Reject port 0 in NB_DNS_FIREWALL_PORTS and roll back firewall on DNS setup failure

* Use fwmark-aware route lookup for raw socket UDP checksum source

* Guard nil raw socket in sharedsock WriteTo

.github/DISCUSSION_TEMPLATE/ideas-feature-requests.yml

@@ -0,0 +1,130 @@
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Ideas & Feature Requests
+
+        Use this category for feature requests, enhancements, integrations, and product ideas.
+
+        NetBird uses community traction in discussions — upvotes, replies, affected users, and use-case detail — as an input when deciding what should become a maintainer-curated issue or roadmap item. A clear problem statement is more useful than a solution-only request.
+
+        Please search first and add your use case to an existing discussion when one already exists.
+
+  - type: checkboxes
+    id: preflight
+    attributes:
+      label: Before posting
+      options:
+        - label: I searched existing discussions and issues for similar requests.
+          required: true
+        - label: I checked the documentation to confirm this is not already supported.
+          required: true
+        - label: This is a product idea or enhancement request, not a support question.
+          required: true
+        - label: I removed or anonymized sensitive details from examples and screenshots.
+          required: true
+
+  - type: dropdown
+    id: area
+    attributes:
+      label: Product area
+      description: Select every area this request touches.
+      multiple: true
+      options:
+        - Client / Agent
+        - CLI
+        - Desktop UI
+        - Mobile app
+        - Dashboard / Admin UI
+        - Management service / API
+        - Signal service
+        - Relay
+        - DNS
+        - Routes / Exit nodes
+        - NetBird SSH
+        - Access control policies
+        - Posture checks
+        - Identity provider / SSO
+        - Self-hosting / Deployment
+        - Kubernetes / Operator
+        - Terraform / Automation
+        - Documentation
+        - Other / not sure
+    validations:
+      required: true
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem or use case
+      description: What are you trying to accomplish, and what is difficult or impossible today?
+      placeholder: |
+        As a ...
+        I want to ...
+        Because ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: Describe the behavior, workflow, API, UI, or integration you would like to see.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives or workarounds considered
+      description: What have you tried today? Why is the current workaround not enough?
+
+  - type: textarea
+    id: impact
+    attributes:
+      label: Community impact and priority
+      description: Help us understand who benefits and how urgent this is.
+      placeholder: |
+        - Number of users/teams/peers affected:
+        - Deployment type: Cloud / self-hosted / both
+        - Frequency: daily / weekly / occasional
+        - Blocking production adoption? yes/no
+        - Related comments, discussions, or customer requests:
+    validations:
+      required: true
+
+  - type: textarea
+    id: examples
+    attributes:
+      label: Examples from other tools or products
+      description: If another tool solves this well, link or describe the behavior.
+
+  - type: textarea
+    id: security
+    attributes:
+      label: Security, privacy, and compatibility considerations
+      description: Note any access-control, audit, data retention, network, platform, or backward-compatibility concerns.
+
+  - type: textarea
+    id: implementation
+    attributes:
+      label: Implementation ideas
+      description: Optional. If you are familiar with the codebase or API, share possible implementation notes.
+
+  - type: dropdown
+    id: contribution
+    attributes:
+      label: Are you willing to help?
+      options:
+        - Yes, I can submit a PR if the approach is accepted.
+        - Yes, I can test or validate a proposed implementation.
+        - Yes, I can provide more use-case details.
+        - Not at this time.
+    validations:
+      required: true
+
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: Add screenshots, diagrams, links, or anything else that helps explain the request.

.github/DISCUSSION_TEMPLATE/issue-triage.yml

@@ -0,0 +1,237 @@
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Issue Triage
+
+        Use this category for reproducible bugs and regressions in NetBird.
+
+        The more context you include, the faster we can validate and act on your report. If you're not sure whether something is a bug, **Q&A / Support** is a good starting point — we can always move the conversation here once we've confirmed it's a product issue.
+
+        Intermittent issues are useful too. Include the trigger, frequency, timing, and any logs or debug evidence you have, and we'll work from there.
+
+        Please don't include secrets, tokens, private keys, internal hostnames, or public IPs. Security vulnerabilities should be reported through the repository security policy rather than a public discussion.
+
+  - type: checkboxes
+    id: preflight
+    attributes:
+      label: Before posting
+      options:
+        - label: I searched existing discussions and issues, including closed ones, and checked the relevant docs.
+          required: true
+        - label: I believe this is a product bug rather than a configuration or setup question.
+          required: true
+        - label: I can reproduce this issue, or for intermittent issues I've included trigger, frequency, and timing details below.
+          required: true
+        - label: I removed or anonymized sensitive data from logs, screenshots, and configuration.
+          required: true
+
+  - type: dropdown
+    id: area
+    attributes:
+      label: Affected area
+      description: Select every area this report touches.
+      multiple: true
+      options:
+        - Client / Agent
+        - Reverse Proxy
+        - CLI
+        - Desktop UI
+        - Mobile app
+        - Peer connectivity
+        - DNS
+        - Routes / Exit nodes
+        - NetBird SSH
+        - Relay / Signal / NAT traversal
+        - Login / Authentication / IdP
+        - Dashboard / Admin UI
+        - Management service / API
+        - Access control policies / Posture checks
+        - Self-hosting / Deployment
+        - Kubernetes / Operator
+        - Documentation
+        - Other / not sure
+    validations:
+      required: true
+
+  - type: dropdown
+    id: deployment
+    attributes:
+      label: Deployment type
+      options:
+        - NetBird Cloud
+        - Self-hosted - quickstart script
+        - Self-hosted - advanced/custom deployment
+        - Local development build
+        - Not sure / environment I do not fully control
+    validations:
+      required: true
+
+  - type: dropdown
+    id: platform
+    attributes:
+      label: Operating system or environment
+      description: Select every environment involved in the reproduction.
+      multiple: true
+      options:
+        - Linux
+        - macOS
+        - Windows
+        - Android
+        - iOS
+        - FreeBSD
+        - OpenWRT
+        - Docker
+        - Kubernetes
+        - Synology
+        - Browser
+        - Other / not sure
+    validations:
+      required: true
+
+  - type: textarea
+    id: version
+    attributes:
+      label: NetBird version and upgrade status
+      description: Run `netbird version` where applicable. For self-hosted deployments, include management, signal, relay, and dashboard versions if available. If you cannot test on a current/supported version, explain why.
+      placeholder: |
+        Example:
+        - Client: 0.30.2
+        - Management: 0.30.2
+        - Signal: 0.30.2
+        - Relay: 0.30.2
+        - Dashboard: 0.30.2
+        - Upgrade status: reproduced on current version / cannot upgrade because ...
+    validations:
+      required: true
+
+  - type: dropdown
+    id: regression
+    attributes:
+      label: Did this work before?
+      options:
+        - Yes, this worked before
+        - No, this never worked
+        - Not sure
+    validations:
+      required: true
+
+  - type: textarea
+    id: regression-details
+    attributes:
+      label: Regression details
+      description: If this worked before, include the last known working version, first known broken version, and any recent upgrade, configuration, network, or IdP changes.
+      placeholder: |
+        - Last known working version:
+        - First known broken version:
+        - Recent changes:
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Summary
+      description: Briefly describe the reproducible bug.
+      placeholder: What is broken?
+    validations:
+      required: true
+
+  - type: textarea
+    id: current-behavior
+    attributes:
+      label: Current behavior
+      description: What happens now? Include exact errors, timeouts, UI messages, or failed commands when possible.
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected-behavior
+    attributes:
+      label: Expected behavior
+      description: What did you expect to happen instead?
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduction
+    attributes:
+      label: Steps to reproduce
+      description: Provide the smallest set of steps that reliably reproduces the bug. If the issue is intermittent, include the trigger, frequency, timing, and relevant timestamps.
+      placeholder: |
+        1. Configure ...
+        2. Run ...
+        3. Observe ...
+
+        For intermittent issues:
+        - Trigger:
+        - Frequency:
+        - Timing/timestamps:
+    validations:
+      required: true
+
+  - type: textarea
+    id: environment
+    attributes:
+      label: Environment and topology
+      description: Include the relevant topology and software involved in the reproduction. For UI/docs-only reports, write `N/A` if this does not apply. Use `None`, `Unknown`, or `N/A` where appropriate.
+      placeholder: |
+        - Peer A:
+        - Peer B:
+        - Same LAN or different networks:
+        - NAT/CGNAT/corporate firewall/mobile network:
+        - Other VPN software:
+        - Firewall, DNS, or endpoint security software:
+        - Routes, DNS, policies, posture checks, or SSH rules involved:
+        - IdP, reverse proxy, or browser involved:
+    validations:
+      required: true
+
+  - type: textarea
+    id: self-hosted-details
+    attributes:
+      label: Self-hosted details, if available
+      description: Optional. If you use self-hosting and have access to these details, include them. If you do not administer the environment, provide what you know and say what you cannot access.
+      placeholder: |
+        - Deployment method: quickstart / Docker Compose / Helm / operator / custom
+        - Management/signal/relay/dashboard versions:
+        - Reverse proxy:
+        - IdP/provider:
+        - STUN/TURN/coturn/relay details:
+        - Relevant component logs:
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs, status output, or debug evidence
+      description: |
+        For client, connectivity, DNS, route, relay/signal, or self-hosted reports, logs are essential — please include anonymized output from `netbird status -dA`, or a debug bundle via `netbird debug for 1m -AS -U`. Debug bundles are automatically deleted after 30 days.
+
+        For UI, dashboard, or documentation reports, leave the pre-filled `N/A`.
+      value: "N/A"
+      render: shell
+    validations:
+      required: true
+
+  - type: textarea
+    id: related-reports
+    attributes:
+      label: Related issues or discussions
+      description: Optional. Link similar reports you found while searching, if any.
+      placeholder: |
+        - Related issue/discussion:
+        - Why this may be the same or different:
+
+  - type: textarea
+    id: impact
+    attributes:
+      label: Impact
+      description: Optional. Help us understand priority. How many users, peers, environments, or workflows are affected? Is there a workaround?
+      placeholder: |
+        - Affected users/peers:
+        - Business or production impact:
+        - Workaround available:
+
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: Add links to related discussions, issues, docs, screenshots, recordings, or anything else that may help validation.

.github/DISCUSSION_TEMPLATE/q-a-support.yml

@@ -0,0 +1,146 @@
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Q&A / Support
+
+        Use this category for questions about configuration, setup, self-hosted deployments, troubleshooting, and general NetBird usage.
+
+        This is community support and does not provide an SLA. For NetBird Cloud support, use the official support channel linked from the issue creation page. Please do not post secrets, tokens, private keys, internal hostnames, or public IPs unless you intentionally want them public.
+
+        If your question turns into a reproducible product defect, DevRel or a maintainer may ask you to open or move the conversation to Issue Triage.
+
+  - type: checkboxes
+    id: preflight
+    attributes:
+      label: Before posting
+      options:
+        - label: I searched existing discussions and issues for similar questions.
+          required: true
+        - label: I reviewed the relevant NetBird documentation or troubleshooting guide.
+          required: true
+        - label: I removed or anonymized sensitive data from logs, screenshots, and configuration.
+          required: true
+
+  - type: dropdown
+    id: topic
+    attributes:
+      label: Topic
+      multiple: true
+      options:
+        - Getting started
+        - Self-hosting
+        - Client / Agent
+        - CLI
+        - Desktop UI
+        - Mobile app
+        - Dashboard / Admin UI
+        - DNS
+        - Routes / Exit nodes
+        - NetBird SSH
+        - Relay
+        - Access control policies
+        - Posture checks
+        - Identity provider / SSO
+        - API
+        - Kubernetes / Operator
+        - Terraform / Automation
+        - Documentation
+        - Other / not sure
+    validations:
+      required: true
+
+  - type: dropdown
+    id: deployment
+    attributes:
+      label: Deployment type
+      options:
+        - NetBird Cloud
+        - Self-hosted - quickstart script
+        - Self-hosted - advanced/custom deployment
+        - Local development build
+        - Not sure
+    validations:
+      required: true
+
+  - type: dropdown
+    id: platform
+    attributes:
+      label: Operating system or environment
+      multiple: true
+      options:
+        - Linux
+        - macOS
+        - Windows
+        - Android
+        - iOS
+        - FreeBSD
+        - OpenWRT
+        - Docker
+        - Kubernetes
+        - Synology
+        - Browser
+        - Other / not sure
+    validations:
+      required: true
+
+  - type: input
+    id: version
+    attributes:
+      label: NetBird version
+      description: Run `netbird version` where applicable. For self-hosted deployments, include component versions if relevant.
+      placeholder: "Example: client 0.30.2, management 0.30.2"
+
+  - type: textarea
+    id: question
+    attributes:
+      label: Question
+      description: What are you trying to understand or accomplish?
+      placeholder: Describe your question clearly.
+    validations:
+      required: true
+
+  - type: textarea
+    id: goal
+    attributes:
+      label: Desired outcome
+      description: What would a successful answer help you do?
+      placeholder: |
+        I want to configure ...
+        I expected ...
+        I need help deciding ...
+
+  - type: textarea
+    id: attempted
+    attributes:
+      label: What have you tried?
+      description: Include commands, documentation links, configuration attempts, or troubleshooting steps already tried.
+      placeholder: |
+        - Read ...
+        - Ran ...
+        - Changed ...
+        - Observed ...
+
+  - type: textarea
+    id: environment
+    attributes:
+      label: Relevant environment details
+      description: Include redacted topology, IdP/provider, reverse proxy, firewall, DNS, route, policy, or self-hosted setup details that may affect the answer.
+      placeholder: |
+        - Deployment:
+        - Components involved:
+        - Network/topology:
+        - Related config:
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs or output
+      description: Optional. Include anonymized logs, command output, screenshots, or `netbird status -dA` if relevant.
+      render: shell
+
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: Add links, diagrams, screenshots, or other details that may help the community answer.

.github/ISSUE_TEMPLATE/bug-issue-report.md

@@ -1,71 +0,0 @@
----
-name: Bug/Issue report
-about: Create a report to help us improve
-title: ''
-labels: ['triage-needed']
-assignees: ''
-
----
-
-**Describe the problem**
-
-A clear and concise description of what the problem is.
-
-**To Reproduce**
-
-Steps to reproduce the behavior:
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
-
-**Expected behavior**
-
-A clear and concise description of what you expected to happen.
-
-**Are you using NetBird Cloud?**
-
-Please specify whether you use NetBird Cloud or self-host NetBird's control plane.
-
-**NetBird version**
-
-`netbird version`
-
-**Is any other VPN software installed?**
-
-If yes, which one?
-
-**Debug output**
-
-To help us resolve the problem, please attach the following anonymized status output
-
-  netbird status -dA
-
-Create and upload a debug bundle, and share the returned file key:
-
-  netbird debug for 1m -AS -U
-
-*Uploaded files are automatically deleted after 30 days.*
-
-
-Alternatively, create the file only and attach it here manually:
-
-  netbird debug for 1m -AS
-
-
-**Screenshots**
-
-If applicable, add screenshots to help explain your problem.
-
-**Additional context**
-
-Add any other context about the problem here.
-
-**Have you tried these troubleshooting steps?**
-- [ ] Reviewed [client troubleshooting](https://docs.netbird.io/how-to/troubleshooting-client) (if applicable)
-- [ ] Checked for newer NetBird versions
-- [ ] Searched for similar issues on GitHub (including closed ones)
-- [ ] Restarted the NetBird client
-- [ ] Disabled other VPN software
-- [ ] Checked firewall settings
-

.github/ISSUE_TEMPLATE/config.yml

@@ -1,14 +1,26 @@
-blank_issues_enabled: true
+blank_issues_enabled: false
 contact_links:
-  - name: Community Support
+  - name: Start an Issue Triage discussion
+    url: https://github.com/netbirdio/netbird/discussions/new?category=issue-triage
+    about: Report a bug, regression, or unexpected behavior so DevRel can validate it before it becomes an issue.
+  - name: Propose an idea or feature request
+    url: https://github.com/netbirdio/netbird/discussions/new?category=ideas-feature-requests
+    about: Share feature requests, enhancements, and integration ideas for community feedback and prioritization.
+  - name: Ask a Q&A / Support question
+    url: https://github.com/netbirdio/netbird/discussions/new?category=q-a-support
+    about: Get help with setup, configuration, self-hosting, troubleshooting, and general usage.
+  - name: Security vulnerability disclosure
+    url: https://github.com/netbirdio/netbird/security/policy
+    about: Please do not report security vulnerabilities in public issues or discussions.
+  - name: Community Support Forum
     url: https://forum.netbird.io/
-    about: Community support forum
+    about: Community support forum.
   - name: Cloud Support
     url: https://docs.netbird.io/help/report-bug-issues
-    about: Contact us for support
-  - name: Client/Connection Troubleshooting
+    about: Contact NetBird for Cloud support.
+  - name: Client / Connection Troubleshooting
     url: https://docs.netbird.io/help/troubleshooting-client
-    about: See our client troubleshooting guide for help addressing common issues
+    about: See the client troubleshooting guide for common connectivity issues.
   - name: Self-host Troubleshooting
     url: https://docs.netbird.io/selfhosted/troubleshooting
-    about: See our self-host troubleshooting guide for help addressing common issues
+    about: See the self-host troubleshooting guide for common deployment issues.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,20 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: ['feature-request']
-assignees: ''
-
----
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/validated_issue.yml

@@ -0,0 +1,128 @@
+name: Validated issue
+description: Maintainer/DevRel only. Create an issue after a discussion has been validated or for internally validated work.
+title: "[Validated]: "
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Discussion-first issue policy
+
+        Issues are maintainer-curated work items. Community reports and feature requests should start in [Discussions](https://github.com/netbirdio/netbird/discussions) so DevRel can validate, reproduce, and route them before engineering time is committed.
+
+        Use this form when:
+        - A discussion has been validated and should become actionable work.
+        - A maintainer is opening internally validated work that can bypass the discussion-first flow.
+
+        Issues opened without a relevant validated discussion or maintainer context may be closed and redirected to Discussions.
+
+  - type: checkboxes
+    id: validation-checks
+    attributes:
+      label: Validation checklist
+      options:
+        - label: This issue is linked to a validated discussion, or it is being opened directly by a maintainer.
+          required: true
+        - label: The report has enough context for engineering to act on it without re-triaging from scratch.
+          required: true
+        - label: Sensitive data, secrets, private keys, internal hostnames, and public IPs have been removed or intentionally disclosed.
+          required: true
+
+  - type: dropdown
+    id: issue-type
+    attributes:
+      label: Issue type
+      options:
+        - Bug / Regression
+        - Feature / Enhancement
+        - Documentation
+        - Maintenance / Refactor
+        - Cross-repository coordination
+        - Other
+    validations:
+      required: true
+
+  - type: input
+    id: source-discussion
+    attributes:
+      label: Source discussion
+      description: Link the GitHub Discussion that was validated. Maintainers bypassing the flow can write "Maintainer-created" and explain why below.
+      placeholder: https://github.com/netbirdio/netbird/discussions/1234
+    validations:
+      required: true
+
+  - type: input
+    id: validation-owner
+    attributes:
+      label: Validation owner
+      description: GitHub handle of the DevRel team member or maintainer who validated this work.
+      placeholder: "@username"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: target-repository
+    attributes:
+      label: Target repository
+      description: Where should the implementation work happen?
+      options:
+        - netbirdio/netbird
+        - netbirdio/dashboard
+        - netbirdio/kubernetes-operator
+        - netbirdio/docs
+        - Multiple repositories
+        - Unknown / needs routing
+    validations:
+      required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Summary
+      description: Concise description of the validated work.
+      placeholder: What needs to be fixed, changed, documented, or built?
+    validations:
+      required: true
+
+  - type: textarea
+    id: evidence
+    attributes:
+      label: Validation evidence
+      description: For bugs, include reproduction status, affected versions, logs, and environment. For features, include community traction, affected users, and alignment notes.
+      placeholder: |
+        - Reproduced by:
+        - Affected versions / platforms:
+        - Community signal:
+        - Related logs or screenshots:
+    validations:
+      required: true
+
+  - type: textarea
+    id: scope
+    attributes:
+      label: Proposed scope
+      description: Describe what is in scope and, if helpful, what is explicitly out of scope.
+      placeholder: |
+        In scope:
+        - ...
+
+        Out of scope:
+        - ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: acceptance-criteria
+    attributes:
+      label: Acceptance criteria
+      description: What must be true for this issue to be closed?
+      placeholder: |
+        - [ ] ...
+        - [ ] ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: Links to related PRs, docs, issues in other repositories, roadmap items, or implementation notes.

.github/workflows/release.yml

@@ -114,7 +114,7 @@ jobs:
           retention-days: 30
 
   release:
-    runs-on: ubuntu-latest-m
+    runs-on: ubuntu-24.04-8-core
     outputs:
       release_artifact_url: ${{ steps.upload_release.outputs.artifact-url }}
       linux_packages_artifact_url: ${{ steps.upload_linux_packages.outputs.artifact-url }}
@@ -455,6 +455,151 @@ jobs:
           path: dist/
           retention-days: 3
 
+  test_windows_installer:
+    name: "Windows Installer / Build Test"
+    runs-on: windows-2022
+    needs: [release, release_ui]
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: amd64
+            wintun_arch: amd64
+          - arch: arm64
+            wintun_arch: arm64
+    defaults:
+      run:
+        shell: powershell
+    env:
+      PackageWorkdir: netbird_windows_${{ matrix.arch }}
+      downloadPath: '${{ github.workspace }}\temp'
+    steps:
+      - name: Parse semver string
+        id: semver_parser
+        uses: booxmedialtd/ws-action-parse-semver@v1
+        with:
+          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
+          version_extractor_regex: '\/v(.*)$'
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Add 7-Zip to PATH
+        run: echo "C:\Program Files\7-Zip" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+
+      - name: Download release artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: release
+          path: release
+
+      - name: Download UI release artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: release-ui
+          path: release-ui
+
+      - name: Stage binaries into dist
+        run: |
+          $workdir = "dist\${{ env.PackageWorkdir }}"
+          New-Item -ItemType Directory -Force -Path $workdir | Out-Null
+          $client = Get-ChildItem -Recurse -Path release -Filter "netbird_*_windows_${{ matrix.arch }}.tar.gz" | Select-Object -First 1
+          $ui = Get-ChildItem -Recurse -Path release-ui -Filter "netbird-ui-windows_*_windows_${{ matrix.arch }}.tar.gz" | Select-Object -First 1
+          if (-not $client) { Write-Host "::error::client tarball not found for ${{ matrix.arch }}"; exit 1 }
+          if (-not $ui) { Write-Host "::error::ui tarball not found for ${{ matrix.arch }}"; exit 1 }
+          Write-Host "Client: $($client.FullName)"
+          Write-Host "UI:     $($ui.FullName)"
+          tar -zvxf $client.FullName -C $workdir
+          tar -zvxf $ui.FullName -C $workdir
+          Get-ChildItem $workdir
+
+      - name: Download wintun
+        uses: carlosperate/download-file-action@v2
+        id: download-wintun
+        with:
+          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
+          file-name: wintun.zip
+          location: ${{ env.downloadPath }}
+          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
+
+      - name: Decompress wintun files
+        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+
+      - name: Move wintun.dll into dist
+        run: mv ${{ env.downloadPath }}\wintun\bin\${{ matrix.wintun_arch }}\wintun.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\
+
+      - name: Download Mesa3D (amd64 only)
+        uses: carlosperate/download-file-action@v2
+        id: download-mesa3d
+        if: matrix.arch == 'amd64'
+        with:
+          file-url: https://downloads.fdossena.com/Projects/Mesa3D/Builds/MesaForWindows-x64-20.1.8.7z
+          file-name: mesa3d.7z
+          location: ${{ env.downloadPath }}
+          sha256: '71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9'
+
+      - name: Extract Mesa3D driver (amd64 only)
+        if: matrix.arch == 'amd64'
+        run: 7z x -o"${{ env.downloadPath }}" "${{ env.downloadPath }}/mesa3d.7z"
+
+      - name: Move opengl32.dll into dist (amd64 only)
+        if: matrix.arch == 'amd64'
+        run: mv ${{ env.downloadPath }}\opengl32.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\
+
+      - name: Download EnVar plugin for NSIS
+        uses: carlosperate/download-file-action@v2
+        with:
+          file-url: https://nsis.sourceforge.io/mediawiki/images/7/7f/EnVar_plugin.zip
+          file-name: envar_plugin.zip
+          location: ${{ github.workspace }}
+
+      - name: Extract EnVar plugin
+        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/envar_plugin.zip"
+
+      - name: Download ShellExecAsUser plugin for NSIS (amd64 only)
+        uses: carlosperate/download-file-action@v2
+        if: matrix.arch == 'amd64'
+        with:
+          file-url: https://nsis.sourceforge.io/mediawiki/images/6/68/ShellExecAsUser_amd64-Unicode.7z
+          file-name: ShellExecAsUser_amd64-Unicode.7z
+          location: ${{ github.workspace }}
+
+      - name: Extract ShellExecAsUser plugin (amd64 only)
+        if: matrix.arch == 'amd64'
+        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/ShellExecAsUser_amd64-Unicode.7z"
+
+      - name: Build NSIS installer
+        uses: joncloud/makensis-action@v3.3
+        with:
+          additional-plugin-paths: ${{ github.workspace }}/NSIS_Plugins/Plugins
+          script-file: client/installer.nsis
+          arguments: "/V4 /DARCH=${{ matrix.arch }}"
+        env:
+          APPVER: ${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}.${{ steps.semver_parser.outputs.patch }}.${{ github.run_id }}
+
+      - name: Rename NSIS installer
+        run: mv netbird-installer.exe netbird_installer_test_windows_${{ matrix.arch }}.exe
+
+      - name: Install WiX
+        run: |
+          dotnet tool install --global wix --version 6.0.2
+          wix extension add WixToolset.Util.wixext/6.0.2
+
+      - name: Build MSI installer
+        env:
+          NETBIRD_VERSION: "${{ steps.semver_parser.outputs.fullversion }}"
+        run: wix build -arch ${{ matrix.arch == 'amd64' && 'x64' || 'arm64' }} -ext WixToolset.Util.wixext -o netbird_installer_test_windows_${{ matrix.arch }}.msi .\client\netbird.wxs -d ProcessorArchitecture=${{ matrix.arch == 'amd64' && 'x64' || 'arm64' }} -d ArchSuffix=${{ matrix.arch }}
+
+      - name: Upload installer artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: windows-installer-test-${{ matrix.arch }}
+          path: |
+            netbird_installer_test_windows_${{ matrix.arch }}.exe
+            netbird_installer_test_windows_${{ matrix.arch }}.msi
+          retention-days: 3
+
   comment_release_artifacts:
     name: Comment release artifacts
     runs-on: ubuntu-latest
@@ -554,7 +699,7 @@ jobs:
 
   trigger_signer:
     runs-on: ubuntu-latest
-    needs: [release, release_ui, release_ui_darwin]
+    needs: [release, release_ui, release_ui_darwin, test_windows_installer]
     if: startsWith(github.ref, 'refs/tags/')
     steps:
       - name: Trigger binaries sign pipelines

.github/workflows/sync-tag.yml

@@ -9,6 +9,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
   cancel-in-progress: true
 
+# Receiving workflows (cloud sync-tag, mobile bump-netbird) expect the short
+# tag form (e.g. v0.30.0), not refs/tags/v0.30.0 — github.ref_name, not github.ref.
 jobs:
   trigger_sync_tag:
     runs-on: ubuntu-latest
@@ -20,4 +22,30 @@ jobs:
           ref: main
           repo: ${{ secrets.UPSTREAM_REPO }}
           token: ${{ secrets.NC_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref_name }}" }'
+
+  trigger_android_bump:
+    runs-on: ubuntu-latest
+    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
+    steps:
+      - name: Trigger android-client submodule bump
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
+        with:
+          workflow: bump-netbird.yml
+          ref: main
+          repo: netbirdio/android-client
+          token: ${{ secrets.NC_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref_name }}" }'
+
+  trigger_ios_bump:
+    runs-on: ubuntu-latest
+    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
+    steps:
+      - name: Trigger ios-client submodule bump
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
+        with:
+          workflow: bump-netbird.yml
+          ref: main
+          repo: netbirdio/ios-client
+          token: ${{ secrets.NC_GITHUB_TOKEN }}
           inputs: '{ "tag": "${{ github.ref_name }}" }'

.golangci.yaml

@@ -58,6 +58,11 @@ linters:
     govet:
       enable:
         - nilness
+      disable:
+        # The inline analyzer flags x/exp/maps Clone/Clear with //go:fix inline
+        # directives but cannot perform the rewrite due to generic type
+        # parameter inference limitations in the Go inliner.
+        - inline
       enable-all: false
     revive:
       rules:
@@ -87,6 +92,9 @@ linters:
       - linters:
           - unused
         path: client/firewall/iptables/rule\.go
+      - linters:
+          - unused
+        path: client/internal/dns/dnsfw/(types|syscall|zsyscall)_windows.*\.go
       - linters:
           - gosec
           - mirror

client/Dockerfile

@@ -17,6 +17,7 @@ ENV \
     NETBIRD_BIN="/usr/local/bin/netbird" \
     NB_LOG_FILE="console,/var/log/netbird/client.log" \
     NB_DAEMON_ADDR="unix:///var/run/netbird.sock" \
+    NB_ENABLE_CAPTURE="false" \
     NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]

client/Dockerfile-rootless

@@ -23,6 +23,7 @@ ENV \
     NB_DAEMON_ADDR="unix:///var/lib/netbird/netbird.sock" \
     NB_LOG_FILE="console,/var/lib/netbird/client.log" \
     NB_DISABLE_DNS="true" \
+    NB_ENABLE_CAPTURE="false" \
     NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]

client/cmd/capture.go

@@ -0,0 +1,196 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"strings"
+	"syscall"
+
+	"github.com/hashicorp/go-multierror"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/durationpb"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/util/capture"
+)
+
+var captureCmd = &cobra.Command{
+	Use:   "capture",
+	Short: "Capture packets on the WireGuard interface",
+	Long: `Captures decrypted packets flowing through the WireGuard interface.
+
+Default output is human-readable text. Use --pcap or --output for pcap binary.
+Requires --enable-capture to be set at service install or reconfigure time.
+
+Examples:
+  netbird debug capture
+  netbird debug capture host 100.64.0.1 and port 443
+  netbird debug capture tcp
+  netbird debug capture icmp
+  netbird debug capture src host 10.0.0.1 and dst port 80
+  netbird debug capture -o capture.pcap
+  netbird debug capture --pcap | tshark -r -
+  netbird debug capture --pcap | tcpdump -r - -n`,
+	Args: cobra.ArbitraryArgs,
+	RunE: runCapture,
+}
+
+func init() {
+	debugCmd.AddCommand(captureCmd)
+
+	captureCmd.Flags().Bool("pcap", false, "Force pcap binary output (default when --output is set)")
+	captureCmd.Flags().BoolP("verbose", "v", false, "Show seq/ack, TTL, window, total length")
+	captureCmd.Flags().Bool("ascii", false, "Print payload as ASCII after each packet (useful for HTTP)")
+	captureCmd.Flags().Uint32("snap-len", 0, "Max bytes per packet (0 = full)")
+	captureCmd.Flags().DurationP("duration", "d", 0, "Capture duration (0 = until interrupted)")
+	captureCmd.Flags().StringP("output", "o", "", "Write pcap to file instead of stdout")
+}
+
+func runCapture(cmd *cobra.Command, args []string) error {
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err := conn.Close(); err != nil {
+			cmd.PrintErrf(errCloseConnection, err)
+		}
+	}()
+
+	client := proto.NewDaemonServiceClient(conn)
+
+	req, err := buildCaptureRequest(cmd, args)
+	if err != nil {
+		return err
+	}
+
+	ctx, cancel := signal.NotifyContext(cmd.Context(), syscall.SIGINT, syscall.SIGTERM)
+	defer cancel()
+
+	stream, err := client.StartCapture(ctx, req)
+	if err != nil {
+		return handleCaptureError(err)
+	}
+
+	// First Recv is the empty acceptance message from the server. If the
+	// device is unavailable (kernel WG, not connected, capture disabled),
+	// the server returns an error instead.
+	if _, err := stream.Recv(); err != nil {
+		return handleCaptureError(err)
+	}
+
+	out, cleanup, err := captureOutput(cmd)
+	if err != nil {
+		return err
+	}
+
+	if req.TextOutput {
+		cmd.PrintErrf("Capturing packets... Press Ctrl+C to stop.\n")
+	} else {
+		cmd.PrintErrf("Capturing packets (pcap)... Press Ctrl+C to stop.\n")
+	}
+
+	streamErr := streamCapture(ctx, cmd, stream, out)
+	cleanupErr := cleanup()
+	if streamErr != nil {
+		return streamErr
+	}
+	return cleanupErr
+}
+
+func buildCaptureRequest(cmd *cobra.Command, args []string) (*proto.StartCaptureRequest, error) {
+	req := &proto.StartCaptureRequest{}
+
+	if len(args) > 0 {
+		expr := strings.Join(args, " ")
+		if _, err := capture.ParseFilter(expr); err != nil {
+			return nil, fmt.Errorf("invalid filter: %w", err)
+		}
+		req.FilterExpr = expr
+	}
+
+	if snap, _ := cmd.Flags().GetUint32("snap-len"); snap > 0 {
+		req.SnapLen = snap
+	}
+	if d, _ := cmd.Flags().GetDuration("duration"); d != 0 {
+		if d < 0 {
+			return nil, fmt.Errorf("duration must not be negative")
+		}
+		req.Duration = durationpb.New(d)
+	}
+	req.Verbose, _ = cmd.Flags().GetBool("verbose")
+	req.Ascii, _ = cmd.Flags().GetBool("ascii")
+
+	outPath, _ := cmd.Flags().GetString("output")
+	forcePcap, _ := cmd.Flags().GetBool("pcap")
+	req.TextOutput = !forcePcap && outPath == ""
+
+	return req, nil
+}
+
+func streamCapture(ctx context.Context, cmd *cobra.Command, stream proto.DaemonService_StartCaptureClient, out io.Writer) error {
+	for {
+		pkt, err := stream.Recv()
+		if err != nil {
+			if ctx.Err() != nil {
+				cmd.PrintErrf("\nCapture stopped.\n")
+				return nil //nolint:nilerr // user interrupted
+			}
+			if err == io.EOF {
+				cmd.PrintErrf("\nCapture finished.\n")
+				return nil
+			}
+			return handleCaptureError(err)
+		}
+		if _, err := out.Write(pkt.GetData()); err != nil {
+			return fmt.Errorf("write output: %w", err)
+		}
+	}
+}
+
+// captureOutput returns the writer for capture data and a cleanup function
+// that finalizes the file. Errors from the cleanup must be propagated.
+func captureOutput(cmd *cobra.Command) (io.Writer, func() error, error) {
+	outPath, _ := cmd.Flags().GetString("output")
+	if outPath == "" {
+		return os.Stdout, func() error { return nil }, nil
+	}
+
+	f, err := os.CreateTemp(filepath.Dir(outPath), filepath.Base(outPath)+".*.tmp")
+	if err != nil {
+		return nil, nil, fmt.Errorf("create output file: %w", err)
+	}
+	tmpPath := f.Name()
+	return f, func() error {
+		var merr *multierror.Error
+		if err := f.Close(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("close output file: %w", err))
+		}
+		fi, statErr := os.Stat(tmpPath)
+		if statErr != nil || fi.Size() == 0 {
+			if rmErr := os.Remove(tmpPath); rmErr != nil && !os.IsNotExist(rmErr) {
+				merr = multierror.Append(merr, fmt.Errorf("remove empty output file: %w", rmErr))
+			}
+			return nberrors.FormatErrorOrNil(merr)
+		}
+		if err := os.Rename(tmpPath, outPath); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("rename output file: %w", err))
+			return nberrors.FormatErrorOrNil(merr)
+		}
+		cmd.PrintErrf("Wrote %s\n", outPath)
+		return nberrors.FormatErrorOrNil(merr)
+	}, nil
+}
+
+func handleCaptureError(err error) error {
+	if s, ok := status.FromError(err); ok {
+		return fmt.Errorf("%s", s.Message())
+	}
+	return err
+}

client/cmd/debug.go

@@ -9,6 +9,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/durationpb"
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/debug"
@@ -239,11 +240,50 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		}()
 	}
 
+	captureStarted := false
+	if wantCapture, _ := cmd.Flags().GetBool("capture"); wantCapture {
+		captureTimeout := duration + 30*time.Second
+		const maxBundleCapture = 10 * time.Minute
+		if captureTimeout > maxBundleCapture {
+			captureTimeout = maxBundleCapture
+		}
+		_, err := client.StartBundleCapture(cmd.Context(), &proto.StartBundleCaptureRequest{
+			Timeout: durationpb.New(captureTimeout),
+		})
+		if err != nil {
+			cmd.PrintErrf("Failed to start packet capture: %v\n", status.Convert(err).Message())
+		} else {
+			captureStarted = true
+			cmd.Println("Packet capture started.")
+			// Safety: always stop on exit, even if the normal stop below runs too.
+			defer func() {
+				if captureStarted {
+					stopCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+					defer cancel()
+					if _, err := client.StopBundleCapture(stopCtx, &proto.StopBundleCaptureRequest{}); err != nil {
+						cmd.PrintErrf("Failed to stop packet capture: %v\n", err)
+					}
+				}
+			}()
+		}
+	}
+
 	if waitErr := waitForDurationOrCancel(cmd.Context(), duration, cmd); waitErr != nil {
 		return waitErr
 	}
 	cmd.Println("\nDuration completed")
 
+	if captureStarted {
+		stopCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		if _, err := client.StopBundleCapture(stopCtx, &proto.StopBundleCaptureRequest{}); err != nil {
+			cmd.PrintErrf("Failed to stop packet capture: %v\n", err)
+		} else {
+			captureStarted = false
+			cmd.Println("Packet capture stopped.")
+		}
+	}
+
 	if cpuProfilingStarted {
 		if _, err := client.StopCPUProfile(cmd.Context(), &proto.StopCPUProfileRequest{}); err != nil {
 			cmd.PrintErrf("Failed to stop CPU profiling: %v\n", err)
@@ -416,4 +456,5 @@ func init() {
 	forCmd.Flags().BoolVarP(&systemInfoFlag, "system-info", "S", true, "Adds system information to the debug bundle")
 	forCmd.Flags().BoolVarP(&uploadBundleFlag, "upload-bundle", "U", false, "Uploads the debug bundle to a server")
 	forCmd.Flags().StringVar(&uploadBundleURLFlag, "upload-bundle-url", types.DefaultBundleURL, "Service URL to get an URL to upload the debug bundle")
+	forCmd.Flags().Bool("capture", false, "Capture packets during the debug duration and include in bundle")
 }

client/cmd/login.go

@@ -10,6 +10,7 @@ import (
 
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"golang.org/x/term"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
 
@@ -23,6 +24,7 @@ import (
 
 func init() {
 	loginCmd.PersistentFlags().BoolVar(&noBrowser, noBrowserFlag, false, noBrowserDesc)
+	loginCmd.PersistentFlags().BoolVar(&showQR, showQRFlag, false, showQRDesc)
 	loginCmd.PersistentFlags().StringVar(&profileName, profileNameFlag, "", profileNameDesc)
 	loginCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "(DEPRECATED) Netbird config file location")
 }
@@ -256,7 +258,7 @@ func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string,
 }
 
 func handleSSOLogin(ctx context.Context, cmd *cobra.Command, loginResp *proto.LoginResponse, client proto.DaemonServiceClient, pm *profilemanager.ProfileManager) error {
-	openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
+	openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser, showQR)
 
 	resp, err := client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
 	if err != nil {
@@ -324,7 +326,7 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *pro
 		return nil, fmt.Errorf("getting a request OAuth flow info failed: %v", err)
 	}
 
-	openURL(cmd, flowInfo.VerificationURIComplete, flowInfo.UserCode, noBrowser)
+	openURL(cmd, flowInfo.VerificationURIComplete, flowInfo.UserCode, noBrowser, showQR)
 
 	tokenInfo, err := oAuthFlow.WaitToken(context.TODO(), flowInfo)
 	if err != nil {
@@ -334,7 +336,7 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *pro
 	return &tokenInfo, nil
 }
 
-func openURL(cmd *cobra.Command, verificationURIComplete, userCode string, noBrowser bool) {
+func openURL(cmd *cobra.Command, verificationURIComplete, userCode string, noBrowser, showQR bool) {
 	var codeMsg string
 	if userCode != "" && !strings.Contains(verificationURIComplete, userCode) {
 		codeMsg = fmt.Sprintf("and enter the code %s to authenticate.", userCode)
@@ -348,6 +350,12 @@ func openURL(cmd *cobra.Command, verificationURIComplete, userCode string, noBro
 			verificationURIComplete + " " + codeMsg)
 	}
 
+	if showQR {
+		if f, ok := cmd.OutOrStdout().(*os.File); ok && term.IsTerminal(int(f.Fd())) {
+			printQRCode(f, verificationURIComplete)
+		}
+	}
+
 	cmd.Println("")
 
 	if !noBrowser {

client/cmd/qr.go

@@ -0,0 +1,25 @@
+package cmd
+
+import (
+	"io"
+
+	"github.com/mdp/qrterminal/v3"
+)
+
+// printQRCode prints a QR code for the given URL to the writer.
+// Called only when the user explicitly requests QR output via --qr.
+func printQRCode(w io.Writer, url string) {
+	if url == "" {
+		return
+	}
+	qrterminal.GenerateWithConfig(url, qrterminal.Config{
+		Level:          qrterminal.M,
+		Writer:         w,
+		HalfBlocks:     true,
+		BlackChar:      qrterminal.BLACK_BLACK,
+		WhiteChar:      qrterminal.WHITE_WHITE,
+		BlackWhiteChar: qrterminal.BLACK_WHITE,
+		WhiteBlackChar: qrterminal.WHITE_BLACK,
+		QuietZone:      qrterminal.QUIET_ZONE,
+	})
+}

client/cmd/qr_test.go

@@ -0,0 +1,26 @@
+package cmd
+
+import (
+	"bytes"
+	"testing"
+)
+
+func TestPrintQRCode_EmptyURL(t *testing.T) {
+	var buf bytes.Buffer
+
+	printQRCode(&buf, "")
+
+	if buf.Len() != 0 {
+		t.Error("expected no output for empty URL")
+	}
+}
+
+func TestPrintQRCode_WritesOutput(t *testing.T) {
+	var buf bytes.Buffer
+
+	printQRCode(&buf, "https://example.com/auth")
+
+	if buf.Len() == 0 {
+		t.Error("expected QR code output for non-empty URL")
+	}
+}

client/cmd/root.go

@@ -75,6 +75,7 @@ var (
 	mtu                     uint16
 	profilesDisabled        bool
 	updateSettingsDisabled  bool
+	captureEnabled          bool
 	networksDisabled        bool
 
 	rootCmd = &cobra.Command{

client/cmd/service.go

@@ -44,6 +44,7 @@ func init() {
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd, resetParamsCmd)
 	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
+	serviceCmd.PersistentFlags().BoolVar(&captureEnabled, "enable-capture", false, "Enables packet capture via 'netbird debug capture'. To persist, use: netbird service install --enable-capture")
 	serviceCmd.PersistentFlags().BoolVar(&networksDisabled, "disable-networks", false, "Disables network selection. If enabled, the client will not allow listing, selecting, or deselecting networks. To persist, use: netbird service install --disable-networks")
 
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")

client/cmd/service_controller.go

@@ -61,7 +61,7 @@ func (p *program) Start(svc service.Service) error {
 			}
 		}
 
-		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled, networksDisabled)
+		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled, captureEnabled, networksDisabled)
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}

client/cmd/service_installer.go

@@ -59,6 +59,10 @@ func buildServiceArguments() []string {
 		args = append(args, "--disable-update-settings")
 	}
 
+	if captureEnabled {
+		args = append(args, "--enable-capture")
+	}
+
 	if networksDisabled {
 		args = append(args, "--disable-networks")
 	}

client/cmd/service_params.go

@@ -28,6 +28,7 @@ type serviceParams struct {
 	LogFiles              []string          `json:"log_files,omitempty"`
 	DisableProfiles       bool              `json:"disable_profiles,omitempty"`
 	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
+	EnableCapture         bool              `json:"enable_capture,omitempty"`
 	DisableNetworks       bool              `json:"disable_networks,omitempty"`
 	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
 }
@@ -79,6 +80,7 @@ func currentServiceParams() *serviceParams {
 		LogFiles:              logFiles,
 		DisableProfiles:       profilesDisabled,
 		DisableUpdateSettings: updateSettingsDisabled,
+		EnableCapture:         captureEnabled,
 		DisableNetworks:       networksDisabled,
 	}
 
@@ -144,6 +146,10 @@ func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
 		updateSettingsDisabled = params.DisableUpdateSettings
 	}
 
+	if !serviceCmd.PersistentFlags().Changed("enable-capture") {
+		captureEnabled = params.EnableCapture
+	}
+
 	if !serviceCmd.PersistentFlags().Changed("disable-networks") {
 		networksDisabled = params.DisableNetworks
 	}

client/cmd/service_params_test.go

@@ -535,6 +535,7 @@ func fieldToGlobalVar(field string) string {
 		"LogFiles":              "logFiles",
 		"DisableProfiles":       "profilesDisabled",
 		"DisableUpdateSettings": "updateSettingsDisabled",
+		"EnableCapture":         "captureEnabled",
 		"DisableNetworks":       "networksDisabled",
 		"ServiceEnvVars":        "serviceEnvVars",
 	}

client/cmd/testutil_test.go

@@ -135,7 +135,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	if err != nil {
 		t.Fatal(err)
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -160,7 +160,7 @@ func startClientDaemon(
 	s := grpc.NewServer()
 
 	server := client.New(ctx,
-		"", "", false, false, false)
+		"", "", false, false, false, false)
 	if err := server.Start(); err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -39,6 +39,9 @@ const (
 	noBrowserFlag = "no-browser"
 	noBrowserDesc = "do not open the browser for SSO login"
 
+	showQRFlag = "qr"
+	showQRDesc = "show QR code for the SSO login URL (useful for headless machines without browser access)"
+
 	profileNameFlag = "profile"
 	profileNameDesc = "profile name to use for the login. If not specified, the last used profile will be used."
 )
@@ -48,6 +51,7 @@ var (
 	dnsLabels          []string
 	dnsLabelsValidated domain.List
 	noBrowser          bool
+	showQR             bool
 	profileName        string
 	configPath         string
 
@@ -80,6 +84,7 @@ func init() {
 	)
 
 	upCmd.PersistentFlags().BoolVar(&noBrowser, noBrowserFlag, false, noBrowserDesc)
+	upCmd.PersistentFlags().BoolVar(&showQR, showQRFlag, false, showQRDesc)
 	upCmd.PersistentFlags().StringVar(&profileName, profileNameFlag, "", profileNameDesc)
 	upCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "(DEPRECATED) NetBird config file location. ")
 

client/embed/capture.go

@@ -0,0 +1,65 @@
+package embed
+
+import (
+	"io"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/util/capture"
+)
+
+// CaptureOptions configures a packet capture session.
+type CaptureOptions struct {
+	// Output receives pcap-formatted data. Nil disables pcap output.
+	Output io.Writer
+	// TextOutput receives human-readable packet summaries. Nil disables text output.
+	TextOutput io.Writer
+	// Filter is a BPF-like filter expression (e.g. "host 10.0.0.1 and tcp port 443").
+	// Empty captures all packets.
+	Filter string
+	// Verbose adds seq/ack, TTL, window, and total length to text output.
+	Verbose bool
+	// ASCII dumps transport payload as printable ASCII after each packet line.
+	ASCII bool
+}
+
+// CaptureStats reports capture session counters.
+type CaptureStats struct {
+	Packets int64
+	Bytes   int64
+	Dropped int64
+}
+
+// CaptureSession represents an active packet capture. Call Stop to end the
+// capture and flush buffered packets.
+type CaptureSession struct {
+	sess   *capture.Session
+	engine *internal.Engine
+}
+
+// Stop ends the capture, flushes remaining packets, and detaches from the device.
+// Safe to call multiple times.
+func (cs *CaptureSession) Stop() {
+	if cs.engine != nil {
+		_ = cs.engine.SetCapture(nil)
+		cs.engine = nil
+	}
+	if cs.sess != nil {
+		cs.sess.Stop()
+	}
+}
+
+// Stats returns current capture counters.
+func (cs *CaptureSession) Stats() CaptureStats {
+	s := cs.sess.Stats()
+	return CaptureStats{
+		Packets: s.Packets,
+		Bytes:   s.Bytes,
+		Dropped: s.Dropped,
+	}
+}
+
+// Done returns a channel that is closed when the capture's writer goroutine
+// has fully exited and all buffered packets have been flushed.
+func (cs *CaptureSession) Done() <-chan struct{} {
+	return cs.sess.Done()
+}

client/embed/embed.go

@@ -24,6 +24,7 @@ import (
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/util/capture"
 )
 
 var (
@@ -65,7 +66,7 @@ type Options struct {
 	PrivateKey string
 	// ManagementURL overrides the default management server URL
 	ManagementURL string
-	// PreSharedKey is the pre-shared key for the WireGuard interface
+	// PreSharedKey is the pre-shared key for the tunnel interface
 	PreSharedKey string
 	// LogOutput is the output destination for logs (defaults to os.Stderr if nil)
 	LogOutput io.Writer
@@ -81,9 +82,9 @@ type Options struct {
 	DisableClientRoutes bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
-	// WireguardPort is the port for the WireGuard interface. Use 0 for a random port.
+	// WireguardPort is the port for the tunnel interface. Use 0 for a random port.
 	WireguardPort *int
-	// MTU is the MTU for the WireGuard interface.
+	// MTU is the MTU for the tunnel interface.
 	// Valid values are in the range 576..8192 bytes.
 	// If non-nil, this value overrides any value stored in the config file.
 	// If nil, the existing config MTU (if non-zero) is preserved; otherwise it defaults to 1280.
@@ -469,6 +470,52 @@ func (c *Client) VerifySSHHostKey(peerAddress string, key []byte) error {
 	return sshcommon.VerifyHostKey(storedKey, key, peerAddress)
 }
 
+// StartCapture begins capturing packets on this client's tunnel device.
+// Only one capture can be active at a time; starting a new one stops the previous.
+// Call StopCapture (or CaptureSession.Stop) to end it.
+func (c *Client) StartCapture(opts CaptureOptions) (*CaptureSession, error) {
+	engine, err := c.getEngine()
+	if err != nil {
+		return nil, err
+	}
+
+	var matcher capture.Matcher
+	if opts.Filter != "" {
+		m, err := capture.ParseFilter(opts.Filter)
+		if err != nil {
+			return nil, fmt.Errorf("parse filter: %w", err)
+		}
+		matcher = m
+	}
+
+	sess, err := capture.NewSession(capture.Options{
+		Output:     opts.Output,
+		TextOutput: opts.TextOutput,
+		Matcher:    matcher,
+		Verbose:    opts.Verbose,
+		ASCII:      opts.ASCII,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("create capture session: %w", err)
+	}
+
+	if err := engine.SetCapture(sess); err != nil {
+		sess.Stop()
+		return nil, fmt.Errorf("set capture: %w", err)
+	}
+
+	return &CaptureSession{sess: sess, engine: engine}, nil
+}
+
+// StopCapture stops the active capture session if one is running.
+func (c *Client) StopCapture() error {
+	engine, err := c.getEngine()
+	if err != nil {
+		return err
+	}
+	return engine.SetCapture(nil)
+}
+
 // getEngine safely retrieves the engine from the client with proper locking.
 // Returns ErrClientNotStarted if the client is not started.
 // Returns ErrEngineNotStarted if the engine is not available.

client/firewall/uspfilter/filter.go

@@ -115,12 +115,13 @@ type Manager struct {
 
 	localipmanager *localIPManager
 
-	udpTracker  *conntrack.UDPTracker
-	icmpTracker *conntrack.ICMPTracker
-	tcpTracker  *conntrack.TCPTracker
-	forwarder   atomic.Pointer[forwarder.Forwarder]
-	logger      *nblog.Logger
-	flowLogger  nftypes.FlowLogger
+	udpTracker     *conntrack.UDPTracker
+	icmpTracker    *conntrack.ICMPTracker
+	tcpTracker     *conntrack.TCPTracker
+	forwarder      atomic.Pointer[forwarder.Forwarder]
+	pendingCapture atomic.Pointer[forwarder.PacketCapture]
+	logger         *nblog.Logger
+	flowLogger     nftypes.FlowLogger
 
 	blockRule firewall.Rule
 
@@ -351,6 +352,19 @@ func (m *Manager) determineRouting() error {
 	return nil
 }
 
+// SetPacketCapture sets or clears packet capture on the forwarder endpoint.
+// This captures outbound response packets that bypass the FilteredDevice in netstack mode.
+func (m *Manager) SetPacketCapture(pc forwarder.PacketCapture) {
+	if pc == nil {
+		m.pendingCapture.Store(nil)
+	} else {
+		m.pendingCapture.Store(&pc)
+	}
+	if fwder := m.forwarder.Load(); fwder != nil {
+		fwder.SetCapture(pc)
+	}
+}
+
 // initForwarder initializes the forwarder, it disables routing on errors
 func (m *Manager) initForwarder() error {
 	if m.forwarder.Load() != nil {
@@ -372,6 +386,11 @@ func (m *Manager) initForwarder() error {
 
 	m.forwarder.Store(forwarder)
 
+	// Re-load after store: a concurrent SetPacketCapture may have seen forwarder as nil and only updated pendingCapture.
+	if pc := m.pendingCapture.Load(); pc != nil {
+		forwarder.SetCapture(*pc)
+	}
+
 	log.Debug("forwarder initialized")
 
 	return nil
@@ -614,6 +633,7 @@ func (m *Manager) resetState() {
 	}
 
 	if fwder := m.forwarder.Load(); fwder != nil {
+		fwder.SetCapture(nil)
 		fwder.Stop()
 	}
 

client/firewall/uspfilter/forwarder/endpoint.go

@@ -12,12 +12,19 @@ import (
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 )
 
+// PacketCapture captures raw packets for debugging. Implementations must be
+// safe for concurrent use and must not block.
+type PacketCapture interface {
+	Offer(data []byte, outbound bool)
+}
+
 // endpoint implements stack.LinkEndpoint and handles integration with the wireguard device
 type endpoint struct {
 	logger     *nblog.Logger
 	dispatcher stack.NetworkDispatcher
 	device     *wgdevice.Device
 	mtu        atomic.Uint32
+	capture    atomic.Pointer[PacketCapture]
 }
 
 func (e *endpoint) Attach(dispatcher stack.NetworkDispatcher) {
@@ -54,13 +61,17 @@ func (e *endpoint) WritePackets(pkts stack.PacketBufferList) (int, tcpip.Error)
 			continue
 		}
 
-		// Send the packet through WireGuard
+		pktBytes := data.AsSlice()
+
 		address := netHeader.DestinationAddress()
-		err := e.device.CreateOutboundPacket(data.AsSlice(), address.AsSlice())
-		if err != nil {
+		if err := e.device.CreateOutboundPacket(pktBytes, address.AsSlice()); err != nil {
 			e.logger.Error1("CreateOutboundPacket: %v", err)
 			continue
 		}
+
+		if pc := e.capture.Load(); pc != nil {
+			(*pc).Offer(pktBytes, true)
+		}
 		written++
 	}
 

client/firewall/uspfilter/forwarder/forwarder.go

@@ -139,6 +139,16 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	return f, nil
 }
 
+// SetCapture sets or clears the packet capture on the forwarder endpoint.
+// This captures outbound packets that bypass the FilteredDevice (netstack forwarding).
+func (f *Forwarder) SetCapture(pc PacketCapture) {
+	if pc == nil {
+		f.endpoint.capture.Store(nil)
+		return
+	}
+	f.endpoint.capture.Store(&pc)
+}
+
 func (f *Forwarder) InjectIncomingPacket(payload []byte) error {
 	if len(payload) < header.IPv4MinimumSize {
 		return fmt.Errorf("packet too small: %d bytes", len(payload))

client/firewall/uspfilter/forwarder/icmp.go

@@ -270,5 +270,9 @@ func (f *Forwarder) injectICMPReply(id stack.TransportEndpointID, icmpPayload []
 		return 0
 	}
 
+	if pc := f.endpoint.capture.Load(); pc != nil {
+		(*pc).Offer(fullPacket, true)
+	}
+
 	return len(fullPacket)
 }

client/iface/device/device_filter.go

@@ -3,6 +3,7 @@ package device
 import (
 	"net/netip"
 	"sync"
+	"sync/atomic"
 
 	"golang.zx2c4.com/wireguard/tun"
 )
@@ -28,11 +29,20 @@ type PacketFilter interface {
 	SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool)
 }
 
+// PacketCapture captures raw packets for debugging. Implementations must be
+// safe for concurrent use and must not block.
+type PacketCapture interface {
+	// Offer submits a packet for capture. outbound is true for packets
+	// leaving the host (Read path), false for packets arriving (Write path).
+	Offer(data []byte, outbound bool)
+}
+
 // FilteredDevice to override Read or Write of packets
 type FilteredDevice struct {
 	tun.Device
 
 	filter    PacketFilter
+	capture   atomic.Pointer[PacketCapture]
 	mutex     sync.RWMutex
 	closeOnce sync.Once
 }
@@ -63,20 +73,25 @@ func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, er
 	if n, err = d.Device.Read(bufs, sizes, offset); err != nil {
 		return 0, err
 	}
+
 	d.mutex.RLock()
 	filter := d.filter
 	d.mutex.RUnlock()
 
-	if filter == nil {
-		return
+	if filter != nil {
+		for i := 0; i < n; i++ {
+			if filter.FilterOutbound(bufs[i][offset:offset+sizes[i]], sizes[i]) {
+				bufs = append(bufs[:i], bufs[i+1:]...)
+				sizes = append(sizes[:i], sizes[i+1:]...)
+				n--
+				i--
+			}
+		}
 	}
 
-	for i := 0; i < n; i++ {
-		if filter.FilterOutbound(bufs[i][offset:offset+sizes[i]], sizes[i]) {
-			bufs = append(bufs[:i], bufs[i+1:]...)
-			sizes = append(sizes[:i], sizes[i+1:]...)
-			n--
-			i--
+	if pc := d.capture.Load(); pc != nil {
+		for i := 0; i < n; i++ {
+			(*pc).Offer(bufs[i][offset:offset+sizes[i]], true)
 		}
 	}
 
@@ -85,6 +100,13 @@ func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, er
 
 // Write wraps write method with filtering feature
 func (d *FilteredDevice) Write(bufs [][]byte, offset int) (int, error) {
+	// Capture before filtering so dropped packets are still visible in captures.
+	if pc := d.capture.Load(); pc != nil {
+		for _, buf := range bufs {
+			(*pc).Offer(buf[offset:], false)
+		}
+	}
+
 	d.mutex.RLock()
 	filter := d.filter
 	d.mutex.RUnlock()
@@ -96,9 +118,10 @@ func (d *FilteredDevice) Write(bufs [][]byte, offset int) (int, error) {
 	filteredBufs := make([][]byte, 0, len(bufs))
 	dropped := 0
 	for _, buf := range bufs {
-		if !filter.FilterInbound(buf[offset:], len(buf)) {
-			filteredBufs = append(filteredBufs, buf)
+		if filter.FilterInbound(buf[offset:], len(buf)) {
 			dropped++
+		} else {
+			filteredBufs = append(filteredBufs, buf)
 		}
 	}
 
@@ -113,3 +136,14 @@ func (d *FilteredDevice) SetFilter(filter PacketFilter) {
 	d.filter = filter
 	d.mutex.Unlock()
 }
+
+// SetCapture sets or clears the packet capture sink. Pass nil to disable.
+// Uses atomic store so the hot path (Read/Write) is a single pointer load
+// with no locking overhead when capture is off.
+func (d *FilteredDevice) SetCapture(pc PacketCapture) {
+	if pc == nil {
+		d.capture.Store(nil)
+		return
+	}
+	d.capture.Store(&pc)
+}

client/iface/device/device_filter_test.go

@@ -158,7 +158,7 @@ func TestDeviceWrapperRead(t *testing.T) {
 			t.Errorf("unexpected error: %v", err)
 			return
 		}
-		if n != 0 {
+		if n != 1 {
 			t.Errorf("expected n=1, got %d", n)
 			return
 		}

client/internal/debug/debug.go

@@ -61,6 +61,7 @@ allocs.prof: Allocations profiling information.
 threadcreate.prof: Thread creation profiling information.
 cpu.prof: CPU profiling information.
 stack_trace.txt: Complete stack traces of all goroutines at the time of bundle creation.
+capture.pcap: Packet capture in pcap format. Only present when capture was running during bundle collection. Omitted from anonymized bundles because it contains raw decrypted packet data.
 
 
 Anonymization Process
@@ -234,6 +235,7 @@ type BundleGenerator struct {
 	logPath        string
 	tempDir        string
 	cpuProfile     []byte
+	capturePath    string
 	refreshStatus  func() // Optional callback to refresh status before bundle generation
 	clientMetrics  MetricsExporter
 
@@ -257,7 +259,8 @@ type GeneratorDependencies struct {
 	LogPath        string
 	TempDir        string // Directory for temporary bundle zip files. If empty, os.TempDir() is used.
 	CPUProfile     []byte
-	RefreshStatus  func() // Optional callback to refresh status before bundle generation
+	CapturePath    string
+	RefreshStatus  func()
 	ClientMetrics  MetricsExporter
 }
 
@@ -277,6 +280,7 @@ func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGen
 		logPath:        deps.LogPath,
 		tempDir:        deps.TempDir,
 		cpuProfile:     deps.CPUProfile,
+		capturePath:    deps.CapturePath,
 		refreshStatus:  deps.RefreshStatus,
 		clientMetrics:  deps.ClientMetrics,
 
@@ -346,6 +350,10 @@ func (g *BundleGenerator) createArchive() error {
 		log.Errorf("failed to add CPU profile to debug bundle: %v", err)
 	}
 
+	if err := g.addCaptureFile(); err != nil {
+		log.Errorf("failed to add capture file to debug bundle: %v", err)
+	}
+
 	if err := g.addStackTrace(); err != nil {
 		log.Errorf("failed to add stack trace to debug bundle: %v", err)
 	}
@@ -669,6 +677,29 @@ func (g *BundleGenerator) addCPUProfile() error {
 	return nil
 }
 
+func (g *BundleGenerator) addCaptureFile() error {
+	if g.capturePath == "" {
+		return nil
+	}
+
+	if g.anonymize {
+		log.Info("skipping capture file in anonymized bundle (contains raw packet data)")
+		return nil
+	}
+
+	f, err := os.Open(g.capturePath)
+	if err != nil {
+		return fmt.Errorf("open capture file: %w", err)
+	}
+	defer f.Close()
+
+	if err := g.addFileToZip(f, "capture.pcap"); err != nil {
+		return fmt.Errorf("add capture file to zip: %w", err)
+	}
+
+	return nil
+}
+
 func (g *BundleGenerator) addStackTrace() error {
 	buf := make([]byte, 5242880) // 5 MB buffer
 	n := runtime.Stack(buf, true)

client/internal/dns/dnsfw/config.go

@@ -0,0 +1,63 @@
+package dnsfw
+
+import (
+	"os"
+	"strconv"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	// EnvDisable disables the DNS firewall entirely when set to a truthy value.
+	EnvDisable = "NB_DISABLE_DNS_FIREWALL"
+	// EnvPorts overrides the comma-separated list of remote ports to block.
+	// Empty disables the firewall.
+	EnvPorts = "NB_DNS_FIREWALL_PORTS"
+	// EnvStrict enables strict mode: permit DNS only to the virtual DNS IP
+	// and the netbird daemon. Default mode also permits anything on the
+	// netbird tunnel interface, which is safer if NRPT is silently ignored
+	// by Windows but lets apps reach custom DNS servers via the tunnel.
+	EnvStrict = "NB_DNS_FIREWALL_STRICT"
+)
+
+// defaultBlockedPorts are the well-known DNS ports we block for non-netbird
+// processes: 53 (plain DNS) and 853 (DNS-over-TLS).
+var defaultBlockedPorts = []uint16{53, 853}
+
+// blockedPorts returns the effective port list, honoring env overrides.
+// A nil return means the firewall should not be installed.
+func blockedPorts() []uint16 {
+	if disabled, _ := strconv.ParseBool(os.Getenv(EnvDisable)); disabled {
+		log.Infof("dns firewall disabled via %s", EnvDisable)
+		return nil
+	}
+
+	override, ok := os.LookupEnv(EnvPorts)
+	if !ok {
+		return defaultBlockedPorts
+	}
+
+	var ports []uint16
+	for _, raw := range strings.Split(override, ",") {
+		raw = strings.TrimSpace(raw)
+		if raw == "" {
+			continue
+		}
+		port, err := strconv.ParseUint(raw, 10, 16)
+		if err != nil {
+			log.Warnf("dns firewall: ignoring invalid port %q in %s: %v", raw, EnvPorts, err)
+			continue
+		}
+		if port == 0 {
+			log.Warnf("dns firewall: ignoring port 0 in %s", EnvPorts)
+			continue
+		}
+		ports = append(ports, uint16(port))
+	}
+	if len(ports) == 0 {
+		log.Infof("dns firewall disabled: %s yielded no valid ports", EnvPorts)
+		return nil
+	}
+	return ports
+}

client/internal/dns/dnsfw/config_test.go

@@ -0,0 +1,39 @@
+package dnsfw
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestBlockedPorts(t *testing.T) {
+	tests := []struct {
+		name     string
+		disable  string
+		ports    string
+		setPorts bool
+		want     []uint16
+	}{
+		{name: "default", want: defaultBlockedPorts},
+		{name: "disabled", disable: "true", want: nil},
+		{name: "disabled false keeps default", disable: "false", want: defaultBlockedPorts},
+		{name: "override single port", ports: "53", setPorts: true, want: []uint16{53}},
+		{name: "override multi", ports: "53, 853 ,5353", setPorts: true, want: []uint16{53, 853, 5353}},
+		{name: "override empty disables", ports: "", setPorts: true, want: nil},
+		{name: "override invalid skipped", ports: "53,not-a-port,853", setPorts: true, want: []uint16{53, 853}},
+		{name: "override zero skipped", ports: "53,0,853", setPorts: true, want: []uint16{53, 853}},
+		{name: "override only invalid disables", ports: "abc", setPorts: true, want: nil},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Setenv(EnvDisable, tc.disable)
+			if tc.setPorts {
+				t.Setenv(EnvPorts, tc.ports)
+			}
+			got := blockedPorts()
+			if !reflect.DeepEqual(got, tc.want) {
+				t.Fatalf("blockedPorts() = %v, want %v", got, tc.want)
+			}
+		})
+	}
+}

client/internal/dns/dnsfw/dnsfw.go

@@ -0,0 +1,16 @@
+// Package dnsfw blocks DNS traffic from non-netbird processes when netbird is
+// managing the host's DNS, so that resolvers running on apps or libraries
+// outside netbird cannot bypass the configured DNS path.
+//
+// Implementation is Windows-only (uses WFP). On other platforms New returns
+// a no-op manager.
+package dnsfw
+
+import "net/netip"
+
+// Manager controls the per-tunnel DNS firewall. Both methods must be safe
+// to call multiple times.
+type Manager interface {
+	Enable(ifaceGUID string, virtualDNSIP netip.Addr) error
+	Disable() error
+}

client/internal/dns/dnsfw/dnsfw_other.go

@@ -0,0 +1,15 @@
+//go:build !windows
+
+package dnsfw
+
+import "net/netip"
+
+type noopManager struct{}
+
+func (noopManager) Enable(string, netip.Addr) error { return nil }
+func (noopManager) Disable() error                  { return nil }
+
+// New returns a no-op manager on non-Windows platforms.
+func New() Manager {
+	return noopManager{}
+}

client/internal/dns/dnsfw/dnsfw_windows.go

@@ -0,0 +1,144 @@
+//go:build windows
+
+package dnsfw
+
+import (
+	"fmt"
+	"net/netip"
+	"os"
+	"strconv"
+	"sync"
+	"unsafe"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+var (
+	modIphlpapi                    = windows.NewLazyDLL("iphlpapi.dll")
+	procConvertInterfaceGuidToLuid = modIphlpapi.NewProc("ConvertInterfaceGuidToLuid")
+)
+
+type windowsManager struct {
+	mu sync.Mutex
+	// session is the WFP engine handle. Zero when disabled.
+	session uintptr
+}
+
+// Enable installs the dns firewall. Strict mode propagates failures;
+// non-strict mode logs and returns nil so partial protection is preserved.
+func (m *windowsManager) Enable(ifaceGUID string, virtualDNSIP netip.Addr) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	ports := blockedPorts()
+	if len(ports) == 0 {
+		return nil
+	}
+
+	if m.session != 0 {
+		if err := m.disableLocked(); err != nil {
+			return fmt.Errorf("reset existing dns firewall session: %w", err)
+		}
+	}
+
+	strict := strictMode()
+
+	luid, err := luidFromGUID(ifaceGUID)
+	if err != nil {
+		return m.failOrLog(strict, fmt.Errorf("resolve tun luid from guid %s: %w", ifaceGUID, err))
+	}
+
+	exe, err := os.Executable()
+	if err != nil {
+		return m.failOrLog(strict, fmt.Errorf("resolve daemon executable path: %w", err))
+	}
+
+	cfg := installConfig{
+		tunLUID:      luid,
+		daemonExe:    exe,
+		blockedPorts: ports,
+		strict:       strict,
+		virtualDNSIP: virtualDNSIP,
+	}
+	// session==0 signals a hard failure; non-zero with non-nil err is a partial install.
+	session, installErr := installFilters(cfg)
+	if session == 0 {
+		return m.failOrLog(strict, fmt.Errorf("install dns firewall filters: %w", installErr))
+	}
+
+	if installErr != nil && strict {
+		_ = closeSession(session)
+		return fmt.Errorf("strict dns firewall: partial install: %w", installErr)
+	}
+
+	m.session = session
+	log.Infof("dns firewall installed: iface=%s daemon=%s ports=%v strict=%v virtual_dns=%s",
+		ifaceGUID, exe, ports, strict, virtualDNSIP)
+	if installErr != nil {
+		log.Warnf("dns firewall partially installed (some filters failed): %v", installErr)
+	}
+	return nil
+}
+
+func (m *windowsManager) Disable() error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.disableLocked()
+}
+
+func (m *windowsManager) disableLocked() error {
+	if m.session == 0 {
+		return nil
+	}
+	session := m.session
+	m.session = 0
+	if err := closeSession(session); err != nil {
+		return fmt.Errorf("close wfp session: %w", err)
+	}
+	log.Info("dns firewall removed")
+	return nil
+}
+
+// failOrLog returns err unchanged in strict mode. In non-strict mode the
+// error is logged and nil is returned.
+func (m *windowsManager) failOrLog(strict bool, err error) error {
+	if strict {
+		return err
+	}
+	log.Errorf("dns firewall: %v", err)
+	return nil
+}
+
+// New returns a Windows DNS firewall manager backed by WFP.
+func New() Manager {
+	return &windowsManager{}
+}
+
+// strictMode reports whether strict mode is enabled via env.
+func strictMode() bool {
+	v, _ := strconv.ParseBool(os.Getenv(EnvStrict))
+	return v
+}
+
+// luidFromGUID converts a Windows interface GUID string to its LUID.
+func luidFromGUID(ifaceGUID string) (luid uint64, err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			err = fmt.Errorf("panic in luidFromGUID: %v", r)
+		}
+	}()
+
+	guid, err := windows.GUIDFromString(ifaceGUID)
+	if err != nil {
+		return 0, fmt.Errorf("parse guid: %w", err)
+	}
+	rc, _, _ := procConvertInterfaceGuidToLuid.Call(
+		uintptr(unsafe.Pointer(&guid)),
+		uintptr(unsafe.Pointer(&luid)),
+	)
+	if rc != 0 {
+		return 0, fmt.Errorf("ConvertInterfaceGuidToLuid returned %d", rc)
+	}
+	return luid, nil
+}

client/internal/dns/dnsfw/dnsfw_windows_test.go

@@ -0,0 +1,72 @@
+//go:build windows
+
+package dnsfw
+
+import (
+	"net/netip"
+	"os"
+	"testing"
+)
+
+func TestStrictMode(t *testing.T) {
+	tests := []struct {
+		name string
+		val  string
+		set  bool
+		want bool
+	}{
+		{name: "unset", want: false},
+		{name: "true", val: "true", set: true, want: true},
+		{name: "1", val: "1", set: true, want: true},
+		{name: "false", val: "false", set: true, want: false},
+		{name: "invalid is false", val: "garbage", set: true, want: false},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Setenv(EnvStrict, tc.val)
+			if !tc.set {
+				os.Unsetenv(EnvStrict)
+			}
+			if got := strictMode(); got != tc.want {
+				t.Fatalf("strictMode() = %v, want %v", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestWindowsManagerDisableIdempotent(t *testing.T) {
+	m := &windowsManager{}
+	if err := m.Disable(); err != nil {
+		t.Fatalf("first Disable on fresh manager: %v", err)
+	}
+	if err := m.Disable(); err != nil {
+		t.Fatalf("second Disable on fresh manager: %v", err)
+	}
+	if m.session != 0 {
+		t.Fatalf("session should remain zero, got %d", m.session)
+	}
+}
+
+func TestWindowsManagerEnableNoOpWhenDisabledByEnv(t *testing.T) {
+	t.Setenv(EnvDisable, "true")
+
+	m := &windowsManager{}
+	if err := m.Enable("00000000-0000-0000-0000-000000000000", netip.Addr{}); err != nil {
+		t.Fatalf("Enable should be a no-op when firewall disabled by env: %v", err)
+	}
+	if m.session != 0 {
+		t.Fatalf("session must remain zero when env disables firewall, got %d", m.session)
+	}
+}
+
+func TestWindowsManagerEnableNoOpWhenPortsEmpty(t *testing.T) {
+	t.Setenv(EnvPorts, "")
+
+	m := &windowsManager{}
+	if err := m.Enable("00000000-0000-0000-0000-000000000000", netip.Addr{}); err != nil {
+		t.Fatalf("Enable should be a no-op when ports list is empty: %v", err)
+	}
+	if m.session != 0 {
+		t.Fatalf("session must remain zero when ports list is empty, got %d", m.session)
+	}
+}

client/internal/dns/dnsfw/helpers_windows.go

@@ -0,0 +1,53 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/helpers.go.
+ */
+
+package dnsfw
+
+import (
+	"errors"
+	"fmt"
+	"runtime"
+	"syscall"
+
+	"golang.org/x/sys/windows"
+)
+
+func createWtFwpmDisplayData0(name, description string) (*wtFwpmDisplayData0, error) {
+	namePtr, err := windows.UTF16PtrFromString(name)
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+
+	descriptionPtr, err := windows.UTF16PtrFromString(description)
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+
+	return &wtFwpmDisplayData0{
+		name:        namePtr,
+		description: descriptionPtr,
+	}, nil
+}
+
+func filterWeight(weight uint8) wtFwpValue0 {
+	return wtFwpValue0{
+		_type: cFWP_UINT8,
+		value: uintptr(weight),
+	}
+}
+
+func wrapErr(err error) error {
+	var errno syscall.Errno
+	if !errors.As(err, &errno) {
+		return err
+	}
+	_, file, line, ok := runtime.Caller(1)
+	if !ok {
+		return fmt.Errorf("wfp error at unknown location: %w", err)
+	}
+	return fmt.Errorf("wfp error at %s:%d: %w", file, line, err)
+}

client/internal/dns/dnsfw/rules_windows.go

@@ -0,0 +1,249 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ * Copyright (C) 2026 NetBird GmbH. All Rights Reserved.
+ *
+ * Filter installers adapted from wireguard-windows tunnel/firewall/rules.go.
+ * The block-DNS approach (port 53 + UDP/TCP) matches what wireguard-windows
+ * uses for its kill-switch DNS leak protection. We extend it with a
+ * configurable port set so we also cover :853 (DoT) and any future ports.
+ */
+
+package dnsfw
+
+import (
+	"encoding/binary"
+	"fmt"
+	"net/netip"
+	"unsafe"
+
+	"github.com/hashicorp/go-multierror"
+	"golang.org/x/sys/windows"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+)
+
+// Filters install at outbound ALE_AUTH_CONNECT layers only; inbound replies
+// follow the authorized outbound flow.
+
+// permitTunInterface installs a permit filter for any traffic whose local
+// interface is the netbird tunnel.
+func permitTunInterface(session uintptr, base *baseObjects, weight uint8, ifLUID uint64) error {
+	cond := wtFwpmFilterCondition0{
+		fieldKey:  cFWPM_CONDITION_IP_LOCAL_INTERFACE,
+		matchType: cFWP_MATCH_EQUAL,
+		conditionValue: wtFwpConditionValue0{
+			_type: cFWP_UINT64,
+			value: uintptr(unsafe.Pointer(&ifLUID)),
+		},
+	}
+
+	filter := wtFwpmFilter0{
+		providerKey:         &base.provider,
+		subLayerKey:         base.filters,
+		weight:              filterWeight(weight),
+		numFilterConditions: 1,
+		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&cond)),
+		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
+	}
+
+	return addOutboundFilters(session, &filter, "Permit netbird tunnel")
+}
+
+// permitDaemonByAppID installs a permit filter matching the netbird daemon
+// executable by App-ID. App-ID alone is sufficient because netbird.exe is a
+// dedicated binary.
+func permitDaemonByAppID(session uintptr, base *baseObjects, daemonExe string, weight uint8) error {
+	appID, err := daemonAppID(daemonExe)
+	if err != nil {
+		return err
+	}
+	defer fwpmFreeMemory0(unsafe.Pointer(&appID))
+
+	cond := wtFwpmFilterCondition0{
+		fieldKey:  cFWPM_CONDITION_ALE_APP_ID,
+		matchType: cFWP_MATCH_EQUAL,
+		conditionValue: wtFwpConditionValue0{
+			_type: cFWP_BYTE_BLOB_TYPE,
+			value: uintptr(unsafe.Pointer(appID)),
+		},
+	}
+
+	filter := wtFwpmFilter0{
+		providerKey:         &base.provider,
+		subLayerKey:         base.filters,
+		weight:              filterWeight(weight),
+		numFilterConditions: 1,
+		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&cond)),
+		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
+	}
+
+	return addOutboundFilters(session, &filter, "Permit netbird daemon")
+}
+
+// permitVirtualDNSIP installs a permit filter for DNS-port traffic destined
+// for the in-tunnel virtual DNS IP. Used in strict mode in lieu of
+// permitTunInterface.
+func permitVirtualDNSIP(session uintptr, base *baseObjects, ip netip.Addr, ports []uint16, weight uint8) error {
+	var merr *multierror.Error
+	for _, port := range ports {
+		if err := permitDNSToHost(session, base, ip, port, weight); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("permit %s:%d: %w", ip, port, err))
+		}
+	}
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func permitDNSToHost(session uintptr, base *baseObjects, ip netip.Addr, port uint16, weight uint8) error {
+	if !ip.IsValid() {
+		return fmt.Errorf("invalid address")
+	}
+
+	var addrCond wtFwpmFilterCondition0
+	var layer windows.GUID
+	// v6 backing must outlive fwpmFilterAdd0; keep it on this stack frame.
+	var v6 wtFwpByteArray16
+
+	if ip.Is4() {
+		v4 := ip.As4()
+		addrCond = wtFwpmFilterCondition0{
+			fieldKey:  cFWPM_CONDITION_IP_REMOTE_ADDRESS,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_UINT32,
+				value: uintptr(binary.BigEndian.Uint32(v4[:])),
+			},
+		}
+		layer = cFWPM_LAYER_ALE_AUTH_CONNECT_V4
+	} else {
+		v6 = wtFwpByteArray16{byteArray16: ip.As16()}
+		addrCond = wtFwpmFilterCondition0{
+			fieldKey:  cFWPM_CONDITION_IP_REMOTE_ADDRESS,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_BYTE_ARRAY16_TYPE,
+				value: uintptr(unsafe.Pointer(&v6)),
+			},
+		}
+		layer = cFWPM_LAYER_ALE_AUTH_CONNECT_V6
+	}
+
+	conditions := [2]wtFwpmFilterCondition0{
+		addrCond,
+		{
+			fieldKey:  cFWPM_CONDITION_IP_REMOTE_PORT,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_UINT16,
+				value: uintptr(port),
+			},
+		},
+	}
+	filter := wtFwpmFilter0{
+		providerKey:         &base.provider,
+		subLayerKey:         base.filters,
+		weight:              filterWeight(weight),
+		numFilterConditions: uint32(len(conditions)),
+		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
+		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
+	}
+
+	display, err := createWtFwpmDisplayData0(fmt.Sprintf("Permit DNS to %s:%d", ip, port), "")
+	if err != nil {
+		return wrapErr(err)
+	}
+	filter.displayData = *display
+	filter.layerKey = layer
+
+	var filterID uint64
+	if err := fwpmFilterAdd0(session, &filter, 0, &filterID); err != nil {
+		return wrapErr(err)
+	}
+	_ = v6
+	return nil
+}
+
+// blockDNSPorts installs a deny filter for outbound traffic to each of the
+// given remote ports over UDP or TCP. Per-port and per-layer failures are
+// accumulated; partial coverage is preferred over zero coverage.
+func blockDNSPorts(session uintptr, base *baseObjects, ports []uint16, weight uint8) error {
+	var merr *multierror.Error
+	for _, port := range ports {
+		if err := blockDNSPort(session, base, port, weight); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("block port %d: %w", port, err))
+		}
+	}
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func blockDNSPort(session uintptr, base *baseObjects, port uint16, weight uint8) error {
+	conditions := [3]wtFwpmFilterCondition0{
+		{
+			fieldKey:  cFWPM_CONDITION_IP_REMOTE_PORT,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_UINT16,
+				value: uintptr(port),
+			},
+		},
+		{
+			fieldKey:  cFWPM_CONDITION_IP_PROTOCOL,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_UINT8,
+				value: uintptr(cIPPROTO_UDP),
+			},
+		},
+		// Repeat the IP_PROTOCOL condition for logical OR with TCP.
+		{
+			fieldKey:  cFWPM_CONDITION_IP_PROTOCOL,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_UINT8,
+				value: uintptr(cIPPROTO_TCP),
+			},
+		},
+	}
+
+	filter := wtFwpmFilter0{
+		providerKey:         &base.provider,
+		subLayerKey:         base.filters,
+		weight:              filterWeight(weight),
+		numFilterConditions: uint32(len(conditions)),
+		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
+		action:              wtFwpmAction0{_type: cFWP_ACTION_BLOCK},
+	}
+
+	return addOutboundFilters(session, &filter, fmt.Sprintf("Block DNS port %d", port))
+}
+
+// addOutboundFilters installs the same filter on the v4 and v6 outbound ALE
+// connect layers. v4 and v6 are installed independently: failure on one
+// layer does not abort the other, and the accumulated errors are returned.
+// Partial coverage is preferred over zero coverage.
+func addOutboundFilters(session uintptr, filter *wtFwpmFilter0, name string) error {
+	layers := [...]struct {
+		layer windows.GUID
+		label string
+	}{
+		{cFWPM_LAYER_ALE_AUTH_CONNECT_V4, name + " (IPv4)"},
+		{cFWPM_LAYER_ALE_AUTH_CONNECT_V6, name + " (IPv6)"},
+	}
+
+	var merr *multierror.Error
+	for _, l := range layers {
+		display, err := createWtFwpmDisplayData0(l.label, "")
+		if err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("%s: %w", l.label, wrapErr(err)))
+			continue
+		}
+		filter.displayData = *display
+		filter.layerKey = l.layer
+
+		var filterID uint64
+		if err := fwpmFilterAdd0(session, filter, 0, &filterID); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("%s: %w", l.label, wrapErr(err)))
+		}
+	}
+	return nberrors.FormatErrorOrNil(merr)
+}

client/internal/dns/dnsfw/session_windows.go

@@ -0,0 +1,177 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ * Copyright (C) 2026 NetBird GmbH. All Rights Reserved.
+ *
+ * Session lifecycle and the high-level Install/Close entry points adapted
+ * from wireguard-windows tunnel/firewall.
+ */
+
+package dnsfw
+
+import (
+	"errors"
+	"fmt"
+	"net/netip"
+	"unsafe"
+
+	"github.com/hashicorp/go-multierror"
+	"golang.org/x/sys/windows"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+)
+
+// installConfig is the input to installFilters.
+type installConfig struct {
+	tunLUID      uint64
+	daemonExe    string
+	blockedPorts []uint16
+	// strict, when true, narrows the carve-out from "anything on tun" to
+	// "DNS only to virtualDNSIP". virtualDNSIP must be valid in this case.
+	strict       bool
+	virtualDNSIP netip.Addr
+}
+
+// baseObjects holds the GUIDs of the WFP provider and sublayer registered
+// for our session. Both are randomly generated per session.
+type baseObjects struct {
+	provider windows.GUID
+	filters  windows.GUID
+}
+
+// installFilters opens a dynamic WFP session and installs the netbird DNS
+// firewall filters. Returns a zero session on hard failure (session create,
+// base objects); a non-zero session with a non-nil error is a partial install
+// (some per-filter installs failed) and is safe to close.
+func installFilters(cfg installConfig) (session uintptr, err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			// Dynamic session: kernel will clean up on process exit even
+			// if we leave the handle dangling here.
+			err = fmt.Errorf("panic in installFilters: %v", r)
+		}
+	}()
+
+	if len(cfg.blockedPorts) == 0 {
+		return 0, errors.New("dns firewall: no blocked ports configured")
+	}
+	if cfg.strict && !cfg.virtualDNSIP.IsValid() {
+		return 0, errors.New("dns firewall: strict mode requires a valid virtual DNS IP")
+	}
+
+	session, err = createSession()
+	if err != nil {
+		return 0, err
+	}
+
+	base, err := registerBaseObjects(session)
+	if err != nil {
+		_ = fwpmEngineClose0(session)
+		return 0, fmt.Errorf("register base objects: %w", err)
+	}
+
+	var merr *multierror.Error
+	if cfg.strict {
+		if err := permitVirtualDNSIP(session, base, cfg.virtualDNSIP, cfg.blockedPorts, 15); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("permit virtual dns: %w", err))
+		}
+	} else {
+		if err := permitTunInterface(session, base, 15, cfg.tunLUID); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("permit tun interface: %w", err))
+		}
+	}
+	if err := permitDaemonByAppID(session, base, cfg.daemonExe, 14); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("permit netbird daemon: %w", err))
+	}
+	if err := blockDNSPorts(session, base, cfg.blockedPorts, 10); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("block dns ports: %w", err))
+	}
+
+	return session, nberrors.FormatErrorOrNil(merr)
+}
+
+// closeSession tears down a WFP session previously opened by installFilters.
+// All filters owned by the session are removed.
+func closeSession(session uintptr) (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			err = fmt.Errorf("panic in closeSession: %v", r)
+		}
+	}()
+
+	if session == 0 {
+		return nil
+	}
+	if err := fwpmEngineClose0(session); err != nil {
+		return wrapErr(err)
+	}
+	return nil
+}
+
+func createSession() (uintptr, error) {
+	displayData, err := createWtFwpmDisplayData0("NetBird DNS firewall", "NetBird DNS firewall dynamic session")
+	if err != nil {
+		return 0, wrapErr(err)
+	}
+	session := wtFwpmSession0{
+		displayData:          *displayData,
+		flags:                cFWPM_SESSION_FLAG_DYNAMIC,
+		txnWaitTimeoutInMSec: windows.INFINITE,
+	}
+	var handle uintptr
+	if err := fwpmEngineOpen0(nil, cRPC_C_AUTHN_WINNT, nil, &session, unsafe.Pointer(&handle)); err != nil {
+		return 0, wrapErr(err)
+	}
+	return handle, nil
+}
+
+func registerBaseObjects(session uintptr) (*baseObjects, error) {
+	bo := &baseObjects{}
+	var err error
+	if bo.provider, err = windows.GenerateGUID(); err != nil {
+		return nil, wrapErr(err)
+	}
+	if bo.filters, err = windows.GenerateGUID(); err != nil {
+		return nil, wrapErr(err)
+	}
+
+	displayData, err := createWtFwpmDisplayData0("NetBird DNS firewall", "NetBird DNS firewall provider")
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+	provider := wtFwpmProvider0{
+		providerKey: bo.provider,
+		displayData: *displayData,
+	}
+	if err := fwpmProviderAdd0(session, &provider, 0); err != nil {
+		return nil, wrapErr(err)
+	}
+
+	subDisplay, err := createWtFwpmDisplayData0("NetBird DNS firewall filters", "Permit and block filters")
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+	sublayer := wtFwpmSublayer0{
+		subLayerKey: bo.filters,
+		displayData: *subDisplay,
+		providerKey: &bo.provider,
+		weight:      ^uint16(0),
+	}
+	if err := fwpmSubLayerAdd0(session, &sublayer, 0); err != nil {
+		return nil, wrapErr(err)
+	}
+	return bo, nil
+}
+
+// daemonAppID returns the WFP App-ID byte blob for the given executable path.
+func daemonAppID(path string) (*wtFwpByteBlob, error) {
+	pathPtr, err := windows.UTF16PtrFromString(path)
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+	var appID *wtFwpByteBlob
+	if err := fwpmGetAppIdFromFileName0(pathPtr, unsafe.Pointer(&appID)); err != nil {
+		return nil, wrapErr(err)
+	}
+	return appID, nil
+}

client/internal/dns/dnsfw/syscall_windows.go

@@ -0,0 +1,38 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/syscall_windows.go.
+ */
+
+package dnsfw
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmengineopen0
+//sys	fwpmEngineOpen0(serverName *uint16, authnService wtRpcCAuthN, authIdentity *uintptr, session *wtFwpmSession0, engineHandle unsafe.Pointer) (err error) [failretval!=0] = fwpuclnt.FwpmEngineOpen0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmengineclose0
+//sys	fwpmEngineClose0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmEngineClose0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmsublayeradd0
+//sys	fwpmSubLayerAdd0(engineHandle uintptr, subLayer *wtFwpmSublayer0, sd uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmSubLayerAdd0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmgetappidfromfilename0
+//sys	fwpmGetAppIdFromFileName0(fileName *uint16, appID unsafe.Pointer) (err error) [failretval!=0] = fwpuclnt.FwpmGetAppIdFromFileName0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmfreememory0
+//sys	fwpmFreeMemory0(p unsafe.Pointer) = fwpuclnt.FwpmFreeMemory0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmfilteradd0
+//sys	fwpmFilterAdd0(engineHandle uintptr, filter *wtFwpmFilter0, sd uintptr, id *uint64) (err error) [failretval!=0] = fwpuclnt.FwpmFilterAdd0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/Fwpmu/nf-fwpmu-fwpmtransactionbegin0
+//sys	fwpmTransactionBegin0(engineHandle uintptr, flags uint32) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionBegin0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmtransactioncommit0
+//sys	fwpmTransactionCommit0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionCommit0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmtransactionabort0
+//sys	fwpmTransactionAbort0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionAbort0
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmprovideradd0
+//sys	fwpmProviderAdd0(engineHandle uintptr, provider *wtFwpmProvider0, sd uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmProviderAdd0

client/internal/dns/dnsfw/types_windows.go

@@ -0,0 +1,414 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/types_windows.go.
+ */
+
+package dnsfw
+
+import "golang.org/x/sys/windows"
+
+const (
+	anysizeArray = 1 // ANYSIZE_ARRAY defined in winnt.h
+
+	wtFwpBitmapArray64_Size = 8
+
+	wtFwpByteArray16_Size = 16
+
+	wtFwpByteArray6_Size = 6
+
+	wtFwpmAction0_Size              = 20
+	wtFwpmAction0_filterType_Offset = 4
+
+	wtFwpV4AddrAndMask_Size        = 8
+	wtFwpV4AddrAndMask_mask_Offset = 4
+
+	wtFwpV6AddrAndMask_Size                = 17
+	wtFwpV6AddrAndMask_prefixLength_Offset = 16
+)
+
+type wtFwpActionFlag uint32
+
+const (
+	cFWP_ACTION_FLAG_TERMINATING     wtFwpActionFlag = 0x00001000
+	cFWP_ACTION_FLAG_NON_TERMINATING wtFwpActionFlag = 0x00002000
+	cFWP_ACTION_FLAG_CALLOUT         wtFwpActionFlag = 0x00004000
+)
+
+// FWP_ACTION_TYPE defined in fwptypes.h
+type wtFwpActionType uint32
+
+const (
+	cFWP_ACTION_BLOCK               wtFwpActionType = wtFwpActionType(0x00000001 | cFWP_ACTION_FLAG_TERMINATING)
+	cFWP_ACTION_PERMIT              wtFwpActionType = wtFwpActionType(0x00000002 | cFWP_ACTION_FLAG_TERMINATING)
+	cFWP_ACTION_CALLOUT_TERMINATING wtFwpActionType = wtFwpActionType(0x00000003 | cFWP_ACTION_FLAG_CALLOUT | cFWP_ACTION_FLAG_TERMINATING)
+	cFWP_ACTION_CALLOUT_INSPECTION  wtFwpActionType = wtFwpActionType(0x00000004 | cFWP_ACTION_FLAG_CALLOUT | cFWP_ACTION_FLAG_NON_TERMINATING)
+	cFWP_ACTION_CALLOUT_UNKNOWN     wtFwpActionType = wtFwpActionType(0x00000005 | cFWP_ACTION_FLAG_CALLOUT)
+	cFWP_ACTION_CONTINUE            wtFwpActionType = wtFwpActionType(0x00000006 | cFWP_ACTION_FLAG_NON_TERMINATING)
+	cFWP_ACTION_NONE                wtFwpActionType = 0x00000007
+	cFWP_ACTION_NONE_NO_MATCH       wtFwpActionType = 0x00000008
+	cFWP_ACTION_BITMAP_INDEX_SET    wtFwpActionType = 0x00000009
+)
+
+// FWP_BYTE_BLOB defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_blob_)
+type wtFwpByteBlob struct {
+	size uint32
+	data *uint8
+}
+
+// FWP_MATCH_TYPE defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ne-fwptypes-fwp_match_type_)
+type wtFwpMatchType uint32
+
+const (
+	cFWP_MATCH_EQUAL                  wtFwpMatchType = 0
+	cFWP_MATCH_GREATER                wtFwpMatchType = cFWP_MATCH_EQUAL + 1
+	cFWP_MATCH_LESS                   wtFwpMatchType = cFWP_MATCH_GREATER + 1
+	cFWP_MATCH_GREATER_OR_EQUAL       wtFwpMatchType = cFWP_MATCH_LESS + 1
+	cFWP_MATCH_LESS_OR_EQUAL          wtFwpMatchType = cFWP_MATCH_GREATER_OR_EQUAL + 1
+	cFWP_MATCH_RANGE                  wtFwpMatchType = cFWP_MATCH_LESS_OR_EQUAL + 1
+	cFWP_MATCH_FLAGS_ALL_SET          wtFwpMatchType = cFWP_MATCH_RANGE + 1
+	cFWP_MATCH_FLAGS_ANY_SET          wtFwpMatchType = cFWP_MATCH_FLAGS_ALL_SET + 1
+	cFWP_MATCH_FLAGS_NONE_SET         wtFwpMatchType = cFWP_MATCH_FLAGS_ANY_SET + 1
+	cFWP_MATCH_EQUAL_CASE_INSENSITIVE wtFwpMatchType = cFWP_MATCH_FLAGS_NONE_SET + 1
+	cFWP_MATCH_NOT_EQUAL              wtFwpMatchType = cFWP_MATCH_EQUAL_CASE_INSENSITIVE + 1
+	cFWP_MATCH_PREFIX                 wtFwpMatchType = cFWP_MATCH_NOT_EQUAL + 1
+	cFWP_MATCH_NOT_PREFIX             wtFwpMatchType = cFWP_MATCH_PREFIX + 1
+	cFWP_MATCH_TYPE_MAX               wtFwpMatchType = cFWP_MATCH_NOT_PREFIX + 1
+)
+
+// FWPM_ACTION0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_action0_)
+type wtFwpmAction0 struct {
+	_type      wtFwpActionType
+	filterType windows.GUID // Windows type: GUID
+}
+
+// Defined in fwpmu.h. 4cd62a49-59c3-4969-b7f3-bda5d32890a4
+var cFWPM_CONDITION_IP_LOCAL_INTERFACE = windows.GUID{
+	Data1: 0x4cd62a49,
+	Data2: 0x59c3,
+	Data3: 0x4969,
+	Data4: [8]byte{0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 0xa4},
+}
+
+// Defined in fwpmu.h. b235ae9a-1d64-49b8-a44c-5ff3d9095045
+var cFWPM_CONDITION_IP_REMOTE_ADDRESS = windows.GUID{
+	Data1: 0xb235ae9a,
+	Data2: 0x1d64,
+	Data3: 0x49b8,
+	Data4: [8]byte{0xa4, 0x4c, 0x5f, 0xf3, 0xd9, 0x09, 0x50, 0x45},
+}
+
+// Defined in fwpmu.h. 3971ef2b-623e-4f9a-8cb1-6e79b806b9a7
+var cFWPM_CONDITION_IP_PROTOCOL = windows.GUID{
+	Data1: 0x3971ef2b,
+	Data2: 0x623e,
+	Data3: 0x4f9a,
+	Data4: [8]byte{0x8c, 0xb1, 0x6e, 0x79, 0xb8, 0x06, 0xb9, 0xa7},
+}
+
+// Defined in fwpmu.h. 0c1ba1af-5765-453f-af22-a8f791ac775b
+var cFWPM_CONDITION_IP_LOCAL_PORT = windows.GUID{
+	Data1: 0x0c1ba1af,
+	Data2: 0x5765,
+	Data3: 0x453f,
+	Data4: [8]byte{0xaf, 0x22, 0xa8, 0xf7, 0x91, 0xac, 0x77, 0x5b},
+}
+
+// Defined in fwpmu.h. c35a604d-d22b-4e1a-91b4-68f674ee674b
+var cFWPM_CONDITION_IP_REMOTE_PORT = windows.GUID{
+	Data1: 0xc35a604d,
+	Data2: 0xd22b,
+	Data3: 0x4e1a,
+	Data4: [8]byte{0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b},
+}
+
+// Defined in fwpmu.h. d78e1e87-8644-4ea5-9437-d809ecefc971
+var cFWPM_CONDITION_ALE_APP_ID = windows.GUID{
+	Data1: 0xd78e1e87,
+	Data2: 0x8644,
+	Data3: 0x4ea5,
+	Data4: [8]byte{0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71},
+}
+
+// af043a0a-b34d-4f86-979c-c90371af6e66
+var cFWPM_CONDITION_ALE_USER_ID = windows.GUID{
+	Data1: 0xaf043a0a,
+	Data2: 0xb34d,
+	Data3: 0x4f86,
+	Data4: [8]byte{0x97, 0x9c, 0xc9, 0x03, 0x71, 0xaf, 0x6e, 0x66},
+}
+
+// d9ee00de-c1ef-4617-bfe3-ffd8f5a08957
+var cFWPM_CONDITION_IP_LOCAL_ADDRESS = windows.GUID{
+	Data1: 0xd9ee00de,
+	Data2: 0xc1ef,
+	Data3: 0x4617,
+	Data4: [8]byte{0xbf, 0xe3, 0xff, 0xd8, 0xf5, 0xa0, 0x89, 0x57},
+}
+
+var (
+	cFWPM_CONDITION_ICMP_TYPE = cFWPM_CONDITION_IP_LOCAL_PORT
+	cFWPM_CONDITION_ICMP_CODE = cFWPM_CONDITION_IP_REMOTE_PORT
+)
+
+// 7bc43cbf-37ba-45f1-b74a-82ff518eeb10
+var cFWPM_CONDITION_L2_FLAGS = windows.GUID{
+	Data1: 0x7bc43cbf,
+	Data2: 0x37ba,
+	Data3: 0x45f1,
+	Data4: [8]byte{0xb7, 0x4a, 0x82, 0xff, 0x51, 0x8e, 0xeb, 0x10},
+}
+
+type wtFwpmL2Flags uint32
+
+const cFWP_CONDITION_L2_IS_VM2VM wtFwpmL2Flags = 0x00000010
+
+var cFWPM_CONDITION_FLAGS = windows.GUID{
+	Data1: 0x632ce23b,
+	Data2: 0x5167,
+	Data3: 0x435c,
+	Data4: [8]byte{0x86, 0xd7, 0xe9, 0x03, 0x68, 0x4a, 0xa8, 0x0c},
+}
+
+type wtFwpmFlags uint32
+
+const cFWP_CONDITION_FLAG_IS_LOOPBACK wtFwpmFlags = 0x00000001
+
+// Defined in fwpmtypes.h
+type wtFwpmFilterFlags uint32
+
+const (
+	cFWPM_FILTER_FLAG_NONE                                wtFwpmFilterFlags = 0x00000000
+	cFWPM_FILTER_FLAG_PERSISTENT                          wtFwpmFilterFlags = 0x00000001
+	cFWPM_FILTER_FLAG_BOOTTIME                            wtFwpmFilterFlags = 0x00000002
+	cFWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT                wtFwpmFilterFlags = 0x00000004
+	cFWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT                  wtFwpmFilterFlags = 0x00000008
+	cFWPM_FILTER_FLAG_PERMIT_IF_CALLOUT_UNREGISTERED      wtFwpmFilterFlags = 0x00000010
+	cFWPM_FILTER_FLAG_DISABLED                            wtFwpmFilterFlags = 0x00000020
+	cFWPM_FILTER_FLAG_INDEXED                             wtFwpmFilterFlags = 0x00000040
+	cFWPM_FILTER_FLAG_HAS_SECURITY_REALM_PROVIDER_CONTEXT wtFwpmFilterFlags = 0x00000080
+	cFWPM_FILTER_FLAG_SYSTEMOS_ONLY                       wtFwpmFilterFlags = 0x00000100
+	cFWPM_FILTER_FLAG_GAMEOS_ONLY                         wtFwpmFilterFlags = 0x00000200
+	cFWPM_FILTER_FLAG_SILENT_MODE                         wtFwpmFilterFlags = 0x00000400
+	cFWPM_FILTER_FLAG_IPSEC_NO_ACQUIRE_INITIATE           wtFwpmFilterFlags = 0x00000800
+)
+
+// FWPM_LAYER_ALE_AUTH_CONNECT_V4 (c38d57d1-05a7-4c33-904f-7fbceee60e82) defined in fwpmu.h
+var cFWPM_LAYER_ALE_AUTH_CONNECT_V4 = windows.GUID{
+	Data1: 0xc38d57d1,
+	Data2: 0x05a7,
+	Data3: 0x4c33,
+	Data4: [8]byte{0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82},
+}
+
+// e1cd9fe7-f4b5-4273-96c0-592e487b8650
+var cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 = windows.GUID{
+	Data1: 0xe1cd9fe7,
+	Data2: 0xf4b5,
+	Data3: 0x4273,
+	Data4: [8]byte{0x96, 0xc0, 0x59, 0x2e, 0x48, 0x7b, 0x86, 0x50},
+}
+
+// FWPM_LAYER_ALE_AUTH_CONNECT_V6 (4a72393b-319f-44bc-84c3-ba54dcb3b6b4) defined in fwpmu.h
+var cFWPM_LAYER_ALE_AUTH_CONNECT_V6 = windows.GUID{
+	Data1: 0x4a72393b,
+	Data2: 0x319f,
+	Data3: 0x44bc,
+	Data4: [8]byte{0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4},
+}
+
+// a3b42c97-9f04-4672-b87e-cee9c483257f
+var cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6 = windows.GUID{
+	Data1: 0xa3b42c97,
+	Data2: 0x9f04,
+	Data3: 0x4672,
+	Data4: [8]byte{0xb8, 0x7e, 0xce, 0xe9, 0xc4, 0x83, 0x25, 0x7f},
+}
+
+// 94c44912-9d6f-4ebf-b995-05ab8a088d1b
+var cFWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE = windows.GUID{
+	Data1: 0x94c44912,
+	Data2: 0x9d6f,
+	Data3: 0x4ebf,
+	Data4: [8]byte{0xb9, 0x95, 0x05, 0xab, 0x8a, 0x08, 0x8d, 0x1b},
+}
+
+// d4220bd3-62ce-4f08-ae88-b56e8526df50
+var cFWPM_LAYER_INBOUND_MAC_FRAME_NATIVE = windows.GUID{
+	Data1: 0xd4220bd3,
+	Data2: 0x62ce,
+	Data3: 0x4f08,
+	Data4: [8]byte{0xae, 0x88, 0xb5, 0x6e, 0x85, 0x26, 0xdf, 0x50},
+}
+
+// FWP_BITMAP_ARRAY64 defined in fwtypes.h
+type wtFwpBitmapArray64 struct {
+	bitmapArray64 [8]uint8 // Windows type: [8]UINT8
+}
+
+// FWP_BYTE_ARRAY6 defined in fwtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_array6_)
+type wtFwpByteArray6 struct {
+	byteArray6 [6]uint8 // Windows type: [6]UINT8
+}
+
+// FWP_BYTE_ARRAY16 defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_array16_)
+type wtFwpByteArray16 struct {
+	byteArray16 [16]uint8 // Windows type [16]UINT8
+}
+
+// FWP_CONDITION_VALUE0 defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_condition_value0).
+type wtFwpConditionValue0 wtFwpValue0
+
+// FWP_DATA_TYPE defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ne-fwptypes-fwp_data_type_)
+type wtFwpDataType uint
+
+const (
+	cFWP_EMPTY                         wtFwpDataType = 0
+	cFWP_UINT8                         wtFwpDataType = cFWP_EMPTY + 1
+	cFWP_UINT16                        wtFwpDataType = cFWP_UINT8 + 1
+	cFWP_UINT32                        wtFwpDataType = cFWP_UINT16 + 1
+	cFWP_UINT64                        wtFwpDataType = cFWP_UINT32 + 1
+	cFWP_INT8                          wtFwpDataType = cFWP_UINT64 + 1
+	cFWP_INT16                         wtFwpDataType = cFWP_INT8 + 1
+	cFWP_INT32                         wtFwpDataType = cFWP_INT16 + 1
+	cFWP_INT64                         wtFwpDataType = cFWP_INT32 + 1
+	cFWP_FLOAT                         wtFwpDataType = cFWP_INT64 + 1
+	cFWP_DOUBLE                        wtFwpDataType = cFWP_FLOAT + 1
+	cFWP_BYTE_ARRAY16_TYPE             wtFwpDataType = cFWP_DOUBLE + 1
+	cFWP_BYTE_BLOB_TYPE                wtFwpDataType = cFWP_BYTE_ARRAY16_TYPE + 1
+	cFWP_SID                           wtFwpDataType = cFWP_BYTE_BLOB_TYPE + 1
+	cFWP_SECURITY_DESCRIPTOR_TYPE      wtFwpDataType = cFWP_SID + 1
+	cFWP_TOKEN_INFORMATION_TYPE        wtFwpDataType = cFWP_SECURITY_DESCRIPTOR_TYPE + 1
+	cFWP_TOKEN_ACCESS_INFORMATION_TYPE wtFwpDataType = cFWP_TOKEN_INFORMATION_TYPE + 1
+	cFWP_UNICODE_STRING_TYPE           wtFwpDataType = cFWP_TOKEN_ACCESS_INFORMATION_TYPE + 1
+	cFWP_BYTE_ARRAY6_TYPE              wtFwpDataType = cFWP_UNICODE_STRING_TYPE + 1
+	cFWP_BITMAP_INDEX_TYPE             wtFwpDataType = cFWP_BYTE_ARRAY6_TYPE + 1
+	cFWP_BITMAP_ARRAY64_TYPE           wtFwpDataType = cFWP_BITMAP_INDEX_TYPE + 1
+	cFWP_SINGLE_DATA_TYPE_MAX          wtFwpDataType = 0xff
+	cFWP_V4_ADDR_MASK                  wtFwpDataType = cFWP_SINGLE_DATA_TYPE_MAX + 1
+	cFWP_V6_ADDR_MASK                  wtFwpDataType = cFWP_V4_ADDR_MASK + 1
+	cFWP_RANGE_TYPE                    wtFwpDataType = cFWP_V6_ADDR_MASK + 1
+	cFWP_DATA_TYPE_MAX                 wtFwpDataType = cFWP_RANGE_TYPE + 1
+)
+
+// FWP_V4_ADDR_AND_MASK defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_v4_addr_and_mask).
+type wtFwpV4AddrAndMask struct {
+	addr uint32
+	mask uint32
+}
+
+// FWP_V6_ADDR_AND_MASK defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_v6_addr_and_mask).
+type wtFwpV6AddrAndMask struct {
+	addr         [16]uint8
+	prefixLength uint8
+}
+
+// FWP_VALUE0 defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_value0_)
+type wtFwpValue0 struct {
+	_type wtFwpDataType
+	value uintptr
+}
+
+// FWPM_DISPLAY_DATA0 defined in fwptypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwpm_display_data0).
+type wtFwpmDisplayData0 struct {
+	name        *uint16 // Windows type: *wchar_t
+	description *uint16 // Windows type: *wchar_t
+}
+
+// FWPM_FILTER_CONDITION0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter_condition0).
+type wtFwpmFilterCondition0 struct {
+	fieldKey       windows.GUID // Windows type: GUID
+	matchType      wtFwpMatchType
+	conditionValue wtFwpConditionValue0
+}
+
+// FWPM_PROVIDER0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_provider0_)
+type wtFwpProvider0 struct {
+	providerKey  windows.GUID // Windows type: GUID
+	displayData  wtFwpmDisplayData0
+	flags        uint32
+	providerData wtFwpByteBlob
+	serviceName  *uint16 // Windows type: *wchar_t
+}
+
+type wtFwpmSessionFlagsValue uint32
+
+const (
+	cFWPM_SESSION_FLAG_DYNAMIC wtFwpmSessionFlagsValue = 0x00000001 // FWPM_SESSION_FLAG_DYNAMIC defined in fwpmtypes.h
+)
+
+// FWPM_SESSION0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_session0).
+type wtFwpmSession0 struct {
+	sessionKey           windows.GUID // Windows type: GUID
+	displayData          wtFwpmDisplayData0
+	flags                wtFwpmSessionFlagsValue // Windows type UINT32
+	txnWaitTimeoutInMSec uint32
+	processId            uint32 // Windows type: DWORD
+	sid                  *windows.SID
+	username             *uint16 // Windows type: *wchar_t
+	kernelMode           uint8   // Windows type: BOOL
+}
+
+type wtFwpmSublayerFlags uint32
+
+const (
+	cFWPM_SUBLAYER_FLAG_PERSISTENT wtFwpmSublayerFlags = 0x00000001 // FWPM_SUBLAYER_FLAG_PERSISTENT defined in fwpmtypes.h
+)
+
+// FWPM_SUBLAYER0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_sublayer0_)
+type wtFwpmSublayer0 struct {
+	subLayerKey  windows.GUID // Windows type: GUID
+	displayData  wtFwpmDisplayData0
+	flags        wtFwpmSublayerFlags
+	providerKey  *windows.GUID // Windows type: *GUID
+	providerData wtFwpByteBlob
+	weight       uint16
+}
+
+// Defined in rpcdce.h
+type wtRpcCAuthN uint32
+
+const (
+	cRPC_C_AUTHN_NONE    wtRpcCAuthN = 0
+	cRPC_C_AUTHN_WINNT   wtRpcCAuthN = 10
+	cRPC_C_AUTHN_DEFAULT wtRpcCAuthN = 0xFFFFFFFF
+)
+
+// FWPM_PROVIDER0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/sv-se/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_provider0).
+type wtFwpmProvider0 struct {
+	providerKey  windows.GUID
+	displayData  wtFwpmDisplayData0
+	flags        uint32
+	providerData wtFwpByteBlob
+	serviceName  *uint16
+}
+
+type wtIPProto uint32
+
+const (
+	cIPPROTO_ICMP   wtIPProto = 1
+	cIPPROTO_ICMPV6 wtIPProto = 58
+	cIPPROTO_TCP    wtIPProto = 6
+	cIPPROTO_UDP    wtIPProto = 17
+)
+
+const (
+	cFWP_ACTRL_MATCH_FILTER = 1
+)

client/internal/dns/dnsfw/types_windows_32.go

@@ -0,0 +1,92 @@
+//go:build windows && (386 || arm)
+
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/types_windows_32.go.
+ */
+
+package dnsfw
+
+import "golang.org/x/sys/windows"
+
+const (
+	wtFwpByteBlob_Size        = 8
+	wtFwpByteBlob_data_Offset = 4
+
+	wtFwpConditionValue0_Size         = 8
+	wtFwpConditionValue0_uint8_Offset = 4
+
+	wtFwpmDisplayData0_Size               = 8
+	wtFwpmDisplayData0_description_Offset = 4
+
+	wtFwpmFilter0_Size                       = 152
+	wtFwpmFilter0_displayData_Offset         = 16
+	wtFwpmFilter0_flags_Offset               = 24
+	wtFwpmFilter0_providerKey_Offset         = 28
+	wtFwpmFilter0_providerData_Offset        = 32
+	wtFwpmFilter0_layerKey_Offset            = 40
+	wtFwpmFilter0_subLayerKey_Offset         = 56
+	wtFwpmFilter0_weight_Offset              = 72
+	wtFwpmFilter0_numFilterConditions_Offset = 80
+	wtFwpmFilter0_filterCondition_Offset     = 84
+	wtFwpmFilter0_action_Offset              = 88
+	wtFwpmFilter0_providerContextKey_Offset  = 112
+	wtFwpmFilter0_reserved_Offset            = 128
+	wtFwpmFilter0_filterID_Offset            = 136
+	wtFwpmFilter0_effectiveWeight_Offset     = 144
+
+	wtFwpmFilterCondition0_Size                  = 28
+	wtFwpmFilterCondition0_matchType_Offset      = 16
+	wtFwpmFilterCondition0_conditionValue_Offset = 20
+
+	wtFwpmSession0_Size                        = 48
+	wtFwpmSession0_displayData_Offset          = 16
+	wtFwpmSession0_flags_Offset                = 24
+	wtFwpmSession0_txnWaitTimeoutInMSec_Offset = 28
+	wtFwpmSession0_processId_Offset            = 32
+	wtFwpmSession0_sid_Offset                  = 36
+	wtFwpmSession0_username_Offset             = 40
+	wtFwpmSession0_kernelMode_Offset           = 44
+
+	wtFwpmSublayer0_Size                = 44
+	wtFwpmSublayer0_displayData_Offset  = 16
+	wtFwpmSublayer0_flags_Offset        = 24
+	wtFwpmSublayer0_providerKey_Offset  = 28
+	wtFwpmSublayer0_providerData_Offset = 32
+	wtFwpmSublayer0_weight_Offset       = 40
+
+	wtFwpProvider0_Size                = 40
+	wtFwpProvider0_displayData_Offset  = 16
+	wtFwpProvider0_flags_Offset        = 24
+	wtFwpProvider0_providerData_Offset = 28
+	wtFwpProvider0_serviceName_Offset  = 36
+
+	wtFwpTokenInformation_Size = 16
+
+	wtFwpValue0_Size         = 8
+	wtFwpValue0_value_Offset = 4
+)
+
+// FWPM_FILTER0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter0).
+type wtFwpmFilter0 struct {
+	filterKey           windows.GUID // Windows type: GUID
+	displayData         wtFwpmDisplayData0
+	flags               wtFwpmFilterFlags
+	providerKey         *windows.GUID // Windows type: *GUID
+	providerData        wtFwpByteBlob
+	layerKey            windows.GUID // Windows type: GUID
+	subLayerKey         windows.GUID // Windows type: GUID
+	weight              wtFwpValue0
+	numFilterConditions uint32
+	filterCondition     *wtFwpmFilterCondition0
+	action              wtFwpmAction0
+	offset1             [4]byte       // Layout correction field
+	providerContextKey  windows.GUID  // Windows type: GUID
+	reserved            *windows.GUID // Windows type: *GUID
+	offset2             [4]byte       // Layout correction field
+	filterID            uint64
+	effectiveWeight     wtFwpValue0
+}

client/internal/dns/dnsfw/types_windows_64.go

@@ -0,0 +1,89 @@
+//go:build windows && (amd64 || arm64)
+
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/types_windows_64.go.
+ */
+
+package dnsfw
+
+import "golang.org/x/sys/windows"
+
+const (
+	wtFwpByteBlob_Size        = 16
+	wtFwpByteBlob_data_Offset = 8
+
+	wtFwpConditionValue0_Size         = 16
+	wtFwpConditionValue0_uint8_Offset = 8
+
+	wtFwpmDisplayData0_Size               = 16
+	wtFwpmDisplayData0_description_Offset = 8
+
+	wtFwpmFilter0_Size                       = 200
+	wtFwpmFilter0_displayData_Offset         = 16
+	wtFwpmFilter0_flags_Offset               = 32
+	wtFwpmFilter0_providerKey_Offset         = 40
+	wtFwpmFilter0_providerData_Offset        = 48
+	wtFwpmFilter0_layerKey_Offset            = 64
+	wtFwpmFilter0_subLayerKey_Offset         = 80
+	wtFwpmFilter0_weight_Offset              = 96
+	wtFwpmFilter0_numFilterConditions_Offset = 112
+	wtFwpmFilter0_filterCondition_Offset     = 120
+	wtFwpmFilter0_action_Offset              = 128
+	wtFwpmFilter0_providerContextKey_Offset  = 152
+	wtFwpmFilter0_reserved_Offset            = 168
+	wtFwpmFilter0_filterID_Offset            = 176
+	wtFwpmFilter0_effectiveWeight_Offset     = 184
+
+	wtFwpmFilterCondition0_Size                  = 40
+	wtFwpmFilterCondition0_matchType_Offset      = 16
+	wtFwpmFilterCondition0_conditionValue_Offset = 24
+
+	wtFwpmSession0_Size                        = 72
+	wtFwpmSession0_displayData_Offset          = 16
+	wtFwpmSession0_flags_Offset                = 32
+	wtFwpmSession0_txnWaitTimeoutInMSec_Offset = 36
+	wtFwpmSession0_processId_Offset            = 40
+	wtFwpmSession0_sid_Offset                  = 48
+	wtFwpmSession0_username_Offset             = 56
+	wtFwpmSession0_kernelMode_Offset           = 64
+
+	wtFwpmSublayer0_Size                = 72
+	wtFwpmSublayer0_displayData_Offset  = 16
+	wtFwpmSublayer0_flags_Offset        = 32
+	wtFwpmSublayer0_providerKey_Offset  = 40
+	wtFwpmSublayer0_providerData_Offset = 48
+	wtFwpmSublayer0_weight_Offset       = 64
+
+	wtFwpProvider0_Size                = 64
+	wtFwpProvider0_displayData_Offset  = 16
+	wtFwpProvider0_flags_Offset        = 32
+	wtFwpProvider0_providerData_Offset = 40
+	wtFwpProvider0_serviceName_Offset  = 56
+
+	wtFwpValue0_Size         = 16
+	wtFwpValue0_value_Offset = 8
+)
+
+// FWPM_FILTER0 defined in fwpmtypes.h
+// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter0).
+type wtFwpmFilter0 struct {
+	filterKey           windows.GUID // Windows type: GUID
+	displayData         wtFwpmDisplayData0
+	flags               wtFwpmFilterFlags // Windows type: UINT32
+	providerKey         *windows.GUID     // Windows type: *GUID
+	providerData        wtFwpByteBlob
+	layerKey            windows.GUID // Windows type: GUID
+	subLayerKey         windows.GUID // Windows type: GUID
+	weight              wtFwpValue0
+	numFilterConditions uint32
+	filterCondition     *wtFwpmFilterCondition0
+	action              wtFwpmAction0
+	offset1             [4]byte       // Layout correction field
+	providerContextKey  windows.GUID  // Windows type: GUID
+	reserved            *windows.GUID // Windows type: *GUID
+	filterID            uint64
+	effectiveWeight     wtFwpValue0
+}

client/internal/dns/dnsfw/zsyscall_windows.go

@@ -0,0 +1,130 @@
+// Code generated by 'go generate'; DO NOT EDIT.
+
+package dnsfw
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modfwpuclnt = windows.NewLazySystemDLL("fwpuclnt.dll")
+
+	procFwpmEngineClose0          = modfwpuclnt.NewProc("FwpmEngineClose0")
+	procFwpmEngineOpen0           = modfwpuclnt.NewProc("FwpmEngineOpen0")
+	procFwpmFilterAdd0            = modfwpuclnt.NewProc("FwpmFilterAdd0")
+	procFwpmFreeMemory0           = modfwpuclnt.NewProc("FwpmFreeMemory0")
+	procFwpmGetAppIdFromFileName0 = modfwpuclnt.NewProc("FwpmGetAppIdFromFileName0")
+	procFwpmProviderAdd0          = modfwpuclnt.NewProc("FwpmProviderAdd0")
+	procFwpmSubLayerAdd0          = modfwpuclnt.NewProc("FwpmSubLayerAdd0")
+	procFwpmTransactionAbort0     = modfwpuclnt.NewProc("FwpmTransactionAbort0")
+	procFwpmTransactionBegin0     = modfwpuclnt.NewProc("FwpmTransactionBegin0")
+	procFwpmTransactionCommit0    = modfwpuclnt.NewProc("FwpmTransactionCommit0")
+)
+
+func fwpmEngineClose0(engineHandle uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall(procFwpmEngineClose0.Addr(), 1, uintptr(engineHandle), 0, 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmEngineOpen0(serverName *uint16, authnService wtRpcCAuthN, authIdentity *uintptr, session *wtFwpmSession0, engineHandle unsafe.Pointer) (err error) {
+	r1, _, e1 := syscall.Syscall6(procFwpmEngineOpen0.Addr(), 5, uintptr(unsafe.Pointer(serverName)), uintptr(authnService), uintptr(unsafe.Pointer(authIdentity)), uintptr(unsafe.Pointer(session)), uintptr(engineHandle), 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmFilterAdd0(engineHandle uintptr, filter *wtFwpmFilter0, sd uintptr, id *uint64) (err error) {
+	r1, _, e1 := syscall.Syscall6(procFwpmFilterAdd0.Addr(), 4, uintptr(engineHandle), uintptr(unsafe.Pointer(filter)), uintptr(sd), uintptr(unsafe.Pointer(id)), 0, 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmFreeMemory0(p unsafe.Pointer) {
+	syscall.Syscall(procFwpmFreeMemory0.Addr(), 1, uintptr(p), 0, 0)
+	return
+}
+
+func fwpmGetAppIdFromFileName0(fileName *uint16, appID unsafe.Pointer) (err error) {
+	r1, _, e1 := syscall.Syscall(procFwpmGetAppIdFromFileName0.Addr(), 2, uintptr(unsafe.Pointer(fileName)), uintptr(appID), 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmProviderAdd0(engineHandle uintptr, provider *wtFwpmProvider0, sd uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall(procFwpmProviderAdd0.Addr(), 3, uintptr(engineHandle), uintptr(unsafe.Pointer(provider)), uintptr(sd))
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmSubLayerAdd0(engineHandle uintptr, subLayer *wtFwpmSublayer0, sd uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall(procFwpmSubLayerAdd0.Addr(), 3, uintptr(engineHandle), uintptr(unsafe.Pointer(subLayer)), uintptr(sd))
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmTransactionAbort0(engineHandle uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall(procFwpmTransactionAbort0.Addr(), 1, uintptr(engineHandle), 0, 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmTransactionBegin0(engineHandle uintptr, flags uint32) (err error) {
+	r1, _, e1 := syscall.Syscall(procFwpmTransactionBegin0.Addr(), 2, uintptr(engineHandle), uintptr(flags), 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func fwpmTransactionCommit0(engineHandle uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall(procFwpmTransactionCommit0.Addr(), 1, uintptr(engineHandle), 0, 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}

client/internal/dns/host_windows.go

@@ -16,6 +16,7 @@ import (
 	"golang.org/x/sys/windows/registry"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/internal/dns/dnsfw"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/winregistry"
 )
@@ -71,6 +72,7 @@ type registryConfigurator struct {
 	routingAll     bool
 	gpo            bool
 	nrptEntryCount int
+	dnsFirewall    dnsfw.Manager
 }
 
 func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
@@ -90,8 +92,9 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 	}
 
 	configurator := &registryConfigurator{
-		guid: guid,
-		gpo:  useGPO,
+		guid:        guid,
+		gpo:         useGPO,
+		dnsFirewall: dnsfw.New(),
 	}
 
 	if err := configurator.configureInterface(); err != nil {
@@ -169,16 +172,8 @@ func (r *registryConfigurator) disableWINSForInterface() error {
 }
 
 func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
-	if config.RouteAll {
-		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
-			return fmt.Errorf("add dns setup: %w", err)
-		}
-	} else if r.routingAll {
-		if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey); err != nil {
-			return fmt.Errorf("delete interface registry key property: %w", err)
-		}
-		r.routingAll = false
-		log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
+	if err := r.applyRouteAll(config); err != nil {
+		return err
 	}
 
 	r.updateState(stateManager)
@@ -220,6 +215,35 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 	return nil
 }
 
+func (r *registryConfigurator) applyRouteAll(config HostDNSConfig) error {
+	if config.RouteAll {
+		if err := r.dnsFirewall.Enable(r.guid, config.ServerIP); err != nil {
+			return fmt.Errorf("dns firewall: %w", err)
+		}
+		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
+			merr := multierror.Append(nil, fmt.Errorf("add dns setup: %w", err))
+			if dErr := r.dnsFirewall.Disable(); dErr != nil {
+				merr = multierror.Append(merr, fmt.Errorf("rollback dns firewall: %w", dErr))
+			}
+			return nberrors.FormatErrorOrNil(merr)
+		}
+		return nil
+	}
+
+	if err := r.dnsFirewall.Disable(); err != nil {
+		log.Errorf("disable dns firewall: %v", err)
+	}
+	if !r.routingAll {
+		return nil
+	}
+	if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey); err != nil {
+		return fmt.Errorf("delete interface registry key property: %w", err)
+	}
+	r.routingAll = false
+	log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
+	return nil
+}
+
 func (r *registryConfigurator) updateState(stateManager *statemanager.Manager) {
 	if err := stateManager.UpdateState(&ShutdownState{
 		Guid:           r.guid,
@@ -406,6 +430,10 @@ func (r *registryConfigurator) restoreHostDNS() error {
 		return fmt.Errorf("remove interface registry key: %w", err)
 	}
 
+	if err := r.dnsFirewall.Disable(); err != nil {
+		log.Errorf("disable dns firewall: %v", err)
+	}
+
 	go r.flushDNSCache()
 
 	return nil

client/internal/engine.go

@@ -28,6 +28,7 @@ import (
 	"github.com/netbirdio/netbird/client/firewall"
 	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
@@ -68,6 +69,7 @@ import (
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	sProto "github.com/netbirdio/netbird/shared/signal/proto"
 	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/util/capture"
 )
 
 // PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
@@ -218,6 +220,8 @@ type Engine struct {
 	portForwardManager *portforward.Manager
 	srWatcher          *guard.SRWatcher
 
+	afpacketCapture *capture.AFPacketCapture
+
 	// Sync response persistence (protected by syncRespMux)
 	syncRespMux         sync.RWMutex
 	persistSyncResponse bool
@@ -1703,6 +1707,11 @@ func (e *Engine) parseNATExternalIPMappings() []string {
 }
 
 func (e *Engine) close() {
+	if e.afpacketCapture != nil {
+		e.afpacketCapture.Stop()
+		e.afpacketCapture = nil
+	}
+
 	log.Debugf("removing Netbird interface %s", e.config.WgIfaceName)
 
 	if e.wgInterface != nil {
@@ -2168,6 +2177,62 @@ func (e *Engine) Address() (netip.Addr, error) {
 	return e.wgInterface.Address().IP, nil
 }
 
+// SetCapture sets or clears packet capture on the WireGuard device.
+// On userspace WireGuard, it taps the FilteredDevice directly.
+// On kernel WireGuard (Linux), it falls back to AF_PACKET raw socket capture.
+// Pass nil to disable capture.
+func (e *Engine) SetCapture(pc device.PacketCapture) error {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	intf := e.wgInterface
+	if intf == nil {
+		return errors.New("wireguard interface not initialized")
+	}
+
+	if e.afpacketCapture != nil {
+		e.afpacketCapture.Stop()
+		e.afpacketCapture = nil
+	}
+
+	dev := intf.GetDevice()
+	if dev != nil {
+		dev.SetCapture(pc)
+		e.setForwarderCapture(pc)
+		return nil
+	}
+
+	// Kernel mode: no FilteredDevice. Use AF_PACKET on Linux.
+	if pc == nil {
+		return nil
+	}
+	sess, ok := pc.(*capture.Session)
+	if !ok {
+		return errors.New("filtered device not available and AF_PACKET requires *capture.Session")
+	}
+
+	afc := capture.NewAFPacketCapture(intf.Name(), sess)
+	if err := afc.Start(); err != nil {
+		return fmt.Errorf("start AF_PACKET capture on %s: %w", intf.Name(), err)
+	}
+	e.afpacketCapture = afc
+	return nil
+}
+
+// setForwarderCapture propagates capture to the USP filter's forwarder endpoint.
+// This captures outbound response packets that bypass the FilteredDevice in netstack mode.
+func (e *Engine) setForwarderCapture(pc device.PacketCapture) {
+	if e.firewall == nil {
+		return
+	}
+	type forwarderCapturer interface {
+		SetPacketCapture(pc forwarder.PacketCapture)
+	}
+	if fc, ok := e.firewall.(forwarderCapturer); ok {
+		fc.SetPacketCapture(pc)
+	}
+}
+
 func (e *Engine) updateForwardRules(rules []*mgmProto.ForwardingRule) ([]firewallManager.ForwardRule, error) {
 	if e.firewall == nil {
 		log.Warn("firewall is disabled, not updating forwarding rules")
@@ -2389,6 +2454,8 @@ func convertToOfferAnswer(msg *sProto.Message) (*peer.OfferAnswer, error) {
 		}
 	}
 
+	relayIP := decodeRelayIP(msg.GetBody().GetRelayServerIP())
+
 	offerAnswer := peer.OfferAnswer{
 		IceCredentials: peer.IceCredentials{
 			UFrag: remoteCred.UFrag,
@@ -2399,7 +2466,23 @@ func convertToOfferAnswer(msg *sProto.Message) (*peer.OfferAnswer, error) {
 		RosenpassPubKey: rosenpassPubKey,
 		RosenpassAddr:   rosenpassAddr,
 		RelaySrvAddress: msg.GetBody().GetRelayServerAddress(),
+		RelaySrvIP:      relayIP,
 		SessionID:       sessionID,
 	}
 	return &offerAnswer, nil
 }
+
+// decodeRelayIP decodes the proto relayServerIP bytes (4 or 16) into a
+// netip.Addr. Returns the zero value for empty input and logs a warning
+// for malformed payloads.
+func decodeRelayIP(b []byte) netip.Addr {
+	if len(b) == 0 {
+		return netip.Addr{}
+	}
+	ip, ok := netip.AddrFromSlice(b)
+	if !ok {
+		log.Warnf("invalid relayServerIP in signal message (%d bytes), ignoring", len(b))
+		return netip.Addr{}
+	}
+	return ip.Unmap()
+}

client/internal/engine_test.go

@@ -1671,7 +1671,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil)
 	if err != nil {
 		return nil, "", err
 	}

client/internal/lazyconn/activity/listener_bind_test.go

@@ -3,7 +3,6 @@ package activity
 import (
 	"net"
 	"net/netip"
-	"runtime"
 	"testing"
 	"time"
 
@@ -18,10 +17,6 @@ import (
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
 )
 
-func isBindListenerPlatform() bool {
-	return runtime.GOOS == "windows" || runtime.GOOS == "js"
-}
-
 // mockEndpointManager implements device.EndpointManager for testing
 type mockEndpointManager struct {
 	endpoints map[netip.Addr]net.Conn
@@ -181,10 +176,6 @@ func TestBindListener_Close(t *testing.T) {
 }
 
 func TestManager_BindMode(t *testing.T) {
-	if !isBindListenerPlatform() {
-		t.Skip("BindListener only used on Windows/JS platforms")
-	}
-
 	mockEndpointMgr := newMockEndpointManager()
 	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
 
@@ -226,10 +217,6 @@ func TestManager_BindMode(t *testing.T) {
 }
 
 func TestManager_BindMode_MultiplePeers(t *testing.T) {
-	if !isBindListenerPlatform() {
-		t.Skip("BindListener only used on Windows/JS platforms")
-	}
-
 	mockEndpointMgr := newMockEndpointManager()
 	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
 

client/internal/lazyconn/activity/manager.go

@@ -4,14 +4,12 @@ import (
 	"errors"
 	"net"
 	"net/netip"
-	"runtime"
 	"sync"
 	"time"
 
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
-	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
@@ -75,16 +73,6 @@ func (m *Manager) createListener(peerCfg lazyconn.PeerConfig) (listener, error)
 		return NewUDPListener(m.wgIface, peerCfg)
 	}
 
-	// BindListener is used on Windows, JS, and netstack platforms:
-	// - JS: Cannot listen to UDP sockets
-	// - Windows: IP_UNICAST_IF socket option forces packets out the interface the default
-	//   gateway points to, preventing them from reaching the loopback interface.
-	// - Netstack: Allows multiple instances on the same host without port conflicts.
-	// BindListener bypasses these issues by passing data directly through the bind.
-	if runtime.GOOS != "windows" && runtime.GOOS != "js" && !netstack.IsEnabled() {
-		return NewUDPListener(m.wgIface, peerCfg)
-	}
-
 	provider, ok := m.wgIface.(bindProvider)
 	if !ok {
 		return nil, errors.New("interface claims userspace bind but doesn't implement bindProvider")

client/internal/lazyconn/manager/manager.go

@@ -6,7 +6,6 @@ import (
 	"time"
 
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/exp/maps"
 
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	"github.com/netbirdio/netbird/client/internal/lazyconn/activity"
@@ -91,8 +90,8 @@ func (m *Manager) UpdateRouteHAMap(haMap route.HAMap) {
 	m.routesMu.Lock()
 	defer m.routesMu.Unlock()
 
-	maps.Clear(m.peerToHAGroups)
-	maps.Clear(m.haGroupToPeers)
+	clear(m.peerToHAGroups)
+	clear(m.haGroupToPeers)
 
 	for haUniqueID, routes := range haMap {
 		var peers []string

client/internal/netflow/store/memory.go

@@ -3,8 +3,6 @@ package store
 import (
 	"sync"
 
-	"golang.org/x/exp/maps"
-
 	"github.com/google/uuid"
 
 	"github.com/netbirdio/netbird/client/internal/netflow/types"
@@ -30,7 +28,7 @@ func (m *Memory) StoreEvent(event *types.Event) {
 func (m *Memory) Close() {
 	m.mux.Lock()
 	defer m.mux.Unlock()
-	maps.Clear(m.events)
+	clear(m.events)
 }
 
 func (m *Memory) GetEvents() []*types.Event {

client/internal/peer/handshaker.go

@@ -3,6 +3,7 @@ package peer
 import (
 	"context"
 	"errors"
+	"net/netip"
 	"sync"
 	"sync/atomic"
 
@@ -40,6 +41,10 @@ type OfferAnswer struct {
 
 	// relay server address
 	RelaySrvAddress string
+	// RelaySrvIP is the IP the remote peer is connected to on its
+	// relay server. Used as a dial target if DNS for RelaySrvAddress
+	// fails. Zero value if the peer did not advertise an IP.
+	RelaySrvIP netip.Addr
 	// SessionID is the unique identifier of the session, used to discard old messages
 	SessionID *ICESessionID
 }
@@ -217,8 +222,9 @@ func (h *Handshaker) buildOfferAnswer() OfferAnswer {
 		answer.SessionID = &sid
 	}
 
-	if addr, err := h.relay.RelayInstanceAddress(); err == nil {
+	if addr, ip, err := h.relay.RelayInstanceAddress(); err == nil {
 		answer.RelaySrvAddress = addr
+		answer.RelaySrvIP = ip
 	}
 
 	return answer

client/internal/peer/notifier_test.go

@@ -8,6 +8,7 @@ import (
 type mocListener struct {
 	lastState int
 	wg        sync.WaitGroup
+	peersWg   sync.WaitGroup
 	peers     int
 }
 
@@ -33,6 +34,7 @@ func (l *mocListener) OnAddressChanged(host, addr string) {
 }
 func (l *mocListener) OnPeersListChanged(size int) {
 	l.peers = size
+	l.peersWg.Done()
 }
 
 func (l *mocListener) setWaiter() {
@@ -43,6 +45,14 @@ func (l *mocListener) wait() {
 	l.wg.Wait()
 }
 
+func (l *mocListener) setPeersWaiter() {
+	l.peersWg.Add(1)
+}
+
+func (l *mocListener) waitPeers() {
+	l.peersWg.Wait()
+}
+
 func Test_notifier_serverState(t *testing.T) {
 
 	type scenario struct {
@@ -72,11 +82,13 @@ func Test_notifier_serverState(t *testing.T) {
 func Test_notifier_SetListener(t *testing.T) {
 	listener := &mocListener{}
 	listener.setWaiter()
+	listener.setPeersWaiter()
 
 	n := newNotifier()
 	n.lastNotification = stateConnecting
 	n.setListener(listener)
 	listener.wait()
+	listener.waitPeers()
 	if listener.lastState != n.lastNotification {
 		t.Errorf("invalid state: %d, expected: %d", listener.lastState, n.lastNotification)
 	}
@@ -85,9 +97,14 @@ func Test_notifier_SetListener(t *testing.T) {
 func Test_notifier_RemoveListener(t *testing.T) {
 	listener := &mocListener{}
 	listener.setWaiter()
+	listener.setPeersWaiter()
 	n := newNotifier()
 	n.lastNotification = stateConnecting
 	n.setListener(listener)
+	// setListener replays cached state on a goroutine; wait for both the state
+	// and peers callbacks to finish so we don't race on listener.peers.
+	listener.wait()
+	listener.waitPeers()
 	n.removeListener()
 	n.peerListChanged(1)
 

client/internal/peer/signaler.go

@@ -54,19 +54,19 @@ func (s *Signaler) signalOfferAnswer(offerAnswer OfferAnswer, remoteKey string,
 			log.Warnf("failed to get session ID bytes: %v", err)
 		}
 	}
-	msg, err := signal.MarshalCredential(
-		s.wgPrivateKey,
-		offerAnswer.WgListenPort,
-		remoteKey,
-		&signal.Credential{
+	msg, err := signal.MarshalCredential(s.wgPrivateKey, remoteKey, signal.CredentialPayload{
+		Type:         bodyType,
+		WgListenPort: offerAnswer.WgListenPort,
+		Credential: &signal.Credential{
 			UFrag: offerAnswer.IceCredentials.UFrag,
 			Pwd:   offerAnswer.IceCredentials.Pwd,
 		},
-		bodyType,
-		offerAnswer.RosenpassPubKey,
-		offerAnswer.RosenpassAddr,
-		offerAnswer.RelaySrvAddress,
-		sessionIDBytes)
+		RosenpassPubKey: offerAnswer.RosenpassPubKey,
+		RosenpassAddr:   offerAnswer.RosenpassAddr,
+		RelaySrvAddress: offerAnswer.RelaySrvAddress,
+		RelaySrvIP:      offerAnswer.RelaySrvIP,
+		SessionID:       sessionIDBytes,
+	})
 	if err != nil {
 		return err
 	}

client/internal/peer/status.go

@@ -320,10 +320,10 @@ func (d *Status) RemovePeer(peerPubKey string) error {
 // UpdatePeerState updates peer status
 func (d *Status) UpdatePeerState(receivedState State) error {
 	d.mux.Lock()
-	defer d.mux.Unlock()
 
 	peerState, ok := d.peers[receivedState.PubKey]
 	if !ok {
+		d.mux.Unlock()
 		return errors.New("peer doesn't exist")
 	}
 
@@ -343,23 +343,29 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 
 	d.peers[receivedState.PubKey] = peerState
 
-	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
-		d.notifyPeerListChanged()
-	}
-
+	notifyList := hasConnStatusChanged(oldState, receivedState.ConnStatus)
 	// when we close the connection we will not notify the router manager
-	if receivedState.ConnStatus == StatusIdle {
-		d.notifyPeerStateChangeListeners(receivedState.PubKey)
+	notifyRouter := receivedState.ConnStatus == StatusIdle
+	routerSnapshot := d.snapshotRouterPeersLocked(receivedState.PubKey, notifyRouter)
+	numPeers := d.numOfPeers()
+
+	d.mux.Unlock()
+
+	if notifyList {
+		d.notifier.peerListChanged(numPeers)
+	}
+	if notifyRouter {
+		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
 	return nil
 }
 
 func (d *Status) AddPeerStateRoute(peer string, route string, resourceId route.ResID) error {
 	d.mux.Lock()
-	defer d.mux.Unlock()
 
 	peerState, ok := d.peers[peer]
 	if !ok {
+		d.mux.Unlock()
 		return errors.New("peer doesn't exist")
 	}
 
@@ -371,17 +377,20 @@ func (d *Status) AddPeerStateRoute(peer string, route string, resourceId route.R
 		d.routeIDLookup.AddRemoteRouteID(resourceId, pref)
 	}
 
+	numPeers := d.numOfPeers()
+	d.mux.Unlock()
+
 	// todo: consider to make sense of this notification or not
-	d.notifyPeerListChanged()
+	d.notifier.peerListChanged(numPeers)
 	return nil
 }
 
 func (d *Status) RemovePeerStateRoute(peer string, route string) error {
 	d.mux.Lock()
-	defer d.mux.Unlock()
 
 	peerState, ok := d.peers[peer]
 	if !ok {
+		d.mux.Unlock()
 		return errors.New("peer doesn't exist")
 	}
 
@@ -393,8 +402,11 @@ func (d *Status) RemovePeerStateRoute(peer string, route string) error {
 		d.routeIDLookup.RemoveRemoteRouteID(pref)
 	}
 
+	numPeers := d.numOfPeers()
+	d.mux.Unlock()
+
 	// todo: consider to make sense of this notification or not
-	d.notifyPeerListChanged()
+	d.notifier.peerListChanged(numPeers)
 	return nil
 }
 
@@ -410,10 +422,10 @@ func (d *Status) CheckRoutes(ip netip.Addr) ([]byte, bool) {
 
 func (d *Status) UpdatePeerICEState(receivedState State) error {
 	d.mux.Lock()
-	defer d.mux.Unlock()
 
 	peerState, ok := d.peers[receivedState.PubKey]
 	if !ok {
+		d.mux.Unlock()
 		return errors.New("peer doesn't exist")
 	}
 
@@ -431,22 +443,28 @@ func (d *Status) UpdatePeerICEState(receivedState State) error {
 
 	d.peers[receivedState.PubKey] = peerState
 
-	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
-		d.notifyPeerListChanged()
-	}
+	notifyList := hasConnStatusChanged(oldState, receivedState.ConnStatus)
+	notifyRouter := hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed)
+	routerSnapshot := d.snapshotRouterPeersLocked(receivedState.PubKey, notifyRouter)
+	numPeers := d.numOfPeers()
 
-	if hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed) {
-		d.notifyPeerStateChangeListeners(receivedState.PubKey)
+	d.mux.Unlock()
+
+	if notifyList {
+		d.notifier.peerListChanged(numPeers)
+	}
+	if notifyRouter {
+		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
 	return nil
 }
 
 func (d *Status) UpdatePeerRelayedState(receivedState State) error {
 	d.mux.Lock()
-	defer d.mux.Unlock()
 
 	peerState, ok := d.peers[receivedState.PubKey]
 	if !ok {
+		d.mux.Unlock()
 		return errors.New("peer doesn't exist")
 	}
 
@@ -461,22 +479,28 @@ func (d *Status) UpdatePeerRelayedState(receivedState State) error {
 
 	d.peers[receivedState.PubKey] = peerState
 
-	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
-		d.notifyPeerListChanged()
-	}
+	notifyList := hasConnStatusChanged(oldState, receivedState.ConnStatus)
+	notifyRouter := hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed)
+	routerSnapshot := d.snapshotRouterPeersLocked(receivedState.PubKey, notifyRouter)
+	numPeers := d.numOfPeers()
 
-	if hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed) {
-		d.notifyPeerStateChangeListeners(receivedState.PubKey)
+	d.mux.Unlock()
+
+	if notifyList {
+		d.notifier.peerListChanged(numPeers)
+	}
+	if notifyRouter {
+		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
 	return nil
 }
 
 func (d *Status) UpdatePeerRelayedStateToDisconnected(receivedState State) error {
 	d.mux.Lock()
-	defer d.mux.Unlock()
 
 	peerState, ok := d.peers[receivedState.PubKey]
 	if !ok {
+		d.mux.Unlock()
 		return errors.New("peer doesn't exist")
 	}
 
@@ -490,22 +514,28 @@ func (d *Status) UpdatePeerRelayedStateToDisconnected(receivedState State) error
 
 	d.peers[receivedState.PubKey] = peerState
 
-	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
-		d.notifyPeerListChanged()
-	}
+	notifyList := hasConnStatusChanged(oldState, receivedState.ConnStatus)
+	notifyRouter := hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed)
+	routerSnapshot := d.snapshotRouterPeersLocked(receivedState.PubKey, notifyRouter)
+	numPeers := d.numOfPeers()
 
-	if hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed) {
-		d.notifyPeerStateChangeListeners(receivedState.PubKey)
+	d.mux.Unlock()
+
+	if notifyList {
+		d.notifier.peerListChanged(numPeers)
+	}
+	if notifyRouter {
+		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
 	return nil
 }
 
 func (d *Status) UpdatePeerICEStateToDisconnected(receivedState State) error {
 	d.mux.Lock()
-	defer d.mux.Unlock()
 
 	peerState, ok := d.peers[receivedState.PubKey]
 	if !ok {
+		d.mux.Unlock()
 		return errors.New("peer doesn't exist")
 	}
 
@@ -522,12 +552,18 @@ func (d *Status) UpdatePeerICEStateToDisconnected(receivedState State) error {
 
 	d.peers[receivedState.PubKey] = peerState
 
-	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
-		d.notifyPeerListChanged()
-	}
+	notifyList := hasConnStatusChanged(oldState, receivedState.ConnStatus)
+	notifyRouter := hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed)
+	routerSnapshot := d.snapshotRouterPeersLocked(receivedState.PubKey, notifyRouter)
+	numPeers := d.numOfPeers()
 
-	if hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed) {
-		d.notifyPeerStateChangeListeners(receivedState.PubKey)
+	d.mux.Unlock()
+
+	if notifyList {
+		d.notifier.peerListChanged(numPeers)
+	}
+	if notifyRouter {
+		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
 	return nil
 }
@@ -594,17 +630,33 @@ func (d *Status) UpdatePeerSSHHostKey(peerPubKey string, sshHostKey []byte) erro
 // FinishPeerListModifications this event invoke the notification
 func (d *Status) FinishPeerListModifications() {
 	d.mux.Lock()
-	defer d.mux.Unlock()
 
 	if !d.peerListChangedForNotification {
+		d.mux.Unlock()
 		return
 	}
 	d.peerListChangedForNotification = false
 
-	d.notifyPeerListChanged()
+	numPeers := d.numOfPeers()
 
+	// snapshot per-peer router state to deliver after the lock is released
+	type routerDispatch struct {
+		peerID   string
+		snapshot map[string]RouterState
+	}
+	dispatches := make([]routerDispatch, 0, len(d.peers))
 	for key := range d.peers {
-		d.notifyPeerStateChangeListeners(key)
+		snapshot := d.snapshotRouterPeersLocked(key, true)
+		if snapshot != nil {
+			dispatches = append(dispatches, routerDispatch{peerID: key, snapshot: snapshot})
+		}
+	}
+
+	d.mux.Unlock()
+
+	d.notifier.peerListChanged(numPeers)
+	for _, rd := range dispatches {
+		d.dispatchRouterPeers(rd.peerID, rd.snapshot)
 	}
 }
 
@@ -655,10 +707,12 @@ func (d *Status) GetLocalPeerState() LocalPeerState {
 // UpdateLocalPeerState updates local peer status
 func (d *Status) UpdateLocalPeerState(localPeerState LocalPeerState) {
 	d.mux.Lock()
-	defer d.mux.Unlock()
-
 	d.localPeer = localPeerState
-	d.notifyAddressChanged()
+	fqdn := d.localPeer.FQDN
+	ip := d.localPeer.IP
+	d.mux.Unlock()
+
+	d.notifier.localAddressChanged(fqdn, ip)
 }
 
 // AddLocalPeerStateRoute adds a route to the local peer state
@@ -721,30 +775,36 @@ func (d *Status) CleanLocalPeerStateRoutes() {
 // CleanLocalPeerState cleans local peer status
 func (d *Status) CleanLocalPeerState() {
 	d.mux.Lock()
-	defer d.mux.Unlock()
-
 	d.localPeer = LocalPeerState{}
-	d.notifyAddressChanged()
+	fqdn := d.localPeer.FQDN
+	ip := d.localPeer.IP
+	d.mux.Unlock()
+
+	d.notifier.localAddressChanged(fqdn, ip)
 }
 
 // MarkManagementDisconnected sets ManagementState to disconnected
 func (d *Status) MarkManagementDisconnected(err error) {
 	d.mux.Lock()
-	defer d.mux.Unlock()
-	defer d.onConnectionChanged()
-
 	d.managementState = false
 	d.managementError = err
+	mgm := d.managementState
+	sig := d.signalState
+	d.mux.Unlock()
+
+	d.notifier.updateServerStates(mgm, sig)
 }
 
 // MarkManagementConnected sets ManagementState to connected
 func (d *Status) MarkManagementConnected() {
 	d.mux.Lock()
-	defer d.mux.Unlock()
-	defer d.onConnectionChanged()
-
 	d.managementState = true
 	d.managementError = nil
+	mgm := d.managementState
+	sig := d.signalState
+	d.mux.Unlock()
+
+	d.notifier.updateServerStates(mgm, sig)
 }
 
 // UpdateSignalAddress update the address of the signal server
@@ -778,21 +838,25 @@ func (d *Status) UpdateLazyConnection(enabled bool) {
 // MarkSignalDisconnected sets SignalState to disconnected
 func (d *Status) MarkSignalDisconnected(err error) {
 	d.mux.Lock()
-	defer d.mux.Unlock()
-	defer d.onConnectionChanged()
-
 	d.signalState = false
 	d.signalError = err
+	mgm := d.managementState
+	sig := d.signalState
+	d.mux.Unlock()
+
+	d.notifier.updateServerStates(mgm, sig)
 }
 
 // MarkSignalConnected sets SignalState to connected
 func (d *Status) MarkSignalConnected() {
 	d.mux.Lock()
-	defer d.mux.Unlock()
-	defer d.onConnectionChanged()
-
 	d.signalState = true
 	d.signalError = nil
+	mgm := d.managementState
+	sig := d.signalState
+	d.mux.Unlock()
+
+	d.notifier.updateServerStates(mgm, sig)
 }
 
 func (d *Status) UpdateRelayStates(relayResults []relay.ProbeResult) {
@@ -919,7 +983,7 @@ func (d *Status) GetRelayStates() []relay.ProbeResult {
 
 	// if the server connection is not established then we will use the general address
 	// in case of connection we will use the instance specific address
-	instanceAddr, err := d.relayMgr.RelayInstanceAddress()
+	instanceAddr, _, err := d.relayMgr.RelayInstanceAddress()
 	if err != nil {
 		// TODO add their status
 		for _, r := range d.relayMgr.ServerURLs() {
@@ -1012,18 +1076,17 @@ func (d *Status) RemoveConnectionListener() {
 	d.notifier.removeListener()
 }
 
-func (d *Status) onConnectionChanged() {
-	d.notifier.updateServerStates(d.managementState, d.signalState)
-}
-
-// notifyPeerStateChangeListeners notifies route manager about the change in peer state
-func (d *Status) notifyPeerStateChangeListeners(peerID string) {
-	subs, ok := d.changeNotify[peerID]
-	if !ok {
-		return
+// snapshotRouterPeersLocked builds the RouterState map for a peer's subscribers.
+// Caller MUST hold d.mux. Returns nil when there are no subscribers for peerID
+// or when notify is false. The snapshot is consumed later by dispatchRouterPeers
+// outside the lock so the channel send cannot stall any d.mux holder.
+func (d *Status) snapshotRouterPeersLocked(peerID string, notify bool) map[string]RouterState {
+	if !notify {
+		return nil
+	}
+	if _, ok := d.changeNotify[peerID]; !ok {
+		return nil
 	}
-
-	// collect the relevant data for router peers
 	routerPeers := make(map[string]RouterState, len(d.changeNotify))
 	for pid := range d.changeNotify {
 		s, ok := d.peers[pid]
@@ -1031,13 +1094,35 @@ func (d *Status) notifyPeerStateChangeListeners(peerID string) {
 			log.Warnf("router peer not found in peers list: %s", pid)
 			continue
 		}
-
 		routerPeers[pid] = RouterState{
 			Status:  s.ConnStatus,
 			Relayed: s.Relayed,
 			Latency: s.Latency,
 		}
 	}
+	return routerPeers
+}
+
+// dispatchRouterPeers delivers a previously snapshotted router-state map to
+// the peer's subscribers. Caller MUST NOT hold d.mux. The method takes a
+// fresh, short read of d.changeNotify under the lock to grab subscriber
+// channels, then sends outside the lock so a slow consumer cannot block other
+// d.mux holders. The send itself stays blocking (only short-circuited by the
+// subscriber's context) so peer state transitions are not silently dropped.
+func (d *Status) dispatchRouterPeers(peerID string, routerPeers map[string]RouterState) {
+	if routerPeers == nil {
+		return
+	}
+
+	d.mux.Lock()
+	subsMap, ok := d.changeNotify[peerID]
+	subs := make([]*StatusChangeSubscription, 0, len(subsMap))
+	if ok {
+		for _, sub := range subsMap {
+			subs = append(subs, sub)
+		}
+	}
+	d.mux.Unlock()
 
 	for _, sub := range subs {
 		select {
@@ -1047,14 +1132,6 @@ func (d *Status) notifyPeerStateChangeListeners(peerID string) {
 	}
 }
 
-func (d *Status) notifyPeerListChanged() {
-	d.notifier.peerListChanged(d.numOfPeers())
-}
-
-func (d *Status) notifyAddressChanged() {
-	d.notifier.localAddressChanged(d.localPeer.FQDN, d.localPeer.IP)
-}
-
 func (d *Status) numOfPeers() int {
 	return len(d.peers) + len(d.offlinePeers)
 }

client/internal/peer/worker_relay.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"net"
+	"net/netip"
 	"sync"
 	"sync/atomic"
 
@@ -53,15 +54,19 @@ func (w *WorkerRelay) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 	w.relaySupportedOnRemotePeer.Store(true)
 
 	// the relayManager will return with error in case if the connection has lost with relay server
-	currentRelayAddress, err := w.relayManager.RelayInstanceAddress()
+	currentRelayAddress, _, err := w.relayManager.RelayInstanceAddress()
 	if err != nil {
 		w.log.Errorf("failed to handle new offer: %s", err)
 		return
 	}
 
 	srv := w.preferredRelayServer(currentRelayAddress, remoteOfferAnswer.RelaySrvAddress)
+	var serverIP netip.Addr
+	if srv == remoteOfferAnswer.RelaySrvAddress {
+		serverIP = remoteOfferAnswer.RelaySrvIP
+	}
 
-	relayedConn, err := w.relayManager.OpenConn(w.peerCtx, srv, w.config.Key)
+	relayedConn, err := w.relayManager.OpenConn(w.peerCtx, srv, w.config.Key, serverIP)
 	if err != nil {
 		if errors.Is(err, relayClient.ErrConnAlreadyExists) {
 			w.log.Debugf("handled offer by reusing existing relay connection")
@@ -90,7 +95,7 @@ func (w *WorkerRelay) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 	})
 }
 
-func (w *WorkerRelay) RelayInstanceAddress() (string, error) {
+func (w *WorkerRelay) RelayInstanceAddress() (string, netip.Addr, error) {
 	return w.relayManager.RelayInstanceAddress()
 }
 

client/internal/portforward/pcp/nat.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"runtime"
 	"sync"
 	"time"
 
@@ -177,7 +178,12 @@ func getDefaultGateway() (gateway net.IP, localIP net.IP, err error) {
 		return nil, nil, err
 	}
 
-	_, gateway, localIP, err = router.Route(net.IPv4zero)
+	dst := net.IPv4zero
+	if runtime.GOOS == "linux" {
+		// go-netroute v0.4.0 rejects unspecified destinations client-side on Linux.
+		dst = net.IPv4(0, 0, 0, 1)
+	}
+	_, gateway, localIP, err = router.Route(dst)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -196,7 +202,12 @@ func getDefaultGateway6() (gateway net.IP, localIP net.IP, err error) {
 		return nil, nil, err
 	}
 
-	_, gateway, localIP, err = router.Route(net.IPv6zero)
+	dst := net.IPv6zero
+	if runtime.GOOS == "linux" {
+		// ::2
+		dst = net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}
+	}
+	_, gateway, localIP, err = router.Route(dst)
 	if err != nil {
 		return nil, nil, err
 	}

client/internal/routemanager/systemops/systemops_darwin.go

@@ -89,8 +89,16 @@ func (r *SysOps) installScopedDefaultFor(unspec netip.Addr) (bool, error) {
 		return false, fmt.Errorf("unusable default nexthop for %s (no interface)", unspec)
 	}
 
+	reused := false
 	if err := r.addScopedDefault(unspec, nexthop); err != nil {
-		return false, fmt.Errorf("add scoped default on %s: %w", nexthop.Intf.Name, err)
+		if !errors.Is(err, unix.EEXIST) {
+			return false, fmt.Errorf("add scoped default on %s: %w", nexthop.Intf.Name, err)
+		}
+		// macOS installs its own RTF_IFSCOPE defaults for primary service
+		// selection on multi-NIC setups, so a route on this ifindex can
+		// already exist before we try. Binding to it via IP[V6]_BOUND_IF
+		// still produces the scoped lookup we need.
+		reused = true
 	}
 
 	af := unix.AF_INET
@@ -102,7 +110,11 @@ func (r *SysOps) installScopedDefaultFor(unspec netip.Addr) (bool, error) {
 	if nexthop.IP.IsValid() {
 		via = nexthop.IP.String()
 	}
-	log.Infof("installed scoped default route via %s on %s for %s", via, nexthop.Intf.Name, afOf(unspec))
+	verb := "installed"
+	if reused {
+		verb = "reused existing"
+	}
+	log.Infof("%s scoped default route via %s on %s for %s", verb, via, nexthop.Intf.Name, afOf(unspec))
 	return true, nil
 }
 

client/internal/routemanager/systemops/systemops_generic.go

@@ -342,6 +342,22 @@ func GetNextHop(ip netip.Addr) (Nexthop, error) {
 	if err != nil {
 		return Nexthop{}, fmt.Errorf("new netroute: %w", err)
 	}
+
+	// go-netroute v0.4.0 rejects unspecified destinations on Linux with a hard
+	// client-side check. Substitute the lowest non-loopback address so the
+	// lookup falls through to the default route (::1 / 127.0.0.1 would match
+	// loopback, ::/0.0.0.0 are unspec). BSD/Windows pass the query straight to
+	// the kernel and need no substitution.
+	if runtime.GOOS == "linux" && ip.IsUnspecified() {
+		if ip.Is6() {
+			// ::2
+			ip = netip.AddrFrom16([16]byte{15: 2})
+		} else {
+			// 0.0.0.1
+			ip = netip.AddrFrom4([4]byte{0, 0, 0, 1})
+		}
+	}
+
 	intf, gateway, preferredSrc, err := r.Route(ip.AsSlice())
 	if err != nil {
 		log.Debugf("Failed to get route for %s: %v", ip, err)

client/internal/routemanager/systemops/systemops_generic_test.go

@@ -354,9 +354,13 @@ func TestAddRouteToNonVPNIntf(t *testing.T) {
 			require.NoError(t, err, "Should be able to get IPv4 default route")
 			t.Logf("Initial IPv4 next hop: %s", initialNextHopV4)
 
+			if testCase.prefix.Addr().Is6() && !testCase.expectError {
+				ensureIPv6DefaultRoute(t)
+			}
+
 			initialNextHopV6, err := GetNextHop(netip.IPv6Unspecified())
 			if testCase.prefix.Addr().Is6() &&
-				(errors.Is(err, vars.ErrRouteNotFound) || initialNextHopV6.Intf != nil && strings.HasPrefix(initialNextHopV6.Intf.Name, "utun")) {
+				initialNextHopV6.Intf != nil && strings.HasPrefix(initialNextHopV6.Intf.Name, "utun") {
 				t.Skip("Skipping test as no ipv6 default route is available")
 			}
 			if err != nil && !errors.Is(err, vars.ErrRouteNotFound) {

client/internal/routemanager/systemops/v6route_bsd_test.go

@@ -0,0 +1,30 @@
+//go:build darwin || dragonfly || freebsd || netbsd || openbsd
+
+package systemops
+
+import (
+	"bytes"
+	"os/exec"
+	"testing"
+)
+
+// ensureIPv6DefaultRoute installs an IPv6 default route via the loopback
+// interface so route lookups for global IPv6 prefixes resolve in environments
+// without v6 connectivity. If a default already exists it is left alone.
+func ensureIPv6DefaultRoute(t *testing.T) {
+	t.Helper()
+
+	out, err := exec.Command("route", "-6", "add", "default", "-iface", "lo0").CombinedOutput()
+	if err != nil {
+		// Existing default; nothing to install or clean up.
+		if bytes.Contains(out, []byte("route already in table")) {
+			return
+		}
+		t.Skipf("install IPv6 fallback default route: %v: %s", err, out)
+	}
+	t.Cleanup(func() {
+		if out, err := exec.Command("route", "-6", "delete", "default").CombinedOutput(); err != nil {
+			t.Logf("delete IPv6 fallback default route: %v: %s", err, out)
+		}
+	})
+}

client/internal/routemanager/systemops/v6route_linux_test.go

@@ -0,0 +1,41 @@
+//go:build linux && !android
+
+package systemops
+
+import (
+	"errors"
+	"net"
+	"syscall"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/vishvananda/netlink"
+)
+
+// ensureIPv6DefaultRoute installs a low-preference IPv6 default route via the
+// loopback interface so route lookups for global IPv6 prefixes resolve in
+// environments without v6 connectivity. Any pre-existing default route wins
+// because of its lower metric.
+func ensureIPv6DefaultRoute(t *testing.T) {
+	t.Helper()
+
+	lo, err := netlink.LinkByName("lo")
+	require.NoError(t, err, "find loopback interface")
+
+	route := &netlink.Route{
+		Dst:       &net.IPNet{IP: net.IPv6zero, Mask: net.CIDRMask(0, 128)},
+		LinkIndex: lo.Attrs().Index,
+		Priority:  1 << 20,
+	}
+	if err := netlink.RouteAdd(route); err != nil {
+		if errors.Is(err, syscall.EEXIST) {
+			return
+		}
+		t.Skipf("install IPv6 fallback default route: %v", err)
+	}
+	t.Cleanup(func() {
+		if err := netlink.RouteDel(route); err != nil && !errors.Is(err, syscall.ESRCH) {
+			t.Logf("delete IPv6 fallback default route: %v", err)
+		}
+	})
+}

client/internal/routemanager/systemops/v6route_windows_test.go

@@ -0,0 +1,34 @@
+//go:build windows
+
+package systemops
+
+import (
+	"bytes"
+	"os/exec"
+	"testing"
+)
+
+const loopbackIfaceWindows = "Loopback Pseudo-Interface 1"
+
+// ensureIPv6DefaultRoute installs an IPv6 default route via the loopback
+// interface so route lookups for global IPv6 prefixes resolve in environments
+// without v6 connectivity. If a default already exists it is left alone.
+func ensureIPv6DefaultRoute(t *testing.T) {
+	t.Helper()
+
+	script := `New-NetRoute -DestinationPrefix "::/0" -InterfaceAlias "` + loopbackIfaceWindows + `" -RouteMetric 9999 -PolicyStore ActiveStore -ErrorAction Stop`
+	out, err := exec.Command("powershell", "-Command", script).CombinedOutput()
+	if err != nil {
+		// Existing default; nothing to install or clean up.
+		if bytes.Contains(out, []byte("already exists")) {
+			return
+		}
+		t.Skipf("install IPv6 fallback default route: %v: %s", err, out)
+	}
+	t.Cleanup(func() {
+		script := `Remove-NetRoute -DestinationPrefix "::/0" -InterfaceAlias "` + loopbackIfaceWindows + `" -Confirm:$false -ErrorAction Stop`
+		if out, err := exec.Command("powershell", "-Command", script).CombinedOutput(); err != nil {
+			t.Logf("delete IPv6 fallback default route: %v: %s", err, out)
+		}
+	})
+}

client/internal/routeselector/routeselector.go

@@ -7,7 +7,6 @@ import (
 	"sync"
 
 	"github.com/hashicorp/go-multierror"
-	"golang.org/x/exp/maps"
 
 	"github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/route"
@@ -44,8 +43,8 @@ func (rs *RouteSelector) SelectRoutes(routes []route.NetID, appendRoute bool, al
 		if rs.selectedRoutes == nil {
 			rs.selectedRoutes = map[route.NetID]struct{}{}
 		}
-		maps.Clear(rs.deselectedRoutes)
-		maps.Clear(rs.selectedRoutes)
+		clear(rs.deselectedRoutes)
+		clear(rs.selectedRoutes)
 		for _, r := range allRoutes {
 			rs.deselectedRoutes[r] = struct{}{}
 		}
@@ -78,8 +77,8 @@ func (rs *RouteSelector) SelectAllRoutes() {
 	if rs.selectedRoutes == nil {
 		rs.selectedRoutes = map[route.NetID]struct{}{}
 	}
-	maps.Clear(rs.deselectedRoutes)
-	maps.Clear(rs.selectedRoutes)
+	clear(rs.deselectedRoutes)
+	clear(rs.selectedRoutes)
 }
 
 // DeselectRoutes removes specific routes from the selection.
@@ -116,8 +115,8 @@ func (rs *RouteSelector) DeselectAllRoutes() {
 	if rs.selectedRoutes == nil {
 		rs.selectedRoutes = map[route.NetID]struct{}{}
 	}
-	maps.Clear(rs.deselectedRoutes)
-	maps.Clear(rs.selectedRoutes)
+	clear(rs.deselectedRoutes)
+	clear(rs.selectedRoutes)
 }
 
 // IsSelected checks if a specific route is selected.

client/internal/wg_iface_monitor.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"net"
 	"runtime"
-	"time"
 
 	log "github.com/sirupsen/logrus"
 
@@ -28,6 +27,10 @@ func NewWGIfaceMonitor() *WGIfaceMonitor {
 
 // Start begins monitoring the WireGuard interface.
 // It relies on the provided context cancellation to stop.
+//
+// On Linux the watcher is event-driven (RTNLGRP_LINK netlink subscription)
+// to avoid the allocation churn of repeatedly dumping the kernel link
+// table; on other platforms it falls back to a low-frequency poll.
 func (m *WGIfaceMonitor) Start(ctx context.Context, ifaceName string) (shouldRestart bool, err error) {
 	defer close(m.done)
 
@@ -56,31 +59,7 @@ func (m *WGIfaceMonitor) Start(ctx context.Context, ifaceName string) (shouldRes
 
 	log.Infof("Interface monitor: watching %s (index: %d)", ifaceName, expectedIndex)
 
-	ticker := time.NewTicker(2 * time.Second)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-ctx.Done():
-			log.Infof("Interface monitor: stopped for %s", ifaceName)
-			return false, fmt.Errorf("wg interface monitor stopped: %v", ctx.Err())
-		case <-ticker.C:
-			currentIndex, err := getInterfaceIndex(ifaceName)
-			if err != nil {
-				// Interface was deleted
-				log.Infof("Interface monitor: %s deleted", ifaceName)
-				return true, fmt.Errorf("interface %s deleted: %w", ifaceName, err)
-			}
-
-			// Check if interface index changed (interface was recreated)
-			if currentIndex != expectedIndex {
-				log.Infof("Interface monitor: %s recreated (index changed from %d to %d), restarting engine",
-					ifaceName, expectedIndex, currentIndex)
-				return true, nil
-			}
-		}
-	}
-
+	return watchInterface(ctx, ifaceName, expectedIndex)
 }
 
 // getInterfaceIndex returns the index of a network interface by name.

client/internal/wg_iface_monitor_linux.go

@@ -0,0 +1,134 @@
+//go:build linux
+
+package internal
+
+import (
+	"context"
+	"fmt"
+	"syscall"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/vishvananda/netlink"
+)
+
+// watchInterface uses an RTNLGRP_LINK netlink subscription to detect
+// deletion or recreation of the WireGuard interface.
+//
+// The previous implementation polled net.InterfaceByName every 2 s, which
+// on Linux issues syscall.NetlinkRIB(RTM_GETLINK, ...) and dumps the
+// entire kernel link table on every call. On hosts with many veth
+// interfaces (containers, bridges) the resulting allocation churn was on
+// the order of ~1 GB/day from this single ticker, which on small ARM
+// hosts manifested as a slow RSS climb (see netbirdio/netbird#3678).
+//
+// The event-driven version below allocates only when the kernel actually
+// publishes a link event for the tracked interface — typically zero
+// allocations between events.
+func watchInterface(ctx context.Context, ifaceName string, expectedIndex int) (bool, error) {
+	done := make(chan struct{})
+	defer close(done)
+
+	// Buffer the channel to absorb event bursts (e.g. when many veth
+	// pairs are created/destroyed at once by container runtimes).
+	linkChan := make(chan netlink.LinkUpdate, 32)
+	if err := netlink.LinkSubscribe(linkChan, done); err != nil {
+		// Return shouldRestart=true so the engine recovers monitoring
+		// via triggerClientRestart instead of silently losing it for
+		// the rest of the process lifetime.
+		return true, fmt.Errorf("subscribe to link updates: %w", err)
+	}
+
+	// Race window: the interface could have been deleted (or recreated)
+	// between the initial getInterfaceIndex() in Start and LinkSubscribe
+	// completing its handshake with the kernel. Re-check explicitly so we
+	// do not block forever waiting for an event that already fired.
+	if currentIndex, err := getInterfaceIndex(ifaceName); err != nil {
+		log.Infof("Interface monitor: %s deleted before subscription completed", ifaceName)
+		return true, fmt.Errorf("interface %s deleted: %w", ifaceName, err)
+	} else if currentIndex != expectedIndex {
+		log.Infof("Interface monitor: %s recreated (index changed from %d to %d) before subscription completed",
+			ifaceName, expectedIndex, currentIndex)
+		return true, nil
+	}
+
+	for {
+		select {
+		case <-ctx.Done():
+			log.Infof("Interface monitor: stopped for %s", ifaceName)
+			return false, fmt.Errorf("wg interface monitor stopped: %w", ctx.Err())
+
+		case update, ok := <-linkChan:
+			if !ok {
+				// The vishvananda/netlink subscription goroutine closes
+				// the channel on receive errors. Signal the engine to
+				// restart so monitoring is re-established instead of
+				// silently ending.
+				log.Warnf("Interface monitor: link subscription channel closed unexpectedly for %s", ifaceName)
+				return true, fmt.Errorf("link subscription channel closed unexpectedly")
+			}
+			if restart, err := inspectLinkEvent(update, ifaceName, expectedIndex); restart {
+				return true, err
+			}
+		}
+	}
+}
+
+// inspectLinkEvent classifies a single netlink link update against the
+// tracked WireGuard interface. It returns (true, err) when the engine
+// should restart monitoring; (false, nil) means the event is unrelated
+// and the caller should keep waiting.
+//
+// The error component, when non-nil, describes the kernel-side reason
+// (deletion or rename); the recreation case returns (true, nil) since
+// no error condition is reported.
+func inspectLinkEvent(update netlink.LinkUpdate, ifaceName string, expectedIndex int) (bool, error) {
+	eventIndex := int(update.Index)
+	eventName := ""
+	if attrs := update.Attrs(); attrs != nil {
+		eventName = attrs.Name
+	}
+
+	switch update.Header.Type {
+	case syscall.RTM_DELLINK:
+		return inspectDelLink(eventIndex, ifaceName, expectedIndex)
+	case syscall.RTM_NEWLINK:
+		return inspectNewLink(eventIndex, eventName, ifaceName, expectedIndex)
+	}
+	return false, nil
+}
+
+// inspectDelLink reports a restart when an RTM_DELLINK arrives for the
+// tracked interface index.
+func inspectDelLink(eventIndex int, ifaceName string, expectedIndex int) (bool, error) {
+	if eventIndex != expectedIndex {
+		return false, nil
+	}
+	log.Infof("Interface monitor: %s deleted", ifaceName)
+	return true, fmt.Errorf("interface %s deleted", ifaceName)
+}
+
+// inspectNewLink reports a restart when an RTM_NEWLINK either:
+//
+//  1. Introduces a link with our name at a different index (recreation
+//     after a delete), or
+//
+//  2. Reports a link still at our index but with a different name
+//     (in-place rename). The previous polling implementation caught
+//     this implicitly because net.InterfaceByName(ifaceName) would
+//     start failing; the event-driven version has to test it.
+//
+// Same name + same index is just a flag/state change on the existing
+// interface and is ignored.
+func inspectNewLink(eventIndex int, eventName, ifaceName string, expectedIndex int) (bool, error) {
+	if eventName == ifaceName && eventIndex != expectedIndex {
+		log.Infof("Interface monitor: %s recreated (index changed from %d to %d), restarting engine",
+			ifaceName, expectedIndex, eventIndex)
+		return true, nil
+	}
+	if eventIndex == expectedIndex && eventName != "" && eventName != ifaceName {
+		log.Infof("Interface monitor: %s renamed to %s (index %d), restarting engine",
+			ifaceName, eventName, expectedIndex)
+		return true, fmt.Errorf("interface %s renamed to %s", ifaceName, eventName)
+	}
+	return false, nil
+}

client/internal/wg_iface_monitor_other.go

@@ -0,0 +1,56 @@
+//go:build !linux
+
+package internal
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// watchInterface polls net.InterfaceByName at a fixed interval to detect
+// deletion or recreation of the WireGuard interface.
+//
+// This is the fallback used on non-Linux desktop and server platforms
+// (darwin, windows, freebsd). It is also compiled on android and ios so
+// the package builds on every supported GOOS, but it is never reached
+// at runtime there because Start() in wg_iface_monitor.go exits early
+// on mobile platforms.
+//
+// The Linux build (see wg_iface_monitor_linux.go) uses an event-driven
+// RTNLGRP_LINK netlink subscription instead, because on Linux
+// net.InterfaceByName issues syscall.NetlinkRIB(RTM_GETLINK, ...) which
+// dumps the entire kernel link table on every call and produces
+// significant allocation churn (netbirdio/netbird#3678).
+//
+// Windows is also reported in #3678 as affected by RSS climb. A future
+// follow-up could implement an event-driven watcher there using
+// NotifyIpInterfaceChange from iphlpapi.
+func watchInterface(ctx context.Context, ifaceName string, expectedIndex int) (bool, error) {
+	ticker := time.NewTicker(2 * time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			log.Infof("Interface monitor: stopped for %s", ifaceName)
+			return false, fmt.Errorf("wg interface monitor stopped: %w", ctx.Err())
+		case <-ticker.C:
+			currentIndex, err := getInterfaceIndex(ifaceName)
+			if err != nil {
+				// Interface was deleted
+				log.Infof("Interface monitor: %s deleted", ifaceName)
+				return true, fmt.Errorf("interface %s deleted: %w", ifaceName, err)
+			}
+
+			// Check if interface index changed (interface was recreated)
+			if currentIndex != expectedIndex {
+				log.Infof("Interface monitor: %s recreated (index changed from %d to %d), restarting engine",
+					ifaceName, expectedIndex, currentIndex)
+				return true, nil
+			}
+		}
+	}
+}

client/netbird.wxs

@@ -68,8 +68,7 @@
 
 		<StandardDirectory Id="CommonAppDataFolder">
 			<Directory Id="NetbirdAutoStartDir" Name="Netbird">
-				<Component Id="NetbirdAutoStart" Guid="b199eaca-b0dd-4032-af19-679cfad48eb3" Bitness="always64">
-					<Condition>AUTOSTART = "1"</Condition>
+				<Component Id="NetbirdAutoStart" Guid="b199eaca-b0dd-4032-af19-679cfad48eb3" Bitness="always64" Condition='AUTOSTART = "1"'>
 					<RegistryValue Root="HKLM" Key="Software\Microsoft\Windows\CurrentVersion\Run"
 						Name="Netbird" Value="&quot;[NetbirdInstallDir]netbird-ui.exe&quot;"
 						Type="string" KeyPath="yes" />

client/proto/daemon.pb.go

@@ -5847,6 +5847,288 @@ func (x *ExposeServiceReady) GetPortAutoAssigned() bool {
 	return false
 }
 
+type StartCaptureRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	TextOutput    bool                   `protobuf:"varint,1,opt,name=text_output,json=textOutput,proto3" json:"text_output,omitempty"`
+	SnapLen       uint32                 `protobuf:"varint,2,opt,name=snap_len,json=snapLen,proto3" json:"snap_len,omitempty"`
+	Duration      *durationpb.Duration   `protobuf:"bytes,3,opt,name=duration,proto3" json:"duration,omitempty"`
+	FilterExpr    string                 `protobuf:"bytes,4,opt,name=filter_expr,json=filterExpr,proto3" json:"filter_expr,omitempty"`
+	Verbose       bool                   `protobuf:"varint,5,opt,name=verbose,proto3" json:"verbose,omitempty"`
+	Ascii         bool                   `protobuf:"varint,6,opt,name=ascii,proto3" json:"ascii,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *StartCaptureRequest) Reset() {
+	*x = StartCaptureRequest{}
+	mi := &file_daemon_proto_msgTypes[88]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *StartCaptureRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StartCaptureRequest) ProtoMessage() {}
+
+func (x *StartCaptureRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[88]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StartCaptureRequest.ProtoReflect.Descriptor instead.
+func (*StartCaptureRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{88}
+}
+
+func (x *StartCaptureRequest) GetTextOutput() bool {
+	if x != nil {
+		return x.TextOutput
+	}
+	return false
+}
+
+func (x *StartCaptureRequest) GetSnapLen() uint32 {
+	if x != nil {
+		return x.SnapLen
+	}
+	return 0
+}
+
+func (x *StartCaptureRequest) GetDuration() *durationpb.Duration {
+	if x != nil {
+		return x.Duration
+	}
+	return nil
+}
+
+func (x *StartCaptureRequest) GetFilterExpr() string {
+	if x != nil {
+		return x.FilterExpr
+	}
+	return ""
+}
+
+func (x *StartCaptureRequest) GetVerbose() bool {
+	if x != nil {
+		return x.Verbose
+	}
+	return false
+}
+
+func (x *StartCaptureRequest) GetAscii() bool {
+	if x != nil {
+		return x.Ascii
+	}
+	return false
+}
+
+type CapturePacket struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Data          []byte                 `protobuf:"bytes,1,opt,name=data,proto3" json:"data,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *CapturePacket) Reset() {
+	*x = CapturePacket{}
+	mi := &file_daemon_proto_msgTypes[89]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *CapturePacket) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CapturePacket) ProtoMessage() {}
+
+func (x *CapturePacket) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[89]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CapturePacket.ProtoReflect.Descriptor instead.
+func (*CapturePacket) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{89}
+}
+
+func (x *CapturePacket) GetData() []byte {
+	if x != nil {
+		return x.Data
+	}
+	return nil
+}
+
+type StartBundleCaptureRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// timeout auto-stops the capture after this duration.
+	// Clamped to a server-side maximum (10 minutes). Zero or unset defaults to the maximum.
+	Timeout       *durationpb.Duration `protobuf:"bytes,1,opt,name=timeout,proto3" json:"timeout,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *StartBundleCaptureRequest) Reset() {
+	*x = StartBundleCaptureRequest{}
+	mi := &file_daemon_proto_msgTypes[90]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *StartBundleCaptureRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StartBundleCaptureRequest) ProtoMessage() {}
+
+func (x *StartBundleCaptureRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[90]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StartBundleCaptureRequest.ProtoReflect.Descriptor instead.
+func (*StartBundleCaptureRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{90}
+}
+
+func (x *StartBundleCaptureRequest) GetTimeout() *durationpb.Duration {
+	if x != nil {
+		return x.Timeout
+	}
+	return nil
+}
+
+type StartBundleCaptureResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *StartBundleCaptureResponse) Reset() {
+	*x = StartBundleCaptureResponse{}
+	mi := &file_daemon_proto_msgTypes[91]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *StartBundleCaptureResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StartBundleCaptureResponse) ProtoMessage() {}
+
+func (x *StartBundleCaptureResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[91]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StartBundleCaptureResponse.ProtoReflect.Descriptor instead.
+func (*StartBundleCaptureResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{91}
+}
+
+type StopBundleCaptureRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *StopBundleCaptureRequest) Reset() {
+	*x = StopBundleCaptureRequest{}
+	mi := &file_daemon_proto_msgTypes[92]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *StopBundleCaptureRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StopBundleCaptureRequest) ProtoMessage() {}
+
+func (x *StopBundleCaptureRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[92]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StopBundleCaptureRequest.ProtoReflect.Descriptor instead.
+func (*StopBundleCaptureRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{92}
+}
+
+type StopBundleCaptureResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *StopBundleCaptureResponse) Reset() {
+	*x = StopBundleCaptureResponse{}
+	mi := &file_daemon_proto_msgTypes[93]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *StopBundleCaptureResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StopBundleCaptureResponse) ProtoMessage() {}
+
+func (x *StopBundleCaptureResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[93]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StopBundleCaptureResponse.ProtoReflect.Descriptor instead.
+func (*StopBundleCaptureResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{93}
+}
+
 type PortInfo_Range struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Start         uint32                 `protobuf:"varint,1,opt,name=start,proto3" json:"start,omitempty"`
@@ -5857,7 +6139,7 @@ type PortInfo_Range struct {
 
 func (x *PortInfo_Range) Reset() {
 	*x = PortInfo_Range{}
-	mi := &file_daemon_proto_msgTypes[89]
+	mi := &file_daemon_proto_msgTypes[95]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -5869,7 +6151,7 @@ func (x *PortInfo_Range) String() string {
 func (*PortInfo_Range) ProtoMessage() {}
 
 func (x *PortInfo_Range) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[89]
+	mi := &file_daemon_proto_msgTypes[95]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -6410,7 +6692,23 @@ const file_daemon_proto_rawDesc = "" +
 	"\vservice_url\x18\x02 \x01(\tR\n" +
 	"serviceUrl\x12\x16\n" +
 	"\x06domain\x18\x03 \x01(\tR\x06domain\x12,\n" +
-	"\x12port_auto_assigned\x18\x04 \x01(\bR\x10portAutoAssigned*b\n" +
+	"\x12port_auto_assigned\x18\x04 \x01(\bR\x10portAutoAssigned\"\xd9\x01\n" +
+	"\x13StartCaptureRequest\x12\x1f\n" +
+	"\vtext_output\x18\x01 \x01(\bR\n" +
+	"textOutput\x12\x19\n" +
+	"\bsnap_len\x18\x02 \x01(\rR\asnapLen\x125\n" +
+	"\bduration\x18\x03 \x01(\v2\x19.google.protobuf.DurationR\bduration\x12\x1f\n" +
+	"\vfilter_expr\x18\x04 \x01(\tR\n" +
+	"filterExpr\x12\x18\n" +
+	"\averbose\x18\x05 \x01(\bR\averbose\x12\x14\n" +
+	"\x05ascii\x18\x06 \x01(\bR\x05ascii\"#\n" +
+	"\rCapturePacket\x12\x12\n" +
+	"\x04data\x18\x01 \x01(\fR\x04data\"P\n" +
+	"\x19StartBundleCaptureRequest\x123\n" +
+	"\atimeout\x18\x01 \x01(\v2\x19.google.protobuf.DurationR\atimeout\"\x1c\n" +
+	"\x1aStartBundleCaptureResponse\"\x1a\n" +
+	"\x18StopBundleCaptureRequest\"\x1b\n" +
+	"\x19StopBundleCaptureResponse*b\n" +
 	"\bLogLevel\x12\v\n" +
 	"\aUNKNOWN\x10\x00\x12\t\n" +
 	"\x05PANIC\x10\x01\x12\t\n" +
@@ -6428,7 +6726,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\n" +
 	"EXPOSE_UDP\x10\x03\x12\x0e\n" +
 	"\n" +
-	"EXPOSE_TLS\x10\x042\xac\x15\n" +
+	"EXPOSE_TLS\x10\x042\xaf\x17\n" +
 	"\rDaemonService\x126\n" +
 	"\x05Login\x12\x14.daemon.LoginRequest\x1a\x15.daemon.LoginResponse\"\x00\x12K\n" +
 	"\fWaitSSOLogin\x12\x1b.daemon.WaitSSOLoginRequest\x1a\x1c.daemon.WaitSSOLoginResponse\"\x00\x12-\n" +
@@ -6449,7 +6747,10 @@ const file_daemon_proto_rawDesc = "" +
 	"CleanState\x12\x19.daemon.CleanStateRequest\x1a\x1a.daemon.CleanStateResponse\"\x00\x12H\n" +
 	"\vDeleteState\x12\x1a.daemon.DeleteStateRequest\x1a\x1b.daemon.DeleteStateResponse\"\x00\x12u\n" +
 	"\x1aSetSyncResponsePersistence\x12).daemon.SetSyncResponsePersistenceRequest\x1a*.daemon.SetSyncResponsePersistenceResponse\"\x00\x12H\n" +
-	"\vTracePacket\x12\x1a.daemon.TracePacketRequest\x1a\x1b.daemon.TracePacketResponse\"\x00\x12D\n" +
+	"\vTracePacket\x12\x1a.daemon.TracePacketRequest\x1a\x1b.daemon.TracePacketResponse\"\x00\x12F\n" +
+	"\fStartCapture\x12\x1b.daemon.StartCaptureRequest\x1a\x15.daemon.CapturePacket\"\x000\x01\x12]\n" +
+	"\x12StartBundleCapture\x12!.daemon.StartBundleCaptureRequest\x1a\".daemon.StartBundleCaptureResponse\"\x00\x12Z\n" +
+	"\x11StopBundleCapture\x12 .daemon.StopBundleCaptureRequest\x1a!.daemon.StopBundleCaptureResponse\"\x00\x12D\n" +
 	"\x0fSubscribeEvents\x12\x18.daemon.SubscribeRequest\x1a\x13.daemon.SystemEvent\"\x000\x01\x12B\n" +
 	"\tGetEvents\x12\x18.daemon.GetEventsRequest\x1a\x19.daemon.GetEventsResponse\"\x00\x12N\n" +
 	"\rSwitchProfile\x12\x1c.daemon.SwitchProfileRequest\x1a\x1d.daemon.SwitchProfileResponse\"\x00\x12B\n" +
@@ -6483,7 +6784,7 @@ func file_daemon_proto_rawDescGZIP() []byte {
 }
 
 var file_daemon_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
-var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 91)
+var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 97)
 var file_daemon_proto_goTypes = []any{
 	(LogLevel)(0),                              // 0: daemon.LogLevel
 	(ExposeProtocol)(0),                        // 1: daemon.ExposeProtocol
@@ -6577,125 +6878,139 @@ var file_daemon_proto_goTypes = []any{
 	(*ExposeServiceRequest)(nil),               // 89: daemon.ExposeServiceRequest
 	(*ExposeServiceEvent)(nil),                 // 90: daemon.ExposeServiceEvent
 	(*ExposeServiceReady)(nil),                 // 91: daemon.ExposeServiceReady
-	nil,                                        // 92: daemon.Network.ResolvedIPsEntry
-	(*PortInfo_Range)(nil),                     // 93: daemon.PortInfo.Range
-	nil,                                        // 94: daemon.SystemEvent.MetadataEntry
-	(*durationpb.Duration)(nil),                // 95: google.protobuf.Duration
-	(*timestamppb.Timestamp)(nil),              // 96: google.protobuf.Timestamp
+	(*StartCaptureRequest)(nil),                // 92: daemon.StartCaptureRequest
+	(*CapturePacket)(nil),                      // 93: daemon.CapturePacket
+	(*StartBundleCaptureRequest)(nil),          // 94: daemon.StartBundleCaptureRequest
+	(*StartBundleCaptureResponse)(nil),         // 95: daemon.StartBundleCaptureResponse
+	(*StopBundleCaptureRequest)(nil),           // 96: daemon.StopBundleCaptureRequest
+	(*StopBundleCaptureResponse)(nil),          // 97: daemon.StopBundleCaptureResponse
+	nil,                                        // 98: daemon.Network.ResolvedIPsEntry
+	(*PortInfo_Range)(nil),                     // 99: daemon.PortInfo.Range
+	nil,                                        // 100: daemon.SystemEvent.MetadataEntry
+	(*durationpb.Duration)(nil),                // 101: google.protobuf.Duration
+	(*timestamppb.Timestamp)(nil),              // 102: google.protobuf.Timestamp
 }
 var file_daemon_proto_depIdxs = []int32{
-	95, // 0: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
-	25, // 1: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
-	96, // 2: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
-	96, // 3: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
-	95, // 4: daemon.PeerState.latency:type_name -> google.protobuf.Duration
-	23, // 5: daemon.SSHServerState.sessions:type_name -> daemon.SSHSessionInfo
-	20, // 6: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
-	19, // 7: daemon.FullStatus.signalState:type_name -> daemon.SignalState
-	18, // 8: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
-	17, // 9: daemon.FullStatus.peers:type_name -> daemon.PeerState
-	21, // 10: daemon.FullStatus.relays:type_name -> daemon.RelayState
-	22, // 11: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
-	55, // 12: daemon.FullStatus.events:type_name -> daemon.SystemEvent
-	24, // 13: daemon.FullStatus.sshServerState:type_name -> daemon.SSHServerState
-	31, // 14: daemon.ListNetworksResponse.routes:type_name -> daemon.Network
-	92, // 15: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
-	93, // 16: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
-	32, // 17: daemon.ForwardingRule.destinationPort:type_name -> daemon.PortInfo
-	32, // 18: daemon.ForwardingRule.translatedPort:type_name -> daemon.PortInfo
-	33, // 19: daemon.ForwardingRulesResponse.rules:type_name -> daemon.ForwardingRule
-	0,  // 20: daemon.GetLogLevelResponse.level:type_name -> daemon.LogLevel
-	0,  // 21: daemon.SetLogLevelRequest.level:type_name -> daemon.LogLevel
-	41, // 22: daemon.ListStatesResponse.states:type_name -> daemon.State
-	50, // 23: daemon.TracePacketRequest.tcp_flags:type_name -> daemon.TCPFlags
-	52, // 24: daemon.TracePacketResponse.stages:type_name -> daemon.TraceStage
-	2,  // 25: daemon.SystemEvent.severity:type_name -> daemon.SystemEvent.Severity
-	3,  // 26: daemon.SystemEvent.category:type_name -> daemon.SystemEvent.Category
-	96, // 27: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
-	94, // 28: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
-	55, // 29: daemon.GetEventsResponse.events:type_name -> daemon.SystemEvent
-	95, // 30: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
-	68, // 31: daemon.ListProfilesResponse.profiles:type_name -> daemon.Profile
-	1,  // 32: daemon.ExposeServiceRequest.protocol:type_name -> daemon.ExposeProtocol
-	91, // 33: daemon.ExposeServiceEvent.ready:type_name -> daemon.ExposeServiceReady
-	30, // 34: daemon.Network.ResolvedIPsEntry.value:type_name -> daemon.IPList
-	5,  // 35: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
-	7,  // 36: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
-	9,  // 37: daemon.DaemonService.Up:input_type -> daemon.UpRequest
-	11, // 38: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
-	13, // 39: daemon.DaemonService.Down:input_type -> daemon.DownRequest
-	15, // 40: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
-	26, // 41: daemon.DaemonService.ListNetworks:input_type -> daemon.ListNetworksRequest
-	28, // 42: daemon.DaemonService.SelectNetworks:input_type -> daemon.SelectNetworksRequest
-	28, // 43: daemon.DaemonService.DeselectNetworks:input_type -> daemon.SelectNetworksRequest
-	4,  // 44: daemon.DaemonService.ForwardingRules:input_type -> daemon.EmptyRequest
-	35, // 45: daemon.DaemonService.DebugBundle:input_type -> daemon.DebugBundleRequest
-	37, // 46: daemon.DaemonService.GetLogLevel:input_type -> daemon.GetLogLevelRequest
-	39, // 47: daemon.DaemonService.SetLogLevel:input_type -> daemon.SetLogLevelRequest
-	42, // 48: daemon.DaemonService.ListStates:input_type -> daemon.ListStatesRequest
-	44, // 49: daemon.DaemonService.CleanState:input_type -> daemon.CleanStateRequest
-	46, // 50: daemon.DaemonService.DeleteState:input_type -> daemon.DeleteStateRequest
-	48, // 51: daemon.DaemonService.SetSyncResponsePersistence:input_type -> daemon.SetSyncResponsePersistenceRequest
-	51, // 52: daemon.DaemonService.TracePacket:input_type -> daemon.TracePacketRequest
-	54, // 53: daemon.DaemonService.SubscribeEvents:input_type -> daemon.SubscribeRequest
-	56, // 54: daemon.DaemonService.GetEvents:input_type -> daemon.GetEventsRequest
-	58, // 55: daemon.DaemonService.SwitchProfile:input_type -> daemon.SwitchProfileRequest
-	60, // 56: daemon.DaemonService.SetConfig:input_type -> daemon.SetConfigRequest
-	62, // 57: daemon.DaemonService.AddProfile:input_type -> daemon.AddProfileRequest
-	64, // 58: daemon.DaemonService.RemoveProfile:input_type -> daemon.RemoveProfileRequest
-	66, // 59: daemon.DaemonService.ListProfiles:input_type -> daemon.ListProfilesRequest
-	69, // 60: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
-	71, // 61: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
-	73, // 62: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
-	75, // 63: daemon.DaemonService.TriggerUpdate:input_type -> daemon.TriggerUpdateRequest
-	77, // 64: daemon.DaemonService.GetPeerSSHHostKey:input_type -> daemon.GetPeerSSHHostKeyRequest
-	79, // 65: daemon.DaemonService.RequestJWTAuth:input_type -> daemon.RequestJWTAuthRequest
-	81, // 66: daemon.DaemonService.WaitJWTToken:input_type -> daemon.WaitJWTTokenRequest
-	83, // 67: daemon.DaemonService.StartCPUProfile:input_type -> daemon.StartCPUProfileRequest
-	85, // 68: daemon.DaemonService.StopCPUProfile:input_type -> daemon.StopCPUProfileRequest
-	87, // 69: daemon.DaemonService.GetInstallerResult:input_type -> daemon.InstallerResultRequest
-	89, // 70: daemon.DaemonService.ExposeService:input_type -> daemon.ExposeServiceRequest
-	6,  // 71: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
-	8,  // 72: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
-	10, // 73: daemon.DaemonService.Up:output_type -> daemon.UpResponse
-	12, // 74: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
-	14, // 75: daemon.DaemonService.Down:output_type -> daemon.DownResponse
-	16, // 76: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
-	27, // 77: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
-	29, // 78: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
-	29, // 79: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
-	34, // 80: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
-	36, // 81: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
-	38, // 82: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
-	40, // 83: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
-	43, // 84: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
-	45, // 85: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
-	47, // 86: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
-	49, // 87: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
-	53, // 88: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
-	55, // 89: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
-	57, // 90: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
-	59, // 91: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
-	61, // 92: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
-	63, // 93: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
-	65, // 94: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
-	67, // 95: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
-	70, // 96: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
-	72, // 97: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
-	74, // 98: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
-	76, // 99: daemon.DaemonService.TriggerUpdate:output_type -> daemon.TriggerUpdateResponse
-	78, // 100: daemon.DaemonService.GetPeerSSHHostKey:output_type -> daemon.GetPeerSSHHostKeyResponse
-	80, // 101: daemon.DaemonService.RequestJWTAuth:output_type -> daemon.RequestJWTAuthResponse
-	82, // 102: daemon.DaemonService.WaitJWTToken:output_type -> daemon.WaitJWTTokenResponse
-	84, // 103: daemon.DaemonService.StartCPUProfile:output_type -> daemon.StartCPUProfileResponse
-	86, // 104: daemon.DaemonService.StopCPUProfile:output_type -> daemon.StopCPUProfileResponse
-	88, // 105: daemon.DaemonService.GetInstallerResult:output_type -> daemon.InstallerResultResponse
-	90, // 106: daemon.DaemonService.ExposeService:output_type -> daemon.ExposeServiceEvent
-	71, // [71:107] is the sub-list for method output_type
-	35, // [35:71] is the sub-list for method input_type
-	35, // [35:35] is the sub-list for extension type_name
-	35, // [35:35] is the sub-list for extension extendee
-	0,  // [0:35] is the sub-list for field type_name
+	101, // 0: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	25,  // 1: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
+	102, // 2: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
+	102, // 3: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
+	101, // 4: daemon.PeerState.latency:type_name -> google.protobuf.Duration
+	23,  // 5: daemon.SSHServerState.sessions:type_name -> daemon.SSHSessionInfo
+	20,  // 6: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
+	19,  // 7: daemon.FullStatus.signalState:type_name -> daemon.SignalState
+	18,  // 8: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
+	17,  // 9: daemon.FullStatus.peers:type_name -> daemon.PeerState
+	21,  // 10: daemon.FullStatus.relays:type_name -> daemon.RelayState
+	22,  // 11: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
+	55,  // 12: daemon.FullStatus.events:type_name -> daemon.SystemEvent
+	24,  // 13: daemon.FullStatus.sshServerState:type_name -> daemon.SSHServerState
+	31,  // 14: daemon.ListNetworksResponse.routes:type_name -> daemon.Network
+	98,  // 15: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
+	99,  // 16: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
+	32,  // 17: daemon.ForwardingRule.destinationPort:type_name -> daemon.PortInfo
+	32,  // 18: daemon.ForwardingRule.translatedPort:type_name -> daemon.PortInfo
+	33,  // 19: daemon.ForwardingRulesResponse.rules:type_name -> daemon.ForwardingRule
+	0,   // 20: daemon.GetLogLevelResponse.level:type_name -> daemon.LogLevel
+	0,   // 21: daemon.SetLogLevelRequest.level:type_name -> daemon.LogLevel
+	41,  // 22: daemon.ListStatesResponse.states:type_name -> daemon.State
+	50,  // 23: daemon.TracePacketRequest.tcp_flags:type_name -> daemon.TCPFlags
+	52,  // 24: daemon.TracePacketResponse.stages:type_name -> daemon.TraceStage
+	2,   // 25: daemon.SystemEvent.severity:type_name -> daemon.SystemEvent.Severity
+	3,   // 26: daemon.SystemEvent.category:type_name -> daemon.SystemEvent.Category
+	102, // 27: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
+	100, // 28: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
+	55,  // 29: daemon.GetEventsResponse.events:type_name -> daemon.SystemEvent
+	101, // 30: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	68,  // 31: daemon.ListProfilesResponse.profiles:type_name -> daemon.Profile
+	1,   // 32: daemon.ExposeServiceRequest.protocol:type_name -> daemon.ExposeProtocol
+	91,  // 33: daemon.ExposeServiceEvent.ready:type_name -> daemon.ExposeServiceReady
+	101, // 34: daemon.StartCaptureRequest.duration:type_name -> google.protobuf.Duration
+	101, // 35: daemon.StartBundleCaptureRequest.timeout:type_name -> google.protobuf.Duration
+	30,  // 36: daemon.Network.ResolvedIPsEntry.value:type_name -> daemon.IPList
+	5,   // 37: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
+	7,   // 38: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
+	9,   // 39: daemon.DaemonService.Up:input_type -> daemon.UpRequest
+	11,  // 40: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
+	13,  // 41: daemon.DaemonService.Down:input_type -> daemon.DownRequest
+	15,  // 42: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
+	26,  // 43: daemon.DaemonService.ListNetworks:input_type -> daemon.ListNetworksRequest
+	28,  // 44: daemon.DaemonService.SelectNetworks:input_type -> daemon.SelectNetworksRequest
+	28,  // 45: daemon.DaemonService.DeselectNetworks:input_type -> daemon.SelectNetworksRequest
+	4,   // 46: daemon.DaemonService.ForwardingRules:input_type -> daemon.EmptyRequest
+	35,  // 47: daemon.DaemonService.DebugBundle:input_type -> daemon.DebugBundleRequest
+	37,  // 48: daemon.DaemonService.GetLogLevel:input_type -> daemon.GetLogLevelRequest
+	39,  // 49: daemon.DaemonService.SetLogLevel:input_type -> daemon.SetLogLevelRequest
+	42,  // 50: daemon.DaemonService.ListStates:input_type -> daemon.ListStatesRequest
+	44,  // 51: daemon.DaemonService.CleanState:input_type -> daemon.CleanStateRequest
+	46,  // 52: daemon.DaemonService.DeleteState:input_type -> daemon.DeleteStateRequest
+	48,  // 53: daemon.DaemonService.SetSyncResponsePersistence:input_type -> daemon.SetSyncResponsePersistenceRequest
+	51,  // 54: daemon.DaemonService.TracePacket:input_type -> daemon.TracePacketRequest
+	92,  // 55: daemon.DaemonService.StartCapture:input_type -> daemon.StartCaptureRequest
+	94,  // 56: daemon.DaemonService.StartBundleCapture:input_type -> daemon.StartBundleCaptureRequest
+	96,  // 57: daemon.DaemonService.StopBundleCapture:input_type -> daemon.StopBundleCaptureRequest
+	54,  // 58: daemon.DaemonService.SubscribeEvents:input_type -> daemon.SubscribeRequest
+	56,  // 59: daemon.DaemonService.GetEvents:input_type -> daemon.GetEventsRequest
+	58,  // 60: daemon.DaemonService.SwitchProfile:input_type -> daemon.SwitchProfileRequest
+	60,  // 61: daemon.DaemonService.SetConfig:input_type -> daemon.SetConfigRequest
+	62,  // 62: daemon.DaemonService.AddProfile:input_type -> daemon.AddProfileRequest
+	64,  // 63: daemon.DaemonService.RemoveProfile:input_type -> daemon.RemoveProfileRequest
+	66,  // 64: daemon.DaemonService.ListProfiles:input_type -> daemon.ListProfilesRequest
+	69,  // 65: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
+	71,  // 66: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
+	73,  // 67: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
+	75,  // 68: daemon.DaemonService.TriggerUpdate:input_type -> daemon.TriggerUpdateRequest
+	77,  // 69: daemon.DaemonService.GetPeerSSHHostKey:input_type -> daemon.GetPeerSSHHostKeyRequest
+	79,  // 70: daemon.DaemonService.RequestJWTAuth:input_type -> daemon.RequestJWTAuthRequest
+	81,  // 71: daemon.DaemonService.WaitJWTToken:input_type -> daemon.WaitJWTTokenRequest
+	83,  // 72: daemon.DaemonService.StartCPUProfile:input_type -> daemon.StartCPUProfileRequest
+	85,  // 73: daemon.DaemonService.StopCPUProfile:input_type -> daemon.StopCPUProfileRequest
+	87,  // 74: daemon.DaemonService.GetInstallerResult:input_type -> daemon.InstallerResultRequest
+	89,  // 75: daemon.DaemonService.ExposeService:input_type -> daemon.ExposeServiceRequest
+	6,   // 76: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
+	8,   // 77: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
+	10,  // 78: daemon.DaemonService.Up:output_type -> daemon.UpResponse
+	12,  // 79: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
+	14,  // 80: daemon.DaemonService.Down:output_type -> daemon.DownResponse
+	16,  // 81: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
+	27,  // 82: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
+	29,  // 83: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
+	29,  // 84: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
+	34,  // 85: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
+	36,  // 86: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
+	38,  // 87: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
+	40,  // 88: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
+	43,  // 89: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
+	45,  // 90: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
+	47,  // 91: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
+	49,  // 92: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
+	53,  // 93: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
+	93,  // 94: daemon.DaemonService.StartCapture:output_type -> daemon.CapturePacket
+	95,  // 95: daemon.DaemonService.StartBundleCapture:output_type -> daemon.StartBundleCaptureResponse
+	97,  // 96: daemon.DaemonService.StopBundleCapture:output_type -> daemon.StopBundleCaptureResponse
+	55,  // 97: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
+	57,  // 98: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
+	59,  // 99: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
+	61,  // 100: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
+	63,  // 101: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
+	65,  // 102: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
+	67,  // 103: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
+	70,  // 104: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
+	72,  // 105: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
+	74,  // 106: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
+	76,  // 107: daemon.DaemonService.TriggerUpdate:output_type -> daemon.TriggerUpdateResponse
+	78,  // 108: daemon.DaemonService.GetPeerSSHHostKey:output_type -> daemon.GetPeerSSHHostKeyResponse
+	80,  // 109: daemon.DaemonService.RequestJWTAuth:output_type -> daemon.RequestJWTAuthResponse
+	82,  // 110: daemon.DaemonService.WaitJWTToken:output_type -> daemon.WaitJWTTokenResponse
+	84,  // 111: daemon.DaemonService.StartCPUProfile:output_type -> daemon.StartCPUProfileResponse
+	86,  // 112: daemon.DaemonService.StopCPUProfile:output_type -> daemon.StopCPUProfileResponse
+	88,  // 113: daemon.DaemonService.GetInstallerResult:output_type -> daemon.InstallerResultResponse
+	90,  // 114: daemon.DaemonService.ExposeService:output_type -> daemon.ExposeServiceEvent
+	76,  // [76:115] is the sub-list for method output_type
+	37,  // [37:76] is the sub-list for method input_type
+	37,  // [37:37] is the sub-list for extension type_name
+	37,  // [37:37] is the sub-list for extension extendee
+	0,   // [0:37] is the sub-list for field type_name
 }
 
 func init() { file_daemon_proto_init() }
@@ -6725,7 +7040,7 @@ func file_daemon_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_proto_rawDesc), len(file_daemon_proto_rawDesc)),
 			NumEnums:      4,
-			NumMessages:   91,
+			NumMessages:   97,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

client/proto/daemon.proto

@@ -64,6 +64,17 @@ service DaemonService {
 
   rpc TracePacket(TracePacketRequest) returns (TracePacketResponse) {}
 
+  // StartCapture begins streaming packet capture on the WireGuard interface.
+  // Requires --enable-capture set at service install/reconfigure time.
+  rpc StartCapture(StartCaptureRequest) returns (stream CapturePacket) {}
+
+  // StartBundleCapture begins capturing packets to a server-side temp file
+  // for inclusion in the next debug bundle. Auto-stops after the given timeout.
+  rpc StartBundleCapture(StartBundleCaptureRequest) returns (StartBundleCaptureResponse) {}
+
+  // StopBundleCapture stops the running bundle capture. Idempotent.
+  rpc StopBundleCapture(StopBundleCaptureRequest) returns (StopBundleCaptureResponse) {}
+
   rpc SubscribeEvents(SubscribeRequest) returns (stream SystemEvent) {}
 
   rpc GetEvents(GetEventsRequest) returns (GetEventsResponse) {}
@@ -832,3 +843,26 @@ message ExposeServiceReady {
   string domain = 3;
   bool port_auto_assigned = 4;
 }
+
+message StartCaptureRequest {
+  bool text_output = 1;
+  uint32 snap_len = 2;
+  google.protobuf.Duration duration = 3;
+  string filter_expr = 4;
+  bool verbose = 5;
+  bool ascii = 6;
+}
+
+message CapturePacket {
+  bytes data = 1;
+}
+
+message StartBundleCaptureRequest {
+  // timeout auto-stops the capture after this duration.
+  // Clamped to a server-side maximum (10 minutes). Zero or unset defaults to the maximum.
+  google.protobuf.Duration timeout = 1;
+}
+
+message StartBundleCaptureResponse {}
+message StopBundleCaptureRequest {}
+message StopBundleCaptureResponse {}

client/proto/daemon_grpc.pb.go

@@ -37,6 +37,9 @@ const (
 	DaemonService_DeleteState_FullMethodName                = "/daemon.DaemonService/DeleteState"
 	DaemonService_SetSyncResponsePersistence_FullMethodName = "/daemon.DaemonService/SetSyncResponsePersistence"
 	DaemonService_TracePacket_FullMethodName                = "/daemon.DaemonService/TracePacket"
+	DaemonService_StartCapture_FullMethodName               = "/daemon.DaemonService/StartCapture"
+	DaemonService_StartBundleCapture_FullMethodName         = "/daemon.DaemonService/StartBundleCapture"
+	DaemonService_StopBundleCapture_FullMethodName          = "/daemon.DaemonService/StopBundleCapture"
 	DaemonService_SubscribeEvents_FullMethodName            = "/daemon.DaemonService/SubscribeEvents"
 	DaemonService_GetEvents_FullMethodName                  = "/daemon.DaemonService/GetEvents"
 	DaemonService_SwitchProfile_FullMethodName              = "/daemon.DaemonService/SwitchProfile"
@@ -96,6 +99,14 @@ type DaemonServiceClient interface {
 	// SetSyncResponsePersistence enables or disables sync response persistence
 	SetSyncResponsePersistence(ctx context.Context, in *SetSyncResponsePersistenceRequest, opts ...grpc.CallOption) (*SetSyncResponsePersistenceResponse, error)
 	TracePacket(ctx context.Context, in *TracePacketRequest, opts ...grpc.CallOption) (*TracePacketResponse, error)
+	// StartCapture begins streaming packet capture on the WireGuard interface.
+	// Requires --enable-capture set at service install/reconfigure time.
+	StartCapture(ctx context.Context, in *StartCaptureRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[CapturePacket], error)
+	// StartBundleCapture begins capturing packets to a server-side temp file
+	// for inclusion in the next debug bundle. Auto-stops after the given timeout.
+	StartBundleCapture(ctx context.Context, in *StartBundleCaptureRequest, opts ...grpc.CallOption) (*StartBundleCaptureResponse, error)
+	// StopBundleCapture stops the running bundle capture. Idempotent.
+	StopBundleCapture(ctx context.Context, in *StopBundleCaptureRequest, opts ...grpc.CallOption) (*StopBundleCaptureResponse, error)
 	SubscribeEvents(ctx context.Context, in *SubscribeRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[SystemEvent], error)
 	GetEvents(ctx context.Context, in *GetEventsRequest, opts ...grpc.CallOption) (*GetEventsResponse, error)
 	SwitchProfile(ctx context.Context, in *SwitchProfileRequest, opts ...grpc.CallOption) (*SwitchProfileResponse, error)
@@ -313,9 +324,48 @@ func (c *daemonServiceClient) TracePacket(ctx context.Context, in *TracePacketRe
 	return out, nil
 }
 
+func (c *daemonServiceClient) StartCapture(ctx context.Context, in *StartCaptureRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[CapturePacket], error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[0], DaemonService_StartCapture_FullMethodName, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &grpc.GenericClientStream[StartCaptureRequest, CapturePacket]{ClientStream: stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type DaemonService_StartCaptureClient = grpc.ServerStreamingClient[CapturePacket]
+
+func (c *daemonServiceClient) StartBundleCapture(ctx context.Context, in *StartBundleCaptureRequest, opts ...grpc.CallOption) (*StartBundleCaptureResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(StartBundleCaptureResponse)
+	err := c.cc.Invoke(ctx, DaemonService_StartBundleCapture_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) StopBundleCapture(ctx context.Context, in *StopBundleCaptureRequest, opts ...grpc.CallOption) (*StopBundleCaptureResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(StopBundleCaptureResponse)
+	err := c.cc.Invoke(ctx, DaemonService_StopBundleCapture_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *daemonServiceClient) SubscribeEvents(ctx context.Context, in *SubscribeRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[SystemEvent], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[0], DaemonService_SubscribeEvents_FullMethodName, cOpts...)
+	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[1], DaemonService_SubscribeEvents_FullMethodName, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -494,7 +544,7 @@ func (c *daemonServiceClient) GetInstallerResult(ctx context.Context, in *Instal
 
 func (c *daemonServiceClient) ExposeService(ctx context.Context, in *ExposeServiceRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ExposeServiceEvent], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[1], DaemonService_ExposeService_FullMethodName, cOpts...)
+	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[2], DaemonService_ExposeService_FullMethodName, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -550,6 +600,14 @@ type DaemonServiceServer interface {
 	// SetSyncResponsePersistence enables or disables sync response persistence
 	SetSyncResponsePersistence(context.Context, *SetSyncResponsePersistenceRequest) (*SetSyncResponsePersistenceResponse, error)
 	TracePacket(context.Context, *TracePacketRequest) (*TracePacketResponse, error)
+	// StartCapture begins streaming packet capture on the WireGuard interface.
+	// Requires --enable-capture set at service install/reconfigure time.
+	StartCapture(*StartCaptureRequest, grpc.ServerStreamingServer[CapturePacket]) error
+	// StartBundleCapture begins capturing packets to a server-side temp file
+	// for inclusion in the next debug bundle. Auto-stops after the given timeout.
+	StartBundleCapture(context.Context, *StartBundleCaptureRequest) (*StartBundleCaptureResponse, error)
+	// StopBundleCapture stops the running bundle capture. Idempotent.
+	StopBundleCapture(context.Context, *StopBundleCaptureRequest) (*StopBundleCaptureResponse, error)
 	SubscribeEvents(*SubscribeRequest, grpc.ServerStreamingServer[SystemEvent]) error
 	GetEvents(context.Context, *GetEventsRequest) (*GetEventsResponse, error)
 	SwitchProfile(context.Context, *SwitchProfileRequest) (*SwitchProfileResponse, error)
@@ -641,6 +699,15 @@ func (UnimplementedDaemonServiceServer) SetSyncResponsePersistence(context.Conte
 func (UnimplementedDaemonServiceServer) TracePacket(context.Context, *TracePacketRequest) (*TracePacketResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method TracePacket not implemented")
 }
+func (UnimplementedDaemonServiceServer) StartCapture(*StartCaptureRequest, grpc.ServerStreamingServer[CapturePacket]) error {
+	return status.Error(codes.Unimplemented, "method StartCapture not implemented")
+}
+func (UnimplementedDaemonServiceServer) StartBundleCapture(context.Context, *StartBundleCaptureRequest) (*StartBundleCaptureResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method StartBundleCapture not implemented")
+}
+func (UnimplementedDaemonServiceServer) StopBundleCapture(context.Context, *StopBundleCaptureRequest) (*StopBundleCaptureResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method StopBundleCapture not implemented")
+}
 func (UnimplementedDaemonServiceServer) SubscribeEvents(*SubscribeRequest, grpc.ServerStreamingServer[SystemEvent]) error {
 	return status.Error(codes.Unimplemented, "method SubscribeEvents not implemented")
 }
@@ -1040,6 +1107,53 @@ func _DaemonService_TracePacket_Handler(srv interface{}, ctx context.Context, de
 	return interceptor(ctx, in, info, handler)
 }
 
+func _DaemonService_StartCapture_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(StartCaptureRequest)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(DaemonServiceServer).StartCapture(m, &grpc.GenericServerStream[StartCaptureRequest, CapturePacket]{ServerStream: stream})
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type DaemonService_StartCaptureServer = grpc.ServerStreamingServer[CapturePacket]
+
+func _DaemonService_StartBundleCapture_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(StartBundleCaptureRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).StartBundleCapture(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: DaemonService_StartBundleCapture_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).StartBundleCapture(ctx, req.(*StartBundleCaptureRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_StopBundleCapture_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(StopBundleCaptureRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).StopBundleCapture(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: DaemonService_StopBundleCapture_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).StopBundleCapture(ctx, req.(*StopBundleCaptureRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _DaemonService_SubscribeEvents_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(SubscribeRequest)
 	if err := stream.RecvMsg(m); err != nil {
@@ -1429,6 +1543,14 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "TracePacket",
 			Handler:    _DaemonService_TracePacket_Handler,
 		},
+		{
+			MethodName: "StartBundleCapture",
+			Handler:    _DaemonService_StartBundleCapture_Handler,
+		},
+		{
+			MethodName: "StopBundleCapture",
+			Handler:    _DaemonService_StopBundleCapture_Handler,
+		},
 		{
 			MethodName: "GetEvents",
 			Handler:    _DaemonService_GetEvents_Handler,
@@ -1495,6 +1617,11 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 		},
 	},
 	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "StartCapture",
+			Handler:       _DaemonService_StartCapture_Handler,
+			ServerStreams: true,
+		},
 		{
 			StreamName:    "SubscribeEvents",
 			Handler:       _DaemonService_SubscribeEvents_Handler,

client/server/capture.go

@@ -0,0 +1,365 @@
+package server
+
+import (
+	"context"
+	"io"
+	"os"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/util/capture"
+)
+
+const maxBundleCaptureDuration = 10 * time.Minute
+
+// bundleCapture holds the state of an in-progress capture destined for the
+// debug bundle. The lifecycle is:
+//
+//	StartBundleCapture → capture running, writing to temp file
+//	StopBundleCapture  → capture stopped, temp file available
+//	DebugBundle        → temp file included in zip, then cleaned up
+type bundleCapture struct {
+	mu      sync.Mutex
+	sess    *capture.Session
+	file    *os.File
+	engine  *internal.Engine
+	cancel  context.CancelFunc
+	stopped bool
+}
+
+// stop halts the capture session and closes the pcap writer. Idempotent.
+func (bc *bundleCapture) stop() {
+	bc.mu.Lock()
+	defer bc.mu.Unlock()
+
+	if bc.stopped {
+		return
+	}
+	bc.stopped = true
+
+	if bc.cancel != nil {
+		bc.cancel()
+	}
+	if bc.sess != nil {
+		bc.sess.Stop()
+	}
+}
+
+// path returns the temp file path, or "" if no file exists.
+func (bc *bundleCapture) path() string {
+	if bc.file == nil {
+		return ""
+	}
+	return bc.file.Name()
+}
+
+// cleanup removes the temp file.
+func (bc *bundleCapture) cleanup() {
+	if bc.file == nil {
+		return
+	}
+	name := bc.file.Name()
+	if err := bc.file.Close(); err != nil {
+		log.Debugf("close bundle capture file: %v", err)
+	}
+	if err := os.Remove(name); err != nil && !os.IsNotExist(err) {
+		log.Debugf("remove bundle capture file: %v", err)
+	}
+	bc.file = nil
+}
+
+// StartCapture streams a pcap or text packet capture over gRPC.
+// Gated by the --enable-capture service flag.
+func (s *Server) StartCapture(req *proto.StartCaptureRequest, stream proto.DaemonService_StartCaptureServer) error {
+	if !s.captureEnabled {
+		return status.Error(codes.PermissionDenied,
+			"packet capture is disabled; reinstall or reconfigure the service with --enable-capture")
+	}
+
+	if d := req.GetDuration(); d != nil && d.AsDuration() < 0 {
+		return status.Error(codes.InvalidArgument, "duration must not be negative")
+	}
+
+	matcher, err := parseCaptureFilter(req)
+	if err != nil {
+		return status.Errorf(codes.InvalidArgument, "invalid filter: %v", err)
+	}
+
+	pr, pw := io.Pipe()
+
+	opts := capture.Options{
+		Matcher: matcher,
+		SnapLen: req.GetSnapLen(),
+		Verbose: req.GetVerbose(),
+		ASCII:   req.GetAscii(),
+	}
+	if req.GetTextOutput() {
+		opts.TextOutput = pw
+	} else {
+		opts.Output = pw
+	}
+
+	sess, err := capture.NewSession(opts)
+	if err != nil {
+		pw.Close()
+		return status.Errorf(codes.Internal, "create capture session: %v", err)
+	}
+
+	engine, err := s.claimCapture(sess)
+	if err != nil {
+		sess.Stop()
+		pw.Close()
+		return err
+	}
+
+	if err := engine.SetCapture(sess); err != nil {
+		s.releaseCapture(sess)
+		sess.Stop()
+		pw.Close()
+		return status.Errorf(codes.Internal, "set capture: %v", err)
+	}
+
+	// Send an empty initial message to signal that the capture was accepted.
+	// The client waits for this before printing the banner, so it must arrive
+	// before any packet data.
+	if err := stream.Send(&proto.CapturePacket{}); err != nil {
+		s.clearCaptureIfOwner(sess, engine)
+		sess.Stop()
+		pw.Close()
+		return status.Errorf(codes.Internal, "send initial message: %v", err)
+	}
+
+	ctx := stream.Context()
+	if d := req.GetDuration(); d != nil {
+		if dur := d.AsDuration(); dur > 0 {
+			var cancel context.CancelFunc
+			ctx, cancel = context.WithTimeout(ctx, dur)
+			defer cancel()
+		}
+	}
+
+	go func() {
+		<-ctx.Done()
+		s.clearCaptureIfOwner(sess, engine)
+		sess.Stop()
+		pw.Close()
+	}()
+	defer pr.Close()
+
+	log.Infof("packet capture started (text=%v, expr=%q)", req.GetTextOutput(), req.GetFilterExpr())
+	defer func() {
+		stats := sess.Stats()
+		log.Infof("packet capture stopped: %d packets, %d bytes, %d dropped",
+			stats.Packets, stats.Bytes, stats.Dropped)
+	}()
+
+	return streamToGRPC(pr, stream)
+}
+
+func streamToGRPC(r io.Reader, stream proto.DaemonService_StartCaptureServer) error {
+	buf := make([]byte, 32*1024)
+	for {
+		n, readErr := r.Read(buf)
+		if n > 0 {
+			if err := stream.Send(&proto.CapturePacket{Data: buf[:n]}); err != nil {
+				log.Debugf("capture stream send: %v", err)
+				return nil //nolint:nilerr // client disconnected
+			}
+		}
+		if readErr != nil {
+			return nil //nolint:nilerr // pipe closed, capture stopped normally
+		}
+	}
+}
+
+// StartBundleCapture begins capturing packets to a server-side temp file for
+// inclusion in the next debug bundle. Not gated by --enable-capture since the
+// output stays on the server (same trust level as CPU profiling).
+//
+// A timeout auto-stops the capture as a safety net if StopBundleCapture is
+// never called (e.g. CLI crash).
+func (s *Server) StartBundleCapture(_ context.Context, req *proto.StartBundleCaptureRequest) (*proto.StartBundleCaptureResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	s.stopBundleCaptureLocked()
+	s.cleanupBundleCapture()
+
+	if s.activeCapture != nil {
+		return nil, status.Error(codes.FailedPrecondition, "another capture is already running")
+	}
+
+	engine, err := s.getCaptureEngineLocked()
+	if err != nil {
+		// Not fatal: kernel mode or not connected. Log and return success
+		// so the debug bundle still generates without capture data.
+		log.Warnf("packet capture unavailable, skipping: %v", err)
+		return &proto.StartBundleCaptureResponse{}, nil
+	}
+
+	timeout := req.GetTimeout().AsDuration()
+	if timeout <= 0 || timeout > maxBundleCaptureDuration {
+		timeout = maxBundleCaptureDuration
+	}
+
+	f, err := os.CreateTemp("", "netbird.capture.*.pcap")
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "create temp file: %v", err)
+	}
+
+	sess, err := capture.NewSession(capture.Options{Output: f})
+	if err != nil {
+		f.Close()
+		os.Remove(f.Name())
+		return nil, status.Errorf(codes.Internal, "create capture session: %v", err)
+	}
+
+	if err := engine.SetCapture(sess); err != nil {
+		sess.Stop()
+		f.Close()
+		os.Remove(f.Name())
+		log.Warnf("packet capture unavailable (no filtered device), skipping: %v", err)
+		return &proto.StartBundleCaptureResponse{}, nil
+	}
+	s.activeCapture = sess
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	bc := &bundleCapture{
+		sess:   sess,
+		file:   f,
+		engine: engine,
+		cancel: cancel,
+	}
+
+	s.bundleCapture = bc
+
+	go func() {
+		<-ctx.Done()
+		s.mutex.Lock()
+		if s.bundleCapture == bc {
+			s.stopBundleCaptureLocked()
+		} else {
+			bc.stop()
+		}
+		s.mutex.Unlock()
+		log.Infof("bundle capture auto-stopped after timeout")
+	}()
+	log.Infof("bundle capture started (timeout=%s, file=%s)", timeout, f.Name())
+
+	return &proto.StartBundleCaptureResponse{}, nil
+}
+
+// StopBundleCapture stops the running bundle capture. Idempotent.
+func (s *Server) StopBundleCapture(_ context.Context, _ *proto.StopBundleCaptureRequest) (*proto.StopBundleCaptureResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	s.stopBundleCaptureLocked()
+	return &proto.StopBundleCaptureResponse{}, nil
+}
+
+// stopBundleCaptureLocked stops the bundle capture if running. Must hold s.mutex.
+func (s *Server) stopBundleCaptureLocked() {
+	if s.bundleCapture == nil {
+		return
+	}
+	bc := s.bundleCapture
+	if bc.engine != nil && s.activeCapture == bc.sess {
+		if err := bc.engine.SetCapture(nil); err != nil {
+			log.Debugf("clear bundle capture: %v", err)
+		}
+		s.activeCapture = nil
+	}
+	bc.stop()
+
+	stats := bc.sess.Stats()
+	log.Infof("bundle capture stopped: %d packets, %d bytes, %d dropped",
+		stats.Packets, stats.Bytes, stats.Dropped)
+}
+
+// bundleCapturePath returns the temp file path if a capture has been taken,
+// stops any running capture, and returns "". Called from DebugBundle.
+// Must hold s.mutex.
+func (s *Server) bundleCapturePath() string {
+	if s.bundleCapture == nil {
+		return ""
+	}
+
+	s.bundleCapture.stop()
+	return s.bundleCapture.path()
+}
+
+// cleanupBundleCapture removes the temp file and clears state. Must hold s.mutex.
+func (s *Server) cleanupBundleCapture() {
+	if s.bundleCapture == nil {
+		return
+	}
+	s.bundleCapture.cleanup()
+	s.bundleCapture = nil
+}
+
+// claimCapture reserves the engine's capture slot for sess. Returns
+// FailedPrecondition if another capture is already active.
+func (s *Server) claimCapture(sess *capture.Session) (*internal.Engine, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	if s.activeCapture != nil {
+		return nil, status.Error(codes.FailedPrecondition, "another capture is already running")
+	}
+	engine, err := s.getCaptureEngineLocked()
+	if err != nil {
+		return nil, err
+	}
+	s.activeCapture = sess
+	return engine, nil
+}
+
+// releaseCapture clears the active-capture owner if it still matches sess.
+func (s *Server) releaseCapture(sess *capture.Session) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+	if s.activeCapture == sess {
+		s.activeCapture = nil
+	}
+}
+
+// clearCaptureIfOwner clears engine's capture slot only if sess still owns it.
+func (s *Server) clearCaptureIfOwner(sess *capture.Session, engine *internal.Engine) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+	if s.activeCapture != sess {
+		return
+	}
+	if err := engine.SetCapture(nil); err != nil {
+		log.Debugf("clear capture: %v", err)
+	}
+	s.activeCapture = nil
+}
+
+func (s *Server) getCaptureEngineLocked() (*internal.Engine, error) {
+	if s.connectClient == nil {
+		return nil, status.Error(codes.FailedPrecondition, "client not connected")
+	}
+	engine := s.connectClient.Engine()
+	if engine == nil {
+		return nil, status.Error(codes.FailedPrecondition, "engine not initialized")
+	}
+	return engine, nil
+}
+
+// parseCaptureFilter returns a Matcher from the request.
+// Returns nil (match all) when no filter expression is set.
+func parseCaptureFilter(req *proto.StartCaptureRequest) (capture.Matcher, error) {
+	expr := req.GetFilterExpr()
+	if expr == "" {
+		return nil, nil //nolint:nilnil // nil Matcher means "match all"
+	}
+	return capture.ParseFilter(expr)
+}

client/server/debug.go

@@ -43,7 +43,9 @@ func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (
 		}()
 	}
 
-	// Prepare refresh callback for health probes
+	capturePath := s.bundleCapturePath()
+	defer s.cleanupBundleCapture()
+
 	var refreshStatus func()
 	if s.connectClient != nil {
 		engine := s.connectClient.Engine()
@@ -62,6 +64,7 @@ func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (
 			SyncResponse:   syncResponse,
 			LogPath:        s.logFile,
 			CPUProfile:     cpuProfileData,
+			CapturePath:    capturePath,
 			RefreshStatus:  refreshStatus,
 			ClientMetrics:  clientMetrics,
 		},

client/server/server.go

@@ -33,6 +33,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/updater"
 	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/util/capture"
 	"github.com/netbirdio/netbird/version"
 )
 
@@ -89,7 +90,11 @@ type Server struct {
 	profileManager         *profilemanager.ServiceManager
 	profilesDisabled       bool
 	updateSettingsDisabled bool
-	networksDisabled       bool
+	captureEnabled         bool
+	bundleCapture          *bundleCapture
+	// activeCapture is the session currently installed on the engine; guarded by s.mutex.
+	activeCapture    *capture.Session
+	networksDisabled bool
 
 	sleepHandler *sleephandler.SleepHandler
 
@@ -106,7 +111,7 @@ type oauthAuthFlow struct {
 }
 
 // New server instance constructor.
-func New(ctx context.Context, logFile string, configFile string, profilesDisabled bool, updateSettingsDisabled bool, networksDisabled bool) *Server {
+func New(ctx context.Context, logFile string, configFile string, profilesDisabled bool, updateSettingsDisabled bool, captureEnabled bool, networksDisabled bool) *Server {
 	s := &Server{
 		rootCtx:                ctx,
 		logFile:                logFile,
@@ -115,6 +120,7 @@ func New(ctx context.Context, logFile string, configFile string, profilesDisable
 		profileManager:         profilemanager.NewServiceManager(configFile),
 		profilesDisabled:       profilesDisabled,
 		updateSettingsDisabled: updateSettingsDisabled,
+		captureEnabled:         captureEnabled,
 		networksDisabled:       networksDisabled,
 		jwtCache:               newJWTCache(),
 	}

client/server/server_test.go

@@ -104,7 +104,7 @@ func TestConnectWithRetryRuns(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "debug", "", false, false, false)
+	s := New(ctx, "debug", "", false, false, false, false)
 
 	s.config = config
 
@@ -165,7 +165,7 @@ func TestServer_Up(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "console", "", false, false, false)
+	s := New(ctx, "console", "", false, false, false, false)
 	err = s.Start()
 	require.NoError(t, err)
 
@@ -235,7 +235,7 @@ func TestServer_SubcribeEvents(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "console", "", false, false, false)
+	s := New(ctx, "console", "", false, false, false, false)
 
 	err = s.Start()
 	require.NoError(t, err)
@@ -335,7 +335,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil)
 	if err != nil {
 		return nil, "", err
 	}

client/server/setconfig_test.go

@@ -53,7 +53,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 	require.NoError(t, err)
 
 	ctx := context.Background()
-	s := New(ctx, "console", "", false, false, false)
+	s := New(ctx, "console", "", false, false, false, false)
 
 	rosenpassEnabled := true
 	rosenpassPermissive := true

client/ssh/config/manager.go

@@ -224,15 +224,20 @@ func (m *Manager) buildHostPatterns(peer PeerSSHInfo) []string {
 
 func (m *Manager) writeSSHConfig(sshConfig string) error {
 	sshConfigPath := filepath.Join(m.sshConfigDir, m.sshConfigFile)
+	sshConfigPathTmp := sshConfigPath + ".tmp"
 
 	if err := os.MkdirAll(m.sshConfigDir, 0755); err != nil {
 		return fmt.Errorf("create SSH config directory %s: %w", m.sshConfigDir, err)
 	}
 
-	if err := writeFileWithTimeout(sshConfigPath, []byte(sshConfig), 0644); err != nil {
+	if err := writeFileWithTimeout(sshConfigPathTmp, []byte(sshConfig), 0644); err != nil {
 		return fmt.Errorf("write SSH config file %s: %w", sshConfigPath, err)
 	}
 
+	if err := os.Rename(sshConfigPathTmp, sshConfigPath); err != nil {
+		return fmt.Errorf("rename ssh config %s -> %s: %w", sshConfigPathTmp, sshConfigPath, err)
+	}
+
 	log.Infof("Created NetBird SSH client config: %s", sshConfigPath)
 	return nil
 }

client/ui/debug.go

@@ -16,6 +16,7 @@ import (
 	"fyne.io/fyne/v2/widget"
 	log "github.com/sirupsen/logrus"
 	"github.com/skratchdot/open-golang/open"
+	"google.golang.org/protobuf/types/known/durationpb"
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/proto"
@@ -38,6 +39,7 @@ type debugCollectionParams struct {
 	upload            bool
 	uploadURL         string
 	enablePersistence bool
+	capture           bool
 }
 
 // UI components for progress tracking
@@ -51,25 +53,58 @@ type progressUI struct {
 func (s *serviceClient) showDebugUI() {
 	w := s.app.NewWindow("NetBird Debug")
 	w.SetOnClosed(s.cancel)
-
 	w.Resize(fyne.NewSize(600, 500))
 	w.SetFixedSize(true)
 
 	anonymizeCheck := widget.NewCheck("Anonymize sensitive information (public IPs, domains, ...)", nil)
 	systemInfoCheck := widget.NewCheck("Include system information (routes, interfaces, ...)", nil)
 	systemInfoCheck.SetChecked(true)
+	captureCheck := widget.NewCheck("Include packet capture", nil)
 	uploadCheck := widget.NewCheck("Upload bundle automatically after creation", nil)
 	uploadCheck.SetChecked(true)
 
-	uploadURLLabel := widget.NewLabel("Debug upload URL:")
+	uploadURLContainer, uploadURL := s.buildUploadSection(uploadCheck)
+
+	debugModeContainer, runForDurationCheck, durationInput, noteLabel := s.buildDurationSection()
+
+	statusLabel := widget.NewLabel("")
+	statusLabel.Hide()
+	progressBar := widget.NewProgressBar()
+	progressBar.Hide()
+	createButton := widget.NewButton("Create Debug Bundle", nil)
+
+	uiControls := []fyne.Disableable{
+		anonymizeCheck, systemInfoCheck, captureCheck,
+		uploadCheck, uploadURL, runForDurationCheck, durationInput, createButton,
+	}
+
+	createButton.OnTapped = s.getCreateHandler(
+		statusLabel, progressBar, uploadCheck, uploadURL,
+		anonymizeCheck, systemInfoCheck, captureCheck,
+		runForDurationCheck, durationInput, uiControls, w,
+	)
+
+	content := container.NewVBox(
+		widget.NewLabel("Create a debug bundle to help troubleshoot issues with NetBird"),
+		widget.NewLabel(""),
+		anonymizeCheck, systemInfoCheck, captureCheck,
+		uploadCheck, uploadURLContainer,
+		widget.NewLabel(""),
+		debugModeContainer, noteLabel,
+		widget.NewLabel(""),
+		statusLabel, progressBar, createButton,
+	)
+
+	w.SetContent(container.NewPadded(content))
+	w.Show()
+}
+
+func (s *serviceClient) buildUploadSection(uploadCheck *widget.Check) (*fyne.Container, *widget.Entry) {
 	uploadURL := widget.NewEntry()
 	uploadURL.SetText(uptypes.DefaultBundleURL)
 	uploadURL.SetPlaceHolder("Enter upload URL")
 
-	uploadURLContainer := container.NewVBox(
-		uploadURLLabel,
-		uploadURL,
-	)
+	uploadURLContainer := container.NewVBox(widget.NewLabel("Debug upload URL:"), uploadURL)
 
 	uploadCheck.OnChanged = func(checked bool) {
 		if checked {
@@ -78,13 +113,14 @@ func (s *serviceClient) showDebugUI() {
 			uploadURLContainer.Hide()
 		}
 	}
+	return uploadURLContainer, uploadURL
+}
 
-	debugModeContainer := container.NewHBox()
+func (s *serviceClient) buildDurationSection() (*fyne.Container, *widget.Check, *widget.Entry, *widget.Label) {
 	runForDurationCheck := widget.NewCheck("Run with trace logs before creating bundle", nil)
 	runForDurationCheck.SetChecked(true)
 
 	forLabel := widget.NewLabel("for")
-
 	durationInput := widget.NewEntry()
 	durationInput.SetText("1")
 	minutesLabel := widget.NewLabel("minute")
@@ -108,63 +144,8 @@ func (s *serviceClient) showDebugUI() {
 		}
 	}
 
-	debugModeContainer.Add(runForDurationCheck)
-	debugModeContainer.Add(forLabel)
-	debugModeContainer.Add(durationInput)
-	debugModeContainer.Add(minutesLabel)
-
-	statusLabel := widget.NewLabel("")
-	statusLabel.Hide()
-
-	progressBar := widget.NewProgressBar()
-	progressBar.Hide()
-
-	createButton := widget.NewButton("Create Debug Bundle", nil)
-
-	// UI controls that should be disabled during debug collection
-	uiControls := []fyne.Disableable{
-		anonymizeCheck,
-		systemInfoCheck,
-		uploadCheck,
-		uploadURL,
-		runForDurationCheck,
-		durationInput,
-		createButton,
-	}
-
-	createButton.OnTapped = s.getCreateHandler(
-		statusLabel,
-		progressBar,
-		uploadCheck,
-		uploadURL,
-		anonymizeCheck,
-		systemInfoCheck,
-		runForDurationCheck,
-		durationInput,
-		uiControls,
-		w,
-	)
-
-	content := container.NewVBox(
-		widget.NewLabel("Create a debug bundle to help troubleshoot issues with NetBird"),
-		widget.NewLabel(""),
-		anonymizeCheck,
-		systemInfoCheck,
-		uploadCheck,
-		uploadURLContainer,
-		widget.NewLabel(""),
-		debugModeContainer,
-		noteLabel,
-		widget.NewLabel(""),
-		statusLabel,
-		progressBar,
-		createButton,
-	)
-
-	paddedContent := container.NewPadded(content)
-	w.SetContent(paddedContent)
-
-	w.Show()
+	modeContainer := container.NewHBox(runForDurationCheck, forLabel, durationInput, minutesLabel)
+	return modeContainer, runForDurationCheck, durationInput, noteLabel
 }
 
 func validateMinute(s string, minutesLabel *widget.Label) error {
@@ -200,6 +181,7 @@ func (s *serviceClient) getCreateHandler(
 	uploadURL *widget.Entry,
 	anonymizeCheck *widget.Check,
 	systemInfoCheck *widget.Check,
+	captureCheck *widget.Check,
 	runForDurationCheck *widget.Check,
 	duration *widget.Entry,
 	uiControls []fyne.Disableable,
@@ -222,6 +204,7 @@ func (s *serviceClient) getCreateHandler(
 		params := &debugCollectionParams{
 			anonymize:         anonymizeCheck.Checked,
 			systemInfo:        systemInfoCheck.Checked,
+			capture:           captureCheck.Checked,
 			upload:            uploadCheck.Checked,
 			uploadURL:         url,
 			enablePersistence: true,
@@ -253,10 +236,7 @@ func (s *serviceClient) getCreateHandler(
 
 		statusLabel.SetText("Creating debug bundle...")
 		go s.handleDebugCreation(
-			anonymizeCheck.Checked,
-			systemInfoCheck.Checked,
-			uploadCheck.Checked,
-			url,
+			params,
 			statusLabel,
 			uiControls,
 			w,
@@ -371,7 +351,7 @@ func startProgressTracker(ctx context.Context, wg *sync.WaitGroup, duration time
 func (s *serviceClient) configureServiceForDebug(
 	conn proto.DaemonServiceClient,
 	state *debugInitialState,
-	enablePersistence bool,
+	params *debugCollectionParams,
 ) {
 	if state.wasDown {
 		if _, err := conn.Up(s.ctx, &proto.UpRequest{}); err != nil {
@@ -397,7 +377,7 @@ func (s *serviceClient) configureServiceForDebug(
 		time.Sleep(time.Second)
 	}
 
-	if enablePersistence {
+	if params.enablePersistence {
 		if _, err := conn.SetSyncResponsePersistence(s.ctx, &proto.SetSyncResponsePersistenceRequest{
 			Enabled: true,
 		}); err != nil {
@@ -417,6 +397,26 @@ func (s *serviceClient) configureServiceForDebug(
 	if _, err := conn.StartCPUProfile(s.ctx, &proto.StartCPUProfileRequest{}); err != nil {
 		log.Warnf("failed to start CPU profiling: %v", err)
 	}
+
+	s.startBundleCaptureIfEnabled(conn, params)
+}
+
+func (s *serviceClient) startBundleCaptureIfEnabled(conn proto.DaemonServiceClient, params *debugCollectionParams) {
+	if !params.capture {
+		return
+	}
+
+	const maxCapture = 10 * time.Minute
+	timeout := params.duration + 30*time.Second
+	if timeout > maxCapture {
+		timeout = maxCapture
+		log.Warnf("packet capture clamped to %s (server maximum)", maxCapture)
+	}
+	if _, err := conn.StartBundleCapture(s.ctx, &proto.StartBundleCaptureRequest{
+		Timeout: durationpb.New(timeout),
+	}); err != nil {
+		log.Warnf("failed to start bundle capture: %v", err)
+	}
 }
 
 func (s *serviceClient) collectDebugData(
@@ -430,7 +430,7 @@ func (s *serviceClient) collectDebugData(
 	var wg sync.WaitGroup
 	startProgressTracker(ctx, &wg, params.duration, progress)
 
-	s.configureServiceForDebug(conn, state, params.enablePersistence)
+	s.configureServiceForDebug(conn, state, params)
 
 	wg.Wait()
 	progress.progressBar.Hide()
@@ -440,6 +440,14 @@ func (s *serviceClient) collectDebugData(
 		log.Warnf("failed to stop CPU profiling: %v", err)
 	}
 
+	if params.capture {
+		stopCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		if _, err := conn.StopBundleCapture(stopCtx, &proto.StopBundleCaptureRequest{}); err != nil {
+			log.Warnf("failed to stop bundle capture: %v", err)
+		}
+	}
+
 	return nil
 }
 
@@ -520,18 +528,37 @@ func handleError(progress *progressUI, errMsg string) {
 }
 
 func (s *serviceClient) handleDebugCreation(
-	anonymize bool,
-	systemInfo bool,
-	upload bool,
-	uploadURL string,
+	params *debugCollectionParams,
 	statusLabel *widget.Label,
 	uiControls []fyne.Disableable,
 	w fyne.Window,
 ) {
-	log.Infof("Creating debug bundle (Anonymized: %v, System Info: %v, Upload Attempt: %v)...",
-		anonymize, systemInfo, upload)
+	conn, err := s.getSrvClient(failFastTimeout)
+	if err != nil {
+		log.Errorf("Failed to get client for debug: %v", err)
+		statusLabel.SetText(fmt.Sprintf("Error: %v", err))
+		enableUIControls(uiControls)
+		return
+	}
 
-	resp, err := s.createDebugBundle(anonymize, systemInfo, uploadURL)
+	if params.capture {
+		if _, err := conn.StartBundleCapture(s.ctx, &proto.StartBundleCaptureRequest{
+			Timeout: durationpb.New(30 * time.Second),
+		}); err != nil {
+			log.Warnf("failed to start bundle capture: %v", err)
+		} else {
+			defer func() {
+				stopCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+				defer cancel()
+				if _, err := conn.StopBundleCapture(stopCtx, &proto.StopBundleCaptureRequest{}); err != nil {
+					log.Warnf("failed to stop bundle capture: %v", err)
+				}
+			}()
+			time.Sleep(2 * time.Second)
+		}
+	}
+
+	resp, err := s.createDebugBundle(params.anonymize, params.systemInfo, params.uploadURL)
 	if err != nil {
 		log.Errorf("Failed to create debug bundle: %v", err)
 		statusLabel.SetText(fmt.Sprintf("Error creating bundle: %v", err))
@@ -543,7 +570,7 @@ func (s *serviceClient) handleDebugCreation(
 	uploadFailureReason := resp.GetUploadFailureReason()
 	uploadedKey := resp.GetUploadedKey()
 
-	if upload {
+	if params.upload {
 		if uploadFailureReason != "" {
 			showUploadFailedDialog(w, localPath, uploadFailureReason)
 		} else {

client/wasm/cmd/main.go

@@ -5,6 +5,7 @@ package main
 import (
 	"context"
 	"fmt"
+	"sync"
 	"syscall/js"
 	"time"
 
@@ -14,6 +15,7 @@ import (
 	netbird "github.com/netbirdio/netbird/client/embed"
 	sshdetection "github.com/netbirdio/netbird/client/ssh/detection"
 	nbstatus "github.com/netbirdio/netbird/client/status"
+	wasmcapture "github.com/netbirdio/netbird/client/wasm/internal/capture"
 	"github.com/netbirdio/netbird/client/wasm/internal/http"
 	"github.com/netbirdio/netbird/client/wasm/internal/rdp"
 	"github.com/netbirdio/netbird/client/wasm/internal/ssh"
@@ -459,6 +461,95 @@ func createSetLogLevelMethod(client *netbird.Client) js.Func {
 	})
 }
 
+// createStartCaptureMethod creates the programmable packet capture method.
+// Returns a JS interface with onpacket callback and stop() method.
+//
+// Usage from JavaScript:
+//
+//	const cap = await client.startCapture({ filter: "tcp port 443", verbose: true })
+//	cap.onpacket = (line) => console.log(line)
+//	const stats = cap.stop()
+func createStartCaptureMethod(client *netbird.Client) js.Func {
+	return js.FuncOf(func(_ js.Value, args []js.Value) any {
+		var opts js.Value
+		if len(args) > 0 {
+			opts = args[0]
+		}
+
+		return createPromise(func(resolve, reject js.Value) {
+			iface, err := wasmcapture.Start(client, opts)
+			if err != nil {
+				reject.Invoke(js.ValueOf(fmt.Sprintf("start capture: %v", err)))
+				return
+			}
+			resolve.Invoke(iface)
+		})
+	})
+}
+
+// captureMethods returns capture() and stopCapture() that share state for
+// the console-log shortcut. capture() logs packets to the browser console
+// and stopCapture() ends it, like Ctrl+C on the CLI.
+//
+// Usage from browser devtools console:
+//
+//	await client.capture()              // capture all packets
+//	await client.capture("tcp")         // capture with filter
+//	await client.capture({filter: "host 10.0.0.1", verbose: true})
+//	client.stopCapture()                // stop and print stats
+func captureMethods(client *netbird.Client) (startFn, stopFn js.Func) {
+	var mu sync.Mutex
+	var active *wasmcapture.Handle
+
+	startFn = js.FuncOf(func(_ js.Value, args []js.Value) any {
+		var opts js.Value
+		if len(args) > 0 {
+			opts = args[0]
+		}
+
+		return createPromise(func(resolve, reject js.Value) {
+			mu.Lock()
+			defer mu.Unlock()
+
+			if active != nil {
+				active.Stop()
+				active = nil
+			}
+
+			h, err := wasmcapture.StartConsole(client, opts)
+			if err != nil {
+				reject.Invoke(js.ValueOf(fmt.Sprintf("start capture: %v", err)))
+				return
+			}
+			active = h
+
+			console := js.Global().Get("console")
+			console.Call("log", "[capture] started, call client.stopCapture() to stop")
+			resolve.Invoke(js.Undefined())
+		})
+	})
+
+	stopFn = js.FuncOf(func(_ js.Value, _ []js.Value) any {
+		mu.Lock()
+		defer mu.Unlock()
+
+		if active == nil {
+			js.Global().Get("console").Call("log", "[capture] no active capture")
+			return js.Undefined()
+		}
+
+		stats := active.Stop()
+		active = nil
+
+		console := js.Global().Get("console")
+		console.Call("log", fmt.Sprintf("[capture] stopped: %d packets, %d bytes, %d dropped",
+			stats.Packets, stats.Bytes, stats.Dropped))
+		return js.Undefined()
+	})
+
+	return startFn, stopFn
+}
+
 // createPromise is a helper to create JavaScript promises
 func createPromise(handler func(resolve, reject js.Value)) js.Value {
 	return js.Global().Get("Promise").New(js.FuncOf(func(_ js.Value, promiseArgs []js.Value) any {
@@ -521,6 +612,11 @@ func createClientObject(client *netbird.Client) js.Value {
 	obj["statusDetail"] = createStatusDetailMethod(client)
 	obj["getSyncResponse"] = createGetSyncResponseMethod(client)
 	obj["setLogLevel"] = createSetLogLevelMethod(client)
+	obj["startCapture"] = createStartCaptureMethod(client)
+
+	capStart, capStop := captureMethods(client)
+	obj["capture"] = capStart
+	obj["stopCapture"] = capStop
 
 	return js.ValueOf(obj)
 }

client/wasm/internal/capture/capture.go

@@ -0,0 +1,176 @@
+//go:build js
+
+// Package capture bridges the util/capture package to JavaScript via syscall/js.
+package capture
+
+import (
+	"strings"
+	"sync"
+	"syscall/js"
+
+	netbird "github.com/netbirdio/netbird/client/embed"
+)
+
+// Handle holds a running capture session so it can be stopped later.
+type Handle struct {
+	cs      *netbird.CaptureSession
+	stopFn  js.Func
+	stopped bool
+}
+
+// Stop ends the capture and returns stats.
+func (h *Handle) Stop() netbird.CaptureStats {
+	if h.stopped {
+		return h.cs.Stats()
+	}
+	h.stopped = true
+	h.stopFn.Release()
+
+	h.cs.Stop()
+	return h.cs.Stats()
+}
+
+func statsToJS(s netbird.CaptureStats) js.Value {
+	obj := js.Global().Get("Object").Call("create", js.Null())
+	obj.Set("packets", js.ValueOf(s.Packets))
+	obj.Set("bytes", js.ValueOf(s.Bytes))
+	obj.Set("dropped", js.ValueOf(s.Dropped))
+	return obj
+}
+
+// parseOpts extracts filter/verbose/ascii from a JS options value.
+func parseOpts(jsOpts js.Value) (filter string, verbose, ascii bool) {
+	if jsOpts.IsNull() || jsOpts.IsUndefined() {
+		return
+	}
+	if jsOpts.Type() == js.TypeString {
+		filter = jsOpts.String()
+		return
+	}
+	if jsOpts.Type() != js.TypeObject {
+		return
+	}
+	if f := jsOpts.Get("filter"); !f.IsUndefined() && !f.IsNull() {
+		filter = f.String()
+	}
+	if v := jsOpts.Get("verbose"); !v.IsUndefined() {
+		verbose = v.Truthy()
+	}
+	if a := jsOpts.Get("ascii"); !a.IsUndefined() {
+		ascii = a.Truthy()
+	}
+	return
+}
+
+// Start creates a capture session and returns a JS interface for streaming text
+// output. The returned object exposes:
+//
+//	onpacket(callback)  - set callback(string) for each text line
+//	stop()              - stop capture and return stats { packets, bytes, dropped }
+//
+// Options: { filter: string, verbose: bool, ascii: bool } or just a filter string.
+func Start(client *netbird.Client, jsOpts js.Value) (js.Value, error) {
+	filter, verbose, ascii := parseOpts(jsOpts)
+
+	cb := &jsCallbackWriter{}
+
+	cs, err := client.StartCapture(netbird.CaptureOptions{
+		TextOutput: cb,
+		Filter:     filter,
+		Verbose:    verbose,
+		ASCII:      ascii,
+	})
+	if err != nil {
+		return js.Undefined(), err
+	}
+
+	handle := &Handle{cs: cs}
+
+	iface := js.Global().Get("Object").Call("create", js.Null())
+	handle.stopFn = js.FuncOf(func(_ js.Value, _ []js.Value) any {
+		return statsToJS(handle.Stop())
+	})
+	iface.Set("stop", handle.stopFn)
+	iface.Set("onpacket", js.Undefined())
+	cb.setInterface(iface)
+
+	return iface, nil
+}
+
+// StartConsole starts a capture that logs every packet line to console.log.
+// Returns a Handle so the caller can stop it later.
+func StartConsole(client *netbird.Client, jsOpts js.Value) (*Handle, error) {
+	filter, verbose, ascii := parseOpts(jsOpts)
+
+	cb := &jsCallbackWriter{}
+
+	cs, err := client.StartCapture(netbird.CaptureOptions{
+		TextOutput: cb,
+		Filter:     filter,
+		Verbose:    verbose,
+		ASCII:      ascii,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	handle := &Handle{cs: cs}
+	handle.stopFn = js.FuncOf(func(_ js.Value, _ []js.Value) any {
+		return statsToJS(handle.Stop())
+	})
+
+	iface := js.Global().Get("Object").Call("create", js.Null())
+	console := js.Global().Get("console")
+	iface.Set("onpacket", console.Get("log").Call("bind", console, js.ValueOf("[capture]")))
+	cb.setInterface(iface)
+
+	return handle, nil
+}
+
+// jsCallbackWriter is an io.Writer that buffers text until a newline, then
+// invokes the JS onpacket callback with each complete line.
+type jsCallbackWriter struct {
+	mu    sync.Mutex
+	iface js.Value
+	buf   strings.Builder
+}
+
+func (w *jsCallbackWriter) setInterface(iface js.Value) {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+	w.iface = iface
+}
+
+func (w *jsCallbackWriter) Write(p []byte) (int, error) {
+	w.mu.Lock()
+	w.buf.Write(p)
+
+	var lines []string
+	for {
+		str := w.buf.String()
+		idx := strings.IndexByte(str, '\n')
+		if idx < 0 {
+			break
+		}
+		lines = append(lines, str[:idx])
+		w.buf.Reset()
+		if idx+1 < len(str) {
+			w.buf.WriteString(str[idx+1:])
+		}
+	}
+
+	iface := w.iface
+	w.mu.Unlock()
+
+	if iface.IsUndefined() {
+		return len(p), nil
+	}
+	cb := iface.Get("onpacket")
+	if cb.IsUndefined() || cb.IsNull() {
+		return len(p), nil
+	}
+	for _, line := range lines {
+		cb.Invoke(js.ValueOf(line))
+	}
+	return len(p), nil
+}

combined/cmd/config.go

@@ -133,18 +133,13 @@ type ManagementConfig struct {
 
 // AuthConfig contains authentication/identity provider settings
 type AuthConfig struct {
-	Issuer                          string            `yaml:"issuer"`
-	LocalAuthDisabled               bool              `yaml:"localAuthDisabled"`
-	SignKeyRefreshEnabled           bool              `yaml:"signKeyRefreshEnabled"`
-	MfaSessionMaxLifetime           string            `yaml:"mfaSessionMaxLifetime"`
-	MfaSessionIdleTimeout           string            `yaml:"mfaSessionIdleTimeout"`
-	MfaSessionRememberMe            bool              `yaml:"mfaSessionRememberMe"`
-	SessionCookieEncryptionKey      string            `yaml:"sessionCookieEncryptionKey"`
-	Storage                         AuthStorageConfig `yaml:"storage"`
-	DashboardRedirectURIs           []string          `yaml:"dashboardRedirectURIs"`
-	CLIRedirectURIs                 []string          `yaml:"cliRedirectURIs"`
-	Owner                           *AuthOwnerConfig  `yaml:"owner,omitempty"`
-	DashboardPostLogoutRedirectURIs []string          `yaml:"dashboardPostLogoutRedirectURIs"`
+	Issuer                string            `yaml:"issuer"`
+	LocalAuthDisabled     bool              `yaml:"localAuthDisabled"`
+	SignKeyRefreshEnabled bool              `yaml:"signKeyRefreshEnabled"`
+	Storage               AuthStorageConfig `yaml:"storage"`
+	DashboardRedirectURIs []string          `yaml:"dashboardRedirectURIs"`
+	CLIRedirectURIs       []string          `yaml:"cliRedirectURIs"`
+	Owner                 *AuthOwnerConfig  `yaml:"owner,omitempty"`
 }
 
 // AuthStorageConfig contains auth storage settings
@@ -586,14 +581,10 @@ func (c *CombinedConfig) buildEmbeddedIdPConfig(mgmt ManagementConfig) (*idp.Emb
 	}
 
 	cfg := &idp.EmbeddedIdPConfig{
-		Enabled:                    true,
-		Issuer:                     mgmt.Auth.Issuer,
-		LocalAuthDisabled:          mgmt.Auth.LocalAuthDisabled,
-		SignKeyRefreshEnabled:      mgmt.Auth.SignKeyRefreshEnabled,
-		MfaSessionMaxLifetime:      mgmt.Auth.MfaSessionMaxLifetime,
-		MfaSessionIdleTimeout:      mgmt.Auth.MfaSessionIdleTimeout,
-		MfaSessionRememberMe:       mgmt.Auth.MfaSessionRememberMe,
-		SessionCookieEncryptionKey: mgmt.Auth.SessionCookieEncryptionKey,
+		Enabled:               true,
+		Issuer:                mgmt.Auth.Issuer,
+		LocalAuthDisabled:     mgmt.Auth.LocalAuthDisabled,
+		SignKeyRefreshEnabled: mgmt.Auth.SignKeyRefreshEnabled,
 		Storage: idp.EmbeddedStorageConfig{
 			Type: authStorageType,
 			Config: idp.EmbeddedStorageTypeConfig{
@@ -601,9 +592,8 @@ func (c *CombinedConfig) buildEmbeddedIdPConfig(mgmt ManagementConfig) (*idp.Emb
 				DSN:  authStorageDSN,
 			},
 		},
-		DashboardRedirectURIs:           mgmt.Auth.DashboardRedirectURIs,
-		CLIRedirectURIs:                 mgmt.Auth.CLIRedirectURIs,
-		DashboardPostLogoutRedirectURIs: mgmt.Auth.DashboardPostLogoutRedirectURIs,
+		DashboardRedirectURIs: mgmt.Auth.DashboardRedirectURIs,
+		CLIRedirectURIs:       mgmt.Auth.CLIRedirectURIs,
 	}
 
 	if mgmt.Auth.Owner != nil && mgmt.Auth.Owner.Email != "" {

combined/config.yaml.example

@@ -86,13 +86,6 @@ server:
     issuer: "https://example.com/oauth2"
     localAuthDisabled: false
     signKeyRefreshEnabled: false
-    # MFA session settings (applies when TOTP is enabled for an account)
-    # mfaSessionMaxLifetime: "24h"  # Max duration for an MFA session from creation
-    # mfaSessionIdleTimeout: "1h"   # MFA session expires after this idle period
-    # mfaSessionRememberMe: false   # Pre-check "remember me" on login so the MFA session persists across tabs/restarts
-    # Optional AES key for encrypting embedded IdP session cookies. Can also be set via NB_IDP_SESSION_COOKIE_ENCRYPTION_KEY.
-    # Must be 16/24/32 raw bytes or base64-encoded to one of those lengths (for example: openssl rand -hex 16).
-    # sessionCookieEncryptionKey: ""
     # OAuth2 redirect URIs for dashboard
     dashboardRedirectURIs:
       - "https://app.example.com/nb-auth"
@@ -100,9 +93,6 @@ server:
     # OAuth2 redirect URIs for CLI
     cliRedirectURIs:
       - "http://localhost:53000/"
-    # OAuth2 post-logout redirect URIs for dashboard (RP-initiated logout)
-    # dashboardPostLogoutRedirectURIs:
-    #   - "https://app.example.com/"
     # Optional initial admin user
     # owner:
     #   email: "admin@example.com"

flow/client/client.go

@@ -13,11 +13,9 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/keepalive"
-	"google.golang.org/grpc/status"
 
 	nbgrpc "github.com/netbirdio/netbird/client/grpc"
 	"github.com/netbirdio/netbird/flow/proto"
@@ -301,12 +299,11 @@ func defaultBackoff(ctx context.Context, interval time.Duration) backoff.BackOff
 	}, ctx)
 }
 
+// isContextDone reports whether the local context has been canceled or has
+// exceeded its deadline. It deliberately does not inspect gRPC status codes:
+// a server- or proxy-sent codes.Canceled / codes.DeadlineExceeded must not
+// short-circuit our retry loop, since retrying is the correct response when
+// the local context is still alive.
 func isContextDone(err error) bool {
-	if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
-		return true
-	}
-	if s, ok := status.FromError(err); ok {
-		return s.Code() == codes.Canceled || s.Code() == codes.DeadlineExceeded
-	}
-	return false
+	return errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded)
 }

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/onsi/gomega v1.27.6
 	github.com/rs/cors v1.8.0
 	github.com/sirupsen/logrus v1.9.4
-	github.com/spf13/cobra v1.10.2
+	github.com/spf13/cobra v1.10.1
 	github.com/spf13/pflag v1.0.9
 	github.com/vishvananda/netlink v1.3.1
 	golang.org/x/crypto v0.50.0
@@ -41,11 +41,11 @@ require (
 	github.com/cilium/ebpf v0.15.0
 	github.com/coder/websocket v1.8.14
 	github.com/coreos/go-iptables v0.7.0
-	github.com/coreos/go-oidc/v3 v3.18.0
+	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/creack/pty v1.1.24
 	github.com/crowdsecurity/crowdsec v1.7.7
 	github.com/crowdsecurity/go-cs-bouncer v0.0.21
-	github.com/dexidp/dex v2.13.0+incompatible
+	github.com/dexidp/dex v0.0.0-00010101000000-000000000000
 	github.com/dexidp/dex/api/v2 v2.4.0
 	github.com/ebitengine/purego v0.8.4
 	github.com/eko/gocache/lib/v4 v4.2.0
@@ -53,9 +53,9 @@ require (
 	github.com/eko/gocache/store/redis/v4 v4.2.2
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/gliderlabs/ssh v0.3.8
-	github.com/go-jose/go-jose/v4 v4.1.4
+	github.com/go-jose/go-jose/v4 v4.1.3
 	github.com/godbus/dbus/v5 v5.1.0
-	github.com/golang-jwt/jwt/v5 v5.3.1
+	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/golang/mock v1.6.0
 	github.com/google/go-cmp v0.7.0
 	github.com/google/gopacket v1.1.19
@@ -68,9 +68,10 @@ require (
 	github.com/jackc/pgx/v5 v5.5.5
 	github.com/libdns/route53 v1.5.0
 	github.com/libp2p/go-nat v0.2.0
-	github.com/libp2p/go-netroute v0.2.1
+	github.com/libp2p/go-netroute v0.4.0
 	github.com/lrh3321/ipset-go v0.0.0-20250619021614-54a0a98ace81
 	github.com/mdlayher/socket v0.5.1
+	github.com/mdp/qrterminal/v3 v3.2.1
 	github.com/miekg/dns v1.1.59
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/netbirdio/management-integrations/integrations v0.0.0-20260416123949-2355d972be42
@@ -112,7 +113,7 @@ require (
 	go.opentelemetry.io/otel/exporters/prometheus v0.64.0
 	go.opentelemetry.io/otel/metric v1.43.0
 	go.opentelemetry.io/otel/sdk/metric v1.43.0
-	go.uber.org/mock v0.6.0
+	go.uber.org/mock v0.5.2
 	go.uber.org/zap v1.27.0
 	goauthentik.io/api/v3 v3.2023051.3
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
@@ -140,7 +141,7 @@ require (
 	filippo.io/edwards25519 v1.1.1 // indirect
 	github.com/AppsFlyer/go-sundheit v0.6.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
-	github.com/Azure/go-ntlmssp v0.1.0 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.3.0 // indirect
@@ -167,7 +168,6 @@ require (
 	github.com/aws/smithy-go v1.23.0 // indirect
 	github.com/beevik/etree v1.6.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
@@ -183,7 +183,6 @@ require (
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fredbi/uri v1.1.1 // indirect
-	github.com/fxamacker/cbor/v2 v2.9.1 // indirect
 	github.com/fyne-io/gl-js v0.2.0 // indirect
 	github.com/fyne-io/glfw-js v0.3.0 // indirect
 	github.com/fyne-io/image v0.1.1 // indirect
@@ -191,7 +190,7 @@ require (
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71 // indirect
 	github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a // indirect
-	github.com/go-ldap/ldap/v3 v3.4.13 // indirect
+	github.com/go-ldap/ldap/v3 v3.4.12 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
@@ -207,15 +206,11 @@ require (
 	github.com/go-sql-driver/mysql v1.9.3 // indirect
 	github.com/go-text/render v0.2.0 // indirect
 	github.com/go-text/typesetting v0.2.1 // indirect
-	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
-	github.com/go-webauthn/webauthn v0.16.4 // indirect
-	github.com/go-webauthn/x v0.2.3 // indirect
 	github.com/goccy/go-yaml v1.18.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/go-tpm v0.9.8 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
 	github.com/googleapis/gax-go/v2 v2.21.0 // indirect
@@ -223,13 +218,7 @@ require (
 	github.com/hack-pad/go-indexeddb v0.3.2 // indirect
 	github.com/hack-pad/safejs v0.1.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
-	github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 // indirect
-	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
-	github.com/hashicorp/go-sockaddr v1.0.7 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
-	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/huin/goupnp v1.2.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -249,13 +238,13 @@ require (
 	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/koron/go-ssdp v0.0.4 // indirect
 	github.com/kr/fs v0.1.0 // indirect
-	github.com/lib/pq v1.12.3 // indirect
+	github.com/lib/pq v1.10.9 // indirect
 	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae // indirect
 	github.com/magiconair/properties v1.8.10 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
-	github.com/mattn/go-sqlite3 v1.14.42 // indirect
+	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/mdelapenya/tlscert v0.2.0 // indirect
 	github.com/mdlayher/genetlink v1.3.2 // indirect
 	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
@@ -276,10 +265,8 @@ require (
 	github.com/nxadm/tail v1.4.11 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
-	github.com/openbao/openbao/api/v2 v2.5.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/philhofer/fwd v1.2.0 // indirect
 	github.com/pion/dtls/v2 v2.2.10 // indirect
 	github.com/pion/dtls/v3 v3.0.9 // indirect
 	github.com/pion/mdns/v2 v2.0.7 // indirect
@@ -288,13 +275,11 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/pquerna/otp v1.5.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.67.5 // indirect
 	github.com/prometheus/otlptranslator v1.0.0 // indirect
 	github.com/prometheus/procfs v0.19.2 // indirect
 	github.com/russellhaering/goxmldsig v1.6.0 // indirect
-	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/rymdport/portal v0.4.2 // indirect
 	github.com/shirou/gopsutil/v4 v4.25.8 // indirect
 	github.com/shoenig/go-m1cpu v0.2.1 // indirect
@@ -303,13 +288,11 @@ require (
 	github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c // indirect
 	github.com/srwiley/rasterx v0.0.0-20220730225603-2ab79fcdd4ef // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/tinylib/msgp v1.6.3 // indirect
 	github.com/tklauser/go-sysconf v0.3.15 // indirect
 	github.com/tklauser/numcpus v0.10.0 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/wlynxg/anet v0.0.5 // indirect
-	github.com/x448/float16 v0.8.4 // indirect
 	github.com/yuin/goldmark v1.7.8 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.mongodb.org/mongo-driver v1.17.9 // indirect
@@ -327,6 +310,7 @@ require (
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	rsc.io/qr v0.2.0 // indirect
 )
 
 replace github.com/kardianos/service => github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502
@@ -335,14 +319,10 @@ replace github.com/getlantern/systray => github.com/netbirdio/systray v0.0.0-202
 
 replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-20260107100953-33b7c9d03db0
 
-replace github.com/cloudflare/circl => codeberg.org/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6
+replace github.com/cloudflare/circl => github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6
 
 replace github.com/pion/ice/v4 => github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51
 
-replace github.com/libp2p/go-netroute => github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944
-
-replace github.com/dexidp/dex => github.com/netbirdio/dex v0.244.1-0.20260415145816-a0c6b40ff9f2
-
-replace github.com/dexidp/dex/api/v2 => github.com/netbirdio/dex/api/v2 v2.0.0-20260415145816-a0c6b40ff9f2
+replace github.com/dexidp/dex => github.com/netbirdio/dex v0.244.0
 
 replace github.com/mailru/easyjson => github.com/netbirdio/easyjson v0.9.0

go.sum

@@ -5,8 +5,6 @@ cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3R
 cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
-codeberg.org/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6 h1:b8xUw3004wk+3ipBhu0VU4RtUJsegMIiqjxSK4++lzA=
-codeberg.org/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6/go.mod h1:+CauBF6R70Jqcyl8N2hC8pAXYbWkGIezuSbuGLtRhnw=
 cunicu.li/go-rosenpass v0.4.0 h1:LtPtBgFWY/9emfgC4glKLEqS0MJTylzV6+ChRhiZERw=
 cunicu.li/go-rosenpass v0.4.0/go.mod h1:MPbjH9nxV4l3vEagKVdFNwHOketqgS5/To1VYJplf/M=
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
@@ -25,8 +23,8 @@ github.com/AppsFlyer/go-sundheit v0.6.0 h1:d2hBvCjBSb2lUsEWGfPigr4MCOt04sxB+Rppl
 github.com/AppsFlyer/go-sundheit v0.6.0/go.mod h1:LDdBHD6tQBtmHsdW+i1GwdTt6Wqc0qazf5ZEJVTbTME=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+A=
-github.com/Azure/go-ntlmssp v0.1.0/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
@@ -93,8 +91,6 @@ github.com/beevik/etree v1.6.0/go.mod h1:bh4zJxiIr62SOf9pRzN7UUYaEDa9HEKafK25+sL
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
-github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
-github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
 github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
@@ -121,8 +117,8 @@ github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpS
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
 github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
-github.com/coreos/go-oidc/v3 v3.18.0 h1:V9orjXynvu5wiC9SemFTWnG4F45v403aIcjWo0d41+A=
-github.com/coreos/go-oidc/v3 v3.18.0/go.mod h1:DYCf24+ncYi+XkIH97GY1+dqoRlbaSI26KVTCI9SrY4=
+github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
+github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA=
 github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
@@ -134,10 +130,14 @@ github.com/crowdsecurity/go-cs-bouncer v0.0.21 h1:arPz0VtdVSaz+auOSfHythzkZVLyy1
 github.com/crowdsecurity/go-cs-bouncer v0.0.21/go.mod h1:4JiH0XXA4KKnnWThItUpe5+heJHWzsLOSA2IWJqUDBA=
 github.com/crowdsecurity/go-cs-lib v0.0.25 h1:Ov6VPW9yV+OPsbAIQk1iTkEWhwkpaG0v3lrBzeqjzj4=
 github.com/crowdsecurity/go-cs-lib v0.0.25/go.mod h1:X0GMJY2CxdA1S09SpuqIKaWQsvRGxXmecUp9cP599dE=
+github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6 h1:/DS5cDX3FJdl+XaN2D7XAwFpuanTxnp52DBLZAaJKx0=
+github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6/go.mod h1:+CauBF6R70Jqcyl8N2hC8pAXYbWkGIezuSbuGLtRhnw=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dexidp/dex/api/v2 v2.4.0 h1:gNba7n6BKVp8X4Jp24cxYn5rIIGhM6kDOXcZoL6tr9A=
+github.com/dexidp/dex/api/v2 v2.4.0/go.mod h1:/p550ADvFFh7K95VmhUD+jgm15VdaNnab9td8DHOpyI=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
@@ -156,8 +156,6 @@ github.com/eko/gocache/store/go_cache/v4 v4.2.2 h1:tAI9nl6TLoJyKG1ujF0CS0n/IgTEM
 github.com/eko/gocache/store/go_cache/v4 v4.2.2/go.mod h1:T9zkHokzr8K9EiC7RfMbDg6HSwaV6rv3UdcNu13SGcA=
 github.com/eko/gocache/store/redis/v4 v4.2.2 h1:Thw31fzGuH3WzJywsdbMivOmP550D6JS7GDHhvCJPA0=
 github.com/eko/gocache/store/redis/v4 v4.2.2/go.mod h1:LaTxLKx9TG/YUEybQvPMij++D7PBTIJ4+pzvk0ykz0w=
-github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
-github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/felixge/fgprof v0.9.3 h1:VvyZxILNuCiUCSXtPtYmmtGvb65nqXh2QFWc0Wpf2/g=
 github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -173,8 +171,6 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/fxamacker/cbor/v2 v2.9.1 h1:2rWm8B193Ll4VdjsJY28jxs70IdDsHRWgQYAI80+rMQ=
-github.com/fxamacker/cbor/v2 v2.9.1/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/fyne-io/gl-js v0.2.0 h1:+EXMLVEa18EfkXBVKhifYB6OGs3HwKO3lUElA0LlAjs=
 github.com/fyne-io/gl-js v0.2.0/go.mod h1:ZcepK8vmOYLu96JoxbCKJy2ybr+g1pTnaBDdl7c3ajI=
 github.com/fyne-io/glfw-js v0.3.0 h1:d8k2+Y7l+zy2pc7wlGRyPfTgZoqDf3AI4G+2zOWhWUk=
@@ -193,10 +189,10 @@ github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71 h1:5BVwOaUSBTlVZowGO6VZGw
 github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71/go.mod h1:9YTyiznxEY1fVinfM7RvRcjRHbw2xLBJ3AAGIT0I4Nw=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a h1:vxnBhFDDT+xzxf1jTJKMKZw3H0swfWk9RpWbBbDK5+0=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
-github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
-github.com/go-ldap/ldap/v3 v3.4.13 h1:+x1nG9h+MZN7h/lUi5Q3UZ0fJ1GyDQYbPvbuH38baDQ=
-github.com/go-ldap/ldap/v3 v3.4.13/go.mod h1:LxsGZV6vbaK0sIvYfsv47rfh4ca0JXokCoKjZxsszv0=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
+github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -233,20 +229,12 @@ github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI6
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
-github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
-github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/go-text/render v0.2.0 h1:LBYoTmp5jYiJ4NPqDc2pz17MLmA3wHw1dZSVGcOdeAc=
 github.com/go-text/render v0.2.0/go.mod h1:CkiqfukRGKJA5vZZISkjSYrcdtgKQWRa2HIzvwNN5SU=
 github.com/go-text/typesetting v0.2.1 h1:x0jMOGyO3d1qFAPI0j4GSsh7M0Q3Ypjzr4+CEVg82V8=
 github.com/go-text/typesetting v0.2.1/go.mod h1:mTOxEwasOFpAMBjEQDhdWRckoLLeI/+qrQeBCTGEt6M=
 github.com/go-text/typesetting-utils v0.0.0-20241103174707-87a29e9e6066 h1:qCuYC+94v2xrb1PoS4NIDe7DGYtLnU2wWiQe9a1B1c0=
 github.com/go-text/typesetting-utils v0.0.0-20241103174707-87a29e9e6066/go.mod h1:DDxDdQEnB70R8owOx3LVpEFvpMK9eeH1o2r0yZhFI9o=
-github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
-github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
-github.com/go-webauthn/webauthn v0.16.4 h1:R9jqR/cYZa7hRquFF7Za/8qoH/K/TIs1/Q/4CyGN+1Q=
-github.com/go-webauthn/webauthn v0.16.4/go.mod h1:SU2ljAgToTV/YLPI0C05QS4qn+e04WpB5g1RMfcZfS4=
-github.com/go-webauthn/x v0.2.3 h1:8oArS+Rc1SWFLXhE17KZNx258Z4kUSyaDgsSncCO5RA=
-github.com/go-webauthn/x v0.2.3/go.mod h1:tM04GF3V6VYq79AZMl7vbj4q6pz9r7L2criWRzbWhPk=
 github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
 github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
@@ -255,8 +243,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
-github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -288,10 +276,6 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
-github.com/google/go-tpm v0.9.8 h1:slArAR9Ft+1ybZu0lBwpSmpwhRXaa85hWtMinMyRAWo=
-github.com/google/go-tpm v0.9.8/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
-github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba h1:qJEJcuLzH5KDR0gKc0zcktin6KSAwL7+jWKBYceddTc=
-github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba/go.mod h1:EFYHy8/1y2KfgTAsx7Luu7NGhoxtuVHnNo8jE7FikKc=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
@@ -324,29 +308,15 @@ github.com/hack-pad/safejs v0.1.0/go.mod h1:HdS+bKF1NrE72VoXZeWzxFOVQVUSqZJAG0xN
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
-github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
-github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48=
-github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
-github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 h1:U+kC2dOhMFQctRfhK0gRctKAPTloZdMU5ZJxaesJ/VM=
-github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0/go.mod h1:Ll013mhdmsVDuoIXVfBtvgGJsXDYkTw1kooNcoCXuE0=
-github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
-github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
-github.com/hashicorp/go-sockaddr v1.0.7 h1:G+pTkSO01HpR5qCxg7lxfsFEZaG+C0VssTy/9dbT+Fw=
-github.com/hashicorp/go-sockaddr v1.0.7/go.mod h1:FZQbEYa1pxkQ7WLpyXJ6cbjpT8q0YgQaK/JakXqGyWw=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
 github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
-github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=
-github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
@@ -417,14 +387,16 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw=
-github.com/lib/pq v1.12.3 h1:tTWxr2YLKwIvK90ZXEw8GP7UFHtcbTtty8zsI+YjrfQ=
-github.com/lib/pq v1.12.3/go.mod h1:/p+8NSbOcwzAEI7wiMXFlgydTwcgTr3OSKMsD2BitpA=
+github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
+github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
 github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/libdns/route53 v1.5.0 h1:2SKdpPFl/qgWsXQvsLNJJAoX7rSxlk7zgoL4jnWdXVA=
 github.com/libdns/route53 v1.5.0/go.mod h1:joT4hKmaTNKHEwb7GmZ65eoDz1whTu7KKYPS8ZqIh6Q=
 github.com/libp2p/go-nat v0.2.0 h1:Tyz+bUFAYqGyJ/ppPPymMGbIgNRH+WqC5QrT5fKrrGk=
 github.com/libp2p/go-nat v0.2.0/go.mod h1:3MJr+GRpRkyT65EpVPBstXLvOlAPzUVlG6Pwg9ohLJk=
+github.com/libp2p/go-netroute v0.4.0 h1:sZZx9hyANYUx9PZyqcgE/E1GUG3iEtTZHUEvdtXT7/Q=
+github.com/libp2p/go-netroute v0.4.0/go.mod h1:Nkd5ShYgSMS5MUKy/MU2T57xFoOKvvLR92Lic48LEyA=
 github.com/lrh3321/ipset-go v0.0.0-20250619021614-54a0a98ace81 h1:J56rFEfUTFT9j9CiRXhi1r8lUJ4W5idG3CiaBZGojNU=
 github.com/lrh3321/ipset-go v0.0.0-20250619021614-54a0a98ace81/go.mod h1:RD8ML/YdXctQ7qbcizZkw5mZ6l8Ogrl1dodBzVJduwI=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
@@ -434,13 +406,9 @@ github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8S
 github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
-github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
-github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.42 h1:MigqEP4ZmHw3aIdIT7T+9TLa90Z6smwcthx+Azv4Cgo=
-github.com/mattn/go-sqlite3 v1.14.42/go.mod h1:pjEuOr8IwzLJP2MfGeTb0A35jauH+C2kbHKBr7yXKVQ=
+github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
+github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mdelapenya/tlscert v0.2.0 h1:7H81W6Z/4weDvZBNOfQte5GpIMo0lGYEeWbkGp5LJHI=
 github.com/mdelapenya/tlscert v0.2.0/go.mod h1:O4njj3ELLnJjGdkN7M/vIVCpZ+Cf0L6muqOG4tLSl8o=
 github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
@@ -449,6 +417,8 @@ github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0
 github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
 github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
 github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
+github.com/mdp/qrterminal/v3 v3.2.1 h1:6+yQjiiOsSuXT5n9/m60E54vdgFsw0zhADHhHLrFet4=
+github.com/mdp/qrterminal/v3 v3.2.1/go.mod h1:jOTmXvnBsMy5xqLniO0R++Jmjs2sTm9dFSuQ5kpz/SU=
 github.com/mholt/acmez/v2 v2.0.1 h1:3/3N0u1pLjMK4sNEAFSI+bcvzbPhRpY383sy1kLHJ6k=
 github.com/mholt/acmez/v2 v2.0.1/go.mod h1:fX4c9r5jYwMyMsC+7tkYRxHibkOTgta5DIFGoe67e1U=
 github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
@@ -481,14 +451,10 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/netbirdio/dex v0.244.1-0.20260415145816-a0c6b40ff9f2 h1:AP7OM/JnTogod3rVcLsMuilSG94kWQCr3z6R4rfVXnc=
-github.com/netbirdio/dex v0.244.1-0.20260415145816-a0c6b40ff9f2/go.mod h1:+trSlzHNmdJGvz0oLEyyiuaPstUeD7YO6B3Fx9nyziY=
-github.com/netbirdio/dex/api/v2 v2.0.0-20260415145816-a0c6b40ff9f2 h1:HEEGJPsVw7/p7SEL3HWP4vaInxHo8OJSEaOkHpUAk+M=
-github.com/netbirdio/dex/api/v2 v2.0.0-20260415145816-a0c6b40ff9f2/go.mod h1:awuTyT29CYALpEyET0S307EgNlPWrc7fFKRAyhsO45M=
+github.com/netbirdio/dex v0.244.0 h1:1GOvi8wnXYassnKGildzNqRHq0RbcfEUw7LKYpKIN7U=
+github.com/netbirdio/dex v0.244.0/go.mod h1:STGInJhPcAflrHmDO7vyit2kSq03PdL+8zQPoGALtcU=
 github.com/netbirdio/easyjson v0.9.0 h1:6Nw2lghSVuy8RSkAYDhDv1thBVEmfVbKZnV7T7Z6Aus=
 github.com/netbirdio/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
-github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6Sf8uYFx/dMeqNOL90KUoRscdfpFZ3Im89uk=
-github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51 h1:Ov4qdafATOgGMB1wbSuh+0aAHcwz9hdvB6VZjh1mVMI=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51/go.mod h1:ZSIbPdBn5hePO8CpF1PekH2SfpTxg1PDhEwtbqZS7R8=
 github.com/netbirdio/management-integrations/integrations v0.0.0-20260416123949-2355d972be42 h1:F3zS5fT9xzD1OFLfcdAE+3FfyiwjGukF1hvj0jErgs8=
@@ -523,8 +489,6 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
 github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg=
-github.com/openbao/openbao/api/v2 v2.5.1 h1:Br79D6L20SbAa5P7xqENxmvv8LyI4HoKosPy7klhn4o=
-github.com/openbao/openbao/api/v2 v2.5.1/go.mod h1:Dh5un77tqGgMbmlVEqjqN+8/dMyUohnkaQVg/wXW0Ig=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
@@ -537,8 +501,6 @@ github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/petermattis/goid v0.0.0-20250303134427-723919f7f203 h1:E7Kmf11E4K7B5hDti2K2NqPb1nlYlGYsu02S1JNd/Bs=
 github.com/petermattis/goid v0.0.0-20250303134427-723919f7f203/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
-github.com/philhofer/fwd v1.2.0 h1:e6DnBTl7vGY+Gz322/ASL4Gyp1FspeMvx1RNDoToZuM=
-github.com/philhofer/fwd v1.2.0/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/pion/dtls/v2 v2.2.7/go.mod h1:8WiMkebSHFD0T+dIU+UeBaoV7kDhOW5oDCzZ7WZ/F9s=
 github.com/pion/dtls/v2 v2.2.10 h1:u2Axk+FyIR1VFTPurktB+1zoEPGIW3bmyj3LEFrXjAA=
 github.com/pion/dtls/v2 v2.2.10/go.mod h1:d9SYc9fch0CqK90mRk1dC7AkzzpwJj6u2GU3u+9pqFE=
@@ -580,8 +542,6 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
-github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
@@ -605,8 +565,6 @@ github.com/rs/xid v1.3.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/russellhaering/goxmldsig v1.6.0 h1:8fdWXEPh2k/NZNQBPFNoVfS3JmzS4ZprY/sAOpKQLks=
 github.com/russellhaering/goxmldsig v1.6.0/go.mod h1:TrnaquDcYxWXfJrOjeMBTX4mLBeYAqaHEyUeWPxZlBM=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
-github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/rymdport/portal v0.4.2 h1:7jKRSemwlTyVHHrTGgQg7gmNPJs88xkbKcIL3NlcmSU=
 github.com/rymdport/portal v0.4.2/go.mod h1:kFF4jslnJ8pD5uCi17brj/ODlfIidOxlgUDTO5ncnC4=
 github.com/shirou/gopsutil/v3 v3.24.4 h1:dEHgzZXt4LMNm+oYELpzl9YCqV65Yr/6SfrvgRBtXeU=
@@ -629,8 +587,8 @@ github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8 h1:TG/diQgUe0pntT/2D
 github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8/go.mod h1:P5HUIBuIWKbyjl083/loAegFkfbFNx5i2qEP4CNbm7E=
 github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
 github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
-github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
 github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
 github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKkMo8ZTx3f+BZEkzsRUY10Xsm2mwU0=
@@ -670,8 +628,6 @@ github.com/ti-mo/conntrack v0.5.1 h1:opEwkFICnDbQc0BUXl73PHBK0h23jEIFVjXsqvF4GY0
 github.com/ti-mo/conntrack v0.5.1/go.mod h1:T6NCbkMdVU4qEIgwL0njA6lw/iCAbzchlnwm1Sa314o=
 github.com/ti-mo/netfilter v0.5.2 h1:CTjOwFuNNeZ9QPdRXt1MZFLFUf84cKtiQutNauHWd40=
 github.com/ti-mo/netfilter v0.5.2/go.mod h1:Btx3AtFiOVdHReTDmP9AE+hlkOcvIy403u7BXXbWZKo=
-github.com/tinylib/msgp v1.6.3 h1:bCSxiTz386UTgyT1i0MSCvdbWjVW+8sG3PjkGsZQt4s=
-github.com/tinylib/msgp v1.6.3/go.mod h1:RSp0LW9oSxFut3KzESt5Voq4GVWyS+PSulT77roAqEA=
 github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
 github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8Ol49K4=
 github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4=
@@ -690,8 +646,6 @@ github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAh
 github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
 github.com/wlynxg/anet v0.0.5 h1:J3VJGi1gvo0JwZ/P1/Yc/8p63SoW98B5dHkYDmpgvvU=
 github.com/wlynxg/anet v0.0.5/go.mod h1:eay5PRQr7fIVAMbTbchTnO9gG65Hg/uYGdc7mguHxoA=
-github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
-github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
@@ -736,15 +690,14 @@ go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lI
 go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
-go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
-go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 goauthentik.io/api/v3 v3.2023051.3 h1:NebAhD/TeTWNo/9X3/Uj+rM5fG1HaiLOlKTNLQv9Qq4=
 goauthentik.io/api/v3 v3.2023051.3/go.mod h1:nYECml4jGbp/541hj8GcylKQG1gVBsKppHy4+7G8u4U=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -964,3 +917,5 @@ gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 gvisor.dev/gvisor v0.0.0-20260219192049-0f2374377e89 h1:mGJaeA61P8dEHTqdvAgc70ZIV3QoUoJcXCRyyjO26OA=
 gvisor.dev/gvisor v0.0.0-20260219192049-0f2374377e89/go.mod h1:QkHjoMIBaYtpVufgwv3keYAbln78mBoCuShZrPrer1Q=
+rsc.io/qr v0.2.0 h1:6vBLea5/NRMVTz8V66gipeLycZMl/+UlFmk8DvqQ6WY=
+rsc.io/qr v0.2.0/go.mod h1:IF+uZjkb9fqyeF/4tlBoynqmQxUoPfWEKh921coOuXs=

idp/dex/config.go

@@ -51,70 +51,6 @@ type YAMLConfig struct {
 	// StaticPasswords cause the server use this list of passwords rather than
 	// querying the storage.
 	StaticPasswords []Password `yaml:"staticPasswords" json:"staticPasswords"`
-
-	// Sessions holds authentication session configuration.
-	// Requires DEX_SESSIONS_ENABLED=true feature flag.
-	Sessions *Sessions `yaml:"sessions" json:"sessions"`
-
-	// MFA holds multi-factor authentication configuration.
-	MFA MFAConfig `yaml:"mfa" json:"mfa"`
-}
-
-type Sessions struct {
-	// CookieName is the name of the session cookie. Defaults to "dex_session".
-	CookieName string `yaml:"cookieName" json:"cookieName"`
-	// AbsoluteLifetime is the maximum session lifetime from creation. Defaults to "24h".
-	AbsoluteLifetime string `yaml:"absoluteLifetime" json:"absoluteLifetime"`
-	// ValidIfNotUsedFor is the idle timeout. Defaults to "1h".
-	ValidIfNotUsedFor string `yaml:"validIfNotUsedFor" json:"validIfNotUsedFor"`
-	// RememberMeCheckedByDefault controls the default state of the "remember me" checkbox.
-	RememberMeCheckedByDefault *bool `yaml:"rememberMeCheckedByDefault" json:"rememberMeCheckedByDefault"`
-	// CookieEncryptionKey is the AES key for encrypting session cookies.
-	// Must be 16, 24, or 32 bytes for AES-128, AES-192, or AES-256.
-	// If empty, cookies are not encrypted.
-	CookieEncryptionKey string `yaml:"cookieEncryptionKey" json:"cookieEncryptionKey"`
-	// SSOSharedWithDefault is the default SSO sharing policy for clients without explicit ssoSharedWith.
-	// "all" = share with all clients, "none" = share with no one (default: "none").
-	SSOSharedWithDefault string `yaml:"ssoSharedWithDefault" json:"ssoSharedWithDefault"`
-}
-
-type MFAConfig struct {
-	Authenticators []MFAAuthenticator `yaml:"authenticators" json:"authenticators"`
-}
-
-type MFAAuthenticator struct {
-	ID     string                 `yaml:"id" json:"id"`
-	Type   string                 `yaml:"type" json:"type"`
-	Config map[string]interface{} `yaml:"config" json:"config"`
-
-	ConnectorTypes []string `yaml:"connectorTypes" json:"connectorTypes"`
-}
-
-type TOTPConfig struct {
-	Issuer string `yaml:"issuer" json:"issuer"`
-}
-
-// WebAuthnConfig holds configuration for a WebAuthn authenticator.
-type WebAuthnConfig struct {
-	// RPDisplayName is the human-readable relying party name shown in the browser
-	// dialog during key registration and authentication (e.g., "My Company SSO").
-	RPDisplayName string `yaml:"rpDisplayName" json:"rpDisplayName"`
-	// RPID is the relying party identifier — must match the domain in the browser
-	// address bar. If empty, derived from the issuer URL hostname.
-	// Example: "auth.example.com"
-	RPID string `yaml:"rpID" json:"rpID"`
-	// RPOrigins is the list of allowed origins for WebAuthn ceremonies.
-	// If empty, derived from the issuer URL (scheme + host).
-	// Example: ["https://auth.example.com"]
-	RPOrigins []string `yaml:"rpOrigins" json:"rpOrigins"`
-	// AttestationPreference controls what attestation data the authenticator should provide:
-	//   "none"     — don't request attestation (simpler, more private)
-	//   "indirect" — authenticator may anonymize attestation (default)
-	//   "direct"   — request full attestation (for enterprise key model verification)
-	AttestationPreference string `yaml:"attestationPreference" json:"attestationPreference"`
-	// Timeout is the duration allowed for the browser WebAuthn ceremony
-	// (registration or login). Defaults to "60s".
-	Timeout string `yaml:"timeout" json:"timeout"`
 }
 
 // Web is the config format for the HTTP server.
@@ -180,6 +116,7 @@ type Storage struct {
 	Config map[string]interface{} `yaml:"config" json:"config"`
 }
 
+// Password represents a static user configuration
 type Password storage.Password
 
 func (p *Password) UnmarshalYAML(node *yaml.Node) error {
@@ -492,98 +429,9 @@ func (c *YAMLConfig) Validate() error {
 	if !c.EnablePasswordDB && len(c.StaticPasswords) != 0 {
 		return fmt.Errorf("cannot specify static passwords without enabling password db")
 	}
-
 	return nil
 }
 
-func buildTotpConfig(auth MFAAuthenticator) (*server.TOTPProvider, error) {
-	data, err := json.Marshal(auth.Config)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal TOTP config id: %s - %w", auth.ID, err)
-	}
-
-	var cfg TOTPConfig
-	if err := json.Unmarshal(data, &cfg); err != nil {
-		return nil, fmt.Errorf("failed to parse TOTP config id: %s - %w", auth.ID, err)
-	}
-
-	return server.NewTOTPProvider(cfg.Issuer, auth.ConnectorTypes), nil
-}
-
-func buildWebAuthnConfig(auth MFAAuthenticator, issuerURL string) (*server.WebAuthnProvider, error) {
-	data, err := json.Marshal(auth.Config)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal WebAuthn config id: %s - %w", auth.ID, err)
-	}
-
-	var cfg WebAuthnConfig
-	if err := json.Unmarshal(data, &cfg); err != nil {
-		return nil, fmt.Errorf("failed to parse WebAuthn config id: %s - %w", auth.ID, err)
-	}
-
-	provider, err := server.NewWebAuthnProvider(cfg.RPDisplayName, cfg.RPID, cfg.RPOrigins,
-		cfg.AttestationPreference, cfg.Timeout, issuerURL, auth.ConnectorTypes)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create WebAuthn provider id: %s - err: %w", auth.ID, err)
-	}
-
-	return provider, nil
-}
-
-func buildMFAProviders(authenticators []MFAAuthenticator, issuerURL string, logger *slog.Logger) map[string]server.MFAProvider {
-	if len(authenticators) == 0 {
-		return nil
-	}
-
-	providers := make(map[string]server.MFAProvider, len(authenticators))
-	for _, auth := range authenticators {
-		switch auth.Type {
-		case "TOTP":
-			provider, err := buildTotpConfig(auth)
-			if err != nil {
-				logger.Error("failed to parse TOTP config", "id", auth.ID, "err", err)
-				continue
-			}
-			providers[auth.ID] = provider
-			logger.Info("MFA authenticator configured", "id", auth.ID, "type", auth.Type)
-		case "WebAuthn":
-			provider, err := buildWebAuthnConfig(auth, issuerURL)
-			if err != nil {
-				logger.Error("failed to parse WebAuthn config", "id", auth.ID, "err", err)
-				continue
-			}
-			providers[auth.ID] = provider
-			logger.Info("MFA authenticator configured", "id", auth.ID, "type", auth.Type)
-		default:
-			logger.Error("unknown MFA authenticator type, skipping", "id", auth.ID, "type", auth.Type)
-		}
-	}
-	return providers
-}
-
-func buildSessionsConfig(sessions *Sessions) *server.SessionConfig {
-	if sessions == nil {
-		return nil
-	}
-
-	if sessions.RememberMeCheckedByDefault == nil {
-		defaultRememberMeCheckedByDefault := false
-		sessions.RememberMeCheckedByDefault = &defaultRememberMeCheckedByDefault
-	}
-
-	absoluteLifetime, _ := parseDuration(sessions.AbsoluteLifetime)
-	validIfNotUsedFor, _ := parseDuration(sessions.ValidIfNotUsedFor)
-
-	return &server.SessionConfig{
-		CookieEncryptionKey:        []byte(sessions.CookieEncryptionKey),
-		CookieName:                 sessions.CookieName,
-		AbsoluteLifetime:           absoluteLifetime,
-		ValidIfNotUsedFor:          validIfNotUsedFor,
-		RememberMeCheckedByDefault: *sessions.RememberMeCheckedByDefault,
-		SSOSharedWithDefault:       sessions.SSOSharedWithDefault,
-	}
-}
-
 // ToServerConfig converts YAMLConfig to dex server.Config
 func (c *YAMLConfig) ToServerConfig(stor storage.Storage, logger *slog.Logger) server.Config {
 	cfg := server.Config{
@@ -600,8 +448,6 @@ func (c *YAMLConfig) ToServerConfig(stor storage.Storage, logger *slog.Logger) s
 			Dir:     c.Frontend.Dir,
 			Extra:   c.Frontend.Extra,
 		},
-		SessionConfig: buildSessionsConfig(c.Sessions),
-		MFAProviders:  buildMFAProviders(c.MFA.Authenticators, c.Issuer, logger),
 	}
 
 	// Use embedded NetBird-styled templates if no custom dir specified
@@ -614,6 +460,11 @@ func (c *YAMLConfig) ToServerConfig(stor storage.Storage, logger *slog.Logger) s
 	}
 
 	// Apply expiry settings
+	if c.Expiry.SigningKeys != "" {
+		if d, err := parseDuration(c.Expiry.SigningKeys); err == nil {
+			cfg.RotateKeysAfter = d
+		}
+	}
 	if c.Expiry.IDTokens != "" {
 		if d, err := parseDuration(c.Expiry.IDTokens); err == nil {
 			cfg.IDTokensValidFor = d

idp/dex/provider.go

@@ -18,7 +18,6 @@ import (
 
 	dexapi "github.com/dexidp/dex/api/v2"
 	"github.com/dexidp/dex/server"
-	"github.com/dexidp/dex/server/signer"
 	"github.com/dexidp/dex/storage"
 	"github.com/dexidp/dex/storage/sql"
 	jose "github.com/go-jose/go-jose/v4"
@@ -71,7 +70,7 @@ func NewProvider(ctx context.Context, config *Config) (*Provider, error) {
 	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
 
 	// Ensure data directory exists
-	if err := os.MkdirAll(config.DataDir, 0o700); err != nil {
+	if err := os.MkdirAll(config.DataDir, 0700); err != nil {
 		return nil, fmt.Errorf("failed to create data directory: %w", err)
 	}
 
@@ -102,15 +101,6 @@ func NewProvider(ctx context.Context, config *Config) (*Provider, error) {
 		return nil, fmt.Errorf("failed to create refresh token policy: %w", err)
 	}
 
-	localSignerConfig := signer.LocalConfig{
-		KeysRotationPeriod: "6h",
-	}
-
-	localSigner, err := localSignerConfig.Open(ctx, stor, 24*time.Hour, time.Now, logger)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create local signer: %w", err)
-	}
-
 	// Build Dex server config - use Dex's types directly
 	dexConfig := server.Config{
 		Issuer:                     issuer,
@@ -120,12 +110,12 @@ func NewProvider(ctx context.Context, config *Config) (*Provider, error) {
 		ContinueOnConnectorFailure: true,
 		Logger:                     logger,
 		PrometheusRegistry:         prometheus.NewRegistry(),
+		RotateKeysAfter:            6 * time.Hour,
 		IDTokensValidFor:           24 * time.Hour,
 		RefreshTokenPolicy:         refreshPolicy,
 		Web: server.WebConfig{
 			Issuer: "NetBird",
 		},
-		Signer: localSigner,
 	}
 
 	dexSrv, err := server.NewServer(ctx, dexConfig)
@@ -177,14 +167,6 @@ func NewProviderFromYAML(ctx context.Context, yamlConfig *YAMLConfig) (*Provider
 		return nil, fmt.Errorf("failed to create refresh token policy: %w", err)
 	}
 
-	localSigner, err := getSigner(ctx, stor, yamlConfig, logger)
-	if err != nil {
-		stor.Close()
-		return nil, fmt.Errorf("failed to create local signer: %w", err)
-	}
-
-	dexConfig.Signer = localSigner
-
 	dexSrv, err := server.NewServer(ctx, dexConfig)
 	if err != nil {
 		stor.Close()
@@ -200,32 +182,6 @@ func NewProviderFromYAML(ctx context.Context, yamlConfig *YAMLConfig) (*Provider
 	}, nil
 }
 
-func getSigner(ctx context.Context, stor storage.Storage, yamlConfig *YAMLConfig, logger *slog.Logger) (signer.Signer, error) {
-	// Parse expiry durations
-	idTokensValidFor := 24 * time.Hour // default
-	if yamlConfig.Expiry.IDTokens != "" {
-		var err error
-		idTokensValidFor, err = parseDuration(yamlConfig.Expiry.IDTokens)
-		if err != nil {
-			return nil, fmt.Errorf("invalid config value %q for id token expiry: %v", yamlConfig.Expiry.IDTokens, err)
-		}
-	}
-
-	localSignerConfig := &signer.LocalConfig{
-		KeysRotationPeriod: "720h", // 30 Days
-	}
-
-	if yamlConfig.Expiry.SigningKeys != "" {
-		if _, err := parseDuration(yamlConfig.Expiry.SigningKeys); err != nil {
-			return nil, fmt.Errorf("invalid config value %q for signing key expiry: %v", yamlConfig.Expiry.SigningKeys, err)
-		}
-
-		localSignerConfig.KeysRotationPeriod = yamlConfig.Expiry.SigningKeys
-	}
-
-	return localSignerConfig.Open(ctx, stor, idTokensValidFor, time.Now, logger)
-}
-
 // initializeStorage sets up connectors, passwords, and clients in storage
 func initializeStorage(ctx context.Context, stor storage.Storage, cfg *YAMLConfig) error {
 	if cfg.EnablePasswordDB {
@@ -285,8 +241,6 @@ func ensureStaticClients(ctx context.Context, stor storage.Storage, clients []st
 			old.RedirectURIs = client.RedirectURIs
 			old.Name = client.Name
 			old.Public = client.Public
-			old.PostLogoutRedirectURIs = client.PostLogoutRedirectURIs
-			old.MFAChain = client.MFAChain
 			return old, nil
 		}); err != nil {
 			return fmt.Errorf("failed to update client %s: %w", client.ID, err)
@@ -299,6 +253,9 @@ func ensureStaticClients(ctx context.Context, stor storage.Storage, clients []st
 func buildDexConfig(yamlConfig *YAMLConfig, stor storage.Storage, logger *slog.Logger) server.Config {
 	cfg := yamlConfig.ToServerConfig(stor, logger)
 	cfg.PrometheusRegistry = prometheus.NewRegistry()
+	if cfg.RotateKeysAfter == 0 {
+		cfg.RotateKeysAfter = 24 * 30 * time.Hour
+	}
 	if cfg.IDTokensValidFor == 0 {
 		cfg.IDTokensValidFor = 24 * time.Hour
 	}
@@ -493,34 +450,10 @@ func (p *Provider) Storage() storage.Storage {
 	return p.storage
 }
 
-// SetClientsMFAChain updates the MFAChain field on the dashboard and CLI OAuth2 clients.
-// Pass a non-empty slice (e.g. []string{"default-totp"}) to enable MFA, or nil to disable it.
-func (p *Provider) SetClientsMFAChain(ctx context.Context, clientIDs []string, mfaChain []string) error {
-	for _, clientID := range clientIDs {
-		if err := p.storage.UpdateClient(ctx, clientID, func(old storage.Client) (storage.Client, error) {
-			old.MFAChain = mfaChain
-			return old, nil
-		}); err != nil {
-			return fmt.Errorf("failed to update MFA chain on client %s: %w", clientID, err)
-		}
-	}
-	return nil
-}
-
 // Handler returns the Dex server as an http.Handler for embedding in another server.
 // The handler expects requests with path prefix "/oauth2/".
 func (p *Provider) Handler() http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Dex's /logout endpoint requires id_token_hint for RP-initiated logout with
-		// post_logout_redirect_uri. If the dashboard calls logout without one, avoid
-		// rendering Dex's non-actionable Bad Request page and send the user home.
-		if strings.HasSuffix(r.URL.Path, "/logout") && r.FormValue("id_token_hint") == "" {
-			http.Redirect(w, r, "/", http.StatusSeeOther)
-			return
-		}
-
-		p.dexServer.ServeHTTP(w, r)
-	})
+	return p.dexServer
 }
 
 // CreateUser creates a new user with the given email, username, and password.

idp/dex/provider_test.go

@@ -4,8 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"log/slog"
-	"net/http"
-	"net/http/httptest"
 	"os"
 	"path/filepath"
 	"testing"
@@ -146,30 +144,6 @@ func TestEncodeDexUserID_MatchesDexFormat(t *testing.T) {
 	assert.Equal(t, knownEncodedID, reEncoded)
 }
 
-func TestHandlerRedirectsLogoutWithoutIDTokenHint(t *testing.T) {
-	ctx := context.Background()
-
-	tmpDir, err := os.MkdirTemp("", "dex-logout-handler-*")
-	require.NoError(t, err)
-	defer os.RemoveAll(tmpDir)
-
-	provider, err := NewProvider(ctx, &Config{
-		Issuer:  "http://localhost:5556/oauth2",
-		Port:    5556,
-		DataDir: tmpDir,
-	})
-	require.NoError(t, err)
-	defer func() { _ = provider.Stop(ctx) }()
-
-	req := httptest.NewRequest(http.MethodGet, "/oauth2/logout?post_logout_redirect_uri=https://example.com", nil)
-	rec := httptest.NewRecorder()
-
-	provider.Handler().ServeHTTP(rec, req)
-
-	require.Equal(t, http.StatusSeeOther, rec.Code)
-	require.Equal(t, "/", rec.Header().Get("Location"))
-}
-
 func TestCreateUserInTempDB(t *testing.T) {
 	ctx := context.Background()
 

idp/dex/web/templates/home.html

@@ -1,12 +0,0 @@
-{{ template "header.html" . }}
-
-<script>globalThis.location.replace("/");</script>
-<noscript>
-    <div class="nb-card">
-        <h1 class="nb-heading">Redirecting…</h1>
-        <p class="nb-subheading">You are being redirected to the NetBird dashboard.</p>
-        <a href="/" class="nb-btn" style="display:block;text-align:center;text-decoration:none">Go to Dashboard</a>
-    </div>
-</noscript>
-
-{{ template "footer.html" . }}

idp/dex/web/templates/logout.html

@@ -1,14 +0,0 @@
-{{ template "header.html" . }}
-
-<div class="nb-card">
-    <h1 class="nb-heading">Logged Out</h1>
-    <p class="nb-subheading">You have been successfully logged out.</p>
-
-    {{ if .BackURL }}
-    <div class="nb-back-link">
-        <a href="{{ .BackURL }}" class="nb-link">&larr; Back to Application</a>
-    </div>
-    {{ end }}
-</div>
-
-{{ template "footer.html" . }}

idp/dex/web/templates/password.html

@@ -18,7 +18,6 @@
                 id="login"
                 name="login"
                 class="nb-input"
-                autocomplete="username"
                 placeholder="Enter your {{ .UsernamePrompt | lower }}"
                 {{ if .Username }}value="{{ .Username }}"{{ else }}autofocus{{ end }}
                 required
@@ -32,7 +31,6 @@
                 id="password"
                 name="password"
                 class="nb-input"
-                autocomplete="current-password"
                 placeholder="Enter your password"
                 {{ if .Invalid }}autofocus{{ end }}
                 required

idp/dex/web/templates/totp_verify.html

@@ -1,44 +0,0 @@
-{{ template "header.html" . }}
-
-<div class="nb-card">
-    <h1 class="nb-heading">Two-factor authentication</h1>
-    {{ if not (eq .QRCode "") }}
-    <p class="nb-subheading">Scan the QR code below using your authenticator app, then enter the code.</p>
-    <div style="text-align: center; margin: 1em 0;">
-        <img src="data:image/png;base64,{{ .QRCode }}" alt="QR code" width="200" height="200"/>
-    </div>
-    {{ else }}
-    <p class="nb-subheading">Enter the code from your authenticator app.</p>
-    {{ end }}
-
-    <form method="post" action="{{ .PostURL }}">
-        {{ if .Invalid }}
-        <div class="nb-error">
-            Invalid code. Please try again.
-        </div>
-        {{ end }}
-
-        <div class="nb-form-group">
-            <label class="nb-label" for="totp">One-time code</label>
-            <input
-                type="text"
-                id="totp"
-                name="totp"
-                class="nb-input"
-                inputmode="numeric"
-                pattern="[0-9]*"
-                maxlength="6"
-                autocomplete="one-time-code"
-                placeholder="000000"
-                autofocus
-                required
-            >
-        </div>
-
-        <button type="submit" id="submit-login" class="nb-btn">
-            Verify
-        </button>
-    </form>
-</div>
-
-{{ template "footer.html" . }}

idp/dex/web/templates/webauthn_verify.html

@@ -1,12 +0,0 @@
-{{ template "header.html" . }}
-
-<script>globalThis.location.replace("/");</script>
-<noscript>
-    <div class="nb-card">
-        <h1 class="nb-heading">Redirecting…</h1>
-        <p class="nb-subheading">You are being redirected to the NetBird dashboard.</p>
-        <a href="/" class="nb-btn" style="display:block;text-align:center;text-decoration:none">Go to Dashboard</a>
-    </div>
-</noscript>
-
-{{ template "footer.html" . }}

management/internals/controllers/network_map/controller/controller.go

@@ -257,7 +257,10 @@ func (c *Controller) bufferSendUpdateAccountPeers(ctx context.Context, accountID
 
 // UpdatePeers updates all peers that belong to an account.
 // Should be called when changes have to be synced to peers.
-func (c *Controller) UpdateAccountPeers(ctx context.Context, accountID string) error {
+func (c *Controller) UpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error {
+	if c.accountManagerMetrics != nil {
+		c.accountManagerMetrics.CountUpdateAccountPeersTriggered(string(reason.Resource), string(reason.Operation))
+	}
 	return c.sendUpdateAccountPeers(ctx, accountID)
 }
 
@@ -331,9 +334,13 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 	return nil
 }
 
-func (c *Controller) BufferUpdateAccountPeers(ctx context.Context, accountID string) error {
+func (c *Controller) BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error {
 	log.WithContext(ctx).Tracef("buffer updating peers for account %s from %s", accountID, util.GetCallerName())
 
+	if c.accountManagerMetrics != nil {
+		c.accountManagerMetrics.CountUpdateAccountPeersTriggered(string(reason.Resource), string(reason.Operation))
+	}
+
 	bufUpd, _ := c.accountUpdateLocks.LoadOrStore(accountID, &bufferUpdate{})
 	b := bufUpd.(*bufferUpdate)
 
@@ -348,14 +355,14 @@ func (c *Controller) BufferUpdateAccountPeers(ctx context.Context, accountID str
 
 	go func() {
 		defer b.mu.Unlock()
-		_ = c.UpdateAccountPeers(ctx, accountID)
+		_ = c.sendUpdateAccountPeers(ctx, accountID)
 		if !b.update.Load() {
 			return
 		}
 		b.update.Store(false)
 		if b.next == nil {
 			b.next = time.AfterFunc(time.Duration(c.updateAccountPeersBufferInterval.Load()), func() {
-				_ = c.UpdateAccountPeers(ctx, accountID)
+				_ = c.sendUpdateAccountPeers(ctx, accountID)
 			})
 			return
 		}

management/internals/controllers/network_map/interface.go

@@ -18,9 +18,9 @@ const (
 )
 
 type Controller interface {
-	UpdateAccountPeers(ctx context.Context, accountID string) error
+	UpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error
 	UpdateAccountPeer(ctx context.Context, accountId string, peerId string) error
-	BufferUpdateAccountPeers(ctx context.Context, accountID string) error
+	BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error
 	GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, p *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error)
 	GetDNSDomain(settings *types.Settings) string
 	StartWarmup(context.Context)

management/internals/controllers/network_map/interface_mock.go

@@ -44,17 +44,17 @@ func (m *MockController) EXPECT() *MockControllerMockRecorder {
 }
 
 // BufferUpdateAccountPeers mocks base method.
-func (m *MockController) BufferUpdateAccountPeers(ctx context.Context, accountID string) error {
+func (m *MockController) BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "BufferUpdateAccountPeers", ctx, accountID)
+	ret := m.ctrl.Call(m, "BufferUpdateAccountPeers", ctx, accountID, reason)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
 
 // BufferUpdateAccountPeers indicates an expected call of BufferUpdateAccountPeers.
-func (mr *MockControllerMockRecorder) BufferUpdateAccountPeers(ctx, accountID any) *gomock.Call {
+func (mr *MockControllerMockRecorder) BufferUpdateAccountPeers(ctx, accountID, reason any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BufferUpdateAccountPeers", reflect.TypeOf((*MockController)(nil).BufferUpdateAccountPeers), ctx, accountID)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BufferUpdateAccountPeers", reflect.TypeOf((*MockController)(nil).BufferUpdateAccountPeers), ctx, accountID, reason)
 }
 
 // CountStreams mocks base method.
@@ -238,15 +238,15 @@ func (mr *MockControllerMockRecorder) UpdateAccountPeer(ctx, accountId, peerId a
 }
 
 // UpdateAccountPeers mocks base method.
-func (m *MockController) UpdateAccountPeers(ctx context.Context, accountID string) error {
+func (m *MockController) UpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "UpdateAccountPeers", ctx, accountID)
+	ret := m.ctrl.Call(m, "UpdateAccountPeers", ctx, accountID, reason)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
 
 // UpdateAccountPeers indicates an expected call of UpdateAccountPeers.
-func (mr *MockControllerMockRecorder) UpdateAccountPeers(ctx, accountID any) *gomock.Call {
+func (mr *MockControllerMockRecorder) UpdateAccountPeers(ctx, accountID, reason any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAccountPeers", reflect.TypeOf((*MockController)(nil).UpdateAccountPeers), ctx, accountID)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAccountPeers", reflect.TypeOf((*MockController)(nil).UpdateAccountPeers), ctx, accountID, reason)
 }