Add daemon socket owner enforcement via SO_PEERCRED

* add SSO session extend flow (management)

Adds the management-server half of the SSO session-extension feature:

- New ExtendAuthSession gRPC RPC that refreshes a peer's session expiry
  using a fresh JWT, validated through the same pipeline as Login but
  without tearing down the tunnel or redoing the NetworkMap sync.
- Per-peer SessionExpiresAt timestamp on every LoginResponse and
  SyncResponse so connected clients learn the deadline on the existing
  long-lived stream, and admin-side changes (toggling expiration,
  changing the expiration window) reach every peer within seconds.
- SessionExpiresAt(...) helper on Peer that derives the absolute UTC
  deadline from LastLogin + the account-level PeerLoginExpiration
  setting, returning zero when the peer is not SSO-tracked or expiration
  is disabled.

The matching client-side consumer of these fields lands separately.

* encode SessionExpiresAt as 3-state on the wire

Previously the `sessionExpiresAt` field on LoginResponse, SyncResponse
and ExtendAuthSessionResponse was 2-state: a valid timestamp meant
"new deadline", and nil meant "clear". That conflated two distinct
meanings — "no info in this snapshot" vs "expiry is explicitly off /
peer is not SSO-tracked" — so a Sync push that legitimately couldn't
compute the deadline (settings lookup failed) would silently clear the
client's anchor and lose the warning window.

Three states now, encoded on the same field number (no .proto schema
churn — only comments and the server-side encoder change):

  - nil pointer (field absent) → "no info"; client preserves anchor
  - &Timestamp{} (seconds=0, nanos=0) → explicit "disabled / not SSO"
    sentinel; client clears
  - valid timestamp → new absolute UTC deadline

A new encodeSessionExpiresAt helper centralises the zero/non-zero
encoding and is shared by the Sync, Login and ExtendAuthSession
builders. The Sync builder still emits nil when settings are missing.
Login and ExtendAuthSession always carry an authoritative value.

The matching client-side decoder lands on feature/session-extend.

* add UserExtendedPeerSession activity event

ExtendAuthSession previously reused UserLoggedInPeer for its audit
record, which conflated two distinct user actions: a full interactive
SSO login (tunnel re-established, network map resync) versus an
in-place deadline refresh (tunnel untouched). Auditors reading the log
couldn't tell which one happened, and downstream dashboards/alerts on
"login" volume were polluted by routine extends.

Adds a dedicated UserExtendedPeerSession Activity (code 125,
"user.peer.session.extend") and switches ExtendPeerSession over to it.
The peer-extend audit trail is now distinguishable from interactive
logins.

* make ExtendAuthSession JWT-retry backoff cancellable

Skip the retry log and 200ms wait on the final attempt, and replace the
uncancellable time.Sleep with a select on time.After/ctx.Done so an
upstream cancellation aborts the wait instead of running it to
completion.

.github/workflows/proto-version-check.yml

@@ -20,34 +20,66 @@ jobs:
               per_page: 100,
             });
 
-            const pbFiles = files.filter(f => f.filename.endsWith('.pb.go'));
-            const missingPatch = pbFiles.filter(f => !f.patch).map(f => f.filename);
-            if (missingPatch.length > 0) {
-              core.setFailed(
-                `Cannot inspect patch data for:\n` +
-                missingPatch.map(f => `- ${f}`).join('\n') +
-                `\nThis can happen with very large PRs. Verify proto versions manually.`
-              );
+            const modifiedPbFiles = files.filter(
+              f => f.filename.endsWith('.pb.go') && f.status === 'modified'
+            );
+            if (modifiedPbFiles.length === 0) {
+              console.log('No modified .pb.go files to check');
               return;
             }
-            const versionPattern = /^[+-]\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
-            const violations = [];
 
-            for (const file of pbFiles) {
-              const changed = file.patch
-                .split('\n')
-                .filter(line => versionPattern.test(line));
-              if (changed.length > 0) {
+            const versionPattern = /^\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
+            const baseSha = context.payload.pull_request.base.sha;
+            const headSha = context.payload.pull_request.head.sha;
+
+            async function getVersionHeader(path, ref) {
+              try {
+                const res = await github.rest.repos.getContent({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  path,
+                  ref,
+                });
+                if (!res.data.content) {
+                  return { ok: false, reason: 'no inline content (file too large)' };
+                }
+                const content = Buffer.from(res.data.content, 'base64').toString('utf8');
+                const lines = content
+                  .split('\n')
+                  .slice(0, 20)
+                  .filter(line => versionPattern.test(line));
+                return { ok: true, lines };
+              } catch (e) {
+                return { ok: false, reason: e.message };
+              }
+            }
+
+            const violations = [];
+            for (const file of modifiedPbFiles) {
+              const [base, head] = await Promise.all([
+                getVersionHeader(file.filename, baseSha),
+                getVersionHeader(file.filename, headSha),
+              ]);
+              if (!base.ok || !head.ok) {
+                core.warning(
+                  `Skipping ${file.filename}: base=${base.ok ? 'ok' : base.reason}, head=${head.ok ? 'ok' : head.reason}`
+                );
+                continue;
+              }
+              if (base.lines.join('\n') !== head.lines.join('\n')) {
                 violations.push({
                   file: file.filename,
-                  lines: changed,
+                  base: base.lines,
+                  head: head.lines,
                 });
               }
             }
 
             if (violations.length > 0) {
               const details = violations.map(v =>
-                `${v.file}:\n${v.lines.map(l => '  ' + l).join('\n')}`
+                `${v.file}:\n` +
+                `  base:\n${v.base.map(l => '    ' + l).join('\n') || '    (none)'}\n` +
+                `  head:\n${v.head.map(l => '    ' + l).join('\n') || '    (none)'}`
               ).join('\n\n');
 
               core.setFailed(

.github/workflows/wasm-build-validation.yml

@@ -61,8 +61,8 @@ jobs:
 
           echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"
 
-          if [ ${SIZE} -gt 62914560 ]; then
-            echo "Wasm binary size (${SIZE_MB}MB) exceeds 60MB limit!"
+          if [ ${SIZE} -gt 58720256 ]; then
+            echo "Wasm binary size (${SIZE_MB}MB) exceeds 56MB limit!"
             exit 1
           fi
 

README.md

@@ -1,147 +1,134 @@
 
 <div align="center">
-<br/>
-  <br/>
-<p align="center">
-  <img width="234" src="docs/media/logo-full.png"/>
-</p>
-  <p>
-   <a href="https://img.shields.io/badge/license-BSD--3-blue)">
-       <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" />
-     </a> 
-     <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
-       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
-     </a> 
-    <br>
+  <p align="center">
+    <img width="234" src="docs/media/logo-full.png" alt="NetBird logo"/>
+  </p>
+  <p align="center">
+    <a href="https://sonarcloud.io/dashboard?id=netbirdio_netbird">
+      <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" alt="SonarCloud alert status"/>
+    </a>
+    <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
+      <img src="https://img.shields.io/badge/license-BSD--3-blue" alt="BSD-3 License"/>
+    </a>
     <a href="https://docs.netbird.io/slack-url">
-        <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
-     </a>
+      <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack" alt="NetBird Slack"/>
+    </a>
     <a href="https://forum.netbird.io">
-        <img src="https://img.shields.io/badge/community forum-@netbird-red.svg?logo=discourse"/>
-     </a>  
-     <br>
+      <img src="https://img.shields.io/badge/community%20forum-@netbird-red.svg?logo=discourse" alt="Community forum"/>
+    </a>
     <a href="https://gurubase.io/g/netbird">
-        <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF"/>
-     </a>    
+      <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF" alt="Gurubase: Ask NetBird Guru"/>
+    </a>
   </p>
 </div>
 
-
 <p align="center">
-<strong>
-  Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
+  <strong>
+    Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
+    <br/>
+    See <a href="https://netbird.io/docs/">Documentation</a>
+    <br/>
+    Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
+  </strong>
   <br/>
-  See <a href="https://netbird.io/docs/">Documentation</a>
   <br/>
-   Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
-  <br/>
- 
-</strong>
-<br>
-<strong>
-  🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
-</strong>
-<br>
-<br>
-<a href="https://registry.terraform.io/providers/netbirdio/netbird/latest">
-    New: NetBird terraform provider
-  </a> 
+  <strong>
+    🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
+  </strong>
 </p>
 
-<br>
-
 **NetBird combines a configuration-free peer-to-peer private network and a centralized access control system in a single platform, making it easy to create secure private networks for your organization or home.**
 
 **Connect.** NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
 
 **Secure.** NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.
 
-### Open Source Network Security in a Single Platform
-
 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2
 
-### Self-Host NetBird (Video)
+### Self-host NetBird (video)
+
 [![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)
 
 ### Key features
 
-| Connectivity | Management | Security | Automation| Platforms |
-|----|----|----|----|----|
-| <ul><li>- \[x] Kernel WireGuard</ul></li> | <ul><li>- \[x] [Admin Web UI](https://github.com/netbirdio/dashboard)</ul></li> | <ul><li>- \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login)</ul></li> | <ul><li>- \[x] [Public API](https://docs.netbird.io/api)</ul></li> | <ul><li>- \[x] Linux</ul></li> |
-| <ul><li>- \[x] Peer-to-peer connections</ul></li> | <ul><li>- \[x] Auto peer discovery and configuration</ui></li> | <ul><li>- \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access)</ui></li> | <ul><li>- \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys)</ui></li> | <ul><li>- \[x] Mac</ui></li> |
-| <ul><li>- \[x] Connection relay fallback</ui></li> | <ul><li>- \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers)</ui></li> | <ul><li>- \[x] [Activity logging](https://docs.netbird.io/how-to/audit-events-logging)</ui></li> | <ul><li>- \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart)</ui></li> | <ul><li>- \[x] Windows</ui></li> |
-| <ul><li>- \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks)</ui></li> | <ul><li>- \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network)</ui></li> | <ul><li>- \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks)</ui></li> | <ul><li>- \[x] IdP groups sync with JWT</ui></li> | <ul><li>- \[x] Android</ui></li> |
-| <ul><li>- \[x] NAT traversal with BPF</ui></li> | <ul><li>- \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network)</ui></li> | <ul><li>- \[x] Peer-to-peer encryption</ui></li> || <ul><li>- \[x] iOS</ui></li> |
-||| <ul><li>- \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn)</ui></li> || <ul><li>- \[x] OpenWRT</ui></li> |
-||| <ul><li>- \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ui></li> || <ul><li>- \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas)</ui></li> |
-||||| <ul><li>- \[x] Docker</ui></li> |
+| Connectivity | Management | Security | Automation | Platforms |
+|---|---|---|---|---|
+| ✓ [Kernel WireGuard](https://docs.netbird.io/about-netbird/why-wireguard-with-netbird) | ✓ [Admin Web UI](https://github.com/netbirdio/dashboard) | ✓ [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) | ✓ [Public API](https://docs.netbird.io/api) | ✓ [Linux](https://docs.netbird.io/get-started/install/linux) |
+| ✓ [Peer-to-peer connections](https://docs.netbird.io/about-netbird/how-netbird-works) | ✓ Auto peer discovery and configuration | ✓ [Access control: groups & rules](https://docs.netbird.io/how-to/manage-network-access) | ✓ [Setup keys for bulk provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) | ✓ [macOS](https://docs.netbird.io/get-started/install/macos) |
+| ✓ Connection relay fallback | ✓ [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) | ✓ [Activity logging](https://docs.netbird.io/how-to/audit-events-logging) | ✓ [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) | ✓ [Windows](https://docs.netbird.io/get-started/install/windows) |
+| ✓ [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) | ✓ [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) | ✓ [Traffic events](https://docs.netbird.io/manage/activity/traffic-events-logging) | ✓ [IdP groups sync with JWT](https://docs.netbird.io/manage/team/idp-sync) | ✓ [Android](https://docs.netbird.io/get-started/install/android) |
+| ✓ [Domain-based DNS routes](https://docs.netbird.io/manage/dns/dns-aliases-for-routed-networks) | ✓ [Custom DNS zones](https://docs.netbird.io/manage/dns/custom-zones) | ✓ [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) | ✓ [Terraform provider](https://registry.terraform.io/providers/netbirdio/netbird/latest) | ✓ [Android TV](https://docs.netbird.io/get-started/install/android-tv) |
+| ✓ [Exit nodes](https://docs.netbird.io/manage/network-routes/use-cases/exit-nodes) | ✓ [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) | ✓ Peer-to-peer encryption | ✓ [Ansible collection](https://github.com/netbirdio/ansible-netbird) | ✓ [iOS](https://docs.netbird.io/get-started/install/ios) |
+| ✓ [IPv6 dual-stack overlay](https://docs.netbird.io/manage/settings/ipv6) | ✓ [Multi-account profile switching](https://docs.netbird.io/client/profiles) | ✓ [SSH with central access policies](https://docs.netbird.io/manage/peers/ssh) | | ✓ [Apple TV](https://docs.netbird.io/get-started/install/tvos) |
+| ✓ [Browser SSH & RDP](https://docs.netbird.io/manage/peers/browser-client) | | ✓ [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) | | ✓ FreeBSD |
+| ✓ [Reverse proxy with auto-TLS](https://docs.netbird.io/manage/reverse-proxy) | | ✓ [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication) | | ✓ [pfSense](https://docs.netbird.io/get-started/install/pfsense) |
+| | | | | ✓ [OPNsense](https://docs.netbird.io/get-started/install/opnsense) |
+| | | | | ✓ [MikroTik RouterOS](https://docs.netbird.io/use-cases/homelab/client-on-mikrotik-router) |
+| | | | | ✓ OpenWRT |
+| | | | | ✓ [Synology](https://docs.netbird.io/get-started/install/synology) |
+| | | | | ✓ [TrueNAS](https://docs.netbird.io/get-started/install/truenas) |
+| | | | | ✓ [Proxmox](https://docs.netbird.io/get-started/install/proxmox-ve) |
+| | | | | ✓ [Raspberry Pi](https://docs.netbird.io/get-started/install/raspberrypi) |
+| | | | | ✓ [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) |
+| | | | | ✓ [Container](https://docs.netbird.io/get-started/install/docker) |
 
 ### Quickstart with NetBird Cloud
 
-- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)
-- Follow the steps to sign-up with Google, Microsoft, GitHub or your email address.
-- Check NetBird [admin UI](https://app.netbird.io/).
-- Add more machines.
+- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install).
+- Follow the steps to sign up with Google, Microsoft, GitHub or your email address.
+- Check the NetBird [admin UI](https://app.netbird.io/).
 
 ### Quickstart with self-hosted NetBird
 
-> This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM.
-Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IDPs.
+This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM. Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IdPs.
 
 **Infrastructure requirements:**
-- A Linux VM with at least **1CPU** and **2GB** of memory.
-- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port: **3478**.
-- **Public domain** name pointing to the VM.
+- A Linux VM with at least **1 CPU** and **2 GB** of memory.
+- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port **3478**.
+- A **public domain** name pointing to the VM.
 
 **Software requirements:**
-- Docker installed on the VM with the docker-compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
-- [jq](https://jqlang.github.io/jq/) installed. In most distributions
-  Usually available in the official repositories and can be installed with `sudo apt install jq` or `sudo yum install jq`
-- [curl](https://curl.se/) installed.
-  Usually available in the official repositories and can be installed with `sudo apt install curl` or `sudo yum install curl`
+- Docker with the Compose plugin (Compose v2 or higher). See the [Docker installation guide](https://docs.docker.com/engine/install/).
 
 **Steps**
 - Download and run the installation script:
 ```bash
 export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
 ```
-- Once finished, you can manage the resources via `docker-compose`
 
 ### A bit on NetBird internals
--  Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
--  Every agent connects to [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to agents (peers).
--  NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
--  Connection candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
--  Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages with candidates.
--  Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and a p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
- 
-[Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.
+- Every machine in the network runs the [NetBird agent](client/), which manages WireGuard.
+- Every agent connects to the [Management Service](management/), which holds network state, manages peer IPs, and distributes updates to agents.
+- Agents use ICE (via [pion/ice](https://github.com/pion/ice)) to discover connection candidates for peer-to-peer connections.
+- Candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
+- Agents negotiate a connection through the [Signal Service](signal/), exchanging end-to-end encrypted messages with candidates.
+- When NAT traversal fails (e.g. mobile carrier-grade NAT) and a direct p2p connection isn't possible, the system falls back to a [Relay Service](relay/) and a secure WireGuard tunnel is established through it.
 
 <p float="left" align="middle">
-  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700"/>
+  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700" alt="NetBird high-level architecture diagram"/>
 </p>
 
 See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.
 
 ### Community projects
--  [NetBird installer script](https://github.com/physk/netbird-installer)
--  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
--  [netbird-tui](https://github.com/n0pashkov/netbird-tui) — terminal UI for managing NetBird peers, routes, and settings
+- [NetBird installer script](https://github.com/physk/netbird-installer)
+- [netbird-tui](https://github.com/n0pashkov/netbird-tui) - terminal UI for managing NetBird peers, routes, and settings
+- [caddy-netbird](https://github.com/lixmal/caddy-netbird) - Caddy plugin that embeds a NetBird client for proxying HTTP and TCP/UDP traffic through NetBird networks
 
 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
 
 ### Support acknowledgement
 
-In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by The Federal Ministry of Education and Research of The Federal Republic of Germany. Together with [CISPA Helmholtz Center for Information Security](https://cispa.de/en) NetBird brings the security best practices and simplicity to private networking.
+In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by the Federal Ministry of Education and Research of the Federal Republic of Germany. Together with the [CISPA Helmholtz Center for Information Security](https://cispa.de/en), NetBird brings security best practices and simplicity to private networking.
 
 ![CISPA_Logo_BLACK_EN_RZ_RGB (1)](https://user-images.githubusercontent.com/700848/203091324-c6d311a0-22b5-4b05-a288-91cbc6cdcc46.png)
 
-### Testimonials
-We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g., by giving a star or a contribution).
+### Acknowledgements
+We build on open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE](https://github.com/pion/ice), and [Rosenpass](https://rosenpass.eu). We greatly appreciate the work these projects are doing, and we'd love it if you could support them too (e.g., by starring or contributing).
 
 ### Legal
-This repository is licensed under BSD-3-Clause license that applies to all parts of the repository except for the directories management/, signal/ and relay/.
+This repository is licensed under the BSD-3-Clause license, which applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.
 
 _WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.

client/android/profile_manager.go

@@ -137,7 +137,7 @@ func (pm *ProfileManager) SwitchProfile(profileName string) error {
 // AddProfile creates a new profile
 func (pm *ProfileManager) AddProfile(profileName string) error {
 	// Use ServiceManager (creates profile in profiles/ directory)
-	if err := pm.serviceMgr.AddProfile(profileName, androidUsername); err != nil {
+	if err := pm.serviceMgr.AddProfile(profileName, androidUsername, nil); err != nil {
 		return fmt.Errorf("failed to add profile: %w", err)
 	}
 

client/cmd/owner.go

@@ -0,0 +1,84 @@
+package cmd
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+var ownerCmd = &cobra.Command{
+	Use:   "owner",
+	Short: "Manage daemon owner UIDs",
+	Long: `Manage the list of UIDs allowed to control the NetBird daemon.
+
+Owners are persisted in the active profile config and survive daemon restarts.
+The first call from the user logged in at the GUI / console session claims
+ownership automatically; these subcommands cover the rest of the lifecycle.`,
+}
+
+var ownerAddCmd = &cobra.Command{
+	Use:   "add <uid>",
+	Short: "Add a UID as an owner of the daemon",
+	Long: `Add a UID to the active profile's owner list. Requires root or an
+existing owner. Use this to grant another local user permanent access without
+having them log in at the console first.`,
+	Args: cobra.ExactArgs(1),
+	RunE: addOwnerFunc,
+}
+
+var ownerResetCmd = &cobra.Command{
+	Use:   "reset",
+	Short: "Clear the daemon's owner list",
+	Long: `Clear the active profile's owner list, returning the daemon to its
+unconfigured state. The next call from the active console-session user will
+re-claim ownership. Requires root.`,
+	RunE: resetOwnerFunc,
+}
+
+func addOwnerFunc(cmd *cobra.Command, args []string) error {
+	if err := setupCmd(cmd); err != nil {
+		return err
+	}
+
+	uid, err := strconv.ParseUint(args[0], 10, 32)
+	if err != nil {
+		return fmt.Errorf("parse uid %q: %w", args[0], err)
+	}
+
+	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
+	if err != nil {
+		return fmt.Errorf("connect to daemon: %w", err)
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	if _, err := client.AddOwner(cmd.Context(), &proto.AddOwnerRequest{Uid: uint32(uid)}); err != nil {
+		return fmt.Errorf("add owner: %w", err)
+	}
+
+	cmd.Printf("UID %d added as owner\n", uid)
+	return nil
+}
+
+func resetOwnerFunc(cmd *cobra.Command, _ []string) error {
+	if err := setupCmd(cmd); err != nil {
+		return err
+	}
+
+	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
+	if err != nil {
+		return fmt.Errorf("connect to daemon: %w", err)
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	if _, err := client.ResetOwner(cmd.Context(), &proto.ResetOwnerRequest{}); err != nil {
+		return fmt.Errorf("reset owner: %w", err)
+	}
+
+	cmd.Println("daemon owner list cleared; next call from the active console user will re-claim ownership")
+	return nil
+}

client/cmd/root.go

@@ -23,6 +23,7 @@ import (
 	"google.golang.org/grpc/credentials/insecure"
 
 	daddr "github.com/netbirdio/netbird/client/internal/daemonaddr"
+	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
 
@@ -156,8 +157,12 @@ func init() {
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)
 	rootCmd.AddCommand(profileCmd)
+	rootCmd.AddCommand(ownerCmd)
 	rootCmd.AddCommand(exposeCmd)
 
+	ownerCmd.AddCommand(ownerAddCmd)
+	ownerCmd.AddCommand(ownerResetCmd)
+
 	networksCMD.AddCommand(routesListCmd)
 	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)
 
@@ -250,11 +255,24 @@ func DialClientGRPCServer(ctx context.Context, addr string) (*grpc.ClientConn, e
 	return grpc.DialContext(
 		ctx,
 		strings.TrimPrefix(addr, "tcp://"),
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		daemonDialTransportOption(addr),
 		grpc.WithBlock(),
 	)
 }
 
+// daemonDialTransportOption returns the appropriate transport credentials for connecting
+// to the daemon. On Unix socket platforms, uses Unix transport credentials so the server
+// can extract the caller's UID for owner verification. Otherwise, uses insecure credentials.
+func daemonDialTransportOption(addr string) grpc.DialOption {
+	if strings.HasPrefix(addr, "unix://") {
+		creds := owner.NewUnixTransportCredentials()
+		if creds != nil {
+			return grpc.WithTransportCredentials(creds)
+		}
+	}
+	return grpc.WithTransportCredentials(insecure.NewCredentials())
+}
+
 // WithBackOff execute function in backoff cycle.
 func WithBackOff(bf func() error) error {
 	return backoff.RetryNotify(bf, CLIBackOffSettings, func(err error, duration time.Duration) {

client/cmd/service_controller.go

@@ -16,6 +16,7 @@ import (
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"
 
+	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
 	"github.com/netbirdio/netbird/client/system"
@@ -29,9 +30,6 @@ func (p *program) Start(svc service.Service) error {
 	// Collect static system and platform information
 	system.UpdateStaticInfoAsync()
 
-	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
-	p.serv = grpc.NewServer()
-
 	split := strings.Split(daemonAddr, "://")
 	switch split[0] {
 	case "unix":
@@ -47,6 +45,12 @@ func (p *program) Start(svc service.Service) error {
 		return fmt.Errorf("unsupported daemon address protocol: %v", split[0])
 	}
 
+	// Set up owner enforcement for Unix sockets.
+	configAdapter := &owner.ConfigAdapter{}
+	serverOpts := ownerServerOpts(split[0], configAdapter)
+
+	p.serv = grpc.NewServer(serverOpts...)
+
 	listen, err := net.Listen(split[0], split[1])
 	if err != nil {
 		return fmt.Errorf("listen daemon interface: %w", err)
@@ -65,6 +69,8 @@ func (p *program) Start(svc service.Service) error {
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}
+
+		configAdapter.SetBackend(serverInstance)
 		proto.RegisterDaemonServiceServer(p.serv, serverInstance)
 
 		p.serverInstanceMu.Lock()
@@ -79,6 +85,32 @@ func (p *program) Start(svc service.Service) error {
 	return nil
 }
 
+// ownerServerOpts returns gRPC server options for owner enforcement.
+// On Unix socket platforms, this includes transport credentials for peer credential
+// extraction and interceptors that check the caller's UID. On other platforms or TCP,
+// no owner enforcement is applied and a warning is logged so operators know the daemon
+// is running without per-user authorization.
+func ownerServerOpts(protocol string, configAdapter *owner.ConfigAdapter) []grpc.ServerOption {
+	if protocol != "unix" {
+		log.Warnf("daemon socket owner enforcement is not applied for protocol %q", protocol)
+		return nil
+	}
+
+	creds := owner.NewUnixTransportCredentials()
+	if creds == nil {
+		log.Warnf("daemon socket owner enforcement unavailable on this platform; daemon will accept any local connection")
+		return nil
+	}
+
+	interceptor := owner.NewInterceptor(configAdapter)
+
+	return []grpc.ServerOption{
+		grpc.Creds(creds),
+		grpc.ChainUnaryInterceptor(interceptor.UnaryInterceptor()),
+		grpc.ChainStreamInterceptor(interceptor.StreamInterceptor()),
+	}
+}
+
 func (p *program) Stop(srv service.Service) error {
 	p.serverInstanceMu.Lock()
 	if p.serverInstance != nil {

client/cmd/testutil_test.go

@@ -11,7 +11,7 @@ import (
 	"go.opentelemetry.io/otel"
 	"google.golang.org/grpc"
 
-	"github.com/netbirdio/management-integrations/integrations"
+	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
 
 	nbcache "github.com/netbirdio/netbird/management/server/cache"
 
@@ -109,7 +109,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		t.Fatal(err)
 	}
 
-	iv, _ := integrations.NewIntegratedValidator(ctx, peersmanager, settingsManagerMock, eventStore, cacheStore)
+	iv, _ := validator.NewIntegratedValidator(ctx, peersmanager, settingsManagerMock, eventStore, cacheStore)
 
 	metrics, err := telemetry.NewDefaultAppMetrics(ctx)
 	require.NoError(t, err)

client/cmd/up.go

@@ -44,6 +44,9 @@ const (
 
 	profileNameFlag = "profile"
 	profileNameDesc = "profile name to use for the login. If not specified, the last used profile will be used."
+
+	claimOwnerFlag = "owner"
+	claimOwnerDesc = "claim owner privileges for this profile, restricting daemon control to the current user and root"
 )
 
 var (
@@ -54,6 +57,7 @@ var (
 	showQR             bool
 	profileName        string
 	configPath         string
+	claimOwner         bool
 
 	upCmd = &cobra.Command{
 		Use:   "up",
@@ -87,6 +91,7 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&showQR, showQRFlag, false, showQRDesc)
 	upCmd.PersistentFlags().StringVar(&profileName, profileNameFlag, "", profileNameDesc)
 	upCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "(DEPRECATED) NetBird config file location. ")
+	upCmd.PersistentFlags().BoolVar(&claimOwner, claimOwnerFlag, false, claimOwnerDesc)
 
 }
 
@@ -331,6 +336,7 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 	if _, err := client.Up(ctx, &proto.UpRequest{
 		ProfileName: &activeProf.Name,
 		Username:    &username,
+		ClaimOwner:  claimOwner,
 	}); err != nil {
 		return fmt.Errorf("call service up method: %v", err)
 	}
@@ -361,12 +367,6 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 	if cmd.Flag(serverSSHAllowedFlag).Changed {
 		req.ServerSSHAllowed = &serverSSHAllowed
 	}
-	if cmd.Flag(serverVNCAllowedFlag).Changed {
-		req.ServerVNCAllowed = &serverVNCAllowed
-	}
-	if cmd.Flag(disableVNCApprovalFlag).Changed {
-		req.DisableVNCApproval = &disableVNCApproval
-	}
 	if cmd.Flag(enableSSHRootFlag).Changed {
 		req.EnableSSHRoot = &enableSSHRoot
 	}
@@ -473,14 +473,30 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 	if cmd.Flag(serverSSHAllowedFlag).Changed {
 		ic.ServerSSHAllowed = &serverSSHAllowed
 	}
-	if cmd.Flag(serverVNCAllowedFlag).Changed {
-		ic.ServerVNCAllowed = &serverVNCAllowed
-	}
-	if cmd.Flag(disableVNCApprovalFlag).Changed {
-		ic.DisableVNCApproval = &disableVNCApproval
+
+	if cmd.Flag(enableSSHRootFlag).Changed {
+		ic.EnableSSHRoot = &enableSSHRoot
 	}
 
-	applySSHFlagsToConfig(cmd, &ic)
+	if cmd.Flag(enableSSHSFTPFlag).Changed {
+		ic.EnableSSHSFTP = &enableSSHSFTP
+	}
+
+	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
+		ic.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
+	}
+
+	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
+		ic.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
+	}
+
+	if cmd.Flag(disableSSHAuthFlag).Changed {
+		ic.DisableSSHAuth = &disableSSHAuth
+	}
+
+	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
+		ic.SSHJWTCacheTTL = &sshJWTCacheTTL
+	}
 
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
@@ -556,49 +572,6 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 	return &ic, nil
 }
 
-func applySSHFlagsToConfig(cmd *cobra.Command, ic *profilemanager.ConfigInput) {
-	if cmd.Flag(enableSSHRootFlag).Changed {
-		ic.EnableSSHRoot = &enableSSHRoot
-	}
-	if cmd.Flag(enableSSHSFTPFlag).Changed {
-		ic.EnableSSHSFTP = &enableSSHSFTP
-	}
-	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
-		ic.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
-	}
-	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
-		ic.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
-	}
-	if cmd.Flag(disableSSHAuthFlag).Changed {
-		ic.DisableSSHAuth = &disableSSHAuth
-	}
-	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
-		ic.SSHJWTCacheTTL = &sshJWTCacheTTL
-	}
-}
-
-func applySSHFlagsToLogin(cmd *cobra.Command, req *proto.LoginRequest) {
-	if cmd.Flag(enableSSHRootFlag).Changed {
-		req.EnableSSHRoot = &enableSSHRoot
-	}
-	if cmd.Flag(enableSSHSFTPFlag).Changed {
-		req.EnableSSHSFTP = &enableSSHSFTP
-	}
-	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
-		req.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
-	}
-	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
-		req.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
-	}
-	if cmd.Flag(disableSSHAuthFlag).Changed {
-		req.DisableSSHAuth = &disableSSHAuth
-	}
-	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
-		ttl := int32(sshJWTCacheTTL)
-		req.SshJWTCacheTTL = &ttl
-	}
-}
-
 func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte, cmd *cobra.Command) (*proto.LoginRequest, error) {
 	loginRequest := proto.LoginRequest{
 		SetupKey:            providedSetupKey,
@@ -628,14 +601,31 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 	if cmd.Flag(serverSSHAllowedFlag).Changed {
 		loginRequest.ServerSSHAllowed = &serverSSHAllowed
 	}
-	if cmd.Flag(serverVNCAllowedFlag).Changed {
-		loginRequest.ServerVNCAllowed = &serverVNCAllowed
-	}
-	if cmd.Flag(disableVNCApprovalFlag).Changed {
-		loginRequest.DisableVNCApproval = &disableVNCApproval
+
+	if cmd.Flag(enableSSHRootFlag).Changed {
+		loginRequest.EnableSSHRoot = &enableSSHRoot
 	}
 
-	applySSHFlagsToLogin(cmd, &loginRequest)
+	if cmd.Flag(enableSSHSFTPFlag).Changed {
+		loginRequest.EnableSSHSFTP = &enableSSHSFTP
+	}
+
+	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
+		loginRequest.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
+	}
+
+	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
+		loginRequest.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
+	}
+
+	if cmd.Flag(disableSSHAuthFlag).Changed {
+		loginRequest.DisableSSHAuth = &disableSSHAuth
+	}
+
+	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
+		sshJWTCacheTTL32 := int32(sshJWTCacheTTL)
+		loginRequest.SshJWTCacheTTL = &sshJWTCacheTTL32
+	}
 
 	if cmd.Flag(disableAutoConnectFlag).Changed {
 		loginRequest.DisableAutoConnect = &autoConnectDisabled

client/cmd/up_daemon_test.go

@@ -29,7 +29,7 @@ func TestUpDaemon(t *testing.T) {
 	}
 
 	sm := profilemanager.ServiceManager{}
-	err = sm.AddProfile("test1", currUser.Username)
+	err = sm.AddProfile("test1", currUser.Username, nil)
 	if err != nil {
 		t.Fatalf("failed to add profile: %v", err)
 		return

client/cmd/vnc_agent.go

@@ -1,100 +0,0 @@
-//go:build windows || (darwin && !ios)
-
-package cmd
-
-import (
-	"fmt"
-	"net"
-	"net/netip"
-	"os"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	vncserver "github.com/netbirdio/netbird/client/vnc/server"
-)
-
-var (
-	vncAgentSocket    string
-	vncAgentTargetUID uint32
-)
-
-func init() {
-	vncAgentCmd.Flags().StringVar(&vncAgentSocket, "socket", "", "Unix-domain socket path the agent listens on (required)")
-	vncAgentCmd.Flags().Uint32Var(&vncAgentTargetUID, "target-uid", 0, "uid the agent should drop privileges to before listening (darwin only; 0 = stay as current uid)")
-	rootCmd.AddCommand(vncAgentCmd)
-}
-
-// vncAgentCmd runs a VNC server inside the user's interactive session,
-// listening on a Unix-domain socket. The NetBird service spawns it: on
-// Windows via CreateProcessAsUser into the console session, on macOS via
-// launchctl asuser into the Aqua session.
-var vncAgentCmd = &cobra.Command{
-	Use:    "vnc-agent",
-	Short:  "Run VNC capture agent (internal, spawned by service)",
-	Hidden: true,
-	RunE: func(cmd *cobra.Command, args []string) error {
-		log.SetReportCaller(true)
-		log.SetFormatter(&log.JSONFormatter{})
-		log.SetOutput(os.Stderr)
-
-		if vncAgentSocket == "" {
-			return fmt.Errorf("--socket is required")
-		}
-
-		token := os.Getenv("NB_VNC_AGENT_TOKEN")
-		if token == "" {
-			return fmt.Errorf("NB_VNC_AGENT_TOKEN not set; agent requires a token from the service")
-		}
-		// Purge the token from env so it doesn't leak via /proc/<pid>/environ.
-		if err := os.Unsetenv("NB_VNC_AGENT_TOKEN"); err != nil {
-			log.Debugf("unset NB_VNC_AGENT_TOKEN: %v", err)
-		}
-
-		// Drop root privileges to the target console user BEFORE creating
-		// the listening socket: keeps a post-auth bug in the encoder /
-		// input / capture paths confined to the user's own privileges
-		// rather than escalating to host root, and makes the daemon's
-		// LOCAL_PEERCRED check see the right uid. No-op on Windows
-		// (both processes run as SYSTEM) and when --target-uid is 0.
-		if vncAgentTargetUID != 0 {
-			if err := dropAgentPrivileges(vncAgentTargetUID); err != nil {
-				return fmt.Errorf("drop privileges to uid %d: %w", vncAgentTargetUID, err)
-			}
-		}
-
-		if err := os.Remove(vncAgentSocket); err != nil && !os.IsNotExist(err) {
-			log.Debugf("remove stale socket %s: %v", vncAgentSocket, err)
-		}
-		ln, err := net.Listen("unix", vncAgentSocket)
-		if err != nil {
-			return fmt.Errorf("listen on %s: %w", vncAgentSocket, err)
-		}
-		if err := os.Chmod(vncAgentSocket, 0o600); err != nil {
-			log.Debugf("chmod %s: %v", vncAgentSocket, err)
-		}
-
-		capturer, injector, err := newAgentResources()
-		if err != nil {
-			_ = ln.Close()
-			return err
-		}
-		srv := vncserver.New(vncserver.Config{
-			Capturer:      capturer,
-			Injector:      injector,
-			DisableAuth:   true,
-			AgentTokenHex: token,
-			Listener:      ln,
-		})
-
-		if err := srv.Start(cmd.Context(), netip.AddrPort{}, netip.Prefix{}); err != nil {
-			return fmt.Errorf("start vnc server: %w", err)
-		}
-		log.Infof("vnc-agent listening on %s, ready", vncAgentSocket)
-
-		<-cmd.Context().Done()
-		log.Info("vnc-agent context cancelled, shutting down")
-		return srv.Stop()
-	},
-	SilenceUsage: true,
-}

client/cmd/vnc_agent_darwin.go

@@ -1,18 +0,0 @@
-//go:build darwin && !ios
-
-package cmd
-
-import (
-	"fmt"
-
-	vncserver "github.com/netbirdio/netbird/client/vnc/server"
-)
-
-func newAgentResources() (vncserver.ScreenCapturer, vncserver.InputInjector, error) {
-	capturer := vncserver.NewMacPoller()
-	injector, err := vncserver.NewMacInputInjector()
-	if err != nil {
-		return nil, nil, fmt.Errorf("macOS input injector: %w", err)
-	}
-	return capturer, injector, nil
-}

client/cmd/vnc_agent_dropprivs_darwin.go

@@ -1,50 +0,0 @@
-//go:build darwin && !ios
-
-package cmd
-
-import (
-	"fmt"
-	"os"
-	"syscall"
-)
-
-// dropAgentPrivileges drops the vnc-agent process from root (its
-// launchctl-asuser-inherited starting uid) to the target console user
-// before any other initialisation runs. Without this the agent runs as
-// root for the lifetime of the session; any post-auth memory-safety
-// issue in the capture/input/encode paths would then be a root-level
-// RCE on the host instead of a user-level one. Also makes the daemon's
-// LOCAL_PEERCRED check correctly identify the agent as the console user,
-// not as root.
-//
-// Returns an error when the agent is running as a non-root uid that
-// differs from targetUID: non-root can only setuid to itself, so a
-// mismatch here means the spawn went to the wrong session.
-func dropAgentPrivileges(targetUID uint32) error {
-	if targetUID == 0 {
-		return fmt.Errorf("refusing to keep agent running as root (target uid 0)")
-	}
-	cur := uint32(os.Getuid())
-	if cur == targetUID {
-		return nil
-	}
-	if cur != 0 {
-		return fmt.Errorf("agent uid %d does not match expected %d and we lack root to fix it", cur, targetUID)
-	}
-	// Drop supplementary groups first: setgid alone doesn't touch the
-	// auxiliary group list, leaving root's groups attached would let the
-	// dropped process write to root-only group-writable files.
-	if err := syscall.Setgroups([]int{}); err != nil {
-		return fmt.Errorf("setgroups([]): %w", err)
-	}
-	if err := syscall.Setgid(int(targetUID)); err != nil {
-		return fmt.Errorf("setgid(%d): %w", targetUID, err)
-	}
-	if err := syscall.Setuid(int(targetUID)); err != nil {
-		return fmt.Errorf("setuid(%d): %w", targetUID, err)
-	}
-	if uint32(os.Getuid()) != targetUID || uint32(os.Geteuid()) != targetUID {
-		return fmt.Errorf("setuid verification: uid=%d euid=%d, expected %d", os.Getuid(), os.Geteuid(), targetUID)
-	}
-	return nil
-}

client/cmd/vnc_agent_dropprivs_darwin_test.go

@@ -1,55 +0,0 @@
-//go:build darwin && !ios
-
-package cmd
-
-import (
-	"strings"
-	"testing"
-)
-
-// TestDropAgentPrivileges_RefusesRootTarget locks in the contract that
-// dropAgentPrivileges must never be a no-op when asked to keep the
-// agent as root (target uid 0). A future caller that passes 0 by
-// mistake would otherwise leave the post-auth attack surface running
-// with full root privileges.
-func TestDropAgentPrivileges_RefusesRootTarget(t *testing.T) {
-	err := dropAgentPrivileges(0)
-	if err == nil {
-		t.Fatal("expected refusal for target uid 0, got nil")
-	}
-	if !strings.Contains(err.Error(), "root") {
-		t.Fatalf("error should mention root, got: %v", err)
-	}
-}
-
-// TestDropAgentPrivileges_NoOpWhenAlreadyTarget covers the dev path
-// where the agent is launched by hand as the target user (no root
-// available, no setuid needed). The helper must succeed silently
-// instead of trying (and failing) a setuid to its current uid.
-func TestDropAgentPrivileges_NoOpWhenAlreadyTarget(t *testing.T) {
-	// Skip when running as root: the early-return path we want to
-	// cover only fires when current uid == target uid.
-	uid := currentUIDForTest()
-	if uid == 0 {
-		t.Skip("test must not run as root; cannot exercise the no-op early-return")
-	}
-	if err := dropAgentPrivileges(uid); err != nil {
-		t.Fatalf("expected no-op when current uid == target, got: %v", err)
-	}
-}
-
-// TestDropAgentPrivileges_RefusesMismatchedNonRoot guards the "non-root
-// caller tries to setuid to a different uid" path: setuid would fail
-// with EPERM anyway, but the helper should surface a clear error
-// before issuing the syscall so a misconfigured spawn (wrong --target-uid
-// flag) is debuggable.
-func TestDropAgentPrivileges_RefusesMismatchedNonRoot(t *testing.T) {
-	uid := currentUIDForTest()
-	if uid == 0 {
-		t.Skip("test must not run as root; covered case requires non-root caller")
-	}
-	err := dropAgentPrivileges(uid + 1)
-	if err == nil {
-		t.Fatal("expected refusal when non-root caller asks to setuid elsewhere")
-	}
-}

client/cmd/vnc_agent_dropprivs_testhelpers_darwin.go

@@ -1,11 +0,0 @@
-//go:build darwin && !ios
-
-package cmd
-
-import "os"
-
-// currentUIDForTest exposes os.Getuid for the darwin dropprivs tests
-// without leaking an os import into the test file itself.
-func currentUIDForTest() uint32 {
-	return uint32(os.Getuid())
-}

client/cmd/vnc_agent_dropprivs_windows.go

@@ -1,14 +0,0 @@
-//go:build windows
-
-package cmd
-
-// dropAgentPrivileges is a no-op on Windows: the agent and the daemon
-// both run as SYSTEM (the daemon spawns the agent into the interactive
-// session via CreateProcessAsUser with an impersonation token, but the
-// resulting process still runs under SYSTEM, not under the user's
-// account). The Windows path relies on the C:\Windows\Temp socket
-// location (admin/SYSTEM-write-only) and the per-spawn token for
-// integrity instead.
-func dropAgentPrivileges(_ uint32) error {
-	return nil
-}

client/cmd/vnc_agent_windows.go

@@ -1,15 +0,0 @@
-//go:build windows
-
-package cmd
-
-import (
-	log "github.com/sirupsen/logrus"
-
-	vncserver "github.com/netbirdio/netbird/client/vnc/server"
-)
-
-func newAgentResources() (vncserver.ScreenCapturer, vncserver.InputInjector, error) {
-	sessionID := vncserver.GetCurrentSessionID()
-	log.Infof("VNC agent running in Windows session %d", sessionID)
-	return vncserver.NewDesktopCapturer(), vncserver.NewWindowsInputInjector(), nil
-}

client/cmd/vnc_flags.go

@@ -1,16 +0,0 @@
-package cmd
-
-const (
-	serverVNCAllowedFlag   = "allow-server-vnc"
-	disableVNCApprovalFlag = "disable-vnc-approval"
-)
-
-var (
-	serverVNCAllowed   bool
-	disableVNCApproval bool
-)
-
-func init() {
-	upCmd.PersistentFlags().BoolVar(&serverVNCAllowed, serverVNCAllowedFlag, false, "Allow embedded VNC server on peer")
-	upCmd.PersistentFlags().BoolVar(&disableVNCApproval, disableVNCApprovalFlag, false, "Disable per-connection user approval prompts for the embedded VNC server")
-}

client/configs/configs.go

@@ -6,30 +6,19 @@ import (
 	"runtime"
 )
 
-var (
-	// StateDir holds persistent state (config, profiles, install metadata).
-	StateDir string
-	// RuntimeDir holds ephemeral artifacts that should not survive reboot,
-	// such as Unix sockets for daemon and per-session IPC. Empty on
-	// platforms without a conventional /var/run-style location.
-	RuntimeDir string
-)
+var StateDir string
 
 func init() {
+	StateDir = os.Getenv("NB_STATE_DIR")
+	if StateDir != "" {
+		return
+	}
 	switch runtime.GOOS {
 	case "windows":
 		StateDir = filepath.Join(os.Getenv("PROGRAMDATA"), "Netbird")
 	case "darwin", "linux":
 		StateDir = "/var/lib/netbird"
-		RuntimeDir = "/var/run/netbird"
 	case "freebsd", "openbsd", "netbsd", "dragonfly":
 		StateDir = "/var/db/netbird"
-		RuntimeDir = "/var/run/netbird"
-	}
-	if v := os.Getenv("NB_STATE_DIR"); v != "" {
-		StateDir = v
-	}
-	if v := os.Getenv("NB_RUNTIME_DIR"); v != "" {
-		RuntimeDir = v
 	}
 }

client/embed/embed.go

@@ -12,6 +12,7 @@ import (
 	"sync"
 
 	"github.com/sirupsen/logrus"
+	wgdevice "golang.zx2c4.com/wireguard/device"
 	wgnetstack "golang.zx2c4.com/wireguard/tun/netstack"
 
 	"github.com/netbirdio/netbird/client/iface"
@@ -84,6 +85,12 @@ type Options struct {
 	DisableIPv6 bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
+	// BlockLANAccess blocks the embedded peer from reaching the host's
+	// LAN (RFC 1918, link-local, loopback) when it's used as a routing
+	// peer. Mirrors profilemanager.ConfigInput.BlockLANAccess. Useful
+	// when the embedded client must never act as a stepping stone into
+	// the host's local network (e.g. the proxy's overlay peer).
+	BlockLANAccess bool
 	// WireguardPort is the port for the tunnel interface. Use 0 for a random port.
 	WireguardPort *int
 	// MTU is the MTU for the tunnel interface.
@@ -94,6 +101,26 @@ type Options struct {
 	MTU *uint16
 	// DNSLabels defines additional DNS labels configured in the peer.
 	DNSLabels []string
+	// Performance configures the tunnel's buffer pool cap and batch size.
+	Performance Performance
+}
+
+// Performance configures the embedded client's tunnel memory/throughput knobs.
+//
+// These settings are process-global: any non-nil field also becomes the
+// default for Clients constructed by later embed.New calls in the same
+// process. Nil fields are ignored.
+type Performance struct {
+	// PreallocatedBuffersPerPool caps the per-tunnel buffer pool. Zero
+	// leaves the pool unbounded. Lower values trade throughput for a
+	// tighter memory ceiling. May also be changed on a running Client via
+	// Client.SetPerformance, provided this field was nonzero at construction.
+	PreallocatedBuffersPerPool *uint32
+	// MaxBatchSize overrides the number of packets the tunnel reads or
+	// writes per syscall, which also bounds eager buffer allocation per
+	// worker. Zero uses the platform default. Applied at construction
+	// only; ignored by Client.SetPerformance.
+	MaxBatchSize *uint32
 }
 
 // validateCredentials checks that exactly one credential type is provided
@@ -175,6 +202,7 @@ func New(opts Options) (*Client, error) {
 		DisableClientRoutes: &opts.DisableClientRoutes,
 		DisableIPv6:         &opts.DisableIPv6,
 		BlockInbound:        &opts.BlockInbound,
+		BlockLANAccess:      &opts.BlockLANAccess,
 		WireguardPort:       opts.WireguardPort,
 		MTU:                 opts.MTU,
 		DNSLabels:           parsedLabels,
@@ -192,6 +220,13 @@ func New(opts Options) (*Client, error) {
 		config.PrivateKey = opts.PrivateKey
 	}
 
+	if opts.Performance.PreallocatedBuffersPerPool != nil {
+		wgdevice.SetPreallocatedBuffersPerPool(*opts.Performance.PreallocatedBuffersPerPool)
+	}
+	if opts.Performance.MaxBatchSize != nil {
+		wgdevice.SetMaxBatchSizeOverride(*opts.Performance.MaxBatchSize)
+	}
+
 	return &Client{
 		deviceName: opts.DeviceName,
 		setupKey:   opts.SetupKey,
@@ -405,6 +440,21 @@ func (c *Client) Expose(ctx context.Context, req ExposeRequest) (*ExposeSession,
 	}, nil
 }
 
+// IdentityForIP looks up a remote peer by its tunnel IP using the
+// embedded client's status recorder. Returns the peer's WireGuard public
+// key and FQDN. ok=false means the IP isn't in this client's peer
+// roster — callers should treat that as "unknown peer".
+func (c *Client) IdentityForIP(ip netip.Addr) (pubKey, fqdn string, ok bool) {
+	if !ip.IsValid() || c.recorder == nil {
+		return "", "", false
+	}
+	state, found := c.recorder.PeerStateByIP(ip.String())
+	if !found {
+		return "", "", false
+	}
+	return state.PubKey, state.FQDN, true
+}
+
 // Status returns the current status of the client.
 func (c *Client) Status() (peer.FullStatus, error) {
 	c.mu.Lock()
@@ -473,6 +523,25 @@ func (c *Client) VerifySSHHostKey(peerAddress string, key []byte) error {
 	return sshcommon.VerifyHostKey(storedKey, key, peerAddress)
 }
 
+// SetPerformance retunes a running Client. Only PreallocatedBuffersPerPool
+// takes effect, and only when it was nonzero at construction;
+// MaxBatchSize is construction-only and returns an error if set here.
+//
+// Returns ErrClientNotStarted / ErrEngineNotStarted if the Client is not
+// running yet.
+func (c *Client) SetPerformance(t Performance) error {
+	if t.MaxBatchSize != nil {
+		return errors.New("MaxBatchSize is construction-only and cannot be changed at runtime")
+	}
+	engine, err := c.getEngine()
+	if err != nil {
+		return err
+	}
+	return engine.SetPerformance(internal.Performance{
+		PreallocatedBuffersPerPool: t.PreallocatedBuffersPerPool,
+	})
+}
+
 // StartCapture begins capturing packets on this client's tunnel device.
 // Only one capture can be active at a time; starting a new one stops the previous.
 // Call StopCapture (or CaptureSession.Stop) to end it.

client/firewall/nftables/external_chain_monitor_linux.go

@@ -52,9 +52,10 @@ func (m *externalChainMonitor) start() {
 
 	ctx, cancel := context.WithCancel(context.Background())
 	m.cancel = cancel
-	m.done = make(chan struct{})
+	done := make(chan struct{})
+	m.done = done
 
-	go m.run(ctx)
+	go m.run(ctx, done)
 }
 
 func (m *externalChainMonitor) stop() {
@@ -72,8 +73,8 @@ func (m *externalChainMonitor) stop() {
 	<-done
 }
 
-func (m *externalChainMonitor) run(ctx context.Context) {
-	defer close(m.done)
+func (m *externalChainMonitor) run(ctx context.Context, done chan struct{}) {
+	defer close(done)
 
 	bo := &backoff.ExponentialBackOff{
 		InitialInterval:     externalMonitorInitInterval,

client/installer.nsis

@@ -260,23 +260,15 @@ WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "Publisher" "${COMP_NAME}"
 
 WriteRegStr ${REG_ROOT} "${UI_REG_APP_PATH}" "" "$INSTDIR\${UI_APP_EXE}"
 
-; Drop Run, App Paths and Uninstall entries left in the 32-bit registry view
-; or HKCU by legacy installers.
-DetailPrint "Cleaning legacy 32-bit / HKCU entries..."
-DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-SetRegView 32
-DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-DeleteRegKey HKLM "${REG_APP_PATH}"
-DeleteRegKey HKLM "${UI_REG_APP_PATH}"
-DeleteRegKey HKLM "${UNINSTALL_PATH}"
-SetRegView 64
-
+; Create autostart registry entry based on checkbox
 DetailPrint "Autostart enabled: $AutostartEnabled"
 ${If} $AutostartEnabled == "1"
     WriteRegStr HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}" '"$INSTDIR\${UI_APP_EXE}.exe"'
     DetailPrint "Added autostart registry entry: $INSTDIR\${UI_APP_EXE}.exe"
 ${Else}
     DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+    ; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
+    DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
     DetailPrint "Autostart not enabled by user"
 ${EndIf}
 
@@ -307,16 +299,11 @@ ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
 DetailPrint "Terminating Netbird UI process..."
 ExecWait `taskkill /im ${UI_APP_EXE}.exe /f`
 
-; Remove autostart entries from every view a previous installer may have used.
+; Remove autostart registry entry
 DetailPrint "Removing autostart registry entry if exists..."
 DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
 DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-SetRegView 32
-DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-DeleteRegKey HKLM "${REG_APP_PATH}"
-DeleteRegKey HKLM "${UI_REG_APP_PATH}"
-DeleteRegKey HKLM "${UNINSTALL_PATH}"
-SetRegView 64
 
 ; Handle data deletion based on checkbox
 DetailPrint "Checking if user requested data deletion..."

client/internal/approval/broker.go

@@ -1,219 +0,0 @@
-// Package approval brokers per-attempt user-accept prompts for inbound
-// remote access (VNC today, SSH and others in the future). A caller pushes
-// a Prompt; the broker emits a SystemEvent on the daemon→UI stream and
-// blocks until the UI calls the daemon's RespondApproval RPC, the per-
-// request timeout fires, or no subscriber is connected. The latter case
-// fails closed so a backgrounded UI cannot silently bypass the gate.
-package approval
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"sync"
-	"time"
-
-	"github.com/google/uuid"
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-// Metadata keys the broker reserves on the emitted SystemEvent. Callers
-// should not set these themselves; values in Prompt.Metadata that collide
-// are overwritten by the broker.
-const (
-	MetaRequestID = "request_id"
-	MetaKind      = "kind"
-	MetaExpiresAt = "expires_at"
-)
-
-// ShortKeyFingerprint formats a hex-encoded Noise_IK static pubkey as a
-// short, eyeball-able fingerprint to display in the approval dialog.
-// The dashboard-supplied display name attached to a SessionPubKey isn't
-// cryptographically asserted by the connecting client, so the prompt
-// must also show something that IS: the key fingerprint, a hash of
-// the static public key the client just proved possession of during the
-// Noise handshake. Returns the empty string when the input is too short
-// to plausibly be a hex pubkey, so the row is omitted rather than
-// rendered as a misleading partial.
-//
-// Output format: 16 hex chars grouped as XXXX-XXXX-XXXX-XXXX (64 bits of
-// fingerprint, resistant to random-prefix collisions and easy for a human
-// to compare with an out-of-band reference).
-func ShortKeyFingerprint(hexKey string) string {
-	if len(hexKey) < 8 {
-		return ""
-	}
-	src := hexKey
-	if len(src) > 16 {
-		src = src[:16]
-	}
-	var out []byte
-	for i, c := range src {
-		if i > 0 && i%4 == 0 {
-			out = append(out, '-')
-		}
-		out = append(out, byte(c))
-	}
-	return string(out)
-}
-
-// Kind values for the well-known prompt subjects. New subsystems should
-// add a constant here so the UI can dispatch on a known string.
-const (
-	KindVNC = "vnc"
-	KindSSH = "ssh"
-)
-
-// DefaultTimeout is the wall-clock window the user has to accept or deny a
-// pending approval before the broker fails closed and returns ErrTimeout.
-// Kept well under typical VNC client and dashboard connection timeouts so
-// the RFB rejection actually reaches the browser instead of racing the
-// browser's own "connection timed out" message.
-const DefaultTimeout = 15 * time.Second
-
-// timeoutValue returns the active timeout. It's a var so tests in this
-// package can shorten the wait without exposing a setter on the public
-// API. Production code always sees DefaultTimeout.
-var timeoutValue = func() time.Duration { return DefaultTimeout }
-
-// ErrNoSubscriber indicates no UI is connected to consume the prompt.
-// The caller must reject the underlying connection (fail-closed).
-var ErrNoSubscriber = errors.New("no UI subscriber connected for approval")
-
-// ErrTimeout indicates the user did not respond within DefaultTimeout.
-var ErrTimeout = errors.New("approval timed out")
-
-// ErrDenied indicates the user explicitly denied the connection.
-var ErrDenied = errors.New("approval denied")
-
-// EventPublisher is the subset of peer.Status used to emit prompts.
-type EventPublisher interface {
-	PublishEvent(
-		severity proto.SystemEvent_Severity,
-		category proto.SystemEvent_Category,
-		msg string,
-		userMsg string,
-		metadata map[string]string,
-	)
-	HasEventSubscribers() bool
-}
-
-// Prompt describes the pending request shown to the user. Kind selects
-// the UI dispatch path (e.g. "vnc", "ssh"). Subject is the human-readable
-// one-liner the UI may show as a title or notification body. Metadata is
-// passed through verbatim and is the subsystem-specific payload (peer
-// name, source IP, mode, etc.).
-type Prompt struct {
-	Kind     string
-	Subject  string
-	Metadata map[string]string
-}
-
-// Decision carries the user's response to an approval prompt. ViewOnly is
-// only meaningful when Accept is true; it lets the host grant the
-// connection but signal the requester that input control is withheld.
-type Decision struct {
-	Accept   bool
-	ViewOnly bool
-}
-
-// Broker holds in-flight approval requests keyed by request ID.
-type Broker struct {
-	pub EventPublisher
-
-	mu      sync.Mutex
-	pending map[string]chan Decision
-}
-
-// New returns a broker that publishes prompts via pub.
-func New(pub EventPublisher) *Broker {
-	return &Broker{
-		pub:     pub,
-		pending: make(map[string]chan Decision),
-	}
-}
-
-// Request emits a SystemEvent for p and blocks until the UI calls Respond,
-// ctx is cancelled, or DefaultTimeout elapses. Returns a Decision when
-// the user replied; ErrDenied / ErrTimeout / ErrNoSubscriber / ctx.Err
-// otherwise. Callers must treat any non-nil error as a deny.
-func (b *Broker) Request(ctx context.Context, p Prompt) (Decision, error) {
-	var zero Decision
-	if b == nil || b.pub == nil {
-		return zero, fmt.Errorf("approval broker not configured")
-	}
-	if !b.pub.HasEventSubscribers() {
-		return zero, ErrNoSubscriber
-	}
-
-	id := uuid.NewString()
-	resp := make(chan Decision, 1)
-
-	b.mu.Lock()
-	b.pending[id] = resp
-	b.mu.Unlock()
-
-	defer b.dropPending(id)
-
-	timeout := timeoutValue()
-	expiresAt := time.Now().Add(timeout)
-	meta := make(map[string]string, len(p.Metadata)+3)
-	for k, v := range p.Metadata {
-		meta[k] = v
-	}
-	meta[MetaRequestID] = id
-	meta[MetaKind] = p.Kind
-	meta[MetaExpiresAt] = expiresAt.UTC().Format(time.RFC3339)
-
-	subject := p.Subject
-	if subject == "" {
-		subject = fmt.Sprintf("%s connection requires approval", p.Kind)
-	}
-	b.pub.PublishEvent(proto.SystemEvent_INFO, proto.SystemEvent_APPROVAL, subject, subject, meta)
-	log.Debugf("approval request %s (%s) emitted: %s", id, p.Kind, subject)
-
-	timer := time.NewTimer(timeout)
-	defer timer.Stop()
-
-	select {
-	case d := <-resp:
-		if !d.Accept {
-			return zero, ErrDenied
-		}
-		return d, nil
-	case <-timer.C:
-		return zero, ErrTimeout
-	case <-ctx.Done():
-		return zero, ctx.Err()
-	}
-}
-
-// Respond delivers the user's decision for id. Returns true when a pending
-// request matched and was woken, false when id was unknown or already done.
-func (b *Broker) Respond(id string, d Decision) bool {
-	if b == nil {
-		return false
-	}
-	b.mu.Lock()
-	ch, ok := b.pending[id]
-	if ok {
-		delete(b.pending, id)
-	}
-	b.mu.Unlock()
-	if !ok {
-		return false
-	}
-	select {
-	case ch <- d:
-	default:
-	}
-	return true
-}
-
-func (b *Broker) dropPending(id string) {
-	b.mu.Lock()
-	delete(b.pending, id)
-	b.mu.Unlock()
-}

client/internal/approval/broker_test.go

@@ -1,434 +0,0 @@
-package approval
-
-import (
-	"context"
-	"sync"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-// fakePublisher records published events and reports whether subscribers
-// are connected. The subscribers flag is the security-critical signal:
-// when false the broker must refuse to emit and the gate must fail closed.
-type fakePublisher struct {
-	mu          sync.Mutex
-	subscribers bool
-	events      []*proto.SystemEvent
-}
-
-func (p *fakePublisher) PublishEvent(
-	severity proto.SystemEvent_Severity,
-	category proto.SystemEvent_Category,
-	msg string,
-	userMsg string,
-	metadata map[string]string,
-) {
-	p.mu.Lock()
-	p.events = append(p.events, &proto.SystemEvent{
-		Severity:    severity,
-		Category:    category,
-		Message:     msg,
-		UserMessage: userMsg,
-		Metadata:    metadata,
-	})
-	p.mu.Unlock()
-}
-
-func (p *fakePublisher) HasEventSubscribers() bool {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	return p.subscribers
-}
-
-func (p *fakePublisher) lastEvent(t *testing.T) *proto.SystemEvent {
-	t.Helper()
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	require.NotEmpty(t, p.events, "publisher saw no events")
-	return p.events[len(p.events)-1]
-}
-
-func (p *fakePublisher) eventCount() int {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	return len(p.events)
-}
-
-// TestRequestNoSubscriberFailsClosed is the core fail-closed invariant:
-// when the UI is not subscribed, the broker must refuse without emitting
-// an event or arming a waiter. A regression here is a silent bypass.
-func TestRequestNoSubscriberFailsClosed(t *testing.T) {
-	pub := &fakePublisher{subscribers: false}
-	b := New(pub)
-
-	_, err := b.Request(context.Background(), Prompt{Kind: KindVNC, Subject: "test"})
-	assert.ErrorIs(t, err, ErrNoSubscriber)
-	assert.Equal(t, 0, pub.eventCount(), "no event must be emitted when fail-closed")
-
-	b.mu.Lock()
-	pending := len(b.pending)
-	b.mu.Unlock()
-	assert.Equal(t, 0, pending, "no waiter must be registered on fail-closed")
-}
-
-// TestRequestTimeoutDenies verifies that a request without a UI response
-// returns ErrTimeout (deny) rather than nil (silent accept). Uses a short
-// per-test broker timeout via Respond after the fact to keep the test fast.
-func TestRequestTimeoutDenies(t *testing.T) {
-	// Replace DefaultTimeout for the lifetime of this test.
-	orig := DefaultTimeout
-	defaultTimeout(t, 60*time.Millisecond)
-	defer defaultTimeout(t, orig)
-
-	pub := &fakePublisher{subscribers: true}
-	b := New(pub)
-
-	start := time.Now()
-	_, err := b.Request(context.Background(), Prompt{Kind: KindVNC, Subject: "test"})
-	assert.ErrorIs(t, err, ErrTimeout, "missing user response must yield ErrTimeout, not nil")
-	assert.GreaterOrEqual(t, time.Since(start), 50*time.Millisecond, "timeout fired prematurely")
-}
-
-// TestRequestDenied returns ErrDenied when the UI responds with false.
-func TestRequestDenied(t *testing.T) {
-	pub := &fakePublisher{subscribers: true}
-	b := New(pub)
-
-	var requestID string
-	done := make(chan error, 1)
-	go func() {
-		done <- requestErr(b, context.Background(), Prompt{Kind: KindVNC, Subject: "test"})
-	}()
-
-	requestID = waitForRequestID(t, pub)
-	require.True(t, b.Respond(requestID, Decision{Accept: false}))
-
-	select {
-	case err := <-done:
-		assert.ErrorIs(t, err, ErrDenied)
-	case <-time.After(time.Second):
-		t.Fatal("Request did not return after Respond(false)")
-	}
-}
-
-// TestRequestAccepted is the happy path. Failure here doesn't bypass the
-// gate but breaks the feature.
-func TestRequestAccepted(t *testing.T) {
-	pub := &fakePublisher{subscribers: true}
-	b := New(pub)
-
-	done := make(chan error, 1)
-	go func() {
-		done <- requestErr(b, context.Background(), Prompt{Kind: KindVNC, Subject: "test"})
-	}()
-
-	id := waitForRequestID(t, pub)
-	require.True(t, b.Respond(id, Decision{Accept: true}))
-
-	select {
-	case err := <-done:
-		assert.NoError(t, err)
-	case <-time.After(time.Second):
-		t.Fatal("Request did not return after Respond(true)")
-	}
-}
-
-// TestRequestCtxCancelDenies verifies that an upstream cancel (e.g. the
-// engine shutting down mid-prompt) returns the cancel error rather than
-// nil. A nil here would be a silent bypass on shutdown races.
-func TestRequestCtxCancelDenies(t *testing.T) {
-	pub := &fakePublisher{subscribers: true}
-	b := New(pub)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	done := make(chan error, 1)
-	go func() {
-		done <- requestErr(b, ctx, Prompt{Kind: KindVNC, Subject: "test"})
-	}()
-
-	// Wait until the prompt is in flight so cancel races a live waiter.
-	_ = waitForRequestID(t, pub)
-	cancel()
-
-	select {
-	case err := <-done:
-		assert.ErrorIs(t, err, context.Canceled)
-	case <-time.After(time.Second):
-		t.Fatal("Request did not return after ctx cancel")
-	}
-}
-
-// TestRespondUnknownIsNoop ensures a stray RespondApproval RPC cannot
-// affect or accidentally accept any in-flight request whose id it doesn't
-// match. Also confirms it doesn't panic.
-func TestRespondUnknownIsNoop(t *testing.T) {
-	pub := &fakePublisher{subscribers: true}
-	b := New(pub)
-
-	// No in-flight prompts: Respond returns false.
-	assert.False(t, b.Respond("does-not-exist", Decision{Accept: true}))
-
-	// With an in-flight prompt, a wrong id still returns false and the
-	// prompt remains armed (eventually timing out as a deny).
-	defaultTimeout(t, 60*time.Millisecond)
-	defer defaultTimeout(t, DefaultTimeout)
-
-	done := make(chan error, 1)
-	go func() {
-		done <- requestErr(b, context.Background(), Prompt{Kind: KindVNC})
-	}()
-	realID := waitForRequestID(t, pub)
-	assert.False(t, b.Respond("totally-bogus", Decision{Accept: true}), "unknown id must not match")
-	assert.NotEqual(t, "totally-bogus", realID)
-
-	select {
-	case err := <-done:
-		assert.ErrorIs(t, err, ErrTimeout, "armed prompt must still time out, not accept")
-	case <-time.After(time.Second):
-		t.Fatal("prompt did not resolve")
-	}
-}
-
-// TestRespondAfterTimeoutNoop confirms a late accept response can't
-// retroactively flip a denied (timed-out) request. The dropPending defer
-// in Request must have removed the entry by the time Respond races in.
-func TestRespondAfterTimeoutNoop(t *testing.T) {
-	defaultTimeout(t, 30*time.Millisecond)
-	defer defaultTimeout(t, DefaultTimeout)
-
-	pub := &fakePublisher{subscribers: true}
-	b := New(pub)
-
-	done := make(chan error, 1)
-	go func() {
-		done <- requestErr(b, context.Background(), Prompt{Kind: KindVNC})
-	}()
-	id := waitForRequestID(t, pub)
-
-	select {
-	case err := <-done:
-		require.ErrorIs(t, err, ErrTimeout)
-	case <-time.After(time.Second):
-		t.Fatal("prompt did not time out")
-	}
-
-	assert.False(t, b.Respond(id, Decision{Accept: true}), "late respond must be no-op")
-}
-
-// TestRespondDoubleNoop ensures a duplicate ack from the UI doesn't leak
-// past the matched waiter or panic on a closed/full channel.
-func TestRespondDoubleNoop(t *testing.T) {
-	pub := &fakePublisher{subscribers: true}
-	b := New(pub)
-
-	done := make(chan error, 1)
-	go func() {
-		done <- requestErr(b, context.Background(), Prompt{Kind: KindVNC})
-	}()
-	id := waitForRequestID(t, pub)
-	require.True(t, b.Respond(id, Decision{Accept: true}))
-	assert.False(t, b.Respond(id, Decision{Accept: false}), "second response must be no-op")
-
-	select {
-	case err := <-done:
-		assert.NoError(t, err)
-	case <-time.After(time.Second):
-		t.Fatal("prompt did not resolve")
-	}
-}
-
-// TestNilBrokerRequestErrors guards the engine pre-init path where the
-// broker may not yet exist (or its publisher is nil): Request must
-// error, never silently accept.
-func TestNilBrokerRequestErrors(t *testing.T) {
-	var b *Broker
-	_, err := b.Request(context.Background(), Prompt{Kind: KindVNC})
-	assert.Error(t, err, "nil broker must error, never silently accept")
-
-	b2 := New(nil)
-	_, err = b2.Request(context.Background(), Prompt{Kind: KindVNC})
-	assert.Error(t, err, "broker with nil publisher must error, never silently accept")
-}
-
-// TestPromptMetadataInjected confirms the broker stamps request_id, kind,
-// and expires_at on the emitted event. The UI relies on these keys; if
-// they are dropped, the user cannot route the prompt and the response
-// path breaks (which fails closed via timeout).
-func TestPromptMetadataInjected(t *testing.T) {
-	pub := &fakePublisher{subscribers: true}
-	b := New(pub)
-
-	done := make(chan error, 1)
-	go func() {
-		done <- requestErr(b, context.Background(), Prompt{
-			Kind:     KindVNC,
-			Subject:  "VNC connection from peerA",
-			Metadata: map[string]string{"peer_name": "peerA"},
-		})
-	}()
-
-	id := waitForRequestID(t, pub)
-	ev := pub.lastEvent(t)
-
-	assert.Equal(t, proto.SystemEvent_APPROVAL, ev.Category)
-	assert.Equal(t, KindVNC, ev.Metadata[MetaKind])
-	assert.Equal(t, id, ev.Metadata[MetaRequestID])
-	assert.NotEmpty(t, ev.Metadata[MetaExpiresAt])
-	assert.Equal(t, "peerA", ev.Metadata["peer_name"], "caller metadata must pass through")
-
-	require.True(t, b.Respond(id, Decision{Accept: true}))
-	<-done
-}
-
-// TestConcurrentRequests verifies that two concurrent prompts are tracked
-// independently. A bug that aliases ids would let one Respond unblock
-// the wrong waiter (a silent accept across prompts).
-func TestConcurrentRequests(t *testing.T) {
-	pub := &fakePublisher{subscribers: true}
-	b := New(pub)
-
-	const n = 20
-	results := make(chan error, n)
-	for i := 0; i < n; i++ {
-		go func() {
-			results <- requestErr(b, context.Background(), Prompt{Kind: KindVNC})
-		}()
-	}
-
-	ids := waitForNRequestIDs(t, pub, n)
-	require.Len(t, ids, n)
-
-	// Deny exactly half, accept the rest. Track outcome per id so we can
-	// match each Request's return value against the response we sent.
-	denySet := make(map[string]bool, n)
-	for i, id := range ids {
-		deny := i%2 == 0
-		denySet[id] = deny
-		require.True(t, b.Respond(id, Decision{Accept: !deny}))
-	}
-
-	// Collect all returns and check no nil errors slipped past a deny.
-	var accepted, denied atomic.Int32
-	for i := 0; i < n; i++ {
-		select {
-		case err := <-results:
-			if err == nil {
-				accepted.Add(1)
-			} else {
-				assert.ErrorIs(t, err, ErrDenied)
-				denied.Add(1)
-			}
-		case <-time.After(2 * time.Second):
-			t.Fatalf("only got %d/%d responses", i, n)
-		}
-	}
-	assert.Equal(t, int32(n/2), denied.Load())
-	assert.Equal(t, int32(n/2), accepted.Load())
-}
-
-// waitForRequestID blocks until the publisher sees its next event and
-// returns the request_id stamped on it.
-func waitForRequestID(t *testing.T, pub *fakePublisher) string {
-	t.Helper()
-	deadline := time.Now().Add(2 * time.Second)
-	for time.Now().Before(deadline) {
-		pub.mu.Lock()
-		count := len(pub.events)
-		var id string
-		if count > 0 {
-			id = pub.events[count-1].Metadata[MetaRequestID]
-		}
-		pub.mu.Unlock()
-		if id != "" {
-			return id
-		}
-		time.Sleep(2 * time.Millisecond)
-	}
-	t.Fatal("timeout waiting for emitted event")
-	return ""
-}
-
-func waitForNRequestIDs(t *testing.T, pub *fakePublisher, n int) []string {
-	t.Helper()
-	deadline := time.Now().Add(2 * time.Second)
-	for time.Now().Before(deadline) {
-		pub.mu.Lock()
-		count := len(pub.events)
-		pub.mu.Unlock()
-		if count >= n {
-			break
-		}
-		time.Sleep(2 * time.Millisecond)
-	}
-	pub.mu.Lock()
-	defer pub.mu.Unlock()
-	out := make([]string, 0, len(pub.events))
-	seen := make(map[string]struct{}, len(pub.events))
-	for _, ev := range pub.events {
-		id := ev.Metadata[MetaRequestID]
-		if id == "" {
-			continue
-		}
-		if _, dup := seen[id]; dup {
-			continue
-		}
-		seen[id] = struct{}{}
-		out = append(out, id)
-	}
-	if len(out) < n {
-		t.Fatalf("only got %d/%d request ids", len(out), n)
-	}
-	return out
-}
-
-// defaultTimeout swaps the broker's per-request wall-clock window so the
-// timeout tests run quickly. Restores the prior value on the next call.
-func defaultTimeout(t *testing.T, d time.Duration) {
-	t.Helper()
-	if d <= 0 {
-		t.Fatal("defaultTimeout must be > 0")
-	}
-	timeoutValue = func() time.Duration { return d }
-}
-
-// requestErr wraps Broker.Request to drop the Decision when tests only
-// care about the error path. Keeps the goroutine bodies tight.
-func requestErr(b *Broker, ctx context.Context, p Prompt) error {
-	_, err := b.Request(ctx, p)
-	return err
-}
-
-// TestRequestViewOnly checks the view-only outcome flows through Request's
-// Decision return without being silently swallowed.
-func TestRequestViewOnly(t *testing.T) {
-	pub := &fakePublisher{subscribers: true}
-	b := New(pub)
-
-	type result struct {
-		d   Decision
-		err error
-	}
-	done := make(chan result, 1)
-	go func() {
-		d, err := b.Request(context.Background(), Prompt{Kind: KindVNC})
-		done <- result{d, err}
-	}()
-
-	id := waitForRequestID(t, pub)
-	require.True(t, b.Respond(id, Decision{Accept: true, ViewOnly: true}))
-
-	select {
-	case r := <-done:
-		assert.NoError(t, r.err)
-		assert.True(t, r.d.Accept)
-		assert.True(t, r.d.ViewOnly, "ViewOnly must survive the round-trip")
-	case <-time.After(time.Second):
-		t.Fatal("view-only request did not resolve")
-	}
-}

client/internal/approval/fingerprint_test.go

@@ -1,62 +0,0 @@
-package approval
-
-import "testing"
-
-// TestShortKeyFingerprint locks in the format the VNC approval prompt
-// shows to the user. The fingerprint is the user's only cryptographic
-// anchor against a malicious management server that pushes a spoofed
-// display name, so accidental changes to its format would silently
-// undermine that defence.
-func TestShortKeyFingerprint(t *testing.T) {
-	cases := []struct {
-		name string
-		in   string
-		want string
-	}{
-		{
-			name: "full_32_byte_pubkey",
-			in:   "0123456789abcdeffedcba9876543210ffeeddccbbaa99887766554433221100",
-			want: "0123-4567-89ab-cdef",
-		},
-		{
-			name: "exactly_16_chars",
-			in:   "0123456789abcdef",
-			want: "0123-4567-89ab-cdef",
-		},
-		{
-			name: "borderline_8_chars",
-			in:   "01234567",
-			want: "0123-4567",
-		},
-		{
-			name: "too_short_returns_empty",
-			in:   "0123",
-			want: "",
-		},
-		{
-			name: "empty_returns_empty",
-			in:   "",
-			want: "",
-		},
-	}
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			got := ShortKeyFingerprint(tc.in)
-			if got != tc.want {
-				t.Fatalf("ShortKeyFingerprint(%q) = %q, want %q", tc.in, got, tc.want)
-			}
-		})
-	}
-}
-
-// TestShortKeyFingerprint_DistinctKeysDistinctOutputs guards against a
-// formatting bug that would collapse different prefixes onto the same
-// displayed fingerprint and let an attacker substitute their pubkey for
-// a victim's while keeping the prompt visually identical.
-func TestShortKeyFingerprint_DistinctKeysDistinctOutputs(t *testing.T) {
-	a := ShortKeyFingerprint("0123456789abcdef" + "rest_of_pubkey_ignored")
-	b := ShortKeyFingerprint("0123456789abcde0" + "rest_of_pubkey_ignored")
-	if a == b {
-		t.Fatalf("expected distinct outputs for distinct prefixes, both = %q", a)
-	}
-}

client/internal/auth/auth.go

@@ -315,7 +315,6 @@ func (a *Auth) setSystemInfoFlags(info *system.Info) {
 		a.config.RosenpassEnabled,
 		a.config.RosenpassPermissive,
 		a.config.ServerSSHAllowed,
-		a.config.ServerVNCAllowed,
 		a.config.DisableClientRoutes,
 		a.config.DisableServerRoutes,
 		a.config.DisableDNS,

client/internal/connect.go

@@ -562,8 +562,6 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		RosenpassEnabled:              config.RosenpassEnabled,
 		RosenpassPermissive:           config.RosenpassPermissive,
 		ServerSSHAllowed:              util.ReturnBoolWithDefaultTrue(config.ServerSSHAllowed),
-		ServerVNCAllowed:              config.ServerVNCAllowed != nil && *config.ServerVNCAllowed,
-		DisableVNCApproval:            config.DisableVNCApproval,
 		EnableSSHRoot:                 config.EnableSSHRoot,
 		EnableSSHSFTP:                 config.EnableSSHSFTP,
 		EnableSSHLocalPortForwarding:  config.EnableSSHLocalPortForwarding,
@@ -646,7 +644,6 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.RosenpassEnabled,
 		config.RosenpassPermissive,
 		config.ServerSSHAllowed,
-		config.ServerVNCAllowed,
 		config.DisableClientRoutes,
 		config.DisableServerRoutes,
 		config.DisableDNS,

client/internal/debug/debug.go

@@ -636,12 +636,6 @@ func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder)
 	if g.internalConfig.SSHJWTCacheTTL != nil {
 		configContent.WriteString(fmt.Sprintf("SSHJWTCacheTTL: %d\n", *g.internalConfig.SSHJWTCacheTTL))
 	}
-	if g.internalConfig.ServerVNCAllowed != nil {
-		configContent.WriteString(fmt.Sprintf("ServerVNCAllowed: %v\n", *g.internalConfig.ServerVNCAllowed))
-	}
-	if g.internalConfig.DisableVNCApproval != nil {
-		configContent.WriteString(fmt.Sprintf("DisableVNCApproval: %v\n", *g.internalConfig.DisableVNCApproval))
-	}
 
 	configContent.WriteString(fmt.Sprintf("DisableClientRoutes: %v\n", g.internalConfig.DisableClientRoutes))
 	configContent.WriteString(fmt.Sprintf("DisableServerRoutes: %v\n", g.internalConfig.DisableServerRoutes))

client/internal/debug/debug_test.go

@@ -862,8 +862,6 @@ func TestAddConfig_AllFieldsCovered(t *testing.T) {
 		RosenpassEnabled:              true,
 		RosenpassPermissive:           true,
 		ServerSSHAllowed:              &bTrue,
-		ServerVNCAllowed:              &bTrue,
-		DisableVNCApproval:            &bTrue,
 		EnableSSHRoot:                 &bTrue,
 		EnableSSHSFTP:                 &bTrue,
 		EnableSSHLocalPortForwarding:  &bTrue,

client/internal/dns/handler_chain.go

@@ -339,8 +339,7 @@ func (c *HandlerChain) isHandlerMatch(qname string, entry HandlerEntry) bool {
 	case entry.Pattern == ".":
 		return true
 	case entry.IsWildcard:
-		parts := strings.Split(strings.TrimSuffix(qname, entry.Pattern), ".")
-		return len(parts) >= 2 && strings.HasSuffix(qname, entry.Pattern)
+		return strings.HasSuffix(qname, "."+entry.Pattern)
 	default:
 		// For non-wildcard patterns:
 		// If handler wants subdomain matching, allow suffix match

client/internal/dns/handler_chain_test.go

@@ -164,6 +164,54 @@ func TestHandlerChain_ServeDNS_DomainMatching(t *testing.T) {
 			matchSubdomains: true,
 			shouldMatch:     true,
 		},
+		{
+			name:            "wildcard label-boundary mismatch (suffix overlap)",
+			handlerDomain:   "*.b.test.",
+			queryDomain:     "x.ab.test.",
+			isWildcard:      true,
+			matchSubdomains: false,
+			shouldMatch:     false,
+		},
+		{
+			name:            "wildcard label-boundary match",
+			handlerDomain:   "*.b.test.",
+			queryDomain:     "x.b.test.",
+			isWildcard:      true,
+			matchSubdomains: false,
+			shouldMatch:     true,
+		},
+		{
+			name:            "wildcard multi-label match",
+			handlerDomain:   "*.b.test.",
+			queryDomain:     "x.y.b.test.",
+			isWildcard:      true,
+			matchSubdomains: false,
+			shouldMatch:     true,
+		},
+		{
+			name:            "wildcard no match on multi-label apex",
+			handlerDomain:   "*.b.test.",
+			queryDomain:     "b.test.",
+			isWildcard:      true,
+			matchSubdomains: false,
+			shouldMatch:     false,
+		},
+		{
+			name:            "wildcard no match on unrelated suffix containment",
+			handlerDomain:   "*.example.com.",
+			queryDomain:     "notexample.com.",
+			isWildcard:      true,
+			matchSubdomains: false,
+			shouldMatch:     false,
+		},
+		{
+			name:            "wildcard accepts pattern registered without trailing dot",
+			handlerDomain:   "*.b.test",
+			queryDomain:     "x.b.test.",
+			isWildcard:      true,
+			matchSubdomains: false,
+			shouldMatch:     true,
+		},
 	}
 
 	for _, tt := range tests {
@@ -273,6 +321,19 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 			expectedCalls:   1,
 			expectedHandler: 2, // highest priority matching handler should be called
 		},
+		{
+			name: "overlapping wildcard suffixes route to correct handler",
+			handlers: []struct {
+				pattern  string
+				priority int
+			}{
+				{pattern: "*.b.test.", priority: nbdns.PriorityDNSRoute},
+				{pattern: "*.ab.test.", priority: nbdns.PriorityDNSRoute},
+			},
+			queryDomain:     "app.ab.test.",
+			expectedCalls:   1,
+			expectedHandler: 1,
+		},
 		{
 			name: "root zone with specific domain",
 			handlers: []struct {

client/internal/dns/local/local.go

@@ -26,6 +26,19 @@ type resolver interface {
 	LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error)
 }
 
+// PeerConnectivity reports whether a tunnel IP belongs to a peer the
+// client knows about and whether that peer is currently connected. The
+// local resolver uses this to suppress A/AAAA answers whose RDATA points
+// at a disconnected peer (typical case: a synthesized private-service
+// record pointing at an embedded proxy peer that just went offline).
+//
+// known=false means the IP isn't in the local peerstore at all — the
+// record is left alone (it points at something outside our mesh, e.g.
+// a non-peer upstream).
+type PeerConnectivity interface {
+	IsConnectedByIP(ip string) (known, connected bool)
+}
+
 type Resolver struct {
 	mu      sync.RWMutex
 	records map[dns.Question][]dns.RR
@@ -33,6 +46,11 @@ type Resolver struct {
 	// zones maps zone domain -> NonAuthoritative (true = non-authoritative, user-created zone)
 	zones    map[domain.Domain]bool
 	resolver resolver
+	// peerConn, when non-nil, is consulted on every A/AAAA answer to
+	// drop records pointing at disconnected peers. nil disables the
+	// filter and preserves the legacy "return whatever is registered"
+	// behaviour for callers that never wire a status source.
+	peerConn PeerConnectivity
 
 	ctx    context.Context
 	cancel context.CancelFunc
@@ -49,6 +67,15 @@ func NewResolver() *Resolver {
 	}
 }
 
+// SetPeerConnectivity wires the per-IP connectivity check used to filter
+// out A/AAAA answers pointing at disconnected peers. Pass nil to disable.
+// Safe to call multiple times; the latest value wins.
+func (d *Resolver) SetPeerConnectivity(p PeerConnectivity) {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	d.peerConn = p
+}
+
 func (d *Resolver) MatchSubdomains() bool {
 	return true
 }
@@ -95,6 +122,7 @@ func (d *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	replyMessage.RecursionAvailable = true
 
 	result := d.lookupRecords(logger, question)
+	result.records = d.filterDisconnectedPeerAnswers(logger, question, result.records)
 	replyMessage.Authoritative = !result.hasExternalData
 	replyMessage.Answer = result.records
 	replyMessage.Rcode = d.determineRcode(question, result)
@@ -436,6 +464,78 @@ func (d *Resolver) logDNSError(logger *log.Entry, hostname string, qtype uint16,
 	}
 }
 
+// filterDisconnectedPeerAnswers drops A/AAAA records whose RDATA matches
+// a known but disconnected peer. The synthesized private-service zones
+// emit one A record per connected proxy peer in a cluster; when a peer
+// goes offline, the server-side refresh removes the record from the
+// next netmap, but the client may still hold the previous netmap for a
+// short window. This filter is the local belt to that braces — even on
+// the stale netmap, the resolver hides the offline target.
+//
+// Records pointing at unknown IPs (outside the local peerstore, e.g.
+// non-mesh upstreams) are never dropped. Non-A/AAAA records pass
+// through untouched.
+//
+// Escape hatch: if filtering would leave the answer empty AND at least
+// one record was filtered, the original list is returned. Better to
+// hand the client a record that may not respond than NXDOMAIN it
+// completely when every proxy peer is offline (the upstream may still
+// be reachable some other way, or the peerstore may be stale).
+func (d *Resolver) filterDisconnectedPeerAnswers(logger *log.Entry, question dns.Question, records []dns.RR) []dns.RR {
+	if len(records) == 0 {
+		return records
+	}
+	d.mu.RLock()
+	checker := d.peerConn
+	d.mu.RUnlock()
+	if checker == nil {
+		return records
+	}
+
+	kept := make([]dns.RR, 0, len(records))
+	var dropped int
+	for _, rr := range records {
+		ip := extractRecordIP(rr)
+		if ip == "" {
+			kept = append(kept, rr)
+			continue
+		}
+		known, connected := checker.IsConnectedByIP(ip)
+		if known && !connected {
+			dropped++
+			continue
+		}
+		kept = append(kept, rr)
+	}
+	if dropped == 0 {
+		return records
+	}
+	if len(kept) == 0 {
+		logger.Debugf("all %d answers for %s point at disconnected peers; returning the original list", dropped, question.Name)
+		return records
+	}
+	logger.Tracef("dropped %d disconnected-peer answer(s) for %s, returning %d", dropped, question.Name, len(kept))
+	return kept
+}
+
+// extractRecordIP returns the dotted-decimal / colon-hex IP carried by
+// an A or AAAA record, or "" for any other record type.
+func extractRecordIP(rr dns.RR) string {
+	switch r := rr.(type) {
+	case *dns.A:
+		if r.A == nil {
+			return ""
+		}
+		return r.A.String()
+	case *dns.AAAA:
+		if r.AAAA == nil {
+			return ""
+		}
+		return r.AAAA.String()
+	}
+	return ""
+}
+
 // Update replaces all zones and their records
 func (d *Resolver) Update(customZones []nbdns.CustomZone) {
 	d.mu.Lock()

client/internal/dns/local/local_test.go

@@ -30,6 +30,21 @@ func (m *mockResolver) LookupNetIP(ctx context.Context, network, host string) ([
 	return nil, nil
 }
 
+// mockPeerConnectivity returns canned (known, connected) results per IP.
+// Used by the disconnected-peer filter tests below. IPs not in the map
+// are reported as unknown so the filter leaves them alone.
+type mockPeerConnectivity struct {
+	byIP map[string]struct{ known, connected bool }
+}
+
+func (m mockPeerConnectivity) IsConnectedByIP(ip string) (known, connected bool) {
+	v, ok := m.byIP[ip]
+	if !ok {
+		return false, false
+	}
+	return v.known, v.connected
+}
+
 func TestLocalResolver_ServeDNS(t *testing.T) {
 	recordA := nbdns.SimpleRecord{
 		Name:  "peera.netbird.cloud.",
@@ -2652,3 +2667,114 @@ func BenchmarkIsInManagedZone_ManyZones(b *testing.B) {
 		resolver.isInManagedZone(qname)
 	}
 }
+
+// TestLocalResolver_FilterDisconnectedPeerAnswers verifies the
+// connectivity-aware filtering layered on top of lookupRecords:
+// when an A record's IP belongs to a known peer that's disconnected,
+// the record is dropped from the answer. Records for unknown IPs pass
+// through. If filtering would empty the answer entirely and at least
+// one record was dropped, the original list is restored (escape hatch
+// for the "all proxies offline" case).
+func TestLocalResolver_FilterDisconnectedPeerAnswers(t *testing.T) {
+	zone := "svc.cluster.netbird."
+	connectedRec := nbdns.SimpleRecord{
+		Name:  zone,
+		Type:  int(dns.TypeA),
+		Class: nbdns.DefaultClass,
+		TTL:   5,
+		RData: "100.64.0.10",
+	}
+	disconnectedRec := nbdns.SimpleRecord{
+		Name:  zone,
+		Type:  int(dns.TypeA),
+		Class: nbdns.DefaultClass,
+		TTL:   5,
+		RData: "100.64.0.11",
+	}
+	unknownRec := nbdns.SimpleRecord{
+		Name:  zone,
+		Type:  int(dns.TypeA),
+		Class: nbdns.DefaultClass,
+		TTL:   5,
+		RData: "203.0.113.5",
+	}
+
+	type ipState struct{ known, connected bool }
+	tests := []struct {
+		name        string
+		records     []nbdns.SimpleRecord
+		connByIP    map[string]ipState
+		wantInOrder []string
+	}{
+		{
+			name:    "drops disconnected peer, keeps connected",
+			records: []nbdns.SimpleRecord{connectedRec, disconnectedRec},
+			connByIP: map[string]ipState{
+				"100.64.0.10": {known: true, connected: true},
+				"100.64.0.11": {known: true, connected: false},
+			},
+			wantInOrder: []string{"100.64.0.10"},
+		},
+		{
+			name:    "unknown IPs pass through untouched",
+			records: []nbdns.SimpleRecord{unknownRec, disconnectedRec},
+			connByIP: map[string]ipState{
+				"100.64.0.11": {known: true, connected: false},
+			},
+			wantInOrder: []string{"203.0.113.5"},
+		},
+		{
+			name:    "all disconnected falls back to original list",
+			records: []nbdns.SimpleRecord{disconnectedRec, connectedRec},
+			connByIP: map[string]ipState{
+				"100.64.0.10": {known: true, connected: false},
+				"100.64.0.11": {known: true, connected: false},
+			},
+			wantInOrder: []string{"100.64.0.11", "100.64.0.10"},
+		},
+		{
+			name:        "no checker wired returns all records",
+			records:     []nbdns.SimpleRecord{connectedRec, disconnectedRec},
+			connByIP:    nil,
+			wantInOrder: []string{"100.64.0.10", "100.64.0.11"},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			resolver := NewResolver()
+			if tc.connByIP != nil {
+				cm := mockPeerConnectivity{byIP: make(map[string]struct{ known, connected bool }, len(tc.connByIP))}
+				for ip, st := range tc.connByIP {
+					cm.byIP[ip] = struct{ known, connected bool }{st.known, st.connected}
+				}
+				resolver.SetPeerConnectivity(cm)
+			}
+			resolver.Update([]nbdns.CustomZone{{
+				Domain:           strings.TrimSuffix(zone, "."),
+				Records:          tc.records,
+				NonAuthoritative: true,
+			}})
+
+			var got *dns.Msg
+			writer := &test.MockResponseWriter{
+				WriteMsgFunc: func(m *dns.Msg) error {
+					got = m
+					return nil
+				},
+			}
+			req := new(dns.Msg).SetQuestion(zone, dns.TypeA)
+			resolver.ServeDNS(writer, req)
+
+			require.NotNil(t, got, "resolver must produce a response")
+			require.Len(t, got.Answer, len(tc.wantInOrder),
+				"answer count must match expected: %v", tc.wantInOrder)
+			for i, want := range tc.wantInOrder {
+				a, ok := got.Answer[i].(*dns.A)
+				require.True(t, ok, "answer[%d] must be an A record", i)
+				assert.Equal(t, want, a.A.String(),
+					"answer[%d] expected %s got %s", i, want, a.A.String())
+			}
+		})
+	}
+}

client/internal/dns/server.go

@@ -301,6 +301,11 @@ func newDefaultServer(
 		warningDelayBase:  defaultWarningDelayBase,
 		healthRefresh:     make(chan struct{}, 1),
 	}
+	// Wire the local resolver against the peer status recorder so it can
+	// suppress A/AAAA answers that point at disconnected peers (typical
+	// case: synthesised private-service records pointing at an embedded
+	// proxy peer that just went offline).
+	defaultServer.localResolver.SetPeerConnectivity(localPeerConnectivity{statusRecorder})
 
 	// register with root zone, handler chain takes care of the routing
 	dnsService.RegisterMux(".", handlerChain)
@@ -1386,3 +1391,25 @@ func (s *DefaultServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	}
 	return nil
 }
+
+// localPeerConnectivity adapts *peer.Status to local.PeerConnectivity so
+// the local resolver can ask "is this IP a known peer and is it
+// connected?" without taking on the peer package as a dependency.
+// A nil status recorder always reports known=false so the resolver
+// short-circuits to the legacy "return everything" path.
+type localPeerConnectivity struct {
+	status *peer.Status
+}
+
+// IsConnectedByIP looks the IP up in the peerstore and surfaces both
+// the known and connected bits. Used by Resolver.filterDisconnectedPeerAnswers.
+func (l localPeerConnectivity) IsConnectedByIP(ip string) (known, connected bool) {
+	if l.status == nil {
+		return false, false
+	}
+	state, ok := l.status.PeerStateByIP(ip)
+	if !ok {
+		return false, false
+	}
+	return true, state.ConnStatus == peer.StatusConnected
+}

client/internal/engine.go

@@ -35,7 +35,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/acl"
-	"github.com/netbirdio/netbird/client/internal/approval"
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
@@ -124,8 +123,6 @@ type EngineConfig struct {
 	RosenpassPermissive bool
 
 	ServerSSHAllowed              bool
-	ServerVNCAllowed              bool
-	DisableVNCApproval            *bool
 	EnableSSHRoot                 *bool
 	EnableSSHSFTP                 *bool
 	EnableSSHLocalPortForwarding  *bool
@@ -207,9 +204,7 @@ type Engine struct {
 
 	networkMonitor *networkmonitor.NetworkMonitor
 
-	sshServer      sshServer
-	vncSrv         vncServer
-	approvalBroker *approval.Broker
+	sshServer sshServer
 
 	statusRecorder *peer.Status
 
@@ -290,7 +285,6 @@ func NewEngine(
 		TURNs:              []*stun.URI{},
 		networkSerial:      0,
 		statusRecorder:     services.StatusRecorder,
-		approvalBroker:     approval.New(services.StatusRecorder),
 		stateManager:       services.StateManager,
 		portForwardManager: portforward.NewManager(),
 		checks:             services.Checks,
@@ -326,10 +320,6 @@ func (e *Engine) Stop() error {
 		log.Warnf("failed to stop SSH server: %v", err)
 	}
 
-	if err := e.stopVNCServer(); err != nil {
-		log.Warnf("failed to stop VNC server: %v", err)
-	}
-
 	e.cleanupSSHConfig()
 
 	if e.ingressGatewayMgr != nil {
@@ -1020,7 +1010,6 @@ func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 		e.config.RosenpassEnabled,
 		e.config.RosenpassPermissive,
 		&e.config.ServerSSHAllowed,
-		&e.config.ServerVNCAllowed,
 		e.config.DisableClientRoutes,
 		e.config.DisableServerRoutes,
 		e.config.DisableDNS,
@@ -1068,10 +1057,6 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 		}
 	}
 
-	if err := e.updateVNC(); err != nil {
-		log.Warnf("failed handling VNC server setup: %v", err)
-	}
-
 	state := e.statusRecorder.GetLocalPeerState()
 	state.IP = e.wgInterface.Address().String()
 	state.IPv6 = e.wgInterface.Address().IPv6String()
@@ -1197,7 +1182,6 @@ func (e *Engine) receiveManagementEvents() {
 			e.config.RosenpassEnabled,
 			e.config.RosenpassPermissive,
 			&e.config.ServerSSHAllowed,
-			&e.config.ServerVNCAllowed,
 			e.config.DisableClientRoutes,
 			e.config.DisableServerRoutes,
 			e.config.DisableDNS,
@@ -1387,11 +1371,6 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		e.updateSSHServerAuth(networkMap.GetSshAuth())
 	}
 
-	// VNC auth: always sync, including nil so cleared auth on the management
-	// side is applied locally, and so it isn't skipped on the RemotePeersIsEmpty
-	// cleanup path.
-	e.updateVNCServerAuth(networkMap.GetVncAuth())
-
 	// must set the exclude list after the peers are added. Without it the manager can not figure out the peers parameters from the store
 	excludedLazyPeers := e.toExcludedLazyPeers(forwardingRules, remotePeers)
 	e.connMgr.SetExcludeList(e.ctx, excludedLazyPeers)
@@ -1847,7 +1826,6 @@ func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, err
 		e.config.RosenpassEnabled,
 		e.config.RosenpassPermissive,
 		&e.config.ServerSSHAllowed,
-		&e.config.ServerVNCAllowed,
 		e.config.DisableClientRoutes,
 		e.config.DisableServerRoutes,
 		e.config.DisableDNS,
@@ -1989,6 +1967,29 @@ func (e *Engine) GetClientMetrics() *metrics.ClientMetrics {
 	return e.clientMetrics
 }
 
+// Performance bundles runtime-adjustable tunnel pool knobs.
+// See Engine.SetPerformance. Nil fields are ignored.
+type Performance struct {
+	PreallocatedBuffersPerPool *uint32
+}
+
+// SetPerformance applies the given tuning to this engine's live Device.
+func (e *Engine) SetPerformance(t Performance) error {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+	if e.wgInterface == nil {
+		return fmt.Errorf("wg interface not initialized")
+	}
+	dev := e.wgInterface.GetWGDevice()
+	if dev == nil {
+		return fmt.Errorf("wg device not initialized")
+	}
+	if t.PreallocatedBuffersPerPool != nil {
+		dev.SetPreallocatedBuffersPerPool(*t.PreallocatedBuffersPerPool)
+	}
+	return nil
+}
+
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {
 	iface, err := net.InterfaceByName(ifaceName)
 	if err != nil {
@@ -2612,16 +2613,3 @@ func decodeRelayIP(b []byte) netip.Addr {
 	}
 	return ip.Unmap()
 }
-
-// RespondApproval relays the user's decision for a pending approval to
-// the broker. viewOnly is honoured only when accept is true. Returns
-// true when the request_id matched a live prompt.
-func (e *Engine) RespondApproval(requestID string, accept, viewOnly bool) bool {
-	if e == nil || e.approvalBroker == nil {
-		return false
-	}
-	return e.approvalBroker.Respond(requestID, approval.Decision{
-		Accept:   accept,
-		ViewOnly: accept && viewOnly,
-	})
-}

client/internal/engine_ssh.go

@@ -12,7 +12,7 @@ import (
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
-	sshauth "github.com/netbirdio/netbird/shared/sessionauth"
+	sshauth "github.com/netbirdio/netbird/client/ssh/auth"
 	sshconfig "github.com/netbirdio/netbird/client/ssh/config"
 	sshserver "github.com/netbirdio/netbird/client/ssh/server"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
@@ -237,18 +237,22 @@ func (e *Engine) startSSHServer(jwtConfig *sshserver.JWTConfig) error {
 		return errors.New("wg interface not initialized")
 	}
 
-	wgAddr := e.wgInterface.Address()
 	serverConfig := &sshserver.Config{
-		HostKeyPEM:        e.config.SSHKey,
-		JWT:               jwtConfig,
-		NetstackNet:       e.wgInterface.GetNet(),
-		NetworkValidation: wgAddr,
+		HostKeyPEM: e.config.SSHKey,
+		JWT:        jwtConfig,
 	}
 	server := sshserver.New(serverConfig)
 
+	wgAddr := e.wgInterface.Address()
+	server.SetNetworkValidation(wgAddr)
+
 	netbirdIP := wgAddr.IP
 	listenAddr := netip.AddrPortFrom(netbirdIP, sshserver.InternalSSHPort)
 
+	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
+		server.SetNetstackNet(netstackNet)
+	}
+
 	e.configureSSHServer(server)
 
 	if err := server.Start(e.ctx, listenAddr); err != nil {

client/internal/engine_test.go

@@ -27,7 +27,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/management/server/job"
 
-	"github.com/netbirdio/management-integrations/integrations"
+	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
 
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
@@ -66,8 +66,8 @@ import (
 	"github.com/netbirdio/netbird/route"
 	mgmt "github.com/netbirdio/netbird/shared/management/client"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
-	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	"github.com/netbirdio/netbird/shared/netiputil"
+	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	"github.com/netbirdio/netbird/shared/signal/proto"
 	signalServer "github.com/netbirdio/netbird/signal/server"
@@ -1641,7 +1641,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 		return nil, "", err
 	}
 
-	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore, cacheStore)
+	ia, _ := validator.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore, cacheStore)
 
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)

client/internal/engine_vnc.go

@@ -1,303 +0,0 @@
-//go:build !js && !ios && !android
-
-package internal
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/netip"
-
-	log "github.com/sirupsen/logrus"
-
-	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/internal/approval"
-	"github.com/netbirdio/netbird/client/internal/metrics"
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/vnc"
-	vncserver "github.com/netbirdio/netbird/client/vnc/server"
-	sshauth "github.com/netbirdio/netbird/shared/sessionauth"
-	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
-	sshuserhash "github.com/netbirdio/netbird/shared/sshauth"
-)
-
-
-type vncServer interface {
-	Start(ctx context.Context, addr netip.AddrPort, network netip.Prefix) error
-	Stop() error
-	ActiveSessions() []vncserver.ActiveSessionInfo
-}
-
-func (e *Engine) setupVNCPortRedirection() error {
-	if e.firewall == nil || e.wgInterface == nil {
-		return nil
-	}
-
-	localAddr := e.wgInterface.Address().IP
-	if !localAddr.IsValid() {
-		return errors.New("invalid local NetBird address")
-	}
-
-	if err := e.firewall.AddInboundDNAT(localAddr, firewallManager.ProtocolTCP, vnc.ExternalPort, vnc.InternalPort); err != nil {
-		return fmt.Errorf("add VNC port redirection: %w", err)
-	}
-	log.Infof("VNC port redirection: %s:%d -> %s:%d", localAddr, vnc.ExternalPort, localAddr, vnc.InternalPort)
-
-	return nil
-}
-
-func (e *Engine) cleanupVNCPortRedirection() error {
-	if e.firewall == nil || e.wgInterface == nil {
-		return nil
-	}
-
-	localAddr := e.wgInterface.Address().IP
-	if !localAddr.IsValid() {
-		return errors.New("invalid local NetBird address")
-	}
-
-	if err := e.firewall.RemoveInboundDNAT(localAddr, firewallManager.ProtocolTCP, vnc.ExternalPort, vnc.InternalPort); err != nil {
-		return fmt.Errorf("remove VNC port redirection: %w", err)
-	}
-
-	return nil
-}
-
-// updateVNC handles starting/stopping the VNC server based on the config flag.
-func (e *Engine) updateVNC() error {
-	if !e.config.ServerVNCAllowed {
-		if e.vncSrv != nil {
-			log.Info("VNC server disabled, stopping")
-		}
-		return e.stopVNCServer()
-	}
-
-	if e.config.BlockInbound {
-		log.Info("VNC server disabled because inbound connections are blocked")
-		return e.stopVNCServer()
-	}
-
-	if e.vncSrv != nil {
-		return nil
-	}
-
-	return e.startVNCServer()
-}
-
-func (e *Engine) startVNCServer() error {
-	if e.wgInterface == nil {
-		return errors.New("wg interface not initialized")
-	}
-
-	capturer, injector, ok := newPlatformVNC()
-	if !ok {
-		log.Debug("VNC server not supported on this platform")
-		return nil
-	}
-
-	netbirdIP := e.wgInterface.Address().IP
-
-	var sessionRecorder func(vncserver.SessionTick)
-	if e.clientMetrics != nil {
-		sessionRecorder = func(t vncserver.SessionTick) {
-			e.clientMetrics.RecordVNCSessionTick(e.ctx, metrics.VNCSessionTick{
-				Period:        t.Period,
-				BytesOut:      t.BytesOut,
-				Writes:        t.Writes,
-				FBUs:          t.FBUs,
-				MaxFBUBytes:   t.MaxFBUBytes,
-				MaxFBURects:   t.MaxFBURects,
-				MaxWriteBytes: t.MaxWriteBytes,
-				WriteNanos:    t.WriteNanos,
-			})
-		}
-	}
-	serviceMode := vncNeedsServiceMode()
-	if serviceMode {
-		log.Info("VNC: running as system service, enabling service mode (per-session agent proxy)")
-	}
-	requireApproval := e.config.DisableVNCApproval == nil || !*e.config.DisableVNCApproval
-	srv := vncserver.New(vncserver.Config{
-		Capturer:        capturer,
-		Injector:        injector,
-		IdentityKey:     e.config.WgPrivateKey[:],
-		ServiceMode:     serviceMode,
-		SessionRecorder: sessionRecorder,
-		NetstackNet:     e.wgInterface.GetNet(),
-		RequireApproval: requireApproval,
-		Approver:        &vncApprover{broker: e.approvalBroker, statusRecorder: e.statusRecorder},
-	})
-
-	listenAddr := netip.AddrPortFrom(netbirdIP, vnc.InternalPort)
-	network := e.wgInterface.Address().Network
-	if err := srv.Start(e.ctx, listenAddr, network); err != nil {
-		return fmt.Errorf("start VNC server: %w", err)
-	}
-
-	e.vncSrv = srv
-
-	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
-		if registrar, ok := e.firewall.(interface {
-			RegisterNetstackService(protocol nftypes.Protocol, port uint16)
-		}); ok {
-			registrar.RegisterNetstackService(nftypes.TCP, vnc.InternalPort)
-			log.Debugf("registered VNC service with netstack for TCP:%d", vnc.InternalPort)
-		}
-	}
-
-	if err := e.setupVNCPortRedirection(); err != nil {
-		log.Warnf("setup VNC port redirection: %v", err)
-	}
-
-	log.Info("VNC server enabled")
-	return nil
-}
-
-// updateVNCServerAuth updates VNC fine-grained access control from management.
-// A nil vncAuth clears all authorized users and session pubkeys so management
-// can revoke access by omitting the field on the next sync.
-func (e *Engine) updateVNCServerAuth(vncAuth *mgmProto.VNCAuth) {
-	if e.vncSrv == nil {
-		return
-	}
-
-	vncSrv, ok := e.vncSrv.(*vncserver.Server)
-	if !ok {
-		return
-	}
-
-	if vncAuth == nil {
-		vncSrv.UpdateVNCAuth(&sshauth.Config{})
-		return
-	}
-
-	protoUsers := vncAuth.GetAuthorizedUsers()
-	authorizedUsers := make([]sshuserhash.UserIDHash, len(protoUsers))
-	for i, hash := range protoUsers {
-		if len(hash) != 16 {
-			log.Warnf("invalid VNC auth hash length %d, expected 16", len(hash))
-			return
-		}
-		authorizedUsers[i] = sshuserhash.UserIDHash(hash)
-	}
-
-	machineUsers := make(map[string][]uint32)
-	for osUser, indexes := range vncAuth.GetMachineUsers() {
-		machineUsers[osUser] = indexes.GetIndexes()
-	}
-
-	sessionPubKeys := make([]sshauth.SessionPubKey, 0, len(vncAuth.GetSessionPubKeys()))
-	for _, e := range vncAuth.GetSessionPubKeys() {
-		pub := e.GetPubKey()
-		if len(pub) != 32 {
-			log.Warnf("VNC session pubkey wrong length %d", len(pub))
-			continue
-		}
-		hash := e.GetUserIdHash()
-		if len(hash) != 16 {
-			log.Warnf("VNC session user id hash wrong length %d", len(hash))
-			continue
-		}
-		sessionPubKeys = append(sessionPubKeys, sshauth.SessionPubKey{
-			PubKey:      pub,
-			UserIDHash:  sshuserhash.UserIDHash(hash),
-			DisplayName: e.GetDisplayName(),
-		})
-	}
-
-	vncSrv.UpdateVNCAuth(&sshauth.Config{
-		AuthorizedUsers: authorizedUsers,
-		MachineUsers:    machineUsers,
-		SessionPubKeys:  sessionPubKeys,
-	})
-}
-
-// GetVNCServerStatus returns whether the VNC server is running and the list
-// of active VNC sessions. The pointer is captured under syncMsgMux so a
-// concurrent updateVNC/stopVNCServer cannot swap it out between the nil
-// check and the ActiveSessions call.
-func (e *Engine) GetVNCServerStatus() (enabled bool, sessions []vncserver.ActiveSessionInfo) {
-	e.syncMsgMux.Lock()
-	vncSrv := e.vncSrv
-	e.syncMsgMux.Unlock()
-	if vncSrv == nil {
-		return false, nil
-	}
-	return true, vncSrv.ActiveSessions()
-}
-
-func (e *Engine) stopVNCServer() error {
-	if e.vncSrv == nil {
-		return nil
-	}
-
-	if err := e.cleanupVNCPortRedirection(); err != nil {
-		log.Warnf("cleanup VNC port redirection: %v", err)
-	}
-
-	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
-		if registrar, ok := e.firewall.(interface {
-			UnregisterNetstackService(protocol nftypes.Protocol, port uint16)
-		}); ok {
-			registrar.UnregisterNetstackService(nftypes.TCP, vnc.InternalPort)
-		}
-	}
-
-	log.Info("stopping VNC server")
-	err := e.vncSrv.Stop()
-	e.vncSrv = nil
-	if err != nil {
-		return fmt.Errorf("stop VNC server: %w", err)
-	}
-	return nil
-}
-
-// vncApprover adapts the generic approval.Broker for the VNC server.
-type vncApprover struct {
-	broker         *approval.Broker
-	statusRecorder *peer.Status
-}
-
-func (a *vncApprover) Request(ctx context.Context, info vncserver.ApprovalInfo) (vncserver.ApprovalDecision, error) {
-	// Resolve the source overlay IP to a peer FQDN for the prompt label.
-	if info.PeerName == "" && info.SourceIP != "" && a.statusRecorder != nil {
-		if fqdn, ok := a.statusRecorder.PeerByIP(info.SourceIP); ok {
-			info.PeerName = fqdn
-		}
-	}
-	subject := fmt.Sprintf("VNC connection from %s", displayPeer(info))
-	meta := map[string]string{
-		"peer_name":   info.PeerName,
-		"peer_pubkey": info.PeerPubKey,
-		"source_ip":   info.SourceIP,
-		"mode":        info.Mode,
-		"username":    info.Username,
-		"initiator":   info.Initiator,
-	}
-	d, err := a.broker.Request(ctx, approval.Prompt{
-		Kind:     approval.KindVNC,
-		Subject:  subject,
-		Metadata: meta,
-	})
-	if err != nil {
-		return vncserver.ApprovalDecision{}, err
-	}
-	return vncserver.ApprovalDecision{ViewOnly: d.ViewOnly}, nil
-}
-
-func displayPeer(info vncserver.ApprovalInfo) string {
-	if info.Initiator != "" {
-		return info.Initiator
-	}
-	if info.PeerName != "" {
-		return info.PeerName
-	}
-	if info.SourceIP != "" {
-		return info.SourceIP
-	}
-	if info.PeerPubKey != "" {
-		return info.PeerPubKey
-	}
-	return "unknown peer"
-}

client/internal/engine_vnc_console_freebsd.go

@@ -1,31 +0,0 @@
-//go:build freebsd
-
-package internal
-
-import (
-	"fmt"
-
-	log "github.com/sirupsen/logrus"
-
-	vncserver "github.com/netbirdio/netbird/client/vnc/server"
-)
-
-// newConsoleVNC builds the FreeBSD console fallback: vt(4) framebuffer
-// for capture, /dev/uinput for input. The uinput device requires the
-// `uinput` kernel module (`kldload uinput`); without it, input init
-// fails and we drop to a stub injector so the user still gets a
-// view-only screen mirror.
-func newConsoleVNC() (vncserver.ScreenCapturer, vncserver.InputInjector, error) {
-	poller := vncserver.NewFBPoller("")
-	w, h := poller.Width(), poller.Height()
-	if w == 0 || h == 0 {
-		poller.Close()
-		return nil, nil, fmt.Errorf("vt framebuffer init failed (vt may not allow mmap on this driver)")
-	}
-	if inj, err := vncserver.NewUInputInjector(w, h); err == nil {
-		return poller, inj, nil
-	} else {
-		log.Infof("VNC console: uinput unavailable (%v); view-only mode. Run `kldload uinput` to enable input.", err)
-		return poller, &vncserver.StubInputInjector{}, nil
-	}
-}

client/internal/engine_vnc_console_linux.go

@@ -1,30 +0,0 @@
-//go:build linux && !android
-
-package internal
-
-import (
-	"fmt"
-
-	log "github.com/sirupsen/logrus"
-
-	vncserver "github.com/netbirdio/netbird/client/vnc/server"
-)
-
-// newConsoleVNC builds a framebuffer + uinput VNC backend for boxes
-// without a running X server. Used as the auto-fallback when
-// newPlatformVNC can't reach X. Returns an error when /dev/fb0 or
-// /dev/uinput aren't usable so the caller can drop back to a stub.
-func newConsoleVNC() (vncserver.ScreenCapturer, vncserver.InputInjector, error) {
-	poller := vncserver.NewFBPoller("")
-	w, h := poller.Width(), poller.Height()
-	if w == 0 || h == 0 {
-		poller.Close()
-		return nil, nil, fmt.Errorf("framebuffer capturer init failed (is /dev/fb0 readable?)")
-	}
-	inj, err := vncserver.NewUInputInjector(w, h)
-	if err != nil {
-		log.Debugf("uinput unavailable, falling back to view-only VNC: %v", err)
-		return poller, &vncserver.StubInputInjector{}, nil
-	}
-	return poller, inj, nil
-}

client/internal/engine_vnc_darwin.go

@@ -1,34 +0,0 @@
-//go:build darwin && !ios
-
-package internal
-
-import (
-	"os"
-
-	log "github.com/sirupsen/logrus"
-
-	vncserver "github.com/netbirdio/netbird/client/vnc/server"
-)
-
-func newPlatformVNC() (vncserver.ScreenCapturer, vncserver.InputInjector, bool) {
-	capturer := vncserver.NewMacPoller()
-	// Prompt for Screen Recording at server-enable time rather than first
-	// client-connect. The native prompt is far easier for users to act on
-	// in the moment they toggled VNC on than later when "the screen looks
-	// like wallpaper" would otherwise be the only clue.
-	vncserver.PrimeScreenCapturePermission()
-	injector, err := vncserver.NewMacInputInjector()
-	if err != nil {
-		log.Debugf("VNC: macOS input injector: %v", err)
-		return capturer, &vncserver.StubInputInjector{}, true
-	}
-	return capturer, injector, true
-}
-
-// vncNeedsServiceMode reports whether the running process is a system
-// LaunchDaemon (root, parented by launchd). Daemons sit in the global
-// bootstrap namespace and cannot talk to WindowServer; we route capture
-// through a per-user agent in that case.
-func vncNeedsServiceMode() bool {
-	return os.Geteuid() == 0 && os.Getppid() == 1
-}

client/internal/engine_vnc_stub.go

@@ -1,23 +0,0 @@
-//go:build js || ios || android
-
-package internal
-
-import (
-	log "github.com/sirupsen/logrus"
-
-	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
-)
-
-type vncServer interface{}
-
-func (e *Engine) updateVNC() error { return nil }
-
-func (e *Engine) updateVNCServerAuth(auth *mgmProto.VNCAuth) {
-	if auth == nil {
-		return
-	}
-	log.Debugf("ignoring VNC auth push on platform without a VNC server: %d session pubkeys, %d authorized users",
-		len(auth.GetSessionPubKeys()), len(auth.GetAuthorizedUsers()))
-}
-
-func (e *Engine) stopVNCServer() error { return nil }

client/internal/engine_vnc_windows.go

@@ -1,13 +0,0 @@
-//go:build windows
-
-package internal
-
-import vncserver "github.com/netbirdio/netbird/client/vnc/server"
-
-func newPlatformVNC() (vncserver.ScreenCapturer, vncserver.InputInjector, bool) {
-	return vncserver.NewDesktopCapturer(), vncserver.NewWindowsInputInjector(), true
-}
-
-func vncNeedsServiceMode() bool {
-	return vncserver.GetCurrentSessionID() == 0
-}

client/internal/engine_vnc_x11.go

@@ -1,35 +0,0 @@
-//go:build (linux && !android) || freebsd
-
-package internal
-
-import (
-	log "github.com/sirupsen/logrus"
-
-	vncserver "github.com/netbirdio/netbird/client/vnc/server"
-)
-
-func newPlatformVNC() (vncserver.ScreenCapturer, vncserver.InputInjector, bool) {
-	// Prefer X11 when an X server is reachable. NewX11InputInjector probes
-	// DISPLAY (and /proc) eagerly, so a non-nil error here means no X.
-	injector, err := vncserver.NewX11InputInjector("", "", "")
-	if err == nil {
-		return vncserver.NewX11Poller("", ""), injector, true
-	}
-	log.Debugf("VNC: X11 not available: %v", err)
-
-	// Fallback for headless / pre-X states (kernel console, login manager
-	// without X, physical server in recovery): stream the framebuffer and
-	// inject input via /dev/uinput.
-	consoleCap, consoleInj, err := newConsoleVNC()
-	if err == nil {
-		log.Infof("VNC: using framebuffer console capture (%dx%d)", consoleCap.Width(), consoleCap.Height())
-		return consoleCap, consoleInj, true
-	}
-	log.Debugf("VNC: framebuffer console fallback unavailable: %v", err)
-
-	return &vncserver.StubCapturer{}, &vncserver.StubInputInjector{}, false
-}
-
-func vncNeedsServiceMode() bool {
-	return false
-}

client/internal/metrics/influxdb.go

@@ -120,36 +120,6 @@ func (m *influxDBMetrics) RecordSyncDuration(_ context.Context, agentInfo AgentI
 	m.trimLocked()
 }
 
-func (m *influxDBMetrics) RecordVNCSessionTick(_ context.Context, agentInfo AgentInfo, tick VNCSessionTick) {
-	tags := fmt.Sprintf("deployment_type=%s,version=%s,os=%s,arch=%s,peer_id=%s",
-		agentInfo.DeploymentType.String(),
-		agentInfo.Version,
-		agentInfo.OS,
-		agentInfo.Arch,
-		agentInfo.peerID,
-	)
-
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	m.samples = append(m.samples, influxSample{
-		measurement: "netbird_vnc_traffic",
-		tags:        tags,
-		fields: map[string]float64{
-			"period_seconds":     tick.Period.Seconds(),
-			"bytes_out":          float64(tick.BytesOut),
-			"writes":             float64(tick.Writes),
-			"fbus":               float64(tick.FBUs),
-			"max_fbu_bytes":      float64(tick.MaxFBUBytes),
-			"max_fbu_rects":      float64(tick.MaxFBURects),
-			"max_write_bytes":    float64(tick.MaxWriteBytes),
-			"write_time_seconds": float64(tick.WriteNanos) / 1e9,
-		},
-		timestamp: time.Now(),
-	})
-	m.trimLocked()
-}
-
 func (m *influxDBMetrics) RecordLoginDuration(_ context.Context, agentInfo AgentInfo, duration time.Duration, success bool) {
 	result := "success"
 	if !success {

client/internal/metrics/metrics.go

@@ -59,11 +59,6 @@ type metricsImplementation interface {
 	// RecordLoginDuration records how long the login to management took
 	RecordLoginDuration(ctx context.Context, agentInfo AgentInfo, duration time.Duration, success bool)
 
-	// RecordVNCSessionTick records a periodic snapshot of one VNC
-	// session's wire activity. Called once per metricsConn tick interval
-	// (and once at session close), only when the tick saw activity.
-	RecordVNCSessionTick(ctx context.Context, agentInfo AgentInfo, tick VNCSessionTick)
-
 	// Export exports metrics in InfluxDB line protocol format
 	Export(w io.Writer) error
 
@@ -83,21 +78,6 @@ type ClientMetrics struct {
 	pushCancel context.CancelFunc
 }
 
-// VNCSessionTick is one sampling slice of a VNC session's wire activity.
-// BytesOut / Writes / FBUs / WriteNanos are deltas observed during this
-// tick; Max* fields are the high-water marks observed during the tick.
-// Period is the wall-clock duration the deltas cover.
-type VNCSessionTick struct {
-	Period        time.Duration
-	BytesOut      uint64
-	Writes        uint64
-	FBUs          uint64
-	MaxFBUBytes   uint64
-	MaxFBURects   uint64
-	MaxWriteBytes uint64
-	WriteNanos    uint64
-}
-
 // ConnectionStageTimestamps holds timestamps for each connection stage
 type ConnectionStageTimestamps struct {
 	SignalingReceived  time.Time // First signal received from remote peer (both initial and reconnection)
@@ -147,17 +127,6 @@ func (c *ClientMetrics) RecordSyncDuration(ctx context.Context, duration time.Du
 	c.impl.RecordSyncDuration(ctx, agentInfo, duration)
 }
 
-// RecordVNCSessionTick records a periodic snapshot of one VNC session.
-func (c *ClientMetrics) RecordVNCSessionTick(ctx context.Context, tick VNCSessionTick) {
-	if c == nil {
-		return
-	}
-	c.mu.RLock()
-	agentInfo := c.agentInfo
-	c.mu.RUnlock()
-	c.impl.RecordVNCSessionTick(ctx, agentInfo, tick)
-}
-
 // RecordLoginDuration records how long the login to management server took
 func (c *ClientMetrics) RecordLoginDuration(ctx context.Context, duration time.Duration, success bool) {
 	if c == nil {

client/internal/metrics/push_test.go

@@ -73,9 +73,6 @@ func (m *mockMetrics) RecordSyncDuration(_ context.Context, _ AgentInfo, _ time.
 func (m *mockMetrics) RecordLoginDuration(_ context.Context, _ AgentInfo, _ time.Duration, _ bool) {
 }
 
-func (m *mockMetrics) RecordVNCSessionTick(_ context.Context, _ AgentInfo, _ VNCSessionTick) {
-}
-
 func (m *mockMetrics) Export(w io.Writer) error {
 	if m.exportData != "" {
 		_, err := w.Write([]byte(m.exportData))

client/internal/networkmonitor/check_change_common.go

@@ -50,7 +50,7 @@ func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Next
 		switch msg.Type {
 		// handle route changes
 		case unix.RTM_ADD, syscall.RTM_DELETE:
-			route, err := parseRouteMessage(buf[:n])
+			route, flags, err := parseRouteMessage(buf[:n])
 			if err != nil {
 				log.Debugf("Network monitor: error parsing routing message: %v", err)
 				continue
@@ -66,6 +66,10 @@ func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Next
 			}
 			switch msg.Type {
 			case unix.RTM_ADD:
+				if systemops.IgnoreAddedDefaultRoute(flags) {
+					log.Debugf("Network monitor: ignoring added default route via %s, interface %s, flags %#x", route.Gw, intf, flags)
+					continue
+				}
 				log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
 				return nil
 			case unix.RTM_DELETE:
@@ -78,22 +82,26 @@ func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Next
 	}
 }
 
-func parseRouteMessage(buf []byte) (*systemops.Route, error) {
+func parseRouteMessage(buf []byte) (*systemops.Route, int, error) {
 	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
 	if err != nil {
-		return nil, fmt.Errorf("parse RIB: %v", err)
+		return nil, 0, fmt.Errorf("parse RIB: %v", err)
 	}
 
 	if len(msgs) != 1 {
-		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
+		return nil, 0, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
 	}
 
 	msg, ok := msgs[0].(*route.RouteMessage)
 	if !ok {
-		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
+		return nil, 0, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
 	}
 
-	return systemops.MsgToRoute(msg)
+	r, err := systemops.MsgToRoute(msg)
+	if err != nil {
+		return nil, 0, err
+	}
+	return r, msg.Flags, nil
 }
 
 // waitReadable blocks until fd has data to read, or ctx is cancelled.

client/internal/owner/config.go

@@ -0,0 +1,46 @@
+package owner
+
+import (
+	"fmt"
+	"sync"
+)
+
+// ConfigAdapter is a thread-safe OwnerConfig that delegates to a lazily-set backend.
+// This allows the interceptor to be created before the daemon server (and its config)
+// is initialized, which is necessary because gRPC interceptors are set at server creation time.
+type ConfigAdapter struct {
+	mu      sync.RWMutex
+	backend OwnerConfig
+}
+
+// SetBackend sets the actual config implementation. Must be called before any RPCs are served.
+func (a *ConfigAdapter) SetBackend(backend OwnerConfig) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	a.backend = backend
+}
+
+// GetOwnerUIDs delegates to the backend.
+func (a *ConfigAdapter) GetOwnerUIDs() []UID {
+	a.mu.RLock()
+	defer a.mu.RUnlock()
+
+	if a.backend == nil {
+		// No backend yet, return empty (root-only).
+		return []UID{}
+	}
+
+	return a.backend.GetOwnerUIDs()
+}
+
+// AddOwnerUID delegates to the backend.
+func (a *ConfigAdapter) AddOwnerUID(uid UID) error {
+	a.mu.RLock()
+	defer a.mu.RUnlock()
+
+	if a.backend == nil {
+		return fmt.Errorf("owner config backend not initialized")
+	}
+
+	return a.backend.AddOwnerUID(uid)
+}

client/internal/owner/consoleuser/consoleuser.go

@@ -0,0 +1,17 @@
+// Package consoleuser provides the OS-level "active console user" UID lookup
+// used to gate ownership TOFU. The active console user is the local user
+// physically at the machine (or in the foreground GUI session): the user that
+// can legitimately claim the daemon as theirs on first run.
+package consoleuser
+
+// ActiveUID returns the UID of the currently active console / GUI session
+// user, and true if such a user exists. Returns 0, false on platforms without
+// a console concept (ios, android), on headless servers with no active
+// session, or on lookup failure.
+//
+// Implementations must fail closed: any error or ambiguity returns (0, false)
+// so that the caller treats the result as "no console user" rather than
+// granting access to an unverified UID.
+func ActiveUID() (uint32, bool) {
+	return activeUID()
+}

client/internal/owner/consoleuser/consoleuser_darwin.go

@@ -0,0 +1,58 @@
+package consoleuser
+
+import (
+	"unsafe"
+
+	"github.com/ebitengine/purego"
+)
+
+// activeUID returns the UID of the user currently logged into the macOS GUI
+// console session. Uses SCDynamicStoreCopyConsoleUser from the
+// SystemConfiguration framework via purego (no cgo).
+func activeUID() (uint32, bool) {
+	sc, err := purego.Dlopen(
+		"/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration",
+		purego.RTLD_NOW|purego.RTLD_GLOBAL,
+	)
+	if err != nil {
+		return 0, false
+	}
+
+	cf, err := purego.Dlopen(
+		"/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation",
+		purego.RTLD_NOW|purego.RTLD_GLOBAL,
+	)
+	if err != nil {
+		return 0, false
+	}
+
+	// CFStringRef SCDynamicStoreCopyConsoleUser(SCDynamicStoreRef store,
+	//     uid_t *uid, gid_t *gid);
+	//
+	// We pass nil for the store (NULL is accepted; the framework creates a
+	// transient one), discard the returned CFStringRef username (we only
+	// need the UID), and read uid via the out-pointer.
+	var copyConsoleUser func(store uintptr, uidPtr, gidPtr unsafe.Pointer) uintptr
+	purego.RegisterLibFunc(&copyConsoleUser, sc, "SCDynamicStoreCopyConsoleUser")
+
+	var cfRelease func(uintptr)
+	purego.RegisterLibFunc(&cfRelease, cf, "CFRelease")
+
+	var uid uint32
+	var gid uint32
+
+	cfStr := copyConsoleUser(0, unsafe.Pointer(&uid), unsafe.Pointer(&gid))
+	if cfStr == 0 {
+		return 0, false
+	}
+	cfRelease(cfStr)
+
+	// loginwindow / no GUI session reports uid 0. We don't want the
+	// console-user path to grant anything to root (root is already always
+	// allowed by the interceptor), so treat uid 0 as "no console user".
+	if uid == 0 {
+		return 0, false
+	}
+
+	return uid, true
+}

client/internal/owner/consoleuser/consoleuser_freebsd.go

@@ -0,0 +1,34 @@
+package consoleuser
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+)
+
+// activeUID returns the UID of the user currently logged into the FreeBSD
+// console. FreeBSD's vt(4) chowns the active virtual terminal device to the
+// logged-in user, so a non-root owner of any /dev/ttyvN reliably identifies
+// the console user.
+//
+// We scan /dev/ttyv0../dev/ttyv9 and return the first non-root owner. Network
+// ptys (pts) are intentionally not considered: SSH'd users are not "at the
+// console" and must not TOFU-claim ownership.
+func activeUID() (uint32, bool) {
+	for i := 0; i < 10; i++ {
+		path := fmt.Sprintf("/dev/ttyv%d", i)
+		fi, err := os.Stat(path)
+		if err != nil {
+			continue
+		}
+		st, ok := fi.Sys().(*syscall.Stat_t)
+		if !ok {
+			continue
+		}
+		if st.Uid == 0 {
+			continue
+		}
+		return st.Uid, true
+	}
+	return 0, false
+}

client/internal/owner/consoleuser/consoleuser_linux.go

@@ -0,0 +1,64 @@
+package consoleuser
+
+import (
+	"github.com/godbus/dbus/v5"
+)
+
+const (
+	loginDest      = "org.freedesktop.login1"
+	loginPath      = dbus.ObjectPath("/org/freedesktop/login1")
+	loginInterface = "org.freedesktop.login1.Manager"
+	listSessions   = loginInterface + ".ListSessions"
+
+	sessionInterface = "org.freedesktop.login1.Session"
+	sessionActive    = sessionInterface + ".Active"
+	sessionClass     = sessionInterface + ".Class"
+)
+
+// activeUID queries systemd-logind for the active local user session and
+// returns that user's UID. Falls back to (0, false) on any error or when no
+// active user session exists (headless box, no GUI, no login at the console).
+func activeUID() (uint32, bool) {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return 0, false
+	}
+
+	mgr := conn.Object(loginDest, loginPath)
+
+	// ListSessions returns []struct{ID string; UID uint32; User string;
+	// Seat string; Path dbus.ObjectPath}.
+	var sessions []struct {
+		ID   string
+		UID  uint32
+		User string
+		Seat string
+		Path dbus.ObjectPath
+	}
+	if err := mgr.Call(listSessions, 0).Store(&sessions); err != nil {
+		return 0, false
+	}
+
+	for _, s := range sessions {
+		obj := conn.Object(loginDest, s.Path)
+
+		active, err := obj.GetProperty(sessionActive)
+		if err != nil || active.Value() != true {
+			continue
+		}
+
+		class, err := obj.GetProperty(sessionClass)
+		if err != nil {
+			continue
+		}
+		// Only "user" sessions count; "greeter" / "lock-screen" / etc. are
+		// not someone we should grant ownership to.
+		if classStr, ok := class.Value().(string); !ok || classStr != "user" {
+			continue
+		}
+
+		return s.UID, true
+	}
+
+	return 0, false
+}

client/internal/owner/consoleuser/consoleuser_other.go

@@ -0,0 +1,9 @@
+//go:build !linux && !darwin && !freebsd && !windows
+
+package consoleuser
+
+// activeUID has no meaning on platforms without a console-user concept
+// (ios, android). Returns no-user so TOFU never fires.
+func activeUID() (uint32, bool) {
+	return 0, false
+}

client/internal/owner/consoleuser/consoleuser_windows.go

@@ -0,0 +1,59 @@
+package consoleuser
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+// activeUID returns a synthetic UID (the user SID's RID) for the currently
+// active Windows console session. The owner package treats UIDs as opaque
+// uint32 identifiers; on Windows we use the user account RID, which is stable
+// per-account on a given machine.
+//
+// Returns (0, false) when there is no active console session, the session has
+// no logged-in user, or any lookup fails.
+func activeUID() (uint32, bool) {
+	sessionID := windows.WTSGetActiveConsoleSessionId()
+	if sessionID == 0xFFFFFFFF {
+		return 0, false
+	}
+
+	var token windows.Token
+	if err := windows.WTSQueryUserToken(sessionID, &token); err != nil {
+		return 0, false
+	}
+	defer token.Close()
+
+	user, err := tokenUserSID(token)
+	if err != nil || user == nil {
+		return 0, false
+	}
+
+	subCount := user.SubAuthorityCount()
+	if subCount == 0 {
+		return 0, false
+	}
+	rid := user.SubAuthority(uint32(subCount) - 1)
+	if rid == 0 {
+		return 0, false
+	}
+	return rid, true
+}
+
+// tokenUserSID returns the user SID associated with the given access token.
+func tokenUserSID(token windows.Token) (*windows.SID, error) {
+	var size uint32
+	err := windows.GetTokenInformation(token, windows.TokenUser, nil, 0, &size)
+	if err != windows.ERROR_INSUFFICIENT_BUFFER {
+		return nil, err
+	}
+
+	buf := make([]byte, size)
+	if err := windows.GetTokenInformation(token, windows.TokenUser, &buf[0], size, &size); err != nil {
+		return nil, err
+	}
+
+	tu := (*windows.Tokenuser)(unsafe.Pointer(&buf[0]))
+	return tu.User.Sid, nil
+}

client/internal/owner/creds.go

@@ -0,0 +1,37 @@
+package owner
+
+import (
+	"context"
+
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/peer"
+)
+
+// UnixAuthInfo implements credentials.AuthInfo carrying the peer's UID from SO_PEERCRED.
+type UnixAuthInfo struct {
+	credentials.CommonAuthInfo
+	UID UID
+	GID uint32
+	PID int32
+}
+
+// AuthType returns the authentication type.
+func (u UnixAuthInfo) AuthType() string {
+	return "unix_peercred"
+}
+
+// UIDFromContext extracts the caller's UID from the gRPC peer context.
+// Returns uid and true if Unix credentials were available, 0 and false otherwise.
+func UIDFromContext(ctx context.Context) (UID, bool) {
+	p, ok := peer.FromContext(ctx)
+	if !ok {
+		return 0, false
+	}
+
+	info, ok := p.AuthInfo.(UnixAuthInfo)
+	if !ok {
+		return 0, false
+	}
+
+	return info.UID, true
+}

client/internal/owner/env.go

@@ -0,0 +1,48 @@
+package owner
+
+import (
+	"os"
+	"strconv"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// EnvOwnerUID is the environment variable that seeds the owner UID list for new config files.
+// MDM deployments can set this (e.g. via --service-env NB_OWNER_UID=1000) so the first
+// config created by the daemon pre-populates the owner without requiring "netbird up --owner".
+// Multiple UIDs can be comma-separated: NB_OWNER_UID=1000,1001
+const EnvOwnerUID = "NB_OWNER_UID"
+
+// OwnerUIDsFromEnv parses NB_OWNER_UID into a UID slice.
+// Returns nil if the variable is unset, allowing the caller to distinguish
+// "not configured" from "explicitly empty".
+func OwnerUIDsFromEnv() []UID {
+	val := os.Getenv(EnvOwnerUID)
+	if val == "" {
+		return nil
+	}
+
+	parts := strings.Split(val, ",")
+	uids := make([]UID, 0, len(parts))
+	for _, p := range parts {
+		p = strings.TrimSpace(p)
+		if p == "" {
+			continue
+		}
+		uid, err := strconv.ParseUint(p, 10, 32)
+		if err != nil {
+			log.Warnf("ignoring invalid UID %q in %s: %v", p, EnvOwnerUID, err)
+			continue
+		}
+		uids = append(uids, UID(uid))
+	}
+
+	if len(uids) == 0 {
+		log.Warnf("%s set but contains no valid UIDs, defaulting to root-only", EnvOwnerUID)
+		return []UID{}
+	}
+
+	log.Infof("seeding owner UIDs from %s: %v", EnvOwnerUID, uids)
+	return uids
+}

client/internal/owner/env_test.go

@@ -0,0 +1,81 @@
+package owner
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestOwnerUIDsFromEnv(t *testing.T) {
+	tests := []struct {
+		name     string
+		envValue string
+		unset    bool
+		want     []UID
+	}{
+		{
+			name:  "unset returns nil",
+			unset: true,
+			want:  nil,
+		},
+		{
+			name:     "empty string returns nil",
+			envValue: "",
+			want:     nil,
+		},
+		{
+			name:     "single UID",
+			envValue: "1000",
+			want:     []UID{1000},
+		},
+		{
+			name:     "multiple UIDs",
+			envValue: "1000,1001,1002",
+			want:     []UID{1000, 1001, 1002},
+		},
+		{
+			name:     "spaces around UIDs",
+			envValue: " 1000 , 1001 ",
+			want:     []UID{1000, 1001},
+		},
+		{
+			name:     "invalid UID skipped",
+			envValue: "1000,notanumber,1001",
+			want:     []UID{1000, 1001},
+		},
+		{
+			name:     "all invalid returns empty slice",
+			envValue: "abc,def",
+			want:     []UID{},
+		},
+		{
+			name:     "trailing comma",
+			envValue: "1000,",
+			want:     []UID{1000},
+		},
+		{
+			name:     "zero UID is valid",
+			envValue: "0",
+			want:     []UID{0},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Setenv(EnvOwnerUID, tt.envValue)
+			if tt.unset {
+				os.Unsetenv(EnvOwnerUID)
+			}
+
+			got := OwnerUIDsFromEnv()
+
+			if tt.want == nil {
+				require.Nil(t, got)
+			} else {
+				assert.Equal(t, tt.want, got)
+			}
+		})
+	}
+}

client/internal/owner/interceptor.go

@@ -0,0 +1,170 @@
+package owner
+
+import (
+	"context"
+	"slices"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/internal/owner/consoleuser"
+)
+
+const servicePath = "/daemon.DaemonService/"
+
+// profileBypassMethods skip the active-profile owner check. They either
+// operate on a specific target profile (and the handler enforces target-profile
+// owner-or-root itself) or are per-user listings/creations that don't affect
+// the active session and shouldn't require active-profile ownership. Peer
+// credentials are still required.
+var profileBypassMethods = map[string]bool{
+	servicePath + "AddProfile":    true,
+	servicePath + "ListProfiles":  true,
+	servicePath + "RemoveProfile": true,
+	servicePath + "SwitchProfile": true,
+}
+
+// Error messages returned to denied callers. They are multi-line so the
+// suggested commands sit on their own line for easy triple-click copy-paste.
+const (
+	errNoPeerCreds = "peer credentials unavailable; rerun via the netbird CLI"
+
+	errNoOwnerConfigured = `no daemon owner is configured and no console-session user matches your UID.
+Run as root for one-off use:
+    sudo netbird ...
+Or call from the active console session: the first call from the user logged in
+at the GUI/console claims ownership automatically.`
+
+	errOwnerRequired = `this operation requires root or the daemon owner (uid %d is not an owner).
+Run as root for one-off use:
+    sudo netbird ...
+Or ask an existing owner (or root) to add you:
+    sudo netbird owner add %[1]d`
+)
+
+// consoleUIDLookup is the function used to look up the active console UID.
+// Overridable in tests; defaults to the platform implementation.
+var consoleUIDLookup = consoleuser.ActiveUID
+
+// OwnerConfig provides access to the current owner UIDs setting.
+// The interceptor reads and writes through this interface so it can
+// work with the profile manager's config without a direct dependency.
+type OwnerConfig interface {
+	// GetOwnerUIDs returns the current owner UIDs.
+	// nil means legacy/migration TOFU (field absent from existing config).
+	// empty means fresh install (root-only with console-user TOFU exception).
+	// populated means those UIDs plus root may control the daemon.
+	GetOwnerUIDs() []UID
+
+	// AddOwnerUID adds the given UID to the owner list and persists it.
+	AddOwnerUID(uid UID) error
+}
+
+// Interceptor enforces owner restrictions on the daemon gRPC socket.
+type Interceptor struct {
+	config OwnerConfig
+	// mu serializes the read-then-write of OwnerUIDs during TOFU/claim flows
+	// so two concurrent first-callers can't both end up persisted as owners.
+	// Holds across the OwnerConfig.AddOwnerUID call; safe because no callback
+	// path takes this mutex.
+	mu sync.Mutex
+}
+
+// NewInterceptor creates an owner interceptor backed by the given config.
+func NewInterceptor(config OwnerConfig) *Interceptor {
+	return &Interceptor{config: config}
+}
+
+// UnaryInterceptor returns a gRPC unary server interceptor that enforces owner policy.
+func (i *Interceptor) UnaryInterceptor() grpc.UnaryServerInterceptor {
+	return func(
+		ctx context.Context,
+		req any,
+		info *grpc.UnaryServerInfo,
+		handler grpc.UnaryHandler,
+	) (any, error) {
+		if err := i.authorize(ctx, info.FullMethod); err != nil {
+			return nil, err
+		}
+		return handler(ctx, req)
+	}
+}
+
+// StreamInterceptor returns a gRPC stream server interceptor that enforces owner policy.
+func (i *Interceptor) StreamInterceptor() grpc.StreamServerInterceptor {
+	return func(
+		srv any,
+		ss grpc.ServerStream,
+		info *grpc.StreamServerInfo,
+		handler grpc.StreamHandler,
+	) error {
+		if err := i.authorize(ss.Context(), info.FullMethod); err != nil {
+			return err
+		}
+		return handler(srv, ss)
+	}
+}
+
+// authorize checks whether the caller is allowed to call the given method.
+// Every RPC is gated; root is always allowed. Non-root callers are accepted
+// when they are existing owners, when the config is in legacy TOFU state
+// (claim on first call, preserves pre-enforcement behavior), or when the
+// config is in fresh-install state and they match the active console user.
+func (i *Interceptor) authorize(ctx context.Context, fullMethod string) error {
+	uid, ok := UIDFromContext(ctx)
+	if !ok {
+		return status.Error(codes.PermissionDenied, errNoPeerCreds)
+	}
+
+	if uid == 0 {
+		return nil
+	}
+
+	// Profile-management RPCs do their own per-target authorization in the
+	// handler. The interceptor only confirms peer credentials are present.
+	if profileBypassMethods[fullMethod] {
+		return nil
+	}
+
+	i.mu.Lock()
+	defer i.mu.Unlock()
+
+	ownerUIDs := i.config.GetOwnerUIDs()
+
+	switch {
+	case ownerUIDs == nil:
+		// Legacy / migration TOFU: existing pre-enforcement config has no
+		// owners field. Any non-root local caller claims on first call so
+		// upgrades don't break.
+		return i.claim(uid, "migration TOFU")
+
+	case len(ownerUIDs) == 0:
+		// Fresh-install root-only mode with a console-user exception so the
+		// GUI/CLI just works for the user physically at the machine. SSH'd
+		// or otherwise non-console callers are denied.
+		consoleUID, ok := consoleUIDLookup()
+		if ok && uint32(uid) == consoleUID {
+			return i.claim(uid, "console-user TOFU")
+		}
+		return status.Error(codes.PermissionDenied, errNoOwnerConfigured)
+
+	case slices.Contains(ownerUIDs, uid):
+		return nil
+
+	default:
+		return status.Errorf(codes.PermissionDenied, errOwnerRequired, uid)
+	}
+}
+
+// claim adds uid to the owner list and persists it. The caller must hold i.mu.
+func (i *Interceptor) claim(uid UID, reason string) error {
+	log.Infof("%s: claiming owner for UID %d", reason, uid)
+	if err := i.config.AddOwnerUID(uid); err != nil {
+		log.Errorf("persist owner UID: %v", err)
+		return status.Error(codes.Internal, "persist owner UID")
+	}
+	return nil
+}

client/internal/owner/interceptor_test.go

@@ -0,0 +1,277 @@
+package owner
+
+import (
+	"context"
+	"net"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/peer"
+	"google.golang.org/grpc/status"
+)
+
+type mockOwnerConfig struct {
+	uids []UID
+	err  error
+}
+
+func (m *mockOwnerConfig) GetOwnerUIDs() []UID {
+	return m.uids
+}
+
+func (m *mockOwnerConfig) AddOwnerUID(uid UID) error {
+	if m.err != nil {
+		return m.err
+	}
+	m.uids = append(m.uids, uid)
+	return nil
+}
+
+func peerContext(uid UID) context.Context {
+	return peer.NewContext(context.Background(), &peer.Peer{
+		Addr: &net.UnixAddr{Name: "/tmp/test.sock", Net: "unix"},
+		AuthInfo: UnixAuthInfo{
+			CommonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity},
+			UID:            uid,
+		},
+	})
+}
+
+func noPeerContext() context.Context {
+	return context.Background()
+}
+
+// withConsoleUID overrides the platform console-user lookup for a single test.
+func withConsoleUID(t *testing.T, uid uint32, ok bool) {
+	t.Helper()
+	prev := consoleUIDLookup
+	consoleUIDLookup = func() (uint32, bool) { return uid, ok }
+	t.Cleanup(func() { consoleUIDLookup = prev })
+}
+
+func TestInterceptor_RootAlwaysAllowed(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	for _, method := range []string{
+		"/daemon.DaemonService/Up",
+		"/daemon.DaemonService/Status",
+		"/daemon.DaemonService/Down",
+	} {
+		err := interceptor.authorize(peerContext(0), method)
+		assert.NoError(t, err, "root should always be allowed for %s", method)
+	}
+}
+
+func TestInterceptor_NoPeerCreds_AlwaysDenies(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	for _, method := range []string{
+		"/daemon.DaemonService/Status",
+		"/daemon.DaemonService/Up",
+		"/daemon.DaemonService/SomeNewMethod",
+	} {
+		err := interceptor.authorize(noPeerContext(), method)
+		require.Error(t, err, "method %s should be denied without peer creds", method)
+		assert.Equal(t, codes.PermissionDenied, status.Code(err))
+	}
+}
+
+// TestInterceptor_LegacyMigration covers the nil-OwnerUIDs branch:
+// pre-enforcement configs upgraded to this version. Any non-root local caller
+// can claim on first call.
+func TestInterceptor_LegacyMigration_AnyCallerClaims(t *testing.T) {
+	withConsoleUID(t, 0, false) // no console; should not matter for nil
+	cfg := &mockOwnerConfig{uids: nil}
+	interceptor := NewInterceptor(cfg)
+
+	// First call from any UID claims regardless of method.
+	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Status")
+	require.NoError(t, err)
+	require.Equal(t, []UID{1000}, cfg.uids)
+
+	// After claim, a different UID is denied.
+	err = interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Status")
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+}
+
+// TestInterceptor_FreshInstall covers the empty-OwnerUIDs branch: console-user
+// can claim, others denied.
+func TestInterceptor_FreshInstall_ConsoleUserClaims(t *testing.T) {
+	withConsoleUID(t, 1000, true)
+	cfg := &mockOwnerConfig{uids: []UID{}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Status")
+	require.NoError(t, err)
+	require.Equal(t, []UID{1000}, cfg.uids)
+}
+
+func TestInterceptor_FreshInstall_NonConsoleDenied(t *testing.T) {
+	withConsoleUID(t, 1000, true)
+	cfg := &mockOwnerConfig{uids: []UID{}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Up")
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+	assert.Empty(t, cfg.uids, "non-console caller must not claim")
+}
+
+func TestInterceptor_FreshInstall_NoConsole_Denied(t *testing.T) {
+	withConsoleUID(t, 0, false)
+	cfg := &mockOwnerConfig{uids: []UID{}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Up")
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+}
+
+func TestInterceptor_OwnerUID_AllowsOwner(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Down")
+	assert.NoError(t, err)
+}
+
+func TestInterceptor_OwnerUID_DeniesOther(t *testing.T) {
+	withConsoleUID(t, 9999, true) // console-user TOFU should not apply once owners exist
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Down")
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+}
+
+func TestInterceptor_MultipleOwners(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000, 2000}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Down")
+	assert.NoError(t, err)
+
+	err = interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Up")
+	assert.NoError(t, err)
+
+	err = interceptor.authorize(peerContext(3000), "/daemon.DaemonService/Down")
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+}
+
+// TestInterceptor_UnknownMethodRequiresOwner pins the safe-by-default invariant:
+// any future RPC still goes through owner enforcement.
+func TestInterceptor_UnknownMethodRequiresOwner(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/SomeFutureMethod")
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+
+	err = interceptor.authorize(peerContext(1000), "/daemon.DaemonService/SomeFutureMethod")
+	assert.NoError(t, err)
+}
+
+func TestInterceptor_ErrorMessageActionable(t *testing.T) {
+	withConsoleUID(t, 9999, true)
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Down")
+	require.Error(t, err)
+	msg := status.Convert(err).Message()
+	assert.Contains(t, msg, "sudo netbird")
+	assert.Contains(t, msg, "owner add")
+}
+
+func TestInterceptor_UnaryIntegration(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	unary := interceptor.UnaryInterceptor()
+
+	resp, err := unary(peerContext(1000), nil, &grpc.UnaryServerInfo{FullMethod: "/daemon.DaemonService/Down"}, func(ctx context.Context, req any) (any, error) {
+		return "ok", nil
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "ok", resp)
+
+	_, err = unary(peerContext(2000), nil, &grpc.UnaryServerInfo{FullMethod: "/daemon.DaemonService/Down"}, func(ctx context.Context, req any) (any, error) {
+		t.Fatal("handler should not be called")
+		return nil, nil
+	})
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+}
+
+func TestInterceptor_StreamIntegration(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	stream := interceptor.StreamInterceptor()
+
+	called := false
+	err := stream(nil, &mockServerStream{ctx: peerContext(1000)},
+		&grpc.StreamServerInfo{FullMethod: "/daemon.DaemonService/SubscribeEvents"},
+		func(srv any, stream grpc.ServerStream) error {
+			called = true
+			return nil
+		})
+	require.NoError(t, err)
+	assert.True(t, called)
+
+	err = stream(nil, &mockServerStream{ctx: peerContext(2000)},
+		&grpc.StreamServerInfo{FullMethod: "/daemon.DaemonService/SubscribeEvents"},
+		func(srv any, stream grpc.ServerStream) error {
+			t.Fatal("handler should not be called")
+			return nil
+		})
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+}
+
+type mockServerStream struct {
+	grpc.ServerStream
+	ctx context.Context
+}
+
+func (m *mockServerStream) Context() context.Context { return m.ctx }
+
+// TestInterceptor_ProfileBypass pins that profile-management methods reach
+// the handler regardless of active-profile ownership; the handler enforces
+// per-target-profile auth itself.
+func TestInterceptor_ProfileBypass(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	// Caller UID 2000 is not an owner of the active profile but must be
+	// allowed through for these methods.
+	for _, method := range []string{
+		"/daemon.DaemonService/AddProfile",
+		"/daemon.DaemonService/ListProfiles",
+		"/daemon.DaemonService/RemoveProfile",
+		"/daemon.DaemonService/SwitchProfile",
+	} {
+		err := interceptor.authorize(peerContext(2000), method)
+		assert.NoError(t, err, "profile method %s should bypass active-owner check", method)
+	}
+
+	// Without peer creds, even bypass methods are denied.
+	for _, method := range []string{
+		"/daemon.DaemonService/AddProfile",
+		"/daemon.DaemonService/SwitchProfile",
+	} {
+		err := interceptor.authorize(noPeerContext(), method)
+		require.Error(t, err, "bypass method %s still requires peer creds", method)
+		assert.Equal(t, codes.PermissionDenied, status.Code(err))
+	}
+}

client/internal/owner/transport_bsd.go

@@ -0,0 +1,66 @@
+//go:build darwin || freebsd
+
+package owner
+
+import (
+	"context"
+	"fmt"
+	"net"
+
+	"golang.org/x/sys/unix"
+	"google.golang.org/grpc/credentials"
+)
+
+// NewUnixTransportCredentials returns gRPC TransportCredentials that extract
+// peer UID from Unix socket connections via LOCAL_PEERCRED (Xucred).
+func NewUnixTransportCredentials() credentials.TransportCredentials {
+	return &unixCreds{}
+}
+
+type unixCreds struct{}
+
+func (c *unixCreds) ClientHandshake(_ context.Context, _ string, conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
+	return conn, UnixAuthInfo{}, nil
+}
+
+// ServerHandshake extracts peer credentials from the Unix connection using LOCAL_PEERCRED.
+// Returns an error if credentials cannot be extracted (fail-closed).
+func (c *unixCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
+	uc, ok := conn.(*net.UnixConn)
+	if !ok {
+		return nil, nil, fmt.Errorf("expected *net.UnixConn, got %T", conn)
+	}
+
+	raw, err := uc.SyscallConn()
+	if err != nil {
+		return nil, nil, fmt.Errorf("get raw conn for peer credentials: %w", err)
+	}
+
+	var xucred *unix.Xucred
+	var credErr error
+	if err := raw.Control(func(fd uintptr) {
+		xucred, credErr = unix.GetsockoptXucred(int(fd), unix.SOL_LOCAL, unix.LOCAL_PEERCRED)
+	}); err != nil {
+		return nil, nil, fmt.Errorf("control raw conn for peer credentials: %w", err)
+	}
+	if credErr != nil {
+		return nil, nil, fmt.Errorf("get peer credentials: %w", credErr)
+	}
+
+	return conn, UnixAuthInfo{
+		CommonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity},
+		UID:            UID(xucred.Uid),
+	}, nil
+}
+
+func (c *unixCreds) Info() credentials.ProtocolInfo {
+	return credentials.ProtocolInfo{SecurityProtocol: "unix_peercred"}
+}
+
+func (c *unixCreds) Clone() credentials.TransportCredentials {
+	return &unixCreds{}
+}
+
+func (c *unixCreds) OverrideServerName(_ string) error {
+	return nil
+}

client/internal/owner/transport_generic.go

@@ -0,0 +1,11 @@
+//go:build !linux && !darwin && !freebsd
+
+package owner
+
+import "google.golang.org/grpc/credentials"
+
+// NewUnixTransportCredentials returns nil on platforms without Unix socket peer credentials.
+// The daemon should use insecure credentials and skip owner enforcement.
+func NewUnixTransportCredentials() credentials.TransportCredentials {
+	return nil
+}

client/internal/owner/transport_linux.go

@@ -0,0 +1,66 @@
+package owner
+
+import (
+	"context"
+	"fmt"
+	"net"
+
+	"golang.org/x/sys/unix"
+	"google.golang.org/grpc/credentials"
+)
+
+// NewUnixTransportCredentials returns gRPC TransportCredentials that extract
+// peer UID/GID/PID from Unix socket connections via SO_PEERCRED.
+func NewUnixTransportCredentials() credentials.TransportCredentials {
+	return &unixCreds{}
+}
+
+type unixCreds struct{}
+
+func (c *unixCreds) ClientHandshake(_ context.Context, _ string, conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
+	return conn, UnixAuthInfo{}, nil
+}
+
+// ServerHandshake extracts peer credentials from the Unix connection.
+// Returns an error if credentials cannot be extracted (fail-closed).
+func (c *unixCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
+	uc, ok := conn.(*net.UnixConn)
+	if !ok {
+		return nil, nil, fmt.Errorf("expected *net.UnixConn, got %T", conn)
+	}
+
+	raw, err := uc.SyscallConn()
+	if err != nil {
+		return nil, nil, fmt.Errorf("get raw conn for peer credentials: %w", err)
+	}
+
+	var ucred *unix.Ucred
+	var credErr error
+	if err := raw.Control(func(fd uintptr) {
+		ucred, credErr = unix.GetsockoptUcred(int(fd), unix.SOL_SOCKET, unix.SO_PEERCRED)
+	}); err != nil {
+		return nil, nil, fmt.Errorf("control raw conn for peer credentials: %w", err)
+	}
+	if credErr != nil {
+		return nil, nil, fmt.Errorf("get peer credentials: %w", credErr)
+	}
+
+	return conn, UnixAuthInfo{
+		CommonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity},
+		UID:            UID(ucred.Uid),
+		GID:            ucred.Gid,
+		PID:            ucred.Pid,
+	}, nil
+}
+
+func (c *unixCreds) Info() credentials.ProtocolInfo {
+	return credentials.ProtocolInfo{SecurityProtocol: "unix_peercred"}
+}
+
+func (c *unixCreds) Clone() credentials.TransportCredentials {
+	return &unixCreds{}
+}
+
+func (c *unixCreds) OverrideServerName(_ string) error {
+	return nil
+}

client/internal/owner/transport_test.go

@@ -0,0 +1,107 @@
+package owner
+
+import (
+	"net"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/credentials"
+)
+
+func TestUnixTransportCredentials_ServerHandshake(t *testing.T) {
+	creds := NewUnixTransportCredentials()
+	if creds == nil {
+		t.Skip("unix transport credentials not supported on this platform")
+	}
+
+	sockPath := filepath.Join(t.TempDir(), "test.sock")
+
+	ln, err := net.Listen("unix", sockPath)
+	require.NoError(t, err)
+	t.Cleanup(func() { ln.Close() })
+
+	done := make(chan struct{})
+	var serverConn net.Conn
+	var serverAuth credentials.AuthInfo
+	var serverErr error
+
+	go func() {
+		defer close(done)
+		raw, err := ln.Accept()
+		if err != nil {
+			serverErr = err
+			return
+		}
+		serverConn, serverAuth, serverErr = creds.ServerHandshake(raw)
+	}()
+
+	client, err := net.Dial("unix", sockPath)
+	require.NoError(t, err)
+	t.Cleanup(func() { client.Close() })
+
+	<-done
+	require.NoError(t, serverErr)
+	require.NotNil(t, serverConn)
+	t.Cleanup(func() { serverConn.Close() })
+
+	authInfo, ok := serverAuth.(UnixAuthInfo)
+	require.True(t, ok, "expected UnixAuthInfo, got %T", serverAuth)
+	assert.Equal(t, UID(os.Getuid()), authInfo.UID, "UID should match current user")
+}
+
+func TestUnixTransportCredentials_ServerHandshake_NonUnixConn(t *testing.T) {
+	creds := NewUnixTransportCredentials()
+	if creds == nil {
+		t.Skip("unix transport credentials not supported on this platform")
+	}
+
+	// Use a TCP connection, which is not *net.UnixConn.
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	t.Cleanup(func() { ln.Close() })
+
+	done := make(chan struct{})
+	var handshakeErr error
+
+	go func() {
+		defer close(done)
+		raw, err := ln.Accept()
+		if err != nil {
+			handshakeErr = err
+			return
+		}
+		defer raw.Close()
+		_, _, handshakeErr = creds.ServerHandshake(raw)
+	}()
+
+	client, err := net.Dial("tcp", ln.Addr().String())
+	require.NoError(t, err)
+	t.Cleanup(func() { client.Close() })
+
+	<-done
+	require.Error(t, handshakeErr, "ServerHandshake must fail for non-Unix connections")
+}
+
+func TestUnixTransportCredentials_Info(t *testing.T) {
+	creds := NewUnixTransportCredentials()
+	if creds == nil {
+		t.Skip("unix transport credentials not supported on this platform")
+	}
+
+	info := creds.Info()
+	assert.Equal(t, "unix_peercred", info.SecurityProtocol)
+}
+
+func TestUnixTransportCredentials_Clone(t *testing.T) {
+	creds := NewUnixTransportCredentials()
+	if creds == nil {
+		t.Skip("unix transport credentials not supported on this platform")
+	}
+
+	cloned := creds.Clone()
+	require.NotNil(t, cloned)
+	assert.Equal(t, creds.Info(), cloned.Info())
+}

client/internal/owner/uid.go

@@ -0,0 +1,5 @@
+package owner
+
+// UID is a Unix user ID. Defined as a distinct type so it can't be silently
+// swapped with GID, PID, or other uint32 values at call sites.
+type UID uint32

client/internal/peer/conn.go

@@ -23,6 +23,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/id"
 	"github.com/netbirdio/netbird/client/internal/peer/worker"
 	"github.com/netbirdio/netbird/client/internal/portforward"
+	"github.com/netbirdio/netbird/client/internal/rosenpass"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/route"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
@@ -899,7 +900,7 @@ func (conn *Conn) presharedKey(remoteRosenpassKey []byte) *wgtypes.Key {
 	}
 
 	// Fallback to deterministic key if no NetBird PSK is configured
-	determKey, err := conn.rosenpassDetermKey()
+	determKey, err := rosenpass.DeterministicSeedKey(conn.config.LocalKey, conn.config.Key)
 	if err != nil {
 		conn.Log.Errorf("failed to generate Rosenpass initial key: %v", err)
 		return nil
@@ -908,26 +909,6 @@ func (conn *Conn) presharedKey(remoteRosenpassKey []byte) *wgtypes.Key {
 	return determKey
 }
 
-// todo: move this logic into Rosenpass package
-func (conn *Conn) rosenpassDetermKey() (*wgtypes.Key, error) {
-	lk := []byte(conn.config.LocalKey)
-	rk := []byte(conn.config.Key) // remote key
-	var keyInput []byte
-	if string(lk) > string(rk) {
-		//nolint:gocritic
-		keyInput = append(lk[:16], rk[:16]...)
-	} else {
-		//nolint:gocritic
-		keyInput = append(rk[:16], lk[:16]...)
-	}
-
-	key, err := wgtypes.NewKey(keyInput)
-	if err != nil {
-		return nil, err
-	}
-	return &key, nil
-}
-
 func isController(config ConnConfig) bool {
 	return config.LocalKey > config.Key
 }

client/internal/peer/status.go

@@ -185,9 +185,12 @@ func (s *StatusChangeSubscription) Events() chan map[string]RouterState {
 	return s.eventsChan
 }
 
-// Status holds a state of peers, signal, management connections and relays
+// Status holds a state of peers, signal, management connections and relays.
+// mux is an RWMutex so hot read paths (notably PeerStateByIP, called for
+// every private-service request) don't contend against each other.
+// Pure read methods take RLock; anything that mutates state takes Lock.
 type Status struct {
-	mux                   sync.Mutex
+	mux                   sync.RWMutex
 	peers                 map[string]State
 	changeNotify          map[string]map[string]*StatusChangeSubscription // map[peerID]map[subscriptionID]*StatusChangeSubscription
 	signalState           bool
@@ -283,8 +286,8 @@ func (d *Status) AddPeer(peerPubKey string, fqdn string, ip string, ipv6 string)
 
 // GetPeer adds peer to Daemon status map
 func (d *Status) GetPeer(peerPubKey string) (State, error) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
+	d.mux.RLock()
+	defer d.mux.RUnlock()
 
 	state, ok := d.peers[peerPubKey]
 	if !ok {
@@ -294,8 +297,8 @@ func (d *Status) GetPeer(peerPubKey string) (State, error) {
 }
 
 func (d *Status) PeerByIP(ip string) (string, bool) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
+	d.mux.RLock()
+	defer d.mux.RUnlock()
 
 	for _, state := range d.peers {
 		if state.IP == ip {
@@ -305,6 +308,25 @@ func (d *Status) PeerByIP(ip string) (string, bool) {
 	return "", false
 }
 
+// PeerStateByIP returns the full peer State for the given tunnel IP.
+// Matches against either the IPv4 (State.IP) or IPv6 (State.IPv6) tunnel
+// address so dual-stack peers are reachable on either family. Returns the
+// zero State and false when no peer matches or the input is empty.
+func (d *Status) PeerStateByIP(ip string) (State, bool) {
+	if ip == "" {
+		return State{}, false
+	}
+	d.mux.RLock()
+	defer d.mux.RUnlock()
+
+	for _, state := range d.peers {
+		if (state.IP != "" && state.IP == ip) || (state.IPv6 != "" && state.IPv6 == ip) {
+			return state, true
+		}
+	}
+	return State{}, false
+}
+
 // RemovePeer removes peer from Daemon status map
 func (d *Status) RemovePeer(peerPubKey string) error {
 	d.mux.Lock()
@@ -702,8 +724,8 @@ func (d *Status) UnsubscribePeerStateChanges(subscription *StatusChangeSubscript
 
 // GetLocalPeerState returns the local peer state
 func (d *Status) GetLocalPeerState() LocalPeerState {
-	d.mux.Lock()
-	defer d.mux.Unlock()
+	d.mux.RLock()
+	defer d.mux.RUnlock()
 	return d.localPeer.Clone()
 }
 
@@ -909,8 +931,8 @@ func (d *Status) DeleteResolvedDomainsStates(domain domain.Domain) {
 }
 
 func (d *Status) GetRosenpassState() RosenpassState {
-	d.mux.Lock()
-	defer d.mux.Unlock()
+	d.mux.RLock()
+	defer d.mux.RUnlock()
 	return RosenpassState{
 		d.rosenpassEnabled,
 		d.rosenpassPermissive,
@@ -918,14 +940,14 @@ func (d *Status) GetRosenpassState() RosenpassState {
 }
 
 func (d *Status) GetLazyConnection() bool {
-	d.mux.Lock()
-	defer d.mux.Unlock()
+	d.mux.RLock()
+	defer d.mux.RUnlock()
 	return d.lazyConnectionEnabled
 }
 
 func (d *Status) GetManagementState() ManagementState {
-	d.mux.Lock()
-	defer d.mux.Unlock()
+	d.mux.RLock()
+	defer d.mux.RUnlock()
 	return ManagementState{
 		d.mgmAddress,
 		d.managementState,
@@ -951,8 +973,8 @@ func (d *Status) UpdateLatency(pubKey string, latency time.Duration) error {
 
 // IsLoginRequired determines if a peer's login has expired.
 func (d *Status) IsLoginRequired() bool {
-	d.mux.Lock()
-	defer d.mux.Unlock()
+	d.mux.RLock()
+	defer d.mux.RUnlock()
 
 	// if peer is connected to the management then login is not expired
 	if d.managementState {
@@ -967,8 +989,8 @@ func (d *Status) IsLoginRequired() bool {
 }
 
 func (d *Status) GetSignalState() SignalState {
-	d.mux.Lock()
-	defer d.mux.Unlock()
+	d.mux.RLock()
+	defer d.mux.RUnlock()
 	return SignalState{
 		d.signalAddress,
 		d.signalState,
@@ -978,8 +1000,8 @@ func (d *Status) GetSignalState() SignalState {
 
 // GetRelayStates returns the stun/turn/permanent relay states
 func (d *Status) GetRelayStates() []relay.ProbeResult {
-	d.mux.Lock()
-	defer d.mux.Unlock()
+	d.mux.RLock()
+	defer d.mux.RUnlock()
 	if d.relayMgr == nil {
 		return d.relayStates
 	}
@@ -1008,8 +1030,8 @@ func (d *Status) GetRelayStates() []relay.ProbeResult {
 }
 
 func (d *Status) ForwardingRules() []firewall.ForwardRule {
-	d.mux.Lock()
-	defer d.mux.Unlock()
+	d.mux.RLock()
+	defer d.mux.RUnlock()
 	if d.ingressGwMgr == nil {
 		return nil
 	}
@@ -1018,16 +1040,16 @@ func (d *Status) ForwardingRules() []firewall.ForwardRule {
 }
 
 func (d *Status) GetDNSStates() []NSGroupState {
-	d.mux.Lock()
-	defer d.mux.Unlock()
+	d.mux.RLock()
+	defer d.mux.RUnlock()
 
 	// shallow copy is good enough, as slices fields are currently not updated
 	return slices.Clone(d.nsGroupStates)
 }
 
 func (d *Status) GetResolvedDomainsStates() map[domain.Domain]ResolvedDomainInfo {
-	d.mux.Lock()
-	defer d.mux.Unlock()
+	d.mux.RLock()
+	defer d.mux.RUnlock()
 	return maps.Clone(d.resolvedDomainsStates)
 }
 
@@ -1043,8 +1065,8 @@ func (d *Status) GetFullStatus() FullStatus {
 		LazyConnectionEnabled: d.GetLazyConnection(),
 	}
 
-	d.mux.Lock()
-	defer d.mux.Unlock()
+	d.mux.RLock()
+	defer d.mux.RUnlock()
 
 	fullStatus.LocalPeerState = d.localPeer
 
@@ -1191,15 +1213,6 @@ func (d *Status) SubscribeToEvents() *EventSubscription {
 	}
 }
 
-// HasEventSubscribers reports whether any client is currently subscribed
-// to the daemon's SystemEvent stream. Used by the VNC approval broker to
-// fail closed when no UI is connected to prompt the user.
-func (d *Status) HasEventSubscribers() bool {
-	d.eventMux.Lock()
-	defer d.eventMux.Unlock()
-	return len(d.eventStreams) > 0
-}
-
 // UnsubscribeFromEvents removes an event subscription
 func (d *Status) UnsubscribeFromEvents(sub *EventSubscription) {
 	if sub == nil {
@@ -1228,8 +1241,8 @@ func (d *Status) SetWgIface(wgInterface WGIfaceStatus) {
 }
 
 func (d *Status) PeersStatus() (*configurer.Stats, error) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
+	d.mux.RLock()
+	defer d.mux.RUnlock()
 	if d.wgIface == nil {
 		return nil, fmt.Errorf("wgInterface is nil, cannot retrieve peers status")
 	}

client/internal/peer/status_test.go

@@ -63,6 +63,33 @@ func TestUpdatePeerState(t *testing.T) {
 	assert.Equal(t, ip, state.IP, "ip should be equal")
 }
 
+func TestStatus_PeerStateByIP(t *testing.T) {
+	status := NewRecorder("https://mgm")
+	req := require.New(t)
+
+	req.NoError(status.AddPeer("pk-1", "peer-1.netbird", "100.64.0.10", ""))
+	req.NoError(status.AddPeer("pk-2", "peer-2.netbird", "100.64.0.11", ""))
+
+	state, ok := status.PeerStateByIP("100.64.0.10")
+	req.True(ok, "known tunnel IP should resolve to a peer state")
+	req.Equal("pk-1", state.PubKey, "matching state must carry the right pub key")
+	req.Equal("peer-1.netbird", state.FQDN, "matching state must carry the right FQDN")
+
+	_, ok = status.PeerStateByIP("100.64.0.99")
+	req.False(ok, "unknown IP must report ok=false")
+}
+
+func TestStatus_PeerStateByIP_MatchesIPv6(t *testing.T) {
+	status := NewRecorder("https://mgm")
+	req := require.New(t)
+
+	req.NoError(status.AddPeer("pk-1", "peer-1.netbird", "100.64.0.10", "fd00::1"))
+
+	state, ok := status.PeerStateByIP("fd00::1")
+	req.True(ok, "IPv6-only match must resolve to the peer state")
+	req.Equal("pk-1", state.PubKey, "matching state must carry the right pub key")
+}
+
 func TestStatus_UpdatePeerFQDN(t *testing.T) {
 	key := "abc"
 	fqdn := "peer-a.netbird.local"

client/internal/profilemanager/config.go

@@ -21,6 +21,7 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
 	"github.com/netbirdio/netbird/client/ssh"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
@@ -65,8 +66,6 @@ type ConfigInput struct {
 	StateFilePath                 string
 	PreSharedKey                  *string
 	ServerSSHAllowed              *bool
-	ServerVNCAllowed              *bool
-	DisableVNCApproval            *bool
 	EnableSSHRoot                 *bool
 	EnableSSHSFTP                 *bool
 	EnableSSHLocalPortForwarding  *bool
@@ -101,6 +100,10 @@ type ConfigInput struct {
 	LazyConnectionEnabled *bool
 
 	MTU *uint16
+
+	// OwnerUIDs sets the UIDs of users allowed to control the daemon.
+	// When non-nil, replaces the config's OwnerUIDs.
+	OwnerUIDs []owner.UID
 }
 
 // Config Configuration type
@@ -118,8 +121,6 @@ type Config struct {
 	RosenpassEnabled              bool
 	RosenpassPermissive           bool
 	ServerSSHAllowed              *bool
-	ServerVNCAllowed              *bool
-	DisableVNCApproval            *bool
 	EnableSSHRoot                 *bool
 	EnableSSHSFTP                 *bool
 	EnableSSHLocalPortForwarding  *bool
@@ -178,6 +179,12 @@ type Config struct {
 	LazyConnectionEnabled bool
 
 	MTU uint16
+
+	// OwnerUIDs controls who can perform privileged daemon operations via the gRPC socket.
+	// nil (absent from JSON): TOFU mode, first privileged caller claims ownership (backward compat for existing installs).
+	// [] (empty slice): root-only, no non-root owners until explicitly set via "netbird up --owner".
+	// [uid1, uid2, ...]: these UIDs plus root can perform privileged operations.
+	OwnerUIDs []owner.UID `json:"OwnerUIDs"`
 }
 
 var ConfigDirOverride string
@@ -238,10 +245,18 @@ func fileExists(path string) (bool, error) {
 
 // createNewConfig creates a new config generating a new Wireguard key and saving to file
 func createNewConfig(input ConfigInput) (*Config, error) {
+	// Seed owner UIDs from environment if set (for MDM deployments),
+	// otherwise default to root-only (empty slice).
+	ownerUIDs := owner.OwnerUIDsFromEnv()
+	if ownerUIDs == nil {
+		ownerUIDs = []owner.UID{}
+	}
+
 	config := &Config{
 		// defaults to false only for new (post 0.26) configurations
 		ServerSSHAllowed: util.False(),
 		WgPort:           iface.DefaultWgPort,
+		OwnerUIDs:        ownerUIDs,
 	}
 
 	if _, err := config.apply(input); err != nil {
@@ -422,33 +437,6 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
-	if input.ServerVNCAllowed != nil {
-		if config.ServerVNCAllowed == nil || *input.ServerVNCAllowed != *config.ServerVNCAllowed {
-			if *input.ServerVNCAllowed {
-				log.Infof("enabling VNC server")
-			} else {
-				log.Infof("disabling VNC server")
-			}
-			config.ServerVNCAllowed = input.ServerVNCAllowed
-			updated = true
-		}
-	} else if config.ServerVNCAllowed == nil {
-		config.ServerVNCAllowed = util.False()
-		updated = true
-	}
-
-	if input.DisableVNCApproval != nil {
-		if config.DisableVNCApproval == nil || *input.DisableVNCApproval != *config.DisableVNCApproval {
-			if *input.DisableVNCApproval {
-				log.Infof("disabling VNC connection approval prompt")
-			} else {
-				log.Infof("enabling VNC connection approval prompt")
-			}
-			config.DisableVNCApproval = input.DisableVNCApproval
-			updated = true
-		}
-	}
-
 	if input.EnableSSHRoot != nil && input.EnableSSHRoot != config.EnableSSHRoot {
 		if *input.EnableSSHRoot {
 			log.Infof("enabling SSH root login")
@@ -643,6 +631,14 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
+	if input.OwnerUIDs != nil {
+		if !slices.Equal(config.OwnerUIDs, input.OwnerUIDs) {
+			log.Infof("updating owner UIDs to %v", input.OwnerUIDs)
+			config.OwnerUIDs = input.OwnerUIDs
+			updated = true
+		}
+	}
+
 	return updated, nil
 }
 

client/internal/profilemanager/service.go

@@ -13,6 +13,7 @@ import (
 
 	log "github.com/sirupsen/logrus"
 
+	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/util"
 )
 
@@ -243,7 +244,10 @@ func (s *ServiceManager) DefaultProfilePath() string {
 	return DefaultConfigPath
 }
 
-func (s *ServiceManager) AddProfile(profileName, username string) error {
+// AddProfile creates a new profile with the given name. inheritOwnerUIDs is
+// applied to the new profile's OwnerUIDs (pass the active profile's owners so
+// the caller stays authorized; pass nil to leave the default empty/env-seeded).
+func (s *ServiceManager) AddProfile(profileName, username string, inheritOwnerUIDs []owner.UID) error {
 	configDir, err := s.getConfigDir(username)
 	if err != nil {
 		return fmt.Errorf("failed to get config directory: %w", err)
@@ -264,7 +268,7 @@ func (s *ServiceManager) AddProfile(profileName, username string) error {
 		return ErrProfileAlreadyExists
 	}
 
-	cfg, err := createNewConfig(ConfigInput{ConfigPath: profPath})
+	cfg, err := createNewConfig(ConfigInput{ConfigPath: profPath, OwnerUIDs: inheritOwnerUIDs})
 	if err != nil {
 		return fmt.Errorf("failed to create new config: %w", err)
 	}

client/internal/rosenpass/manager.go

@@ -28,6 +28,15 @@ func hashRosenpassKey(key []byte) string {
 	return hex.EncodeToString(hasher.Sum(nil))
 }
 
+// rpServer is the subset of rp.Server used by Manager. Defined as an interface
+// so tests can substitute a mock without spinning up a real UDP server.
+type rpServer interface {
+	AddPeer(rp.PeerConfig) (rp.PeerID, error)
+	RemovePeer(rp.PeerID) error
+	Run() error
+	Close() error
+}
+
 type Manager struct {
 	ifaceName    string
 	spk          []byte
@@ -36,7 +45,7 @@ type Manager struct {
 	preSharedKey *[32]byte
 	rpPeerIDs    map[string]*rp.PeerID
 	rpWgHandler  *NetbirdHandler
-	server       *rp.Server
+	server       rpServer
 	lock         sync.Mutex
 	port         int
 	wgIface      PresharedKeySetter
@@ -51,7 +60,22 @@ func NewManager(preSharedKey *wgtypes.Key, wgIfaceName string) (*Manager, error)
 
 	rpKeyHash := hashRosenpassKey(public)
 	log.Tracef("generated new rosenpass key pair with public key %s", rpKeyHash)
-	return &Manager{ifaceName: wgIfaceName, rpKeyHash: rpKeyHash, spk: public, ssk: secret, preSharedKey: (*[32]byte)(preSharedKey), rpPeerIDs: make(map[string]*rp.PeerID), lock: sync.Mutex{}}, nil
+	return &Manager{
+		ifaceName:    wgIfaceName,
+		rpKeyHash:    rpKeyHash,
+		spk:          public,
+		ssk:          secret,
+		preSharedKey: (*[32]byte)(preSharedKey),
+		rpPeerIDs:    make(map[string]*rp.PeerID),
+		// rpWgHandler is created here (instead of only in generateConfig) so it
+		// is never nil between NewManager and Run(). Otherwise an early
+		// OnConnected call (race observed on Android, issue #4341) panics on
+		// nil receiver in addPeer -> m.rpWgHandler.AddPeer. generateConfig will
+		// replace it with a fresh handler on each Run() to clear stale peer
+		// state from previous engine sessions.
+		rpWgHandler: NewNetbirdHandler(),
+		lock:        sync.Mutex{},
+	}, nil
 }
 
 func (m *Manager) GetPubKey() []byte {
@@ -65,6 +89,16 @@ func (m *Manager) GetAddress() *net.UDPAddr {
 
 // addPeer adds a new peer to the Rosenpass server
 func (m *Manager) addPeer(rosenpassPubKey []byte, rosenpassAddr string, wireGuardIP string, wireGuardPubKey string) error {
+	// Defense in depth against issue #4341 (Android crash): if Run() has not
+	// completed yet, m.server / m.rpWgHandler may be nil. Return an explicit
+	// error instead of panicking on nil-receiver dereference.
+	if m.server == nil {
+		return fmt.Errorf("rosenpass server not initialized")
+	}
+	if m.rpWgHandler == nil {
+		return fmt.Errorf("rosenpass wg handler not initialized")
+	}
+
 	var err error
 	pcfg := rp.PeerConfig{PublicKey: rosenpassPubKey}
 	if m.preSharedKey != nil {
@@ -79,6 +113,16 @@ func (m *Manager) addPeer(rosenpassPubKey []byte, rosenpassAddr string, wireGuar
 		if pcfg.Endpoint, err = net.ResolveUDPAddr("udp", peerAddr); err != nil {
 			return fmt.Errorf("failed to resolve peer endpoint address: %w", err)
 		}
+		// Our local Rosenpass UDP server binds on the IPv6 wildcard ([::]) — see
+		// GetAddress(). The remote peer's endpoint (pcfg.Endpoint) is the destination
+		// our server will sendto when initiating handshakes. ResolveUDPAddr returns a
+		// 4-byte IPv4 for IPv4 hosts, which the kernel rejects (EDESTADDRREQ) when
+		// sent from an AF_INET6 socket. Normalize the remote endpoint to IPv4-mapped
+		// IPv6 so its address family matches our listening socket.
+		// TODO: maybe bind the Rosenpass UDP server to the peer wg IP addr
+		if v4 := pcfg.Endpoint.IP.To4(); v4 != nil {
+			pcfg.Endpoint.IP = v4.To16()
+		}
 	}
 	peerID, err := m.server.AddPeer(pcfg)
 	if err != nil {
@@ -182,24 +226,31 @@ func (m *Manager) Run() error {
 		return err
 	}
 
-	m.server, err = rp.NewUDPServer(conf)
+	server, err := rp.NewUDPServer(conf)
 	if err != nil {
 		return err
 	}
 
+	m.lock.Lock()
+	m.server = server
+	m.lock.Unlock()
+
 	log.Infof("starting rosenpass server on port %d", m.port)
 
-	return m.server.Run()
+	return server.Run()
 }
 
 // Close closes the Rosenpass server
 func (m *Manager) Close() error {
-	if m.server != nil {
-		err := m.server.Close()
-		if err != nil {
-			log.Errorf("failed closing local rosenpass server")
-		}
-		m.server = nil
+	m.lock.Lock()
+	server := m.server
+	m.server = nil
+	m.lock.Unlock()
+	if server == nil {
+		return nil
+	}
+	if err := server.Close(); err != nil {
+		log.Errorf("failed closing local rosenpass server: %v", err)
 	}
 	return nil
 }

client/internal/rosenpass/manager_test.go

@@ -1,14 +1,412 @@
 package rosenpass
 
 import (
+	"errors"
+	"os"
+	"sync"
 	"testing"
 
+	rp "cunicu.li/go-rosenpass"
 	"github.com/stretchr/testify/require"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
+// --- test doubles -----------------------------------------------------------
+
+type addPeerCall struct {
+	cfg rp.PeerConfig
+}
+
+type removePeerCall struct {
+	id rp.PeerID
+}
+
+type mockServer struct {
+	mu         sync.Mutex
+	addCalls   []addPeerCall
+	removed    []removePeerCall
+	nextID     rp.PeerID
+	addErr     error
+	removeErr  error
+	closed     bool
+	ran        bool
+}
+
+func (m *mockServer) AddPeer(cfg rp.PeerConfig) (rp.PeerID, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.addCalls = append(m.addCalls, addPeerCall{cfg: cfg})
+	if m.addErr != nil {
+		return rp.PeerID{}, m.addErr
+	}
+	// Increment a byte in nextID so distinct peers get distinct IDs.
+	m.nextID[0]++
+	return m.nextID, nil
+}
+
+func (m *mockServer) RemovePeer(id rp.PeerID) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.removed = append(m.removed, removePeerCall{id: id})
+	return m.removeErr
+}
+
+func (m *mockServer) Run() error  { m.ran = true; return nil }
+func (m *mockServer) Close() error { m.closed = true; return nil }
+
+type setPSKCall struct {
+	peerKey    string
+	psk        wgtypes.Key
+	updateOnly bool
+}
+
+type mockIface struct {
+	mu    sync.Mutex
+	calls []setPSKCall
+	err   error
+}
+
+func (m *mockIface) SetPresharedKey(peerKey string, psk wgtypes.Key, updateOnly bool) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.calls = append(m.calls, setPSKCall{peerKey: peerKey, psk: psk, updateOnly: updateOnly})
+	return m.err
+}
+
+// newTestManager builds a Manager with deterministic spk so tie-break
+// against a peer pubkey is controllable from tests. The provided spk byte
+// becomes the first byte; remaining bytes are zero.
+func newTestManager(spkFirstByte byte, mock *mockServer) *Manager {
+	spk := make([]byte, 32)
+	spk[0] = spkFirstByte
+	return &Manager{
+		ifaceName:   "wt0",
+		spk:         spk,
+		ssk:         make([]byte, 32),
+		rpKeyHash:   "test-hash",
+		rpPeerIDs:   make(map[string]*rp.PeerID),
+		rpWgHandler: NewNetbirdHandler(),
+		server:      mock,
+	}
+}
+
+// validWGKey returns a deterministic 32-byte wireguard public key (base64).
+func validWGKey(t *testing.T, lastByte byte) string {
+	t.Helper()
+	var k wgtypes.Key
+	k[31] = lastByte
+	return k.String()
+}
+
+// --- pure helpers ----------------------------------------------------------
+
+func TestHashRosenpassKey_Deterministic(t *testing.T) {
+	key := []byte("hello-rosenpass")
+	require.Equal(t, hashRosenpassKey(key), hashRosenpassKey(key))
+	require.Len(t, hashRosenpassKey(key), 64) // sha256 hex
+}
+
+func TestHashRosenpassKey_DifferentInputsDifferOutputs(t *testing.T) {
+	require.NotEqual(t, hashRosenpassKey([]byte("a")), hashRosenpassKey([]byte("b")))
+}
+
+func TestGetLogLevel_DefaultWhenUnset(t *testing.T) {
+	// Snapshot + unset to exercise the LookupEnv ok=false branch. t.Setenv
+	// can only set, not delete, so do it manually with restore via t.Cleanup.
+	prev, hadPrev := os.LookupEnv(defaultLogLevelVar)
+	require.NoError(t, os.Unsetenv(defaultLogLevelVar))
+	t.Cleanup(func() {
+		if hadPrev {
+			_ = os.Setenv(defaultLogLevelVar, prev)
+		} else {
+			_ = os.Unsetenv(defaultLogLevelVar)
+		}
+	})
+	require.Equal(t, defaultLog.String(), getLogLevel().String())
+}
+
+func TestGetLogLevel_Cases(t *testing.T) {
+	cases := map[string]string{
+		"debug":   "DEBUG",
+		"info":    "INFO",
+		"warn":    "WARN",
+		"error":   "ERROR",
+		"unknown": "INFO", // default fallback
+	}
+	for input, wantStr := range cases {
+		input, wantStr := input, wantStr
+		t.Run(input, func(t *testing.T) {
+			t.Setenv(defaultLogLevelVar, input)
+			require.Equal(t, wantStr, getLogLevel().String())
+		})
+	}
+}
+
 func TestFindRandomAvailableUDPPort(t *testing.T) {
 	port, err := findRandomAvailableUDPPort()
 	require.NoError(t, err)
 	require.Greater(t, port, 0)
 	require.LessOrEqual(t, port, 65535)
 }
+
+// --- addPeer ---------------------------------------------------------------
+
+func TestAddPeer_HigherLocalPubkey_SetsEndpoint(t *testing.T) {
+	srv := &mockServer{}
+	m := newTestManager(0xFF, srv) // local spk lexicographically larger
+
+	remotePubKey := make([]byte, 32) // remote spk = all zeros (smaller)
+	err := m.addPeer(remotePubKey, "rosenpass-host:7000", "100.1.1.1", validWGKey(t, 1))
+	require.NoError(t, err)
+	require.Len(t, srv.addCalls, 1)
+
+	ep := srv.addCalls[0].cfg.Endpoint
+	require.NotNil(t, ep, "initiator side must set Endpoint")
+	require.Equal(t, 7000, ep.Port)
+	require.Equal(t, "100.1.1.1", ep.IP.String())
+}
+
+func TestAddPeer_HigherLocalPubkey_EndpointIPIsIPv4Mapped(t *testing.T) {
+	// Regression guard for the EDESTADDRREQ fix: Endpoint.IP must be 16-byte
+	// (IPv4-mapped IPv6) so it matches the AF_INET6 listening socket family.
+	srv := &mockServer{}
+	m := newTestManager(0xFF, srv)
+
+	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
+	require.NoError(t, err)
+
+	ep := srv.addCalls[0].cfg.Endpoint
+	require.NotNil(t, ep)
+	require.Len(t, ep.IP, 16, "IPv4 endpoint must be normalized to 16-byte v4-mapped form")
+	require.True(t, ep.IP.To4() != nil, "Endpoint must still be detected as IPv4")
+}
+
+func TestAddPeer_LowerLocalPubkey_LeavesEndpointNil(t *testing.T) {
+	srv := &mockServer{}
+	m := newTestManager(0x00, srv) // local spk smaller
+
+	remotePubKey := make([]byte, 32)
+	remotePubKey[0] = 0xFF
+	err := m.addPeer(remotePubKey, "rp:5000", "100.1.1.1", validWGKey(t, 2))
+	require.NoError(t, err)
+
+	require.Nil(t, srv.addCalls[0].cfg.Endpoint, "responder side must NOT set Endpoint")
+}
+
+func TestAddPeer_PresharedKeyPropagated(t *testing.T) {
+	srv := &mockServer{}
+	psk := &wgtypes.Key{0x42}
+	m := newTestManager(0xFF, srv)
+	m.preSharedKey = (*[32]byte)(psk)
+
+	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 3))
+	require.NoError(t, err)
+	require.Equal(t, [32]byte(*psk), [32]byte(srv.addCalls[0].cfg.PresharedKey))
+}
+
+func TestAddPeer_InvalidRosenpassAddr_ReturnsError(t *testing.T) {
+	srv := &mockServer{}
+	m := newTestManager(0xFF, srv) // initiator path → parses rosenpassAddr
+
+	err := m.addPeer(make([]byte, 32), "not-a-host-port", "100.1.1.1", validWGKey(t, 1))
+	require.Error(t, err)
+	require.Empty(t, srv.addCalls, "server.AddPeer must not run when address parse fails")
+}
+
+func TestAddPeer_InvalidWireGuardPubKey_ReturnsError(t *testing.T) {
+	srv := &mockServer{}
+	m := newTestManager(0xFF, srv)
+
+	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", "not-a-valid-key")
+	require.Error(t, err)
+}
+
+func TestAddPeer_ServerError_Propagates(t *testing.T) {
+	srv := &mockServer{addErr: errors.New("boom")}
+	m := newTestManager(0xFF, srv)
+
+	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
+	require.Error(t, err)
+}
+
+// Regression guard for issue #4341 (Android crash). If Run() has not completed
+// before OnConnected fires, m.rpWgHandler or m.server may be nil. Without the
+// nil guards, m.rpWgHandler.AddPeer panics on nil receiver.
+func TestAddPeer_NilHandler_ReturnsErrorNoCrash(t *testing.T) {
+	srv := &mockServer{}
+	m := newTestManager(0xFF, srv)
+	m.rpWgHandler = nil // simulate Run() not yet completed
+
+	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "wg handler not initialized")
+}
+
+func TestAddPeer_NilServer_ReturnsErrorNoCrash(t *testing.T) {
+	m := newTestManager(0xFF, nil)
+	m.server = nil // simulate Run() not yet completed
+
+	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "server not initialized")
+}
+
+// NewManager must pre-initialize rpWgHandler so the nil-receiver crash from
+// issue #4341 cannot occur in the window between NewManager and Run().
+func TestNewManager_PreInitializesHandler(t *testing.T) {
+	psk := wgtypes.Key{}
+	m, err := NewManager(&psk, "wt0")
+	require.NoError(t, err)
+	require.NotNil(t, m.rpWgHandler, "rpWgHandler must be initialized in NewManager")
+}
+
+func TestAddPeer_RecordsPeerID(t *testing.T) {
+	srv := &mockServer{}
+	m := newTestManager(0xFF, srv)
+
+	wgKey := validWGKey(t, 5)
+	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey)
+	require.NoError(t, err)
+	require.Contains(t, m.rpPeerIDs, wgKey)
+}
+
+// --- OnConnected / OnDisconnected ------------------------------------------
+
+func TestOnConnected_NilRemotePubKey_NoAddPeer(t *testing.T) {
+	srv := &mockServer{}
+	m := newTestManager(0xFF, srv)
+
+	m.OnConnected(validWGKey(t, 1), nil, "100.1.1.1", "rp:5000")
+	require.Empty(t, srv.addCalls, "nil remote rosenpass pubkey must skip AddPeer")
+	require.Empty(t, m.rpPeerIDs)
+}
+
+func TestOnConnected_ValidPubKey_CallsAddPeer(t *testing.T) {
+	srv := &mockServer{}
+	m := newTestManager(0xFF, srv)
+
+	wgKey := validWGKey(t, 1)
+	m.OnConnected(wgKey, make([]byte, 32), "100.1.1.1", "rp:5000")
+	require.Len(t, srv.addCalls, 1)
+	require.Contains(t, m.rpPeerIDs, wgKey)
+}
+
+func TestOnDisconnected_UnknownPeer_NoOp(t *testing.T) {
+	srv := &mockServer{}
+	m := newTestManager(0xFF, srv)
+
+	m.OnDisconnected(validWGKey(t, 99))
+	require.Empty(t, srv.removed, "unknown peer key must not call RemovePeer")
+}
+
+func TestOnDisconnected_KnownPeer_CallsRemoveAndForgets(t *testing.T) {
+	srv := &mockServer{}
+	m := newTestManager(0xFF, srv)
+
+	wgKey := validWGKey(t, 1)
+	require.NoError(t, m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey))
+	require.Contains(t, m.rpPeerIDs, wgKey)
+
+	m.OnDisconnected(wgKey)
+	require.Len(t, srv.removed, 1)
+	require.NotContains(t, m.rpPeerIDs, wgKey, "peer must be forgotten after disconnect")
+}
+
+// --- IsPresharedKeyInitialized ---------------------------------------------
+
+func TestIsPresharedKeyInitialized_UnknownPeer_ReturnsFalse(t *testing.T) {
+	srv := &mockServer{}
+	m := newTestManager(0xFF, srv)
+	require.False(t, m.IsPresharedKeyInitialized(validWGKey(t, 1)))
+}
+
+func TestIsPresharedKeyInitialized_AddedButNotHandshaken_ReturnsFalse(t *testing.T) {
+	srv := &mockServer{}
+	m := newTestManager(0xFF, srv)
+
+	wgKey := validWGKey(t, 2)
+	require.NoError(t, m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey))
+	require.False(t, m.IsPresharedKeyInitialized(wgKey))
+}
+
+// --- NetbirdHandler.outputKey ----------------------------------------------
+
+func TestHandler_OutputKey_FirstCallUsesUpdateOnlyFalse(t *testing.T) {
+	h := NewNetbirdHandler()
+	iface := &mockIface{}
+	h.SetInterface(iface)
+
+	pid := rp.PeerID{0x01}
+	wgKey := wgtypes.Key{0xAA}
+	h.AddPeer(pid, "wt0", rp.Key(wgKey))
+
+	psk := rp.Key{0xBB}
+	h.HandshakeCompleted(pid, psk)
+
+	require.Len(t, iface.calls, 1)
+	require.False(t, iface.calls[0].updateOnly, "first PSK rotation must use updateOnly=false")
+	require.Equal(t, wgKey.String(), iface.calls[0].peerKey)
+}
+
+func TestHandler_OutputKey_SubsequentCallsUseUpdateOnlyTrue(t *testing.T) {
+	h := NewNetbirdHandler()
+	iface := &mockIface{}
+	h.SetInterface(iface)
+
+	pid := rp.PeerID{0x02}
+	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{0xCC}))
+
+	h.HandshakeCompleted(pid, rp.Key{0x01}) // first
+	h.HandshakeCompleted(pid, rp.Key{0x02}) // second
+
+	require.Len(t, iface.calls, 2)
+	require.False(t, iface.calls[0].updateOnly)
+	require.True(t, iface.calls[1].updateOnly, "subsequent rotations must use updateOnly=true")
+}
+
+func TestHandler_OutputKey_NilInterface_NoCrashNoCall(t *testing.T) {
+	h := NewNetbirdHandler()
+	// no SetInterface — iface remains nil
+	pid := rp.PeerID{0x03}
+	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{}))
+
+	// Must not panic.
+	h.HandshakeCompleted(pid, rp.Key{})
+}
+
+func TestHandler_OutputKey_UnknownPeer_NoCall(t *testing.T) {
+	h := NewNetbirdHandler()
+	iface := &mockIface{}
+	h.SetInterface(iface)
+
+	h.HandshakeCompleted(rp.PeerID{0xFF}, rp.Key{})
+	require.Empty(t, iface.calls, "unknown peer id must not trigger SetPresharedKey")
+}
+
+func TestHandler_RemovePeer_ClearsInitializedState(t *testing.T) {
+	h := NewNetbirdHandler()
+	iface := &mockIface{}
+	h.SetInterface(iface)
+
+	pid := rp.PeerID{0x04}
+	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{0xDD}))
+	h.HandshakeCompleted(pid, rp.Key{0x01})
+	require.True(t, h.IsPeerInitialized(pid))
+
+	h.RemovePeer(pid)
+	require.False(t, h.IsPeerInitialized(pid), "RemovePeer must clear initialized flag")
+}
+
+func TestHandler_SetInterfaceAfterAddPeer_StillReceivesKey(t *testing.T) {
+	h := NewNetbirdHandler()
+	pid := rp.PeerID{0x05}
+	wgKey := wgtypes.Key{0xEE}
+	h.AddPeer(pid, "wt0", rp.Key(wgKey))
+
+	iface := &mockIface{}
+	h.SetInterface(iface) // set after AddPeer
+
+	h.HandshakeCompleted(pid, rp.Key{0x42})
+	require.Len(t, iface.calls, 1)
+	require.Equal(t, wgKey.String(), iface.calls[0].peerKey)
+}

client/internal/rosenpass/seed.go

@@ -0,0 +1,42 @@
+package rosenpass
+
+import (
+	"fmt"
+
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+// DeterministicSeedKey derives a 32-byte WireGuard preshared key from a pair
+// of peer public keys. Both peers, given the same key pair, produce the same
+// output regardless of which side runs the function: the inputs are ordered
+// lexicographically before concatenation.
+//
+// NetBird uses this value as the initial Rosenpass-side preshared key when no
+// explicit account-level PSK is configured, so both peers converge on the same
+// PSK before the first post-quantum handshake completes.
+//
+// The resulting key MUST NOT be treated as quantum-safe: it is deterministic
+// from public keys and exists only to seed WireGuard until Rosenpass rotates
+// in a real post-quantum PSK.
+func DeterministicSeedKey(localKey, remoteKey string) (*wgtypes.Key, error) {
+	lk := []byte(localKey)
+	rk := []byte(remoteKey)
+	if len(lk) < 16 || len(rk) < 16 {
+		return nil, fmt.Errorf("rosenpass: peer keys must be at least 16 bytes (got local=%d, remote=%d)", len(lk), len(rk))
+	}
+
+	var keyInput []byte
+	if localKey > remoteKey {
+		keyInput = append(keyInput, lk[:16]...)
+		keyInput = append(keyInput, rk[:16]...)
+	} else {
+		keyInput = append(keyInput, rk[:16]...)
+		keyInput = append(keyInput, lk[:16]...)
+	}
+
+	key, err := wgtypes.NewKey(keyInput)
+	if err != nil {
+		return nil, fmt.Errorf("rosenpass: deterministic seed key: %w", err)
+	}
+	return &key, nil
+}

client/internal/rosenpass/seed_test.go

@@ -0,0 +1,44 @@
+package rosenpass
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestDeterministicSeedKey_SameForBothSides(t *testing.T) {
+	// Peer A and peer B must derive the same PSK regardless of which side
+	// computes it: the function orders inputs internally.
+	a := strings.Repeat("a", 32)
+	b := strings.Repeat("b", 32)
+
+	keyAB, err := DeterministicSeedKey(a, b)
+	require.NoError(t, err)
+	keyBA, err := DeterministicSeedKey(b, a)
+	require.NoError(t, err)
+	require.Equal(t, keyAB.String(), keyBA.String(), "swapping arguments must yield identical key")
+}
+
+func TestDeterministicSeedKey_ChangesWithKeys(t *testing.T) {
+	a := strings.Repeat("a", 32)
+	b := strings.Repeat("b", 32)
+	c := strings.Repeat("c", 32)
+
+	keyAB, err := DeterministicSeedKey(a, b)
+	require.NoError(t, err)
+	keyAC, err := DeterministicSeedKey(a, c)
+	require.NoError(t, err)
+	require.NotEqual(t, keyAB.String(), keyAC.String(), "different peer pair must yield different key")
+}
+
+func TestDeterministicSeedKey_TooShortKey_ReturnsError(t *testing.T) {
+	short := "short" // < 16 bytes
+	long := strings.Repeat("x", 32)
+
+	_, err := DeterministicSeedKey(short, long)
+	require.Error(t, err)
+	_, err = DeterministicSeedKey(long, short)
+	require.Error(t, err)
+}
+

client/internal/routemanager/systemops/routeflags_addfilter_bsd.go

@@ -0,0 +1,9 @@
+//go:build dragonfly || freebsd || netbsd || openbsd
+
+package systemops
+
+// IgnoreAddedDefaultRoute reports whether an RTM_ADD default route with the
+// given flags should be ignored by the network monitor.
+func IgnoreAddedDefaultRoute(flags int) bool {
+	return filterRoutesByFlags(flags)
+}

client/internal/routemanager/systemops/routeflags_addfilter_darwin.go

@@ -0,0 +1,21 @@
+//go:build darwin
+
+package systemops
+
+import "golang.org/x/sys/unix"
+
+// IgnoreAddedDefaultRoute reports whether an RTM_ADD default route with the
+// given flags should be ignored by the network monitor. Scoped routes
+// (RTF_IFSCOPE) are tied to a specific interface index and cannot replace the
+// unscoped default the kernel uses for general egress, so flapping ones (e.g.
+// Wi-Fi calling IMS tunnels on ipsec0, Docker bridges, scoped utun defaults)
+// must not trigger an engine restart.
+func IgnoreAddedDefaultRoute(flags int) bool {
+	if filterRoutesByFlags(flags) {
+		return true
+	}
+	if flags&unix.RTF_IFSCOPE != 0 {
+		return true
+	}
+	return false
+}

client/internal/statemanager/manager.go

@@ -74,14 +74,6 @@ func New(filePath string) *Manager {
 	}
 }
 
-// FilePath returns the path of the underlying state file.
-func (m *Manager) FilePath() string {
-	if m == nil {
-		return ""
-	}
-	return m.filePath
-}
-
 // Start starts the state manager periodic save routine
 func (m *Manager) Start() {
 	if m == nil {
@@ -104,17 +96,19 @@ func (m *Manager) Stop(ctx context.Context) error {
 	}
 
 	m.mu.Lock()
-	defer m.mu.Unlock()
+	cancel := m.cancel
+	done := m.done
+	m.mu.Unlock()
 
-	if m.cancel == nil {
+	if cancel == nil {
 		return nil
 	}
-	m.cancel()
+	cancel()
 
 	select {
 	case <-ctx.Done():
 		return ctx.Err()
-	case <-m.done:
+	case <-done:
 	}
 
 	return nil

client/netbird.wxs

@@ -64,13 +64,6 @@
 					<RegistryValue Name="InstalledByMSI" Type="integer" Value="1" KeyPath="yes" />
 				</RegistryKey>
 			</Component>
-			<!-- Drop the HKCU Run\Netbird value written by legacy NSIS installers. -->
-			<Component Id="NetbirdLegacyHKCUCleanup" Guid="*">
-				<RegistryValue Root="HKCU" Key="Software\NetBird GmbH\Installer"
-					Name="LegacyHKCUCleanup" Type="integer" Value="1" KeyPath="yes" />
-				<RemoveRegistryValue Root="HKCU"
-					Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
-			</Component>
 		</StandardDirectory>
 
 		<StandardDirectory Id="CommonAppDataFolder">
@@ -83,28 +76,10 @@
 			</Directory>
 		</StandardDirectory>
 
-		<!-- Drop Run, App Paths and Uninstall entries written by legacy NSIS
-		     installers into the 32-bit registry view (HKLM\Software\Wow6432Node). -->
-		<Component Id="NetbirdLegacyWow6432Cleanup" Directory="NetbirdInstallDir"
-			Guid="bda5d628-16bd-4086-b2c1-5099d8d51763" Bitness="always32">
-			<RegistryValue Root="HKLM" Key="Software\NetBird GmbH\Installer"
-				Name="LegacyWow6432Cleanup" Type="integer" Value="1" KeyPath="yes" />
-			<RemoveRegistryValue Root="HKLM"
-				Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
-			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
-				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird" />
-			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
-				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird-ui" />
-			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
-				Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\Netbird" />
-		</Component>
-
 		<ComponentGroup Id="NetbirdFilesComponent">
 			<ComponentRef Id="NetbirdFiles" />
 			<ComponentRef Id="NetbirdAumidRegistry" />
 			<ComponentRef Id="NetbirdAutoStart" />
-			<ComponentRef Id="NetbirdLegacyHKCUCleanup" />
-			<ComponentRef Id="NetbirdLegacyWow6432Cleanup" />
 		</ComponentGroup>
 
 		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />

client/proto/daemon.proto

@@ -91,6 +91,15 @@ service DaemonService {
 
   rpc GetActiveProfile(GetActiveProfileRequest) returns (GetActiveProfileResponse) {}
 
+  // AddOwner adds a UID to the active profile's owner list. Requires
+  // root or an existing owner.
+  rpc AddOwner(AddOwnerRequest) returns (AddOwnerResponse) {}
+
+  // ResetOwner clears the active profile's owner list, returning it to
+  // the unconfigured state. The next call from the active console-session
+  // user will then re-claim ownership. Requires root.
+  rpc ResetOwner(ResetOwnerRequest) returns (ResetOwnerResponse) {}
+
   // Logout disconnects from the network and deletes the peer from the management server
   rpc Logout(LogoutRequest) returns (LogoutResponse) {}
 
@@ -119,14 +128,6 @@ service DaemonService {
 
   // ExposeService exposes a local port via the NetBird reverse proxy
   rpc ExposeService(ExposeServiceRequest) returns (stream ExposeServiceEvent) {}
-
-  // RespondApproval delivers the user's accept/deny decision for a
-  // pending user-approval prompt. The daemon pushes the prompt as a
-  // SystemEvent with category APPROVAL and metadata key "request_id";
-  // the UI calls this RPC with the same request_id to unblock whichever
-  // subsystem (VNC, SSH, ...) is waiting. The "kind" metadata key tells
-  // the UI which subsystem the prompt belongs to.
-  rpc RespondApproval(RespondApprovalRequest) returns (RespondApprovalResponse) {}
 }
 
 
@@ -213,10 +214,6 @@ message LoginRequest {
   optional bool disableSSHAuth = 38;
   optional int32 sshJWTCacheTTL = 39;
   optional bool disable_ipv6 = 40;
-
-  optional bool serverVNCAllowed = 41;
-
-  optional bool disableVNCApproval = 42;
 }
 
 message LoginResponse {
@@ -239,6 +236,10 @@ message UpRequest {
   optional string profileName = 1;
   optional string username = 2;
   reserved 3;
+  // When true, the caller claims owner privileges for this profile.
+  // Requires root or current owner; for new installs (root-only mode),
+  // the calling UID becomes an owner.
+  bool claimOwner = 4;
 }
 
 message UpResponse {}
@@ -326,10 +327,6 @@ message GetConfigResponse {
   int32 sshJWTCacheTTL = 26;
 
   bool disable_ipv6 = 27;
-
-  bool serverVNCAllowed = 28;
-
-  bool disableVNCApproval = 29;
 }
 
 // PeerState contains the latest state of a peer
@@ -410,25 +407,6 @@ message SSHServerState {
   repeated SSHSessionInfo sessions = 2;
 }
 
-// VNCSessionInfo contains information about an active VNC session
-message VNCSessionInfo {
-  string remoteAddress = 1;
-  string mode = 2;
-  string username = 3;
-  // userID is the Noise-verified session identity (hashed user ID from
-  // the ACL session-key entry), empty when auth is disabled.
-  string userID = 4;
-  // initiator is the human-readable display name of the dashboard user
-  // who minted the SessionPubKey, when known.
-  string initiator = 5;
-}
-
-// VNCServerState contains the latest state of the VNC server
-message VNCServerState {
-  bool enabled = 1;
-  repeated VNCSessionInfo sessions = 2;
-}
-
 // FullStatus contains the full state held by the Status instance
 message FullStatus {
   ManagementState managementState = 1;
@@ -443,7 +421,6 @@ message FullStatus {
 
   bool lazyConnectionEnabled = 9;
   SSHServerState sshServerState = 10;
-  VNCServerState vncServerState = 11;
 }
 
 // Networks
@@ -631,7 +608,6 @@ message SystemEvent {
     AUTHENTICATION = 2;
     CONNECTIVITY = 3;
     SYSTEM = 4;
-    APPROVAL = 5;
   }
 
   string id = 1;
@@ -715,10 +691,6 @@ message SetConfigRequest {
   optional bool disableSSHAuth = 33;
   optional int32 sshJWTCacheTTL = 34;
   optional bool disable_ipv6 = 35;
-
-  optional bool serverVNCAllowed = 36;
-
-  optional bool disableVNCApproval = 37;
 }
 
 message SetConfigResponse{}
@@ -730,6 +702,16 @@ message AddProfileRequest {
 
 message AddProfileResponse {}
 
+message AddOwnerRequest {
+  uint32 uid = 1;
+}
+
+message AddOwnerResponse {}
+
+message ResetOwnerRequest {}
+
+message ResetOwnerResponse {}
+
 message RemoveProfileRequest {
   string username = 1;
   string profileName = 2;
@@ -913,18 +895,3 @@ message StartBundleCaptureRequest {
 message StartBundleCaptureResponse {}
 message StopBundleCaptureRequest {}
 message StopBundleCaptureResponse {}
-
-message RespondApprovalRequest {
-  // request_id matches the SystemEvent metadata key emitted by the daemon
-  // when a subsystem awaits user approval for an inbound connection.
-  string request_id = 1;
-  // accept is true if the user approved the request, false if they
-  // denied it. A missing or unknown request_id is treated as a no-op.
-  bool accept = 2;
-  // view_only signals that the user granted the connection but withheld
-  // input control. Only meaningful when accept is true; ignored when
-  // accept is false.
-  bool view_only = 3;
-}
-
-message RespondApprovalResponse {}

client/proto/daemon_grpc.pb.go

@@ -48,6 +48,8 @@ const (
 	DaemonService_RemoveProfile_FullMethodName              = "/daemon.DaemonService/RemoveProfile"
 	DaemonService_ListProfiles_FullMethodName               = "/daemon.DaemonService/ListProfiles"
 	DaemonService_GetActiveProfile_FullMethodName           = "/daemon.DaemonService/GetActiveProfile"
+	DaemonService_AddOwner_FullMethodName                   = "/daemon.DaemonService/AddOwner"
+	DaemonService_ResetOwner_FullMethodName                 = "/daemon.DaemonService/ResetOwner"
 	DaemonService_Logout_FullMethodName                     = "/daemon.DaemonService/Logout"
 	DaemonService_GetFeatures_FullMethodName                = "/daemon.DaemonService/GetFeatures"
 	DaemonService_TriggerUpdate_FullMethodName              = "/daemon.DaemonService/TriggerUpdate"
@@ -58,7 +60,6 @@ const (
 	DaemonService_StopCPUProfile_FullMethodName             = "/daemon.DaemonService/StopCPUProfile"
 	DaemonService_GetInstallerResult_FullMethodName         = "/daemon.DaemonService/GetInstallerResult"
 	DaemonService_ExposeService_FullMethodName              = "/daemon.DaemonService/ExposeService"
-	DaemonService_RespondApproval_FullMethodName            = "/daemon.DaemonService/RespondApproval"
 )
 
 // DaemonServiceClient is the client API for DaemonService service.
@@ -116,6 +117,13 @@ type DaemonServiceClient interface {
 	RemoveProfile(ctx context.Context, in *RemoveProfileRequest, opts ...grpc.CallOption) (*RemoveProfileResponse, error)
 	ListProfiles(ctx context.Context, in *ListProfilesRequest, opts ...grpc.CallOption) (*ListProfilesResponse, error)
 	GetActiveProfile(ctx context.Context, in *GetActiveProfileRequest, opts ...grpc.CallOption) (*GetActiveProfileResponse, error)
+	// AddOwner adds a UID to the active profile's owner list. Requires
+	// root or an existing owner.
+	AddOwner(ctx context.Context, in *AddOwnerRequest, opts ...grpc.CallOption) (*AddOwnerResponse, error)
+	// ResetOwner clears the active profile's owner list, returning it to
+	// the unconfigured state. The next call from the active console-session
+	// user will then re-claim ownership. Requires root.
+	ResetOwner(ctx context.Context, in *ResetOwnerRequest, opts ...grpc.CallOption) (*ResetOwnerResponse, error)
 	// Logout disconnects from the network and deletes the peer from the management server
 	Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error)
 	GetFeatures(ctx context.Context, in *GetFeaturesRequest, opts ...grpc.CallOption) (*GetFeaturesResponse, error)
@@ -135,13 +143,6 @@ type DaemonServiceClient interface {
 	GetInstallerResult(ctx context.Context, in *InstallerResultRequest, opts ...grpc.CallOption) (*InstallerResultResponse, error)
 	// ExposeService exposes a local port via the NetBird reverse proxy
 	ExposeService(ctx context.Context, in *ExposeServiceRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ExposeServiceEvent], error)
-	// RespondApproval delivers the user's accept/deny decision for a
-	// pending user-approval prompt. The daemon pushes the prompt as a
-	// SystemEvent with category APPROVAL and metadata key "request_id";
-	// the UI calls this RPC with the same request_id to unblock whichever
-	// subsystem (VNC, SSH, ...) is waiting. The "kind" metadata key tells
-	// the UI which subsystem the prompt belongs to.
-	RespondApproval(ctx context.Context, in *RespondApprovalRequest, opts ...grpc.CallOption) (*RespondApprovalResponse, error)
 }
 
 type daemonServiceClient struct {
@@ -460,6 +461,26 @@ func (c *daemonServiceClient) GetActiveProfile(ctx context.Context, in *GetActiv
 	return out, nil
 }
 
+func (c *daemonServiceClient) AddOwner(ctx context.Context, in *AddOwnerRequest, opts ...grpc.CallOption) (*AddOwnerResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(AddOwnerResponse)
+	err := c.cc.Invoke(ctx, DaemonService_AddOwner_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) ResetOwner(ctx context.Context, in *ResetOwnerRequest, opts ...grpc.CallOption) (*ResetOwnerResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ResetOwnerResponse)
+	err := c.cc.Invoke(ctx, DaemonService_ResetOwner_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *daemonServiceClient) Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(LogoutResponse)
@@ -569,16 +590,6 @@ func (c *daemonServiceClient) ExposeService(ctx context.Context, in *ExposeServi
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
 type DaemonService_ExposeServiceClient = grpc.ServerStreamingClient[ExposeServiceEvent]
 
-func (c *daemonServiceClient) RespondApproval(ctx context.Context, in *RespondApprovalRequest, opts ...grpc.CallOption) (*RespondApprovalResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(RespondApprovalResponse)
-	err := c.cc.Invoke(ctx, DaemonService_RespondApproval_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 // DaemonServiceServer is the server API for DaemonService service.
 // All implementations must embed UnimplementedDaemonServiceServer
 // for forward compatibility.
@@ -634,6 +645,13 @@ type DaemonServiceServer interface {
 	RemoveProfile(context.Context, *RemoveProfileRequest) (*RemoveProfileResponse, error)
 	ListProfiles(context.Context, *ListProfilesRequest) (*ListProfilesResponse, error)
 	GetActiveProfile(context.Context, *GetActiveProfileRequest) (*GetActiveProfileResponse, error)
+	// AddOwner adds a UID to the active profile's owner list. Requires
+	// root or an existing owner.
+	AddOwner(context.Context, *AddOwnerRequest) (*AddOwnerResponse, error)
+	// ResetOwner clears the active profile's owner list, returning it to
+	// the unconfigured state. The next call from the active console-session
+	// user will then re-claim ownership. Requires root.
+	ResetOwner(context.Context, *ResetOwnerRequest) (*ResetOwnerResponse, error)
 	// Logout disconnects from the network and deletes the peer from the management server
 	Logout(context.Context, *LogoutRequest) (*LogoutResponse, error)
 	GetFeatures(context.Context, *GetFeaturesRequest) (*GetFeaturesResponse, error)
@@ -653,13 +671,6 @@ type DaemonServiceServer interface {
 	GetInstallerResult(context.Context, *InstallerResultRequest) (*InstallerResultResponse, error)
 	// ExposeService exposes a local port via the NetBird reverse proxy
 	ExposeService(*ExposeServiceRequest, grpc.ServerStreamingServer[ExposeServiceEvent]) error
-	// RespondApproval delivers the user's accept/deny decision for a
-	// pending user-approval prompt. The daemon pushes the prompt as a
-	// SystemEvent with category APPROVAL and metadata key "request_id";
-	// the UI calls this RPC with the same request_id to unblock whichever
-	// subsystem (VNC, SSH, ...) is waiting. The "kind" metadata key tells
-	// the UI which subsystem the prompt belongs to.
-	RespondApproval(context.Context, *RespondApprovalRequest) (*RespondApprovalResponse, error)
 	mustEmbedUnimplementedDaemonServiceServer()
 }
 
@@ -757,6 +768,12 @@ func (UnimplementedDaemonServiceServer) ListProfiles(context.Context, *ListProfi
 func (UnimplementedDaemonServiceServer) GetActiveProfile(context.Context, *GetActiveProfileRequest) (*GetActiveProfileResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetActiveProfile not implemented")
 }
+func (UnimplementedDaemonServiceServer) AddOwner(context.Context, *AddOwnerRequest) (*AddOwnerResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method AddOwner not implemented")
+}
+func (UnimplementedDaemonServiceServer) ResetOwner(context.Context, *ResetOwnerRequest) (*ResetOwnerResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method ResetOwner not implemented")
+}
 func (UnimplementedDaemonServiceServer) Logout(context.Context, *LogoutRequest) (*LogoutResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method Logout not implemented")
 }
@@ -787,9 +804,6 @@ func (UnimplementedDaemonServiceServer) GetInstallerResult(context.Context, *Ins
 func (UnimplementedDaemonServiceServer) ExposeService(*ExposeServiceRequest, grpc.ServerStreamingServer[ExposeServiceEvent]) error {
 	return status.Error(codes.Unimplemented, "method ExposeService not implemented")
 }
-func (UnimplementedDaemonServiceServer) RespondApproval(context.Context, *RespondApprovalRequest) (*RespondApprovalResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "method RespondApproval not implemented")
-}
 func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}
 func (UnimplementedDaemonServiceServer) testEmbeddedByValue()                       {}
 
@@ -1319,6 +1333,42 @@ func _DaemonService_GetActiveProfile_Handler(srv interface{}, ctx context.Contex
 	return interceptor(ctx, in, info, handler)
 }
 
+func _DaemonService_AddOwner_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(AddOwnerRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).AddOwner(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: DaemonService_AddOwner_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).AddOwner(ctx, req.(*AddOwnerRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_ResetOwner_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ResetOwnerRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).ResetOwner(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: DaemonService_ResetOwner_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).ResetOwner(ctx, req.(*ResetOwnerRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _DaemonService_Logout_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(LogoutRequest)
 	if err := dec(in); err != nil {
@@ -1492,24 +1542,6 @@ func _DaemonService_ExposeService_Handler(srv interface{}, stream grpc.ServerStr
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
 type DaemonService_ExposeServiceServer = grpc.ServerStreamingServer[ExposeServiceEvent]
 
-func _DaemonService_RespondApproval_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(RespondApprovalRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(DaemonServiceServer).RespondApproval(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: DaemonService_RespondApproval_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DaemonServiceServer).RespondApproval(ctx, req.(*RespondApprovalRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 // DaemonService_ServiceDesc is the grpc.ServiceDesc for DaemonService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -1625,6 +1657,14 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetActiveProfile",
 			Handler:    _DaemonService_GetActiveProfile_Handler,
 		},
+		{
+			MethodName: "AddOwner",
+			Handler:    _DaemonService_AddOwner_Handler,
+		},
+		{
+			MethodName: "ResetOwner",
+			Handler:    _DaemonService_ResetOwner_Handler,
+		},
 		{
 			MethodName: "Logout",
 			Handler:    _DaemonService_Logout_Handler,
@@ -1661,10 +1701,6 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetInstallerResult",
 			Handler:    _DaemonService_GetInstallerResult_Handler,
 		},
-		{
-			MethodName: "RespondApproval",
-			Handler:    _DaemonService_RespondApproval_Handler,
-		},
 	},
 	Streams: []grpc.StreamDesc{
 		{

client/server/capture.go

@@ -111,7 +111,7 @@ func (s *Server) StartCapture(req *proto.StartCaptureRequest, stream proto.Daemo
 		return status.Errorf(codes.Internal, "create capture session: %v", err)
 	}
 
-	engine, err := s.claimCapture(sess, func() { pw.Close() })
+	engine, err := s.claimCapture(sess)
 	if err != nil {
 		sess.Stop()
 		pw.Close()
@@ -190,7 +190,10 @@ func (s *Server) StartBundleCapture(_ context.Context, req *proto.StartBundleCap
 
 	s.stopBundleCaptureLocked()
 	s.cleanupBundleCapture()
-	s.evictActiveCaptureLocked()
+
+	if s.activeCapture != nil {
+		return nil, status.Error(codes.FailedPrecondition, "another capture is already running")
+	}
 
 	engine, err := s.getCaptureEngineLocked()
 	if err != nil {
@@ -301,58 +304,29 @@ func (s *Server) cleanupBundleCapture() {
 	s.bundleCapture = nil
 }
 
-// claimCapture reserves the engine's capture slot for sess. If another
-// capture is already running it is evicted: a previous streaming session
-// whose gRPC client died and never freed the slot stays stuck otherwise,
-// and a bundle capture is just informational state.
-func (s *Server) claimCapture(sess *capture.Session, cancel func()) (*internal.Engine, error) {
+// claimCapture reserves the engine's capture slot for sess. Returns
+// FailedPrecondition if another capture is already active.
+func (s *Server) claimCapture(sess *capture.Session) (*internal.Engine, error) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	s.evictActiveCaptureLocked()
+	if s.activeCapture != nil {
+		return nil, status.Error(codes.FailedPrecondition, "another capture is already running")
+	}
 	engine, err := s.getCaptureEngineLocked()
 	if err != nil {
 		return nil, err
 	}
 	s.activeCapture = sess
-	s.activeCaptureCancel = cancel
 	return engine, nil
 }
 
-// evictActiveCaptureLocked tears down whatever capture currently owns
-// the engine slot so a fresh claim can succeed. Caller must hold mutex.
-func (s *Server) evictActiveCaptureLocked() {
-	if s.activeCapture == nil {
-		return
-	}
-	if s.bundleCapture != nil && s.bundleCapture.sess == s.activeCapture {
-		log.Infof("evicting running bundle capture to start a new capture")
-		s.stopBundleCaptureLocked()
-		return
-	}
-	log.Infof("evicting previous streaming capture to start a new one")
-	prev := s.activeCapture
-	cancel := s.activeCaptureCancel
-	if engine, err := s.getCaptureEngineLocked(); err == nil {
-		if err := engine.SetCapture(nil); err != nil {
-			log.Debugf("clear previous capture: %v", err)
-		}
-	}
-	s.activeCapture = nil
-	s.activeCaptureCancel = nil
-	prev.Stop()
-	if cancel != nil {
-		cancel()
-	}
-}
-
 // releaseCapture clears the active-capture owner if it still matches sess.
 func (s *Server) releaseCapture(sess *capture.Session) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 	if s.activeCapture == sess {
 		s.activeCapture = nil
-		s.activeCaptureCancel = nil
 	}
 }
 
@@ -367,7 +341,6 @@ func (s *Server) clearCaptureIfOwner(sess *capture.Session, engine *internal.Eng
 		log.Debugf("clear capture: %v", err)
 	}
 	s.activeCapture = nil
-	s.activeCaptureCancel = nil
 }
 
 func (s *Server) getCaptureEngineLocked() (*internal.Engine, error) {

client/server/owner.go

@@ -0,0 +1,172 @@
+package server
+
+import (
+	"context"
+	"fmt"
+	"slices"
+
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/internal/owner"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/util"
+)
+
+// authorizeTargetProfile enforces the "match or root" rule for operations
+// that target a specific profile (Remove/Switch). The caller must be root
+// or appear in the target profile config's OwnerUIDs. A target profile in
+// legacy TOFU state (nil OwnerUIDs) is treated as unowned and therefore
+// accessible to any peer-creds caller, which matches pre-enforcement
+// behavior on upgraded installs.
+func (s *Server) authorizeTargetProfile(ctx context.Context, profileName, username string) error {
+	uid, ok := owner.UIDFromContext(ctx)
+	if !ok {
+		return status.Error(codes.PermissionDenied, "peer credentials unavailable")
+	}
+	if uid == 0 {
+		return nil
+	}
+
+	cfg, err := s.readProfileConfig(profileName, username)
+	if err != nil {
+		return fmt.Errorf("read target profile config: %w", err)
+	}
+
+	// Legacy / never-claimed target: allow, mirroring the migration TOFU
+	// semantics in the interceptor.
+	if cfg.OwnerUIDs == nil {
+		return nil
+	}
+
+	if slices.Contains(cfg.OwnerUIDs, uid) {
+		return nil
+	}
+
+	return status.Errorf(codes.PermissionDenied,
+		"profile %q is owned by another user (uid %d is not in its owner list)", profileName, uid)
+}
+
+// readProfileConfig loads a profile's config from disk without making it
+// active. Used by authorizeTargetProfile.
+func (s *Server) readProfileConfig(profileName, username string) (*profilemanager.Config, error) {
+	state := &profilemanager.ActiveProfileState{Name: profileName, Username: username}
+	path, err := state.FilePath()
+	if err != nil {
+		return nil, fmt.Errorf("resolve profile path: %w", err)
+	}
+	cfg, err := profilemanager.GetConfig(path)
+	if err != nil {
+		return nil, fmt.Errorf("load %s: %w", path, err)
+	}
+	return cfg, nil
+}
+
+// GetOwnerUIDs returns the current owner UIDs from the active config.
+// nil means TOFU mode, empty means root-only, populated means those UIDs are owners.
+func (s *Server) GetOwnerUIDs() []owner.UID {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	if s.config == nil {
+		return nil
+	}
+
+	return s.config.OwnerUIDs
+}
+
+// AddOwnerUID adds the given UID to the owner list in the active profile config.
+func (s *Server) AddOwnerUID(uid owner.UID) error {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	return s.addOwnerUIDLocked(uid)
+}
+
+// addOwnerUIDLocked adds uid to the active profile's owner list and persists it.
+// The caller must hold s.mutex.
+func (s *Server) addOwnerUIDLocked(uid owner.UID) error {
+	if s.config == nil {
+		return fmt.Errorf("config not loaded")
+	}
+
+	if slices.Contains(s.config.OwnerUIDs, uid) {
+		return nil
+	}
+
+	s.config.OwnerUIDs = append(s.config.OwnerUIDs, uid)
+
+	activeProf, err := s.profileManager.GetActiveProfileState()
+	if err != nil {
+		return fmt.Errorf("get active profile: %w", err)
+	}
+
+	cfgPath, err := activeProf.FilePath()
+	if err != nil {
+		return fmt.Errorf("get profile file path: %w", err)
+	}
+
+	if err := util.WriteJson(context.Background(), cfgPath, s.config); err != nil {
+		return fmt.Errorf("write config: %w", err)
+	}
+
+	log.Infof("owner UID %d added in %s (owners: %v)", uid, cfgPath, s.config.OwnerUIDs)
+	return nil
+}
+
+// AddOwner handles the AddOwner RPC. The interceptor has already gated this
+// call (caller must be root or an existing owner); the handler just persists
+// the new UID into the active profile config.
+func (s *Server) AddOwner(_ context.Context, msg *proto.AddOwnerRequest) (*proto.AddOwnerResponse, error) {
+	if msg == nil || msg.Uid == 0 {
+		return nil, status.Error(codes.InvalidArgument, "uid must be non-zero")
+	}
+	if err := s.AddOwnerUID(owner.UID(msg.Uid)); err != nil {
+		return nil, fmt.Errorf("add owner: %w", err)
+	}
+	return &proto.AddOwnerResponse{}, nil
+}
+
+// ResetOwner clears the active profile's owner list. Only callable by root
+// (the interceptor enforces this: a non-owner non-root caller is denied
+// before reaching the handler, and only owners or root can reach Add/Reset
+// at all; we additionally require root here so existing owners can't reset
+// each other out).
+func (s *Server) ResetOwner(ctx context.Context, _ *proto.ResetOwnerRequest) (*proto.ResetOwnerResponse, error) {
+	uid, ok := owner.UIDFromContext(ctx)
+	if !ok {
+		return nil, status.Error(codes.PermissionDenied, "peer credentials unavailable")
+	}
+	if uid != 0 {
+		return nil, status.Error(codes.PermissionDenied, "reset-owner requires root")
+	}
+
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	if s.config == nil {
+		return nil, fmt.Errorf("config not loaded")
+	}
+
+	// Reset to the fresh-install state (empty, not nil): only root and the
+	// active console-session user can reclaim. nil would be legacy migration
+	// TOFU, where any non-root caller (including SSH) could reclaim.
+	s.config.OwnerUIDs = []owner.UID{}
+
+	activeProf, err := s.profileManager.GetActiveProfileState()
+	if err != nil {
+		return nil, fmt.Errorf("get active profile: %w", err)
+	}
+	cfgPath, err := activeProf.FilePath()
+	if err != nil {
+		return nil, fmt.Errorf("get profile file path: %w", err)
+	}
+	if err := util.WriteJson(context.Background(), cfgPath, s.config); err != nil {
+		return nil, fmt.Errorf("write config: %w", err)
+	}
+
+	log.Infof("owner list reset; next call from the active console user will re-claim ownership")
+	return &proto.ResetOwnerResponse{}, nil
+}

client/server/server.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/expose"
+	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	sleephandler "github.com/netbirdio/netbird/client/internal/sleep/handler"
 	"github.com/netbirdio/netbird/client/system"
@@ -93,12 +94,8 @@ type Server struct {
 	captureEnabled         bool
 	bundleCapture          *bundleCapture
 	// activeCapture is the session currently installed on the engine; guarded by s.mutex.
-	activeCapture *capture.Session
-	// activeCaptureCancel tears down the streaming pipe/cancel for the
-	// active streaming capture so eviction unblocks the StartCapture RPC
-	// handler. Nil for bundle captures (they own their own context).
-	activeCaptureCancel func()
-	networksDisabled    bool
+	activeCapture    *capture.Session
+	networksDisabled bool
 
 	sleepHandler *sleephandler.SleepHandler
 
@@ -380,8 +377,6 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 	config.RosenpassPermissive = msg.RosenpassPermissive
 	config.DisableAutoConnect = msg.DisableAutoConnect
 	config.ServerSSHAllowed = msg.ServerSSHAllowed
-	config.ServerVNCAllowed = msg.ServerVNCAllowed
-	config.DisableVNCApproval = msg.DisableVNCApproval
 	config.NetworkMonitor = msg.NetworkMonitor
 	config.DisableClientRoutes = msg.DisableClientRoutes
 	config.DisableServerRoutes = msg.DisableServerRoutes
@@ -741,6 +736,18 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	}
 	s.config = config
 
+	// An explicit --owner claim locks the active profile to the calling user
+	// (plus root). Root has no specific UID to claim, so only non-root callers
+	// take effect here; the interceptor has already authorized the call.
+	if msg != nil && msg.ClaimOwner {
+		if uid, ok := owner.UIDFromContext(callerCtx); ok && uid != 0 {
+			if err := s.addOwnerUIDLocked(uid); err != nil {
+				s.mutex.Unlock()
+				return nil, fmt.Errorf("claim owner: %w", err)
+			}
+		}
+	}
+
 	s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())
 	s.statusRecorder.UpdateRosenpass(s.config.RosenpassEnabled, s.config.RosenpassPermissive)
 
@@ -806,6 +813,18 @@ func (s *Server) switchProfileIfNeeded(profileName string, userName *string, act
 
 // SwitchProfile switches the active profile in the daemon.
 func (s *Server) SwitchProfile(callerCtx context.Context, msg *proto.SwitchProfileRequest) (*proto.SwitchProfileResponse, error) {
+	// Switching downs the current session and starts another, so the caller
+	// must own the target profile (or be root).
+	if msg != nil && msg.ProfileName != nil {
+		username := ""
+		if msg.Username != nil {
+			username = *msg.Username
+		}
+		if err := s.authorizeTargetProfile(callerCtx, *msg.ProfileName, username); err != nil {
+			return nil, err
+		}
+	}
+
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
@@ -1142,7 +1161,6 @@ func (s *Server) Status(
 		pbFullStatus := fullStatus.ToProto()
 		pbFullStatus.Events = s.statusRecorder.GetEventHistory()
 		pbFullStatus.SshServerState = s.getSSHServerState()
-		pbFullStatus.VncServerState = s.getVNCServerState()
 		statusResponse.FullStatus = pbFullStatus
 	}
 
@@ -1182,38 +1200,6 @@ func (s *Server) getSSHServerState() *proto.SSHServerState {
 	return sshServerState
 }
 
-// getVNCServerState retrieves the current VNC server state.
-func (s *Server) getVNCServerState() *proto.VNCServerState {
-	s.mutex.Lock()
-	connectClient := s.connectClient
-	s.mutex.Unlock()
-
-	if connectClient == nil {
-		return nil
-	}
-
-	engine := connectClient.Engine()
-	if engine == nil {
-		return nil
-	}
-
-	enabled, sessions := engine.GetVNCServerStatus()
-	pbSessions := make([]*proto.VNCSessionInfo, 0, len(sessions))
-	for _, sess := range sessions {
-		pbSessions = append(pbSessions, &proto.VNCSessionInfo{
-			RemoteAddress: sess.RemoteAddress,
-			Mode:          sess.Mode,
-			Username:      sess.Username,
-			UserID:        sess.UserID,
-			Initiator:     sess.Initiator,
-		})
-	}
-	return &proto.VNCServerState{
-		Enabled:  enabled,
-		Sessions: pbSessions,
-	}
-}
-
 // GetPeerSSHHostKey retrieves SSH host key for a specific peer
 func (s *Server) GetPeerSSHHostKey(
 	ctx context.Context,
@@ -1454,27 +1440,6 @@ func (s *Server) ExposeService(req *proto.ExposeServiceRequest, srv proto.Daemon
 	return nil
 }
 
-// RespondApproval relays the user's accept/deny decision for a pending
-// approval prompt to the engine's broker. Unknown or already-resolved
-// request_ids are silently no-op'd so a slow UI cannot deny a prompt the
-// user already handled (or that already timed out).
-func (s *Server) RespondApproval(_ context.Context, msg *proto.RespondApprovalRequest) (*proto.RespondApprovalResponse, error) {
-	s.mutex.Lock()
-	connectClient := s.connectClient
-	s.mutex.Unlock()
-	if connectClient == nil {
-		return nil, gstatus.Errorf(codes.FailedPrecondition, "client not initialized")
-	}
-	engine := connectClient.Engine()
-	if engine == nil {
-		return nil, gstatus.Errorf(codes.FailedPrecondition, "engine not running")
-	}
-	if !engine.RespondApproval(msg.GetRequestId(), msg.GetAccept(), msg.GetViewOnly()) {
-		log.Debugf("approval response for unknown request_id %s", msg.GetRequestId())
-	}
-	return &proto.RespondApprovalResponse{}, nil
-}
-
 func isUnixRunningDesktop() bool {
 	if runtime.GOOS != "linux" && runtime.GOOS != "freebsd" {
 		return false
@@ -1591,8 +1556,6 @@ func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*p
 		Mtu:                           int64(cfg.MTU),
 		DisableAutoConnect:            cfg.DisableAutoConnect,
 		ServerSSHAllowed:              *cfg.ServerSSHAllowed,
-		ServerVNCAllowed:              cfg.ServerVNCAllowed != nil && *cfg.ServerVNCAllowed,
-		DisableVNCApproval:            cfg.DisableVNCApproval != nil && *cfg.DisableVNCApproval,
 		RosenpassEnabled:              cfg.RosenpassEnabled,
 		RosenpassPermissive:           cfg.RosenpassPermissive,
 		LazyConnectionEnabled:         cfg.LazyConnectionEnabled,
@@ -1626,7 +1589,17 @@ func (s *Server) AddProfile(ctx context.Context, msg *proto.AddProfileRequest) (
 		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name and username must be provided")
 	}
 
-	if err := s.profileManager.AddProfile(msg.ProfileName, msg.Username); err != nil {
+	// New profiles auto-claim the caller as their sole owner so the user who
+	// just created the profile retains control (and other local users can't
+	// touch it via SwitchProfile/RemoveProfile). When called by root, leave
+	// OwnerUIDs at the default (empty/env-seeded); root explicitly didn't
+	// claim ownership for any specific user.
+	var initialOwners []owner.UID
+	if uid, ok := owner.UIDFromContext(ctx); ok && uid != 0 {
+		initialOwners = []owner.UID{uid}
+	}
+
+	if err := s.profileManager.AddProfile(msg.ProfileName, msg.Username, initialOwners); err != nil {
 		log.Errorf("failed to create profile: %v", err)
 		return nil, fmt.Errorf("failed to create profile: %w", err)
 	}
@@ -1636,6 +1609,10 @@ func (s *Server) AddProfile(ctx context.Context, msg *proto.AddProfileRequest) (
 
 // RemoveProfile removes a profile from the daemon.
 func (s *Server) RemoveProfile(ctx context.Context, msg *proto.RemoveProfileRequest) (*proto.RemoveProfileResponse, error) {
+	if err := s.authorizeTargetProfile(ctx, msg.ProfileName, msg.Username); err != nil {
+		return nil, err
+	}
+
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 

client/server/server_test.go

@@ -13,7 +13,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/otel"
 
-	"github.com/netbirdio/management-integrations/integrations"
+	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
 
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
@@ -315,7 +315,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 		return nil, "", err
 	}
 
-	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, settingsManagerMock, eventStore, cacheStore)
+	ia, _ := validator.NewIntegratedValidator(context.Background(), peersManager, settingsManagerMock, eventStore, cacheStore)
 
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)

client/server/setconfig_test.go

@@ -58,8 +58,6 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 	rosenpassEnabled := true
 	rosenpassPermissive := true
 	serverSSHAllowed := true
-	serverVNCAllowed := true
-	disableVNCApproval := true
 	interfaceName := "utun100"
 	wireguardPort := int64(51820)
 	preSharedKey := "test-psk"
@@ -85,8 +83,6 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 		RosenpassEnabled:      &rosenpassEnabled,
 		RosenpassPermissive:   &rosenpassPermissive,
 		ServerSSHAllowed:      &serverSSHAllowed,
-		ServerVNCAllowed:      &serverVNCAllowed,
-		DisableVNCApproval:    &disableVNCApproval,
 		InterfaceName:         &interfaceName,
 		WireguardPort:         &wireguardPort,
 		OptionalPreSharedKey:  &preSharedKey,
@@ -131,10 +127,6 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 	require.Equal(t, rosenpassPermissive, cfg.RosenpassPermissive)
 	require.NotNil(t, cfg.ServerSSHAllowed)
 	require.Equal(t, serverSSHAllowed, *cfg.ServerSSHAllowed)
-	require.NotNil(t, cfg.ServerVNCAllowed)
-	require.Equal(t, serverVNCAllowed, *cfg.ServerVNCAllowed)
-	require.NotNil(t, cfg.DisableVNCApproval)
-	require.Equal(t, disableVNCApproval, *cfg.DisableVNCApproval)
 	require.Equal(t, interfaceName, cfg.WgIface)
 	require.Equal(t, int(wireguardPort), cfg.WgPort)
 	require.Equal(t, preSharedKey, cfg.PreSharedKey)
@@ -187,8 +179,6 @@ func verifyAllFieldsCovered(t *testing.T, req *proto.SetConfigRequest) {
 		"RosenpassEnabled":              true,
 		"RosenpassPermissive":           true,
 		"ServerSSHAllowed":              true,
-		"ServerVNCAllowed":              true,
-		"DisableVNCApproval":            true,
 		"InterfaceName":                 true,
 		"WireguardPort":                 true,
 		"OptionalPreSharedKey":          true,
@@ -250,8 +240,6 @@ func TestCLIFlags_MappedToSetConfig(t *testing.T) {
 		"enable-rosenpass":                  "RosenpassEnabled",
 		"rosenpass-permissive":              "RosenpassPermissive",
 		"allow-server-ssh":                  "ServerSSHAllowed",
-		"allow-server-vnc":                  "ServerVNCAllowed",
-		"disable-vnc-approval":              "DisableVNCApproval",
 		"interface-name":                    "InterfaceName",
 		"wireguard-port":                    "WireguardPort",
 		"preshared-key":                     "OptionalPreSharedKey",

client/ssh/auth/auth.go

@@ -1,4 +1,4 @@
-package sessionauth
+package auth
 
 import (
 	"errors"
@@ -15,16 +15,13 @@ const (
 	DefaultUserIDClaim = "sub"
 	// Wildcard is a special user ID that matches all users
 	Wildcard = "*"
-	// sessionPubKeyLen is the size of an X25519 static public key in bytes.
-	sessionPubKeyLen = 32
 )
 
 var (
-	ErrEmptyUserID            = errors.New("JWT user ID is empty")
-	ErrUserNotAuthorized      = errors.New("user is not authorized to access this peer")
-	ErrNoMachineUserMapping   = errors.New("no authorization mapping for OS user")
-	ErrUserNotMappedToOSUser  = errors.New("user is not authorized to login as OS user")
-	ErrSessionKeyNotKnown = errors.New("session pubkey not registered")
+	ErrEmptyUserID           = errors.New("JWT user ID is empty")
+	ErrUserNotAuthorized     = errors.New("user is not authorized to access this peer")
+	ErrNoMachineUserMapping  = errors.New("no authorization mapping for OS user")
+	ErrUserNotMappedToOSUser = errors.New("user is not authorized to login as OS user")
 )
 
 // Authorizer handles SSH fine-grained access control authorization
@@ -38,17 +35,6 @@ type Authorizer struct {
 	// machineUsers maps OS login usernames to lists of authorized user indexes
 	machineUsers map[string][]uint32
 
-	// sessionPubKeys maps an X25519 static public key (as map-safe
-	// array) to the hashed user identity that key authenticates as.
-	// Populated from management's temporary-access flow; used by VNC to
-	// authenticate via the Noise_IK handshake.
-	sessionPubKeys map[[sessionPubKeyLen]byte]sshuserhash.UserIDHash
-	// sessionDisplayNames mirrors sessionPubKeys with the optional
-	// human-readable display name management associated with each
-	// session key. Used by the per-connection UI approval prompt; not
-	// consulted by any authorization decision.
-	sessionDisplayNames map[[sessionPubKeyLen]byte]string
-
 	// mu protects the list of users
 	mu sync.RWMutex
 }
@@ -64,29 +50,13 @@ type Config struct {
 	// MachineUsers maps OS login usernames to indexes in AuthorizedUsers
 	// If a user wants to login as a specific OS user, their index must be in the corresponding list
 	MachineUsers map[string][]uint32
-
-	// SessionPubKeys binds ephemeral X25519 static public keys to hashed
-	// user identities. Populated for VNC; ignored on the SSH side.
-	SessionPubKeys []SessionPubKey
-}
-
-// SessionPubKey is a single ephemeral-key entry: the 32-byte X25519
-// static public key plus the hashed user identity it authenticates as,
-// optionally plus a human-readable display name for the UI approval
-// prompt to identify the requester.
-type SessionPubKey struct {
-	PubKey      []byte
-	UserIDHash  sshuserhash.UserIDHash
-	DisplayName string
 }
 
 // NewAuthorizer creates a new SSH authorizer with empty configuration
 func NewAuthorizer() *Authorizer {
 	a := &Authorizer{
-		userIDClaim:    DefaultUserIDClaim,
-		machineUsers:   make(map[string][]uint32),
-		sessionPubKeys:      make(map[[sessionPubKeyLen]byte]sshuserhash.UserIDHash),
-		sessionDisplayNames: make(map[[sessionPubKeyLen]byte]string),
+		userIDClaim:  DefaultUserIDClaim,
+		machineUsers: make(map[string][]uint32),
 	}
 
 	return a
@@ -102,8 +72,6 @@ func (a *Authorizer) Update(config *Config) {
 		a.userIDClaim = DefaultUserIDClaim
 		a.authorizedUsers = []sshuserhash.UserIDHash{}
 		a.machineUsers = make(map[string][]uint32)
-		a.sessionPubKeys = make(map[[sessionPubKeyLen]byte]sshuserhash.UserIDHash)
-		a.sessionDisplayNames = make(map[[sessionPubKeyLen]byte]string)
 		log.Info("SSH authorization cleared")
 		return
 	}
@@ -126,35 +94,8 @@ func (a *Authorizer) Update(config *Config) {
 	}
 	a.machineUsers = machineUsers
 
-	sessionPubKeys := make(map[[sessionPubKeyLen]byte]sshuserhash.UserIDHash, len(config.SessionPubKeys))
-	sessionDisplayNames := make(map[[sessionPubKeyLen]byte]string, len(config.SessionPubKeys))
-	conflicted := make(map[[sessionPubKeyLen]byte]struct{})
-	for _, e := range config.SessionPubKeys {
-		if len(e.PubKey) != sessionPubKeyLen {
-			continue
-		}
-		var key [sessionPubKeyLen]byte
-		copy(key[:], e.PubKey)
-		if _, bad := conflicted[key]; bad {
-			continue
-		}
-		if existing, ok := sessionPubKeys[key]; ok && existing != e.UserIDHash {
-			log.Warnf("SSH auth: session pubkey bound to conflicting user hashes; dropping binding")
-			delete(sessionPubKeys, key)
-			delete(sessionDisplayNames, key)
-			conflicted[key] = struct{}{}
-			continue
-		}
-		sessionPubKeys[key] = e.UserIDHash
-		if e.DisplayName != "" {
-			sessionDisplayNames[key] = e.DisplayName
-		}
-	}
-	a.sessionPubKeys = sessionPubKeys
-	a.sessionDisplayNames = sessionDisplayNames
-
-	log.Debugf("SSH auth: updated with %d authorized users, %d machine user mappings, %d session pubkeys",
-		len(config.AuthorizedUsers), len(machineUsers), len(sessionPubKeys))
+	log.Debugf("SSH auth: updated with %d authorized users, %d machine user mappings",
+		len(config.AuthorizedUsers), len(machineUsers))
 }
 
 // Authorize validates if a user is authorized to login as the specified OS user.
@@ -214,54 +155,6 @@ func (a *Authorizer) GetUserIDClaim() string {
 	return a.userIDClaim
 }
 
-// LookupSessionKey resolves a Noise-verified static public key to the
-// hashed user identity registered with it. Fails closed when the key is
-// unknown.
-func (a *Authorizer) LookupSessionKey(pubKey []byte) (sshuserhash.UserIDHash, error) {
-	var zero sshuserhash.UserIDHash
-	if len(pubKey) != sessionPubKeyLen {
-		return zero, fmt.Errorf("session pubkey wrong length: %d", len(pubKey))
-	}
-	var key [sessionPubKeyLen]byte
-	copy(key[:], pubKey)
-	a.mu.RLock()
-	hash, ok := a.sessionPubKeys[key]
-	a.mu.RUnlock()
-	if !ok {
-		return zero, ErrSessionKeyNotKnown
-	}
-	return hash, nil
-}
-
-// LookupSessionDisplayName returns the human-readable display name
-// management associated with a session pubkey, or empty string when none
-// is recorded. Never returns an error: a missing/unknown key reports as
-// "" and the caller falls back to other identifiers.
-func (a *Authorizer) LookupSessionDisplayName(pubKey []byte) string {
-	if len(pubKey) != sessionPubKeyLen {
-		return ""
-	}
-	var key [sessionPubKeyLen]byte
-	copy(key[:], pubKey)
-	a.mu.RLock()
-	name := a.sessionDisplayNames[key]
-	a.mu.RUnlock()
-	return name
-}
-
-// AuthorizeOSUserBySessionKey resolves the OS-user mapping for a session
-// key. Mirrors Authorize but skips the JWT-hash step since the key has
-// already been verified and the user identity hash is in hand.
-func (a *Authorizer) AuthorizeOSUserBySessionKey(userIDHash sshuserhash.UserIDHash, osUsername string) (string, error) {
-	a.mu.RLock()
-	defer a.mu.RUnlock()
-	userIndex, found := a.findUserIndex(userIDHash)
-	if !found {
-		return "", fmt.Errorf("session user (hash: %s) not in authorized list for OS user %q: %w", userIDHash, osUsername, ErrUserNotAuthorized)
-	}
-	return a.checkMachineUserMapping("session", osUsername, userIndex)
-}
-
 // findUserIndex finds the index of a hashed user ID in the authorized users list
 // Returns the index and true if found, 0 and false if not found
 func (a *Authorizer) findUserIndex(hashedUserID sshuserhash.UserIDHash) (int, bool) {

client/ssh/auth/auth_test.go

@@ -1,7 +1,6 @@
-package sessionauth
+package auth
 
 import (
-	"errors"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -611,61 +610,3 @@ func TestAuthorizer_Wildcard_WithPartialIndexes_AllowsAllUsers(t *testing.T) {
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrUserNotAuthorized, "unauthorized user should be denied")
 }
-
-func TestAuthorizer_LookupSessionKey_Valid(t *testing.T) {
-	pub := bytesRepeat(0x11, sessionPubKeyLen)
-	userHash, err := sshauth.HashUserID("alice")
-	require.NoError(t, err)
-
-	a := NewAuthorizer()
-	a.Update(&Config{
-		AuthorizedUsers: []sshauth.UserIDHash{userHash},
-		MachineUsers:    map[string][]uint32{Wildcard: {0}},
-		SessionPubKeys:  []SessionPubKey{{PubKey: pub, UserIDHash: userHash}},
-	})
-
-	got, err := a.LookupSessionKey(pub)
-	require.NoError(t, err)
-	assert.Equal(t, userHash, got)
-
-	if _, err := a.AuthorizeOSUserBySessionKey(got, "alice"); err != nil {
-		t.Fatalf("AuthorizeOSUserBySessionKey: %v", err)
-	}
-}
-
-func TestAuthorizer_LookupSessionKey_UnknownPub(t *testing.T) {
-	a := NewAuthorizer()
-	a.Update(&Config{})
-	_, err := a.LookupSessionKey(bytesRepeat(0x22, sessionPubKeyLen))
-	require.ErrorIs(t, err, ErrSessionKeyNotKnown)
-}
-
-func TestAuthorizer_LookupSessionKey_WrongLength(t *testing.T) {
-	a := NewAuthorizer()
-	_, err := a.LookupSessionKey([]byte("short"))
-	require.Error(t, err)
-}
-
-func TestAuthorizer_LookupSessionKey_UpdateClears(t *testing.T) {
-	pub := bytesRepeat(0x33, sessionPubKeyLen)
-	userHash, err := sshauth.HashUserID("alice")
-	require.NoError(t, err)
-
-	a := NewAuthorizer()
-	a.Update(&Config{SessionPubKeys: []SessionPubKey{{PubKey: pub, UserIDHash: userHash}}})
-	if _, err := a.LookupSessionKey(pub); err != nil {
-		t.Fatalf("setup lookup: %v", err)
-	}
-	a.Update(&Config{})
-	if _, err := a.LookupSessionKey(pub); !errors.Is(err, ErrSessionKeyNotKnown) {
-		t.Fatalf("expected ErrSessionKeyNotKnown, got %v", err)
-	}
-}
-
-func bytesRepeat(b byte, n int) []byte {
-	out := make([]byte, n)
-	for i := range out {
-		out[i] = b
-	}
-	return out
-}

client/ssh/proxy/proxy_test.go

@@ -28,7 +28,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/proto"
 	nbssh "github.com/netbirdio/netbird/client/ssh"
-	sshauth "github.com/netbirdio/netbird/shared/sessionauth"
+	sshauth "github.com/netbirdio/netbird/client/ssh/auth"
 	"github.com/netbirdio/netbird/client/ssh/server"
 	"github.com/netbirdio/netbird/client/ssh/testutil"
 	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"

client/ssh/server/jwt_test.go

@@ -23,7 +23,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	nbssh "github.com/netbirdio/netbird/client/ssh"
-	sshauth "github.com/netbirdio/netbird/shared/sessionauth"
+	sshauth "github.com/netbirdio/netbird/client/ssh/auth"
 	"github.com/netbirdio/netbird/client/ssh/client"
 	"github.com/netbirdio/netbird/client/ssh/detection"
 	"github.com/netbirdio/netbird/client/ssh/testutil"

client/ssh/server/server.go

@@ -23,7 +23,7 @@ import (
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	sshauth "github.com/netbirdio/netbird/shared/sessionauth"
+	sshauth "github.com/netbirdio/netbird/client/ssh/auth"
 	"github.com/netbirdio/netbird/client/ssh/detection"
 	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/auth/jwt"
@@ -197,14 +197,6 @@ type Config struct {
 
 	// HostKey is the SSH server host key in PEM format
 	HostKeyPEM []byte
-
-	// NetstackNet, when non-nil, makes the SSH server listen via the
-	// supplied userspace network stack instead of an OS socket.
-	NetstackNet *netstack.Net
-
-	// NetworkValidation, when non-zero, restricts inbound connections to
-	// peers inside the NetBird overlay defined by this WireGuard address.
-	NetworkValidation wgaddr.Address
 }
 
 // SessionInfo contains information about an active SSH session
@@ -216,15 +208,12 @@ type SessionInfo struct {
 	PortForwards  []string
 }
 
-// New creates an SSH server instance from the supplied Config. Fields are
-// read once at construction; mutating Config afterwards has no effect.
-// JWT == nil disables JWT authentication.
+// New creates an SSH server instance with the provided host key and optional JWT configuration
+// If jwtConfig is nil, JWT authentication is disabled
 func New(config *Config) *Server {
 	s := &Server{
 		mu:                     sync.RWMutex{},
 		hostKeyPEM:             config.HostKeyPEM,
-		netstackNet:            config.NetstackNet,
-		wgAddress:              config.NetworkValidation,
 		sessions:               make(map[sessionKey]*sessionState),
 		pendingAuthJWT:         make(map[authKey]string),
 		remoteForwardListeners: make(map[forwardKey]net.Listener),
@@ -445,6 +434,20 @@ func (s *Server) buildSessionInfo(state *sessionState) SessionInfo {
 	return info
 }
 
+// SetNetstackNet sets the netstack network for userspace networking
+func (s *Server) SetNetstackNet(net *netstack.Net) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.netstackNet = net
+}
+
+// SetNetworkValidation configures network-based connection filtering
+func (s *Server) SetNetworkValidation(addr wgaddr.Address) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.wgAddress = addr
+}
+
 // UpdateSSHAuth updates the SSH fine-grained access control configuration
 // This should be called when network map updates include new SSH auth configuration
 func (s *Server) UpdateSSHAuth(config *sshauth.Config) {

client/status/status.go

@@ -131,19 +131,6 @@ type SSHServerStateOutput struct {
 	Sessions []SSHSessionOutput `json:"sessions" yaml:"sessions"`
 }
 
-type VNCSessionOutput struct {
-	RemoteAddress string `json:"remoteAddress" yaml:"remoteAddress"`
-	Mode          string `json:"mode" yaml:"mode"`
-	Username      string `json:"username,omitempty" yaml:"username,omitempty"`
-	UserID        string `json:"userID,omitempty" yaml:"userID,omitempty"`
-	Initiator     string `json:"initiator,omitempty" yaml:"initiator,omitempty"`
-}
-
-type VNCServerStateOutput struct {
-	Enabled  bool               `json:"enabled" yaml:"enabled"`
-	Sessions []VNCSessionOutput `json:"sessions" yaml:"sessions"`
-}
-
 type OutputOverview struct {
 	Peers                   PeersStateOutput           `json:"peers" yaml:"peers"`
 	CliVersion              string                     `json:"cliVersion" yaml:"cliVersion"`
@@ -166,7 +153,6 @@ type OutputOverview struct {
 	LazyConnectionEnabled   bool                       `json:"lazyConnectionEnabled" yaml:"lazyConnectionEnabled"`
 	ProfileName             string                     `json:"profileName" yaml:"profileName"`
 	SSHServerState          SSHServerStateOutput       `json:"sshServer" yaml:"sshServer"`
-	VNCServerState          VNCServerStateOutput       `json:"vncServer" yaml:"vncServer"`
 }
 
 // ConvertToStatusOutputOverview converts protobuf status to the output overview.
@@ -187,7 +173,6 @@ func ConvertToStatusOutputOverview(pbFullStatus *proto.FullStatus, opts ConvertO
 
 	relayOverview := mapRelays(pbFullStatus.GetRelays())
 	sshServerOverview := mapSSHServer(pbFullStatus.GetSshServerState())
-	vncServerOverview := mapVNCServer(pbFullStatus.GetVncServerState())
 	peersOverview := mapPeers(pbFullStatus.GetPeers(), opts.StatusFilter, opts.PrefixNamesFilter, opts.PrefixNamesFilterMap, opts.IPsFilter, opts.ConnectionTypeFilter)
 
 	overview := OutputOverview{
@@ -212,7 +197,6 @@ func ConvertToStatusOutputOverview(pbFullStatus *proto.FullStatus, opts ConvertO
 		LazyConnectionEnabled:   pbFullStatus.GetLazyConnectionEnabled(),
 		ProfileName:             opts.ProfileName,
 		SSHServerState:          sshServerOverview,
-		VNCServerState:          vncServerOverview,
 	}
 
 	if opts.Anonymize {
@@ -287,26 +271,6 @@ func mapSSHServer(sshServerState *proto.SSHServerState) SSHServerStateOutput {
 	}
 }
 
-func mapVNCServer(state *proto.VNCServerState) VNCServerStateOutput {
-	if state == nil {
-		return VNCServerStateOutput{Sessions: []VNCSessionOutput{}}
-	}
-	sessions := make([]VNCSessionOutput, 0, len(state.GetSessions()))
-	for _, sess := range state.GetSessions() {
-		sessions = append(sessions, VNCSessionOutput{
-			RemoteAddress: sess.GetRemoteAddress(),
-			Mode:          sess.GetMode(),
-			Username:      sess.GetUsername(),
-			UserID:        sess.GetUserID(),
-			Initiator:     sess.GetInitiator(),
-		})
-	}
-	return VNCServerStateOutput{
-		Enabled:  state.GetEnabled(),
-		Sessions: sessions,
-	}
-}
-
 func mapPeers(
 	peers []*proto.PeerState,
 	statusFilter string,
@@ -569,26 +533,6 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 		}
 	}
 
-	vncServerStatus := "Disabled"
-	if o.VNCServerState.Enabled {
-		vncSessionCount := len(o.VNCServerState.Sessions)
-		if vncSessionCount > 0 {
-			sessionWord := "session"
-			if vncSessionCount > 1 {
-				sessionWord = "sessions"
-			}
-			vncServerStatus = fmt.Sprintf("Enabled (%d active %s)", vncSessionCount, sessionWord)
-		} else {
-			vncServerStatus = "Enabled"
-		}
-
-		if showSSHSessions && vncSessionCount > 0 {
-			for _, sess := range o.VNCServerState.Sessions {
-				vncServerStatus += "\n  " + formatVNCSessionLine(sess)
-			}
-		}
-	}
-
 	peersCountString := fmt.Sprintf("%d/%d Connected", o.Peers.Connected, o.Peers.Total)
 
 	var forwardingRulesString string
@@ -619,7 +563,6 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 			"Quantum resistance: %s\n"+
 			"Lazy connection: %s\n"+
 			"SSH Server: %s\n"+
-			"VNC Server: %s\n"+
 			"Networks: %s\n"+
 			"%s"+
 			"Peers count: %s\n",
@@ -638,7 +581,6 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 		rosenpassEnabledStatus,
 		lazyConnectionEnabledStatus,
 		sshServerStatus,
-		vncServerStatus,
 		networks,
 		forwardingRulesString,
 		peersCountString,
@@ -998,26 +940,6 @@ func anonymizePeerDetail(a *anonymize.Anonymizer, peer *PeerStateDetailOutput) {
 	}
 }
 
-// formatVNCSessionLine renders a single VNC session row for the detailed
-// status output. The leading slot identifies the initiator (display name
-// when known, hashed UserID otherwise); the post-arrow slot is the OS
-// user the session targets and is omitted in attach mode where the
-// destination is the current console user (unknown to the daemon).
-func formatVNCSessionLine(sess VNCSessionOutput) string {
-	who := sess.Initiator
-	if who == "" {
-		who = sess.UserID
-	}
-	prefix := sess.RemoteAddress
-	if who != "" {
-		prefix = fmt.Sprintf("%s@%s", who, sess.RemoteAddress)
-	}
-	if sess.Username != "" {
-		return fmt.Sprintf("[%s -> %s] mode=%s", prefix, sess.Username, sess.Mode)
-	}
-	return fmt.Sprintf("[%s] mode=%s", prefix, sess.Mode)
-}
-
 func anonymizeOverview(a *anonymize.Anonymizer, overview *OutputOverview) {
 	for i, peer := range overview.Peers.Details {
 		peer := peer
@@ -1038,19 +960,6 @@ func anonymizeOverview(a *anonymize.Anonymizer, overview *OutputOverview) {
 		overview.Relays.Details[i] = detail
 	}
 
-	anonymizeNSServerGroups(a, overview)
-
-	for i, route := range overview.Networks {
-		overview.Networks[i] = a.AnonymizeRoute(route)
-	}
-
-	overview.FQDN = a.AnonymizeDomain(overview.FQDN)
-
-	anonymizeEvents(a, overview)
-	anonymizeServerSessions(a, overview)
-}
-
-func anonymizeNSServerGroups(a *anonymize.Anonymizer, overview *OutputOverview) {
 	for i, nsGroup := range overview.NSServerGroups {
 		for j, domain := range nsGroup.Domains {
 			overview.NSServerGroups[i].Domains[j] = a.AnonymizeDomain(domain)
@@ -1062,9 +971,13 @@ func anonymizeNSServerGroups(a *anonymize.Anonymizer, overview *OutputOverview)
 			}
 		}
 	}
-}
 
-func anonymizeEvents(a *anonymize.Anonymizer, overview *OutputOverview) {
+	for i, route := range overview.Networks {
+		overview.Networks[i] = a.AnonymizeRoute(route)
+	}
+
+	overview.FQDN = a.AnonymizeDomain(overview.FQDN)
+
 	for i, event := range overview.Events {
 		overview.Events[i].Message = a.AnonymizeString(event.Message)
 		overview.Events[i].UserMessage = a.AnonymizeString(event.UserMessage)
@@ -1073,24 +986,13 @@ func anonymizeEvents(a *anonymize.Anonymizer, overview *OutputOverview) {
 			event.Metadata[k] = a.AnonymizeString(v)
 		}
 	}
-}
 
-func anonymizeRemoteAddress(a *anonymize.Anonymizer, addr string) string {
-	if host, port, err := net.SplitHostPort(addr); err == nil {
-		return fmt.Sprintf("%s:%s", a.AnonymizeIPString(host), port)
-	}
-	return a.AnonymizeIPString(addr)
-}
-
-func anonymizeServerSessions(a *anonymize.Anonymizer, overview *OutputOverview) {
 	for i, session := range overview.SSHServerState.Sessions {
-		overview.SSHServerState.Sessions[i].RemoteAddress = anonymizeRemoteAddress(a, session.RemoteAddress)
+		if host, port, err := net.SplitHostPort(session.RemoteAddress); err == nil {
+			overview.SSHServerState.Sessions[i].RemoteAddress = fmt.Sprintf("%s:%s", a.AnonymizeIPString(host), port)
+		} else {
+			overview.SSHServerState.Sessions[i].RemoteAddress = a.AnonymizeIPString(session.RemoteAddress)
+		}
 		overview.SSHServerState.Sessions[i].Command = a.AnonymizeString(session.Command)
 	}
-	for i, sess := range overview.VNCServerState.Sessions {
-		overview.VNCServerState.Sessions[i].RemoteAddress = anonymizeRemoteAddress(a, sess.RemoteAddress)
-		overview.VNCServerState.Sessions[i].Username = a.AnonymizeString(sess.Username)
-		overview.VNCServerState.Sessions[i].UserID = a.AnonymizeString(sess.UserID)
-		overview.VNCServerState.Sessions[i].Initiator = a.AnonymizeString(sess.Initiator)
-	}
 }

client/status/status_test.go

@@ -240,10 +240,6 @@ var overview = OutputOverview{
 		Enabled:  false,
 		Sessions: []SSHSessionOutput{},
 	},
-	VNCServerState: VNCServerStateOutput{
-		Enabled:  false,
-		Sessions: []VNCSessionOutput{},
-	},
 }
 
 func TestConversionFromFullStatusToOutputOverview(t *testing.T) {
@@ -408,10 +404,6 @@ func TestParsingToJSON(t *testing.T) {
 		  "sshServer":{
 		    "enabled":false,
 			"sessions":[]
-		  },
-		  "vncServer":{
-		    "enabled":false,
-			"sessions":[]
 		  }
         }`
 	// @formatter:on
@@ -521,9 +513,6 @@ profileName: ""
 sshServer:
     enabled: false
     sessions: []
-vncServer:
-    enabled: false
-    sessions: []
 `
 
 	assert.Equal(t, expectedYAML, yaml)
@@ -593,7 +582,6 @@ Interface type: Kernel
 Quantum resistance: false
 Lazy connection: false
 SSH Server: Disabled
-VNC Server: Disabled
 Networks: 10.10.0.0/24
 Peers count: 2/2 Connected
 `, lastConnectionUpdate1, lastHandshake1, lastConnectionUpdate2, lastHandshake2, runtime.GOOS, runtime.GOARCH, overview.CliVersion)
@@ -619,7 +607,6 @@ Interface type: Kernel
 Quantum resistance: false
 Lazy connection: false
 SSH Server: Disabled
-VNC Server: Disabled
 Networks: 10.10.0.0/24
 Peers count: 2/2 Connected
 `

client/system/info.go

@@ -62,7 +62,6 @@ type Info struct {
 	RosenpassEnabled    bool
 	RosenpassPermissive bool
 	ServerSSHAllowed    bool
-	ServerVNCAllowed    bool
 
 	DisableClientRoutes bool
 	DisableServerRoutes bool
@@ -84,7 +83,6 @@ type Info struct {
 func (i *Info) SetFlags(
 	rosenpassEnabled, rosenpassPermissive bool,
 	serverSSHAllowed *bool,
-	serverVNCAllowed *bool,
 	disableClientRoutes, disableServerRoutes,
 	disableDNS, disableFirewall, blockLANAccess, blockInbound, disableIPv6, lazyConnectionEnabled bool,
 	enableSSHRoot, enableSSHSFTP, enableSSHLocalPortForwarding, enableSSHRemotePortForwarding *bool,
@@ -95,9 +93,6 @@ func (i *Info) SetFlags(
 	if serverSSHAllowed != nil {
 		i.ServerSSHAllowed = *serverSSHAllowed
 	}
-	if serverVNCAllowed != nil {
-		i.ServerVNCAllowed = *serverVNCAllowed
-	}
 
 	i.DisableClientRoutes = disableClientRoutes
 	i.DisableServerRoutes = disableServerRoutes

client/system/info_linux.go

@@ -3,15 +3,14 @@
 package system
 
 import (
-	"bytes"
 	"context"
 	"os"
-	"os/exec"
 	"regexp"
 	"runtime"
-	"strings"
 	"time"
 
+	"golang.org/x/sys/unix"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/zcalusic/sysinfo"
 
@@ -29,19 +28,11 @@ func UpdateStaticInfoAsync() {
 
 // GetInfo retrieves and parses the system information
 func GetInfo(ctx context.Context) *Info {
-	info := _getInfo()
-	for strings.Contains(info, "broken pipe") {
-		info = _getInfo()
-		time.Sleep(500 * time.Millisecond)
-	}
-
-	osStr := strings.ReplaceAll(info, "\n", "")
-	osStr = strings.ReplaceAll(osStr, "\r\n", "")
-	osInfo := strings.Split(osStr, " ")
+	kernelName, kernelVersion, kernelPlatform := kernelInfo()
 
 	osName, osVersion := readOsReleaseFile()
 	if osName == "" {
-		osName = osInfo[3]
+		osName = kernelName
 	}
 
 	systemHostname, _ := os.Hostname()
@@ -58,8 +49,8 @@ func GetInfo(ctx context.Context) *Info {
 	}
 
 	gio := &Info{
-		Kernel:             osInfo[0],
-		Platform:           osInfo[2],
+		Kernel:             kernelName,
+		Platform:           kernelPlatform,
 		OS:                 osName,
 		OSVersion:          osVersion,
 		Hostname:           extractDeviceName(ctx, systemHostname),
@@ -67,7 +58,7 @@ func GetInfo(ctx context.Context) *Info {
 		CPUs:               runtime.NumCPU(),
 		NetbirdVersion:     version.NetbirdVersion(),
 		UIVersion:          extractUserAgent(ctx),
-		KernelVersion:      osInfo[1],
+		KernelVersion:      kernelVersion,
 		NetworkAddresses:   addrs,
 		SystemSerialNumber: si.SystemSerialNumber,
 		SystemProductName:  si.SystemProductName,
@@ -78,18 +69,12 @@ func GetInfo(ctx context.Context) *Info {
 	return gio
 }
 
-func _getInfo() string {
-	cmd := exec.Command("uname", "-srio")
-	cmd.Stdin = strings.NewReader("some")
-	var out bytes.Buffer
-	var stderr bytes.Buffer
-	cmd.Stdout = &out
-	cmd.Stderr = &stderr
-	err := cmd.Run()
-	if err != nil {
-		log.Warnf("getInfo: %s", err)
+func kernelInfo() (string, string, string) {
+	var uts unix.Utsname
+	if err := unix.Uname(&uts); err != nil {
+		return "", "", ""
 	}
-	return out.String()
+	return unix.ByteSliceToString(uts.Sysname[:]), unix.ByteSliceToString(uts.Release[:]), unix.ByteSliceToString(uts.Machine[:])
 }
 
 func sysInfo() (string, string, string) {

client/ui/approval.go

@@ -1,206 +0,0 @@
-//go:build !(linux && 386)
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"time"
-
-	"fyne.io/fyne/v2"
-	"fyne.io/fyne/v2/container"
-	"fyne.io/fyne/v2/widget"
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/approval"
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-// handleApprovalEvent forks a netbird-ui child process to render the
-// dialog on its own fyne main loop. Top-level windows opened from a
-// background goroutine of the tray process don't render reliably on
-// Linux/GTK, so the rest of the UI (settings, login URL, update) uses
-// the same fork pattern.
-func (s *serviceClient) handleApprovalEvent(ev *proto.SystemEvent) {
-	if ev == nil || ev.Category != proto.SystemEvent_APPROVAL {
-		return
-	}
-	requestID := ev.Metadata["request_id"]
-	if requestID == "" {
-		log.Warnf("approval event missing request_id: %v", ev.Metadata)
-		return
-	}
-	args := []string{
-		"--approval-request-id=" + requestID,
-		"--approval-kind=" + ev.Metadata["kind"],
-		"--approval-initiator=" + ev.Metadata["initiator"],
-		"--approval-peer-name=" + ev.Metadata["peer_name"],
-		"--approval-source-ip=" + ev.Metadata["source_ip"],
-		"--approval-username=" + ev.Metadata["username"],
-		"--approval-expires-at=" + ev.Metadata["expires_at"],
-		"--approval-key-fingerprint=" + ev.Metadata["peer_pubkey"],
-		"--approval-subject=" + ev.UserMessage,
-	}
-	go s.eventHandler.runSelfCommand(s.ctx, "approval", args...)
-}
-
-// showApprovalUI runs the dialog on the forked process's fyne main loop
-// and forwards the user's decision to the daemon via RespondApproval.
-func (s *serviceClient) showApprovalUI(req approvalRequest) {
-	w := s.app.NewWindow(approvalTitle(req.kind))
-	w.Resize(fyne.NewSize(480, 260))
-	w.CenterOnScreen()
-	w.RequestFocus()
-
-	var rows []string
-	if req.initiator != "" {
-		// The display name comes from the management dashboard and is
-		// not cryptographically asserted by the connecting client. The
-		// key fingerprint that follows IS: it's the Noise_IK static
-		// public key the client just proved possession of. Show both
-		// so the user can sanity-check that "Alice" is really the
-		// Alice they trust.
-		rows = append(rows, "From user:  "+req.initiator)
-	}
-	if fp := approval.ShortKeyFingerprint(req.keyFingerprint); fp != "" {
-		rows = append(rows, "Key fp:     "+fp)
-	}
-	if req.peerName != "" {
-		rows = append(rows, "Via peer:   "+req.peerName)
-	}
-	if req.sourceIP != "" && req.sourceIP != req.peerName {
-		rows = append(rows, "Source IP:  "+req.sourceIP)
-	}
-	if req.username != "" {
-		rows = append(rows, "OS user:    "+req.username)
-	}
-	if len(rows) == 0 {
-		rows = []string{"Remote: " + req.displayPeer()}
-	}
-	body := strings.Join(rows, "\n")
-	bodyLabel := widget.NewLabel(body)
-	bodyLabel.Wrapping = fyne.TextWrapWord
-
-	countdown := widget.NewLabel("")
-	deadline := req.deadline()
-	updateCountdown := func() {
-		remaining := time.Until(deadline).Round(time.Second)
-		if remaining < 0 {
-			remaining = 0
-		}
-		countdown.SetText(fmt.Sprintf("Auto-deny in %s", remaining))
-	}
-	updateCountdown()
-
-	type outcome struct {
-		accept   bool
-		viewOnly bool
-	}
-	decided := make(chan outcome, 1)
-	decide := func(o outcome) {
-		select {
-		case decided <- o:
-		default:
-		}
-	}
-
-	allow := widget.NewButton("Allow", func() { decide(outcome{accept: true}) })
-	allow.Importance = widget.HighImportance
-	allowView := widget.NewButton("Allow (view only)", func() { decide(outcome{accept: true, viewOnly: true}) })
-	deny := widget.NewButton("Deny", func() { decide(outcome{accept: false}) })
-
-	header := widget.NewLabelWithStyle(req.subject, fyne.TextAlignLeading, fyne.TextStyle{Bold: true})
-	buttonRow := container.NewGridWithColumns(3, allow, allowView, deny)
-	info := container.NewVBox(header, widget.NewSeparator(), bodyLabel, widget.NewSeparator(), countdown)
-	w.SetContent(container.NewPadded(container.NewBorder(nil, buttonRow, nil, nil, info)))
-	w.SetCloseIntercept(func() { decide(outcome{}) })
-
-	go func() {
-		ticker := time.NewTicker(time.Second)
-		defer ticker.Stop()
-		for range ticker.C {
-			if time.Until(deadline) <= 0 {
-				decide(outcome{})
-				return
-			}
-			fyne.Do(updateCountdown)
-		}
-	}()
-
-	go func() {
-		o := <-decided
-		s.sendApprovalResponse(req.requestID, o.accept, o.viewOnly)
-		fyne.Do(func() {
-			w.Close()
-			s.app.Quit()
-		})
-	}()
-
-	w.Show()
-}
-
-func (s *serviceClient) sendApprovalResponse(requestID string, accept, viewOnly bool) {
-	conn, err := s.getSrvClient(defaultFailTimeout)
-	if err != nil {
-		log.Warnf("approval response: get daemon client: %v", err)
-		return
-	}
-	ctx, cancel := context.WithTimeout(s.ctx, defaultFailTimeout)
-	defer cancel()
-	if _, err := conn.RespondApproval(ctx, &proto.RespondApprovalRequest{
-		RequestId: requestID,
-		Accept:    accept,
-		ViewOnly:  viewOnly,
-	}); err != nil {
-		log.Warnf("approval response: %v", err)
-	}
-}
-
-// approvalRequest is the parsed --approval-* CLI args that the forked
-// dialog process consumes.
-type approvalRequest struct {
-	requestID      string
-	kind           string
-	initiator      string
-	peerName       string
-	sourceIP       string
-	username       string
-	subject        string
-	expiresAt      string
-	keyFingerprint string
-}
-
-func (r approvalRequest) displayPeer() string {
-	switch {
-	case r.initiator != "":
-		return r.initiator
-	case r.peerName != "":
-		return r.peerName
-	case r.sourceIP != "":
-		return r.sourceIP
-	default:
-		return "unknown peer"
-	}
-}
-
-// deadline returns the wall-clock auto-deny moment. Falls back to a short
-// local window when the daemon's expires_at is missing/unparsable, so a
-// stale value never leaves the dialog open indefinitely.
-func (r approvalRequest) deadline() time.Time {
-	if t, err := time.Parse(time.RFC3339, r.expiresAt); err == nil {
-		return t
-	}
-	return time.Now().Add(13 * time.Second)
-}
-
-func approvalTitle(kind string) string {
-	switch kind {
-	case "vnc":
-		return "Allow VNC Connection?"
-	case "ssh":
-		return "Allow SSH Connection?"
-	default:
-		return "Allow Incoming Connection?"
-	}
-}

client/ui/client_ui.go

@@ -97,25 +97,13 @@ func main() {
 		showQuickActions:  flags.showQuickActions,
 		showUpdate:        flags.showUpdate,
 		showUpdateVersion: flags.showUpdateVersion,
-		showApproval:      flags.showApproval,
-		approvalRequest: approvalRequest{
-			requestID:      flags.approvalRequestID,
-			kind:           flags.approvalKind,
-			initiator:      flags.approvalInitiator,
-			peerName:       flags.approvalPeerName,
-			sourceIP:       flags.approvalSourceIP,
-			username:       flags.approvalUsername,
-			subject:        flags.approvalSubject,
-			expiresAt:      flags.approvalExpiresAt,
-			keyFingerprint: flags.approvalKeyFingerprint,
-		},
 	})
 
 	// Watch for theme/settings changes to update the icon.
 	go watchSettingsChanges(a, client)
 
 	// Run in window mode if any UI flag was set.
-	if flags.showSettings || flags.showNetworks || flags.showDebug || flags.showLoginURL || flags.showProfiles || flags.showQuickActions || flags.showUpdate || flags.showApproval {
+	if flags.showSettings || flags.showNetworks || flags.showDebug || flags.showLoginURL || flags.showProfiles || flags.showQuickActions || flags.showUpdate {
 		a.Run()
 		return
 	}
@@ -152,17 +140,6 @@ type cliFlags struct {
 	saveLogsInFile    bool
 	showUpdate        bool
 	showUpdateVersion string
-	showApproval      bool
-
-	approvalRequestID      string
-	approvalKind           string
-	approvalInitiator      string
-	approvalPeerName       string
-	approvalSourceIP       string
-	approvalUsername       string
-	approvalSubject        string
-	approvalExpiresAt      string
-	approvalKeyFingerprint string
 }
 
 // parseFlags reads and returns all needed command-line flags.
@@ -184,16 +161,6 @@ func parseFlags() *cliFlags {
 	flag.BoolVar(&flags.showLoginURL, "login-url", false, "show login URL in a popup window")
 	flag.BoolVar(&flags.showUpdate, "update", false, "show update progress window")
 	flag.StringVar(&flags.showUpdateVersion, "update-version", "", "version to update to")
-	flag.BoolVar(&flags.showApproval, "approval", false, "show inbound-connection approval prompt window")
-	flag.StringVar(&flags.approvalRequestID, "approval-request-id", "", "approval prompt: daemon-issued request id")
-	flag.StringVar(&flags.approvalKind, "approval-kind", "", "approval prompt: subsystem kind (vnc, ssh, ...)")
-	flag.StringVar(&flags.approvalInitiator, "approval-initiator", "", "approval prompt: display name of the user who initiated the connection")
-	flag.StringVar(&flags.approvalPeerName, "approval-peer-name", "", "approval prompt: remote peer FQDN")
-	flag.StringVar(&flags.approvalSourceIP, "approval-source-ip", "", "approval prompt: remote source IP")
-	flag.StringVar(&flags.approvalUsername, "approval-username", "", "approval prompt: requested OS username")
-	flag.StringVar(&flags.approvalSubject, "approval-subject", "", "approval prompt: human-readable subject line")
-	flag.StringVar(&flags.approvalExpiresAt, "approval-expires-at", "", "approval prompt: RFC3339 deadline at which the daemon auto-denies")
-	flag.StringVar(&flags.approvalKeyFingerprint, "approval-key-fingerprint", "", "approval prompt: hex-encoded Noise static pubkey of the connecting client")
 	flag.Parse()
 	return &flags
 }
@@ -282,7 +249,6 @@ type serviceClient struct {
 	mQuit              *systray.MenuItem
 	mNetworks          *systray.MenuItem
 	mAllowSSH          *systray.MenuItem
-	mAllowVNC          *systray.MenuItem
 	mAutoConnect       *systray.MenuItem
 	mEnableRosenpass   *systray.MenuItem
 	mLazyConnEnabled   *systray.MenuItem
@@ -321,8 +287,6 @@ type serviceClient struct {
 	sEnableSSHRemotePortForward *widget.Check
 	sDisableSSHAuth             *widget.Check
 	iSSHJWTCacheTTL             *widget.Entry
-	sServerVNCAllowed           *widget.Check
-	sDisableVNCApproval         *widget.Check
 
 	// observable settings over corresponding iMngURL and iPreSharedKey values.
 	managementURL string
@@ -344,8 +308,6 @@ type serviceClient struct {
 	enableSSHRemotePortForward bool
 	disableSSHAuth             bool
 	sshJWTCacheTTL             int
-	serverVNCAllowed           bool
-	disableVNCApproval         bool
 
 	connected            bool
 	daemonVersion        string
@@ -393,8 +355,6 @@ type newServiceClientArgs struct {
 	showQuickActions  bool
 	showUpdate        bool
 	showUpdateVersion string
-	showApproval      bool
-	approvalRequest   approvalRequest
 }
 
 // newServiceClient instance constructor
@@ -435,8 +395,6 @@ func newServiceClient(args *newServiceClientArgs) *serviceClient {
 		s.showQuickActionsUI()
 	case args.showUpdate:
 		s.showUpdateProgress(ctx, args.showUpdateVersion)
-	case args.showApproval:
-		s.showApprovalUI(args.approvalRequest)
 	}
 
 	return s
@@ -520,8 +478,6 @@ func (s *serviceClient) showSettingsUI() {
 	s.sEnableSSHRemotePortForward = widget.NewCheck("Enable SSH Remote Port Forwarding", nil)
 	s.sDisableSSHAuth = widget.NewCheck("Disable SSH Authentication", nil)
 	s.iSSHJWTCacheTTL = widget.NewEntry()
-	s.sServerVNCAllowed = widget.NewCheck("Allow embedded VNC server on this peer", nil)
-	s.sDisableVNCApproval = widget.NewCheck("Skip per-connection approval prompt for VNC", nil)
 
 	s.wSettings.SetContent(s.getSettingsForm())
 	s.wSettings.Resize(fyne.NewSize(600, 400))
@@ -634,8 +590,7 @@ func (s *serviceClient) hasSettingsChanged(iMngURL string, port, mtu int64) bool
 		s.disableServerRoutes != s.sDisableServerRoutes.Checked ||
 		s.disableIPv6 != s.sDisableIPv6.Checked ||
 		s.blockLANAccess != s.sBlockLANAccess.Checked ||
-		s.hasSSHChanges() ||
-		s.hasVNCChanges()
+		s.hasSSHChanges()
 }
 
 func (s *serviceClient) applySettingsChanges(iMngURL string, port, mtu int64) error {
@@ -694,8 +649,6 @@ func (s *serviceClient) buildSetConfigRequest(iMngURL string, port, mtu int64) (
 	req.EnableSSHLocalPortForwarding = &s.sEnableSSHLocalPortForward.Checked
 	req.EnableSSHRemotePortForwarding = &s.sEnableSSHRemotePortForward.Checked
 	req.DisableSSHAuth = &s.sDisableSSHAuth.Checked
-	req.ServerVNCAllowed = &s.sServerVNCAllowed.Checked
-	req.DisableVNCApproval = &s.sDisableVNCApproval.Checked
 
 	sshJWTCacheTTLText := strings.TrimSpace(s.iSSHJWTCacheTTL.Text)
 	if sshJWTCacheTTLText != "" {
@@ -756,12 +709,10 @@ func (s *serviceClient) getSettingsForm() fyne.CanvasObject {
 	connectionForm := s.getConnectionForm()
 	networkForm := s.getNetworkForm()
 	sshForm := s.getSSHForm()
-	vncForm := s.getVNCForm()
 	tabs := container.NewAppTabs(
 		container.NewTabItem("Connection", connectionForm),
 		container.NewTabItem("Network", networkForm),
 		container.NewTabItem("SSH", sshForm),
-		container.NewTabItem("VNC", vncForm),
 	)
 	saveButton := widget.NewButtonWithIcon("Save", theme.ConfirmIcon(), s.saveSettings)
 	saveButton.Importance = widget.HighImportance
@@ -802,15 +753,6 @@ func (s *serviceClient) getSSHForm() *widget.Form {
 	}
 }
 
-func (s *serviceClient) getVNCForm() *widget.Form {
-	return &widget.Form{
-		Items: []*widget.FormItem{
-			{Text: "Allow VNC Server", Widget: s.sServerVNCAllowed},
-			{Text: "Disable Connection Approval Prompt", Widget: s.sDisableVNCApproval},
-		},
-	}
-}
-
 func (s *serviceClient) hasSSHChanges() bool {
 	currentSSHJWTCacheTTL := s.sshJWTCacheTTL
 	if text := strings.TrimSpace(s.iSSHJWTCacheTTL.Text); text != "" {
@@ -829,11 +771,6 @@ func (s *serviceClient) hasSSHChanges() bool {
 		s.sshJWTCacheTTL != currentSSHJWTCacheTTL
 }
 
-func (s *serviceClient) hasVNCChanges() bool {
-	return s.serverVNCAllowed != s.sServerVNCAllowed.Checked ||
-		s.disableVNCApproval != s.sDisableVNCApproval.Checked
-}
-
 func (s *serviceClient) login(ctx context.Context, openURL bool) (*proto.LoginResponse, error) {
 	conn, err := s.getSrvClient(defaultFailTimeout)
 	if err != nil {
@@ -1108,7 +1045,6 @@ func (s *serviceClient) onTrayReady() {
 
 	s.mSettings = systray.AddMenuItem("Settings", disabledMenuDescr)
 	s.mAllowSSH = s.mSettings.AddSubMenuItemCheckbox("Allow SSH", allowSSHMenuDescr, false)
-	s.mAllowVNC = s.mSettings.AddSubMenuItemCheckbox("Allow VNC", allowVNCMenuDescr, false)
 	s.mAutoConnect = s.mSettings.AddSubMenuItemCheckbox("Connect on Startup", autoConnectMenuDescr, false)
 	s.mEnableRosenpass = s.mSettings.AddSubMenuItemCheckbox("Enable Quantum-Resistance", quantumResistanceMenuDescr, false)
 	s.mLazyConnEnabled = s.mSettings.AddSubMenuItemCheckbox("Enable Lazy Connections", lazyConnMenuDescr, false)
@@ -1182,7 +1118,6 @@ func (s *serviceClient) onTrayReady() {
 
 	s.eventManager = event.NewManager(s.notifier, s.addr)
 	s.eventManager.SetNotificationsEnabled(s.mNotifications.Checked())
-	s.eventManager.AddHandler(s.handleApprovalEvent)
 	s.eventManager.AddHandler(func(event *proto.SystemEvent) {
 		if event.Category == proto.SystemEvent_SYSTEM {
 			s.updateExitNodes()
@@ -1418,12 +1353,6 @@ func (s *serviceClient) getSrvConfig() {
 	if cfg.SSHJWTCacheTTL != nil {
 		s.sshJWTCacheTTL = *cfg.SSHJWTCacheTTL
 	}
-	if cfg.ServerVNCAllowed != nil {
-		s.serverVNCAllowed = *cfg.ServerVNCAllowed
-	}
-	if cfg.DisableVNCApproval != nil {
-		s.disableVNCApproval = *cfg.DisableVNCApproval
-	}
 
 	if s.showAdvancedSettings {
 		s.iMngURL.SetText(s.managementURL)
@@ -1464,12 +1393,6 @@ func (s *serviceClient) getSrvConfig() {
 		if cfg.SSHJWTCacheTTL != nil {
 			s.iSSHJWTCacheTTL.SetText(strconv.Itoa(*cfg.SSHJWTCacheTTL))
 		}
-		if cfg.ServerVNCAllowed != nil {
-			s.sServerVNCAllowed.SetChecked(*cfg.ServerVNCAllowed)
-		}
-		if cfg.DisableVNCApproval != nil {
-			s.sDisableVNCApproval.SetChecked(*cfg.DisableVNCApproval)
-		}
 	}
 
 	if s.mNotifications == nil {
@@ -1529,8 +1452,6 @@ func protoConfigToConfig(cfg *proto.GetConfigResponse) *profilemanager.Config {
 
 	config.DisableAutoConnect = cfg.DisableAutoConnect
 	config.ServerSSHAllowed = &cfg.ServerSSHAllowed
-	config.ServerVNCAllowed = &cfg.ServerVNCAllowed
-	config.DisableVNCApproval = &cfg.DisableVNCApproval
 	config.RosenpassEnabled = cfg.RosenpassEnabled
 	config.RosenpassPermissive = cfg.RosenpassPermissive
 	config.DisableNotifications = &cfg.DisableNotifications
@@ -1626,12 +1547,6 @@ func (s *serviceClient) loadSettings() {
 		s.mAllowSSH.Uncheck()
 	}
 
-	if cfg.ServerVNCAllowed {
-		s.mAllowVNC.Check()
-	} else {
-		s.mAllowVNC.Uncheck()
-	}
-
 	if cfg.DisableAutoConnect {
 		s.mAutoConnect.Uncheck()
 	} else {
@@ -1671,7 +1586,6 @@ func (s *serviceClient) loadSettings() {
 func (s *serviceClient) updateConfig() error {
 	disableAutoStart := !s.mAutoConnect.Checked()
 	sshAllowed := s.mAllowSSH.Checked()
-	vncAllowed := s.mAllowVNC.Checked()
 	rosenpassEnabled := s.mEnableRosenpass.Checked()
 	lazyConnectionEnabled := s.mLazyConnEnabled.Checked()
 	blockInbound := s.mBlockInbound.Checked()
@@ -1700,7 +1614,6 @@ func (s *serviceClient) updateConfig() error {
 		Username:              currUser.Username,
 		DisableAutoConnect:    &disableAutoStart,
 		ServerSSHAllowed:      &sshAllowed,
-		ServerVNCAllowed:      &vncAllowed,
 		RosenpassEnabled:      &rosenpassEnabled,
 		LazyConnectionEnabled: &lazyConnectionEnabled,
 		BlockInbound:          &blockInbound,

client/ui/const.go

@@ -2,7 +2,6 @@ package main
 
 const (
 	allowSSHMenuDescr          = "Allow SSH connections"
-	allowVNCMenuDescr          = "Allow embedded VNC server"
 	autoConnectMenuDescr       = "Connect automatically when the service starts"
 	quantumResistanceMenuDescr = "Enable post-quantum security via Rosenpass"
 	lazyConnMenuDescr          = "[Experimental] Enable lazy connections"

client/ui/event/event.go

@@ -112,7 +112,7 @@ func (e *Manager) handleEvent(event *proto.SystemEvent) {
 	handlers := slices.Clone(e.handlers)
 	e.mu.Unlock()
 
-	if event.UserMessage != "" && (enabled || event.Severity == proto.SystemEvent_CRITICAL) && !isV6DefaultRoutePartner(event) && event.Category != proto.SystemEvent_APPROVAL {
+	if event.UserMessage != "" && (enabled || event.Severity == proto.SystemEvent_CRITICAL) && !isV6DefaultRoutePartner(event) {
 		title := e.getEventTitle(event)
 		body := event.UserMessage
 		id := event.Metadata["id"]

client/ui/event_handler.go

@@ -39,8 +39,6 @@ func (h *eventHandler) listen(ctx context.Context) {
 			h.handleDisconnectClick()
 		case <-h.client.mAllowSSH.ClickedCh:
 			h.handleAllowSSHClick()
-		case <-h.client.mAllowVNC.ClickedCh:
-			h.handleAllowVNCClick()
 		case <-h.client.mAutoConnect.ClickedCh:
 			h.handleAutoConnectClick()
 		case <-h.client.mEnableRosenpass.ClickedCh:
@@ -136,15 +134,6 @@ func (h *eventHandler) handleAllowSSHClick() {
 
 }
 
-func (h *eventHandler) handleAllowVNCClick() {
-	h.toggleCheckbox(h.client.mAllowVNC)
-	if err := h.updateConfigWithErr(); err != nil {
-		h.toggleCheckbox(h.client.mAllowVNC) // revert checkbox state on error
-		log.Errorf("failed to update config: %v", err)
-		h.client.notifier.Send("Error", "Failed to update VNC settings")
-	}
-}
-
 func (h *eventHandler) handleAutoConnectClick() {
 	h.toggleCheckbox(h.client.mAutoConnect)
 	if err := h.updateConfigWithErr(); err != nil {