fix scroll in settings

remove unused lang icons, disable text selection
update auto update wordings, add update available into ui
2026-05-25 01:59:54 +00:00 · 2026-05-22 16:09:55 +02:00 · 2026-05-22 15:59:27 +02:00 · 2026-05-22 13:04:04 +02:00 · 2026-05-22 10:16:13 +02:00 · 2026-05-22 09:53:08 +02:00
354 changed files with 28223 additions and 9195 deletions
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -43,5 +43,13 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        # Exclude client/ui: its main.go uses //go:embed all:frontend/dist,
+        # which fails to compile until the frontend has been built. The Wails UI
+        # has no Go-side unit tests, and its release pipeline runs `pnpm build`
+        # before goreleaser.
+        # `go list -e` lets the listing succeed even though the embed fails to
+        # resolve; the grep then drops the broken package by path. Without -e,
+        # go list aborts with empty stdout and `go test` falls back to the repo
+        # root, which has no Go files.
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list -e ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui)

--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -51,7 +51,7 @@ jobs:

      - name: Install dependencies
        if: steps.cache.outputs.cache-hit != 'true'
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+        run: sudo apt update && sudo apt install -y -q libgtk-4-dev libwebkitgtk-6.0-dev libsoup-3.0-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev

      - name: Install 32-bit libpcap
        if: steps.cache.outputs.cache-hit != 'true'
@@ -141,7 +141,7 @@ jobs:
            ${{ runner.os }}-gotest-cache-

      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+        run: sudo apt update && sudo apt install -y -q libgtk-4-dev libwebkitgtk-6.0-dev libsoup-3.0-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev

      - name: Install 32-bit libpcap
        if: matrix.arch == '386'
@@ -154,7 +154,15 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        # Exclude client/ui: its main.go uses //go:embed all:frontend/dist,
+        # which fails to compile until the frontend has been built. The Wails UI
+        # has no Go-side unit tests, and its release pipeline runs `pnpm build`
+        # before goreleaser.
+        # `go list -e` lets the listing succeed even though the embed fails to
+        # resolve; the grep then drops the broken package by path. Without -e,
+        # go list aborts with empty stdout and `go test` falls back to the repo
+        # root, which has no Go files.
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list -e ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui)

  test_client_on_docker:
    name: "Client (Docker) / Unit"
@@ -214,7 +222,7 @@ jobs:
            sh -c ' \
              apk update; apk add --no-cache \
                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -e -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
            '

  test_relay:
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -64,8 +64,15 @@ jobs:
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
      - name: Generate test script
+        # Exclude client/ui: its main.go uses //go:embed all:frontend/dist,
+        # which fails to compile until the frontend has been built. The Wails UI
+        # has no Go-side unit tests, and its release pipeline runs `pnpm build`
+        # before goreleaser.
+        # `go list -e` lets the listing succeed even though the embed fails to
+        # resolve; the Where-Object pipeline then drops the broken package by
+        # path. Without -e, go list aborts with empty stdout.
        run: |
-          $packages = go list ./... | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' }
+          $packages = go list -e ./... | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' } | Where-Object { $_ -notmatch '/client/ui' }
          $goExe = "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe"
          $cmd = "$goExe test -tags=devcert -timeout 10m -p 1 $($packages -join ' ') > test-out.txt 2>&1"
          Set-Content -Path "${{ github.workspace }}\run-tests.cmd" -Value $cmd
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -20,7 +20,7 @@ jobs:
        uses: codespell-project/actions-codespell@v2
        with:
          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA,ede,additionals
-          skip: go.mod,go.sum,**/proxy/web/**
+          skip: go.mod,go.sum,**/proxy/web/**,**/pnpm-lock.yaml,**/package-lock.json
  golangci:
    strategy:
      fail-fast: false
@@ -50,7 +50,16 @@ jobs:
          cache: false
      - name: Install dependencies
        if: matrix.os == 'ubuntu-latest'
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
+        run: sudo apt update && sudo apt install -y -q libgtk-4-dev libwebkitgtk-6.0-dev libsoup-3.0-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
+      - name: Stub Wails frontend bundle
+        # client/ui/main.go has //go:embed all:frontend/dist. The
+        # directory is produced by `pnpm run build` and is gitignored, so
+        # lint-only runs (no frontend toolchain) need a placeholder file
+        # for the embed pattern to match.
+        shell: bash
+        run: |
+          mkdir -p client/ui/frontend/dist
+          touch client/ui/frontend/dist/.embed-placeholder
      - name: golangci-lint
        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -186,9 +186,9 @@ jobs:
      - name: Install goversioninfo
        run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
      - name: Generate windows syso amd64
-        run: goversioninfo  -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_amd64.syso
+        run: goversioninfo  -icon client/ui/build/windows/icon.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_amd64.syso
      - name: Generate windows syso arm64
-        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
+        run: goversioninfo -arm -64 -icon client/ui/build/windows/icon.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
        id: goreleaser
        uses: goreleaser/goreleaser-action@v4
@@ -349,8 +349,18 @@ jobs:
      - name: check git status
        run: git --no-pager diff --exit-code

+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@v3
+        with:
+          version: 9
+
      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64
+        run: sudo apt update && sudo apt install -y -q libgtk-4-dev libwebkitgtk-6.0-dev libsoup-3.0-dev libayatana-appindicator3-dev gcc-mingw-w64-x86-64

      - name: Decode GPG signing key
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
@@ -369,10 +379,16 @@ jobs:
          echo "/tmp/llvm-mingw-20250709-ucrt-ubuntu-22.04-x86_64/bin" >> $GITHUB_PATH
      - name: Install goversioninfo
        run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
+      - name: Install wails3 CLI
+        # Version derived from go.mod so the binding generator always matches
+        # the wails runtime the binary links against.
+        run: |
+          WAILS_VERSION=$(go list -m -f '{{.Version}}' github.com/wailsapp/wails/v3)
+          go install github.com/wailsapp/wails/v3/cmd/wails3@$WAILS_VERSION
      - name: Generate windows syso amd64
-        run: goversioninfo -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_amd64.syso
+        run: goversioninfo -64 -icon client/ui/build/windows/icon.ico -manifest client/ui/build/windows/wails.exe.manifest -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_amd64.syso
      - name: Generate windows syso arm64
-        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_arm64.syso
+        run: goversioninfo -arm -64 -icon client/ui/build/windows/icon.ico -manifest client/ui/build/windows/wails.exe.manifest -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_arm64.syso

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v4
@@ -439,6 +455,20 @@ jobs:
        run: go mod tidy
      - name: check git status
        run: git --no-pager diff --exit-code
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - name: Set up pnpm
+        uses: pnpm/action-setup@v3
+        with:
+          version: 9
+      - name: Install wails3 CLI
+        # Version derived from go.mod so the binding generator always matches
+        # the wails runtime the binary links against.
+        run: |
+          WAILS_VERSION=$(go list -m -f '{{.Version}}' github.com/wailsapp/wails/v3)
+          go install github.com/wailsapp/wails/v3/cmd/wails3@$WAILS_VERSION
      - name: Run GoReleaser
        id: goreleaser
        uses: goreleaser/goreleaser-action@v4
@@ -528,24 +558,6 @@ jobs:
      - name: Move wintun.dll into dist
        run: mv ${{ env.downloadPath }}\wintun\bin\${{ matrix.wintun_arch }}\wintun.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\

-      - name: Download Mesa3D (amd64 only)
-        uses: carlosperate/download-file-action@v2
-        id: download-mesa3d
-        if: matrix.arch == 'amd64'
-        with:
-          file-url: https://downloads.fdossena.com/Projects/Mesa3D/Builds/MesaForWindows-x64-20.1.8.7z
-          file-name: mesa3d.7z
-          location: ${{ env.downloadPath }}
-          sha256: '71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9'
-
-      - name: Extract Mesa3D driver (amd64 only)
-        if: matrix.arch == 'amd64'
-        run: 7z x -o"${{ env.downloadPath }}" "${{ env.downloadPath }}/mesa3d.7z"
-
-      - name: Move opengl32.dll into dist (amd64 only)
-        if: matrix.arch == 'amd64'
-        run: mv ${{ env.downloadPath }}\opengl32.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\
-
      - name: Download EnVar plugin for NSIS
        uses: carlosperate/download-file-action@v2
        with:
@@ -568,6 +580,28 @@ jobs:
        if: matrix.arch == 'amd64'
        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/ShellExecAsUser_amd64-Unicode.7z"

+      - name: Set up Go for wails3 CLI
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+          cache: false
+
+      - name: Install wails3 CLI
+        # Version derived from go.mod so the bootstrapper payload always
+        # matches the wails runtime the binary links against.
+        shell: bash
+        run: |
+          WAILS_VERSION=$(go list -m -f '{{.Version}}' github.com/wailsapp/wails/v3)
+          go install github.com/wailsapp/wails/v3/cmd/wails3@$WAILS_VERSION
+
+      - name: Stage WebView2 bootstrapper for installers
+        # Both client/installer.nsis and client/netbird.wxs reference
+        # client/MicrosoftEdgeWebview2Setup.exe. wails3 writes it there.
+        # The signing pipeline (netbirdio/sign-pipelines) does the same
+        # step for release builds; this mirrors it for PR sanity testing.
+        shell: bash
+        run: wails3 generate webview2bootstrapper -dir client
+
      - name: Build NSIS installer
        uses: joncloud/makensis-action@v3.3
        with:
--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -25,7 +25,7 @@ jobs:
        with:
          go-version-file: "go.mod"
      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
+        run: sudo apt update && sudo apt install -y -q libgtk-4-dev libwebkitgtk-6.0-dev libsoup-3.0-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: Install golangci-lint
        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -92,9 +92,6 @@ linters:
      - linters:
          - unused
        path: client/firewall/iptables/rule\.go
-      - linters:
-          - unused
-        path: client/internal/dns/dnsfw/(types|syscall|zsyscall)_windows.*\.go
      - linters:
          - gosec
          - mirror
@@ -117,6 +114,16 @@ linters:
      - linters:
          - staticcheck
        text: "QF1012"
+      # client/ui/main.go uses //go:embed all:frontend/dist; the
+      # directory is populated by `pnpm build` in the release pipeline
+      # and missing at lint time, so the embed parses to "no matching
+      # files found" — surfaced by golangci-lint's typecheck pre-pass.
+      # Suppress just that one diagnostic; the rest of the package
+      # (services/, tray.go, grpc.go, ...) still gets linted normally.
+      - linters:
+          - typecheck
+        path: client/ui/main\.go
+        text: "pattern all:frontend/dist"
    paths:
      - third_party$
      - builtin$
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -1,6 +1,15 @@
 version: 2

 project_name: netbird-ui
+
+before:
+  hooks:
+    # Bindings are gitignored; regenerate before the frontend build so
+    # the @wailsio/runtime Vite plugin can resolve them (vite refuses to
+    # build without them).
+    - sh -c 'cd client/ui && wails3 generate bindings -clean=true -ts'
+    - sh -c 'cd client/ui/frontend && pnpm install --frozen-lockfile && pnpm build'
+
 builds:
  - id: netbird-ui
    dir: client/ui
@@ -70,12 +79,15 @@ nfpms:
    scripts:
      postinstall: "release_files/ui-post-install.sh"
    contents:
-      - src: client/ui/build/netbird.desktop
+      - src: client/ui/build/linux/netbird.desktop
        dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/assets/netbird.png
+      - src: client/ui/build/appicon.png
        dst: /usr/share/pixmaps/netbird.png
    dependencies:
      - netbird
+      - libgtk-3-0
+      - libwebkit2gtk-4.1-0
+      - libayatana-appindicator3-1

  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client UI.
@@ -89,12 +101,15 @@ nfpms:
    scripts:
      postinstall: "release_files/ui-post-install.sh"
    contents:
-      - src: client/ui/build/netbird.desktop
+      - src: client/ui/build/linux/netbird.desktop
        dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/assets/netbird.png
+      - src: client/ui/build/appicon.png
        dst: /usr/share/pixmaps/netbird.png
    dependencies:
      - netbird
+      - gtk3
+      - webkit2gtk4.1
+      - libayatana-appindicator-gtk3
    rpm:
      signature:
        key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'
--- a/.goreleaser_ui_darwin.yaml
+++ b/.goreleaser_ui_darwin.yaml
@@ -1,6 +1,15 @@
 version: 2

 project_name: netbird-ui
+
+before:
+  hooks:
+    # Bindings are gitignored; regenerate before the frontend build so
+    # the @wailsio/runtime Vite plugin can resolve them (vite refuses to
+    # build without them).
+    - sh -c 'cd client/ui && wails3 generate bindings -clean=true -ts'
+    - sh -c 'cd client/ui/frontend && pnpm install --frozen-lockfile && pnpm build'
+
 builds:
  - id: netbird-ui-darwin
    dir: client/ui
@@ -20,8 +29,6 @@ builds:
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
-    tags:
-      - load_wgnt_from_rsrc

 universal_binaries:
  - id: netbird-ui-darwin
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -22,11 +22,19 @@ import (
 	"github.com/netbirdio/netbird/util"
 )

+// extendSessionFlag drives the `netbird login --extend` flow: refresh the
+// SSO session expiry on the management server without tearing down the
+// tunnel. Mutually exclusive with setup-key login (a setup-key cannot
+// refresh an SSO-tracked peer — see auth.errSetupKeyOnSSOExpiredPeer).
+var extendSessionFlag bool
+
 func init() {
 	loginCmd.PersistentFlags().BoolVar(&noBrowser, noBrowserFlag, false, noBrowserDesc)
 	loginCmd.PersistentFlags().BoolVar(&showQR, showQRFlag, false, showQRDesc)
 	loginCmd.PersistentFlags().StringVar(&profileName, profileNameFlag, "", profileNameDesc)
 	loginCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "(DEPRECATED) Netbird config file location")
+	loginCmd.PersistentFlags().BoolVar(&extendSessionFlag, "extend", false,
+		"refresh the SSO session expiry without tearing down the tunnel (requires an active connection)")
 }

 var loginCmd = &cobra.Command{
@@ -61,6 +69,16 @@ var loginCmd = &cobra.Command{
 			return err
 		}

+		if extendSessionFlag {
+			if providedSetupKey != "" {
+				return fmt.Errorf("--extend cannot be combined with a setup key; setup keys can only enrol new peers")
+			}
+			if err := doExtendSession(ctx, cmd); err != nil {
+				return fmt.Errorf("extend session failed: %v", err)
+			}
+			return nil
+		}
+
 		// workaround to run without service
 		if util.FindFirstLogPath(logFiles) == "" {
 			if err := doForegroundLogin(ctx, cmd, providedSetupKey, activeProf); err != nil {
@@ -150,6 +168,65 @@ func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey str
 	return nil
 }

+// doExtendSession drives the daemon's RequestExtendAuthSession /
+// WaitExtendAuthSession pair. The user is sent through a regular SSO flow
+// (browser + verification URL) and the resulting JWT is forwarded to the
+// management server's ExtendAuthSession RPC. The tunnel stays up
+// throughout — no Down/Up, no network-map resync.
+func doExtendSession(ctx context.Context, cmd *cobra.Command) error {
+	conn, err := DialClientGRPCServer(ctx, daemonAddr)
+	if err != nil {
+		//nolint
+		return fmt.Errorf("failed to connect to daemon error: %v\n"+
+			"If the daemon is not running please run: "+
+			"\nnetbird service install \nnetbird service start\n", err)
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+
+	req := &proto.RequestExtendAuthSessionRequest{}
+	// Pre-fill the IdP login hint from the active profile so the user
+	// doesn't have to retype their email. Best-effort: we still proceed
+	// without a hint if the lookup fails.
+	pm := profilemanager.NewProfileManager()
+	if active, perr := pm.GetActiveProfile(); perr == nil {
+		if profState, sperr := pm.GetProfileState(active.Name); sperr == nil && profState.Email != "" {
+			req.Hint = &profState.Email
+		}
+	}
+
+	startResp, err := client.RequestExtendAuthSession(ctx, req)
+	if err != nil {
+		return fmt.Errorf("start extend session: %v", err)
+	}
+
+	uri := startResp.GetVerificationURIComplete()
+	if uri == "" {
+		uri = startResp.GetVerificationURI()
+	}
+	openURL(cmd, uri, startResp.GetUserCode(), noBrowser, showQR)
+
+	waitResp, err := client.WaitExtendAuthSession(ctx, &proto.WaitExtendAuthSessionRequest{
+		DeviceCode: startResp.GetDeviceCode(),
+		UserCode:   startResp.GetUserCode(),
+	})
+	if err != nil {
+		return fmt.Errorf("wait for extend session: %v", err)
+	}
+
+	if ts := waitResp.GetSessionExpiresAt(); ts.IsValid() && !ts.AsTime().IsZero() {
+		deadline := ts.AsTime().Local()
+		cmd.Printf("Session extended. New expiry: %s\n", deadline.Format("2006-01-02 15:04:05 MST"))
+	} else {
+		// Management reported the peer is not eligible (e.g. login
+		// expiration disabled on the account). Surface that fact
+		// instead of pretending the call succeeded.
+		cmd.Println("Session extension call completed, but the management server did not return a new deadline (peer may not be SSO-tracked or login expiration is disabled).")
+	}
+	return nil
+}
+
 func getActiveProfile(ctx context.Context, pm *profilemanager.ProfileManager, profileName string, username string) (*profilemanager.Profile, error) {
 	// switch profile if provided

--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/netip"
 	"strings"
+	"time"

 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -43,16 +44,16 @@ func init() {
 	ipsFilterMap = make(map[string]struct{})
 	prefixNamesFilterMap = make(map[string]struct{})
 	statusCmd.PersistentFlags().BoolVarP(&detailFlag, "detail", "d", false, "display detailed status information in human-readable format")
-	statusCmd.PersistentFlags().BoolVar(&jsonFlag, "json", false, "display detailed status information in json format")
-	statusCmd.PersistentFlags().BoolVar(&yamlFlag, "yaml", false, "display detailed status information in yaml format")
-	statusCmd.PersistentFlags().BoolVar(&ipv4Flag, "ipv4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
-	statusCmd.PersistentFlags().BoolVar(&ipv6Flag, "ipv6", false, "display only NetBird IPv6 of this peer")
+	statusCmd.PersistentFlags().BoolVarP(&jsonFlag, "json", "j", false, "display detailed status information in json format")
+	statusCmd.PersistentFlags().BoolVarP(&yamlFlag, "yaml", "y", false, "display detailed status information in yaml format")
+	statusCmd.PersistentFlags().BoolVarP(&ipv4Flag, "ipv4", "4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
+	statusCmd.PersistentFlags().BoolVarP(&ipv6Flag, "ipv6", "6", false, "display only NetBird IPv6 of this peer")
 	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4", "ipv6")
-	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs (v4 or v6), e.g., --filter-by-ips 100.64.0.100,fd00::1")
-	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
-	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
-	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
-	statusCmd.PersistentFlags().StringVar(&checkFlag, "check", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
+	statusCmd.PersistentFlags().StringSliceVarP(&ipsFilter, "filter-by-ips", "I", []string{}, "filters the detailed output by a list of one or more IPs (v4 or v6), e.g., --filter-by-ips 100.64.0.100,fd00::1")
+	statusCmd.PersistentFlags().StringSliceVarP(&prefixNamesFilter, "filter-by-names", "N", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
+	statusCmd.PersistentFlags().StringVarP(&statusFilter, "filter-by-status", "S", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
+	statusCmd.PersistentFlags().StringVarP(&connectionTypeFilter, "filter-by-connection-type", "T", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
+	statusCmd.PersistentFlags().StringVarP(&checkFlag, "check", "C", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
 }

 func statusFunc(cmd *cobra.Command, args []string) error {
@@ -117,6 +118,11 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		profName = activeProf.Name
 	}

+	var sessionExpiresAt time.Time
+	if ts := resp.GetSessionExpiresAt(); ts.IsValid() {
+		sessionExpiresAt = ts.AsTime().UTC()
+	}
+
 	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), nbstatus.ConvertOptions{
 		Anonymize:            anonymizeFlag,
 		DaemonVersion:        resp.GetDaemonVersion(),
@@ -127,6 +133,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		IPsFilter:            ipsFilterMap,
 		ConnectionTypeFilter: connectionTypeFilter,
 		ProfileName:          profName,
+		SessionExpiresAt:     sessionExpiresAt,
 	})
 	var statusOutputString string
 	switch {
--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -336,7 +336,7 @@ func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	if err != nil {
 		return nil, fmt.Errorf("split host port: %w", err)
 	}
-	listenAddr := fmt.Sprintf("%s:%s", addr, port)
+	listenAddr := net.JoinHostPort(addr.String(), port)

 	tcpAddr, err := net.ResolveTCPAddr("tcp", listenAddr)
 	if err != nil {
@@ -357,7 +357,7 @@ func (c *Client) ListenUDP(address string) (net.PacketConn, error) {
 	if err != nil {
 		return nil, fmt.Errorf("split host port: %w", err)
 	}
-	listenAddr := fmt.Sprintf("%s:%s", addr, port)
+	listenAddr := net.JoinHostPort(addr.String(), port)

 	udpAddr, err := net.ResolveUDPAddr("udp", listenAddr)
 	if err != nil {
--- a/client/installer.nsis
+++ b/client/installer.nsis
@@ -6,7 +6,7 @@
 !define DESCRIPTION "Connect your devices into a secure WireGuard-based overlay network with SSO, MFA, and granular access controls."
 !define INSTALLER_NAME "netbird-installer.exe"
 !define MAIN_APP_EXE "Netbird"
-!define ICON "ui\\assets\\netbird.ico"
+!define ICON "ui\\build\\windows\\icon.ico"
 !define BANNER "ui\\build\\banner.bmp"
 !define LICENSE_DATA "..\\LICENSE"

@@ -260,15 +260,23 @@ WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "Publisher" "${COMP_NAME}"

 WriteRegStr ${REG_ROOT} "${UI_REG_APP_PATH}" "" "$INSTDIR\${UI_APP_EXE}"

-; Create autostart registry entry based on checkbox
+; Drop Run, App Paths and Uninstall entries left in the 32-bit registry view
+; or HKCU by legacy installers.
+DetailPrint "Cleaning legacy 32-bit / HKCU entries..."
+DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+SetRegView 32
+DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+DeleteRegKey HKLM "${REG_APP_PATH}"
+DeleteRegKey HKLM "${UI_REG_APP_PATH}"
+DeleteRegKey HKLM "${UNINSTALL_PATH}"
+SetRegView 64
+
 DetailPrint "Autostart enabled: $AutostartEnabled"
 ${If} $AutostartEnabled == "1"
    WriteRegStr HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}" '"$INSTDIR\${UI_APP_EXE}.exe"'
    DetailPrint "Added autostart registry entry: $INSTDIR\${UI_APP_EXE}.exe"
 ${Else}
    DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-    ; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
-    DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
    DetailPrint "Autostart not enabled by user"
 ${EndIf}

@@ -280,6 +288,43 @@ CreateShortCut "$SMPROGRAMS\${APP_NAME}.lnk" "$INSTDIR\${UI_APP_EXE}"
 CreateShortCut "$DESKTOP\${APP_NAME}.lnk" "$INSTDIR\${UI_APP_EXE}"
 SectionEnd

+# Install the Microsoft Edge WebView2 runtime if it isn't already present.
+# Macro adapted from Wails3's NSIS template (wails_tools.nsh): a registry
+# probe followed by a silent install of the embedded evergreen bootstrapper.
+# The MicrosoftEdgeWebview2Setup.exe payload is staged next to this script
+# by the sign-pipelines build step (`wails3 generate webview2bootstrapper`).
+!macro nb.webview2runtime
+    SetRegView 64
+    # Per-machine install marker — populated when the runtime ships with
+    # Edge or has been installed by an admin previously.
+    ReadRegStr $0 HKLM "SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}" "pv"
+    ${If} $0 != ""
+        Goto webview2_ok
+    ${EndIf}
+    # Per-user fallback for HKCU installs.
+    ReadRegStr $0 HKCU "Software\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}" "pv"
+    ${If} $0 != ""
+        Goto webview2_ok
+    ${EndIf}
+
+    SetDetailsPrint both
+    DetailPrint "Installing: WebView2 Runtime"
+    SetDetailsPrint listonly
+
+    InitPluginsDir
+    CreateDirectory "$pluginsdir\webview2bootstrapper"
+    SetOutPath "$pluginsdir\webview2bootstrapper"
+    File "MicrosoftEdgeWebview2Setup.exe"
+    ExecWait '"$pluginsdir\webview2bootstrapper\MicrosoftEdgeWebview2Setup.exe" /silent /install'
+
+    SetDetailsPrint both
+    webview2_ok:
+!macroend
+
+Section -WebView2
+    !insertmacro nb.webview2runtime
+SectionEnd
+
 Section -Post
 ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service install'
 ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service start'
@@ -299,11 +344,16 @@ ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
 DetailPrint "Terminating Netbird UI process..."
 ExecWait `taskkill /im ${UI_APP_EXE}.exe /f`

-; Remove autostart registry entry
+; Remove autostart entries from every view a previous installer may have used.
 DetailPrint "Removing autostart registry entry if exists..."
 DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
 DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+SetRegView 32
+DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+DeleteRegKey HKLM "${REG_APP_PATH}"
+DeleteRegKey HKLM "${UI_REG_APP_PATH}"
+DeleteRegKey HKLM "${UNINSTALL_PATH}"
+SetRegView 64

 ; Handle data deletion based on checkbox
 DetailPrint "Checking if user requested data deletion..."
@@ -326,9 +376,9 @@ DetailPrint "Deleting application files..."
 Delete "$INSTDIR\${UI_APP_EXE}"
 Delete "$INSTDIR\${MAIN_APP_EXE}"
 Delete "$INSTDIR\wintun.dll"
-!if ${ARCH} == "amd64"
+# Legacy: pre-Wails installs shipped opengl32.dll (Mesa3D for Fyne); remove
+# any leftover copy on uninstall so old upgrades don't leave it behind.
 Delete "$INSTDIR\opengl32.dll"
-!endif
 DetailPrint "Removing application directory..."
 RmDir /r "$INSTDIR"

--- a/client/internal/auth/auth.go
+++ b/client/internal/auth/auth.go
@@ -3,6 +3,7 @@ package auth
 import (
 	"context"
 	"net/url"
+	"strings"
 	"sync"
 	"time"

@@ -21,6 +22,25 @@ import (
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )

+// peerLoginExpiredMsg is the exact phrase the management server returns
+// when a previously SSO-enrolled peer's login has expired. Sourced from
+// shared/management/status/error.go (NewPeerLoginExpiredError). Matched
+// by substring so a future server-side rewording that keeps the phrase
+// still triggers the friendly fallback in Login().
+const peerLoginExpiredMsg = "peer login has expired"
+
+// errSetupKeyOnSSOExpiredPeer replaces the raw management error when the
+// user runs `netbird login -k <setup-key>` against a peer that was
+// originally enrolled via SSO. Wrapped in a PermissionDenied gRPC status
+// so callers' existing isPermissionDenied / isAuthError checks still
+// classify it correctly (early-exit from retry backoff, StatusNeedsLogin
+// in the server state machine).
+var errSetupKeyOnSSOExpiredPeer = status.Error(
+	codes.PermissionDenied,
+	"this peer was originally enrolled via SSO and its session has expired. "+
+		"Setup keys can only enrol new peers — run `netbird up` (interactive SSO) to re-login.",
+)
+
 // Auth manages authentication operations with the management server
 // It maintains a long-lived connection and automatically handles reconnection with backoff
 type Auth struct {
@@ -184,6 +204,15 @@ func (a *Auth) Login(ctx context.Context, setupKey string, jwtToken string) (err
 			log.Debugf("peer registration required")
 			_, err = a.registerPeer(client, ctx, setupKey, jwtToken, pubSSHKey)
 			if err != nil {
+				// The peer pub-key is already on file with the management
+				// server (originally enrolled via SSO) and the session has
+				// expired. The setup-key path can only enrol new peers, so
+				// retrying with -k will keep failing. Replace the raw mgm
+				// message with an actionable hint that tells the user to
+				// re-authenticate via SSO instead.
+				if setupKey != "" && jwtToken == "" && isPeerLoginExpired(err) {
+					err = errSetupKeyOnSSOExpiredPeer
+				}
 				isAuthError = isPermissionDenied(err)
 				return err
 			}
@@ -474,3 +503,16 @@ func isLoginNeeded(err error) bool {
 func isRegistrationNeeded(err error) bool {
 	return isPermissionDenied(err)
 }
+
+// isPeerLoginExpired reports whether err is the management server's
+// "peer login has expired" PermissionDenied response. Used by Login to
+// detect the case where the caller passed a setup-key but the peer is
+// actually an SSO-enrolled record whose session needs refreshing — the
+// setup-key path cannot help there.
+func isPeerLoginExpired(err error) bool {
+	if !isPermissionDenied(err) {
+		return false
+	}
+	s, _ := status.FromError(err)
+	return strings.Contains(s.Message(), peerLoginExpiredMsg)
+}
--- a/client/internal/auth/auth_test.go
+++ b/client/internal/auth/auth_test.go
@@ -0,0 +1,80 @@
+package auth
+
+import (
+	"errors"
+	"strings"
+	"testing"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+func TestIsPeerLoginExpired(t *testing.T) {
+	cases := []struct {
+		name string
+		err  error
+		want bool
+	}{
+		{
+			name: "nil",
+			err:  nil,
+			want: false,
+		},
+		{
+			name: "plain error (not a gRPC status)",
+			err:  errors.New("network read: connection reset"),
+			want: false,
+		},
+		{
+			name: "PermissionDenied with different message",
+			err:  status.Error(codes.PermissionDenied, "user is blocked"),
+			want: false,
+		},
+		{
+			name: "Unauthenticated with the expected phrase",
+			// Wrong status code — must still return false.
+			err:  status.Error(codes.Unauthenticated, "peer login has expired, please log in once more"),
+			want: false,
+		},
+		{
+			name: "exact server message",
+			err:  status.Error(codes.PermissionDenied, "peer login has expired, please log in once more"),
+			want: true,
+		},
+		{
+			name: "phrase as substring",
+			// Future-proofing: if mgm reworords but keeps the phrase,
+			// the friendly fallback must still kick in.
+			err:  status.Error(codes.PermissionDenied, "session refused: peer login has expired (account=foo)"),
+			want: true,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := isPeerLoginExpired(tc.err); got != tc.want {
+				t.Fatalf("isPeerLoginExpired(%v) = %v, want %v", tc.err, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestErrSetupKeyOnSSOExpiredPeer(t *testing.T) {
+	// Sentinel must surface as PermissionDenied so the upstream
+	// isPermissionDenied / isAuthError checks classify it correctly
+	// (short-circuit retry backoff, set StatusNeedsLogin).
+	if !isPermissionDenied(errSetupKeyOnSSOExpiredPeer) {
+		t.Fatalf("errSetupKeyOnSSOExpiredPeer must be a PermissionDenied gRPC error")
+	}
+
+	// Message must actually mention SSO and `netbird up` so it is
+	// actionable for the end user. Loose substring checks keep the
+	// test resilient to copy edits.
+	s, _ := status.FromError(errSetupKeyOnSSOExpiredPeer)
+	msg := strings.ToLower(s.Message())
+	for _, want := range []string{"sso", "netbird up"} {
+		if !strings.Contains(msg, want) {
+			t.Errorf("sentinel message should contain %q, got %q", want, s.Message())
+		}
+	}
+}
--- a/client/internal/auth/pending_flow.go
+++ b/client/internal/auth/pending_flow.go
@@ -0,0 +1,89 @@
+package auth
+
+import (
+	"context"
+	"sync"
+	"time"
+)
+
+// PendingFlow stores an in-progress OAuth flow between the RPC that
+// initiates it (returns the verification URI to the UI) and the RPC
+// that waits for the user to complete it. The flow handle, the
+// device-code info, and the absolute expiry are kept together so the
+// waiting RPC can validate the device code and reuse the same flow.
+//
+// PendingFlow is safe for concurrent use; callers must not access the
+// stored fields directly.
+type PendingFlow struct {
+	mu         sync.Mutex
+	flow       OAuthFlow
+	info       AuthFlowInfo
+	expiresAt  time.Time
+	waitCancel context.CancelFunc
+}
+
+// NewPendingFlow returns an empty PendingFlow ready to be populated by Set.
+func NewPendingFlow() *PendingFlow {
+	return &PendingFlow{}
+}
+
+// Set stores the flow and its authorization info, computing the absolute
+// expiry from info.ExpiresIn (seconds, as returned by the IdP).
+func (p *PendingFlow) Set(flow OAuthFlow, info AuthFlowInfo) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	p.flow = flow
+	p.info = info
+	p.expiresAt = time.Now().Add(time.Duration(info.ExpiresIn) * time.Second)
+}
+
+// Get returns the stored flow, info, and whether a flow is currently
+// pending. Returns (nil, zero, false) after Clear or before Set.
+func (p *PendingFlow) Get() (OAuthFlow, AuthFlowInfo, bool) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	if p.flow == nil {
+		return nil, AuthFlowInfo{}, false
+	}
+	return p.flow, p.info, true
+}
+
+// ExpiresAt returns the absolute expiry of the pending flow. Returns
+// the zero time when no flow is pending.
+func (p *PendingFlow) ExpiresAt() time.Time {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	return p.expiresAt
+}
+
+// SetWaitCancel records the cancel function for the goroutine currently
+// blocked in WaitToken so a new RequestAuth can preempt it.
+func (p *PendingFlow) SetWaitCancel(cancel context.CancelFunc) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	p.waitCancel = cancel
+}
+
+// CancelWait invokes and clears the stored wait-cancel, if any. Safe to
+// call when no wait is in progress.
+func (p *PendingFlow) CancelWait() {
+	p.mu.Lock()
+	cancel := p.waitCancel
+	p.waitCancel = nil
+	p.mu.Unlock()
+	if cancel != nil {
+		cancel()
+	}
+}
+
+// Clear resets the pending flow to empty. Any stored wait-cancel is
+// dropped without being invoked — call CancelWait first if the waiting
+// goroutine must be stopped.
+func (p *PendingFlow) Clear() {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	p.flow = nil
+	p.info = AuthFlowInfo{}
+	p.expiresAt = time.Time{}
+	p.waitCancel = nil
+}
--- a/client/internal/auth/sessionwatch/event.go
+++ b/client/internal/auth/sessionwatch/event.go
@@ -0,0 +1,74 @@
+package sessionwatch
+
+import (
+	"strconv"
+	"time"
+)
+
+// internal event kinds are no longer exposed: the watcher drives the Sink
+// directly (NotifyStateChange on deadline change/clear, PublishEvent at
+// each warning lead). Tests use a mock Sink to observe what the watcher
+// emits.
+
+// Metadata keys attached by the daemon to session-warning SystemEvents.
+// The UI tray reads these to build a locale-aware notification without
+// relying on the daemon's locale-less UserMessage string, and to
+// disambiguate the T-WarningLead notification from the T-FinalWarningLead
+// fallback that auto-opens the SessionAboutToExpire dialog.
+const (
+	// MetaSessionWarning is set to "true" on both warning events (T-10 and
+	// T-2) so the UI can detect a session-warning SystemEvent without
+	// matching on the message text. Use MetaSessionFinal to distinguish
+	// the two.
+	MetaSessionWarning = "session_warning"
+	// MetaSessionFinal is set to "true" on the T-FinalWarningLead event
+	// only. Consumers that need to auto-open the SessionAboutToExpire
+	// dialog gate on this; T-WarningLead events leave the field unset.
+	MetaSessionFinal = "session_final_warning"
+	// MetaSessionExpiresAt carries the absolute UTC deadline encoded with
+	// FormatExpiresAt; consumers must decode with ParseExpiresAt so a
+	// future format change stays a single edit.
+	MetaSessionExpiresAt = "session_expires_at"
+	// MetaSessionLeadMinutes carries the lead in whole minutes (WarningLead
+	// for the T-10 event, FinalWarningLead for the T-2 event) so the UI
+	// can show "expires in ~N minutes" without hardcoding either constant.
+	MetaSessionLeadMinutes = "lead_minutes"
+)
+
+// expiresAtLayout is the wire format used for MetaSessionExpiresAt.
+// Producer and consumers both go through FormatExpiresAt/ParseExpiresAt
+// so this layout stays a single source of truth.
+const expiresAtLayout = time.RFC3339
+
+// FormatExpiresAt encodes a deadline for MetaSessionExpiresAt. Always
+// emits UTC so a consumer in another timezone reads the same wall-clock
+// deadline.
+func FormatExpiresAt(t time.Time) string {
+	return t.UTC().Format(expiresAtLayout)
+}
+
+// ParseExpiresAt decodes the MetaSessionExpiresAt value back to a UTC
+// time. Returns an error when the field is empty or malformed; the
+// caller decides whether to fall back (zero value) or propagate.
+func ParseExpiresAt(s string) (time.Time, error) {
+	t, err := time.Parse(expiresAtLayout, s)
+	if err != nil {
+		return time.Time{}, err
+	}
+	return t.UTC(), nil
+}
+
+// FormatLeadMinutes encodes a lead duration for MetaSessionLeadMinutes
+// as the integer count of whole minutes. Sub-minute residuals are
+// truncated — the field is informational ("expires in ~N minutes") and
+// fractional minutes don't change what the UI displays.
+func FormatLeadMinutes(d time.Duration) string {
+	return strconv.Itoa(int(d / time.Minute))
+}
+
+// ParseLeadMinutes decodes a MetaSessionLeadMinutes value. Returns 0
+// and the parse error for malformed input; consumers that prefer a
+// silent fallback can simply ignore the error.
+func ParseLeadMinutes(s string) (int, error) {
+	return strconv.Atoi(s)
+}
--- a/client/internal/auth/sessionwatch/watcher.go
+++ b/client/internal/auth/sessionwatch/watcher.go
@@ -0,0 +1,362 @@
+// Package sessionwatch tracks the SSO session expiry deadline that the
+// management server publishes via LoginResponse / SyncResponse and fires
+// two warning events at fixed lead times before expiry: an interactive
+// T-WarningLead notification and a dismiss-gated T-FinalWarningLead
+// fallback dialog.
+//
+// The watcher is idempotent: Update may be called as often as the network
+// map snapshots arrive. Repeating the same deadline is a no-op; a new
+// deadline reschedules the timers and arms a fresh warning cycle.
+//
+// Warning firing is edge-detected. Each unique deadline value fires each
+// warning callback at most once.
+package sessionwatch
+
+import (
+	"errors"
+	"fmt"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	cProto "github.com/netbirdio/netbird/client/proto"
+)
+
+const (
+	// Skew tolerates a small clock difference between the management
+	// server and this peer before treating a deadline as "in the past".
+	// Slightly above typical NTP drift; tight enough that the UI doesn't
+	// paint a stale expiry as if it were valid.
+	Skew = 30 * time.Second
+
+	// maxDeadlineHorizon caps how far in the future an accepted deadline
+	// can sit. A timestamp beyond this is almost certainly a protocol
+	// glitch, and silently arming a 100-year timer would hide the bug.
+	maxDeadlineHorizon = 10 * 365 * 24 * time.Hour
+
+	// WarningLead is how far before expiry the first (interactive)
+	// warning fires. Drives the T-10 OS notification with
+	// Extend/Dismiss actions.
+	WarningLead = 10 * time.Minute
+
+	// FinalWarningLead is how far before expiry the fallback final
+	// warning fires. Drives the auto-opened SessionAboutToExpire dialog,
+	// but only when the user has not dismissed the T-WarningLead warning
+	// for the same deadline. Must be strictly less than WarningLead.
+	FinalWarningLead = 2 * time.Minute
+)
+
+var (
+	// ErrDeadlineBeforeEpoch is returned by Update when the supplied
+	// deadline pre-dates 1970-01-01.
+	ErrDeadlineBeforeEpoch = errors.New("session deadline before unix epoch")
+
+	// ErrDeadlineTooFarFuture is returned by Update when the supplied
+	// deadline is more than maxDeadlineHorizon in the future.
+	ErrDeadlineTooFarFuture = errors.New("session deadline too far in the future")
+
+	// ErrDeadlineInPast is returned by Update when the supplied deadline
+	// is more than Skew in the past.
+	ErrDeadlineInPast = errors.New("session deadline in the past")
+)
+
+// StatusRecorder is the side-effect surface the watcher drives on every
+// state transition. Production wires this to peer.Status (NotifyStateChange
+// for deadline change/clear, PublishEvent for the two warnings); tests pass
+// a fake recorder so the same surface is observable without an engine.
+//
+// PublishEvent's signature mirrors peer.Status.PublishEvent: the watcher
+// composes the metadata internally so the wire format (MetaSession*) is
+// owned by sessionwatch, not the caller.
+type StatusRecorder interface {
+	NotifyStateChange()
+	PublishEvent(
+		severity cProto.SystemEvent_Severity,
+		category cProto.SystemEvent_Category,
+		message string,
+		userMessage string,
+		metadata map[string]string,
+	)
+}
+
+// Watcher observes the latest session deadline and fires two warnings
+// before it expires: the interactive T-WarningLead notification, and the
+// fallback T-FinalWarningLead dialog (suppressed when the user dismissed
+// the first one for the same deadline). Safe for concurrent use.
+type Watcher struct {
+	lead      time.Duration
+	finalLead time.Duration
+
+	mu           sync.Mutex
+	current      time.Time
+	timer        *time.Timer
+	finalTimer   *time.Timer
+	firedAt      time.Time // deadline value the T-WarningLead callback last fired against
+	finalFiredAt time.Time // deadline value the T-FinalWarningLead callback last fired against
+	dismissedAt  time.Time // deadline value the user dismissed via Dismiss(); gates fireFinal
+	closed       bool
+	recorder     StatusRecorder
+}
+
+// New returns a watcher with the package defaults WarningLead and
+// FinalWarningLead. Pass nil for recorder to silence side effects (handy
+// in unit tests that exercise sanity checks without observing the publish
+// path).
+func New(recorder StatusRecorder) *Watcher {
+	return NewWithLeads(WarningLead, FinalWarningLead, recorder)
+}
+
+// NewWithLeads returns a watcher with custom lead times. Useful for tests.
+// final must be strictly less than lead; otherwise both timers fire in the
+// wrong order or simultaneously and the UI flow breaks. A zero final lead
+// disables the final-warning timer entirely (see armTimerLocked) so a
+// millisecond-scale deadline doesn't flush both timers in one tick.
+func NewWithLeads(lead, final time.Duration, recorder StatusRecorder) *Watcher {
+	return &Watcher{
+		lead:      lead,
+		finalLead: final,
+		recorder:  recorder,
+	}
+}
+
+// Update sets the latest deadline. Pass the zero time to clear (e.g. when
+// a Sync push from the server omits the field because login expiration
+// was disabled).
+//
+// Same-value updates are no-ops. A different non-zero value cancels any
+// pending timer, resets the "already fired" guard, and arms a new one.
+//
+// Returns one of the sentinel Err* values when the deadline fails the
+// sanity checks (pre-epoch, far future, or in the past beyond Skew).
+// In every error case the watcher first clears its state so it stays
+// consistent with what the caller will push into its other sinks (e.g.
+// applySessionDeadline forces a zero deadline into the status recorder
+// after a non-nil error).
+func (w *Watcher) Update(deadline time.Time) error {
+	w.mu.Lock()
+	if w.closed {
+		w.mu.Unlock()
+		return nil
+	}
+
+	if deadline.IsZero() {
+		w.clearLocked()
+		return nil
+	}
+
+	now := time.Now()
+	switch {
+	case deadline.Before(time.Unix(0, 0)):
+		w.clearLocked()
+		return fmt.Errorf("%w: %v", ErrDeadlineBeforeEpoch, deadline)
+	case deadline.After(now.Add(maxDeadlineHorizon)):
+		w.clearLocked()
+		return fmt.Errorf("%w: %v", ErrDeadlineTooFarFuture, deadline)
+	case deadline.Before(now.Add(-Skew)):
+		w.clearLocked()
+		return fmt.Errorf("%w: %v (now=%v)", ErrDeadlineInPast, deadline, now)
+	}
+
+	if deadline.Equal(w.current) {
+		w.mu.Unlock()
+		return nil
+	}
+
+	w.stopTimerLocked()
+	w.current = deadline
+	// Reset every per-deadline guard so a refreshed deadline arms a fresh
+	// warning cycle: both edge triggers and the user Dismiss decision
+	// (the user agreed to the old deadline expiring; a new deadline
+	// restarts the contract).
+	w.firedAt = time.Time{}
+	w.finalFiredAt = time.Time{}
+	w.dismissedAt = time.Time{}
+
+	w.armTimerLocked(deadline)
+	recorder := w.recorder
+	w.mu.Unlock()
+	if recorder != nil {
+		recorder.NotifyStateChange()
+	}
+	log.Infof("auth session deadline set to: %s (in %s)", deadline.Format(time.RFC3339), time.Until(deadline).Round(time.Second))
+	return nil
+}
+
+// Deadline returns the most recently observed deadline. Zero when no
+// deadline is currently tracked.
+func (w *Watcher) Deadline() time.Time {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+	return w.current
+}
+
+// Dismiss records the user's "Dismiss" action against the current deadline
+// and suppresses the upcoming final-warning callback for that deadline.
+// Idempotent: repeated calls are no-ops. A subsequent Update with a fresh
+// deadline resets the dismissal so the final-warning cycle re-arms.
+//
+// No-op when the watcher holds no deadline or has been closed.
+func (w *Watcher) Dismiss() {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+	if w.closed || w.current.IsZero() {
+		return
+	}
+	if w.dismissedAt.Equal(w.current) {
+		return
+	}
+	w.dismissedAt = w.current
+	// Cancel the armed final-warning timer eagerly. fireFinal would also
+	// gate on dismissedAt, but stopping the timer avoids a wakeup with
+	// nothing to do and makes the intent visible.
+	if w.finalTimer != nil {
+		w.finalTimer.Stop()
+		w.finalTimer = nil
+	}
+	log.Infof("auth session final-warning dismissed for deadline %s", w.current.Format(time.RFC3339))
+}
+
+// Close stops any pending timer. Update calls after Close are ignored.
+func (w *Watcher) Close() {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+	if w.closed {
+		return
+	}
+	w.closed = true
+	w.stopTimerLocked()
+}
+
+// clearLocked drops the tracked deadline and notifies the recorder so
+// downstream consumers (SubscribeStatus stream, UI) drop their anchor.
+// The caller must hold w.mu; this helper releases it before invoking
+// the recorder.
+func (w *Watcher) clearLocked() {
+	if w.current.IsZero() {
+		w.mu.Unlock()
+		return
+	}
+	w.stopTimerLocked()
+	w.current = time.Time{}
+	w.firedAt = time.Time{}
+	w.finalFiredAt = time.Time{}
+	w.dismissedAt = time.Time{}
+	recorder := w.recorder
+	w.mu.Unlock()
+	if recorder != nil {
+		recorder.NotifyStateChange()
+	}
+	log.Infof("auth session deadline cleared")
+}
+
+func (w *Watcher) stopTimerLocked() {
+	if w.timer != nil {
+		w.timer.Stop()
+		w.timer = nil
+	}
+	if w.finalTimer != nil {
+		w.finalTimer.Stop()
+		w.finalTimer = nil
+	}
+}
+
+func (w *Watcher) armTimerLocked(deadline time.Time) {
+	w.timer = armOneShotLocked(deadline.Add(-w.lead), func() { w.fire(deadline) })
+	// finalLead <= 0 disables the final-warning timer entirely. Used by
+	// tests that predate the final-warning fallback so a millisecond-scale
+	// deadline does not flush both timers at once.
+	if w.finalLead > 0 {
+		w.finalTimer = armOneShotLocked(deadline.Add(-w.finalLead), func() { w.fireFinal(deadline) })
+	}
+}
+
+func (w *Watcher) fire(armedFor time.Time) {
+	w.mu.Lock()
+	if w.closed || !w.current.Equal(armedFor) {
+		// Deadline moved while we were waiting (e.g. a successful extend).
+		// The reschedule path armed a fresh timer; this one is stale.
+		w.mu.Unlock()
+		return
+	}
+	if !w.firedAt.IsZero() && w.firedAt.Equal(armedFor) {
+		w.mu.Unlock()
+		return
+	}
+	w.firedAt = armedFor
+	recorder := w.recorder
+	w.mu.Unlock()
+	if recorder == nil {
+		return
+	}
+	log.Infof("auth session expiry soon warning fired")
+	publishWarning(recorder, armedFor, false)
+}
+
+// fireFinal mirrors fire for the T-FinalWarningLead timer with an extra
+// dismiss-gate: if the user dismissed the T-WarningLead notification for
+// this deadline, the final warning is suppressed entirely.
+func (w *Watcher) fireFinal(armedFor time.Time) {
+	w.mu.Lock()
+	if w.closed || !w.current.Equal(armedFor) {
+		w.mu.Unlock()
+		return
+	}
+	if !w.finalFiredAt.IsZero() && w.finalFiredAt.Equal(armedFor) {
+		w.mu.Unlock()
+		return
+	}
+	if w.dismissedAt.Equal(armedFor) {
+		w.mu.Unlock()
+		log.Infof("auth session final-warning skipped (dismissed by user)")
+		return
+	}
+	w.finalFiredAt = armedFor
+	recorder := w.recorder
+	w.mu.Unlock()
+	if recorder == nil {
+		return
+	}
+	log.Infof("auth session final-warning fired")
+	publishWarning(recorder, armedFor, true)
+}
+
+// armOneShotLocked schedules cb at fireAt. When fireAt is already in the
+// past it dispatches on the next scheduler tick so a state-change recorder
+// notification (invoked after w.mu is released) lands first. Caller must
+// hold w.mu.
+func armOneShotLocked(fireAt time.Time, cb func()) *time.Timer {
+	delay := time.Until(fireAt)
+	if delay <= 0 {
+		return time.AfterFunc(0, cb)
+	}
+	return time.AfterFunc(delay, cb)
+}
+
+// publishWarning composes the SystemEvent for a watcher-fired warning and
+// pushes it through the recorder. Severity is CRITICAL on both — bypassing
+// the user's Notifications toggle is deliberate: missing the warning
+// window forces the post-mortem SessionExpired flow (tunnel torn down,
+// lock icon, manual re-login), which is the UX we are trying to avoid.
+func publishWarning(recorder StatusRecorder, deadline time.Time, final bool) {
+	lead := WarningLead
+	message := "session expiry warning"
+	meta := map[string]string{
+		MetaSessionWarning:   "true",
+		MetaSessionExpiresAt: FormatExpiresAt(deadline),
+	}
+	if final {
+		lead = FinalWarningLead
+		message = "session expiry final warning"
+		meta[MetaSessionFinal] = "true"
+	}
+	meta[MetaSessionLeadMinutes] = FormatLeadMinutes(lead)
+
+	recorder.PublishEvent(
+		cProto.SystemEvent_CRITICAL,
+		cProto.SystemEvent_AUTHENTICATION,
+		message,
+		"",
+		meta,
+	)
+}
--- a/client/internal/auth/sessionwatch/watcher_test.go
+++ b/client/internal/auth/sessionwatch/watcher_test.go
@@ -0,0 +1,463 @@
+package sessionwatch
+
+import (
+	"errors"
+	"sync"
+	"testing"
+	"time"
+
+	cProto "github.com/netbirdio/netbird/client/proto"
+)
+
+// fakeRecorder satisfies StatusRecorder and records every call so tests
+// can observe what the watcher emits. NotifyStateChange and PublishEvent
+// land in the same ordered events slice (with the Kind distinguishing
+// them) so tests that care about ordering still work.
+type fakeRecorder struct {
+	mu     sync.Mutex
+	events []event
+}
+
+type eventKind int
+
+const (
+	stateChange eventKind = iota
+	publish
+)
+
+type event struct {
+	kind eventKind
+	// Set only for publish events.
+	severity cProto.SystemEvent_Severity
+	category cProto.SystemEvent_Category
+	message  string
+	meta     map[string]string
+}
+
+func (r *fakeRecorder) NotifyStateChange() {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	r.events = append(r.events, event{kind: stateChange})
+}
+
+func (r *fakeRecorder) PublishEvent(
+	severity cProto.SystemEvent_Severity,
+	category cProto.SystemEvent_Category,
+	message string,
+	_ string,
+	metadata map[string]string,
+) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	r.events = append(r.events, event{
+		kind:     publish,
+		severity: severity,
+		category: category,
+		message:  message,
+		meta:     metadata,
+	})
+}
+
+func (r *fakeRecorder) snapshot() []event {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	out := make([]event, len(r.events))
+	copy(out, r.events)
+	return out
+}
+
+func (e event) isFinalWarning() bool {
+	return e.kind == publish && e.meta[MetaSessionFinal] == "true"
+}
+
+func (e event) isWarning() bool {
+	return e.kind == publish && e.meta[MetaSessionWarning] == "true" && e.meta[MetaSessionFinal] != "true"
+}
+
+func countWhere(events []event, pred func(event) bool) int {
+	n := 0
+	for _, e := range events {
+		if pred(e) {
+			n++
+		}
+	}
+	return n
+}
+
+func waitForEvents(t *testing.T, r *fakeRecorder, want int) []event {
+	t.Helper()
+	deadline := time.Now().Add(500 * time.Millisecond)
+	for time.Now().Before(deadline) {
+		if got := r.snapshot(); len(got) >= want {
+			return got
+		}
+		time.Sleep(5 * time.Millisecond)
+	}
+	got := r.snapshot()
+	t.Fatalf("timed out waiting for %d events, got %d: %+v", want, len(got), got)
+	return nil
+}
+
+// newWatcher builds a watcher with the final timer disabled (finalLead=0),
+// matching the lead-only behaviour the pre-final-warning tests assume.
+func newWatcher(lead time.Duration, r *fakeRecorder) *Watcher {
+	return NewWithLeads(lead, 0, r)
+}
+
+func TestUpdateZeroBeforeAnythingIsNoop(t *testing.T) {
+	r := &fakeRecorder{}
+	w := newWatcher(50*time.Millisecond, r)
+	defer w.Close()
+
+	_ = w.Update(time.Time{})
+
+	if got := r.snapshot(); len(got) != 0 {
+		t.Fatalf("expected no events on initial zero, got %+v", got)
+	}
+}
+
+func TestUpdateNonZeroFiresStateChange(t *testing.T) {
+	r := &fakeRecorder{}
+	w := newWatcher(50*time.Millisecond, r)
+	defer w.Close()
+
+	d := time.Now().Add(time.Hour)
+	_ = w.Update(d)
+
+	events := waitForEvents(t, r, 1)
+	if events[0].kind != stateChange {
+		t.Fatalf("expected stateChange, got %+v", events[0])
+	}
+	if !w.Deadline().Equal(d) {
+		t.Fatalf("deadline mismatch: %v vs %v", w.Deadline(), d)
+	}
+}
+
+func TestSameDeadlineIsNoop(t *testing.T) {
+	r := &fakeRecorder{}
+	w := newWatcher(50*time.Millisecond, r)
+	defer w.Close()
+
+	d := time.Now().Add(time.Hour)
+	_ = w.Update(d)
+	_ = w.Update(d)
+	_ = w.Update(d)
+
+	events := waitForEvents(t, r, 1)
+	if len(events) != 1 {
+		t.Fatalf("expected exactly 1 event for repeated same deadline, got %d: %+v", len(events), events)
+	}
+}
+
+func TestWarningFiresOnceWithinLeadWindow(t *testing.T) {
+	r := &fakeRecorder{}
+	lead := 50 * time.Millisecond
+	w := newWatcher(lead, r)
+	defer w.Close()
+
+	// Deadline 80ms out — warning should fire after ~30ms.
+	d := time.Now().Add(80 * time.Millisecond)
+	_ = w.Update(d)
+
+	events := waitForEvents(t, r, 2)
+	if events[0].kind != stateChange {
+		t.Fatalf("event[0] should be stateChange, got %+v", events[0])
+	}
+	if !events[1].isWarning() {
+		t.Fatalf("event[1] should be a warning publish, got %+v", events[1])
+	}
+}
+
+func TestWarningFiresImmediatelyWhenAlreadyInsideWindow(t *testing.T) {
+	r := &fakeRecorder{}
+	w := newWatcher(time.Hour, r) // lead > delta => fire immediately
+	defer w.Close()
+
+	d := time.Now().Add(10 * time.Millisecond)
+	_ = w.Update(d)
+
+	events := waitForEvents(t, r, 2)
+	if !events[1].isWarning() {
+		t.Fatalf("expected immediate warning publish, got %+v", events[1])
+	}
+}
+
+func TestNewDeadlineCancelsPriorTimer(t *testing.T) {
+	r := &fakeRecorder{}
+	lead := 50 * time.Millisecond
+	w := newWatcher(lead, r)
+	defer w.Close()
+
+	first := time.Now().Add(80 * time.Millisecond) // would fire warning ~30ms in
+	_ = w.Update(first)
+
+	// Replace with a far-future deadline before the warning fires.
+	time.Sleep(5 * time.Millisecond)
+	second := time.Now().Add(time.Hour)
+	_ = w.Update(second)
+
+	// Wait past when first's warning would have fired.
+	time.Sleep(80 * time.Millisecond)
+
+	if n := countWhere(r.snapshot(), event.isWarning); n != 0 {
+		t.Fatalf("warning fired for cancelled deadline: %+v", r.snapshot())
+	}
+}
+
+func TestRefreshAfterFireArmsNewWarning(t *testing.T) {
+	r := &fakeRecorder{}
+	lead := 30 * time.Millisecond
+	w := newWatcher(lead, r)
+	defer w.Close()
+
+	first := time.Now().Add(50 * time.Millisecond)
+	_ = w.Update(first)
+
+	// Wait for stateChange + warning of the first cycle.
+	waitForEvents(t, r, 2)
+
+	// Simulate a successful extend: brand new deadline.
+	second := time.Now().Add(60 * time.Millisecond)
+	_ = w.Update(second)
+
+	// 4 events total: stateChange, warning (first), stateChange, warning (second).
+	events := waitForEvents(t, r, 4)
+	if events[2].kind != stateChange {
+		t.Fatalf("event[2] should be stateChange for the new deadline, got %+v", events[2])
+	}
+	if !events[3].isWarning() {
+		t.Fatalf("event[3] should be a warning publish for the new deadline, got %+v", events[3])
+	}
+}
+
+func TestUpdateZeroAfterNonZeroClearsState(t *testing.T) {
+	r := &fakeRecorder{}
+	w := newWatcher(time.Hour, r)
+	defer w.Close()
+
+	d := time.Now().Add(2 * time.Hour)
+	_ = w.Update(d)
+	waitForEvents(t, r, 1)
+
+	_ = w.Update(time.Time{})
+
+	events := waitForEvents(t, r, 2)
+	if events[1].kind != stateChange {
+		t.Fatalf("expected stateChange on clear, got %+v", events[1])
+	}
+	if !w.Deadline().IsZero() {
+		t.Fatalf("Deadline should be zero after clear")
+	}
+}
+
+func TestUpdateRejectsBeforeEpoch(t *testing.T) {
+	r := &fakeRecorder{}
+	w := newWatcher(50*time.Millisecond, r)
+	defer w.Close()
+
+	good := time.Now().Add(time.Hour)
+	if err := w.Update(good); err != nil {
+		t.Fatalf("seed Update: %v", err)
+	}
+
+	err := w.Update(time.Unix(-100, 0))
+	if !errors.Is(err, ErrDeadlineBeforeEpoch) {
+		t.Fatalf("want ErrDeadlineBeforeEpoch, got %v", err)
+	}
+	if !w.Deadline().IsZero() {
+		t.Fatalf("rejected pre-epoch update must clear deadline; got %v", w.Deadline())
+	}
+}
+
+func TestUpdateRejectsTooFarFuture(t *testing.T) {
+	r := &fakeRecorder{}
+	w := newWatcher(50*time.Millisecond, r)
+	defer w.Close()
+
+	good := time.Now().Add(time.Hour)
+	if err := w.Update(good); err != nil {
+		t.Fatalf("seed Update: %v", err)
+	}
+
+	err := w.Update(time.Now().Add(50 * 365 * 24 * time.Hour))
+	if !errors.Is(err, ErrDeadlineTooFarFuture) {
+		t.Fatalf("want ErrDeadlineTooFarFuture, got %v", err)
+	}
+	if !w.Deadline().IsZero() {
+		t.Fatalf("rejected far-future update must clear deadline; got %v", w.Deadline())
+	}
+}
+
+func TestUpdateInPastClearsDeadline(t *testing.T) {
+	r := &fakeRecorder{}
+	w := newWatcher(50*time.Millisecond, r)
+	defer w.Close()
+
+	good := time.Now().Add(time.Hour)
+	if err := w.Update(good); err != nil {
+		t.Fatalf("seed Update: %v", err)
+	}
+	// Drain the stateChange from the seed.
+	waitForEvents(t, r, 1)
+
+	err := w.Update(time.Now().Add(-1 * time.Hour))
+	if !errors.Is(err, ErrDeadlineInPast) {
+		t.Fatalf("want ErrDeadlineInPast, got %v", err)
+	}
+	if !w.Deadline().IsZero() {
+		t.Fatalf("in-past update must clear the deadline, got %v", w.Deadline())
+	}
+	events := waitForEvents(t, r, 2)
+	if events[1].kind != stateChange {
+		t.Fatalf("expected stateChange on clear, got %+v", events[1])
+	}
+}
+
+func TestUpdateWithinSkewAccepted(t *testing.T) {
+	r := &fakeRecorder{}
+	w := newWatcher(50*time.Millisecond, r)
+	defer w.Close()
+
+	// 5 seconds in the past is within the 30s Skew tolerance — accept it.
+	d := time.Now().Add(-5 * time.Second)
+	if err := w.Update(d); err != nil {
+		t.Fatalf("within-skew Update should succeed, got %v", err)
+	}
+	if !w.Deadline().Equal(d) {
+		t.Fatalf("expected deadline to be applied, got %v want %v", w.Deadline(), d)
+	}
+}
+
+func TestCloseSilencesUpdates(t *testing.T) {
+	r := &fakeRecorder{}
+	w := newWatcher(50*time.Millisecond, r)
+	w.Close()
+
+	_ = w.Update(time.Now().Add(time.Hour))
+
+	time.Sleep(20 * time.Millisecond)
+	if got := r.snapshot(); len(got) != 0 {
+		t.Fatalf("expected no events after Close, got %+v", got)
+	}
+}
+
+func TestFinalWarningFiresAfterRegularWarning(t *testing.T) {
+	r := &fakeRecorder{}
+	// Warning fires at deadline-80ms, final at deadline-30ms.
+	w := NewWithLeads(80*time.Millisecond, 30*time.Millisecond, r)
+	defer w.Close()
+
+	d := time.Now().Add(100 * time.Millisecond)
+	_ = w.Update(d)
+
+	// Expect stateChange + warning + final-warning.
+	events := waitForEvents(t, r, 3)
+
+	if countWhere(events, func(e event) bool { return e.kind == stateChange }) != 1 {
+		t.Fatalf("expected exactly 1 stateChange, got %+v", events)
+	}
+	if countWhere(events, event.isWarning) != 1 {
+		t.Fatalf("expected exactly 1 warning publish, got %+v", events)
+	}
+	if countWhere(events, event.isFinalWarning) != 1 {
+		t.Fatalf("expected exactly 1 final-warning publish, got %+v", events)
+	}
+
+	// Warning must precede final (same deadline, longer lead fires first).
+	var wIdx, fIdx int
+	for i, e := range events {
+		switch {
+		case e.isWarning():
+			wIdx = i
+		case e.isFinalWarning():
+			fIdx = i
+		}
+	}
+	if wIdx > fIdx {
+		t.Fatalf("warning must publish before final-warning, got order %+v", events)
+	}
+}
+
+func TestDismissSuppressesFinalWarning(t *testing.T) {
+	r := &fakeRecorder{}
+	w := NewWithLeads(80*time.Millisecond, 30*time.Millisecond, r)
+	defer w.Close()
+
+	d := time.Now().Add(100 * time.Millisecond)
+	_ = w.Update(d)
+
+	// Wait for the warning publish so we know we're inside the warning
+	// window, then dismiss before the final timer would fire.
+	deadline := time.Now().Add(500 * time.Millisecond)
+	for time.Now().Before(deadline) {
+		if countWhere(r.snapshot(), event.isWarning) >= 1 {
+			break
+		}
+		time.Sleep(2 * time.Millisecond)
+	}
+	if countWhere(r.snapshot(), event.isWarning) < 1 {
+		t.Fatalf("warning did not publish in time, events=%+v", r.snapshot())
+	}
+
+	w.Dismiss()
+
+	// Now wait past when the final would have fired.
+	time.Sleep(120 * time.Millisecond)
+
+	if n := countWhere(r.snapshot(), event.isFinalWarning); n != 0 {
+		t.Fatalf("final-warning published after Dismiss(), events=%+v", r.snapshot())
+	}
+}
+
+func TestDismissResetByNewDeadline(t *testing.T) {
+	r := &fakeRecorder{}
+	w := NewWithLeads(80*time.Millisecond, 30*time.Millisecond, r)
+	defer w.Close()
+
+	first := time.Now().Add(100 * time.Millisecond)
+	_ = w.Update(first)
+
+	// Dismiss against the first deadline.
+	w.Dismiss()
+
+	// Replace with a fresh deadline before the first's timers complete.
+	time.Sleep(10 * time.Millisecond)
+	second := time.Now().Add(100 * time.Millisecond)
+	_ = w.Update(second)
+
+	// The second cycle must publish a final-warning (the dismiss state
+	// did not carry over).
+	deadline := time.Now().Add(500 * time.Millisecond)
+	for time.Now().Before(deadline) {
+		if countWhere(r.snapshot(), event.isFinalWarning) >= 1 {
+			break
+		}
+		time.Sleep(5 * time.Millisecond)
+	}
+	if countWhere(r.snapshot(), event.isFinalWarning) < 1 {
+		t.Fatalf("final-warning did not publish on fresh deadline after Dismiss reset, events=%+v", r.snapshot())
+	}
+}
+
+func TestDismissBeforeUpdateIsNoop(t *testing.T) {
+	r := &fakeRecorder{}
+	w := NewWithLeads(80*time.Millisecond, 30*time.Millisecond, r)
+	defer w.Close()
+
+	// No deadline tracked yet; Dismiss must be a no-op (no panic, no state).
+	w.Dismiss()
+
+	d := time.Now().Add(100 * time.Millisecond)
+	_ = w.Update(d)
+
+	// Final warning should still publish — Dismiss only acts on the current
+	// deadline, and there was none at the time of the call.
+	deadline := time.Now().Add(500 * time.Millisecond)
+	for time.Now().Before(deadline) {
+		if countWhere(r.snapshot(), event.isFinalWarning) >= 1 {
+			return
+		}
+		time.Sleep(5 * time.Millisecond)
+	}
+	t.Fatalf("final-warning did not publish after no-op pre-Update Dismiss, events=%+v", r.snapshot())
+}
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -256,6 +256,15 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		log.Debugf("connecting to the Management service %s", c.config.ManagementURL.Host)
 		mgmClient, err := mgm.NewClient(engineCtx, c.config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
 		if err != nil {
+			// On daemon shutdown / Down() the parent context is cancelled
+			// and the dial fails with "context canceled". Wrapping that
+			// into state would leave the snapshot stuck at Connecting+err
+			// until the backoff loop wakes up — instead let the operation
+			// return cleanly so the deferred state.Set(StatusIdle) takes
+			// effect on the next iteration.
+			if c.ctx.Err() != nil {
+				return nil
+			}
 			return wrapErr(gstatus.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err))
 		}
 		mgmNotifier := statusRecorderToMgmConnStateNotifier(c.statusRecorder)
@@ -384,6 +393,10 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			return wrapErr(err)
 		}

+		// Seed the session-expiry deadline from the LoginResponse. Subsequent
+		// changes flow in through SyncResponse and are applied in handleSync.
+		engine.ApplySessionDeadline(loginResp.GetSessionExpiresAt())
+
 		log.Infof("Netbird engine started, the IP is: %s", peerConfig.GetAddress())
 		state.Set(StatusConnected)

@@ -424,7 +437,11 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 	}

 	c.statusRecorder.ClientStart()
-	err = backoff.Retry(operation, backOff)
+	// Wrap the backoff with c.ctx so Down()/actCancel propagates into the
+	// inter-attempt sleep — otherwise a 15s MaxInterval can keep the retry
+	// loop alive long after the caller asked to give up, leaving the
+	// status stream stuck at Connecting.
+	err = backoff.Retry(operation, backoff.WithContext(backOff, c.ctx))
 	if err != nil {
 		log.Debugf("exiting client retry loop due to unrecoverable error: %s", err)
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -45,8 +45,11 @@ netbird.out: Most recent, anonymized stdout log file of the NetBird client.
 routes.txt: Detailed system routing table in tabular format including destination, gateway, interface, metrics, and protocol information, if --system-info flag was provided.
 interfaces.txt: Anonymized network interface information, if --system-info flag was provided.
 ip_rules.txt: Detailed IP routing rules in tabular format including priority, source, destination, interfaces, table, and action information (Linux only), if --system-info flag was provided.
-iptables.txt: Anonymized iptables rules with packet counters, if --system-info flag was provided.
-nftables.txt: Anonymized nftables rules with packet counters, if --system-info flag was provided.
+iptables.txt: Anonymized iptables (IPv4) rules with packet counters, if --system-info flag was provided.
+ip6tables.txt: Anonymized ip6tables (IPv6) rules with packet counters, if --system-info flag was provided.
+ipset.txt: Anonymized ipset list output, if --system-info flag was provided.
+nftables.txt: Anonymized nftables rules with packet counters across all families (ip, ip6, inet, etc.), if --system-info flag was provided.
+sysctls.txt: Forwarding, reverse-path filter, source-validation, and conntrack accounting sysctl values that the NetBird client may read or modify, if --system-info flag was provided (Linux only).
 resolv.conf: DNS resolver configuration from /etc/resolv.conf (Unix systems only), if --system-info flag was provided.
 scutil_dns.txt: DNS configuration from scutil --dns (macOS only), if --system-info flag was provided.
 resolved_domains.txt: Anonymized resolved domain IP addresses from the status recorder.
@@ -165,22 +168,33 @@ The config.txt file contains anonymized configuration information of the NetBird
 Other non-sensitive configuration options are included without anonymization.

 Firewall Rules (Linux only)
-The bundle includes two separate firewall rule files:
+The bundle includes the following firewall-related files:

 iptables.txt:
- Complete iptables ruleset with packet counters using 'iptables -v -n -L'
+- IPv4 iptables ruleset with packet counters using 'iptables-save' and 'iptables -v -n -L'
 - Includes all tables (filter, nat, mangle, raw, security)
 - Shows packet and byte counters for each rule
 - All IP addresses are anonymized
 - Chain names, table names, and other non-sensitive information remain unchanged

+ip6tables.txt:
+- IPv6 ip6tables ruleset with packet counters using 'ip6tables-save' and 'ip6tables -v -n -L'
+- Same table coverage and anonymization as iptables.txt
+- Omitted when ip6tables is not installed or no IPv6 rules are present
+
+ipset.txt:
+- Output of 'ipset list' (family-agnostic)
+- IP addresses are anonymized; set names and types remain unchanged
+
 nftables.txt:
- Complete nftables ruleset obtained via 'nft -a list ruleset'
+- Complete nftables ruleset across all families (ip, ip6, inet, arp, bridge, netdev) via 'nft -a list ruleset'
 - Includes rule handle numbers and packet counters
- All tables, chains, and rules are included
- Shows packet and byte counters for each rule
- All IP addresses are anonymized
- Chain names, table names, and other non-sensitive information remain unchanged
+- All IP addresses are anonymized; chain/table names remain unchanged
+
+sysctls.txt:
+- Forwarding (IPv4 + IPv6, global and per-interface), reverse-path filter, source-validation, conntrack accounting, and TCP-related sysctls that netbird may read or modify
+- Per-interface keys are enumerated from /proc/sys/net/ipv{4,6}/conf
+- Interface names anonymized when --anonymize is set

 IP Rules (Linux only)
 The ip_rules.txt file contains detailed IP routing rule information:
@@ -412,6 +426,10 @@ func (g *BundleGenerator) addSystemInfo() {
 		log.Errorf("failed to add firewall rules to debug bundle: %v", err)
 	}

+	if err := g.addSysctls(); err != nil {
+		log.Errorf("failed to add sysctls to debug bundle: %v", err)
+	}
+
 	if err := g.addDNSInfo(); err != nil {
 		log.Errorf("failed to add DNS info to debug bundle: %v", err)
 	}
--- a/client/internal/debug/debug_linux.go
+++ b/client/internal/debug/debug_linux.go
@@ -124,15 +124,18 @@ func getSystemdLogs(serviceName string) (string, error) {
 // addFirewallRules collects and adds firewall rules to the archive
 func (g *BundleGenerator) addFirewallRules() error {
 	log.Info("Collecting firewall rules")
-	iptablesRules, err := collectIPTablesRules()
+	g.addIPTablesRulesToBundle("iptables-save", "iptables", "iptables.txt")
+	g.addIPTablesRulesToBundle("ip6tables-save", "ip6tables", "ip6tables.txt")
+
+	ipsetOutput, err := collectIPSets()
 	if err != nil {
-		log.Warnf("Failed to collect iptables rules: %v", err)
+		log.Warnf("Failed to collect ipset information: %v", err)
 	} else {
 		if g.anonymize {
-			iptablesRules = g.anonymizer.AnonymizeString(iptablesRules)
+			ipsetOutput = g.anonymizer.AnonymizeString(ipsetOutput)
 		}
-		if err := g.addFileToZip(strings.NewReader(iptablesRules), "iptables.txt"); err != nil {
-			log.Warnf("Failed to add iptables rules to bundle: %v", err)
+		if err := g.addFileToZip(strings.NewReader(ipsetOutput), "ipset.txt"); err != nil {
+			log.Warnf("Failed to add ipset output to bundle: %v", err)
 		}
 	}

@@ -151,44 +154,65 @@ func (g *BundleGenerator) addFirewallRules() error {
 	return nil
 }

-// collectIPTablesRules collects rules using both iptables-save and verbose listing
-func collectIPTablesRules() (string, error) {
-	var builder strings.Builder
-
-	saveOutput, err := collectIPTablesSave()
+// addIPTablesRulesToBundle collects iptables/ip6tables rules and writes them to the bundle.
+func (g *BundleGenerator) addIPTablesRulesToBundle(saveBin, listBin, filename string) {
+	rules, err := collectIPTablesRules(saveBin, listBin)
 	if err != nil {
-		log.Warnf("Failed to collect iptables rules using iptables-save: %v", err)
-	} else {
-		builder.WriteString("=== iptables-save output ===\n")
+		log.Warnf("Failed to collect %s rules: %v", listBin, err)
+		return
+	}
+	if g.anonymize {
+		rules = g.anonymizer.AnonymizeString(rules)
+	}
+	if err := g.addFileToZip(strings.NewReader(rules), filename); err != nil {
+		log.Warnf("Failed to add %s rules to bundle: %v", listBin, err)
+	}
+}
+
+// collectIPTablesRules collects rules using both <saveBin> and verbose listing via <listBin>.
+// Returns an error when neither command produced any output (e.g. the binary is missing),
+// so the caller can skip writing an empty file.
+func collectIPTablesRules(saveBin, listBin string) (string, error) {
+	var builder strings.Builder
+	var collected bool
+	var firstErr error
+
+	saveOutput, err := runCommand(saveBin)
+	switch {
+	case err != nil:
+		firstErr = err
+		log.Warnf("Failed to collect %s output: %v", saveBin, err)
+	case strings.TrimSpace(saveOutput) == "":
+		log.Debugf("%s produced no output, skipping", saveBin)
+	default:
+		builder.WriteString(fmt.Sprintf("=== %s output ===\n", saveBin))
 		builder.WriteString(saveOutput)
 		builder.WriteString("\n")
+		collected = true
 	}

-	ipsetOutput, err := collectIPSets()
-	if err != nil {
-		log.Warnf("Failed to collect ipset information: %v", err)
-	} else {
-		builder.WriteString("=== ipset list output ===\n")
-		builder.WriteString(ipsetOutput)
-		builder.WriteString("\n")
-	}
-
-	builder.WriteString("=== iptables -v -n -L output ===\n")
+	listHeader := fmt.Sprintf("=== %s -v -n -L output ===\n", listBin)
+	builder.WriteString(listHeader)

 	tables := []string{"filter", "nat", "mangle", "raw", "security"}
-
 	for _, table := range tables {
-		builder.WriteString(fmt.Sprintf("*%s\n", table))
-
-		stats, err := getTableStatistics(table)
+		stats, err := runCommand(listBin, "-v", "-n", "-L", "-t", table)
 		if err != nil {
-			log.Warnf("Failed to get statistics for table %s: %v", table, err)
+			if firstErr == nil {
+				firstErr = err
+			}
+			log.Warnf("Failed to get %s statistics for table %s: %v", listBin, table, err)
 			continue
 		}
+		builder.WriteString(fmt.Sprintf("*%s\n", table))
 		builder.WriteString(stats)
 		builder.WriteString("\n")
+		collected = true
 	}

+	if !collected {
+		return "", fmt.Errorf("collect %s rules: %w", listBin, firstErr)
+	}
 	return builder.String(), nil
 }

@@ -214,34 +238,15 @@ func collectIPSets() (string, error) {
 	return ipsets, nil
 }

-// collectIPTablesSave uses iptables-save to get rule definitions
-func collectIPTablesSave() (string, error) {
-	cmd := exec.Command("iptables-save")
+// runCommand executes a command and returns its stdout, wrapping stderr in the error on failure.
+func runCommand(name string, args ...string) (string, error) {
+	cmd := exec.Command(name, args...)
 	var stdout, stderr bytes.Buffer
 	cmd.Stdout = &stdout
 	cmd.Stderr = &stderr

 	if err := cmd.Run(); err != nil {
-		return "", fmt.Errorf("execute iptables-save: %w (stderr: %s)", err, stderr.String())
-	}
-
-	rules := stdout.String()
-	if strings.TrimSpace(rules) == "" {
-		return "", fmt.Errorf("no iptables rules found")
-	}
-
-	return rules, nil
-}
-
-// getTableStatistics gets verbose statistics for an entire table using iptables command
-func getTableStatistics(table string) (string, error) {
-	cmd := exec.Command("iptables", "-v", "-n", "-L", "-t", table)
-	var stdout, stderr bytes.Buffer
-	cmd.Stdout = &stdout
-	cmd.Stderr = &stderr
-
-	if err := cmd.Run(); err != nil {
-		return "", fmt.Errorf("execute iptables -v -n -L: %w (stderr: %s)", err, stderr.String())
+		return "", fmt.Errorf("execute %s: %w (stderr: %s)", name, err, stderr.String())
 	}

 	return stdout.String(), nil
@@ -804,3 +809,91 @@ func formatSetKeyType(keyType nftables.SetDatatype) string {
 		return fmt.Sprintf("type-%v", keyType)
 	}
 }
+
+// addSysctls collects forwarding and netbird-managed sysctl values and writes them to the bundle.
+func (g *BundleGenerator) addSysctls() error {
+	log.Info("Collecting sysctls")
+	content := collectSysctls()
+	if g.anonymize {
+		content = g.anonymizer.AnonymizeString(content)
+	}
+	if err := g.addFileToZip(strings.NewReader(content), "sysctls.txt"); err != nil {
+		return fmt.Errorf("add sysctls to bundle: %w", err)
+	}
+	return nil
+}
+
+// collectSysctls reads every sysctl that the netbird client may modify, plus
+// global IPv4/IPv6 forwarding, and returns a formatted dump grouped by topic.
+// Per-interface values are enumerated by listing /proc/sys/net/ipv{4,6}/conf.
+func collectSysctls() string {
+	var builder strings.Builder
+
+	writeSysctlGroup(&builder, "forwarding", []string{
+		"net.ipv4.ip_forward",
+		"net.ipv6.conf.all.forwarding",
+		"net.ipv6.conf.default.forwarding",
+	})
+	writeSysctlGroup(&builder, "ipv4 per-interface forwarding", listInterfaceSysctls("ipv4", "forwarding"))
+	writeSysctlGroup(&builder, "ipv6 per-interface forwarding", listInterfaceSysctls("ipv6", "forwarding"))
+	writeSysctlGroup(&builder, "rp_filter", append(
+		[]string{"net.ipv4.conf.all.rp_filter", "net.ipv4.conf.default.rp_filter"},
+		listInterfaceSysctls("ipv4", "rp_filter")...,
+	))
+	writeSysctlGroup(&builder, "src_valid_mark", append(
+		[]string{"net.ipv4.conf.all.src_valid_mark", "net.ipv4.conf.default.src_valid_mark"},
+		listInterfaceSysctls("ipv4", "src_valid_mark")...,
+	))
+	writeSysctlGroup(&builder, "conntrack", []string{
+		"net.netfilter.nf_conntrack_acct",
+		"net.netfilter.nf_conntrack_tcp_loose",
+	})
+	writeSysctlGroup(&builder, "tcp", []string{
+		"net.ipv4.tcp_tw_reuse",
+	})
+
+	return builder.String()
+}
+
+func writeSysctlGroup(builder *strings.Builder, title string, keys []string) {
+	builder.WriteString(fmt.Sprintf("=== %s ===\n", title))
+	for _, key := range keys {
+		value, err := readSysctl(key)
+		if err != nil {
+			builder.WriteString(fmt.Sprintf("%s = <error: %v>\n", key, err))
+			continue
+		}
+		builder.WriteString(fmt.Sprintf("%s = %s\n", key, value))
+	}
+	builder.WriteString("\n")
+}
+
+// listInterfaceSysctls returns net.ipvX.conf.<iface>.<leaf> keys for every
+// interface present in /proc/sys/net/ipvX/conf, skipping "all" and "default"
+// (callers add those explicitly so they appear first).
+func listInterfaceSysctls(family, leaf string) []string {
+	dir := fmt.Sprintf("/proc/sys/net/%s/conf", family)
+	entries, err := os.ReadDir(dir)
+	if err != nil {
+		return nil
+	}
+	var keys []string
+	for _, e := range entries {
+		name := e.Name()
+		if name == "all" || name == "default" {
+			continue
+		}
+		keys = append(keys, fmt.Sprintf("net.%s.conf.%s.%s", family, name, leaf))
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+func readSysctl(key string) (string, error) {
+	path := fmt.Sprintf("/proc/sys/%s", strings.ReplaceAll(key, ".", "/"))
+	value, err := os.ReadFile(path)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(value)), nil
+}
--- a/client/internal/debug/debug_nonlinux.go
+++ b/client/internal/debug/debug_nonlinux.go
@@ -17,3 +17,8 @@ func (g *BundleGenerator) addIPRules() error {
 	// IP rules are only supported on Linux
 	return nil
 }
+
+func (g *BundleGenerator) addSysctls() error {
+	// Sysctl collection is only supported on Linux
+	return nil
+}
--- a/client/internal/dns/dnsfw/config.go
+++ b/client/internal/dns/dnsfw/config.go
@@ -1,63 +0,0 @@
-package dnsfw
-
-import (
-	"os"
-	"strconv"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	// EnvDisable disables the DNS firewall entirely when set to a truthy value.
-	EnvDisable = "NB_DISABLE_DNS_FIREWALL"
-	// EnvPorts overrides the comma-separated list of remote ports to block.
-	// Empty disables the firewall.
-	EnvPorts = "NB_DNS_FIREWALL_PORTS"
-	// EnvStrict enables strict mode: permit DNS only to the virtual DNS IP
-	// and the netbird daemon. Default mode also permits anything on the
-	// netbird tunnel interface, which is safer if NRPT is silently ignored
-	// by Windows but lets apps reach custom DNS servers via the tunnel.
-	EnvStrict = "NB_DNS_FIREWALL_STRICT"
-)
-
-// defaultBlockedPorts are the well-known DNS ports we block for non-netbird
-// processes: 53 (plain DNS) and 853 (DNS-over-TLS).
-var defaultBlockedPorts = []uint16{53, 853}
-
-// blockedPorts returns the effective port list, honoring env overrides.
-// A nil return means the firewall should not be installed.
-func blockedPorts() []uint16 {
-	if disabled, _ := strconv.ParseBool(os.Getenv(EnvDisable)); disabled {
-		log.Infof("dns firewall disabled via %s", EnvDisable)
-		return nil
-	}
-
-	override, ok := os.LookupEnv(EnvPorts)
-	if !ok {
-		return defaultBlockedPorts
-	}
-
-	var ports []uint16
-	for _, raw := range strings.Split(override, ",") {
-		raw = strings.TrimSpace(raw)
-		if raw == "" {
-			continue
-		}
-		port, err := strconv.ParseUint(raw, 10, 16)
-		if err != nil {
-			log.Warnf("dns firewall: ignoring invalid port %q in %s: %v", raw, EnvPorts, err)
-			continue
-		}
-		if port == 0 {
-			log.Warnf("dns firewall: ignoring port 0 in %s", EnvPorts)
-			continue
-		}
-		ports = append(ports, uint16(port))
-	}
-	if len(ports) == 0 {
-		log.Infof("dns firewall disabled: %s yielded no valid ports", EnvPorts)
-		return nil
-	}
-	return ports
-}
--- a/client/internal/dns/dnsfw/config_test.go
+++ b/client/internal/dns/dnsfw/config_test.go
@@ -1,39 +0,0 @@
-package dnsfw
-
-import (
-	"reflect"
-	"testing"
-)
-
-func TestBlockedPorts(t *testing.T) {
-	tests := []struct {
-		name     string
-		disable  string
-		ports    string
-		setPorts bool
-		want     []uint16
-	}{
-		{name: "default", want: defaultBlockedPorts},
-		{name: "disabled", disable: "true", want: nil},
-		{name: "disabled false keeps default", disable: "false", want: defaultBlockedPorts},
-		{name: "override single port", ports: "53", setPorts: true, want: []uint16{53}},
-		{name: "override multi", ports: "53, 853 ,5353", setPorts: true, want: []uint16{53, 853, 5353}},
-		{name: "override empty disables", ports: "", setPorts: true, want: nil},
-		{name: "override invalid skipped", ports: "53,not-a-port,853", setPorts: true, want: []uint16{53, 853}},
-		{name: "override zero skipped", ports: "53,0,853", setPorts: true, want: []uint16{53, 853}},
-		{name: "override only invalid disables", ports: "abc", setPorts: true, want: nil},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Setenv(EnvDisable, tc.disable)
-			if tc.setPorts {
-				t.Setenv(EnvPorts, tc.ports)
-			}
-			got := blockedPorts()
-			if !reflect.DeepEqual(got, tc.want) {
-				t.Fatalf("blockedPorts() = %v, want %v", got, tc.want)
-			}
-		})
-	}
-}
--- a/client/internal/dns/dnsfw/dnsfw.go
+++ b/client/internal/dns/dnsfw/dnsfw.go
@@ -1,16 +0,0 @@
-// Package dnsfw blocks DNS traffic from non-netbird processes when netbird is
-// managing the host's DNS, so that resolvers running on apps or libraries
-// outside netbird cannot bypass the configured DNS path.
-//
-// Implementation is Windows-only (uses WFP). On other platforms New returns
-// a no-op manager.
-package dnsfw
-
-import "net/netip"
-
-// Manager controls the per-tunnel DNS firewall. Both methods must be safe
-// to call multiple times.
-type Manager interface {
-	Enable(ifaceGUID string, virtualDNSIP netip.Addr) error
-	Disable() error
-}
--- a/client/internal/dns/dnsfw/dnsfw_other.go
+++ b/client/internal/dns/dnsfw/dnsfw_other.go
@@ -1,15 +0,0 @@
-//go:build !windows
-
-package dnsfw
-
-import "net/netip"
-
-type noopManager struct{}
-
-func (noopManager) Enable(string, netip.Addr) error { return nil }
-func (noopManager) Disable() error                  { return nil }
-
-// New returns a no-op manager on non-Windows platforms.
-func New() Manager {
-	return noopManager{}
-}
--- a/client/internal/dns/dnsfw/dnsfw_windows.go
+++ b/client/internal/dns/dnsfw/dnsfw_windows.go
@@ -1,144 +0,0 @@
-//go:build windows
-
-package dnsfw
-
-import (
-	"fmt"
-	"net/netip"
-	"os"
-	"strconv"
-	"sync"
-	"unsafe"
-
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/windows"
-)
-
-var (
-	modIphlpapi                    = windows.NewLazyDLL("iphlpapi.dll")
-	procConvertInterfaceGuidToLuid = modIphlpapi.NewProc("ConvertInterfaceGuidToLuid")
-)
-
-type windowsManager struct {
-	mu sync.Mutex
-	// session is the WFP engine handle. Zero when disabled.
-	session uintptr
-}
-
-// Enable installs the dns firewall. Strict mode propagates failures;
-// non-strict mode logs and returns nil so partial protection is preserved.
-func (m *windowsManager) Enable(ifaceGUID string, virtualDNSIP netip.Addr) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	ports := blockedPorts()
-	if len(ports) == 0 {
-		return nil
-	}
-
-	if m.session != 0 {
-		if err := m.disableLocked(); err != nil {
-			return fmt.Errorf("reset existing dns firewall session: %w", err)
-		}
-	}
-
-	strict := strictMode()
-
-	luid, err := luidFromGUID(ifaceGUID)
-	if err != nil {
-		return m.failOrLog(strict, fmt.Errorf("resolve tun luid from guid %s: %w", ifaceGUID, err))
-	}
-
-	exe, err := os.Executable()
-	if err != nil {
-		return m.failOrLog(strict, fmt.Errorf("resolve daemon executable path: %w", err))
-	}
-
-	cfg := installConfig{
-		tunLUID:      luid,
-		daemonExe:    exe,
-		blockedPorts: ports,
-		strict:       strict,
-		virtualDNSIP: virtualDNSIP,
-	}
-	// session==0 signals a hard failure; non-zero with non-nil err is a partial install.
-	session, installErr := installFilters(cfg)
-	if session == 0 {
-		return m.failOrLog(strict, fmt.Errorf("install dns firewall filters: %w", installErr))
-	}
-
-	if installErr != nil && strict {
-		_ = closeSession(session)
-		return fmt.Errorf("strict dns firewall: partial install: %w", installErr)
-	}
-
-	m.session = session
-	log.Infof("dns firewall installed: iface=%s daemon=%s ports=%v strict=%v virtual_dns=%s",
-		ifaceGUID, exe, ports, strict, virtualDNSIP)
-	if installErr != nil {
-		log.Warnf("dns firewall partially installed (some filters failed): %v", installErr)
-	}
-	return nil
-}
-
-func (m *windowsManager) Disable() error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	return m.disableLocked()
-}
-
-func (m *windowsManager) disableLocked() error {
-	if m.session == 0 {
-		return nil
-	}
-	session := m.session
-	m.session = 0
-	if err := closeSession(session); err != nil {
-		return fmt.Errorf("close wfp session: %w", err)
-	}
-	log.Info("dns firewall removed")
-	return nil
-}
-
-// failOrLog returns err unchanged in strict mode. In non-strict mode the
-// error is logged and nil is returned.
-func (m *windowsManager) failOrLog(strict bool, err error) error {
-	if strict {
-		return err
-	}
-	log.Errorf("dns firewall: %v", err)
-	return nil
-}
-
-// New returns a Windows DNS firewall manager backed by WFP.
-func New() Manager {
-	return &windowsManager{}
-}
-
-// strictMode reports whether strict mode is enabled via env.
-func strictMode() bool {
-	v, _ := strconv.ParseBool(os.Getenv(EnvStrict))
-	return v
-}
-
-// luidFromGUID converts a Windows interface GUID string to its LUID.
-func luidFromGUID(ifaceGUID string) (luid uint64, err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			err = fmt.Errorf("panic in luidFromGUID: %v", r)
-		}
-	}()
-
-	guid, err := windows.GUIDFromString(ifaceGUID)
-	if err != nil {
-		return 0, fmt.Errorf("parse guid: %w", err)
-	}
-	rc, _, _ := procConvertInterfaceGuidToLuid.Call(
-		uintptr(unsafe.Pointer(&guid)),
-		uintptr(unsafe.Pointer(&luid)),
-	)
-	if rc != 0 {
-		return 0, fmt.Errorf("ConvertInterfaceGuidToLuid returned %d", rc)
-	}
-	return luid, nil
-}
--- a/client/internal/dns/dnsfw/dnsfw_windows_test.go
+++ b/client/internal/dns/dnsfw/dnsfw_windows_test.go
@@ -1,72 +0,0 @@
-//go:build windows
-
-package dnsfw
-
-import (
-	"net/netip"
-	"os"
-	"testing"
-)
-
-func TestStrictMode(t *testing.T) {
-	tests := []struct {
-		name string
-		val  string
-		set  bool
-		want bool
-	}{
-		{name: "unset", want: false},
-		{name: "true", val: "true", set: true, want: true},
-		{name: "1", val: "1", set: true, want: true},
-		{name: "false", val: "false", set: true, want: false},
-		{name: "invalid is false", val: "garbage", set: true, want: false},
-	}
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Setenv(EnvStrict, tc.val)
-			if !tc.set {
-				os.Unsetenv(EnvStrict)
-			}
-			if got := strictMode(); got != tc.want {
-				t.Fatalf("strictMode() = %v, want %v", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestWindowsManagerDisableIdempotent(t *testing.T) {
-	m := &windowsManager{}
-	if err := m.Disable(); err != nil {
-		t.Fatalf("first Disable on fresh manager: %v", err)
-	}
-	if err := m.Disable(); err != nil {
-		t.Fatalf("second Disable on fresh manager: %v", err)
-	}
-	if m.session != 0 {
-		t.Fatalf("session should remain zero, got %d", m.session)
-	}
-}
-
-func TestWindowsManagerEnableNoOpWhenDisabledByEnv(t *testing.T) {
-	t.Setenv(EnvDisable, "true")
-
-	m := &windowsManager{}
-	if err := m.Enable("00000000-0000-0000-0000-000000000000", netip.Addr{}); err != nil {
-		t.Fatalf("Enable should be a no-op when firewall disabled by env: %v", err)
-	}
-	if m.session != 0 {
-		t.Fatalf("session must remain zero when env disables firewall, got %d", m.session)
-	}
-}
-
-func TestWindowsManagerEnableNoOpWhenPortsEmpty(t *testing.T) {
-	t.Setenv(EnvPorts, "")
-
-	m := &windowsManager{}
-	if err := m.Enable("00000000-0000-0000-0000-000000000000", netip.Addr{}); err != nil {
-		t.Fatalf("Enable should be a no-op when ports list is empty: %v", err)
-	}
-	if m.session != 0 {
-		t.Fatalf("session must remain zero when ports list is empty, got %d", m.session)
-	}
-}
--- a/client/internal/dns/dnsfw/helpers_windows.go
+++ b/client/internal/dns/dnsfw/helpers_windows.go
@@ -1,53 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/helpers.go.
- */
-
-package dnsfw
-
-import (
-	"errors"
-	"fmt"
-	"runtime"
-	"syscall"
-
-	"golang.org/x/sys/windows"
-)
-
-func createWtFwpmDisplayData0(name, description string) (*wtFwpmDisplayData0, error) {
-	namePtr, err := windows.UTF16PtrFromString(name)
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-
-	descriptionPtr, err := windows.UTF16PtrFromString(description)
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-
-	return &wtFwpmDisplayData0{
-		name:        namePtr,
-		description: descriptionPtr,
-	}, nil
-}
-
-func filterWeight(weight uint8) wtFwpValue0 {
-	return wtFwpValue0{
-		_type: cFWP_UINT8,
-		value: uintptr(weight),
-	}
-}
-
-func wrapErr(err error) error {
-	var errno syscall.Errno
-	if !errors.As(err, &errno) {
-		return err
-	}
-	_, file, line, ok := runtime.Caller(1)
-	if !ok {
-		return fmt.Errorf("wfp error at unknown location: %w", err)
-	}
-	return fmt.Errorf("wfp error at %s:%d: %w", file, line, err)
-}
--- a/client/internal/dns/dnsfw/rules_windows.go
+++ b/client/internal/dns/dnsfw/rules_windows.go
@@ -1,249 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- * Copyright (C) 2026 NetBird GmbH. All Rights Reserved.
- *
- * Filter installers adapted from wireguard-windows tunnel/firewall/rules.go.
- * The block-DNS approach (port 53 + UDP/TCP) matches what wireguard-windows
- * uses for its kill-switch DNS leak protection. We extend it with a
- * configurable port set so we also cover :853 (DoT) and any future ports.
- */
-
-package dnsfw
-
-import (
-	"encoding/binary"
-	"fmt"
-	"net/netip"
-	"unsafe"
-
-	"github.com/hashicorp/go-multierror"
-	"golang.org/x/sys/windows"
-
-	nberrors "github.com/netbirdio/netbird/client/errors"
-)
-
-// Filters install at outbound ALE_AUTH_CONNECT layers only; inbound replies
-// follow the authorized outbound flow.
-
-// permitTunInterface installs a permit filter for any traffic whose local
-// interface is the netbird tunnel.
-func permitTunInterface(session uintptr, base *baseObjects, weight uint8, ifLUID uint64) error {
-	cond := wtFwpmFilterCondition0{
-		fieldKey:  cFWPM_CONDITION_IP_LOCAL_INTERFACE,
-		matchType: cFWP_MATCH_EQUAL,
-		conditionValue: wtFwpConditionValue0{
-			_type: cFWP_UINT64,
-			value: uintptr(unsafe.Pointer(&ifLUID)),
-		},
-	}
-
-	filter := wtFwpmFilter0{
-		providerKey:         &base.provider,
-		subLayerKey:         base.filters,
-		weight:              filterWeight(weight),
-		numFilterConditions: 1,
-		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&cond)),
-		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
-	}
-
-	return addOutboundFilters(session, &filter, "Permit netbird tunnel")
-}
-
-// permitDaemonByAppID installs a permit filter matching the netbird daemon
-// executable by App-ID. App-ID alone is sufficient because netbird.exe is a
-// dedicated binary.
-func permitDaemonByAppID(session uintptr, base *baseObjects, daemonExe string, weight uint8) error {
-	appID, err := daemonAppID(daemonExe)
-	if err != nil {
-		return err
-	}
-	defer fwpmFreeMemory0(unsafe.Pointer(&appID))
-
-	cond := wtFwpmFilterCondition0{
-		fieldKey:  cFWPM_CONDITION_ALE_APP_ID,
-		matchType: cFWP_MATCH_EQUAL,
-		conditionValue: wtFwpConditionValue0{
-			_type: cFWP_BYTE_BLOB_TYPE,
-			value: uintptr(unsafe.Pointer(appID)),
-		},
-	}
-
-	filter := wtFwpmFilter0{
-		providerKey:         &base.provider,
-		subLayerKey:         base.filters,
-		weight:              filterWeight(weight),
-		numFilterConditions: 1,
-		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&cond)),
-		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
-	}
-
-	return addOutboundFilters(session, &filter, "Permit netbird daemon")
-}
-
-// permitVirtualDNSIP installs a permit filter for DNS-port traffic destined
-// for the in-tunnel virtual DNS IP. Used in strict mode in lieu of
-// permitTunInterface.
-func permitVirtualDNSIP(session uintptr, base *baseObjects, ip netip.Addr, ports []uint16, weight uint8) error {
-	var merr *multierror.Error
-	for _, port := range ports {
-		if err := permitDNSToHost(session, base, ip, port, weight); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("permit %s:%d: %w", ip, port, err))
-		}
-	}
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func permitDNSToHost(session uintptr, base *baseObjects, ip netip.Addr, port uint16, weight uint8) error {
-	if !ip.IsValid() {
-		return fmt.Errorf("invalid address")
-	}
-
-	var addrCond wtFwpmFilterCondition0
-	var layer windows.GUID
-	// v6 backing must outlive fwpmFilterAdd0; keep it on this stack frame.
-	var v6 wtFwpByteArray16
-
-	if ip.Is4() {
-		v4 := ip.As4()
-		addrCond = wtFwpmFilterCondition0{
-			fieldKey:  cFWPM_CONDITION_IP_REMOTE_ADDRESS,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT32,
-				value: uintptr(binary.BigEndian.Uint32(v4[:])),
-			},
-		}
-		layer = cFWPM_LAYER_ALE_AUTH_CONNECT_V4
-	} else {
-		v6 = wtFwpByteArray16{byteArray16: ip.As16()}
-		addrCond = wtFwpmFilterCondition0{
-			fieldKey:  cFWPM_CONDITION_IP_REMOTE_ADDRESS,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_BYTE_ARRAY16_TYPE,
-				value: uintptr(unsafe.Pointer(&v6)),
-			},
-		}
-		layer = cFWPM_LAYER_ALE_AUTH_CONNECT_V6
-	}
-
-	conditions := [2]wtFwpmFilterCondition0{
-		addrCond,
-		{
-			fieldKey:  cFWPM_CONDITION_IP_REMOTE_PORT,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT16,
-				value: uintptr(port),
-			},
-		},
-	}
-	filter := wtFwpmFilter0{
-		providerKey:         &base.provider,
-		subLayerKey:         base.filters,
-		weight:              filterWeight(weight),
-		numFilterConditions: uint32(len(conditions)),
-		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
-		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
-	}
-
-	display, err := createWtFwpmDisplayData0(fmt.Sprintf("Permit DNS to %s:%d", ip, port), "")
-	if err != nil {
-		return wrapErr(err)
-	}
-	filter.displayData = *display
-	filter.layerKey = layer
-
-	var filterID uint64
-	if err := fwpmFilterAdd0(session, &filter, 0, &filterID); err != nil {
-		return wrapErr(err)
-	}
-	_ = v6
-	return nil
-}
-
-// blockDNSPorts installs a deny filter for outbound traffic to each of the
-// given remote ports over UDP or TCP. Per-port and per-layer failures are
-// accumulated; partial coverage is preferred over zero coverage.
-func blockDNSPorts(session uintptr, base *baseObjects, ports []uint16, weight uint8) error {
-	var merr *multierror.Error
-	for _, port := range ports {
-		if err := blockDNSPort(session, base, port, weight); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("block port %d: %w", port, err))
-		}
-	}
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func blockDNSPort(session uintptr, base *baseObjects, port uint16, weight uint8) error {
-	conditions := [3]wtFwpmFilterCondition0{
-		{
-			fieldKey:  cFWPM_CONDITION_IP_REMOTE_PORT,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT16,
-				value: uintptr(port),
-			},
-		},
-		{
-			fieldKey:  cFWPM_CONDITION_IP_PROTOCOL,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT8,
-				value: uintptr(cIPPROTO_UDP),
-			},
-		},
-		// Repeat the IP_PROTOCOL condition for logical OR with TCP.
-		{
-			fieldKey:  cFWPM_CONDITION_IP_PROTOCOL,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT8,
-				value: uintptr(cIPPROTO_TCP),
-			},
-		},
-	}
-
-	filter := wtFwpmFilter0{
-		providerKey:         &base.provider,
-		subLayerKey:         base.filters,
-		weight:              filterWeight(weight),
-		numFilterConditions: uint32(len(conditions)),
-		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
-		action:              wtFwpmAction0{_type: cFWP_ACTION_BLOCK},
-	}
-
-	return addOutboundFilters(session, &filter, fmt.Sprintf("Block DNS port %d", port))
-}
-
-// addOutboundFilters installs the same filter on the v4 and v6 outbound ALE
-// connect layers. v4 and v6 are installed independently: failure on one
-// layer does not abort the other, and the accumulated errors are returned.
-// Partial coverage is preferred over zero coverage.
-func addOutboundFilters(session uintptr, filter *wtFwpmFilter0, name string) error {
-	layers := [...]struct {
-		layer windows.GUID
-		label string
-	}{
-		{cFWPM_LAYER_ALE_AUTH_CONNECT_V4, name + " (IPv4)"},
-		{cFWPM_LAYER_ALE_AUTH_CONNECT_V6, name + " (IPv6)"},
-	}
-
-	var merr *multierror.Error
-	for _, l := range layers {
-		display, err := createWtFwpmDisplayData0(l.label, "")
-		if err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("%s: %w", l.label, wrapErr(err)))
-			continue
-		}
-		filter.displayData = *display
-		filter.layerKey = l.layer
-
-		var filterID uint64
-		if err := fwpmFilterAdd0(session, filter, 0, &filterID); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("%s: %w", l.label, wrapErr(err)))
-		}
-	}
-	return nberrors.FormatErrorOrNil(merr)
-}
--- a/client/internal/dns/dnsfw/session_windows.go
+++ b/client/internal/dns/dnsfw/session_windows.go
@@ -1,177 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- * Copyright (C) 2026 NetBird GmbH. All Rights Reserved.
- *
- * Session lifecycle and the high-level Install/Close entry points adapted
- * from wireguard-windows tunnel/firewall.
- */
-
-package dnsfw
-
-import (
-	"errors"
-	"fmt"
-	"net/netip"
-	"unsafe"
-
-	"github.com/hashicorp/go-multierror"
-	"golang.org/x/sys/windows"
-
-	nberrors "github.com/netbirdio/netbird/client/errors"
-)
-
-// installConfig is the input to installFilters.
-type installConfig struct {
-	tunLUID      uint64
-	daemonExe    string
-	blockedPorts []uint16
-	// strict, when true, narrows the carve-out from "anything on tun" to
-	// "DNS only to virtualDNSIP". virtualDNSIP must be valid in this case.
-	strict       bool
-	virtualDNSIP netip.Addr
-}
-
-// baseObjects holds the GUIDs of the WFP provider and sublayer registered
-// for our session. Both are randomly generated per session.
-type baseObjects struct {
-	provider windows.GUID
-	filters  windows.GUID
-}
-
-// installFilters opens a dynamic WFP session and installs the netbird DNS
-// firewall filters. Returns a zero session on hard failure (session create,
-// base objects); a non-zero session with a non-nil error is a partial install
-// (some per-filter installs failed) and is safe to close.
-func installFilters(cfg installConfig) (session uintptr, err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			// Dynamic session: kernel will clean up on process exit even
-			// if we leave the handle dangling here.
-			err = fmt.Errorf("panic in installFilters: %v", r)
-		}
-	}()
-
-	if len(cfg.blockedPorts) == 0 {
-		return 0, errors.New("dns firewall: no blocked ports configured")
-	}
-	if cfg.strict && !cfg.virtualDNSIP.IsValid() {
-		return 0, errors.New("dns firewall: strict mode requires a valid virtual DNS IP")
-	}
-
-	session, err = createSession()
-	if err != nil {
-		return 0, err
-	}
-
-	base, err := registerBaseObjects(session)
-	if err != nil {
-		_ = fwpmEngineClose0(session)
-		return 0, fmt.Errorf("register base objects: %w", err)
-	}
-
-	var merr *multierror.Error
-	if cfg.strict {
-		if err := permitVirtualDNSIP(session, base, cfg.virtualDNSIP, cfg.blockedPorts, 15); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("permit virtual dns: %w", err))
-		}
-	} else {
-		if err := permitTunInterface(session, base, 15, cfg.tunLUID); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("permit tun interface: %w", err))
-		}
-	}
-	if err := permitDaemonByAppID(session, base, cfg.daemonExe, 14); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("permit netbird daemon: %w", err))
-	}
-	if err := blockDNSPorts(session, base, cfg.blockedPorts, 10); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("block dns ports: %w", err))
-	}
-
-	return session, nberrors.FormatErrorOrNil(merr)
-}
-
-// closeSession tears down a WFP session previously opened by installFilters.
-// All filters owned by the session are removed.
-func closeSession(session uintptr) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			err = fmt.Errorf("panic in closeSession: %v", r)
-		}
-	}()
-
-	if session == 0 {
-		return nil
-	}
-	if err := fwpmEngineClose0(session); err != nil {
-		return wrapErr(err)
-	}
-	return nil
-}
-
-func createSession() (uintptr, error) {
-	displayData, err := createWtFwpmDisplayData0("NetBird DNS firewall", "NetBird DNS firewall dynamic session")
-	if err != nil {
-		return 0, wrapErr(err)
-	}
-	session := wtFwpmSession0{
-		displayData:          *displayData,
-		flags:                cFWPM_SESSION_FLAG_DYNAMIC,
-		txnWaitTimeoutInMSec: windows.INFINITE,
-	}
-	var handle uintptr
-	if err := fwpmEngineOpen0(nil, cRPC_C_AUTHN_WINNT, nil, &session, unsafe.Pointer(&handle)); err != nil {
-		return 0, wrapErr(err)
-	}
-	return handle, nil
-}
-
-func registerBaseObjects(session uintptr) (*baseObjects, error) {
-	bo := &baseObjects{}
-	var err error
-	if bo.provider, err = windows.GenerateGUID(); err != nil {
-		return nil, wrapErr(err)
-	}
-	if bo.filters, err = windows.GenerateGUID(); err != nil {
-		return nil, wrapErr(err)
-	}
-
-	displayData, err := createWtFwpmDisplayData0("NetBird DNS firewall", "NetBird DNS firewall provider")
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-	provider := wtFwpmProvider0{
-		providerKey: bo.provider,
-		displayData: *displayData,
-	}
-	if err := fwpmProviderAdd0(session, &provider, 0); err != nil {
-		return nil, wrapErr(err)
-	}
-
-	subDisplay, err := createWtFwpmDisplayData0("NetBird DNS firewall filters", "Permit and block filters")
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-	sublayer := wtFwpmSublayer0{
-		subLayerKey: bo.filters,
-		displayData: *subDisplay,
-		providerKey: &bo.provider,
-		weight:      ^uint16(0),
-	}
-	if err := fwpmSubLayerAdd0(session, &sublayer, 0); err != nil {
-		return nil, wrapErr(err)
-	}
-	return bo, nil
-}
-
-// daemonAppID returns the WFP App-ID byte blob for the given executable path.
-func daemonAppID(path string) (*wtFwpByteBlob, error) {
-	pathPtr, err := windows.UTF16PtrFromString(path)
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-	var appID *wtFwpByteBlob
-	if err := fwpmGetAppIdFromFileName0(pathPtr, unsafe.Pointer(&appID)); err != nil {
-		return nil, wrapErr(err)
-	}
-	return appID, nil
-}
--- a/client/internal/dns/dnsfw/syscall_windows.go
+++ b/client/internal/dns/dnsfw/syscall_windows.go
@@ -1,38 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/syscall_windows.go.
- */
-
-package dnsfw
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmengineopen0
-//sys	fwpmEngineOpen0(serverName *uint16, authnService wtRpcCAuthN, authIdentity *uintptr, session *wtFwpmSession0, engineHandle unsafe.Pointer) (err error) [failretval!=0] = fwpuclnt.FwpmEngineOpen0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmengineclose0
-//sys	fwpmEngineClose0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmEngineClose0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmsublayeradd0
-//sys	fwpmSubLayerAdd0(engineHandle uintptr, subLayer *wtFwpmSublayer0, sd uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmSubLayerAdd0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmgetappidfromfilename0
-//sys	fwpmGetAppIdFromFileName0(fileName *uint16, appID unsafe.Pointer) (err error) [failretval!=0] = fwpuclnt.FwpmGetAppIdFromFileName0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmfreememory0
-//sys	fwpmFreeMemory0(p unsafe.Pointer) = fwpuclnt.FwpmFreeMemory0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmfilteradd0
-//sys	fwpmFilterAdd0(engineHandle uintptr, filter *wtFwpmFilter0, sd uintptr, id *uint64) (err error) [failretval!=0] = fwpuclnt.FwpmFilterAdd0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/Fwpmu/nf-fwpmu-fwpmtransactionbegin0
-//sys	fwpmTransactionBegin0(engineHandle uintptr, flags uint32) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionBegin0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmtransactioncommit0
-//sys	fwpmTransactionCommit0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionCommit0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmtransactionabort0
-//sys	fwpmTransactionAbort0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionAbort0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmprovideradd0
-//sys	fwpmProviderAdd0(engineHandle uintptr, provider *wtFwpmProvider0, sd uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmProviderAdd0
--- a/client/internal/dns/dnsfw/types_windows.go
+++ b/client/internal/dns/dnsfw/types_windows.go
@@ -1,414 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/types_windows.go.
- */
-
-package dnsfw
-
-import "golang.org/x/sys/windows"
-
-const (
-	anysizeArray = 1 // ANYSIZE_ARRAY defined in winnt.h
-
-	wtFwpBitmapArray64_Size = 8
-
-	wtFwpByteArray16_Size = 16
-
-	wtFwpByteArray6_Size = 6
-
-	wtFwpmAction0_Size              = 20
-	wtFwpmAction0_filterType_Offset = 4
-
-	wtFwpV4AddrAndMask_Size        = 8
-	wtFwpV4AddrAndMask_mask_Offset = 4
-
-	wtFwpV6AddrAndMask_Size                = 17
-	wtFwpV6AddrAndMask_prefixLength_Offset = 16
-)
-
-type wtFwpActionFlag uint32
-
-const (
-	cFWP_ACTION_FLAG_TERMINATING     wtFwpActionFlag = 0x00001000
-	cFWP_ACTION_FLAG_NON_TERMINATING wtFwpActionFlag = 0x00002000
-	cFWP_ACTION_FLAG_CALLOUT         wtFwpActionFlag = 0x00004000
-)
-
-// FWP_ACTION_TYPE defined in fwptypes.h
-type wtFwpActionType uint32
-
-const (
-	cFWP_ACTION_BLOCK               wtFwpActionType = wtFwpActionType(0x00000001 | cFWP_ACTION_FLAG_TERMINATING)
-	cFWP_ACTION_PERMIT              wtFwpActionType = wtFwpActionType(0x00000002 | cFWP_ACTION_FLAG_TERMINATING)
-	cFWP_ACTION_CALLOUT_TERMINATING wtFwpActionType = wtFwpActionType(0x00000003 | cFWP_ACTION_FLAG_CALLOUT | cFWP_ACTION_FLAG_TERMINATING)
-	cFWP_ACTION_CALLOUT_INSPECTION  wtFwpActionType = wtFwpActionType(0x00000004 | cFWP_ACTION_FLAG_CALLOUT | cFWP_ACTION_FLAG_NON_TERMINATING)
-	cFWP_ACTION_CALLOUT_UNKNOWN     wtFwpActionType = wtFwpActionType(0x00000005 | cFWP_ACTION_FLAG_CALLOUT)
-	cFWP_ACTION_CONTINUE            wtFwpActionType = wtFwpActionType(0x00000006 | cFWP_ACTION_FLAG_NON_TERMINATING)
-	cFWP_ACTION_NONE                wtFwpActionType = 0x00000007
-	cFWP_ACTION_NONE_NO_MATCH       wtFwpActionType = 0x00000008
-	cFWP_ACTION_BITMAP_INDEX_SET    wtFwpActionType = 0x00000009
-)
-
-// FWP_BYTE_BLOB defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_blob_)
-type wtFwpByteBlob struct {
-	size uint32
-	data *uint8
-}
-
-// FWP_MATCH_TYPE defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ne-fwptypes-fwp_match_type_)
-type wtFwpMatchType uint32
-
-const (
-	cFWP_MATCH_EQUAL                  wtFwpMatchType = 0
-	cFWP_MATCH_GREATER                wtFwpMatchType = cFWP_MATCH_EQUAL + 1
-	cFWP_MATCH_LESS                   wtFwpMatchType = cFWP_MATCH_GREATER + 1
-	cFWP_MATCH_GREATER_OR_EQUAL       wtFwpMatchType = cFWP_MATCH_LESS + 1
-	cFWP_MATCH_LESS_OR_EQUAL          wtFwpMatchType = cFWP_MATCH_GREATER_OR_EQUAL + 1
-	cFWP_MATCH_RANGE                  wtFwpMatchType = cFWP_MATCH_LESS_OR_EQUAL + 1
-	cFWP_MATCH_FLAGS_ALL_SET          wtFwpMatchType = cFWP_MATCH_RANGE + 1
-	cFWP_MATCH_FLAGS_ANY_SET          wtFwpMatchType = cFWP_MATCH_FLAGS_ALL_SET + 1
-	cFWP_MATCH_FLAGS_NONE_SET         wtFwpMatchType = cFWP_MATCH_FLAGS_ANY_SET + 1
-	cFWP_MATCH_EQUAL_CASE_INSENSITIVE wtFwpMatchType = cFWP_MATCH_FLAGS_NONE_SET + 1
-	cFWP_MATCH_NOT_EQUAL              wtFwpMatchType = cFWP_MATCH_EQUAL_CASE_INSENSITIVE + 1
-	cFWP_MATCH_PREFIX                 wtFwpMatchType = cFWP_MATCH_NOT_EQUAL + 1
-	cFWP_MATCH_NOT_PREFIX             wtFwpMatchType = cFWP_MATCH_PREFIX + 1
-	cFWP_MATCH_TYPE_MAX               wtFwpMatchType = cFWP_MATCH_NOT_PREFIX + 1
-)
-
-// FWPM_ACTION0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_action0_)
-type wtFwpmAction0 struct {
-	_type      wtFwpActionType
-	filterType windows.GUID // Windows type: GUID
-}
-
-// Defined in fwpmu.h. 4cd62a49-59c3-4969-b7f3-bda5d32890a4
-var cFWPM_CONDITION_IP_LOCAL_INTERFACE = windows.GUID{
-	Data1: 0x4cd62a49,
-	Data2: 0x59c3,
-	Data3: 0x4969,
-	Data4: [8]byte{0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 0xa4},
-}
-
-// Defined in fwpmu.h. b235ae9a-1d64-49b8-a44c-5ff3d9095045
-var cFWPM_CONDITION_IP_REMOTE_ADDRESS = windows.GUID{
-	Data1: 0xb235ae9a,
-	Data2: 0x1d64,
-	Data3: 0x49b8,
-	Data4: [8]byte{0xa4, 0x4c, 0x5f, 0xf3, 0xd9, 0x09, 0x50, 0x45},
-}
-
-// Defined in fwpmu.h. 3971ef2b-623e-4f9a-8cb1-6e79b806b9a7
-var cFWPM_CONDITION_IP_PROTOCOL = windows.GUID{
-	Data1: 0x3971ef2b,
-	Data2: 0x623e,
-	Data3: 0x4f9a,
-	Data4: [8]byte{0x8c, 0xb1, 0x6e, 0x79, 0xb8, 0x06, 0xb9, 0xa7},
-}
-
-// Defined in fwpmu.h. 0c1ba1af-5765-453f-af22-a8f791ac775b
-var cFWPM_CONDITION_IP_LOCAL_PORT = windows.GUID{
-	Data1: 0x0c1ba1af,
-	Data2: 0x5765,
-	Data3: 0x453f,
-	Data4: [8]byte{0xaf, 0x22, 0xa8, 0xf7, 0x91, 0xac, 0x77, 0x5b},
-}
-
-// Defined in fwpmu.h. c35a604d-d22b-4e1a-91b4-68f674ee674b
-var cFWPM_CONDITION_IP_REMOTE_PORT = windows.GUID{
-	Data1: 0xc35a604d,
-	Data2: 0xd22b,
-	Data3: 0x4e1a,
-	Data4: [8]byte{0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b},
-}
-
-// Defined in fwpmu.h. d78e1e87-8644-4ea5-9437-d809ecefc971
-var cFWPM_CONDITION_ALE_APP_ID = windows.GUID{
-	Data1: 0xd78e1e87,
-	Data2: 0x8644,
-	Data3: 0x4ea5,
-	Data4: [8]byte{0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71},
-}
-
-// af043a0a-b34d-4f86-979c-c90371af6e66
-var cFWPM_CONDITION_ALE_USER_ID = windows.GUID{
-	Data1: 0xaf043a0a,
-	Data2: 0xb34d,
-	Data3: 0x4f86,
-	Data4: [8]byte{0x97, 0x9c, 0xc9, 0x03, 0x71, 0xaf, 0x6e, 0x66},
-}
-
-// d9ee00de-c1ef-4617-bfe3-ffd8f5a08957
-var cFWPM_CONDITION_IP_LOCAL_ADDRESS = windows.GUID{
-	Data1: 0xd9ee00de,
-	Data2: 0xc1ef,
-	Data3: 0x4617,
-	Data4: [8]byte{0xbf, 0xe3, 0xff, 0xd8, 0xf5, 0xa0, 0x89, 0x57},
-}
-
-var (
-	cFWPM_CONDITION_ICMP_TYPE = cFWPM_CONDITION_IP_LOCAL_PORT
-	cFWPM_CONDITION_ICMP_CODE = cFWPM_CONDITION_IP_REMOTE_PORT
-)
-
-// 7bc43cbf-37ba-45f1-b74a-82ff518eeb10
-var cFWPM_CONDITION_L2_FLAGS = windows.GUID{
-	Data1: 0x7bc43cbf,
-	Data2: 0x37ba,
-	Data3: 0x45f1,
-	Data4: [8]byte{0xb7, 0x4a, 0x82, 0xff, 0x51, 0x8e, 0xeb, 0x10},
-}
-
-type wtFwpmL2Flags uint32
-
-const cFWP_CONDITION_L2_IS_VM2VM wtFwpmL2Flags = 0x00000010
-
-var cFWPM_CONDITION_FLAGS = windows.GUID{
-	Data1: 0x632ce23b,
-	Data2: 0x5167,
-	Data3: 0x435c,
-	Data4: [8]byte{0x86, 0xd7, 0xe9, 0x03, 0x68, 0x4a, 0xa8, 0x0c},
-}
-
-type wtFwpmFlags uint32
-
-const cFWP_CONDITION_FLAG_IS_LOOPBACK wtFwpmFlags = 0x00000001
-
-// Defined in fwpmtypes.h
-type wtFwpmFilterFlags uint32
-
-const (
-	cFWPM_FILTER_FLAG_NONE                                wtFwpmFilterFlags = 0x00000000
-	cFWPM_FILTER_FLAG_PERSISTENT                          wtFwpmFilterFlags = 0x00000001
-	cFWPM_FILTER_FLAG_BOOTTIME                            wtFwpmFilterFlags = 0x00000002
-	cFWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT                wtFwpmFilterFlags = 0x00000004
-	cFWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT                  wtFwpmFilterFlags = 0x00000008
-	cFWPM_FILTER_FLAG_PERMIT_IF_CALLOUT_UNREGISTERED      wtFwpmFilterFlags = 0x00000010
-	cFWPM_FILTER_FLAG_DISABLED                            wtFwpmFilterFlags = 0x00000020
-	cFWPM_FILTER_FLAG_INDEXED                             wtFwpmFilterFlags = 0x00000040
-	cFWPM_FILTER_FLAG_HAS_SECURITY_REALM_PROVIDER_CONTEXT wtFwpmFilterFlags = 0x00000080
-	cFWPM_FILTER_FLAG_SYSTEMOS_ONLY                       wtFwpmFilterFlags = 0x00000100
-	cFWPM_FILTER_FLAG_GAMEOS_ONLY                         wtFwpmFilterFlags = 0x00000200
-	cFWPM_FILTER_FLAG_SILENT_MODE                         wtFwpmFilterFlags = 0x00000400
-	cFWPM_FILTER_FLAG_IPSEC_NO_ACQUIRE_INITIATE           wtFwpmFilterFlags = 0x00000800
-)
-
-// FWPM_LAYER_ALE_AUTH_CONNECT_V4 (c38d57d1-05a7-4c33-904f-7fbceee60e82) defined in fwpmu.h
-var cFWPM_LAYER_ALE_AUTH_CONNECT_V4 = windows.GUID{
-	Data1: 0xc38d57d1,
-	Data2: 0x05a7,
-	Data3: 0x4c33,
-	Data4: [8]byte{0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82},
-}
-
-// e1cd9fe7-f4b5-4273-96c0-592e487b8650
-var cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 = windows.GUID{
-	Data1: 0xe1cd9fe7,
-	Data2: 0xf4b5,
-	Data3: 0x4273,
-	Data4: [8]byte{0x96, 0xc0, 0x59, 0x2e, 0x48, 0x7b, 0x86, 0x50},
-}
-
-// FWPM_LAYER_ALE_AUTH_CONNECT_V6 (4a72393b-319f-44bc-84c3-ba54dcb3b6b4) defined in fwpmu.h
-var cFWPM_LAYER_ALE_AUTH_CONNECT_V6 = windows.GUID{
-	Data1: 0x4a72393b,
-	Data2: 0x319f,
-	Data3: 0x44bc,
-	Data4: [8]byte{0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4},
-}
-
-// a3b42c97-9f04-4672-b87e-cee9c483257f
-var cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6 = windows.GUID{
-	Data1: 0xa3b42c97,
-	Data2: 0x9f04,
-	Data3: 0x4672,
-	Data4: [8]byte{0xb8, 0x7e, 0xce, 0xe9, 0xc4, 0x83, 0x25, 0x7f},
-}
-
-// 94c44912-9d6f-4ebf-b995-05ab8a088d1b
-var cFWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE = windows.GUID{
-	Data1: 0x94c44912,
-	Data2: 0x9d6f,
-	Data3: 0x4ebf,
-	Data4: [8]byte{0xb9, 0x95, 0x05, 0xab, 0x8a, 0x08, 0x8d, 0x1b},
-}
-
-// d4220bd3-62ce-4f08-ae88-b56e8526df50
-var cFWPM_LAYER_INBOUND_MAC_FRAME_NATIVE = windows.GUID{
-	Data1: 0xd4220bd3,
-	Data2: 0x62ce,
-	Data3: 0x4f08,
-	Data4: [8]byte{0xae, 0x88, 0xb5, 0x6e, 0x85, 0x26, 0xdf, 0x50},
-}
-
-// FWP_BITMAP_ARRAY64 defined in fwtypes.h
-type wtFwpBitmapArray64 struct {
-	bitmapArray64 [8]uint8 // Windows type: [8]UINT8
-}
-
-// FWP_BYTE_ARRAY6 defined in fwtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_array6_)
-type wtFwpByteArray6 struct {
-	byteArray6 [6]uint8 // Windows type: [6]UINT8
-}
-
-// FWP_BYTE_ARRAY16 defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_array16_)
-type wtFwpByteArray16 struct {
-	byteArray16 [16]uint8 // Windows type [16]UINT8
-}
-
-// FWP_CONDITION_VALUE0 defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_condition_value0).
-type wtFwpConditionValue0 wtFwpValue0
-
-// FWP_DATA_TYPE defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ne-fwptypes-fwp_data_type_)
-type wtFwpDataType uint
-
-const (
-	cFWP_EMPTY                         wtFwpDataType = 0
-	cFWP_UINT8                         wtFwpDataType = cFWP_EMPTY + 1
-	cFWP_UINT16                        wtFwpDataType = cFWP_UINT8 + 1
-	cFWP_UINT32                        wtFwpDataType = cFWP_UINT16 + 1
-	cFWP_UINT64                        wtFwpDataType = cFWP_UINT32 + 1
-	cFWP_INT8                          wtFwpDataType = cFWP_UINT64 + 1
-	cFWP_INT16                         wtFwpDataType = cFWP_INT8 + 1
-	cFWP_INT32                         wtFwpDataType = cFWP_INT16 + 1
-	cFWP_INT64                         wtFwpDataType = cFWP_INT32 + 1
-	cFWP_FLOAT                         wtFwpDataType = cFWP_INT64 + 1
-	cFWP_DOUBLE                        wtFwpDataType = cFWP_FLOAT + 1
-	cFWP_BYTE_ARRAY16_TYPE             wtFwpDataType = cFWP_DOUBLE + 1
-	cFWP_BYTE_BLOB_TYPE                wtFwpDataType = cFWP_BYTE_ARRAY16_TYPE + 1
-	cFWP_SID                           wtFwpDataType = cFWP_BYTE_BLOB_TYPE + 1
-	cFWP_SECURITY_DESCRIPTOR_TYPE      wtFwpDataType = cFWP_SID + 1
-	cFWP_TOKEN_INFORMATION_TYPE        wtFwpDataType = cFWP_SECURITY_DESCRIPTOR_TYPE + 1
-	cFWP_TOKEN_ACCESS_INFORMATION_TYPE wtFwpDataType = cFWP_TOKEN_INFORMATION_TYPE + 1
-	cFWP_UNICODE_STRING_TYPE           wtFwpDataType = cFWP_TOKEN_ACCESS_INFORMATION_TYPE + 1
-	cFWP_BYTE_ARRAY6_TYPE              wtFwpDataType = cFWP_UNICODE_STRING_TYPE + 1
-	cFWP_BITMAP_INDEX_TYPE             wtFwpDataType = cFWP_BYTE_ARRAY6_TYPE + 1
-	cFWP_BITMAP_ARRAY64_TYPE           wtFwpDataType = cFWP_BITMAP_INDEX_TYPE + 1
-	cFWP_SINGLE_DATA_TYPE_MAX          wtFwpDataType = 0xff
-	cFWP_V4_ADDR_MASK                  wtFwpDataType = cFWP_SINGLE_DATA_TYPE_MAX + 1
-	cFWP_V6_ADDR_MASK                  wtFwpDataType = cFWP_V4_ADDR_MASK + 1
-	cFWP_RANGE_TYPE                    wtFwpDataType = cFWP_V6_ADDR_MASK + 1
-	cFWP_DATA_TYPE_MAX                 wtFwpDataType = cFWP_RANGE_TYPE + 1
-)
-
-// FWP_V4_ADDR_AND_MASK defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_v4_addr_and_mask).
-type wtFwpV4AddrAndMask struct {
-	addr uint32
-	mask uint32
-}
-
-// FWP_V6_ADDR_AND_MASK defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_v6_addr_and_mask).
-type wtFwpV6AddrAndMask struct {
-	addr         [16]uint8
-	prefixLength uint8
-}
-
-// FWP_VALUE0 defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_value0_)
-type wtFwpValue0 struct {
-	_type wtFwpDataType
-	value uintptr
-}
-
-// FWPM_DISPLAY_DATA0 defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwpm_display_data0).
-type wtFwpmDisplayData0 struct {
-	name        *uint16 // Windows type: *wchar_t
-	description *uint16 // Windows type: *wchar_t
-}
-
-// FWPM_FILTER_CONDITION0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter_condition0).
-type wtFwpmFilterCondition0 struct {
-	fieldKey       windows.GUID // Windows type: GUID
-	matchType      wtFwpMatchType
-	conditionValue wtFwpConditionValue0
-}
-
-// FWPM_PROVIDER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_provider0_)
-type wtFwpProvider0 struct {
-	providerKey  windows.GUID // Windows type: GUID
-	displayData  wtFwpmDisplayData0
-	flags        uint32
-	providerData wtFwpByteBlob
-	serviceName  *uint16 // Windows type: *wchar_t
-}
-
-type wtFwpmSessionFlagsValue uint32
-
-const (
-	cFWPM_SESSION_FLAG_DYNAMIC wtFwpmSessionFlagsValue = 0x00000001 // FWPM_SESSION_FLAG_DYNAMIC defined in fwpmtypes.h
-)
-
-// FWPM_SESSION0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_session0).
-type wtFwpmSession0 struct {
-	sessionKey           windows.GUID // Windows type: GUID
-	displayData          wtFwpmDisplayData0
-	flags                wtFwpmSessionFlagsValue // Windows type UINT32
-	txnWaitTimeoutInMSec uint32
-	processId            uint32 // Windows type: DWORD
-	sid                  *windows.SID
-	username             *uint16 // Windows type: *wchar_t
-	kernelMode           uint8   // Windows type: BOOL
-}
-
-type wtFwpmSublayerFlags uint32
-
-const (
-	cFWPM_SUBLAYER_FLAG_PERSISTENT wtFwpmSublayerFlags = 0x00000001 // FWPM_SUBLAYER_FLAG_PERSISTENT defined in fwpmtypes.h
-)
-
-// FWPM_SUBLAYER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_sublayer0_)
-type wtFwpmSublayer0 struct {
-	subLayerKey  windows.GUID // Windows type: GUID
-	displayData  wtFwpmDisplayData0
-	flags        wtFwpmSublayerFlags
-	providerKey  *windows.GUID // Windows type: *GUID
-	providerData wtFwpByteBlob
-	weight       uint16
-}
-
-// Defined in rpcdce.h
-type wtRpcCAuthN uint32
-
-const (
-	cRPC_C_AUTHN_NONE    wtRpcCAuthN = 0
-	cRPC_C_AUTHN_WINNT   wtRpcCAuthN = 10
-	cRPC_C_AUTHN_DEFAULT wtRpcCAuthN = 0xFFFFFFFF
-)
-
-// FWPM_PROVIDER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/sv-se/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_provider0).
-type wtFwpmProvider0 struct {
-	providerKey  windows.GUID
-	displayData  wtFwpmDisplayData0
-	flags        uint32
-	providerData wtFwpByteBlob
-	serviceName  *uint16
-}
-
-type wtIPProto uint32
-
-const (
-	cIPPROTO_ICMP   wtIPProto = 1
-	cIPPROTO_ICMPV6 wtIPProto = 58
-	cIPPROTO_TCP    wtIPProto = 6
-	cIPPROTO_UDP    wtIPProto = 17
-)
-
-const (
-	cFWP_ACTRL_MATCH_FILTER = 1
-)
--- a/client/internal/dns/dnsfw/types_windows_32.go
+++ b/client/internal/dns/dnsfw/types_windows_32.go
@@ -1,92 +0,0 @@
-//go:build windows && (386 || arm)
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/types_windows_32.go.
- */
-
-package dnsfw
-
-import "golang.org/x/sys/windows"
-
-const (
-	wtFwpByteBlob_Size        = 8
-	wtFwpByteBlob_data_Offset = 4
-
-	wtFwpConditionValue0_Size         = 8
-	wtFwpConditionValue0_uint8_Offset = 4
-
-	wtFwpmDisplayData0_Size               = 8
-	wtFwpmDisplayData0_description_Offset = 4
-
-	wtFwpmFilter0_Size                       = 152
-	wtFwpmFilter0_displayData_Offset         = 16
-	wtFwpmFilter0_flags_Offset               = 24
-	wtFwpmFilter0_providerKey_Offset         = 28
-	wtFwpmFilter0_providerData_Offset        = 32
-	wtFwpmFilter0_layerKey_Offset            = 40
-	wtFwpmFilter0_subLayerKey_Offset         = 56
-	wtFwpmFilter0_weight_Offset              = 72
-	wtFwpmFilter0_numFilterConditions_Offset = 80
-	wtFwpmFilter0_filterCondition_Offset     = 84
-	wtFwpmFilter0_action_Offset              = 88
-	wtFwpmFilter0_providerContextKey_Offset  = 112
-	wtFwpmFilter0_reserved_Offset            = 128
-	wtFwpmFilter0_filterID_Offset            = 136
-	wtFwpmFilter0_effectiveWeight_Offset     = 144
-
-	wtFwpmFilterCondition0_Size                  = 28
-	wtFwpmFilterCondition0_matchType_Offset      = 16
-	wtFwpmFilterCondition0_conditionValue_Offset = 20
-
-	wtFwpmSession0_Size                        = 48
-	wtFwpmSession0_displayData_Offset          = 16
-	wtFwpmSession0_flags_Offset                = 24
-	wtFwpmSession0_txnWaitTimeoutInMSec_Offset = 28
-	wtFwpmSession0_processId_Offset            = 32
-	wtFwpmSession0_sid_Offset                  = 36
-	wtFwpmSession0_username_Offset             = 40
-	wtFwpmSession0_kernelMode_Offset           = 44
-
-	wtFwpmSublayer0_Size                = 44
-	wtFwpmSublayer0_displayData_Offset  = 16
-	wtFwpmSublayer0_flags_Offset        = 24
-	wtFwpmSublayer0_providerKey_Offset  = 28
-	wtFwpmSublayer0_providerData_Offset = 32
-	wtFwpmSublayer0_weight_Offset       = 40
-
-	wtFwpProvider0_Size                = 40
-	wtFwpProvider0_displayData_Offset  = 16
-	wtFwpProvider0_flags_Offset        = 24
-	wtFwpProvider0_providerData_Offset = 28
-	wtFwpProvider0_serviceName_Offset  = 36
-
-	wtFwpTokenInformation_Size = 16
-
-	wtFwpValue0_Size         = 8
-	wtFwpValue0_value_Offset = 4
-)
-
-// FWPM_FILTER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter0).
-type wtFwpmFilter0 struct {
-	filterKey           windows.GUID // Windows type: GUID
-	displayData         wtFwpmDisplayData0
-	flags               wtFwpmFilterFlags
-	providerKey         *windows.GUID // Windows type: *GUID
-	providerData        wtFwpByteBlob
-	layerKey            windows.GUID // Windows type: GUID
-	subLayerKey         windows.GUID // Windows type: GUID
-	weight              wtFwpValue0
-	numFilterConditions uint32
-	filterCondition     *wtFwpmFilterCondition0
-	action              wtFwpmAction0
-	offset1             [4]byte       // Layout correction field
-	providerContextKey  windows.GUID  // Windows type: GUID
-	reserved            *windows.GUID // Windows type: *GUID
-	offset2             [4]byte       // Layout correction field
-	filterID            uint64
-	effectiveWeight     wtFwpValue0
-}
--- a/client/internal/dns/dnsfw/types_windows_64.go
+++ b/client/internal/dns/dnsfw/types_windows_64.go
@@ -1,89 +0,0 @@
-//go:build windows && (amd64 || arm64)
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/types_windows_64.go.
- */
-
-package dnsfw
-
-import "golang.org/x/sys/windows"
-
-const (
-	wtFwpByteBlob_Size        = 16
-	wtFwpByteBlob_data_Offset = 8
-
-	wtFwpConditionValue0_Size         = 16
-	wtFwpConditionValue0_uint8_Offset = 8
-
-	wtFwpmDisplayData0_Size               = 16
-	wtFwpmDisplayData0_description_Offset = 8
-
-	wtFwpmFilter0_Size                       = 200
-	wtFwpmFilter0_displayData_Offset         = 16
-	wtFwpmFilter0_flags_Offset               = 32
-	wtFwpmFilter0_providerKey_Offset         = 40
-	wtFwpmFilter0_providerData_Offset        = 48
-	wtFwpmFilter0_layerKey_Offset            = 64
-	wtFwpmFilter0_subLayerKey_Offset         = 80
-	wtFwpmFilter0_weight_Offset              = 96
-	wtFwpmFilter0_numFilterConditions_Offset = 112
-	wtFwpmFilter0_filterCondition_Offset     = 120
-	wtFwpmFilter0_action_Offset              = 128
-	wtFwpmFilter0_providerContextKey_Offset  = 152
-	wtFwpmFilter0_reserved_Offset            = 168
-	wtFwpmFilter0_filterID_Offset            = 176
-	wtFwpmFilter0_effectiveWeight_Offset     = 184
-
-	wtFwpmFilterCondition0_Size                  = 40
-	wtFwpmFilterCondition0_matchType_Offset      = 16
-	wtFwpmFilterCondition0_conditionValue_Offset = 24
-
-	wtFwpmSession0_Size                        = 72
-	wtFwpmSession0_displayData_Offset          = 16
-	wtFwpmSession0_flags_Offset                = 32
-	wtFwpmSession0_txnWaitTimeoutInMSec_Offset = 36
-	wtFwpmSession0_processId_Offset            = 40
-	wtFwpmSession0_sid_Offset                  = 48
-	wtFwpmSession0_username_Offset             = 56
-	wtFwpmSession0_kernelMode_Offset           = 64
-
-	wtFwpmSublayer0_Size                = 72
-	wtFwpmSublayer0_displayData_Offset  = 16
-	wtFwpmSublayer0_flags_Offset        = 32
-	wtFwpmSublayer0_providerKey_Offset  = 40
-	wtFwpmSublayer0_providerData_Offset = 48
-	wtFwpmSublayer0_weight_Offset       = 64
-
-	wtFwpProvider0_Size                = 64
-	wtFwpProvider0_displayData_Offset  = 16
-	wtFwpProvider0_flags_Offset        = 32
-	wtFwpProvider0_providerData_Offset = 40
-	wtFwpProvider0_serviceName_Offset  = 56
-
-	wtFwpValue0_Size         = 16
-	wtFwpValue0_value_Offset = 8
-)
-
-// FWPM_FILTER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter0).
-type wtFwpmFilter0 struct {
-	filterKey           windows.GUID // Windows type: GUID
-	displayData         wtFwpmDisplayData0
-	flags               wtFwpmFilterFlags // Windows type: UINT32
-	providerKey         *windows.GUID     // Windows type: *GUID
-	providerData        wtFwpByteBlob
-	layerKey            windows.GUID // Windows type: GUID
-	subLayerKey         windows.GUID // Windows type: GUID
-	weight              wtFwpValue0
-	numFilterConditions uint32
-	filterCondition     *wtFwpmFilterCondition0
-	action              wtFwpmAction0
-	offset1             [4]byte       // Layout correction field
-	providerContextKey  windows.GUID  // Windows type: GUID
-	reserved            *windows.GUID // Windows type: *GUID
-	filterID            uint64
-	effectiveWeight     wtFwpValue0
-}
--- a/client/internal/dns/dnsfw/zsyscall_windows.go
+++ b/client/internal/dns/dnsfw/zsyscall_windows.go
@@ -1,130 +0,0 @@
-// Code generated by 'go generate'; DO NOT EDIT.
-
-package dnsfw
-
-import (
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-var _ unsafe.Pointer
-
-// Do the interface allocations only once for common
-// Errno values.
-const (
-	errnoERROR_IO_PENDING = 997
-)
-
-var (
-	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
-	errERROR_EINVAL     error = syscall.EINVAL
-)
-
-// errnoErr returns common boxed Errno values, to prevent
-// allocations at runtime.
-func errnoErr(e syscall.Errno) error {
-	switch e {
-	case 0:
-		return errERROR_EINVAL
-	case errnoERROR_IO_PENDING:
-		return errERROR_IO_PENDING
-	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
-	return e
-}
-
-var (
-	modfwpuclnt = windows.NewLazySystemDLL("fwpuclnt.dll")
-
-	procFwpmEngineClose0          = modfwpuclnt.NewProc("FwpmEngineClose0")
-	procFwpmEngineOpen0           = modfwpuclnt.NewProc("FwpmEngineOpen0")
-	procFwpmFilterAdd0            = modfwpuclnt.NewProc("FwpmFilterAdd0")
-	procFwpmFreeMemory0           = modfwpuclnt.NewProc("FwpmFreeMemory0")
-	procFwpmGetAppIdFromFileName0 = modfwpuclnt.NewProc("FwpmGetAppIdFromFileName0")
-	procFwpmProviderAdd0          = modfwpuclnt.NewProc("FwpmProviderAdd0")
-	procFwpmSubLayerAdd0          = modfwpuclnt.NewProc("FwpmSubLayerAdd0")
-	procFwpmTransactionAbort0     = modfwpuclnt.NewProc("FwpmTransactionAbort0")
-	procFwpmTransactionBegin0     = modfwpuclnt.NewProc("FwpmTransactionBegin0")
-	procFwpmTransactionCommit0    = modfwpuclnt.NewProc("FwpmTransactionCommit0")
-)
-
-func fwpmEngineClose0(engineHandle uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmEngineClose0.Addr(), 1, uintptr(engineHandle), 0, 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmEngineOpen0(serverName *uint16, authnService wtRpcCAuthN, authIdentity *uintptr, session *wtFwpmSession0, engineHandle unsafe.Pointer) (err error) {
-	r1, _, e1 := syscall.Syscall6(procFwpmEngineOpen0.Addr(), 5, uintptr(unsafe.Pointer(serverName)), uintptr(authnService), uintptr(unsafe.Pointer(authIdentity)), uintptr(unsafe.Pointer(session)), uintptr(engineHandle), 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmFilterAdd0(engineHandle uintptr, filter *wtFwpmFilter0, sd uintptr, id *uint64) (err error) {
-	r1, _, e1 := syscall.Syscall6(procFwpmFilterAdd0.Addr(), 4, uintptr(engineHandle), uintptr(unsafe.Pointer(filter)), uintptr(sd), uintptr(unsafe.Pointer(id)), 0, 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmFreeMemory0(p unsafe.Pointer) {
-	syscall.Syscall(procFwpmFreeMemory0.Addr(), 1, uintptr(p), 0, 0)
-	return
-}
-
-func fwpmGetAppIdFromFileName0(fileName *uint16, appID unsafe.Pointer) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmGetAppIdFromFileName0.Addr(), 2, uintptr(unsafe.Pointer(fileName)), uintptr(appID), 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmProviderAdd0(engineHandle uintptr, provider *wtFwpmProvider0, sd uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmProviderAdd0.Addr(), 3, uintptr(engineHandle), uintptr(unsafe.Pointer(provider)), uintptr(sd))
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmSubLayerAdd0(engineHandle uintptr, subLayer *wtFwpmSublayer0, sd uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmSubLayerAdd0.Addr(), 3, uintptr(engineHandle), uintptr(unsafe.Pointer(subLayer)), uintptr(sd))
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmTransactionAbort0(engineHandle uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmTransactionAbort0.Addr(), 1, uintptr(engineHandle), 0, 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmTransactionBegin0(engineHandle uintptr, flags uint32) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmTransactionBegin0.Addr(), 2, uintptr(engineHandle), uintptr(flags), 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmTransactionCommit0(engineHandle uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmTransactionCommit0.Addr(), 1, uintptr(engineHandle), 0, 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@@ -17,7 +17,6 @@ import (
 	"golang.org/x/sys/windows/registry"

 	nberrors "github.com/netbirdio/netbird/client/errors"
-	"github.com/netbirdio/netbird/client/internal/dns/dnsfw"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/winregistry"
 )
@@ -75,7 +74,6 @@ type registryConfigurator struct {
 	routingAll      bool
 	gpo             bool
 	nrptEntryCount  int
-	dnsFirewall     dnsfw.Manager
 	origNameservers []netip.Addr
 }

@@ -96,9 +94,8 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 	}

 	configurator := &registryConfigurator{
-		guid:        guid,
-		gpo:         useGPO,
-		dnsFirewall: dnsfw.New(),
+		guid: guid,
+		gpo:  useGPO,
 	}

 	origNameservers, err := configurator.captureOriginalNameservers()
@@ -279,8 +276,16 @@ func (r *registryConfigurator) disableWINSForInterface() error {
 }

 func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
-	if err := r.applyRouteAll(config); err != nil {
-		return err
+	if config.RouteAll {
+		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
+			return fmt.Errorf("add dns setup: %w", err)
+		}
+	} else if r.routingAll {
+		if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey); err != nil {
+			return fmt.Errorf("delete interface registry key property: %w", err)
+		}
+		r.routingAll = false
+		log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
 	}

 	r.updateState(stateManager)
@@ -296,13 +301,6 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		matchDomains = append(matchDomains, "."+strings.TrimSuffix(dConf.Domain, "."))
 	}

-	// In RouteAll mode, install an NRPT root-zone rule so the system DNS client
-	// steers every query to the NetBird resolver even if the per-interface
-	// NameServer setting is bypassed or overridden by another adapter.
-	if config.RouteAll {
-		matchDomains = append(matchDomains, ".")
-	}
-
 	if err := r.removeDNSMatchPolicies(); err != nil {
 		log.Errorf("cleanup old dns match policies: %s", err)
 	}
@@ -329,35 +327,6 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 	return nil
 }

-func (r *registryConfigurator) applyRouteAll(config HostDNSConfig) error {
-	if config.RouteAll {
-		if err := r.dnsFirewall.Enable(r.guid, config.ServerIP); err != nil {
-			return fmt.Errorf("dns firewall: %w", err)
-		}
-		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
-			merr := multierror.Append(nil, fmt.Errorf("add dns setup: %w", err))
-			if dErr := r.dnsFirewall.Disable(); dErr != nil {
-				merr = multierror.Append(merr, fmt.Errorf("rollback dns firewall: %w", dErr))
-			}
-			return nberrors.FormatErrorOrNil(merr)
-		}
-		return nil
-	}
-
-	if err := r.dnsFirewall.Disable(); err != nil {
-		log.Errorf("disable dns firewall: %v", err)
-	}
-	if !r.routingAll {
-		return nil
-	}
-	if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey); err != nil {
-		return fmt.Errorf("delete interface registry key property: %w", err)
-	}
-	r.routingAll = false
-	log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
-	return nil
-}
-
 func (r *registryConfigurator) updateState(stateManager *statemanager.Manager) {
 	if err := stateManager.UpdateState(&ShutdownState{
 		Guid:           r.guid,
@@ -544,10 +513,6 @@ func (r *registryConfigurator) restoreHostDNS() error {
 		return fmt.Errorf("remove interface registry key: %w", err)
 	}

-	if err := r.dnsFirewall.Disable(); err != nil {
-		log.Errorf("disable dns firewall: %v", err)
-	}
-
 	go r.flushDNSCache()

 	return nil
--- a/client/internal/dns/host_windows_test.go
+++ b/client/internal/dns/host_windows_test.go
@@ -8,8 +8,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sys/windows/registry"
-
-	"github.com/netbirdio/netbird/client/internal/dns/dnsfw"
 )

 // TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
@@ -36,9 +34,8 @@ func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 	}()

 	cfg := &registryConfigurator{
-		guid:        testGUID,
-		gpo:         false,
-		dnsFirewall: dnsfw.New(),
+		guid: testGUID,
+		gpo:  false,
 	}

 	// Create 125 domains which will result in 3 NRPT rules (50+50+25)
@@ -137,9 +134,8 @@ func TestNRPTDomainBatching(t *testing.T) {
 	}()

 	cfg := &registryConfigurator{
-		guid:        testGUID,
-		gpo:         false,
-		dnsFirewall: dnsfw.New(),
+		guid: testGUID,
+		gpo:  false,
 	}

 	testCases := []struct {
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -35,6 +35,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/acl"
+	"github.com/netbirdio/netbird/client/internal/auth/sessionwatch"
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
@@ -250,6 +251,8 @@ type Engine struct {
 	jobExecutorWG sync.WaitGroup

 	exposeManager *expose.Manager
+
+	sessionWatcher *sessionwatch.Watcher
 }

 // Peer is an instance of the Connection Peer
@@ -293,6 +296,17 @@ func NewEngine(
 		clientMetrics:      services.ClientMetrics,
 		updateManager:      services.UpdateManager,
 	}
+	// sessionWatcher keeps the SubscribeStatus consumers in sync with the
+	// session expiry deadline. Deadline-change ticks come for free via
+	// Status.SetSessionExpiresAt; the watcher exists to push a wake-up at
+	// T-WarningLead and T-FinalWarningLead so the UI repaints the remaining
+	// time / warning state even when nothing else changed, and to publish
+	// two SystemEvents (the warning composition lives in sessionwatch so
+	// the wire format stays owned by one package):
+	//   - T-WarningLead   → interactive "Extend now / Dismiss" notification
+	//   - T-FinalWarningLead → auto-opened SessionAboutToExpire dialog,
+	//     suppressed when the user dismissed the earlier warning
+	engine.sessionWatcher = sessionwatch.New(engine.statusRecorder)

 	log.Infof("I am: %s", config.WgPrivateKey.PublicKey().String())
 	return engine
@@ -333,6 +347,10 @@ func (e *Engine) Stop() error {
 		e.srWatcher.Close()
 	}

+	if e.sessionWatcher != nil {
+		e.sessionWatcher.Close()
+	}
+
 	if e.updateManager != nil {
 		e.updateManager.SetDownloadOnly()
 	}
@@ -865,6 +883,8 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 		return e.ctx.Err()
 	}

+	e.ApplySessionDeadline(update.GetSessionExpiresAt())
+
 	if update.NetworkMap != nil && update.NetworkMap.PeerConfig != nil {
 		e.handleAutoUpdateVersion(update.NetworkMap.PeerConfig.AutoUpdate)
 	}
--- a/client/internal/engine_authsession.go
+++ b/client/internal/engine_authsession.go
@@ -0,0 +1,97 @@
+package internal
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/netbirdio/netbird/client/system"
+)
+
+// ApplySessionDeadline propagates the absolute SSO session deadline carried on
+// LoginResponse / SyncResponse to both the watcher (for the edge-triggered
+// warning) and the status recorder (for the SubscribeStatus / Status RPC
+// snapshot the UI consumes).
+//
+// The wire field is 3-state:
+//   - nil                        → snapshot carries no info; keep the
+//     previously-anchored deadline (no-op)
+//   - explicit zero (s=0, n=0)   → peer is not SSO-registered or expiry is
+//     disabled; clear both sinks
+//   - valid timestamp            → new deadline; arm watcher, expose on
+//     status recorder
+//
+// Deadline sanity-checks live in sessionwatch.Watcher.Update. Any rejected
+// value is treated as a clear on both sinks: the alternative — leaving the
+// previously-known deadline in place — risks the UI confidently displaying
+// a stale "expires in X" while the server has actually invalidated it.
+func (e *Engine) ApplySessionDeadline(ts *timestamppb.Timestamp) {
+	if ts == nil {
+		return
+	}
+	var deadline time.Time
+	// Explicit zero (seconds=0 AND nanos=0) is the sentinel for "disabled".
+	// Everything else flows through Watcher.Update, whose sanity-checks
+	// reject out-of-range / pre-epoch / far-future / too-stale values; the
+	// catch-block below converts any rejection into a clear.
+	if ts.GetSeconds() != 0 || ts.GetNanos() != 0 {
+		deadline = ts.AsTime().UTC()
+	}
+	if e.sessionWatcher != nil {
+		if err := e.sessionWatcher.Update(deadline); err != nil {
+			log.Errorf("auth session deadline rejected: %v, clearing", err)
+			deadline = time.Time{}
+		}
+	}
+	if e.statusRecorder != nil {
+		e.statusRecorder.SetSessionExpiresAt(deadline)
+	}
+}
+
+// DismissSessionWarning records the user's "Dismiss" click on the
+// T-WarningLead interactive notification and suppresses the upcoming
+// T-FinalWarningLead fallback for the current deadline. No-op when the
+// watcher is not running or holds no deadline.
+func (e *Engine) DismissSessionWarning() {
+	if e.sessionWatcher == nil {
+		return
+	}
+	e.sessionWatcher.Dismiss()
+}
+
+// ExtendAuthSession asks the management server to refresh the SSO session
+// expiry deadline using the supplied JWT, then mirrors the new deadline into
+// the daemon's state. The tunnel is untouched; no resync, no reconnect.
+//
+// Returns the new absolute UTC deadline (or zero time when the server
+// reports the peer is not eligible for extension).
+func (e *Engine) ExtendAuthSession(ctx context.Context, jwtToken string) (time.Time, error) {
+	if jwtToken == "" {
+		return time.Time{}, errors.New("jwt token is required")
+	}
+	if e.mgmClient == nil {
+		return time.Time{}, errors.New("management client is not initialised")
+	}
+
+	info, err := system.GetInfoWithChecks(ctx, e.checks)
+	if err != nil {
+		log.Warnf("failed to collect system info for session extend: %v", err)
+		info = system.GetInfo(ctx)
+	}
+
+	resp, err := e.mgmClient.ExtendAuthSession(info, jwtToken)
+	if err != nil {
+		return time.Time{}, fmt.Errorf("extend auth session on management: %w", err)
+	}
+
+	e.ApplySessionDeadline(resp.GetSessionExpiresAt())
+
+	if resp.GetSessionExpiresAt().IsValid() {
+		return resp.GetSessionExpiresAt().AsTime().UTC(), nil
+	}
+	return time.Time{}, nil
+}
--- a/client/internal/engine_session_deadline_test.go
+++ b/client/internal/engine_session_deadline_test.go
@@ -0,0 +1,78 @@
+package internal
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/netbirdio/netbird/client/internal/auth/sessionwatch"
+	"github.com/netbirdio/netbird/client/internal/peer"
+)
+
+// TestApplySessionDeadline_ThreeState pins down the 3-state semantics of the
+// wire field carried on LoginResponse / SyncResponse:
+//
+//   - nil pointer            → no info; previously-anchored deadline survives
+//   - explicit zero value    → "expiry disabled" sentinel; both sinks cleared
+//   - valid future timestamp → new deadline propagated to both sinks
+func TestApplySessionDeadline_ThreeState(t *testing.T) {
+	newEngine := func() *Engine {
+		recorder := peer.NewRecorder("")
+		return &Engine{
+			statusRecorder: recorder,
+			sessionWatcher: sessionwatch.New(recorder),
+		}
+	}
+
+	t.Run("valid timestamp sets deadline on both sinks", func(t *testing.T) {
+		e := newEngine()
+		deadline := time.Now().Add(time.Hour).UTC().Truncate(time.Second)
+
+		e.ApplySessionDeadline(timestamppb.New(deadline))
+
+		require.True(t, e.statusRecorder.GetSessionExpiresAt().Equal(deadline),
+			"status recorder should hold the new deadline")
+	})
+
+	t.Run("nil is a no-op and preserves previous deadline", func(t *testing.T) {
+		e := newEngine()
+		seeded := time.Now().Add(time.Hour).UTC().Truncate(time.Second)
+		e.ApplySessionDeadline(timestamppb.New(seeded))
+		require.True(t, e.statusRecorder.GetSessionExpiresAt().Equal(seeded))
+
+		e.ApplySessionDeadline(nil)
+
+		require.True(t, e.statusRecorder.GetSessionExpiresAt().Equal(seeded),
+			"nil snapshot must not disturb the existing deadline")
+	})
+
+	t.Run("explicit zero clears a previously-anchored deadline", func(t *testing.T) {
+		e := newEngine()
+		seeded := time.Now().Add(time.Hour).UTC().Truncate(time.Second)
+		e.ApplySessionDeadline(timestamppb.New(seeded))
+		require.True(t, e.statusRecorder.GetSessionExpiresAt().Equal(seeded))
+
+		// Explicit zero Timestamp{} (seconds=0, nanos=0) is the
+		// "expiry disabled / not SSO" sentinel.
+		e.ApplySessionDeadline(&timestamppb.Timestamp{})
+
+		require.True(t, e.statusRecorder.GetSessionExpiresAt().IsZero(),
+			"explicit zero sentinel must clear the deadline")
+	})
+
+	t.Run("invalid timestamp clears the deadline", func(t *testing.T) {
+		e := newEngine()
+		seeded := time.Now().Add(time.Hour).UTC().Truncate(time.Second)
+		e.ApplySessionDeadline(timestamppb.New(seeded))
+		require.True(t, e.statusRecorder.GetSessionExpiresAt().Equal(seeded))
+
+		// Out-of-range nanos → IsValid()==false; same-meaning as the
+		// disabled sentinel for downstream sinks.
+		e.ApplySessionDeadline(&timestamppb.Timestamp{Seconds: 1, Nanos: -1})
+
+		require.True(t, e.statusRecorder.GetSessionExpiresAt().IsZero(),
+			"invalid timestamp must clear the deadline")
+	})
+}
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -202,6 +202,12 @@ type Status struct {
 	notifier              *notifier
 	rosenpassEnabled      bool
 	rosenpassPermissive   bool
+	// sessionExpiresAt is the absolute UTC instant at which the peer's SSO
+	// session expires. Zero when the peer is not SSO-tracked or login
+	// expiration is disabled. Populated from management LoginResponse /
+	// SyncResponse and exposed via the daemon's Status / SubscribeStatus RPC
+	// so the UI can show remaining time without itself talking to mgm.
+	sessionExpiresAt      time.Time
 	nsGroupStates         []NSGroupState
 	resolvedDomainsStates map[domain.Domain]ResolvedDomainInfo
 	lazyConnectionEnabled bool
@@ -217,6 +223,14 @@ type Status struct {
 	eventStreams map[string]chan *proto.SystemEvent
 	eventQueue   *EventQueue

+	// stateChangeStreams fan-out connection-state changes (connected /
+	// disconnected / connecting / address change / peers list change) to
+	// every active SubscribeStatus gRPC stream. Each subscriber gets a
+	// buffered chan; the notifier non-blockingly pings them so a slow
+	// consumer can never stall the daemon.
+	stateChangeMux     sync.Mutex
+	stateChangeStreams map[string]chan struct{}
+
 	ingressGwMgr *ingressgw.Manager

 	routeIDLookup routeIDLookup
@@ -230,6 +244,7 @@ func NewRecorder(mgmAddress string) *Status {
 		changeNotify:          make(map[string]map[string]*StatusChangeSubscription),
 		eventStreams:          make(map[string]chan *proto.SystemEvent),
 		eventQueue:            NewEventQueue(eventQueueSize),
+		stateChangeStreams:    make(map[string]chan struct{}),
 		offlinePeers:          make([]State, 0),
 		notifier:              newNotifier(),
 		mgmAddress:            mgmAddress,
@@ -360,6 +375,7 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
+	d.notifyStateChange()
 	return nil
 }

@@ -385,6 +401,7 @@ func (d *Status) AddPeerStateRoute(peer string, route string, resourceId route.R

 	// todo: consider to make sense of this notification or not
 	d.notifier.peerListChanged(numPeers)
+	d.notifyStateChange()
 	return nil
 }

@@ -410,6 +427,7 @@ func (d *Status) RemovePeerStateRoute(peer string, route string) error {

 	// todo: consider to make sense of this notification or not
 	d.notifier.peerListChanged(numPeers)
+	d.notifyStateChange()
 	return nil
 }

@@ -459,6 +477,7 @@ func (d *Status) UpdatePeerICEState(receivedState State) error {
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
+	d.notifyStateChange()
 	return nil
 }

@@ -495,6 +514,7 @@ func (d *Status) UpdatePeerRelayedState(receivedState State) error {
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
+	d.notifyStateChange()
 	return nil
 }

@@ -530,6 +550,7 @@ func (d *Status) UpdatePeerRelayedStateToDisconnected(receivedState State) error
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
+	d.notifyStateChange()
 	return nil
 }

@@ -568,6 +589,7 @@ func (d *Status) UpdatePeerICEStateToDisconnected(receivedState State) error {
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
+	d.notifyStateChange()
 	return nil
 }

@@ -661,6 +683,7 @@ func (d *Status) FinishPeerListModifications() {
 	for _, rd := range dispatches {
 		d.dispatchRouterPeers(rd.peerID, rd.snapshot)
 	}
+	d.notifyStateChange()
 }

 func (d *Status) SubscribeToPeerStateChanges(ctx context.Context, peerID string) *StatusChangeSubscription {
@@ -719,6 +742,32 @@ func (d *Status) UpdateLocalPeerState(localPeerState LocalPeerState) {
 	d.mux.Unlock()

 	d.notifier.localAddressChanged(fqdn, ip)
+	d.notifyStateChange()
+}
+
+// SetSessionExpiresAt records the absolute UTC instant at which the peer's
+// SSO session is set to expire. Pass the zero value to clear (e.g. when the
+// management server stops publishing a deadline because login expiration was
+// disabled or the peer is not SSO-tracked). Same-value updates are no-ops;
+// real changes fan out via notifyStateChange so SubscribeStatus consumers
+// pick up the new deadline on their next read.
+func (d *Status) SetSessionExpiresAt(deadline time.Time) {
+	d.mux.Lock()
+	if d.sessionExpiresAt.Equal(deadline) {
+		d.mux.Unlock()
+		return
+	}
+	d.sessionExpiresAt = deadline
+	d.mux.Unlock()
+	d.notifyStateChange()
+}
+
+// GetSessionExpiresAt returns the most recently recorded SSO session deadline,
+// or the zero value when no deadline is tracked.
+func (d *Status) GetSessionExpiresAt() time.Time {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	return d.sessionExpiresAt
 }

 // AddLocalPeerStateRoute adds a route to the local peer state
@@ -787,6 +836,7 @@ func (d *Status) CleanLocalPeerState() {
 	d.mux.Unlock()

 	d.notifier.localAddressChanged(fqdn, ip)
+	d.notifyStateChange()
 }

 // MarkManagementDisconnected sets ManagementState to disconnected
@@ -799,6 +849,7 @@ func (d *Status) MarkManagementDisconnected(err error) {
 	d.mux.Unlock()

 	d.notifier.updateServerStates(mgm, sig)
+	d.notifyStateChange()
 }

 // MarkManagementConnected sets ManagementState to connected
@@ -811,6 +862,7 @@ func (d *Status) MarkManagementConnected() {
 	d.mux.Unlock()

 	d.notifier.updateServerStates(mgm, sig)
+	d.notifyStateChange()
 }

 // UpdateSignalAddress update the address of the signal server
@@ -851,6 +903,7 @@ func (d *Status) MarkSignalDisconnected(err error) {
 	d.mux.Unlock()

 	d.notifier.updateServerStates(mgm, sig)
+	d.notifyStateChange()
 }

 // MarkSignalConnected sets SignalState to connected
@@ -863,6 +916,7 @@ func (d *Status) MarkSignalConnected() {
 	d.mux.Unlock()

 	d.notifier.updateServerStates(mgm, sig)
+	d.notifyStateChange()
 }

 func (d *Status) UpdateRelayStates(relayResults []relay.ProbeResult) {
@@ -1060,16 +1114,19 @@ func (d *Status) GetFullStatus() FullStatus {
 // ClientStart will notify all listeners about the new service state
 func (d *Status) ClientStart() {
 	d.notifier.clientStart()
+	d.notifyStateChange()
 }

 // ClientStop will notify all listeners about the new service state
 func (d *Status) ClientStop() {
 	d.notifier.clientStop()
+	d.notifyStateChange()
 }

 // ClientTeardown will notify all listeners about the service is under teardown
 func (d *Status) ClientTeardown() {
 	d.notifier.clientTearDown()
+	d.notifyStateChange()
 }

 // SetConnectionListener set a listener to the notifier
@@ -1211,6 +1268,62 @@ func (d *Status) GetEventHistory() []*proto.SystemEvent {
 	return d.eventQueue.GetAll()
 }

+// SubscribeToStateChanges hands back a channel that receives a tick on
+// every connection-state change (connected / disconnected / connecting /
+// address change / peers-list change). The channel is buffered to one
+// pending tick so a coalesced burst still wakes the consumer exactly
+// once. Pass the returned id to UnsubscribeFromStateChanges to detach.
+func (d *Status) SubscribeToStateChanges() (string, <-chan struct{}) {
+	d.stateChangeMux.Lock()
+	defer d.stateChangeMux.Unlock()
+
+	id := uuid.New().String()
+	ch := make(chan struct{}, 1)
+	d.stateChangeStreams[id] = ch
+	return id, ch
+}
+
+// UnsubscribeFromStateChanges releases a SubscribeToStateChanges channel
+// and closes it so any consumer goroutine selecting on the channel
+// unblocks cleanly.
+func (d *Status) UnsubscribeFromStateChanges(id string) {
+	d.stateChangeMux.Lock()
+	defer d.stateChangeMux.Unlock()
+
+	if ch, ok := d.stateChangeStreams[id]; ok {
+		close(ch)
+		delete(d.stateChangeStreams, id)
+	}
+}
+
+// notifyStateChange wakes every SubscribeToStateChanges subscriber. Drops
+// the tick if a subscriber's buffer is full — by definition the consumer
+// is already going to fetch the latest snapshot, so multiple pending ticks
+// would be redundant.
+func (d *Status) notifyStateChange() {
+	d.stateChangeMux.Lock()
+	defer d.stateChangeMux.Unlock()
+
+	for _, ch := range d.stateChangeStreams {
+		select {
+		case ch <- struct{}{}:
+		default:
+		}
+	}
+}
+
+// NotifyStateChange is the public wake-the-subscribers entry point used by
+// callers that mutate state outside the peer recorder — most importantly
+// the connect-state machine, which writes StatusNeedsLogin into the
+// shared contextState (client/internal/state.go) without touching any
+// recorder field. Without this push the SubscribeStatus stream stays on
+// the previous snapshot until an unrelated peer/management/signal
+// change happens to fire notifyStateChange, leaving the UI's status
+// out of sync with the daemon.
+func (d *Status) NotifyStateChange() {
+	d.notifyStateChange()
+}
+
 func (d *Status) SetWgIface(wgInterface WGIfaceStatus) {
 	d.mux.Lock()
 	defer d.mux.Unlock()
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -738,7 +738,10 @@ func (m *DefaultManager) collectExitNodeInfo(clientRoutes route.HAMap) exitNodeI
 }

 func (m *DefaultManager) isExitNodeRoute(routes []*route.Route) bool {
-	return len(routes) > 0 && routes[0].Network.String() == vars.ExitNodeCIDR
+	if len(routes) == 0 {
+		return false
+	}
+	return route.IsV4DefaultRoute(routes[0].Network) || route.IsV6DefaultRoute(routes[0].Network)
 }

 func (m *DefaultManager) categorizeUserSelection(netID route.NetID, info *exitNodeInfo) {
--- a/client/internal/routeselector/routeselector.go
+++ b/client/internal/routeselector/routeselector.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"slices"
+	"strings"
 	"sync"

 	"github.com/hashicorp/go-multierror"
@@ -12,10 +13,6 @@ import (
 	"github.com/netbirdio/netbird/route"
 )

-const (
-	exitNodeCIDR = "0.0.0.0/0"
-)
-
 type RouteSelector struct {
 	mu               sync.RWMutex
 	deselectedRoutes map[route.NetID]struct{}
@@ -124,13 +121,7 @@ func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
 	rs.mu.RLock()
 	defer rs.mu.RUnlock()

-	if rs.deselectAll {
-		return false
-	}
-
-	_, deselected := rs.deselectedRoutes[routeID]
-	isSelected := !deselected
-	return isSelected
+	return rs.isSelectedLocked(routeID)
 }

 // FilterSelected removes unselected routes from the provided map.
@@ -144,23 +135,22 @@ func (rs *RouteSelector) FilterSelected(routes route.HAMap) route.HAMap {

 	filtered := route.HAMap{}
 	for id, rt := range routes {
-		netID := id.NetID()
-		_, deselected := rs.deselectedRoutes[netID]
-		if !deselected {
+		if !rs.isDeselectedLocked(id.NetID()) {
 			filtered[id] = rt
 		}
 	}
 	return filtered
 }

-// HasUserSelectionForRoute returns true if the user has explicitly selected or deselected this specific route
+// HasUserSelectionForRoute returns true if the user has explicitly selected or deselected this route.
+// Intended for exit-node code paths: a v6 exit-node pair (e.g. "MyExit-v6") with no explicit state of
+// its own inherits its v4 base's state, so legacy persisted selections that predate v6 pairing
+// transparently apply to the synthesized v6 entry.
 func (rs *RouteSelector) HasUserSelectionForRoute(routeID route.NetID) bool {
 	rs.mu.RLock()
 	defer rs.mu.RUnlock()

-	_, selected := rs.selectedRoutes[routeID]
-	_, deselected := rs.deselectedRoutes[routeID]
-	return selected || deselected
+	return rs.hasUserSelectionForRouteLocked(rs.effectiveNetID(routeID))
 }

 func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap {
@@ -174,7 +164,7 @@ func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap
 	filtered := make(route.HAMap, len(routes))
 	for id, rt := range routes {
 		netID := id.NetID()
-		if rs.isDeselected(netID) {
+		if rs.isDeselectedLocked(netID) {
 			continue
 		}

@@ -189,13 +179,48 @@ func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap
 	return filtered
 }

-func (rs *RouteSelector) isDeselected(netID route.NetID) bool {
+// effectiveNetID returns the v4 base for a "-v6" exit pair entry that has no explicit
+// state of its own, so selections made on the v4 entry govern the v6 entry automatically.
+// Only call this from exit-node-specific code paths: applying it to a non-exit "-v6" route
+// would make it inherit unrelated v4 state. Must be called with rs.mu held.
+func (rs *RouteSelector) effectiveNetID(id route.NetID) route.NetID {
+	name := string(id)
+	if !strings.HasSuffix(name, route.V6ExitSuffix) {
+		return id
+	}
+	if _, ok := rs.selectedRoutes[id]; ok {
+		return id
+	}
+	if _, ok := rs.deselectedRoutes[id]; ok {
+		return id
+	}
+	return route.NetID(strings.TrimSuffix(name, route.V6ExitSuffix))
+}
+
+func (rs *RouteSelector) isSelectedLocked(routeID route.NetID) bool {
+	if rs.deselectAll {
+		return false
+	}
+	_, deselected := rs.deselectedRoutes[routeID]
+	return !deselected
+}
+
+func (rs *RouteSelector) isDeselectedLocked(netID route.NetID) bool {
+	if rs.deselectAll {
+		return true
+	}
 	_, deselected := rs.deselectedRoutes[netID]
-	return deselected || rs.deselectAll
+	return deselected
+}
+
+func (rs *RouteSelector) hasUserSelectionForRouteLocked(routeID route.NetID) bool {
+	_, selected := rs.selectedRoutes[routeID]
+	_, deselected := rs.deselectedRoutes[routeID]
+	return selected || deselected
 }

 func isExitNode(rt []*route.Route) bool {
-	return len(rt) > 0 && rt[0].Network.String() == exitNodeCIDR
+	return len(rt) > 0 && (route.IsV4DefaultRoute(rt[0].Network) || route.IsV6DefaultRoute(rt[0].Network))
 }

 func (rs *RouteSelector) applyExitNodeFilter(
@@ -204,26 +229,23 @@ func (rs *RouteSelector) applyExitNodeFilter(
 	rt []*route.Route,
 	out route.HAMap,
 ) {
-
-	if rs.hasUserSelections() {
-		// user made explicit selects/deselects
-		if rs.IsSelected(netID) {
+	// Exit-node path: apply the v4/v6 pair mirror so a deselect on the v4 base also
+	// drops the synthesized v6 entry that lacks its own explicit state.
+	effective := rs.effectiveNetID(netID)
+	if rs.hasUserSelectionForRouteLocked(effective) {
+		if rs.isSelectedLocked(effective) {
 			out[id] = rt
 		}
 		return
 	}

-	// no explicit selections: only include routes marked !SkipAutoApply (=AutoApply)
+	// no explicit selection for this route: defer to management's SkipAutoApply flag
 	sel := collectSelected(rt)
 	if len(sel) > 0 {
 		out[id] = sel
 	}
 }

-func (rs *RouteSelector) hasUserSelections() bool {
-	return len(rs.selectedRoutes) > 0 || len(rs.deselectedRoutes) > 0
-}
-
 func collectSelected(rt []*route.Route) []*route.Route {
 	var sel []*route.Route
 	for _, r := range rt {
--- a/client/internal/routeselector/routeselector_test.go
+++ b/client/internal/routeselector/routeselector_test.go
@@ -330,6 +330,137 @@ func TestRouteSelector_FilterSelectedExitNodes(t *testing.T) {
 	assert.Len(t, filtered, 0) // No routes should be selected
 }

+// TestRouteSelector_V6ExitPairInherits covers the v4/v6 exit-node pair selection
+// mirror. The mirror is scoped to exit-node code paths: HasUserSelectionForRoute
+// and FilterSelectedExitNodes resolve a "-v6" entry without explicit state to its
+// v4 base, so legacy persisted selections that predate v6 pairing transparently
+// apply to the synthesized v6 entry. General lookups (IsSelected, FilterSelected)
+// stay literal so unrelated routes named "*-v6" don't inherit unrelated state.
+func TestRouteSelector_V6ExitPairInherits(t *testing.T) {
+	all := []route.NetID{"exit1", "exit1-v6", "exit2", "exit2-v6", "corp", "corp-v6"}
+
+	t.Run("HasUserSelectionForRoute mirrors deselected v4 base", func(t *testing.T) {
+		rs := routeselector.NewRouteSelector()
+		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
+
+		assert.True(t, rs.HasUserSelectionForRoute("exit1-v6"), "v6 pair sees v4 base's user selection")
+
+		// unrelated v6 with no v4 base touched is unaffected
+		assert.False(t, rs.HasUserSelectionForRoute("exit2-v6"))
+	})
+
+	t.Run("IsSelected stays literal for non-exit lookups", func(t *testing.T) {
+		rs := routeselector.NewRouteSelector()
+		require.NoError(t, rs.DeselectRoutes([]route.NetID{"corp"}, all))
+
+		// A non-exit route literally named "corp-v6" must not inherit "corp"'s state
+		// via the mirror; the mirror only applies in exit-node code paths.
+		assert.False(t, rs.IsSelected("corp"))
+		assert.True(t, rs.IsSelected("corp-v6"), "non-exit *-v6 routes must not inherit unrelated v4 state")
+	})
+
+	t.Run("explicit v6 state overrides v4 base in filter", func(t *testing.T) {
+		rs := routeselector.NewRouteSelector()
+		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
+		require.NoError(t, rs.SelectRoutes([]route.NetID{"exit1-v6"}, true, all))
+
+		v4Route := &route.Route{NetID: "exit1", Network: netip.MustParsePrefix("0.0.0.0/0")}
+		v6Route := &route.Route{NetID: "exit1-v6", Network: netip.MustParsePrefix("::/0")}
+		routes := route.HAMap{
+			"exit1|0.0.0.0/0": {v4Route},
+			"exit1-v6|::/0":   {v6Route},
+		}
+
+		filtered := rs.FilterSelectedExitNodes(routes)
+		assert.NotContains(t, filtered, route.HAUniqueID("exit1|0.0.0.0/0"))
+		assert.Contains(t, filtered, route.HAUniqueID("exit1-v6|::/0"), "explicit v6 select wins over v4 base")
+	})
+
+	t.Run("non-v6-suffix routes unaffected", func(t *testing.T) {
+		rs := routeselector.NewRouteSelector()
+		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
+
+		// A route literally named "exit1-something" must not pair-resolve.
+		assert.False(t, rs.HasUserSelectionForRoute("exit1-something"))
+	})
+
+	t.Run("filter v6 paired with deselected v4 base", func(t *testing.T) {
+		rs := routeselector.NewRouteSelector()
+		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
+
+		v4Route := &route.Route{NetID: "exit1", Network: netip.MustParsePrefix("0.0.0.0/0")}
+		v6Route := &route.Route{NetID: "exit1-v6", Network: netip.MustParsePrefix("::/0")}
+		routes := route.HAMap{
+			"exit1|0.0.0.0/0": {v4Route},
+			"exit1-v6|::/0":   {v6Route},
+		}
+
+		filtered := rs.FilterSelectedExitNodes(routes)
+		assert.Empty(t, filtered, "deselecting v4 base must also drop the v6 pair")
+	})
+
+	t.Run("non-exit *-v6 routes pass through FilterSelectedExitNodes", func(t *testing.T) {
+		rs := routeselector.NewRouteSelector()
+		require.NoError(t, rs.DeselectRoutes([]route.NetID{"corp"}, all))
+
+		// A non-default-route entry named "corp-v6" is not an exit node and
+		// must not be skipped because its v4 base "corp" is deselected.
+		corpV6 := &route.Route{NetID: "corp-v6", Network: netip.MustParsePrefix("10.0.0.0/8")}
+		routes := route.HAMap{
+			"corp-v6|10.0.0.0/8": {corpV6},
+		}
+
+		filtered := rs.FilterSelectedExitNodes(routes)
+		assert.Contains(t, filtered, route.HAUniqueID("corp-v6|10.0.0.0/8"),
+			"non-exit *-v6 routes must not inherit unrelated v4 state in FilterSelectedExitNodes")
+	})
+}
+
+// TestRouteSelector_SkipAutoApplyPerRoute verifies that management's
+// SkipAutoApply flag governs each untouched route independently, even when
+// the user has explicit selections on other routes.
+func TestRouteSelector_SkipAutoApplyPerRoute(t *testing.T) {
+	autoApplied := &route.Route{
+		NetID:         "Auto",
+		Network:       netip.MustParsePrefix("0.0.0.0/0"),
+		SkipAutoApply: false,
+	}
+	skipApply := &route.Route{
+		NetID:         "Skip",
+		Network:       netip.MustParsePrefix("0.0.0.0/0"),
+		SkipAutoApply: true,
+	}
+	routes := route.HAMap{
+		"Auto|0.0.0.0/0": {autoApplied},
+		"Skip|0.0.0.0/0": {skipApply},
+	}
+
+	rs := routeselector.NewRouteSelector()
+	// User makes an unrelated explicit selection elsewhere.
+	require.NoError(t, rs.DeselectRoutes([]route.NetID{"Unrelated"}, []route.NetID{"Auto", "Skip", "Unrelated"}))
+
+	filtered := rs.FilterSelectedExitNodes(routes)
+	assert.Contains(t, filtered, route.HAUniqueID("Auto|0.0.0.0/0"), "AutoApply route should be included")
+	assert.NotContains(t, filtered, route.HAUniqueID("Skip|0.0.0.0/0"), "SkipAutoApply route should be excluded without explicit user selection")
+}
+
+// TestRouteSelector_V6ExitIsExitNode verifies that ::/0 routes are recognized
+// as exit nodes by the selector's filter path.
+func TestRouteSelector_V6ExitIsExitNode(t *testing.T) {
+	v6Exit := &route.Route{
+		NetID:         "V6Only",
+		Network:       netip.MustParsePrefix("::/0"),
+		SkipAutoApply: true,
+	}
+	routes := route.HAMap{
+		"V6Only|::/0": {v6Exit},
+	}
+
+	rs := routeselector.NewRouteSelector()
+	filtered := rs.FilterSelectedExitNodes(routes)
+	assert.Empty(t, filtered, "::/0 should be treated as an exit node and respect SkipAutoApply")
+}
+
 func TestRouteSelector_NewRoutesBehavior(t *testing.T) {
 	initialRoutes := []route.NetID{"route1", "route2", "route3"}
 	newRoutes := []route.NetID{"route1", "route2", "route3", "route4", "route5"}
--- a/client/internal/state.go
+++ b/client/internal/state.go
@@ -33,17 +33,34 @@ func CtxGetState(ctx context.Context) *contextState {
 }

 type contextState struct {
-	err    error
-	status StatusType
-	mutex  sync.Mutex
+	err      error
+	status   StatusType
+	mutex    sync.Mutex
+	onChange func()
+}
+
+// SetOnChange installs a callback fired after every successful Set. Used by
+// the daemon to wire the status recorder's notifyStateChange so any
+// state.Set in the connect/login paths pushes a fresh snapshot to
+// SubscribeStatus subscribers without each callsite having to opt in.
+// The callback runs outside the contextState mutex to avoid a lock-order
+// dependency with the recorder's stateChangeMux.
+func (c *contextState) SetOnChange(fn func()) {
+	c.mutex.Lock()
+	c.onChange = fn
+	c.mutex.Unlock()
 }

 func (c *contextState) Set(update StatusType) {
 	c.mutex.Lock()
-	defer c.mutex.Unlock()
-
 	c.status = update
 	c.err = nil
+	cb := c.onChange
+	c.mutex.Unlock()
+
+	if cb != nil {
+		cb()
+	}
 }

 func (c *contextState) Status() (StatusType, error) {
@@ -57,6 +74,17 @@ func (c *contextState) Status() (StatusType, error) {
 	return c.status, nil
 }

+// CurrentStatus returns the last status set via Set, ignoring any wrapped
+// error. Use when the status is needed for reporting purposes (e.g. the
+// status snapshot stream) and a transient wrapped error from a retry loop
+// shouldn't blank out the underlying status.
+func (c *contextState) CurrentStatus() StatusType {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	return c.status
+}
+
 func (c *contextState) Wrap(err error) error {
 	c.mutex.Lock()
 	defer c.mutex.Unlock()
--- a/client/netbird.wxs
+++ b/client/netbird.wxs
@@ -32,9 +32,6 @@
 					</File>
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\wintun.dll" />
 					<File Id="NetbirdToastIcon" Name="netbird.png" Source=".\client\ui\assets\netbird.png" />
-					<?if $(var.ArchSuffix) = "amd64" ?>
-					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\opengl32.dll" />
-					<?endif ?>

 					<ServiceInstall
                                     Id="NetBirdService"
@@ -62,8 +59,23 @@
 			<Component Id="NetbirdAumidRegistry" Guid="*">
 				<RegistryKey Root="HKCU" Key="Software\Classes\AppUserModelId\NetBird" ForceDeleteOnUninstall="yes">
 					<RegistryValue Name="InstalledByMSI" Type="integer" Value="1" KeyPath="yes" />
+					<!-- Pre-seed the CLSID the Wails notifications service reads on
+					     first startup (notifications_windows.go:getGUID looks for
+					     the CustomActivator value under this key). Without this
+					     the service generates a fresh per-install UUID, which
+					     diverges from the ToastActivatorCLSID set on the Start
+					     Menu / Desktop shortcuts above and the COM activator
+					     never fires when a toast is clicked. -->
+					<RegistryValue Name="CustomActivator" Type="string" Value="{0E1B4DE7-E148-432B-9814-544F941826EC}" />
 				</RegistryKey>
 			</Component>
+			<!-- Drop the HKCU Run\Netbird value written by legacy NSIS installers. -->
+			<Component Id="NetbirdLegacyHKCUCleanup" Guid="*">
+				<RegistryValue Root="HKCU" Key="Software\NetBird GmbH\Installer"
+					Name="LegacyHKCUCleanup" Type="integer" Value="1" KeyPath="yes" />
+				<RemoveRegistryValue Root="HKCU"
+					Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
+			</Component>
 		</StandardDirectory>

 		<StandardDirectory Id="CommonAppDataFolder">
@@ -76,19 +88,67 @@
 			</Directory>
 		</StandardDirectory>

+		<!-- Drop Run, App Paths and Uninstall entries written by legacy NSIS
+		     installers into the 32-bit registry view (HKLM\Software\Wow6432Node). -->
+		<Component Id="NetbirdLegacyWow6432Cleanup" Directory="NetbirdInstallDir"
+			Guid="bda5d628-16bd-4086-b2c1-5099d8d51763" Bitness="always32">
+			<RegistryValue Root="HKLM" Key="Software\NetBird GmbH\Installer"
+				Name="LegacyWow6432Cleanup" Type="integer" Value="1" KeyPath="yes" />
+			<RemoveRegistryValue Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird-ui" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\Netbird" />
+		</Component>
+
 		<ComponentGroup Id="NetbirdFilesComponent">
 			<ComponentRef Id="NetbirdFiles" />
 			<ComponentRef Id="NetbirdAumidRegistry" />
 			<ComponentRef Id="NetbirdAutoStart" />
+			<ComponentRef Id="NetbirdLegacyHKCUCleanup" />
+			<ComponentRef Id="NetbirdLegacyWow6432Cleanup" />
 		</ComponentGroup>

 		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />
 		<util:CloseApplication Id="CloseNetBirdUI" CloseMessage="no" Target="netbird-ui.exe" RebootPrompt="no" TerminateProcess="0" />

+		<!-- WebView2 evergreen runtime detection.
+		     Probe both the per-machine and per-user EdgeUpdate keys; if either
+		     reports a non-empty `pv` value the runtime is already installed
+		     and we skip the bootstrapper. -->
+		<Property Id="WEBVIEW2_VERSION_HKLM">
+			<RegistrySearch Id="WV2HKLM" Root="HKLM"
+				Key="SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}"
+				Name="pv" Type="raw" Bitness="always64" />
+		</Property>
+		<Property Id="WEBVIEW2_VERSION_HKCU">
+			<RegistrySearch Id="WV2HKCU" Root="HKCU"
+				Key="Software\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}"
+				Name="pv" Type="raw" />
+		</Property>

+		<!-- Embed the bootstrapper payload. Path is relative to the WiX
+		     working directory; sign-pipelines stages it next to client/
+		     via `wails3 generate webview2bootstrapper`. -->
+		<Binary Id="WebView2Bootstrapper" SourceFile=".\client\MicrosoftEdgeWebview2Setup.exe" />
+
+		<CustomAction Id="InstallWebView2"
+			BinaryRef="WebView2Bootstrapper"
+			ExeCommand="/silent /install"
+			Execute="deferred"
+			Impersonate="no"
+			Return="check" />
+
+		<InstallExecuteSequence>
+			<Custom Action="InstallWebView2" Before="InstallFinalize"
+				Condition="NOT WEBVIEW2_VERSION_HKLM AND NOT WEBVIEW2_VERSION_HKCU AND NOT REMOVE" />
+		</InstallExecuteSequence>

 		<!-- Icons -->
-		<Icon Id="NetbirdIcon" SourceFile=".\client\ui\assets\netbird.ico" />
+		<Icon Id="NetbirdIcon" SourceFile=".\client\ui\build\windows\icon.ico" />
 		<Property Id="ARPPRODUCTICON" Value="NetbirdIcon" />

 	</Package>
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -24,6 +24,12 @@ service DaemonService {
  // Status of the service.
  rpc Status(StatusRequest) returns (StatusResponse) {}

+  // SubscribeStatus pushes a fresh StatusResponse on connection state
+  // changes (Connected / Disconnected / Connecting / address change /
+  // peers list change). The first message on the stream is the current
+  // snapshot, so a freshly-subscribed UI doesn't need to also call Status.
+  rpc SubscribeStatus(StatusRequest) returns (stream StatusResponse) {}
+
  // Down stops engine work in the daemon.
  rpc Down(DownRequest) returns (DownResponse) {}

@@ -109,6 +115,25 @@ service DaemonService {
  // WaitJWTToken waits for JWT authentication completion
  rpc WaitJWTToken(WaitJWTTokenRequest) returns (WaitJWTTokenResponse) {}

+  // RequestExtendAuthSession initiates an SSO session-extension flow.
+  // The daemon prepares a PKCE/device-code request against the IdP and
+  // returns the verification URI; the UI is expected to open it. The flow
+  // state is kept in the daemon until WaitExtendAuthSession completes it.
+  rpc RequestExtendAuthSession(RequestExtendAuthSessionRequest) returns (RequestExtendAuthSessionResponse) {}
+
+  // WaitExtendAuthSession blocks until the user finishes the SSO step
+  // started by RequestExtendAuthSession, then forwards the resulting JWT
+  // to the management server's ExtendAuthSession RPC. Returns the new
+  // session expiry deadline. The tunnel stays up the entire time.
+  rpc WaitExtendAuthSession(WaitExtendAuthSessionRequest) returns (WaitExtendAuthSessionResponse) {}
+
+  // DismissSessionWarning records that the user clicked "Dismiss" on the
+  // T-WarningLead interactive notification, suppressing the auto-opened
+  // SessionAboutToExpire dialog that would otherwise fire at
+  // T-FinalWarningLead for the current deadline. Idempotent and best-effort:
+  // a missed call only means the fallback dialog will still appear.
+  rpc DismissSessionWarning(DismissSessionWarningRequest) returns (DismissSessionWarningResponse) {}
+
 // StartCPUProfile starts CPU profiling in the daemon
  rpc StartCPUProfile(StartCPUProfileRequest) returns (StartCPUProfileResponse) {}

@@ -227,6 +252,12 @@ message UpRequest {
  optional string profileName = 1;
  optional string username = 2;
  reserved 3;
+  // async instructs the daemon to start the connection attempt and return
+  // immediately without waiting for the engine to become ready. Status updates
+  // are delivered via the SubscribeStatus stream. When false (the default) the
+  // RPC blocks until the engine is running or gives up, which is the behaviour
+  // needed by the CLI.
+  bool async = 4;
 }

 message UpResponse {}
@@ -244,6 +275,10 @@ message StatusResponse{
  FullStatus fullStatus = 2;
  // NetBird daemon version
  string daemonVersion = 3;
+  // Absolute UTC instant at which the peer's SSO session expires.
+  // Unset when the peer is not SSO-registered or login expiration is disabled.
+  // The UI derives "warning active" from this value and its own clock.
+  google.protobuf.Timestamp sessionExpiresAt = 4;
 }

 message DownRequest {}
@@ -798,6 +833,55 @@ message WaitJWTTokenResponse {
  int64 expiresIn = 3;
 }

+// RequestExtendAuthSessionRequest kicks off the session-extension SSO flow.
+message RequestExtendAuthSessionRequest {
+  // Optional OIDC login_hint (typically the user's email) to pre-fill the
+  // IdP login form.
+  optional string hint = 1;
+}
+
+// RequestExtendAuthSessionResponse carries the verification URI the UI
+// should open in a browser. The daemon retains the flow state and resolves
+// it via WaitExtendAuthSession.
+message RequestExtendAuthSessionResponse {
+  // verification URI for the user to open in the browser
+  string verificationURI = 1;
+  // complete verification URI (with embedded user code)
+  string verificationURIComplete = 2;
+  // user code to enter on verification URI (for device-code flows)
+  string userCode = 3;
+  // device code for matching the WaitExtendAuthSession call to this flow
+  string deviceCode = 4;
+  // expiration time in seconds for the device code / PKCE flow
+  int64 expiresIn = 5;
+}
+
+// WaitExtendAuthSessionRequest is sent by the UI after it opens the
+// verification URI. The daemon blocks on this call until the user
+// completes (or aborts) the SSO step.
+message WaitExtendAuthSessionRequest {
+  // device code returned by RequestExtendAuthSession
+  string deviceCode = 1;
+  // user code for verification
+  string userCode = 2;
+}
+
+// WaitExtendAuthSessionResponse carries the refreshed deadline returned
+// by the management server. Unset when the management server reports the
+// peer is not eligible for session extension.
+message WaitExtendAuthSessionResponse {
+  google.protobuf.Timestamp sessionExpiresAt = 1;
+}
+
+// DismissSessionWarningRequest is sent by the UI when the user clicks
+// "Dismiss" on the T-WarningLead notification.
+message DismissSessionWarningRequest {}
+
+// DismissSessionWarningResponse acknowledges the dismissal. Carries no
+// payload — the daemon's only obligation is to silence the upcoming
+// T-FinalWarningLead fallback for the current deadline.
+message DismissSessionWarningResponse {}
+
 // StartCPUProfileRequest for starting CPU profiling
 message StartCPUProfileRequest {}

--- a/client/proto/daemon_grpc.pb.go
+++ b/client/proto/daemon_grpc.pb.go
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -19,6 +19,7 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	gstatus "google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/expose"
@@ -67,6 +68,12 @@ type Server struct {
 	logFile string

 	oauthAuthFlow oauthAuthFlow
+	// extendAuthSessionFlow holds the pending PKCE flow created by
+	// RequestExtendAuthSession until WaitExtendAuthSession resolves it.
+	// Kept separate from oauthAuthFlow (which is reserved for the SSH
+	// JWT path) so a concurrent SSH auth doesn't clobber the session
+	// extend flow or vice versa.
+	extendAuthSessionFlow *auth.PendingFlow

 	mutex  sync.Mutex
 	config *profilemanager.Config
@@ -123,6 +130,7 @@ func New(ctx context.Context, logFile string, configFile string, profilesDisable
 		captureEnabled:         captureEnabled,
 		networksDisabled:       networksDisabled,
 		jwtCache:               newJWTCache(),
+		extendAuthSessionFlow:  auth.NewPendingFlow(),
 	}
 	agent := &serverAgent{s}
 	s.sleepHandler = sleephandler.New(agent)
@@ -140,6 +148,15 @@ func (s *Server) Start() error {
 	}

 	state := internal.CtxGetState(s.rootCtx)
+	// Every contextState.Set in the connect/login/server paths must push a
+	// SubscribeStatus snapshot, otherwise transitions that don't happen to
+	// be accompanied by a Mark{Management,Signal,...} call (e.g. plain
+	// StatusNeedsLogin after a PermissionDenied login, StatusLoginFailed
+	// after OAuth init failure, StatusIdle in the Login defer) leave the
+	// UI stuck on the previous status until the next unrelated peer event.
+	// Binding the recorder here means new state.Set callsites don't have
+	// to opt in individually.
+	state.SetOnChange(s.statusRecorder.NotifyStateChange)

 	if err := handlePanicLog(); err != nil {
 		log.Warnf("failed to redirect stderr: %v", err)
@@ -220,10 +237,20 @@ func (s *Server) Start() error {
 // mechanism to keep the client connected even when the connection is lost.
 // we cancel retry if the client receive a stop or down command, or if disable auto connect is configured.
 func (s *Server) connectWithRetryRuns(ctx context.Context, profileConfig *profilemanager.Config, statusRecorder *peer.Status, runningChan chan struct{}, giveUpChan chan struct{}) {
+	// close(giveUpChan) MUST run on every exit path (DisableAutoConnect
+	// return, backoff.Retry return, panic) — Down() blocks for up to 5s
+	// waiting on this signal before flipping the state to Idle, and a
+	// missed close leaves Down() always hitting the timeout. The signal
+	// fires AFTER clientRunning=false is committed under the mutex so a
+	// Down/Up racing with the goroutine exit never observes a half-state
+	// (chan closed but clientRunning still true).
 	defer func() {
 		s.mutex.Lock()
 		s.clientRunning = false
 		s.mutex.Unlock()
+		if giveUpChan != nil {
+			close(giveUpChan)
+		}
 	}()

 	if s.config.DisableAutoConnect {
@@ -258,6 +285,15 @@ func (s *Server) connectWithRetryRuns(ctx context.Context, profileConfig *profil
 	runOperation := func() error {
 		err := s.connect(ctx, profileConfig, statusRecorder, runningChan)
 		if err != nil {
+			// PermissionDenied means the daemon transitioned to NeedsLogin
+			// inside connect(). Without backoff.Permanent the outer retry
+			// re-enters connect(), which resets the state to Connecting and
+			// makes the tray flicker between NeedsLogin and Connecting until
+			// the user logs in. Stop retrying and let the state stick.
+			if s, ok := gstatus.FromError(err); ok && s.Code() == codes.PermissionDenied {
+				log.Debugf("run client connection exited with PermissionDenied, waiting for login")
+				return backoff.Permanent(err)
+			}
 			log.Debugf("run client connection exited with error: %v. Will retry in the background", err)
 			return err
 		}
@@ -269,10 +305,6 @@ func (s *Server) connectWithRetryRuns(ctx context.Context, profileConfig *profil
 	if err := backoff.Retry(runOperation, backOff); err != nil {
 		log.Errorf("operation failed: %v", err)
 	}
-
-	if giveUpChan != nil {
-		close(giveUpChan)
-	}
 }

 // loginAttempt attempts to login using the provided information. it returns a status in case something fails
@@ -341,9 +373,7 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 	}

 	if msg.OptionalPreSharedKey != nil {
-		if *msg.OptionalPreSharedKey != "" {
-			config.PreSharedKey = msg.OptionalPreSharedKey
-		}
+		config.PreSharedKey = msg.OptionalPreSharedKey
 	}

 	if msg.CleanDNSLabels {
@@ -569,8 +599,35 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 	return &proto.LoginResponse{}, nil
 }

-// WaitSSOLogin uses the userCode to validate the TokenInfo and
-// waits for the user to continue with the login on a browser
+// WaitSSOLogin validates the supplied userCode against the in-flight OAuth
+// device/PKCE flow and blocks until the user finishes the browser leg.
+//
+// State transitions on exit:
+//
+//	┌──────────────────────────────────────────┬──────────────────────────────────┐
+//	│ Outcome                                  │ contextState                     │
+//	├──────────────────────────────────────────┼──────────────────────────────────┤
+//	│ Success → loginAttempt → Connected       │ StatusConnected (loginAttempt)   │
+//	│ Success → loginAttempt → still-NeedsLogin│ StatusNeedsLogin (loginAttempt)  │
+//	│ Success → loginAttempt error             │ StatusLoginFailed (loginAttempt) │
+//	│ UserCode mismatch                        │ StatusLoginFailed                │
+//	│ WaitToken: context.Canceled (external    │ defer runs: status untouched if  │
+//	│   abort — profile switch invokes         │   already NeedsLogin/LoginFailed,│
+//	│   actCancel/waitCancel, app quit,        │   else StatusIdle. Keeps the     │
+//	│   another WaitSSOLogin started)          │   cancel from leaking as a       │
+//	│                                          │   spurious LoginFailed on the    │
+//	│                                          │   next profile's Up.             │
+//	│ WaitToken: context.DeadlineExceeded      │ StatusNeedsLogin                 │
+//	│   (OAuth device-code window expired      │   (retryable; the UI's "Connect" │
+//	│   while waiting on the browser leg)      │   re-enters the Login flow)      │
+//	│ WaitToken: any other error               │ StatusLoginFailed                │
+//	│   (access_denied, expired_token, HTTP    │   (genuine auth/IO failure;      │
+//	│   failure, token validation rejection)   │   surfaced verbatim to caller)   │
+//	└──────────────────────────────────────────┴──────────────────────────────────┘
+//
+// The defer at the top of the function applies the Idle fallback so callers
+// that bypass the explicit Set calls (the Canceled branch above, the success
+// path before loginAttempt) still land on a sensible terminal status.
 func (s *Server) WaitSSOLogin(callerCtx context.Context, msg *proto.WaitSSOLoginRequest) (*proto.WaitSSOLoginResponse, error) {
 	s.mutex.Lock()
 	if s.actCancel != nil {
@@ -630,7 +687,21 @@ func (s *Server) WaitSSOLogin(callerCtx context.Context, msg *proto.WaitSSOLogin
 		s.mutex.Lock()
 		s.oauthAuthFlow.expiresAt = time.Now()
 		s.mutex.Unlock()
-		state.Set(internal.StatusLoginFailed)
+		switch {
+		case errors.Is(err, context.Canceled):
+			// External abort (profile switch, app quit, another
+			// WaitSSOLogin started). Not a login failure — let the
+			// top-level defer fall through to StatusIdle so the next
+			// flow starts from a clean state.
+		case errors.Is(err, context.DeadlineExceeded):
+			// OAuth device-code window expired with no user action.
+			// Retryable — leave the daemon in NeedsLogin so the UI
+			// keeps the Login affordance instead of reading as a
+			// hard failure.
+			state.Set(internal.StatusNeedsLogin)
+		default:
+			state.Set(internal.StatusLoginFailed)
+		}
 		log.Errorf("waiting for browser login failed: %v", err)
 		return nil, err
 	}
@@ -745,6 +816,9 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	go s.connectWithRetryRuns(ctx, s.config, s.statusRecorder, s.clientRunningChan, s.clientGiveUpChan)

 	s.mutex.Unlock()
+	if msg.GetAsync() {
+		return &proto.UpResponse{}, nil
+	}
 	return s.waitForUp(callerCtx)
 }

@@ -844,23 +918,37 @@ func (s *Server) Down(ctx context.Context, _ *proto.DownRequest) (*proto.DownRes
 		return nil, err
 	}

-	state := internal.CtxGetState(s.rootCtx)
-	state.Set(internal.StatusIdle)
-
 	s.mutex.Unlock()

 	// Wait for the connectWithRetryRuns goroutine to finish with a short timeout.
 	// This prevents the goroutine from setting ErrResetConnection after Down() returns.
-	// The giveUpChan is closed at the end of connectWithRetryRuns.
+	// The giveUpChan is closed by the goroutine's deferred cleanup (see
+	// connectWithRetryRuns) on every exit path. A timeout here typically
+	// means the goroutine is still wedged inside a slow teardown step.
 	if giveUpChan != nil {
 		select {
 		case <-giveUpChan:
-			log.Debugf("client goroutine finished successfully")
+			log.Debugf("client goroutine finished, giveUpChan closed")
 		case <-time.After(5 * time.Second):
 			log.Warnf("timeout waiting for client goroutine to finish, proceeding anyway")
 		}
 	}

+	// Set Idle only after the retry goroutine has exited (or timed out).
+	// Setting it earlier races with the goroutine's own Set(StatusConnecting)
+	// at the top of each retry attempt, which would leave the snapshot
+	// stuck at Connecting long after the user asked to disconnect.
+	internal.CtxGetState(s.rootCtx).Set(internal.StatusIdle)
+
+	// Clear stale management/signal errors so the next Up() (typically for a
+	// different profile) starts with a clean status snapshot. Without this,
+	// a managementError left over from a LoginFailed cycle persists in the
+	// statusRecorder and appears in the new profile's initial
+	// SubscribeStatus snapshot, making the new profile look like it also
+	// failed to log in.
+	s.statusRecorder.MarkManagementDisconnected(nil)
+	s.statusRecorder.MarkSignalDisconnected(nil)
+
 	return &proto.DownResponse{}, nil
 }

@@ -1114,9 +1202,23 @@ func (s *Server) Status(
 		}
 	}

-	status, err := internal.CtxGetState(s.rootCtx).Status()
+	return s.buildStatusResponse(msg)
+}
+
+// buildStatusResponse composes a StatusResponse from the current daemon
+// state. Shared between the unary Status RPC and the SubscribeStatus
+// stream so both paths return identical snapshots.
+func (s *Server) buildStatusResponse(msg *proto.StatusRequest) (*proto.StatusResponse, error) {
+	state := internal.CtxGetState(s.rootCtx)
+	status, err := state.Status()
 	if err != nil {
-		return nil, err
+		// state.Status() blanks the status when err is set (e.g. management
+		// retry loop wrapped a connection error). The underlying status is
+		// still meaningful and the failure is already surfaced via
+		// FullStatus.ManagementState.Error, so don't propagate err — that
+		// would tear down the SubscribeStatus stream and cause the UI to
+		// mark the daemon as unreachable on every retry.
+		status = state.CurrentStatus()
 	}

 	if status == internal.StatusNeedsLogin && s.isSessionActive.Load() {
@@ -1127,6 +1229,10 @@ func (s *Server) Status(

 	statusResponse := proto.StatusResponse{Status: string(status), DaemonVersion: version.NetbirdVersion()}

+	if deadline := s.statusRecorder.GetSessionExpiresAt(); !deadline.IsZero() {
+		statusResponse.SessionExpiresAt = timestamppb.New(deadline)
+	}
+
 	s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())
 	s.statusRecorder.UpdateRosenpass(s.config.RosenpassEnabled, s.config.RosenpassPermissive)

@@ -1356,6 +1462,131 @@ func (s *Server) WaitJWTToken(
 	}, nil
 }

+// RequestExtendAuthSession initiates the SSO session-extension flow and
+// returns the verification URI the UI should open. The flow state is held
+// in s.extendAuthSessionFlow until WaitExtendAuthSession resolves it.
+func (s *Server) RequestExtendAuthSession(
+	ctx context.Context,
+	msg *proto.RequestExtendAuthSessionRequest,
+) (*proto.RequestExtendAuthSessionResponse, error) {
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
+	s.mutex.Lock()
+	config := s.config
+	connectClient := s.connectClient
+	s.mutex.Unlock()
+
+	if config == nil {
+		return nil, gstatus.Errorf(codes.FailedPrecondition, "client is not configured")
+	}
+	if connectClient == nil {
+		return nil, gstatus.Errorf(codes.FailedPrecondition, "client is not running")
+	}
+
+	hint := ""
+	if msg.Hint != nil {
+		hint = *msg.Hint
+	}
+	if hint == "" {
+		hint = profilemanager.GetLoginHint()
+	}
+
+	isDesktop := isUnixRunningDesktop()
+	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isDesktop, false, hint)
+	if err != nil {
+		return nil, gstatus.Errorf(codes.Internal, "failed to create OAuth flow: %v", err)
+	}
+
+	authInfo, err := oAuthFlow.RequestAuthInfo(ctx)
+	if err != nil {
+		return nil, gstatus.Errorf(codes.Internal, "failed to request auth info: %v", err)
+	}
+
+	s.extendAuthSessionFlow.Set(oAuthFlow, authInfo)
+
+	return &proto.RequestExtendAuthSessionResponse{
+		VerificationURI:         authInfo.VerificationURI,
+		VerificationURIComplete: authInfo.VerificationURIComplete,
+		UserCode:                authInfo.UserCode,
+		DeviceCode:              authInfo.DeviceCode,
+		ExpiresIn:               int64(authInfo.ExpiresIn),
+	}, nil
+}
+
+// WaitExtendAuthSession blocks until the user completes the SSO step
+// initiated by RequestExtendAuthSession, then forwards the resulting JWT
+// to the management server's ExtendAuthSession RPC. The returned deadline
+// is also applied locally via the engine so SubscribeStatus consumers see
+// the refreshed state.
+func (s *Server) WaitExtendAuthSession(
+	ctx context.Context,
+	req *proto.WaitExtendAuthSessionRequest,
+) (*proto.WaitExtendAuthSessionResponse, error) {
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
+	oAuthFlow, authInfo, ok := s.extendAuthSessionFlow.Get()
+
+	s.mutex.Lock()
+	connectClient := s.connectClient
+	s.mutex.Unlock()
+
+	if !ok || authInfo.DeviceCode != req.DeviceCode {
+		return nil, gstatus.Errorf(codes.InvalidArgument, "invalid device code or no active extend-session flow")
+	}
+
+	tokenInfo, err := oAuthFlow.WaitToken(ctx, authInfo)
+	if err != nil {
+		return nil, gstatus.Errorf(codes.Internal, "failed to obtain JWT token: %v", err)
+	}
+
+	// Clear pending flow before talking to mgm so a retry can re-initiate.
+	s.extendAuthSessionFlow.Clear()
+
+	if connectClient == nil {
+		return nil, gstatus.Errorf(codes.FailedPrecondition, "client is not running")
+	}
+	engine := connectClient.Engine()
+	if engine == nil {
+		return nil, gstatus.Errorf(codes.FailedPrecondition, "engine is not initialised")
+	}
+
+	deadline, err := engine.ExtendAuthSession(ctx, tokenInfo.GetTokenToUse())
+	if err != nil {
+		return nil, gstatus.Errorf(codes.Internal, "management ExtendAuthSession failed: %v", err)
+	}
+
+	resp := &proto.WaitExtendAuthSessionResponse{}
+	if !deadline.IsZero() {
+		resp.SessionExpiresAt = timestamppb.New(deadline)
+	}
+	return resp, nil
+}
+
+// DismissSessionWarning forwards the user's "Dismiss" click on the
+// T-WarningLead notification down to the engine's sessionWatcher so the
+// T-FinalWarningLead fallback is suppressed for the current deadline.
+// Best-effort: when the client/engine is not yet running the call is a
+// successful no-op (the watcher has no deadline to dismiss anyway).
+func (s *Server) DismissSessionWarning(
+	_ context.Context,
+	_ *proto.DismissSessionWarningRequest,
+) (*proto.DismissSessionWarningResponse, error) {
+	s.mutex.Lock()
+	connectClient := s.connectClient
+	s.mutex.Unlock()
+	if connectClient == nil {
+		return &proto.DismissSessionWarningResponse{}, nil
+	}
+	if engine := connectClient.Engine(); engine != nil {
+		engine.DismissSessionWarning()
+	}
+	return &proto.DismissSessionWarningResponse{}, nil
+}
+
 // ExposeService exposes a local port via the NetBird reverse proxy.
 func (s *Server) ExposeService(req *proto.ExposeServiceRequest, srv proto.DaemonService_ExposeServiceServer) error {
 	s.mutex.Lock()
--- a/client/server/status_stream.go
+++ b/client/server/status_stream.go
@@ -0,0 +1,57 @@
+package server
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+// SubscribeStatus pushes a fresh StatusResponse on every connection state
+// change. The first message is the current snapshot, so a re-subscribing
+// client doesn't need to also call Status. Subsequent messages fire when
+// the peer recorder reports any of: connected/disconnected/connecting,
+// management or signal flip, address change, or peers list change.
+//
+// The change channel coalesces bursts to a single tick. If the consumer
+// is slow the daemon drops extras (not blocks), and the next snapshot
+// the consumer pulls already reflects everything.
+func (s *Server) SubscribeStatus(req *proto.StatusRequest, stream proto.DaemonService_SubscribeStatusServer) error {
+	subID, ch := s.statusRecorder.SubscribeToStateChanges()
+	defer func() {
+		s.statusRecorder.UnsubscribeFromStateChanges(subID)
+		log.Debug("client unsubscribed from status updates")
+	}()
+
+	log.Debug("client subscribed to status updates")
+
+	if err := s.sendStatusSnapshot(req, stream); err != nil {
+		return err
+	}
+
+	for {
+		select {
+		case _, ok := <-ch:
+			if !ok {
+				return nil
+			}
+			if err := s.sendStatusSnapshot(req, stream); err != nil {
+				return err
+			}
+		case <-stream.Context().Done():
+			return nil
+		}
+	}
+}
+
+func (s *Server) sendStatusSnapshot(req *proto.StatusRequest, stream proto.DaemonService_SubscribeStatusServer) error {
+	resp, err := s.buildStatusResponse(req)
+	if err != nil {
+		log.Warnf("build status snapshot for stream: %v", err)
+		return err
+	}
+	if err := stream.Send(resp); err != nil {
+		log.Warnf("send status snapshot to stream: %v", err)
+		return err
+	}
+	return nil
+}
--- a/client/status/status.go
+++ b/client/status/status.go
@@ -55,6 +55,10 @@ type ConvertOptions struct {
 	IPsFilter            map[string]struct{}
 	ConnectionTypeFilter string
 	ProfileName          string
+	// SessionExpiresAt is the absolute UTC instant at which the peer's SSO
+	// session expires. Zero when the peer is not SSO-tracked or login
+	// expiration is disabled. Sourced from StatusResponse.SessionExpiresAt.
+	SessionExpiresAt time.Time
 }

 type PeerStateDetailOutput struct {
@@ -153,6 +157,11 @@ type OutputOverview struct {
 	LazyConnectionEnabled   bool                       `json:"lazyConnectionEnabled" yaml:"lazyConnectionEnabled"`
 	ProfileName             string                     `json:"profileName" yaml:"profileName"`
 	SSHServerState          SSHServerStateOutput       `json:"sshServer" yaml:"sshServer"`
+	// SessionExpiresAt is the absolute UTC instant at which the peer's SSO
+	// session expires. nil when the peer is not SSO-tracked or login
+	// expiration is disabled. Pointer (rather than zero-value time.Time) so
+	// JSON / YAML omit the field entirely with `,omitempty`.
+	SessionExpiresAt *time.Time `json:"sessionExpiresAt,omitempty" yaml:"sessionExpiresAt,omitempty"`
 }

 // ConvertToStatusOutputOverview converts protobuf status to the output overview.
@@ -198,6 +207,10 @@ func ConvertToStatusOutputOverview(pbFullStatus *proto.FullStatus, opts ConvertO
 		ProfileName:             opts.ProfileName,
 		SSHServerState:          sshServerOverview,
 	}
+	if !opts.SessionExpiresAt.IsZero() {
+		t := opts.SessionExpiresAt
+		overview.SessionExpiresAt = &t
+	}

 	if opts.Anonymize {
 		anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
@@ -535,6 +548,15 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS

 	peersCountString := fmt.Sprintf("%d/%d Connected", o.Peers.Connected, o.Peers.Total)

+	var sessionExpiryString string
+	if o.SessionExpiresAt != nil && !o.SessionExpiresAt.IsZero() {
+		sessionExpiryString = fmt.Sprintf(
+			"Session expires: %s (in %s)\n",
+			o.SessionExpiresAt.Format(time.RFC3339),
+			FormatRemainingDuration(time.Until(*o.SessionExpiresAt)),
+		)
+	}
+
 	var forwardingRulesString string
 	if o.NumberOfForwardingRules > 0 {
 		forwardingRulesString = fmt.Sprintf("Forwarding rules: %d\n", o.NumberOfForwardingRules)
@@ -565,6 +587,7 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 			"SSH Server: %s\n"+
 			"Networks: %s\n"+
 			"%s"+
+			"%s"+
 			"Peers count: %s\n",
 		fmt.Sprintf("%s/%s%s", goos, goarch, goarm),
 		o.DaemonVersion,
@@ -583,6 +606,7 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 		sshServerStatus,
 		networks,
 		forwardingRulesString,
+		sessionExpiryString,
 		peersCountString,
 	)
 	return summary
@@ -996,3 +1020,57 @@ func anonymizeOverview(a *anonymize.Anonymizer, overview *OutputOverview) {
 		overview.SSHServerState.Sessions[i].Command = a.AnonymizeString(session.Command)
 	}
 }
+
+// FormatRemainingDuration renders a time.Duration for the "Session expires"
+// line. Examples: "2h 15m", "47m 12s", "8s", "expired 3m ago".
+//
+// Granularity drops to seconds only under a minute, otherwise minutes are
+// the smallest unit shown — sub-minute precision is noise for a deadline
+// that's hours or days out.
+func FormatRemainingDuration(d time.Duration) string {
+	if d <= 0 {
+		return "expired " + HumaniseDuration(-d) + " ago"
+	}
+	return HumaniseDuration(d)
+}
+
+// HumaniseDuration renders a positive duration in compact form (e.g.
+// "2h 15m", "47m", "8s"). Exposed alongside FormatRemainingDuration so
+// callers that don't need the "expired … ago" wording can format
+// positive durations directly.
+func HumaniseDuration(d time.Duration) string {
+	if d < time.Minute {
+		s := int(d.Round(time.Second).Seconds())
+		if s < 1 {
+			s = 1
+		}
+		return fmt.Sprintf("%ds", s)
+	}
+
+	const (
+		day    = 24 * time.Hour
+		hour   = time.Hour
+		minute = time.Minute
+	)
+
+	days := int64(d / day)
+	d -= time.Duration(days) * day
+	hours := int64(d / hour)
+	d -= time.Duration(hours) * hour
+	minutes := int64(d / minute)
+
+	switch {
+	case days > 0:
+		if hours == 0 {
+			return fmt.Sprintf("%dd", days)
+		}
+		return fmt.Sprintf("%dd %dh", days, hours)
+	case hours > 0:
+		if minutes == 0 {
+			return fmt.Sprintf("%dh", hours)
+		}
+		return fmt.Sprintf("%dh %dm", hours, minutes)
+	default:
+		return fmt.Sprintf("%dm", minutes)
+	}
+}
--- a/client/status/status_test.go
+++ b/client/status/status_test.go
@@ -641,3 +641,50 @@ func TestTimeAgo(t *testing.T) {
 		})
 	}
 }
+
+func TestHumaniseDuration(t *testing.T) {
+	cases := []struct {
+		in   time.Duration
+		want string
+	}{
+		{0, "1s"},
+		{500 * time.Millisecond, "1s"},
+		{8 * time.Second, "8s"},
+		{59 * time.Second, "59s"},
+		{time.Minute, "1m"},
+		{47*time.Minute + 12*time.Second, "47m"},
+		{time.Hour, "1h"},
+		{2*time.Hour + 15*time.Minute, "2h 15m"},
+		{2 * time.Hour, "2h"},
+		{24 * time.Hour, "1d"},
+		{2*24*time.Hour + 3*time.Hour, "2d 3h"},
+	}
+	for _, tc := range cases {
+		got := HumaniseDuration(tc.in)
+		assert.Equal(t, tc.want, got, "input %s", tc.in)
+	}
+}
+
+func TestFormatRemainingDuration_Expired(t *testing.T) {
+	assert.Equal(t, "expired 3m ago", FormatRemainingDuration(-3*time.Minute))
+	assert.Equal(t, "expired 1s ago", FormatRemainingDuration(-500*time.Millisecond))
+}
+
+func TestSessionExpiresLineRendered(t *testing.T) {
+	in := overview // copy of the package-level fixture
+	deadline := time.Now().Add(2*time.Hour + 30*time.Minute).UTC()
+	in.SessionExpiresAt = &deadline
+
+	out := in.GeneralSummary(false, false, false, false)
+	assert.Contains(t, out, "Session expires: ")
+	assert.Contains(t, out, deadline.Format(time.RFC3339))
+	// 2h 30m drifts to "2h 29m" within 60s — match the family prefix.
+	assert.Contains(t, out, "(in 2h ")
+}
+
+func TestSessionExpiresLineOmittedWhenNil(t *testing.T) {
+	in := overview
+	in.SessionExpiresAt = nil
+	out := in.GeneralSummary(false, false, false, false)
+	assert.NotContains(t, out, "Session expires")
+}
--- a/client/ui/.gitignore
+++ b/client/ui/.gitignore
@@ -0,0 +1,8 @@
+.task
+bin
+frontend/dist
+frontend/node_modules
+frontend/bindings
+frontend/.vite
+build/linux/appimage/build
+build/windows/nsis/MicrosoftEdgeWebview2Setup.exe
--- a/client/ui/CLAUDE.md
+++ b/client/ui/CLAUDE.md
@@ -0,0 +1,152 @@
+# NetBird Wails UI — Working Notes
+
+This is the Wails v3 desktop UI for NetBird. Go services live in `services/`; the React/TS frontend lives in `frontend/`; bindings between them are generated under `frontend/bindings/`.
+
+> **Keep these notes current.** When working in this directory with Claude, update this file (and `frontend/CLAUDE.md` for frontend-only changes) whenever you add a service, change an event name, shift a convention, rename a key directory, or land any other change that future-you would want to know about before reading the code. The goal is that a cold-start agent can orient itself from these notes without re-deriving the codebase.
+
+## Layout
+
+### Go (top-level package `main`)
+- `main.go` — app entry. Builds the shared gRPC `Conn`, constructs services, registers them with Wails, creates the main webview window, then starts (in order) the Linux SNI watcher → tray → `peers.Watch` → `app.Run`. CLI flags: `--daemon-addr`, `--log-file` (repeatable; first user-provided value drops the seeded `console` default), `--log-level` (`trace|debug|info|warn|error`, default `info`).
+- `tray.go` — `Tray` struct + menu. Subscribes to `EventStatus`, `EventSystem`, `EventUpdateAvailable`, `EventUpdateProgress`. Owns per-status icon/dot, Profiles submenu, Connect/Disconnect swap, About → Update, session-expired toast.
+- `tray_linux.go` — `init()` sets `WEBKIT_DISABLE_DMABUF_RENDERER=1` to avoid the blank-white window on VMs / minimal WMs.
+- `tray_watcher_linux.go`, `xembed_host_linux.go`, `xembed_tray_linux.{c,h}` — in-process SNI watcher + XEmbed bridge for minimal WMs. See `LINUX-TRAY.md`.
+- `signal_unix.go` / `signal_windows.go` — `listenForShowSignal`. Unix uses SIGUSR1; Windows uses a named event `Global\NetBirdQuickActionsTriggerEvent`. Mirrors the legacy Fyne UI's external-trigger contract so the installer / CLI keep working.
+- `grpc.go` — lazy, mutex-protected gRPC `Conn` shared by every service. `DaemonAddr()`: `unix:///var/run/netbird.sock` on Linux/macOS, `tcp://127.0.0.1:41731` on Windows.
+- `icons.go` — `//go:embed` tray/window PNGs. macOS uses template variants (`*-macos.png`); Linux ships light + dark PNGs; Windows reuses the light PNG (multi-frame `.ico` never redrew on Wails3's `NIM_MODIFY`).
+
+### Wails services (`services/*.go`)
+Each service is registered via `app.RegisterService(application.NewService(svc))`. Every method becomes a TS function in `frontend/bindings/.../services/`. Frontend-facing details (TS signatures, push events, models) are in `frontend/WAILS-API.md`. After editing any `services/*.go` or the proto, regenerate with `wails3 generate bindings -clean=true -ts` (or `pnpm bindings` from `frontend/`). `frontend/bindings/**` is gitignored.
+
+For frontend-side conventions (routing, providers, contexts) see `frontend/CLAUDE.md`.
+
+## Services rundown
+
+All services live in `services/` and assume a build tag `!android && !ios && !freebsd && !js`. Each takes a shared `DaemonConn` (`conn.go`) and is registered in `main.go`.
+
+| Service | File | Responsibility |
+|---|---|---|
+| `Connection` | `connection.go` | `Login` / `WaitSSOLogin` / `Up` / `Down` / `Logout` / `OpenURL`. `Up` is always async (`Async: true`); status flows back through `Peers`. `Login` Down-resets the daemon first to dislodge a stale WaitSSOLogin. `OpenURL` honors `$BROWSER`. |
+| `Settings` | `settings.go` | `GetConfig` / `SetConfig` (partial update — pointer fields are sent, nil fields preserved) / `GetFeatures` (operator-disabled UI surfaces). |
+| `Profiles` | `profile.go` | `Username` / `List` / `GetActive` / `Switch` / `Add` / `Remove`. `List` populates `Email` from the **user-side** state file (`profilemanager.NewProfileManager().GetProfileState`) — the daemon runs as root and can't read it. |
+| `ProfileSwitcher` | `profileswitcher.go` | `SwitchActive` — the single entry point both tray and frontend should use for profile flips. Applies the reconnect policy (see "Profile switching" below), mirrors the daemon switch into the user-side `profilemanager`, drives optimistic feedback via `Peers.BeginProfileSwitch`. |
+| `Peers` | `peers.go` | Daemon status snapshot + two long-running streams (`SubscribeStatus` → `EventStatus`, `SubscribeEvents` → `EventSystem`). Emits synthetic `StatusDaemonUnavailable` when the socket is unreachable. Owns the profile-switch suppression filter (`BeginProfileSwitch` / `CancelProfileSwitch` / `shouldSuppress`). Fan-outs update metadata into dedicated `EventUpdateAvailable` / `EventUpdateProgress` events. |
+| `Networks` | `network.go` | `List` / `Select` / `Deselect` of routed networks. |
+| `Forwarding` | `forwarding.go` | `List` exposed/forwarded services from the daemon's reverse-proxy table. |
+| `Debug` | `debug.go` | `Bundle` (debug bundle creation + optional upload) / `Get|SetLogLevel` / `RevealFile` (cross-platform "show in file manager"). |
+| `Update` | `update.go` | `GetState` / `Trigger` (enforced installer) / `GetInstallerResult` / `Quit`. The install-progress UI lives in its own auxiliary window (`/#/install-progress`), opened by `WindowManager.OpenInstallProgress` — the daemon goes unreachable mid-install so it can't be inside the main window. |
+| `WindowManager` | `windowmanager.go` | `OpenSettings(tab)` / `OpenBrowserLogin(uri)` / `CloseBrowserLogin` / `OpenSessionExpired` / `OpenSessionAboutToExpire(seconds)` / `OpenInstallProgress(version)` / `CloseInstallProgress`. `OpenSettings("")` opens the General tab; pass a tab id (e.g. `"profiles"`) to deep-link, encoded as `?tab=…` in the start URL. `OpenInstallProgress` is `AlwaysOnTop` and hides every other visible window for the duration of the install (restored on close). Auxiliary windows are created on first open and **destroyed** on close (Wails-recommended singleton pattern; prevents the macOS dock-reopen from resurrecting hidden windows). |
+| `I18n` | `i18n.go` | Thin facade over `i18n.Bundle`. `Languages()` returns the shipped locales (`_index.json`); `Bundle(code)` returns the full key→text map for one language so the React layer can drive its own translation library. |
+| `Preferences` | `preferences.go` | Thin facade over `preferences.Store`. `Get()` returns `{language}`; `SetLanguage(code)` validates against `i18n.Bundle.HasLanguage`, persists, and broadcasts `netbird:preferences:changed`. |
+
+`DaemonConn` is defined in `services/conn.go`; `ptrStr` (string-to-*string helper for proto pointer fields) lives there too.
+
+## Daemon proto
+- Proto source: `../proto/daemon.proto`. Generated Go in `../proto/*.pb.go`.
+- Regen: `cd ../proto && protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative daemon.proto`
+- Pinned versions (see `daemon.pb.go` header): `protoc v7.34.1`, `protoc-gen-go v1.36.6`. CI's `proto-version-check` workflow fails on mismatch.
+- After proto regen, also regen Wails bindings so the TS layer picks up new fields.
+
+## Events bus
+
+`main.go` registers five typed events for the frontend: `netbird:status` (`Status`), `netbird:event` (`SystemEvent`), `netbird:profile:changed` (`ProfileRef`), `netbird:update:available` (`UpdateAvailable`), `netbird:update:progress` (`UpdateProgress`). `netbird:profile:changed` fires from `ProfileSwitcher.SwitchActive` after a successful daemon-side switch — both the React `ProfileContext` and the tray subscribe so a flip driven from one surface paints in the others (the daemon itself does not emit a profile event). Plus three plain-string events:
+
+- `EventTriggerLogin = "trigger-login"` — tray asking the frontend's `startLogin()` to begin an SSO flow. The tray does **not** show the main window when emitting — the hidden webview is alive and subscribed, so `startLogin` runs and the only visible surface is the BrowserLogin popup it opens.
+- `EventBrowserLoginCancel = "browser-login:cancel"` — the `BrowserLogin` window's Cancel button or red-X close. `startLogin()` listens and tears down the daemon's pending `WaitSSOLogin`.
+- `preferences.EventPreferencesChanged = "netbird:preferences:changed"` — emitted after every successful `SetLanguage` (payload `{language}`). Both the tray menu rebuild and the React `i18next.changeLanguage` subscribe so a flip from any window paints everywhere.
+
+Daemon connection status strings (`services/peers.go`) mirror `internal.Status*` in `client/internal/state.go`: `Connected`, `Connecting`, `Idle`, `NeedsLogin`, `LoginFailed`, `SessionExpired`, plus the synthetic `DaemonUnavailable` emitted by `Peers` when the socket is unreachable.
+
+## Profile switching
+
+`services/profileswitcher.go` is the single source of truth for the reconnect policy. Both the tray (`tray.go switchProfile`) and the frontend (via `modules/profile/ProfileContext.tsx`'s `switchProfile`, which `modules/settings/SettingsProfiles.tsx` and the header `ProfileDropdown` go through) call `ProfileSwitcher.SwitchActive`; identical inputs give identical state transitions.
+
+Reconnect policy (driven by `prevStatus` from `Peers.Get`):
+
+| Previous status | Action | Optimistic UI | Suppressed events until new flow begins |
+|---|---|---|---|
+| Connected | Switch + Down + Up | Connecting (synthetic) | Connected, Idle |
+| Connecting | Switch + Down + Up | Connecting (unchanged) | Connected, Idle |
+| NeedsLogin / LoginFailed / SessionExpired | Switch + Down | (no change) | — |
+| Idle | Switch only | (no change) | — |
+
+Only Connected/Connecting trigger `Peers.BeginProfileSwitch`. That:
+1. Sets a 30s `switchInProgress` guard.
+2. Emits a synthetic `Status{Status: StatusConnecting}` so both tray and React paint immediately.
+3. Tells `statusStreamLoop` to drop the daemon's stale Connected updates (peer count drops as the engine tears down) and the transient Idle in between Down and the new Up.
+
+`shouldSuppress` releases the guard as soon as a status that signals the new flow began arrives:
+- **Suppressed**: Connected, Idle
+- **Pass through and clear**: Connecting / NeedsLogin / LoginFailed / SessionExpired / DaemonUnavailable
+- **Timeout fallback**: 30s elapsed → clear flag, emit normally.
+
+`Peers.CancelProfileSwitch` aborts the suppression — called by `tray.go handleDisconnect` so the user's "Disconnect while Connecting" click paints through immediately.
+
+Also: `ProfileSwitcher.SwitchActive` mirrors the daemon switch into the user-side `profilemanager` (`~/Library/Application Support/netbird/active_profile`). The CLI's `netbird up` reads this file and sends the resolved profile name back; if it diverges from the daemon's `/var/lib/netbird/active_profile.json`, the daemon silently flips back. Mirror failures don't abort the switch — surfaced as a warning.
+
+## Auxiliary windows (`WindowManager`)
+
+The main window is created up front in `main.go`. Auxiliary windows are created on demand by `services.WindowManager`:
+
+- **Settings** (`/#/settings`) — opened from the header gear icon (`layouts/Header.tsx → WindowManager.OpenSettings("")`), the tray's Settings menu entry (`tray.go openSettings`), and the profile dropdown's "Manage Profiles" entry (`WindowManager.OpenSettings("profiles")`, which sets `?tab=profiles` in the start URL — `Settings.tsx` reads it via `useSearchParams`). The window hosts every settings tab — including **Profiles** (`SettingsProfiles.tsx`, `UserCircle` icon, sits between Security and SSH), which lists profiles in a table with Deregister/Delete in a per-row kebab and an Add Profile button. Both call sites go through `WindowManager` so the user sees the same dedicated frameless window from either trigger — the tray used to repurpose the main window via `SetURL("/#/settings")`, which replaced the main UI in place. Frameless-look (opaque macOS backdrop, hidden inset title bar), fixed 900×640, no resize, no minimise/maximise.
+- **BrowserLogin** (`/#/browser-login?uri=…`) — opened by the connection toggle's SSO flow (`layouts/ConnectionStatusSwitch.tsx`). 460×440, fixed size. The close button (red X) fires `EventBrowserLoginCancel` so the JS-side `startLogin()` can tear down the daemon's pending `WaitSSOLogin`. `WindowManager.CloseBrowserLogin` closes it programmatically when the flow completes.
+- **SessionExpired** (`/#/session-expired`) and **SessionAboutToExpire** (`/#/session-about-to-expire?seconds=<n>`) — opened by `WindowManager.OpenSessionExpired` / `OpenSessionAboutToExpire(seconds)`. 460×380, fixed size, `AlwaysOnTop: true` (the user can't miss them). The React-side buttons close the window via `WindowManager.CloseSession*` and (for Sign-in / Stay-connected) emit `EventTriggerLogin` so the main window's `startLogin()` orchestrator handles the SSO flow. Currently triggered only by the DEV-only "Development" Settings tab; daemon-status integration is a follow-up.
+- **InstallProgress** (`/#/install-progress?version=<v>`) — opened by `WindowManager.OpenInstallProgress(version)` from `ClientVersionContext` (force-install branch on `installing` flip, user-driven enforced branch from `triggerUpdate`). 360-wide auto-sized via `useAutoSizeWindow`, `AlwaysOnTop`. Owns its own polling loop against `Update.GetInstallerResult` with the 5-second daemon-down-grace (sustained gRPC failure = success → call `Update.Quit()`). Hides every other visible window on open (restored on close). The DEV-only "Development" tab has a "Show updating dialog" button that opens this window directly for preview.
+
+All five auxiliary windows are **destroyed** on close (mutex-guarded singleton; `closing` hook nils the field). Destroying rather than hiding is deliberate — Wails' macOS dock-reopen handler resurrects hidden windows, which we don't want for auxiliaries.
+
+The main window is **hidden** on close (the `WindowClosing` hook calls `e.Cancel(); window.Hide()`). The user reaches "really quit" through the tray → Quit menu entry.
+
+## Localisation (i18n)
+
+The locale tree under `frontend/src/i18n/locales/` is the single source of truth for both Go (tray, OS notifications) and React (every user-facing string). Layout: `_index.json` lists shipped languages (`code` / `displayName` / `englishName`); `<code>/common.json` per language. `en/common.json` must exist (the `Bundle` loader hard-fails without it); languages listed in `_index.json` without a bundle are skipped with a warning. Placeholders are single-braced (`"Install version {version}"`) — Go substitutes via `Bundle.Translate(lang, key, "name", value, ...)`; React uses i18next with `interpolation: { prefix: "{", suffix: "}" }`.
+
+Adding a language: drop a `<code>/common.json`, append a row to `_index.json`, add the static import in `frontend/src/i18n/index.ts`, rebuild. Embed lives in `client/ui/main.go`'s `embed.FS`.
+
+Package layout:
+- `client/ui/i18n/` — pure `LanguageCode` / `Language` / `Bundle` loader. No Wails / no daemon. Reads the tree from an `fs.FS` passed in by `main.go`.
+- `client/ui/preferences/` — `Store` persists `UIPreferences{language}` to `os.UserConfigDir()/netbird/ui-preferences.json` (per-OS-user, shared across daemon profiles). Validates against an injected `LanguageValidator` (`*i18n.Bundle`). No file → in-memory default `en`, persisted on first `SetLanguage`. Broadcasts via in-process pub/sub + optional Wails event emitter.
+- `services/i18n.go` + `services/preferences.go` — Wails facades. Preferences emits `netbird:preferences:changed` (payload `{language}`) on every `SetLanguage`.
+
+Key conventions: `tray.*` / `notify.*` (Go-side), `common.* / connect.* / nav.* / profile.* / settings.* / update.* / browserLogin.* / sessionExpired.* / peers.*` (frontend). Keep keys stable — renames cascade everywhere.
+
+## Linux tray support
+
+The in-process `StatusNotifierWatcher` + XEmbed host that lets the tray work on minimal WMs is detailed in `LINUX-TRAY.md` (sibling). Touch that doc when modifying `tray_watcher_linux.go` / `xembed_host_linux.go` / `xembed_tray_linux.{c,h}`.
+
+## Wails Dialogs (frontend, `@wailsio/runtime`)
+
+API surface — `Dialogs.Info` / `Warning` / `Error` / `Question` / `OpenFile` / `SaveFile`, options shape, per-OS behaviour, and the Go-side frameless-window pattern — lives in `WAILS-DIALOGS.md` (sibling). The conventions for **when** to use a native dialog vs inline UI are in the "Conventions" section below.
+
+## Conventions in this codebase
+
+### Errors → native dialogs
+
+User-actionable operation failures (config save, profile switch, debug bundle, update, etc.) surface via `Dialogs.Error` with an action-named title — "Save Settings Failed", "Switch Profile Failed", not "Error" / "Something went wrong". The dialog itself already says "Error" visually.
+
+Confirmations use `Dialogs.Warning` with explicit `Buttons`. The promise resolves with the **button Label string**, not an index — pin the label into a variable before comparing (especially with i18n, where labels translate). Full API in `WAILS-DIALOGS.md`.
+
+**Skip native dialogs** for: inline form validation (`Input.tsx`, URL-format checks — too heavy for keystroke feedback); transient link errors on the dashboard (flap in/out with daemon — use an inline indicator); "partial success" notes inside an otherwise-OK flow (e.g. "bundle saved but upload failed" stays inline). The install-progress window owns its own error UI in-place (timeout/canceled/failed phases) — no native dialog needed there.
+
+### OS notifications
+
+The tray uses Wails' built-in `notifications` service. One `notifications.NotificationService` is created in `main.go` and passed into `TrayServices.Notifier`. Notification IDs are prefixed for coalescing: `netbird-update-<version>`, `netbird-event-<id>`, `netbird-tray-error`, `netbird-session-expired`. Notifications are gated by the user's "Notifications" toggle (cached in `Tray.notificationsEnabled`, seeded from `Settings.GetConfig` at boot). `Severity == "critical"` events bypass the gate, mirroring the legacy Fyne `event.Manager`.
+
+### Profile switching invariants
+
+`ProfileSwitcher.SwitchActive` is the only switch path on the TS side — `ProfileContext.switchProfile` is the single TS wrapper, and `modules/settings/SettingsProfiles.tsx` + the header `ProfileDropdown` both go through it. The Go side captures `prevStatus`, drives the optimistic-Connecting paint via `Peers.BeginProfileSwitch`, mirrors into the user-side `profilemanager`, and conditionally fires Down/Up per the reconnect-policy table above.
+
+**Never call `Connection.Up` on an Idle/NeedsLogin daemon** — the daemon's internal 50s `waitForUp` blocks until `DeadlineExceeded`. `Connection.Up` from the frontend is reserved for the explicit Connect button (`ConnectionStatusSwitch.connect`) and the post-SSO resume inside `startLogin`; the gating for profile-switch reconnects lives Go-side in `ProfileSwitcher.SwitchActive`.
+
+## Build / dev tasks
+
+`task dev` (Wails dev, live reload), `task build` (prod build for the current OS, dispatches to `build/{darwin,linux,windows}/Taskfile.yml`), `task build:server` / `run:server` / `build:docker` / `run:docker` (server-mode variants in `build/Taskfile.yml`). **No** `task generate:bindings` alias — run `wails3 generate bindings -clean=true -ts` directly from this directory. CLI flags + log-target semantics are documented in the `main.go` bullet under "Layout".
+
+## Useful references
+- `WAILS-DIALOGS.md` (sibling) — full `@wailsio/runtime` `Dialogs` API + per-OS behaviour + frameless-window pattern.
+- `LINUX-TRAY.md` (sibling) — StatusNotifierWatcher + XEmbed host details.
+- `frontend/WAILS-API.md` — frontend-facing binding signatures and model shapes.
+- Wails v3 dialog docs: https://v3.wails.io/features/dialogs/message/ and https://v3.wails.io/features/dialogs/custom/ (may 403 from some clients).
+- Wails v3 multiple-windows guidance: https://v3.wails.io/learn/multiple-windows/
+- Authoritative TS signatures: `frontend/node_modules/@wailsio/runtime/types/dialogs.d.ts`.
+- Wails examples: https://github.com/wailsapp/wails/tree/master/v3/examples/dialogs
--- a/client/ui/LINUX-TRAY.md
+++ b/client/ui/LINUX-TRAY.md
@@ -0,0 +1,8 @@
+# Linux tray support (StatusNotifierWatcher + XEmbed)
+
+Minimal WMs (Fluxbox, OpenBox, i3, dwm, vanilla GNOME without the AppIndicator extension) don't ship a `StatusNotifierWatcher`, so tray icons using libayatana-appindicator / freedesktop StatusNotifier silently fail. `main.go` calls `startStatusNotifierWatcher()` *before* `NewTray` so the Wails systray's `RegisterStatusNotifierItem` call hits the in-process watcher we control.
+
+- `tray_watcher_linux.go` — owns `org.kde.StatusNotifierWatcher` on the session bus if no other process has it. Safe to call unconditionally.
+- `xembed_host_linux.go` + `xembed_tray_linux.{c,h}` — when an XEmbed tray (`_NET_SYSTEM_TRAY_S0`) is available, also start an in-process XEmbed host that bridges the SNI icon into the XEmbed tray. Reads `IconPixmap` over D-Bus, draws via cairo+X11, polls for clicks, fetches `com.canonical.dbusmenu.GetLayout` for the popup menu, fires `com.canonical.dbusmenu.Event` on click.
+
+Build is gated on `linux && !386`; the 386 build (no cgo) and non-Linux builds use the `tray_watcher_other.go` no-op.
--- a/client/ui/Netbird.icns
+++ b/client/ui/Netbird.icns
--- a/client/ui/README.md
+++ b/client/ui/README.md
@@ -0,0 +1,100 @@
+# NetBird desktop UI (Wails3 + React)
+
+Replaces `client/ui` (Fyne). One binary on Windows / macOS / Linux,
+talks to the NetBird daemon over gRPC, renders a React frontend in a
+WebView.
+
+## Prerequisites
+
+- Go ≥ 1.25, Node ≥ 20, **pnpm** (`corepack enable && corepack prepare pnpm@latest --activate`)
+- `wails3` CLI: `go install github.com/wailsapp/wails/v3/cmd/wails3@latest`
+- `task`: `go install github.com/go-task/task/v3/cmd/task@latest`
+- A running NetBird daemon (default: `unix:///var/run/netbird.sock`,
+  Windows `tcp://127.0.0.1:41731`)
+- Linux only: `libwebkit2gtk-4.1-dev`, `libgtk-3-dev`,
+  `libayatana-appindicator3-dev`
+
+## Develop without rebuilding
+
+```bash
+cd client/ui
+task dev
+```
+
+`task dev` runs Vite (port 9245) + the Go binary + a `*.go` watcher.
+Frontend edits hot-reload instantly. Go edits trigger a rebuild and
+relaunch. Pass daemon flags after `--`:
+
+```bash
+task dev -- --daemon-addr=tcp://127.0.0.1:41731
+```
+
+For pure UI work (no native window, fastest loop):
+
+```bash
+cd frontend && pnpm dev
+```
+
+## Production build
+
+```bash
+task build
+```
+
+Output in `bin/`. Frontend assets are embedded into the binary.
+
+### Cross-compile Windows from Linux
+
+Install the mingw-w64 toolchain once:
+
+```bash
+sudo apt install gcc-mingw-w64-x86-64           # Debian/Ubuntu
+sudo dnf install mingw64-gcc                    # Fedora
+sudo pacman -S mingw-w64-gcc                    # Arch
+```
+
+Then:
+
+```bash
+CGO_ENABLED=1 task windows:build
+```
+
+Produces `bin/netbird-ui.exe`. macOS cross-compile from Linux is not
+supported (signing and notarization need a real Mac).
+
+### Windows console build (logs in the terminal)
+
+Default `windows:build` links the binary as a Windows GUI app, which
+detaches from the launching console — `logrus` output, `fmt.Println`,
+and panics go nowhere visible. To debug tray/event/daemon issues:
+
+```bash
+CGO_ENABLED=1 task windows:build:console
+```
+
+Produces `bin/netbird-ui-console.exe`. Run it from `cmd.exe` /
+PowerShell / Windows Terminal and stdout/stderr land in that
+terminal. Same flag works on a native Windows build (drop the
+`CGO_ENABLED=1` if your toolchain already has it set).
+
+## Regenerating bindings
+
+When a Go service signature changes:
+
+```bash
+wails3 generate bindings
+```
+
+`task dev` does this automatically on `*.go` save.
+
+## Tray icons
+
+Source SVGs live in `assets/svg/` (state.svg + state-macos.svg). After editing
+any SVG, rasterize to the PNGs the Go side embeds:
+
+```bash
+task common:generate:tray:icons
+```
+
+Requires Inkscape. Commit the resulting `assets/*.png` files alongside the
+SVG change so CI doesn't need Inkscape installed.
--- a/client/ui/Taskfile.yml
+++ b/client/ui/Taskfile.yml
@@ -0,0 +1,58 @@
+version: '3'
+
+includes:
+  common: ./build/Taskfile.yml
+  windows: ./build/windows/Taskfile.yml
+  darwin: ./build/darwin/Taskfile.yml
+  linux: ./build/linux/Taskfile.yml
+
+vars:
+  APP_NAME: "netbird-ui"
+  BIN_DIR: "bin"
+  VITE_PORT: '{{.WAILS_VITE_PORT | default 9245}}'
+
+tasks:
+  build:
+    summary: Builds the application
+    cmds:
+      - task: "{{OS}}:build"
+
+  package:
+    summary: Packages a production build of the application
+    cmds:
+      - task: "{{OS}}:package"
+
+  run:
+    summary: Runs the application
+    cmds:
+      - task: "{{OS}}:run"
+
+  dev:
+    summary: Runs the application in development mode
+    cmds:
+      - wails3 dev -config ./build/config.yml -port {{.VITE_PORT}}
+
+  setup:docker:
+    summary: Builds Docker image for cross-compilation (~800MB download)
+    cmds:
+      - task: common:setup:docker
+
+  build:server:
+    summary: Builds the application in server mode (no GUI, HTTP server only)
+    cmds:
+      - task: common:build:server
+
+  run:server:
+    summary: Runs the application in server mode
+    cmds:
+      - task: common:run:server
+
+  build:docker:
+    summary: Builds a Docker image for server mode deployment
+    cmds:
+      - task: common:build:docker
+
+  run:docker:
+    summary: Builds and runs the Docker image
+    cmds:
+      - task: common:run:docker
--- a/client/ui/WAILS-DIALOGS.md
+++ b/client/ui/WAILS-DIALOGS.md
@@ -0,0 +1,56 @@
+# Wails Dialogs (frontend, `@wailsio/runtime`)
+
+The frontend dialog API lives in `@wailsio/runtime` as `Dialogs`. Authoritative signatures are in
+`frontend/node_modules/@wailsio/runtime/types/dialogs.d.ts`.
+
+See `CLAUDE.md` for project conventions on *when* to use these (errors vs. inline validation, confirmation flow, etc.).
+
+## Message dialogs
+
+```ts
+import { Dialogs } from "@wailsio/runtime";
+
+await Dialogs.Info({ Title, Message, Buttons?, Detached? });
+await Dialogs.Warning({ Title, Message, Buttons?, Detached? });
+await Dialogs.Error({ Title, Message, Buttons?, Detached? });
+await Dialogs.Question({ Title, Message, Buttons?, Detached? });
+```
+
+All four return `Promise<string>` resolving to the **Label** of the button the user clicked. With no `Buttons` provided you get a single OK button — the promise just resolves when the user dismisses.
+
+`MessageDialogOptions` fields:
+- `Title?: string` — window title (short).
+- `Message?: string` — the body text.
+- `Buttons?: Button[]` — custom buttons. Each `Button` is `{ Label?, IsCancel?, IsDefault? }`. `IsCancel` is what Esc/⌘. triggers; `IsDefault` is what Enter triggers.
+- `Detached?: boolean` — when `true`, the dialog isn't tied to the parent window (no sheet behavior on macOS).
+
+## File dialogs
+
+`Dialogs.OpenFile(options)` and `Dialogs.SaveFile(options)` — see `dialogs.d.ts` for the full `OpenFileDialogOptions` / `SaveFileDialogOptions` field set (filters, ButtonText, multi-select, hidden files, alias resolution, directory mode, etc).
+
+## Per-OS behavior
+
+| Platform | Behavior |
+|---|---|
+| **macOS** | Sheet-style when attached to a parent window. Up to ~4 custom buttons render naturally. Keyboard: Enter = default, ⌘. or Esc = cancel. Follows system theme. Accessibility is built-in. |
+| **Windows** | Modal `TaskDialog`-style. Standard button labels are nudged toward OS conventions. Keyboard: Enter = default, Esc = cancel. Follows system theme. |
+| **Linux** | GTK dialogs — appearance varies by desktop environment (GNOME/KDE). Follows desktop theme. Standard keyboard nav. |
+
+Behavioural notes that affect us:
+- The promise resolves with the **button label string**, not an index. Compare against the literal `Label` you passed (e.g. `if (result !== "Delete") return;`).
+- `Buttons[]` on Linux/Windows uses the labels you supply, but the OS layout/styling is fixed.
+- `Dialogs.Error` plays the platform error sound and uses the platform error icon. Don't use it for confirmations — use `Dialogs.Warning` or `Dialogs.Question`.
+- Don't fire dialogs in a tight loop or from every keystroke — they interrupt focus and (on macOS) animate in/out. Debounce or guard with a `busy` flag.
+
+## Frameless / custom-window dialogs (Go side)
+
+When the native dialog API isn't enough — rich content, embedded webview, multi-screen flow — open a regular Wails window. This is done on the **Go side** via `app.Window.NewWithOptions(application.WebviewWindowOptions{...})`. Useful options:
+- `Parent` — attach to a parent so OS treats it as a child.
+- `AlwaysOnTop: true` — float above the parent.
+- `Frameless: true` — no titlebar/chrome.
+- `Resizable: false` (also `DisableResize: true` in v3) — fixed-size dialog feel.
+- `Hidden: true` initially, then `dialog.Show()` + `dialog.SetFocus()`.
+
+We **do** use this pattern, but pragmatically: `WindowManager.OpenSettings` and `OpenBrowserLogin` are regular small webview windows (not modal sheets) with no resize, hidden minimise/maximise buttons, and a translucent macOS title bar. They're not classic "OS modal dialogs"; they're just lightweight ancillary windows that look the part. Modal behaviour (`parent.SetEnabled(false)`) is intentionally not used — the user can still click back to the main window.
+
+In-app modals (`NewProfileDialog`, delete-profile confirmation, etc.) are Radix `Dialog` primitives inside the main webview. Reach for a custom OS window only when content must escape the main window (BrowserLogin is the canonical example — its lifecycle is tied to the SSO wait) or when the window needs its own taskbar entry / dock icon.
--- a/client/ui/assets/connected.png
+++ b/client/ui/assets/connected.png
--- a/client/ui/assets/disconnected.png
+++ b/client/ui/assets/disconnected.png
--- a/client/ui/assets/netbird-disconnected.ico
+++ b/client/ui/assets/netbird-disconnected.ico
--- a/client/ui/assets/netbird-disconnected.png
+++ b/client/ui/assets/netbird-disconnected.png
--- a/client/ui/assets/netbird-menu-16.png
+++ b/client/ui/assets/netbird-menu-16.png
--- a/client/ui/assets/netbird-menu-24.png
+++ b/client/ui/assets/netbird-menu-24.png
--- a/client/ui/assets/netbird-menu-dot-connected-16.png
+++ b/client/ui/assets/netbird-menu-dot-connected-16.png
--- a/client/ui/assets/netbird-menu-dot-connected-22.png
+++ b/client/ui/assets/netbird-menu-dot-connected-22.png
--- a/client/ui/assets/netbird-menu-dot-connected.png
+++ b/client/ui/assets/netbird-menu-dot-connected.png
--- a/client/ui/assets/netbird-menu-dot-connecting-16.png
+++ b/client/ui/assets/netbird-menu-dot-connecting-16.png
--- a/client/ui/assets/netbird-menu-dot-connecting-22.png
+++ b/client/ui/assets/netbird-menu-dot-connecting-22.png
--- a/client/ui/assets/netbird-menu-dot-connecting.png
+++ b/client/ui/assets/netbird-menu-dot-connecting.png
--- a/client/ui/assets/netbird-menu-dot-error-16.png
+++ b/client/ui/assets/netbird-menu-dot-error-16.png
--- a/client/ui/assets/netbird-menu-dot-error-22.png
+++ b/client/ui/assets/netbird-menu-dot-error-22.png
--- a/client/ui/assets/netbird-menu-dot-error.png
+++ b/client/ui/assets/netbird-menu-dot-error.png
--- a/client/ui/assets/netbird-menu-dot-idle-16.png
+++ b/client/ui/assets/netbird-menu-dot-idle-16.png
--- a/client/ui/assets/netbird-menu-dot-idle-22.png
+++ b/client/ui/assets/netbird-menu-dot-idle-22.png
--- a/client/ui/assets/netbird-menu-dot-idle.png
+++ b/client/ui/assets/netbird-menu-dot-idle.png
--- a/client/ui/assets/netbird-menu-dot-login-16.png
+++ b/client/ui/assets/netbird-menu-dot-login-16.png
--- a/client/ui/assets/netbird-menu-dot-login-22.png
+++ b/client/ui/assets/netbird-menu-dot-login-22.png
--- a/client/ui/assets/netbird-menu-dot-login.png
+++ b/client/ui/assets/netbird-menu-dot-login.png
--- a/client/ui/assets/netbird-menu-dot-offline-16.png
+++ b/client/ui/assets/netbird-menu-dot-offline-16.png
--- a/client/ui/assets/netbird-menu-dot-offline-22.png
+++ b/client/ui/assets/netbird-menu-dot-offline-22.png
--- a/client/ui/assets/netbird-menu-dot-offline.png
+++ b/client/ui/assets/netbird-menu-dot-offline.png
--- a/client/ui/assets/netbird-systemtray-connected-dark.ico
+++ b/client/ui/assets/netbird-systemtray-connected-dark.ico
--- a/client/ui/assets/netbird-systemtray-connected-macos.png
+++ b/client/ui/assets/netbird-systemtray-connected-macos.png
--- a/client/ui/assets/netbird-systemtray-connected.ico
+++ b/client/ui/assets/netbird-systemtray-connected.ico
--- a/client/ui/assets/netbird-systemtray-connecting-dark.ico
+++ b/client/ui/assets/netbird-systemtray-connecting-dark.ico
--- a/client/ui/assets/netbird-systemtray-connecting-macos.png
+++ b/client/ui/assets/netbird-systemtray-connecting-macos.png
--- a/client/ui/assets/netbird-systemtray-connecting.ico
+++ b/client/ui/assets/netbird-systemtray-connecting.ico
--- a/client/ui/assets/netbird-systemtray-disconnected-macos.png
+++ b/client/ui/assets/netbird-systemtray-disconnected-macos.png
--- a/client/ui/assets/netbird-systemtray-disconnected.ico
+++ b/client/ui/assets/netbird-systemtray-disconnected.ico
--- a/client/ui/assets/netbird-systemtray-error-dark.ico
+++ b/client/ui/assets/netbird-systemtray-error-dark.ico
--- a/client/ui/assets/netbird-systemtray-error-macos.png
+++ b/client/ui/assets/netbird-systemtray-error-macos.png
--- a/client/ui/assets/netbird-systemtray-error.ico
+++ b/client/ui/assets/netbird-systemtray-error.ico
--- a/client/ui/assets/netbird-systemtray-needs-login-macos.png
+++ b/client/ui/assets/netbird-systemtray-needs-login-macos.png
--- a/client/ui/assets/netbird-systemtray-needs-login.png
+++ b/client/ui/assets/netbird-systemtray-needs-login.png
--- a/client/ui/assets/netbird-systemtray-update-connected-dark.ico
+++ b/client/ui/assets/netbird-systemtray-update-connected-dark.ico
--- a/Show More
+++ b/Show More