalFlag     = "dns-router-interval"
 	enableLazyConnectionFlag = "enable-lazy-connection"
+	mtuFlag                  = "mtu"
 )

 var (
@@ -72,6 +73,7 @@ var (
 	anonymizeFlag           bool
 	dnsRouteInterval        time.Duration
 	lazyConnEnabled         bool
+	mtu                     uint16
 	profilesDisabled        bool
 	updateSettingsDisabled  bool

--- a/client/cmd/root_test.go
+++ b/client/cmd/root_test.go
@@ -54,6 +54,7 @@ func TestSetFlagsFromEnvVars(t *testing.T) {
 	cmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "WireGuard interface name")
 	cmd.PersistentFlags().BoolVar(&rosenpassEnabled, enableRosenpassFlag, false, "Enable Rosenpass feature Rosenpass.")
 	cmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "WireGuard interface listening port")
+	cmd.PersistentFlags().Uint16Var(&mtu, mtuFlag, iface.DefaultMTU, "Set MTU (Maximum Transmission Unit) for the WireGuard interface")

 	t.Setenv("NB_EXTERNAL_IP_MAP", "abc,dec")
 	t.Setenv("NB_INTERFACE_NAME", "test-name")
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -63,6 +63,7 @@ func init() {
 	upCmd.PersistentFlags().BoolVarP(&foregroundMode, "foreground-mode", "F", false, "start service in foreground")
 	upCmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "WireGuard interface name")
 	upCmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "WireGuard interface listening port")
+	upCmd.PersistentFlags().Uint16Var(&mtu, mtuFlag, iface.DefaultMTU, "Set MTU (Maximum Transmission Unit) for the WireGuard interface")
 	upCmd.PersistentFlags().BoolVarP(&networkMonitor, networkMonitorFlag, "N", networkMonitor,
 		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux and FreeBSD. `+
 			`E.g. --network-monitor=false to disable or --network-monitor=true to enable.`,
@@ -357,6 +358,11 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 		req.WireguardPort = &p
 	}

+	if cmd.Flag(mtuFlag).Changed {
+		m := int64(mtu)
+		req.Mtu = &m
+	}
+
 	if cmd.Flag(networkMonitorFlag).Changed {
 		req.NetworkMonitor = &networkMonitor
 	}
@@ -436,6 +442,13 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.WireguardPort = &p
 	}

+	if cmd.Flag(mtuFlag).Changed {
+		if err := iface.ValidateMTU(mtu); err != nil {
+			return nil, err
+		}
+		ic.MTU = &mtu
+	}
+
 	if cmd.Flag(networkMonitorFlag).Changed {
 		ic.NetworkMonitor = &networkMonitor
 	}
@@ -533,6 +546,14 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.WireguardPort = &wp
 	}

+	if cmd.Flag(mtuFlag).Changed {
+		if err := iface.ValidateMTU(mtu); err != nil {
+			return nil, err
+		}
+		m := int64(mtu)
+		loginRequest.Mtu = &m
+	}
+
 	if cmd.Flag(networkMonitorFlag).Changed {
 		loginRequest.NetworkMonitor = &networkMonitor
 	}
--- a/client/iface/bind/ice_bind.go
+++ b/client/iface/bind/ice_bind.go
@@ -8,7 +8,7 @@ import (
 	"runtime"
 	"sync"

-	"github.com/pion/stun/v2"
+	"github.com/pion/stun/v3"
 	"github.com/pion/transport/v3"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/net/ipv4"
@@ -56,10 +56,11 @@ type ICEBind struct {
 	muUDPMux         sync.Mutex
 	udpMux           *UniversalUDPMuxDefault
 	address          wgaddr.Address
+	mtu              uint16
 	activityRecorder *ActivityRecorder
 }

-func NewICEBind(transportNet transport.Net, filterFn FilterFn, address wgaddr.Address) *ICEBind {
+func NewICEBind(transportNet transport.Net, filterFn FilterFn, address wgaddr.Address, mtu uint16) *ICEBind {
 	b, _ := wgConn.NewStdNetBind().(*wgConn.StdNetBind)
 	ib := &ICEBind{
 		StdNetBind:       b,
@@ -69,6 +70,7 @@ func NewICEBind(transportNet transport.Net, filterFn FilterFn, address wgaddr.Ad
 		endpoints:        make(map[netip.Addr]net.Conn),
 		closedChan:       make(chan struct{}),
 		closed:           true,
+		mtu:              mtu,
 		address:          address,
 		activityRecorder: NewActivityRecorder(),
 	}
@@ -80,6 +82,10 @@ func NewICEBind(transportNet transport.Net, filterFn FilterFn, address wgaddr.Ad
 	return ib
 }

+func (s *ICEBind) MTU() uint16 {
+	return s.mtu
+}
+
 func (s *ICEBind) Open(uport uint16) ([]wgConn.ReceiveFunc, uint16, error) {
 	s.closed = false
 	s.closedChanMu.Lock()
@@ -158,6 +164,7 @@ func (s *ICEBind) createIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, r
 			Net:       s.transportNet,
 			FilterFn:  s.filterFn,
 			WGAddress: s.address,
+			MTU:       s.mtu,
 		},
 	)
 	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
--- a/client/iface/bind/udp_mux.go
+++ b/client/iface/bind/udp_mux.go
@@ -8,9 +8,9 @@ import (
 	"strings"
 	"sync"

-	"github.com/pion/ice/v3"
+	"github.com/pion/ice/v4"
 	"github.com/pion/logging"
-	"github.com/pion/stun/v2"
+	"github.com/pion/stun/v3"
 	"github.com/pion/transport/v3"
 	"github.com/pion/transport/v3/stdnet"
 	log "github.com/sirupsen/logrus"
--- a/client/iface/bind/udp_mux_ios.go
+++ b/client/iface/bind/udp_mux_ios.go
@@ -4,4 +4,4 @@ package bind

 func (m *UDPMuxDefault) notifyAddressRemoval(addr string) {
 	// iOS doesn't support nbnet hooks, so this is a no-op
-}
+}
--- a/client/iface/bind/udp_mux_universal.go
+++ b/client/iface/bind/udp_mux_universal.go
@@ -15,9 +15,10 @@ import (
 	log "github.com/sirupsen/logrus"

 	"github.com/pion/logging"
-	"github.com/pion/stun/v2"
+	"github.com/pion/stun/v3"
 	"github.com/pion/transport/v3"

+	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )

@@ -44,6 +45,7 @@ type UniversalUDPMuxParams struct {
 	Net                   transport.Net
 	FilterFn              FilterFn
 	WGAddress             wgaddr.Address
+	MTU                   uint16
 }

 // NewUniversalUDPMuxDefault creates an implementation of UniversalUDPMux embedding UDPMux
@@ -84,7 +86,7 @@ func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDef
 // just ignore other packets printing an warning message.
 // It is a blocking method, consider running in a go routine.
 func (m *UniversalUDPMuxDefault) ReadFromConn(ctx context.Context) {
-	buf := make([]byte, 1500)
+	buf := make([]byte, m.params.MTU+bufsize.WGBufferOverhead)
 	for {
 		select {
 		case <-ctx.Done():
--- a/client/iface/bufsize/bufsize.go
+++ b/client/iface/bufsize/bufsize.go
@@ -0,0 +1,9 @@
+package bufsize
+
+const (
+	// WGBufferOverhead represents the additional buffer space needed beyond MTU
+	// for WireGuard packet encapsulation (WG header + UDP + IP + safety margin)
+	// Original hardcoded buffers were 1500, default MTU is 1280, so overhead = 220
+	// TODO: Calculate this properly based on actual protocol overhead instead of using hardcoded difference
+	WGBufferOverhead = 220
+)
--- a/client/iface/device.go
+++ b/client/iface/device.go
@@ -17,6 +17,7 @@ type WGTunDevice interface {
 	Up() (*bind.UniversalUDPMuxDefault, error)
 	UpdateAddr(address wgaddr.Address) error
 	WgAddress() wgaddr.Address
+	MTU() uint16
 	DeviceName() string
 	Close() error
 	FilteredDevice() *device.FilteredDevice
--- a/client/iface/device/device_android.go
+++ b/client/iface/device/device_android.go
@@ -21,7 +21,7 @@ type WGTunDevice struct {
 	address    wgaddr.Address
 	port       int
 	key        string
-	mtu        int
+	mtu        uint16
 	iceBind    *bind.ICEBind
 	tunAdapter TunAdapter
 	disableDNS bool
@@ -33,7 +33,7 @@ type WGTunDevice struct {
 	configurer     WGConfigurer
 }

-func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
+func NewTunDevice(address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
 	return &WGTunDevice{
 		address:    address,
 		port:       port,
@@ -58,7 +58,7 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 		searchDomainsToString = ""
 	}

-	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), t.mtu, dns, searchDomainsToString, routesString)
+	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), int(t.mtu), dns, searchDomainsToString, routesString)
 	if err != nil {
 		log.Errorf("failed to create Android interface: %s", err)
 		return nil, err
@@ -137,6 +137,10 @@ func (t *WGTunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }

+func (t *WGTunDevice) MTU() uint16 {
+	return t.mtu
+}
+
 func (t *WGTunDevice) FilteredDevice() *FilteredDevice {
 	return t.filteredDevice
 }
--- a/client/iface/device/device_darwin.go
+++ b/client/iface/device/device_darwin.go
@@ -21,7 +21,7 @@ type TunDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
-	mtu     int
+	mtu     uint16
 	iceBind *bind.ICEBind

 	device         *device.Device
@@ -30,7 +30,7 @@ type TunDevice struct {
 	configurer     WGConfigurer
 }

-func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *TunDevice {
 	return &TunDevice{
 		name:    name,
 		address: address,
@@ -42,7 +42,7 @@ func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu
 }

 func (t *TunDevice) Create() (WGConfigurer, error) {
-	tunDevice, err := tun.CreateTUN(t.name, t.mtu)
+	tunDevice, err := tun.CreateTUN(t.name, int(t.mtu))
 	if err != nil {
 		return nil, fmt.Errorf("error creating tun device: %s", err)
 	}
@@ -111,6 +111,10 @@ func (t *TunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }

+func (t *TunDevice) MTU() uint16 {
+	return t.mtu
+}
+
 func (t *TunDevice) DeviceName() string {
 	return t.name
 }
--- a/client/iface/device/device_ios.go
+++ b/client/iface/device/device_ios.go
@@ -22,6 +22,7 @@ type TunDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
+	mtu     uint16
 	iceBind *bind.ICEBind
 	tunFd   int

@@ -31,12 +32,13 @@ type TunDevice struct {
 	configurer     WGConfigurer
 }

-func NewTunDevice(name string, address wgaddr.Address, port int, key string, iceBind *bind.ICEBind, tunFd int) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, tunFd int) *TunDevice {
 	return &TunDevice{
 		name:    name,
 		address: address,
 		port:    port,
 		key:     key,
+		mtu:     mtu,
 		iceBind: iceBind,
 		tunFd:   tunFd,
 	}
@@ -125,6 +127,10 @@ func (t *TunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }

+func (t *TunDevice) MTU() uint16 {
+	return t.mtu
+}
+
 func (t *TunDevice) UpdateAddr(_ wgaddr.Address) error {
 	// todo implement
 	return nil
--- a/client/iface/device/device_kernel_unix.go
+++ b/client/iface/device/device_kernel_unix.go
@@ -24,7 +24,7 @@ type TunKernelDevice struct {
 	address      wgaddr.Address
 	wgPort       int
 	key          string
-	mtu          int
+	mtu          uint16
 	ctx          context.Context
 	ctxCancel    context.CancelFunc
 	transportNet transport.Net
@@ -36,7 +36,7 @@ type TunKernelDevice struct {
 	filterFn bind.FilterFn
 }

-func NewKernelDevice(name string, address wgaddr.Address, wgPort int, key string, mtu int, transportNet transport.Net) *TunKernelDevice {
+func NewKernelDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, transportNet transport.Net) *TunKernelDevice {
 	ctx, cancel := context.WithCancel(context.Background())
 	return &TunKernelDevice{
 		ctx:          ctx,
@@ -66,7 +66,7 @@ func (t *TunKernelDevice) Create() (WGConfigurer, error) {
 	// TODO: do a MTU discovery
 	log.Debugf("setting MTU: %d interface: %s", t.mtu, t.name)

-	if err := link.setMTU(t.mtu); err != nil {
+	if err := link.setMTU(int(t.mtu)); err != nil {
 		return nil, fmt.Errorf("set mtu: %w", err)
 	}

@@ -96,7 +96,7 @@ func (t *TunKernelDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 		return nil, err
 	}

-	rawSock, err := sharedsock.Listen(t.wgPort, sharedsock.NewIncomingSTUNFilter())
+	rawSock, err := sharedsock.Listen(t.wgPort, sharedsock.NewIncomingSTUNFilter(), t.mtu)
 	if err != nil {
 		return nil, err
 	}
@@ -111,6 +111,7 @@ func (t *TunKernelDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 		Net:       t.transportNet,
 		FilterFn:  t.filterFn,
 		WGAddress: t.address,
+		MTU:       t.mtu,
 	}
 	mux := bind.NewUniversalUDPMuxDefault(bindParams)
 	go mux.ReadFromConn(t.ctx)
@@ -158,6 +159,10 @@ func (t *TunKernelDevice) WgAddress() wgaddr.Address {
 	return t.address
 }

+func (t *TunKernelDevice) MTU() uint16 {
+	return t.mtu
+}
+
 func (t *TunKernelDevice) DeviceName() string {
 	return t.name
 }
--- a/client/iface/device/device_netstack.go
+++ b/client/iface/device/device_netstack.go
@@ -1,6 +1,3 @@
-//go:build !android
-// +build !android
-
 package device

 import (
@@ -22,7 +19,7 @@ type TunNetstackDevice struct {
 	address       wgaddr.Address
 	port          int
 	key           string
-	mtu           int
+	mtu           uint16
 	listenAddress string
 	iceBind       *bind.ICEBind

@@ -35,7 +32,7 @@ type TunNetstackDevice struct {
 	net *netstack.Net
 }

-func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu int, iceBind *bind.ICEBind, listenAddress string) *TunNetstackDevice {
+func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, iceBind *bind.ICEBind, listenAddress string) *TunNetstackDevice {
 	return &TunNetstackDevice{
 		name:          name,
 		address:       address,
@@ -47,7 +44,7 @@ func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key stri
 	}
 }

-func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
+func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 	log.Info("create nbnetstack tun interface")

 	// TODO: get from service listener runtime IP
@@ -57,7 +54,7 @@ func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
 	}

 	log.Debugf("netstack using address: %s", t.address.IP)
-	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, t.mtu)
+	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, int(t.mtu))
 	log.Debugf("netstack using dns address: %s", dnsAddr)
 	tunIface, net, err := t.nsTun.Create()
 	if err != nil {
@@ -125,6 +122,10 @@ func (t *TunNetstackDevice) WgAddress() wgaddr.Address {
 	return t.address
 }

+func (t *TunNetstackDevice) MTU() uint16 {
+	return t.mtu
+}
+
 func (t *TunNetstackDevice) DeviceName() string {
 	return t.name
 }
--- a/client/iface/device/device_netstack_android.go
+++ b/client/iface/device/device_netstack_android.go
@@ -0,0 +1,7 @@
+//go:build android
+
+package device
+
+func (t *TunNetstackDevice) Create(routes []string, dns string, searchDomains []string) (WGConfigurer, error) {
+	return t.create()
+}
--- a/client/iface/device/device_netstack_generic.go
+++ b/client/iface/device/device_netstack_generic.go
@@ -0,0 +1,7 @@
+//go:build !android
+
+package device
+
+func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
+	return t.create()
+}
--- a/client/iface/device/device_usp_unix.go
+++ b/client/iface/device/device_usp_unix.go
@@ -20,7 +20,7 @@ type USPDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
-	mtu     int
+	mtu     uint16
 	iceBind *bind.ICEBind

 	device         *device.Device
@@ -29,7 +29,7 @@ type USPDevice struct {
 	configurer     WGConfigurer
 }

-func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind) *USPDevice {
+func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *USPDevice {
 	log.Infof("using userspace bind mode")

 	return &USPDevice{
@@ -44,9 +44,9 @@ func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu

 func (t *USPDevice) Create() (WGConfigurer, error) {
 	log.Info("create tun interface")
-	tunIface, err := tun.CreateTUN(t.name, t.mtu)
+	tunIface, err := tun.CreateTUN(t.name, int(t.mtu))
 	if err != nil {
-		log.Debugf("failed to create tun interface (%s, %d): %s", t.name, t.mtu, err)
+		log.Debugf("failed to create tun interface (%s, %d): %s", t.name, int(t.mtu), err)
 		return nil, fmt.Errorf("error creating tun device: %s", err)
 	}
 	t.filteredDevice = newDeviceFilter(tunIface)
@@ -118,6 +118,10 @@ func (t *USPDevice) WgAddress() wgaddr.Address {
 	return t.address
 }

+func (t *USPDevice) MTU() uint16 {
+	return t.mtu
+}
+
 func (t *USPDevice) DeviceName() string {
 	return t.name
 }
--- a/client/iface/device/device_windows.go
+++ b/client/iface/device/device_windows.go
@@ -23,7 +23,7 @@ type TunDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
-	mtu     int
+	mtu     uint16
 	iceBind *bind.ICEBind

 	device          *device.Device
@@ -33,7 +33,7 @@ type TunDevice struct {
 	configurer      WGConfigurer
 }

-func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *TunDevice {
 	return &TunDevice{
 		name:    name,
 		address: address,
@@ -59,7 +59,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 		return nil, err
 	}
 	log.Info("create tun interface")
-	tunDevice, err := tun.CreateTUNWithRequestedGUID(t.name, &guid, t.mtu)
+	tunDevice, err := tun.CreateTUNWithRequestedGUID(t.name, &guid, int(t.mtu))
 	if err != nil {
 		return nil, fmt.Errorf("error creating tun device: %s", err)
 	}
@@ -144,6 +144,10 @@ func (t *TunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }

+func (t *TunDevice) MTU() uint16 {
+	return t.mtu
+}
+
 func (t *TunDevice) DeviceName() string {
 	return t.name
 }
--- a/client/iface/device_android.go
+++ b/client/iface/device_android.go
@@ -15,6 +15,7 @@ type WGTunDevice interface {
 	Up() (*bind.UniversalUDPMuxDefault, error)
 	UpdateAddr(address wgaddr.Address) error
 	WgAddress() wgaddr.Address
+	MTU() uint16
 	DeviceName() string
 	Close() error
 	FilteredDevice() *device.FilteredDevice
--- a/client/iface/iface.go
+++ b/client/iface/iface.go
@@ -26,6 +26,8 @@ import (

 const (
 	DefaultMTU         = 1280
+	MinMTU             = 576
+	MaxMTU             = 8192
 	DefaultWgPort      = 51820
 	WgInterfaceDefault = configurer.WgInterfaceDefault
 )
@@ -35,6 +37,17 @@ var (
 	ErrIfaceNotFound = fmt.Errorf("wireguard interface not found")
 )

+// ValidateMTU validates that MTU is within acceptable range
+func ValidateMTU(mtu uint16) error {
+	if mtu < MinMTU {
+		return fmt.Errorf("MTU %d below minimum (%d bytes)", mtu, MinMTU)
+	}
+	if mtu > MaxMTU {
+		return fmt.Errorf("MTU %d exceeds maximum supported size (%d bytes)", mtu, MaxMTU)
+	}
+	return nil
+}
+
 type wgProxyFactory interface {
 	GetProxy() wgproxy.Proxy
 	Free() error
@@ -45,7 +58,7 @@ type WGIFaceOpts struct {
 	Address      string
 	WGPort       int
 	WGPrivKey    string
-	MTU          int
+	MTU          uint16
 	MobileArgs   *device.MobileIFaceArguments
 	TransportNet transport.Net
 	FilterFn     bind.FilterFn
@@ -82,6 +95,10 @@ func (w *WGIface) Address() wgaddr.Address {
 	return w.tun.WgAddress()
 }

+func (w *WGIface) MTU() uint16 {
+	return w.tun.MTU()
+}
+
 // ToInterface returns the net.Interface for the Wireguard interface
 func (r *WGIface) ToInterface() *net.Interface {
 	name := r.tun.DeviceName()
--- a/client/iface/iface_new_android.go
+++ b/client/iface/iface_new_android.go
@@ -3,6 +3,7 @@ package iface
 import (
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )
@@ -14,7 +15,16 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		return nil, err
 	}

-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+
+	if netstack.IsEnabled() {
+		wgIFace := &WGIface{
+			userspaceBind:  true,
+			tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
+			wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
+		}
+		return wgIFace, nil
+	}

 	wgIFace := &WGIface{
 		userspaceBind:  true,
--- a/client/iface/iface_new_darwin.go
+++ b/client/iface/iface_new_darwin.go
@@ -17,7 +17,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		return nil, err
 	}

-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)

 	var tun WGTunDevice
 	if netstack.IsEnabled() {
--- a/client/iface/iface_new_ios.go
+++ b/client/iface/iface_new_ios.go
@@ -16,10 +16,10 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		return nil, err
 	}

-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)

 	wgIFace := &WGIface{
-		tun:            device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, iceBind, opts.MobileArgs.TunFd),
+		tun:            device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunFd),
 		userspaceBind:  true,
 		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
--- a/client/iface/iface_new_unix.go
+++ b/client/iface/iface_new_unix.go
@@ -22,7 +22,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{}

 	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
 		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
 		wgIFace.userspaceBind = true
 		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
@@ -31,11 +31,11 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {

 	if device.WireGuardModuleIsLoaded() {
 		wgIFace.tun = device.NewKernelDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, opts.TransportNet)
-		wgIFace.wgProxyFactory = wgproxy.NewKernelFactory(opts.WGPort)
+		wgIFace.wgProxyFactory = wgproxy.NewKernelFactory(opts.WGPort, opts.MTU)
 		return wgIFace, nil
 	}
 	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
 		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
 		wgIFace.userspaceBind = true
 		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
--- a/client/iface/iface_new_windows.go
+++ b/client/iface/iface_new_windows.go
@@ -14,7 +14,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	if err != nil {
 		return nil, err
 	}
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)

 	var tun WGTunDevice
 	if netstack.IsEnabled() {
--- a/client/iface/wgproxy/bind/proxy.go
+++ b/client/iface/wgproxy/bind/proxy.go
@@ -12,6 +12,7 @@ import (
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )

@@ -135,7 +136,7 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 	}()

 	for {
-		buf := make([]byte, 1500)
+		buf := make([]byte, p.Bind.MTU()+bufsize.WGBufferOverhead)
 		n, err := p.remoteConn.Read(buf)
 		if err != nil {
 			if ctx.Err() != nil {
--- a/client/iface/wgproxy/ebpf/proxy.go
+++ b/client/iface/wgproxy/ebpf/proxy.go
@@ -17,6 +17,7 @@ import (
 	log "github.com/sirupsen/logrus"

 	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/internal/ebpf"
 	ebpfMgr "github.com/netbirdio/netbird/client/internal/ebpf/manager"
 	nbnet "github.com/netbirdio/netbird/util/net"
@@ -29,6 +30,7 @@ const (
 // WGEBPFProxy definition for proxy with EBPF support
 type WGEBPFProxy struct {
 	localWGListenPort int
+	mtu               uint16

 	ebpfManager   ebpfMgr.Manager
 	turnConnStore map[uint16]net.Conn
@@ -43,10 +45,11 @@ type WGEBPFProxy struct {
 }

 // NewWGEBPFProxy create new WGEBPFProxy instance
-func NewWGEBPFProxy(wgPort int) *WGEBPFProxy {
+func NewWGEBPFProxy(wgPort int, mtu uint16) *WGEBPFProxy {
 	log.Debugf("instantiate ebpf proxy")
 	wgProxy := &WGEBPFProxy{
 		localWGListenPort: wgPort,
+		mtu:               mtu,
 		ebpfManager:       ebpf.GetEbpfManagerInstance(),
 		turnConnStore:     make(map[uint16]net.Conn),
 	}
@@ -138,7 +141,7 @@ func (p *WGEBPFProxy) Free() error {
 // proxyToRemote read messages from local WireGuard interface and forward it to remote conn
 // From this go routine has only one instance.
 func (p *WGEBPFProxy) proxyToRemote() {
-	buf := make([]byte, 1500)
+	buf := make([]byte, p.mtu+bufsize.WGBufferOverhead)
 	for p.ctx.Err() == nil {
 		if err := p.readAndForwardPacket(buf); err != nil {
 			if p.ctx.Err() != nil {
--- a/client/iface/wgproxy/ebpf/proxy_test.go
+++ b/client/iface/wgproxy/ebpf/proxy_test.go
@@ -7,7 +7,7 @@ import (
 )

 func TestWGEBPFProxy_connStore(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(1)
+	wgProxy := NewWGEBPFProxy(1, 1280)

 	p, _ := wgProxy.storeTurnConn(nil)
 	if p != 1 {
@@ -27,7 +27,7 @@ func TestWGEBPFProxy_connStore(t *testing.T) {
 }

 func TestWGEBPFProxy_portCalculation_overflow(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(1)
+	wgProxy := NewWGEBPFProxy(1, 1280)

 	_, _ = wgProxy.storeTurnConn(nil)
 	wgProxy.lastUsedPort = 65535
@@ -43,7 +43,7 @@ func TestWGEBPFProxy_portCalculation_overflow(t *testing.T) {
 }

 func TestWGEBPFProxy_portCalculation_maxConn(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(1)
+	wgProxy := NewWGEBPFProxy(1, 1280)

 	for i := 0; i < 65535; i++ {
 		_, _ = wgProxy.storeTurnConn(nil)
--- a/client/iface/wgproxy/ebpf/wrapper.go
+++ b/client/iface/wgproxy/ebpf/wrapper.go
@@ -12,6 +12,7 @@ import (

 	log "github.com/sirupsen/logrus"

+	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )

@@ -103,7 +104,7 @@ func (e *ProxyWrapper) CloseConn() error {
 func (p *ProxyWrapper) proxyToLocal(ctx context.Context) {
 	defer p.WgeBPFProxy.removeTurnConn(uint16(p.wgEndpointAddr.Port))

-	buf := make([]byte, 1500)
+	buf := make([]byte, p.WgeBPFProxy.mtu+bufsize.WGBufferOverhead)
 	for {
 		n, err := p.readFromRemote(ctx, buf)
 		if err != nil {
--- a/client/iface/wgproxy/factory_kernel.go
+++ b/client/iface/wgproxy/factory_kernel.go
@@ -11,16 +11,18 @@ import (

 type KernelFactory struct {
 	wgPort int
+	mtu    uint16

 	ebpfProxy *ebpf.WGEBPFProxy
 }

-func NewKernelFactory(wgPort int) *KernelFactory {
+func NewKernelFactory(wgPort int, mtu uint16) *KernelFactory {
 	f := &KernelFactory{
 		wgPort: wgPort,
+		mtu:    mtu,
 	}

-	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort)
+	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, mtu)
 	if err := ebpfProxy.Listen(); err != nil {
 		log.Infof("WireGuard Proxy Factory will produce UDP proxy")
 		log.Warnf("failed to initialize ebpf proxy, fallback to user space proxy: %s", err)
@@ -33,7 +35,7 @@ func NewKernelFactory(wgPort int) *KernelFactory {

 func (w *KernelFactory) GetProxy() Proxy {
 	if w.ebpfProxy == nil {
-		return udpProxy.NewWGUDPProxy(w.wgPort)
+		return udpProxy.NewWGUDPProxy(w.wgPort, w.mtu)
 	}

 	return ebpf.NewProxyWrapper(w.ebpfProxy)
--- a/client/iface/wgproxy/factory_kernel_freebsd.go
+++ b/client/iface/wgproxy/factory_kernel_freebsd.go
@@ -9,19 +9,21 @@ import (
 // KernelFactory todo: check eBPF support on FreeBSD
 type KernelFactory struct {
 	wgPort int
+	mtu    uint16
 }

-func NewKernelFactory(wgPort int) *KernelFactory {
+func NewKernelFactory(wgPort int, mtu uint16) *KernelFactory {
 	log.Infof("WireGuard Proxy Factory will produce UDP proxy")
 	f := &KernelFactory{
 		wgPort: wgPort,
+		mtu:    mtu,
 	}

 	return f
 }

 func (w *KernelFactory) GetProxy() Proxy {
-	return udpProxy.NewWGUDPProxy(w.wgPort)
+	return udpProxy.NewWGUDPProxy(w.wgPort, w.mtu)
 }

 func (w *KernelFactory) Free() error {
--- a/client/iface/wgproxy/proxy_linux_test.go
+++ b/client/iface/wgproxy/proxy_linux_test.go
@@ -16,7 +16,7 @@ func TestProxyCloseByRemoteConnEBPF(t *testing.T) {
 	}
 	ctx := context.Background()

-	ebpfProxy := ebpf.NewWGEBPFProxy(51831)
+	ebpfProxy := ebpf.NewWGEBPFProxy(51831, 1280)
 	if err := ebpfProxy.Listen(); err != nil {
 		t.Fatalf("failed to initialize ebpf proxy: %s", err)
 	}
--- a/client/iface/wgproxy/proxy_test.go
+++ b/client/iface/wgproxy/proxy_test.go
@@ -84,12 +84,12 @@ func TestProxyCloseByRemoteConn(t *testing.T) {
 	}{
 		{
 			name:  "userspace proxy",
-			proxy: udpProxy.NewWGUDPProxy(51830),
+			proxy: udpProxy.NewWGUDPProxy(51830, 1280),
 		},
 	}

 	if runtime.GOOS == "linux" && os.Getenv("GITHUB_ACTIONS") != "true" {
-		ebpfProxy := ebpf.NewWGEBPFProxy(51831)
+		ebpfProxy := ebpf.NewWGEBPFProxy(51831, 1280)
 		if err := ebpfProxy.Listen(); err != nil {
 			t.Fatalf("failed to initialize ebpf proxy: %s", err)
 		}
--- a/client/iface/wgproxy/udp/proxy.go
+++ b/client/iface/wgproxy/udp/proxy.go
@@ -12,12 +12,14 @@ import (
 	log "github.com/sirupsen/logrus"

 	cerrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )

 // WGUDPProxy proxies
 type WGUDPProxy struct {
 	localWGListenPort int
+	mtu               uint16

 	remoteConn net.Conn
 	localConn  net.Conn
@@ -34,10 +36,11 @@ type WGUDPProxy struct {
 }

 // NewWGUDPProxy instantiate a UDP based WireGuard proxy. This is not a thread safe implementation
-func NewWGUDPProxy(wgPort int) *WGUDPProxy {
+func NewWGUDPProxy(wgPort int, mtu uint16) *WGUDPProxy {
 	log.Debugf("Initializing new user space proxy with port %d", wgPort)
 	p := &WGUDPProxy{
 		localWGListenPort: wgPort,
+		mtu:               mtu,
 		closeListener:     listener.NewCloseListener(),
 	}
 	return p
@@ -144,7 +147,7 @@ func (p *WGUDPProxy) proxyToRemote(ctx context.Context) {
 		}
 	}()

-	buf := make([]byte, 1500)
+	buf := make([]byte, p.mtu+bufsize.WGBufferOverhead)
 	for ctx.Err() == nil {
 		n, err := p.localConn.Read(buf)
 		if err != nil {
@@ -179,7 +182,7 @@ func (p *WGUDPProxy) proxyToLocal(ctx context.Context) {
 		}
 	}()

-	buf := make([]byte, 1500)
+	buf := make([]byte, p.mtu+bufsize.WGBufferOverhead)
 	for {
 		n, err := p.remoteConnRead(ctx, buf)
 		if err != nil {
--- a/client/internal/auth/device_flow_test.go
+++ b/client/internal/auth/device_flow_test.go
@@ -3,15 +3,17 @@ package auth
 import (
 	"context"
 	"fmt"
-	"github.com/golang-jwt/jwt"
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/stretchr/testify/require"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
 	"testing"
 	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/internal"
 )

 type mockHTTPClient struct {
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -18,6 +18,7 @@ import (
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"

+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
@@ -244,7 +245,15 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		c.statusRecorder.MarkSignalConnected()

 		relayURLs, token := parseRelayInfo(loginResp)
-		relayManager := relayClient.NewManager(engineCtx, relayURLs, myPrivateKey.PublicKey().String())
+		peerConfig := loginResp.GetPeerConfig()
+
+		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig)
+		if err != nil {
+			log.Error(err)
+			return wrapErr(err)
+		}
+
+		relayManager := relayClient.NewManager(engineCtx, relayURLs, myPrivateKey.PublicKey().String(), engineConfig.MTU)
 		c.statusRecorder.SetRelayMgr(relayManager)
 		if len(relayURLs) > 0 {
 			if token != nil {
@@ -259,14 +268,6 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			}
 		}

-		peerConfig := loginResp.GetPeerConfig()
-
-		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig)
-		if err != nil {
-			log.Error(err)
-			return wrapErr(err)
-		}
-
 		checks := loginResp.GetChecks()

 		c.engineMutex.Lock()
@@ -274,11 +275,12 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		c.engine.SetSyncResponsePersistence(c.persistSyncResponse)
 		c.engineMutex.Unlock()

-		if err := c.engine.Start(); err != nil {
+		if err := c.engine.Start(loginResp.GetNetbirdConfig(), c.config.ManagementURL); err != nil {
 			log.Errorf("error while starting Netbird Connection Engine: %s", err)
 			return wrapErr(err)
 		}

+
 		log.Infof("Netbird engine started, the IP is: %s", peerConfig.GetAddress())
 		state.Set(StatusConnected)

@@ -444,6 +446,8 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		BlockInbound:        config.BlockInbound,

 		LazyConnectionEnabled: config.LazyConnectionEnabled,
+
+		MTU: selectMTU(config.MTU, peerConfig.Mtu),
 	}

 	if config.PreSharedKey != "" {
@@ -466,6 +470,20 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 	return engineConf, nil
 }

+func selectMTU(localMTU uint16, peerMTU int32) uint16 {
+	var finalMTU uint16 = iface.DefaultMTU
+	if localMTU > 0 {
+		finalMTU = localMTU
+	} else if peerMTU > 0 {
+		finalMTU = uint16(peerMTU)
+	}
+
+	// Set global DNS MTU
+	dns.SetCurrentMTU(finalMTU)
+
+	return finalMTU
+}
+
 // connectToSignal creates Signal Service client and established a connection
 func connectToSignal(ctx context.Context, wtConfig *mgmProto.NetbirdConfig, ourPrivateKey wgtypes.Key) (*signal.GrpcClient, error) {
 	var sigTLSEnabled bool
--- a/client/internal/dns/config/domains.go
+++ b/client/internal/dns/config/domains.go
@@ -0,0 +1,201 @@
+package config
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"net/url"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/shared/management/domain"
+	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+)
+
+var (
+	ErrEmptyURL     = errors.New("empty URL")
+	ErrEmptyHost    = errors.New("empty host")
+	ErrIPNotAllowed = errors.New("IP address not allowed")
+)
+
+// ServerDomains represents the management server domains extracted from NetBird configuration
+type ServerDomains struct {
+	Signal domain.Domain
+	Relay  []domain.Domain
+	Flow   domain.Domain
+	Stuns  []domain.Domain
+	Turns  []domain.Domain
+}
+
+// ExtractFromNetbirdConfig extracts domain information from NetBird protobuf configuration
+func ExtractFromNetbirdConfig(config *mgmProto.NetbirdConfig) ServerDomains {
+	if config == nil {
+		return ServerDomains{}
+	}
+
+	domains := ServerDomains{}
+
+	domains.Signal = extractSignalDomain(config)
+	domains.Relay = extractRelayDomains(config)
+	domains.Flow = extractFlowDomain(config)
+	domains.Stuns = extractStunDomains(config)
+	domains.Turns = extractTurnDomains(config)
+
+	return domains
+}
+
+// ExtractValidDomain extracts a valid domain from a URL, filtering out IP addresses
+func ExtractValidDomain(rawURL string) (domain.Domain, error) {
+	if rawURL == "" {
+		return "", ErrEmptyURL
+	}
+
+	parsedURL, err := url.Parse(rawURL)
+	if err == nil {
+		if domain, err := extractFromParsedURL(parsedURL); err != nil || domain != "" {
+			return domain, err
+		}
+	}
+
+	return extractFromRawString(rawURL)
+}
+
+// extractFromParsedURL handles domain extraction from successfully parsed URLs
+func extractFromParsedURL(parsedURL *url.URL) (domain.Domain, error) {
+	if parsedURL.Hostname() != "" {
+		return extractDomainFromHost(parsedURL.Hostname())
+	}
+
+	if parsedURL.Opaque == "" || parsedURL.Scheme == "" {
+		return "", nil
+	}
+
+	// Handle URLs with opaque content (e.g., stun:host:port)
+	if strings.Contains(parsedURL.Scheme, ".") {
+		// This is likely "domain.com:port" being parsed as scheme:opaque
+		reconstructed := parsedURL.Scheme + ":" + parsedURL.Opaque
+		if host, _, err := net.SplitHostPort(reconstructed); err == nil {
+			return extractDomainFromHost(host)
+		}
+		return extractDomainFromHost(parsedURL.Scheme)
+	}
+
+	// Valid scheme with opaque content (e.g., stun:host:port)
+	host := parsedURL.Opaque
+	if queryIndex := strings.Index(host, "?"); queryIndex > 0 {
+		host = host[:queryIndex]
+	}
+
+	if hostOnly, _, err := net.SplitHostPort(host); err == nil {
+		return extractDomainFromHost(hostOnly)
+	}
+
+	return extractDomainFromHost(host)
+}
+
+// extractFromRawString handles domain extraction when URL parsing fails or returns no results
+func extractFromRawString(rawURL string) (domain.Domain, error) {
+	if host, _, err := net.SplitHostPort(rawURL); err == nil {
+		return extractDomainFromHost(host)
+	}
+
+	return extractDomainFromHost(rawURL)
+}
+
+// extractDomainFromHost extracts domain from a host string, filtering out IP addresses
+func extractDomainFromHost(host string) (domain.Domain, error) {
+	if host == "" {
+		return "", ErrEmptyHost
+	}
+
+	if _, err := netip.ParseAddr(host); err == nil {
+		return "", fmt.Errorf("%w: %s", ErrIPNotAllowed, host)
+	}
+
+	d, err := domain.FromString(host)
+	if err != nil {
+		return "", fmt.Errorf("invalid domain: %v", err)
+	}
+
+	return d, nil
+}
+
+// extractSingleDomain extracts a single domain from a URL with error logging
+func extractSingleDomain(url, serviceType string) domain.Domain {
+	if url == "" {
+		return ""
+	}
+
+	d, err := ExtractValidDomain(url)
+	if err != nil {
+		log.Debugf("Skipping %s: %v", serviceType, err)
+		return ""
+	}
+
+	return d
+}
+
+// extractMultipleDomains extracts multiple domains from URLs with error logging
+func extractMultipleDomains(urls []string, serviceType string) []domain.Domain {
+	var domains []domain.Domain
+	for _, url := range urls {
+		if url == "" {
+			continue
+		}
+		d, err := ExtractValidDomain(url)
+		if err != nil {
+			log.Debugf("Skipping %s: %v", serviceType, err)
+			continue
+		}
+		domains = append(domains, d)
+	}
+	return domains
+}
+
+// extractSignalDomain extracts the signal domain from NetBird configuration.
+func extractSignalDomain(config *mgmProto.NetbirdConfig) domain.Domain {
+	if config.Signal != nil {
+		return extractSingleDomain(config.Signal.Uri, "signal")
+	}
+	return ""
+}
+
+// extractRelayDomains extracts relay server domains from NetBird configuration.
+func extractRelayDomains(config *mgmProto.NetbirdConfig) []domain.Domain {
+	if config.Relay != nil {
+		return extractMultipleDomains(config.Relay.Urls, "relay")
+	}
+	return nil
+}
+
+// extractFlowDomain extracts the traffic flow domain from NetBird configuration.
+func extractFlowDomain(config *mgmProto.NetbirdConfig) domain.Domain {
+	if config.Flow != nil {
+		return extractSingleDomain(config.Flow.Url, "flow")
+	}
+	return ""
+}
+
+// extractStunDomains extracts STUN server domains from NetBird configuration.
+func extractStunDomains(config *mgmProto.NetbirdConfig) []domain.Domain {
+	var urls []string
+	for _, stun := range config.Stuns {
+		if stun != nil && stun.Uri != "" {
+			urls = append(urls, stun.Uri)
+		}
+	}
+	return extractMultipleDomains(urls, "STUN")
+}
+
+// extractTurnDomains extracts TURN server domains from NetBird configuration.
+func extractTurnDomains(config *mgmProto.NetbirdConfig) []domain.Domain {
+	var urls []string
+	for _, turn := range config.Turns {
+		if turn != nil && turn.HostConfig != nil && turn.HostConfig.Uri != "" {
+			urls = append(urls, turn.HostConfig.Uri)
+		}
+	}
+	return extractMultipleDomains(urls, "TURN")
+}
--- a/client/internal/dns/config/domains_test.go
+++ b/client/internal/dns/config/domains_test.go
@@ -0,0 +1,213 @@
+package config
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestExtractValidDomain(t *testing.T) {
+	tests := []struct {
+		name        string
+		url         string
+		expected    string
+		expectError bool
+	}{
+		{
+			name:     "HTTPS URL with port",
+			url:      "https://api.netbird.io:443",
+			expected: "api.netbird.io",
+		},
+		{
+			name:     "HTTP URL without port",
+			url:      "http://signal.example.com",
+			expected: "signal.example.com",
+		},
+		{
+			name:     "Host with port (no scheme)",
+			url:      "signal.netbird.io:443",
+			expected: "signal.netbird.io",
+		},
+		{
+			name:     "STUN URL",
+			url:      "stun:stun.netbird.io:443",
+			expected: "stun.netbird.io",
+		},
+		{
+			name:     "STUN URL with different port",
+			url:      "stun:stun.netbird.io:5555",
+			expected: "stun.netbird.io",
+		},
+		{
+			name:     "TURNS URL with query params",
+			url:      "turns:turn.netbird.io:443?transport=tcp",
+			expected: "turn.netbird.io",
+		},
+		{
+			name:     "TURN URL",
+			url:      "turn:turn.example.com:3478",
+			expected: "turn.example.com",
+		},
+		{
+			name:     "REL URL",
+			url:      "rel://relay.example.com:443",
+			expected: "relay.example.com",
+		},
+		{
+			name:     "RELS URL",
+			url:      "rels://relay.netbird.io:443",
+			expected: "relay.netbird.io",
+		},
+		{
+			name:     "Raw hostname",
+			url:      "example.org",
+			expected: "example.org",
+		},
+		{
+			name:        "IP address should be rejected",
+			url:         "192.168.1.1",
+			expectError: true,
+		},
+		{
+			name:        "IP address with port should be rejected",
+			url:         "192.168.1.1:443",
+			expectError: true,
+		},
+		{
+			name:        "IPv6 address should be rejected",
+			url:         "2001:db8::1",
+			expectError: true,
+		},
+		{
+			name:        "HTTP URL with IPv4 should be rejected",
+			url:         "http://192.168.1.1:8080",
+			expectError: true,
+		},
+		{
+			name:        "HTTPS URL with IPv4 should be rejected",
+			url:         "https://10.0.0.1:443",
+			expectError: true,
+		},
+		{
+			name:        "STUN URL with IPv4 should be rejected",
+			url:         "stun:192.168.1.1:3478",
+			expectError: true,
+		},
+		{
+			name:        "TURN URL with IPv4 should be rejected",
+			url:         "turn:10.0.0.1:3478",
+			expectError: true,
+		},
+		{
+			name:        "TURNS URL with IPv4 should be rejected",
+			url:         "turns:172.16.0.1:5349",
+			expectError: true,
+		},
+		{
+			name:        "HTTP URL with IPv6 should be rejected",
+			url:         "http://[2001:db8::1]:8080",
+			expectError: true,
+		},
+		{
+			name:        "HTTPS URL with IPv6 should be rejected",
+			url:         "https://[::1]:443",
+			expectError: true,
+		},
+		{
+			name:        "STUN URL with IPv6 should be rejected",
+			url:         "stun:[2001:db8::1]:3478",
+			expectError: true,
+		},
+		{
+			name:        "IPv6 with port should be rejected",
+			url:         "[2001:db8::1]:443",
+			expectError: true,
+		},
+		{
+			name:        "Localhost IPv4 should be rejected",
+			url:         "127.0.0.1:8080",
+			expectError: true,
+		},
+		{
+			name:        "Localhost IPv6 should be rejected",
+			url:         "[::1]:443",
+			expectError: true,
+		},
+		{
+			name:        "REL URL with IPv4 should be rejected",
+			url:         "rel://192.168.1.1:443",
+			expectError: true,
+		},
+		{
+			name:        "RELS URL with IPv4 should be rejected",
+			url:         "rels://10.0.0.1:443",
+			expectError: true,
+		},
+		{
+			name:        "Empty URL",
+			url:         "",
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := ExtractValidDomain(tt.url)
+
+			if tt.expectError {
+				assert.Error(t, err, "Expected error for URL: %s", tt.url)
+			} else {
+				assert.NoError(t, err, "Unexpected error for URL: %s", tt.url)
+				assert.Equal(t, tt.expected, result.SafeString(), "Domain mismatch for URL: %s", tt.url)
+			}
+		})
+	}
+}
+
+func TestExtractDomainFromHost(t *testing.T) {
+	tests := []struct {
+		name        string
+		host        string
+		expected    string
+		expectError bool
+	}{
+		{
+			name:     "Valid domain",
+			host:     "example.com",
+			expected: "example.com",
+		},
+		{
+			name:     "Subdomain",
+			host:     "api.example.com",
+			expected: "api.example.com",
+		},
+		{
+			name:        "IPv4 address",
+			host:        "192.168.1.1",
+			expectError: true,
+		},
+		{
+			name:        "IPv6 address",
+			host:        "2001:db8::1",
+			expectError: true,
+		},
+		{
+			name:        "Empty host",
+			host:        "",
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := extractDomainFromHost(tt.host)
+
+			if tt.expectError {
+				assert.Error(t, err, "Expected error for host: %s", tt.host)
+			} else {
+				assert.NoError(t, err, "Unexpected error for host: %s", tt.host)
+				assert.Equal(t, tt.expected, result.SafeString(), "Domain mismatch for host: %s", tt.host)
+			}
+		})
+	}
+}
--- a/client/internal/dns/handler_chain.go
+++ b/client/internal/dns/handler_chain.go
@@ -11,11 +11,12 @@ import (
 )

 const (
-	PriorityLocal    = 100
-	PriorityDNSRoute = 75
-	PriorityUpstream = 50
-	PriorityDefault  = 1
-	PriorityFallback = -100
+	PriorityMgmtCache = 150
+	PriorityLocal     = 100
+	PriorityDNSRoute  = 75
+	PriorityUpstream  = 50
+	PriorityDefault   = 1
+	PriorityFallback  = -100
 )

 type SubdomainMatcher interface {
@@ -182,7 +183,10 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {

 			// If handler wants to continue, try next handler
 			if chainWriter.shouldContinue {
-				log.Tracef("handler requested continue to next handler for domain=%s", qname)
+				// Only log continue for non-management cache handlers to reduce noise
+				if entry.Priority != PriorityMgmtCache {
+					log.Tracef("handler requested continue to next handler for domain=%s", qname)
+				}
 				continue
 			}
 			return
--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -166,9 +166,10 @@ func (s *systemConfigurator) removeKeyFromSystemConfig(key string) error {

 func (s *systemConfigurator) addLocalDNS() error {
 	if !s.systemDNSSettings.ServerIP.IsValid() || len(s.systemDNSSettings.Domains) == 0 {
-		err := s.recordSystemDNSSettings(true)
-		log.Errorf("Unable to get system DNS configuration")
-		return err
+		if err := s.recordSystemDNSSettings(true); err != nil {
+			log.Errorf("Unable to get system DNS configuration")
+			return fmt.Errorf("recordSystemDNSSettings(): %w", err)
+		}
 	}
 	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
 	if s.systemDNSSettings.ServerIP.IsValid() && len(s.systemDNSSettings.Domains) != 0 {
--- a/client/internal/dns/local/local.go
+++ b/client/internal/dns/local/local.go
@@ -34,7 +34,7 @@ func (d *Resolver) MatchSubdomains() bool {

 // String returns a string representation of the local resolver
 func (d *Resolver) String() string {
-	return fmt.Sprintf("local resolver [%d records]", len(d.records))
+	return fmt.Sprintf("LocalResolver [%d records]", len(d.records))
 }

 func (d *Resolver) Stop() {}
--- a/client/internal/dns/mgmt/mgmt.go
+++ b/client/internal/dns/mgmt/mgmt.go
@@ -0,0 +1,360 @@
+package mgmt
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/url"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/miekg/dns"
+	log "github.com/sirupsen/logrus"
+
+	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
+	"github.com/netbirdio/netbird/shared/management/domain"
+)
+
+const dnsTimeout = 5 * time.Second
+
+// Resolver caches critical NetBird infrastructure domains
+type Resolver struct {
+	records       map[dns.Question][]dns.RR
+	mgmtDomain    *domain.Domain
+	serverDomains *dnsconfig.ServerDomains
+	mutex         sync.RWMutex
+}
+
+// NewResolver creates a new management domains cache resolver.
+func NewResolver() *Resolver {
+	return &Resolver{
+		records: make(map[dns.Question][]dns.RR),
+	}
+}
+
+// String returns a string representation of the resolver.
+func (m *Resolver) String() string {
+	return "MgmtCacheResolver"
+}
+
+// ServeDNS implements dns.Handler interface.
+func (m *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	if len(r.Question) == 0 {
+		m.continueToNext(w, r)
+		return
+	}
+
+	question := r.Question[0]
+	question.Name = strings.ToLower(dns.Fqdn(question.Name))
+
+	if question.Qtype != dns.TypeA && question.Qtype != dns.TypeAAAA {
+		m.continueToNext(w, r)
+		return
+	}
+
+	m.mutex.RLock()
+	records, found := m.records[question]
+	m.mutex.RUnlock()
+
+	if !found {
+		m.continueToNext(w, r)
+		return
+	}
+
+	resp := &dns.Msg{}
+	resp.SetReply(r)
+	resp.Authoritative = false
+	resp.RecursionAvailable = true
+
+	resp.Answer = append(resp.Answer, records...)
+
+	log.Debugf("serving %d cached records for domain=%s", len(resp.Answer), question.Name)
+
+	if err := w.WriteMsg(resp); err != nil {
+		log.Errorf("failed to write response: %v", err)
+	}
+}
+
+// MatchSubdomains returns false since this resolver only handles exact domain matches
+// for NetBird infrastructure domains (signal, relay, flow, etc.), not their subdomains.
+func (m *Resolver) MatchSubdomains() bool {
+	return false
+}
+
+// continueToNext signals the handler chain to continue to the next handler.
+func (m *Resolver) continueToNext(w dns.ResponseWriter, r *dns.Msg) {
+	resp := &dns.Msg{}
+	resp.SetRcode(r, dns.RcodeNameError)
+	resp.MsgHdr.Zero = true
+	if err := w.WriteMsg(resp); err != nil {
+		log.Errorf("failed to write continue signal: %v", err)
+	}
+}
+
+// AddDomain manually adds a domain to cache by resolving it.
+func (m *Resolver) AddDomain(ctx context.Context, d domain.Domain) error {
+	dnsName := strings.ToLower(dns.Fqdn(d.PunycodeString()))
+
+	ctx, cancel := context.WithTimeout(ctx, dnsTimeout)
+	defer cancel()
+
+	ips, err := net.DefaultResolver.LookupNetIP(ctx, "ip", d.PunycodeString())
+	if err != nil {
+		return fmt.Errorf("resolve domain %s: %w", d.SafeString(), err)
+	}
+
+	var aRecords, aaaaRecords []dns.RR
+	for _, ip := range ips {
+		if ip.Is4() {
+			rr := &dns.A{
+				Hdr: dns.RR_Header{
+					Name:   dnsName,
+					Rrtype: dns.TypeA,
+					Class:  dns.ClassINET,
+					Ttl:    300,
+				},
+				A: ip.AsSlice(),
+			}
+			aRecords = append(aRecords, rr)
+		} else if ip.Is6() {
+			rr := &dns.AAAA{
+				Hdr: dns.RR_Header{
+					Name:   dnsName,
+					Rrtype: dns.TypeAAAA,
+					Class:  dns.ClassINET,
+					Ttl:    300,
+				},
+				AAAA: ip.AsSlice(),
+			}
+			aaaaRecords = append(aaaaRecords, rr)
+		}
+	}
+
+	m.mutex.Lock()
+
+	if len(aRecords) > 0 {
+		aQuestion := dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeA,
+			Qclass: dns.ClassINET,
+		}
+		m.records[aQuestion] = aRecords
+	}
+
+	if len(aaaaRecords) > 0 {
+		aaaaQuestion := dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeAAAA,
+			Qclass: dns.ClassINET,
+		}
+		m.records[aaaaQuestion] = aaaaRecords
+	}
+
+	m.mutex.Unlock()
+
+	log.Debugf("added domain=%s with %d A records and %d AAAA records",
+		d.SafeString(), len(aRecords), len(aaaaRecords))
+
+	return nil
+}
+
+// PopulateFromConfig extracts and caches domains from the client configuration.
+func (m *Resolver) PopulateFromConfig(ctx context.Context, mgmtURL *url.URL) error {
+	if mgmtURL == nil {
+		return nil
+	}
+
+	d, err := dnsconfig.ExtractValidDomain(mgmtURL.String())
+	if err != nil {
+		return fmt.Errorf("extract domain from URL: %w", err)
+	}
+
+	m.mutex.Lock()
+	m.mgmtDomain = &d
+	m.mutex.Unlock()
+
+	if err := m.AddDomain(ctx, d); err != nil {
+		return fmt.Errorf("add domain: %w", err)
+	}
+
+	return nil
+}
+
+// RemoveDomain removes a domain from the cache.
+func (m *Resolver) RemoveDomain(d domain.Domain) error {
+	dnsName := strings.ToLower(dns.Fqdn(d.PunycodeString()))
+
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	aQuestion := dns.Question{
+		Name:   dnsName,
+		Qtype:  dns.TypeA,
+		Qclass: dns.ClassINET,
+	}
+	delete(m.records, aQuestion)
+
+	aaaaQuestion := dns.Question{
+		Name:   dnsName,
+		Qtype:  dns.TypeAAAA,
+		Qclass: dns.ClassINET,
+	}
+	delete(m.records, aaaaQuestion)
+
+	log.Debugf("removed domain=%s from cache", d.SafeString())
+	return nil
+}
+
+// GetCachedDomains returns a list of all cached domains.
+func (m *Resolver) GetCachedDomains() domain.List {
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()
+
+	domainSet := make(map[domain.Domain]struct{})
+	for question := range m.records {
+		domainName := strings.TrimSuffix(question.Name, ".")
+		domainSet[domain.Domain(domainName)] = struct{}{}
+	}
+
+	domains := make(domain.List, 0, len(domainSet))
+	for d := range domainSet {
+		domains = append(domains, d)
+	}
+
+	return domains
+}
+
+// UpdateFromServerDomains updates the cache with server domains from network configuration.
+// It merges new domains with existing ones, replacing entire domain types when updated.
+// Empty updates are ignored to prevent clearing infrastructure domains during partial updates.
+func (m *Resolver) UpdateFromServerDomains(ctx context.Context, serverDomains dnsconfig.ServerDomains) (domain.List, error) {
+	newDomains := m.extractDomainsFromServerDomains(serverDomains)
+	var removedDomains domain.List
+
+	if len(newDomains) > 0 {
+		m.mutex.Lock()
+		if m.serverDomains == nil {
+			m.serverDomains = &dnsconfig.ServerDomains{}
+		}
+		updatedServerDomains := m.mergeServerDomains(*m.serverDomains, serverDomains)
+		m.serverDomains = &updatedServerDomains
+		m.mutex.Unlock()
+
+		allDomains := m.extractDomainsFromServerDomains(updatedServerDomains)
+		currentDomains := m.GetCachedDomains()
+		removedDomains = m.removeStaleDomains(currentDomains, allDomains)
+	}
+
+	m.addNewDomains(ctx, newDomains)
+
+	return removedDomains, nil
+}
+
+// removeStaleDomains removes cached domains not present in the target domain list.
+// Management domains are preserved and never removed during server domain updates.
+func (m *Resolver) removeStaleDomains(currentDomains, newDomains domain.List) domain.List {
+	var removedDomains domain.List
+
+	for _, currentDomain := range currentDomains {
+		if m.isDomainInList(currentDomain, newDomains) {
+			continue
+		}
+
+		if m.isManagementDomain(currentDomain) {
+			continue
+		}
+
+		removedDomains = append(removedDomains, currentDomain)
+		if err := m.RemoveDomain(currentDomain); err != nil {
+			log.Warnf("failed to remove domain=%s: %v", currentDomain.SafeString(), err)
+		}
+	}
+
+	return removedDomains
+}
+
+// mergeServerDomains merges new server domains with existing ones.
+// When a domain type is provided in the new domains, it completely replaces that type.
+func (m *Resolver) mergeServerDomains(existing, incoming dnsconfig.ServerDomains) dnsconfig.ServerDomains {
+	merged := existing
+
+	if incoming.Signal != "" {
+		merged.Signal = incoming.Signal
+	}
+	if len(incoming.Relay) > 0 {
+		merged.Relay = incoming.Relay
+	}
+	if incoming.Flow != "" {
+		merged.Flow = incoming.Flow
+	}
+	if len(incoming.Stuns) > 0 {
+		merged.Stuns = incoming.Stuns
+	}
+	if len(incoming.Turns) > 0 {
+		merged.Turns = incoming.Turns
+	}
+
+	return merged
+}
+
+// isDomainInList checks if domain exists in the list
+func (m *Resolver) isDomainInList(domain domain.Domain, list domain.List) bool {
+	for _, d := range list {
+		if domain.SafeString() == d.SafeString() {
+			return true
+		}
+	}
+	return false
+}
+
+// isManagementDomain checks if domain is the protected management domain
+func (m *Resolver) isManagementDomain(domain domain.Domain) bool {
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()
+
+	return m.mgmtDomain != nil && domain == *m.mgmtDomain
+}
+
+// addNewDomains resolves and caches all domains from the update
+func (m *Resolver) addNewDomains(ctx context.Context, newDomains domain.List) {
+	for _, newDomain := range newDomains {
+		if err := m.AddDomain(ctx, newDomain); err != nil {
+			log.Warnf("failed to add/update domain=%s: %v", newDomain.SafeString(), err)
+		} else {
+			log.Debugf("added/updated management cache domain=%s", newDomain.SafeString())
+		}
+	}
+}
+
+func (m *Resolver) extractDomainsFromServerDomains(serverDomains dnsconfig.ServerDomains) domain.List {
+	var domains domain.List
+
+	if serverDomains.Signal != "" {
+		domains = append(domains, serverDomains.Signal)
+	}
+
+	for _, relay := range serverDomains.Relay {
+		if relay != "" {
+			domains = append(domains, relay)
+		}
+	}
+
+	if serverDomains.Flow != "" {
+		domains = append(domains, serverDomains.Flow)
+	}
+
+	for _, stun := range serverDomains.Stuns {
+		if stun != "" {
+			domains = append(domains, stun)
+		}
+	}
+
+	for _, turn := range serverDomains.Turns {
+		if turn != "" {
+			domains = append(domains, turn)
+		}
+	}
+
+	return domains
+}
--- a/client/internal/dns/mgmt/mgmt_test.go
+++ b/client/internal/dns/mgmt/mgmt_test.go
@@ -0,0 +1,416 @@
+package mgmt
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+
+	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
+	"github.com/netbirdio/netbird/client/internal/dns/test"
+	"github.com/netbirdio/netbird/shared/management/domain"
+)
+
+func TestResolver_NewResolver(t *testing.T) {
+	resolver := NewResolver()
+
+	assert.NotNil(t, resolver)
+	assert.NotNil(t, resolver.records)
+	assert.False(t, resolver.MatchSubdomains())
+}
+
+func TestResolver_ExtractDomainFromURL(t *testing.T) {
+	tests := []struct {
+		name        string
+		urlStr      string
+		expectedDom string
+		expectError bool
+	}{
+		{
+			name:        "HTTPS URL with port",
+			urlStr:      "https://api.netbird.io:443",
+			expectedDom: "api.netbird.io",
+			expectError: false,
+		},
+		{
+			name:        "HTTP URL without port",
+			urlStr:      "http://signal.example.com",
+			expectedDom: "signal.example.com",
+			expectError: false,
+		},
+		{
+			name:        "URL with path",
+			urlStr:      "https://relay.netbird.io/status",
+			expectedDom: "relay.netbird.io",
+			expectError: false,
+		},
+		{
+			name:        "Invalid URL",
+			urlStr:      "not-a-valid-url",
+			expectedDom: "not-a-valid-url",
+			expectError: false,
+		},
+		{
+			name:        "Empty URL",
+			urlStr:      "",
+			expectedDom: "",
+			expectError: true,
+		},
+		{
+			name:        "STUN URL",
+			urlStr:      "stun:stun.example.com:3478",
+			expectedDom: "stun.example.com",
+			expectError: false,
+		},
+		{
+			name:        "TURN URL",
+			urlStr:      "turn:turn.example.com:3478",
+			expectedDom: "turn.example.com",
+			expectError: false,
+		},
+		{
+			name:        "REL URL",
+			urlStr:      "rel://relay.example.com:443",
+			expectedDom: "relay.example.com",
+			expectError: false,
+		},
+		{
+			name:        "RELS URL",
+			urlStr:      "rels://relay.example.com:443",
+			expectedDom: "relay.example.com",
+			expectError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var parsedURL *url.URL
+			var err error
+
+			if tt.urlStr != "" {
+				parsedURL, err = url.Parse(tt.urlStr)
+				if err != nil && !tt.expectError {
+					t.Fatalf("Failed to parse URL: %v", err)
+				}
+			}
+
+			domain, err := extractDomainFromURL(parsedURL)
+
+			if tt.expectError {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.expectedDom, domain.SafeString())
+			}
+		})
+	}
+}
+
+func TestResolver_PopulateFromConfig(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	resolver := NewResolver()
+
+	// Test with IP address - should return error since IP addresses are rejected
+	mgmtURL, _ := url.Parse("https://127.0.0.1")
+
+	err := resolver.PopulateFromConfig(ctx, mgmtURL)
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, dnsconfig.ErrIPNotAllowed)
+
+	// No domains should be cached when using IP addresses
+	domains := resolver.GetCachedDomains()
+	assert.Equal(t, 0, len(domains), "No domains should be cached when using IP addresses")
+}
+
+func TestResolver_ServeDNS(t *testing.T) {
+	resolver := NewResolver()
+	ctx := context.Background()
+
+	// Add a test domain to the cache - use example.org which is reserved for testing
+	testDomain, err := domain.FromString("example.org")
+	if err != nil {
+		t.Fatalf("Failed to create domain: %v", err)
+	}
+	err = resolver.AddDomain(ctx, testDomain)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+
+	// Test A record query for cached domain
+	t.Run("Cached domain A record", func(t *testing.T) {
+		var capturedMsg *dns.Msg
+		mockWriter := &test.MockResponseWriter{
+			WriteMsgFunc: func(m *dns.Msg) error {
+				capturedMsg = m
+				return nil
+			},
+		}
+
+		req := new(dns.Msg)
+		req.SetQuestion("example.org.", dns.TypeA)
+
+		resolver.ServeDNS(mockWriter, req)
+
+		assert.NotNil(t, capturedMsg)
+		assert.Equal(t, dns.RcodeSuccess, capturedMsg.Rcode)
+		assert.True(t, len(capturedMsg.Answer) > 0, "Should have at least one answer")
+	})
+
+	// Test uncached domain signals to continue to next handler
+	t.Run("Uncached domain signals continue to next handler", func(t *testing.T) {
+		var capturedMsg *dns.Msg
+		mockWriter := &test.MockResponseWriter{
+			WriteMsgFunc: func(m *dns.Msg) error {
+				capturedMsg = m
+				return nil
+			},
+		}
+
+		req := new(dns.Msg)
+		req.SetQuestion("unknown.example.com.", dns.TypeA)
+
+		resolver.ServeDNS(mockWriter, req)
+
+		assert.NotNil(t, capturedMsg)
+		assert.Equal(t, dns.RcodeNameError, capturedMsg.Rcode)
+		// Zero flag set to true signals the handler chain to continue to next handler
+		assert.True(t, capturedMsg.MsgHdr.Zero, "Zero flag should be set to signal continuation to next handler")
+		assert.Empty(t, capturedMsg.Answer, "Should have no answers for uncached domain")
+	})
+
+	// Test that subdomains of cached domains are NOT resolved
+	t.Run("Subdomains of cached domains are not resolved", func(t *testing.T) {
+		var capturedMsg *dns.Msg
+		mockWriter := &test.MockResponseWriter{
+			WriteMsgFunc: func(m *dns.Msg) error {
+				capturedMsg = m
+				return nil
+			},
+		}
+
+		// Query for a subdomain of our cached domain
+		req := new(dns.Msg)
+		req.SetQuestion("sub.example.org.", dns.TypeA)
+
+		resolver.ServeDNS(mockWriter, req)
+
+		assert.NotNil(t, capturedMsg)
+		assert.Equal(t, dns.RcodeNameError, capturedMsg.Rcode)
+		assert.True(t, capturedMsg.MsgHdr.Zero, "Should signal continuation to next handler for subdomains")
+		assert.Empty(t, capturedMsg.Answer, "Should have no answers for subdomains")
+	})
+
+	// Test case-insensitive matching
+	t.Run("Case-insensitive domain matching", func(t *testing.T) {
+		var capturedMsg *dns.Msg
+		mockWriter := &test.MockResponseWriter{
+			WriteMsgFunc: func(m *dns.Msg) error {
+				capturedMsg = m
+				return nil
+			},
+		}
+
+		// Query with different casing
+		req := new(dns.Msg)
+		req.SetQuestion("EXAMPLE.ORG.", dns.TypeA)
+
+		resolver.ServeDNS(mockWriter, req)
+
+		assert.NotNil(t, capturedMsg)
+		assert.Equal(t, dns.RcodeSuccess, capturedMsg.Rcode)
+		assert.True(t, len(capturedMsg.Answer) > 0, "Should resolve regardless of case")
+	})
+}
+
+func TestResolver_GetCachedDomains(t *testing.T) {
+	resolver := NewResolver()
+	ctx := context.Background()
+
+	testDomain, err := domain.FromString("example.org")
+	if err != nil {
+		t.Fatalf("Failed to create domain: %v", err)
+	}
+	err = resolver.AddDomain(ctx, testDomain)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+
+	cachedDomains := resolver.GetCachedDomains()
+
+	assert.Equal(t, 1, len(cachedDomains), "Should return exactly one domain for single added domain")
+	assert.Equal(t, testDomain.SafeString(), cachedDomains[0].SafeString(), "Cached domain should match original")
+	assert.False(t, strings.HasSuffix(cachedDomains[0].PunycodeString(), "."), "Domain should not have trailing dot")
+}
+
+func TestResolver_ManagementDomainProtection(t *testing.T) {
+	resolver := NewResolver()
+	ctx := context.Background()
+
+	mgmtURL, _ := url.Parse("https://example.org")
+	err := resolver.PopulateFromConfig(ctx, mgmtURL)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+
+	initialDomains := resolver.GetCachedDomains()
+	if len(initialDomains) == 0 {
+		t.Skip("Management domain failed to resolve, skipping test")
+	}
+	assert.Equal(t, 1, len(initialDomains), "Should have management domain cached")
+	assert.Equal(t, "example.org", initialDomains[0].SafeString())
+
+	serverDomains := dnsconfig.ServerDomains{
+		Signal: "google.com",
+		Relay:  []domain.Domain{"cloudflare.com"},
+	}
+
+	_, err = resolver.UpdateFromServerDomains(ctx, serverDomains)
+	if err != nil {
+		t.Logf("Server domains update failed: %v", err)
+	}
+
+	finalDomains := resolver.GetCachedDomains()
+
+	managementStillCached := false
+	for _, d := range finalDomains {
+		if d.SafeString() == "example.org" {
+			managementStillCached = true
+			break
+		}
+	}
+	assert.True(t, managementStillCached, "Management domain should never be removed")
+}
+
+// extractDomainFromURL extracts a domain from a URL - test helper function
+func extractDomainFromURL(u *url.URL) (domain.Domain, error) {
+	if u == nil {
+		return "", fmt.Errorf("URL is nil")
+	}
+	return dnsconfig.ExtractValidDomain(u.String())
+}
+
+func TestResolver_EmptyUpdateDoesNotRemoveDomains(t *testing.T) {
+	resolver := NewResolver()
+	ctx := context.Background()
+
+	// Set up initial domains using resolvable domains
+	initialDomains := dnsconfig.ServerDomains{
+		Signal: "example.org",
+		Stuns:  []domain.Domain{"google.com"},
+		Turns:  []domain.Domain{"cloudflare.com"},
+	}
+
+	// Add initial domains
+	_, err := resolver.UpdateFromServerDomains(ctx, initialDomains)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+
+	// Verify domains were added
+	cachedDomains := resolver.GetCachedDomains()
+	assert.Len(t, cachedDomains, 3)
+
+	// Update with empty ServerDomains (simulating partial network map update)
+	emptyDomains := dnsconfig.ServerDomains{}
+	removedDomains, err := resolver.UpdateFromServerDomains(ctx, emptyDomains)
+	assert.NoError(t, err)
+
+	// Verify no domains were removed
+	assert.Len(t, removedDomains, 0, "No domains should be removed when update is empty")
+
+	// Verify all original domains are still cached
+	finalDomains := resolver.GetCachedDomains()
+	assert.Len(t, finalDomains, 3, "All original domains should still be cached")
+}
+
+func TestResolver_PartialUpdateReplacesOnlyUpdatedTypes(t *testing.T) {
+	resolver := NewResolver()
+	ctx := context.Background()
+
+	// Set up initial complete domains using resolvable domains
+	initialDomains := dnsconfig.ServerDomains{
+		Signal: "example.org",
+		Stuns:  []domain.Domain{"google.com"},
+		Turns:  []domain.Domain{"cloudflare.com"},
+	}
+
+	// Add initial domains
+	_, err := resolver.UpdateFromServerDomains(ctx, initialDomains)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+	assert.Len(t, resolver.GetCachedDomains(), 3)
+
+	// Update with partial ServerDomains (only signal domain - this should replace signal but preserve stun/turn)
+	partialDomains := dnsconfig.ServerDomains{
+		Signal: "github.com",
+	}
+	removedDomains, err := resolver.UpdateFromServerDomains(ctx, partialDomains)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+
+	// Should remove only the old signal domain
+	assert.Len(t, removedDomains, 1, "Should remove only the old signal domain")
+	assert.Equal(t, "example.org", removedDomains[0].SafeString())
+
+	finalDomains := resolver.GetCachedDomains()
+	assert.Len(t, finalDomains, 3, "Should have new signal plus preserved stun/turn domains")
+
+	domainStrings := make([]string, len(finalDomains))
+	for i, d := range finalDomains {
+		domainStrings[i] = d.SafeString()
+	}
+	assert.Contains(t, domainStrings, "github.com")
+	assert.Contains(t, domainStrings, "google.com")
+	assert.Contains(t, domainStrings, "cloudflare.com")
+	assert.NotContains(t, domainStrings, "example.org")
+}
+
+func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
+	resolver := NewResolver()
+	ctx := context.Background()
+
+	// Set up initial complete domains using resolvable domains
+	initialDomains := dnsconfig.ServerDomains{
+		Signal: "example.org",
+		Stuns:  []domain.Domain{"google.com"},
+		Turns:  []domain.Domain{"cloudflare.com"},
+	}
+
+	// Add initial domains
+	_, err := resolver.UpdateFromServerDomains(ctx, initialDomains)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+	assert.Len(t, resolver.GetCachedDomains(), 3)
+
+	// Update with partial ServerDomains (only flow domain - new type, should preserve all existing)
+	partialDomains := dnsconfig.ServerDomains{
+		Flow: "github.com",
+	}
+	removedDomains, err := resolver.UpdateFromServerDomains(ctx, partialDomains)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+
+	assert.Len(t, removedDomains, 0, "Should not remove any domains when adding new type")
+
+	finalDomains := resolver.GetCachedDomains()
+	assert.Len(t, finalDomains, 4, "Should have all original domains plus new flow domain")
+
+	domainStrings := make([]string, len(finalDomains))
+	for i, d := range finalDomains {
+		domainStrings[i] = d.SafeString()
+	}
+	assert.Contains(t, domainStrings, "example.org")
+	assert.Contains(t, domainStrings, "google.com")
+	assert.Contains(t, domainStrings, "cloudflare.com")
+	assert.Contains(t, domainStrings, "github.com")
+}
--- a/client/internal/dns/mock_server.go
+++ b/client/internal/dns/mock_server.go
@@ -3,20 +3,23 @@ package dns
 import (
 	"fmt"
 	"net/netip"
+	"net/url"

 	"github.com/miekg/dns"

+	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )

 // MockServer is the mock instance of a dns server
 type MockServer struct {
-	InitializeFunc        func() error
-	StopFunc              func()
-	UpdateDNSServerFunc   func(serial uint64, update nbdns.Config) error
-	RegisterHandlerFunc   func(domain.List, dns.Handler, int)
-	DeregisterHandlerFunc func(domain.List, int)
+	InitializeFunc         func() error
+	StopFunc               func()
+	UpdateDNSServerFunc    func(serial uint64, update nbdns.Config) error
+	RegisterHandlerFunc    func(domain.List, dns.Handler, int)
+	DeregisterHandlerFunc  func(domain.List, int)
+	UpdateServerConfigFunc func(domains dnsconfig.ServerDomains) error
 }

 func (m *MockServer) RegisterHandler(domains domain.List, handler dns.Handler, priority int) {
@@ -70,3 +73,14 @@ func (m *MockServer) SearchDomains() []string {
 // ProbeAvailability mocks implementation of ProbeAvailability from the Server interface
 func (m *MockServer) ProbeAvailability() {
 }
+
+func (m *MockServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
+	if m.UpdateServerConfigFunc != nil {
+		return m.UpdateServerConfigFunc(domains)
+	}
+	return nil
+}
+
+func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
+	return nil
+}
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
+	"net/url"
 	"runtime"
 	"strings"
 	"sync"
@@ -15,7 +16,9 @@ import (
 	"golang.org/x/exp/maps"

 	"github.com/netbirdio/netbird/client/iface/netstack"
+	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	"github.com/netbirdio/netbird/client/internal/dns/local"
+	"github.com/netbirdio/netbird/client/internal/dns/mgmt"
 	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -45,6 +48,8 @@ type Server interface {
 	OnUpdatedHostDNSServer(addrs []netip.AddrPort)
 	SearchDomains() []string
 	ProbeAvailability()
+	UpdateServerConfig(domains dnsconfig.ServerDomains) error
+	PopulateManagementDomain(mgmtURL *url.URL) error
 }

 type nsGroupsByDomain struct {
@@ -77,6 +82,8 @@ type DefaultServer struct {
 	handlerChain       *HandlerChain
 	extraDomains       map[domain.Domain]int

+	mgmtCacheResolver *mgmt.Resolver
+
 	// permanent related properties
 	permanent      bool
 	hostsDNSHolder *hostsDNSHolder
@@ -104,18 +111,20 @@ type handlerWrapper struct {

 type registeredHandlerMap map[types.HandlerID]handlerWrapper

+// DefaultServerConfig holds configuration parameters for NewDefaultServer
+type DefaultServerConfig struct {
+	WgInterface    WGIface
+	CustomAddress  string
+	StatusRecorder *peer.Status
+	StateManager   *statemanager.Manager
+	DisableSys     bool
+}
+
 // NewDefaultServer returns a new dns server
-func NewDefaultServer(
-	ctx context.Context,
-	wgInterface WGIface,
-	customAddress string,
-	statusRecorder *peer.Status,
-	stateManager *statemanager.Manager,
-	disableSys bool,
-) (*DefaultServer, error) {
+func NewDefaultServer(ctx context.Context, config DefaultServerConfig) (*DefaultServer, error) {
 	var addrPort *netip.AddrPort
-	if customAddress != "" {
-		parsedAddrPort, err := netip.ParseAddrPort(customAddress)
+	if config.CustomAddress != "" {
+		parsedAddrPort, err := netip.ParseAddrPort(config.CustomAddress)
 		if err != nil {
 			return nil, fmt.Errorf("unable to parse the custom dns address, got error: %s", err)
 		}
@@ -123,13 +132,14 @@ func NewDefaultServer(
 	}

 	var dnsService service
-	if wgInterface.IsUserspaceBind() {
-		dnsService = NewServiceViaMemory(wgInterface)
+	if config.WgInterface.IsUserspaceBind() {
+		dnsService = NewServiceViaMemory(config.WgInterface)
 	} else {
-		dnsService = newServiceViaListener(wgInterface, addrPort)
+		dnsService = newServiceViaListener(config.WgInterface, addrPort)
 	}

-	return newDefaultServer(ctx, wgInterface, dnsService, statusRecorder, stateManager, disableSys), nil
+	server := newDefaultServer(ctx, config.WgInterface, dnsService, config.StatusRecorder, config.StateManager, config.DisableSys)
+	return server, nil
 }

 // NewDefaultServerPermanentUpstream returns a new dns server. It optimized for mobile systems
@@ -178,20 +188,24 @@ func newDefaultServer(
 ) *DefaultServer {
 	handlerChain := NewHandlerChain()
 	ctx, stop := context.WithCancel(ctx)
+
+	mgmtCacheResolver := mgmt.NewResolver()
+
 	defaultServer := &DefaultServer{
-		ctx:            ctx,
-		ctxCancel:      stop,
-		disableSys:     disableSys,
-		service:        dnsService,
-		handlerChain:   handlerChain,
-		extraDomains:   make(map[domain.Domain]int),
-		dnsMuxMap:      make(registeredHandlerMap),
-		localResolver:  local.NewResolver(),
-		wgInterface:    wgInterface,
-		statusRecorder: statusRecorder,
-		stateManager:   stateManager,
-		hostsDNSHolder: newHostsDNSHolder(),
-		hostManager:    &noopHostConfigurator{},
+		ctx:               ctx,
+		ctxCancel:         stop,
+		disableSys:        disableSys,
+		service:           dnsService,
+		handlerChain:      handlerChain,
+		extraDomains:      make(map[domain.Domain]int),
+		dnsMuxMap:         make(registeredHandlerMap),
+		localResolver:     local.NewResolver(),
+		wgInterface:       wgInterface,
+		statusRecorder:    statusRecorder,
+		stateManager:      stateManager,
+		hostsDNSHolder:    newHostsDNSHolder(),
+		hostManager:       &noopHostConfigurator{},
+		mgmtCacheResolver: mgmtCacheResolver,
 	}

 	// register with root zone, handler chain takes care of the routing
@@ -217,7 +231,7 @@ func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler
 }

 func (s *DefaultServer) registerHandler(domains []string, handler dns.Handler, priority int) {
-	log.Debugf("registering handler %s with priority %d", handler, priority)
+	log.Debugf("registering handler %s with priority %d for %v", handler, priority, domains)

 	for _, domain := range domains {
 		if domain == "" {
@@ -246,7 +260,7 @@ func (s *DefaultServer) DeregisterHandler(domains domain.List, priority int) {
 }

 func (s *DefaultServer) deregisterHandler(domains []string, priority int) {
-	log.Debugf("deregistering handler %v with priority %d", domains, priority)
+	log.Debugf("deregistering handler with priority %d for %v", priority, domains)

 	for _, domain := range domains {
 		if domain == "" {
@@ -432,6 +446,29 @@ func (s *DefaultServer) ProbeAvailability() {
 	wg.Wait()
 }

+func (s *DefaultServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+
+	if s.mgmtCacheResolver != nil {
+		removedDomains, err := s.mgmtCacheResolver.UpdateFromServerDomains(s.ctx, domains)
+		if err != nil {
+			return fmt.Errorf("update management cache resolver: %w", err)
+		}
+
+		if len(removedDomains) > 0 {
+			s.deregisterHandler(removedDomains.ToPunycodeList(), PriorityMgmtCache)
+		}
+
+		newDomains := s.mgmtCacheResolver.GetCachedDomains()
+		if len(newDomains) > 0 {
+			s.registerHandler(newDomains.ToPunycodeList(), s.mgmtCacheResolver, PriorityMgmtCache)
+		}
+	}
+
+	return nil
+}
+
 func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 	// is the service should be Disabled, we stop the listener or fake resolver
 	if update.ServiceEnable {
@@ -961,3 +998,11 @@ func toZone(d domain.Domain) domain.Domain {
 		),
 	)
 }
+
+// PopulateManagementDomain populates the DNS cache with management domain
+func (s *DefaultServer) PopulateManagementDomain(mgmtURL *url.URL) error {
+	if s.mgmtCacheResolver != nil {
+		return s.mgmtCacheResolver.PopulateFromConfig(s.ctx, mgmtURL)
+	}
+	return nil
+}
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -363,7 +363,13 @@ func TestUpdateDNSServer(t *testing.T) {
 					t.Log(err)
 				}
 			}()
-			dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", peer.NewRecorder("mgm"), nil, false)
+			dnsServer, err := NewDefaultServer(context.Background(), DefaultServerConfig{
+				WgInterface:    wgIface,
+				CustomAddress:  "",
+				StatusRecorder: peer.NewRecorder("mgm"),
+				StateManager:   nil,
+				DisableSys:     false,
+			})
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -473,7 +479,13 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 		return
 	}

-	dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", peer.NewRecorder("mgm"), nil, false)
+	dnsServer, err := NewDefaultServer(context.Background(), DefaultServerConfig{
+		WgInterface:    wgIface,
+		CustomAddress:  "",
+		StatusRecorder: peer.NewRecorder("mgm"),
+		StateManager:   nil,
+		DisableSys:     false,
+	})
 	if err != nil {
 		t.Errorf("create DNS server: %v", err)
 		return
@@ -575,7 +587,13 @@ func TestDNSServerStartStop(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			dnsServer, err := NewDefaultServer(context.Background(), &mocWGIface{}, testCase.addrPort, peer.NewRecorder("mgm"), nil, false)
+			dnsServer, err := NewDefaultServer(context.Background(), DefaultServerConfig{
+				WgInterface:    &mocWGIface{},
+				CustomAddress:  testCase.addrPort,
+				StatusRecorder: peer.NewRecorder("mgm"),
+				StateManager:   nil,
+				DisableSys:     false,
+			})
 			if err != nil {
 				t.Fatalf("%v", err)
 			}
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -26,10 +26,18 @@ import (
 	"github.com/netbirdio/netbird/client/proto"
 )

-const (
-	UpstreamTimeout = 15 * time.Second
+var currentMTU uint16 = iface.DefaultMTU
+
+func SetCurrentMTU(mtu uint16) {
+	currentMTU = mtu
+}
+
+const (
+	UpstreamTimeout = 4 * time.Second
+	// ClientTimeout is the timeout for the dns.Client.
+	// Set longer than UpstreamTimeout to ensure context timeout takes precedence
+	ClientTimeout = 5 * time.Second

-	failsTillDeact   = int32(5)
 	reactivatePeriod = 30 * time.Second
 	probeTimeout     = 2 * time.Second
 )
@@ -52,9 +60,7 @@ type upstreamResolverBase struct {
 	upstreamServers  []netip.AddrPort
 	domain           string
 	disabled         bool
-	failsCount       atomic.Int32
 	successCount     atomic.Int32
-	failsTillDeact   int32
 	mutex            sync.Mutex
 	reactivatePeriod time.Duration
 	upstreamTimeout  time.Duration
@@ -73,14 +79,13 @@ func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status, d
 		domain:           domain,
 		upstreamTimeout:  UpstreamTimeout,
 		reactivatePeriod: reactivatePeriod,
-		failsTillDeact:   failsTillDeact,
 		statusRecorder:   statusRecorder,
 	}
 }

 // String returns a string representation of the upstream resolver
 func (u *upstreamResolverBase) String() string {
-	return fmt.Sprintf("upstream %s", u.upstreamServers)
+	return fmt.Sprintf("Upstream %s", u.upstreamServers)
 }

 // ID returns the unique handler ID
@@ -110,58 +115,102 @@ func (u *upstreamResolverBase) Stop() {
 func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	requestID := GenerateRequestID()
 	logger := log.WithField("request_id", requestID)
-	var err error
-	defer func() {
-		u.checkUpstreamFails(err)
-	}()

 	logger.Tracef("received upstream question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
+
+	u.prepareRequest(r)
+
+	if u.ctx.Err() != nil {
+		logger.Tracef("%s has been stopped", u)
+		return
+	}
+
+	if u.tryUpstreamServers(w, r, logger) {
+		return
+	}
+
+	u.writeErrorResponse(w, r, logger)
+}
+
+func (u *upstreamResolverBase) prepareRequest(r *dns.Msg) {
 	if r.Extra == nil {
 		r.MsgHdr.AuthenticatedData = true
 	}
+}

-	select {
-	case <-u.ctx.Done():
-		logger.Tracef("%s has been stopped", u)
-		return
-	default:
+func (u *upstreamResolverBase) tryUpstreamServers(w dns.ResponseWriter, r *dns.Msg, logger *log.Entry) bool {
+	timeout := u.upstreamTimeout
+	if len(u.upstreamServers) > 1 {
+		maxTotal := 5 * time.Second
+		minPerUpstream := 2 * time.Second
+		scaledTimeout := maxTotal / time.Duration(len(u.upstreamServers))
+		if scaledTimeout > minPerUpstream {
+			timeout = scaledTimeout
+		} else {
+			timeout = minPerUpstream
+		}
 	}

 	for _, upstream := range u.upstreamServers {
-		var rm *dns.Msg
-		var t time.Duration
-
-		func() {
-			ctx, cancel := context.WithTimeout(u.ctx, u.upstreamTimeout)
-			defer cancel()
-			rm, t, err = u.upstreamClient.exchange(ctx, upstream.String(), r)
-		}()
-
-		if err != nil {
-			if errors.Is(err, context.DeadlineExceeded) || isTimeout(err) {
-				logger.Warnf("upstream %s timed out for question domain=%s", upstream, r.Question[0].Name)
-				continue
-			}
-			logger.Warnf("failed to query upstream %s for question domain=%s: %s", upstream, r.Question[0].Name, err)
-			continue
+		if u.queryUpstream(w, r, upstream, timeout, logger) {
+			return true
 		}
+	}
+	return false
+}

-		if rm == nil || !rm.Response {
-			logger.Warnf("no response from upstream %s for question domain=%s", upstream, r.Question[0].Name)
-			continue
-		}
+func (u *upstreamResolverBase) queryUpstream(w dns.ResponseWriter, r *dns.Msg, upstream netip.AddrPort, timeout time.Duration, logger *log.Entry) bool {
+	var rm *dns.Msg
+	var t time.Duration
+	var err error

-		u.successCount.Add(1)
-		logger.Tracef("took %s to query the upstream %s for question domain=%s", t, upstream, r.Question[0].Name)
+	var startTime time.Time
+	func() {
+		ctx, cancel := context.WithTimeout(u.ctx, timeout)
+		defer cancel()
+		startTime = time.Now()
+		rm, t, err = u.upstreamClient.exchange(ctx, upstream.String(), r)
+	}()

-		if err = w.WriteMsg(rm); err != nil {
-			logger.Errorf("failed to write DNS response for question domain=%s: %s", r.Question[0].Name, err)
-		}
-		// count the fails only if they happen sequentially
-		u.failsCount.Store(0)
+	if err != nil {
+		u.handleUpstreamError(err, upstream, r.Question[0].Name, startTime, timeout, logger)
+		return false
+	}
+
+	if rm == nil || !rm.Response {
+		logger.Warnf("no response from upstream %s for question domain=%s", upstream, r.Question[0].Name)
+		return false
+	}
+
+	return u.writeSuccessResponse(w, rm, upstream, r.Question[0].Name, t, logger)
+}
+
+func (u *upstreamResolverBase) handleUpstreamError(err error, upstream netip.AddrPort, domain string, startTime time.Time, timeout time.Duration, logger *log.Entry) {
+	if !errors.Is(err, context.DeadlineExceeded) && !isTimeout(err) {
+		logger.Warnf("failed to query upstream %s for question domain=%s: %s", upstream, domain, err)
 		return
 	}
-	u.failsCount.Add(1)
+
+	elapsed := time.Since(startTime)
+	timeoutMsg := fmt.Sprintf("upstream %s timed out for question domain=%s after %v (timeout=%v)", upstream, domain, elapsed.Truncate(time.Millisecond), timeout)
+	if peerInfo := u.debugUpstreamTimeout(upstream); peerInfo != "" {
+		timeoutMsg += " " + peerInfo
+	}
+	timeoutMsg += fmt.Sprintf(" - error: %v", err)
+	logger.Warnf(timeoutMsg)
+}
+
+func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dns.Msg, upstream netip.AddrPort, domain string, t time.Duration, logger *log.Entry) bool {
+	u.successCount.Add(1)
+	logger.Tracef("took %s to query the upstream %s for question domain=%s", t, upstream, domain)
+
+	if err := w.WriteMsg(rm); err != nil {
+		logger.Errorf("failed to write DNS response for question domain=%s: %s", domain, err)
+	}
+	return true
+}
+
+func (u *upstreamResolverBase) writeErrorResponse(w dns.ResponseWriter, r *dns.Msg, logger *log.Entry) {
 	logger.Errorf("all queries to the %s failed for question domain=%s", u, r.Question[0].Name)

 	m := new(dns.Msg)
@@ -171,41 +220,6 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}
 }

-// checkUpstreamFails counts fails and disables or enables upstream resolving
-//
-// If fails count is greater that failsTillDeact, upstream resolving
-// will be disabled for reactivatePeriod, after that time period fails counter
-// will be reset and upstream will be reactivated.
-func (u *upstreamResolverBase) checkUpstreamFails(err error) {
-	u.mutex.Lock()
-	defer u.mutex.Unlock()
-
-	if u.failsCount.Load() < u.failsTillDeact || u.disabled {
-		return
-	}
-
-	select {
-	case <-u.ctx.Done():
-		return
-	default:
-	}
-
-	u.disable(err)
-
-	if u.statusRecorder == nil {
-		return
-	}
-
-	u.statusRecorder.PublishEvent(
-		proto.SystemEvent_WARNING,
-		proto.SystemEvent_DNS,
-		"All upstream servers failed (fail count exceeded)",
-		"Unable to reach one or more DNS servers. This might affect your ability to connect to some services.",
-		map[string]string{"upstreams": u.upstreamServersString()},
-		// TODO add domain meta
-	)
-}
-
 // ProbeAvailability tests all upstream servers simultaneously and
 // disables the resolver if none work
 func (u *upstreamResolverBase) ProbeAvailability() {
@@ -218,8 +232,8 @@ func (u *upstreamResolverBase) ProbeAvailability() {
 	default:
 	}

-	// avoid probe if upstreams could resolve at least one query and fails count is less than failsTillDeact
-	if u.successCount.Load() > 0 && u.failsCount.Load() < u.failsTillDeact {
+	// avoid probe if upstreams could resolve at least one query
+	if u.successCount.Load() > 0 {
 		return
 	}

@@ -306,7 +320,6 @@ func (u *upstreamResolverBase) waitUntilResponse() {
 	}

 	log.Infof("upstreams %s are responsive again. Adding them back to system", u.upstreamServersString())
-	u.failsCount.Store(0)
 	u.successCount.Add(1)
 	u.reactivate()
 	u.disabled = false
@@ -358,8 +371,8 @@ func (u *upstreamResolverBase) testNameserver(server netip.AddrPort, timeout tim
 // If the passed context is nil, this will use Exchange instead of ExchangeContext.
 func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, upstream string) (*dns.Msg, time.Duration, error) {
 	// MTU - ip + udp headers
-	// Note: this could be sent out on an interface that is not ours, but our MTU should always be lower.
-	client.UDPSize = iface.DefaultMTU - (60 + 8)
+	// Note: this could be sent out on an interface that is not ours, but higher MTU settings could break truncation handling.
+	client.UDPSize = uint16(currentMTU - (60 + 8))

 	var (
 		rm  *dns.Msg
@@ -410,3 +423,80 @@ func GenerateRequestID() string {
 	}
 	return hex.EncodeToString(bytes)
 }
+
+// FormatPeerStatus formats peer connection status information for debugging DNS timeouts
+func FormatPeerStatus(peerState *peer.State) string {
+	isConnected := peerState.ConnStatus == peer.StatusConnected
+	hasRecentHandshake := !peerState.LastWireguardHandshake.IsZero() &&
+		time.Since(peerState.LastWireguardHandshake) < 3*time.Minute
+
+	statusInfo := fmt.Sprintf("%s:%s", peerState.FQDN, peerState.IP)
+
+	switch {
+	case !isConnected:
+		statusInfo += " DISCONNECTED"
+	case !hasRecentHandshake:
+		statusInfo += " NO_RECENT_HANDSHAKE"
+	default:
+		statusInfo += " connected"
+	}
+
+	if !peerState.LastWireguardHandshake.IsZero() {
+		timeSinceHandshake := time.Since(peerState.LastWireguardHandshake)
+		statusInfo += fmt.Sprintf(" last_handshake=%v_ago", timeSinceHandshake.Truncate(time.Second))
+	} else {
+		statusInfo += " no_handshake"
+	}
+
+	if peerState.Relayed {
+		statusInfo += " via_relay"
+	}
+
+	if peerState.Latency > 0 {
+		statusInfo += fmt.Sprintf(" latency=%v", peerState.Latency)
+	}
+
+	return statusInfo
+}
+
+// findPeerForIP finds which peer handles the given IP address
+func findPeerForIP(ip netip.Addr, statusRecorder *peer.Status) *peer.State {
+	if statusRecorder == nil {
+		return nil
+	}
+
+	fullStatus := statusRecorder.GetFullStatus()
+	var bestMatch *peer.State
+	var bestPrefixLen int
+
+	for _, peerState := range fullStatus.Peers {
+		routes := peerState.GetRoutes()
+		for route := range routes {
+			prefix, err := netip.ParsePrefix(route)
+			if err != nil {
+				continue
+			}
+
+			if prefix.Contains(ip) && prefix.Bits() > bestPrefixLen {
+				peerStateCopy := peerState
+				bestMatch = &peerStateCopy
+				bestPrefixLen = prefix.Bits()
+			}
+		}
+	}
+
+	return bestMatch
+}
+
+func (u *upstreamResolverBase) debugUpstreamTimeout(upstream netip.AddrPort) string {
+	if u.statusRecorder == nil {
+		return ""
+	}
+
+	peerInfo := findPeerForIP(upstream.Addr(), u.statusRecorder)
+	if peerInfo == nil {
+		return ""
+	}
+
+	return fmt.Sprintf("(routes through NetBird peer %s)", FormatPeerStatus(peerInfo))
+}
--- a/client/internal/dns/upstream_android.go
+++ b/client/internal/dns/upstream_android.go
@@ -50,7 +50,9 @@ func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns
 }

 func (u *upstreamResolver) exchangeWithinVPN(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	upstreamExchangeClient := &dns.Client{}
+	upstreamExchangeClient := &dns.Client{
+		Timeout: ClientTimeout,
+	}
 	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
 }

@@ -72,10 +74,11 @@ func (u *upstreamResolver) exchangeWithoutVPN(ctx context.Context, upstream stri
 	}

 	upstreamExchangeClient := &dns.Client{
-		Dialer: dialer,
+		Dialer:  dialer,
+		Timeout: timeout,
 	}

-	return upstreamExchangeClient.Exchange(r, upstream)
+	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
 }

 func (u *upstreamResolver) isLocalResolver(upstream string) bool {
--- a/client/internal/dns/upstream_general.go
+++ b/client/internal/dns/upstream_general.go
@@ -34,7 +34,10 @@ func newUpstreamResolver(
 }

 func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	return ExchangeWithFallback(ctx, &dns.Client{}, r, upstream)
+	client := &dns.Client{
+		Timeout: ClientTimeout,
+	}
+	return ExchangeWithFallback(ctx, client, r, upstream)
 }

 func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
--- a/client/internal/dns/upstream_ios.go
+++ b/client/internal/dns/upstream_ios.go
@@ -47,7 +47,9 @@ func newUpstreamResolver(
 }

 func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	client := &dns.Client{}
+	client := &dns.Client{
+		Timeout: ClientTimeout,
+	}
 	upstreamHost, _, err := net.SplitHostPort(upstream)
 	if err != nil {
 		return nil, 0, fmt.Errorf("error while parsing upstream host: %s", err)
@@ -110,7 +112,8 @@ func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Dura
 		},
 	}
 	client := &dns.Client{
-		Dialer: dialer,
+		Dialer:  dialer,
+		Timeout: dialTimeout,
 	}
 	return client, nil
 }
--- a/client/internal/dns/upstream_test.go
+++ b/client/internal/dns/upstream_test.go
@@ -124,29 +124,26 @@ func (c mockUpstreamResolver) exchange(_ context.Context, _ string, _ *dns.Msg)
 }

 func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
+	mockClient := &mockUpstreamResolver{
+		err: dns.ErrTime,
+		r:   new(dns.Msg),
+		rtt: time.Millisecond,
+	}
+
 	resolver := &upstreamResolverBase{
-		ctx: context.TODO(),
-		upstreamClient: &mockUpstreamResolver{
-			err: nil,
-			r:   new(dns.Msg),
-			rtt: time.Millisecond,
-		},
+		ctx:              context.TODO(),
+		upstreamClient:   mockClient,
 		upstreamTimeout:  UpstreamTimeout,
-		reactivatePeriod: reactivatePeriod,
-		failsTillDeact:   failsTillDeact,
+		reactivatePeriod: time.Microsecond * 100,
 	}
 	addrPort, _ := netip.ParseAddrPort("0.0.0.0:1") // Use valid port for parsing, test will still fail on connection
 	resolver.upstreamServers = []netip.AddrPort{netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port())}
-	resolver.failsTillDeact = 0
-	resolver.reactivatePeriod = time.Microsecond * 100
-
-	responseWriter := &test.MockResponseWriter{
-		WriteMsgFunc: func(m *dns.Msg) error { return nil },
-	}

 	failed := false
 	resolver.deactivate = func(error) {
 		failed = true
+		// After deactivation, make the mock client work again
+		mockClient.err = nil
 	}

 	reactivated := false
@@ -154,7 +151,7 @@ func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
 		reactivated = true
 	}

-	resolver.ServeDNS(responseWriter, new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA))
+	resolver.ProbeAvailability()

 	if !failed {
 		t.Errorf("expected that resolving was deactivated")
@@ -173,11 +170,6 @@ func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
 		return
 	}

-	if resolver.failsCount.Load() != 0 {
-		t.Errorf("fails count after reactivation should be 0")
-		return
-	}
-
 	if resolver.disabled {
 		t.Errorf("should be enabled")
 	}
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -7,6 +7,7 @@ import (
 	"math/rand"
 	"net"
 	"net/netip"
+	"net/url"
 	"os"
 	"reflect"
 	"runtime"
@@ -17,8 +18,8 @@ import (
 	"time"

 	"github.com/hashicorp/go-multierror"
-	"github.com/pion/ice/v3"
-	"github.com/pion/stun/v2"
+	"github.com/pion/ice/v4"
+	"github.com/pion/stun/v3"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
@@ -33,6 +34,7 @@ import (
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/dns"
+	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	"github.com/netbirdio/netbird/client/internal/dnsfwd"
 	"github.com/netbirdio/netbird/client/internal/ingressgw"
 	"github.com/netbirdio/netbird/client/internal/netflow"
@@ -125,6 +127,8 @@ type EngineConfig struct {
 	BlockInbound        bool

 	LazyConnectionEnabled bool
+
+	MTU uint16
 }

 // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
@@ -343,10 +347,14 @@ func (e *Engine) Stop() error {
 // Start creates a new WireGuard tunnel interface and listens to events from Signal and Management services
 // Connections to remote peers are not established here.
 // However, they will be established once an event with a list of peers to connect to will be received from Management Service
-func (e *Engine) Start() error {
+func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL) error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

+	if err := iface.ValidateMTU(e.config.MTU); err != nil {
+		return fmt.Errorf("invalid MTU configuration: %w", err)
+	}
+
 	if e.cancel != nil {
 		e.cancel()
 	}
@@ -395,6 +403,11 @@ func (e *Engine) Start() error {
 	}
 	e.dnsServer = dnsServer

+	// Populate DNS cache with NetbirdConfig and management URL for early resolution
+	if err := e.PopulateNetbirdConfig(netbirdConfig, mgmtURL); err != nil {
+		log.Warnf("failed to populate DNS cache: %v", err)
+	}
+
 	e.routeManager = routemanager.NewManager(routemanager.ManagerConfig{
 		Context:             e.ctx,
 		PublicKey:           e.config.WgPrivateKey.PublicKey().String(),
@@ -655,6 +668,30 @@ func (e *Engine) removePeer(peerKey string) error {
 	return nil
 }

+// PopulateNetbirdConfig populates the DNS cache with infrastructure domains from login response
+func (e *Engine) PopulateNetbirdConfig(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL) error {
+	if e.dnsServer == nil {
+		return nil
+	}
+
+	// Populate management URL if provided
+	if mgmtURL != nil {
+		if err := e.dnsServer.PopulateManagementDomain(mgmtURL); err != nil {
+			log.Warnf("failed to populate DNS cache with management URL: %v", err)
+		}
+	}
+
+	// Populate NetbirdConfig domains if provided
+	if netbirdConfig != nil {
+		serverDomains := dnsconfig.ExtractFromNetbirdConfig(netbirdConfig)
+		if err := e.dnsServer.UpdateServerConfig(serverDomains); err != nil {
+			return fmt.Errorf("update DNS server config from NetbirdConfig: %w", err)
+		}
+	}
+
+	return nil
+}
+
 func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
@@ -686,6 +723,10 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 			return fmt.Errorf("handle the flow configuration: %w", err)
 		}

+		if err := e.PopulateNetbirdConfig(wCfg, nil); err != nil {
+			log.Warnf("Failed to update DNS server config: %v", err)
+		}
+
 		// todo update signal
 	}

@@ -1111,15 +1152,16 @@ func toRoutes(protoRoutes []*mgmProto.Route) []*route.Route {
 		}

 		convertedRoute := &route.Route{
-			ID:          route.ID(protoRoute.ID),
-			Network:     prefix.Masked(),
-			Domains:     domain.FromPunycodeList(protoRoute.Domains),
-			NetID:       route.NetID(protoRoute.NetID),
-			NetworkType: route.NetworkType(protoRoute.NetworkType),
-			Peer:        protoRoute.Peer,
-			Metric:      int(protoRoute.Metric),
-			Masquerade:  protoRoute.Masquerade,
-			KeepRoute:   protoRoute.KeepRoute,
+			ID:            route.ID(protoRoute.ID),
+			Network:       prefix.Masked(),
+			Domains:       domain.FromPunycodeList(protoRoute.Domains),
+			NetID:         route.NetID(protoRoute.NetID),
+			NetworkType:   route.NetworkType(protoRoute.NetworkType),
+			Peer:          protoRoute.Peer,
+			Metric:        int(protoRoute.Metric),
+			Masquerade:    protoRoute.Masquerade,
+			KeepRoute:     protoRoute.KeepRoute,
+			SkipAutoApply: protoRoute.SkipAutoApply,
 		}
 		routes = append(routes, convertedRoute)
 	}
@@ -1491,7 +1533,7 @@ func (e *Engine) newWgIface() (*iface.WGIface, error) {
 		Address:      e.config.WgAddr,
 		WGPort:       e.config.WgPort,
 		WGPrivKey:    e.config.WgPrivateKey.String(),
-		MTU:          iface.DefaultMTU,
+		MTU:          e.config.MTU,
 		TransportNet: transportNet,
 		FilterFn:     e.addrViaRoutes,
 		DisableDNS:   e.config.DisableDNS,
@@ -1550,7 +1592,14 @@ func (e *Engine) newDnsServer(dnsConfig *nbdns.Config) (dns.Server, error) {
 		return dnsServer, nil

 	default:
-		dnsServer, err := dns.NewDefaultServer(e.ctx, e.wgInterface, e.config.CustomDNSAddress, e.statusRecorder, e.stateManager, e.config.DisableDNS)
+
+		dnsServer, err := dns.NewDefaultServer(e.ctx, dns.DefaultServerConfig{
+			WgInterface:    e.wgInterface,
+			CustomAddress:  e.config.CustomDNSAddress,
+			StatusRecorder: e.statusRecorder,
+			StateManager:   e.stateManager,
+			DisableSys:     e.config.DisableDNS,
+		})
 		if err != nil {
 			return nil, err
 		}
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -218,7 +218,7 @@ func TestEngine_SSH(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

-	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
+	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
 	engine := NewEngine(
 		ctx, cancel,
 		&signal.MockClient{},
@@ -230,6 +230,7 @@ func TestEngine_SSH(t *testing.T) {
 			WgPrivateKey:     key,
 			WgPort:           33100,
 			ServerSSHAllowed: true,
+			MTU:              iface.DefaultMTU,
 		},
 		MobileDependency{},
 		peer.NewRecorder("https://mgm"),
@@ -265,7 +266,7 @@ func TestEngine_SSH(t *testing.T) {
 			},
 		}, nil
 	}
-	err = engine.Start()
+	err = engine.Start(nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -363,7 +364,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

-	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
+	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
 	engine := NewEngine(
 		ctx, cancel,
 		&signal.MockClient{},
@@ -374,6 +375,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 			WgAddr:       "100.64.0.1/24",
 			WgPrivateKey: key,
 			WgPort:       33100,
+			MTU:          iface.DefaultMTU,
 		},
 		MobileDependency{},
 		peer.NewRecorder("https://mgm"),
@@ -412,7 +414,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	engine.udpMux = bind.NewUniversalUDPMuxDefault(bind.UniversalUDPMuxParams{UDPConn: conn})
+	engine.udpMux = bind.NewUniversalUDPMuxDefault(bind.UniversalUDPMuxParams{UDPConn: conn, MTU: 1280})
 	engine.ctx = ctx
 	engine.srWatcher = guard.NewSRWatcher(nil, nil, nil, icemaker.Config{})
 	engine.connMgr = NewConnMgr(engine.config, engine.statusRecorder, engine.peerStore, wgIface)
@@ -589,12 +591,13 @@ func TestEngine_Sync(t *testing.T) {
 		}
 		return nil
 	}
-	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
+	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
 	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{SyncFunc: syncFunc}, relayMgr, &EngineConfig{
 		WgIfaceName:  "utun103",
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
+		MTU:          iface.DefaultMTU,
 	}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 	engine.ctx = ctx

@@ -609,7 +612,7 @@ func TestEngine_Sync(t *testing.T) {
 		}
 	}()

-	err = engine.Start()
+	err = engine.Start(nil, nil)
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -753,12 +756,13 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 			wgIfaceName := fmt.Sprintf("utun%d", 104+n)
 			wgAddr := fmt.Sprintf("100.66.%d.1/24", n)

-			relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
+			relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
 			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
 				WgIfaceName:  wgIfaceName,
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
+				MTU:          iface.DefaultMTU,
 			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 			engine.ctx = ctx
 			newNet, err := stdnet.NewNet()
@@ -954,12 +958,13 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			wgIfaceName := fmt.Sprintf("utun%d", 104+n)
 			wgAddr := fmt.Sprintf("100.66.%d.1/24", n)

-			relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
+			relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
 			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
 				WgIfaceName:  wgIfaceName,
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
+				MTU:          iface.DefaultMTU,
 			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 			engine.ctx = ctx

@@ -1064,7 +1069,7 @@ func TestEngine_MultiplePeers(t *testing.T) {
 			defer mu.Unlock()
 			guid := fmt.Sprintf("{%s}", uuid.New().String())
 			device.CustomWindowsGUIDString = strings.ToLower(guid)
-			err = engine.Start()
+			err = engine.Start(nil, nil)
 			if err != nil {
 				t.Errorf("unable to start engine for peer %d with error %v", j, err)
 				wg.Done()
@@ -1181,6 +1186,7 @@ func Test_ParseNATExternalIPMappings(t *testing.T) {
 				config: &EngineConfig{
 					IFaceBlackList: testCase.inputBlacklistInterface,
 					NATExternalIPs: testCase.inputMapList,
+					MTU:            iface.DefaultMTU,
 				},
 			}
 			parsedList := engine.parseNATExternalIPMappings()
@@ -1481,9 +1487,10 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 		WgAddr:       resp.PeerConfig.Address,
 		WgPrivateKey: key,
 		WgPort:       wgPort,
+		MTU:          iface.DefaultMTU,
 	}

-	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
+	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
 	e, err := NewEngine(ctx, cancel, signalClient, mgmtClient, relayMgr, conf, MobileDependency{}, peer.NewRecorder("https://mgm"), nil), nil
 	e.ctx = ctx
 	return e, err
--- a/client/internal/login.go
+++ b/client/internal/login.go
@@ -40,7 +40,7 @@ func IsLoginRequired(ctx context.Context, config *profilemanager.Config) (bool,
 		return false, err
 	}

-	_, err = doMgmLogin(ctx, mgmClient, pubSSHKey, config)
+	_, _, err = doMgmLogin(ctx, mgmClient, pubSSHKey, config)
 	if isLoginNeeded(err) {
 		return true, nil
 	}
@@ -69,14 +69,18 @@ func Login(ctx context.Context, config *profilemanager.Config, setupKey string,
 		return err
 	}

-	serverKey, err := doMgmLogin(ctx, mgmClient, pubSSHKey, config)
+	serverKey, _, err := doMgmLogin(ctx, mgmClient, pubSSHKey, config)
 	if serverKey != nil && isRegistrationNeeded(err) {
 		log.Debugf("peer registration required")
 		_, err = registerPeer(ctx, *serverKey, mgmClient, setupKey, jwtToken, pubSSHKey, config)
+		if err != nil {
+			return err
+		}
+	} else if err != nil {
 		return err
 	}

-	return err
+	return nil
 }

 func getMgmClient(ctx context.Context, privateKey string, mgmURL *url.URL) (*mgm.GrpcClient, error) {
@@ -101,11 +105,11 @@ func getMgmClient(ctx context.Context, privateKey string, mgmURL *url.URL) (*mgm
 	return mgmClient, err
 }

-func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte, config *profilemanager.Config) (*wgtypes.Key, error) {
+func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte, config *profilemanager.Config) (*wgtypes.Key, *mgmProto.LoginResponse, error) {
 	serverKey, err := mgmClient.GetServerPublicKey()
 	if err != nil {
 		log.Errorf("failed while getting Management Service public key: %v", err)
-		return nil, err
+		return nil, nil, err
 	}

 	sysInfo := system.GetInfo(ctx)
@@ -121,8 +125,8 @@ func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte
 		config.BlockInbound,
 		config.LazyConnectionEnabled,
 	)
-	_, err = mgmClient.Login(*serverKey, sysInfo, pubSSHKey, config.DNSLabels)
-	return serverKey, err
+	loginResp, err := mgmClient.Login(*serverKey, sysInfo, pubSSHKey, config.DNSLabels)
+	return serverKey, loginResp, err
 }

 // registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -11,7 +11,7 @@ import (
 	"sync"
 	"time"

-	"github.com/pion/ice/v3"
+	"github.com/pion/ice/v4"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

--- a/client/internal/peer/guard/ice_monitor.go
+++ b/client/internal/peer/guard/ice_monitor.go
@@ -6,7 +6,7 @@ import (
 	"sync"
 	"time"

-	"github.com/pion/ice/v3"
+	"github.com/pion/ice/v4"
 	log "github.com/sirupsen/logrus"

 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
--- a/client/internal/peer/ice/StunTurn.go
+++ b/client/internal/peer/ice/StunTurn.go
@@ -3,7 +3,7 @@ package ice
 import (
 	"sync/atomic"

-	"github.com/pion/stun/v2"
+	"github.com/pion/stun/v3"
 )

 type StunTurn atomic.Value
--- a/client/internal/peer/ice/agent.go
+++ b/client/internal/peer/ice/agent.go
@@ -1,9 +1,10 @@
 package ice

 import (
+	"sync"
 	"time"

-	"github.com/pion/ice/v3"
+	"github.com/pion/ice/v4"
 	"github.com/pion/logging"
 	"github.com/pion/randutil"
 	log "github.com/sirupsen/logrus"
@@ -23,7 +24,20 @@ const (
 	iceRelayAcceptanceMinWaitDefault = 2 * time.Second
 )

-func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ice.Agent, error) {
+type ThreadSafeAgent struct {
+	*ice.Agent
+	once sync.Once
+}
+
+func (a *ThreadSafeAgent) Close() error {
+	var err error
+	a.once.Do(func() {
+		err = a.Agent.Close()
+	})
+	return err
+}
+
+func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ThreadSafeAgent, error) {
 	iceKeepAlive := iceKeepAlive()
 	iceDisconnectedTimeout := iceDisconnectedTimeout()
 	iceFailedTimeout := iceFailedTimeout()
@@ -61,7 +75,12 @@ func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candida
 		agentConfig.NetworkTypes = []ice.NetworkType{ice.NetworkTypeUDP4}
 	}

-	return ice.NewAgent(agentConfig)
+	agent, err := ice.NewAgent(agentConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ThreadSafeAgent{Agent: agent}, nil
 }

 func GenerateICECredentials() (string, string, error) {
--- a/client/internal/peer/ice/config.go
+++ b/client/internal/peer/ice/config.go
@@ -1,7 +1,7 @@
 package ice

 import (
-	"github.com/pion/ice/v3"
+	"github.com/pion/ice/v4"
 )

 type Config struct {
--- a/client/internal/peer/signaler.go
+++ b/client/internal/peer/signaler.go
@@ -1,7 +1,7 @@
 package peer

 import (
-	"github.com/pion/ice/v3"
+	"github.com/pion/ice/v4"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

--- a/client/internal/peer/worker_ice.go
+++ b/client/internal/peer/worker_ice.go
@@ -8,7 +8,7 @@ import (
 	"sync"
 	"time"

-	"github.com/pion/ice/v3"
+	"github.com/pion/ice/v4"
 	"github.com/pion/stun/v2"
 	log "github.com/sirupsen/logrus"

@@ -42,7 +42,7 @@ type WorkerICE struct {
 	statusRecorder    *Status
 	hasRelayOnLocally bool

-	agent             *ice.Agent
+	agent             *icemaker.ThreadSafeAgent
 	agentDialerCancel context.CancelFunc
 	agentConnecting   bool      // while it is true, drop all incoming offers
 	lastSuccess       time.Time // with this avoid the too frequent ICE agent recreation
@@ -121,6 +121,7 @@ func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 		if err := w.agent.Close(); err != nil {
 			w.log.Warnf("failed to close ICE agent: %s", err)
 		}
+		w.agent = nil
 		// todo consider to switch to Relay connection while establishing a new ICE connection
 	}

@@ -195,7 +196,7 @@ func (w *WorkerICE) Close() {
 	w.agent = nil
 }

-func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []ice.CandidateType) (*ice.Agent, error) {
+func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []ice.CandidateType) (*icemaker.ThreadSafeAgent, error) {
 	agent, err := icemaker.NewAgent(w.iFaceDiscover, w.config.ICEConfig, candidates, w.localUfrag, w.localPwd)
 	if err != nil {
 		return nil, fmt.Errorf("create agent: %w", err)
@@ -213,10 +214,6 @@ func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []
 		return nil, err
 	}

-	if err := agent.OnSuccessfulSelectedPairBindingResponse(w.onSuccessfulSelectedPairBindingResponse); err != nil {
-		return nil, fmt.Errorf("failed setting binding response callback: %w", err)
-	}
-
 	return agent, nil
 }

@@ -230,7 +227,7 @@ func (w *WorkerICE) SessionID() ICESessionID {
 // will block until connection succeeded
 // but it won't release if ICE Agent went into Disconnected or Failed state,
 // so we have to cancel it with the provided context once agent detected a broken connection
-func (w *WorkerICE) connect(ctx context.Context, agent *ice.Agent, remoteOfferAnswer *OfferAnswer) {
+func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent, remoteOfferAnswer *OfferAnswer) {
 	w.log.Debugf("gather candidates")
 	if err := agent.GatherCandidates(); err != nil {
 		w.log.Warnf("failed to gather candidates: %s", err)
@@ -239,7 +236,7 @@ func (w *WorkerICE) connect(ctx context.Context, agent *ice.Agent, remoteOfferAn
 	}

 	w.log.Debugf("turn agent dial")
-	remoteConn, err := w.turnAgentDial(ctx, remoteOfferAnswer)
+	remoteConn, err := w.turnAgentDial(ctx, agent, remoteOfferAnswer)
 	if err != nil {
 		w.log.Debugf("failed to dial the remote peer: %s", err)
 		w.closeAgent(agent, w.agentDialerCancel)
@@ -252,6 +249,11 @@ func (w *WorkerICE) connect(ctx context.Context, agent *ice.Agent, remoteOfferAn
 		w.closeAgent(agent, w.agentDialerCancel)
 		return
 	}
+	if pair == nil {
+		w.log.Warnf("selected candidate pair is nil, cannot proceed")
+		w.closeAgent(agent, w.agentDialerCancel)
+		return
+	}

 	if !isRelayCandidate(pair.Local) {
 		// dynamically set remote WireGuard port if other side specified a different one from the default one
@@ -290,13 +292,14 @@ func (w *WorkerICE) connect(ctx context.Context, agent *ice.Agent, remoteOfferAn
 	w.conn.onICEConnectionIsReady(selectedPriority(pair), ci)
 }

-func (w *WorkerICE) closeAgent(agent *ice.Agent, cancel context.CancelFunc) {
+func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.CancelFunc) {
 	cancel()
 	if err := agent.Close(); err != nil {
 		w.log.Warnf("failed to close ICE agent: %s", err)
 	}

 	w.muxAgent.Lock()
+	// todo review does it make sense to generate new session ID all the time when w.agent==agent
 	sessionID, err := NewICESessionID()
 	if err != nil {
 		w.log.Errorf("failed to create new session ID: %s", err)
@@ -377,9 +380,30 @@ func (w *WorkerICE) onICECandidate(candidate ice.Candidate) {
 func (w *WorkerICE) onICESelectedCandidatePair(c1 ice.Candidate, c2 ice.Candidate) {
 	w.log.Debugf("selected candidate pair [local <-> remote] -> [%s <-> %s], peer %s", c1.String(), c2.String(),
 		w.config.Key)
+
+	w.muxAgent.Lock()
+
+	pair, err := w.agent.GetSelectedCandidatePair()
+	if err != nil {
+		w.log.Warnf("failed to get selected candidate pair: %s", err)
+		w.muxAgent.Unlock()
+		return
+	}
+	if pair == nil {
+		w.log.Warnf("selected candidate pair is nil, cannot proceed")
+		w.muxAgent.Unlock()
+		return
+	}
+	w.muxAgent.Unlock()
+
+	duration := time.Duration(pair.CurrentRoundTripTime() * float64(time.Second))
+	if err := w.statusRecorder.UpdateLatency(w.config.Key, duration); err != nil {
+		w.log.Debugf("failed to update latency for peer: %s", err)
+		return
+	}
 }

-func (w *WorkerICE) onConnectionStateChange(agent *ice.Agent, dialerCancel context.CancelFunc) func(ice.ConnectionState) {
+func (w *WorkerICE) onConnectionStateChange(agent *icemaker.ThreadSafeAgent, dialerCancel context.CancelFunc) func(ice.ConnectionState) {
 	return func(state ice.ConnectionState) {
 		w.log.Debugf("ICE ConnectionState has changed to %s", state.String())
 		switch state {
@@ -398,13 +422,6 @@ func (w *WorkerICE) onConnectionStateChange(agent *ice.Agent, dialerCancel conte
 	}
 }

-func (w *WorkerICE) onSuccessfulSelectedPairBindingResponse(pair *ice.CandidatePair) {
-	if err := w.statusRecorder.UpdateLatency(w.config.Key, pair.Latency()); err != nil {
-		w.log.Debugf("failed to update latency for peer: %s", err)
-		return
-	}
-}
-
 func (w *WorkerICE) shouldSendExtraSrflxCandidate(candidate ice.Candidate) bool {
 	if !w.sentExtraSrflx && candidate.Type() == ice.CandidateTypeServerReflexive && candidate.Port() != candidate.RelatedAddress().Port {
 		return true
@@ -412,18 +429,18 @@ func (w *WorkerICE) shouldSendExtraSrflxCandidate(candidate ice.Candidate) bool
 	return false
 }

-func (w *WorkerICE) turnAgentDial(ctx context.Context, remoteOfferAnswer *OfferAnswer) (*ice.Conn, error) {
+func (w *WorkerICE) turnAgentDial(ctx context.Context, agent *icemaker.ThreadSafeAgent, remoteOfferAnswer *OfferAnswer) (*ice.Conn, error) {
 	isControlling := w.config.LocalKey > w.config.Key
 	if isControlling {
-		return w.agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+		return agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	} else {
-		return w.agent.Accept(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+		return agent.Accept(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	}
 }

 func extraSrflxCandidate(candidate ice.Candidate) (*ice.CandidateServerReflexive, error) {
 	relatedAdd := candidate.RelatedAddress()
-	return ice.NewCandidateServerReflexive(&ice.CandidateServerReflexiveConfig{
+	ec, err := ice.NewCandidateServerReflexive(&ice.CandidateServerReflexiveConfig{
 		Network:   candidate.NetworkType().String(),
 		Address:   candidate.Address(),
 		Port:      relatedAdd.Port,
@@ -431,6 +448,17 @@ func extraSrflxCandidate(candidate ice.Candidate) (*ice.CandidateServerReflexive
 		RelAddr:   relatedAdd.Address,
 		RelPort:   relatedAdd.Port,
 	})
+	if err != nil {
+		return nil, err
+	}
+
+	for _, e := range candidate.Extensions() {
+		if err := ec.AddExtension(e); err != nil {
+			return nil, err
+		}
+	}
+
+	return ec, nil
 }

 func candidateViaRoutes(candidate ice.Candidate, clientRoutes route.HAMap) bool {
--- a/client/internal/profilemanager/config.go
+++ b/client/internal/profilemanager/config.go
@@ -75,6 +75,8 @@ type ConfigInput struct {
 	DNSLabels domain.List

 	LazyConnectionEnabled *bool
+
+	MTU *uint16
 }

 // Config Configuration type
@@ -141,6 +143,8 @@ type Config struct {
 	ClientCertKeyPair *tls.Certificate `json:"-"`

 	LazyConnectionEnabled bool
+
+	MTU uint16
 }

 var ConfigDirOverride string
@@ -493,6 +497,16 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}

+	if input.MTU != nil && *input.MTU != config.MTU {
+		log.Infof("updating MTU to %d (old value %d)", *input.MTU, config.MTU)
+		config.MTU = *input.MTU
+		updated = true
+	} else if config.MTU == 0 {
+		config.MTU = iface.DefaultMTU
+		log.Infof("using default MTU %d", config.MTU)
+		updated = true
+	}
+
 	return updated, nil
 }

--- a/client/internal/relay/relay.go
+++ b/client/internal/relay/relay.go
@@ -7,7 +7,7 @@ import (
 	"sync"
 	"time"

-	"github.com/pion/stun/v2"
+	"github.com/pion/stun/v3"
 	"github.com/pion/turn/v3"
 	log "github.com/sirupsen/logrus"

--- a/client/internal/routemanager/dnsinterceptor/handler.go
+++ b/client/internal/routemanager/dnsinterceptor/handler.go
@@ -2,11 +2,13 @@ package dnsinterceptor

 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/netip"
 	"runtime"
 	"strings"
 	"sync"
+	"time"

 	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
@@ -26,6 +28,8 @@ import (
 	"github.com/netbirdio/netbird/route"
 )

+const dnsTimeout = 8 * time.Second
+
 type domainMap map[domain.Domain][]netip.Prefix

 type internalDNATer interface {
@@ -243,7 +247,7 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		return
 	}

-	client, err := nbdns.GetClientPrivate(d.wgInterface.Address().IP, d.wgInterface.Name(), nbdns.UpstreamTimeout)
+	client, err := nbdns.GetClientPrivate(d.wgInterface.Address().IP, d.wgInterface.Name(), dnsTimeout)
 	if err != nil {
 		d.writeDNSError(w, r, logger, fmt.Sprintf("create DNS client: %v", err))
 		return
@@ -254,9 +258,20 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}

 	upstream := fmt.Sprintf("%s:%d", upstreamIP.String(), dnsfwd.ListenPort)
-	reply, _, err := nbdns.ExchangeWithFallback(context.TODO(), client, r, upstream)
+	ctx, cancel := context.WithTimeout(context.Background(), dnsTimeout)
+	defer cancel()
+
+	startTime := time.Now()
+	reply, _, err := nbdns.ExchangeWithFallback(ctx, client, r, upstream)
 	if err != nil {
-		logger.Errorf("failed to exchange DNS request with %s (%s) for domain=%s: %v", upstreamIP.String(), peerKey, r.Question[0].Name, err)
+		if errors.Is(err, context.DeadlineExceeded) {
+			elapsed := time.Since(startTime)
+			peerInfo := d.debugPeerTimeout(upstreamIP, peerKey)
+			logger.Errorf("peer DNS timeout after %v (timeout=%v) for domain=%s to peer %s (%s)%s - error: %v",
+				elapsed.Truncate(time.Millisecond), dnsTimeout, r.Question[0].Name, upstreamIP.String(), peerKey, peerInfo, err)
+		} else {
+			logger.Errorf("failed to exchange DNS request with %s (%s) for domain=%s: %v", upstreamIP.String(), peerKey, r.Question[0].Name, err)
+		}
 		if err := w.WriteMsg(&dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeServerFailure, Id: r.Id}}); err != nil {
 			logger.Errorf("failed writing DNS response: %v", err)
 		}
@@ -568,3 +583,16 @@ func determinePrefixChanges(oldPrefixes, newPrefixes []netip.Prefix) (toAdd, toR
 	}
 	return
 }
+
+func (d *DnsInterceptor) debugPeerTimeout(peerIP netip.Addr, peerKey string) string {
+	if d.statusRecorder == nil {
+		return ""
+	}
+
+	peerState, err := d.statusRecorder.GetPeer(peerKey)
+	if err != nil {
+		return fmt.Sprintf(" (peer %s state error: %v)", peerKey[:8], err)
+	}
+
+	return fmt.Sprintf(" (peer %s)", nbdns.FormatPeerStatus(&peerState))
+}
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -36,8 +36,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/vars"
 	"github.com/netbirdio/netbird/client/internal/routeselector"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	"github.com/netbirdio/netbird/route"
+	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	nbnet "github.com/netbirdio/netbird/util/net"
 	"github.com/netbirdio/netbird/version"
 )
@@ -368,7 +368,11 @@ func (m *DefaultManager) UpdateRoutes(

 	var merr *multierror.Error
 	if !m.disableClientRoutes {
-		filteredClientRoutes := m.routeSelector.FilterSelected(clientRoutes)
+
+		// Update route selector based on management server's isSelected status
+		m.updateRouteSelectorFromManagement(clientRoutes)
+
+		filteredClientRoutes := m.routeSelector.FilterSelectedExitNodes(clientRoutes)

 		if err := m.updateSystemRoutes(filteredClientRoutes); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("update system routes: %w", err))
@@ -430,7 +434,7 @@ func (m *DefaultManager) TriggerSelection(networks route.HAMap) {
 	m.mux.Lock()
 	defer m.mux.Unlock()

-	networks = m.routeSelector.FilterSelected(networks)
+	networks = m.routeSelector.FilterSelectedExitNodes(networks)

 	m.notifier.OnNewRoutes(networks)

@@ -583,3 +587,106 @@ func resolveURLsToIPs(urls []string) []net.IP {
 	}
 	return ips
 }
+
+// updateRouteSelectorFromManagement updates the route selector based on the isSelected status from the management server
+func (m *DefaultManager) updateRouteSelectorFromManagement(clientRoutes route.HAMap) {
+	exitNodeInfo := m.collectExitNodeInfo(clientRoutes)
+	if len(exitNodeInfo.allIDs) == 0 {
+		return
+	}
+
+	m.updateExitNodeSelections(exitNodeInfo)
+	m.logExitNodeUpdate(exitNodeInfo)
+}
+
+type exitNodeInfo struct {
+	allIDs               []route.NetID
+	selectedByManagement []route.NetID
+	userSelected         []route.NetID
+	userDeselected       []route.NetID
+}
+
+func (m *DefaultManager) collectExitNodeInfo(clientRoutes route.HAMap) exitNodeInfo {
+	var info exitNodeInfo
+
+	for haID, routes := range clientRoutes {
+		if !m.isExitNodeRoute(routes) {
+			continue
+		}
+
+		netID := haID.NetID()
+		info.allIDs = append(info.allIDs, netID)
+
+		if m.routeSelector.HasUserSelectionForRoute(netID) {
+			m.categorizeUserSelection(netID, &info)
+		} else {
+			m.checkManagementSelection(routes, netID, &info)
+		}
+	}
+
+	return info
+}
+
+func (m *DefaultManager) isExitNodeRoute(routes []*route.Route) bool {
+	return len(routes) > 0 && routes[0].Network.String() == vars.ExitNodeCIDR
+}
+
+func (m *DefaultManager) categorizeUserSelection(netID route.NetID, info *exitNodeInfo) {
+	if m.routeSelector.IsSelected(netID) {
+		info.userSelected = append(info.userSelected, netID)
+	} else {
+		info.userDeselected = append(info.userDeselected, netID)
+	}
+}
+
+func (m *DefaultManager) checkManagementSelection(routes []*route.Route, netID route.NetID, info *exitNodeInfo) {
+	for _, route := range routes {
+		if !route.SkipAutoApply {
+			info.selectedByManagement = append(info.selectedByManagement, netID)
+			break
+		}
+	}
+}
+
+func (m *DefaultManager) updateExitNodeSelections(info exitNodeInfo) {
+	routesToDeselect := m.getRoutesToDeselect(info.allIDs)
+	m.deselectExitNodes(routesToDeselect)
+	m.selectExitNodesByManagement(info.selectedByManagement, info.allIDs)
+}
+
+func (m *DefaultManager) getRoutesToDeselect(allIDs []route.NetID) []route.NetID {
+	var routesToDeselect []route.NetID
+	for _, netID := range allIDs {
+		if !m.routeSelector.HasUserSelectionForRoute(netID) {
+			routesToDeselect = append(routesToDeselect, netID)
+		}
+	}
+	return routesToDeselect
+}
+
+func (m *DefaultManager) deselectExitNodes(routesToDeselect []route.NetID) {
+	if len(routesToDeselect) == 0 {
+		return
+	}
+
+	err := m.routeSelector.DeselectRoutes(routesToDeselect, routesToDeselect)
+	if err != nil {
+		log.Warnf("Failed to deselect exit nodes: %v", err)
+	}
+}
+
+func (m *DefaultManager) selectExitNodesByManagement(selectedByManagement []route.NetID, allIDs []route.NetID) {
+	if len(selectedByManagement) == 0 {
+		return
+	}
+
+	err := m.routeSelector.SelectRoutes(selectedByManagement, true, allIDs)
+	if err != nil {
+		log.Warnf("Failed to select exit nodes: %v", err)
+	}
+}
+
+func (m *DefaultManager) logExitNodeUpdate(info exitNodeInfo) {
+	log.Debugf("Updated route selector: %d exit nodes available, %d selected by management, %d user-selected, %d user-deselected",
+		len(info.allIDs), len(info.selectedByManagement), len(info.userSelected), len(info.userDeselected))
+}
--- a/client/internal/routemanager/manager_test.go
+++ b/client/internal/routemanager/manager_test.go
@@ -190,14 +190,15 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			name: "No Small Client Route Should Be Added",
 			inputRoutes: []*route.Route{
 				{
-					ID:          "a",
-					NetID:       "routeA",
-					Peer:        remotePeerKey1,
-					Network:     netip.MustParsePrefix("0.0.0.0/0"),
-					NetworkType: route.IPv4Network,
-					Metric:      9999,
-					Masquerade:  false,
-					Enabled:     true,
+					ID:            "a",
+					NetID:         "routeA",
+					Peer:          remotePeerKey1,
+					Network:       netip.MustParsePrefix("0.0.0.0/0"),
+					NetworkType:   route.IPv4Network,
+					Metric:        9999,
+					Masquerade:    false,
+					Enabled:       true,
+					SkipAutoApply: false,
 				},
 			},
 			inputSerial:                          1,
--- a/client/internal/routemanager/systemops/systemops_windows.go
+++ b/client/internal/routemanager/systemops/systemops_windows.go
@@ -336,7 +336,7 @@ func createIPForwardEntry2(route *MIB_IPFORWARD_ROW2) error {
 		if e1 != 0 {
 			return fmt.Errorf("CreateIpForwardEntry2: %w", e1)
 		}
-		return fmt.Errorf("CreateIpForwardEntry2: code %d", r1)
+		return fmt.Errorf("CreateIpForwardEntry2: code %d", windows.NTStatus(r1))
 	}
 	return nil
 }
--- a/client/internal/routemanager/vars/vars.go
+++ b/client/internal/routemanager/vars/vars.go
@@ -13,4 +13,6 @@ var (

 	Defaultv4 = netip.PrefixFrom(netip.IPv4Unspecified(), 0)
 	Defaultv6 = netip.PrefixFrom(netip.IPv6Unspecified(), 0)
+
+	ExitNodeCIDR = "0.0.0.0/0"
 )
--- a/client/internal/routeselector/routeselector.go
+++ b/client/internal/routeselector/routeselector.go
@@ -9,19 +9,27 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"golang.org/x/exp/maps"

+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/route"
 )

+const (
+	exitNodeCIDR = "0.0.0.0/0"
+)
+
 type RouteSelector struct {
 	mu               sync.RWMutex
 	deselectedRoutes map[route.NetID]struct{}
+	selectedRoutes   map[route.NetID]struct{}
 	deselectAll      bool
 }

 func NewRouteSelector() *RouteSelector {
 	return &RouteSelector{
 		deselectedRoutes: map[route.NetID]struct{}{},
+		selectedRoutes:   map[route.NetID]struct{}{},
 		deselectAll:      false,
 	}
 }
@@ -32,7 +40,14 @@ func (rs *RouteSelector) SelectRoutes(routes []route.NetID, appendRoute bool, al
 	defer rs.mu.Unlock()

 	if !appendRoute || rs.deselectAll {
+		if rs.deselectedRoutes == nil {
+			rs.deselectedRoutes = map[route.NetID]struct{}{}
+		}
+		if rs.selectedRoutes == nil {
+			rs.selectedRoutes = map[route.NetID]struct{}{}
+		}
 		maps.Clear(rs.deselectedRoutes)
+		maps.Clear(rs.selectedRoutes)
 		for _, r := range allRoutes {
 			rs.deselectedRoutes[r] = struct{}{}
 		}
@@ -45,6 +60,7 @@ func (rs *RouteSelector) SelectRoutes(routes []route.NetID, appendRoute bool, al
 			continue
 		}
 		delete(rs.deselectedRoutes, route)
+		rs.selectedRoutes[route] = struct{}{}
 	}

 	rs.deselectAll = false
@@ -58,7 +74,14 @@ func (rs *RouteSelector) SelectAllRoutes() {
 	defer rs.mu.Unlock()

 	rs.deselectAll = false
+	if rs.deselectedRoutes == nil {
+		rs.deselectedRoutes = map[route.NetID]struct{}{}
+	}
+	if rs.selectedRoutes == nil {
+		rs.selectedRoutes = map[route.NetID]struct{}{}
+	}
 	maps.Clear(rs.deselectedRoutes)
+	maps.Clear(rs.selectedRoutes)
 }

 // DeselectRoutes removes specific routes from the selection.
@@ -77,6 +100,7 @@ func (rs *RouteSelector) DeselectRoutes(routes []route.NetID, allRoutes []route.
 			continue
 		}
 		rs.deselectedRoutes[route] = struct{}{}
+		delete(rs.selectedRoutes, route)
 	}

 	return errors.FormatErrorOrNil(err)
@@ -88,7 +112,14 @@ func (rs *RouteSelector) DeselectAllRoutes() {
 	defer rs.mu.Unlock()

 	rs.deselectAll = true
+	if rs.deselectedRoutes == nil {
+		rs.deselectedRoutes = map[route.NetID]struct{}{}
+	}
+	if rs.selectedRoutes == nil {
+		rs.selectedRoutes = map[route.NetID]struct{}{}
+	}
 	maps.Clear(rs.deselectedRoutes)
+	maps.Clear(rs.selectedRoutes)
 }

 // IsSelected checks if a specific route is selected.
@@ -97,11 +128,14 @@ func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
 	defer rs.mu.RUnlock()

 	if rs.deselectAll {
+		log.Debugf("Route %s not selected (deselect all)", routeID)
 		return false
 	}

 	_, deselected := rs.deselectedRoutes[routeID]
-	return !deselected
+	isSelected := !deselected
+	log.Debugf("Route %s selection status: %v (deselected: %v)", routeID, isSelected, deselected)
+	return isSelected
 }

 // FilterSelected removes unselected routes from the provided map.
@@ -124,15 +158,98 @@ func (rs *RouteSelector) FilterSelected(routes route.HAMap) route.HAMap {
 	return filtered
 }

+// HasUserSelectionForRoute returns true if the user has explicitly selected or deselected this specific route
+func (rs *RouteSelector) HasUserSelectionForRoute(routeID route.NetID) bool {
+	rs.mu.RLock()
+	defer rs.mu.RUnlock()
+
+	_, selected := rs.selectedRoutes[routeID]
+	_, deselected := rs.deselectedRoutes[routeID]
+	return selected || deselected
+}
+
+func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap {
+	rs.mu.RLock()
+	defer rs.mu.RUnlock()
+
+	if rs.deselectAll {
+		return route.HAMap{}
+	}
+
+	filtered := make(route.HAMap, len(routes))
+	for id, rt := range routes {
+		netID := id.NetID()
+		if rs.isDeselected(netID) {
+			continue
+		}
+
+		if !isExitNode(rt) {
+			filtered[id] = rt
+			continue
+		}
+
+		rs.applyExitNodeFilter(id, netID, rt, filtered)
+	}
+
+	return filtered
+}
+
+func (rs *RouteSelector) isDeselected(netID route.NetID) bool {
+	_, deselected := rs.deselectedRoutes[netID]
+	return deselected || rs.deselectAll
+}
+
+func isExitNode(rt []*route.Route) bool {
+	return len(rt) > 0 && rt[0].Network.String() == exitNodeCIDR
+}
+
+func (rs *RouteSelector) applyExitNodeFilter(
+	id route.HAUniqueID,
+	netID route.NetID,
+	rt []*route.Route,
+	out route.HAMap,
+) {
+
+	if rs.hasUserSelections() {
+		// user made explicit selects/deselects
+		if rs.IsSelected(netID) {
+			out[id] = rt
+		}
+		return
+	}
+
+	// no explicit selections: only include routes marked !SkipAutoApply (=AutoApply)
+	sel := collectSelected(rt)
+	if len(sel) > 0 {
+		out[id] = sel
+	}
+}
+
+func (rs *RouteSelector) hasUserSelections() bool {
+	return len(rs.selectedRoutes) > 0 || len(rs.deselectedRoutes) > 0
+}
+
+func collectSelected(rt []*route.Route) []*route.Route {
+	var sel []*route.Route
+	for _, r := range rt {
+		if !r.SkipAutoApply {
+			sel = append(sel, r)
+		}
+	}
+	return sel
+}
+
 // MarshalJSON implements the json.Marshaler interface
 func (rs *RouteSelector) MarshalJSON() ([]byte, error) {
 	rs.mu.RLock()
 	defer rs.mu.RUnlock()

 	return json.Marshal(struct {
+		SelectedRoutes   map[route.NetID]struct{} `json:"selected_routes"`
 		DeselectedRoutes map[route.NetID]struct{} `json:"deselected_routes"`
 		DeselectAll      bool                     `json:"deselect_all"`
 	}{
+		SelectedRoutes:   rs.selectedRoutes,
 		DeselectedRoutes: rs.deselectedRoutes,
 		DeselectAll:      rs.deselectAll,
 	})
@@ -147,11 +264,13 @@ func (rs *RouteSelector) UnmarshalJSON(data []byte) error {
 	// Check for null or empty JSON
 	if len(data) == 0 || string(data) == "null" {
 		rs.deselectedRoutes = map[route.NetID]struct{}{}
+		rs.selectedRoutes = map[route.NetID]struct{}{}
 		rs.deselectAll = false
 		return nil
 	}

 	var temp struct {
+		SelectedRoutes   map[route.NetID]struct{} `json:"selected_routes"`
 		DeselectedRoutes map[route.NetID]struct{} `json:"deselected_routes"`
 		DeselectAll      bool                     `json:"deselect_all"`
 	}
@@ -160,12 +279,16 @@ func (rs *RouteSelector) UnmarshalJSON(data []byte) error {
 		return err
 	}

+	rs.selectedRoutes = temp.SelectedRoutes
 	rs.deselectedRoutes = temp.DeselectedRoutes
 	rs.deselectAll = temp.DeselectAll

 	if rs.deselectedRoutes == nil {
 		rs.deselectedRoutes = map[route.NetID]struct{}{}
 	}
+	if rs.selectedRoutes == nil {
+		rs.selectedRoutes = map[route.NetID]struct{}{}
+	}

 	return nil
 }
--- a/client/internal/routeselector/routeselector_test.go
+++ b/client/internal/routeselector/routeselector_test.go
@@ -1,6 +1,7 @@
 package routeselector_test

 import (
+	"net/netip"
 	"slices"
 	"testing"

@@ -273,6 +274,62 @@ func TestRouteSelector_FilterSelected(t *testing.T) {
 	}, filtered)
 }

+func TestRouteSelector_FilterSelectedExitNodes(t *testing.T) {
+	rs := routeselector.NewRouteSelector()
+
+	// Create test routes
+	exitNode1 := &route.Route{
+		ID:            "route1",
+		NetID:         "net1",
+		Network:       netip.MustParsePrefix("0.0.0.0/0"),
+		Peer:          "peer1",
+		SkipAutoApply: false,
+	}
+	exitNode2 := &route.Route{
+		ID:            "route2",
+		NetID:         "net1",
+		Network:       netip.MustParsePrefix("0.0.0.0/0"),
+		Peer:          "peer2",
+		SkipAutoApply: true,
+	}
+	normalRoute := &route.Route{
+		ID:            "route3",
+		NetID:         "net2",
+		Network:       netip.MustParsePrefix("192.168.1.0/24"),
+		Peer:          "peer3",
+		SkipAutoApply: false,
+	}
+
+	routes := route.HAMap{
+		"net1|0.0.0.0/0":      {exitNode1, exitNode2},
+		"net2|192.168.1.0/24": {normalRoute},
+	}
+
+	// Test filtering
+	filtered := rs.FilterSelectedExitNodes(routes)
+
+	// Should only include selected exit nodes and all normal routes
+	assert.Len(t, filtered, 2)
+	assert.Len(t, filtered["net1|0.0.0.0/0"], 1) // Only the selected exit node
+	assert.Equal(t, exitNode1.ID, filtered["net1|0.0.0.0/0"][0].ID)
+	assert.Len(t, filtered["net2|192.168.1.0/24"], 1) // Normal route should be included
+	assert.Equal(t, normalRoute.ID, filtered["net2|192.168.1.0/24"][0].ID)
+
+	// Test with deselected routes
+	err := rs.DeselectRoutes([]route.NetID{"net1"}, []route.NetID{"net1", "net2"})
+	assert.NoError(t, err)
+	filtered = rs.FilterSelectedExitNodes(routes)
+	assert.Len(t, filtered, 1) // Only normal route should remain
+	assert.Len(t, filtered["net2|192.168.1.0/24"], 1)
+	assert.Equal(t, normalRoute.ID, filtered["net2|192.168.1.0/24"][0].ID)
+
+	// Test with deselect all
+	rs = routeselector.NewRouteSelector()
+	rs.DeselectAllRoutes()
+	filtered = rs.FilterSelectedExitNodes(routes)
+	assert.Len(t, filtered, 0) // No routes should be selected
+}
+
 func TestRouteSelector_NewRoutesBehavior(t *testing.T) {
 	initialRoutes := []route.NetID{"route1", "route2", "route3"}
 	newRoutes := []route.NetID{"route1", "route2", "route3", "route4", "route5"}
--- a/client/internal/stdnet/stdnet.go
+++ b/client/internal/stdnet/stdnet.go
@@ -9,6 +9,7 @@ import (
 	"sync"
 	"time"

+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/pion/transport/v3"
 	"github.com/pion/transport/v3/stdnet"
 )
@@ -32,9 +33,15 @@ type Net struct {
 // NewNetWithDiscover creates a new StdNet instance.
 func NewNetWithDiscover(iFaceDiscover ExternalIFaceDiscover, disallowList []string) (*Net, error) {
 	n := &Net{
-		iFaceDiscover:   newMobileIFaceDiscover(iFaceDiscover),
 		interfaceFilter: InterfaceFilter(disallowList),
 	}
+	// current ExternalIFaceDiscover implement in android-client https://github.dev/netbirdio/android-client
+	// so in android cli use pionDiscover
+	if netstack.IsEnabled() {
+		n.iFaceDiscover = pionDiscover{}
+	} else {
+		newMobileIFaceDiscover(iFaceDiscover)
+	}
 	return n, n.UpdateInterfaces()
 }

--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
@@ -278,6 +278,7 @@ type LoginRequest struct {
 	BlockInbound          *bool   `protobuf:"varint,29,opt,name=block_inbound,json=blockInbound,proto3,oneof" json:"block_inbound,omitempty"`
 	ProfileName           *string `protobuf:"bytes,30,opt,name=profileName,proto3,oneof" json:"profileName,omitempty"`
 	Username              *string `protobuf:"bytes,31,opt,name=username,proto3,oneof" json:"username,omitempty"`
+	Mtu                   *int64  `protobuf:"varint,32,opt,name=mtu,proto3,oneof" json:"mtu,omitempty"`
 	unknownFields         protoimpl.UnknownFields
 	sizeCache             protoimpl.SizeCache
 }
@@ -530,6 +531,13 @@ func (x *LoginRequest) GetUsername() string {
 	return ""
 }

+func (x *LoginRequest) GetMtu() int64 {
+	if x != nil && x.Mtu != nil {
+		return *x.Mtu
+	}
+	return 0
+}
+
 type LoginResponse struct {
 	state                   protoimpl.MessageState `protogen:"open.v1"`
 	NeedsSSOLogin           bool                   `protobuf:"varint,1,opt,name=needsSSOLogin,proto3" json:"needsSSOLogin,omitempty"`
@@ -1034,6 +1042,7 @@ type GetConfigResponse struct {
 	AdminURL              string `protobuf:"bytes,5,opt,name=adminURL,proto3" json:"adminURL,omitempty"`
 	InterfaceName         string `protobuf:"bytes,6,opt,name=interfaceName,proto3" json:"interfaceName,omitempty"`
 	WireguardPort         int64  `protobuf:"varint,7,opt,name=wireguardPort,proto3" json:"wireguardPort,omitempty"`
+	Mtu                   int64  `protobuf:"varint,8,opt,name=mtu,proto3" json:"mtu,omitempty"`
 	DisableAutoConnect    bool   `protobuf:"varint,9,opt,name=disableAutoConnect,proto3" json:"disableAutoConnect,omitempty"`
 	ServerSSHAllowed      bool   `protobuf:"varint,10,opt,name=serverSSHAllowed,proto3" json:"serverSSHAllowed,omitempty"`
 	RosenpassEnabled      bool   `protobuf:"varint,11,opt,name=rosenpassEnabled,proto3" json:"rosenpassEnabled,omitempty"`
@@ -1129,6 +1138,13 @@ func (x *GetConfigResponse) GetWireguardPort() int64 {
 	return 0
 }

+func (x *GetConfigResponse) GetMtu() int64 {
+	if x != nil {
+		return x.Mtu
+	}
+	return 0
+}
+
 func (x *GetConfigResponse) GetDisableAutoConnect() bool {
 	if x != nil {
 		return x.DisableAutoConnect
@@ -3679,6 +3695,7 @@ type SetConfigRequest struct {
 	// cleanDNSLabels clean map list of DNS labels.
 	CleanDNSLabels   bool                 `protobuf:"varint,26,opt,name=cleanDNSLabels,proto3" json:"cleanDNSLabels,omitempty"`
 	DnsRouteInterval *durationpb.Duration `protobuf:"bytes,27,opt,name=dnsRouteInterval,proto3,oneof" json:"dnsRouteInterval,omitempty"`
+	Mtu              *int64               `protobuf:"varint,28,opt,name=mtu,proto3,oneof" json:"mtu,omitempty"`
 	unknownFields    protoimpl.UnknownFields
 	sizeCache        protoimpl.SizeCache
 }
@@ -3902,6 +3919,13 @@ func (x *SetConfigRequest) GetDnsRouteInterval() *durationpb.Duration {
 	return nil
 }

+func (x *SetConfigRequest) GetMtu() int64 {
+	if x != nil && x.Mtu != nil {
+		return *x.Mtu
+	}
+	return 0
+}
+
 type SetConfigResponse struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	unknownFields protoimpl.UnknownFields
@@ -4575,7 +4599,7 @@ var File_daemon_proto protoreflect.FileDescriptor
 const file_daemon_proto_rawDesc = "" +
 	"\n" +
 	"\fdaemon.proto\x12\x06daemon\x1a google/protobuf/descriptor.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1egoogle/protobuf/duration.proto\"\x0e\n" +
-	"\fEmptyRequest\"\xa4\x0e\n" +
+	"\fEmptyRequest\"\xc3\x0e\n" +
 	"\fLoginRequest\x12\x1a\n" +
 	"\bsetupKey\x18\x01 \x01(\tR\bsetupKey\x12&\n" +
 	"\fpreSharedKey\x18\x02 \x01(\tB\x02\x18\x01R\fpreSharedKey\x12$\n" +
@@ -4611,7 +4635,8 @@ const file_daemon_proto_rawDesc = "" +
 	"\x15lazyConnectionEnabled\x18\x1c \x01(\bH\x0fR\x15lazyConnectionEnabled\x88\x01\x01\x12(\n" +
 	"\rblock_inbound\x18\x1d \x01(\bH\x10R\fblockInbound\x88\x01\x01\x12%\n" +
 	"\vprofileName\x18\x1e \x01(\tH\x11R\vprofileName\x88\x01\x01\x12\x1f\n" +
-	"\busername\x18\x1f \x01(\tH\x12R\busername\x88\x01\x01B\x13\n" +
+	"\busername\x18\x1f \x01(\tH\x12R\busername\x88\x01\x01\x12\x15\n" +
+	"\x03mtu\x18  \x01(\x03H\x13R\x03mtu\x88\x01\x01B\x13\n" +
 	"\x11_rosenpassEnabledB\x10\n" +
 	"\x0e_interfaceNameB\x10\n" +
 	"\x0e_wireguardPortB\x17\n" +
@@ -4630,7 +4655,8 @@ const file_daemon_proto_rawDesc = "" +
 	"\x16_lazyConnectionEnabledB\x10\n" +
 	"\x0e_block_inboundB\x0e\n" +
 	"\f_profileNameB\v\n" +
-	"\t_username\"\xb5\x01\n" +
+	"\t_usernameB\x06\n" +
+	"\x04_mtu\"\xb5\x01\n" +
 	"\rLoginResponse\x12$\n" +
 	"\rneedsSSOLogin\x18\x01 \x01(\bR\rneedsSSOLogin\x12\x1a\n" +
 	"\buserCode\x18\x02 \x01(\tR\buserCode\x12(\n" +
@@ -4661,7 +4687,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\fDownResponse\"P\n" +
 	"\x10GetConfigRequest\x12 \n" +
 	"\vprofileName\x18\x01 \x01(\tR\vprofileName\x12\x1a\n" +
-	"\busername\x18\x02 \x01(\tR\busername\"\xa3\x06\n" +
+	"\busername\x18\x02 \x01(\tR\busername\"\xb5\x06\n" +
 	"\x11GetConfigResponse\x12$\n" +
 	"\rmanagementUrl\x18\x01 \x01(\tR\rmanagementUrl\x12\x1e\n" +
 	"\n" +
@@ -4671,7 +4697,8 @@ const file_daemon_proto_rawDesc = "" +
 	"\fpreSharedKey\x18\x04 \x01(\tR\fpreSharedKey\x12\x1a\n" +
 	"\badminURL\x18\x05 \x01(\tR\badminURL\x12$\n" +
 	"\rinterfaceName\x18\x06 \x01(\tR\rinterfaceName\x12$\n" +
-	"\rwireguardPort\x18\a \x01(\x03R\rwireguardPort\x12.\n" +
+	"\rwireguardPort\x18\a \x01(\x03R\rwireguardPort\x12\x10\n" +
+	"\x03mtu\x18\b \x01(\x03R\x03mtu\x12.\n" +
 	"\x12disableAutoConnect\x18\t \x01(\bR\x12disableAutoConnect\x12*\n" +
 	"\x10serverSSHAllowed\x18\n" +
 	" \x01(\bR\x10serverSSHAllowed\x12*\n" +
@@ -4885,7 +4912,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\busername\x18\x02 \x01(\tH\x01R\busername\x88\x01\x01B\x0e\n" +
 	"\f_profileNameB\v\n" +
 	"\t_username\"\x17\n" +
-	"\x15SwitchProfileResponse\"\xef\f\n" +
+	"\x15SwitchProfileResponse\"\x8e\r\n" +
 	"\x10SetConfigRequest\x12\x1a\n" +
 	"\busername\x18\x01 \x01(\tR\busername\x12 \n" +
 	"\vprofileName\x18\x02 \x01(\tR\vprofileName\x12$\n" +
@@ -4917,7 +4944,8 @@ const file_daemon_proto_rawDesc = "" +
 	"\n" +
 	"dns_labels\x18\x19 \x03(\tR\tdnsLabels\x12&\n" +
 	"\x0ecleanDNSLabels\x18\x1a \x01(\bR\x0ecleanDNSLabels\x12J\n" +
-	"\x10dnsRouteInterval\x18\x1b \x01(\v2\x19.google.protobuf.DurationH\x10R\x10dnsRouteInterval\x88\x01\x01B\x13\n" +
+	"\x10dnsRouteInterval\x18\x1b \x01(\v2\x19.google.protobuf.DurationH\x10R\x10dnsRouteInterval\x88\x01\x01\x12\x15\n" +
+	"\x03mtu\x18\x1c \x01(\x03H\x11R\x03mtu\x88\x01\x01B\x13\n" +
 	"\x11_rosenpassEnabledB\x10\n" +
 	"\x0e_interfaceNameB\x10\n" +
 	"\x0e_wireguardPortB\x17\n" +
@@ -4934,7 +4962,8 @@ const file_daemon_proto_rawDesc = "" +
 	"\x16_disable_notificationsB\x18\n" +
 	"\x16_lazyConnectionEnabledB\x10\n" +
 	"\x0e_block_inboundB\x13\n" +
-	"\x11_dnsRouteInterval\"\x13\n" +
+	"\x11_dnsRouteIntervalB\x06\n" +
+	"\x04_mtu\"\x13\n" +
 	"\x11SetConfigResponse\"Q\n" +
 	"\x11AddProfileRequest\x12\x1a\n" +
 	"\busername\x18\x01 \x01(\tR\busername\x12 \n" +
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -156,6 +156,8 @@ message LoginRequest {

  optional string profileName = 30;
  optional string username = 31;
+
+  optional int64 mtu = 32;
 }

 message LoginResponse {
@@ -223,6 +225,8 @@ message GetConfigResponse {

  int64 wireguardPort = 7;

+  int64 mtu = 8;
+
  bool disableAutoConnect = 9;

  bool serverSSHAllowed = 10;
@@ -538,36 +542,36 @@ message SetConfigRequest {
    string profileName = 2;
    // managementUrl to authenticate.
    string managementUrl = 3;
-  
+
    // adminUrl to manage keys.
    string adminURL = 4;
-        
+
    optional bool rosenpassEnabled = 5;
-  
+
    optional string interfaceName = 6;
-  
+
    optional int64 wireguardPort = 7;
-  
+
    optional string optionalPreSharedKey = 8;
-  
+
    optional bool disableAutoConnect = 9;
-  
+
    optional bool serverSSHAllowed = 10;
-  
+
    optional bool rosenpassPermissive = 11;
-  
+
    optional bool networkMonitor = 12;
-  
+
    optional bool disable_client_routes = 13;
    optional bool disable_server_routes = 14;
    optional bool disable_dns = 15;
    optional bool disable_firewall = 16;
    optional bool block_lan_access = 17;
-  
+
    optional bool disable_notifications = 18;
-  
+
    optional bool lazyConnectionEnabled = 19;
-  
+
    optional bool block_inbound = 20;

    repeated string natExternalIPs = 21;
@@ -583,6 +587,7 @@ message SetConfigRequest {

    optional google.protobuf.Duration dnsRouteInterval = 27;

+    optional int64 mtu = 28;
 }

 message SetConfigResponse{}
@@ -633,4 +638,4 @@ message GetFeaturesRequest{}
 message GetFeaturesResponse{
  bool disable_profiles = 1;
  bool disable_update_settings = 2;
-}
+}
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -400,6 +400,11 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 	config.LazyConnectionEnabled = msg.LazyConnectionEnabled
 	config.BlockInbound = msg.BlockInbound

+	if msg.Mtu != nil {
+		mtu := uint16(*msg.Mtu)
+		config.MTU = &mtu
+	}
+
 	if _, err := profilemanager.UpdateConfig(config); err != nil {
 		log.Errorf("failed to update profile config: %v", err)
 		return nil, fmt.Errorf("failed to update profile config: %w", err)
@@ -484,6 +489,7 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 		// nolint
 		ctx = context.WithValue(ctx, system.DeviceNameCtxKey, msg.Hostname)
 	}
+
 	s.mutex.Unlock()

 	config, err := s.getConfig(activeProf)
@@ -1105,6 +1111,7 @@ func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*p
 		AdminURL:              adminURL.String(),
 		InterfaceName:         cfg.WgIface,
 		WireguardPort:         int64(cfg.WgPort),
+		Mtu:                   int64(cfg.MTU),
 		DisableAutoConnect:    cfg.DisableAutoConnect,
 		ServerSSHAllowed:      *cfg.ServerSSHAllowed,
 		RosenpassEnabled:      cfg.RosenpassEnabled,
--- a/client/ui/client_ui.go
+++ b/client/ui/client_ui.go
@@ -257,6 +257,7 @@ type serviceClient struct {
 	iPreSharedKey  *widget.Entry
 	iInterfaceName *widget.Entry
 	iInterfacePort *widget.Entry
+	iMTU           *widget.Entry

 	// switch elements for settings form
 	sRosenpassPermissive *widget.Check
@@ -272,6 +273,7 @@ type serviceClient struct {
 	RosenpassPermissive bool
 	interfaceName       string
 	interfacePort       int
+	mtu                 uint16
 	networkMonitor      bool
 	disableDNS          bool
 	disableClientRoutes bool
@@ -413,6 +415,7 @@ func (s *serviceClient) showSettingsUI() {
 	s.iPreSharedKey = widget.NewPasswordEntry()
 	s.iInterfaceName = widget.NewEntry()
 	s.iInterfacePort = widget.NewEntry()
+	s.iMTU = widget.NewEntry()

 	s.sRosenpassPermissive = widget.NewCheck("Enable Rosenpass permissive mode", nil)

@@ -446,6 +449,7 @@ func (s *serviceClient) getSettingsForm() *widget.Form {
 			{Text: "Quantum-Resistance", Widget: s.sRosenpassPermissive},
 			{Text: "Interface Name", Widget: s.iInterfaceName},
 			{Text: "Interface Port", Widget: s.iInterfacePort},
+			{Text: "MTU", Widget: s.iMTU},
 			{Text: "Management URL", Widget: s.iMngURL},
 			{Text: "Pre-shared Key", Widget: s.iPreSharedKey},
 			{Text: "Log File", Widget: s.iLogFile},
@@ -482,6 +486,21 @@ func (s *serviceClient) getSettingsForm() *widget.Form {
 				return
 			}

+			var mtu int64
+			mtuText := strings.TrimSpace(s.iMTU.Text)
+			if mtuText != "" {
+				var err error
+				mtu, err = strconv.ParseInt(mtuText, 10, 64)
+				if err != nil {
+					dialog.ShowError(errors.New("Invalid MTU value"), s.wSettings)
+					return
+				}
+				if mtu < iface.MinMTU || mtu > iface.MaxMTU {
+					dialog.ShowError(fmt.Errorf("MTU must be between %d and %d bytes", iface.MinMTU, iface.MaxMTU), s.wSettings)
+					return
+				}
+			}
+
 			iMngURL := strings.TrimSpace(s.iMngURL.Text)

 			defer s.wSettings.Close()
@@ -490,6 +509,7 @@ func (s *serviceClient) getSettingsForm() *widget.Form {
 			if s.managementURL != iMngURL || s.preSharedKey != s.iPreSharedKey.Text ||
 				s.RosenpassPermissive != s.sRosenpassPermissive.Checked ||
 				s.interfaceName != s.iInterfaceName.Text || s.interfacePort != int(port) ||
+				s.mtu != uint16(mtu) ||
 				s.networkMonitor != s.sNetworkMonitor.Checked ||
 				s.disableDNS != s.sDisableDNS.Checked ||
 				s.disableClientRoutes != s.sDisableClientRoutes.Checked ||
@@ -498,6 +518,7 @@ func (s *serviceClient) getSettingsForm() *widget.Form {

 				s.managementURL = iMngURL
 				s.preSharedKey = s.iPreSharedKey.Text
+				s.mtu = uint16(mtu)

 				currUser, err := user.Current()
 				if err != nil {
@@ -508,7 +529,7 @@ func (s *serviceClient) getSettingsForm() *widget.Form {
 				var req proto.SetConfigRequest
 				req.ProfileName = activeProf.Name
 				req.Username = currUser.Username
-
+				
 				if iMngURL != "" {
 					req.ManagementUrl = iMngURL
 				}
@@ -516,6 +537,9 @@ func (s *serviceClient) getSettingsForm() *widget.Form {
 				req.RosenpassPermissive = &s.sRosenpassPermissive.Checked
 				req.InterfaceName = &s.iInterfaceName.Text
 				req.WireguardPort = &port
+				if mtu > 0 {
+					req.Mtu = &mtu
+				}
 				req.NetworkMonitor = &s.sNetworkMonitor.Checked
 				req.DisableDns = &s.sDisableDNS.Checked
 				req.DisableClientRoutes = &s.sDisableClientRoutes.Checked
@@ -1088,6 +1112,7 @@ func (s *serviceClient) getSrvConfig() {
 	s.RosenpassPermissive = cfg.RosenpassPermissive
 	s.interfaceName = cfg.WgIface
 	s.interfacePort = cfg.WgPort
+	s.mtu = cfg.MTU

 	s.networkMonitor = *cfg.NetworkMonitor
 	s.disableDNS = cfg.DisableDNS
@@ -1100,6 +1125,12 @@ func (s *serviceClient) getSrvConfig() {
 		s.iPreSharedKey.SetText(cfg.PreSharedKey)
 		s.iInterfaceName.SetText(cfg.WgIface)
 		s.iInterfacePort.SetText(strconv.Itoa(cfg.WgPort))
+		if cfg.MTU != 0 {
+			s.iMTU.SetText(strconv.Itoa(int(cfg.MTU)))
+		} else {
+			s.iMTU.SetText("")
+			s.iMTU.SetPlaceHolder(strconv.Itoa(int(iface.DefaultMTU)))
+		}
 		s.sRosenpassPermissive.SetChecked(cfg.RosenpassPermissive)
 		if !cfg.RosenpassEnabled {
 			s.sRosenpassPermissive.Disable()
@@ -1160,6 +1191,12 @@ func protoConfigToConfig(cfg *proto.GetConfigResponse) *profilemanager.Config {
 		config.WgPort = iface.DefaultWgPort
 	}

+	if cfg.Mtu != 0 {
+		config.MTU = uint16(cfg.Mtu)
+	} else {
+		config.MTU = iface.DefaultMTU
+	}
+
 	config.DisableAutoConnect = cfg.DisableAutoConnect
 	config.ServerSSHAllowed = &cfg.ServerSSHAllowed
 	config.RosenpassEnabled = cfg.RosenpassEnabled
--- a/go.mod
+++ b/go.mod
@@ -6,26 +6,24 @@ require (
 	cunicu.li/go-rosenpass v0.4.0
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/cloudflare/circl v1.3.3 // indirect
-	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.4
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.0
 	github.com/kardianos/service v1.2.3-0.20240613133416-becf2eb62b83
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.27.6
-	github.com/pion/ice/v3 v3.0.2
 	github.com/rs/cors v1.8.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/vishvananda/netlink v1.3.0
-	golang.org/x/crypto v0.37.0
-	golang.org/x/sys v0.32.0
+	golang.org/x/crypto v0.40.0
+	golang.org/x/sys v0.34.0
 	golang.zx2c4.com/wireguard v0.0.0-20230704135630-469159ecf7d1
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	google.golang.org/grpc v1.64.1
-	google.golang.org/protobuf v1.36.6
+	google.golang.org/grpc v1.73.0
+	google.golang.org/protobuf v1.36.8
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 )

@@ -48,6 +46,7 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/gliderlabs/ssh v0.3.8
 	github.com/godbus/dbus/v5 v5.1.0
+	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/golang/mock v1.6.0
 	github.com/google/go-cmp v0.7.0
 	github.com/google/gopacket v1.1.19
@@ -63,16 +62,18 @@ require (
 	github.com/miekg/dns v1.1.59
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/nadoo/ipset v0.5.0
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20250812185008-dfc66fa49a2e
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20250820151658-9ee1b34f4190
 	github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
 	github.com/oschwald/maxminddb-golang v1.12.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/petermattis/goid v0.0.0-20250303134427-723919f7f203
-	github.com/pion/logging v0.2.2
+	github.com/pion/ice/v4 v4.0.0-00010101000000-000000000000
+	github.com/pion/logging v0.2.4
 	github.com/pion/randutil v0.1.0
 	github.com/pion/stun/v2 v2.0.0
-	github.com/pion/transport/v3 v3.0.1
+	github.com/pion/stun/v3 v3.0.0
+	github.com/pion/transport/v3 v3.0.7
 	github.com/pion/turn/v3 v3.0.1
 	github.com/prometheus/client_golang v1.22.0
 	github.com/quic-go/quic-go v0.48.2
@@ -93,18 +94,18 @@ require (
 	github.com/yusufpapurcu/wmi v1.2.4
 	github.com/zcalusic/sysinfo v1.1.3
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0
-	go.opentelemetry.io/otel v1.26.0
+	go.opentelemetry.io/otel v1.35.0
 	go.opentelemetry.io/otel/exporters/prometheus v0.48.0
-	go.opentelemetry.io/otel/metric v1.26.0
-	go.opentelemetry.io/otel/sdk/metric v1.26.0
+	go.opentelemetry.io/otel/metric v1.35.0
+	go.opentelemetry.io/otel/sdk/metric v1.35.0
 	go.uber.org/zap v1.27.0
 	goauthentik.io/api/v3 v3.2023051.3
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
 	golang.org/x/mobile v0.0.0-20231127183840-76ac6878050a
-	golang.org/x/net v0.39.0
-	golang.org/x/oauth2 v0.27.0
-	golang.org/x/sync v0.13.0
-	golang.org/x/term v0.31.0
+	golang.org/x/net v0.42.0
+	golang.org/x/oauth2 v0.28.0
+	golang.org/x/sync v0.16.0
+	golang.org/x/term v0.33.0
 	google.golang.org/api v0.177.0
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/mysql v1.5.7
@@ -117,7 +118,7 @@ require (
 require (
 	cloud.google.com/go/auth v0.3.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
-	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
 	dario.cat/mergo v1.0.0 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
@@ -212,8 +213,10 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pion/dtls/v2 v2.2.10 // indirect
-	github.com/pion/mdns v0.0.12 // indirect
+	github.com/pion/dtls/v3 v3.0.7 // indirect
+	github.com/pion/mdns/v2 v2.0.7 // indirect
 	github.com/pion/transport/v2 v2.2.4 // indirect
+	github.com/pion/turn/v4 v4.1.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
@@ -229,22 +232,23 @@ require (
 	github.com/tklauser/numcpus v0.8.0 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
+	github.com/wlynxg/anet v0.0.3 // indirect
 	github.com/yuin/goldmark v1.7.1 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.26.0 // indirect
-	go.opentelemetry.io/otel/trace v1.26.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
 	go.uber.org/mock v0.4.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/image v0.18.0 // indirect
-	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/mod v0.25.0 // indirect
+	golang.org/x/text v0.27.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	golang.org/x/tools v0.34.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240509183442-62759503f434 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 )
@@ -257,6 +261,6 @@ replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-2

 replace github.com/cloudflare/circl => github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6

-replace github.com/pion/ice/v3 => github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e
+replace github.com/pion/ice/v4 => github.com/netbirdio/ice/v4 v4.0.0-20250827161942-426799a23107

 replace github.com/libp2p/go-netroute => github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944
--- a/go.sum
+++ b/go.sum
@@ -29,8 +29,8 @@ cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUM
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
 cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
-cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
-cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
+cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I=
+cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
@@ -246,8 +246,8 @@ github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -501,10 +501,10 @@ github.com/neelance/astrewrite v0.0.0-20160511093645-99348263ae86/go.mod h1:kHJE
 github.com/neelance/sourcemap v0.0.0-20200213170602-2833bce08e4c/go.mod h1:Qr6/a/Q4r9LP1IltGz7tA7iOK1WonHEYhu1HRBA7ZiM=
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6Sf8uYFx/dMeqNOL90KUoRscdfpFZ3Im89uk=
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
-github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e h1:PURA50S8u4mF6RrkYYCAvvPCixhqqEiEy3Ej6avh04c=
-github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e/go.mod h1:YMLU7qbKfVjmEv7EoZPIVEI+kNYxWCdPK3VS0BU+U4Q=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20250812185008-dfc66fa49a2e h1:S85laGfx1UP+nmRF9smP6/TY965kLWz41PbBK1TX8g0=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20250812185008-dfc66fa49a2e/go.mod h1:Jjve0+eUjOLKL3PJtAhjfM2iJ0SxWio5elHqlV1ymP8=
+github.com/netbirdio/ice/v4 v4.0.0-20250827161942-426799a23107 h1:ZJwhKexMlK15B/Ld+1T8VYE2Mt1lk1kf2DlXr46EHcw=
+github.com/netbirdio/ice/v4 v4.0.0-20250827161942-426799a23107/go.mod h1:ZSIbPdBn5hePO8CpF1PekH2SfpTxg1PDhEwtbqZS7R8=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20250820151658-9ee1b34f4190 h1:/ZbExdcDwRq6XgTpTf5I1DPqnC3eInEf0fcmkqR8eSg=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20250820151658-9ee1b34f4190/go.mod h1:v0nUbbHbuQnqR7yKIYnKzsLBCswLtp2JctmKYmGgVhc=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9axERMVN63dqyFqnvuD+EMJHzM7mNGON8=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 h1:ujgviVYmx243Ksy7NdSwrdGPSRNE3pb8kEDSpH0QuAQ=
@@ -546,21 +546,29 @@ github.com/petermattis/goid v0.0.0-20250303134427-723919f7f203/go.mod h1:pxMtw7c
 github.com/pion/dtls/v2 v2.2.7/go.mod h1:8WiMkebSHFD0T+dIU+UeBaoV7kDhOW5oDCzZ7WZ/F9s=
 github.com/pion/dtls/v2 v2.2.10 h1:u2Axk+FyIR1VFTPurktB+1zoEPGIW3bmyj3LEFrXjAA=
 github.com/pion/dtls/v2 v2.2.10/go.mod h1:d9SYc9fch0CqK90mRk1dC7AkzzpwJj6u2GU3u+9pqFE=
-github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY=
+github.com/pion/dtls/v3 v3.0.7 h1:bItXtTYYhZwkPFk4t1n3Kkf5TDrfj6+4wG+CZR8uI9Q=
+github.com/pion/dtls/v3 v3.0.7/go.mod h1:uDlH5VPrgOQIw59irKYkMudSFprY9IEFCqz/eTz16f8=
 github.com/pion/logging v0.2.2/go.mod h1:k0/tDVsRCX2Mb2ZEmTqNa7CWsQPc+YYCB7Q+5pahoms=
-github.com/pion/mdns v0.0.12 h1:CiMYlY+O0azojWDmxdNr7ADGrnZ+V6Ilfner+6mSVK8=
-github.com/pion/mdns v0.0.12/go.mod h1:VExJjv8to/6Wqm1FXK+Ii/Z9tsVk/F5sD/N70cnYFbk=
+github.com/pion/logging v0.2.4 h1:tTew+7cmQ+Mc1pTBLKH2puKsOvhm32dROumOZ655zB8=
+github.com/pion/logging v0.2.4/go.mod h1:DffhXTKYdNZU+KtJ5pyQDjvOAh/GsNSyv1lbkFbe3so=
+github.com/pion/mdns/v2 v2.0.7 h1:c9kM8ewCgjslaAmicYMFQIde2H9/lrZpjBkN8VwoVtM=
+github.com/pion/mdns/v2 v2.0.7/go.mod h1:vAdSYNAT0Jy3Ru0zl2YiW3Rm/fJCwIeM0nToenfOJKA=
 github.com/pion/randutil v0.1.0 h1:CFG1UdESneORglEsnimhUjf33Rwjubwj6xfiOXBa3mA=
 github.com/pion/randutil v0.1.0/go.mod h1:XcJrSMMbbMRhASFVOlj/5hQial/Y8oH/HVo7TBZq+j8=
 github.com/pion/stun/v2 v2.0.0 h1:A5+wXKLAypxQri59+tmQKVs7+l6mMM+3d+eER9ifRU0=
 github.com/pion/stun/v2 v2.0.0/go.mod h1:22qRSh08fSEttYUmJZGlriq9+03jtVmXNODgLccj8GQ=
+github.com/pion/stun/v3 v3.0.0 h1:4h1gwhWLWuZWOJIJR9s2ferRO+W3zA/b6ijOI6mKzUw=
+github.com/pion/stun/v3 v3.0.0/go.mod h1:HvCN8txt8mwi4FBvS3EmDghW6aQJ24T+y+1TKjB5jyU=
 github.com/pion/transport/v2 v2.2.1/go.mod h1:cXXWavvCnFF6McHTft3DWS9iic2Mftcz1Aq29pGcU5g=
 github.com/pion/transport/v2 v2.2.4 h1:41JJK6DZQYSeVLxILA2+F4ZkKb4Xd/tFJZRFZQ9QAlo=
 github.com/pion/transport/v2 v2.2.4/go.mod h1:q2U/tf9FEfnSBGSW6w5Qp5PFWRLRj3NjLhCCgpRK4p0=
-github.com/pion/transport/v3 v3.0.1 h1:gDTlPJwROfSfz6QfSi0ZmeCSkFcnWWiiR9ES0ouANiM=
 github.com/pion/transport/v3 v3.0.1/go.mod h1:UY7kiITrlMv7/IKgd5eTUcaahZx5oUN3l9SzK5f5xE0=
+github.com/pion/transport/v3 v3.0.7 h1:iRbMH05BzSNwhILHoBoAPxoB9xQgOaJk+591KC9P1o0=
+github.com/pion/transport/v3 v3.0.7/go.mod h1:YleKiTZ4vqNxVwh77Z0zytYi7rXHl7j6uPLGhhz9rwo=
 github.com/pion/turn/v3 v3.0.1 h1:wLi7BTQr6/Q20R0vt/lHbjv6y4GChFtC33nkYbasoT8=
 github.com/pion/turn/v3 v3.0.1/go.mod h1:MrJDKgqryDyWy1/4NT9TWfXWGMC7UHT6pJIv1+gMeNE=
+github.com/pion/turn/v4 v4.1.1 h1:9UnY2HB99tpDyz3cVVZguSxcqkJ1DsTSZ+8TGruh4fc=
+github.com/pion/turn/v4 v4.1.1/go.mod h1:2123tHk1O++vmjI5VSD0awT50NywDAq5A2NNNU4Jjs8=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -588,8 +596,8 @@ github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0
 github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rs/cors v1.8.0 h1:P2KMzcFwrPoSjkF1WLRPsp3UMLyql8L4v9hQpVeK5so=
 github.com/rs/cors v1.8.0/go.mod h1:EBwu+T5AvHOcXwvZIkQFjUN6s8Czyqw12GL/Y0tUyRM=
 github.com/rs/xid v1.3.0 h1:6NjYksEUlhurdVehpc7S7dk6DAmcKv8V9gG0FsVN2U4=
@@ -681,6 +689,8 @@ github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IU
 github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
 github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
+github.com/wlynxg/anet v0.0.3 h1:PvR53psxFXstc12jelG6f1Lv4MWqE0tI76/hHGjh9rg=
+github.com/wlynxg/anet v0.0.3/go.mod h1:eay5PRQr7fIVAMbTbchTnO9gG65Hg/uYGdc7mguHxoA=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -712,26 +722,28 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 h1:Xs2Ncz0gNihqu9iosIZ5SkBbWo5T8JhhLJFMQL1qmLI=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0/go.mod h1:vy+2G/6NvVMpwGX/NyLqcC41fxepnuKHk16E6IZUcJc=
-go.opentelemetry.io/otel v1.26.0 h1:LQwgL5s/1W7YiiRwxf03QGnWLb2HW4pLiAhaA5cZXBs=
-go.opentelemetry.io/otel v1.26.0/go.mod h1:UmLkJHUAidDval2EICqBMbnAd0/m2vmpf/dAM+fvFs4=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU=
 go.opentelemetry.io/otel/exporters/prometheus v0.48.0 h1:sBQe3VNGUjY9IKWQC6z2lNqa5iGbDSxhs60ABwK4y0s=
 go.opentelemetry.io/otel/exporters/prometheus v0.48.0/go.mod h1:DtrbMzoZWwQHyrQmCfLam5DZbnmorsGbOtTbYHycU5o=
-go.opentelemetry.io/otel/metric v1.26.0 h1:7S39CLuY5Jgg9CrnA9HHiEjGMF/X2VHvoXGgSllRz30=
-go.opentelemetry.io/otel/metric v1.26.0/go.mod h1:SY+rHOI4cEawI9a7N1A4nIg/nTQXe1ccCNWYOJUrpX4=
-go.opentelemetry.io/otel/sdk v1.26.0 h1:Y7bumHf5tAiDlRYFmGqetNcLaVUZmh4iYfmGxtmz7F8=
-go.opentelemetry.io/otel/sdk v1.26.0/go.mod h1:0p8MXpqLeJ0pzcszQQN4F0S5FVjBLgypeGSngLsmirs=
-go.opentelemetry.io/otel/sdk/metric v1.26.0 h1:cWSks5tfriHPdWFnl+qpX3P681aAYqlZHcAyHw5aU9Y=
-go.opentelemetry.io/otel/sdk/metric v1.26.0/go.mod h1:ClMFFknnThJCksebJwz7KIyEDHO+nTB6gK8obLy8RyE=
-go.opentelemetry.io/otel/trace v1.26.0 h1:1ieeAUb4y0TE26jUFrCIXKpTuVK7uJGN9/Z/2LP5sQA=
-go.opentelemetry.io/otel/trace v1.26.0/go.mod h1:4iDxvGDQuUkHve82hJJ8UqrwswHYsZuWCBllGV2U2y0=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
+go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
 go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
 go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
@@ -759,8 +771,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
+golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -806,8 +818,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
+golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -853,8 +865,8 @@ golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
-golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
+golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -868,8 +880,8 @@ golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
+golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -883,8 +895,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
-golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -952,8 +964,8 @@ golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
-golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
+golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -961,8 +973,8 @@ golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
-golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
-golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
+golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
+golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -976,8 +988,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
+golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1040,8 +1052,8 @@ golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.8-0.20211022200916-316ba0b74098/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
+golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1124,10 +1136,11 @@ google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto/googleapis/api v0.0.0-20240509183442-62759503f434 h1:OpXbo8JnN8+jZGPrL4SSfaDjSCjupr8lXyBAbexEm/U=
-google.golang.org/genproto/googleapis/api v0.0.0-20240509183442-62759503f434/go.mod h1:FfiGhwUm6CJviekPrc0oJ+7h29e+DmWU6UtjX0ZvI7Y=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 h1:KAeGQVN3M9nD0/bQXnr/ClcEMJ968gUXJQ9pwfSynuQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463 h1:hE3bRWtU6uceqlh4fhrSnUyjKHMKB9KrTLLG+bc0ddM=
+google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463/go.mod h1:U90ffi8eUL9MwPcrJylN5+Mk2v3vuPDptd5yyNUiRR8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 h1:pFyd6EwwL2TqFf8emdthzeX+gZE1ElRq3iM8pui4KBY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -1148,8 +1161,8 @@ google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.64.1 h1:LKtvyfbX3UGVPFcGqJ9ItpVWW6oN/2XqTxfAnwRRXiA=
-google.golang.org/grpc v1.64.1/go.mod h1:hiQF4LFZelK2WKaP6W0L92zGHtiQdZxk8CrSdvyjeP0=
+google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
+google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1164,11 +1177,10 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
--- a/infrastructure_files/nginx.tmpl.conf
+++ b/infrastructure_files/nginx.tmpl.conf
@@ -17,7 +17,7 @@ upstream signal {
    server 127.0.0.1:10000;
 }
 upstream management {
-    # insert the grpc+http port of your signal container here
+    # insert the grpc+http port of your management container here
    server 127.0.0.1:8012;
 }

@@ -75,4 +75,4 @@ server {

    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/certs/ssl-cert-snakeoil.pem;
-}
+}
--- a/management/README.md
+++ b/management/README.md
@@ -111,3 +111,6 @@ Generate gRpc code:
 #!/bin/bash
 protoc -I proto/ proto/management.proto --go_out=. --go-grpc_out=.
 ```
+
+
+
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -104,6 +104,8 @@ type DefaultAccountManager struct {
 	accountUpdateLocks               sync.Map
 	updateAccountPeersBufferInterval atomic.Int64

+	loginFilter *loginFilter
+
 	disableDefaultPolicy bool
 }

@@ -211,6 +213,7 @@ func BuildManager(
 		proxyController:          proxyController,
 		settingsManager:          settingsManager,
 		permissionsManager:       permissionsManager,
+		loginFilter:              newLoginFilter(),
 		disableDefaultPolicy:     disableDefaultPolicy,
 	}

@@ -297,9 +300,6 @@ func (am *DefaultAccountManager) GetIdpManager() idp.Manager {
 // User that performs the update has to belong to the account.
 // Returns an updated Settings
 func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, accountID, userID string, newSettings *types.Settings) (*types.Settings, error) {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
-
 	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Update)
 	if err != nil {
 		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
@@ -345,13 +345,17 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 			}
 		}

+		if err = transaction.SaveAccountSettings(ctx, accountID, newSettings); err != nil {
+			return err
+		}
+
 		if updateAccountPeers || groupsUpdated {
 			if err = transaction.IncrementNetworkSerial(ctx, accountID); err != nil {
 				return err
 			}
 		}

-		return transaction.SaveAccountSettings(ctx, accountID, newSettings)
+		return nil
 	})
 	if err != nil {
 		return nil, err
@@ -495,8 +499,6 @@ func (am *DefaultAccountManager) peerLoginExpirationJob(ctx context.Context, acc
 		ctx := context.WithValue(ctx, nbcontext.AccountIDKey, accountID)
 		//nolint
 		ctx = context.WithValue(ctx, hook.ExecutionContextKey, fmt.Sprintf("%s-PEER-EXPIRATION", hook.SystemSource))
-		unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-		defer unlock()

 		expiredPeers, err := am.getExpiredPeers(ctx, accountID)
 		if err != nil {
@@ -532,9 +534,6 @@ func (am *DefaultAccountManager) schedulePeerLoginExpiration(ctx context.Context
 // peerInactivityExpirationJob marks login expired for all inactive peers and returns the minimum duration in which the next peer of the account will expire by inactivity if found
 func (am *DefaultAccountManager) peerInactivityExpirationJob(ctx context.Context, accountID string) func() (time.Duration, bool) {
 	return func() (time.Duration, bool) {
-		unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-		defer unlock()
-
 		inactivePeers, err := am.getInactivePeers(ctx, accountID)
 		if err != nil {
 			log.WithContext(ctx).Errorf("failed getting inactive peers for account %s", accountID)
@@ -675,8 +674,6 @@ func (am *DefaultAccountManager) isCacheCold(ctx context.Context, store cacheSto

 // DeleteAccount deletes an account and all its users from local store and from the remote IDP if the requester is an admin and account owner
 func (am *DefaultAccountManager) DeleteAccount(ctx context.Context, accountID, userID string) error {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
 	account, err := am.Store.GetAccount(ctx, accountID)
 	if err != nil {
 		return err
@@ -1045,9 +1042,6 @@ func (am *DefaultAccountManager) updateAccountDomainAttributesIfNotUpToDate(ctx
 		return nil
 	}

-	unlockAccount := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlockAccount()
-
 	accountDomain, domainCategory, err := am.Store.GetAccountDomainAndCategory(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
 		log.WithContext(ctx).Errorf("error getting account domain and category: %v", err)
@@ -1140,12 +1134,20 @@ func (am *DefaultAccountManager) addNewPrivateAccount(ctx context.Context, domai
 }

 func (am *DefaultAccountManager) addNewUserToDomainAccount(ctx context.Context, domainAccountID string, userAuth nbcontext.UserAuth) (string, error) {
-	unlockAccount := am.Store.AcquireWriteLockByUID(ctx, domainAccountID)
-	defer unlockAccount()
-
 	newUser := types.NewRegularUser(userAuth.UserId)
 	newUser.AccountID = domainAccountID
-	err := am.Store.SaveUser(ctx, newUser)
+
+	settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, domainAccountID)
+	if err != nil {
+		return "", err
+	}
+
+	if settings != nil && settings.Extra != nil && settings.Extra.UserApprovalRequired {
+		newUser.Blocked = true
+		newUser.PendingApproval = true
+	}
+
+	err = am.Store.SaveUser(ctx, newUser)
 	if err != nil {
 		return "", err
 	}
@@ -1155,7 +1157,11 @@ func (am *DefaultAccountManager) addNewUserToDomainAccount(ctx context.Context,
 		return "", err
 	}

-	am.StoreEvent(ctx, userAuth.UserId, userAuth.UserId, domainAccountID, activity.UserJoined, nil)
+	if newUser.PendingApproval {
+		am.StoreEvent(ctx, userAuth.UserId, userAuth.UserId, domainAccountID, activity.UserJoined, map[string]any{"pending_approval": true})
+	} else {
+		am.StoreEvent(ctx, userAuth.UserId, userAuth.UserId, domainAccountID, activity.UserJoined, nil)
+	}

 	return domainAccountID, nil
 }
@@ -1354,13 +1360,6 @@ func (am *DefaultAccountManager) SyncUserJWTGroups(ctx context.Context, userAuth
 		return nil
 	}

-	unlockAccount := am.Store.AcquireWriteLockByUID(ctx, userAuth.AccountId)
-	defer func() {
-		if unlockAccount != nil {
-			unlockAccount()
-		}
-	}()
-
 	var addNewGroups []string
 	var removeOldGroups []string
 	var hasChanges bool
@@ -1423,8 +1422,6 @@ func (am *DefaultAccountManager) SyncUserJWTGroups(ctx context.Context, userAuth
 				return fmt.Errorf("error incrementing network serial: %w", err)
 			}
 		}
-		unlockAccount()
-		unlockAccount = nil

 		return nil
 	})
@@ -1633,17 +1630,16 @@ func domainIsUpToDate(domain string, domainCategory string, userAuth nbcontext.U
 	return domainCategory == types.PrivateCategory || userAuth.DomainCategory != types.PrivateCategory || domain != userAuth.Domain
 }

+func (am *DefaultAccountManager) AllowSync(wgPubKey string, metahash uint64) bool {
+	return am.loginFilter.allowLogin(wgPubKey, metahash)
+}
+
 func (am *DefaultAccountManager) SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error) {
 	start := time.Now()
 	defer func() {
 		log.WithContext(ctx).Debugf("SyncAndMarkPeer: took %v", time.Since(start))
 	}()

-	accountUnlock := am.Store.AcquireReadLockByUID(ctx, accountID)
-	defer accountUnlock()
-	peerUnlock := am.Store.AcquireWriteLockByUID(ctx, peerPubKey)
-	defer peerUnlock()
-
 	peer, netMap, postureChecks, err := am.SyncPeer(ctx, types.PeerSync{WireGuardPubKey: peerPubKey, Meta: meta}, accountID)
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("error syncing peer: %w", err)
@@ -1654,22 +1650,18 @@ func (am *DefaultAccountManager) SyncAndMarkPeer(ctx context.Context, accountID
 		log.WithContext(ctx).Warnf("failed marking peer as connected %s %v", peerPubKey, err)
 	}

+	metahash := metaHash(meta, realIP.String())
+	am.loginFilter.addLogin(peerPubKey, metahash)
+
 	return peer, netMap, postureChecks, nil
 }

 func (am *DefaultAccountManager) OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string) error {
-	accountUnlock := am.Store.AcquireReadLockByUID(ctx, accountID)
-	defer accountUnlock()
-	peerUnlock := am.Store.AcquireWriteLockByUID(ctx, peerPubKey)
-	defer peerUnlock()
-
 	err := am.MarkPeerConnected(ctx, peerPubKey, false, nil, accountID)
 	if err != nil {
 		log.WithContext(ctx).Warnf("failed marking peer as disconnected %s %v", peerPubKey, err)
 	}
-
 	return nil
-
 }

 func (am *DefaultAccountManager) SyncPeerMeta(ctx context.Context, peerPubKey string, meta nbpeer.PeerSystemMeta) error {
@@ -1678,12 +1670,6 @@ func (am *DefaultAccountManager) SyncPeerMeta(ctx context.Context, peerPubKey st
 		return err
 	}

-	unlock := am.Store.AcquireReadLockByUID(ctx, accountID)
-	defer unlock()
-
-	unlockPeer := am.Store.AcquireWriteLockByUID(ctx, peerPubKey)
-	defer unlockPeer()
-
 	_, _, _, err = am.SyncPeer(ctx, types.PeerSync{WireGuardPubKey: peerPubKey, Meta: meta, UpdateAccountPeers: true}, accountID)
 	if err != nil {
 		return mapError(ctx, err)
@@ -1824,6 +1810,9 @@ func newAccountWithId(ctx context.Context, accountID, userID, domain string, dis
 			PeerInactivityExpirationEnabled: false,
 			PeerInactivityExpiration:        types.DefaultPeerInactivityExpiration,
 			RoutingPeerDNSResolutionEnabled: true,
+			Extra: &types.ExtraSettings{
+				UserApprovalRequired: true,
+			},
 		},
 		Onboarding: types.AccountOnboarding{
 			OnboardingFlowPending: true,
@@ -1930,6 +1919,9 @@ func (am *DefaultAccountManager) GetOrCreateAccountByPrivateDomain(ctx context.C
 				PeerInactivityExpirationEnabled: false,
 				PeerInactivityExpiration:        types.DefaultPeerInactivityExpiration,
 				RoutingPeerDNSResolutionEnabled: true,
+				Extra: &types.ExtraSettings{
+					UserApprovalRequired: true,
+				},
 			},
 		}

@@ -2115,9 +2107,6 @@ func (am *DefaultAccountManager) validateIPForUpdate(account *types.Account, pee
 }

 func (am *DefaultAccountManager) UpdatePeerIP(ctx context.Context, accountID, userID, peerID string, newIP netip.Addr) error {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
-
 	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Update)
 	if err != nil {
 		return fmt.Errorf("validate user permissions: %w", err)
--- a/management/server/account/manager.go
+++ b/management/server/account/manager.go
@@ -32,6 +32,8 @@ type Manager interface {
 	DeleteUser(ctx context.Context, accountID, initiatorUserID string, targetUserID string) error
 	DeleteRegularUsers(ctx context.Context, accountID, initiatorUserID string, targetUserIDs []string, userInfos map[string]*types.UserInfo) error
 	InviteUser(ctx context.Context, accountID string, initiatorUserID string, targetUserID string) error
+	ApproveUser(ctx context.Context, accountID, initiatorUserID, targetUserID string) (*types.UserInfo, error)
+	RejectUser(ctx context.Context, accountID, initiatorUserID, targetUserID string) error
 	ListSetupKeys(ctx context.Context, accountID, userID string) ([]*types.SetupKey, error)
 	SaveUser(ctx context.Context, accountID, initiatorUserID string, update *types.User) (*types.UserInfo, error)
 	SaveOrAddUser(ctx context.Context, accountID, initiatorUserID string, update *types.User, addIfNotExists bool) (*types.UserInfo, error)
@@ -77,7 +79,7 @@ type Manager interface {
 	DeletePolicy(ctx context.Context, accountID, policyID, userID string) error
 	ListPolicies(ctx context.Context, accountID, userID string) ([]*types.Policy, error)
 	GetRoute(ctx context.Context, accountID string, routeID route.ID, userID string) (*route.Route, error)
-	CreateRoute(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroupIDs []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroupIDs []string, enabled bool, userID string, keepRoute bool) (*route.Route, error)
+	CreateRoute(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroupIDs []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroupIDs []string, enabled bool, userID string, keepRoute bool, skipAutoApply bool) (*route.Route, error)
 	SaveRoute(ctx context.Context, accountID, userID string, route *route.Route) error
 	DeleteRoute(ctx context.Context, accountID string, routeID route.ID, userID string) error
 	ListRoutes(ctx context.Context, accountID, userID string) ([]*route.Route, error)
@@ -123,4 +125,5 @@ type Manager interface {
 	UpdateToPrimaryAccount(ctx context.Context, accountId string) error
 	GetOwnerInfo(ctx context.Context, accountId string) (*types.UserInfo, error)
 	GetCurrentUserInfo(ctx context.Context, userAuth nbcontext.UserAuth) (*users.UserInfoWithPermissions, error)
+	AllowSync(string, uint64) bool
 }
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -15,6 +15,7 @@ import (
 	"time"

 	"github.com/golang/mock/gomock"
+	"github.com/prometheus/client_golang/prometheus/push"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -25,6 +26,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/cache"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
+	"github.com/netbirdio/netbird/management/server/http/testing/testing_tools"
 	"github.com/netbirdio/netbird/management/server/idp"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
@@ -3046,19 +3048,14 @@ func BenchmarkSyncAndMarkPeer(b *testing.B) {
 			msPerOp := float64(duration.Nanoseconds()) / float64(b.N) / 1e6
 			b.ReportMetric(msPerOp, "ms/op")

-			minExpected := bc.minMsPerOpLocal
 			maxExpected := bc.maxMsPerOpLocal
 			if os.Getenv("CI") == "true" {
-				minExpected = bc.minMsPerOpCICD
 				maxExpected = bc.maxMsPerOpCICD
+				testing_tools.EvaluateBenchmarkResults(b, bc.name, time.Since(start), "sync", "syncAndMark")
 			}

-			if msPerOp < minExpected {
-				b.Fatalf("Benchmark %s failed: too fast (%.2f ms/op, minimum %.2f ms/op)", bc.name, msPerOp, minExpected)
-			}
-
-			if msPerOp > (maxExpected * 1.1) {
-				b.Fatalf("Benchmark %s failed: too slow (%.2f ms/op, maximum %.2f ms/op)", bc.name, msPerOp, maxExpected)
+			if msPerOp > maxExpected {
+				b.Logf("Benchmark %s: too slow (%.2f ms/op, max %.2f ms/op)", bc.name, msPerOp, maxExpected)
 			}
 		})
 	}
@@ -3121,19 +3118,14 @@ func BenchmarkLoginPeer_ExistingPeer(b *testing.B) {
 			msPerOp := float64(duration.Nanoseconds()) / float64(b.N) / 1e6
 			b.ReportMetric(msPerOp, "ms/op")

-			minExpected := bc.minMsPerOpLocal
 			maxExpected := bc.maxMsPerOpLocal
 			if os.Getenv("CI") == "true" {
-				minExpected = bc.minMsPerOpCICD
 				maxExpected = bc.maxMsPerOpCICD
+				testing_tools.EvaluateBenchmarkResults(b, bc.name, time.Since(start), "login", "existingPeer")
 			}

-			if msPerOp < minExpected {
-				b.Fatalf("Benchmark %s failed: too fast (%.2f ms/op, minimum %.2f ms/op)", bc.name, msPerOp, minExpected)
-			}
-
-			if msPerOp > (maxExpected * 1.1) {
-				b.Fatalf("Benchmark %s failed: too slow (%.2f ms/op, maximum %.2f ms/op)", bc.name, msPerOp, maxExpected)
+			if msPerOp > maxExpected {
+				b.Logf("Benchmark %s: too slow (%.2f ms/op, max %.2f ms/op)", bc.name, msPerOp, maxExpected)
 			}
 		})
 	}
@@ -3196,24 +3188,44 @@ func BenchmarkLoginPeer_NewPeer(b *testing.B) {
 			msPerOp := float64(duration.Nanoseconds()) / float64(b.N) / 1e6
 			b.ReportMetric(msPerOp, "ms/op")

-			minExpected := bc.minMsPerOpLocal
 			maxExpected := bc.maxMsPerOpLocal
 			if os.Getenv("CI") == "true" {
-				minExpected = bc.minMsPerOpCICD
 				maxExpected = bc.maxMsPerOpCICD
+				testing_tools.EvaluateBenchmarkResults(b, bc.name, time.Since(start), "login", "newPeer")
 			}

-			if msPerOp < minExpected {
-				b.Fatalf("Benchmark %s failed: too fast (%.2f ms/op, minimum %.2f ms/op)", bc.name, msPerOp, minExpected)
-			}
-
-			if msPerOp > (maxExpected * 1.1) {
-				b.Fatalf("Benchmark %s failed: too slow (%.2f ms/op, maximum %.2f ms/op)", bc.name, msPerOp, maxExpected)
+			if msPerOp > maxExpected {
+				b.Logf("Benchmark %s: too slow (%.2f ms/op, max %.2f ms/op)", bc.name, msPerOp, maxExpected)
 			}
 		})
 	}
 }

+func TestMain(m *testing.M) {
+	exitCode := m.Run()
+
+	if exitCode == 0 && os.Getenv("CI") == "true" {
+		runID := os.Getenv("GITHUB_RUN_ID")
+		storeEngine := os.Getenv("NETBIRD_STORE_ENGINE")
+		err := push.New("http://localhost:9091", "account_manager_benchmark").
+			Collector(testing_tools.BenchmarkDuration).
+			Grouping("ci_run", runID).
+			Grouping("store_engine", storeEngine).
+			Push()
+		if err != nil {
+			log.Printf("Failed to push metrics: %v", err)
+		} else {
+			time.Sleep(1 * time.Minute)
+			_ = push.New("http://localhost:9091", "account_manager_benchmark").
+				Grouping("ci_run", runID).
+				Grouping("store_engine", storeEngine).
+				Delete()
+		}
+	}
+
+	os.Exit(exitCode)
+}
+
 func Test_GetCreateAccountByPrivateDomain(t *testing.T) {
 	manager, err := createManager(t)
 	if err != nil {
@@ -3594,3 +3606,93 @@ func TestDefaultAccountManager_UpdatePeerIP(t *testing.T) {
 		require.Error(t, err, "should fail with invalid peer ID")
 	})
 }
+
+func TestAddNewUserToDomainAccountWithApproval(t *testing.T) {
+	manager, err := createManager(t)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a domain-based account with user approval enabled
+	existingAccountID := "existing-account"
+	account := newAccountWithId(context.Background(), existingAccountID, "owner-user", "example.com", false)
+	account.Settings.Extra = &types.ExtraSettings{
+		UserApprovalRequired: true,
+	}
+	err = manager.Store.SaveAccount(context.Background(), account)
+	require.NoError(t, err)
+
+	// Set the account as domain primary account
+	account.IsDomainPrimaryAccount = true
+	account.DomainCategory = types.PrivateCategory
+	err = manager.Store.SaveAccount(context.Background(), account)
+	require.NoError(t, err)
+
+	// Test adding new user to existing account with approval required
+	newUserID := "new-user-id"
+	userAuth := nbcontext.UserAuth{
+		UserId:         newUserID,
+		Domain:         "example.com",
+		DomainCategory: types.PrivateCategory,
+	}
+
+	acc, err := manager.Store.GetAccount(context.Background(), existingAccountID)
+	require.NoError(t, err)
+	require.True(t, acc.IsDomainPrimaryAccount, "Account should be primary for the domain")
+	require.Equal(t, "example.com", acc.Domain, "Account domain should match")
+
+	returnedAccountID, err := manager.getAccountIDWithAuthorizationClaims(context.Background(), userAuth)
+	require.NoError(t, err)
+	require.Equal(t, existingAccountID, returnedAccountID)
+
+	// Verify user was created with pending approval
+	user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthNone, newUserID)
+	require.NoError(t, err)
+	assert.True(t, user.Blocked, "User should be blocked when approval is required")
+	assert.True(t, user.PendingApproval, "User should be pending approval")
+	assert.Equal(t, existingAccountID, user.AccountID)
+}
+
+func TestAddNewUserToDomainAccountWithoutApproval(t *testing.T) {
+	manager, err := createManager(t)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a domain-based account without user approval
+	ownerUserAuth := nbcontext.UserAuth{
+		UserId:         "owner-user",
+		Domain:         "example.com",
+		DomainCategory: types.PrivateCategory,
+	}
+	existingAccountID, err := manager.getAccountIDWithAuthorizationClaims(context.Background(), ownerUserAuth)
+	require.NoError(t, err)
+
+	// Modify the account to disable user approval
+	account, err := manager.Store.GetAccount(context.Background(), existingAccountID)
+	require.NoError(t, err)
+	account.Settings.Extra = &types.ExtraSettings{
+		UserApprovalRequired: false,
+	}
+	err = manager.Store.SaveAccount(context.Background(), account)
+	require.NoError(t, err)
+
+	// Test adding new user to existing account without approval required
+	newUserID := "new-user-id"
+	userAuth := nbcontext.UserAuth{
+		UserId:         newUserID,
+		Domain:         "example.com",
+		DomainCategory: types.PrivateCategory,
+	}
+
+	returnedAccountID, err := manager.getAccountIDWithAuthorizationClaims(context.Background(), userAuth)
+	require.NoError(t, err)
+	require.Equal(t, existingAccountID, returnedAccountID)
+
+	// Verify user was created without pending approval
+	user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthNone, newUserID)
+	require.NoError(t, err)
+	assert.False(t, user.Blocked, "User should not be blocked when approval is not required")
+	assert.False(t, user.PendingApproval, "User should not be pending approval")
+	assert.Equal(t, existingAccountID, user.AccountID)
+}
--- a/management/server/activity/codes.go
+++ b/management/server/activity/codes.go
@@ -177,6 +177,8 @@ const (

 	AccountNetworkRangeUpdated Activity = 87
 	PeerIPUpdated              Activity = 88
+	UserApproved               Activity = 89
+	UserRejected               Activity = 90

 	AccountDeleted Activity = 99999
 )
@@ -284,6 +286,8 @@ var activityMap = map[Activity]Code{
 	AccountNetworkRangeUpdated: {"Account network range updated", "account.network.range.update"},

 	PeerIPUpdated: {"Peer IP updated", "peer.ip.update"},
+	UserApproved:  {"User approved", "user.approve"},
+	UserRejected:  {"User rejected", "user.reject"},
 }

 // StringCode returns a string code of the activity
--- a/management/server/auth/jwt/extractor.go
+++ b/management/server/auth/jwt/extractor.go
@@ -5,7 +5,7 @@ import (
 	"net/url"
 	"time"

-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	log "github.com/sirupsen/logrus"

 	nbcontext "github.com/netbirdio/netbird/management/server/context"
--- a/management/server/auth/jwt/validator.go
+++ b/management/server/auth/jwt/validator.go
@@ -17,7 +17,7 @@ import (
 	"sync"
 	"time"

-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"

 	log "github.com/sirupsen/logrus"
 )
@@ -63,12 +63,10 @@ type Validator struct {
 }

 var (
-	errKeyNotFound     = errors.New("unable to find appropriate key")
-	errInvalidAudience = errors.New("invalid audience")
-	errInvalidIssuer   = errors.New("invalid issuer")
-	errTokenEmpty      = errors.New("required authorization token not found")
-	errTokenInvalid    = errors.New("token is invalid")
-	errTokenParsing    = errors.New("token could not be parsed")
+	errKeyNotFound  = errors.New("unable to find appropriate key")
+	errTokenEmpty   = errors.New("required authorization token not found")
+	errTokenInvalid = errors.New("token is invalid")
+	errTokenParsing = errors.New("token could not be parsed")
 )

 func NewValidator(issuer string, audienceList []string, keysLocation string, idpSignkeyRefreshEnabled bool) *Validator {
@@ -88,24 +86,6 @@ func NewValidator(issuer string, audienceList []string, keysLocation string, idp

 func (v *Validator) getKeyFunc(ctx context.Context) jwt.Keyfunc {
 	return func(token *jwt.Token) (interface{}, error) {
-		// Verify 'aud' claim
-		var checkAud bool
-		for _, audience := range v.audienceList {
-			checkAud = token.Claims.(jwt.MapClaims).VerifyAudience(audience, false)
-			if checkAud {
-				break
-			}
-		}
-		if !checkAud {
-			return token, errInvalidAudience
-		}
-
-		// Verify 'issuer' claim
-		checkIss := token.Claims.(jwt.MapClaims).VerifyIssuer(v.issuer, false)
-		if !checkIss {
-			return token, errInvalidIssuer
-		}
-
 		// If keys are rotated, verify the keys prior to token validation
 		if v.idpSignkeyRefreshEnabled {
 			// If the keys are invalid, retrieve new ones
@@ -144,7 +124,7 @@ func (v *Validator) getKeyFunc(ctx context.Context) jwt.Keyfunc {
 }

 // ValidateAndParse validates the token and returns the parsed token
-func (m *Validator) ValidateAndParse(ctx context.Context, token string) (*jwt.Token, error) {
+func (v *Validator) ValidateAndParse(ctx context.Context, token string) (*jwt.Token, error) {
 	// If the token is empty...
 	if token == "" {
 		// If we get here, the required token is missing
@@ -153,7 +133,13 @@ func (m *Validator) ValidateAndParse(ctx context.Context, token string) (*jwt.To
 	}

 	// Now parse the token
-	parsedToken, err := jwt.Parse(token, m.getKeyFunc(ctx))
+	parsedToken, err := jwt.Parse(
+		token,
+		v.getKeyFunc(ctx),
+		jwt.WithAudience(v.audienceList...),
+		jwt.WithIssuer(v.issuer),
+		jwt.WithIssuedAt(),
+	)

 	// Check if there was an error in parsing...
 	if err != nil {
--- a/management/server/auth/manager.go
+++ b/management/server/auth/manager.go
@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"hash/crc32"

-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"

 	"github.com/netbirdio/netbird/base62"
 	nbjwt "github.com/netbirdio/netbird/management/server/auth/jwt"
--- a/management/server/auth/manager_mock.go
+++ b/management/server/auth/manager_mock.go
@@ -3,7 +3,7 @@ package auth
 import (
 	"context"

-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"

 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/types"
--- a/management/server/auth/manager_test.go
+++ b/management/server/auth/manager_test.go
@@ -12,7 +12,7 @@ import (
 	"testing"
 	"time"

-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

--- a/management/server/dns.go
+++ b/management/server/dns.go
@@ -113,11 +113,11 @@ func (am *DefaultAccountManager) SaveDNSSettings(ctx context.Context, accountID
 		events := am.prepareDNSSettingsEvents(ctx, transaction, accountID, userID, addedGroups, removedGroups)
 		eventsToStore = append(eventsToStore, events...)

-		if err = transaction.IncrementNetworkSerial(ctx, accountID); err != nil {
+		if err = transaction.SaveDNSSettings(ctx, accountID, dnsSettingsToSave); err != nil {
 			return err
 		}

-		return transaction.SaveDNSSettings(ctx, accountID, dnsSettingsToSave)
+		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
 		return err
--- a/management/server/group.go
+++ b/management/server/group.go
@@ -67,9 +67,6 @@ func (am *DefaultAccountManager) GetGroupByName(ctx context.Context, groupName,

 // CreateGroup object of the peers
 func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, userID string, newGroup *types.Group) error {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
-
 	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Create)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
@@ -96,10 +93,6 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use
 			return err
 		}

-		if err = transaction.IncrementNetworkSerial(ctx, accountID); err != nil {
-			return err
-		}
-
 		if err := transaction.CreateGroup(ctx, newGroup); err != nil {
 			return status.Errorf(status.Internal, "failed to create group: %v", err)
 		}
@@ -109,7 +102,8 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use
 				return status.Errorf(status.Internal, "failed to add peer %s to group %s: %v", peerID, newGroup.ID, err)
 			}
 		}
-		return nil
+
+		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
 		return err
@@ -128,9 +122,6 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use

 // UpdateGroup object of the peers
 func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, userID string, newGroup *types.Group) error {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
-
 	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Update)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
@@ -176,11 +167,11 @@ func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, use
 			return err
 		}

-		if err = transaction.IncrementNetworkSerial(ctx, accountID); err != nil {
+		if err = transaction.UpdateGroup(ctx, newGroup); err != nil {
 			return err
 		}

-		return transaction.UpdateGroup(ctx, newGroup)
+		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
 		return err
@@ -211,35 +202,45 @@ func (am *DefaultAccountManager) CreateGroups(ctx context.Context, accountID, us
 	}

 	var eventsToStore []func()
-	var groupsToSave []*types.Group
 	var updateAccountPeers bool

-	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		groupIDs := make([]string, 0, len(groups))
-		for _, newGroup := range groups {
+	var globalErr error
+	groupIDs := make([]string, 0, len(groups))
+	for _, newGroup := range groups {
+		err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 			if err = validateNewGroup(ctx, transaction, accountID, newGroup); err != nil {
 				return err
 			}

 			newGroup.AccountID = accountID
-			groupsToSave = append(groupsToSave, newGroup)
+
+			if err = transaction.CreateGroup(ctx, newGroup); err != nil {
+				return err
+			}
+
+			err = transaction.IncrementNetworkSerial(ctx, accountID)
+			if err != nil {
+				return err
+			}
+
 			groupIDs = append(groupIDs, newGroup.ID)

 			events := am.prepareGroupEvents(ctx, transaction, accountID, userID, newGroup)
 			eventsToStore = append(eventsToStore, events...)
-		}

-		updateAccountPeers, err = areGroupChangesAffectPeers(ctx, transaction, accountID, groupIDs)
+			return nil
+		})
 		if err != nil {
-			return err
+			log.WithContext(ctx).Errorf("failed to update group %s: %v", newGroup.ID, err)
+			if len(groupIDs) == 1 {
+				return err
+			}
+			globalErr = errors.Join(globalErr, err)
+			// continue updating other groups
 		}
+	}

-		if err = transaction.IncrementNetworkSerial(ctx, accountID); err != nil {
-			return err
-		}
-
-		return transaction.CreateGroups(ctx, accountID, groupsToSave)
-	})
+	updateAccountPeers, err = areGroupChangesAffectPeers(ctx, am.Store, accountID, groupIDs)
 	if err != nil {
 		return err
 	}
@@ -252,7 +253,7 @@ func (am *DefaultAccountManager) CreateGroups(ctx context.Context, accountID, us
 		am.UpdateAccountPeers(ctx, accountID)
 	}

-	return nil
+	return globalErr
 }

 // UpdateGroups updates groups in the account.
@@ -269,35 +270,45 @@ func (am *DefaultAccountManager) UpdateGroups(ctx context.Context, accountID, us
 	}

 	var eventsToStore []func()
-	var groupsToSave []*types.Group
 	var updateAccountPeers bool

-	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		groupIDs := make([]string, 0, len(groups))
-		for _, newGroup := range groups {
+	var globalErr error
+	groupIDs := make([]string, 0, len(groups))
+	for _, newGroup := range groups {
+		err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 			if err = validateNewGroup(ctx, transaction, accountID, newGroup); err != nil {
 				return err
 			}

 			newGroup.AccountID = accountID
-			groupsToSave = append(groupsToSave, newGroup)
-			groupIDs = append(groupIDs, newGroup.ID)
+
+			if err = transaction.UpdateGroup(ctx, newGroup); err != nil {
+				return err
+			}
+
+			err = transaction.IncrementNetworkSerial(ctx, accountID)
+			if err != nil {
+				return err
+			}

 			events := am.prepareGroupEvents(ctx, transaction, accountID, userID, newGroup)
 			eventsToStore = append(eventsToStore, events...)
-		}

-		updateAccountPeers, err = areGroupChangesAffectPeers(ctx, transaction, accountID, groupIDs)
+			groupIDs = append(groupIDs, newGroup.ID)
+
+			return nil
+		})
 		if err != nil {
-			return err
+			log.WithContext(ctx).Errorf("failed to update group %s: %v", newGroup.ID, err)
+			if len(groups) == 1 {
+				return err
+			}
+			globalErr = errors.Join(globalErr, err)
+			// continue updating other groups
 		}
+	}

-		if err = transaction.IncrementNetworkSerial(ctx, accountID); err != nil {
-			return err
-		}
-
-		return transaction.UpdateGroups(ctx, accountID, groupsToSave)
-	})
+	updateAccountPeers, err = areGroupChangesAffectPeers(ctx, am.Store, accountID, groupIDs)
 	if err != nil {
 		return err
 	}
@@ -310,7 +321,7 @@ func (am *DefaultAccountManager) UpdateGroups(ctx context.Context, accountID, us
 		am.UpdateAccountPeers(ctx, accountID)
 	}

-	return nil
+	return globalErr
 }

 // prepareGroupEvents prepares a list of event functions to be stored.
@@ -382,8 +393,6 @@ func (am *DefaultAccountManager) prepareGroupEvents(ctx context.Context, transac

 // DeleteGroup object of the peers.
 func (am *DefaultAccountManager) DeleteGroup(ctx context.Context, accountID, userID, groupID string) error {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
 	return am.DeleteGroups(ctx, accountID, userID, []string{groupID})
 }

@@ -423,11 +432,11 @@ func (am *DefaultAccountManager) DeleteGroups(ctx context.Context, accountID, us
 			deletedGroups = append(deletedGroups, group)
 		}

-		if err = transaction.IncrementNetworkSerial(ctx, accountID); err != nil {
+		if err = transaction.DeleteGroups(ctx, accountID, groupIDsToDelete); err != nil {
 			return err
 		}

-		return transaction.DeleteGroups(ctx, accountID, groupIDsToDelete)
+		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
 		return err
@@ -442,9 +451,6 @@ func (am *DefaultAccountManager) DeleteGroups(ctx context.Context, accountID, us

 // GroupAddPeer appends peer to the group
 func (am *DefaultAccountManager) GroupAddPeer(ctx context.Context, accountID, groupID, peerID string) error {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
-
 	var updateAccountPeers bool
 	var err error

@@ -454,11 +460,11 @@ func (am *DefaultAccountManager) GroupAddPeer(ctx context.Context, accountID, gr
 			return err
 		}

-		if err = transaction.IncrementNetworkSerial(ctx, accountID); err != nil {
+		if err = transaction.AddPeerToGroup(ctx, accountID, peerID, groupID); err != nil {
 			return err
 		}

-		return transaction.AddPeerToGroup(ctx, accountID, peerID, groupID)
+		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
 		return err
@@ -473,9 +479,6 @@ func (am *DefaultAccountManager) GroupAddPeer(ctx context.Context, accountID, gr

 // GroupAddResource appends resource to the group
 func (am *DefaultAccountManager) GroupAddResource(ctx context.Context, accountID, groupID string, resource types.Resource) error {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
-
 	var group *types.Group
 	var updateAccountPeers bool
 	var err error
@@ -495,11 +498,11 @@ func (am *DefaultAccountManager) GroupAddResource(ctx context.Context, accountID
 			return err
 		}

-		if err = transaction.IncrementNetworkSerial(ctx, accountID); err != nil {
+		if err = transaction.UpdateGroup(ctx, group); err != nil {
 			return err
 		}

-		return transaction.UpdateGroup(ctx, group)
+		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
 		return err
@@ -514,9 +517,6 @@ func (am *DefaultAccountManager) GroupAddResource(ctx context.Context, accountID

 // GroupDeletePeer removes peer from the group
 func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID, groupID, peerID string) error {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
-
 	var updateAccountPeers bool
 	var err error

@@ -526,11 +526,11 @@ func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID,
 			return err
 		}

-		if err = transaction.IncrementNetworkSerial(ctx, accountID); err != nil {
+		if err = transaction.RemovePeerFromGroup(ctx, peerID, groupID); err != nil {
 			return err
 		}

-		return transaction.RemovePeerFromGroup(ctx, peerID, groupID)
+		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
 		return err
@@ -545,9 +545,6 @@ func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID,

 // GroupDeleteResource removes resource from the group
 func (am *DefaultAccountManager) GroupDeleteResource(ctx context.Context, accountID, groupID string, resource types.Resource) error {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
-
 	var group *types.Group
 	var updateAccountPeers bool
 	var err error
@@ -567,11 +564,11 @@ func (am *DefaultAccountManager) GroupDeleteResource(ctx context.Context, accoun
 			return err
 		}

-		if err = transaction.IncrementNetworkSerial(ctx, accountID); err != nil {
+		if err = transaction.UpdateGroup(ctx, group); err != nil {
 			return err
 		}

-		return transaction.UpdateGroup(ctx, group)
+		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
 		return err
@@ -607,13 +604,6 @@ func validateNewGroup(ctx context.Context, transaction store.Store, accountID st
 		newGroup.ID = xid.New().String()
 	}

-	for _, peerID := range newGroup.Peers {
-		_, err := transaction.GetPeerByID(ctx, store.LockingStrengthNone, accountID, peerID)
-		if err != nil {
-			return status.Errorf(status.InvalidArgument, "peer with ID \"%s\" not found", peerID)
-		}
-	}
-
 	return nil
 }

--- a/management/server/group_test.go
+++ b/management/server/group_test.go
@@ -648,7 +648,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 		_, err := manager.CreateRoute(
 			context.Background(), account.Id, newRoute.Network, newRoute.NetworkType, newRoute.Domains, newRoute.Peer,
 			newRoute.PeerGroups, newRoute.Description, newRoute.NetID, newRoute.Masquerade, newRoute.Metric,
-			newRoute.Groups, []string{}, true, userID, newRoute.KeepRoute,
+			newRoute.Groups, []string{}, true, userID, newRoute.KeepRoute, newRoute.SkipAutoApply,
 		)
 		require.NoError(t, err)

--- a/management/server/grpcserver.go
+++ b/management/server/grpcserver.go
@@ -2,9 +2,11 @@ package server

 import (
 	"context"
+	"errors"
 	"fmt"
 	"net"
 	"net/netip"
+	"os"
 	"strings"
 	"sync"
 	"time"
@@ -38,20 +40,28 @@ import (
 	internalStatus "github.com/netbirdio/netbird/shared/management/status"
 )

+const (
+	envLogBlockedPeers = "NB_LOG_BLOCKED_PEERS"
+	envBlockPeers      = "NB_BLOCK_SAME_PEERS"
+)
+
 // GRPCServer an instance of a Management gRPC API server
 type GRPCServer struct {
 	accountManager  account.Manager
 	settingsManager settings.Manager
 	wgKey           wgtypes.Key
 	proto.UnimplementedManagementServiceServer
-	peersUpdateManager      *PeersUpdateManager
-	config                  *nbconfig.Config
-	secretsManager          SecretsManager
-	appMetrics              telemetry.AppMetrics
-	ephemeralManager        *EphemeralManager
-	peerLocks               sync.Map
-	authManager             auth.Manager
-	integratedPeerValidator integrated_validator.IntegratedValidator
+	peersUpdateManager *PeersUpdateManager
+	config             *nbconfig.Config
+	secretsManager     SecretsManager
+	appMetrics         telemetry.AppMetrics
+	ephemeralManager   *EphemeralManager
+	peerLocks          sync.Map
+	authManager        auth.Manager
+
+	logBlockedPeers          bool
+	blockPeersWithSameConfig bool
+	integratedPeerValidator  integrated_validator.IntegratedValidator
 }

 // NewServer creates a new Management server
@@ -82,18 +92,23 @@ func NewServer(
 		}
 	}

+	logBlockedPeers := strings.ToLower(os.Getenv(envLogBlockedPeers)) == "true"
+	blockPeersWithSameConfig := strings.ToLower(os.Getenv(envBlockPeers)) == "true"
+
 	return &GRPCServer{
 		wgKey: key,
 		// peerKey -> event channel
-		peersUpdateManager:      peersUpdateManager,
-		accountManager:          accountManager,
-		settingsManager:         settingsManager,
-		config:                  config,
-		secretsManager:          secretsManager,
-		authManager:             authManager,
-		appMetrics:              appMetrics,
-		ephemeralManager:        ephemeralManager,
-		integratedPeerValidator: integratedPeerValidator,
+		peersUpdateManager:       peersUpdateManager,
+		accountManager:           accountManager,
+		settingsManager:          settingsManager,
+		config:                   config,
+		secretsManager:           secretsManager,
+		authManager:              authManager,
+		appMetrics:               appMetrics,
+		ephemeralManager:         ephemeralManager,
+		logBlockedPeers:          logBlockedPeers,
+		blockPeersWithSameConfig: blockPeersWithSameConfig,
+		integratedPeerValidator:  integratedPeerValidator,
 	}, nil
 }

@@ -136,9 +151,6 @@ func getRealIP(ctx context.Context) net.IP {
 // notifies the connected peer of any updates (e.g. new peers under the same account)
 func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_SyncServer) error {
 	reqStart := time.Now()
-	if s.appMetrics != nil {
-		s.appMetrics.GRPCMetrics().CountSyncRequest()
-	}

 	ctx := srv.Context()

@@ -147,6 +159,25 @@ func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementServi
 	if err != nil {
 		return err
 	}
+	realIP := getRealIP(ctx)
+	sRealIP := realIP.String()
+	peerMeta := extractPeerMeta(ctx, syncReq.GetMeta())
+	metahashed := metaHash(peerMeta, sRealIP)
+	if !s.accountManager.AllowSync(peerKey.String(), metahashed) {
+		if s.appMetrics != nil {
+			s.appMetrics.GRPCMetrics().CountSyncRequestBlocked()
+		}
+		if s.logBlockedPeers {
+			log.WithContext(ctx).Warnf("peer %s with meta hash %d is blocked from syncing", peerKey.String(), metahashed)
+		}
+		if s.blockPeersWithSameConfig {
+			return mapError(ctx, internalStatus.ErrPeerAlreadyLoggedIn)
+		}
+	}
+
+	if s.appMetrics != nil {
+		s.appMetrics.GRPCMetrics().CountSyncRequest()
+	}

 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, nbContext.PeerIDKey, peerKey.String())
@@ -172,14 +203,13 @@ func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementServi
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, nbContext.AccountIDKey, accountID)

-	realIP := getRealIP(ctx)
-	log.WithContext(ctx).Debugf("Sync request from peer [%s] [%s]", req.WgPubKey, realIP.String())
+	log.WithContext(ctx).Debugf("Sync request from peer [%s] [%s]", req.WgPubKey, sRealIP)

 	if syncReq.GetMeta() == nil {
 		log.WithContext(ctx).Tracef("peer system meta has to be provided on sync. Peer %s, remote addr %s", peerKey.String(), realIP)
 	}

-	peer, netMap, postureChecks, err := s.accountManager.SyncAndMarkPeer(ctx, accountID, peerKey.String(), extractPeerMeta(ctx, syncReq.GetMeta()), realIP)
+	peer, netMap, postureChecks, err := s.accountManager.SyncAndMarkPeer(ctx, accountID, peerKey.String(), peerMeta, realIP)
 	if err != nil {
 		log.WithContext(ctx).Debugf("error while syncing peer %s: %v", peerKey.String(), err)
 		return mapError(ctx, err)
@@ -198,7 +228,7 @@ func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementServi
 	s.secretsManager.SetupRefresh(ctx, accountID, peer.ID)

 	if s.appMetrics != nil {
-		s.appMetrics.GRPCMetrics().CountSyncRequestDuration(time.Since(reqStart))
+		s.appMetrics.GRPCMetrics().CountSyncRequestDuration(time.Since(reqStart), accountID)
 	}

 	unlock()
@@ -345,6 +375,9 @@ func mapError(ctx context.Context, err error) error {
 		default:
 		}
 	}
+	if errors.Is(err, internalStatus.ErrPeerAlreadyLoggedIn) {
+		return status.Error(codes.PermissionDenied, internalStatus.ErrPeerAlreadyLoggedIn.Error())
+	}
 	log.WithContext(ctx).Errorf("got an unhandled error: %s", err)
 	return status.Errorf(codes.Internal, "failed handling request")
 }
@@ -436,16 +469,9 @@ func (s *GRPCServer) parseRequest(ctx context.Context, req *proto.EncryptedMessa
 // In case of the successful registration login is also successful
 func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error) {
 	reqStart := time.Now()
-	defer func() {
-		if s.appMetrics != nil {
-			s.appMetrics.GRPCMetrics().CountLoginRequestDuration(time.Since(reqStart))
-		}
-	}()
-	if s.appMetrics != nil {
-		s.appMetrics.GRPCMetrics().CountLoginRequest()
-	}
 	realIP := getRealIP(ctx)
-	log.WithContext(ctx).Debugf("Login request from peer [%s] [%s]", req.WgPubKey, realIP.String())
+	sRealIP := realIP.String()
+	log.WithContext(ctx).Debugf("Login request from peer [%s] [%s]", req.WgPubKey, sRealIP)

 	loginReq := &proto.LoginRequest{}
 	peerKey, err := s.parseRequest(ctx, req, loginReq)
@@ -453,6 +479,24 @@ func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*p
 		return nil, err
 	}

+	peerMeta := extractPeerMeta(ctx, loginReq.GetMeta())
+	metahashed := metaHash(peerMeta, sRealIP)
+	if !s.accountManager.AllowSync(peerKey.String(), metahashed) {
+		if s.logBlockedPeers {
+			log.WithContext(ctx).Warnf("peer %s with meta hash %d is blocked from login", peerKey.String(), metahashed)
+		}
+		if s.appMetrics != nil {
+			s.appMetrics.GRPCMetrics().CountLoginRequestBlocked()
+		}
+		if s.blockPeersWithSameConfig {
+			return nil, internalStatus.ErrPeerAlreadyLoggedIn
+		}
+	}
+
+	if s.appMetrics != nil {
+		s.appMetrics.GRPCMetrics().CountLoginRequest()
+	}
+
 	//nolint
 	ctx = context.WithValue(ctx, nbContext.PeerIDKey, peerKey.String())
 	accountID, err := s.accountManager.GetAccountIDForPeerKey(ctx, peerKey.String())
@@ -463,6 +507,12 @@ func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*p
 	//nolint
 	ctx = context.WithValue(ctx, nbContext.AccountIDKey, accountID)

+	defer func() {
+		if s.appMetrics != nil {
+			s.appMetrics.GRPCMetrics().CountLoginRequestDuration(time.Since(reqStart), accountID)
+		}
+	}()
+
 	if loginReq.GetMeta() == nil {
 		msg := status.Errorf(codes.FailedPrecondition,
 			"peer system meta has to be provided to log in. Peer %s, remote addr %s", peerKey.String(), realIP)
@@ -483,7 +533,7 @@ func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*p
 	peer, netMap, postureChecks, err := s.accountManager.LoginPeer(ctx, types.PeerLogin{
 		WireGuardPubKey: peerKey.String(),
 		SSHKey:          string(sshKey),
-		Meta:            extractPeerMeta(ctx, loginReq.GetMeta()),
+		Meta:            peerMeta,
 		UserID:          userID,
 		SetupKey:        loginReq.GetSetupKey(),
 		ConnectionIP:    realIP,
@@ -949,8 +999,6 @@ func (s *GRPCServer) Logout(ctx context.Context, req *proto.EncryptedMessage) (*
 		return nil, mapError(ctx, err)
 	}

-	s.accountManager.BufferUpdateAccountPeers(ctx, peer.AccountID)
-
 	log.WithContext(ctx).Debugf("peer %s logged out successfully after %s", peerKey.String(), time.Since(start))

 	return &proto.Empty{}, nil
--- a/management/server/http/handlers/accounts/accounts_handler.go
+++ b/management/server/http/handlers/accounts/accounts_handler.go
@@ -11,11 +11,11 @@ import (

 	"github.com/netbirdio/netbird/management/server/account"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
+	"github.com/netbirdio/netbird/management/server/settings"
+	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
-	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/shared/management/status"
-	"github.com/netbirdio/netbird/management/server/types"
 )

 const (
@@ -198,6 +198,7 @@ func (h *handler) updateAccount(w http.ResponseWriter, r *http.Request) {
 	if req.Settings.Extra != nil {
 		settings.Extra = &types.ExtraSettings{
 			PeerApprovalEnabled:      req.Settings.Extra.PeerApprovalEnabled,
+			UserApprovalRequired:     req.Settings.Extra.UserApprovalRequired,
 			FlowEnabled:              req.Settings.Extra.NetworkTrafficLogsEnabled,
 			FlowGroups:               req.Settings.Extra.NetworkTrafficLogsGroups,
 			FlowPacketCounterEnabled: req.Settings.Extra.NetworkTrafficPacketCounterEnabled,
@@ -327,6 +328,7 @@ func toAccountResponse(accountID string, settings *types.Settings, meta *types.A
 	if settings.Extra != nil {
 		apiSettings.Extra = &api.AccountExtraSettings{
 			PeerApprovalEnabled:                settings.Extra.PeerApprovalEnabled,
+			UserApprovalRequired:               settings.Extra.UserApprovalRequired,
 			NetworkTrafficLogsEnabled:          settings.Extra.FlowEnabled,
 			NetworkTrafficLogsGroups:           settings.Extra.FlowGroups,
 			NetworkTrafficPacketCounterEnabled: settings.Extra.FlowPacketCounterEnabled,
--- a/management/server/http/handlers/accounts/accounts_handler_test.go
+++ b/management/server/http/handlers/accounts/accounts_handler_test.go
@@ -15,11 +15,11 @@ import (
 	"github.com/stretchr/testify/assert"

 	nbcontext "github.com/netbirdio/netbird/management/server/context"
-	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 	"github.com/netbirdio/netbird/management/server/settings"
-	"github.com/netbirdio/netbird/shared/management/status"
 	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/shared/management/http/api"
+	"github.com/netbirdio/netbird/shared/management/status"
 )

 func initAccountsTestData(t *testing.T, account *types.Account) *handler {
--- a/management/server/http/handlers/peers/peers_handler.go
+++ b/management/server/http/handlers/peers/peers_handler.go
@@ -14,11 +14,11 @@ import (
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/groups"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/shared/management/status"
-	"github.com/netbirdio/netbird/management/server/types"
 )

 // Handler is a handler that returns peers of the account
@@ -354,7 +354,7 @@ func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsD
 	}

 	return &api.Peer{
-		CreatedAt:                  peer.CreatedAt,
+		CreatedAt:                   peer.CreatedAt,
 		Id:                          peer.ID,
 		Name:                        peer.Name,
 		Ip:                          peer.IP.String(),
@@ -391,33 +391,33 @@ func toPeerListItemResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dn
 	}

 	return &api.PeerBatch{
-		CreatedAt:             peer.CreatedAt,
-		Id:                     peer.ID,
-		Name:                   peer.Name,
-		Ip:                     peer.IP.String(),
-		ConnectionIp:           peer.Location.ConnectionIP.String(),
-		Connected:              peer.Status.Connected,
-		LastSeen:               peer.Status.LastSeen,
-		Os:                     fmt.Sprintf("%s %s", peer.Meta.OS, osVersion),
-		KernelVersion:          peer.Meta.KernelVersion,
-		GeonameId:              int(peer.Location.GeoNameID),
-		Version:                peer.Meta.WtVersion,
-		Groups:                 groupsInfo,
-		SshEnabled:             peer.SSHEnabled,
-		Hostname:               peer.Meta.Hostname,
-		UserId:                 peer.UserID,
-		UiVersion:              peer.Meta.UIVersion,
-		DnsLabel:               fqdn(peer, dnsDomain),
-		ExtraDnsLabels:         fqdnList(peer.ExtraDNSLabels, dnsDomain),
-		LoginExpirationEnabled: peer.LoginExpirationEnabled,
-		LastLogin:              peer.GetLastLogin(),
-		LoginExpired:           peer.Status.LoginExpired,
-		AccessiblePeersCount:   accessiblePeersCount,
-		CountryCode:            peer.Location.CountryCode,
-		CityName:               peer.Location.CityName,
-		SerialNumber:           peer.Meta.SystemSerialNumber,
-
+		CreatedAt:                   peer.CreatedAt,
+		Id:                          peer.ID,
+		Name:                        peer.Name,
+		Ip:                          peer.IP.String(),
+		ConnectionIp:                peer.Location.ConnectionIP.String(),
+		Connected:                   peer.Status.Connected,
+		LastSeen:                    peer.Status.LastSeen,
+		Os:                          fmt.Sprintf("%s %s", peer.Meta.OS, osVersion),
+		KernelVersion:               peer.Meta.KernelVersion,
+		GeonameId:                   int(peer.Location.GeoNameID),
+		Version:                     peer.Meta.WtVersion,
+		Groups:                      groupsInfo,
+		SshEnabled:                  peer.SSHEnabled,
+		Hostname:                    peer.Meta.Hostname,
+		UserId:                      peer.UserID,
+		UiVersion:                   peer.Meta.UIVersion,
+		DnsLabel:                    fqdn(peer, dnsDomain),
+		ExtraDnsLabels:              fqdnList(peer.ExtraDNSLabels, dnsDomain),
+		LoginExpirationEnabled:      peer.LoginExpirationEnabled,
+		LastLogin:                   peer.GetLastLogin(),
+		LoginExpired:                peer.Status.LoginExpired,
+		AccessiblePeersCount:        accessiblePeersCount,
+		CountryCode:                 peer.Location.CountryCode,
+		CityName:                    peer.Location.CityName,
+		SerialNumber:                peer.Meta.SystemSerialNumber,
 		InactivityExpirationEnabled: peer.InactivityExpirationEnabled,
+		Ephemeral:                   peer.Ephemeral,
 	}
 }

--- a/management/server/http/handlers/routes/routes_handler.go
+++ b/management/server/http/handlers/routes/routes_handler.go
@@ -8,17 +8,19 @@ import (

 	"github.com/gorilla/mux"

-	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/management/server/account"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
+	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
-	"github.com/netbirdio/netbird/route"
 )

 const failedToConvertRoute = "failed to convert route to response: %v"

+const exitNodeCIDR = "0.0.0.0/0"
+
 // handler is the routes handler of the account
 type handler struct {
 	accountManager account.Manager
@@ -124,8 +126,16 @@ func (h *handler) createRoute(w http.ResponseWriter, r *http.Request) {
 		accessControlGroupIds = *req.AccessControlGroups
 	}

+	// Set default skipAutoApply value for exit nodes (0.0.0.0/0 routes)
+	skipAutoApply := false
+	if req.SkipAutoApply != nil {
+		skipAutoApply = *req.SkipAutoApply
+	} else if newPrefix.String() == exitNodeCIDR {
+		skipAutoApply = false
+	}
+
 	newRoute, err := h.accountManager.CreateRoute(r.Context(), accountID, newPrefix, networkType, domains, peerId, peerGroupIds,
-		req.Description, route.NetID(req.NetworkId), req.Masquerade, req.Metric, req.Groups, accessControlGroupIds, req.Enabled, userID, req.KeepRoute)
+		req.Description, route.NetID(req.NetworkId), req.Masquerade, req.Metric, req.Groups, accessControlGroupIds, req.Enabled, userID, req.KeepRoute, skipAutoApply)

 	if err != nil {
 		util.WriteError(r.Context(), err, w)
@@ -142,23 +152,31 @@ func (h *handler) createRoute(w http.ResponseWriter, r *http.Request) {
 }

 func (h *handler) validateRoute(req api.PostApiRoutesJSONRequestBody) error {
-	if req.Network != nil && req.Domains != nil {
+	return h.validateRouteCommon(req.Network, req.Domains, req.Peer, req.PeerGroups, req.NetworkId)
+}
+
+func (h *handler) validateRouteUpdate(req api.PutApiRoutesRouteIdJSONRequestBody) error {
+	return h.validateRouteCommon(req.Network, req.Domains, req.Peer, req.PeerGroups, req.NetworkId)
+}
+
+func (h *handler) validateRouteCommon(network *string, domains *[]string, peer *string, peerGroups *[]string, networkId string) error {
+	if network != nil && domains != nil {
 		return status.Errorf(status.InvalidArgument, "only one of 'network' or 'domains' should be provided")
 	}

-	if req.Network == nil && req.Domains == nil {
+	if network == nil && domains == nil {
 		return status.Errorf(status.InvalidArgument, "either 'network' or 'domains' should be provided")
 	}

-	if req.Peer == nil && req.PeerGroups == nil {
+	if peer == nil && peerGroups == nil {
 		return status.Errorf(status.InvalidArgument, "either 'peer' or 'peer_groups' should be provided")
 	}

-	if req.Peer != nil && req.PeerGroups != nil {
+	if peer != nil && peerGroups != nil {
 		return status.Errorf(status.InvalidArgument, "only one of 'peer' or 'peer_groups' should be provided")
 	}

-	if utf8.RuneCountInString(req.NetworkId) > route.MaxNetIDChar || req.NetworkId == "" {
+	if utf8.RuneCountInString(networkId) > route.MaxNetIDChar || networkId == "" {
 		return status.Errorf(status.InvalidArgument, "identifier should be between 1 and %d characters",
 			route.MaxNetIDChar)
 	}
@@ -195,7 +213,7 @@ func (h *handler) updateRoute(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if err := h.validateRoute(req); err != nil {
+	if err := h.validateRouteUpdate(req); err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
@@ -205,15 +223,24 @@ func (h *handler) updateRoute(w http.ResponseWriter, r *http.Request) {
 		peerID = *req.Peer
 	}

+	// Set default skipAutoApply value for exit nodes (0.0.0.0/0 routes)
+	skipAutoApply := false
+	if req.SkipAutoApply != nil {
+		skipAutoApply = *req.SkipAutoApply
+	} else if req.Network != nil && *req.Network == exitNodeCIDR {
+		skipAutoApply = false
+	}
+
 	newRoute := &route.Route{
-		ID:          route.ID(routeID),
-		NetID:       route.NetID(req.NetworkId),
-		Masquerade:  req.Masquerade,
-		Metric:      req.Metric,
-		Description: req.Description,
-		Enabled:     req.Enabled,
-		Groups:      req.Groups,
-		KeepRoute:   req.KeepRoute,
+		ID:            route.ID(routeID),
+		NetID:         route.NetID(req.NetworkId),
+		Masquerade:    req.Masquerade,
+		Metric:        req.Metric,
+		Description:   req.Description,
+		Enabled:       req.Enabled,
+		Groups:        req.Groups,
+		KeepRoute:     req.KeepRoute,
+		SkipAutoApply: skipAutoApply,
 	}

 	if req.Domains != nil {
@@ -321,18 +348,19 @@ func toRouteResponse(serverRoute *route.Route) (*api.Route, error) {
 	}
 	network := serverRoute.Network.String()
 	route := &api.Route{
-		Id:          string(serverRoute.ID),
-		Description: serverRoute.Description,
-		NetworkId:   string(serverRoute.NetID),
-		Enabled:     serverRoute.Enabled,
-		Peer:        &serverRoute.Peer,
-		Network:     &network,
-		Domains:     &domains,
-		NetworkType: serverRoute.NetworkType.String(),
-		Masquerade:  serverRoute.Masquerade,
-		Metric:      serverRoute.Metric,
-		Groups:      serverRoute.Groups,
-		KeepRoute:   serverRoute.KeepRoute,
+		Id:            string(serverRoute.ID),
+		Description:   serverRoute.Description,
+		NetworkId:     string(serverRoute.NetID),
+		Enabled:       serverRoute.Enabled,
+		Peer:          &serverRoute.Peer,
+		Network:       &network,
+		Domains:       &domains,
+		NetworkType:   serverRoute.NetworkType.String(),
+		Masquerade:    serverRoute.Masquerade,
+		Metric:        serverRoute.Metric,
+		Groups:        serverRoute.Groups,
+		KeepRoute:     serverRoute.KeepRoute,
+		SkipAutoApply: &serverRoute.SkipAutoApply,
 	}

 	if len(serverRoute.PeerGroups) > 0 {
--- a/management/server/http/handlers/routes/routes_handler_test.go
+++ b/management/server/http/handlers/routes/routes_handler_test.go
@@ -15,13 +15,13 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"github.com/netbirdio/netbird/shared/management/domain"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
-	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/management/server/mock_server"
-	"github.com/netbirdio/netbird/shared/management/status"
 	"github.com/netbirdio/netbird/management/server/util"
 	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/shared/management/domain"
+	"github.com/netbirdio/netbird/shared/management/http/api"
+	"github.com/netbirdio/netbird/shared/management/status"
 )

 const (
@@ -62,21 +62,22 @@ func initRoutesTestData() *handler {
 	return &handler{
 		accountManager: &mock_server.MockAccountManager{
 			GetRouteFunc: func(_ context.Context, _ string, routeID route.ID, _ string) (*route.Route, error) {
-				if routeID == existingRouteID {
+				switch routeID {
+				case existingRouteID:
 					return baseExistingRoute, nil
-				}
-				if routeID == existingRouteID2 {
+				case existingRouteID2:
 					route := baseExistingRoute.Copy()
 					route.PeerGroups = []string{existingGroupID}
 					return route, nil
-				} else if routeID == existingRouteID3 {
+				case existingRouteID3:
 					route := baseExistingRoute.Copy()
 					route.Domains = domain.List{existingDomain}
 					return route, nil
+				default:
+					return nil, status.Errorf(status.NotFound, "route with ID %s not found", routeID)
 				}
-				return nil, status.Errorf(status.NotFound, "route with ID %s not found", routeID)
 			},
-			CreateRouteFunc: func(_ context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroups []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroups []string, enabled bool, _ string, keepRoute bool) (*route.Route, error) {
+			CreateRouteFunc: func(_ context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroups []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroups []string, enabled bool, _ string, keepRoute bool, skipAutoApply bool) (*route.Route, error) {
 				if peerID == notFoundPeerID {
 					return nil, status.Errorf(status.InvalidArgument, "peer with ID %s not found", peerID)
 				}
@@ -103,6 +104,7 @@ func initRoutesTestData() *handler {
 					Groups:              groups,
 					KeepRoute:           keepRoute,
 					AccessControlGroups: accessControlGroups,
+					SkipAutoApply:       skipAutoApply,
 				}, nil
 			},
 			SaveRouteFunc: func(_ context.Context, _, _ string, r *route.Route) error {
@@ -190,19 +192,20 @@ func TestRoutesHandlers(t *testing.T) {
 			requestType: http.MethodPost,
 			requestPath: "/api/routes",
 			requestBody: bytes.NewBuffer(
-				[]byte(fmt.Sprintf(`{"Description":"Post","Network":"192.168.0.0/16","network_id":"awesomeNet","Peer":"%s","groups":["%s"]}`, existingPeerID, existingGroupID))),
+				[]byte(fmt.Sprintf(`{"Description":"Post","Network":"192.168.0.0/16","network_id":"awesomeNet","Peer":"%s","groups":["%s"],"skip_auto_apply":false}`, existingPeerID, existingGroupID))),
 			expectedStatus: http.StatusOK,
 			expectedBody:   true,
 			expectedRoute: &api.Route{
-				Id:          existingRouteID,
-				Description: "Post",
-				NetworkId:   "awesomeNet",
-				Network:     util.ToPtr("192.168.0.0/16"),
-				Peer:        &existingPeerID,
-				NetworkType: route.IPv4NetworkString,
-				Masquerade:  false,
-				Enabled:     false,
-				Groups:      []string{existingGroupID},
+				Id:            existingRouteID,
+				Description:   "Post",
+				NetworkId:     "awesomeNet",
+				Network:       util.ToPtr("192.168.0.0/16"),
+				Peer:          &existingPeerID,
+				NetworkType:   route.IPv4NetworkString,
+				Masquerade:    false,
+				Enabled:       false,
+				Groups:        []string{existingGroupID},
+				SkipAutoApply: util.ToPtr(false),
 			},
 		},
 		{
@@ -210,21 +213,22 @@ func TestRoutesHandlers(t *testing.T) {
 			requestType: http.MethodPost,
 			requestPath: "/api/routes",
 			requestBody: bytes.NewBuffer(
-				[]byte(fmt.Sprintf(`{"description":"Post","domains":["example.com"],"network_id":"domainNet","peer":"%s","groups":["%s"],"keep_route":true}`, existingPeerID, existingGroupID))),
+				[]byte(fmt.Sprintf(`{"description":"Post","domains":["example.com"],"network_id":"domainNet","peer":"%s","groups":["%s"],"keep_route":true,"skip_auto_apply":false}`, existingPeerID, existingGroupID))),
 			expectedStatus: http.StatusOK,
 			expectedBody:   true,
 			expectedRoute: &api.Route{
-				Id:          existingRouteID,
-				Description: "Post",
-				NetworkId:   "domainNet",
-				Network:     util.ToPtr("invalid Prefix"),
-				KeepRoute:   true,
-				Domains:     &[]string{existingDomain},
-				Peer:        &existingPeerID,
-				NetworkType: route.DomainNetworkString,
-				Masquerade:  false,
-				Enabled:     false,
-				Groups:      []string{existingGroupID},
+				Id:            existingRouteID,
+				Description:   "Post",
+				NetworkId:     "domainNet",
+				Network:       util.ToPtr("invalid Prefix"),
+				KeepRoute:     true,
+				Domains:       &[]string{existingDomain},
+				Peer:          &existingPeerID,
+				NetworkType:   route.DomainNetworkString,
+				Masquerade:    false,
+				Enabled:       false,
+				Groups:        []string{existingGroupID},
+				SkipAutoApply: util.ToPtr(false),
 			},
 		},
 		{
@@ -232,7 +236,7 @@ func TestRoutesHandlers(t *testing.T) {
 			requestType: http.MethodPost,
 			requestPath: "/api/routes",
 			requestBody: bytes.NewBuffer(
-				[]byte(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/16\",\"network_id\":\"awesomeNet\",\"Peer\":\"%s\",\"groups\":[\"%s\"],\"access_control_groups\":[\"%s\"]}", existingPeerID, existingGroupID, existingGroupID))),
+				[]byte(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/16\",\"network_id\":\"awesomeNet\",\"Peer\":\"%s\",\"groups\":[\"%s\"],\"access_control_groups\":[\"%s\"],\"skip_auto_apply\":false}", existingPeerID, existingGroupID, existingGroupID))),
 			expectedStatus: http.StatusOK,
 			expectedBody:   true,
 			expectedRoute: &api.Route{
@@ -246,6 +250,7 @@ func TestRoutesHandlers(t *testing.T) {
 				Enabled:             false,
 				Groups:              []string{existingGroupID},
 				AccessControlGroups: &[]string{existingGroupID},
+				SkipAutoApply:       util.ToPtr(false),
 			},
 		},
 		{
@@ -336,60 +341,63 @@ func TestRoutesHandlers(t *testing.T) {
 			name:           "Network PUT OK",
 			requestType:    http.MethodPut,
 			requestPath:    "/api/routes/" + existingRouteID,
-			requestBody:    bytes.NewBufferString(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/16\",\"network_id\":\"awesomeNet\",\"Peer\":\"%s\",\"groups\":[\"%s\"]}", existingPeerID, existingGroupID)),
+			requestBody:    bytes.NewBufferString(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/16\",\"network_id\":\"awesomeNet\",\"Peer\":\"%s\",\"groups\":[\"%s\"],\"is_selected\":true}", existingPeerID, existingGroupID)),
 			expectedStatus: http.StatusOK,
 			expectedBody:   true,
 			expectedRoute: &api.Route{
-				Id:          existingRouteID,
-				Description: "Post",
-				NetworkId:   "awesomeNet",
-				Network:     util.ToPtr("192.168.0.0/16"),
-				Peer:        &existingPeerID,
-				NetworkType: route.IPv4NetworkString,
-				Masquerade:  false,
-				Enabled:     false,
-				Groups:      []string{existingGroupID},
+				Id:            existingRouteID,
+				Description:   "Post",
+				NetworkId:     "awesomeNet",
+				Network:       util.ToPtr("192.168.0.0/16"),
+				Peer:          &existingPeerID,
+				NetworkType:   route.IPv4NetworkString,
+				Masquerade:    false,
+				Enabled:       false,
+				Groups:        []string{existingGroupID},
+				SkipAutoApply: util.ToPtr(false),
 			},
 		},
 		{
 			name:           "Domains PUT OK",
 			requestType:    http.MethodPut,
 			requestPath:    "/api/routes/" + existingRouteID,
-			requestBody:    bytes.NewBufferString(fmt.Sprintf(`{"Description":"Post","domains":["example.com"],"network_id":"awesomeNet","Peer":"%s","groups":["%s"],"keep_route":true}`, existingPeerID, existingGroupID)),
+			requestBody:    bytes.NewBufferString(fmt.Sprintf(`{"Description":"Post","domains":["example.com"],"network_id":"awesomeNet","Peer":"%s","groups":["%s"],"keep_route":true,"skip_auto_apply":false}`, existingPeerID, existingGroupID)),
 			expectedStatus: http.StatusOK,
 			expectedBody:   true,
 			expectedRoute: &api.Route{
-				Id:          existingRouteID,
-				Description: "Post",
-				NetworkId:   "awesomeNet",
-				Network:     util.ToPtr("invalid Prefix"),
-				Domains:     &[]string{existingDomain},
-				Peer:        &existingPeerID,
-				NetworkType: route.DomainNetworkString,
-				Masquerade:  false,
-				Enabled:     false,
-				Groups:      []string{existingGroupID},
-				KeepRoute:   true,
+				Id:            existingRouteID,
+				Description:   "Post",
+				NetworkId:     "awesomeNet",
+				Network:       util.ToPtr("invalid Prefix"),
+				Domains:       &[]string{existingDomain},
+				Peer:          &existingPeerID,
+				NetworkType:   route.DomainNetworkString,
+				Masquerade:    false,
+				Enabled:       false,
+				Groups:        []string{existingGroupID},
+				KeepRoute:     true,
+				SkipAutoApply: util.ToPtr(false),
 			},
 		},
 		{
 			name:           "PUT OK when peer_groups provided",
 			requestType:    http.MethodPut,
 			requestPath:    "/api/routes/" + existingRouteID,
-			requestBody:    bytes.NewBufferString(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/16\",\"network_id\":\"awesomeNet\",\"peer_groups\":[\"%s\"],\"groups\":[\"%s\"]}", existingGroupID, existingGroupID)),
+			requestBody:    bytes.NewBufferString(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/16\",\"network_id\":\"awesomeNet\",\"peer_groups\":[\"%s\"],\"groups\":[\"%s\"],\"skip_auto_apply\":false}", existingGroupID, existingGroupID)),
 			expectedStatus: http.StatusOK,
 			expectedBody:   true,
 			expectedRoute: &api.Route{
-				Id:          existingRouteID,
-				Description: "Post",
-				NetworkId:   "awesomeNet",
-				Network:     util.ToPtr("192.168.0.0/16"),
-				Peer:        &emptyString,
-				PeerGroups:  &[]string{existingGroupID},
-				NetworkType: route.IPv4NetworkString,
-				Masquerade:  false,
-				Enabled:     false,
-				Groups:      []string{existingGroupID},
+				Id:            existingRouteID,
+				Description:   "Post",
+				NetworkId:     "awesomeNet",
+				Network:       util.ToPtr("192.168.0.0/16"),
+				Peer:          &emptyString,
+				PeerGroups:    &[]string{existingGroupID},
+				NetworkType:   route.IPv4NetworkString,
+				Masquerade:    false,
+				Enabled:       false,
+				Groups:        []string{existingGroupID},
+				SkipAutoApply: util.ToPtr(false),
 			},
 		},
 		{
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Viktor Liu	71e944fa57	[relay] Let relay accept any origin (#4426 )	2025-09-01 19:51:06 +02:00
Maycon Santos	d39fcfd62a	[management] Add user approval (#4411 ) This PR adds user approval functionality to the management system, allowing administrators to manually approve new users joining via domain matching. When enabled, users are blocked with pending approval status until explicitly approved by an admin. Adds UserApprovalRequired setting to control manual user approval requirement Introduces user approval and rejection endpoints with corresponding business logic Prevents pending approval users from adding peers or logging in	2025-09-01 18:00:45 +02:00
Zoltan Papp	21368b38d9	[client] Update Pion ICE to the latest version (#4388 ) - Update Pion version - Update protobuf version	2025-09-01 10:42:01 +02:00
Maycon Santos	d817584f52	[misc] fix Windows client and management bench tests (#4424 ) Windows tests had too many directories, causing issues to the payload via psexec. Also migrated all checked benchmarks to send data to grafana.	2025-08-31 17:19:56 +02:00
Pascal Fischer	4d3dc3475d	[management] remove duplicated removal of groups on peer delete (#4421 )	2025-08-30 12:47:13 +02:00
Pascal Fischer	6fc50a438f	[management] remove withContext from store methods (#4422 )	2025-08-30 12:46:54 +02:00
Vlad	149559a06b	[management] login filter to fix multiple peers connected with the same pub key (#3986 )	2025-08-29 19:48:40 +02:00
Pascal Fischer	e14c6de203	[management] fix ephemeral flag on peer batch response (#4420 )	2025-08-29 17:41:20 +02:00
Viktor Liu	d4c067f0af	[client] Don't deactivate upstream resolvers on failure (#4128 )	2025-08-29 17:40:05 +02:00
Pascal Fischer	dbefa8bd9f	[management] remove lock and continue user update on failure (#4410 )	2025-08-28 17:50:12 +02:00
Pascal Fischer	4fd10b9447	[management] split high latency grpc metrics (#4408 )	2025-08-28 13:25:40 +02:00
Viktor Liu	aa595c3073	[client] Fix shared sock buffer allocation (#4409 )	2025-08-28 13:25:16 +02:00
Vlad	99bd34c02a	[signal] fix goroutines and memory leak on forward messages between peers (#3896 )	2025-08-27 19:30:49 +03:00
Krzysztof Nazarewski (kdn)	7ce5507c05	[client] fix darwin dns always throwing err (#4403 ) * fix: dns/host_darwin.go was missing if err != nil before throwing error	2025-08-27 09:59:39 +02:00
Pascal Fischer	0320bb7b35	[management] Report sync duration and login duration by accountID (#4406 )	2025-08-26 22:32:12 +02:00
Viktor Liu	f063866ce8	[client] Add flag to configure MTU (#4213 )	2025-08-26 16:00:14 +02:00
plusls	9f84165763	[client] Add netstack support for Android cli (#4319 )	2025-08-26 15:40:01 +02:00
Pascal Fischer	3488a516c9	[management] Move increment network serial as last step of each transaction (#4397 )	2025-08-25 17:27:07 +02:00
Pascal Fischer	5e273c121a	[management] Remove store locks 3 (#4390 )	2025-08-21 20:47:28 +02:00
Bethuel Mmbaga	968d95698e	[management] Bump github.com/golang-jwt/jwt from 3.2.2+incompatible to 5.3.0 (#4375 )	2025-08-21 15:02:51 +03:00
Pascal Fischer	28bef26537	[management] Remove Store Locks 2 (#4385 )	2025-08-21 12:23:49 +02:00
Pascal Fischer	0d2845ea31	[management] optimize proxy network map (#4324 )	2025-08-20 19:04:19 +02:00
Zoltan Papp	f425870c8e	[client] Avoid duplicated agent close (#4383 )	2025-08-20 18:50:51 +02:00
Pascal Fischer	f9d64a06c2	[management] Remove all store locks from grpc side (#4374 )	2025-08-20 12:41:14 +02:00
hakansa	86555c44f7	refactor doc workflow (#4373 ) refactor doc workflow (#4373)	2025-08-20 10:59:32 +03:00
Bastien Jeannelle	48792c64cd	[misc] Fix confusing comment (#4376 )	2025-08-20 00:12:00 +02:00
hakansa	533d93eb17	[management,client] Feat/exit node auto apply (#4272 ) [management,client] Feat/exit node auto apply (#4272)	2025-08-19 18:19:24 +03:00